THE POLICY BELOW IS A SAMPLE FOR REFERENCE ONLY
<Practice Name> Standards of Conduct for First Tier, Downstream, and Related Entities
I. Introduction
Practice Name is committed to providing quality health care to its patients while abiding by the highest ethical standards in compliance with all applicable federal and state laws and regulations. As a result, the practice has implemented a Compliance Program to support our commitment to compliance and promote adherence to applicable laws, rules and regulations.
The Centers for Medicare and Medicaid Services (CMS) requires first tier, downstream and related entities (FDRs) to fulfill specific Medicare program compliance requirements. Chapter 9 of the Medicare Prescription Drug Benefit Manual and Chapter 21 of the Medicare Managed Care Manual (Medicare manuals) describe in detail Medicare’s expectations for all entities who are contracted with Medicare Advantage Carriers to provide health care services to their subscribers.
While reviewing this document, FDRs and their employees should keep in mind that ethical behavior and legal compliance begin with some basic guiding principles:
Honesty and integrity are expressed through truthfulness and the avoidance of deception or fraud. These qualities should guide behavior and decisions in any situation, whether involving day-to-day operational staff, management staff or officers of the practice or its FDRs.
Books, records and documents created and maintained for the furtherance of the practice’s business must be accurate and properly maintained.
FDRs have a responsibility to use the authority delegated to them in the best interest of the practice and to adhere to the standards set forth in this document.
Business operations should be conducted with attention to ethics and integrity, as this fosters a continued positive relationship with patients and CMS.
II. Definitions
Practice Name has adopted the following CMS definitions to define FDRs:
A. FDR means first tier, downstream or related entity.
B. First Tier Entity is any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization (MAO) or Part D plan sponsor or applicant to provide administrative services or health care services to a Medicare-eligible individual under the Medicare Advantage Part C and/or Part D programs.
C. Downstream Entity is a party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the Medicare Advantage benefit or Part D benefit, below the level of the arrangement between a MAO or applicant or a Part D plan sponsor or applicant and a first-tier entity. The written arrangements continue down to the level of the ultimate provider of both health care and administrative services.
D. Related Entity means any entity that is related to a MAO or Part D sponsor by common ownership or control and:
1. Performs some of the MAO or Part D sponsor's management functions under contract or delegation;
2. Furnishes services to Medicare enrollees under an oral or written agreement; or
3. Leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period.
All the Medicare compliance program requirements described in this document apply to anyone contracted with a Medicare Advantage Plan who provides administrative or health care services to our enrollees for the following reasons:
1. Medicare Advantage (MA) regulations and CMS rules clearly state providers contracted with a Medicare Advantage Plan to provide health care services to our Medicare members are designated as "first tier entities.” The Medicare manuals include "healthcare services" in the list of examples of the types of functions that a third-party can perform as a first-tier entity. These compliance program requirements apply to providers that deliver health care services to Medicare members.
2. Section 40 of the Medicare manuals further clarifies entities providing health services and hospital groups are first tier entities. If the practice is contracted with a hospital group but does not have a direct contract with the group's hospital and other providers, the group is obligated to ensure its downstream entities comply with CMS compliance program requirements as described in this guidance.
3. Medicare compliance program requirements apply to entities with which the practice contracts to perform certain functions such as claims processing, patient management, and credentialing under one of our Medicare Advantage Plans or Medicare Part D contracts. We are required to credential health care providers that participate in these Medicare lines of business. In certain circumstances, the practice contracts with entities to perform these credentialing services on our behalf under a delegation agreement. CMS identifies, in its manual guidance, these delegated credentialing entities to be first tier entities.
Other examples of FDRs include delegates, agents, broker organizations, pharmacies, and other individual entities such as vendors or suppliers contracted with a Medicare Advantage Plan to provide administrative and/or healthcare services for our Medicare lines of business.
III. Compliance with Laws and Regulations
1. The practice expects FDRs to operate in accordance with all applicable federal and state laws, regulations and Medicare program requirements including, but not limited to, the following:
1. Title XVIII of the Social Security Act
Title XVII of the Social Security Act established the Medicare program, which guarantees access to health insurance for all Americans, aged 65 and older, younger people with specific disabilities, and individuals with end stage renal disease.
2. Regulations Governing Medicare Parts C and D
(42 C.F.R. §§ 422 and423)
a. 42 C.F.R. §422: Medicare Advantage program. This regulation implements the Medicare Advantage Program under the Social Security Act.
b. 42 C.F.R. §423: Prescription drug program. This regulation implements the prescription drug program under the Social Security Act.
3. Federal and State False Claims Acts
(31 U.S.C. §§3729-3733)
The Federal False Claims Act (FCA) prohibits any person from engaging in any of the following activities:
a. Knowingly submitting a false or fraudulent claim for payment to the United States government;
b. Knowingly making a false record or statement to get a false or fraudulent claim paid or approved by the
government;
c. Conspiring to defraud the government by getting a false or fraudulent claim paid or approved by the government; or
d. Knowingly making a false record or statement to conceal, avoid or decrease an obligation to pay or transmit money or property to the government.
4. Federal Criminal False Claims Statutes
(18 U.S.C. §§ 287, 1001)
Federal law makes it a criminal offense for anyone to make a claim to the United States government knowing that it is false, fictitious, or fraudulent. This offense carries a criminal penalty of up to five years in prison and a monetary fine.
5. Anti-Kickback Statute
(42 U.S.C. § 1320a-7b(b))
This criminal statute prohibits anyone from knowingly and willfully receiving or paying anything of value to influence the referral of federal health care program business, including Medicare and Medicaid. Kickbacks can take many forms such as cash payments, entertainment, credits, gifts, free goods or services, the forgiveness of debt, or the sale or purchase of items at a price that is inconsistent with fair market value. Kickbacks may also include the routine waiver of copayments and/or co-insurance. Penalties for anti-kickback violations include fines of up to $25,000, imprisonment for up to five years, civil money penalties up to $50,000, and exclusion from participation in federal health care programs.
6. The Beneficiary Inducement Statute
(42 U.S.C. § 1320a-7a(a)(5))
This statute makes it illegal to offer remuneration that a person knows, or should know, is likely to influence a beneficiary to select a provider, practitioner, or supplier, including a retail, mail order or specialty pharmacy.
7. Physician Self-Referral (Stark) Law
(42 U.S.C. §1395nn)
The Stark Law prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies. Stark Law also prohibits the designated health services entity from submitting claims to Medicare for services resulting from a prohibited referral. Penalties for Stark Law violations include overpayment/refund obligations, FCA liability, and civil monetary penalties. Stark Law is a “strict liability” statute and does not require proof on intent.
8. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was developed as part of a Congressional effort to reform health care. HIPAA addresses many purposes, such as the transference of health insurance, the reduction of fraud and abuse, and the improvement of access to long-term care services. However, the regulations regarding privacy and administrative simplification of health insurance are the areas that have the greatest impact on MAOs and Medicare Part D Plans.
9. Fraud Enforcement and Recovery Act (FERA) of2009
FERA made significant changes to the False Claims Act (FCA). FERA makes it clear that the FCA imposes liability for the knowing retention of a Medicare or Medicaid overpayment. Consequently, a health care provider may violate the FCA if it conceals, improperly avoids or decreases an “obligation” to pay money to the government.
10. Non-Retention of Excluded Individuals
MAOs, Part D Plans, and Medicare providers and suppliers are prohibited from employing or contracting with persons or entities that have been excluded from doing business with the federal government.
Violations or suspected violations of the above-mentioned laws or regulations should be promptly reported to the practice.
IV. Medicare Compliance Program and Attestation Requirements for FDRs
A. Fraud, Waste and Abuse (FWA) Training and General Compliance Training
As a first-tier entity, the practice is required to provide FWA training and general compliance training to all employees and downstream entities that provide administrative and/or health care services for the practices Medicare Advantage Plan patients. The training should be completed within 90 days of initial hire or the effective date of the contract and on an annual basis thereafter. There are 3 options available for training:
1. Complete the general compliance and/or FWA training modules located on the CMS Medicare Learning Network (MLN), which are available through the links below. Once you complete the training, the system will generate a certificate of completion.
2. You can incorporate the content of the CMS standardized training modules from the CMS website into your organization’s existing compliance training materials.
3. You can incorporate the content of the CMS training modules into written documents for distribution to your employees and downstream entities.
NOTE: FDRs deemed to have met the FWA training through enrollment in Parts A or B of the Medicare program or through accreditation as a supplier of DMEPOS are NOT exempt from the general compliance training requirement.
Link to Medicare Parts C and D General Compliance Training:
Link to Medicare Parts C and D Fraud, Waste, and Abuse Training:
***Beginning January 1, 2019 CMS will not be requiring FDR’s to complete the general compliance training, however individual Medicare Advantage Plans may still require their FDR’s to implement compliance training as a condition of their contracts. The practice will comply with any compliance training requirements set forth in the Medicare Advantage Plans contract.
B. Code of Conduct Distribution
The practice will distribute the Code of Conduct to all new hires within 90 days of their hire date or date of the contract an annually thereafter. All employees and downstream providers will be provided with the Code of Conduct on an annual basis.
Distribution logs will be used as evidence of distribution of the Code of Conduct.
C. Exclusion List Screenings
Federal law prohibits the payment by Medicare, Medicaid or any other federal health care program for an item or service furnished by a person or entity excluded from participation in these federal programs. The practice and its FDRs are prohibited from contracting with, or doing business with, any person or entity that has been excluded from participation in these federal programs. The practice will check the exclusion list prior to hire and/or contract date, and monthly thereafter, to confirm its employees and downstream entities performing administrative or health care services for their Medicare Advantage Plan lines of business are not excluded from participation in federally-funded health care programs according to the OIG List of Excluded Individuals and Entities (OIG LEIE) and the System for Award Management (SAM) exclusion lists.
The OIG LEIE database can be found at:
https://exclusions.oig.hhs.gov/
The General Services Administration (GSA) SAM database can be found at:
https://www.sam.gov/portal/SAM/#1
In the event an employee or downstream entity are found on either exclusion list, the will be immediately removed from the work related directly or indirectly to Medicare Advantage Plan beneficiaries and will notify the Medicare Advantage Plan of the findings.
Logs will be maintained as evidence of each OIG LEI and SAM database query which will document that each employee and downstream entity has been checked for exclusion for a minimum of 10 years.
D. Reporting FWA and Compliance Issues or Concerns
The practice is dedicated to the prevention, detection and correction of incidents that could lead to fraudulent, abusive or wasteful behavior. The practice believes that it is the duty of every employee who has knowledge of a potential compliance or issue of fraud, waste or abuse to promptly report the concern upon discovery. The reporting obligation applies to all employees, including those not in a position to mitigate or resolve the potential problem. This applies to all of the practices FDR’s.
The reporting methods are as follows:
v Report the potential concern directly to the practices Compliance Officer,
v Report the potential concern directly to the Governing Body,
v Or report the potential concern by mail to the practice’s office address.
***Incidents of FWA or compliance issues can be reported anonymously however it must be noted that any anonymous reports of suspicious behavior can hinder or otherwise delay the practices ability to investigate and act upon the reported issue.
The practice has also adopted a zero-tolerance policy for intimidation or retaliation against anyone who reports suspected or actual misconduct.
E. Offshore Operations and CMS Reporting
To ensure compliance with applicable federal and state laws, rules and regulations, the practice is prohibited from using any offshore individual or entity , including, but not limited to, any employee, contractor, downstream (subcontractor), agent, representative or other individual or entity, to perform any services for the practices Medicare lines of business if the individual or entity is physically located outside of the United States territories unless an authorized Medicare Advantage Plans’ authorized representative agrees in advanced and in writing to the use of such offshore entity (i.e., American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands).
Should the practice engage or utilize an offshore entity to perform services for our Medicare lines of business in an offshore location involving the receipt, processing, transferring, handling, storing or accessing a Medicare member’s protected health information (PHI) and this arrangement was approved by the Medicare Advantage Plans the practice participates in, an attestation must be submitted to CMS notifying them of the practices use of the offshore entity. An example provided by CMS of offshore services that could cause this attestation requirement is “offshore subcontractors that receive radiographic images for reading, because the Medicare beneficiary PHI is included with the radiographic image and the diagnosis is transmitted back to the U.S.” The practice is required to notify the Medicare Advantage Plans’ representative immediately if you intend to use an offshore entity to perform services for our Medicare members.
F. Monitoring and Auditing of First Tier and Downstream Entities
CMS requires the practice to develop a process to monitor and audit our first-tier entities to ensure compliance with all applicable laws and regulations, and to ensure our first-tier entities are monitoring the compliance of their downstream entities. The practice will distribute the FDR Agreement to all subcontracted organizations/individuals or any other individuals/parties who provide administrative and/or health care services to the practices Medicare Advantage Plan lines of business. The practice will retain evidence of completion, and implement corrective action plans or take disciplinary actions, as necessary to prevent recurrence of noncompliance with applicable law.
If it is determined an FDR is not compliant with any of the requirements contained in the FDR Agreement, the FDR will be required to develop and submit a Corrective Action Plan (CAP). The practice will aid the FDR in addressing any compliance issues identified.
G. Violations of These Standards of Conduct Suspected violations of these Standards of Conduct must be reported to the practice immediately. Any individual who makes a report in good faith will not be subject to retaliation or any other form of reprisal. The practice will make every effort to protect the rights of any individual accused of violating these Standards of Conduct. However, any person who deliberately makes a false accusation with the intention of harming or retaliating against another person or the practice will be subject to disciplinary action. The practice will impose disciplinary actions for violations of law, CMS regulations, non-compliance with the Medicare program, and FWA. These actions may include, but are not limited to, oral or written warnings, suspensions, financial penalties, and/or reporting of the conduct to the appropriate law enforcement agency, and/or employment termination.
COMPLIANCE OFFICER, CORPORATE COMPLIANCE COMMITTEE AND HIGH-LEVEL
OVERSIGHT
Practice Name recognizes the importance of fostering a compliance culture. To this end, Practice Name maintains and supports a corporate compliance committee and a compliance officer vested with clear roles, responsibilities and objectives.
Compliance Officer
Practice Name compliance officer will serve as an integral part of Practice Name compliance plan and act as the focal point for compliance activities. The compliance officer will have direct access to the president/CEO and board of directors of Practice Name. The compliance officer will also be responsible for developing, operating and monitoring the compliance program. The compliance officer may delegate such responsibilities where appropriate. The compliance officer does not hold other responsibilities that could lead to self-policing of his activities. Practice Name compliance officer is Employee Name.
Authority:
The compliance officer has the following authority:
v Interview or delegate the responsibility to interview the sponsor’s employees and other relevant individuals regarding compliance issues;
v Review company contracts and other documents pertinent to the Medicare and Medicaid programs;
v Review or delegate the responsibility to review the submission of data to Medicare and Medicaid entities to ensure that it is accurate and in compliance with reporting requirements;
v Independently seek advice from legal counsel;
v Report potential FWA to CMS, its designee, or other required state entities or law enforcement;
v Conduct and/or direct audits and investigations of any FDRs;
v Conduct and/or direct audits of any area or functions of company, including those involved with Medicare Parts C or D plans; and
v Recommend policy, procedure, and process changes.
Roles and Responsibilities:
v Overseeing and monitoring the implementation of the compliance program; Report on a regular basis to the president/CEO, corporate compliance committee and board of directors;
v Periodically revise the compliance program considering changes in the needs of the organization, and in law and policy of governmental agencies;
v Develop, coordinate and participate in multifaceted educational and training programs that focus on the elements of the compliance program;
v Coordinate internal compliance review and auditing/monitoring activities;
v Develop policies and programs that encourage managers and employees to report suspected compliance issues, fraud and other improprieties without fear of retaliation; and
v Assist in the oversight of the Special Investigation Unit (SIU).
The compliance officer has the flexibility to design and coordinate internal investigations (e.g. responding to reports of problems or suspected violations) and issue any resulting corrective action (e.g. making necessary improvements to policies and practices and taking appropriate disciplinary action) working through the compliance program. Such activities may include but are not limited to:
v Coordinating issues with the governing body to ensure that the National Practitioner Data Bank, Cumulative Sanction Report, the OIG and GSA resources have been checked with respect to all employees, officers, directors and managers as well as FDRs and providers to make sure they are not included on such lists restricting participation in Medicare and Medicaid Programs;
v Reporting any applicable fraud or misconduct to CMS, its designee and/or law enforcement;
v Ensuring proper documentation is maintained for each report of potential compliance, FWA received through any of the reporting methods (e.g. hotline, mail, or in-person). Such documentation includes all corrective and/or disciplinary action(s) taken as a result of the investigation, the respective dates when each of these events and/or actions occurred, and the names and contact information for the person(s) who took and documented these actions;
v Overseeing the development and monitoring the implementation of CAPs; and
v Independently investigating and coordinating potential fraud investigations/ referrals and where applicable, coordinating and cooperating with the appropriate MEDIC and/or law enforcement agency.
The compliance officer, as appropriate, collaborates with other sponsors, commercial payers, and other organizations when an FWA issue is discovered that may involve multiple parties.
Corporate Compliance Committee
Practice Name has established a corporate compliance committee to advise and assist the compliance officer in the implementation of the compliance program. The committee will consist of members with relevant experience within Practice Name and senior management.
The voting members of the committee shall be comprised of the following: (member examples below. Modify to your specific practice)
v Chief Executive Officer
v Chief Financial Officer
v Vice President of Clinical Services
v Vice President of Human Resources
v Director of Pharmacy
v Director of Internal Audit
v Compliance Officer
Additional members of the executive management team will be brought in on an ad hoc basis. The committee’s chairperson is the compliance officer.
Roles and Responsibilities:
The committee’s responsibilities shall include:
v Meet at least four times per year, and as necessary;
v Analyze the industry environment, legal requirements with which it must comply and specific risk areas;
v Assess existing policies and procedures that address these risk areas;
v Work with appropriate departments to promote compliance;
v Recommend and monitor the development of internal systems and controls to carry out Practice Name standards, policies and procedures;
v Determine the appropriate strategy/approach to promote compliance with the program and detection of any potential violations through hotlines and other fraud reporting mechanisms;
v Support the officer’s needs for enough staff and resources to carry out his/her duties;
v Ensure Practice Name has appropriate, up-to-date compliance policies and procedures;
v Review and address reports of monitoring and auditing of areas in which Practice Name is at risk of FWA and ensuring CAPs are implemented and monitored;
v Annually, review the Corporate Compliance Plan.
Governing Body
The Corporate Compliance Program operates under the purview of the board of directors. To promote effective oversight, the board of directors has established Practice Name Audit and Corporate Compliance Committee (ACC). The purpose of the ACC is to assist the board of directors in fulfilling its oversight responsibilities of Practice Name with respect to the performance of the practices internal audit and compliance functions.
The ACC provides advice and counsel to management in its oversight of financial audits, internal controls, implementation of the corporate compliance program, and ethics processes. The ACC serves as an independent and objective party to monitor these processes and provides an open avenue of communication between the independent auditor, financial and senior management, the internal audit and compliance department, and the governing body.
The ACC, on behalf of the board of directors, will review and provide oversight to at least the following areas:
v Approval of the Code of Conduct (performed by the full board of directors);
v The scope, structure, process and effectiveness of the corporate compliance program;
v The findings of any regulatory investigations, including the results of internal and external audits;
v Updates from management and the compliance officer on legal or regulatory matters that significantly impact, or present an unaddressed risk, to the organization
v Governmental compliance enforcement activities such as notices of noncompliance, warning letters and/or more formal sanctions; and
v The communication of periodic updates from the compliance officer and corporate compliance committee to the board of directors.
Practice Name board of directors’ delegates the authority for the day-to-day development and implementation of the Corporate Compliance Plan to executive management and the compliance officer. These items include, but are not limited to:
v Development, implementation and annual review of compliance policies and procedures;
v Approval of compliance policies and procedures;
v Review and approval of periodic compliance risk assessments;
v Review of internal and external audit work plans and audit results;
v Review and approval of CAPs resulting from internal or external audits;
v Review, approval and appointment of the compliance officer; and
v Review of dashboards, scorecards, self-assessments and other applicable items that reveal compliance issues.