First-tier, Downstream, and Related Entities Compliance Program

We at UPMC ISD would like to thank you for your partnership with UPMC for Life and helping us provide exceptional service to our Medicare beneficiaries.

The Centers for Medicare & Medicaid Services (CMS), in its regulatory guidance, refers to our contracted partners as first-tier, downstream, and related entities (FDRs). UPMC ISD is required to effectively manage and oversee our FDRs that assist us in providing administrative and/or health care services for our Medicare beneficiaries. Examples of FDRs include but are not limited to field marketing organizations, agents, providers, pharmacies, pharmacy benefits managers, claim administration vendors, fulfillment, and other contracted vendors.

What Are First-tier, Downstream, and Related Entities?

First-tier entity: Any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization (MAO) or Part D plan to provide administrative services or health care services to a Medicare eligible individual under the Medicare Advantage (MA) program or Part D program. (See, 42 C.F.R. § 423.501).

Downstream entity: Any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the MA benefit or Part D benefit, below the level of the arrangement between an MAO or a Part D plan and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.

Related entity: Any entity that is related to an MAO or Part D plan by common ownership or control and

1. Performs some of the MAO or Part D plan’s management functions under contract or delegation;
2. Furnishes services to Medicare enrollees under an oral or written agreement; or
3. Leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period.

As an FDR, you are required to comply with the CMS Medicare Compliance Program requirements provided below. Additionally, we ask you to complete the Annual Third-Party Compliance Program Attestation.

Medicare Parts C & D Fraud, Waste, and Abuse Training and General Compliance Training

As an FDR who provides administrative or health care services to Medicare beneficiaries on behalf of UPMC for Life, you must, at a minimum, provide any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors training on Fraud, Waste, and Abuse (FWA) and General Compliance within 90 days of initial hiring and annually thereafter.

To reduce the potential burden on our FDRs, UPMC ISD has developed and made available General Compliance and FWA training and education modules. Those modules can be found at the links below. You must use the provided FWA and General Compliance trainings or another similar training program. CMS training requirements can be found in the Medicare Managed Care Manual Chapters 21: Compliance Program Guidelines; and the Prescription Drug Benefit Manual Chapter 9: Compliance Program Guidelines. This includes the ability to demonstrate that your employees and contractors have fulfilled these training requirements as applicable. Examples of proof of training may include copies of sign-in sheets, employee attestations and electronic certifications from the employees taking and completing the training.

FWA training includes, but is not limited to the following:

• Laws and regulations related to MA and Part D FWA (e.g., False Claims Act, Anti-Kickback statute, HIPAA/HITECH, etc.);
• Obligations of FDRs to have appropriate policies and procedures to address FWA;
• Processes for employees of your organization or those of any of your downstream and related entities to report suspected FWA to the appropriate area within your company, who in turn will notify UPMC ISD; or they may directly report suspected FWA to UPMC ISD;
• Protections for employees of your organization or those of any of your downstream and related entities who report suspected FWA; and
• Types of FWA that can occur in the settings of your organization or those of any of your downstream and related entities work.

*CMS requires that all training documentation be retained for a minimum of 10 years.

• CMS Medicare Learning Network (MLN)
• UPMC Fraud, Waste, and Abuse (FWA) Training
• UPMC General Compliance Training
• Medicare Managed Care Manual Chapters 21: Compliance Program Guidelines; and the Prescription Drug Benefit Manual Chapter 9: Compliance Program Guidelines

Code of Conduct and Compliance Policies

The Code of Conduct, also known as the “Standards of Conduct”, states the overarching principles and values by which an organization operates, and defines the underlying framework for the compliance policies and procedures. The Code of Conduct and compliance policies describe your organization’s expectations that all employees conduct themselves in an ethical manner; that issues of noncompliance and potential FWA are reported through appropriate mechanisms; and that reported issues will be addressed and corrected.

The Code of Conduct communicates to employees of your organization and those of your Downstream and Related entities that compliance is everyone’s responsibility from the top to the bottom of the organization. As an FDR who contracts with UPMC ISD to provide administrative or health care services for our Medicare business, you are required to distribute the Code of Conduct and any additional compliance policies and procedures to all your organization’s employees and those of your downstream and related entities who provide services for UPMC for Life beneficiaries within 90 days of hire or contracting, annually, and when updates are made. If your organization does not have its own Code of Conduct, you may adopt the UPMC Code of Conduct.

• Code of Conduct (PDF)

OIG/GSA Exclusion Screening

Medicare payment may not be made for items or services furnished or prescribed by an excluded provider or entity. UPMC ISD is responsible for ensuring that we do not use federal funds to pay for services, equipment, or drugs prescribed or provided by a provider, supplier, employee, or FDR excluded by the OIG or GSA.

As a first-tier, downstream, or related entity that provides administrative or health care services to Medicare beneficiaries, your organization is required to review the DHHS Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) System for Award Management (SAM). These checks must be performed prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. After entities are initially screened against the entire LEIE and GSA at the time of hire or contracting, at minimum, you must review the LEIE supplement file provided each month, which lists the entities added to the list that month, and review SAM updates provided during the specified monthly time frame.

• Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE)
• General Services Administration (GSA) System for Award Management (SAM)

Reporting FWA and Compliance Concerns

We at UPMC ISD take compliance concerns and suspected or actual violations related to the Medicare program very seriously. As an FDR that contracts with UPMC ISD, you must ensure that all your employees and those of your downstream and related entities are informed of how to report compliance concerns and suspected misconduct. UPMC ISD will perform an internal investigation of each concern after your organization reports any incidents.

Good faith reporting of suspected noncompliance or FWA is expected and accepted behavior. Anyone who in good faith reports a violation is referred to as a “whistleblower” and is protected from any retaliation. A number of laws contain whistleblower protection, including the False Claims Act. You are expected to cooperate with any investigation resulting from the reporting of a violation. We have various reporting mechanisms for your use to ensure confidentiality when reporting compliance concerns and/or suspected or actual misconduct.

For issues of noncompliance:
Compliance Hotline: 1-877-983-8442
Medicare Compliance: Medicarecompliance@upmc.edu

For potential FWA:
Fraud Hotline: 1-866-372-8301
Special Investigations Unit: specialinvestigationsunit@upmc.edu

Third-party Compliance: Thirdpartycompliance@upmc.edu

Offshore Subcontractor Reporting

As an FDR that contracts with UPMC ISD, you must ensure that your downstream or related entities do not engage in offshore operations for any of UPMC ISD’s Medicare-related work without first having received express consent from an authorized representative at UPMC ISD. CMS requires UPMC ISD to provide attestations to CMS within 30 calendar days after an offshore subcontract is signed. In the event that UPMC ISD approves an offshore subcontract, to ensure that any applicable attestations are provided to CMS in a timely manner, UPMC ISD requires that all necessary information be provided to UPMC ISD within a time frame not to exceed 15 calendar days from the date the contract is signed.

The term “offshore” refers to any country that is not one of the 50 United States or one of the United States territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). Examples of countries that meet the definition of “offshore” include Mexico, Canada, India, Germany, and Japan. Subcontractors that are considered offshore can be either American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.

Medicare-related work encompasses what offshore subcontractors do when they receive, process, transfer, handle, store, or access beneficiary PHI while helping organizations such as UPMC ISD fulfill their Medicare Part C and Part D contract requirements. For example, the term “Medicare-related work” includes offshore subcontractors that receive radiological images for reading, because beneficiary PHI is included with the radiological image and the diagnosis is transmitted back to the U.S. More examples of Medicare-related work include claims processing, claims data entry services, scanning paper claims to create electronic records, receipt of beneficiary calls, and any situation where the offshore subcontractor may have access to beneficiary PHI.

Ongoing Monitoring and Auditing

As an FDR that contracts with UPMC ISD, you must ensure that compliance is maintained by your organization as well as your downstream and related entities that provide administrative or health care services to UPMC ISD’s Medicare business. To ensure ongoing compliance with state and federal regulations, your organization must perform ongoing oversight to ensure that your organization and your downstream and related entities, if applicable, comply with the above stated requirements and any additional regulations related to the services you/they provide to UPMC for Life beneficiaries.

To ensure that UPMC ISD has proper auditing and monitoring controls in place, UPMC ISD and/or CMS reserve the right to request that you provide evidence of your compliance with these requirements or other requirements within the scope of our delegation to you. If you fail to comply with the Medicare Compliance program requirements, UPMC ISD will request remedial action. The remedial action will depend upon the severity of your noncompliance. An authorized representative from your organization is required to complete the Third-Party Compliance Program Attestation Form (on behalf of your organization) on an annual basis. In doing so, you attest to your organization’s compliance with these Medicare Compliance Program requirements. For the purposes of this attestation, an authorized representative is an individual who has responsibility directly or indirectly for all employees, contracted personnel, providers/practitioners, and delegated vendors who provide administrative and/or health care services for UPMC ISD; this would include the Compliance Officer, Chief Medical Officer, Chief Operating Officer, an Executive Officer, or similar related positions.

• Third-Party Compliance Program Attestation Form

UPMC ISD maintains the ultimate responsibility for fulfilling the terms and conditions of its contract with CMS, and for meeting the Medicare program requirements. Therefore, CMS may hold UPMC ISD accountable for the failure of its FDRs to comply with Medicare program requirements.

Section 1557 Final Rule

On April 26, 2024, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) released a Final Rule on the Affordable Care Act’s (ACA) Section 1557 Non-discrimination in Health Programs and Activities. The rule was published in the Federal Register on May 6, 2024. The Section 1557 Final Rule (Final Rule) prohibits discrimination in certain health programs and activities on the basis of race, color, national origin, sex, age, or disability.

The final rule applies to health programs or activities that receive HHS funding, health programs or activities administered by HHS (such as the Medicare Part D program), and the health insurance Marketplace (and all plans offered by issuers that participate in those Marketplaces that receive Federal financial assistance). Those covered by the rule may include hospitals, health clinics, health insurance issuers, state Medicaid agencies, community health centers, physicians’ practices, and home health care agencies.

Health programs or activities may comprise more than one recipient of Federal financial assistance. For example, a primary recipient (or “direct” recipient) is an entity that accepts Federal financial assistance from a Federal agency. The direct recipient may then distribute the Federal financial assistance to a subrecipient (or “indirect” recipient) to carry out all or part of the health program or activity. Primary recipients and all subrecipients are covered and must comply with section 1557. Under general civil rights principles, both the primary recipient and subrecipient are responsible for complying with applicable civil rights laws. Therefore, if an entity receives Federal financial assistance—directly as a primary recipient or indirectly as a subrecipient—it would be a covered entity and responsible for complying with Section 1557 and the part. As a recipient of Federal financial assistance, UPMC is a primary “direct” recipient and by executing a contract with UPMC, all delegated entities are subrecipients or “indirect” recipients and are to be considered a covered entities that are responsible for complying with Section 1557.  

Covered entities include FDRs; marketplace/exchange DDEs; and Subcontractors. As a covered entity under the Final Rule, your organization is required to maintain written policies and procedures that include: (1) a non-discrimination policy, (2) grievance procedures, (3) language access procedures, (4) effective communication procedures, and (5) reasonable modification procedures.  

All covered entities are required to train relevant employees in their health programs and activities on their Section 1557 policies and procedures. Additionally, all covered entities are required to provide a notice of non-discrimination to participants, beneficiaries, enrollees, and applicants of their health programs and activities, and to members of the public. Under the Final Rule, all covered entities are required to notify the public of the availability of language assistance services and auxiliary aids and services for their health programs and activities. Covered entities must take reasonable steps to provide meaningful access to each limited English proficiency (LEP) individual to be served or likely be directly affected by its health programs and activities. The Final Rule also requires all covered entities to take appropriate steps to ensure that communications with individuals with disabilities and companions with disabilities are as effective as communications with individuals without disabilities in its health programs and activities. Covered entities are required to make reasonable modifications to policies, practices, or procedures when such modifications are necessary to avoid discrimination on the basis of disability, unless the covered entity can demonstrate that making the modifications would fundamentally alter the nature of the health program or activity.

• Code of Federal Regulations (89 FR 37522) – Nondiscrimination in Health Programs and Activities Final Rule (Full Text)

• Third-Party Newsletter Article on the Section 1557 Final Rule (Q3-Issue 25, 2024)