HMSA’s Vendor Quick Guide to Compliance

September 2018


Page 2 Vendor Quick Guide to Compliance

Table of Contents

Introduction ... 3
Compliance program effectiveness ... 3
What is an FDR? ... 4
What are business associates? ... 5
Elements of effective compliance ... 5
Policies and procedures ... 5
Prevention control ... 6
Compliance structure ... 6
Training ... 6
Communication and issue tracking ... 7
Disciplinary standards ... 8
Monitoring, auditing, and identifying compliance risks ... 9
OIG and GSA exclusion screening ... 9
Privacy and security ... 9
Blue Cross Blue Shield Association license standard 13 mandate ... 11
Section 508 compliance ... 11
Record retention ... 11
Code of business conduct ... 12
Strengthening vendor relationships with compliance partnerships ... 12
HMSA Contacts ... 13
References ... 13
Appendix ... 14

Introduction

Welcome to the Vendor Quick Guide to Compliance. This guide was developed as a reference tool for vendors of Hawaii Medical Service Association (HMSA). The focus of this document is to guide vendors in the development and maintenance of an effective compliance program, especially for the highly regulated vendors where oversight expectations are more stringent. The information focuses on various compliance areas and is based on the seven elements of an effective compliance program, derived from the Office of Inspector General and the Compliance Program Guidelines published by the Centers for Medicare and Medicaid Services (CMS) in Managed Care Manual Chapter 21 and Prescription Drug Benefit Manual Chapter 9.

NOTE: The information provided in this guide isn’t all-encompassing and doesn’t summarize all of your contractual responsibilities. If you have any questions, please reach out to your HMSA Vendor Contact.

Compliance program effectiveness

Why is this Quick Guide important?

CMS requires all plan sponsors like HMSA to maintain an effective compliance program. Regulators hold HMSA wholly accountable for the work its vendors perform on its behalf, as if HMSA were performing the work itself. Therefore, HMSA holds its vendors to the same compliance program requirements. This guide is an educational tool regarding CMS requirements and recommendations.

What are the seven elements of an effective compliance program as defined by CMS?

1. Written policies, procedures and standards of conduct
2. Compliance officer, compliance committee and high-level oversight
3. Effective training and education
4. Effective lines of communication
5. Well-publicized disciplinary standards
6. Effective system for routine monitoring, auditing and identification of compliance risks
7. Procedures and system for prompt response to detected compliance issues and undertaking corrective action

CMS Audit Protocols Update

CMS’ 2018 audit protocol introduced a new control-focused framework to apply the seven elements. The key aspects of an effective compliance program can be broken into prevention, detection or correction controls. Throughout this guide, we’ll outline which elements correlate to each of the three controls.

• Prevention controls: These controls provide a framework to operate, communicate compliance expectations, and prevent repeated issues from recurring.

• Detection controls: These controls indicate opportunities for improvement within the compliance program. Detection controls may include monitoring and detecting compliance issues.

• Correction controls: These controls allow for immediate and reasonable responses to misconduct and compliance violations. Correction controls may include escalation processes and corrective action plans.

What is an FDR?

FDR is short for first-tier, downstream, or related entity. You may be identified as an FDR, and FDRs are subject to certain CMS compliance requirements.

Per CMS, a first-tier entity is any party that enters a written arrangement, acceptable to CMS, with a Medicare Advantage (MA) organization or Part D plan sponsor, or applicant, to provide administrative services or health care services to a Medicare-eligible individual under the MA program or Part D program.

A downstream entity is any party that enters a written arrangement, acceptable to CMS, with persons or entities involved with the MA benefit or Part D benefit, below the level of the arrangement between an MA organization or a Part D plan sponsor and a first-tier entity.

A related entity is any entity that is related to an MA organization or Part D sponsor by common ownership or control and performs some of the MA organization or Part D sponsor’s management functions under contract or delegation, furnishes services to Medicare enrollees under an oral or written agreement, and leases real property or sells materials to the MA organization or Part D plan sponsor at a cost of more than $2,500 during a contract period.

What do FDRs of HMSA do?

Vendors can perform very different functions. HMSA may enter contracts with FDRs to provide administrative or health care services for MA enrollees on its behalf. Some examples include:

• Sales and marketing
• Utilization management
• Quality improvement
• Applications processing
• Enrollment, disenrollment, membership functions
• Claims administration, processing and coverage adjudication
• Appeals and grievances
• Licensing and credentialing
• Pharmacy benefit management
• Hotline operations
• Customer service
• Bid preparation
• Outbound enrollment verification
• Provider network management
• Processing of pharmacy claims at the point of sale
• Negotiation with prescription drug manufacturers and others for rebates, discounts or other price concessions on prescription drugs
• Administration and tracking of enrollees’ drug benefits, including TrOOP balance processing
• Coordination with other benefit programs such as Medicaid, state pharmaceutical assistance or other insurance programs
• Entities that generate claims data
• Health care services

What are business associates?

Business associates are persons or entities, other than the workforce of a covered entity such as HMSA, that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access by the business associate to protected health information.

Elements of effective compliance

Policies and procedures

Policies act as a guide for employees in understanding corporate expectations, methods of reporting, and relevant contact information. It’s imperative to maintain compliance policies to demonstrate the establishment and communication of an organization’s compliance expectations. HMSA provides you with a copy of its Code of Conduct to provide clarity about HMSA’s internal standards and expectations; it is available at https://hmsa.com/Media/Default/documents/code-of-business-conduct.pdf.

You should also have written policies and procedures that address the following:

• Standards of conduct - a set of ethical and compliance-related expectations for employees to follow. This should be provided to your employees and other applicable individuals and entities within 90 days of hire, upon update, and annually thereafter
• Organization’s commitment to comply with federal and state laws, regulations, rules, and other requirements
• Training requirements and timeframes
• Methods of communicating and reporting issues – outline the expectation to report compliance concerns and suspected or actual violations, including the reporting of compliance issues to HMSA
• An environment of non-intimidation and non-retaliation for good faith reporting
• Disciplinary standards
• Identification of corporate compliance leadership, especially the corporate compliance officer
• Record retention practices

Prevention control

Evidence may take many forms. Your HMSA contract may request the following information to ensure the necessary compliance policies and procedures are in place:

• Copy of the standards of conduct and other compliance policies
• Annual review and approval of the standards of conduct, including date of creation and governing body approval
• Distribution of policies
• Necessary policy language

Compliance structure

Maintaining the necessary compliance structure and reporting relationships may help demonstrate that you have appropriate oversight of your compliance program. It illustrates that leadership is invested in the effectiveness of the compliance program independent of operational goals. It’s recommended that you maintain the following structure. (Prevention control)

Basic structural building blocks

Compliance officer
• Employee
• Direct reporting to senior-most leader and governing body
• Meet with the compliance committee quarterly
• Independent involvement with compliance program

Compliance committee
• Meet at least quarterly
• Review compliance issues

Governing body
• Annual approval of the standards of conduct
• Reasonable insight into the effectiveness of the compliance program

You can demonstrate evidence of your compliance structure in many ways, which may include:

• Organization charts illustrating reporting lines
• Meeting minutes and agendas documenting participants, items discussed and decisions made as they relate to the compliance program
• Committee charters
• Communications about the compliance officer, including contact information

Training

HMSA requires all FDRs to complete general compliance and fraud, waste and abuse training to remain in compliance with CMS requirements and expectations. Employees and other eligible individuals must take the training within 90 days of hire and at least annually thereafter. (Prevention control)

FDRs must provide CMS compliance and fraud, waste and abuse training to their employees and verify that their downstream entities are doing the same. CMS provides a few options for implementation:

1. FDRs can complete general compliance and FWA training on the Medicare Learning Network and print out the certificate of completion.
2. FDRs can incorporate the unmodified CMS content of the standardized training modules from the website into their own training materials.
   • CMS allows changes to only the appearance of the material, i.e., font, color, background.
3. FDRs can incorporate the unmodified CMS content of the CMS training modules into written documents for providers.

FDRs are encouraged to provide supplemental training to their employees. Example topics may include reporting protocols, conflict of interest, HIPAA, HITECH and the Anti-Kickback law.

WAIT! Does everyone have to take the training?

CMS advises FDRs to consider the roles and responsibilities of their staff to determine who is required to take the training. Individuals that generally should complete the training include, but are not limited to:

• Senior administrators or managers directly responsible for the FDR’s contract with the plan sponsor
• Individuals directly involved with establishing and administering the plan sponsor’s formulary and/or medical benefits
• Individuals involved with decision-making authority on behalf of the plan sponsor
• Reviewers of beneficiary claims and services submitted for payment
• Individuals with job functions that place the vendor in a position to commit significant noncompliance with CMS program requirements or health care FWA

Evidence of training can be presented in many ways and may include:

• Sign-in sheets
• Completion certificates
• Attestations confirming completion of the CMS training
• Copy of training material
• List of training dates, hire dates and cycle of annual training
• Governing body completion of training
• Record retention demonstrating attendance, topics and scores

Communication and issue tracking

Vendors must maintain lines of communication to provide their employees and downstream entities with important regulatory information, compliance information, reporting protocols and issue tracking expectations. The lines of communication should be accessible to all, allow the reporting of compliance and FWA issues, and allow anonymous and confidential good faith reporting of issues. The method of accessing and utilizing these lines of communication should be publicized throughout the facility, be user-friendly and be available 24 hours a day. (Prevention control)

Keeping lines of communication open demonstrates an active effort to keep everyone informed of necessary information and allows for the reporting of issues.

Maintaining a system to receive, record, respond to and track compliance questions or reports of suspected or detected noncompliance or potential FWA is also important. Sponsors and vendors must educate employees about identifying and reporting potential FWA. If the vendor experiences any issue of noncompliance, FWA, or breach, it’s imperative they notify HMSA appropriately. (Detection control) Your HMSA Contact should track any issues reported, actions taken or planned to be taken to remediate those issues, when the item was considered closed, and how the vendor plans to prevent the same issue from occurring. (Correction control)

Evidence of communication and issue tracking can be presented in many ways and may include:

• Availability of lines of communication, including physical postings, email, intranet, meeting minutes and training
• Communications about regulatory changes, impact and action items
• Reporting procedures
• Policy language – outline reporting and investigation protocol or options for anonymous reporting
• Issues tracking log
• Dashboard or scorecard tracking corrective actions

Disciplinary standards

FDRs should have disciplinary standards that address and correct instances of employee misconduct. The standards should identify noncompliant, illegal or unethical behavior. Employees should understand the consequences of participating in noncompliant or FWA-related activities. There should be an emphasis on maintaining an environment of non-retaliation for good faith participation in the compliance program. The disciplinary standards should outline different stages of reprimand up to and including termination.

It’s important to demonstrate strong publication of these disciplinary standards. Evidence of disciplinary standards can be presented in many ways and may include:

• Methods of publication, including newsletters, staff meeting minutes, compliance training and intranet
• Policy language outlining the above

Monitoring, auditing, and identifying compliance risks

MA organizations are responsible for establishing and implementing an effective system for routine monitoring and auditing and identifying compliance risks. MA organizations should have insight into how their first-tier entities are complying with CMS requirements and the effectiveness of their overall compliance programs.

The system should include both monitoring and auditing activities, which are defined below. These activities are aimed at protecting against noncompliance and potential FWA, as well as monitoring compliance with regulatory guidance, federal and state laws and internal policies and procedures. (Detection control)

Monitoring: Regular reviews performed as part of normal operations to confirm ongoing compliance and ensure that corrective actions are undertaken and effective.

Auditing: Formal review of compliance with a particular set of standards used as base measures.

Monitoring activities are usually conducted within the business areas or by the people involved with the day-to-day work. Auditing activities are usually conducted by an independent unit within the business or an external party.

How do I assign scope for the monitoring and auditing activities?

Identifying compliance risks will help determine what type of activities should be performed. Once the risks are identified, you should have a plan to address them. Risks should also be ranked by priority. Ideally, you would focus on addressing the highest risks first. Monitoring and auditing activities are often the answer to addressing these risks. (Detection control)

OIG and GSA exclusion screening

Individuals and entities who are excluded from participating in federal programs must not perform work or render services related to HMSA Medicare-based products. Screening for excluded individuals and entities is done by checking against the HHS OIG List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) Excluded Parties List System (EPLS) exclusion lists. The purpose of checking these lists is to avoid paying any federal funds to individuals, providers or entities that are listed on any of these exclusion lists. Vendors who contract with HMSA are required to check these lists and provide evidence that these checks were completed. The OIG LEIE and GSA EPLS lists should be reviewed prior to hiring or contracting and monthly thereafter for:

• Employees
• Contractors
• Temporary employees
• Volunteers
• Consultants
• Governing body members
• Major shareholders (5 percent or more)
• FDR entities

(Detection control)

Evidence may include:

• List of all applicable employees and entities (or number of individuals and entities) with dates checked, results of the checks and actions taken to resolve any positive indications
• Routine informal audits by the contract administrator to verify the vendor’s process is accurate
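Added example (not HMSA’s or CMS’s tooling): a screening run over a constructed vendor roster against constructed LEIE-like and EPLS-like extracts that produces the evidence the guide asks for, that is, who was checked, against which list, the date checked, the result and the action taken, and that handles the two cases that trip up name-only checks (a same-name person with a different DOB, and an exclusion that has since been reinstated). It assumes a reduced column layout (LASTNAME, FIRSTNAME, DOB, NPI, EXCLTYPE, REINDATE) for both lists, a simple roster CSV and a monthly due-date rule; the real downloads have more columns, and the matching rules and action wording are this example’s own.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample extracts (LEIE-like column subset; the real download has more
# columns). Dates are YYYYMMDD as in the LEIE file; 0 / 00000000 mean "not on file".
LEIE_CSV = """LASTNAME,FIRSTNAME,DOB,NPI,EXCLTYPE,REINDATE
DOE,JANE,19700101,1234567893,1128a1,00000000
SMITH,JOHN,19650512,0,1128b4,20180401
LEE,ROBERT,0,0,1128b7,00000000
"""
EPLS_CSV = """LASTNAME,FIRSTNAME,DOB,NPI,EXCLTYPE,REINDATE
CONTRACTCO,,0,0,Debarment,00000000
"""
# Constructed vendor roster covering the categories the guide says must be screened.
ROSTER_CSV = """name,dob,npi,category
Jane Doe,1970-01-01,1234567893,employee
John Smith,1965-05-12,,contractor
Jane Doe,1988-09-30,,volunteer
Robert Lee,,,consultant
ContractCo,,,FDR entity
"""

@dataclass(frozen=True)
class Exclusion:
    source: str
    last: str
    first: str
    dob: Optional[date]
    npi: Optional[str]
    excl_type: str
    rein_date: Optional[date]  # reinstatement date; None while still excluded

@dataclass(frozen=True)
class EvidenceRecord:
    # One line of the evidence log: who, which list, when, outcome and action taken.
    date_checked: date
    name: str
    category: str
    source: str
    result: str  # "clear", "match" or "needs review"
    action: str

def _ymd(s: str) -> Optional[date]:
    s = s.strip()
    if s in ("", "0", "00000000"):
        return None
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))

def load_exclusions(source: str, text: str) -> list:
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        npi = r["NPI"].strip()
        out.append(Exclusion(source, r["LASTNAME"].strip().upper(), r["FIRSTNAME"].strip().upper(),
                             _ymd(r["DOB"]), npi if npi not in ("", "0") else None,
                             r["EXCLTYPE"].strip(), _ymd(r["REINDATE"])))
    return out

def screen_person(name, dob, npi, category, exclusions, checked_on):
    """Screen one roster entry against every list; returns one EvidenceRecord per list."""
    # A name hit is only a lead: an NPI or DOB present on both sides decides it.
    first, _, last = name.strip().upper().rpartition(" ")
    records = []
    for source in sorted({e.source for e in exclusions}):
        result, action = "clear", "none"
        for e in exclusions:
            if e.source != source or e.last != last or (e.first and e.first != first):
                continue
            if e.rein_date is not None and e.rein_date <= checked_on:
                continue  # reinstated before this check: not currently excluded
            npi_known, dob_known = bool(npi and e.npi), bool(dob and e.dob)
            if (npi_known and npi == e.npi) or (dob_known and dob == e.dob):
                result, action = "match", f"removed from HMSA Medicare work; reported to HMSA Contact ({e.excl_type})"
                break
            if npi_known or dob_known:
                continue  # same name, but an identifier on file rules this record out
            result, action = "needs review", "verify identity against the exclusion record before assigning work"
        records.append(EvidenceRecord(checked_on, name, category, source, result, action))
    return records

def screening_due(last_checked: Optional[date], today: date) -> bool:
    """Due before hire or contracting (no prior check) and at least monthly thereafter."""
    if last_checked is None:
        return True
    return (today.year - last_checked.year) * 12 + today.month - last_checked.month >= 1

def run_screening(roster_csv: str, exclusions: list, checked_on: date) -> list:
    log = []  # the evidence log for this run
    for r in csv.DictReader(io.StringIO(roster_csv)):
        dob = date.fromisoformat(r["dob"]) if r["dob"].strip() else None
        log.extend(screen_person(r["name"], dob, r["npi"].strip() or None,
                                 r["category"], exclusions, checked_on))
    return log

if __name__ == "__main__":
    lists = load_exclusions("OIG LEIE", LEIE_CSV) + load_exclusions("GSA EPLS", EPLS_CSV)
    for rec in run_screening(ROSTER_CSV, lists, date(2018, 9, 1)):
        print(f"{rec.date_checked} {rec.name:<11} {rec.category:<11} {rec.source:<8} {rec.result:<12} {rec.action}")
```

Each run appends one record per person per list, so retaining the returned log for every monthly run gives the dated list with results and actions that the evidence bullet above describes.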

Privacy and Security

Protecting our member data

We are often required to share our members’ protected information with our vendors. However, before HMSA can provide this information to a vendor, federal privacy and security regulations (HIPAA) require that vendors sign a contractual agreement called a Business Associate Agreement (BAA). The BAA makes sure that a vendor has certain safeguards in place to protect member information.

The information that requires safeguards falls into two categories: Personally Identifiable Information (PII) and Protected Health Information (PHI).

What are some examples of PHI or PII?

The definitions and examples are listed in the chart below.

Protected Health Information (PHI)

Any health information that, when considered in its entirety, could identify an individual. Examples of PHI include, but are not limited to, an individual’s:

• Name
• Address
• Date of birth or age
• Telephone numbers
• Fax numbers
• Email addresses
• Health Plan ID or Subscriber number
• Medical Account number
• Medical Contract numbers
• Medical Claim numbers
• Diagnosis codes
• Medical Procedure codes
• Dates of medical services
• Genetic Information
• Certificate/license numbers
• Medical Device identifiers and serial numbers
• Internet Web addresses – URLs (Uniform Resource Locators, or internet file addresses)
• Internet Protocol (IP) address numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

Personally Identifiable Information (PII)

Any information that alone, or in combination with other information, identifies, or could reasonably identify, an individual or his or her relatives, employers or household members.

The company strives to protect all PII; any unauthorized disclosure of PII should be reported to HMSA as described in your contract. Examples of PII include, but are not limited to, an individual’s:

• Date of birth
• Place of birth
• Home and personal phone number
• Personal email address
• Social Security number
• Biometric identifiers, including finger and voice prints
• Demographics
• Family Member’s Information

What is a privacy incident?

An unauthorized use of HMSA’s PII or PHI within your organization, or

An unauthorized disclosure of HMSA’s PII or PHI to an unauthorized or unintended third party recipient.

What is a security incident?

Any event affecting information systems that results in a compromise to the confidentiality, integrity, or availability of HMSA’s information.

What to do when there is a privacy or security incident:

If there is an incident that impacts HMSA’s information, you’re required to report the incident to HMSA as soon as possible, but no later than the timeframe indicated in your contract. Please follow the procedure for reporting incidents as described in your contract. The report should include as much information about the event as is known at the time of reporting and, to the extent known, include:

• Date and time the event occurred
• Date the event was discovered
• Complete description of the PII or PHI accessed, used or disclosed
• Complete description of the event, including the cause, the names, and the effect on the systems or data involved
• Contact information for communications regarding the event
• Initial mitigating action taken to contain the event and an assessment of the level of compromise to HMSA’s data
• Plan to correct the compromises to HMSA’s data and to prevent future occurrences

Blue Cross Blue Shield Association License Standard 13 Mandate

HMSA is an independent licensee of the Blue Cross Blue Shield Association (BCBSA). BCBSA makes protection of PHI and PII a priority under the Blue Cross Blue Shield Association’s License Standards. BCBSA Plans exercise reasonable and appropriate oversight of their Business Associates’ data security controls used to safeguard and protect the plan’s PHI and PII. In order to comply with BCBSA standards and with federal privacy and security laws, BCBSA Plans require that all Business Associates have an up-to-date, signed Business Associate Agreement (BAA). It’s HMSA’s responsibility to ensure compliance with these requirements. HMSA takes compliance seriously, and it’s the responsibility of our vendor partners to assist in helping us maintain it.

Section 508 compliance

HMSA is a recipient of federal funds and therefore must be compliant with Section 508 of the United States Workforce Rehabilitation Act of 1973. Section 508 mandates that all electronic and information technology developed, procured, maintained or used by the federal government be accessible to people with disabilities.

As a vendor, you will be doing work on behalf of HMSA and therefore must also follow Section 508. As an entity that receives federal funding, the Centers for Medicare & Medicaid Services requires that you be compliant with Section 508 as well. CMS has made available resources for assistance in creating 508-compliant documentation. Please visit https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/Section508/508-Compliant-doc.html to learn more.

Record retention

Vendors must retain records related to their compliance programs, including training and screening. CMS requires that records be retained for a period of 10 years, unless otherwise specified in the Business Associate Agreement.

Code of business conduct

What is it?

Conducting our business with integrity in accordance with industry standards and all applicable laws, regulations and mandates is required . . . and expected. The code of conduct is a critical document in place which provides workforce members with the framework for decision-making. Together, these elements serve as a compass that empowers workforce members to “do the right thing” by adhering to ethical business conduct standards. The code of conduct ties all the above stated components together and is the driving factor behind our recommended practices.

Why should I know this as a vendor?

Vendors aren’t exempt from the above stated ethical expectations. Our vendors are held to the same code of conduct as our employees. Compliance and Ethics assists vendor managers in ensuring vendors are meeting ethical standards. The figure below includes, but is not limited to, elements to maintain ethical business conduct standards. These are some primary examples of areas of concentration and risk that would have great impact in this space of the business.

Conflict of interest

• A conflict of interest occurs when there is or appears to be a conflict between the interests of the company and your personal interests, or the interests of one of your close relatives or cohabitants.
• You may not accept any gift or entertainment that would influence your business judgment in favor of a particular customer, vendor, supplier or provider.

Differing standards

• When dealing with vendors whose standards are more restrictive than ours, you’re to abide by the standards for their workforce members to the extent you are aware of them.

Exclusion checks

• This code requires HMSA to identify and consider excluding from business operations individuals whose prior conduct was illegal or inconsistent with an effective compliance and ethics program.
• The purpose of OIG sanction, criminal and debarment checks is to maintain the ethical standards of the business. Checks are to know more about the persons working for HMSA and its vendors. HMSA wants employees and vendors to uphold its standard and message.
• Exclusion list checks should be done on a monthly basis.

How to report an ethical issue:

Vendors and their staff can report potential issues to the toll-free compliance hotline at 1-800-749-4672. This is an anonymous, confidential hotline available 24 hours a day, seven days a week. Don’t wait to report or allow issues of ethical compliance to grow. Report the issue as soon as possible to our direct lines of communication.

Strengthening vendor relationships with compliance partnerships

In the constantly evolving world of healthcare compliance, it’s important to stay current on government regulations. HMSA is committed to assisting our vendor partners in meeting the Centers for Medicare & Medicaid Services regulatory requirements and the provisions of the Health Insurance Portability and Accountability Act as business associates.

If you have any questions on the expectations for vendor compliance, please don’t hesitate to contact us.

HMSA Contacts

Who to contact when there is a compliance or ethical issue:

The toll-free compliance hotline, 1-800-749-4672, or by email at [email protected]

Who to contact when there is a privacy incident:

Call 1-800-749-HMSA (4672) or email us at [email protected]

All other non-compliance must be reported to your HMSA Contact immediately.

References

• 42 CFR 422.503(b)(4)(vi), 423.504(b)(4)(vi)

• Chapter 21 – Medicare Managed Care Manual: Compliance Program Guidelines: www.cms.gov/regulations-and-guidance/guidance/manuals

• Chapter 9 – Prescription Drug Benefit Manual: Compliance Program Guidelines: www.cms.gov/medicare/prescription-drug-coverage/prescriptiondrugcovcontra/downloads/chapter9.pdf

• HPMS Memo June 17, 2015: “Update – Reducing the Burden of the Compliance Program Training Requirements”: www.seniormarketagent.com/docs/232_americanprogressive/232_urgentmemo_urgentmemo_universal american compliance memo.pdf

• HPMS Memo December 28, 2015: “Additional Guidance – Compliance Program Training Requirements and Audit Process Update”: info.pharmastarpbm/cms-update-16-01

• HPMS Memo February 10, 2016: “Additional Guidance – Compliance Program Training Requirements and Audit Process Update”: www.cms.gov/medicare/compliance-and-audit/part-c-and-part-d-compliance-and-audits/downloads/2016_compliance_and_fwa_training_update.pdf

• Health Information Privacy Policy (HIPP): workplace.bcbsm.com/hr/policiesandprocedures/health information privacy policy.pdf

• HMSA Code of Business Conduct: https://hmsa.com/Media/Default/documents/code-of-business-conduct.pdf

• Measuring Compliance Program Effectiveness: A Resource Guide: oig.hhs.gov/compliance/101/files/hcca-oig-resource-guide.pdf


Appendix

Below is an example of an HMSA checklist for Medicare Advantage First Tier, Downstream and Related Entities.

Section 1 - Attestation

Read, complete and sign the attestation.

• Please read the entire attestation before signing. Make sure the expectation is agreed upon and understood and the offshore information is complete.

Section 2 – Supporting documentation

In the event of an audit, you may be required to provide the following:

Element I: Written policies, procedures and standards of conduct (Please note – all policies must indicate the date of the last review and be reviewed on an annual basis)

• Policy that states the vendor’s commitment to comply with applicable state and federal laws.

• Policy that addresses zero tolerance for retaliation, retribution or intimidation for reporting a compliance issue.

• Policy that states the FDR will refer non-compliance to HMSA.

• Policy or monthly OIG/GSA attestation that states the FDR will check all of the following against the exclusion listing at the time of hire and monthly thereafter:

  • Employees

  • Contractors

  • Temporary employees

  • Volunteers

  • Consultants

  • Governing body members (board members)

  • Major shareholders (5 percent or more)

  • Vendors

• Evidence from the FDR demonstrating that screening is being performed at the time of hire and monthly thereafter against the OIG/GSA exclusion lists (such as a screenshot or a list of individuals checked; the monthly OIG/GSA attestation or the policy alone won’t suffice). The evidence should indicate whether there were positive matches and the steps taken to remediate.

• Policy demonstrating the FDR’s 10-year retention of all documents related to Medicare Advantage.

Element II: Compliance officer, compliance committee and high-level oversight

• Documentation identifying an active compliance officer (must be an employee of the organization).

• Compliance committee that meets regularly with senior leadership to discuss compliance issues (examples include minutes or an agenda that identify the attendees and their titles, which must include the compliance officer). Evidence must reflect MA items.


Element III: Effective training and education (for workforce members that touch MA work)

• Evidence of general compliance and fraud, waste, and abuse training (the Medicare Learning Network module effective January 1, 2016 will meet the requirement).

  • Examples include: training module certificates, screen shots of the training incorporated into the FDR’s compliance training.

• Evidence that training has been performed:

  • Spreadsheet reflecting the workforce member name, position, hire date and date training was taken.

• Policy requiring employees (including temporary employees and volunteers), contractors, governing body members and downstream entities who provide administrative or health care services for Medicare Advantage to complete compliance and FWA training at the time of hire or within 90 days of hire, and annually.

Element IV: Effective lines of communication

• Evidence of effective lines of communication, such as communication to employees, contractors and downstream entities (for example, an email regarding new guidance).

• Policy that addresses written standards for self-disclosure and reporting misconduct.

Element V: Well-publicized disciplinary standards

• Provide the code of conduct policy with escalation for disciplinary actions.

• Evidence of a conflict of interest policy.

• Evidence that the code of conduct is reviewed annually and approved by the governing body.

• Evidence that the disciplinary standard is well publicized (screen shots of the link to the code of conduct from the vendor’s intranet, or an email advising where to locate the code of conduct policy).

Element VI: Effective system for routine monitoring, auditing and identification of compliance risks

• Evidence that shows the FDR vendor is identifying compliance risk, e.g., a risk assessment.

• Evidence that the FDR is addressing compliance risk, e.g., an audit work plan or monitoring work plan.

• Evidence that the FDR is addressing compliance issues appropriately.

Element VII: Procedures and system for prompt response to compliance issues

• Evidence of prompt response to compliance issues.

• Policy on the investigation of reported instances of noncompliance.

• Evidence that monitoring occurs within the FDR and by the contract administrator at least on a quarterly basis (can be provided quarterly).
