Under federal law, Medicare Advantage plans and Part D plan sponsors may delegate administrative or healthcare service functions to third parties, such as a medical group, pharmacy benefit manager, claims administration organization or hotline vendor. This delegation may cause the subcontracted entity to be identified as a first-tier, downstream or related entity (FDR) if the delegated entity provides a core function under the plan’s contract with CMS. However, being a FDR can come with significant responsibilities, including the duty to screen against the federal exclusion lists –  the OIG’s List of Excluded Individuals/Entities (LEIE) and the GSA’s System of Award Management (SAM) database.  In this article, we will review the duties of Medicare contract delegated entities with particular focus on exclusion screening requirements. 

CMS sets forth very clear expectations for Medicare Advantage plans and Part D Drug plan sponsors. Plans can delegate services but not accountability.  Plans are ultimately responsible for all services rendered whether they provide the services directly or through downstream agreements with third parties. In the event of noted subcontractor deficiencies, the plans remain responsible and will face the contractual consequences.  This dynamic has resulted in the development of downstream entity management infrastructure in many large insurance organizations to assure that subcontractors are fully compliant with their contractual duties.  Many create compliance guides to assist their contractors. However, not every contract entered into by a Medicare plan with a third party creates the same downstream expectations. 

Understanding Medicare’s Third-Party Delegation Requirements

There are three types of subcontracted entities defined by CMS related to its Medicare program.

A first-tier entity is any party that enters a written arrangement, acceptable to CMS, with an MA organization or Part D plan sponsor. These arrangements provide administrative or health care services to a Medicare-eligible individual under the MA program or Part D drug program.

A downstream entity is any that enters a written arrangement, acceptable to CMS, with persons or entities who are involved with the MA benefit or Part D benefit. They are below the level of the arrangement and between the following:

• An MA organization or applicant
• A Part D plan sponsor or applicant
• A first-tier entity

These arrangements continue down to the level of the ultimate provider of both health and administrative services. For example, if a MA plan contacts with a hospital group (first-tier) but does not have a direct contract with the group’s individual hospitals or provider network, then those hospitals and providers are considered downstream entities.

A related entity is any party that holds common ownership or control of an MA organization or Part D sponsor and:

• Performs some of the MA organization or Plan D plan sponsor’s management functions under    contract or delegation
• Furnishes services to Medicare enrollees under an oral or written agreement
• Leases real property or sells materials to the MA organization or Part D plan sponsor

Determining FDR Status

The types of services provided by subcontractors determine whether they are considered FDRs. While a specific methodology is not outlined, your organization should have a process to consistently evaluate the FDR status of subcontractors performing services on your behalf. The Medicare Manual sets forth considerations when determining if an entity qualifies as an FDR:

• The impact of the services on beneficiaries
• Access to protected health information
• Decision-making authority
• The ability to commit fraud, waste, or abuse
• The overall risk associated with the entity

Health care providers including physicians, hospitals and other provider types are considered FDRs.  According to Medicare Part C (Medicare Advantage/MA) regulations and CMS rules, providers who contract with Medicare or Part D plans to provide health care services are first-tier entities.  

The picture is less clear for subcontractors who provide administrative services. MA and Part D plans must develop and implement processes to determine which vendors qualify as FDRs. Because FDRs have been delegated to perform a core function of a plan’s Medicare program, they must follow Medicare program requirements and regulations, including oversight of their own downstream entities which provide health care or administrative services to Medicare plans.

Below are some examples of core administrative functions that, if delegated, would likely require FDR designation:

Duties of a Delegated Entity

FDRs must comply not only with the terms of their contract with their Medicare Advantage plan or Part D plan sponsor but also all applicable Medicare requirements and federal and state regulations and guidance.  Just as Medicare Advantage plans and Part D drug sponsors hold first tier organizations accountable for non-compliance and require remediation of deficiencies, FDRs must do the same for their downstream entities. First tier organization contracts with downstream entities must include the CMS required provisions. The focus of this section is the duties of FDRs relating to exclusion screening.

As an FDR, an organization is required to fulfill the following Medicare program requirements:

• Distribute a code of conduct or a compliance policy
• Conduct general compliance and FWA education and training
• Conduct regular exclusion list screenings
• Communicate reporting mechanisms to employees for notifications of non-compliance
• Monitor and audit first tier, downstream and related entities
• Report FWA and compliance concerns their upstream entity

Exclusion Screening

Individuals or entities that have been excluded from participating with Medicare, Medicaid and other Federal or State health care programs cannot receive compensation, directly or indirectly, related to the administration or delivery of Medicare program services. FDRs must screen all employees, contractors, volunteers, vendors, and board members upon or before hire/contracting and monthly thereafter against the both OIG’s LEIE and the GSA’s SAM database. Neither database alone provides all the exclusion information needed. Evidence of monthly screenings must be documented and retained for not less than 10 years.

If an organization delegates any functions to a downstream or related entity, it must ensure that the downstream entity is also completing the exclusion checks for the same individuals as noted above with the same frequency. A Medicare Advantage plan or Part D plan sponsor may request documentation of these checks to ensure FDR compliance. If an FDR or a downstream entity fails to meet the CMS exclusion screening requirements or identifies an excluded individual/entity during monthly screening, this should be reported upstream immediately.

Downstream Monitoring and Auditing

If an organization is a first-tier entity that contracts with a downstream or related entity to perform services, it must monitor and audit that downstream or related entity to ensure contract and program requirements are being met. This includes monitoring and auditing to assure that exclusion screening is being conducted.  It is expected first tier entities will impose corrective actions when deficiencies are identified. A Medicare Advantage plan or Part D plan sponsor may request documentation of such monitoring and auditing and corrective action.

Conclusion

The duties of an FDR are considerably more burdensome than those of other subcontractors. For this reason, Medicare Advantage plans and Part D plan sponsors organizations generally define FDRs as narrowly as legally permissible. The intent of CMS as pertains to exclusion screening is clear:  All health care and core administrative services will be rendered by individuals and entities who have demonstrated a respect for the law and will provide high quality services to Medicare beneficiaries. Excluded or debarred parties may not participate at any contract tier of Medicare Advantage or Part D plan.