ANS Normative Resolution 659 — issued by Brazil's national health insurance regulator, Agência Nacional de Saúde Suplementar — marks a turning point in how Brazilian health operators will be supervised. For mid-market operators in Brazil, the change is regulatory. For international observers, the Brazilian model is worth watching: as one of Latin America's largest and most regulated private health markets, Brazil tends to set precedents that other regional regulators follow.
This playbook translates what RN 659 implies for day-to-day operations, where ANS is most likely to focus its attention, where the pharmacy claims book is most exposed, and what a mid-market operator can do in the next 60 days to walk into the next audit cycle with a defensible program.
1. What RN 659 actually changes — a plain-language breakdown for operators
In practical terms, RN 659 reinforces the regulator's expectation that operators maintain active and demonstrable controls over claims authorization, denial, payment, and audit. The norm does not invent new controls from scratch. It consolidates the obligation to prove that those controls exist, are executed consistently, and are auditable.
Three shifts deserve attention.
From declared control to demonstrated control. Having written internal policies is not enough. ANS expects to see execution evidence: audit trails, exception logs, documented justifications for off-standard approvals, coverage metrics.
From sample-based audit to continuous monitoring. The historical model — where operators review a fraction of claims after payment — fits less and less comfortably with regulatory expectations. ANS has signaled that controls considered adequate should cover the full universe of relevant claims, not just samples.
From reactive response to documented prevention. When indicators of fraud, waste, or abuse appear, the operator must demonstrate it had mechanisms to identify the problem before payment, not only to recover the amount afterward.
The useful read for a board of directors is straightforward: the cost of non-compliance is not only the potential fine. It is the much higher likelihood that an inspection identifies structural weaknesses that trigger corrective actions, intensified monitoring, and reputational damage in the market.
2. The new enforcement model — planned audits, escalating penalties, inspection triggers
ANS has signaled, through public communications and its regulatory agenda, a more active enforcement posture. For operators, that means three things.
Risk-based planned audits. The selection of operators to be inspected tends to favor specific risk profiles: atypical loss-ratio growth, recurring complaints, indicators outside sector norms, failures in previous cycles. Operators that do not monitor their own indicators are exposed to being surprised by what ANS already sees.
Escalating penalties. Although specific fine amounts vary case by case and are governed by separate norms, the principle is clear: repeated or structural violations can escalate significantly, potentially going beyond pecuniary penalties to reach special intervention regimes such as fiscal or technical oversight.
Inspection triggers. Beneficiary complaints, inconsistencies in data submitted to regulatory systems, press alerts, and cross-references against external databases have been consolidating as inspection triggers. Operators that cannot respond quickly when a trigger fires immediately enter at a disadvantage.
The practical consequence is direct: an operator may be audited not because something went wrong, but because it cannot demonstrate quickly enough that everything is going right. The absence of evidence has itself become a risk factor.
3. Pharmacy claims — the highest-risk category under ANS scrutiny
Within the broader claims universe, pharmacy benefits — where they exist as covered services — concentrate a disproportionate share of regulatory risk. The reasons are structural.
Pharmacy claims are high in volume and low in unit value. That favors diffuse leakage: thousands of small overpayments, each individually defensible, that aggregate into a significant cost. Manual review cannot keep up with the volume, and sample-based audit tends to miss the pattern entirely.
Analysis of Latin American health insurance claims data has identified that 43.4% of pharmacy spend exhibits detectable anomalies. The composition of those anomalies shows where the risk concentrates:
For an operator with 50,000 subscribers, those patterns project to roughly 5.1 million dollars per year in preventable leakage. These figures — calculated against real Latin American pharmacy claims data — are not marketing material. They represent the size of the problem an inspection can discover before the operator does.
Under the logic of RN 659, the question the regulator can ask is simple: did you have mechanisms to identify that leakage? If yes, where are the records? If no, why not?
4. What "adequate controls" looks like in an ANS audit
The phrase "adequate controls" appears across several norms, and what counts as adequate is generally defined in the practice of each inspection. But there is a set of elements that is consolidating as the expected floor.
Universal coverage. Controls operate over the full set of relevant claims, not over samples. Where exceptions exist (by volume, by procedure type), the exception is justified and documented.
Traceability. Every decision — authorization, denial, adjustment, rejection — leaves a trail. The trail includes the criterion applied, the actor that decided (human or system), the timestamp, and the evidence consulted.
Timeliness. Controls act at the right moment in the cycle. For pharmacy claims, that means preferably before or at the moment of authorization, not months later in post-payment review.
Independence. Controls cannot be overridden by the same areas that push for approval. There is a separation of duties between who authorizes, who audits, and who recovers.
Demonstrability. At any moment, the operator can produce consolidated reports that show volume processed, exceptions raised, actions taken, and the financial outcomes of those controls.
When an inspector asks to "see the controls," what they expect is not a slide presentation of the policy. It is a body of operational evidence that proves, in data, that the controls work every day.
5. Building an audit-ready pharmacy fraud program — required documentation
A program that survives an ANS audit, from a pharmacy fraud and waste standpoint, is built on four documentation layers. None of them is optional.
Layer 1 — Policy and governance. A document approved by senior management that defines what waste, abuse, and fraud mean in the operator's context; who owns the program; which committees are involved; how often indicators are reported to the board.
Layer 2 — Detection rule catalog. A description of the rules applied to identify anomalies in pharmacy claims. The description must be readable by a non-technical auditor: what each rule looks for, why it exists, and what its clinical or financial basis is. Operational internal details belong to the technical area and should not be published externally. What matters is that the catalog exists, is versioned, and is reviewed periodically.
Layer 3 — Execution trails. For each audited period, evidence that the rules were actually applied: number of claims analyzed, number of exceptions raised, distribution by rule type, resulting actions. Without execution trails, the rule catalog is just paper.
Layer 4 — Exception resolution. For each exception raised, a record of how it was handled: was it confirmed as an anomaly? Did the provider contest it? Was it escalated to investigation? Was the amount recovered? False positive rate, confirmation rate, and recovered amount should be monitored indicators.
An operator that presents all four layers in an inspection demonstrates a functional program. An operator that presents only Layer 1 — policy without execution — is the one that receives a corrective action plan.
6. Technology infrastructure — what you need vs. what you probably have
Most mid-market operators run on a combination of legacy claims-management systems, spreadsheets, and human audit teams. That arrangement cannot sustain the level of documentation that RN 659 implicitly demands.
What typically exists:
What inspectors expect to see:
The distance between those two points is exactly where regulatory risk accumulates. Closing that gap without rewriting the entire IT environment requires adopting specialized components that connect to the existing stack. The core function of those components is twofold: apply detection rules over the actual claims flow and automatically produce the documentation an audit will request.
This is exactly where Inspector AI positions itself: as the compliance backbone — automating documentation, flagging anomalies, and generating audit-ready reports — without forcing the operator to rebuild legacy systems. The initial analysis does not require integration: a sample of claims data can be evaluated in roughly three weeks, giving the operator a picture of its own risk before any inspection arrives.
7. 60-day compliance sprint — prioritized checklist for mid-market operators
For a mid-market operator, rebuilding the entire anti-fraud program in a single move is unrealistic. The realistic path is a 60-day sprint that orders priorities and produces fast evidence.
Days 1–10: Current-state diagnostic
Days 11–25: Initial risk analysis
Days 26–40: Minimum documentation
Days 41–55: Documented execution
Days 56–60: Inspection-ready package
In 60 days, a mid-market operator does not solve the entire problem. But it walks into the next audit cycle with something that was missing: a demonstrable program.
The decision left on the table
RN 659 is not asking operators to do the impossible. It is asking them to do, in a documented and continuous way, what has always been recommended: identify, prevent, and address waste, abuse, and fraud before they become losses. The cost of further delay is a combination of fines, premium pressure, reputational damage, and — in extreme cases — operational restrictions. For health operators outside Brazil, the Brazilian model is also an early signal of where regional regulators are heading.
To understand where your operation stands against this expectation, request a free analysis or write to info@inspector-ai.com.