Mazars logo Mazars logo Mazars logo The Ledger

Conducting Pre-Delegation Audit In NYS

July 29, 2020


Oversight of First Tier, Downstream, and Related (FDR) entities in Medicare Advantage (MA), Medicaid Managed Care (MMC) and Part D plans is an important part of a plan’s compliance program. The Centers for Medicare and Medicaid Services (CMS) and NYS Department of Health (NYSDOH) have been increasing the level of focus on FDRs through their program audits. Plans must implement the FDR oversight requirements to meet CMS and NYSDOH regulations.

In most federal and state jurisdictions including NYS, the Managed Care Organization (MCO) is responsible for policing the delivery of healthcare to its consumers. In fact, during CMS and state department of health audits, MCOs will be subject to compliance findings or corrective actions if there is a lack of vendor oversight or if a delegated vendor is found to be in violation of a regulation pertaining to healthcare delivery.

MCOs often struggle to manage the compliance expectations of their contracted entities. A vendor to an MCO that does not understand the law or fails to demonstrate evidence of compliance is not a sufficient excuse for violations. For this reason, it is common for MCOs to require a pre-delegation audit followed by an annual attestation from their vendors to ensure they are following applicable compliance program requirements.

Although the pre-delegation audit and annual attestation are standard monitoring practices, many MCOs fail to include state-specific requirements in their vendor oversight programs. Consequently, in the worst-case scenario, a vendor may achieve consistent high scores in its ability to adhere to CMS requirements, but because state requirements were not as actively monitored and evaluated, that same vendor may be failing operationally in specific jurisdictions.

The purpose of this article is to explain both the NYS and CMS requirements regarding vendor monitoring and oversight and, ultimately, recommend to MCOs that a pre-delegation audit should not only include CMS requirements but also the requirements for specific jurisdictions.

The NYSDOH heavily scrutinizes management functions that are delegated to another entity or vendor. During Article 44/49 site surveys, NYSDOH will audit the delegated activity to ensure that the delegated vendor can perform the delegated action/s in full compliance with the MCO’s contractual and regulatory requirements. If the delegated vendor is found to be deficient in meeting regulatory requirements that must be met by the MCO, the MCO will be cited for the vendors’ failure and, in some examples, the MCO is also cited for not meeting its governing authority oversight requirements.

NYSDOH is generally skeptical when the MCO delegates what it considers to be a core competency to a third-party since NYS Public Health Law restricts the leadership of an MCO to delegate independent adoption and/or enforcement of policies affecting the operation of the MCO and the delivery of healthcare services or oversight of any management functions. An exception to the NYS PHL no-delegation rule is where an MCO and the vendor enter into a management agreement for the delegation of these functions that was expressly approved by NYSDOH prior to its implementation.

However, even with an NYSDOH approved management agreement, NYSDOH and the NYS Office of the Medicaid Inspector General continue to struggle to define best practices for MCO vendor oversight. This is especially true for out-of-state vendors that rely on national benchmarks, typically defined by an accreditation organization like the National Committee for Quality Assurance (NCQA), for all of its contracted MCOs. In this situation, the vendor is unable (or unwilling) to meet the specific NYS operational requirements. This issue was specifically addressed in the Office of the Medical Inspector General’s (OMIG) 2017 Workplan when it noted that, in addition to a pre-delegation audit, several plans conduct annual on-site examinations of contracted vendors in order to ensure Medicaid and contractual requirements are being met. It is processes such as these that OMIG is identifying and analyzing for potential inclusion in future contractual arrangements with MCOs.

Contrary to NYSDOH, CMS is less focused on the specific operations of a delegated vendor, but rather on whether the vendor is in compliance with applicable CMS program requirements.

CMS provides details for its qualifications and guidelines for FDRs and Medicare Parts C and D in the report, Medicare Managed Care Manual Chapter 21 – Compliance Program Guidelines | Prescription Drug Benefit Manual Chapter 9 – Compliance Program Guidelines.

In the guidelines FDRs are defined as follows:

  • First Tier Entity – Any party that enters into a written agreement, acceptable to CMS, with a Medicare Advantage (MA) organization or Part D plan sponsor or applicant to provide administrative or health care services to a Medicare-eligible individual under the MA or Part D program.
    • Examples include:
      • Management Service Organization (MSO)
      • Hospital
      • Independent Practice Associations (IPA)
      • Benefit Manager (for Pharmacy, Dental, Vision, etc.)
      • Billing or Network Vendors
  • Downstream Entity – Any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the MA or Part D benefit, below the level of the arrangement between an MA organization or applicant or a Part D plan sponsor or applicant and a First Tier Entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.
    • Examples include:
      • Providers contracted with hospitals or IPAs
      • Vendors to hospitals, IPA or MSOs
  • Related Entity – Any entity that is related to an MA organization or Part D sponsor by common ownership or control and:
      • Performs some of the MA organization or Part D plan sponsor’s management functions under contract or delegation.
      • Furnishes services to Medicare enrollees under an oral or written agreement.
      • Leases real property or sells materials to the MA organization or Part D plan sponsor at a cost of more than $2,500 during a contract period.

At its highest level, monitoring a First-Tier Entity (or vendor) is assuring that the organization and any of its Downstream and/or Related Entities are in compliance with requirements relating to the following:

  • Standards of Conduct: Distribution & Awareness
    • Delegates must distribute their own written policies, procedures or standards of conduct or the MCOs Code of Conduct to employees who support the administration or delivery of program benefits or services.
    • Standards of Conduct must be distributed within 90 days of hire and annually thereafter.
    • Delegates must retain proof of distribution for each employee.
  • CMS Requirements
    • Commitment to comply with all applicable federal and state standards.
    • Describe compliance expectations.
    • Implement a compliance program.
    • Provide guidance to employees and others on dealing with suspected, detected or reported compliance issues.
    • Explain how to communicate compliance issues.
    • Describe how compliance issues are investigated and resolved.
    • Include policy of nonintimidation/nonretaliation for good faith reporting.
  • Fraud, Waste & Abuse and Compliance Training
    • Delegates working on our organization’s Medicare Advantage (MA) or Part D programs must provide Waste & Abuse (FWA) and General Compliance training to employees who are involved in the administration or delivery of our MA or Part D benefits or services.
    • It is recommended that training be completed within 90 days of hire and annually thereafter.
    • It is recommended that delegates document and retain dates, methods, materials used, and employees trained.
  • Exclusion Checks
    • Delegates must review the federal exclusion lists maintained by the Office of Inspector General and the U.S. General Services Administration.
    • Reviews of federal exclusion lists must be completed prior to hiring or contracting with employees and must continue on a monthly basis.
    • Proof of the method used, date performed, employee list and results found must be documented and retained.
  • Document Retention
    • Delegates must retain records for 10 years to show compliance with requirements.
  • Offshoring Reporting & Downstream Delegates
    • Delegates must report any offshore subcontracting that involves receiving, processing, transferring, handling, storing, viewing or accessing PHI or PII.
    • Delegates must hold their downstream entities or subcontractors that support the delivery or administration of program benefits or services accountable for the same Compliance Program requirements.


Mazars strongly recommends to its clients to conduct a thorough pre-delegation vendor audit that incorporates both NYS and CMS requirements.

Typically, a pre-delegation audit relies exclusively on CMS standards. The danger in this type of pre-delegation audit, is that a vendor who is able to meet all CMS requirements may, during a NYSDOH Article 44/49 audit, fail to demonstrate compliance with NYS-specific requirements. In this scenario, NYSDOH not only issues the MCO a citation for the vendor’s operational failings but also a citation for failing to meet its governing authority requirements.

Mazars has developed a pre-delegation audit tool that incorporates both NYS and CMS requirements. Our Healthcare Consulting Practice can complete an FDR audit for MA and MMC Plans licensed in NYS. The scope of the audit would include:

  1. Identifying the Plan’s FDRs.
  2. Reviewing and testing the Plan’s FDR management and oversight protocols against relevant CMS and SDOH regulations. Specifically, an audit of the Plan’s FDR or delegated vendor operations will be conducted to ascertain whether there are controls in place to:
    • Identify FDRs/delegated vendors;
    • Monitor operational compliance;
    • Prevent Fraud, Waste, and Abuse (FWA);
    • Assure the FDR is correctly monitoring for employee exclusions from federal programs; and
    • Providing employees and consumers access to a compliance reporting hotline.

As a leading change facilitator in this era of sweeping healthcare reform, the Mazars Healthcare Practice offers healthcare payers and providers a powerful combination of service and results-oriented strategy to help them meet their business goals, overcome challenges, and improve performance. For more information about their timely, valuable information and insights into policies, best practices and industry developments, visit

Related posts

New York State is finally ready to reopen retail outlets.  This is perfect timing for my 10-year anniversary.

The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) that was signed into law March 27,

Recently, both the Internal Revenue Service (“IRS”) and the New York State Attorney General’s Charities Bureau provided guidance