Vendor FDR
Vendor/FDR Introduction
Navitus Health Solutions, Epiphany Rx, and Lumicera Health Solutions (collectively “Navitus”) is committed to compliance with all applicable laws, regulations and contract requirements. In addition, we hold ourselves to the highest ethical standards on behalf of our clients and members. To help ensure we maintain our compliance and ethical standards, we work closely with our vendors and business partners.
Our vendors are business partners who are important to our success and play a critical role in servicing our members and clients, whether directly or indirectly. This Vendor Code of Conduct (Code) is provided to you as an easy way to communicate our expectations as your company fulfills the terms of the contract. This Code is a guide and does not include all possible activities. Please share with your employees and contact us if you have a question about an activity not included in this Code.
Compliance Obligations
Vendors are expected to have mechanisms to enable employees, including temporary employees, or affiliates of the vendor to report non-compliance, violations of this Code of Conduct, or other grievances. Such methods should protect the individual reporter from retaliation and offer anonymity. Navitus has several methods for reporting, including via confidential, toll-free hotline, email, or mail. All good-faith reporting is protected under the Navitus Non-Retaliation Policy. Vendor may distribute the Navitus toll-free Compliance Hotline number, which is 1-855-673-6503.
Vendor is expected to take all reasonable actions to address non-compliance and remediate, mitigate, and engage in corrective action to comply with laws and regulations, comply with Guiding Principles on Business and Human Rights, health and safety protections, labor laws, and environmental protections. Navitus reserves the right to audit Vendor where performance of services is dependent on such compliance.
Gifts and Business Gratuities
Navitus discourages you from providing any gifts, meals, entertainment or other business gratuities to Navitus employees, consultants or pharmacists. While we appreciate the occasional pen with your business name, items such as the following are not appropriate:
- Gifts or entertainment of any kind to any Navitus staff during the selection, negotiation or purchasing stages of a contractual arrangement.
- Gifts or entertainment that could be perceived as a bribe, payoff or advantage.
- Cash or cash-equivalents, such as checks, gift certificates/cards or stock.
- Gifts or entertainment that violate the law.
Conflicts of Interest
Conflicts of interest between a vendor and Navitus staff (or the appearance of a conflict) should be avoided. When an actual, potential or perceived conflict of interest occurs, that conflict must be disclosed in writing to Navitus.
- While Navitus employees may occasionally have secondary employment, no Navitus employee may work for a vendor that has a contractual relationship with Navitus.
- No Navitus employee may participate on the board of a vendor with whom Navitus does business.
- Navitus will not engage with an individual who has been employed by Navitus within the last 24 months and who has been assigned as Navitus’ representative by the Vendor for products, sales, negotiation, contracting, promotion or other activities where the former employee’s confidential and proprietary knowledge about Navitus is a component of that assignment.
Compliance with Laws
Vendors are expected to conduct their business activities in compliance with all applicable laws and regulations, including Medicare and Medicaid. Vendors are also expected to take appropriate action against any of their employees or subcontractors that have violated such laws.
Privacy and Security
State and Federal privacy laws, such as the requirements of the Health Insurance Portability and Accountability Act (HIPAA), require Navitus and its Vendors to maintain the privacy and security of patient information (PHI). If a vendor has access to Navitus PHI, the vendor is responsible for ensuring that all employees who provide services to Navitus are trained on HIPAA Privacy and Security Rules and is expected to provide an annual attestation that such training has been completed. In addition, if the vendor uses or discloses PHI on behalf of Navitus, the vendor will be expected to enter into a Business Associate Agreement.
Employed or Contracted Persons
Navitus will not knowingly do business with any vendor if it, or any of its officers, directors or employees, is excluded, debarred or ineligible to participate in any Federal or State health care program. To ensure no exclusion exists, Navitus vendors must screen all employees (including temporary and contracted), officers and directors against Federal exclusion lists before hire or engagement and monthly thereafter. These lists are the U.S. Department of Health and Human Services, Office of Inspector General List of Excluded Individuals and Entities (LEIE) and the General Services Administration’s System for Award Management (SAM). Vendors may be expected to provide an annual attestation that such exclusion screening has occurred.
Navitus will not knowingly do business with any vendor engaged in corruption, illegal sourcing or anti-boycott activity or involved in human trafficking, slavery, or child labor. Navitus expects a vendor to implement and enforce systems and controls to ensure that such abuses do not occur in staffing, in operations, in supply chains, with downstream entities or in relation to services to Navitus. This includes but is not limited to prohibiting any requirement for employees, temporary workers, or contractors to pay fees or expenses to secure work with Vendor and prohibiting the retention of identity documents as a condition of working for Vendor.
Fraud, Waste and Abuse (FWA)
Vendors are expected to report any suspected or actual acts of FWA regardless of the source or possible participants. Navitus will investigate allegations of FWA and, where appropriate, will take corrective action, including civil or criminal action.
Vendor Compliance Training
Navitus requires all vendors, including vendor employees, to participate in and complete general compliance and FWA training. The vendor must document and provide an annual attestation that training has been completed. Training can be completed using the CMS free training modules located on the CMS MLN website. In addition to compliance and FWA training, Vendors and their employees who qualify as Business Associates must also complete annual privacy and security training. This training can be completed using the vendor’s training or by requesting a copy of the Navitus privacy and security training.
Vendor is obligated to comply with any additional regulatory or industry training requirements and maintain such evidence of training as needed by Navitus to represent the quality, knowledge, and/or regulatory awareness of the Vendor and its employees or contractors.
Business Record Retention
Navitus requires vendors to retain records related to services provided to Navitus for ten (10) years. These records must be made available to Navitus or a government auditor in accordance with applicable laws, regulations and contract terms.
Visiting Navitus
It is expected that any vendor who visits our campus additionally adheres to the Visitor Code of Conduct.
Environment and Sustainability
We are committed to protecting the environment. We expect our vendors to share our commitment and integrate proactive practices to minimize their environmental impact and waste, consider the full lifecycle of products or services, actively manage risks across their operations, products and supply chain and work for continuous improvement. We expect our vendors to partner with us to be good stewards of the environment by operating in a manner that actively manages risk, conserves natural resources and protects the environment. We expect our vendors to establish and apply a systematic approach to managing environmental issues, including potential risk from regulatory noncompliance, reputational loss and opportunities for business growth through operational and product stewardship as applicable to the service rendered on our behalf.
Artificial Intelligence
At Navitus, we are committed to the ethical use of artificial intelligence in healthcare. We expect our vendors to notify us of the use of AI technologies in their products/solutions so that we can approve in advance and ascertain the impact and ethical implications of the AI use to our clients/members. In addition, we expect our Vendors to adhere to the following core principles* when developing or using artificial intelligence solutions on our behalf:
- Engagement: understanding, expressing, and prioritizing the needs, preferences, goals of people and the related implication throughout the AI life cycle.
- Safety: Attendance to and continuous vigilance for potentially harmful consequences from the application of AI in health and medicine for individuals and population groups.
- Effectiveness: Application proven to achieve the intended improvement in personal health and the human condition, in the context of established ethical principles.
- Equitability: Application accompanied by proof of appropriate steps to ensure fair and unbiased development and access to AI-associated benefits and risk mitigation measures.
- Efficiency: Development and use of AI associated with reduced costs for health gained, in addition to a reduction, or at least neutral state, of adverse impacts on the natural environment.
- Accessibility: Ensuring that seamless stakeholder access and engagement is a core feature of each phase of the AI life cycle and governance.
- Transparency: Provision of open, accessible, and understandable information on component AI elements, performance, and their associated outcomes.
- Accountability: Identifiable and measurable actions taken in the development and use of AI, with clear documentation of benefits, and clear accountability for potentially adverse consequences.
- Security: Validated procedures to ensure privacy and security, as health data sources are better positioned as a fully protected core utility for the common good, including use of AI for continuous learning and improvement.
- Adaptivity: Assurance that the accountability framework will deliver ongoing information on the results of AI application, for use as required for continuous learning and improvement in health, health care, biomedical science, and, ultimately, the human condition.
* From Artificial Intelligence in Health, Health Care, and Biomedical Science: An AI Code of Conduct Principles and Commitments Discussion Draft – National Academy of Medicine, April 8th 2024
FDR Compliance Requirements and How to Meet Them
Navitus is committed to operating a PBM that meets the requirements of all applicable laws and regulations of these programs. As part of an effective compliance program, the Centers for Medicare and Medicaid Services (CMS) requires plan sponsors and their PBMs to ensure that any vendors to which the provision of administrative or healthcare services are delegated are also in compliance with applicable laws and regulations. This includes but is not limited to the following plan types:
- Medicare Advantage (MA)
- Prescription Drug (MAPD)
- Prescription Drug Plans (PDP)
- Medicare-Medicaid Plans (MMP)
- Special Needs Plans (SNP)
- Program of All-inclusive Care for the Elderly (PACE)
- Some State Medicaid plans
The key compliance requirements for Vendor/FDRs and recommendations for meeting those requirements are outlined below. Navitus provides FWA Attestations for your organization to validate compliance with these requirements. Pharmacies may access the FWA Attestation through the Navitus Pharmacy Portal or through NCPDP.
The recommendations provided in this Section for “How to Comply” below are suggestions and should not replace legal advice or analysis by your organization in meeting your compliance obligations. Additionally, these recommendations are not intended to encompass all of your compliance obligations as these relate to the function(s) your organization may be performing under the Medicare or Medicaid program only.
Downstream Entities
Requirements
Plan sponsors are responsible for the lawful and compliant administration of the Medicare and/or Medicaid benefits under their contracts with CMS, regardless of whether the plan sponsor has delegated some of that responsibility to FDRs, including their PBM. As a first tier entity, Navitus is monitored and audited by our plan sponsors to ensure we are in compliance with all applicable laws and regulations, and to ensure that we are monitoring the compliance of the entities with which we contract (“downstream” entities). This monitoring includes an evaluation to confirm that the first tier entities are applying appropriate compliance program requirements to downstream entities with which the first tier entity contracts. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.6.6)
How to Comply
If your organization subcontracts with other entities (external vendors to your organization and downstream entities to Navitus) to perform any of the services contractually delegated to your organization by Navitus for Medicare and/or Medicaid programs, your organization must distribute materials and information to your downstream entities and monitor and audit their performance to ensure their compliance with all applicable CMS requirements and the requirements on this site.
General Compliance And Fraud, Waste And Abuse (FWA) Training
Requirements
General Compliance Education – Plan sponsors must ensure that general compliance information is communicated to their Vendor/FDRs including their PBM as a first tier entity. The plan sponsor’s compliance expectations can be communicated through distribution of the Navitus Code of Conduct and/or compliance policies and procedures to Vendor/FDRs’ employees. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.3.1)
FWA Training – The PBM’s employees (including temporary workers and volunteers), governing body members, as well as Vendor/FDRs’ employees who have involvement in the administration or delivery of Part D benefits must, at a minimum, receive FWA training within 90 days of initial hire (or contracting in the case of Vendor/FDRs), and annually thereafter. PBMs must be able to demonstrate that their employees and Vendor/FDRs have fulfilled these training requirements as applicable. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.3.2)
How to Comply
- Training
- Take the CMS standardized FWA Training Module, available at https://www.cms.gov/outreach-and-education/medicare-learning-network-mln/mlnproducts/webbasedtraining
- Use the CMS Standardized General Compliance Training Module from 2019 at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/MedCandDGenCompdownload.pdf
- Provide training with content that is substantially similar to and addresses core concepts and topics of CMS Standardized General Compliance and FWA Training modules to satisfy CMS requirements.
- If a pharmacy is completing a General Compliance and/or FWA training module mandated by another PBM, Plan Sponsor or health plan, that training may be used to satisfy this requirement if it satisfies the requirements above.
- Ensure that any of your employees, including temporary workers or volunteers, that support Navitus Medicare/Medicaid programs complete the training within 90 days of hire and annually thereafter.
- Maintain records of satisfactory general compliance and fraud, waste, and abuse training and education taken by your employees for 10 years.
- The records must demonstrate the date of the training, the topic, attendance, and certificates of completion and/or test scores, if applicable.
- Examples of proof of training may include copies of sign-in sheets, employee attestations and electronic certifications from the employees taking and completing the training.
- If you are “deemed” for FWA training, you do not need to take the CMS Standardized FWA training. Organizations are “deemed” if they have met the FWA certification requirements through enrollment into Parts A or B of the Medicare program or through accreditation as a supplier of DMEPOS. However, Navitus must still communicate general compliance training to its employees. Navitus provides General Compliance information to you and your employees through:
- This Vendor/FDR section of the Navitus website; and
- The Navitus Vendor/FDR Education module.
Offshore Subcontractors
Requirements
Plan sponsors that work with offshore subcontractors to perform Medicare or Medicaid-related work that uses beneficiary protected health information (PHI) are required to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI.
The term “offshore” refers to any country that is not one of the fifty United States or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). Examples of countries that meet the definition of “offshore” include Mexico, Canada, Ireland, India, and Philippines. Subcontractors that are considered offshore can either be American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors are doing work that provides support for or directly performs delegated services that are located in offshore countries, regardless of whether the workers are employees of American or foreign companies.
“Program-related work” encompasses what offshore contractors do when they receive, process, transfer, handle, store, or access beneficiary PHI while helping organizations such as Navitus and our pharmacies and vendors fulfill their Medicare or Medicaid contract requirements. Examples of Program-related work include claims processing, claims data entry services, scanning, software enhancement and troubleshooting, and any other situation where the offshore subcontractor may have access to beneficiary PHI. (CMS Memo dated August 28, 2008: Offshore Subcontractor Data Module in HPMS)
How to Comply
- You must ensure that you do not engage in offshore subcontracts for any of Navitus’ Medicare or Medicaid-related work without first having received expressed consent from the Navitus Chief Compliance Officer. CMS requires Plan Sponsors to provide attestation to CMS for Medicare programs within 30 calendar days after an offshore contract is signed. In the event Navitus approves an offshore subcontract and to ensure that the required attestations are provided to CMS timely, Navitus will request the information necessary to complete the Offshore Subcontractor Data Module in HPMS for Medicare. We require that this information be provided to us within 15 calendar days after an offshore subcontract is signed so we can provide the information to our Plan Sponsors.
- Verify that any vendor maintains contractual agreements with those entities that include all required Medicare and/or Medicaid language and HIPAA privacy and security regulations as the vendor’s Business Associate.
- Ensure the offshore subcontractor maintains policies and procedures that protect beneficiary PHI.
- Conduct annual audits of offshore subcontractors and make audit results available upon request from Navitus or CMS.
OIG And GSA Exclusion Screening
Requirements
As a first tier entity, our Plan Sponsors require that Navitus and their downstream entities review the DHHS OIG List of Excluded Individuals and Entities (LEIE list) and the GSA System for Award Management exclusion list (SAM) prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or Vendor/FDR, and monthly thereafter. This is to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs. Monthly screening is required to prevent inappropriate payment to pharmacies, vendors, and other entities that have been added to exclusions lists since the prior month. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.6.8)
How to Comply
- Review the Department of Health and Human Services (DHHS) Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) for employees and any vendors or FDRs at the time of hiring or contracting and monthly thereafter. The LEIE is available at: https://oig.hhs.gov/exclusions/exclusions_list.asp.
- Review the General Service Administration (GSA) System for Award Management (SAM) for employees and any vendors or FDRs at the time of hiring or contracting and monthly thereafter. SAM is available at: https://www.sam.gov.
- Where a state Medicaid program requires screening against a state Medicaid exclusion, preclusion or other debarment list, employees and any vendors or FDRs must be screened at the time of hiring or contracting and monthly thereafter.
- Be prepared to produce documentation that your employees and any vendors or FDRs with whom you contract have been checked timely against the exclusion lists.
Record Retention And Record Availability
Requirements
PBMs, as first tier and downstream entities, must comply with Medicare laws, regulations, and CMS instructions (422.504(i)(4)(v)), and agree to audits and inspection by CMS and/or its designees and to cooperate, assist, and provide information as requested, and maintain records a minimum of 10 years. (Medicare Managed Care Manual Ch. 11 §100.4)
Plan sponsors are accountable for maintaining records for a period of 10 years of the time, attendance, topic, certificates of completion (if applicable), and test scores of any tests administered to their employees, and must require Vendor/FDRs to maintain records of the training of the Vendor/FDRs’ employees. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.3.1)
CMS has the discretionary authority to perform audits under 42 C.F.R. 422.504(e)(2) and 423.505(e)(2), which specify the right to audit, evaluate, or inspect any books, contracts, medical records, patient care documentation, and other records of plan sponsors or Vendor/FDRs (including PBMs and their downstream entities) that pertain to any aspect of services performed, reconciliation of benefit liabilities, and determination of amounts payable under the contract or as the Secretary of Health and Human Services may deem necessary to enforce the contract. Plan sponsors should cooperate in allowing access as requested. Failure to do so may result in a referral of the plan sponsor and/or FDR to law enforcement and/or implementation of other corrective actions, including intermediate sanctioning in line with 42 C.F.R. Subpart O. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.6.11)
Record keeping requirements for Medicaid require any subcontractor or its Vendor/FDRs to retain information, as applicable for a period of no less than ten (10) years. (42 CFR § 438.3)
How to Comply
- Maintain all records, reports, and supporting documentation that relate to the functions your organization is performing or providing under the Navitus Medicare and/or Medicaid programs for 10 years. This includes but is not limited to:
- Training and education
- Attestations
- Exclusion screening
- Be prepared to make your records available to Navitus as part of a Navitus audit or monitoring activity and to a Navitus plan sponsor in the event of a CMS program audit.
Reporting Mechanism For Compliance And FWA Issues
Requirements
Plan sponsors must have a system in place to receive, record, respond to, and track compliance questions or reports of suspected or detected noncompliance or potential FWA from employees, members of the governing body, enrollees, and Vendor/FDRs and their employees. Reporting systems must maintain confidentiality (to the greatest extent possible), allow anonymity if desired (e.g., through telephone hotlines or mail drops), and emphasize the plan sponsor’s or Vendor/FDR’s policy of non-intimidation and non-retaliation for good faith reporting of compliance concerns and participation in the compliance program. Vendor/FDRs that partner with multiple plan sponsors may train their employees on the Vendor/FDR’s reporting processes including emphasis that reports must be made to the appropriate PBM to forward to the appropriate plan sponsor. The anti-retaliation provision of the FCA prohibits an employer from retaliating against an employee “because of lawful acts done by the employee . . . in furtherance of an action under this section or other efforts to stop 1 or more violations.” (31 U.S.C. §3730(h))
How to Comply
- Distribute the Navitus FDR Reporting Poster to your employees or post it in your facility. This will provide the required notifications regarding the availability of an anonymous reporting method and the Navitus policy prohibiting retaliation or retribution against anyone who reports suspected violations in good faith.
- If you partner with multiple Medicare plan sponsors, train your employees on your organization’s reporting processes including an emphasis that reports must be made to the appropriate plan sponsor.
- Notify your employees that they are protected from retaliation for False Claims Act complaints.
- Below are suggested criteria for referring reported issues to Navitus. The list is not intended to be all inclusive.
- Medicare or Medicaid program non-compliance
- Fraud, waste or abuse
- Complaints or allegations that reference Navitus.
- Complaints from a Navitus member about quality of care.
- Complaints from Navitus members regarding access to care or services.
- Complainants wishing to appeal a Navitus coverage decision or to file a grievance about Navitus.
- Privacy or security violations that impact Navitus members.
- Allegations that the complainant has been contacted by “someone” from Navitus requesting personal or medical information.
- Discovery that an individual or subcontractor has become excluded from participation in federal or state programs.
Standard Of Conduct And Compliance Policies
Requirements
In order to communicate compliance expectations for Vendor/FDRs, Standards of Conduct and policies and procedures must be distributed to Vendor/FDRs’ employees and subcontractors. Distribution must occur within 90 days of hire, when there are updates to the policies, and annually thereafter.
Navitus makes Standards of Conduct and policies and procedures available to its Vendor/FDRs. Alternatively, the Vendor/FDR may use its own if it has comparable policies and procedures and Standards of Conduct. (Medicare Prescription Drug Benefit Manual Ch. 9 §50.1.3)
How to Comply
You can either distribute your organization’s own Standards of Conduct and compliance policies and procedures to your employees or you may distribute the Navitus materials.
Navitus makes its Vendor Code of Conduct available to Vendor/FDRs. Applicable Navitus Compliance Policies and Procedures are also available.
Fraud, Waste & Abuse
What is Prescription Fraud, Waste, and Abuse?
Fraud is when someone knowingly uses false information or statements to improperly obtain payment for prescription drugs.
Waste is when there is overutilization of services that result in unnecessary costs.
Abuse includes actions that may result in unnecessary or increased payment for prescription drugs.
Some examples are:
- A pharmacy submitting claims for drugs that the patient never received;
- A pharmacy sending drugs that were never ordered by the patient or the physician;
- Forging or altering a prescription;
- A person obtaining prescriptions for drugs in order to sell them;
- A physician writing a prescription for drugs for someone that is not a patient because the physician receives a payment;
- A patient selling their medical ID card or prescription to someone;
- Using another person’s insurance coverage or insurance card;
- A pharmacy billing for a brand drug, when it dispensed a generic drug;
- A claim for weight loss drugs falsely submitted with a diagnosis of diabetes so it will pay under the pharmacy benefit;
- A person falsely stating drugs were lost or stolen and requesting replacement drugs because of addiction problems.
Who does Prescription Fraud and Abuse Affect?
The answer is everyone. It results in misused benefits, safety issues, and unnecessary costs, which is why Navitus is committed to ensuring it maintains a robust fraud, waste and abuse program.
How does Navitus Help Prevent and Detect Fraud, Waste, and Abuse?
Navitus’ Special Investigations Unit (SIU) is responsible for protecting the benefits of its clients and members and reducing the overall cost of prescription drugs. It can do this by preventing, detecting and investigating fraud, waste and abuse. Navitus’ SIU investigates referrals from internal and external sources. The SIU professionals also stay abreast of the latest fraud schemes and partner with pharmacies, vendors and clients on identifying potential fraud and abuse and suspicious patterns.
If you or one of your employees suspect fraud, waste or abuse, please report this activity using the FWA Reporting Form, or by calling the Navitus Hotline at 855-673-6503. Navitus has a strict non-retaliation and non-retribution policy and expects all vendors to adhere to non-retaliation for reports made in good-faith.
Frequently Asked Questions
1. What does CMS mean by a first tier versus downstream entity?
First Tier Entity (F) – any party that enters into a written arrangement, acceptable to CMS, with a Medicare and/or Medicaid plan sponsor or applicant to provide administrative services or health care services to a Medicare and/or Medicaid-eligible individual under these programs. Navitus Health Solutions (Navitus) is a First Tier Entity.
Downstream Entity (D) – any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the Medicare and/or Medicaid, below the level of first tier entity. These arrangements, often subcontractors, continue down to the level of the ultimate provider of both health and administrative services. This includes pharmacies participating in Navitus pharmacy network and vendors providing services on behalf of Navitus that have been delegated by Plan Sponsors.
2. What are the Code of Conduct requirements?
Vendor/FDRs contracted with Navitus must provide either their own or the Navitus Vendor Code of Conduct to their employees (including temporary workers and volunteers), the CEO, senior administrators or managers, governing body members, and subcontractors who are involved in the administration or delivery of Medicare and/or Medicaid services. This must be distributed within 90 days of hire and annually thereafter, by Dec. 31 of each year. The Navitus Vendor Code of Conduct is accessible on the Navitus website under the Vendor/FDR webpage.
3. Can an FDR use its own Code of Conduct?
Yes; however, at a minimum it must include the required elements found in Chapter 9 and/or Chapter 21 of the Medicare Managed Care Manual (see links in Question 4).
4. What elements must be included in FWA and general compliance training?
For the list of minimum required training elements, please see the links to Chapter 9 and/or Chapter 21 of the Medicare Managed Care Manual.
- http://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf
5. What if we offer our own training or have completed another plan’s training?
If a Vendor/FDR has completed a general compliance and FWA training program through another health plan sponsor, we accept documentation of that training as long as it includes all CMS-required elements. Vendor/FDRs may create their own training provided it includes all CMS-required elements.
6. What kind of documentation is needed to show training was completed?
Evidence may be in the form of employee attestations, employee attendance/training logs, or other means determined by you to best represent fulfillment of your obligations. You should retain evidence of completion for at least ten years.
7. What are my requirements related to Federal or State health care program exclusion checks?
Vendor/FDRs contracted with Navitus must review the federal exclusion lists, the OIG List of Excluded Individuals and Entities (LEIE) and the GSA System for Award Management (SAM), prior to hiring or contracting with employees (including temporary workers and volunteers), the CEO, senior administrators or managers, governing body members, and subcontractors who have involvement in the administration or delivery of Medicare or Medicaid services. Where a state Medicaid program requires screening against a state Medicaid exclusion, preclusion or other debarment list, employees and any vendors or FDRs must be screened at the time of hiring or contracting and monthly thereafter. Vendor/FDRs must continue to review the federal exclusion lists on a monthly basis thereafter. If you identify an excluded individual or party, report this to Navitus immediately.
8. What if I subcontract to other entities that do not contract directly with Navitus?
If your organization has contracted with other entities to provide Medicare or Medicaid services on behalf of Navitus, you will need to provide the relevant training materials to that entity and ensure records are kept by the entities that document that they have distributed the Vendor/FDR Code of Conduct; have completed FWA and general compliance training; and have conducted HHS/OIG, GSA and state (if applicable) exclusion checks.
9. What kind of documentation do I need to show that the CMS requirements for distribution of standards of conduct, compliance and FWA training, screening of excluded individuals, offshore vendor services, compliance with Medicare law and record retention have been met?
SUMMARY OF EXPECTATION | EXAMPLES OF EVIDENCE/DOCUMENTATION THAT MAY BE REQUESTED
Vendor/FDR employees and Downstream/Related Entities received Navitus’ or equivalent Code of Conduct (COC) upon hire/initial contracting and annually thereafter |
Vendor/FDR employees and Downstream/Related Entities completed Navitus’ or equivalent FWA Training upon hire/initial contracting and annually thereafter |
Vendor/FDRs check OIG and SAM Lists for employees and Downstream/Related Entities prior to hire/contracting and monthly thereafter |
Vendor/FDR employees and subcontractors received reporting mechanisms for reporting potential or actual non-compliance and/or FWA either internally then to Navitus or to Navitus directly (including non-retaliation policy for good faith reporting) |
Offshore subcontractors used by Vendor/FDR to provide Medicare and/or Medicaid services |
FDRs conduct sufficient oversight of their Downstream and Related Entities CMS compliance |
FDR retains records related to Navitus Medicare product service delivery/activities for a period of no less than 10 years |
10. How do I report suspected non-compliance or fraud, waste or abuse?
You can report by one of these mechanisms:
- Confidential Compliance / FWA Hotline at 855-673-6503
- Confidential FWA email sent to [email protected]
- Contacting the Navitus Chief Compliance Officer at 608-298-5763
11. Didn’t CMS discontinue the requirement to complete CMS-issued general compliance and fraud, waste, and abuse training in 2019?
This did not eliminate the need for completion of training overall or exempt any provider type. This only eliminated use of the CMS MedLearn training as the mandated standard for accomplishing these two education requirements.
The CMS Medicare Managed Care and Prescription Drug Manuals on the CMS website under Ch 50.3 still mandate the need for effective training on an annual basis. This is a component of the contract you hold with Navitus.
For pharmacies, NCPDP also took this into consideration with the annual attestation by providing the option for pharmacies to “use a non-CMS program that meets all applicable CMS and Federal requirements.”
Ongoing Auditing and Monitoring
Navitus performs regular risk assessments, including an assessment of activities delegated to Vendor/FDRs, which are used to guide the work and activities of the Compliance Program and to develop an annual audit plan. Navitus’ monitoring activities are structured to regularly review normal operations and to confirm ongoing compliance using metrics and key performance indicators. Navitus also monitors federal lists to identify providers, pharmacies, and other individuals and entities that are excluded from participation in federal programs.
As a Vendor/FDR that contracts with Navitus to provide Medicare and/or Medicaid administrative and healthcare services, you must ensure that compliance is maintained by your organization as well as your downstream subcontractors. To ensure ongoing compliance, Navitus conducts periodic audits, which involve requesting evidence of your compliance with these requirements including:
- Documentation that your organization’s Code of Conduct (or the Navitus Code of Conduct) and compliance policies were distributed within 90 days of hire, when there are updates, and annually thereafter;
- Evidence of completion of compliance and FWA training for employees within 90 days of hire and annually thereafter. Copies of the training materials may also be requested.
- Documentation showing OIG LEIE and GSA/SAM and Medicaid state (as applicable) exclusion reviews were conducted prior to hire and monthly thereafter;
- Documentation of annual audits of any offshore subcontractors.
Please be familiar with these audit requirements and be prepared to produce the necessary documentation should it be requested by Navitus or CMS.
Vendor Code of Conduct
Navitus Health Solutions, EpiphanyRx, and Lumicera Health Solutions (collectively “Navitus”) is committed to compliance with all applicable laws, regulations and contract requirements. In addition, we hold ourselves to the highest ethical standards on behalf of our clients and members. To help ensure we maintain our compliance and ethical standards, we work closely with our vendors and business partners.
Our vendors are business partners who are important to our success and play a critical role in servicing our members and clients, whether directly or indirectly. This Vendor Code of Conduct (Code) is provided to you as an easy way to communicate our expectations as your company fulfills the terms of the contract. This Code is a guide and does not include all possible activities. Please share with your employees and contact us if you have a question about an activity not included in this Code.
Compliance Obligations
Vendors are expected to have mechanisms to enable employees, including temporary employees, or affiliates of vendor to report non-compliance, violations of this code of conduct, or other grievances. Such methods should protect the individual reporter from retaliation and offer anonymity. Navitus has several methods for reporting including via confidential, toll-free hotline, email, or mail. All good-faith reporting is protected under the Navitus Non-Retaliation Policy. Vendor may distribute the Navitus toll free Compliance Hotline number which is 855-673-6503.
Vendor is expected to take all reasonable actions to address non-compliance and remediate, mitigate, and engage in corrective action to comply with laws and regulations, comply with Guiding Principles on Business and Human Rights, health and safety protections, labor laws, and environmental protections. Navitus reserves the right to audit Vendor where performance of services is dependent on such compliance.
Gifts and Business Gratuities
Navitus discourages you from providing any gifts, meals, entertainment or other business gratuities to Navitus employees, consultants or pharmacists. While we appreciate the occasional pen with your business name, items such as the following are not appropriate:
- Gifts or entertainment of any kind to any Navitus staff during the selection, negotiation or purchasing stages of a contractual arrangement.
- Gifts or entertainment that could be perceived as a bribe, payoff or advantage.
- Cash or cash-equivalents, such as checks, gift certificates/cards or stock.
- Gifts or entertainment that violate the law.
Conflicts of Interest
Conflicts of interest between a vendor and Navitus staff (or the appearance of a conflict) should be avoided. When an actual, potential or perceived conflict of interest occurs, that conflict must be disclosed in writing to Navitus.
- While Navitus employees may occasionally have secondary employment, no Navitus employee may work for a vendor that has a contractual relationship with Navitus.
- No Navitus employee may participate on the board of a vendor with whom Navitus does business.
- Navitus will not engage with an individual who has been employed by Navitus within the last 24 months and who has been assigned as Navitus’ representative by the Vendor for products, sales, negotiation, contracting, promotion or other activities where the former employee’s confidential and proprietary knowledge about Navitus is a component of that assignment.
Compliance with Laws
Vendors are expected to conduct their business activities in compliance with all applicable laws and regulations, including Medicare and Medicaid. Vendors are also expected to take appropriate action against any of their employees or subcontractors that have violated such laws.
Privacy and Security
State and Federal privacy laws, such as the requirements of the Health Insurance Portability and Accountability Act (HIPAA), require Navitus and its Vendors to maintain the privacy and security of patient information (PHI). If a vendor has access to Navitus PHI, the vendor is responsible for ensuring that all employees who provide services to Navitus are trained on HIPAA Privacy and Security Rules and is expected to provide an annual attestation that such training has been completed. In addition, if a vendor uses or discloses PHI on behalf of Navitus, the vendor will be expected to enter into a Business Associate Agreement.
Employed or Contracted Persons
Navitus will not knowingly do business with any vendor if it is, or any of its officers, directors or employees are, excluded, debarred or ineligible to participate in any Federal or State health care program. To ensure no exclusion exists, Navitus vendors must screen all employees (including temporary and contracted), officers and directors against Federal exclusion lists before hire or engagement and monthly thereafter. These lists are the U.S. Department of Health and Human Services, Office of Inspector General List of Excluded Individuals and Entities (LEIE) and the General Services Administration’s System for Award Management (SAM). Vendors may be expected to provide an annual attestation that such exclusion screening has occurred.
Navitus will not knowingly do business with any vendor engaged in corruption, illegal sourcing or anti-boycott activity or involved in human trafficking, slavery, or child labor. Navitus expects a vendor to implement and enforce systems and controls to ensure that such abuses do not occur in staffing, in operations, in supply chains, with downstream entities or in relation to services to Navitus. This includes but is not limited to prohibiting any requirement for employees, temporary workers, or contractors to pay fees or expenses to secure work with Vendor and prohibiting the retention of identity documents as a condition of working for Vendor.
Fraud, Waste and Abuse (FWA)
Vendors are expected to report any suspected or actual acts of FWA regardless of the source or possible participants. Navitus will investigate allegations of FWA and, where appropriate, will take corrective action, including civil or criminal action.
Vendor Compliance Training
Navitus requires all vendors, including vendor employees, to participate in and complete general compliance and FWA training. The vendor must document and provide an annual attestation that training has been completed. Training can be completed using the CMS free training modules located on the CMS MLN website. In addition to compliance and FWA training, Vendors and their employees who qualify as Business Associates must also complete annual privacy and security training. This training can be completed using the vendor’s training or by requesting a copy of the Navitus privacy and security training.
Vendor is obligated to comply with any additional regulatory or industry training requirements and maintain such evidence of training as needed by Navitus to represent the quality, knowledge, and/or regulatory awareness of the Vendor and its employees or contractors.
Business Record Retention
Navitus requires vendors to retain records related to services provided to Navitus for ten (10) years. These records must be made available to Navitus or a government auditor in accordance with applicable laws, regulations and contract terms.
Visiting Navitus
It is expected that any vendor who visits our campus additionally adheres to the Visitor Code of Conduct.
What is an FDR?
The Centers for Medicare and Medicaid Services (CMS), in its regulatory guidance, refers to a Medicare and/or Medicaid Plan Sponsor’s contracted partners as First-Tier, Downstream, and Related Entities, or FDRs (see 42 C.F.R. §423.501).
First Tier Entity (F) – any party that enters into a written arrangement, acceptable to CMS, with a Medicare and/or Medicaid plan sponsor or applicant to provide administrative services or health care services to a Medicare and/or Medicaid-eligible individual under these programs. Navitus Health Solutions (Navitus) is a First Tier Entity.
Downstream Entity (D) – any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the Medicare and/or Medicaid, below the level of first tier entity. These arrangements, often subcontractors, continue down to the level of the ultimate provider of both health and administrative services. This includes pharmacies participating in Navitus pharmacy network and vendors providing services on behalf of Navitus that have been delegated by Plan Sponsors.
Related Entity (R) – any entity that is related to a plan sponsor by common ownership or control and
- Performs some of the plan sponsor’s management functions under contract or delegation;
- Furnishes services to Medicare enrollees under an oral or written agreement; or
- Leases real property or sells materials to the Medicare plan sponsor at a cost of more than $2,500 during a contract period.
NAVITUS MEDICARE and MEDICAID COMPLIANCE PROGRAMS
Navitus is committed to meeting the requirements of all applicable laws and regulations of the Medicare Part C and D and Medicaid programs. Our commitment to this is embodied in our standards of conduct, which each Navitus employee commits to uphold in his/her job. These standards are regularly reinforced with employees and Navitus-contracted participating pharmacies and Vendors/FDRs.
According to CMS rules and Navitus’ contractual terms with our Medicare and Medicaid plan sponsors, Navitus must implement a compliance program that is effective in preventing, detecting, and correcting program noncompliance as well as program Fraud, Waste, and Abuse (FWA). The compliance program is evaluated regularly to ensure adherence to CMS’ seven elements of an effective compliance program.