UnitedHealth Group Home

Compliance Program

This page provides education, important links and resources to guide delegated entities for our organization through compliance program requirements.

Why Compliance Matters

The Centers for Medicare and Medicaid Services (CMS) and federal and state regulators take protection of their consumers seriously, and they pass that responsibility to our organization when we are acting in their capacity as a CMS contractor or plan sponsor. CMS and state regulators hold our organization directly accountable for delegate activities and performance.

How to Demonstrate Compliance Success

Learn and execute the delegated entity compliance elements.
Communicate the requirements across your organization.
Document and measure performance against regulatory and contractual standards.
Implement monitoring for performance and requirements.
Report any gaps or deficiencies to our organization so we can work together to remediate.
Provide a timely response to attestations.

Medicare Compliance

Find information for delegates working with our Medicare programs.

Medicaid Compliance

Find information for delegates working with our Medicaid programs.

General Compliance

Find information for all delegated entities working on behalf of our organization.

Attestation

Find information on attestation and how to contact us.

As part of an effective compliance program, CMS and other federal and state regulators require that UnitedHealth Group and its affiliate organizations (collectively, our organization) communicate and monitor specific compliance and fraud, waste and abuse requirements to our employees and delegated entities (delegates) – including first tier, downstream and related entities (FDRs). In the event of a CMS, federal or state audit, our organization must demonstrate that we evaluate our delegates’ compliance with program requirements, including effective monitoring and oversight of such delegates.

Our organization uses the terms: delegates; delegated entities; vendor; first-tier, downstream entity and related entity (FDR); subcontractor; and, occasionally, others interchangeably to name the parties with whom we contract with to support administration of benefits, access to care and other services performed on our behalf.

Definitions

Medicare Program First-Tier, Downstream and Related Organization (FDR)
First-tier entity is any party that enters into a written agreement to provide administrative services or health care services.

Downstream entity is any party that enters into a written arrangement with persons or entities below the level of the arrangement between our organization and the first tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.

Related entity means any entity that is related to our organization by common ownership or control and:
Performs some of our organization’s management functions under contract or delegation.
Furnishes services to enrollees under an oral or written agreement.
Leases real property or sells materials to our organization at a cost of more than $2,500 during a contracting period.
Medicaid Program Delegated Entity (Subcontractor)
Federally Facilitated Marketplace (FFM) Qualified Health Plan (QHP) Program Specific Delegated Entity
While the entities our organization oversees may be broader, the definitions below apply to entities to which the QHP issuer has delegated the performance of one or more of its activities or obligations under the FFM QHP Issuer Standards set forth in 45 CFR 156.340(a):

Delegated entity means any party, including an agent or broker that enters into an agreement with a QHP issuer to provide administrative services or health care services to qualified individuals, qualified employers or qualified employees and their dependents.

Downstream entity means any party, including an agent or broker, that enters into an agreement with a delegated entity or with another downstream entity for purposes of providing administrative or health care services related to the agreement between the delegated entity and the QHP issuer. The term “downstream entity” is intended to reach the entity that directly provides administrative services or health care services to qualified individuals, qualified employers or qualified employees and their dependents.

Record retention of proof of compliance to requirements for a timeframe of 10 years from the final date of the agreement period (42 CFR 156.340).

If a delegate submits or stores FFE data, the delegate must comply with the following CMS requirements:

Implementation of a privacy and security framework compliant with National Institute for Standards and Technology (under Section II.b.3).

Reporting breaches (within 24 hours) and incidents (within 72 hours) (under Section II.b.7).