Skip to main content

First-tier, Downstream, and Related Entities Compliance Program

We at UPMC ISD would like to thank you for your partnership with UPMC for Life and helping us provide exceptional service to our Medicare beneficiaries.

The Centers for Medicare & Medicaid Services (CMS), in its regulatory guidance, refers to our contracted partners as first-tier, downstream, and related entities (FDRs). UPMC ISD is required to effectively manage and oversee our FDRs that assist us in providing administrative and/or health care services for our Medicare beneficiaries. Examples of FDRs include but are not limited to field marketing organizations, agents, providers, pharmacies, pharmacy benefits managers, claim administration vendors, fulfillment, and other contracted vendors.

What Are First-tier, Downstream, and Related Entities?

First-tier entity: Any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization (MAO) or Part D plan to provide administrative services or health care services to a Medicare eligible individual under the Medicare Advantage (MA) program or Part D program. (See, 42 C.F.R. § 423.501).

Downstream entity: Any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the MA benefit or Part D benefit, below the level of the arrangement between an MAO or a Part D plan and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.

Related entity: Any entity that is related to an MAO or Part D plan by common ownership or control and

  1. Performs some of the MAO or Part D plan’s management functions under contract or delegation;
  2. Furnishes services to Medicare enrollees under an oral or written agreement; or
  3. Leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period.

As an FDR, you are required to comply with the CMS Medicare Compliance Program requirements provided below. Additionally, we ask you to complete the Annual Third-Party Compliance Program Attestation.

Medicare Parts C & D Fraud, Waste, and Abuse Training and General Compliance Training

As a first-tier, downstream, or related entity who provides administrative or health care services to Medicare beneficiaries on behalf of UPMC for Life, you must, at a minimum, provide any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors training on Fraud, Waste, and Abuse (FWA) and General Compliance within 90 days of initial hiring and annually thereafter.

To reduce the potential burden on our FDRs, UPMC ISD has developed and made available General Compliance and FWA training and education modules. Those modules can be found at the links below. You must use the provided FWA and General Compliance trainings or another similar training program. CMS training requirements can be found in the Medicare Managed Care Manual Chapters 21: Compliance Program Guidelines; and the Prescription Drug Benefit Manual Chapter 9: Compliance Program Guidelines. This includes the ability to demonstrate that your employees and contractors have fulfilled these training requirements as applicable. Examples of proof of training may include copies of sign-in sheets, employee attestations and electronic certifications from the employees taking and completing the training.

FWA training includes, but is not limited to the following:

  • Laws and regulations related to MA and Part D FWA (e.g., False Claims Act, Anti-Kickback statute, HIPAA/HITECH, etc.);
  • Obligations of FDRs to have appropriate policies and procedures to address FWA;
  • Processes for employees of your organization or those of any of your downstream and related entities to report suspected FWA to the appropriate area within your company, who in turn will notify UPMC ISD; or they may directly report suspected FWA to UPMC ISD;
  • Protections for employees of your organization or those of any of your downstream and related entities who report suspected FWA; and
  • Types of FWA that can occur in the settings of your organization or those of any of your downstream and related entities work.

*CMS requires that all training documentation be retained for a minimum of 10 years.

Code of Conduct and Compliance Policies

The Code of Conduct, also known as the “Standards of Conduct”, states the overarching principles and values by which an organization operates, and defines the underlying framework for the compliance policies and procedures. The Code of Conduct and compliance policies describe your organization’s expectations that all employees conduct themselves in an ethical manner; that issues of noncompliance and potential FWA are reported through appropriate mechanisms; and that reported issues will be addressed and corrected.

The Code of Conduct communicates to employees of your organization and those of your Downstream and Related entities that compliance is everyone’s responsibility from the top to the bottom of the organization. As an FDR who contracts with UPMC ISD to provide administrative or health care services for our Medicare business, you are required to distribute the Code of Conduct and any additional compliance policies and procedures to all your organization’s employees and those of your downstream and related entities who provide services for UPMC for Life beneficiaries within 90 days of hire or contracting, annually, and when updates are made. If your organization does not have its own Code of Conduct, you may adopt the UPMC Code of Conduct.

OIG/GSA Exclusion Screening

Medicare payment may not be made for items or services furnished or prescribed by an excluded provider or entity. UPMC ISD is responsible for ensuring that we do not use federal funds to pay for services, equipment, or drugs prescribed or provided by a provider, supplier, employee, or FDR excluded by the OIG or GSA.

As a first-tier, downstream, or related entity that provides administrative or health care services to Medicare beneficiaries, your organization is required to review the DHHS Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) and the General Services Administration (GSA) System for Award Management (SAM). These checks must be performed prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or delegated vendors and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. After entities are initially screened against the entire LEIE and GSA at the time of hire or contracting, at minimum, you must review the LEIE supplement file provided each month, which lists the entities added to the list that month, and review SAM updates provided during the specified monthly time frame.

Reporting FWA and Compliance Concerns

We at UPMC ISD take compliance concerns and suspected or actual violations related to the Medicare program very seriously. As an FDR that contracts with UPMC ISD, you must ensure that all your employees and those of your downstream and related entities are informed of how to report compliance concerns and suspected misconduct. UPMC ISD will perform an internal investigation of each concern after your organization reports any incidents.

Good faith reporting of suspected noncompliance or FWA is expected and accepted behavior. Anyone who in good faith reports a violation is referred to as a “whistleblower” and is protected from any retaliation. A number of laws contain whistleblower protection, including the False Claims Act. You are expected to cooperate with any investigation resulting from the reporting of a violation. We have various reporting mechanisms for your use to ensure confidentiality when reporting compliance concerns and/or suspected or actual misconduct.

For issues of noncompliance:
Compliance Hotline: 1-877-983-8442
Medicare Compliance:

For potential FWA:
Fraud Hotline: 1-866-372-8301
Special Investigations Unit:

Third-party Compliance:

Offshore Subcontractor Reporting

As an FDR that contracts with UPMC ISD, you must ensure that your downstream or related entities do not engage in offshore operations for any of UPMC ISD’s Medicare-related work without first having received express consent from an authorized representative at UPMC ISD. CMS requires UPMC ISD to provide attestations to CMS within 30 calendar days after an offshore subcontract is signed. In the event that UPMC ISD approves an offshore subcontract, to ensure that any applicable attestations are provided to CMS in a timely manner, UPMC ISD requires that all necessary information be provided to UPMC ISD within a time frame not to exceed 15 calendar days from the date the contract is signed.

The term “offshore” refers to any country that is not one of the 50 United States or one of the United States territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). Examples of countries that meet the definition of “offshore” include Mexico, Canada, India, Germany, and Japan. Subcontractors that are considered offshore can be either American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.

Medicare-related work encompasses what offshore subcontractors do when they receive, process, transfer, handle, store, or access beneficiary PHI while helping organizations such as UPMC ISD fulfill their Medicare Part C and Part D contract requirements. For example, the term “Medicare-related work” includes offshore subcontractors that receive radiological images for reading, because beneficiary PHI is included with the radiological image and the diagnosis is transmitted back to the U.S. More examples of Medicare-related work include claims processing, claims data entry services, scanning paper claims to create electronic records, receipt of beneficiary calls, and any situation where the offshore subcontractor may have access to beneficiary PHI.

Ongoing Monitoring and Auditing

As an FDR that contracts with UPMC ISD, you must ensure that compliance is maintained by your organization as well as your downstream and related entities that provide administrative or health care services to UPMC ISD’s Medicare business. To ensure ongoing compliance with state and federal regulations, your organization must perform ongoing oversight to ensure that your organization and your downstream and related entities, if applicable, comply with the above stated requirements and any additional regulations related to the services you/they provide to UPMC for Life beneficiaries.

To ensure that UPMC ISD has proper auditing and monitoring controls in place, UPMC ISD and/or CMS reserve the right to request that you provide evidence of your compliance with these requirements or other requirements within the scope of our delegation to you. If you fail to comply with the Medicare Compliance program requirements, UPMC ISD will request remedial action. The remedial action will depend upon the severity of your noncompliance. An authorized representative from your organization is required to complete the Third-Party Compliance Program Attestation Form (on behalf of your organization) on an annual basis. In doing so, you attest to your organization’s compliance with these Medicare Compliance Program requirements. For the purposes of this attestation, an authorized representative is an individual who has responsibility directly or indirectly for all employees, contracted personnel, providers/practitioners, and delegated vendors who provide administrative and/or health care services for UPMC ISD; this would include the Compliance Officer, Chief Medical Officer, Chief Operating Officer, an Executive Officer, or similar related positions.

UPMC ISD maintains the ultimate responsibility for fulfilling the terms and conditions of its contract with CMS, and for meeting the Medicare program requirements. Therefore, CMS may hold UPMC ISD accountable for the failure of its FDRs to comply with Medicare program requirements.