Regulatory Compliance Program Requirements for Marketplace/Exchange Delegated and Downstream Entities

UPMC ISD issues qualified health plans (QHPs) through the Federally Facilitated Marketplace, also known as the federal “Exchange,” which customers can access through the UPMC Health Plan Marketplace/Exchange website or the federal Healthcare.gov website. The Centers for Medicare and Medicaid Services (CMS) requires QHP issuers to oversee the activities of third parties who perform administrative functions for the QHP issuer or provide health care services to beneficiaries, also called "delegated and downstream entities" (DDEs).

What Are Delegated and Downstream Entities?

Delegated entity: Any party, including an agent or broker, that enters into an agreement with a QHP issuer to provide administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents (45 CFR § 156.20).

Downstream entity: Any party, including an agent or broker, that enters into an agreement with a delegated entity or with another downstream entity for purposes of providing administrative or health care services related to the agreement between the delegated entity and the QHP issuer. The term ‘‘downstream entity’’ is intended to reach the entity that directly provides administrative services or health care services to qualified individuals, qualified employers, or qualified employees and their dependents (45 CFR § 156.20).

Examples of functions performed by DDEs include (but are not limited to): plan design, marketing, enrollment, customer service, claims administration, network development, benefit management, quality improvement.

As a DDE, you must comply with the compliance program requirements below. Additionally, you must attest to your compliance on an annual basis.

Annual Compliance Attestation

An authorized representative from your organization is required to complete the Third-Party Compliance Program Attestation on behalf of your organization on an annual basis. In doing so, you attest to your organization’s compliance with the Third-Party Compliance Program requirements. For the purposes of this attestation, an authorized representative is an individual who has responsibility, directly or indirectly, for all employees, contracted personnel, and delegated vendors who provide administrative and/or health care services for UPMC ISD; this would include a Chief Compliance Officer, Chief Medical Officer, Chief Operating Officer, or other executive position.

• 2023 Third-Party Compliance Program Attestation Form

UPMC ISD will send a notification to each DDE to communicate the deadline for completion of the annual Attestation. All DDEs must complete the Attestations within the designated time frame.

Code of Conduct/Compliance Policies/Conflict of Interest Policy

A Code of Conduct or Standards of Conduct state the overarching principles and values by which an organization operates and defines the underlying framework for an organization’s compliance policies and procedures. The Code of Conduct and compliance policies describe your organization’s expectations that all employees conduct themselves in an ethical manner; that issues of noncompliance and potential fraud, waste, and abuse (FWA) are reported through appropriate mechanisms, and that reported issues will be addressed and corrected.

The Code of Conduct communicates to employees of your organization that compliance is everyone’s responsibility, from the top to the bottom of the organization. As a DDE who contracts with UPMC ISD to provide administrative or health care services for our Marketplace business, you are required to distribute the Code of Conduct and any additional compliance policies and procedures to all employees (and those of your downstream entities) who provide services for UPMC Health Plan Marketplace/Exchange within 90 days of hire or contracting, and annually thereafter.

• Code of Conduct (PDF)

In addition to the Code of Conduct and compliance policies, you must ensure that all of your employees (and those of your downstream entities) who provide services for UPMC Health Plan Marketplace/Exchange have reviewed either the UPMC Conflict of Interest policy or your own equivalent version. Any potential conflicts of interest as they relate to administering or delivering Marketplace/Exchange benefits on behalf of our organization must be disclosed to senior management within your organization and to UPMC ISD. If necessary, your organization must promptly address all conflicts of interest by any of the following:

• Determine that the potential conflict does not impact administering or delivering Marketplace/Exchange benefits
• Eliminate any potential conflicts
• Remove anyone who has a conflict of interest from administering or delivering Marketplace/Exchange benefits

General Compliance & Fraud, Waste, and Abuse Training

What is fraud, waste, and abuse (FWA)?

Fraud is an intentional misrepresentation that is made to obtain something of value.

Waste is an overutilization of services that, directly or indirectly, results in unnecessary costs.

Abuse is an affirmative action that is inconsistent with sound medical, business or fiscal practices, and that is not medically necessary.

As a DDE who provides administrative or health care services to Marketplace/Exchange beneficiaries on behalf of UPMC Health Plan Marketplace/Exchange, you must provide any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors FWA training and general compliance training within 90 days of initial hiring, and annually thereafter.

To reduce the potential burden on our DDEs, UPMC ISD has developed and made available standardized General Compliance and FWA training and education modules. Those trainings can be found at the below links. You can use provided FWA and General Compliance trainings that were created by UPMC ISD, or a similar FWA and General Compliance training program.

FWA training includes, but is not limited to the following:

• Relevant laws and regulations (e.g., HIPAA/HITECH, etc.);
• Obligations of DDEs to have appropriate policies and procedures to address FWA;
• Processes for employees of your organization or those of any of your downstream entities to report suspected FWA;
• Protections for employees of your organization or those of any of your downstream entities who report suspected FWA; and
• Types of FWA that can occur in the setting of your organization or those of any of your downstream entities.

*UPMC ISD requires that all training documentation be retained for a minimum of 10 years.

• CMS Medicare Learning Network (MLN)
• UPMC Fraud, Waste, and Abuse (FWA) Training
• UPMC General Compliance Training

Exclusion Screenings

As a DDE that provides administrative or health care services to Marketplace/Exchange beneficiaries, UPMC ISD requires you to review the DHHS Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) System for Award Management (SAM). These checks must be performed prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.

The websites utilized to perform the required screening are:

• Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE)
• General Services Administration (GSA) System for Award Management (SAM)

Reporting FWA and Compliance Concerns

We at UPMC ISD take compliance concerns and suspected or actual violations related to the Marketplace/Exchange very seriously. As a DDE that contracts with UPMC ISD, you must ensure that all of your employees (and those of any of your downstream entities) are informed of how to report compliance concerns and suspected misconduct. UPMC ISD will perform an internal investigation of each concern after your organization reports any incidents.

UPMC Health Plan Compliance Hotline: 1-877-983-8442

Fraud, Waste, and Abuse:
Fraud Hotline: 1-866-372-8301
Special Investigations Unit: specialinvestigationsunit@upmc.edu

Third-party Compliance:
Thirdpartycompliance@upmc.edu

Marketplace/Exchange Compliance:
Exchangecompliance@upmc.edu

Ongoing Monitoring and Auditing

As a DDE that contracts with UPMC ISD, you must ensure that your organization and your downstream entities are in compliance with state and federal regulations. UPMC ISD reserves the right to request that you provide evidence of your compliance with the above requirements or other requirements within the scope of our delegation to you. If you fail to comply with the Third-party Compliance Program requirements, UPMC ISD will request remedial action. The remedial action will depend upon the severity of your noncompliance and may include requiring a corrective action plan or terminating your contract.

About downstream and delegated entities

1. They are vendors that support Marketplace/Exchange lines of business.
2. The function of the vendor is a requirement of UPMC Health Plan's Marketplace/Exchange contract or applicable guidance (law or regulation).
3. The vendor provides administrative services and/or health care services to qualified individuals, qualified employers, or qualified employees and their dependents.
4. Vendor deliverables are management/service-related (e.g., processing functions), not product-related (e.g., software).