FDR Compliance Requirements

Part B: FDR Compliance Program Requirements

CMS requires that all FDRs fulfill specific Medicare Compliance Program Requirements. We will describe these requirements in this document. The Code of Federal Regulations (CFR) outlines these Medicare Compliance Program requirements and they are specifically defined by CMS in the July 2, 2013, release of the Compliance Program Guidelines found in Chapter 21 of the Medicare Managed Care Manual and Chapter 9 of the Prescription Drug Benefit Manual, which are identical.

First Tier Entities are responsible for making sure that their Downstream Entities comply with applicable laws and regulations, including the requirements in this guide. As a First Tier Entity, you/your organization and all of your Downstream Entities (if applicable) must comply with Medicare Compliance Program requirements. This guide summarizes your Medicare Compliance Program responsibilities. Please review it to make sure that you have internal processes to support your compliance with these requirements each calendar year. These Medicare Compliance Program requirements include, but are not limited to:


  1. Fraud, Waste and Abuse (“FWA”) Training, General Compliance Training and Code of Conduct/Compliance Policy Distribution

    As a First Tier Entity, you/your organization must provide FWA and general compliance training to all your employees and Downstream Entities assigned to provide administrative and/or health care services for Medicare Plans. To comply with this requirement you may use the CMS Medicare Parts C & D Fraud, Waste, and Abuse Training Course January 2019 and Medicare Parts C and D General Compliance Training Course January 2019.

    This applies to all non-agent employees who touch Medicare Advantage or Part D business (administrative staff, IT staff who have access to PHI, clerical staff who process applications, etc.). If you do not have any such staff, these requirements would not apply to you.

    This training must be completed within 90 days of initial hire AND at least annually thereafter.

    You must maintain evidence of training completion. The PDF 2019 versions do not have certificates of completion; you must make your own or maintain some kind of log.
  2. Code of Conduct

    You must provide either a carrier’s Code of Conduct or your own comparable Code of Conduct to all employees.

    You must distribute that Code of Conduct within 90 days of hire and at least annually thereafter, and when there are updates to the Code of Conduct.
  3. OIG and GSA Exclusion List Screenings

    Federal law prohibits Medicare, Medicaid and other federal health care programs from paying for items or services provided by a person or entity excluded from participation in these federal programs. Therefore, prior to hire and/or contract and monthly thereafter, each First Tier Entity must check the Office of Inspector General (OIG) and General Services Administration (GSA) and all applicable state “exclusion lists” to confirm that employees and Downstream Entities performing administrative and/or health care services for Medicare Plans aren’t excluded from participating in federally funded healthcare programs. You can use these websites to perform the required OIG and GSA exclusion list screening:

Also, FDRs must maintain evidence they checked these various exclusion lists. You can use logs or other records to document that you’ve screened each employee and Downstream Entity in accordance with current laws, regulations and CMS requirements.

You Must Take Action If an Employee or Downstream Entity Is on the List

If any of your employees or Downstream Entities are on one of these exclusion lists, you must immediately remove them from work directly or indirectly related to Medicare plans and notify SMS and the carrier right away.

These exclusion list requirements are noted in § 1862(e)(1)(B) of the Social Security Act, 42 C.F.R. §§ 422.503(b)(4)(vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), 423.752(a)(6), 1001.1901, and further described in the Manual, Chapter 9 § 50.6.8.

For more information on meeting these FDR requirements, see the carrier guides below.


  1. Reporting Offshore Operations

    To help make sure we comply with applicable federal and state laws, rules and regulations, you’re prohibited from using any individual or entity (Offshore Entity) to perform services for Medicare plans if the individual or entity is physically located outside of one of the fifty United States or one of the United States Territories (i.e., American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands).
  2. Keep Documentation for 10 years

    You may be asked to provide evidence of compliance. The carriers and/or CMS may request that you provide evidence of your compliance with these Medicare Compliance Program requirements. This is for monitoring and auditing purposes.
  3. Monitoring and Auditing

    FDRs must continuously monitor and audit their operations to ensure compliance with CMS requirements.

Aetna FDR Compliance Guide