Fourteen tools in one place, on one license, with one audit trail underneath. Network Adequacy gets its own section because it's what most plans get caught on. SOC 2 Type I is in process with our auditor.
Compliance officers usually find us once they realize they're paying for a GRC platform, a policy vendor, a privacy vendor, a network adequacy tool, and an FDR oversight tool, and none of them know the others exist.
Fax, email, the monitored inboxes, HPMS pickups, direct uploads. Everything is timestamped on arrival and routed to the right owner. The routing learns as it goes: three corrections from your team and the rule flips for next time.
42 CFR § 422.504
Upload a memo or let it pick one up from HPMS. It pulls out the action items with department, urgency, and due date. Citation-coverage dashboards show which CFR sections you have controls for and which you don't.
42 CFR § 422.503(b)
Row-by-row validation of your ODAG, CDAG, FA, SNPCC, and CPE universes before you submit. FDR submissions ride a separate portal with two-factor sign-in and an audit trail nothing can quietly overwrite.
CMS Program Audit Protocol
Every MA plan owes CMS a stack of reports each year: grievances, organization determinations, reconsiderations, enrollment and disenrollment, payments, supplemental benefits, D-SNP. The counts have to reconcile with the records behind them, the deadlines are firm to the minute, and the numbers end up public in the CMS Limited Data Set where they get audited later. So before you upload to HPMS, drop the file in here with the source records. Reporter recounts, compares, shows you every miscount and misclassified case with the CFR cite beside it, and tells you whether HPMS will reject the file before you click submit.
42 CFR §§ 422.516 / 423.514
A full lifecycle: setup, team invite, 5 Whys root-cause analysis, milestone tracking, leadership sign-off. The closure packet for the CMS audit response builds itself as the plan moves.
42 CFR § 422.503(b)(4)(vi)(G)
One library, with versions, approvals, distribution lists, and attestation tracking. The eight SOC 2 policies in force at our own company ship as the starting set.
42 CFR § 422.503(b)(4)(vi)
Investigation through notification. The 60-day clock runs on every case, state-specific rules are built in, and the HHS portal output is on tap. Substance-use disorder records carry their 42 CFR Part 2 consent trail end to end.
45 CFR § 164.404 · 42 CFR Part 2
Every issue, violation, and remediation in one log, with owners, evidence, and a link back to whatever surfaced it (the memo, the universe row, the audit finding). Closed status is closed for good, so the next audit doesn't reopen finished work.
42 CFR § 422.503(b)(4)(vi)(F)
Every deadline from every other tool rolls up here: upcoming, due soon, overdue, satisfied. Each item carries two due dates, the regulator's and a safer internal one a few days before.
42 CFR § 422.503(b)(4)(vi)(B)
Risk surveys across fourteen functional areas, with weighted heat maps and a board-ready PDF. The year-over-year diff is automatic.
42 CFR § 422.503(b)(4)(vi)(C)
Provider and facility files validated against the CMS HSD minimums by county and specialty, with geographic deficiency maps and exception packets drafted with the rationale attached. More in § 02 below.
42 CFR § 422.116
First-tier, downstream, and related entity tracking, with monthly OIG LEIE and SAM.gov exclusion screening and an evidence trail for every entity and every check.
42 CFR § 422.504(i)
A year-over-year Final Rule diff with the operational impact mapped to your departments. It reads the Federal Register, maps the changes to your control owners, and flags the new memos you'll need to issue.
42 CFR Parts 422 / 423
Pulls CMS-routed complaints from HPMS daily. The two-day Immediate Need clock runs at the case level, not the queue level, and beneficiary and provider complaints stay in their own lanes. Closure proof attaches to the audit record so the next audit doesn't reopen what the team already closed.
42 CFR § 422.504(b)(3)
Most plans run network adequacy in a spreadsheet against last year's HSD table and find out at audit that they're three clinical social workers short. This one runs the comparison continuously, by county and by specialty, with the deficiency map drawn live.
Upload your provider and facility files. Specialty is mapped to the CMS HSD codes (001–036 provider, 040–068 facility) automatically, and bad rows are surfaced before the run.
CMS HSD Layout
Distance and travel-time comparisons against the federal minimums for every specialty-and-county pair in your service area. Maximum drive miles vary by community type (large metro, micro, rural), and that's handled.
42 CFR § 422.116
Each shortfall comes out as a worked finding: Broward County needs eight clinical social workers, has five, short three. Your network team picks up the list, and closure requires an NPI, not a comment.
CMS Network Adequacy Criteria
Pan to a county and see your providers, the radius circles, and the gap. Print a board-ready map; export the underlying NPI list.
HPMS NA Workbook
For each remaining deficiency, it drafts the CMS exception request with the rationale (community pattern, telehealth substitution, geographic isolation) and the supporting data attached.
CMS Exception Guidance
Type I observation is in progress with our auditor, with attestation targeted for Q4 2026 and Type II to follow in 2027. Independent of the audit, the controls listed here are running today.
We sign a Business Associate Agreement before any work begins. PHI never leaves your environment. Multi-factor sign-in is required for every user, and every action is written to an audit log that can't be quietly rewritten.
Thirty minutes, your own data, the tool that fits. We hand your team the keyboard at the end.