Cover Your Attestation Part 3: Monitoring, Reporting and Record Retention

In this concluding part of our Cover Your Attestation article series, we will discuss Medicare's requirements for plan sponsors to monitor their first tier, downstream and related entities; to report detected noncompliance or potential fraud, waste and abuse (FWA); and your organization's requirement to maintain documentation and records for a period of ten years.


The plan sponsor must develop a strategy to monitor and audit its first tier entities to ensure that they are in compliance with all applicable laws and regulations, and to ensure that the first tier entities are monitoring the compliance of the entities with which they contract (the plan sponsors' "downstream" entities).

Monitoring of first tier entities for compliance program requirements must include an evaluation to confirm that the first tier entities are applying appropriate compliance program requirements to downstream entities with which the first tier contracts.

In addition, if your organization works with offshore subcontractors (first tier, downstream and related entities) to perform Medicare-related work that uses beneficiary protected health information (PHI), you are required to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI.


Medicare Advantage plan sponsors are required to have a system in place to receive, record, respond to, and track compliance questions or reports of suspected or detected noncompliance or potential FWA from FDRs and their employees. Reporting systems must maintain confidentiality (to the greatest extent possible), allow anonymity if desired, and emphasize the plan sponsor's / FDR's policy of non-intimidation and non-retaliation for good faith reporting.

If you are unfamiliar with these reporting requirements, they are addressed in our Corporate Compliance training module. For example, the Effective Lines of Communication slide includes the following policy:

Offices should have a general "open door" policy for employees to communicate with their direct supervisor, compliance officer, and compliance committee (if applicable).

Staff should be advised that the compliance officer's duties include answering routine questions regarding compliance or ethics issues.

And the following procedure:

(Your Organization's name) has mechanisms in place for employees and others to report suspected or actual acts of non-compliance. Reports can be made to managers, supervisors, our Corporate Compliance Officer or any member of our compliance staff.

We maintain a detailed log of all reports of actual or potential non-compliance. We strive to create an environment in which employees feel free to report concerns or incidents of wrongdoing without fear of retaliation or retribution, when making a good faith report of non-compliance.

With the following recommendations:

Who can your employees report to for any cases of fraud, waste, or abuse? If you provide a hotline for your employees, then please provide it and any other instructions.

Record Retention

Does your organization understand and agree to maintain documentation and records for a period of ten years and will furnish evidence of compliance with applicable requirements to the insurance company, CMS and/or an agent of CMS upon request?

First tier and downstream entities must comply with Medicare laws, regulations, and CMS instructions (CFR 422.504(i)(4)(v)), agree to audits and inspection by CMS and/or its designees, cooperate, assist, and provide information as requested, and maintain records for a minimum of 10 years. During this 10-year period, plan sponsors are accountable for maintaining attendance, topic, certificates of completion (if applicable), and test scores of any tests administered to their employees, and must require FDRs to maintain records of the training of the FDRs' employees.

Did you know these requirements are easily fulfilled by completing Healthcare Compliance Pros' online training modules? In addition, our clients can create and store organization-specific training that can be taken on the HCP website. Records of organization-specific training can be easily retained and accessed upon request.

Final thoughts

In addition to Meaningful Use, CMS requires First Tier, Downstream or Related Entities (FDRs) of many insurance companies, such as providers, to complete Compliance Program requirements. Healthcare Compliance Pros helps you cover these Compliance Program requirements in a variety of ways. For example, this week we are launching our automatic Corporate Plus program, which includes automatic OIG Exclusion Database checking of both your employees and vendors. Moreover, we are easing the ongoing burden by continuously monitoring the OIG Exclusion Database for your organization. We are offering this service at a rate far less than what it would cost your organization to assign an employee to perform the same responsibilities. Additionally, we help you complete all of the requirements we discussed in this three-part Cover Your Attestation article series.

If you have any questions about our Cover Your Attestation article series, please feel free to comment below, send us an email at [email protected], or reach us by phone at 855-427-0427.