Understanding the Obligations of FDR Entities
In service to clients, our firms adhere to many compliance standards, including those of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security, Office of Inspector General (OIG), coding guidelines, and others. But what about FDR (first tier, downstream, and related entity) compliance? We may have obligations as a first tier, downstream, and related entity that are often overlooked in the compliance line up. However, we need to be prepared in the event that our clients request information from us for an external audit or inquiry from the Medicare health plan.
What Is an FDR?
First tier, downstream, and related entities are individuals or entities that are providing services under a Medicare Part C (Advantage) or Medicare Part D (Pharmacy) program. Many hospitals, physicians, and other entities are directly contracted with Medicare health plans under one or both of these programs. When an entity is subject to the FDR standards, it needs to be related to a core function of program administration such as billing, credentialing, or healthcare services.
HBMA members may offer services to providers and some health plans that are classified as core services. As a result, direct contracting with the health plan is "first tier." This applies to providers but may include some HBMA members who work directly with health plans. In most cases, HBMA members will be subcontractors of providers (first tier) and will qualify as "downstream." Therefore, several compliance obligations in the Medicare manual for Parts C and D need to be considered by you as well.
Is FDR Compliance New?
It is not new. In fact, you may have previously received questions from providers asking you to review annual education attestation from Medicare Advantage plans – this document relates directly to FDR compliance and the education requirements. However, FDR compliance is now increasingly being reviewed by health plans because they are getting audited directly by the Centers for Medicare and Medicaid Services (CMS) on program administration.
Is FDR Compliance Difficult?
The good news is that FDR compliance closely mirrors the effective elements of a compliance program that we regularly see in other standards such as OIG. There are a few differences or specifics that should be noted:
- The timeline for new employee education on standards of conduct, policies, etc. must be completed within 90 days of date of hire.
- Expectations that the First Tier entity (i.e., providers) is providing its policies and procedures to you.
- Strong recommendations for compliance officers and committees for the Parts C and D program that can be compared against your compliance officer and committee's roles.
- Use of the CMS-approved web-based trainings on compliance and fraud, waste, and abuse.
- Strong recommendations for auditing and monitoring structure.
Advertisement. Click on image to visit advertiser's website. Story continues below.
What Are My Next Steps?
This is a great opportunity to have a discussion with your clients to understand how health plans will be auditing the clients to ensure that FDR standards are met. It may be the case that clients do not understand these requirements and you have a service and educational opportunity.
Compare the FDR standards against your own compliance program. Are there areas you can improve? Are there new ideas you can apply? Are there gaps that you can close? These questions present you with new angles on your program risk analysis to explore and evaluate.
Where Can I Learn More About FDR Requirements?
Medicare publishes its compliance manual jointly for the Parts C and D programs called the Medicare-managed Care Manual and Prescription Drug Benefit Manual. You can find it located in the Medicare manual downloads on the CMS website at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf. Additionally, most health plans include information on their websites about Medicare Advantage products and compliance requirements.
Carrie Aiken serves as the associate director of Corporate Compliance and Privacy Offices for Navitus Health Solutions. In this role, she provides active leadership and support for the Navitus Corporate Compliance Program and is the HIPAA Privacy Officer. She has over 25 years of experience across several healthcare disciplines physician, hospital, home health and pharmacy, as well as contracting and revenue cycle.