
How Health Plans Must Prepare for Vendor Risk, Noncompliance

Covered entities and business associates must be aligned on HIPAA compliance as new provisions take effect


Sponsored by SAI360

- Managed care organizations, ranging from Medicare Advantage plans to accountable care organizations, must be prepared to comply with federal regulatory requirements that now extend to a growing body of business associates and other third-party organizations.

Beginning in October 2021, covered entities, which include qualified health plans (QHPs) as defined by the Department of Health & Human Services, must ensure that their business associates comply with new requirements of the HIPAA Privacy Rule as well as ongoing pandemic-related guidance, namely the continued telehealth enforcement discretion.

Compliance with these regulations is critical given the growing reliance of health plans on outsourcing. Market projections anticipate that business process outsourcing is set for dramatic growth over the next five years, rising globally from $264.4 billion in 2021 to $468.5 billion in 2026 across providers, payers, and the life sciences. More than 40 percent of that outsourcing spend — north of $155 billion — will be made by healthcare organizations in the United States. Almost $20 billion in 2026 will be earmarked by payers for claims management alone. As a result of COVID-19, the healthcare industry, including health plans, has encountered staffing shortages necessitating the increased use of outsourcing.

In light of this outsourcing, health plans contracted with the Centers for Medicare & Medicaid Services (CMS), whether as Medicare Advantage organizations or as QHP issuers, must comply with a provision to maintain compliance oversight of their business associates. These are known in the Medicare Advantage space as first-tier, downstream, and related entities (FDRs) and on the Federally Facilitated Marketplace as delegated and downstream entities (DDEs).

Understanding the terms

To ensure compliance, it is essential for health plans to understand their responsibilities relative to the business partners that provide a host of administrative functions (e.g., care management, claims processing, healthcare services, patient management, credentialing).

First-tier entities are organizations that enter into a written agreement with Medicare Advantage Organizations (MAOs) or Part D plans to provide administrative or healthcare services to Medicare beneficiaries. One step down is the downstream entity, which enters into a written agreement with either the MAO/Part D plan or a first-tier entity. Lastly, related entities are organizations tied to the MAO or Part D plan sponsor through common ownership or control that perform management functions under contract or delegation, furnish services to Medicare beneficiaries under verbal or written agreements, or, in CMS's words, “leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period.”

The Federally Facilitated Marketplace uses simpler definitions for delegated and downstream entities. UPMC Health Plan provides a succinct explanation:

Delegated entity: Any party, including an agent or broker, that enters into an agreement with a QHP issuer to provide administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents (45 CFR § 156.20).

Downstream entity: Any party, including an agent or broker, that enters into an agreement with a delegated entity or with another downstream entity for purposes of providing administrative or health care services related to the agreement between the delegated entity and the QHP issuer. The term “downstream entity” is intended to reach the entity that directly provides administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents (45 CFR § 156.20).

Examples of functions performed by DDEs include (but are not limited to): plan design, marketing, enrollment, customer service, claims administration, network development, benefit management, quality improvement.

Why it all matters

Simply put, FDRs and DDEs must comply with program requirements set by CMS and attest to that compliance annually.

Under the CMS Compliance Program, business associates must demonstrate adherence to the code of conduct within 90 days of hire or contracting. The program stipulates expectations for all employees to act ethically, appropriate mechanisms for reporting issues of noncompliance and potential fraud, waste, and abuse (FWA), and remedies for addressing and correcting these issues. As noted in the modifications to the HIPAA Privacy Rule, “all affected covered entities would need to adopt or change some policies and procedures and re-train some employees.”

Federal officials have emphasized FWA over the past few years with major investigations and severe financial penalties, signaling the importance of this issue to health plans and business associates.

While CMS has provided FWA guidance to reduce the potential burden on FDRs and DDEs, health plans must do their due diligence to ensure that their business partners comply with relevant laws and regulations and maintain appropriate policies and procedures. Doing so requires that health plans manage third-party risk as a top priority.

Fortunately, health plans can leverage strategic partnerships with technology providers that specifically address vendor risk management. A comprehensive solution should be able to identify risks associated with specific vendors, track vendor progress in completing self-assessments, report a summary of known issues, view vendor responses to assessments, and review contract status, among other capabilities.

While federal officials have relaxed enforcement of certain HIPAA requirements to ensure that the healthcare industry can address the coronavirus pandemic, they remain more than willing to aggressively investigate bad actors looking to exploit federal programs and consumers. As a result, health plans must go above and beyond in monitoring the work of their business partners to root out fraud and avoid the downstream financial consequences for their organizations.