Post on 25-May-2020
FDR Oversight
Turning Theory Into Practice:
A systemic, tool-laden approach to
meeting CMS expectations
Presenters
ERNESTO MARRERO Jr., JD, CHC, Medicare & FIDA Compliance Officer
CORINNE SINCLAIR, MBA, CHC, Director, Medicare Compliance
THOMAS WILSON, Ph.D., M.H.A., Business Ethics, Integrity & Compliance
Disclaimer
The views and opinions expressed during this
presentation are those solely of the presenters and
not those of any company or entity with which they
may be associated.
CMS Requirements
Sponsor oversees and is accountable for any
functions or responsibilities that are delegated to
other entities.
• Accountable to CMS or the State for performance of
the delegated function
• Responsible for ensuring the function is performed in
accordance with applicable federal and state standards
• Sponsor remains wholly accountable for the activities
of its subcontractors
Source: CMS Best Practices for FDR Oversight: Training, Auditing and Enforcement, December 10, 2014.
Definitions
“Must” … “Should” … “Best Practices”
Must: Requirements created by statute or regulation; no discretion
Should: Expectations identified in Guidelines; discretion as to how you accomplish effectiveness
Best Practices: Procedures that work well for some Sponsors; may not work for all
Source: CMS Focused Training, Compliance Program Guidelines, CMS Compliance Program Element VI - Monitoring, Auditing and Identification of Compliance Risks, March 27, 2013.
Topic Requirement
Element I: Written Policies, Procedures and Standards of Conduct
• should ensure that Standards of Conduct (“SOC”) and policies and procedures (“P&Ps”)
are distributed to FDRs’ employees. Alternatively, may ensure that the FDR has
comparable P&Ps and SOC.
• should have a method to demonstrate that SOC and P&Ps were distributed to FDRs’
employees.
• best practice to include appropriate contract provisions in the FDR contract, coupled with
periodic monitoring of a sample of FDRs based on risk assessment, including a review of
the FDRs’ compliance with P&Ps and SOC.
Element III: Effective Training and Education
• must establish, implement, and provide effective training and education for … FDRs.
• must occur at least annually and be made a part of the orientation for new … FDRs.
• must ensure that general compliance information is communicated to FDRs.
• should review and update, if necessary, the general compliance training whenever there are
material changes in regulations, policy or guidance, and at least annually.
• must ensure that FDRs’ employees who have involvement in the administration or delivery
of Parts C and D benefits, at a minimum, receive FWA training within 90 days of initial
hiring (or contracting in the case of FDRs), and annually thereafter.
• must be able to demonstrate that … FDRs have fulfilled these training requirements as
applicable.
• must provide the FWA training directly to FDRs or provide appropriate FWA training
materials to FDRs.
• must require FDRs to maintain records of the training of the FDRs’ employees.
Common Findings and Best Practices
Topic Requirement
Element I: Written Policies, Procedures and Standards of Conduct
• should ensure that Standards of Conduct (“SOC”) and
policies and procedures (“P&Ps”) are distributed to
FDRs’ employees. Alternatively, may ensure that the
FDR has comparable P&Ps and SOC.
• should have a method to demonstrate that SOC and
P&Ps were distributed to FDRs’ employees.
• best practice to include appropriate contract provisions
in the FDR contract, coupled with periodic monitoring of
a sample of FDRs based on risk assessment, including a
review of the FDRs’ compliance P&Ps and SOC.
Element 1: P&Ps
OVERARCHING POLICY
• COMMITMENT TO OVERSIGHT
ALL ELEMENTS OF OVERSIGHT PROGRAM
• CONTRACTUAL REQUIREMENTS: CMS BEST PRACTICE
RFPs
PRE-DELEGATION SURVEYS
• DELEGATION (NCQA) AUDITS
Element 1: P&Ps
OVERARCHING POLICY
• AUDITS
EXTERNAL
COMPLIANCE
• CREDENTIALING
• NETWORK/PROVIDER OPERATIONS
• BUSINESS AREA MONITORING
• REPORTING TO COMMITTEES
Element 1: P&Ps
FDR SELECTION COMMITTEE
• CHARTER
• SELECTION TOOL
• OPERATING PROCEDURE: COMMITTEE FUNCTIONING
DOCUMENTATION OF WORK
• OPERATING PROCEDURE: ATTESTATION PROCESS
Charter: FDR Selection Sub Committee
PURPOSE:
The First Tier, Downstream, or Related Entity (“FDR”) Selection Committee supports the
Compliance Program by identifying entities to which Company has delegated
administrative or health care service functions relating to relevant Company healthcare
contracts to ensure compliance with applicable federal and state laws and regulations.
AUTHORITY AND RESPONSIBILITIES:
The FDR Selection Committee (“FDRSC”) carries out its responsibility to identify FDRs
by:
• identifying the entities with which Company contracts,
• gathering the relevant information to determine whether administrative or health care
service functions have been delegated by the Company to the entity,
• determining FDR status by vote after relevant information has been reviewed and
discussed, and
• forwarding the names of the entities designated as FDRs to Medicare Compliance for
appropriate action.
FDR Selection Process
Background
In implementing an effective compliance program, the Company is committed to identifying entities to which it has
delegated administrative or health care service functions relating to relevant Company healthcare contracts to ensure
compliance with applicable federal and state laws and regulations. This Operational Procedure will document the manner in
which First Tier, Downstream, and Related Entities (“FDRs”) are identified by the FDR Selection Committee (“FDRSC”).
Guidelines
The FDRSC will review and discuss relevant factors to determine which of the entities with which the Company contracts
qualify as FDRs.
Process
The FDRSC Committee Coordinator will identify entities with which the Company has contracted or will contract using all
relevant sources, including Credentialing, Quality Management-Accreditation and Delegation, and Corporate Services.
The FDRSC will review and discuss the services to be provided or provided by the entity. The FDRSC will forward the
Vendor Analysis Form (“VAF”) (see Attachment “A”) to the Relationship Manager (“RM”) designated for the contracting
entity. The RM will complete the VAF by identifying the function(s) performed or to be performed by the FDR that will be
considered by the FDRSC, such as:
• sales and marketing;
• utilization management;
FDR Selection Committee
Vendor Analysis Form
Initial Analysis Performed By: ____________________________________________________________
Title: _________________________ Department: ______________________ Date: _____________
Vendor Name: ________________________________ Type of Agreement: __ Delegation __ Other
Description of Services/Function performed by Vendor:
__________________________________________________________________________________________________________________________________
__________________________________________________
Instructions:
Medicare program requirements apply to FDRs to whom Company has delegated administrative or health care service functions relating to its Medicare Parts C
and D contracts. These requirements do not apply to persons and entities whose administrative contracts with Company do not relate to its Medicare
functions, for example, a contract between Company and a real estate broker in connection with the rental of office space.
Unless it is very clear that an entity is or is not an FDR, the determination of FDR status requires an analysis of all of the circumstances. Below are some factors
to consider in determining whether an entity is an FDR. Answer “YES” to any that apply.
Y N
□ □ 1. Does the function performed by the vendor relate to Company’s Medicare Parts C and D contracts?
Below are examples of functions that relate to Company’s Medicare Parts C and D contracts. If any function below is checked YES, this question
should be answered “YES.”
Y N
□ □ Sales and marketing
□ □ Utilization management
Example: First Tier Entity Table
Source: CMS Focused Training, Compliance Program Guidelines, CMS Compliance Program Element VI -
Monitoring, Auditing and Identification of Compliance Risks, March 27, 2013.
FDR Attestation Process
Guidelines
As part of the FDR oversight program, the Company requires a party responsible for compliance at an FDR,
such as a Compliance Officer or General Counsel, to attest to the following:
• standards of conduct and compliance policies are disseminated to all employees within 90 days of hire,
when there are updates to the policies, and annually thereafter;
• fraud, waste and abuse training and general compliance education are conducted within 90 days of
initial hire, and annually thereafter;
• exclusion/debarment/sanction screening of employees, temporary workers, volunteers, consultants,
governing board members, and downstream entities against federal exclusion lists is conducted at time
of hire/contract and monthly thereafter; and requires the same of its FDRs; and
• fraud, waste and abuse communication lines are maintained and widely published.
Process
The FDR Selection Committee (“FDRSC”) will provide Medicare Compliance with the names of entities
identified by the FDRSC as FDRs.
Medicare Compliance will identify the FDR party responsible for compliance and confirm that that party is
the appropriate person (the “FDR Contact”) to submit the required attestations on behalf of the FDR.
Element 1: P&Ps
CONTRACTING
• RFPs
• CONTRACTS
• DELEGATION AGREEMENTS
COMPLIANCE EXPECTATIONS
FOUR REQUIREMENTS
ATTESTATION
AUDITS
Element 1: P&Ps
DELEGATION OVERSIGHT
• OPERATING PROCEDURE
MONITORING REPORTS
AUDITS
CARs
SANCTIONS/TERMINATION
Common Types of FDRs
• Pharmacy Benefit Manager (PBM)
• Third Party Administrators (TPAs)
• Health Systems/Hospitals
• Network Providers
• Fulfillment Vendors
• Customer Service Call Centers
• Provider Credentialing Entity
• Sales and Field Marketing Agents
• Appeals, Grievances and Claims Processing Entity
• Pharmacies
• Data Validation vendors
Source: CMS Best Practices for FDR Oversight: Training, Auditing and Enforcement, December 10, 2014.
Element 3: Training & Education
Topic Requirement
Element III: Effective Training and Education
• must establish, implement and provide effective training and
education for … FDRs.
• must occur at least annually and be made a part of the
orientation for new … FDRs.
• must ensure that general compliance information is
communicated to FDRs.
• should review and update, if necessary, the general
compliance training whenever there are material changes in
regulations, policy or guidance, and at least annually.
Element 3: Training & Education
TRAINING OBLIGATIONS
• GENERAL COMPLIANCE
- STANDARD OF CONDUCT
- COMPLIANCE POLICIES & PROCEDURES
• FRAUD, WASTE, AND ABUSE (“FWA”)
- WITHIN 90 DAYS OF INITIAL CONTRACTING;
ANNUALLY THEREAFTER
- PROVIDE TRAINING DIRECTLY OR PROVIDE
APPROPRIATE FWA TRAINING MATERIALS
Element 3: Training & Education
DISTRIBUTION MECHANISMS - SOC/P&PS
• PAPER/ELECTRONIC
- PROVIDER GUIDES, BAAs, PARTICIPATION
MANUALS
- EMAIL BLAST
- MASS MAILING
• ATTESTATION
Element 3: Training & Education
Overview
The Prescription Drug Benefit Manual, Chapter 9 - Compliance Program Guidelines (Chapter 9 - Rev. 15, 07-27-12) and the
Medicare Managed Care Manual, Chapter 21 – Compliance Program Guidelines (Chapter 21 - Rev. 109, 07-27-12) require
BelDiaz to “develop procedures to promote and ensure that all FDRs are in compliance with all applicable laws, rules and
regulations with respect to Medicare Parts C and D delegated responsibilities” and have “a system in place to monitor
FDRs.”
As part of meeting these requirements, BelDiaz requires the compliance officer or an officer of each FDR to attest (and
document if appropriate) on an annual basis to the following requirements of a compliance program:
• Appropriate Standards of Conduct and Compliance policies are disseminated to all employees
• Fraud, waste and abuse (FWA) and general compliance education are conducted as required
• Employees, temporary workers, volunteers, consultants, governing body members and downstream entities are
regularly screened against relevant exclusions lists
• FWA communication lines are maintained and published
This year’s Compliance Attestations must be completed by XXXXXXX.
Element 3: Training & Education
1. STANDARDS OF CONDUCT AND COMPLIANCE POLICIES
BelDiaz’s Standards of Conduct (SOC) and Medicare Compliance Program (MCP) communicate to employees and FDRs that compliance is
everyone’s responsibility from the top to the bottom of the organization.
To communicate our compliance expectations and general compliance information to our FDRs and their employees, BelDiaz needs to ensure that
FDRs have comparable policies and procedures and that SOC is distributed to employees.
BelDiaz Compliance Issue Resolution & Hotline
BelDiaz Medicare Compliance Program 2014
BelDiaz Non-Retaliation
BelDiaz Standards of Conduct Handbook
ATTESTATION
To attest that your SOC and relevant policies are comparable to BelDiaz’s please complete the following:
1. I have read BelDiaz’s SOC, MCP and relevant policies.
2. We have comparable SOC and policies that are distributed to our employees.
2a. Attached are our SOC and comparable relevant policies. Attach
Element 3: Training & Education
FWA TRAINING MECHANISMS
• SPONSOR’S TRAINING MODULE
• CMS’ TRAINING MODULE
• FDR’S (OR THIRD PARTY) TRAINING MODULE
Element 3: Training & Education
Florida Blue
Thomas G. Wilson, Ph.D., M.H.A.
Consultant
Government Programs and Products Compliance
Business Ethics, Integrity & Compliance Division
Florida Blue
Florida Blue – Presentation Topics
• Florida Blue Company Profile
• CMS chapter guidance: Element VI – Effective System
for Routine Monitoring, Auditing and Identification of
Compliance Risks
• Governance Structure
• Compliance Organization
• Auditing and Monitoring
• Tools
– 2014 FDR Attestation
Florida Blue
• Florida-based health solutions company with our
headquarters located in Jacksonville
• Approximately 4.2 million health care members and
serves 15 million people across the United States
– Products: Commercial (HMO and PPO), Medicare (HMO,
PPO, RPPO, PDP), HSA, and ancillary products – life,
disability, dental, workers’ comp., long-term care, vision
and wellness programs
• Medicare Service Areas
– HMO: 32 Florida Counties, RPPO Statewide (67 Florida
Counties), Local PPO 30 Counties, PDP Statewide
– Total MA and PDP Membership – 196,409
CMS Regulations: Element VI.
“Sponsors must establish and implement an effective system for
routine monitoring and auditing of compliance risks.”
“Sponsors must undertake monitoring and auditing to test and
confirm compliance with Medicare regulations, sub-regulatory
guidance, contractual agreements, and all applicable Federal and
State laws, as well as internal policies and procedures to protect
against Medicare program noncompliance and potential FWA.”
Source: Chapter 9/21 of the Prescription Drug and Medicare Managed Care Manual, Rev. 110, 01-11-13.
Florida Blue – Governance Structure
Audit & Compliance Committee of the Board of Directors of GuideWell
Mutual Holding Corporation (Not-for-profit)
Parent Corporation of BCBS of Florida, Inc. d/b/a Florida Blue
General Counsel
Chief Audit Executive
Chief Integrity and Compliance Officer
Florida Blue – Governance Structure
Chairman and Chief Executive Officer (Chair)
GuideWell Mutual Holding Corporation
Enterprise Executive Management Team
Chief Financial Officer
Chief Communications Officer
General Counsel
Chief Human Resource Officer
President
Chief Strategy & Marketing Officer
Florida Blue – Governance Structure
Chief Integrity and Compliance Officer (Chair)
Corporate Ethics & Compliance Committee
Commercial Segment
Consumer Field Sales
Government Markets
Product Senior Counsel
Chief Audit Executive
Chief Technology and Security Officer
Claims, Enrollment Maintenance & Billing
Organizational Effectiveness (HR)
Delivery System Operations
Government Pharmacy Programs
Finance and Corp Controller
Government Market Services
Florida Blue – Risk Assessment
• Internal Audit
– Annual baseline risk assessment for all lines of
business
• Risk Impact Categories – Customer Service,
Regulatory Penalties, Brand and Reputational
Harm
• Score weight (1-2) – “Insignificant”
• Risk Likelihood (1-2) – “Extremely Unlikely”
• Risk Mitigation Control (1-2) – “Effective”
Florida Blue – Risk Management
• Internal Audit
– High risk items placed on Master Audit Plan
– Audit schedule, methodology and resources
• Board of Directors
– Ultimate accountability for oversight of risk
management program; quarterly meetings to
review status
• Executive Leadership
– Ultimate accountability for managing risk;
quarterly meetings to review status
Florida Blue – Auditing and Monitoring
• Delegation (Clinical) Oversight Committee
– Pre-delegation site visit (e.g., NCQA)
– Contract performance and corrective action plans
• Vendor Oversight
– Coordinate with Procurement, Legal and
Information Security to create and maintain
vendor profile in Compliance Tool
Florida Blue – Auditing and Monitoring
• Vendor Oversight (cont.)
– Conduct monthly calls with “high risk” vendors
• Contact with members, handle member data,
perform core “administrative” and “health
care” functions
– Receive and review reports and scorecards
• Call center performance, application
processing, appeals
• Monitor reports for “systemic issues” that
require corrective action
Florida Blue – Auditing and Monitoring
When a sponsor has a large number of first tier entities, making
it impractical and/or cost prohibitive to monitor or audit all first
tier entities for all compliance program requirements, the
sponsor may perform a risk assessment to identify its highest risk
first tier entities, then select a reasonable number of first tier
entities to audit from the highest risk groups.
• Business Ethics, Integrity and Compliance conducts a
compliance program risk assessment
– Collaborates with Internal Audit, SIU, Provider Network
• Criteria: Spending, location, provider type
• Method: Telephone call and email
Source: Chapter 9/21 of the Prescription Drug and Medicare Managed Care Manual, Rev. 110, 01-11-13.
Florida Blue – Auditing and Monitoring
• Medicare Vendor Oversight
– Deploy annual FDR Attestation via Compliance
Tool
• Code of Conduct
• Education and Training
• Retention of Training Records
• Review of OIG and GSA websites
• Mechanism to report noncompliance and
potential FWA
Florida Blue – Auditing and Monitoring
• Medicare Vendor Oversight
– Conduct contract review of vendors identified as
FDRs; communicate compliance requirements
– Conduct monthly calls with FDRs and related
entities
• Receive and review reports and scorecards
– Conduct peer-to-peer compliance program audits
with Blue Plans
Florida Blue – Compliance Tools
• 2014 FDR Attestation
– Vendor attestation to five key areas
– Electronic link to Florida Blue Compliance
Resources (e.g., code of conduct, policies and
procedures and training)
Florida Blue – Comments & Questions
Questions?