What is an FDR?
CMS defines an FDR as any entity that contracts with a Medicare plan to provide administrative or health care services to enrollees.
- First Tier Entities provide administrative or health care services directly to our members through a direct contractual relationship with us.
- Downstream Entities provide services related to plan benefits through arrangements with first tier or other downstream entities, extending to the ultimate provider of administrative or health care services.
- Related Entities are organizations that share common ownership or control with us that:
- Perform management functions under contract or delegation;
- Furnish services to members under an oral or written agreement; or
- Lease real property or sell us materials for more than $2,500 during a contract period.
Examples of services provided by FDRs
Services FDRs often perform include claims processing; sales and marketing; quality improvement activities; enrollment and disenrollment functions; licensing and credentialing; hotline operations; fulfillment services; and other contracted services that support plan benefits administration.
Health care providers are FDRs and include physicians, hospitals, dentists and other licensed providers. Under Chapters 9 and 21 of the Medicare Managed Care Manual, organizations that deliver health care services or operate as provider groups are usually considered first-tier entities. However, when a plan contracts with a provider group but does not contract directly with the individual hospitals or providers within that group, those entities are classified as downstream entities in accordance with CMS guidance.
Why we provide FDR oversight
We’re obligated to meet the terms and conditions outlined in our contracts with CMS, including full compliance with all applicable Medicare program requirements. FDRs must also meet these standards. In addition, FDRs must be sure any downstream entities they work with comply with all relevant guidelines and contractual obligations.
Compliance’s role in FDR oversight1
CMS requires all health plans to establish and maintain an effective compliance program. It must include robust measures designed to prevent, detect and correct noncompliance, as well as fraud, waste and abuse. These safeguards help ensure the integrity of Medicare services and protect members. An effective compliance program must:
- Include written policies, procedures and standards of conduct.
- Have a Compliance Officer, compliance committee and high-level oversight.
- Have effective training and education.
- Establish lines of communication.
- Follow well publicized disciplinary standards.
- Provide an effective system for routine monitoring and identification of compliance risks.
- Have procedures and a system for prompt response to compliance issues.
Plans may not delegate compliance program administration functions (e.g., Compliance Officer, compliance committee, compliance reporting to senior management, etc.) to entities other than its parent organization or corporate affiliate. However, sponsors may use FDRs for compliance activities such as monitoring, auditing and training.
What is an FDR’s obligation for compliance?
Just as we have an obligation to conduct business ethically and to comply with state and federal laws and regulations, our FDRs must also comply with applicable laws and regulations. FDRs must also ensure their downstream entities comply with Medicare’s compliance requirements.
Medicare’s Compliance Program Requirements2
FDRs must comply with the following Medicare compliance requirements:
- Implement fraud, waste and abuse (FWA) and general compliance training.
- Distribute the Code of Conduct/compliance program policy.
- Screen for excluded individuals and entities.
- Maintain record retention.
- Make employees aware of reporting mechanisms.
- Report FWA and general compliance concerns to us.
- Report offshore subcontracting.
- Monitor and audit downstream and related entities.
Training requirements can be found in the Medicare Managed Care Manual, Chapter 21, §§ 50.3.1 and 50.3.2.
Noncompliance
An FDR’s failure to meet the CMS compliance requirements could lead to:
- Development of a corrective action plan
- Retraining
- Termination of their contract with us
How to report Compliance concerns?
If you find out about an actual or potential compliance violation, report it to Compliance as soon as possible. The Chief Compliance Officer will assign a reviewer to see whether the report needs an investigation. The company may take immediate action to address urgent issues.
We’ll handle reported concerns confidentially as much as possible, and we’ll share information only with people who have a legitimate need to know. Investigations will be conducted promptly, and outcomes will be shared with appropriate individuals and management. If a concern is verified, the company will determine any necessary disciplinary or corrective action.
You may report concerns to Corporate Compliance through:
- Compliance Hotline: Call 888-343-4221 or (423) 535-7900, or submit a web form on bcbst.com. An independent vendor manages these options, so they allow for anonymous reporting.
- Email: Send a message to compliancehotline@bcbst.com. (This method is not anonymous.)
- Mail: Submit your concern in writing to:
Corporate Compliance Department
1 Cameron Hill Circle
Chattanooga, TN 37402
Offshoring3
Offshoring is when a plan’s FDR conducts business outside of the United States or one of its territories. These can be American-owned companies with some of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States.
Offshore services are services the offshore entity will or may use to receive, process, handle, transfer, access or store plan enrollees’ Protected Health Information (PHI). The services are performed by workers outside the United States, regardless of if they are employees of American or foreign companies.
Examples of PHI include:
- Member name
- Birth date
- Address
- Social Security number
- Medicare beneficiary identifier
- Diagnosis
- Medical history
- Medical records
- Provider type
- Payment information
- Insurance information
- Any information that could reasonably identify a member
Any FDR that performs services outside the United States or contracts with an entity that does will need to complete an offshoring attestation to report to CMS. CMS requires attestations related to offshore entities that plans contract with to receive, process, transfer, handle, store or access member PHI.
Completed offshore attestations should be sent to the Medicare Compliance mailbox at CorpComplianceMA_GM@bcbst.com.
CMS asks plans to submit offshore attestations when:
- Plans enter a contract with an offshore contractor for the first time; or
- A current offshore contractor’s function changes.
Record Retention and Record Availability
CMS requires records and documentation that meet program requirements be kept for 10 years. This includes, but isn’t limited to, attendance records, training records or any other documentation that shows compliance with program requirements.
If an FDR contracts with a Downstream Entity to provide administrative or health care services, the Downstream Entity must agree to audits and reviews by CMS and us, and they must provide requested information.
Record retention requirements can be found at 42 CFR § 422.504 (i)(4)(v).
Monitoring FDRs
We’re responsible for being sure our Medicare Advantage plans are compliant with our CMS contractual requirements. CMS also requires us to monitor and audit our FDRs to ensure they’re compliant with all applicable laws and regulations.
FDRs that contract with other entities or individuals to provide administrative or health services are responsible for ensuring their Downstream Entities comply with all CMS requirements and their contractual obligations to us.
Any FDR found to be noncompliant with any contractual requirement or CMS guideline will be subject to a corrective action plan to fix the problem. CMS monitoring requirements can be found in 42 C.F.R. §§422.503(b)(4)(vi)(F) and 42 C.F.R. 423.504(b)(4)(vi)(F), and the Medicare Managed Care Manual Chapter 21 §50.6.6.
Questions
If you have any questions about this information, please email CorpComplianceMA_GM@bcbst.com.
Footnotes
- BlueCross BlueShield of Tennessee is committed to conducting business with integrity, transparency and high ethical standards. We also comply with all applicable laws and regulatory requirements to deliver quality health care to our members. In addition to serving members, we also must fulfill contractual obligations with vendors, government agencies and contractors. This includes our partnership with the Centers for Medicare & Medicaid Services (CMS) to administer Medicare benefits through the BlueAdvantage (PPO)SM Medicare Advantage plan and to provide coverage to eligible Medicaid beneficiaries through the BlueCare Plus Tennessee Dual Eligible Special Needs Plans in collaboration with the State of Tennessee. As part of these agreements, we’re required to oversee vendors, many of whom are considered First Tier, Downstream and Related Entities (FDRs), to ensure they comply with CMS regulations and contractual requirements.
- Medicare Managed Care Manual Chapter 21§50
- CMS Memo dated August 28, 2008: Offshore Subcontractor Data Module in HPMS
