Bethany A. Corbin (bcorbin@wileyrein.com) is an attorney at Wiley Rein, LLP in Washington, DC and focuses her practice on healthcare, privacy, and cybersecurity.
Establishing a robust and comprehensive compliance program is crucial to the prevention, detection, and mitigation of risk. To assist Medicare Advantage Organizations (MAOs) and Medicare Prescription Drug Plans (Part D) with the creation of an effective compliance structure, the Centers for Medicare & Medicaid Services (CMS) has published extensive guidance on this topic.[1] Although CMS controls the compliance requirements for MAOs and Prescription Drug Plans, it does not have direct authority over a first tier, downstream, or related entity’s (FDR) compliance program.[2]
Instead, CMS establishes requirements and guidance for sponsors of Part D Plans and MAOs to use regarding oversight of their FDRs. This guidance necessarily vests sponsors with discretion regarding how to effectuate and conduct FDR oversight for compliance purposes. Indeed, because sponsors that engage FDRs maintain ultimate responsibility for satisfying all Medicare program requirements, it is common for them to flow down certain compliance requirements and mandate confirmation or proof of compliance. This proof typically takes the form of an annual attestation document or certification. This article discusses the most common sponsor attestation requirements and offers tips for how FDRs can build successful compliance frameworks.
Develop standards of conduct, policies, and procedures
First, FDRs should develop written policies, procedures, and standards of conduct. Standards of conduct set forth the organization’s commitment to follow applicable laws and regulations, and also state its dedication to ethical business practices. An effective code of conduct works in concert with the mission statement to build a strong, ethical foundation that prioritizes compliance. Policies and procedures, on the other hand, delve more specifically into the compliance program’s operation and substantive risk areas. Where the code of conduct reflects the organization’s ethical philosophy, the policies and procedures highlight the organization’s response to the daily risks it faces.[3] These documents help clearly communicate compliance expectations and ensure employees are aware of their compliance obligations.
Development of written policies, procedures, and standards of conduct is generally mandated by most MAOs and Part D Plan sponsors. CMS requires MAOs and sponsors to communicate their compliance expectations of FDRs, and this includes ensuring that standards of conduct, policies, and procedures are distributed to all FDRs. MAOs and sponsors retain discretion regarding distribution of these standards to FDRs and establishment of systems or procedures to ensure that FDRs implement comparable standards. Typically, the sponsor’s contracts with its FDRs will determine specifics regarding communicating compliance expectations through standards of conduct.
In general, most FDRs have already adopted their own standards of conduct consistent with CMS’s compliance guidelines. These entities, therefore, can demonstrate to the sponsor or MAO that compliance expectations are already being satisfied and communicated throughout the organization and to downstream companies.[4] That said, it is within the sponsor’s discretion to ensure that the FDR has comparable policies, procedures, and standards of conduct to its own. If a sponsor or MAO determines that the FDR’s documents are insufficient, it may require distribution of and adherence to its own policies, procedures, and standards of conduct.
Action tip: Take time to read through the code of conduct of MAOs or sponsors with which your organization contracts. Determine if there are any gaps between your organization’s documents and the sponsor’s documents. If so, consider what revisions you could implement to bring your standards of conduct in line with those of the sponsor organization.