Compliance Risk Management: Tips for Managing Your Health Plan’s Downstream Vendors

By Derek Frye
Wed, Apr, 05, 2017

For Medicare Advantage and Medicare Prescription Drug Plan Sponsors, proactive risk management and ensuring compliance with CMS requirements involves managing your outside vendors. Like it or not, if your vendors don’t comply, your plan or organization is ultimately on the hook for any deficiencies identified by CMS. Findings of deficiencies by CMS auditors can lead to corrective action plans imposed by the agency, hefty Civil Money Penalties (CMPs), sanctions preventing enrollment, or termination from the Medicare program. And these are not only expensive for your business, but highly disruptive to your organization and likely to undermine your plan’s success in the Medicare marketplace.

Of course, the process can seem overwhelming. Medicare plan sponsors often have anywhere from a dozen to hundreds of outside vendors. And because CMS audits touch on virtually every area of your business, they can cover almost everything your vendors do.

We’ve outlined below a general approach Medicare plan sponsors should take for ensuring their downstream vendors are operating in accordance with CMS requirements.

1. Make sure you have a delegated vendor oversight program. This will help identify which vendors meet the CMS definition of First-Tier, Downstream and Related Entities (FDR).

2. All oversight activities need to be rolled up to a single vendor oversight department. This should be a distinct area from your business to ensure that incentives are aligned and to avoid inherent conflicts. If your vendor oversight department reports up through the same department responsible for operations, there is the potential for conflict. For example, vendor oversight management may be less inclined to report on potential operational problems at vendors if they are rewarded based on avoiding operational problems.

3. Make sure you have a regular internally-conducted auditing and monitoring program in place. Pick a point in time - perhaps the past six months - and deep dive into your day-to-day operations to make sure everything is would be deemed in compliance if you were audited by CMS.

4. Develop a compliance risk management plan. Once you have identified potential problems and red flag areas through the internal auditing and monitoring activities described above, develop a strategic plan detailing how and where you will focus your efforts for improvements. Develop detailed questionnaires around areas of concern and have your vendors address these. PBM vendors are among the biggest risk areas because of the high volume of claims that they handle. Find out what their CMS compliance plan looks like and what kind of reporting they produce that can be used as documentation for CMS.

5. Work closely with your IT stakeholders. You will need them to help you map out an adequate compliance risk management profile from an electronic data standpoint. For example, on areas related to privacy of patient data, it is not uncommon for plans to need to develop detailed questionnaires containing 100 or more specific questions to make sure all bases on this area are adequately covered.

6. Make sure none of your vendors is on the list of “excluded entities” published by Health & Human Services Office of Inspector General (OIG). Your vendors should be screened at least monthly as the lists are updated. If any of your vendors is placed on this list due to fraud or licensure loss, your plan is responsible for taking appropriate action, which may include terminating those vendor relationships. You should consider including a requirement for vendors to conduct regular screenings on their employees in your master services agreements.

7. Consider working with a reputable, experienced third-party CMS compliance consulting firm that can help guide you through this process and develop a course of action with you. A firm with the right expertise can help you prioritize to address the high priority items first, and help you implement the best corrective action plans.

Effectively managing outside vendors is a critical piece of ensuring compliance with CMS requirements for Medicare Advantage and Medicare Prescription Drug Plan Sponsors. These guidelines will get you started on the path of making sure your vendors are truly supporting your compliance objectives and helping you avoid costly penalties.