First Tier, Downstream and Related Entities

Introduction – CMS Requirements As of January 1, 2011, Federal Regulations require that Medicare Advantage

Organizations (MAOs) and Prescription Drug Plans (PDPs) have an effective compliance program designated to deter Fraud Waste and Abuse (FWA). This includes compliance program requirements for annual training on compliance and FWA. Refer to 42 CFR 422.503(b)(4)(vi)(C) and 42 CFR 423.504(b)(4)(vi)(C) for details on required training and education for General Compliance and FWA.

Simply Healthcare Plans (SHP or the Company) is a MAO/health plan that has a contract with the federal government. MAO and Part D Sponsors must provide compliance and FWA training to employees and first tier entities. First tier entities must ensure that compliance and FWA training is distributed to their downstream entities (and such distribution must be documented).

First tier, downstream, and related entities (FDRs) who have met the fraud, waste, and abuse certification requirements through enrollment into the Medicare program are deemed to have met the training and educational requirements for fraud, waste, and abuse; however, Compliance training is still required for all FDR’s, even if deemed for FWA training.

Additional regulatory guidance can be found in Chapter 9 and 21 of the CMS Managed Care Manuals at www.cms.gov.

2

Compliance Program

and Code of Business Ethics

3

Description of the Compliance Program

The Compliance Program is a written guide directed to all employees and FDRs that outlines SHP’s core values and foundation for business operations and prevention of fraud, waste and abuse.

Supports all applicable laws and regulations governing Medicare, Medicaid, and Florida Department of Elder Affairs (Nursing Home Diversion).

SHP has delegated the implementation and oversight of the Compliance Program to the Compliance Committee and Compliance Officer.

4

Purpose of the Compliance Program

Assure compliance with federal and state laws.

Establish framework for Compliance activities that are designed

to avoid legal and compliance problems

Provide the general public, employees and FDRs with an official

statement of how SHP conducts its business

Identify how to communicate compliance issues to the

appropriate personnel

Describe how potential compliance issues are investigated and

includes a policy for non intimidation and non retaliation.

5

6

Corporate Compliance Plan

Policies and Procedures

Code of Business Conduct

and

Code of Business Ethics

Anti-Fraud Program

An Effective Compliance Program Includes

Code of Business Ethics The Code of Business Ethics (Codes) was prepared by senior management

of SHP and approved by the SHP Board of Directors to provide a formal statement of the Company's commitment to the standards and rules of ethical business conduct to First Tier Entities, Downstream Entities and Related Entities, including all providers and vendors who provide or arrange for the provision of health care services or administrative services in connection with or relating to the health plan benefits offered by SHP. All Company personnel and FDRs are required to comply with the standards contained in the Codes and report any alleged violation to the Compliance Officer and assist in the investigation of complaints.

Performance expectations are outlined in the Code

It is the policy of SHP to prevent the occurrence of unethical behavior and discipline personnel or take action against FDRs that violate the Code.

7

Seven Elements of a Compliance Program Every effective compliance program must begin with a formal

commitment to seven key elements. These seven elements are set by the federal government for contractors of the federal government to follow. Written Policies & Procedures, and Code of Ethics

Compliance Officer, Compliance Committee and High-Level Oversight (Governing Body)

Effective Training and Education

Effective Lines of Communication

Enforcement of Well Publicized Disciplinary Standards

Effective System for Routine Auditing and Monitoring

Procedures and Systems for Prompt and Effective Response to Detected Offenses

8

Element 1: Written Policies & Procedures,

and Code of Ethics The first element of a Compliance Program involves the development of written

policies & procedures, and standards of conduct to help prevent issues from occurring in the first place. Policies and procedures (P&Ps) are created to:

Articulate an organization’s commitment to comply with all applicable Federal and State standards

Describe the expectations embodied in the organization’s Code of Conduct

Provide guidance on how to deal with potential compliance issues

Identify how to report compliance issues

Describe how potential compliance issues are investigated and resolved

The Compliance Department at SHP has developed a series of policies & procedures that outline the organization’s commitment to complying with standards and regulations set by the federal government (i.e. the Centers for Medicare and Medicaid Services –CMS), state departments of insurance, etc.

Additionally, business associate agreements, contracts and other agreements between SHP and entities to which SHP delegates its business functions contain language emphasizing compliance-related expectations and/or stipulations.

9

Element 2: Medicare Compliance Officer,

Compliance Committee and High-Level Oversight

(Governing Body)

The second element of a Compliance Program is the designation of a Compliance Officer to accept responsibility for the program and oversee its day-to-day operations. The Compliance Officer ensures the Compliance Program remains visible, active, and accountable. The Compliance Officer has the authority to review all documents and other information that are relevant to compliance activities.

The Medicare Compliance Officer routinely reports to the Board of Directors, or its designee, to ensure it is knowledgeable about the content and operation of the Compliance Program.

The Medicare Compliance Officer chairs the Medicare Compliance Committee. A key focus of the Medicare Compliance Committee is to raise and address compliance issues, escalate compliance issues to Senior Management and the Board of Directors, and to provide oversight of the Medicare Advantage and Part D programs.

Additionally, the Compliance Officer facilitates quarterly meetings of the Compliance Committee, which is comprised of several key upper management personnel. The Compliance Committee meets quarterly to discuss current and/or potential compliance-related issues, including audits, fraud, waste and abuse inquiries, and new and/or revised regulatory guidance.

10

Element 3: Effective Training and Education

The third element of a successful Compliance Program is to provide effective education and training. This enhances the organization’s ability to detect potential issues.

Compliance training addresses relevant laws and regulations, including those related to FWA.

Each delegate should conduct specialized trainings pertaining to their associates’ job functions

All trainings need to be documented with a sign-sheet and training material

To ensure trainings are effective, each employee should be tested before and after the training

All employees of SHP are required to complete compliance training upon initial hiring and annually thereafter.

11

Element 4: Effective Lines of Communication

The fourth element of a Compliance Program involves the ability to report issues through open lines of communication.

Organizations must have effective lines of communication between the Compliance Officer, members of the Compliance Committee, the organizations employees, managers and directors, and the organization’s FDRs ensuring confidentiality, between all parties in accordance with applicable law

Employees, contractors, and other parties are encouraged to report violations of law and policy, without fear of retaliation, to SHP’s Compliance Department.

12

Element 4: Effective Lines of Communication

Some examples of non-compliant behavior:

Intentionally altering CMS/AHCA approved company documents

Intentionally falsifying call log

Intentionally disposing of company documents

Intentionally altering documents for monetary gain

Stealing member information for personal use

Falsifying prescriptions

13

Element 4: Effective Lines of Communication

If you detect a potential compliance issue, it is your responsibility to report it in any of the following ways:

Contact your supervisor, manager, Medicare Compliance Officer or anyone in the SHP Compliance Department or Special Investigations Unit (SIU)

Contact SIU at 866-847-8247 or SIU@simplyhealthcareplans.com

Contact the 24 hour Compliance Hotline at 1-877-253-9251

or Compliance@simplyhealthcareplans.com

Write: Simply Healthcare Plans, Inc.

ATTN: Compliance/FWA Dept.

9250 W. Flagler Street

Suite 600

Miami, FL. 33174-3460

14

Element 5: Enforcement of Well Publicized

Disciplinary Standards The fifth element of a Compliance Program involves well-publicized

disciplinary standards and enforcement so any problems are corrected and resolved.

SHP maintains non-retaliation and protects caller anonymity

These same regulations hold true for FDRs (First Tier, Downstream and Related Entities).

Every associate is responsible to report non-compliant and/or unethical behavior

SHP expects all employees and contracted entities to act in an ethical and compliant manner.

Disciplinary guidelines concerning violations are described in SHP’s Code of Business Ethics

15

Element 6: Effective System for Routine

Monitoring and Auditing The sixth element of an effective Compliance Program is ensuring the organization

has an effective system for auditing and routine monitoring of compliance risks. It is an ongoing process that helps continuously improve performance.

Auditing and monitoring lets us know how we're doing and identifies any areas for improvement.

Organizations must have procedures for effective internal monitoring and auditing.

The Compliance Department and Delegation Oversight Department at SHP are responsible for conducting audits of external (i.e. contracted) entities to which SHP delegates its business functions to identify areas of risk and compliance with federal and state regulatory guidelines.

SHP develops and implements a risk based audit plan. Risks are identified through various sources including, but not limited to: the OIG work plan, external and internal audits, internal monitoring and metrics reporting, compliance issues identified by CMS, and compliance issues identified internally.

16

Element 7: Prompt Response to

Detected Offenses The seventh element of an effective Compliance Program is responding to

detected offenses as soon as they are reported with a prompt investigation, and any necessary remediation.

Regardless of the mechanism used to report potential or suspected violations, all reports are taken seriously, reviewed, and investigated in a timely and reasonable manner. Investigations should result in appropriate corrective action and are treated in a confidential manner.

FDRs are expected to have procedures for ensuring prompt responses to identified areas of non-compliance and detected offenses including the development of corrective action plans to reduce the potential for recurrence, and ensure ongoing compliance with CMS requirements.

Violation of the standards contained in the Compliance Plan may result in disciplinary or corrective action against those Associates, subcontractors, or first tier, downstream, or related entities who participate in non-compliant, illegal, fraudulent, improper, dishonest, or unethical activities.

17

Duty to Report

18

Duty to Report Every employee and contractor has a duty to comply with all laws and

regulations and to report violations.

You do not have to be certain that a violation has occurred in order to report suspected wrongdoing.

Retaliating against anyone who reports a suspected violation is prohibited by Company policy.

SHP has processes to receive, record and respond to compliance questions, reports of potential or actual non-compliance, and FWA from contractors, agents, employees, enrollees, and FDRs. SHP maintains confidentiality to the extent possible, allows callers to remain anonymous if desired and ensures non-retaliation against those who report suspected misconduct in good faith.

Violations of the Code of Business Ethics, or any FWA must be reported. Not reporting fraud or suspected fraud can make you a party to a case by allowing the fraud to continue.

19

Reporting Suspected Non-Compliance

Employees/FDRs may discuss the issue with the manager of

his/her department; or

Contact the Simply Healthcare Plans Compliance Officer:

You can also call the hotline at: 1-855-782-8281 or 305 459-2377

OR email: Non-Compliance-Incident ASimplyhealthcareplans.com

You may remain anonymous

20

Michelle Watson

4343 Anchor Plaza Parkway

Tampa, FL. 33634

Phone: 305-921-2758

Email: mwatson@simplyhealthcareplans.com

Healthcare Fraud

Laws and Regulations

21

Anti-Kickback Statute

The Anti-kickback statute makes it a criminal offense to

knowingly and willfully offer, pay, solicit, or receive any

remuneration to induce or reward referrals of items or services

reimbursable by a Federal health care program.

The statue ascribes criminal liability to parties on both sides of

an impermissible “kickback” transaction.

“Remuneration” includes the transfer of anything of value,

directly or indirectly, overtly or covertly, in cash or in kind.

22

Anti-Kickback Statute

The government has approved a limited number of financial arrangements that the administration considers are unlikely to result in fraud and abuse. These arrangements are referred to as Safe Harbors.

Medicare Advantage Safe Harbors

Risk-based HMOs may offer Medicare beneficiaries increased coverage, reduced cost-sharing amounts or reduced premium amounts.

Plan must offer same benefits to all Medicare/Medicaid enrollees.

Plan must not claim the costs of these benefits as a bad debt or otherwise shift the costs.

23

False Claims Act (“FCA”)

It is a crime for any person or organization to:

Knowingly present, or cause to be presented, a false or fraudulent claim for payment or approval by the federal government; or

Knowingly make, use, or cause to be made or used a false record or statement to influence the payment of a false or fraudulent claim.

Note: Unlike the Anti-Kickback Statue, no proof of specific intent to defraud is required by the False Claims Act. The person submitting a claim does not need to have actual knowledge that the claim is false. Anyone who acts in reckless disregard or in deliberate ignorance of the truth or falsity of the information can also be found liable under the False Claims Act.

24

Qui Tam Provision of the FCA

Authorizes a person alleging a violation of the FCA, also known

as a “whistleblower” or “relator,” to file a case in federal court

and sue, on behalf of the government, those engaged in fraud.

Relator’s incentive to sue is the potential to share in the recovery

of any monies received if the case is successful.

Provides protection to relators who are discharged, demoted,

suspended, threatened, harassed, or discriminated against in

any manner for prosecuting or participating in an investigation.

25

Fraud Enforcement & Recovery Act of

2009 (“FERA”) Signed into law May 20, 2009.

Amends the FCA.

Makes it illegal to “knowingly conceal or knowingly and improperly avoid” an obligation to repay federal funds that have been paid in error, even if the erroneous payment was not caused by the submission of a false record or statement.

Expands the definition of “claim” to include:

Demands for payments made by subcontractors to companies receiving federal funds.

Any request or demand for money or property, whether or not the United States has title to the money or property.

Any request for money made to any “recipient” of funds provided, in whole or in part, by the government, “to advance a Government program or interest.”

26

Health Insurance Portability and

Accountability Act (HIPAA) An important part of any Compliance Program is being compliant with

HIPAA regulations.

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule" and the "Security Rule") protect the privacy of an individual’s health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information (“PHI”).

HIPAA requires us to keep health plan members’ and patients’ information secure and private.

The HIPAA Privacy Rule states that PHI can only be used an disclosed to the minimum necessary for treatment, payment, and healthcare operations purposes.

27

Health Insurance Portability and

Accountability Act (HIPAA) • Only those involved in the treatment, payment, or health care

operation may share, apply, utilize, examine, or analyze PHI.

• Most disclosures of PHI require health plan member or patient

authorization.

• Unauthorized use of PHI has severe consequences to our members

or patients, and to our organization. You are obligated to comply with

HIPAA standards to ensure PHI remains secure.

• Carefully handle all PHI data

• Reporting MUST be done immediately if you become

aware of or suspect a breach may have occurred.

28

HIPAA – Your Responsibility HIPAA requires us to remember the following:

Keep member and patient information secure and private.

PHI may be used and disclosed for treatment, payment and healthcare operations purposes, using the minimally necessary amount of PHI to accomplish the purpose.

You are obligated to comply with HIPAA standards to ensure PHI remains secure.

You have a responsibility to identify and promptly report privacy and security incidents using your organization’s reporting policies and procedures.

Everyone at your organization must comply with HIPAA regulations. That means EVERYONE who provides healthcare directly or anyone who works at an organization that handles any type of PHI. By following HIPAA regulations, you support your organization’s commitment to ensuring the security and privacy of PHI.

29

Protected Health Information (PHI)

Protected Health Information (PHI) is information that both

identifies a member AND relates to their past, present, or future

health condition, provision of care, or payment of care.

Examples of PHI include, but are not limited to:

Member name AND case management notes

Member ID number AND a list of current medications

Member social security number AND medical claim information

30

Physician Self-Referral Prohibition Statute

Commonly referred to as the “Stark Law.”

Prohibits physicians from referring Medicare patients for certain

designated health services to an entity with which the physician

or a member of the physician’s immediate family has a financial

relationship – unless an exception applies.

Prohibits an entity from presenting or causing to be presented a

bill or claim to anyone for a designated health service furnished

as a result of a prohibited referral.

31

Resources Resource Link

Centers for Medicare and Medicaid

Services

http://www.cms.gov

Fraud & Abuse General Information http://www.cms.gov/fraudabuseforprofs/

Health Insurance Portability and

Accountability Act (HIPAA)

http://www.cms.gov/HIPAAGenInfo/01_o

verview.asp

HITECH Act http://www.hipaasurvivalguide.com/hitech

- act-text.php

Medicare Learning Network (MLN) Fraud

& Abuse

https://www.cms.gov/MLNProducts/downl

o ads/Fraud_and_Abuse.pdf

Medicare Managed Care Manuals http://www.cms.gov/Manuals/IOM/

Office of Inspector General Department of

Health and Human Services

http://oig.hhs.gov/

(refer to OIG guidance on Compliance

Programs)

http://oig.hhs.gov/fraud/hotline/

Part D Prescription Drug Benefit Manual http://www.cms.gov/prescriptiondrugcovc

o ntra/12_partdmanuals.asp#topofpage

Attestation of Medicare Compliance

Training Completion

1. If you are a participating broker please print the last page of

this training and submit to the plan’s sales manager.

2. If you are a contracted provider, complete and sign the

attestation and return to your account representative.

3. If you have office personnel, temporary and or sub-contracted

they are also required to take this training and records must be

maintained in your office for the plan to audit for 10 years.

The undersigned organization/person (the “Organization/Person”)

certifies and attests that as a first-tier entity, downstream entity or related

entity (as such terms are defined by Centers for Medicare and Medicaid

Services (“CMS”)), it has obtained and/or conducted, The Medicare

Compliance training for it and for all of its personnel and employees, as

applicable, (including, the chief executive, senior administrators or

managers, and governing body members), as required for the calendar

year by the CMS rules in 42 C.F.R. Parts 422 and 423.

Attestation of Medicare Compliance

Training Completion

Instructions on Attestation In addition, the undersigned Organization/Person certifies and

attests that it has required its downstream entities to certify and

attest that they have obtained and conducted, as applicable, the

required Medicare Compliance training for the calendar year for it

and for all its personnel and employees, as applicable.

Upon request by Simply Healthcare Plans, Inc., the

Organization/Person agrees that it will furnish training logs from its

downstream entities, as well as the certifications or attestations it

obtains from its downstream entities to validate that the required

Medicare Compliance Training was completed.

Attestation of Medicare Compliance

Training Completion

Thank You

SHP is committed to abiding by the laws, rules and regulations that govern our business.

SHP’s Compliance Program cannot operate without the cooperation of our associates, vendors, business partners, and FDRs.

Thank you for completing this CMS required training course on the Compliance Program.

37