On June 1st, the Centers for Medicaid and Medicare Services (CMS) released a State Medicaid Director Letter (SMD Letter) providing guidance to states on the criminal background check and fingerprinting requirements for Medicaid provider enrollment. This sub-regulatory guidance starts a 60 day clock for state Medicaid programs to implement these enhanced provider screening requirements. Meaning, on August 1st providers determined to be at a high risk of defrauding the Medicaid program should expect fingerprint-based background checks.

The regulations requiring states to perform criminal background checks and fingerprinting on certain providers as part of the Medicaid enrollment, re-enrollment, and verification processes are not new. CMS issued these regulations in 2011 to implement Section 6401 of the Affordable Care Act, which requires the Secretary of the Department of Health and Human Services to develop procedures for screening providers and suppliers under Medicare and Medicaid. Following the release of these rules, CMS released an Informational Bulletin stating “additional sub-regulatory guidance will be issued on criminal background checks and fingerprinting requirements, following which States will have 60 days to implement these enhanced provider screening requirements.” This SMD Letter represents that additional sub-regulatory guidance.

The regulations require state Medicaid agencies to screen all providers based on categorical risk levels: “limited,” “moderate,” or “high” risk.   The state Medicaid agencies must determine which providers and provider categories fit into each risk level. High risk providers and any person with a 5 percent or more direct or indirect ownership interest in the provider must be subjected to the fingerprint-based background checks.

States will have one year from the date of the letter to perform fingerprint-based criminal background checks on all providers determined to be high risk by the states. Providers considered high risk by the Medicare program, including all home health and DMEPOS providers, who already had these background checks will not need new ones, as CMS is allowing states to rely on the Medicare provider enrollment screening process to meet this requirement.