Compliance & Privacy

Community Care Privacy Reminder

As required by federal and state laws, Community Care and all of our providers must protect the privacy of our members and only share information with others who have the legal right and need to know.

Please remember the Business Associate Agreement you signed with Community Care clearly identifies how you can use and disclose member information. It also describes your responsibilities to protect that information and how to report any disclosures or improper use to Community Care. The Business Associate Agreement applies to those not typically covered directly by the federal and state laws.

Please remember:

Any discussion about a member's information, services or care received must be conducted privately.

Emails that contain member information such as his or her name or any other identifiable information, including date of birth, social security number or address, must be encrypted.

Member information is confidential. Any information you as a provider hear, see, and/or learn must be considered privileged and can only be shared with those who have a legal right and need to know.

We thank you for your continued cooperation and encourage you to contact any member of the Community Care Provider Network team with questions.

Encryption - Send a Secure Email

If the information you are emailing to Community Care contains confidential data or member-specific material, please send us a secure email to ensure that information remains private.

Our email encryption service protects confidentiality and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

If this is the first time you are using our secure email service, you'll need to create a user account.

For help, please review our secure email service instructions.

Fraud, Waste and Abuse

As part of our effort to improve the health care system, and as required by Medicare and Medicaid, Community Care and its providers have made a commitment to, and have a program in place to, prevent, detect and investigate fraud, waste and abuse.

To help you better understand Fraud, Waste and Abuse and your role as a provider in preventing it, we provide the information below.

Fraud, Waste and Abuse Training Part 1
Fraud, Waste and Abuse Training Part 2

First Tier Downstream and Related Entities (FDR) Compliance Program Requirements



Community Care contracts with FDRs to provide administrative and health services to fulfill its Medicare Parts C and D contracts. Although these services are delegated, Community Care is ultimately responsible for ensuring services are performed according to Medicare compliance program requirements. FDRs are identified based on the type of services they provide to Community Care and how that service relates to our Medicare Parts C and D contracts.

Health Services
Examples of health services include physicians, hospitals, and other provider types.

Administrative Services
Examples of administrative services include claims processing, patient management, credentialing, pharmacy benefits management, and other third-party administrators.

You can find more information about what constitutes health and administrative services in the Medicare Managed Care Manual, Chapter 21 § 40, Stakeholders Relationships Flow Charts.

What is an FDR?

Community Care defines FDRs according to the current CMS definition:

First-Tier Entity means any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization or Part D plan sponsor or applicant to provide administrative services or health care services to a Medicare eligible individual under the Medicare Advantage program or Part D program.

Downstream Entity means any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with the Medicare Advantage benefit, below the level of the arrangement between a Medicare Advantage Organization or applicant or a Part D plan sponsor or applicant and a first-tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services.

Related Entity means any entity that is related to a Medicare Advantage Organization or Part D sponsor by common ownership or control and:

Performs some of the Medicare Advantage Organization or Part D plan sponsor’s management functions under contract or delegation;

Furnishes services to Medicare enrollees under oral or written agreement; or

Leases real property or sells materials to the Medicare Advantage Organization or Part D plan sponsor at a cost of $2,500 during a contract period.

Monitoring and Auditing of FDRs

Community Care monitors and audits the activities of FDRs to ensure compliance with Medicare Parts C and D program requirements. First-Tier Entities that subcontract with other individuals or entities to provide administrative or health services are responsible for ensuring their downstream entities comply with all Medicare Parts C and D requirements. Monitoring and auditing activities may include review of the following elements:


As an FDR, your organization is responsible for providing FWA and General compliance training to all your employees (including temporary workers and governing body members) and Downstream entities that provide administrative and/or health care services on Community Care’s contract. This training must be formally conducted within 90 days of initial contract/employment and annually thereafter. FDRs must be able to demonstrate that their employees and Downstream entities have fulfilled this training requirement. Each FDR is responsible for designing and conducting its own FWA and General compliance training.

Code of Conduct

Your organization must provide either Community Care’s Code of Conduct or your own comparable Code of Conduct to all applicable employees and Downstream Entities who provide administrative and/or health care services for our Medicare lines of business. The Code of Conduct must contain all the elements set forth in Section 50.1 and subsections of the Medicare Managed Care Manual, Chapter 21. You must distribute the Code of Conduct:

  • Within 90 days of hire or the effective date of contracting
  • When there are updates to the Code of Conduct
  • Annually thereafter

You must retain evidence of your distribution of the Code of Conduct.

You can find Code of Conduct requirements in:

  • 42 C.F.R. § 422.503 (b) (4) (vi) (A)
  • 42 C.F.R. § 423.504 (b) (4) (vi) (A)
  • Medicare Managed Care Manual Chapter 21 § 50.1

Communication and Reporting Mechanisms

If FDRs know, or suspect, an issue of noncompliance or Fraud, Waste, or Abuse involving Community Care’s members, they must report the incident to Community Care. These issues can be reported by:

Contacting Community Care’s Compliance Department by calling 866-992-6600;

Calling the Ethics and Compliance Hotline anonymously 24 hours a day at (262) 207-9440;

Completing the Compliance Inquiry form online at www.communitycareinc.org; or

Emailing the Compliance Department at [email protected].

You must adopt, maintain, and enforce a zero-tolerance policy for retaliation or intimidation against anyone who reports suspected noncompliance and FWA.

You can find information about reporting noncompliance and FWA in:

  • 42 C.F.R. § 422.503 (b) (4) (vi) (D)
  • 42 C.F.R. § 422.504 (b) (4) (vi) (D)
  • Medicare Managed Care Manual Chapter 21 § 50.4

OIG/GSA Exclusion and Debarment Screenings

Federal law prohibits Medicare health care programs from paying for items or services provided by an individual or entity excluded from participation in federal health care programs. Therefore, before hiring or contracting, and monthly thereafter, each FDR must check exclusion lists from the Office of Inspector General (OIG) and General Administration Services (GSA). These exclusion lists are located at the following websites:

You can find information about OIG/GSA exclusion and debarment screenings requirements in:

  • The Social Security Act § 1862 (e) (1) (B)
  • 42 C.F.R. § 422.503 (b) (4) (vi) (F)
  • 42 C.F.R. § 422.752 (a) (8)
  • 42 C.F.R. § 423.504 (b) (4) (vi) (F)
  • Medicare Managed Care Manual Chapter 21 § 50.6.8

Offshore Subcontracting

Because of the unique risks associated with using contractors operating outside the United States or one of its territories (i.e., American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands), CMS requires Medicare Advantage Organizations (MAOs) to take extra measures to ensure offshore contractors protect members’ protected health information (PHI). Specifically, CMS is concerned with offshore subcontractors that receive, process, transfer, handle, store, or access members’ PHI. If a first-tier entity contracts with an offshore subcontractor, and provides that subcontractor with members’ PHI, the first-tier entity must report it to Community Care immediately.

Record Retention and Record Availability  

FDRs must agree to audits and inspections by Community Care, CMS and/or its designees. They must cooperate, assist, and provide information as requested. Documentation and records needed to meet program requirements (i.e., Medicare Parts C and D) must be maintained for 10 years, including but not limited to attendance records, training certificates, and any other documents that demonstrate compliance with program requirements.


Each year an authorized representative from your organization must attest to your compliance with the Medicare compliance program requirements described in this guide. An authorized representative is an individual who has authority to act on behalf of your organization. This individual could be a compliance officer, chief medical officer, practice manager/administrator, an executive officer, or a similar position.