RHSES-104: Conformity and Audit

DOCUMENT REF: RHSES-104

TITLE: Conformity Assessment and Audit Protocols

Status: Normative

1.0 Audit Governance

1.1 Auditor Accreditation

Audits must be performed by firms accredited by the IHSE. Accreditation requires demonstrated competence in Healthcare Finance, NIST Cybersecurity, and OIG Compliance.

1.2 Audit Frequency

  • Surveillance Audits: Annual.
  • Recertification Audits: Every 3 years.
  • Triggered Audits: Initiated upon detection of "Waterfall Variance" >1% or "Whistleblower" reports.

2.0 Detailed Audit Protocols (Annex A Expansion)

2.1 Protocol A-1: Financial Self-Sufficiency & GPO Safe Harbor

  • Objective: Verify compliance with 42 CFR § 1001.952(j) and RHSES Revenue Model.
  • Test Procedure 1: Select a random sample of 25 vendor contracts. Verify the existence of a clause limiting fees to 3% or specifying the fee amount.
  • Test Procedure 2: Trace a sample of 50 transaction fees from the "Vendor Payment" ledger to the "HEF Allocation" ledger. Recalculate the split. Pass: Calculated split matches actual transfer within $0.01. Fail: Variance detected.
  • Evidence: General Ledger (GL) extracts, Vendor Contracts, ACH logs.

2.2 Protocol A-2: AI & Algorithmic Integrity

  • Objective: Verify that the AI Compliance Layer is operating without bias and with transparency (ISO 42001 alignment).
  • Test Procedure 1 (Bias Testing): Review the "AI Impact Assessment" report. Confirm that the model's "Predictive Parity" and "Equalized Odds" metrics were calculated for key demographic subgroups.
  • Test Procedure 2 (Immutable Logs): Attempt to modify a historical decision log in the test environment. Pass: System prevents modification or generates a "Tamper Alert." Fail: Log is editable without trace.
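
Added example (not part of RHSES-104): a Python sketch of Test Procedure 2, assuming the decision log is a SHA-256 hash chain whose latest hash is anchored outside the logging system. The standard does not specify the log mechanism; all function names and sample records are constructed. It goes slightly beyond the procedure text by testing both a plain edit and an edit followed by recomputing the chain, since only the anchored head detects the latter.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def digest(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def build(records):
    log, prev = [], GENESIS
    for r in records:
        h = digest(prev, r)
        log.append({"record": r, "prev": prev, "hash": h})
        prev = h
    return log

def verify(log, anchored_head=None):
    """Return tamper alerts; an empty list means the log verified clean."""
    alerts, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != digest(e["prev"], e["record"]):
            alerts.append(f"Tamper Alert: entry {i}")
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        alerts.append("Tamper Alert: head does not match anchored value")
    return alerts

def edit(log, i, field, value, rechain=False):
    """Modify a historical entry in a copy; rechain=True recomputes all hashes."""
    trial = copy.deepcopy(log)
    trial[i]["record"][field] = value
    if rechain:
        trial = build([e["record"] for e in trial])
    return trial

def run_immutable_log_test(log, anchored_head=None):
    """Pass only if both the plain edit and the re-chained edit raise an alert."""
    for rechain in (False, True):
        if not verify(edit(log, 0, "decision", "approve", rechain), anchored_head):
            return "Fail"  # log is editable without trace
    return "Pass"

# Constructed sample decision log for the test environment
SAMPLE = build([
    {"claim": "C-1001", "decision": "deny", "model": "v1"},
    {"claim": "C-1002", "decision": "approve", "model": "v1"},
    {"claim": "C-1003", "decision": "deny", "model": "v1"},
])
HEAD = SAMPLE[-1]["hash"]  # assumption: stored out of band, e.g. by the auditor
```

Without the anchored head, the re-chained edit verifies clean and the test returns "Fail", which is the "editable without trace" condition the procedure describes.
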

2.3 Protocol A-3: Rural Protection Test

  • Objective: Verify that provider compensation was protected via supply chain efficiencies.
  • Test Procedure: Identify any fiscal period where provider compensation was reduced. Request the "Supply Chain Optimization Attestation" for that period.
  • Evidence: Board Minutes, Supply Chain Savings Reports, Payroll Records. If compensation was cut without evidence of maximized supply chain savings (e.g., <90% Generic Utilization), issue a Major Non-Conformance.

3.0 Reporting and Certification

3.1 Report on Compliance (ROC)

The Accredited Auditor shall submit a ROC to the IHSE. The ROC must categorize findings as:

  • Compliant: Meets requirements.
  • Minor Non-Conformance: Process deviation without systemic risk.
  • Major Non-Conformance: Systemic failure (e.g., missing HEF funds, non-compliant GPO fees).

3.2 Issuance

Upon acceptance of a clean ROC, the IHSE shall issue the RHSES Certificate of Compliance, valid for 3 years subject to annual surveillance.