Problem Framework Output Risk Score Exposure Crosswalk Methodology Get Started

Sign In or Create Account

Enter your email. We will send a magic link. No password required.

New here? Enter your email to create your account. Save assessments, track delegates, and monitor audit events.

Free to use. All tools fully functional.

Covenant

Delegation Governance Intelligence

CMS audits all 550 MA contracts now. Delegation oversight is a top finding. Your spreadsheet is a liability.

Every delegation is a promise on paper. Prove you're keeping it.

Built from public regulatory guidance and CMS audit protocols.

Score your program. Calculate your exposure. Map your requirements.

The Problem Nobody Has Solved

Health plans delegate clinical and administrative functions to third parties. Claims processing, utilization management, credentialing, member services, pharmacy benefit management. The delegation creates a gap between who is responsible and who is performing. Every regulator sees it. No health plan has closed it at scale.

The industry answer has been the same for twenty years: annual oversight. Once a year, the plan collects reports, reviews performance against contractual SLAs, conducts a desk audit, and files the results. CMS has accepted this. So have NCQA and state regulators.

The annual cycle cannot catch problems in time. It was never designed to.

A delegated entity that begins underperforming in February will not be formally assessed until the following January. Eleven months of degraded performance pile up with nobody watching. By the time the annual review catches it, the damage is already done. Wrong providers credentialed. Wrong claims paid. Members denied care they were owed.

2–4
FTEs managing 30+ delegates
with spreadsheets
$2.9M
CMPs in 2024 audit cycle (CMS Civil Money Penalty Enforcement Actions, FY2024)
14 sponsors, 18 violations
550
MA contracts audited annually
(up from 60)
$200M
Kaiser behavioral health settlement
DMHC, 2023

This is not a technology problem. Spreadsheets are what people reach for when the process underneath never worked. Annual oversight was built for a regulatory environment that no longer exists. CMS expanded from 60 audits per year to all 550 eligible contracts. The OIG published its first MA compliance guidance in 27 years in February 2026. The 2026 HPMS audit updates require evidence that compliance programs actually govern delegated work, not just that contracts exist.

The direction is clear. Regulators expect continuous oversight, not annual check-ins. Plans still running annual oversight are defending a model the regulators already left behind.

The DGS defines what continuous oversight actually requires.

What Goes Wrong Without Structured Oversight

Credentialing Drift

Delegate credentials 14 providers with expired licenses. Plan doesn't know for 11 months.

Consequence: CMS audit finding. Civil money penalties. Member safety risk. The plan is liable — not the delegate.

With Covenant: Monthly credential verification triggers fire automatically. Breach detected in days, not months.

Claims Leakage

Delegated claims processor auto-adjudicates $4.2M in duplicate payments over 8 months.

Consequence: Unrecoverable overpayment. Recovery costs 3-5x prevention. Annual audit finds it in January — for errors that started in March.

With Covenant: Quarterly claims sampling triggers. Pattern detected at $520K, not $4.2M.

Hidden Sub-Delegation

UM vendor quietly sub-delegates peer review to an offshore entity. Plan discovers it during a state audit.

Consequence: Regulatory sanctions. State DOI investigation. Every clinical decision made by the undisclosed entity is now questionable.

With Covenant: Sub-delegation disclosure required and tracked. Undisclosed sub-delegation flagged as governance emergency.

Access Denial Pattern

Behavioral health delegate denies 40% of urgent requests. Members file 200+ grievances before anyone connects the dots.

Consequence: Kaiser paid $200M (DMHC, 2023). The plan was liable for delegate behavior it didn't monitor.

With Covenant: Denial rate monitoring with threshold triggers. Pattern visible in weeks, not years.

Hover each scenario to see the consequence — and how structured oversight changes the timeline.

The Delegation Governance Standard

DGS defines the minimum requirements for a structured, continuous delegation oversight program. It specifies what to monitor, how often, at what thresholds, with what response protocols, and with what documentation.

The Seven Non-Negotiables

  1. 01
    Continuous beats annual.
    An oversight program that assesses delegated entity performance once per year is not a governance program. It is a filing exercise. Annual review is one piece. It is not the program.
  2. 02
    The plan cannot delegate accountability.
    A health plan may delegate functions. It may not delegate the regulatory obligation to ensure those functions are performed correctly. CMS does not audit the delegate. CMS audits the plan.
  3. 03
    Sub-delegation must be visible to the bottom.
    If the health plan cannot identify every entity performing delegated functions on its behalf, the governance program has a structural blind spot. Undisclosed sub-delegation is a governance emergency, not an administrative finding.
  4. 04
    The trigger fires whether you are watching or not.
    Governance triggers are threshold-based, not judgment-based. The SLA breach fires the trigger. The response protocol activates. Documentation is generated. Human judgment applies within the response, not to the question of whether to respond.
  5. 05
    Documentation is the governance.
    If the monitoring happened but was not documented, the monitoring did not happen. CMS does not accept institutional memory. NCQA does not accept verbal assurances. The documentation is not a byproduct of the governance. The documentation is the governance.
  6. 06
    Escalation has teeth.
    An escalation tier system that never results in delegation scope reduction or termination is decorative. If you have never reduced or terminated a delegation despite sustained failure, the escalation tiers are furniture.
  7. 07
    The governance program governs itself.
    The DGS requires annual self-assessment of the delegation governance program itself. A governance program that does not evaluate its own effectiveness will harden into the same checkbox exercise it was meant to fix.

Eight Governance Triggers

Each trigger specifies the required response, the responsible party, and the documentation generated. A trigger that fires without a documented response is a governance failure.

SLABREACH
SLA Threshold Breach
Any metric falls below contracted SLA for two consecutive periods, or below 85% for a single period. Root Cause Analysis required within 5 business days.
NEWDEL
Pre-Delegation Assessment
New delegation relationship or new delegated function. Full Delegation Readiness Assessment required before delegation commences.
SUBDEL
Sub-Delegation Discovery
Undisclosed sub-delegation discovered. Disclosure demand within 3 business days. Undisclosed sub-delegation found externally triggers automatic Red status.
REGAUDIT
Regulatory Audit Notification
CMS, NCQA, OIG, or state audit includes delegated functions. Audit readiness protocol initiated within 24 hours.
LEADCHANGE
Leadership Change
C-suite departure at delegated entity. Leadership Transition Assessment within 30 days. 90-day enhanced monitoring mandatory.
CAPMISS
CAP Milestone Missed
Delegate misses a CAP milestone by 10+ business days without extension request. Automatic escalation by one tier.
REGCHANGE
Regulatory Requirement Change
Federal, state, or NCQA change affecting delegated functions. Impact assessment within 30 days. Agreement amendments within 60 days.
DATAINT
Data Integrity Anomaly
Data quality failures exceeding 2% error rate. Alert within 2 business days. Enhanced validation (100% audit sampling) until error rate is below 1% for three consecutive periods.

Three Monitoring Tiers

Tier 1

Continuous Monitoring

Real-time or daily automated data feeds

Quantitative performance metrics measured without human interpretation. Claims turnaround, UM decision turnaround, call center answer rates, credentialing processing time, pharmacy PA turnaround. The system surfaces exceptions. No human reviews every data point.

Tier 2

Periodic Monitoring

Monthly or quarterly structured assessments

Performance dimensions requiring aggregation, sampling, or clinical review. Claims accuracy audits, UM clinical appropriateness reviews, credentialing file audits, complaint trending, network adequacy, quality measure validation. Defined sampling methodology and minimum sample sizes.

Tier 3

Event-Driven Monitoring

Triggered by governance triggers or external events

Conditions requiring immediate assessment outside the standing schedule. Regulatory actions, leadership changes, data integrity failures, sub-delegation discoveries. May temporarily override the periodic schedule, shifting quarterly to monthly review during a CAP period.

Escalation Protocol

Status DHS Range Required Actions
Green 85–100 Standard monitoring cadence. Annual delegation review. No intervention required.
Yellow 70–84 Monthly reporting for all delegated functions. DGO review of delegate's internal QA. Quarterly face-to-face oversight meeting. Written notification to delegate.
Red 50–69 CAP required within 15 business days. Weekly reporting. On-site audit within 60 days. Notification to CCO and business owner. Delegation scope reduction considered.
Critical Below 50 48-hour notification to CCO, General Counsel, and executive sponsor. Delegation termination planning initiated. Daily monitoring. Regulatory disclosure assessment.

What Covenant Generates

Covenant produces the documents your governance program needs. Every output is audit-ready and built from the DGS methodology.

Scorecards

Delegation Health Scorecards

Composite scores for every delegated entity on a 0-100 scale. Weighted by function criticality. Trend lines showing performance trajectory. Green/Yellow/Red/Critical tier status at a glance. Updated continuously as new monitoring data arrives.

Evidence

Audit Evidence Packages

Complete oversight trail assembled in minutes, not weeks. Every monitoring action, every trigger activation, every response, every resolution. Structured for CMS program audit, NCQA survey, and state regulatory examination. Anyone can follow the trail without asking the person who built it.

CAPs

Corrective Action Plans

Structured plans with defined milestones, timelines, responsible parties, and monitoring cadence. Generated automatically when a trigger fires. Milestone tracking with automatic escalation when deadlines are missed. Linked to Delegation Review Panel governance.

Chains

Sub-Delegation Chain Maps

Visual proof of who delegated to whom, at every tier. Tier 1 direct delegates, Tier 2 sub-delegates, Tier 3 downstream entities. Contractual accountability flows mapped. Undisclosed sub-delegation flagged automatically. The visibility that 42 CFR 422.504(i)(5) and (i)(3)(ii) demand.

Crosswalks

Regulatory Crosswalks

Every applicable CMS, NCQA, OIG, and state requirement mapped to your delegation model. Jurisdiction-specific overlays for California DMHC, Texas TDI, New York DFS, and multi-state operations. Updated when regulatory requirements change.

Readiness

Delegation Readiness Assessments

Seven-dimension scoring covering operations, compliance, data, clinical quality, financials, contracts, and oversight readiness. 5-point maturity scale per dimension. Pre-delegation gate and annual reassessment.

See a sample Delegation Governance Standard →

Interactive Tool

Delegation Risk Score

See where your current program stands relative to the DGS framework. Takes 2 minutes.

How to Use This Tool
Answer 8 questions about your organization's delegation oversight maturity. Each question scores 0-3 points. Your result is an A-F grade with a gap analysis identifying your top deficiencies. Sign in to save assessments and track progress over time. Download your report to share with compliance leadership.
--

Gap Analysis

    Interactive Tool

    Penalty Exposure Calculator

    Estimate what your delegation oversight gaps could cost you.

    How to Use This Tool
    Enter your member count, number of delegates, oversight maturity level, and line of business. The calculator estimates your CMS Civil Monetary Penalty exposure, Star Rating impact, and total annual risk. Use this to build the business case for delegation governance investment.
    50,000
    10
    Interactive Tool

    Regulatory Crosswalk Generator

    Select your delegated functions, states, and lines of business. Get every applicable requirement with the citation attached.

    Regulatory citations current as of May 2026. Includes CMS Final Rule, February 2026 OIG ICPG, November 2025 HPMS Memo.
    How to Use This Tool
    Select your delegated functions, states, and lines of business. The generator produces a table of applicable regulatory requirements with specific citations from CMS, NCQA, OIG, and state regulators. Download the crosswalk as a compliance reference document.
    Citation Source Function Requirement

    A Free Published Standard

    Covenant is the Delegation Governance Standard (DGS v1.0) and its self-assessment — published openly, free to use. There is no subscription, no platform fee, and nothing to buy.

    DGS v1.0
    Free

    The published delegation-governance standard. Open to every health plan, delegate, and regulator.

    • Delegation Risk Score
    • Penalty Exposure Calculator
    • Regulatory Crosswalk (all states)
    • Downloadable reports and audit evidence
    Open Standard
    Self-Assessment
    Free

    The full DGS self-assessment — the delegation-oversight criteria nobody else publishes.

    • Full Crosswalk, all states
    • Delegate tracking and DHS scoring
    • Saved assessments history
    • Exportable audit evidence

    Covenant is a tool, not a product. The standard stays free.

    The Case Against Waiting

    Spreadsheets are not governance

    • Spreadsheets store data. They do not trigger responses, and they do not govern. A metric that breaches a threshold in a spreadsheet requires a human to notice, interpret, and act. The gap between the breach and the response is where regulatory exposure accumulates.
    • Spreadsheets cannot prove a chain of custody. CMS auditors want to reconstruct what was monitored, when, what was found, and what was done about it. A spreadsheet with RAG-coded cells does not meet that evidentiary standard.
    • Spreadsheets do not scale. A plan with 10 delegates, 5 delegated functions each, 6 metrics per function, monitored monthly, generates 3,600 data points per year. Add sub-delegates and the number triples. Nobody governs 3,600 data points in a spreadsheet.
    • Spreadsheets create key-person risk. The oversight analyst who built the tracker leaves, and the institutional knowledge walks out the door. A governance program that depends on a single person's Excel skills is not a governance program.

    The window is closing

    • CMS expanded annual audits from 60 to all 550 eligible MA contracts. Your plan will be audited. The only question is whether you are ready.
    • The OIG published its first MA compliance guidance in 27 years in February 2026. Third-party oversight is at the center. Diligence before delegation, monitoring proportional to risk, and compliance obligations that cascade through the full FDR chain.
    • The 2026 HPMS audit updates shifted from form-based validation to evaluating whether compliance programs actually govern delegated work. Ceremonial oversight will be flagged.
    • CMP totals through 2025 already exceed the combined total for 2021 through 2024. The enforcement numbers speak for themselves.

    What Implementation Actually Means

    Six weeks. Three phases. No data feeds required to start.

    Week 1–2: Configuration

    Map your delegation structure — delegates, sub-delegates, functions, and regulatory requirements. No data feeds required.

    Week 3–4: Calibration

    Set trigger thresholds, escalation tiers, and monitoring cadence based on your delegation risk profile. DGS calibrates to your organization, not a generic template.

    Week 5–6: Activation

    Live governance begins. First Delegation Health Score generated. Ongoing monitoring triggers start firing.

    A 180,000-life MA plan with 22 active delegates reduced audit preparation time from six weeks to 48 hours after implementing continuous delegation monitoring. Trigger-based escalation identified three sub-delegation gaps that annual review cycles had missed for two consecutive years.

    Composite illustration based on operational modeling

    The Methodology

    Full DGS methodology detail. Click to expand.

    SLABREACH: Any delegated function metric falls below the contracted SLA for two consecutive measurement periods, or falls below 85% of the contracted SLA for a single measurement period. The DGO initiates a Root Cause Analysis request within 5 business days. The delegate has 15 business days to submit a written RCA with proposed remediation. The DGO evaluates and either accepts (with monitoring escalation to monthly) or rejects (initiating a CAP). Documentation generated: SLA Breach Notification, RCA Request, RCA Evaluation Memo, Monitoring Escalation Order or CAP Initiation.

    NEWDEL: New delegation relationship or new delegated function. Full DRA required before delegation effective date. No function may commence before assessment. If material deficiencies are found, delegation proceeds only with a Pre-Delegation Remediation Plan specifying milestones, timelines, and enhanced monitoring for the first 180 days. Requires CCO sign-off.

    SUBDEL: Undisclosed sub-delegation discovered. Disclosure demand within 3 business days. Delegate has 10 business days to provide: identity and corporate structure, specific functions sub-delegated, contractual terms, delegate's oversight program, and regulatory compliance evidence. Abbreviated DRA within 30 days. Undisclosed sub-delegation discovered externally triggers automatic Red status. Notification to CCO and General Counsel.

    REGAUDIT: CMS, NCQA, OIG, or state audit includes delegated functions. Audit Readiness Protocol within 24 hours: notify all delegated entities in scope, validate current documentation, gap analysis against specific audit protocol, remediation of gaps before fieldwork. DGO serves as single coordination point.

    LEADCHANGE: C-suite departure at delegated entity. Leadership Transition Assessment within 30 days evaluating successor qualifications, operational risk, notification compliance, and enhanced monitoring need. 90-day enhanced monitoring mandatory for any C-suite change.

    CAPMISS: CAP milestone missed by 10+ business days without prior written extension request. DGO escalates status by one tier. CAP Failure Notice issued. Delegation Review Panel convened within 10 business days to determine: CAP revision, scope reduction, termination, or breach referral to General Counsel.

    REGCHANGE: Material regulatory change affecting delegated functions. Impact assessment within 30 days identifying affected functions, affected entities, required changes, compliance timeline, and delegate acknowledgment. Agreement amendments within 60 days or escalation to Yellow.

    DATAINT: Data quality failures exceeding 2% error rate in any category (encounter, claims, quality, credentialing, risk adjustment) or any single failure resulting in incorrect regulatory reporting. Alert within 2 business days. Enhanced validation (100% audit sampling) until below 1% for three consecutive periods. If erroneous data submitted to CMS or state regulator, DGO coordinates with CCO on reporting obligations.

    Claims Processing

    MetricSLATier
    Financial accuracy rate≥ 99.0%Periodic (quarterly)
    Procedural accuracy rate≥ 97.0%Periodic (quarterly)
    Clean claim turnaround (30 days)≥ 95.0%Continuous
    Pended claim turnaround (60 days)≥ 90.0%Continuous
    Claim denial accuracy≥ 98.0%Periodic (quarterly)
    Provider payment timeliness≥ 95.0%Continuous

    Utilization Management

    MetricSLATier
    Standard PA turnaround (14 calendar days)≥ 98.0%Continuous
    Urgent PA turnaround (72 hours)≥ 99.0%Continuous
    Clinical appropriateness≥ 95.0%Periodic (quarterly)
    Inter-rater reliability≥ 85.0%Periodic (annual)
    Peer-to-peer completion100%Continuous
    Appeal overturn rateTrending (>15% triggers review)Periodic (monthly)

    Credentialing

    MetricSLATier
    Initial credentialing turnaround (60 days)≥ 95.0%Continuous
    Recredentialing timeliness (36-month)≥ 98.0%Continuous
    Primary source verification100%Periodic (quarterly)
    NPDB query compliance100%Periodic (quarterly)
    Sanction monitoring (monthly OIG/SAM)100%Continuous
    Committee review documentation100%Periodic (quarterly)

    Member Services

    MetricSLATier
    Call abandonment rate≤ 5.0%Continuous
    Average speed of answer≤ 30 secondsContinuous
    First call resolution≥ 80.0%Periodic (monthly)
    Grievance turnaround (30 days)≥ 98.0%Continuous
    Grievance trending>15% increase triggers reviewPeriodic (monthly)
    Member satisfaction≥ 4.0/5.0Periodic (quarterly)

    Pharmacy Benefit Management

    MetricSLATier
    Formulary compliance≥ 99.5%Periodic (quarterly)
    PA turnaround, standard (72 hours)≥ 98.0%Continuous
    PA turnaround, urgent (24 hours)≥ 99.0%Continuous
    Generic substitution rateTrending (benchmark)Periodic (quarterly)
    Rebate reconciliation accuracy≥ 99.0%Periodic (quarterly)
    Clinical program compliance (MTM)Per contractPeriodic (monthly)

    The Delegation Readiness Assessment (DRA) evaluates current-state capability across seven dimensions, each scored on a 5-point maturity scale.

    1. Operational Capability: Staffing ratios, technology platform capabilities, business continuity readiness, historical performance data, process documentation completeness.

    2. Regulatory Compliance: State licensure, NCQA/URAC accreditation, compliance program documentation, regulatory action history (5 years), OIG exclusion monitoring.

    3. Data Governance: Data exchange capabilities, data quality program, information security posture (HITRUST/SOC 2), HIPAA compliance and breach history, data retention policies, reporting capability.

    4. Clinical Quality: Clinical criteria used (InterQual, MCG), clinical staff qualifications, peer review and inter-rater reliability programs, quality improvement program, clinical committee structure.

    5. Financial Stability: Audited financial statements (2 years), revenue concentration risk, insurance coverage (E&O, cyber, general), material litigation, ownership structure.

    6. Contractual Alignment: All CMS-required provisions present (42 CFR 422.504(i)), NCQA-required elements present, SLA definitions specific and measurable, reporting requirements operationally feasible, termination transition planning, sub-delegation provisions, right-to-audit.

    7. Oversight Readiness: Designated delegation liaison (named individual), internal reporting cadence aligned with DGS, RCA production capability, CAP response history, sub-delegate oversight program, board/executive oversight of delegated functions.

    Composite ScoreInterpretationAction
    4.0 - 5.0Ready for delegationProceed with standard monitoring.
    3.0 - 3.9Conditionally readyPre-Delegation Remediation Plan. Enhanced monitoring for 180 days.
    2.0 - 2.9Material deficienciesDelegation not recommended. Remediation required.
    Below 2.0Not readyDelegation denied. Fundamental capability gaps.

    Under 42 CFR 422.504(i)(5), the MA organization must retain the right to approve, suspend, or terminate any sub-delegated arrangement, and 422.504(i)(3) requires the same enrollee-protection and compliance provisions to flow down to every first tier, downstream, and related entity. CMS holds the MA plan accountable for every entity in the chain, regardless of direct contractual relationship.

    Tier 1 — Direct Delegates: Complete visibility required. Full DGS monitoring framework. All three monitoring tiers. DRA on initial delegation and annually. The plan must maintain a current Delegated Entity Register with legal name, tax ID, delegation agreement effective date, delegated functions, key contacts, DHS status, DRA score, and monitoring cadence.

    Tier 2 — Sub-Delegates: Plan must maintain a Sub-Delegate Register. Annual review of Tier 1's sub-delegate oversight program. Abbreviated DRA of each sub-delegate at initial sub-delegation and every 2 years. Right to direct audit preserved in delegation agreement. Sub-delegate performance metrics included in Tier 1 periodic reporting.

    Tier 3 — Downstream Entities: Plan must be able to identify Tier 3 entities upon request. Complete downstream entity inventory producible within 30 business days. Oversight achieved through contractual cascade requirements, Tier 2 program review, and direct assessment when governance triggers indicate downstream problems.

    Termination Cascade: Minimum 180-day transition period for functions affecting member access to care. All Tier 2 sub-delegation relationships assessed for transition impact. Data transfer and record retention at every tier. Member continuity of care maintained throughout transition.

    CMS 42 CFR 422.504(i)

    Regulatory RequirementDGS Element
    Written delegation agreement must be in placeDRA Dimension 6: Contractual Alignment
    Agreement must specify delegated activities and reportingDRA Dimension 6 + Monitoring Framework metrics
    MA org must monitor delegated activities on an ongoing basisContinuous + Periodic + Event-Driven Monitoring Tiers
    MA org must ensure compliance with all CMS requirementsDHS scoring with escalation tiers
    MA org must revoke delegation if delegate failsEscalation Protocol: Critical tier termination planning
    Sub-delegation requires same protectionsDelegation Chain Model: Tier 2-3 requirements
    MA org remains responsible for all delegated functionsNon-Negotiable #2: Cannot delegate accountability

    NCQA NET Element 6 (Delegation)

    NCQA RequirementDGS Element
    Written delegation agreement with required provisionsDRA Dimension 6 + NEWDEL trigger
    Pre-delegation evaluation of delegate capabilitiesFull Delegation Readiness Assessment
    Ongoing monitoring of delegated activitiesThree-tier Monitoring Framework
    Semi-annual reporting for key indicatorsMonthly/quarterly periodic monitoring exceeds this
    Opportunities for improvement identified and trackedGovernance Triggers + CAP protocol + DHS trending
    Actions taken when delegate does not meet requirementsEscalation tiers with specified actions

    OIG Compliance Program Guidance

    OIG ExpectationDGS Element
    Compliance program extends to all FDRsDelegation Chain Model: all three tiers
    Risk assessment of delegated activitiesDRA seven-dimension assessment
    Monitoring and auditing of delegate complianceThree-tier Monitoring Framework
    Enforcement through contractual provisionsEscalation: CAP, scope reduction, termination
    Training requirements flow to delegatesDRA Dimension 2: Regulatory Compliance

    The documentation standard: a CMS auditor, an NCQA surveyor, or a state regulator could review the delegation governance file and reconstruct, without institutional knowledge, what was monitored, what was found, and what was done about it.

    Standing Documentation (maintained continuously): Delegated Entity Register, Sub-Delegate Register, Delegation Agreement Repository, DHS Dashboard.

    Periodic Documentation (generated on schedule): Monthly Monitoring Reports, Quarterly Oversight Summaries, Annual Delegation Review Reports, Annual DGS Self-Assessment.

    Event-Driven Documentation (generated when triggers fire): Trigger Activation Records, Response Documentation, Root Cause Analyses, Corrective Action Plans, Escalation Determination Memos, Delegation Termination Packages.

    Audit Trail Requirements: All documentation must be date-stamped, author-identified (named individual, not department), version-controlled, immutable upon filing (corrections as addenda), and retrievable within 5 business days.

    Data Commitment

    BAA executed with every client. Delegation performance data is sensitive. We treat it that way from day one.
    Encrypted at rest and in transit. AES-256 storage, TLS 1.3 transport. No exceptions.
    Minimum necessary access. Analyst access scoped to assigned entities only. No bulk exports without written authorization.
    Client owns the data. All scoring, assessments, and governance artifacts are yours. Full export on request. Nothing held hostage.

    Joe Nalley built a 13-location integrated health system from the ground up — behavioral health, SUD/MAT, primary care, urgent care, lab, imaging, surgical center, and a community hospital — and ran it as CEO through acquisition. He founded and sold ClearBill, a billing-integrity platform that returned $9.2M to payers in its first six months of full deployment. Today he is Staff Vice President of Carelon Growth (Elevance Health's specialty health-services arm), where he owns six high-acuity clinical risk books — MSK, Oncology, CHF, Maternity, Autoimmune, and Dementia — across $50B+ in specialty medical spend. Across the lifetime of the companies he has led, more than 200,000 patients have been served.

    What month 12 looks like

    Your compliance team presents the Delegation Governance Certificate to your CMS auditor. Every delegated entity scored, every SLA tracked, every audit finding documented and remediated on a timeline. The DGS v1.0 standard is applied consistently across all delegates. When the auditor asks "how do you govern your delegates?" the answer is a verifiable artifact, not a spreadsheet. That is what Covenant is designed to deliver.

    If your plan manages 10 or more delegated entities, we should talk.

    Built from 15 years of managed care operations, regulatory response, and delegation oversight redesign. No sales deck. Just a conversation about what you are up against.

    No spam. No demo scheduling gauntlet. Just a direct reply.

    Or use the form above.