One platform for Medicare Advantage compliance: intake, CMS memos, universe validation, network adequacy, corrective actions, FDR oversight, and reporting. Because the record builds as the team works, the evidence is already there when an auditor asks for it.
Most plans cover this work with five separate vendors, a consulting retainer, and a stack of spreadsheets that don't talk to each other.
We built the thing we wished we'd had instead.
Each one maps to a specific regulation, a CMS protocol, or an HPMS process, not a general compliance platform with a healthcare label stuck on it.
Everything the team is sent (fax, email, the monitored inboxes, HPMS pickups, direct uploads) arrives here, gets timestamped, and goes to whoever owns it. Correct a routing call three times and it stops making that mistake.
42 CFR § 422.504Drop in a CMS memo, or let it pull one off HPMS. It pulls the action items out of the background, gives each one a department and a due date, and adds a second internal deadline a week ahead of the regulator's.
42 CFR § 422.503(b)Checks your ODAG, CDAG, FA, SNPCC, and CPE universes against the CMS protocol before you submit. Delegated entities get their own portal with a separate sign-in, and everything they touch lands in a log that can't be quietly edited later.
CMS Program Audit ProtocolEach year you file reports with CMS on grievances, determinations, enrollment, and payments. The numbers go public, and CMS audits them afterward. Before you upload, drop the file in alongside the records behind it. Reporter recounts, flags what doesn't reconcile, and tells you whether HPMS will reject it.
42 CFR §§ 422.516 / 423.514An audit finding opens a plan that moves through its own lifecycle (team invites, a 5 Whys root cause, milestones, leadership sign-off), and the closure packet CMS expects comes together as you go.
42 CFR § 422.503(b)(4)(vi)(G)One library for every policy the plan needs, with versions, approvals, and attestation tracking. The eight SOC 2 policies we run our own company on come loaded as a starting set.
42 CFR § 422.503(b)(4)(vi)Carries a privacy incident from first report through notification. The 60-day HIPAA clock starts when the case opens, state rules are built in, and the HHS portal output is a step away. Substance-use cases keep their 42 CFR Part 2 consent trail the whole way.
45 CFR § 164.404 · 42 CFR Part 2Every issue and its remediation in one register, each with an owner, its evidence, and a link back to whatever raised it. Once something is closed it stays closed, so next year's audit doesn't reopen work the team already finished.
42 CFR § 422.503(b)(4)(vi)(F)Every deadline from every other tool rolls up into a single view: upcoming, due soon, overdue, done. It tends to be the first screen a compliance officer opens in the morning.
42 CFR § 422.503(b)(4)(vi)(B)Run a risk survey across fourteen functional areas and get back a weighted heat map and a board-ready PDF. It diffs against last year on its own, so you can see what's gotten worse.
42 CFR § 422.503(b)(4)(vi)(C)Provider and facility files are checked against the CMS HSD minimums every time they change, with gaps drawn on a county map. When a gap can't be closed, it drafts the exception request. There's more on this below.
42 CFR § 422.116Tracks your first-tier, downstream, and related entities and screens them against the OIG exclusion list and SAM.gov every month on its own. Each check writes an evidence row nobody can edit after the fact.
42 CFR § 422.504(i)When CMS publishes a Final Rule, you get a year-over-year diff with the operational impact mapped to your departments. Somebody has to read the Federal Register. We'd rather it were us than your team.
42 CFR Parts 422 / 423Pulls CMS-routed complaints from HPMS once a day. The two-day Immediate Need clock runs per case rather than per queue, a detail plenty of plans get caught on. Beneficiary and provider complaints stay in their own lanes.
42 CFR § 422.504(b)(3)Run it in a spreadsheet against last year's HSD table and you find out you're three clinical social workers short on the day the auditor emails. This runs the comparison continuously, by county and by specialty, with the map drawn live.
Upload your provider and facility files and they're mapped to the CMS HSD specialty codes automatically. Bad rows get caught before the run, not in a 400-line error report two hours later.
CMS HSD LayoutTravel-time and distance against the federal minimums for every specialty-and-county pair in your service area. The maximum drive distance shifts with community type (large metro, micro, rural), and that's accounted for.
42 CFR § 422.116Each shortfall comes out as something the network team can actually work: Broward County needs eight clinical social workers, has five, short three. Closing it takes an NPI, not a comment.
CMS Network Adequacy CriteriaPan to a county and you see your providers, the radius circles, and the gap. Print a board-ready map, or export the underlying NPI list if your team would rather work it elsewhere.
HPMS NA WorkbookFor a gap you can't close, it drafts the CMS exception request, with the rationale (community pattern, telehealth substitution, geographic isolation) and the supporting data attached. You review it and sign it.
CMS Exception GuidanceEvery tool here traces back to a CFR section, a CMS protocol, or an HPMS memo. We didn't build a general-purpose compliance platform and paint it with healthcare terms. This is the product we wanted back when we were doing the work by hand.
A walk-through runs on your CMS memo, your universe file, your audit finding, not a sample tenant and not slides. You leave with something real that has your own data on it.
Universe rows, audit receipts, attached evidence, consent trails all get written as the team does its job. So when CMS asks, you're handing over a record that already exists rather than assembling one under deadline.
We're in Type I observation with our auditor now; attestation is targeted for Q4 2026, with Type II to follow. The controls listed here have been in place since the beginning, audit or no audit.
We sign a Business Associate Agreement before any work starts. PHI stays inside your environment. Every action is written to an audit log that can't be quietly rewritten.
Thirty minutes, your own data, and the tool that fits. We hand your team the keyboard at the end so you can push on it yourself.