Establishing a proactive MAO vendor oversight program

By Susan D. Kerrigan, MBA, CHC and Shawn A. Nettles, JD, CHPC

Susan D. Kerrigan (susan.kerrigan@hf.org) is Compliance Supervisor and Shawn A. Nettles (shawn.nettles@hf.org) is Regulatory Operations Coordinator at Health First Health Plans in Rockledge, FL.

For many compliance professionals, a monitoring event is a routine practice. However, there are times when a routine monitoring event can become memorable. Medicare Advantage Organizations (MAOs) expect to be asked to explain how the organization you have contracted with fits within the definition of a first tier, downstream, or related entity (FDR). However, a rather alarming question from the vendor is, “Can you give us a little more information about the General Services Administration (GSA) excluded provider list, federal contractor (SAM) exclusion list, and the OIG exclusions lists?” … a year into the contractual relationship.

This article does not provide medical advice, but this sort of question has been known to cause side effects such as an increased heart rate, trouble sleeping, and hopes that your organization is not scheduled for an audit. Although some questions from your FDR can be extremely concerning, these questions are often found to be built on a breakdown of communication and understanding regarding each organization’s responsibility.

One of the first steps to avoiding a breakdown of communication and understanding is to fully understand your organization’s relationship with a vendor. For MAOs, the primary question will be whether the vendor that you are contracting with is an FDR. Another important consideration for a compliance professional is how and what oversight responsibility the vendor owes the MAO and also how much oversight responsibility the vendor should be tasked with. After clearly defining the relationship and defining each organization’s oversight duties, it is important to express this mutual assent in writing in the form of a contract.

The implementation of these steps does not eliminate potential breakdowns of communication, but it does provide valuable support for building a positive and productive relationship for the individuals that your organization serves. The Medicare Managed Care Manual (Chapter 21) assists an MAO with defining their relationship with a vendor and understanding the six most important questions.

What is an FDR?

To build a valuable relationship with a vendor, an MAO must answer the often-asked question: Does this vendor qualify as an FDR? To break that down, it is the terminology used by the Centers for Medicare & Medicaid Services (CMS) to identify those vendors that contract with an MAO to perform administrative and/or healthcare service functions relating to the MAO’s contract(s) for Medicare Parts C and D.[1]

As stated in Chapter 21, “it is critical that sponsors correctly identify those entities with which they contract that qualify as FDRs.”[2] CMS requires that MAOs conduct an analysis of all of the circumstances related to the vendor’s responsibilities, unless it is clear that an entity can be established as fitting within the FDR definition or is clearly not an FDR.[3] To ensure that the conundrum of FDR status is ascertained by an MAO, CMS also requires that FDRs have a defined process and criteria to evaluate and categorize all vendors that are contracted to perform services on behalf of the MAO for the Medicare contract.[4]

To assist MAOs in the evaluation of FDR status, CMS provided some areas for consideration. As a base guideline for conducting the FDR status analysis, CMS suggests that MAOs look at:

  • The function being performed (see Chapter 21 for a full list)

  • The impact for the enrollee

  • The vendor’s access to protected health information (PHI)

  • Whether or not decision-making authority is being delegated

  • The vendor’s ability to commit fraud, waste or abuse (FWA)

The risk the vendor presents to the MAO[5]

Because CMS does not provide the exact methodology for the determination of FDR status, a magnitude of effective methods are used for making these determinations, depending on your organization’s size, structure, and processes. A few of the methodologies include using an FDR Decision Tree, hosting a decision-making committee that deliberates on whether the vendor should be designated as an FDR (Note: It is recommend to have specific criteria in place to discuss at these meetings), or a combination of these processes.

Once you have determined the best process for your organization, you need to document this in an official policy and procedure to ensure that the standard is set and you are consistent in your execution and determinations of which vendors are defined as FDRs and the vendors that are outside the FDR definition.

Where does it say I am supposed to do that?

After you have determined that your vendor qualifies as an FDR, it is important that you work with legal counsel to solidify your relationship with a written contract. Under Chapter 11 and Chapter 21, CMS tasks the MAO with the ultimate responsibility for ensuring that any function contracted to another entity is performed in accordance with applicable standards.[6] ,[7] Although an MAO has the ultimate responsibility for contract compliance, an MAO may shift some of the financial penalties associated with non-compliance to its FDR. Given the potential financial and reputational penalties that result from some noncompliance, the contract is a way to assign some responsibility to a vendor for the services that they perform. In some instances, the contract may also be a method for the MAO to require an FDR to assist in any remediation efforts required by a regulating entity.

In Section 100.5 of Chapter 11, CMS has outlined specific provisions that must be included in FDR contracts.[8] One provision that has been reiterated throughout this article is also included in Chapter 11—CMS states that “the person or entity must agree to comply with all applicable Medicare laws, regulations, and CMS instructions.”[9] The contract can be an important tool to require FDRs to remain aware of changes to CMS regulations and instructions.

For instance, many FDRs wonder if they should be responsible for monitoring the guidance that is distributed through the Health Plan Management System as memorandums. For some small vendors that deliver services that have a limited affect on the operations of the MAO, it may be appropriate for the MAO to provide updated information regarding changes to CMS regulations and/or instructions. However, for large vendors, such as prescription benefits managers, it may be best to include contract provisions requiring the vendor to remain abreast of changes to legal or regulatory guidance and to establish policies and procedures to implement these changes to ensure that both the FDR and MAO maintain compliance.

Is that my responsibility?

Responsibility for the FDR does not end when the contract is signed. That is truly just the beginning of the MAO’s obligation for FDR oversight. Determining that your vendor is an FDR removes some of the improvisation that is commonplace in the MAO-FDR relationship. Incorporating effective oversight requirements ensures that your vendor is aware that they are an FDR and the requirements that may be applicable to the service(s) they perform. The most important point to remember about contracting with FDRs is that, as the MAO, you are responsible for oversight of the FDR and ensuring they maintain compliance with the terms and conditions of your contract with CMS and for meeting the Medicare program requirements.

If an FDR fails to be compliant, CMS may hold the MAO responsible and accountable for the failure. An MAO must conduct an analysis of the functions that the FDR conducts on behalf of the MAO and answer questions such as:

  • How much oversight is necessary for the MAO to conduct?

  • How often should you be communicating with your FDRs?

  • What expectations should you have of them sharing information with you?

  • Should you be monitoring daily, weekly, monthly, quarterly, or annually?

  • Does their risk lead to the necessity for an audit?

  • If so, can it be a desk audit or should it be conducted onsite?

  • What communication methods are in place to ensure reporting of concerns or issues?

These are all questions you should be asking yourself when determining the level of oversight that is necessary for your FDRs and much of this can be based on the level of risk the vendor presents to your organization.

Are you managing FDR risk?

You have determined that your vendor is an FDR and each parties’ responsibilities, and you have worked with legal counsel to create a contract to avoid noncompliance. How do you ensure that the vendor is conducting their delegated responsibility in accordance with your contract and regulatory guidance? In Chapter 21, CMS simplified this question by requiring MAOs to monitor and audit FDRs to ensure they are compliant with all applicable laws and regulations.[10] The use of a risk assessment is a way to manage the difficulty of determining which vendors should be monitored and audited and when the monitoring or auditing event should occur.

Auditing all of your FDRs on an annual basis is the best way to ensure compliance, but this may not be feasible, depending on the number of FDRs with whom you contract. Therefore, you need to conduct a risk assessment of your FDRs to determine the level of risk that they present to your members and your organization. Your findings from this assessment can help you determine the level of monitoring and/or auditing that you need to conduct and help you balance your focus.

Those FDRs that have the ability to create member harm and that conduct significant functions related to the contract you hold with CMS are the FDRs that need the most in-depth oversight. They are most likely the highest risk to not only your organization but, more importantly, to the members you serve. You should consider conducting on-site audits of these high-impact FDRs. Additionally, your business areas should be conducting routine monitoring of these delegated functions to ensure that the vendor is conducting them in a manner that is compliant with the regulations and their contract.

For those FDRs that you determine are medium- and lower-level risks, you can then determine the level of oversight, the frequency of your monitoring/auditing, and level of consistent reporting from the organization.

How do I build an effective relationship with my vendor?

We have discussed the determination of FDR status, contracting responsibilities, oversight, monitoring, auditing, and risk assessments. This may seem like a heavy lift for the vendor and the MAO, but having effective communication can ease the burden and shed a positive light on these expectations and responsibilities. Therefore, it is extremely important to set your expectations from the beginning, both within the vendor contract, as well as with your relationships with the representatives from the vendor. Your contract should have strong service level agreements, spell out the regulatory expectations, and have penalties (up to and including termination) for when the vendor is not meeting these requirements.

Additionally, the operational area that is contracting with the FDR, as well as representatives from the internal compliance program, should build relationships with the vendor representatives at the beginning and continue that relationship throughout the life of the contract. This is a crucial part of having open lines of communication between you and the FDR. The stronger the relationship, the more likely the vendor will be to communicate issues to the MAO.

It is also the responsibility of the MAO to ensure that regulatory changes and updates applicable to the functions the vendor is conducting are communicated to the FDR in a timely fashion. The MAO must then confirm with the FDR that they have implemented any applicable changes to meet those requirements and monitor these changes to ensure they are in compliance with current regulatory guidance.

The FDR should also be held responsible for communicating the results of their internal monitoring and/or auditing efforts. Open lines of communication need to exist in order to ensure FDRs have methods for reporting compliance and/or FWA concerns to the MAO.

So why am I responsible for all of this?

To establish effective vendor oversight, the MAO must be able to answer whether their vendor qualifies as an FDR. Additionally, the MAO must be able to identify the responsibilities of the vendor to create a contract that holds both the vendor and any downstream entities accountable for complying with all laws and regulations applicable to their contract. The MAO must also conduct regular auditing and monitoring to ensure that vendors are completing their delegated contractual responsibilities in accordance with the contract and any applicable laws and/or regulations.

The question that you might have as a very busy compliance professional is why you should be worried about this topic. The short answer is that there are many benefits to having oversight of your vendors, including member safety and satisfaction, risk reduction, and the minimization of the personal and professional effects of sleep deprivation.

Members and their safety must be at the forefront of the MAO and the compliance professional’s mind, including when they are conducting oversight of vendors. Although you might expect your FDR to be an expert in the function that you have contracted with them to complete, it is the MAO’s responsibility to ensure that the FDR is conducting business in a manner that is compliant with the regulations and to ensure that members are being treated appropriately.

The role of the compliance professional and the MAO is to engage in the vendor oversight conversation with FDRs and to provide answers to the many tough questions that vendors may have when navigating the complex rules of federal, state, and regulatory authority. Creating an effective vendor management oversight program and, ultimately, a great relationship with your vendor, can lead to minimizing the effects of noncompliance on your members and potential financial penalties associated with noncompliance.

Takeaways

  • MAOs must define a process for identifying FDRs.

  • MAOs should clearly define FDR vs. MAO responsibility and establish a written contractual relationship with each FDR.

  • MAOs must conduct routine monitoring and auditing of FDRs to ensure that the FDR is conducting their delegated responsibilities in compliance with all regulatory and legal authority.

  • MAOs must develop a healthy relationship with each vendor and open communication to ensure any issue is readily communicated to the MAO.

  • The MAO is ultimately responsible for the actions of any FDR contracted to complete activities for the Medicare contract.

 
2 Idem, page 11
3 Idem
4 Idem, page 12
5 Idem
6 Idem
7 CMS: Medicare Managed Care Manual, Chapter 11 – Medicare Advantage Application Procedures and Contract Requirements (Rev 83, 04-25-2007). https://go.cms.gov/2F5FM3k
8 Idem
9 Idem
10 Ibid, Ref #4
1 CMS: Medicare Managed Care Manual, Chapters 21 and 9. http://go.cms.gov/2fFSkzM, pages 5, 7


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings