CMS Fraud, Waste, and Abuse Training: Requirements, Timeline, and Attestation Guide

Training Requirements and Frequency

Who must complete training

If you work with Medicare Advantage or Part D plans—either as the plan sponsor or as a first tier, downstream, or related entity (FDR)—you must complete General Compliance Training and Fraud, Waste, and Abuse (FWA) training. This includes employees, temporary workers, volunteers, contractors, and governing body members who touch Medicare Parts C and D Compliance activities.

Frequency and timeline

Complete training within 90 days of hire or contracting and repeat it at least annually. “Annually” means every 12 months, though most organizations align to the calendar year and set an internal deadline of December 31. Build reminders into your learning system so managers can track due dates and prevent lapses that could surface in Compliance Audit Procedures.

Scope of coverage

• General Compliance Training: required for all FDRs and staff who support Medicare Parts C and D operations.
• FWA training: required for most FDRs and plan staff; some entities qualify for the deeming exception described below.
• Code of Conduct: distribute and document acknowledgement annually; reinforce non-retaliation and reporting expectations.

Training Content Overview

General Compliance Training essentials

• Standards of conduct and your organization’s expectations.
• The seven elements of an effective compliance program (governance, policies, training, reporting, enforcement, monitoring/auditing, and corrective action).
• How to report concerns without fear of retaliation and what happens after a report.
• Roles and responsibilities for leaders, managers, and staff supporting Medicare Parts C and D Compliance.

FWA training essentials

• Definitions and examples of fraud, waste, and abuse (e.g., billing for services not rendered, upcoding, kickbacks, duplicate claims).
• Common FWA risk areas for sponsors and FDRs (provider contracting, formulary management, pharmacy claims, sales and marketing, enrollment, grievances and appeals).
• Red flags and how to escalate promptly to your compliance office or anonymous reporting channels.
• Consequences of FWA, including overpayments, civil monetary penalties, exclusion, and contract actions.

Role-based tailoring

Use scenarios that match your function—pharmacy operations, claims, utilization management, agent/broker sales, or provider offices. When you leverage Fraud Waste and Abuse (FWA) Training Modules from the Medicare Learning Network (MLN) or an internal LMS, add department-specific examples and job aids to ensure the content is actionable.

Training Delivery Methods

Acceptable formats

• Web-based modules (e.g., MLN) with knowledge checks and certificates.
• Instructor-led sessions or live webinars recorded for on-demand viewing.
• Self-study with a completion attestation and scored assessment.

Tracking and accessibility

• Use a learning management system to assign courses, capture completions, and generate reports by business unit and FDR.
• Provide accessible formats and translations where appropriate; document accommodations.
• Issue completion certificates and store them centrally to support the Training Attestation Process and audits.

Quality and version control

Review training content at least annually and upon regulatory or operational changes. Keep version histories so you can show what material an employee saw on a given date, which is critical during Compliance Audit Procedures.

Attestation and Documentation

Training Attestation Process

Two levels of attestation are typical. Individuals attest they completed General Compliance Training and FWA modules. Organizations (plan sponsors or FDRs) attest annually that all in-scope workforce members completed required training, that a Code of Conduct was distributed, and that policies are in place. You usually submit organizational attestations to the contracting plan via its vendor portal or designated template; you do not submit to CMS unless requested during an audit.

What to document

• Completion roster: employee name, role, NPI (if applicable), department, hire/contract date, training titles, completion dates, and scores.
• Certificates: MLN or internal module certificates saved as PDF with learner ID and date/time stamp.
• Content evidence: syllabus, objectives, slide decks, knowledge checks, and the version presented.
• Policy artifacts: Code of Conduct acknowledgements, non-retaliation policy, and reporting procedures.

Common submission practices

Plan sponsors often request either a file upload of completion reports or a signed organizational attestation by a compliance officer. Maintain a standard package you can provide within short notice: roster, certificates, policies, and your training calendar.

Record Retention Policies

Retention period and scope

Maintain training and attestation records for at least 10 years. Apply legal holds to pause destruction if an investigation, audit, or litigation is anticipated or ongoing. Include workforce rosters, certificates, content versions, policies, attestations, and evidence of Code of Conduct distribution.

Storage and retrieval

• Store records in a secure repository with role-based access and routine backups.
• Index by employee, FDR, and year so you can retrieve proof within required timelines.
• Encrypt sensitive data at rest and in transit; log access and changes for accountability.

Data integrity and continuity

Document your retention schedule and destruction procedures. If you switch LMS platforms or vendors, migrate historical data and validate completeness so Medicare Parts C and D Compliance documentation remains intact.

Deeming Exception Criteria

Who is deemed for FWA training

Entities and individuals enrolled in Medicare Part A or Part B are generally deemed to have met the FWA training requirement. This often includes hospitals, physician practices, DMEPOS suppliers, and many pharmacies that bill Medicare. Deeming simplifies the FWA requirement but does not change other obligations.

What deeming does not cover

• Deeming applies only to FWA training—not to General Compliance Training. You must still complete and document General Compliance Training if you perform work for a Part C or D sponsor.
• Administrative vendors not enrolled in Medicare (e.g., PBMs, call centers, IT, marketing firms) are not deemed and must complete FWA training.
• Plan sponsors may still request proof of Medicare enrollment and may require an organizational attestation acknowledging deeming status.

Compliance Monitoring and Auditing

Ongoing monitoring

• Monthly or quarterly reports showing assignment, completion rates, and overdue items for both employees and FDRs.
• Automated reminders and escalations to managers and vendor liaisons.
• Spot checks to verify that certificates match roster entries and that new hires complete training within 90 days.

Risk-based audits

• Sample departments or FDRs with higher exposure (claims, pharmacy, utilization management, sales/marketing) and test end-to-end controls.
• Review training content quality, version control, testing rigor, and accessibility.
• Validate the Training Attestation Process, including signatory authority and evidence supporting the attestation.

Corrective actions and reporting

• Document findings with clear root causes, assign corrective actions and owners, and set due dates.
• Track completion and verify effectiveness—e.g., improved on-time training rates or reduced exceptions.
• Report outcomes to governance (compliance committee and board) as part of General Compliance Training oversight.

Conclusion

To stay compliant, deliver timely General Compliance and FWA training, document completions and attestations, retain records for 10 years, apply the deeming exception correctly, and test your program through routine monitoring and risk-based audits. A disciplined approach protects beneficiaries, safeguards federal funds, and positions you for successful reviews.

FAQs

What are the CMS FWA training deadlines?

Complete FWA training within 90 days of hire or contracting and at least annually thereafter. Most organizations use a calendar-year cycle and set an internal deadline of December 31, but you should follow the specific dates your contracting plan sponsor communicates.

How is training attestation submitted?

Individuals attest within the learning system when they finish a course. Organizations provide an annual attestation to each contracting plan—often through a vendor portal or designated form—confirming that all applicable staff completed General Compliance Training and FWA training (or are properly deemed) and that a Code of Conduct was distributed.

What records must providers retain?

Keep completion rosters, certificates, training content versions, Code of Conduct acknowledgements, policies, and organizational attestations. Retain these records for at least 10 years, pausing destruction if an audit, investigation, or litigation is pending.

How does the deeming exception apply to Medicare Part A and B providers?

Providers and suppliers enrolled in Medicare Part A or B are generally deemed to have satisfied the FWA training requirement. Deeming does not waive General Compliance Training, and plan sponsors may request proof of enrollment and an attestation that you rely on deeming for FWA.