Cody Consulting Group Inc., (“CODY®”) is a first-tier entity that supplies administrative and/or operational services to our clients who are health care plan sponsors. As such, CODY® is required by federal regulations to ensure that CODY® and our contractor partners are compliant with applicable state and federal regulations. Medicare regulations and CODY's client contracts require that we hold our contractors accountable to the same Medicare compliance requirements directed of us.

This guide provides you with important information and tools to meet the Centers for Medicare and Medicaid (CMS) requirements for first tier, downstream and related entities (FDRs). The laws and regulations governing Medicare Compliance Program requirements can be found in:

  • Code of Federal Regulations (CFR)
  • CMS Medicare Managed Care Manual (MMCM), Chapter 21, Compliance Program Guidelines
  • CMS MMCM, Chapter 11, Medicare Advantage Application Procedures and Contract Requirements

FDR Compliance Program Requirements

(MMCM, Ch 11, Sections 100 and 110).

FDRs must comply with applicable laws and regulations, including Medicare Compliance Program requirements. This guide provides a summary of these requirements.

What is an FDR?

(42 CFR §423.501; MMCM, Chapter 21, Sections 20 and 40)

CMS defines an FDR as:

  • First Tier Entity: Any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization or Part D plan sponsor or applicant to provide administrative services or healthcare services to a Medicare eligible individual under the Medicare Advantage Program or Part D program.
  • Downstream Entity: Any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the Medicare Advantage benefit or Part D benefit, below the level of the arrangement between a Medicare Advantage Organization or applicant or a Part D plan sponsor or applicant and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.
  • Related Entity: Any entity that is related to a Medicare Advantage Organization or Part D sponsor by common ownership or control and:
    • Performs some of the Medicare Advantage Organization or Part D plan sponsor’s management functions under contract or delegation; or
    • Furnishes services to Medicare enrollees under an oral or written arrangement; or
    • Leases real property or sells materials to the Medicare Advantage Organization or Part D plan sponsor at a cost of more than $2,500 during a contract period

Code of Conduct and Compliance Policies

(42 CFR §§ 422.503(b)(4)(vi)(A) and 423.504(b)(4)(vi)(A); MMCM, Chapter 21, Section.50.1)

FDRs must provide Standards of Conduct to their employees and contracted parties. You may provide either the CODY® Code of Business Conduct and Ethics (“Code of Conduct”) and CODY's Compliance policies (collectively “Compliance Program Policies”) or you may provide your own comparable Code of Conduct and policies. There may be instances in which CODY’s clients require that CODY® and CODY's contractors must comply with the client’s code of conduct. CODY® will notify you if this requirement will applies to you.

CMS regulations state that you must distribute the Code of Conduct and compliance policies:

  • Within 90 days of hire or the effective date of contracting
  • When there are updates to the Code of Conduct or compliance policies
  • Annually thereafter

You must retain evidence of your distribution of the Code of Conduct and compliance policies for a period of ten years.

General Compliance and Fraud, Waste and Abuse Training

(42 CFR §§ 422.503(b)(4)(vi)(C) and 423.504(b)(4)(vi)(C); MMCM, Chapter 21, Section 50.3.2)

CMS requires health plan sponsors to provide general compliance and FWA training to employees, senior administrators, governing body members and FDRs.

The 2019 Final Rule (HPMS Memo dated April 2, 2019) no longer requires that plan sponsors and FDRs take the CMS-developed training. However, CMS will continue to allow health plan sponsors to require FDRs to provide compliance training to the FDRs’ employees, senior administrators, governing body members, and contractors.

CODY® believes that general compliance training and FWA training are crucial to the success of CODY®, our clients and our business partners. Therefore, CODY® will continue to provide general compliance and FWA training to our employees, senior administrators, and governing body members.

CODY® will require its business partner subcontractors to provide similar general compliance and FWA training to its employees and senior administrators who perform work related to your contract with CODY®.

CMS no longer provides the general compliance training and the FWA training on its website. Therefore, CODY® provides our vendors the former CMS FWA general compliance and FWA training decks. CODY® also provides our vendors with CODY-specific compliance training. We encourage our vendors to adopt and modify the materials to fit your organizational needs.

Contractors must submit (upon request by CODY® or CODY® clients), proof of completion of the general compliance and FWA training that meets CMS requirements, an attestation that the contractor organization has completed the training, or other such documentation as requested.

The training must occur within 90 days of initial hiring or contracting and annually thereafter.

Exclusion List Screening Requirements

(42 CFR §§ 422.503(b)(4)(vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), 423.752(a)(6) and 1001.1901; MMCM, Chapter 21, Section 50.6.8)

Federal regulations prohibit Medicare, Medicaid and other federal healthcare programs from paying for items or services provided by a person or entity excluded from participation in these federal programs.

FDRs must perform searches of the Office of the Inspector General (OIG) and General Services Administration (GSA) exclusion lists to confirm that employees and downstream entities performing services for CODY® are not excluded from participating in federally-funded healthcare programs.

CODY's clients require that we conduct these searches and that we require our contractors to do the same. CODY® will perform exclusion searches of our contractors’ business name before final contracting and monthly thereafter. CODY® requires our contractors to conduct exclusion checks of their employees and any downstream contractors for the term of the contract.

Use the websites below to perform the required exclusion screenings:

Exclusion screenings must be conducted as follows:

  • Prior to hire and/or contract
  • Monthly thereafter

CODY® contractors must maintain evidence that exclusion checks have been completed. You must retain copies of the individual checks and it is an industry best practice to keep a log of the checks. If one of your employees or sub-contractors is on an exclusion list:

  • Immediately remove the employee/contractor from work directly or indirectly related to CODY®
  • Notify the CODY® Compliance Program upon discovery

Conflict of Interest Attestation

(42 CFR §§ 422.503(b)(4)(vi)(F), 423.504(b)(4)(vi)(F), 422.503(b)(4)(vi)(F) and

CODY® expects its employees and contractors to transact business according to the highest ethical standards of conduct. CODY® contractors to should avoid any activity, investment, interest or association that interferes or appears to interfere with the independent exercise of judgment in carrying out assigned job responsibilities or with the business interests of CODY®.

CODY® contractors are required to provide a contractor Conflict of Interest attestation to CODY® during the initial contracting process and annually thereafter.

Reporting FWA and Compliance Concerns to CODY®

(42 CFR §§422.503(b)(4)(vi)(D); 423.504(b)(4)(vi)(D); MMCM, Chapter 21, Section 50.4.2)

Suspected or detected compliance issues or potential FWA issues that affect a contract with CODY® must be reported to the CODY® Compliance Program. All employees and contractors must contact CODY® to report compliance concerns.

CODY® contractors must adopt and enforce a reporting policy that includes:

  • A zero-tolerance policy that provides assurances of non-retaliation or non-intimidation against anyone who reports, in good faith, suspected or detected compliance issues
  • The ability for employees/contractors to report issues and concerns in an anonymous manner

Questions or concerns should be directed to the CODY® Compliance Program via the following reporting avenues:

  • Contact the CODY® Hotline at 1-855-900-CODY (2639) ext 208. You may request confidentiality and anonymity. CODY® will honor this request to the greatest extent possible.
  • CODY® Compliance Reporting Email Address:
  • Contact CODY® Compliance Staff:
    • Tonya Edwards, Director, Compliance
      Cell: 813-480-5829, Office: 855-990-CODY (2639) ext. 201
    • Julie Hughes, Chief Compliance Officer
      Cell: 540-226-1893
  • To report anonymously, send a letter to: Julie Hughes, 1513 Keeneland Rd, Fredericksburg VA 22401

Contractors may also refer to the CODY® Code of Conduct which contains these reporting avenues.

FDR Record Retention and Attestation Requirements

(42 CFR §425.314; MMCM, Chapter 11, Section 110.4.3)

Your organization must maintain evidence of compliance with these Medicare Compliance Program requirements by retaining documentation addressed in this guide and by contract with CODY® for a period of ten years. Pursuant to the Medicare requirements, CODY® and CODY’s contractors must maintain books, records, documents, and other evidence of accounting procedures and practices for 10 years from the end date of a contract or the completion date of an audit, whichever is later.

Also, each year, an authorized representative from your organization must attest to your compliance with the requirements described in this guide. The authorized individual is a person who has responsibility directly or indirectly for:

  • Employees
  • Contracted Personnel
  • Contractors who provide healthcare and/or administrative services on behalf of CODY® for CODY's clients

The authorized representative may be your Compliance Officer, Practice Manager or Administrator, an Executive Officer or similar related position.

In addition to completing an attestation, CODY® or CODY's clients, may request that you provide evidence of your compliance with these Medicare Compliance Program requirements for monitoring and auditing purposes.

Monitoring, Auditing and Required Reporting

(42 CFR §§422.503(b)(40)(vi)(F) and 423.504(b)(4)(vi)(F); MMCM, Chapter 21, Section.50.6)

CMS requires that plan sponsors develop a strategy to monitor and audit their first-tier and downstream entities. The CMS regulations and CODY’s client contracts may require that CODY® monitor and audit our contractors as well. CODY’s clients will routinely monitor and periodically audit CODY® which may also include review of CODY’s contractors.

CODY’s contractors must comply with these Medicare compliance guidelines. Should a CODY® client request monitoring and auditing reports, documentation, or audit data from CODY® regarding a contractor, the CODY® Compliance Department will notify the contractor to discuss the client’s request.

CODY’s clients may also expect routine reporting from CODY® and our contractors. Such reporting will be discussed with the contractor in a timely fashion to comply with client expectations.

Federal and State Compliance Obligations

Based upon the services your organization performs for CODY®, you may be subject to other federal and state laws, rules and regulations not described in this guide. If you have questions about Medicare compliance requirements for the services you perform, please contact CODY's Director, Compliance, Tonya Edwards.

Compliance Resources

CODY® Code of
FDR Compliance Program
OIG Exclusion List
GSA Exclusion List
CMS MMCM, Chapter 21
CMS MMCM, Chapter 11