Banner Health Network

FDR Compliance Attestation

Banner Health Network’s (BHN) triple aim goals are: improving the patient’s experience of care, improving the health of populations, and reducing the per capita cost of health care. To meet these goals and our commitment to compliance, BHN must ensure that our first tier, downstream, and related entities (FDRs) operate in compliance with applicable law and regulatory guidance. FDRs must complete this Attestation Form upon contract execution and annually thereafter. BHN has developed this Attestation Form to facilitate its responsibility to ensure FDR compliance and to provide a consistent process for oversight of the BHN FDRs.

Attestation Form Submission Instructions

Please complete the attestation below in its entirety and provide it to Banner by the due date listed below.

This Attestation Form must be signed by an individual with the authority to sign on behalf of the FDR and to attest to the accuracy and completeness of the information provided.

Attestation Form Due Date:

The completed Attestation Form may be mailed or scanned and e-mailed to:

Banner Health Network

BHN Compliance Dept.

Attn: Linda Steward

1441 N 12th St

Phoenix, AZ 85006

Please maintain records for 10 years that show that you have met these requirements. You may be called upon by us or CMS to provide documentation upon request. Examples of documentation include: (1) communication of Standards of Conduct in an email, website portal or contract; (2) FWA and general compliance training methods, materials used for training, employee sign-in sheet(s), attestations or electronic certifications that include the date of the training; (3) method of OIG/GSA and state (if applicable) exclusion checks and a copy of a sanction check report for each employee/contractor; and (4) policy(ies) and procedure(s) that describe the process(es) you use to meet the preceding requirements.

What if I identify a potential issue?
Please report all suspected or detected noncompliance, potential Fraud, Waste and Abuse, suspected breach of PHI or misconduct to us immediately so that we may investigate and respond appropriately. Reports can be made to your BHN Account Manager, business contact or BHN Compliance Officer. Confidential reports can be made to the Banner Health ComplyLine at 888-747-7989. Callers are encouraged to provide contact information in case additional information is needed. You may also report anonymously. BHN expressly prohibits retaliation for reports made in good faith.

What if I identify an excluded individual or entity?

If you identify an excluded individual or entity employed or contracted by your organization, you must report this to BHN through your Account Manager, business contact or BHN Compliance Officer.

Organization(s) Covered by Attestation: ______

Compliance Policies and Procedures

Chapter 21, Section 50.1.3, 42 CFR §§ 422.503(b)(4)(vi)(A), 423.504(b)(4)(vi)(A)

Please check (✓) one of the following:

☐ Contractor has implemented written compliance policies and procedures and Standards of Conduct compliant with the requirements of Chapter 21 and distributes the foregoing to all employees who provide health or administrative services for Medicare beneficiaries who are enrolled in a Medicare Part C or Part D plan (hereinafter referred to as “Employees”).

☐ If Contractor has not implemented written compliance policies and procedures and Standards of Conduct of its own, within 90 days of contracting with BHN and annually thereafter while the contract with BHN is in place, Contractor will distribute to all Employees BHN’s Standards of Conduct and compliance policies and procedures.

☐ If not attesting to either of the above, please provide an explanation:

Link to Banner Health’s Code of Conduct and the Compliance Handbook & Plan:

Will add link once training is added to Intranet

General Compliance Training

Chapter 21, Section 50.3, 42 CFR §§ 422.503(b)(4)(vi)(C), 423.504(b)(4)(vi)(C)

Please check (✓) one of the following:

☐ Contractor will (1) require its Employees, at least annually, to take general compliance training[1] required by CMS and ensure that the general compliance training is part of the orientation of new Employees and (2) communicate to its Employees general compliance information provided by BHN.

☐ If Contractor does not have general compliance training adequate to meet CMS requirements, Contractor will require its Employees to take BHN’s general compliance training.

☐ If not attesting to either of the above, please provide an explanation:

Link to Banner Health’s General Compliance Training:

Will add link once training is added to Intranet

FWA Training

Chapter 21, Section 50.3, 42 CFR §§ 422.503(b)(4)(vi)(C), 423.504(b)(4)(vi)(C)

Please check (✓) one of the following:

☐ Contractor meets Fraud, Waste, and Abuse (“FWA”) certification requirements through enrollment into the Medicare program or through accreditation as a supplier of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) and, as such, is “deemed” compliant with CMS FWA training requirements.

☐ Within 90 days of hire/contracting with BHN and annually thereafter, Contractor provides all of its Employees FWA training compliant with CMS requirements or requires its employees to take training developed by CMS and available through CMS Medicare Learning Network (MLN) at http://www.cms.gov/MLNProducts.

☐ If not attesting to either of the above, please provide an explanation:

OIG/GSA Exclusion

Chapter 21, 50.6.8, 42 CFR §§ 422.503(b)(4)(vi)(F), 423.504(b)(4)(vi)(F), 42 CFR 1001.1901

Please check (✓) one of the following:

☐ Contractor (1) reviews the DHHS OIG List of Excluded Individuals and Entities (LEIE list) and the GSA Excluded Parties List System (EPLS) prior to the hiring or contracting of any new Employee, temporary Employee, volunteer, consultant, governing body member, and downstream entities, and monthly thereafter, to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs and (2) will immediately disclose (and has disclosed) to BHN any exclusion, or other event that makes them ineligible to perform work related directly or indirectly to Federal health care programs.

☐ If not attesting to the above, please provide an explanation:

Conflict of Interest

Chapter 21, 50.6.4, 42 CFR §§ 422.503(b)(4)(vi)(F), 423.504(b)(4)(vi)(F), 42 CFR 1001.1901

Please check (✓) one of the following:

☐ Contractor has a process in place to effectively screen its governing bodies and senior leadership for conflicts of interest.

☐ If not attesting to the above, please provide an explanation:

Record Retention

Chapter 21, Section 50.3.2, 42 CFR §§ 422.503(b)(4)(vi)(C), 423.504(b)(4)(vi)(C), 42 CFR 422.504(e)(4)

☐ Contractor retains records to support this attestation including but not limited to time, attendance, topic, certificates of completion (if applicable), and test scores of any tests administered to Employees for at least ten (10) years, or longer if required by applicable law.

☐ If not attesting to the above, please provide an explanation:

Business Continuity and Disaster Recovery Management

Health Insurance Portability and Accountability Act: Sec. 164.306 Security Standards: General Rules; Sec. 164.308 Administrative Safeguards: (a)(7)(i) Contingency Plan Standard and (a)(7)(ii) Contingency Plan Implementation Specifications.

Please check (✓) one of the following:

☐ Contractor has a disaster recovery management plan in place to effectively provide system-wide consistency and conformity of emergency, business continuity, and disaster recovery management activities.

☐ If not attesting to the above, please provide an explanation:

HIPAA & Privacy

Health Insurance Portability and Accountability Act of 1996 and 45 Code of Federal Regulations; HITECH Act provisions within the American Recovery and Reinvestment Act of 2009. If the Contractor has access to BHN’s protected health information, there must be a Business Associate Agreement (BAA). This also requires that the Contractor have a process to notify BHN if a breach of unsecured protected health information occurs. Contractor must provide notice to BHN without unreasonable delay and not later than 60 days from discovery of the breach.

Please check (✓) one of the following:

☐ Contractor has appropriate safeguards and controls in place to protect and secure BHN’s protected health information from any intentional or unintentional use or disclosure.

If you checked this box please also answer this question:

☐ If not attesting to the above, please provide an explanation:

In addition, please provide responses to the questions below:

1) Is there a current and executed BAA between BHN and the Contractor? Yes ☐ No ☐

2) Does the Contractor have a process to notify BHN if a breach occurs? Yes ☐ No ☐


ICD-10

45 CFR 162.1002: HHS’s final regulation that adopted the ICD-10 code set as a HIPAA standard. Contractor has the planning, communications, testing and training in place to ensure compliance with the 10/1/14 due date and implementation of the ICD-10 code set.

Please check (✓) one of the following:

☐ Contractor will be compliant with the 10/1/14 due date and implementation of the ICD-10 code set.

☐ If not attesting to the above, please provide an explanation:


Sub-Contract and Offshore Contracts

Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160, 162 and 164; CMS issued guidance 08/15/2006 and 07/23/2007; and 2008 Call Letter

1.  Does your organization sub-contract any functions?

Yes ☐ No ☐ If yes, provide sub-contract name(s) and function(s) each performs:

2.  Does your organization outsource (claims scanning, claims data entry or claims processing, mailroom services, etc.)?

Yes ☐ No ☐ If yes, provide entity name(s) and function(s) each performs:

3.  If Yes for either 1 or 2 above: Have you communicated these contractual relationships to Banner Health Network?

Yes ☐ No ☐ If yes, provide name of person this was communicated to and the date:

4.  If Yes for either 1 or 2 above: Are any of these contractual relationships or functions located offshore? (“Offshore” refers to any country that is not one of the fifty United States or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands).)

Yes ☐ No ☐ If yes, provide entity name(s) and function(s) each performs:

5.  If Yes for 4: Have you submitted a completed offshore attestation for each of the entities you provided above for 4 to Banner Health Network?

Yes ☐ If yes, provide a copy of the attestation submitted.

No ☐ If no, please complete and return the BHN Offshore Subcontractor Attestation attached hereto as Attachment A, annually thereafter as well as within 20 days of entering into or amending any agreement with an Offshore Subcontractor.

Signature

By signing below, I attest that I have carefully reviewed the information provided on this Attestation Form and attest to its completeness and accuracy, and that I have the authority to sign this Attestation on behalf of the Contractor.

Print Name: ______

Print Title: ______

Signature: ______

Date: ______

Banner Health Network

FDR Compliance Attestation 2/21/2014

Attachment A

Banner Health Network

Offshore Subcontracting Attestation

Name of Entity Completing Attestation:
Enter your name, your title and the date that you completed this attestation:
Name:
Title:
Signature:
Date:
Do you utilize offshore subcontractors?
The Centers for Medicare and Medicaid Services (CMS) defines an offshore subcontractor as follows: The term “subcontractor” refers to any organization that a Medicare Advantage Organization or Part D sponsor contracts with to fulfill or help fulfill requirements in their Part C and/or Part D contracts. Subcontractors include all first-tier, downstream and/or related entities. The term “offshore” refers to any country that is not one of the fifty United States or one of the United States territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). Examples of countries that meet the definition of “offshore” include Mexico, Canada, India, Germany, and Japan. Subcontractors that are considered offshore can be either American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.
Response: Yes ☐ No ☐
We engage in offshore subcontracting that involves receiving, processing, transferring, handling, storing, or accessing protected health information (PHI).
Response: Yes ☐ No ☐
If “No,” the survey is complete and you do not need to complete or submit the attestation.
If “Yes,” continue completing the form below and provide a copy to:
Banner Health Network
BHN Compliance Department
Attn: Linda Steward
Provider Network Management
1441 N 12th St
Phoenix, AZ 85006
If a new offshore subcontractor is added, the full Offshore Subcontractor Attestation must be completed and sent to Banner Health Network within 20 calendar days from the date the contract is signed with the Offshore Vendor.

Banner Health Network

Offshore Subcontracting Attestation 2/21/2014

Part I. Offshore Subcontractor Information
Offshore Subcontractor Name:
Offshore Subcontractor Country:
Offshore Subcontractor Address:
Describe Offshore Subcontractor Functions:
Effective Date for Offshore Subcontractor (Month, Day, Year; example: January 15, 2009):
Part II. Precautions for PHI
Describe the PHI that will be provided to the offshore subcontractor:
Discuss why providing PHI is necessary to accomplish the offshore subcontractor objectives:
Describe alternatives considered to avoid providing PHI, and why each alternative was rejected:

Part I. Attestation of Safeguards to Protect Beneficiary Information in the Offshore Subcontract
Item / Attestation / Response (Yes or No)
I.1. / Offshore subcontracting arrangement has policies and procedures in place to ensure that Medicare beneficiary PHI and other personal information remains secure / Yes ☐ No ☐
I.2. / Offshore subcontracting arrangement prohibits subcontractor’s access to Medicare data not associated with the sponsor’s contract with the offshore subcontractor / Yes ☐ No ☐
I.3. / Offshore subcontracting arrangement has policies and procedures in place that allow for immediate termination of the subcontract upon discovery of a significant security breach / Yes ☐ No ☐
I.4. / Offshore subcontracting arrangement includes all required Medicare Part C and D language such as record retention requirements, compliance with all Medicare Part C and D requirements, etc. / Yes ☐ No ☐
Part II. Attestation of Audit Requirements to Ensure Protection of PHI
Item / Attestation / Response (Yes or No)
II.1. / Organization will conduct an annual audit of the offshore subcontractor / Yes ☐ No ☐
II.2. / Audit results will be used by the Organization to evaluate the continuation of its relationship with the offshore subcontractor / Yes ☐ No ☐
II.3. / Organization agrees to share offshore subcontractor’s audit results with CMS upon request / Yes ☐ No ☐
