Medicare Part D Compliance: Are Your Staff Members Steering Patients to Specific Plans? (42 CFR § 423.504)

Executive Summary

Small practices often see themselves as “just helping patients” when staff casually recommend a Medicare Part D plan. Under the Medicare Part D rules, and the standard contract provisions in 42 CFR 423.504, those same conversations can be treated as communications or marketing activities that the Part D sponsor must control through its compliance program.

When a practice functions as a downstream or related entity to a Part D sponsor, the practice must follow the sponsor’s compliance standards, including training, reporting, and corrective actions related to beneficiary interactions. If staff steer patients to a specific plan, or appear to favor a limited set of plans, the sponsor can be cited for failures in its compliance program and marketing oversight, and the practice may be exposed through contract sanctions or termination.

Because CMS enforces these obligations through audits, data analysis, and complaint investigations, a single patient complaint about “being pushed into a plan” can trigger a review that reaches your clinic. Small practices therefore need simple, low-cost controls that keep staff helpful but neutral, supported by documentation that shows the Part D sponsor and CMS they know the rules.

A basic combination of clear policies, short targeted training, and routine monitoring of staff scripts can greatly reduce the risk that routine conversations are misinterpreted as steering in violation of obligations that flow down from 42 CFR 423.504.

Introduction

Patients trust front-desk staff, nurses, and physicians more than any marketing flyer. That trust makes your practice a powerful influence in how beneficiaries choose Part D plans, whether you intend it or not. A casual comment such as “Everyone here uses Plan X; it is the best” can be viewed by CMS and plan sponsors as steering, especially if your practice has contracts, data-sharing, or financial arrangements with a particular plan.

Under 42 CFR 423.504, every Part D sponsor’s contract with CMS must include specific compliance program elements. Those elements must extend to first tier, downstream, and related entities, which is where many small practices sit in the ecosystem. That means your practice’s conduct can directly affect whether the sponsor is viewed as having an effective compliance program.

For small clinics, the risk is not theoretical. If a sponsor discovers that a contracted practice is steering beneficiaries inappropriately, the sponsor may be forced to implement corrective action, limit referrals, or terminate the relationship to protect its own contract with CMS. In extreme cases, patterns of steering and related misconduct can lead to civil money penalties or other enforcement actions.

This guide shows small practices how to stay on the safe side: helping patients navigate complex coverage decisions without crossing the line into plan steering.

Understanding Legal Framework & Scope Under 42 CFR 423.504

42 CFR 423.504 sets the standard contract provisions that must appear in every agreement between CMS and a Part D sponsor. Among other things, it requires the sponsor to maintain an effective compliance program that includes: written policies and procedures, compliance oversight, training and education, effective lines of communication, enforcement of standards, internal monitoring and auditing, and prompt response to detected offenses with corrective action.

These obligations do not stop at the sponsor’s own employees. The regulation expressly requires the plan to ensure that its first tier, downstream, and related entities follow applicable Medicare requirements and the sponsor’s compliance program. This is where a small practice typically comes in: as a contracted provider or downstream entity that must, by contract, observe the same rules on fraud, waste, abuse, and marketing or communications.

While 42 CFR 423.504 itself sets out the high-level compliance obligations, other Medicare regulations and CMS guidance specify what is allowed and prohibited in communications and marketing, including activities that attempt to steer beneficiaries to particular plans or a limited set of plans. These rules restrict providers from recommending a specific plan, distributing biased materials, or selectively scheduling appointments with representatives from one plan, among other behaviors.

Federal requirements under the Part D program preempt contrary state laws in the specific field of Medicare benefit design and administration, but state insurance and consumer protection laws can still apply, such as prohibitions on unfair trade practices or deceptive marketing. As a result, a practice can face both Medicare-related consequences and state-level scrutiny if its staff behavior crosses the line.

Understanding 42 CFR 423.504 and its link to beneficiary communications reduces claim denials, contract friction, and administrative headaches. When your policies and training are aligned with the sponsor’s compliance program, auditors are more likely to view your practice as a partner in compliance rather than a risk to be managed.

Enforcement & Jurisdiction

CMS is the central federal agency enforcing Part D sponsor obligations under 42 CFR 423.504, including the adequacy of their compliance programs and oversight of downstream entities. When CMS identifies failures through audits, monitoring, or complaint investigations, it can impose corrective action plans, intermediate sanctions, or civil money penalties on the sponsor.

Because sponsors are held accountable for the conduct of their network of first tier, downstream, and related entities (FDRs), they in turn police the behavior of contracted practices. Sponsors may perform their own audits, secret-shopper calls, or complaint reviews to determine whether a practice’s staff are steering beneficiaries or otherwise violating marketing rules. If they identify issues, they may require retraining, demand revisions to scripts and signage, or modify or terminate the provider contract.

The HHS Office of Inspector General (OIG) can become involved if steering is tied to remuneration, kickbacks, or other potential fraud. In those cases, the conduct may implicate the federal Anti-Kickback Statute or civil monetary penalty provisions, especially if payments or gifts are tied to enrolling beneficiaries into particular plans.

Common audit or enforcement triggers for steering-related issues include:

  • Beneficiary complaints alleging that clinic staff pressured them to pick a specific plan or told them they could only be seen if they enrolled in a certain plan.

  • Patterns of enrollment data suggesting a disproportionate share of patients from a practice are in one plan or a small cluster of plans.

  • Sponsor audit findings that downstream entities have not completed required training or do not have written policies covering communications and marketing requirements flowing from 42 CFR 423.504.

By recognizing how CMS and sponsors look at steering risk, a small practice can design controls that prevent problems from ever becoming audit findings.

Even though the heading references HIPAA, the practical need is the same: to survive sponsor and CMS oversight with clear, defensible evidence that your practice manages steering risk under the contractual obligations tied to 42 CFR 423.504. The controls below are designed to be lean, low-cost, and realistic for small clinics.

  1. Create a written “Plan-Neutral Patient Communication” policy tied to your Part D contracts.

    • Implement by drafting a short policy that states staff may provide general information, lists of all plans with which the practice contracts, and referrals to unbiased resources, but may not recommend or endorse any particular Part D plan, referencing your obligations as a downstream entity under 42 CFR 423.504(b)(4).

    • Evidence: Dated policy, acknowledgement signatures, and copies included in your employee handbook or onboarding packet.

    • Low-cost method: Adapt an existing compliance or patient communication policy rather than creating a new document structure.

  2. Standardize a front-desk and clinical script for plan questions.

    • Implement by writing a very short script that staff must use whenever a beneficiary asks “Which plan should I pick?” or “Which plan is best here?”, emphasizing neutrality and referral to plan-agnostic resources, anchored to the training and education element in 42 CFR 423.504(b)(4)(vi).

    • Evidence: Script documents with version control, training sign-in sheets, and periodic spot-check notes that confirm staff are using it.

    • Low-cost method: Print the script on a half-page card taped discreetly to monitors or phones.

  3. Document your status with each Part D sponsor in a simple matrix.

    • Implement by building a one-page table listing each Medicare Advantage or Part D sponsor you contract with, whether you are designated as an FDR or other downstream entity, and any required training, reporting, or communication standards tied to 42 CFR 423.504(b)(4).

    • Evidence: Dated matrix, copies of contract clauses specifying compliance responsibilities, and emails from payers confirming FDR status.

    • Low-cost method: Maintain this matrix in a shared spreadsheet on your existing drive instead of investing in specialized software.

  4. Align Part D compliance training with sponsor expectations.

    • Implement by ensuring that applicable staff complete general Medicare compliance and fraud, waste, and abuse training, including a specific module on beneficiary communications and steering, consistent with the training requirement in 42 CFR 423.504(b)(4)(vi).

    • Evidence: Training logs with date, completion status, and role; certificates from sponsor-provided or CMS-approved modules.

    • Low-cost method: Use sponsor-provided or CMS general compliance training modules at no cost and supplement with a 15-minute internal briefing on your scripts.

  5. Establish a simple reporting pathway for suspected steering concerns.

    • Implement by designating a compliance contact in the practice and documenting how staff can report concerns about plan-related conversations, consistent with the effective lines of communication element in 42 CFR 423.504(b)(4)(vi).

    • Evidence: Policy language describing reporting, posted contact information, and anonymous note options, plus records of issues raised and addressed.

    • Low-cost method: Use an existing office email box or locked suggestion box rather than a commercial hotline.

  6. Keep a brief log of plan-related education events or outreach.

    • Implement by recording any presentations by plan representatives, community education sessions, or materials displayed in the clinic, and confirming that they comply with sponsor and CMS communication rules referenced in contracts governed by 42 CFR 423.504.

    • Evidence: Event log with date, sponsor, content summary, approvals, and any handouts reviewed.

    • Low-cost method: Keep a simple paper or spreadsheet log maintained by a single point person.

  7. Respond quickly and transparently to any sponsor inquiry about beneficiary communications.

    • Implement by having a stepwise process for gathering records, interviewing staff, and revising scripts if a plan or CMS questions possible steering, which supports the prompt response and corrective action expectations in 42 CFR 423.504(b)(4)(vi).

    • Evidence: Email threads, meeting notes, revised policies, and training updates following any inquiry or complaint.

    • Low-cost method: Use existing leadership meetings and email to coordinate responses instead of separate committees.

Together, these controls create a defensible story that your practice understands its responsibilities under 42 CFR 423.504 and manages steering risk in a structured way, even with limited staff and budget.

Case Study

A small multi-specialty clinic contracts with several Medicare Advantage and Part D plans. Staff in the billing office have developed a strong preference for one particular plan, because its portals are easier to use and claims tend to pay faster. Over time, that preference leaks into patient conversations. Front-desk staff start saying, “Most of our patients pick Plan Green; it works best with our office,” and nurses occasionally tell patients, “If you switch to Plan Green, your meds will be cheaper.”

One beneficiary, after experiencing unexpected formulary issues with Plan Green, files a complaint with 1-800-MEDICARE, stating that the clinic “pressured” them to pick that plan. CMS routes the complaint to the sponsor and reviews the sponsor’s oversight of downstream entities under 42 CFR 423.504(b)(4), asking for evidence of training, policies, and monitoring of provider communications.

During the sponsor’s investigation, the clinic cannot produce any written policies about plan-neutral communications, has no scripts, and cannot show that staff completed required compliance or FWA training specific to beneficiary interactions. The sponsor concludes that the clinic’s conduct contributed to potential steering and reports its findings to CMS.

Consequences include:

  • The sponsor issues a formal corrective action plan to the clinic requiring immediate policy changes, training, and periodic audits of staff conversations.

  • The sponsor also tightens its own compliance controls and self-reports the issue to demonstrate compliance with 42 CFR 423.504(b)(4)(vi), adding cost and administrative burden.

  • The clinic’s contract includes a clause allowing termination for noncompliance with sponsor and CMS requirements. The sponsor warns that any further issues could trigger contract termination, which would significantly reduce the clinic’s Medicare patient base.

  • The clinic’s reputation in the community is harmed as word spreads that patients felt “pushed” into a particular plan.

If the clinic had implemented the controls described above, the outcome could have been very different. Written policies and scripts would show that management instructed staff to remain neutral, training logs would demonstrate that staff had received compliance training, and monitoring records would help the sponsor and CMS view this as an isolated deviation instead of a systemic failure. Corrective action could then focus on targeted coaching, not contract risk.

Self-Audit Checklist

Use this brief table to verify that your practice has the basics in place. Each task is directly traceable to obligations that flow from 42 CFR 423.504.

| Task | Responsible Role | Timeline/Frequency | CFR Reference |
|---|---|---|---|
| Inventory all Part D and MA contracts and identify whether the practice is an FDR or downstream entity in each. | Practice manager or administrator | Annually, and when new contracts are signed | 42 CFR 423.504(b)(4), (e) |
| Draft and approve a plan-neutral communication policy covering staff interactions with Medicare beneficiaries. | Medical director with compliance lead | Initial creation, then review every 2 years | 42 CFR 423.504(b)(4)(vi) |
| Implement standard scripts for responding to plan choice questions and train all staff who talk to patients. | Compliance lead or office supervisor | At hire and at least annually | 42 CFR 423.504(b)(4)(vi) |
| Maintain evidence of completion of required Part C/D compliance and FWA training for applicable staff. | HR or training coordinator | At hire and annually | 42 CFR 423.504(b)(4)(vi) |
| Review clinic signage, brochures, and materials for any plan-specific endorsements or bias. | Compliance lead with front-desk supervisor | Before each open enrollment period | 42 CFR 423.504(b)(1), (b)(4) |
| Log and review any plan-sponsored events, rep visits, or educational sessions in the clinic. | Practice manager | Ongoing, with quarterly review | 42 CFR 423.504(b)(4)(vi) |
| Test reporting pathways by confirming staff know how to raise concerns about potential steering. | Compliance lead | Annually through staff survey or huddles | 42 CFR 423.504(b)(4)(vi) |

Completing this table and saving evidence of each task gives both the sponsor and CMS concrete proof that your practice understands and is implementing requirements tied to 42 CFR 423.504.

Common Audit Pitfalls to Avoid Under 42 CFR 423.504

Auditors and sponsors tend to see the same steering missteps over and over again. Focusing on these high-impact errors can significantly reduce risk.

  • Allowing staff to say that one plan is “best” or “recommended” by the clinic, without any documentation or training supporting neutral communications, suggests a failure to implement effective policies and training under 42 CFR 423.504(b)(4)(vi), and can lead to corrective actions or contract sanctions.

  • Displaying marketing materials for only one or two plans, especially near check-in areas, can be interpreted as steering beneficiaries to a limited set of plans, raising questions about whether the sponsor’s oversight of downstream entities meets 42 CFR 423.504(b)(4) requirements.

  • Letting plan representatives hold events in the waiting room without monitoring the content or ensuring balanced information may signal weak internal controls and monitoring under the sponsor’s compliance program obligations.

  • Failing to distinguish between objective clinical advice (for example, explaining which drugs are covered under a patient’s current plan) and plan selection advice (“You should switch to Plan Y”) risks blurring clinical judgment with marketing, which sponsors must tightly control under their contract with CMS.

  • Not tracking staff completion of Part C/D compliance and FWA training means the sponsor cannot show CMS that training obligations flowing from 42 CFR 423.504(b)(4)(vi) have been met for downstream entities.

  • Ignoring or downplaying patient complaints about plan-related conversations deprives the sponsor of the prompt response and corrective action required by its compliance program and may worsen CMS findings if a complaint escalates.

By identifying and correcting these pitfalls early, a small clinic reinforces the sponsor’s ability to demonstrate an effective compliance program under 42 CFR 423.504 and greatly reduces the likelihood of being caught in the middle of a plan-level enforcement action.

Culture & Governance

Sustainable compliance around plan steering cannot depend on a single memo. It must be woven into daily operations. Leadership should clearly assign ownership of Medicare communications and steering risk, typically to a physician leader and an administrative compliance lead who together oversee policies, training, and responses to sponsor requests.

Staff training cadence should mirror sponsor expectations: initial training at hire, annual refreshers, and event-driven updates when CMS or the sponsor changes guidance. Short, practical sessions that use real patient scenarios work better than long slide decks. Training should consistently tie staff responsibilities to the fact that the practice is part of the sponsor’s compliance framework under 42 CFR 423.504.

Simple monitoring metrics help keep everything on track. Examples include: the percentage of staff current on required training; the number and type of plan-related complaints; and periodic reviews of scripts and signage for neutrality. Leadership should review these at least annually and discuss them with any major Part D sponsors as evidence of proactive compliance.

Finally, a healthy culture encourages staff to ask questions before speaking about plan choices, rather than improvising. When people feel safe saying “I am not sure if I can say that; let me check our policy,” the clinic is far less likely to drift into steering behavior.

Conclusions & Next Actions

Part D sponsors live under a microscope, and 42 CFR 423.504 places much of the responsibility for preventing steering and other communication violations on their compliance programs and their oversight of FDRs and downstream entities. Small practices that treat plan steering as “just a marketing issue” or “someone else’s problem” place both themselves and their sponsor partners at risk.

A lean but deliberate approach allows a clinic to protect patient trust, remain unbiased in plan discussions, and demonstrate to sponsors and CMS that it understands and fulfills its obligations. Practical policies, short training modules, and simple logs can all be built with existing tools and staff time.

Five concrete next steps for a small clinic are:

  1. Identify which of your payers treat the practice as an FDR or downstream entity and pull the contract sections that reference compliance, training, or communications under 42 CFR 423.504.

  2. Draft a single, clear, one-page policy and script on plan-neutral communications, and have every staff member who talks to patients sign that they have read and will follow it.

  3. Make sure all applicable staff complete required Part C/D compliance and FWA training, and add a five-minute segment on steering and neutral communications to your next staff meeting.

  4. Review your waiting room and website for any plan-specific signs, brochures, or statements that could look like endorsements, and replace them with balanced materials or referrals to unbiased resources.

  5. Set up a basic monitoring and reporting mechanism, so staff can raise concerns confidentially and leadership can demonstrate how it responds and improves over time.

Recommended compliance tool: A shared “Medicare Plan Interaction” log and policy folder on your existing network or EHR, used to store scripts, training records, and any sponsor correspondence about beneficiary communications.

Advice: Before the next open enrollment, walk through your clinic as an auditor would and remove or rewrite anything that could be interpreted as recommending one Part D plan over another.
