
AI Is the New FDR: Why Health Plans Are Rewriting the Rules for Technology Vendors


Over the last several months, we’ve noticed a clear shift in the conversations health plans are having with technology vendors—particularly those building AI-enabled solutions.


And it’s not theoretical.


In just the past few weeks, several AI companies reached out to our compliance practice for support in building formal compliance programs. Both were responding to health plan RFPs. Both were being asked essentially the same question:


“Do you meet our FDR compliance requirements?”


Five years ago, most software companies would never have expected that question. Today, it’s becoming increasingly common. And in our view, this is the beginning of a much larger shift in how Medicare Advantage and Part D organizations evaluate vendor risk.

 

The Traditional FDR Lens Is Changing


Historically, many health plans applied a fairly straightforward test when evaluating whether a vendor should be treated as a First Tier, Downstream, or Related Entity (FDR):

  • Do they interact directly with members?

  • Do they process claims?

  • Do they enroll beneficiaries?

  • Do they perform utilization management?

  • Do they issue coverage determinations?


If the answer was no, technology companies were often categorized as “standard vendors”—important, but not necessarily part of the plan’s delegated compliance ecosystem.


That framework worked when software primarily supported infrastructure, reporting, or back-office operations. It does not work as cleanly in an AI-driven environment.

 

AI Has Changed the Question


Today, health plans are asking a different question:

Does this technology influence how we fulfill a Medicare obligation?


That is a much broader—and far more consequential—question. Because when AI is used to:

  • prioritize utilization management cases,

  • assist with prior authorization workflows,

  • draft member communications,

  • support appeals and grievances,

  • identify risk adjustment opportunities,

  • guide provider outreach,

  • optimize call center interactions,

  • triage sales or enrollment inquiries, or

  • generate content used in regulated beneficiary communications…

…the technology may not be making the final decision. But it may absolutely be influencing the decision.


From a compliance perspective, that distinction matters less than many technology companies realize.

 

The Regulation Didn’t Change. The Interpretation Did.


The irony is that CMS’s definition of an FDR hasn’t fundamentally changed.

The regulations have long referenced entities performing administrative or healthcare services under the Medicare benefit.


What’s changing is how plans are applying that language to modern technology.

Compliance leaders are increasingly recognizing that algorithms, automation tools, workflow engines, and generative AI platforms can materially affect regulated plan functions—even when there is no direct member interaction.


That realization is driving a new level of scrutiny.

 

What We’re Seeing in the Market


Over the last year, we’ve seen health plans begin incorporating FDR-like requirements into technology RFPs and contracting processes, including expectations around:

  • written compliance and ethics programs,

  • Code of Conduct acknowledgements,

  • Fraud, Waste, and Abuse training,

  • exclusion screening,

  • audit and monitoring rights,

  • incident reporting obligations,

  • delegated oversight cooperation,

  • cybersecurity governance,

  • documentation of human oversight.


For many AI startups, these requirements come as a surprise. They see themselves as software companies. Health plans are increasingly seeing them as operationally embedded partners.


That is a very different risk profile.

 

The Strategic Mistake AI Companies Are Making


The most common mistake I’m seeing is waiting until the RFP arrives before thinking about compliance.


By that point, the health plan has already decided compliance maturity is part of the procurement decision.


And increasingly, “we’re just a technology platform” is not a sufficient answer.

If your solution influences regulated workflows, beneficiary communications, payment accuracy, clinical prioritization, or operational decision-making, you should assume FDR questions are coming.


Our Prediction


Over the next 12–24 months, we expect to see:

  • More AI vendors formally classified as FDRs

  • Expanded audit rights written into technology agreements

  • More delegation oversight tied to AI-enabled workflows

  • Greater CMS focus on how plans govern vendor-supported automation


The old question was:

“Does this vendor touch the beneficiary?”


The new question is:

“Does this vendor influence how we meet our Medicare obligations?”


And if the answer is yes…

The FDR conversation has already started.

 

If your company needs help building an effective compliance program, Rebellis Group can help you.





 
 
 