Delegated Entities. COMPLIANCE GUIDE. P.O. Box 18880 San Jose, CA 951585 www.scfhp.com Updated 03/24/2020 40336
Forms and documents | Santa Clara Family Health Plan
COMPLIANCE GUIDE Delegated Entities P.O. Box 18880 San Jose, CA 951585 www.scfhp.com Updated 03/24/2020 40336 Table of contents I. The Santa Clara Family Health Plan Compliance Program .................................................................................. 2 II. Definitions ...................................................................................................................................................................... 3 III. Compliance Program and attestation ........................................................................................................................ 4 A. General overview ...................................................................................................................................................... 4 B. Fraud, waste, and abuse (FWA) training and general compliance training..................................................... 6 C. Standards of Conduct, Compliance Program, and compliance policies distribution ...................................... 7 D. Exclusion screenings................................................................................................................................................ 8 E. Reporting FWA and compliance concerns to SCFHP ........................................................................................ 8 F. Specific federal and state compliance obligations............................................................................................... 9 G. Subcontractors .......................................................................................................................................................... 9 H. Monitoring of Delegated Entities and Subcontractor data reporting ............................................................... 10 I. Monitoring and auditing of Delegated Entities and Subcontractors ................................................................ 10 Quick reference guide ....................................................................................................................................................... 12 I. The Santa Clara Family Health Plan Compliance Program Introduction Santa Clara Family Health Plan (SCFHP) is committed to maintaining a working environment that promotes compliance with all applicable federal and state laws. Such an environment can exist only if SCFHP employees, board members, volunteers, interns, temporary staff, contractors, providers, vendors, Delegated Entities, and Subcontractors strive to comply with state and federal regulatory requirements, contractual obligations, and the SCFHP mission to its members. Our Compliance Program helps us serve our members ethically We are committed to practicing business in an ethical manner. Our Compliance Program helps us to: Detect, correct and prevent fraud, waste, and abuse (FWA) and potential non-compliance Deliver accurate information and timely decisions on services and benefits for our members, and Reinforce our commitment to compliance Applicability to SCFHP lines of business Compliance program requirements extend to virtually every segment of the health care industry and apply especially to those health care plans that hold government-funded contracts for health care programs. Accordingly, the Office of Inspector General (OIG) has developed a series of voluntary compliance program guidance documents directed at various segments of the health care industry, such as hospitals, nursing homes, third-party billers, and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. We use external entities to bring our members cost-effective health care solutions SCFHP offers a Medi-Cal plan under its contract with the California Department of Health Care Services (DHCS). We contract with external entities and individuals as a cost-effective and efficient way of providing administrative and health care services. When an external entity provides services that we are required to perform, DHCS considers them to be a Delegated Entity. You will find specific requirements in this document State and federal agencies also require that Delegated Entities and Subcontractors of SCFHP fulfill specific compliance program requirements in this document. The Code of Federal Regulations (CFR) § 438.230 and (CFR) § 438.608 outlines these requirements, and they are further defined by DHCS in APL 17-004. Importance of following requirements You received this guide because we have identified you as a Delegated Entity to SCFHP. This means that you must comply with these requirements and, in turn, you must hold your Subcontractors to the same regulatory and contractual standards. 40336 2 II. Definitions Medi-Cal Managed Healthcare Plan (MCP) is a Medi-Cal Plan, such as SCFHP. Delegated Entity is an entity that is contracted to provide services that we are required to perform under our Medi-Cal contract with DHCS. Subcontractor is an individual or entity that has a subcontract that relates directly or indirectly to the performance of SCFHP's obligations under its contract with DHCS (42 CFR § 438.2 and 42 CFR § 438.230(a)). Delegated Entities and Subcontractors providing health care services The compliance program requirements described in this guide apply to health care providers contracted with SCFHP to participate in our network. This includes physicians, hospitals, and other provider types. This manual is not applicable to the SCFHP Medi-Cal network providers pursuant to 42 CFR § 438.2 and APL 17-004. Delegated Entities and Subcontractors providing administrative services The compliance program requirements also apply to entities with which we contract to perform administrative service functions relating to our Medi-Cal contract with DHCS. Some examples of administrative service functions include, but are not limited to: Call Center/Customer Service Claims Processing Coverage Decisions (Parts C/D) Credentialing* Document Storage Services Fulfillment Services Grievance & Appeals Pharmacy Operations Risk Adjustment Other examples include independent sales agents/brokers, field marketing organizations, pharmacy benefit managers, durable medical equipment (DME) suppliers, or other vendors contracted with SCFHP to provide administrative and/or health care services for our Medi-Cal products. *We are required to credential health care providers that participate in our network. We may contract with entities to perform these credentialing services on our behalf under a delegation agreement. 40336 3 III. Compliance Program and attestation A. General overview Regulatory requirements It is important that Delegated Entities and Subcontractors of SCFHP comply with applicable laws, rules, regulations, and the contract between SCFHP and the Delegated Entity. While SCFHP maintains ultimate responsibility in ensuring compliance with the Centers for Medicare and Medicaid Services (CMS), the Department of Managed Healthcare, and DHCS regulations, SCFHP also requires its Delegated Entities and Subcontractors to meet the same contractual standards. Our Delegated Entities and Subcontractors are responsible for complying with relevant operational and compliance program requirements as memorialized in state-issued All Plan Letters as well as other relevant guidance. Delegated Entities must also ensure that their Subcontractors, which they use for SCFHP products, also comply with applicable laws and regulations, including the requirements in this guide. Compliance program requirements Your organization and Subcontractors must comply with the SCFHP Compliance Program requirements. This guide summarizes the SCFHP Compliance Program requirements. Please review it to make sure you have internal processes to support your compliance with these requirements each calendar year. These Compliance Program requirements include, but are not limited to: Ensuring your organization is compliant with all applicable state and federal laws, rules, and regulations Conducting exclusion screenings prior to hire, contract, or appointment and monthly thereafter Completion of new hire and annual general compliance and fraud, waste, and abuse training Annual distribution of the Standards of Conduct, Compliance Program, and compliance policies and procedures Maintaining reporting mechanisms for potential non-compliance and FWA Reporting FWA and compliance concerns to SCFHP Providing disclosure information of Subcontractor's ownership and controls Identifying, reporting, and attesting to SCFHP on the use of offshore operations Ensuring Subcontractors are in compliance with state and federal laws Auditing and monitoring of internal business units and Subcontractors, and Regular reporting on performance of delegated functions For tools that may help you meet these requirements, please see the Quick reference guide for Delegated Entities at the end of this document. What may happen if you do not comply with state or federal requirements? If our Delegated Entities and Subcontractors fail to meet the compliance program requirements, it may lead to: Retraining opportunities Increased administrative interventions (e.g., monitoring, meetings, etc.) Issuance of a Corrective Action Plan (CAP) 40336 4 Monetary penalties related to any performance guarantees Suspension or revocation of delegated functions Contract termination Our actions in response to non-compliance are dependent on the severity of the non-compliant or FWA issue. If a Delegated Entity identifies areas of non-compliance (for example, issuing a CAP when non-compliant activities are identified during your audit of a Subcontractor), they must take prompt action to fix the issue and prevent it from happening again. Attestation requirements You must maintain evidence of your compliance with these compliance program requirements (for example, employee training records and certificates or score results of general compliance and/or FWA training completion) for no less than ten (10) years after the termination of SCFHP's Medi-Cal contract with DHCS or its 3-way contract with CMS and DHCS or the conclusion of any regulatory audits that may extend beyond the 10 years, whichever is later. Also, each year, an authorized representative from your organization must attest that your organization is compliant with the compliance program requirements described in this guide. The authorized representative is an individual who has responsibility directly or indirectly for all: Employees (including temporary employees, volunteers, interns, senior staff, and board members) Contracted staff (e.g., consultants) Providers/practitioners, and Vendors who provide health care and/or administrative services for SCFHP This could be your Compliance Officer, Chief Medical Officer, practice manager/administrator, an executive officer, or similar positions. IMPORTANT TIPS! Maintain all documentation that demonstrates what your organization has done in support of its delegated activities. SCFHP conducts audits based on our Risk Assessment. Audits verify contractual, regulatory, and attestation elements. Failure to deliver all required supporting documentation to demonstrate compliance with administrative, operational, and compliance requirements will result in audit CAPs. 40336 5 B. Fraud, waste, and abuse (FWA) training and general compliance training Moneys paid from SCFHP to your organization are, in part, federal funds. Federal laws governing the use of federal funds apply to the SCFHP agreement with your organization as well as any Subcontractor's use of those funds. Federal laws include but are not limited to federal fraud, waste, and abuse laws, Title VI of the Civil Rights Act of 1964, the Age Discrimination Act of 1975, and the Americans with Disabilities Act and other laws applicable to recipients of federal funds. You must ensure that your applicable employees and Subcontractors complete FWA and general compliance training. Your organization must ensure that employees (inclusive of temporary staff, volunteers, interns, consultants, senior staff, board members) and Subcontractors complete the training within 90 days of hire, appointment, or effective date of the contract. Your applicable employees, as noted above, and Subcontractors assigned to provide administrative and/or health care services for SCFHP can access these trainings in one of three ways: Complete the modules on the CMS Medicare Learning Network (MLN) website: General compliance course: "Medicare Parts C and D General Compliance Training", and FWA course: "Combating Medicare Parts C and D Fraud, Waste, and Abuse Training" Once completed, download and retain the certificate of completion. The certificates must be made available to SCFHP and/or CMS or DHCS upon request and/or audit. Your organization can also download or print the content of the CMS training modules from the MLN website to incorporate it into your training materials/system. The content of the CMS training modules cannot be changed to ensure the integrity and completeness of the training. Your organization must retain records of completion which must be made available to SCFHP and/or CMS upon request and/or audit. Your organization can develop its own training for general compliance and FWA. However, that training will need to be submitted to SCFHP for review and verification that it meets the minimum standards of CMS for training content. All documentation associated with this type of training option must be available upon request and/or audit. Training requirements Regardless of the method used, the training must be completed: Within 90 days of initial hire, board appointment, or the effective date of contracting; and At least annually thereafter (within the 12-month period from the previous year's training) We request that you confirm your compliance with these requirements as part of our annual attestation process. However, you must also maintain evidence of training completion. Evidence of completion may be in the form of certificates, attestations, training logs, or other means determined by you to best represent the fulfillment of your obligations. If you use training logs or reports as evidence of completion, they must include: (i) employee names; (ii) dates of employment; (iii) dates of completion; and (iv) passing scores. Who should complete training? Not every employee needs to take training. However, all employees, temporary staff, volunteers, interns, consultants, senior staff and board members that support SCFHP must receive general compliance and FWA training within 90 days of hire, contract, or appointment, and annually thereafter. Examples: 40336 6 Individuals responsible for the contract between SCFHP and the Delegated Entity (e.g., Senior Vice President, departmental managers, Chief Medical Officer, or Pharmacy Director) Individuals directly involved with developing and administering the SCFHP Medi-Cal formulary and/or medical benefits coverage policies and procedures Individuals or entities delivering non-medical services associated with a supplemental benefit covered by SCFHP Individuals with decision-making authority on behalf of SCFHP (for example, clinical decisions, coverage determinations, appeals and grievances, enrollment/disenrollment functions, processing of pharmacy, or medical claims) Individuals responsible for claims processing Individuals providing information to SCFHP members through oral or written communications (e.g., call center staff and fulfillment personnel) Individuals with job functions that are at risk for potential non-compliance and/or FWA If you are unsure whether an employee is subject to the training requirements, you can email Compliance_Advice_Medi_Cal@scfhp.com for help. The only exception to this training requirement is if you/your organization is "deemed" to have met the FWA certification requirements through: (1) the provider enrollment process for participating in the Medicare Part A or Part B program; or (2) through accreditation as a supplier of durable medical equipment, prosthetics, orthotics, and supplies. Those parties deemed to have met the FWA training through enrollment into the CMS Medicare program must still complete general compliance training. C. Standards of Conduct, Compliance Program, and compliance policies distribution You must give your employees Standards of Conduct, Compliance Program, and compliance policies and procedures Your organization must also provide either the SCFHP Standards of Conduct, SCFHP Compliance Program, and compliance policies and procedures, or your own comparable code of conduct/compliance policies and procedures to all applicable employees and Subcontractors who provide administrative and/or health care services for SCFHP. Your Standards of Conduct, Compliance Program, and compliance policies and procedures must contain all the elements set forth in MMCM, Chapter 21, Section 50.1 and articulate the commitment of your organization to comply with federal and state laws, ethical behavior, and compliance program operations. You must distribute Standards of Conduct, Compliance Program, and compliance policies and procedures: Within 90 days of hire, board appointment, or the effective date of contracting Whenever there are updates to the Standards of Conduct, Compliance Program, or compliance policies and procedures, and Annually thereafter 40336 7 D. Exclusion screenings General requirements Federal law prohibits Medicare, Medicaid, and other federal health care programs from paying for items or services provided by a person or entity excluded from participation in these federal programs. Therefore, before hiring, appointment, or contracting, and monthly thereafter, each Delegated Entity must check exclusion lists from the OIG, the List of Excluded Individuals/Entities (LEIE) and the General Services Administration's (GSA) System for Award Management (SAM) Excluded Parties List System (EPLS). This is to confirm that employees, temporary employees, volunteers, consultants, board members, and Subcontractors performing administrative and/or health care services for SCFHP are not excluded from participating in federally-funded health care programs. You can use these two websites to perform the required exclusion list screening: OIG List of Excluded Individuals and Entities (LEIE) GSA's System for Award Management (SAM) Also, Delegated Entities must maintain evidence they checked these exclusion lists. You can use logs accompanied by screenshots of the screening result in each of the above systems or other records to document that you have screened each employee and subcontractor in accordance with requirements. Be sure to retain evidence of the initial and monthly screening that was conducted, including the date of occurrence, the results of the screening, and any actions taken if sanctioned individuals or entities were identified. Your organization must immediately report any newly identified excluded individuals/entities that require firing or contract termination to SCFHP. You must perform exclusion list screenings You are not alone. We are also required to check these exclusion lists before hiring, appointing, or contracting with any new employee, temporary employee, volunteer, consultant, board member, or Subcontractor, and monthly thereafter. We cannot check these exclusion lists for your employees and Subcontractors. Accordingly, to ensure we are compliant with CMS requirements, you must confirm that your permanent and temporary employees, volunteers, consultants, board members, and Subcontractors that provide administrative and/or health care services for SCFHP are not on these exclusion lists. You must act if an employee or Subcontractor is on the exclusion list If any of your employees, temporary employees, volunteers, consultants, board members, or Subcontractors are on one of these exclusion lists, you must immediately remove them from direct or indirect work on SCFHP products and notify us immediately. The exclusion list requirements are noted in § 1862(e)(1)(B) of the Social Security Act, 42 CFR §§ 422.503(b)(4)(vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), 423.752(a)(6), 1001.1901, and further described in the MMCM, Chapter 21 § 50.6.8. E. Reporting FWA and compliance concerns to SCFHP There are several ways to report suspected or detected non-compliance, potential FWA, and privacy breaches. You can find this information in SCFHP's reporting mechanism flyer. You can share the flyer with your employees and Subcontractors. You can also keep it as a reference tool and use your own internal processes 40336 8 for reporting and collecting these issues. If you choose to use your own processes, make sure you report it to SCFHP. You can also refer to our SCFHP Standards of Conduct for information on our reporting guidelines. You must adopt and enforce a zero-tolerance policy for retaliation or intimidation against anyone who reports suspected misconduct, potential non-compliance or FWA in good faith. You must also have reporting mechanisms in place that protect the confidentiality of the information and anonymity of the individual reporting the issue in good faith. Questions or concerns can be sent to Compliance_Advice_Medi_Cal@scfhp.com. F. Specific federal and state compliance obligations Based on the services that your organization performs for SCFHP, you may be subject to other federal and state laws, rules, and regulations that are not described in this guide. If you have questions about other requirements for the services that your organization performs, consult with your SCFHP relationship manager or contact the SCFHP Compliance Officer. SCFHP expects your organization to be compliant with all applicable federal and state laws, rules, and regulations. G. Subcontractors Subcontractors must agree to comply with all applicable laws and regulations. SCFHP tracks Subcontracts of Delegated Entity's with the Subcontractor Form. Agreements with Subcontractors shall: Specify any and all delegated activities, obligations, and related reporting responsibilities Include agreement to perform the delegated activities and reporting responsibilities Provide for the revocation of the delegation of activities or obligations, or specify other remedies where DHCS, SCFHP, or Delegated Entity determines the Subcontractor is not performing satisfactorily Subcontractor ownership and disclosures Delegated Entities are required to provide written disclosure of information on Subcontractor's ownership and control for SCFHP to review against 42 CFR § 455.104.6. Delegated Entities must make the Subcontractors' ownership and control disclosure information available, and upon request, this information is subject to audit by DHCS. Delegated Entities shall alert SCFHP within three business days upon discovery that a Subcontractor is out of compliance with these requirements, and/or if a disclosure reveals any potential violation(s) of the ownership and control requirements. Offshore operations and reporting a. General requirements To help make sure we comply with applicable federal and state laws, rules, and regulations, you are required to obtain permission to perform offshore services or to use an individual or entity (offshore entity) to perform services for SCFHP when the individual or entity is physically located outside the United States or one of its territories (i.e., American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). The SCFHP Compliance Officer must approve the use of an offshore individual or entity in writing in advance of outsourcing the services to the offshore location. 40336 9 b. Notify us immediately if you plan to use an offshore entity If you perform services offshore or use an offshore entity to perform services involving the receipt, processing, transferring, handling, storing, or accessing of SCFHP member protected health information (PHI), SCFHP must approve the arrangement in writing and submit an attestation to CMS. Therefore, you must immediately notify your SCFHP relationship manager or the SCFHP Compliance Officer if you engage in offshore services yourself or through an offshore entity. Use this Offshore Services Attestation Form for reporting any offshore functions to SCFHP. One example provided by CMS of offshore services that trigger this attestation requirement is "offshore subcontractors that receive radiological images for reading because beneficiary PHI is included with the radiological image and the diagnosis is transmitted back to the US". H. Monitoring of Delegated Entities and Subcontractor data reporting SCFHP remains ultimately responsible for the data submitted by Delegated Entities and Subcontractors. We communicate requirements to all Delegated Entities, monitor the quality and compliance of data from Delegated Entities and, specifically, data that is submitted to DHCS or other entities pursuant to reporting responsibilities under state law. We must ensure all other data reported by Delegated Entities is complete, accurate, reasonable, and timely. This includes, but is not limited to, encounter data, monthly 274 provider network data files, data reported through quarterly templates, and any other ad hoc data requests required by DHCS. We must ensure Delegated Entities submit complete, accurate and timely encounter data to DHCS for all items and services furnished to Medi-Cal beneficiaries through subcontracts or other arrangements, including capitated providers. I. Monitoring and auditing of Delegated Entities and Subcontractors General requirements SCFHP is required to develop a strategy to monitor and audit our Delegated Entities to ensure that they are in compliance with all applicable laws and regulations. Our Delegated Entities are required to monitor and audit the compliance of their internal business units and Subcontractors. Therefore, if you choose to subcontract with other individuals/parties to provide administrative and/or health care services for SCFHP, you must make sure that these entities abide by all laws and regulations that apply to you as a Delegated Entity. Additionally, your organization must conduct oversight (i.e., auditing and monitoring) to test and ensure that your operational business units and Subcontractors are compliant. You must retain evidence of monitoring and auditing completed, ensure root cause analysis is conducted for any deficiencies, implement corrective actions, or take disciplinary actions such as contract termination, and validate that all remediation actions taken to correct non-compliance or FWA have been effective to prevent recurrence. Expect routine monitoring and audits SCFHP routinely monitors and audits our Delegated Entities based on our Risk Assessment conducted on all delegated functions managed on behalf of SCFHP. Our monitoring and auditing help us to ensure compliant administration of our Medi-Cal contract with DHCS, as well as applicable laws and regulations. Each Delegated Entity must cooperate and participate in these monitoring and auditing activities. If a Delegated 40336 10 Entity performs its own audits, those will be subject to review under SCFHP's compliance program effectiveness audit, which is a part of SCFHP's delegation audit process. If we determine that a Delegated Entity does not comply with any of the requirements in this guide, we will require them to develop and submit a CAP using this CAP form. We can help address the identified compliance issues. Develop procedures and systems for prompt response to compliance issues A key component of an effective compliance program is the ability to promptly respond to compliance issues as they are raised. During your organization's regular monitoring and auditing activities, you may become aware of potential non-compliance or FWA that may require additional action. Your organization must be able to demonstrate that it has established and implemented procedures and a system for promptly responding to compliance issues, including investigating the issues, correcting the problems promptly and completely to reduce the potential for recurrence, and ensuring ongoing compliance with CMS requirements. At a minimum, your organization must also: Initiate a reasonable inquiry as quickly as possible, but no later than two weeks after the date the potential noncompliance or potential FWA issue was identified; Self-report instances of FWA and noncompliance involving SCFHP to SCFHP immediately Undertake appropriate corrective actions Maintain thorough documentation of all deficiencies identified and corrective actions taken, and Validate that the corrective actions were effective in preventing recurrence of the non-compliance or FWA 40336 11 Quick reference guide General compliance and FWA training General compliance training Organizations can use the CMS general compliance training module on the CMS Medicare Learning Network (MLN). It can be completed on MLN after registration. It is titled "Medicare Parts C and D General Compliance Training". Organizations can download it and incorporate the module, unmodified, into existing training materials and systems. FWA training Organizations can use the CMS FWA training module on MLN. It can be completed on the MLN after registration. It is titled "Combating Medicare Parts C and D Fraud, Waste, and Abuse Training". Organizations can download it and incorporate the module, unmodified, into their existing training materials and systems. CMS requires Delegated Entities to maintain evidence of training completion. Delegated Entities must retain this evidence for 10 years. The CMS MLN certificate is Proof of training evidence of completion. Organizations may use this sample log to document trainings completion completed by their employees' if the organization has no process in place. Subcontractors can also use this log to document trainings completed by their employees. Standard of conduct and compliance policies & procedures Which code should be used? Which compliance policies are applicable? What information should be provided to employees? Exclusion list screenings Organizations are encouraged to distribute the SCFHP Standards of Conduct or their own comparable Code of Conduct to employees. The SCFHP Standards of Conduct, SCFHP Compliance Program, and associated compliance policies and procedures are available for review. Organizations may use this sample announcement template to share the SCFHP Standards of Conduct, SCFHP Compliance Program, and compliance policies and procedures with their employees and Subcontractors. How is the OIG site accessed? How is the SAM site accessed? Reporting mechanisms Organizations must complete OIG exclusion list screenings before hiring, appointment, or contracting and monthly thereafter for all employees, temps, volunteers, interns, providers, vendors, and Subcontractors. If your organization does not have a tracking process, see this sample screening log. Organizations must complete the SAM exclusion list screenings before hiring, appointment, or contracting and monthly thereafter for all employees, temps, volunteers, interns, providers, vendors, and Subcontractors. See the sample screening log for tracking linked in the above section for OIG screening. How is noncompliance or potential FWA reported to SCFHP? Organizations must report suspected or detected non-compliance or potential FWA that impact SCFHP directly to SCFHP. The reporting options flyer should be shared throughout your organization so that employees know how to report concerns. Monitoring and oversight What type of oversight of Subcontractors should be done? How will the organization know if it is in compliance with Medicare, Medi-Cal, and SCFHP compliance requirements? Organizations must conduct oversight of your Subcontractors and establish routine auditing and monitoring. SCFHP annually collects a Subcontractor Form from Delegated Entities. Organizations can use this sample tool to informally assess their compliance with CMS compliance program requirements. The organization can also modify the tool to assess compliance of Subcontractors. 40336 12 What is required regarding offshore operations? Organizations must obtain permission from SCFHP to use an offshore individual or entity to perform services that involve the processing, transferring, handling, storing, or accessing of SCFHP member PHI. Use this Offshore Services Attestation Form to request permission. Submit the completed form to your SCFHP relationship manager, or to Compliance_Advice_Medi_Cal@scfhp.com. 40336 13Microsoft Word 2013