Compliance Attestation

For Independent Health’s Government Program Vendors and First Tier, Downstream and Related Entities (FDRs)

Independent Health is committed to ensuring that our Government Program Vendors (also identified as FDRs, subcontractors, delegated entities, business associates, contractors, or affiliates) are in full compliance with all applicable federal and New York State laws, regulations and statutory requirements.

Through an internal vetting process, your organization has been identified as being delegated or contractually responsible for services impacting Independent Health’s members/providers (e.g. healthcare and/or administrative) for one or more of the following Government health insurance Programs:

  • Medicare Advantage (Part C and/or Part D); and/or
  • Medicaid Managed Care (MediSource); and/or
  • Child Health Plus

Since Independent Health is wholly accountable for fulfilling the terms and conditions with our contract with the Center for Medicare & Medicaid Services (CMS) and in meeting the program requirements set forth with our contract with New York State Department of Health (DOH), we are required to ensure that your organization is also fulfilling the requirements applicable to your scope of services/delegation.

Although specific functions, services or products are handled by your business, Independent Health remains ultimately responsible for actions conducted by your business. Therefore, Independent Health has developed an attestation process to validate that each contracted Government Program Vendor has met standard requirements.

The following are required of your organization (if your organization provides services associated with both Medicare Advantage [C/D] and Medicaid Managed Care/Child Health Plus, the requirements for both programs are mandatory):

For Vendors that provide services solely related to Medicare (Part C/D):

  • That General Compliance training, compliance policies and procedures and Standards of Conduct are distributed and facilitated within 90 days of new hire and annually thereafter.
  • That CMS produced Combatting Medicare Parts C and D Fraud, Waste, and Abuse and Medicare Parts C and D General Compliance Training are distributed and facilitated within 90 days of new hire and annually thereafter.*
  • Review and agree (by your organization’s Compliance Officer or equivalent position) to the contents of Independent Health’s Supplemental Compliance training module (document can be found here). Additionally, my organization and all members of my workforce that supports Independent Health’s contract will abide by these provisions.
  • That my organization facilitates, both prior to hire of associates and prior to contracting with subcontracted entities and monthly thereafter, all relevant exclusion list checking. This includes:
    1. The Office of the Inspector General’s(OIG) List of Excluded Individuals and Entities (LEIE);
    2. General Service Administration’s(GSA) Excluded Parties List Service (EPLS);
    3. U.S. Treasury’s Office of Foreign Assets Control’s (OFAC) List of Specially Designated Nationals and Blocked Persons.
  • Record retention:
    • Your organization maintains documentation/proof of all associates that completed the compliance and FWA training, in addition to all other and other supporting records for a period of 10 years.
    • In general, records must be retained for a minimum of 10 years from the date of its creation in accordance with federal requirements, the date when it was last in effect (i.e. the date it was last used for business operation purposes), whichever is later. If the record contains information (medical records, claims or services rendered/denied) concerning a minor (under 18 years of age), the Record Retention Period must be extended until six (6) years after the minor reaches age 18.
  • As an organization supporting Independent Health’s Medicare contract requirements I confirm that my organization does not utilize the services of any offshore entity (offshore: outside the geographical bounds of United States territory) to facilitate, fulfill or help fulfill requirements contracted to your organization. Offshore pertains to any transaction or operational element that receives, processes, transfers, handles, stores, or accesses (in any form or capacity and whether it be oral, written or electronic) any portion of Independent Health’s member’s Protected Health Information (PHI) and/or Personally Identifiable Information (PII).) This includes but is not limited to people, data and servers located offshore. If your organization does currently use offshore services to support Independent Health’s contract and an affirmative attestation cannot be made, please provide additional comment in the box below. (For CMS’ offshore definition, please reference the HPMS memo dated September 20, 2007 entitled Sponsor Activities Performed Outside of the United States [Offshore Subcontracting] Questions & Answers).
  • That your organization has mechanisms in place to promptly receive and respond to Fraud, Waste and Abuse concerns and that these issues are reported to Independent Health.
  • That your organization has established and implemented disciplinary policies and procedures that reflect clear and specific disciplinary standards. The disciplinary policies must describe the sponsor’s expectations for the reporting of compliance issues including noncompliant, unethical or illegal behavior, that employees participate in required training, and the expectations for assisting in the resolution of reported compliance issues.
  • Lastly, if applicable that you verify that any downstream/subcontractor follows all aforementioned requirements. We request that you list in the comment section any downstream entity your organization utilizes to support administrative, healthcare or member impacting services relating to our contract.

For Vendors that provide services solely associated with Medicaid Managed Care Relationships and/or Child Health Plus:

  • Pursuant to 42 CFR 455.104, if your organization is a s a disclosing entity, fiscal agent, and/or a managed care entity (see definitions 42 CFR 455.101) your organization is obligated to:
    • Within 35 days of request, provide to Independent Health ownership or control interest disclosure of the organization and/or managing employees; and
    • Disclose any criminal convictions by managing employees related to that person’s involvement in Medicare, Medicaid or Title XX programs, which in turn will be disclosed to the New York State Department of Health;
  • That General Compliance training is conducted at least annually and within ninety (90) days of onboarding of any associate that support our contract.
  • Review and agree (by your organization’s Compliance Officer or equivalent position) to the contents of Independent Health’s Supplemental Compliance training module (document can be found here). Additionally, my organization and all members of my workforce that supports Independent Health’s contract will abide by these provisions.
  • That my organization maintains a Code of Conduct and Ethics (or similarly named document) and distributes this document to all employees that work on our contract within 90 days of hire and provided annually thereafter. Independent Health reserves the right to review and deem appropriate your organization’s version. If your organization does not maintain such a document, that you agree in principle to Independent Health’s Code of Conduct and Ethics, which can be found here.
  • That my organization facilitates, both prior to hire of associates and prior to contracting with subcontracted entities and monthly thereafter, all relevant exclusion list checking. This includes:
    • 1) New York Office of Medicaid Inspector General (OMIG) list of Excluded and Terminated Providers and Entities;
    • 2) New York State Office of General Services - Iran Divestment Act - navigate to “List of Entities” link.
  • Record retention:
    • Your organization maintains documentation/proof of individual associate compliance and other supporting records for a period of 6 years for New York State’s Medicaid Managed Care (MediSource) and Child Health Plus.
  • As an organization supporting one of Independent Health’s Government Programs contracts, I confirm that my organization does not utilize the services of any offshore entity (offshore: outside the geographical bounds of United States territory) to facilitate, fulfill or help fulfill requirements contracted to your organization. Offshore pertains to any transaction or operational element that receives, processes, transfers, handles, stores, or accesses (in any form or capacity and whether it be oral, written or electronic) any portion of Independent Health’s member’s Protected Health Information (PHI) and/or Personally Identifiable Information (PII).) This includes but is not limited to people, data and servers located offshore. If your organization does currently use offshore services to support Independent Health’s contract and an affirmative attestation cannot be made, please provide additional comment in the box below.
  • My organization maintains a policy that prohibits retaliatory or intimidating acts against workforce members who fulfill their obligation in good faith to report known or suspected incidents of wrongdoing or noncompliance or participating in an organizational investigation pertaining to alleged violations of laws, rules, regulations or policies or procedures.
  • That your organization has mechanisms in place to promptly receive and respond to Fraud, Waste and Abuse concerns and that these issues are reported to Independent Health.
  • That your organization has established and implemented disciplinary policies and procedures that reflect clear and specific disciplinary standards. The disciplinary policies must describe the sponsor’s expectations for the reporting of compliance issues including noncompliant, unethical or illegal behavior, that employees participate in required training, and the expectations for assisting in the resolution of reported compliance issues.
  • Lastly, if applicable that you verify that any downstream/subcontractor follows all aforementioned requirements. We request that you list in the comment section any downstream entity your organization utilizes to support administrative, healthcare or member impacting services relating to our contract.

I certify, as the authorized representative (who should be one of the following at your organization: a Compliance Officer; Risk Officer; Operational Executive; General Counsel; or similar position) having responsibility directly or indirectly for all employees, contracted personnel, providers/practitioners, and vendors who provide health care, administrative or member impacting services under Medicaid and/or Medicare, that the statements above are true and correct to the best of my knowledge.

In addition, my organization reserves the right for Independent Health to audit and verify that the items your organization attested are true, accurate and that each have been completed.

If you have any questions, please contact Independent Health’s Compliance Department at compliance@independenthealth.com or (716) - 504-3233.