TABLE OF CONTENTS I. FDR General Compliance & Fraud, Waste, and Abuse Training and Standards/Code of Conduct 1. Why am I receiving notice to complete training for Aetna? 2. Why is this training necessary? 3. What does CMS mean by an FDR? 4. What Aetna products/plans does this training apply to? 5. What if I do not contract with Aetna for its Medicare products? 6. Who has to take this training? 7. Does every employee of every FDR have to satisfy FWA training requirements? 8. How do I know if I am deemed to have met the FWA training requirements already? 9. If I am deemed, am I exempt from these requirements completely? 10. What are the Compliance Training requirements? 11. What is a Standards/Code of Conduct? 12. How does Aetna s Code of Conduct relate to this training? 13. Can an FDR use its own Code of Conduct? 14. Do we have to use Aetna s training or can we use a different version of training? 15. How often does this training have to be taken? 16. By when does the training have to be completed? 17. Where is the Aetna Code of Conduct? 18. What kind of documentation is needed to show training was completed? 19. What documentation does Aetna need after completion of this training? 20. What will happen if I don t complete the required training? 21. What is the source of these requirements? 22. Are the requirements new? 23. Who do I contact if I have more questions about this training? II. Reporting Potential or Actual Non-Compliance or FWA 24. Do we have to report non-compliance and FWA to Aetna or does Aetna consider reporting within our organization to be sufficient? 25. What should I do if I suspect fraud, waste, or abuse or other compliance issues? III. Sanction, Debarment, Exclusion Lists 26. What is the OIG exclusion list? 27. What is the difference between the OIG LEIE, General Services Administration (GSA) Excluded Parties List System (EPLS), and the System for Award Management (SAM) Websites? 28. What are my requirements related to Federal health care program exclusion and debarment checks? 29. How often do the exclusion/debarment checks have to be completed? 30. What evidence should I submit to show that these checks are completed? 31. What if an individual or entity is identified on one of the exclusion/debarment lists? IV. Validation/Audit of Effective 32. What documentation/evidence will CMS and/or Aetna ask FDRs for to support their compliance with Aetna s Compliance Program? 33. Why is Aetna asking for all of this information? 34. Why are you asking about how long I retain my employee training and disciplinary records? 35. Why are you asking about my subcontractors (i.e., downstream contractual arrangements)? 36. What oversight is expected for my subcontractors? ATTACHMENT A: Evidence Examples Medicare Compliance April 2014 1
I. FDR General Compliance & Fraud, Waste, and Abuse Training and Standards/Code of Conduct 1. Why am I receiving notice to complete training for Aetna? Because of your contractual relationship with Aetna (or its subsidiaries) you are considered an FDR, therefore required to ensure that you, your employees, your Downstream and Related Entity employees complete this training. 2. Why is this training necessary? The Centers for Medicare and Medicaid Services (CMS) requires Medicare Advantage Organizations and Part D sponsors to ensure that general compliance and fraud, waste, and abuse training and education is communicated to their First Tier, Downstream, and Related Entities (FDRs) who have involvement in the administration or delivery of Parts C and D benefits. Because of your contractual relationship with Aetna (or its subsidiaries), you are considered an FDR; therefore CMS requires that you, your employees, your Downstream and Related Entity employees complete this training. 3. What does CMS mean by an FDR? CMS defines First Tier, Downstream and Related entities (FDR) as: First Tier Entity - any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization (MAO) or Part D plan sponsor or applicant to provide administrative services or health care services to a Medicare-eligible individual under the Medicare Advantage program or Part D program. Downstream Entity - any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the Medicare Advantage or Part D benefit, below the level of first tier entity. These arrangements continue down to the level of the ultimate provider of both health and administrative services. Related Entity - any entity that is related to an MAO or Part D Sponsor by common ownership or control and performs some of the sponsor's management functions under contract or delegation; furnishes services to Medicare enrollees under an oral or written agreement, or leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2500 during a contract period. 4. What Aetna products/plans does this training apply to? These requirements apply to all Aetna or Aetna subsidiary Part C and Part D Medicare products: Medicare Advantage (MA), Medicare Advantage Prescription Drug (MAPD) and Prescription Drug Plans (PDP). 5. What if I do not contract with Aetna for its Medicare products? This training does not apply to you unless you are contracted with another entity that is contracted with Aetna to service Aetna s Medicare products. 6. Who has to take this training? You, your employees, and any of your Downstream and/or Related Entity employees that are involved in the delivery of Aetna s Medicare product administration or delivery of services must take this training. It is your responsibility to identify those parties that serve in this capacity for you and to Medicare Compliance April 2014 2
ensure they complete the training. The only exception is if they are deemed, allowing them to be exempt from the Fraud, Waste, and Abuse (FWA) training. 7. Does every employee of every FDR have to satisfy FWA training requirements? FDR employees who perform work on behalf of Aetna s Medicare products must satisfy CMS FWA Training requirements, unless the employees are deemed to have met the FWA training requirements. 8. How do I know if I am deemed to have met the FWA training requirements already? FDRs who have met the FWA certification requirements through enrollment into Parts A or B of the Medicare program or through accreditation as a supplier of DMEPOS are deemed to have met the CMS FWA training requirements. Deeming is at the level of the entity s participation/accreditation (whether for the individual or entire organization). 9. If I am deemed, am I exempt from these requirements completely? No. This deeming status is applicable only to the FWA training so all other requirements still apply (e.g., code of conduct distribution to your employees and Downstream and/or Related Entities; FWA training distribution to your Downstream and/or Related Entity employees unless they are also deemed, etc.). 10. What are the Compliance Training requirements? Compliance Training is required by CMS of Aetna s FDR employees but can be completed through the dissemination of a Code of Conduct to these employees; therefore, Aetna s Compliance Training requirements are to distribute Aetna s Code of Conduct or an equivalent code to your employees and Downstream and/or Related Entities. 11. What is a Standards/Code of Conduct? Standards of Conduct, also known in some organizations as the Code of Conduct or by other similar names, state the overarching principles and values by which the company operates, and define the underlying framework for the compliance policies and procedures. Code of Conduct describes expectations that all employees conduct themselves in an ethical manner with issues of noncompliance and potential FWA required to be reported through appropriate mechanisms, etc. CMS requires the communication of this document to employees and FDR employees that service Aetna s Medicare products. We developed and maintain the Aetna Code of Conduct. 12. How does Aetna s Code of Conduct relate to this training? CMS requires that FDRs and their employees receive a Code of Conduct (either Aetna s or the FDR s equivalent code). In addition, Aetna uses its Code of Conduct to meet the CMS compliance training requirements. 13. Can an FDR use its own Code of Conduct? Yes, if it is equivalent to Aetna s Code of Conduct. 14. Do we have to use Aetna s training or can we use a different version of training? Either Aetna s FWA training and Code of Conduct or equivalent versions may be substituted to satisfy these training requirements. Regardless of the training used, you should retain evidence of your, your employees and your Downstream and/or Related Entity s completion for at least ten years. This evidence may be in the form of employee attestations, employee attendance/training logs, or other means determined by you to best represent fulfillment of your obligations. Medicare Compliance April 2014 3
15. How often does this training have to be taken? This training must be completed initially and annually thereafter. 16. By when does the training have to be completed? This training must be completed within 90 days of your and your employees initial hire date and at least annually thereafter. Your Downstream and/or Related Entity s must also be trained within this same timeframe. 17. Where is the Aetna Code of Conduct? The Aetna Code of Conduct should have been provided to Aetna s First Tiers during orientation/onboarding and annually thereafter. It is also posted at http://www.aetna.com/investorsaetna/governance/code_of_conduct.html. In addition, providers may find more information within Aetna s provider education site: www.aetnaeducation.com. If you would like another copy, send an email request to Aetna s FDR mailbox at MedicareFDR@aetna.com. 18. What kind of documentation is needed to show training was completed? Evidence may be in the form of employee attestations, employee attendance/training logs, or other means determined by you to best represent fulfillment of your obligations. You should retain evidence of completion for at least 10 years. Aetna and/or CMS may request this evidence to ensure completion of these requirements. If you and/or your employees are deemed to have met the FWA training requirements, you should retain proof of the deemed status. 19. What documentation does Aetna need after completion of this training? Aetna collects attestations to confirm completion of the training requirements. Depending on the type of First Tier that you are for Aetna, you may receive the request by email or in another manner. For example, providers can access a copy of Aetna s attestation form within the provider education site at www.aetnaeducation.com by enrolling in the annual Medicare Compliance Attestation. You must also maintain evidence to document the completion of this training for all of your employees and Downstream and/or Related Entity employees. Evidence may be in the form of employee attestations, employee attendance/training logs, or other means determined by you to best represent fulfillment of your obligations. You should retain evidence of completion for at least ten years. Aetna and/or CMS may request this evidence to ensure completion of these requirements. If you and/or your employees are deemed to have met the FWA training requirements, you should provide proof of the deemed status. 20. What will happen if I don t complete the required training? If areas of noncompliance are determined, enforcement actions may be taken to both cure the deficiency and prevent future occurrences. Enforcement actions, such as corrective action plans and/or contract termination, may vary depending upon the severity of the issue. CMS requirements dictate this training so completion of it is not an option. As expressed within the Code of Conduct, it is expected that you ensure timely, consistent, and effective enforcement through well-publicized disciplinary standards (e.g., mandatory retraining, termination, etc.) that are taken with any personnel within your organization who demonstrate any non-compliant or fraudulent behavior. As an Aetna First Tier, you are expected to enforce completion of these requirements with your Downstream and/or Related Entities, as well. Medicare Compliance April 2014 4
If you are aware of or suspect noncompliant, unethical or illegal behavior by others, including, but not limited to, failure to complete the required training and education, you are obligated to report it to Aetna immediately so that we can investigate and respond appropriately. (See Q25 for reporting mechanism options.) 21. What is the source of these requirements? The Code of Federal Regulations (CFR) outlines these regulatory requirements from CMS. The training requirement and deemed status are noted at 42 CFR 422.503(b)(4)(vi)(C) for Medicare Advantage and 42 CFR 423.504(b)(4)(vi)(C) for Part D and further described within the Medicare Managed Care Manual, Chapter 21 Compliance Program Guidelines and Prescription Drug Benefit Manual, Chapter 9 Compliance Program Guidelines. 22. Are the requirements new? No. These regulatory requirements from CMS are not new requirements. You should have received similar training notices regarding these requirements in previous years. 23. Who do I contact if I have more questions about this training? If you have any questions related to the notices you ve received about training needs, you should contact your Aetna representative or may email questions to MedicareFDR@aetna.com II. Reporting Potential or Actual Non-Compliance or FWA 24. Do we have to report non-compliance and FWA to Aetna or does Aetna consider reporting within our organization to be sufficient? FDRs that partner with multiple sponsors may train their employees on the FDR s internal reporting processes including emphasis that reports must be made to our company. FDR s internal processes must involve a system to promptly respond to compliance/fwa concerns as they are raised. They must also include thorough investigations, root cause analysis, actions for correction and prevention of reoccurrence and reporting to Aetna and authorities, as applicable. All concerns that affect Aetna s Medicare products must be reported to Aetna, but may go through your process initially. It is mandatory to report any potential or actual non-compliance and/or FWA to Aetna. There is a zero-tolerance policy for retaliation or retribution against anyone who reports suspected misconduct. 25. What should I do if I suspect fraud, waste, or abuse or other compliance issues? If you identify compliance issues and/or potential fraud, waste, or abuse, please report immediately to us so that we can investigate and respond appropriately. There are mechanisms in place that may be used to report issues such as the AlertLine: 1-888-891-8910 or at aetna.alertline.com. These reporting mechanisms are outlined in Aetna s Code of Conduct. We enforce a zero-tolerance policy for retaliation or retribution against anyone who reports suspected misconduct. III. Sanction, Debarment, Exclusion Lists 26. What is the OIG exclusion list? OIG s List of Excluded Individuals/Entities (LEIE) provides information to the health care industry, patients and the public regarding individuals and entities currently excluded from participation in Medicare Compliance April 2014 5
Medicare and other Federal health care programs. The effect of an exclusion is that no payment will be made by any Federal health care program for any items or services furnished, ordered or prescribed by an excluded individual or entity. No program payment will be made for anything that an excluded person furnishes, orders, or prescribes. This payment prohibition applies to the excluded person, anyone who employs or contracts with the excluded person, any hospital or other provider for which the excluded person provides services, and anyone else. The exclusion applies regardless of who submits the claims and applies to all administrative and management services furnished by the excluded person. CMS prohibits payments by Aetna directly or indirectly to anyone on this list or on the GSA/SAM list. For more information on the OIG LEIE, see: http://oig.hhs.gov/exclusions/index.asp. 27. What is the difference between the OIG LEIE, General Services Administration (GSA) Excluded Parties List System (EPLS), and the System for Award Management (SAM) Websites? GSA administers EPLS and SAM, both of which contain debarment actions taken by various Federal agencies, including exclusion actions taken by the OIG. The List of Excluded Individuals/Entities contains only the exclusion actions taken by the OIG. 28. What are my requirements related to Federal health care program exclusion and debarment checks? First Tier, Downstream, and Related Entities must review a number of federal excluded persons, sanction and debarment lists such as the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and General Services Administration (GSA), at the time of hire/contracting and monthly thereafter for their current employees/contractors, health care professionals, or vendors that work on Medicare Advantage or Part D programs to ensure that none are excluded from participating in Federal health care programs. For more information or access to the publicly accessible online databases, please see the following links: for OIG LEIE - www.oig.hhs.gov/exclusions/index.asp and for GSA - www.sam.gov. 29. How often do the exclusion/debarment checks have to be completed? The checks must be completed initially before hire/contracting and then monthly thereafter. This frequency is a change made by CMS. 30. What evidence should I submit to show that these checks are completed? The documentation or evidence may vary depending on the system used to complete this checks. If you perform a manual search of the website lists, you may use a screen print of the results of the check. If you perform these checks using a more automated system or program, your documentation may be based on the information available within that system. Regardless of the process you use to perform these required checks, the documentation to evidence compliance with this requirement should clearly identify the name of the entity/individual checked, the date the check was performed, and the results of the check. 31. What if an individual or entity is identified on one of the exclusion/debarment lists? If you identify an excluded individual or entity employed or contracted by your organization, you must report this to Aetna. This entity must be immediately removed from directly or indirectly servicing Aetna s Medicare products. Medicare Compliance April 2014 6
IV. Validation/Audit of Effective 32. What documentation/evidence will CMS and/or Aetna ask FDRs for to support their compliance with Aetna s Compliance Program? A variety of evidence could be requested by CMS and/or Aetna from FDRs such as those that can be found on ATTACHMENT A: Evidence Examples. 33. Why is Aetna asking for all of this information? CMS requires that Aetna conduct oversight of contracted entities to ensure that they are meeting CMS compliance expectations for all Part C & D related responsibilities. You are required to provide documentation at the request of Aetna and/or CMS as depicted within your contractual agreement. Please note that CMS requires your evidence of training completion to be at the level of your employees (e.g., employee attendance/training logs, sign-in sheets, employee attestations or certifications, etc.). 34. Why are you asking about how long I retain my employee training and disciplinary records? CMS requires that records are retained for at least ten years and requires that we validate your compliance. 35. Why are you asking about my subcontractors (i.e., downstream contractual arrangements)? CMS requires that Aetna assess your oversight of your downstream contractual arrangements that are used by you to service Aetna s Medicare products. This assessment is required to ensure that you have a process to validate their compliance and impose corrective actions when deficiencies are identified which may include termination of your contract with the entity if the deficiencies cannot be corrected and hence warrant such action. 36. What oversight is expected for my subcontractors? CMS requires that you, your organization, and any of your Downstream and Related Entities maintain compliance of all CMS requirements, as applicable, while servicing Aetna s Medicare products. This includes the requirements already mentioned, as well as any others that may apply that are not listed in these FAQs. For example, CMS requires the reporting and oversight of any and all entities that manage Protected Health Information (PHI) offshore. Therefore, it is expected that you identify any such services for your own organization or any of your Downstream/Related Entities in order to conduct oversight of those processes and report them to Aetna. If you use Downstream and/or Related Entities for Aetna s Medicare products, you must ensure that proper oversight is conducted comprehensively for all CMS requirements through ongoing monitoring processes and annual audits. Medicare Compliance April 2014 7
ATTACHMENT A: Evidence Examples Summary of expectation FDR employees and Downstream/Related Entities received Aetna s or equivalent Code of Conduct (COC) upon hire/initial contracting and annually thereafter FDR employees and Downstream/Related Entities completed Aetna s or equivalent FWA Training upon hire/initial contracting and annually thereafter FDRs check OIG & SAMs Lists for employees and Downstream/Related Entities prior to hire/contracting and monthly thereafter FDR employees and Downstream/Related Entities received reporting mechanisms for reporting potential or actual non-compliance and/or FWA either internally then to Aetna or to Aetna directly (including nonretaliation policy for good faith reporting) FDR retains records related to Aetna Medicare product service delivery/activities for a period of no less than 10 years FDRs conduct sufficient oversight of their Downstream and Related Entities CMS compliance Examples of evidence/documentation that may be requested Organization attestation confirming dissemination to employees and Downstream/Related Entities Employee attestations confirming receipt Training agendas and sign-in sheets for COC training Participation/onboarding/orientation manuals Organization attestation confirming dissemination to employees and Downstream/Related Entities Employee attestations confirming receipt Training agendas and sign-in sheets for FWA training Proof of deemed status Website screenshots of list checks Automated results from acquired tools (e.g., Bridger, etc.) Attestation from individual within organization that conducts these ongoing checks (e.g., Human Resources, etc.) Evidence of reporting found individuals/entities to Aetna as they are identified Reporting Mechanism Posters in facilities Code of Conduct content in trainings with training sign-in sheets, etc. Organization attestation confirming dissemination Record Destruction Schedule Notice and/or training content disseminated to employees and Downstream/Related Entities Organization attestation confirming retention Audit Plan Audit Reports with review results Monitoring of entity functions with results Medicare Compliance April 2014 8
Any corrective/preventive action plans for identified deficiencies Reporting of deficiencies to authoritative bodies including Aetna, as necessary Organization attestation confirming oversight completion and downstream compliance Note: This table is intended to be a list of examples only. The expectations listed are not intended to be all inclusive of CMS compliance requirements. Further, the examples of evidence listed are not intended to be a list of all items required to be in place nor a declaration of the maximum evidence needed to demonstrate compliance. Medicare Compliance April 2014 9