Skip to Content

1. What does CMS mean by an first tier versus downstream entity?

First Tier Entity (F) - any party that enters into a written arrangement, acceptable to CMS, with a Medicare and/or Medicaid plan sponsor or applicant to provide administrative services or health care services to a Medicare and/or Medicaid-eligible individual under these programs. Navitus Health Solutions (Navitus) is a First Tier Entity.

Downstream Entity (D)- any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the Medicare and/or Medicaid, below the level of first tier entity. These arrangements, often subcontractors, continue down to the level of the ultimate provider of both health and administrative services. This includes pharmacies participating in Navitus pharmacy network and vendors providing services on behalf of Navitus that have been delegated by Plan Sponsors.

2. What are the Code of Conduct requirements?
Vendor/FDRs contracted with Navitus must provide either their own or the Navitus Vendor Code of Conduct to their employees (including temporary workers and volunteers), the CEO, senior administrators or managers, governing body members, and subcontractors who are involved in the administration or delivery of Medicare and/or Medicaid services. This must be distributed within 90 days of hire and annually thereafter, by Dec. 31 of each year. The Navitus Vendor Code of Conduct is accessible on the Navitus website under the Vendor/FDR webpage.

3. Can an FDR use its own Code of Conduct?
Yes, however, at minimum it must include the required elements found in the Chapter 9 and/or Chapter 21 of the Medicare Managed Care Manual (see links in Question 4).

4. What elements must be included in FWA and general compliance training?
For the list of minimum required training elements, please see the links to Chapter 9 and/or Chapter 21 of the Medicare Managed Care Manual.

5. What if we offer our own training or have completed another plan’s training?
If a Vendor/FDR has completed a general compliance and FWA training program through another health plan sponsor, we accept documentation of that training as long as it includes all CMS-required elements. Vendor/FDRs may create their own training provided it includes all CMS-required elements.

6. What kind of documentation is needed to show training was completed?
Evidence may be in the form of employee attestations, employee attendance/training logs, or other means determined by you to best represent fulfillment of your obligations. You should retain evidence of completion for at least ten years.

7. What are my requirements related to Federal or State health care program exclusion checks?
Vendor/FDRs contracted must review the federal exclusion lists, OIG List of Excluded Individuals and Entities (LEIE list) and GSA Systems for Award Management (SAM) prior to hiring or contracting with employees (including temporary workers and volunteers), the CEO, senior administrators or managers, governing body members, and subcontractors who have involvement in the administration or delivery of Medicare or Medicaid services.  Where a state Medicaid program requires screening against a state Medicaid exclusion, preclusion or other debarment list, employees and any vendors or FDRs must be screened at the time of hiring or contracting and monthly thereafter. Vendor/FDRs must continue to review the federal exclusion lists on a monthly basis thereafter. If you identify an excluded individual or party, report this to Navitus immediately.

8. What if I subcontract to other entities that do not contract directly with Navitus?
If your organization has contracted with other entities to provide Medicare or Medicaid services on behalf of Navitus, you will need to provide the relevant training materials to that entity and ensure records are kept by the entities that document that they have distributed the Vendor/FDR Code of Conduct; have completed FWA and general compliance training; and have conducted HHS/OIG, GSA and state (if applicable) exclusion checks requirements.

9. What kind of documentation do I need to show that the CMS requirements for distribution of standards of conduct, compliance and FWA training, screening of excluded individuals, offshore vendors services, compliance with Medicare law and record retention have been met?

Vendor/FDR employees and Downstream/Related Entities received Navitus’ or equivalent Code of Conduct (COC) upon hire/initial contracting and annually thereafter
  • Policy
  • Employee attestations confirming receipt
  • Training agendas and sign-in sheets for Code of Conduct training
  • Participation/onboarding/orientation manuals
  • Subcontractor contractual provision
Vendor/FDR employees and Downstream/Related Entities completed Navitus’ or equivalent FWA Training upon hire/initial contracting and annually thereafter
  • Policy
  • Employee attestations confirming participation
  • Training agendas, materials and sign-in sheets for FWA training
  • Proof of deemed status
  • Subcontractor contractual provision
Vendor/FDRs check OIG and SAM Lists for employees and Downstream/Related Entities prior to hire/contracting and monthly thereafter
  • Policy
  • Website screenshots of list checks
  • Automated results from acquired tools
  • Evidence of reporting excluded individuals/entities to Navitus as they are identified
  • Subcontractor contractual provision
Vendor/FDR employees and subcontractors received reporting mechanisms for reporting potential or actual non-compliance and/or FWA either internally then to Navitus or to Navitus directly (including non-retaliation policy for good faith reporting)
  • Policy
  • Reporting mechanism posters in facilities
  • Code of Conduct content in trainings with training sign-in sheets, materials, etc. that include reporting and non-retaliation statements
  • Subcontractor contractual provision
Offshore subcontractors used by Vendor/FDR to provide Medicare and/or Medicaid services
  • Policy
  • Subcontractor contractual provision
  • Evidence of training
  • Evidence of exclusion checks
FDRs conduct sufficient oversight of their Downstream and Related Entities CMS compliance
  • Policy
  • Audit Plan
  • Audit Reports with review results
  • Monitoring of entity functions with results
FDR retains records related to Navitus Medicare product service delivery/activities for a period of no less than 10 years
  • Policy
  • Record Destruction Schedule
  • Proof of record age – date, timestamp
  • Downstream/Related Entity contractual provision

10. How do I report suspected non-compliance or fraud, waste or abuse?
You can report by one of these mechanisms:

  • Confidential Compliance / FWA Hotline at 855-673-6503
  • Confidential FWA email sent to
  • Contacting the Navitus Chief Compliance Officer at 608-298-5763

11. Didn't CMS discontinue the requirement to complete CMS-issued general compliance and fraud, waste, and abuse training in 2019?
This did not eliminate the need for completion of training overall or exempt any provider type. This only eliminated use of the CMS MedLearn training as the mandated standard for accomplishing these two education requirements.
The CMS Medicare Managed Care and Prescription Drug Manuals on the CMS website under Ch 50.3 still mandate the need for effective training on an annual basis.  This is a component of the contract you hold with Navitus. 

For pharmacies, NCPDP also took this into consideration with the annual attestation by providing the option for pharmacies to “use a non-CMS program that meets all applicable CMS and Federal requirements."