Health plans often choose to outsource or delegate administrative functions to gain expertise, reduce administrative costs, increase capacity and increase speed to market. However, delegating authority to perform services is not the same as delegating responsibility for the compliance of that service. If a plan chooses to outsource administrative functions, regulatory agencies and accrediting bodies have defined expectations regarding delegation. This includes the plan’s responsibility for structured oversight of the selected vendor and even any subcontractors to that vendor. Regardless of who performs the administrative function, the health plan retains the responsibility for compliance with all regulatory requirements and accrediting standards. Depending on the number of outsourced functions and overarching line-of-sight, it could be a cumbersome task to monitor compliance. What can a health plan do to overcome this challenge?
Consider developing a comprehensive oversight program to ensure that contractual, compliant services are being delivered on behalf of your plan. To be comprehensive, your oversight program should include the following:
- Auditing and Monitoring
- Policies and Procedures
- Training and Education
- Communication Protocols
Accountability A Delegate Oversight Committee should oversee your program to provide a structured process to collect and manage documentation demonstrating appropriate vendor oversight and operational accountability for the delegated functions. Cross-functional representation should include the operational management team responsible for the delegated function, plus members from compliance, procurement and quality management. This will enable accountability and ensure the documentation and processes support the regulatory or accreditation requirements. Additionally, this comprehensive program will provide reasonable assurance of oversight for senior leaders.
Your program should include delegated vendors as classified by the Centers for Medicaid and Medicare Services (CMS)—First Tier, Downstream or Related entities (FDR) in accordance with the following definitions[i]:
First tier entity is any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage (MA) organization or applicant to provide administrative services or healthcare services for a Medicare-eligible individual under the MA program or Part D.
Downstream entity means any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the MA benefit, below the level of the arrangement between an MA organization (or applicant) or Part D sponsor and a first tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.
Related entity includes any entity that is related to the MA organization or Prescription Drug Plan (PDP) sponsor by common ownership or control and:
- Performs some of the MA organization’s or PDP sponsor’s management functions under contract or delegation.
- Furnishes services to Medicare enrollees under an oral or written agreement.
- Leases real property or sells materials to the MA organization or PDP sponsor at a cost of more than $2,500 during a contract period.
The contract between the plan and the delegated entity governs the relationship and should include roles and responsibilities associated with the administrative functions, decision-making authority, performance expectations, audit rights, penalties for unacceptable performance and any regulatory-required language.
You may find it helpful to develop a matrix of all delegates and consider the following as you rate the risk of each vendor:
- Impact and level of direct access to the beneficiary.
- Access to personally identifiable information or personal health information
- Level of decision-making authority.
These criteria, along with the definitions of a first tier, downstream or related entity provided above will help establish a framework to classify and oversee the vendors as depicted in the following sample Vendor Classification Matrix.
Audit and Monitoring Vendor performance should be monitored on an ongoing basis as part of normal business operations, with a periodic formal audit. The type and frequency of monitoring should be outlined for each vendor and include documented evidence of the results. Formal audits are independent from the operational business unit and include techniques such as document review, requirement checklists, interviews and sampling of results. When you have a risk ranking in place, you can customize the types of routine monitoring and audit activities needed.
A high-performance vendor can position a health plan for rapid growth and market expansion, while conversely, poor vendor performance can damage a health plan’s reputation, tarnish its brand and result in stringent regulatory penalties. You’ll want to be sure your vendor oversight program includes the necessary compliance documentation to manage the risk for your health plan.
Policies and Procedures These are a foundational element of any organization’s business operations model and are required to successfully delegate administrative functions to a vendor. Policies define the “What” and “Why” related to a function and include regulatory citations that govern the specific activities. The procedure and/or process documents outline “How” the function is performed. We recommend that your vendor oversight program include supporting policies and procedures that clearly define each aspect of the program.
You should carefully evaluate the applicable regulatory requirements for oversight of delegated services and the potential risk associated with the vendor’s failure to perform the services in a compliant manner. Best practice includes compliance and quality management approval of your formal oversight program. It’s important to document your processes for monitoring delegated entities and be able to demonstrate that these activities adhere to regulatory and accreditation standards. These activities must include administration of corrective action plans, validation the actions are effective and do not recur, and the ramifications of continued failures.
Training and Education Also, consider that when delegating services to a vendor, you are not only outsourcing the administrative function, you are extending your organizational culture, mission and values to another company. Since education and training activities set the tone for an organization, they are a critical element of the relationship with the vendor. At a minimum, the vendor’s corporate policies (such as the standards of conduct, privacy, information security, and fraud, waste and abuse protection) should align with your organizational standards. You will also want validation that their employees are educated and trained to meet compliance standards
Communication Protocols Finally, a defined process to share information and maintain clear communication with the vendor will enable accountability and avoid surprises. Consider responsibility for regulatory change management and the types and frequency of performance reports, meetings to go over reports and changes, and disclosure of compliance concerns. This open communication allows for more rapid and complete evaluation of potential compliance failures such as missed performance metrics, inappropriate disclosure of member information or a deliberate act of theft or fraud. A clear understanding of the communication protocols will ensure a timely notification from the vendor and thorough response from your organization.
Responsibly delegate authority for your plan
Outsourcing services can provide your health plan with access to expertise and operational efficiencies. However, the responsibility to prove compliance still lies within your plan. It is critical to have a comprehensive program, including policies and processes, regular communication and access to artifacts that demonstrate oversight and monitoring activities to protect your plan.
SS&C Health’s Executive Consulting team has more than 75 years of collective experience to help you address the pressures of evolving regulatory changes, maximize technology for consistent compliance and overcome challenges in staff hiring and retention. We’re pleased to provide a "Delegate Oversight Compliance Vendor Checklist" you can download to assess your delegate oversight process. Contact us today for a compliance assessment to validate your vendor oversight program, or get one started for your plan.
[i] CMS Medicare Managed Care Manual Chapter 21 Compliance Program Guidelines and Prescription Drug Benefit Manual Chapter 9 Compliance Program Guidelines https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf
Written by Judith Nelson
Sr. Director Strategic Business Execution