Compliance Program Requirements for Medicare Advantage First Tier, Downstream or Related Entities (FDRs), Annual Attestation and Disclosure Statement

Transcription

1 Compliance Program Requirements for Medicare Advantage First Tier, Downstream or Related Entities (FDRs), Annual Attestation and Disclosure Statement May 1, 2018 Dear: First Tier Delegated Entity Your Organization is receiving this Annual Attestation and Disclosure Statement because your Organization has contracted with Mercy Care as a First Tier, Downstream, or Related Entity (FDR) for our Mercy Care Advantage product. Mercy Care is committed to complying with all applicable regulations specified by Centers for Medicare & Medicaid Services (CMS) under our Mercy Care Advantage contract, while upholding the highest ethical business laws, rules, and regulations. Mercy Care s commitment to compliance includes ensuring that all of our contracted First Tier, Downstream, and Related Entities (FDRs) understand and operate in compliance with the federal laws applicable to the Medicare program, which includes CMS rules, regulations, and sub-regulatory guidance. CMS definitions of a First-Tier, Downstream, and Related Entity First Tier Entity is any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization or Part D plan sponsor or applicant to provide administrative services or healthcare services to a Medicare eligible individual under the Medicare Advantage program or Part D program. Downstream Entity is any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the Medicare Advantage benefit or Part D benefit, below the level of the arrangement between a Medicare Advantage Organization or applicant or a Part D plan sponsor or applicant and a first tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. Related Entity means any entity that is related to a Medicare Advantage Organization or Part D sponsor by common ownership or control and: 1. Performs some of the Medicare Advantage Organization or Part D plan Sponsor s management functions under contract or delegation; 2. Furnishes services to Medicare enrollees under an oral or written agreement; or 3. Leases real property or sells materials to the Medicare Advantage Organization or Part D plan Sponsor at a cost of more than $2,500 during a contract period. As a contracted FDR, your organization must have processes in place to prevent, detect, and correct noncompliance with CMS program requirements. Your Organization s employees and downstream contractors must abide by federal laws related to the Medicare program as well as CMS rules, regulations and sub-regulatory guidance. 1

2 Included in this packet for your review are: Section 1) Medicare Participation Compliance Program Requirements Section 2) Compliance Requirements for Mercy Care s First Tier, Downstream and Related Entities Section 3) Attestation s, Organization Information and Signatures the attestations must be returned to Mercy Care s Medicare Compliance Department. Mercy Care FDR Web Page Mercy Care implemented an FDR web page on our Mercy Care Provider website. This web page contains information and resources such as our Compliance Program and policies, Aetna Code of Conduct and FDR newsletters to assist our contracted FDRs. We encourage you to routinely check this web page for new information and resources. ACTION REQUIRED If you are an existing contracted FDR, please review this packet, complete, sign, and return the enclosed FDR Attestation and Offshore Attestation within (30) calendar days of the date on this notice. If you are a newly contracted FDR, please review this packet, complete, sign and return the enclosed FDR Attestation and Offshore Attestation within (60) calendar days of the date on this notice. Please see page 9 for instructions and options to return your completed attestations. If you have any questions regarding the information in this packet, feel free to contact me at or MaciasC1@Aetna.com. To report non-compliance or potential Fraud, Waste and Abuse, please contact me directly at the phone number provided or send an to the address provided. You may also report anonymously by contacting our toll-free ALERTLINE toll-free at in the U.S. (7 days a week, 24 hours a day) or visit ALERTLINE on the web at Thank you, Chris Macias Medicare Compliance Officer Mercy Care Advantage MaciasC1@aetna.com Office: E. Cotton Center Blvd., 2

3 Section 1. Medicare Participation Compliance Program Requirements Compliance and Fraud, Waste and Abuse (FWA) Training The Centers for Medicare & Medicaid Services (CMS) requires that FDRs use CMS s training courses to meet the FDR training requirements. All of the Organization s employees (including temporary or volunteer), and Organization s downstream and related entities (subcontractors) must complete required compliance and FWA training if any persons are involved in the administration or delivery of the Medicare Program benefits. Training must be completed within 90 days of initial hire and annually thereafter. Additionally, FDRs should have an established code of conduct, compliance policies, and/or a compliance program within your Organization. You can provide the CMS trainings in one of two ways: 1. Have employees and business partners complete the training modules on the CMS Medicare Learning network (MLN) website at Learning-Network-MLN/MLNProducts/WebBasedTraining.html The General Compliance course is named Medicare Parts C and D General Compliance Training (January 2018). The FWA training is named Combating Medicare Parts C and D Fraud, Waste and Abuse (FWA) Training (January 2018). 2. Download or print the CMS general compliance training and FWA training and incorporate them into your training materials/system. The content of the CMS training modules cannot be changed to ensure the integrity and completeness of the training. CMS provides a training certificate upon training completion that can be used as evidence of completion. This information must be available upon request by Mercy Care or CMS. The only exception to this training requirement is if individuals within your Organization are deemed to have met the FWA certification requirements through enrollment into Medicare Parts A or B of the Medicare program or though accreditation as a supplier of Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS). Those parties deemed to have met the FWA training through enrollment into the CMS Medicare Program must still complete CMS general compliance training. Record Keeping You must maintain evidence of training completion, attestations, and other records required under your Mercy Care FDR contract for 10 years. Evidence of required training completion may be in the form of certificates from the MLN, attestations, or training logs. Your Organization will be asked to provide documentation to support training completion if Mercy Care is selected for a CMS audit and for internal audits conducted by Mercy Care as part of FDR oversight requirements. Organizations must maintain a log of employees who are required to take training, employees who completed the training and the materials utilized for training. Training logs need to include: Employee names and dates of employment Dates of completion and passing scores (if applicable to the testing) 3

4 Code of Conduct Under a Plan Management Services Agreement with Aetna, Mercy Care utilizes and complies with the Aetna Code of Conduct. Mercy Care requires that all FDRs supporting the Medicare Advantage and Part D Prescription Drug Programs to either adopt and abide by the Aetna Code of Conduct or implement a code of conduct that incorporates requirements consistent with Aetna s Code of Conduct. If you re Organization implements a Code of Conduct, it must explain your Organization s over-arching principles and values by which your Organization operates, and define the underlying framework for the compliance policies and procedures. The Code of Conduct must provide the standards by which employees and Business Partners will conduct themselves including the responsibility to perform duties in an ethical manner and in compliance with laws, regulations, and policies. Your processes must include detailed and specific guidance regarding how to report potential compliance and potential FWA issues. Your Organization s Code of Conduct should include provisions to ensure employees, managers, officers and directors responsible for the administration or delivery of the Medicare benefits are free from any conflict of interest in administering or delivering Medicare benefits. Conflicts of interest are created when an activity or relationship renders a person unable or potentially unable to provide impartial assistance or advice, impairs a person s objectivity, or provides a person with an unfair competitive or monetary advantage. Your Organization must have processes to ensure employees and business partners, as a condition of employment, read and agree to comply with all written compliance policies and procedures and code of conduct within 90 days of date of hire and annually thereafter. Employee statements or certifications should be retained for 10 years and made available upon request to Mercy Care or CMS. A copy of the Aetna Code of Conduct is available for review on our FDR web page at: FDR Oversight and Disclosure Mercy Care monitors contracted FDRs using various methods, metrics and reporting data depending on the functions delegated. As required by CMS, FDRs are required to disclose and respond to identified compliance deficiencies promptly. Upon the discovery of any compliance deficiency, either through your own internal compliance activities or through notification from Mercy Care, your Organization must take immediate action to determine root cause, member impact and develop a corrective action plan and timeframe for required remediation. Prompt disclosure will allow Mercy Care to assist in required remediation and provide notification to CMS (as applicable), in accordance with CMS rules, regulations, and guidance. To report non-compliance or potential Fraud, Waste and Abuse, please contact Chris Macias, Medicare Compliance Officer at or via MaciasC1@aetna.com. Non-compliance issues may also be reported anonymously by contacting the toll-free ALERTLINE at in the U.S. (7 days a week, 24 hours a day) or visit ALERTLINE on the web at 4

5 Compliance Program Guidelines To help organizations understand and comply with CMS Compliance Program expectations, CMS issued the Medicare Managed Care Manual Chapter 21 and the Prescription Drug Benefit Program Manual Chapter 9 which contains the Compliance Program Requirements for Part C and Part D respectively. Medicare program requirements apply to FDRs delegated to provide administrative or health care service functions relating to Mercy Care s Medicare Part C and D contracts. A link to this CMS manual is provided below; contracted FDRs must review this manual and ensure appropriate protocols are in place to comply with CMS requirements and guidelines. CMS Audits and Monitoring Projects CMS conducts regular monitoring projects and Medicare Advantage program audits of contracted plan sponsors. These monitoring projects and audits help CMS to evaluate and validate plan sponsors and FDR compliance for delivering benefits and services in accordance with CMS contract and core program requirements. Organizations delegated to provide services and functions associated to our Mercy Care Advantage contract are required to participate in internal audits conducted by Medicare Compliance and/or CMS audits upon selection. CMS releases annual audit protocols that explain their audit approach, universes, and documentation required to measure the outcome of the selected Part C and D performance areas. FDRs delegated for Part C or D functions applicable to the Mercy Care Advantage contract are required to review and comply with CMS Audit Protocols which are available at: Audits/ProgramAudits.html Sub-Delegation Sub-delegation occurs when a Mercy Care delegated FDR gives another entity the authority to carry out a delegated responsibility that Mercy Care delegated to the FDR. If your Organization decides to subdelegate any current delegated function, you must first obtain prior approval from Mercy Care. Requests for sub-delegation must be submitted in writing to Mercy Care ninety (90) days in advance of the anticipated sub-delegation effective date. If approved, the contract between Mercy Care and your Organization will be amended to include the sub-delegation function and will be communicated to the appropriate regulatory agencies. Any sub-delegation shall be subject to all requirements set forth herein as mandated by CMS. 5

6 Offshore Subcontractors To help ensure Mercy Care is compliant with CMS and AHCCCS Medicaid regulations for offshore subcontracting, Mercy Care s contracts with Organizations based in the United States and its territories includes contract language specific to Offshoring. The term Offshore refers to any country that is not one of the fifty (50) United States or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands). Subcontractors that are considered Offshore can be either American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies. Should your Organization want to sub-delegate any Mercy Care Advantage functions or activities to an offshore subcontractor, your Organization must first obtain Mercy Care s approval by following the process described above under sub-delegation. Note: your Organization must complete and submit the Offshore attestation included in this packet even if offshore of activity is not occurring. Exclusion Verification As an FDR of Mercy Care, your Organization is prohibited against employing or contracting with persons or entities that have been excluded from doing business with the Federal Government (42 CFR ). Upon hiring or contracting and monthly thereafter, your Organization is required to verify employees (including temporary and volunteer) are not excluded by comparing them against the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) Excluded Parties List System (EPLS). Upon discovery of an excluded individual, your Organization must provide immediate disclosure to Mercy Care. To assist you in conducting the required verification process, below are links to the GSA and OIG exclusion websites. GSA System for Award Management (SAM) List of Excluded Individuals and Entities (LEIE) 6

7 Section 2. Compliance Requirements for Mercy Care s First Tier, Downstream, and Related Entities (FDRs) 1) Written Policies, Procedures and Standards of Conduct Contracted FDRs must maintain an effective Compliance Program that includes Standards of Conduct as well as specific policies and procedures that implement the operations of the compliance program. An FDR must distribute its Standards of Conduct and compliance policies and procedures to its employees within 90 days of hire, when updated, and annually thereafter. If your organization does not have its own Standards of Conduct, Compliance Program and policies, you must utilize Mercy Care s: 2) Compliance and Fraud, Waste and Abuse Training Contracted FDRs agree to conduct general compliance and FWA training for its employees within 90 days of hire and annually thereafter by utilizing the CMS Compliance and FWA training available on the Medicare Learning Network. FDRs will maintain proof of training, including training logs for staff, for a period of ten (10) years. 3) Effective Lines of Communication Contracted FDRs agree to offer methods for reporting noncompliance and FWA to their employees and publicize these methods to their employees. If an FDR receives a report of, or becomes aware of, potential noncompliance or FWA related to the provisions of its Agreement with Mercy Care, the FDR agrees to disclose such instances to Mercy Care within 10 calendar days of becoming aware of the potential noncompliance or FWA. FDRs must also publish and make employees aware of Mercy Care s toll free anonymous compliance hotline: ALERTLINE in the U.S. (available 7 days a week, 24 hours a day). FDRs agree not to discriminate or retaliate against any employee or agent for reporting a compliance concern or for cooperating in any government or law enforcement authority s investigation or prosecution. FDRs and employees can report noncompliance and FWA issues or concerns to: Chris Macias Medicare Compliance Officer Mercy Care Advantage 4350 E. Cotton Center Blvd., MaciasC1@aetna.com Office:

8 4) Well-Publicized Disciplinary Standards Contracted FDRs agree to publicize disciplinary standards to all employees, including the duty and expectation to report issues and concerns. Disciplinary standards must identify noncompliant, unethical, or illegal behavior through examples. This may be done through trainings, communications, or posters. FDR agrees to take corrective action against its employees when noncompliant or unethical behavior is detected and to maintain records of compliance violation disciplinary actions for 10 years. 5) Sanction/Exclusion Lists Screening Contracted FDRs providing services for Mercy Care s government programs warrant that they meet all applicable terms of participation in the Medicare program. FDR agrees to notify Mercy Care immediately upon any changes in its Medicare participation or other status, or the imposition of any sanction or remedial remedy by applicable state or federal authorities. FDRs agree to review the OIG and GSA sanction or exclusion lists to ensure its employees and downstream entities are not on such lists upon initial hire or contracting, and monthly thereafter. If an employee or subcontractor is found to be on such lists, that employee or subcontractor must be immediately removed from any work directly or indirectly related to all government programs and FDR shall take appropriate corrective actions, including reporting such action to Mercy Care. FDR understands that they may not employ or subcontract with an individual who is excluded from participation in Medicare under Section 1128 or 1128A of the Social Security Act. 6) Oversight, Monitoring and Auditing Mercy Care shall establish and maintain ongoing delegation monitoring and oversight of all aspects of contracted FDR performance. The delegation agreement describes the following: The responsibilities of Mercy Care and the delegated entity, The delegated activities, reporting requirements, and the processes by which Mercy Care evaluates the entity, and remedies for noncompliance. FDR agrees to provide Mercy Care access for auditing and monitoring purposes as required by CMS. If an FDR engages in conduct, that constitutes a breach of the delegation agreement, Mercy Care will take appropriate actions to enforce the delegation agreement. FDR agrees to implement corrective actions for identified deficiencies. At minimum, the corrective action plan shall specify the actions taken to remedy the breach or deficiencies, the date of expected implemented, and the parties responsible for implementation. All documentation of corrective actions must be provided to Mercy Care in writing. Reference: Center for Medicare & Medicaid Services Medicare Managed Care Manual Chapter 21 Compliance Program Guidelines: Guidance/Guidance/Manuals/Downloads/mc86c21.pdf 8

9 Section 3. Attestations and Organization Information and Signature Page Action Required Existing contracted FDR: you must review, complete, sign, and return the two attestations listed below within (30) calendar days of the date on this notice. Please keep copies for your records. New contracted FDR: you must review complete, sign, and return the two attestation listed below within (60) calendar days of the date on this notice. Please keep copies for your records. Annual Attestation and Organization Information and Signature Page (pages 10-12) Offshore Attestation (pages 13-14) Both of the mentioned attestations must be returned to Mercy Care s Medicare Compliance Department. Please complete, sign, print or scan, and return using one of the methods below: to MercyCareAdvantageMedicareCompliance@AETNA.com Or mail to: Mercy Care Plan 4350 E. Cotton Center Blvd.,, Attention: LaRetha Taylor, Medicare Compliance Department If you have any questions regarding the information in this packet or what you need to return, please contact Chris Macias at or MaciasC1@aetna.com. Mercy Care FDR Web Page Mercy Care implemented an FDR web page on our Mercy Care Provider website. This web page contains information and resources such as our Compliance Program and policies, Aetna Code of Conduct and FDR newsletters to assist our contracted FDRs. We encourage you to routinely check this web page for new information and resources. 9

10 Annual Attestation I hereby attest that our Organization, and contracted downstream entities, if any, that are involved in the provision of health or administrative services for Mercy Care or Mercy Care Advantage will: I. Provide CMS Combating Medicare Parts C and D Fraud, Waste and Abuse (FWA) Training to all Organization, downstream entities, Board members, officers, employees, temporary employees, and volunteers, within 90 days of appointment, hire, or contracting, as applicable, and at least annually thereafter as a condition of appointment, employment or contracting. Note: The only exception permitted for this training is for individuals deemed to have met the FWA training through enrollment into the CMS Medicare Program. These individuals are still required to complete CMS Medicare Parts C and D General Compliance Training. II. III. IV. Provide CMS Medicare Parts C and D General Compliance Training to your Organization and downstream entities, Board members, employees, temporary employees, and volunteers: (i) based on their job function within the first 90 days of hire and at least annually thereafter as a condition of appointment, employment or contracting, (ii) when requirements change; (iii) when such persons work in an area previously found to be non-compliant with program requirements or implicated in past misconduct. Have established and publicized compliance policies and procedures, standards of conduct, and compliance reference material that meet the requirements outlined in 42 CFR (b)(4)(vi)(A) and 42 CFR (b)(4)(vi)(A) that are distributed to all Organization and downstream entities, Board members, officers, employees, temporary employees, and volunteers within 90 days of appointment, hire or contracting, as applicable, and at least annually thereafter or when requirements change or updates occur. Have processes implemented to screen Board members, officers, potential and actual employees, temporary employees, and volunteers against the OIG and GSA exclusions lists upon appointment, hire or contracting, and monthly thereafter. V. Have processes implemented to screen employees and governing bodies for conflicts of interest as defined in state and federal law and Mercy Care Policies upon hire and annually thereafter. VI. VII. Will timely report suspected fraud, waste, and abuse, as well as all other forms of noncompliance, as it relates to Mercy Care. Will ensure that persons reporting suspected fraud, waste, abuse, and other noncompliance are protected from retaliation under the False Claims Act and other applicable laws prohibiting retaliation. 10

11 VIII. IX. Understand that any violation of any laws, regulations, or Mercy Care Policies is grounds for disciplinary action, up to and including termination of Organization s contractual status. Will retain documented evidence of compliance with all of the above, including training and exclusion screening (i.e. sign-in sheets, certificates, attestations, OIG and GSA search results, etc.) for at least ten (10) years, and provide such documentation to Mercy Care or CMS upon request. Important Note: If you re Organization or contracted downstream entities are not compliant with any of the regulatory requirements listed in this attestation, please include a written explanation below identifying the area(s) of noncompliance, the action steps to remediate and expected implementation timeframe. Please include a name and contact number of the person in your Organization who can be contacted for more information. Noncompliance Explanation: please describe of area of noncompliance identified. Organization Contact Name: Phone Number: 11

12 Organization Information and Signatures I, attest that I am an authorized representative with signature authority for the Organization listed below. Our Organization is contracted with Mercy Care as a First Tier, Downstream, or Related Entity (FDR) for Mercy Care s Medicare Advantage contract. As a Mercy Care contractor, I understand the Organization, its employees and downstream entities (including contractors and subcontractors) are subject and required to comply with Federal laws related to the Medicare program as well as CMS rules, regulations, and sub-regulatory guidance. I attest on behalf of the Organization that all employees and downstream entities (including contractors and subcontractors) that provide health or administrative services for Mercy Care s Medicare Advantage members through or on behalf of the Organization have access to the CMS required trainings and other required information outlined in this packet to abide by the applicable regulatory requirements. Please note that the certification is intended to be completed at the contract level. If your Organization has multiple tax identification numbers (TINs) under one contract, please list each TIN below. Organization Name Authorized Representative Name Title Phone Number Fax Number Address NPI (10 digits) * Tax Identification Numbers By signature, I certify that the information provided here is true and correct and I understand that CMS, AHCCCS, and/or Mercy Care may request additional information to substantiate the statements made in this attestation. Signature: Phone: Date: 12

13 Offshore Attestation As a contracted Mercy Care FDR, you must complete and return this Offshore Attestation with the required FDR Annual Attestation. Mercy Care will review the information provided in this attestation and contact your Organization if we have any questions. Organization Name: Name of Authorized Person: Title: Phone: Date: Are any administrative or other functions conducted on behalf of your organization by entities located offshore? This includes employees of your organization, downstream entities, and any third party subcontractors. No - Our Organization is Not using any Offshore Subcontractors and/or Employees at this time. Yes - Our Organization is using Offshore Subcontractors and/or Employees. If yes, please complete Parts I-III of this form. Part I Offshore Subcontractor Information 1. Name of Offshore Subcontractor: 2. Proposed or Actual Effective Date your Organization began using the Offshore Subcontractor and/or Employees: 3. Describe the Offshore Subcontractor and/or Employee Functions: Part II Precautions for Protected Health Information (PHI) 1. Describe the PHI that is provided to the Offshore Subcontractor and/or Employee: 2. Explain why providing PHI is necessary to accomplish the Offshore Subcontractor and/or Employee s objectives and responsibilities: 13

14 3. Describe alternatives considered to avoid providing PHI, and why each alternative was rejected: Complete the following attestations with a Yes or No response: Attestation of Safeguards to Protect Beneficiary Information in Item Attestation Response Yes / No A. Offshore Subcontractor/Employee arrangement has policies and procedures in place to ensure that Medicaid, Medicare beneficiary protected health information (PHI) and other personal information remains secure. B. Offshore Subcontractor/Employee arrangement prohibits Subcontractor/Employee access to Medicaid, Medicare, data not associated with Mercy Care s contract with the Offshore Subcontractor/Employee. C. Offshore Subcontractor/Employee arrangement has policies and procedures in place that allow for immediate termination of the subcontractor/employee upon discovery of a significant security breach. D. Offshore subcontractor/employee arrangement includes all required State and/or CMS contractual language Part III Attestation of Audit Requirements to Ensure Protection of PHI Item Attestation Response Yes / No A. Your organization will conduct an annual audit of the Offshore Subcontractor/Employee. B. Audit results will be used by your organization to evaluate the continuation of its relationship with the Offshore Subcontractor/Employee. C. Your organization agrees to share Offshore Subcontractor s/employee s audit results upon request. 14