Managing third-party and vendor risks in healthcare
Under the U.S. Affordable Care Act, qualified health plans (QHPs) must adhere to a provision to maintain compliance oversight of business associates to HIPAA Privacy Rules and other regulations. These vendors and suppliers are known in the Medicare Advantage space as first-tier, downstream, and related entities (FDRs) or on the Federally Facilitated Marketplace as delegated and downstream entities (DDEs).
View and download as an infographic below
Definitions of FDRs and DDEs
- First-tier entities: Organizations that enter into a written agreement with Medicare Advantage Organizations (MAOs) or Part D plans to provide administrative or healthcare services to Medicare beneficiaries (42 CFR § 423.501)
- Delegated entity: Any party, including an agent or broker, that enters into an agreement with a QHP issuer to provide administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents (45 CFR § 156.20)
- Downstream entity: Any party, including an agent or broker, that enters into an agreement with a delegated entity or with another downstream entity for purposes of providing administrative or health care services related to the agreement between the delegated entity and the QHP issuer (45 CFR § 156.20)
Compliance program requirements
Under the CMS Compliance Program, business associates must demonstrate adherence to the code of conduct within 90 days of hire or contracting. The program stipulates expectations for all employees to act ethically, appropriate mechanisms for reporting issues of noncompliance and potential fraud, waste, and abuse (FWA), and remedies for addressing and correcting these issues:
- Maintain an effective compliance program
- Implement systems in place to train employees on job functions and general compliance
- Investigate, correct, and document all instances of suspected noncompliance
- Maintain formal delegation oversight over delegated functions
Consequences of non-compliance
Federal officials have emphasized FWA over the past few years with major investigations and severe financial penalties, signaling the importance of this issue to health plans and business associates.
Last fall, the Department of Justice announced the largest healthcare fraud takedown in the agency’s history: $6 billion in alleged fraud losses, $4.5 billion tied to telehealth. In Operation Rubber Stamp, DoJ alleged that one telehealth scheme alone had bilked Medicare for $1.5 billion in durable medical equipment.
As a result, more than 250 providers saw their ability to bill Medicare revoked.
Solutions for vendor risk management
Health plans can leverage strategic partnerships with technology providers that specifically address vendor risk management (VRM). Such partnerships enable health plans to resolve challenges associated with a diverse and potentially large group of vendors while facing tight budgets and constrained internal compliance resources.
A comprehensive VRM solution for health insurance organizations should be able to:
- Manage policies and contracts with third parties
- Identify risks associated with specific vendors via generated assessments
- Track vendor progress in completing assessments
- Report a summary of known issues and corrective actions plans
- View vendor responses to assessment
- Review contract status
- Provide ongoing monitoring of delegated and downstream entities
Learn why SAI360 is a leading provider of risk and compliance solutions for healthcare.