
How to Integrate AI Delegated Functions into Your Compliance Program


As Medicare Advantage (MA) organizations increasingly adopt artificial intelligence (AI) for utilization management, risk adjustment, claims processing, prior authorization, and other critical functions, a key compliance question arises: Does this AI vendor qualify as a First Tier, Downstream, or Related Entity (FDR)? These days, the answer is often yes — and treating it as such is essential for maintaining compliance with Centers for Medicare & Medicaid Services (CMS) requirements. Failure to properly oversee AI partners can expose plans to significant regulatory, financial, and reputational risks. When these tools go beyond simple automation and involve delegated decision-making, data handling, or direct impact on enrollees, the vendor is likely an FDR. CMS has emphasized that plans must ensure equitable service delivery regardless of whether decisions come from humans or automated/AI systems. 


Here’s how forward-looking MA plans are integrating AI oversight:


1. Annual Risk Assessment

  • Identify AI-specific risks: Bias in algorithms, lack of transparency (“black box” decisions), data privacy/security, over-reliance on population-level data instead of individualized clinical circumstances, and potential for improper denials.

  • Assess by function: Evaluate the scope of delegation, the vendor’s compliance infrastructure, access to PHI/PII, and impact on enrollees.

  • Incorporate emerging guidance: Factor in OIG and CMS expectations around algorithmic fairness, explainability, and individualized decision-making. 

  • Risk-tier vendors: High-risk AI tools (e.g., those used in UM or prior auth) should receive heightened scrutiny.


2. Audit and Monitoring Work Plan

  • Pre-delegation due diligence: Review the AI vendor’s compliance program, training, policies, and track record before signing.

  • Ongoing monitoring: Include AI-specific metrics such as denial rates, override frequency, algorithm performance audits, bias testing, and audit trail completeness.

  • Annual audits: Conduct (or oversee) audits of the delegated functions. Sample AI-assisted decisions for compliance with medical necessity, documentation, and timeliness requirements.

  • Corrective action plans (CAPs): Ensure robust processes for addressing deficiencies, with clear timelines and validation of remediation.

  • Leverage technology: Use data analytics (ironically, including compliant AI) to monitor patterns and anomalies. 


3. Contractual Obligations

Strong delegation agreements are your first line of defense. Key provisions to include:

  • Explicit acknowledgment that the vendor is an FDR and must comply with all applicable Medicare laws and regulations.

  • Rights to audit the vendor (including on-site if needed) and access to records, algorithms, training data (where appropriate), and decision logic.

  • Requirements for transparency and explainability of AI outputs.

  • Training mandates: Annual general compliance, FWA, and role-specific training.

  • Data security, breach notification, and PHI safeguards.

  • Performance standards, reporting requirements, and termination rights for non-compliance.

  • Flow-down provisions to any sub-delegates.

  • Indemnification and insurance requirements related to compliance failures. 


4. Additional Best Practices

  • Update policies and procedures to address AI use explicitly.

  • Enhance compliance training for internal staff on overseeing AI tools.

  • Document everything — maintain clear records of oversight activities for CMS audits.

  • Monitor regulatory developments: CMS continues to issue guidance on AI in coverage decisions and program integrity.

The Bottom Line

AI offers tremendous potential for efficiency in Medicare Advantage, but it also introduces new compliance complexities. By proactively determining when an AI partner is an FDR and embedding robust oversight into your risk assessment, audit/monitoring plan, and contracts, MA organizations can harness innovation while protecting compliance and enrollee outcomes.


Plans that treat AI oversight as a core compliance priority — rather than an afterthought — will be best positioned as CMS scrutiny of automated systems intensifies.


Contact Rebellis if you need help developing or implementing an effective AI governance program.

