Compliance & Fraud, Waste & Abuse and Cultural Competency


The Health Plan uses education as a tool to ensure our members receive the highest quality of care from you, the provider. We achieve this through periodic reminders and updates and by communicating various compliance topics to facilitate our preventative approach.

  • Compliance and FWA training should be completed annually. Training may be completed through your own internal compliance program or by using training documents provided by The Health Plan.
  • Annual D-SNP training and attestation are required if you provide health care services to five or more of The Health Plan’s D-SNP members in the prior quarter. Your practice management consultants will contact you to inform you of the requirement to complete training and provide you with the training materials and attestation form.
  • The Centers for Medicare and Medicaid Services (CMS) requires that all providers complete cultural competency training.
  • Training should be completed within 90 days of the initial hire date or the effective date of contracting and at least annually thereafter.
  • You are required to maintain evidence of training for 10 years. This may be in the form of attestations, training logs or other means determined by you to best represent completion of these obligations.
  • It is recommended that you verify with your outside billing and/or management companies that they are conducting compliance and FWA training as part of the seven core elements of an effective compliance program. 

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule requires health care providers to protect the privacy of their patients’ health care information. This information is called protected health information or PHI.

The HIPAA Security Rule requires health care providers to implement administrative, physical and technical safeguards to protect electronic PHI (ePHI). In addition, health care providers are required to perform periodic HIPAA security risk assessments and remediate deficiencies found during the risk assessment that threaten the security of ePHI.

HIPAA requires health care providers to obtain an authorization from the patient before using or disclosing the patient’s PHI. HIPAA does allow the use and disclosure of PHI without patient authorization as long as the use or disclosure is for treatment, payment, health care operations (TPO) or for certain other disclosures required by law. However, uses and disclosures should be limited to the minimum amount of information necessary. This is called “minimum necessary” under HIPAA.

The HIPAA Privacy Rule gives patients important rights with regard to their PHI, such as:

  • The right to receive a Notice of Privacy Practices
  • The right to access their PHI
  • The right to request confidential communications
  • The right to request a restriction
  • The right to request an amendment or correction of their PHI
  • The right to receive an accounting of disclosures
  • The right to file a complaint

For more information, visit the Office for Civil Rights website at https://www.hhs.gov/hipaa/for-professionals/index.html.


Compliance