Years after the enactment of the Affordable Care Act, the Centers for Medicare & Medicaid Services (CMS) has issued guidance which effectively implements the requirement from the Affordable Care Act that state Medicaid agencies conduct fingerprint and background checks for high-risk providers. State Medicaid agencies have until July 30, 2016 to implement new rules for fingerprinting and background checks in compliance with the Affordable Care Act. Failure to comply with these new fingerprint and background check requirements exposes providers to the risk of being terminated from Medicaid enrollment.

Section 6401 of the Affordable Care Act, which amended sections 1866(j)(2) and 1902 of the Social Security Act, requires the Secretary of the Department of Health and Human Services to establish procedures for screening providers and suppliers under Medicaid and Medicare and for state Medicaid agencies to comply with those procedures. CMS enacted the screening requirements with federal regulations at 42 C.F.R. Part 455 subpart E, and at 42 C.F.R. § 457.990, which makes Part 455 applicable to the Children’s Health Inusrance Program (CHIP).

The final rule includes requirements that, based on a provider’s level of risk, Medicaid agencies may need to perform fingerprint-based criminal background checks (FCBCs). The final rule further said that states have 60 days following implementation of further sub regulatory guidance by CMS on FCBCs to begin implementation of the FCBC requirement. This sub regulatory guidance (Guidance) was finally issued June 1, 2015, when CMS delivered a letter to state Medicaid directors regarding “Medicaid/CHIP Provider Fingerprint-Based Criminal Background Check.” Accordingly, state Medicaid agencies have until July 31, 2015 to begin implementation of the requirements outlined in the Guidance and have until July 31, 2016 to complete the implementation.

The Guidance, in accordance with 42 C.F.R. § 455.434, requires state Medicaid agencies to establish categorical risk levels for providers and provider categories which pose an increased financial risk of fraud, waste, or abuse to the Medicaid program. The levels are “limited,” “moderate,” and “high,” and, with some exceptions, the methods for determining which providers fall into which categories will be determined by state Medicaid agencies. If a provider’s risk level is “high,” the state Medicaid agency must require the provider to consent to criminal background checks, including fingerprinting. This requirement applies to both the provider and any person with a 5 percent or more direct or indirect ownership interest in the provider. The state Medicaid agency has the power to determine the type and extent of the background checks, as well as the method for submitting fingerprints. It may also require a provider to pay the costs for the fingerprints.

Importantly, if Medicare has already designated a risk level for a provider type, then state Medicaid agencies must apply either the same screening designation as Medicare or higher to that provider type. This means that if Medicare has designated a provider as “high” risk, then state Medicaid agencies must also apply the high risk designation to the provider. Related to this rule, a Medicaid agency is not required to conduct an FCBC on a “high” risk provider if that provider is considered a “high” risk provider by Medicare and the provider has been enrolled by Medicare. For provider types that do not have a Medicare screening designation, CMS recommends that state Medicaid agencies should use similar criteria to Medicare in making the risk-level determination. The following are the general guidelines Medicare uses in making its risk level designations:

Physicians and non-physician practitioners, medical groups, and clinics that are state-licensed would generally be categorized as “limited” risk; provider types that are highly dependent on Medicare, Medicaid and CHIP to pay salaries and other operating expenses and are not subject to additional governmental or professional oversight would be considered “moderate” risk; and those identified as being especially vulnerable to improper payments would be considered “high” risk.

Currently, Medicare designates newly enrolling home health agencies and newly enrolling Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) suppliers as “high” risk. Medicare also designates all providers that have been subject to a payment suspension or that have had billing privileges revoked at any time in the last 10 years as “high” risk.

The penalties imposed upon a provider for failing to submit the required fingerprints to a state Medicaid agency are severe. Under 42 C.F.R. § 455.416, a state must terminate or deny enrollment of a provider if the provider, or any person with a 5% or greater direct or indirect ownership interest, who is required to submit fingerprints: 1) fails to submit them within 30 days of the Medicaid agency’s request; 2) fails to submit them in the form and manner requested by the Medicaid agency; or 3) has been convicted of a criminal offense related to that person’s involvement with the Medicare, Medicaid or CHIP program in the last 10 years. However, if the Medicaid agency determines that termination or denial of enrollment is not in the best interests of the Medicaid program, it may decline to terminate or allow the provider to enroll.

Providers should monitor their Medicaid agencies’ responses to this Guidance and should be prompt in responding to request for FCBCs.