Compliance Program Design for FDRs

Increasing scrutiny has led to questions about how plan sponsors are monitoring the activities of their First-Tier, Downstream, and Related Entities

June 12, 2018

Recent headlines and state and federal enforcement actions have scrutinized delegated entities and their day-to-day business practices. This increasing scrutiny has also led to questions about how plan sponsors are monitoring the activities of their First-Tier, Downstream, and Related Entities (FDRs) to protect their members and providers from noncompliant practices. Plan sponsors may hold multiple contracts with the Centers for Medicare & Medicaid Services (CMS) along with state Medicaid contracts and commercial contracts. Each regulatory agency has its own requirements for monitoring the compliance practices of FDRs. CMS regularly cites the lack of effective monitoring of FDRs in their list of most common audit conditions. In California, the processing practices of entities licensed under the Knox-Keene Act (KKA) are under scrutiny after recent disclosures regarding timeliness reporting. Additionally, government initiatives, such as opioid management, are necessitating new levels of FDR oversight.


Knowing who your FDRs are and your responsibilities for oversight of those FDRs is important. Plan sponsors may enter into contracts with first-tier entities to provide administrative or healthcare services for enrollees, and first-tier entities may also enter into contracts with other entities to provide the contracted services. The plan sponsor is responsible for oversight, auditing, and monitoring of all the entities that perform services for their enrollees. The plan sponsor is also held accountable for the failure of its FDRs to comply with federal and state program requirements.1

It is critical that plan sponsors correctly identify those entities that qualify as FDRs and have clearly defined processes and criteria to evaluate and categorize all vendors with which they contract.2  First-tier entities may include organizations such as:

  • Pharmacy benefit managers (PBMs)
  • Call centers
  • Print vendors
  • Independent provider associations (IPAs)
  • Hospital groups
  • Health services
  • Credentialing
  • Marketing firms
  • Hotline operations

First-tier and related entities may contract with downstream entities to fulfill their contractual obligations to sponsors. Plan sponsors must ensure that their first-tier entities are monitoring the compliance of the entities with which they contract (the sponsors’ “downstream” entities).3 Examples of first-tier and downstream relationships are:

  • IPAs (first tier) contract with providers (downstream)
  • PBMs (first tier) contract with utilization management (UM) vendors (downstream)
  • Hospital groups (first tier) contract with hospitals (downstream)
  • Health services (first tier) contract with mental health groups (downstream)
  • PBMs (first tier) contract with medication therapy management vendors (downstream)
  • Field marketing firms (first tier) contract with sales agents (downstream)

A related entity means any entity that is related to an organization by common ownership or control.4  For example, it is common for KKA-licensed organizations to have common ownership in IPAs, claims processing operations, and UM processing operations.

Most plan sponsors contract with numerous FDRs and are ultimately responsible for their FDRs’ compliance with state and federal laws, regulations, and requirements. If a plan sponsor has Medicare Part C and Part D, Medicaid, dual, and commercial contracts, the oversight of the FDRs can be daunting and require a team dedicated solely to FDR oversight. CMS common findings and recent disclosures of systemic noncompliant practices in UM and claims processing require that plan sponsors evaluate the effectiveness of their compliance program design for FDR oversight.


In recent findings of non-compliant practices in UM and claims processing, the plan sponsors that contracted with the entities had performed the required annual auditing and oversight of their FDRs. In fact, the vendors contracted with numerous plan sponsors to perform UM and claims processing and all the sponsors performed oversight audits each year. Yet, the noncompliant practices were not discovered through standard oversight audits; they were ultimately self-disclosed by the vendors. What level of oversight, auditing, and monitoring is required to find noncompliant practices before a whistle-blower, self-disclosure, or government investigation is initiated?

Systemic noncompliance may not be detectable with traditional audit methods such as case file reviews, policy and procedure review, and timeliness reports. The recent disclosures of noncompliance involved alterations of documents, system changes, or deletion of cases from audit universes. These practices were implemented to conceal the untimely processing of claims or UM cases. Regulatory agencies establish thresholds for performance, such as 95% of all claims must be processed within 45 working days. One way a plan sponsor can monitor the performance of a vendor is by requiring the vendor to submit monthly or quarterly timeliness reports. However, a timeliness report can include or exclude certain data that may make the timeliness percentage more, or less, favorable. Is this then the best way to monitor timeliness?

When issues of noncompliance are detected, plan sponsors often find they are issuing corrective action requests to the same FDRs for the same issues. The FDRs may have completed corrective actions but the noncompliance shows up again in subsequent audits. How can plan sponsors ensure the root cause of noncompliance is corrected?

Following are insights to maximize a compliance program’s oversight of FDRs and enhance the compliance program guidelines established by CMS and other regulatory agencies.

Use Source Data for Analytics

The use of data analytics is becoming increasingly more valuable in auditing and monitoring. Most plan sponsors gather standard universes of data but the quality of the data and the relevancy of the data being analyzed is key to getting the information needed to determine whether a vendor is compliant or not. The data being collected must be source data that has not been manipulated or altered and the plan sponsor should verify all reports submitted by the vendor with source data. Consistent analysis of source data will show trends or variances that may require further investigation.

Evolve Audit Methodologies

Too often audits are routine and are designed to check off boxes rather than reveal the true performance of a vendor. Audits should be performed with intent to discover the vendor’s true day-to-day operating practices. For example, if a vendor has reported 100% timeliness for the past two quarters but their enrollment increased by 20% during that same period and their inventory is increasing daily, a focused audit of their timeliness reporting and methodology should be performed along with an audit of their enrollment process to verify that the vendor is meeting the increased demand.
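The two points above, verifying a vendor's timeliness report against unaltered source data and treating "100% timely while enrollment and inventory climb" as a trigger for a focused audit, can be put into a small reconciliation routine. The following is an added example written for this article, not code from the article or from any plan sponsor or vendor; the claim records, dates, rates and field names are constructed, and working days are assumed to be Monday through Friday with no holiday calendar. It recomputes timeliness from the sponsor's own copy of the claims universe, then shows which records the vendor's submitted universe dropped or altered.

```python
"""Added example (not from the article): reconcile a vendor's timeliness
report against source claims data and flag the red-flag pattern the text
describes. Every record, date and figure below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence

THRESHOLD_RATE = 0.95          # regulator example: 95% of claims ...
THRESHOLD_WORKING_DAYS = 45    # ... processed within 45 working days


@dataclass(frozen=True)
class Claim:
    claim_id: str
    received: date
    processed: Optional[date]   # None = still sitting in inventory


def working_days_between(start: date, end: date) -> int:
    """Count Mon-Fri days after `start` up to and including `end`.
    Assumption: no holiday calendar is applied."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def is_timely(claim: Claim, as_of: date) -> bool:
    # An open claim ages against the as-of date, so unworked inventory
    # cannot quietly improve the rate by being left out.
    end = claim.processed or as_of
    return working_days_between(claim.received, end) <= THRESHOLD_WORKING_DAYS


def timeliness_rate(claims: Sequence[Claim], as_of: date) -> float:
    if not claims:
        return 0.0
    return sum(is_timely(c, as_of) for c in claims) / len(claims)


def reconcile(source: Sequence[Claim], reported: Sequence[Claim],
              reported_rate: float, as_of: date) -> Dict[str, object]:
    """Compare the vendor's submitted universe and headline rate with the
    sponsor's source data; surface dropped and altered records."""
    src = {c.claim_id: c for c in source}
    rep = {c.claim_id: c for c in reported}
    missing = sorted(src.keys() - rep.keys())      # deleted from the audit universe
    unknown = sorted(rep.keys() - src.keys())      # in the report but not in source
    altered = sorted(cid for cid in src.keys() & rep.keys() if src[cid] != rep[cid])
    source_rate = timeliness_rate(source, as_of)
    return {
        "reported_rate": reported_rate,
        "recomputed_from_report": timeliness_rate(reported, as_of),
        "source_rate": source_rate,
        "meets_threshold": source_rate >= THRESHOLD_RATE,
        "missing_from_report": missing,
        "unknown_in_report": unknown,
        "altered_records": altered,
    }


def needs_focused_audit(quarterly_reported_rates: Sequence[float],
                        enrollment_start: int, enrollment_end: int,
                        daily_inventory: Sequence[int]) -> bool:
    """Heuristic from the article: perfect reported timeliness for the last
    two quarters while membership grew 20%+ and inventory keeps rising."""
    perfect = len(quarterly_reported_rates) >= 2 and all(
        r >= 1.0 for r in quarterly_reported_rates[-2:])
    growth = (enrollment_end - enrollment_start) / enrollment_start >= 0.20
    rising = all(b > a for a, b in zip(daily_inventory, daily_inventory[1:]))
    return perfect and growth and rising


# Constructed sample data: 2018-01-01 is a Monday.
AS_OF = date(2018, 3, 31)
SOURCE_CLAIMS: List[Claim] = [
    Claim("C1", date(2018, 1, 2), date(2018, 1, 10)),   # 6 working days
    Claim("C2", date(2018, 1, 2), date(2018, 3, 20)),   # 55 working days, late
    Claim("C3", date(2018, 1, 5), date(2018, 3, 2)),    # 40 working days
    Claim("C4", date(2018, 1, 8), date(2018, 3, 16)),   # 49 working days, late
    Claim("C5", date(2018, 1, 15), date(2018, 2, 2)),   # 14 working days
]
# Vendor's submitted universe: C2 dropped, C4's processed date moved earlier.
VENDOR_REPORT_CLAIMS: List[Claim] = [
    Claim("C1", date(2018, 1, 2), date(2018, 1, 10)),
    Claim("C3", date(2018, 1, 5), date(2018, 3, 2)),
    Claim("C4", date(2018, 1, 8), date(2018, 3, 9)),    # altered: 44 working days
    Claim("C5", date(2018, 1, 15), date(2018, 2, 2)),
]
VENDOR_REPORTED_RATE = 1.0


def run_example() -> Dict[str, object]:
    return reconcile(SOURCE_CLAIMS, VENDOR_REPORT_CLAIMS, VENDOR_REPORTED_RATE, AS_OF)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
    print("focused audit:", needs_focused_audit([1.0, 1.0], 10000, 12500, [300, 320, 350]))
```

On the constructed data the vendor's universe recomputes to 100%, matching its headline figure, while the source data yields 60% and names the dropped claim and the altered record. The point for program design is the ordering: the sponsor pulls the universe itself and recomputes, then reads the vendor's report as a claim to be tested rather than as the measurement.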

Understand Root Cause

A standard response to performance issues or noncompliance is the use of corrective action plans (CAPs). CAP requests are initiated by plan sponsors and are delivered to vendors when issues of noncompliance are detected during an audit. After the vendor has satisfied the requirements of the CAP it is then closed. Frequently a plan sponsor will find the same issue of noncompliance in a subsequent audit and the process of corrective action begins again. It is not uncommon to have the same CAP request delivered multiple times to the same FDR. A common reason for this is because the root cause of the noncompliance was never determined before a CAP was approved. Plan sponsors should have a good understanding of the root cause of the noncompliance and the FDR’s CAP should specifically address the steps mitigating the root cause before the plan sponsor approves a CAP. Validation that the corrective actions implemented by the FDR addressed the root cause should be performed before the plan sponsor closes a CAP.

Create Contractual Obligations to Perform

Occasionally the severity of a CAP is not enough motivation to create a deterrent for future noncompliance. For instance, if the root cause of timeliness noncompliance is lack of staffing and the FDR is consistently not proactive about anticipating a need to increase staff during peak enrollment periods, a plan sponsor finds itself repeatedly issuing corrective action requests for the same issue. Including and enforcing financial penalties in vendor contracts for repeated instances of noncompliance may help the FDR be more motivated to proactively correct staffing deltas.

Perform Predelegation Audits and Due Diligence Exercises

Predelegation audits are performed before contracting with a vendor. A predelegation audit should go beyond a desktop review of policies and procedures. End-to-end process reviews will inform the plan sponsor about the way the vendor performs its day-to-day operations, whether they adhere to compliant business practices, and whether they are adequately staffed to handle the increase in volume your membership will bring to them. Talk with the staff who will be servicing your members and watch them perform their duties. If the vendor’s staff is already on mandatory overtime because they can’t keep up with their current inventory you will want to know that before you contract with them. Due diligence should include meeting the vendor’s compliance staff to understand how they monitor for noncompliance and how they correct their business practices when noncompliance is detected.

Ensure FDRs have Effective Internal Audit and Compliance Departments

Compliance departments and internal auditors do not only apply to plan sponsors. FDRs should have well-established compliance personnel and internal auditors within their business. Too often vendors do not recognize their own responsibilities to monitor their business for noncompliance. Plan sponsors that contract with FDRs that have internal compliance and audit departments have a greater ability to collaborate and identify emerging issues of noncompliance. On the other hand, if an FDR has inadequate or no internal auditing and monitoring practices they are not reasonably able to make annual attestations of compliance.

Enforce Accountability of First-Tier Entities to Perform Downstream Oversight

Plan sponsors’ oversight of their first-tier entities for compliance program requirements must include evaluation to confirm that the first-tier entities are applying appropriate compliance program requirements to downstream entities with which the first tier contracts.5 As part of their FDR audit and monitoring practices, plan sponsors should request and review their first-tier entities’ risk assessments, audit work plans, and downstream audit results to ensure the first-tier entities are accountable for oversight of the downstream entities.

Assess all the Risks

Developing a thorough risk assessment, which includes meaningful analysis of all FDRs, provides a road map for a successful annual audit work plan. The largest FDRs that service most of a plan sponsor’s membership are often regularly audited, but the smaller FDRs may never be audited. Undetected noncompliance at any level is a risk, and no plan sponsor wants to have to explain to a state or federal regulator why a vendor’s noncompliance went undetected for years.

Engage Experienced Audit Professionals

Consider engaging a firm with compliance and forensic audit experience to perform annual audits or pre-delegation audits. Many plan sponsors have hundreds of FDRs and find it difficult to audit all of them each year. Engaging an experienced audit firm to perform your FDR audits will assist with oversight and keep you informed about the activities and business practices of all your vendors.


The fundamentals of healthcare compliance are established by state and federal regulators and those elements should be the foundation of every compliance program. Successful compliance programs will reach beyond the baseline requirements by proactively assessing their risks for noncompliance outside of internal operations and designing programs for maximizing FDR oversight. FDRs are valuable partners in operating a managed-care organization. However, if a contracted FDR is systemically engaging in undetected noncompliance, it is as meaningful as noncompliance in internal operations and can have a large impact on the way regulators, members, and providers view a plan sponsor’s business practices and can lead to enforcement actions.

1  Medicare Managed Care Manual, Compliance Program Guidelines, Chapter 21, Section 40, January 11, 2013.
2  Medicare Managed Care Manual, Chapter 21, Section 40.
3  Medicare Managed Care Manual, Chapter 21, Section 50.6.6.
4  Medicare Managed Care Manual, Chapter 21, Section 30.
5  Medicare Managed Care Manual, Chapter 21, Section 50.6.6.