As a provider of healthcare services for Health First Health Plans (HFHP) Medicare Advantage enrollees, you and your organization are considered a First Tier, Downstream or Related Entity (FDR).

HFHP and its FDRs must all comply with the Centers for Medicare & Medicaid Services (CMS) program requirements. This includes an annual attestation from you of compliance with these requirements. This document assists HFHP in demonstrating effective communication of these requirements to you, as well as a record of your agreement to comply.

 

INSTRUCTIONS
 

Visit FDR Attestation Compliance | Health First for resources and information about the responsibilities of an FDR.

Compliance Requirements

1. Code of Conduct

42 CFR 422.503(b)(4)(vi) and 423.504(b)(4)(vi)

Practice/Provider has viewed Health First’s Code of Ethics & Business Conduct, located in the provider manual or at Health First Code of Ethics and Business Conduct.

2. Education: HFHP Compliance Policies and Procedures

42 CFR 422.503(b)(4)(vi)(C) and 423.504(b)(4)(vi)(C)

Practice/Provider is aware that the HFHP FDR compliance webpage  FDR Attestation Compliance | Health First has educational information about:

• General compliance: HFHP compliance/integrity policies and procedures
• Fraud, waste, and abuse: Help Us Fight Healthcare Fraud | Health First 

Practice/Provider presents required training on general compliance, and fraud, waste, and abuse to all new and established employees (including temporary workers and volunteers) and downstream entities after hire or contracting and annually thereafter.  Additionally, Practice/Provider presents required compliance/integrity and FWA policies and procedures to all new and established employees (including temporary workers and volunteers) and downstream entities after hire or contracting and annually thereafter.

3. Record Retention

42 CFR 422.503, 422.504(d), 423.136 and 423.505(d)
 

Practice/Provider complies with Medicare laws, regulations, and CMS instructions as it relates to maintaining records for a period of 10 years and will comply with all requests for medical records retrieval.

4. Privacy and Security

HIPAA, 42 CFR 422.118, 422.504(e)(1)(ii), and 423.136

Practice/Provider employees and downstream entities agree to safeguard beneficiary privacy, confidentiality, and assure accuracy of beneficiary health records pursuant to applicable laws. Practice/Provider affirms that its employees and downstream entities will comply with the confidentiality and enrollee record accuracy requirements, including: (1) abiding by all Federal and State laws regarding confidentiality and disclosure of medical records, or other health and enrollment information, (2) ensuring that medical information is released only in accordance with applicable Federal or Florida law, or pursuant to court orders or subpoenas, (3) maintaining the records and information in an accurate and timely manner, and (4) ensuring timely access by enrollees to the records and information that pertains to them. Practice/Provider affirms that it has provided or required appropriate training and/or education on these subjects to its employees and downstream entities. Practice/Provider, leadership, employees, and contractors agree to safeguard patient privacy, confidentiality, and assure accuracy of beneficiary health records pursuant to applicable laws.

5. Exclusion Screening

42 CFR 422.503, 422.752(a)(8), 423.504(b)(4)(vi)(F), and 423.752(a)(6)

Prior to hiring personnel or contracting with subcontractors or vendors, Practice/Provider has reviewed proposed personnel, subcontractors and/or vendors against the Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) System for Award Management (SAM) exclusion records.

After hire or contracting Practice/Provider has continued this screening monthly of those personnel and subcontractors and/or vendors to ensure the individuals/companies are not excluded or do not become excluded from participation in federal programs.

6. Reporting Non-Compliance/Enforcement of Standards

42 CFR 422.503 and 423.504

Practice/Provider will report to HFHP (within a reasonable time frame) all suspected or known instances of non-compliance and/or fraud, waste, and/or abuse. Reporting methods are contained in Health First’s Code of Ethics & Business Conduct.

7. Correction of Identified Deficiencies

42 CFR 422.503(b)(4)(vi)(G), 423.504(b)(4)(vi)(G) and per contractual requirements

Practice/Provider will timely correct any deficiencies related to misconduct or Medicare program non-compliance. Practice/Provider will furnish reasonable documentation to support any CMS requirements to HFHP upon request, at no cost. Practice/Provider shall reasonably cooperate and fulfill any corrective action requested by HFHP.

8. Non-United States/Offshore Subcontractors

HIPAA, CMS HPMS Memos released on 7/23/2007 and 8/26/2008

With prior approval from HFHP, Practice/Provider can utilize offshore subcontractors/vendors/ personnel in connection with providing administrative or healthcare services for HFHP. Practice/Provider will report to HFHP (within a reasonable time frame) any changes to Offshore Subcontractor relationships.

• Offshore subcontractors = companies or individuals that fulfill or help fulfill Medicare requirements or have access to patient data.
• Offshore = to any country that is not one of the 50 United States or one of the United States territories. Offshore subcontractors can be American-owned companies with portions of their operations performed outside the United States or foreign-owned companies with operations performed outside of the United States.

If Practice/Provider utilizes or plans to utilize offshore subcontractor(s), contact the HFHP Provider Network Operations (ProviderNetworkOperations@hf.org) to complete an Off-Shoring Addendum.