Risks in Misclassifying First Tier, Downstream, and Related Entities (FDRs)

There are a number of criteria outlining the oversight of First Tier, Downstream and Related Entities for Medicare Advantage Organizations.  Chapters 21 / 9 and 11 of the Medicare Managed Care Manual provide guidance and expectations on how to oversee FDRs. For designated FDRs, oversight activities include the following, which amounts to considerable financial and administrative commitments:

• Appropriate Contracting
• Pre-delegation audits
• Annual compliance audits
• Risk assessments
• Routine monitoring
• Routine auditing
• Exclusions & Sanctioned Screening
• Corrective actions oversight
• Overall compliance oversight

But first, however, we have to identify them.  At onset, a more risk averse approach may appear to be overly inclusive. However, this may not be so. In fact, being overly inclusive in designating a vendor as an FDR may impose further regulatory risk and burden to the Sponsor.  It is important to take the time to ‘get it right.’ The following article outlines recommendations related to improving and streamlining any Sponsor’s approach to identifying and managing First Tier, Downstream, and Related Entities (FDRs) Identification.  Now, more than ever, it is important to ‘get it right’ because Sponsors are responsible for ensuring that all First-Tier entities are included in their risk assessments, and auditing and monitoring work plans as is evidenced in current CMS Compliance Program Evaluation audit protocols.  The determination of whether a vendor is an FDR bears, financial, legal and regulatory burdens that must be well understood and considered before decisioning on whether a vendor is an FDR.

1. FDR Identification

With regard to FDR identification, a Sponsor’s approach may be, ‘if in doubt, include the vendor as an FDR.’ However, it is recommended that there is a multi-disciplinary team which includes, business owners, compliance, and legal to review the statement of work of a particular vendor in question.

For example, the threshold question may be,
‘Does a new vendor impact Medicare members?’

If so, then proceed with the analysis.  Note that the business must ensure that this question is triggered early on in the contracting process.  Once a business owner answers this question in the affirmative, then an FDR assessment is triggered.  It is recommended that the review process include the following:

1. Compliance is sent the actual contract or statement of work.
2. Compliance reviews the contract against its applicable FDR Identification policy and procedure.
3. Compliance makes a determination as to whether a vendor is an FDR.
4. Compliance notifies legal of its determination.
5. Legal reviews the determination either agreeing or disagreeing with compliance’s determination.
6. Before making a final determination, compliance, legal, and the business owner should meet to discuss the statement of work, particularly for more complicated work orders.
7. If the determinations between legal and compliance are not aligned, then leadership and business owners are engaged in order to flush out any factual gaps until resolution is achieved.

It should be noted that readily being able to access contracts and discussions with business owners is imperative in order to effectively making decisions on FDR status.  To be able to effectively assess whether a vendor is an FDR, there are a number of factors that CMS recommends Sponsors take into consideration in making the determination. To learn about FDR identification, click here: mc86c21.pdf (cms.gov).  Discussing these criteria can help the Sponsor take a more conservative and mindful approach in designating FDRs.   Being specific about criteria and determinations will help curb exposure and regulatory risk for the Plan.  If a Sponsor designates a vendor as an FDR, then the following must occur:

1. Ensure that appropriate contracting requirements, including Medicare Advantage Addendum as required by MCMG Chapter 21 / 19, 11 are met
2. Ensure and evidence the FDR is incorporated into the Annual Medicare Compliance Risk Assessment
3. Ensure and evidence the FDR is effectively monitored consistent with CMS expectations
4. Ensure and evidence that the FDR is effectively audited consistent with CMS expectations and associated risk scores
5. Ensure and evidence that the Medicare specific Standards of Conduct and policies and procedures are distributed annually
6. Ensure and evidence that all FDRs are screened through sanctioned screening policies and procedures upon contracting and monthly thereafter
7. Ensure and evidence that all pre-delegation activities are conducted upon contracting
8. Ensure that annual Compliance related attestations are administered annually
9. Address any corrective actions as a result of appropriate oversight
10. Report the status of these FDRs to the Medicare Compliance Committee and the Board of Directors on a regular basis.

It is recommended that the Sponsor establish a forum and resources to effectively determine whether a vendor is an FDR upon contracting.  There are risks in being overly inclusive of FDRs in that Sponsor’s must demonstrate these oversight activities to CMS.  Further, based on standard business practice, there are likely already established oversight mechanisms to mitigate risks for those entities with whom the Sponsor has entered Business Associate Agreements.  Often time, Sponsors use the criteria of the exchange of protected health information, as a basis for designating a vendor as an FDR.  To be clear, the exchange of protected health information under HIPAA is not the only criteria to consider whether a vendor is an FDR; it may be part of a risk analysis but in and of itself is not the only determinant.

The following factors can be considered and discussed more openly and with more confidence on determinations and designations of FDR status:

1. Whether the function is something the Plan is required to do or to provide under its contract with CMS, the applicable federal regulations or CMS guidance;
2. Are the delegated services that the vendor will be performing in the CMS contract for the Sponsor?
3. The overall function to be performed by the delegated entity;
4. To what extent the function being delegated directly impacts enrollees;
5. To what extent the delegated entity interacts with enrollees, either orally or in writing;
6. Whether the delegated entity has access to beneficiary information or personal health information;
7. Whether the delegated entity has decision-making authority (e.g., enrollment vendor deciding time frames) or whether the entity strictly takes direction from the Plan;
8. The extent to which the function places the delegated entity in a position to commit health care fraud, waste, or abuse; and
9. The risk that the entity could harm enrollees or otherwise violate Medicare program requirements or commit Fraud, Waste, and Abuse.

If the response is Yes to #1 above (the threshold question), then the vendor should be designated as an FDR for the Sponsor. If the answer to the threshold question is No, in conjunction with the responses to the questions following, the Sponsor may or may not consider the entity to be an FDR.

When identifying an FDR, it is recommended that a Sponsor establish a forum for dialogue around answering the above questions in order to make an accurate determination of whether a vendor is an FDR.  It is further recommended that the basis for determinations be documented.

1. Pre-Delegation Audits

Once it is determined that a vendor is an FDR, the Sponsor should establish a formalized process to conduct a pre-delegation audit.  The purpose of conducting a pre-delegation audit is to fully assess a First Tier entity’s capacity to manage and perform the delegated function(s) in accordance with state and federal laws, CMS regulations, and the Sponsor’s own goals, policies and procedures.

Before embarking on establishing a new pre-delegation audit process, it is recommended that Sponsor’s inventory established tools for leading a vendor through the contracting and approval process.   For example, consider incorporating implementation and assessment work performed by business owners, by IT to meet security standards, by the privacy department, and legal.  Identify the tools already in place and build on them to create a well-documented pre-delegation audit trail to help evidence the oversight activities the Sponsor has already established prior to delegating the function.

Sponsors may wish to consider the following procedural steps once a determination has been made that a vendor is being designated as an FDR by the Sponsor AND that the Sponsor’s business owner intends to proceed with contracting.

1. Establish a main point of contact with the FDR
2. Trigger a pre-delegation audit notification covering the following topics:

• Medicare Compliance (these questions can be pre-canned)
• HIPAA Security and Disaster Recovery (these questions can be pre-canned)
• HIPAA Privacy team (these questions can be pre-canned)
• Operational capabilities*

*These questions need to be customized to the relevant FDR and delegated function.  There may need to be a multi-disciplinary team developing these questions but should include information on reporting capabilities, cadences, communications and routing, capabilities in general and whether they are compliant with regulatory requirements.

All of these audit oversight activities are separate and apart from legal review of the contract, including ensuring that the agreement is in writing and consistent with Chapter 11 – Medicare Advantage Application Procedures and Contract Requirements, Section 110  of the Medicare Managed Care Manual (MA Addendum provisions).

The Sponsor may wish to consider establishing one point of contact for the prospective First Tier entity to manage communications.  Upon submission of materials by the prospective First Tier entity, then subject matter experts from Medicare Compliance, IT, privacy, and business owners would review responses.  If there are any open items, they should be addressed with the FDR.  If there are any material deficiencies, a corrective action plan (CAP) must be requested.  While it is preferred that CAPs are fully remediated before contracting, it is not required so long as a reasonable timeline for remediation and assurance of interim compliance efforts exists.

It should be noted that that Section 110.2 of Chapter 11 notes that the “following specific requirements apply to all delegated functions:

• Written arrangements must specify delegated activities and reporting responsibilities;

• The organization evaluates the entity’s ability to perform the delegated activities prior to delegation. The organization must document that it has approved the entity’s policies and procedures with respect to the delegated function. It also must verify that the contractor has devoted sufficient resources and appropriately qualified staff to performing the function; or

• The performance of the entity is monitored on an ongoing basis and formally reviewed by the organization at least annually. The organization must have written procedures for monitoring and review of delegated activities. The nature of ongoing monitoring may vary according to the organization’s past experience with the delegate and with the nature of the delegated activity. In the areas of grievance processing or utilization management, for example, monitoring may be more or less continuous, in as much as decisions by the delegate may be appealed to the organization. However, the organization must periodically verify that the delegate is in fact forwarding requests for reconsideration, and that its statistical or other reporting on these processes is accurate. In other areas, such as credentialing, annual review of the delegate’s activities may be sufficient, particularly if the organization has ascertained in the past that the delegate is performing the activity properly.”

There are pitfalls related to the when the Sponsor conducts pre-delegation audits.  Many Sponsors have businesses that run fast, and pre-delegation audits occur either prior to the effective date of delegation or during implementation of delegated services (generally no later than within six months of the effective date).  Taking this approach (i.e., completing pre-delegation after contracting) bears risk and positions the organization with weaker leverage in negotiating issues that require corrective actions as opposed to pre-delegation audits and their respective CAPs were to occur prior to contracting.   As a best practices, it is recommended that Sponsors conduct both pre-delegation oversight activities as well as ongoing auditing and monitoring, which is consistent with guidance outlined in in Chapter 11, 110.2.

In general, the Medicare Compliance Department, in conjunction with the Sponsor is responsible for the FDR relationship will need develop a checklist of items to assess during the Pre-Delegation Audit, which may include:

1. The FDR’s ability to perform the delegated function(s)
2. Policies and procedures specific to the delegated function
3. Resources (administrative and financial) sufficient and qualified to perform the required function(s)
4. Documentation systems
5. Performance monitoring and activity reports (and their respective cadence)
6. Capabilities related to sub-delegated functions/oversight
7. Confirmation that the proposed FDR has all required licenses and certifications
8. The FDR has an adequate compliance program
9. The FDR has an adequate HIPAA privacy and security program
10. Willingness and capabilities to provide Sponsors access to databases and systems

At minimum, the pre-delegation audit consists of a desk review of documentation.  In addition, it may include a review of the FDR’s downstream arrangements, and may include a review of committee meetings, interviews and an in-person site visit, if necessary.

1. Information collected during the pre-delegation audit may include but is not limited to policies and procedures; program descriptions and work plans; forms, tools, systems, and reports; sub delegation agreements; letters of accreditation; and sample reports.
2. The results of the pre-delegation audit will be given to the business owner responsible for the function(s) being delegated, and to the Medicare Compliance Committee.   The FDR must be informed of any corrective actions and an expected timeline for completion (or a request that the FDR provide this timeline).

The results of the Pre-Delegation Audit must be presented to the Sponsor’s Medicare Compliance Committee, the business owners, and the FDR.  There should be widespread communication of any pre-delegation failures or failures to complete required CAP actions. If applicable, CAPs and timely remediation activities must follow the Sponsor’s Medicare Compliance CAP policy and procedure.  The Medicare Compliance Department retains the right to request assurances from the FDR that any findings will be addressed within a reasonable time, and any repeat findings will be considered proof of inadequate performance and will be addressed by the remedies made available to the Plan in the delegation agreement.

CAP progress, CAP completion, and any related issues must be reported to the Medicare Compliance Committee and any summary high-level information would be reported to the Board of Directors.

In sum, there are different ways in which a Sponsor can complete this task.  However, so long as pre-delegation audits occur timely, are well-documented and evidenced (along with the initiation and remediation of CAPs) and reported to the Medicare Compliance Committee and Board of Directors, the Sponsor can meet its regulatory requirements.