On February 2, 2011, the Centers for Medicare & Medicaid Services (CMS) published a final rule with comment period (Final Rule) implementing provisions of the Affordable Care Act (ACA) that strengthen provider and supplier screening provisions under Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).1 The rule is effective March 25, 2011, as mandated by the ACA (although as discussed below, CMS is delaying the effective date of a provision requiring fingerprintbased criminal history record checks for certain providers until after additional subregulatory guidance is issued).

Among many other things, the Final Rule applies various screening tools, including unannounced site visits, background checks, and fingerprinting, based on the level of risk associated with different provider and supplier types. The Final Rule also: imposes application fees on institutional providers and suppliers; authorizes CMS and states to impose moratoria on new provider enrollment to protect against a high risk of fraud; authorizes the suspension of payments pending an investigation of a credible allegation of fraud; provides guidance to states regarding termination of providers from Medicaid and CHIP if terminated by Medicare or another state program; and addresses termination of providers and suppliers from Medicare if terminated by a Medicaid state agency. The rule also discusses comments regarding an ACA requirement that providers or suppliers in certain industry sectors establish compliance programs; these comments will be considered in a future rulemaking.

CMS notes it has identified specific provisions surrounding implementation of fingerprinting for certain providers and suppliers that may be subject to change based on public comments; comments on the fingerprinting requirements only will be accepted until April 4, 2011.

The following is a summary of the major provisions of the extensive Final Rule. We would be pleased to provide you with additional information on any aspect of the new regulations.

Risk-Based Provider Screening Under Medicare, Medicaid and CHIP

The Final Rule implements ACA provisions that require the Secretary of Health & Human Services (HHS) to establish procedures for screening providers and suppliers participating in federal health care programs (specifically, Medicare, Medicaid and CHIP). The Secretary is authorized to set different levels of screening depending upon the type of provider or supplier.

The screening procedures will apply to newly-enrolling Medicare, Medicaid, and CHIP providers, suppliers, and eligible professionals beginning March 23, 2011. The procedures also are applicable beginning March 23, 2011 for currently-enrolled providers and suppliers who revalidate their enrollment information. The screening procedures apply to all currently-enrolled providers, suppliers, and eligible professionals beginning March 23, 2012. Effective March 23, 2012, CMS could require a provider or a supplier, including a supplier of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS), to revalidate its enrollment at any time; after this off-cycle revalidation, the current cycle for revalidation (three years for DMEPOS suppliers and five years for all other providers) will apply.

Medicare Screening

Assignment of Risk Levels

The Final Rule establishes new screening requirements for Medicare providers and suppliers that vary based on different categories of risk, taking into account factors such as studies conducted by the HHS Office of Inspector General (OIG) and the Government Accountability Office (GAO). CMS is establishing three levels of risk – Limited, Moderate, and High – and every provider and supplier category will be assigned to one of these three levels. The relevant Medicare contractor must use the screening tools mandated by CMS for the risk level assigned to a particular provider or supplier category.

Factors CMS believes warrant assignment of a provider type to a particular risk category include the following:

  • “Limited” Risk Category: CMS’s analysis of historical trends and provider screening experience indicates that that a number of specific provider and supplier types pose limited risk to the Medicare program. In the September 23, 2010 proposed rule (Proposed Rule), CMS had suggested that a provider or supplier that was publicly traded on the New York Stock Exchange (NYSE) or the National Association of Securities Dealers Automated Quotation System (NASDAQ) posed a limited risk because of the financial oversight provided by investors, corporate boards of directors, and the Securities and Exchange Commission. However, in the Final Rule, CMS decided not to consider all publicly-traded companies to be in the “limited risk” category, since CMS does “not believe the risk differential between publicly traded and non-publicly traded entities is such as to warrant the automatic assignment of the former into a lesser screening level.” The agency also eliminated a proposed distinction between government-owned and nongovernment owned ambulance companies for purposes of the screening level assignments.  
  • “Moderate ” Risk Category: CMS characterizes the provider and supplier types in the “moderate” risk category as “generally highly dependent on Medicare, Medicaid, or CHIP to pay their salaries and other operating expenses and subject to less additional government or professional oversight” than limited-risk providers. Such moderate risk providers also may “easily enter a line or business without clinical or business experience, for example by leasing minimal office space and equipment,” thereby presenting a higher risk of fraud. The OIG and GAO also have issued reports indicating that several of the provider and supplier types in the moderate risk category pose an elevated risk of fraud.  
  • “High” Risk Category: CMS is including two categories of providers in the “high” risk category: newly enrolling home health agencies (HHAs) and DMEPOS suppliers (as noted, CMS has not adopted a proposed distinction between publicly-traded and non-publicly traded companies for risk assessment purposes). CMS has particular concerns about these entities “because of the high number of HHAs and suppliers of DMEPOS already enrolled in the Medicare program and program vulnerabilities that these entities pose to the Medicare program.” CMS lists in the preamble numerous OIG and GAO reports that identify elevated risks associated with HHAs and DMEPOS suppliers.

In the Final Rule, CMS modified certain of its proposed provider risk assignments and specified risk levels for other provider types that were not addressed in the Proposed Rule. The following table indicates the provider/supplier types CMS includes in each of the three risk categories in the Final Rule2:

To see table please click here.

The preamble includes an extensive discussion of comments CMS received in response to the Proposed Rule’s screening provisions. For instance, CMS stated that it disagreed with commenters who suggested that length of time as a Medicare provider should be a factor in reducing a provider’s or supplier’s screening level, although CMS could consider this as part of a future rulemaking if circumstances warrant. CMS also addressed questions about the risk level for physicians who also enroll as suppliers in order to furnish DMEPOS to their patients; CMS states that such duallyenrolled physicians would be subject to the higher DMEPOS screening requirements. In response to commenters who voiced concerns about backlogs in the enrollment process as a result of the rule, CMS announced that it is “working toward consolidation of the number of enrollment contractors as a means to achieve economy of scale and greater consistency in the enrollment process.”

CMS also received various proposals to provide more individualized assessments of risk or develop subcategories of providers (such as separating orthotists and prosthetists from DME suppliers for purposes of risk assessment), as alternatives to CMS’s framework of assigning specific categories of providers and suppliers to screening levels. CMS observes that “a more nuanced and precise approach for classifying specific categories of providers and suppliers into screening levels, for example using a scoring algorithm to create categories” could meet statutory requirements if the agency could “provide an adequate rationale for the classification.” However, the agency does “not yet have experience with such an approach.” CMS likewise declined to create subcategories of providers and suppliers with different risk levels (such as a lower risk level for community pharmacy DME suppliers). Nevertheless, CMS states that it could consider additional classifications in future rulemaking.

Screening Tools by Risk Category

The following screening tools will be used for providers and suppliers in the limited risk category: (1) verification that a provider or supplier meets any applicable federal regulations or state requirements prior to making an enrollment determination; (2) verification that a provider or supplier meets applicable licensure requirements; and (3) database checks on a pre- and post-enrollment basis to ensure that providers and suppliers continue to meet the applicable enrollment criteria (although CMS has not adopted its proposal to check tax delinquency status).3 Provider and supplier categories assigned to the moderate risk category also will be subject to unannounced pre- and/or post-enrollment site visits, in addition to the screening tools for the “limited” risk category. Providers and suppliers in the high risk category will be subject to fingerprint-based criminal history record checks of law enforcement repositories.

The following chart summarizes the types of screening tools CMS will require for each of the risk categories under the Final Rule:

Final Rule: Screening Tools by Risk Category

To see table please click here.

CMS discusses at length the use of fingerprint-based criminal history record checks as a screening tool. CMS has clarified that it will require a fingerprint-based criminal history report check of the Federal Bureau of Investigations (FBI) Integrated Automated Fingerprint Identification System on all individuals who maintain a 5 percent or greater direct or indirect ownership interest in the provider or supplier. Under the Final Rule, officers, directors, and managing employees – to the extent that they do not have a 5 percent or greater ownership interest – will not be subject to the fingerprint-based criminal background checks (although CMS may seek to extend the scope of this requirement in the future if warranted). CMS has removed a proposed requirement that fingerprints be submitted using the FD-258 fingerprint card. Failure to submit required fingerprints under this section will result in denial/revocation of billing privileges. Importantly, given the need to coordinate the new fingerprintbased criminal history check policy with law enforcement agencies, address privacy concerns, educate providers and suppliers, and prepare contractors, CMS is delaying implementation of the fingerprint-based criminal history record check requirement until 60 days following the publication of subregulatory guidance.4 CMS also states it could seek alternative or additional safeguards if, after evaluation, it concludes that fingerprint-based FBI criminal history record checks are not fulfilling the objective of identifying prior to enrollment applicants who pose a heightened risk of fraud, waste, and abuse.

Moreover, CMS continues to seek comment on methods it can use to ensure the privacy and confidentiality of the records that will be generated pursuant to adopting the criminal history records check provisions. While CMS states that it will adopt all protocols issued by the FBI, CMS is interested in ways to address any other privacy concerns. CMS also seeks comments on how it can measure the effectiveness of its criminal history records check policy. Finally, CMS requests comments on whether it should adopt additional technology to identify providers and suppliers that are enrolling in the program. Comments on this issue only will be accepted until April 4, 2011.  

Adjusting Risk Levels

CMS anticipates that there may be circumstances under which a particular provider or supplier (or group of providers and suppliers) may pose a higher fraud risk than the general level for their category. To that end, CMS is authorizing the risk category for a provider or supplier to be raised to “high” if:

  • CMS imposes a payment suspension on a provider or supplier at any time in the last 10 years.
  • The provider or supplier: (1) has been excluded from Medicare; (2) has had its billing privileges revoked by Medicare within the previous 10 years and is attempting to establish additional Medicare billing privileges by enrolling as a new provider or supplier, or by billing for a new practice location; (3) has been terminated or otherwise precluded from billing Medicaid; (4) has been excluded from any federal health care program; or (5) has been subject to any final adverse action within the previous 10 years.
  • CMS lifts a temporary moratorium for a particular provider or supplier type, and such a provider or supplier applies for enrollment within 6 months of the lifting of the moratorium.  

CMS did not finalize its proposal to raise a provider’s risk level if a physician or nonphysician practitioner is subject to identity theft, since the agency agrees with commenters that using screening tools to address identity theft concerns “would not be an adequate response.” CMS had also proposed including denial of Medicare billing privileges in the previous 10 years as a basis for reassigning a provider or supplier to the high screening level, but CMS did not finalize this proposal since many denials result from a provider not meeting enrollment requirements or as a result of clerical errors. In the preamble, CMS also discusses commenters’ recommendations for additional factors that could require changing a provider’s risk level; such suggestions could be included in future rulemaking.

If a change in a particular provider or supplier type’s assignment is warranted and it necessitates a change in existing regulatory language, CMS will publish notice of the change in the Federal Register.

Medicaid and CHIP Screening

Under the Final Rule, the provider screening regulations that apply to Medicaid providers also generally will apply to providers that participate in CHIP. Likewise, while CMS refers to state Medicaid agencies as responsible for screening Medicaid-only providers, it should be read to include CHIP agencies. CMS stresses that Final Rule’s provider enrollment verification tools do not supplant or diminish those that are presently in use.  

Recognizing that it would be “inefficient and costly” for states to conduct the same screening activities that Medicare contractors perform for dually enrolled providers, CMS adopted its proposal to allow a state to rely on the results of the screening conducted by Medicare to fulfill the provider screening requirements under Medicaid and CHIP. Similarly, state Medicaid agencies may rely on the results of the provider screening performed by other state Medicaid programs and CHIP. For Medicaid-only providers or CHIP-only providers, states would follow the same screening procedures that CMS or its contractors follow with respect to Medicare providers and suppliers (including verification of any provider/supplier-specific requirements established by Medicaid/CHIP, license verification, database checks, unannounced site visits, and criminal background checks, and fingerprinting).  

With regard to assignment of risk levels, for Medicaid provider types also recognized under Medicare, CMS is requiring states to use the same risk level that is assigned to that category of provider by Medicare. For those Medicaid and CHIP provider types that are not recognized by Medicare, states would assess the risk level using similar criteria to those used in Medicare. The Final Rule specifies, however, that the rule does not restrict the ability of states to establish provider screening methods in addition to or more stringent than those specified. The Final Rule also specifies that if a provider could fit within more than one risk category, the risk category with the highest screening is applicable.  

CMS also adopted a number of provisions related to enrollment and termination of Medicaid and CHIP providers. For instance, CMS is requiring such providers to undergo screening at least once every five years, consistent with current Medicare requirements for revalidation. State Medicaid agencies should revalidate 20 percent of providers annually beginning in 2011, with the first revalidation cycle completed by 2015. While states have the discretion to determine which provider types to revalidate first, CMS notes that states “may want to consider re-validating enrollment in the first years of the cycle those providers or provider types that pose the greatest risk of fraud, waste or abuse to the Medicaid program and CHIP.”

CMS also is adopting termination provisions, under which states must deny or terminate the enrollment of providers: (1) if any person with a 5 percent or more direct or indirect ownership interest in the provider does not submit timely and accurate disclosure information or fails to cooperate with all required screening methods; (2) that are terminated on or after January 1, 2011 by Medicare or any other Medicaid program or CHIP; and (3) if any person with a 5 percent or more direct or indirect ownership interest in the provider, does not submit a set of fingerprints within 30 days of the request. States also are required to deny enrollment to providers – unless the state justifies in writing that it would not be in the best interests of the state’s Medicaid program – in the following circumstances: (1) any person with a 5 percent or greater ownership or control interest in the provider has been convicted of a criminal offense related to that person’s involvement in Medicare, Medicaid, or CHIP in the past 10 years; (2) the provider, or any person with an ownership or control interest, or who is an agent or managing employee of the provider, fails to provide timely and accurate information; or (3) the provider fails to provide access to its locations for site visits. Likewise, states are permitted to deny enrollment to a provider who has falsified any information on an application if CMS or the state cannot verify the identity of the applicant.

In the event of a termination, the state Medicaid agency must give a provider any appeal rights available under state policy. Any providers whose enrollment has been deactivated must undergo screening and pay all appropriate application fees again to enroll or re-enroll as a Medicaid provider.

  • CMS also adopted a number of other Medicaid screening provisions designed to enhance program protections, including the following:  
  • Requiring disclosures of certain information (including SSNs/tax identification numbers, addresses, and dates of birth, and information about related ownership or control interest) for individuals and corporations with an ownership or control interest in a provider;  
  • Expanding disclosure requirements for fiscal agents and managed care entities;  
  • Requiring any physician or other professional ordering or referring services for Medicaid beneficiaries to enroll as a participating Medicaid provider (except for those in managed care risk based health plans); and
  • Requiring physicians or other professionals to include their NPI on all claims for services they

order or refer.

CMS has not adopted a proposed requirement that states deactivate the Medicaid provider enrollment of any Medicaid provider that has not submitted any claims or made a referral that resulted in a Medicaid claim for a period of 12 consecutive months.  

Application Fees

The ACA requires the HHS Secretary to impose an application fee on each “institutional provider of medical or other items or services or supplier” other than eligible professionals, to fund provider screening and other program integrity efforts. The ACA set the application fee at $500 for 2010, updated annually thereafter for inflation.5  

Under the Final Rule, CMS will begin collecting the enrollment application fee for new providers and suppliers, and for currently enrolled providers revalidating enrollment, effective March 23, 2011. The fee for 2011 is $505; CMS projects that the 2012 fee will be $515, rising to $547 in 2015.  

With regard to the entities subject to the application fee, CMS defines “institutional provider” as “any provider or supplier that submits a paper Medicare enrollment application using the CMS-855A, CMS-855B (not including physician and nonphysician practitioner organizations), CMS-855S or associated Internet-based PECOS enrollment application.” CMS interprets this definition to include, but not be limited to: ambulance service suppliers; ambulatory surgical centers, community mental health centers; comprehensive outpatient rehabilitation facilities; DMEPOS suppliers; end-stage renal disease facilities; federally qualified health centers; histocompatibility laboratories; HHAs; hospices; hospitals (including but not limited to acute inpatient facilities, inpatient psychiatric facilities, inpatient rehabilitation facilities, and physician-owned specialty hospitals); critical access hospitals; independent clinical laboratories; independent diagnostic testing facilities; mammography centers; mass immunizers (roster billers); organ procurement organizations; outpatient physical therapy/occupational therapy/speech pathology services, portable X‑ray suppliers; skilled nursing facilities; slide preparation facilities; radiation therapy centers; religious nonmedical health care institutions; and rural health clinics. Moreover, a state may impose the application fee on any additional institutional entity that bills the state Medicaid program or CHIP on a fee-for-service basis, such as personal care agencies, non-emergency transportation providers, and residential treatment centers. The application fee is not applicable to physicians or non-physician practitioners, regardless of whether the physician or non-physician practitioner is organized in a small group practice. An application fee also would not be required from an eligible professional who reassigned Medicare benefits to another individual or organization, However, if a physician also enrolled as a DMEPOS supplier to furnish items to his or her own patients, the physician would be required to pay the application fee associated with the DMEPOS supplier enrollment. Likewise, if entities enrolled as more than one kind of institutional provider (e.g., a DMEPOS supplier and an HHA), the fee would have to be submitted for each enrollment.  

CMS has adopted special rules for providers and suppliers that participate in Medicare and Medicaid and/or CHIP. Under the Final Rule, a provider or supplier enrolled in more than one of these programs only would be subject to the application fee under Medicare (imposed at the time of the Medicare enrollment application), and that fee would cover screening activities for enrollment in all programs. In instances in which Medicaid providers do not participate in Medicare, the state may collect the application fee under the same criteria as the Medicare program, and the state will be responsible for conducting the provider screening activities for these providers.6 Any providers whose enrollment has been denied or terminated would be required to undergo screening and pay all appropriate application fees again to enroll or re-enroll as a Medicaid provider.  

CMS is exercising its authority to permit “hardship” exceptions to the application fee on a case-bycase basis, including for providers enrolling in disaster areas. CMS would make a hardship exception determination within 60 days of receipt of the request. CMS also is permitting states to waive the enrollment application fee for Medicaid-only or CHIP-only providers for whom a state demonstrates that imposition of the fee would impede beneficiaries’ access to care.  

CMS is requiring institutional providers and suppliers to submit the application fee (or request for a hardship exception) with each initial application, application to establish a new practice location, or with the submission of an application in response to a Medicare contractor revalidation request. The Medicare contractor may reject any such application that does not include the appropriate application fee or a hardship exception request (or if the bank account on which the application fee check is drawn does not contain sufficient funds).7 Likewise, Medicare can revoke Medicare billing privileges if an institutional provider does not submit an application fee or hardship exception request with a revalidation application.  

While application fees generally would be nonrefundable, there are some cases in which a rejected application would be returned to the provider or supplier along with the application fee. Specifically, the application fee will be refundable if: the provider opts to submit both an application fee and a hardship waiver request at the same time (i.e., to avoid a delay in processing) and the waiver request is subsequently approved; if the application is rejected prior to the initiation of screening processes; or if the application is denied as a result of the imposition of a temporary moratorium.  

Note that the application fees are expected to have a significant financial impact on Medicare and Medicaid providers. CMS estimates that Medicare application fees will total approximately $304.5 million over the next 5 years ($78 million for newly enrolling providers and suppliers and $226 million for revalidating providers and suppliers). Likewise, application fees for Medicaid providers who are not dually enrolled are expected to total about $62.9 million over the first five years ($21 million for newly-enrolled providers and $42 million for re-enrolling providers)

Temporary Moratoria on Provider/Supplier Enrollment

Under the Final Rule, CMS could impose a moratorium on the enrollment of (or new practice locations for) certain types of new Medicare providers and suppliers in a particular geographic area or nationally, if necessary, to protect against a significant risk of fraud, waste, or abuse. CMS could base its determination regarding fraud potential on a review of existing data (which CMS specifies is “without limitation”) that identifies a trend, such as a highly disproportionate number of providers or suppliers in a category relative to the number of beneficiaries, or a rapid increase in enrollment applications within a category. CMS also could impose a moratorium if a state Medicaid program has imposed such a moratorium for types of Medicaid providers or suppliers that are also eligible to enroll in Medicare or in a particular geographic area. Likewise, CMS, in consultation with the OIG and/or Department of Justice (DOJ), could impose a moratorium if it deemed a particular provider or supplier type or any particular geographic area to have “a significant potential for fraud, waste or abuse in the Medicare program.”

CMS will announce any moratoria through Federal Register notices and through other methods; such announcement will include the rationale for the imposition of the moratorium. CMS notes that it will not provide advance notice of a planned moratorium, however, since “it would likely cause a rush of enrollments” of the provider type in question.

A moratorium would be imposed for a period of six months, which could be extended in six-month increments if CMS deemed it necessary. CMS could lift a temporary moratorium in response to a natural disaster, if the circumstances warranting the imposition of a moratorium have abated or if CMS has implemented program safeguards to address the program vulnerability, if the Secretary has declared a public health emergency in the area, or if the Secretary determines that the moratorium is no longer needed. CMS will publish a Federal Register notice when it lifts a moratorium.

As it proposed, CMS is limiting the enrollment moratoria to: (1) newly enrolling providers and suppliers and (2) the establishment of new practice locations (but not to a change of practice locations or changes in provider or supplier information, such as phone number or address changes). The temporary moratoria would not apply to existing providers or suppliers unless they were attempting to expand operations to new practice locations where a temporary moratorium was imposed. CMS also specifies that the temporary moratoria would not apply to existing providers or suppliers in situations involving changes in ownership (except for changes in ownership of HHAs that would require an initial enrollment under current regulations). CMS also has clarified that the moratoria would not apply to any enrollment application that has been approved by the enrollment contractor but not yet entered into PECOS at the time the moratorium is imposed.

While the ACA provides that there is no judicial review of a temporary moratorium, CMS points out that a provider or supplier may use the existing appeal procedures at 42 CFR part 498 to administratively appeal a denial of billing privileges based on the imposition of a temporary moratorium.

In the preamble, CMS states that it received recommendations to establish moratoria for several specific provider and supplier types, including hospices, HHAs, and slide preparation facilities. CMS believes it would be “premature” to identify particular provider or supplier types that might be subject to such a moratorium, however. On the other hand, some commenters suggested that if CMS imposed a moratorium related to DMEPOS suppliers, for instance, the moratorium should not apply to new community pharmacy locations providing DMEPOS, physicians newly enrolling as DMEPOS suppliers to furnish DMEPOS to their own patients, or to orthotists and prosthetists. CMS disagreed, saying that “circumstances could justify imposing a temporary enrollment moratorium on a category of providers or suppliers and not a subset within a provider or supplier type.” Moreover, CMS believes it “would not be appropriate to exclude any provider or supplier category, for example, DMEPOS suppliers owned by community pharmacies, from being subject to a moratorium if the circumstances warrant the imposition of a temporary enrollment moratorium.” CMS also addressed a comment raising concern about a potential moratorium on DMEPOS suppliers in a DMEPOS competitive bidding area. CMS observed that all DMEPOS competitive bidding contract suppliers are required to be enrolled in Medicare as a condition of their contract, but an application to enroll a new practice location “would in all likelihood be denied” if a moratorium were imposed in its bidding area.

CMS also adopted moratoria criteria for the Medicaid program (which also apply to CHIP). State Medicaid agencies will be required to comply with a temporary moratorium imposed by the Secretary unless the state determines that such a moratorium would adversely affect Medicaid or CHIP beneficiaries’ access to care. The state would need to provide written details supporting its request for an exception from the moratorium. The rule also authorizes states to impose moratoria, numerical caps, or other limits for providers identified by the state Medicaid agency or Secretary as being at high risk/significant potential for fraud, waste, or abuse if it would not adversely impact beneficiary access to services. If a state identifies a category of providers as posing a significant risk of fraud, waste, or abuse, the state must seek CMS’s concurrence with that determination. As is the case for CMS-imposed moratoria, state-imposed moratoria would last for a period of six months and could be extended in six-month increments. In the final rule, CMS specifies that the provision does not apply to Medicaid managed care entities.

Suspension of Payments

Medicare Provisions

The Final Rule implements the ACA provision that authorizes the Secretary to suspend Medicare payments to a provider or supplier, in whole or in part, pending an investigation of a credible allegation of fraud, unless the Secretary determines that there is good cause not to suspend payments.8 The Secretary must consult with the OIG in determining whether there is a credible allegation of fraud against a provider or supplier.  

As in the Proposed Rule, the Final Rule defines “credible allegation of fraud” to include an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil false claims cases, and law enforcement investigations. Allegations are considered to be credible when they have “indicia of reliability.” In the preamble, CMS notes it had received numerous comments that the definition of “credible allegations of fraud” was too ambiguous, and that the use of unsupported fraud hotline complaints as a source of allegations could lead to unjustified payment suspensions. CMS declined to further detail a precise evidentiary standard, however, since “assessing the reliability of an allegation is a process that will occur on a case-by-case basis.” CMS also noted the “need to act judiciously when corroborating information and investigating allegations of fraud, especially when the source of the allegation is an anonymous fraud hotline complaint.” Furthermore, CMS asserts that required consultation between CMS and the OIG prior to suspending payment “will provide ample opportunity for the credibility of an allegation to be assessed and for a preliminary investigation into the allegation of fraud to occur sufficient to meet a reasonable evidentiary standard.”  

CMS also has finalized its definition of when an investigation has been resolved and the basis for the suspension of payments no longer exists. Specifically, CMS defines resolution of an investigation as when “legal action is terminated by settlement, judgment, or dismissal, or when the case is closed or dropped because of insufficient evidence to support the allegations of fraud.”  

Every 180 days after an initial suspension of payments, CMS would evaluate whether there is good cause not to continue a suspension, including requesting a certification from the OIG or other law enforcement agency that the matter continues to be under investigation warranting continuation of the suspension. In the final rule, CMS also agreed with commenters that a payment suspension should not continue indefinitely except under certain limited circumstances. Specifically, CMS will deem there to be good cause not to continue to suspend payments if a payment suspension has been in effect for 18 months without a resolution of the investigation, unless: (1) the case is being considered by the OIG for administrative action, or (2) the DOJ submits a written request to CMS that the suspension be continued based on anticipated civil or criminal action, including information specified in the regulations.

As authorized by the ACA, CMS has discretion to determine whether there is good cause not to suspend payments or not to continue to suspend payments to providers or suppliers in certain circumstances. Circumstances that may qualify as good cause not to suspend payments, despite credible allegations of fraud, could include:

  • Specific requests by law enforcement that CMS not suspend payments (if, for instance, such suspension might jeopardize an investigation);  
  • If CMS determines that beneficiary access to items or services would be so jeopardized by a payment suspension as to cause a danger to life or health; „„
  • Other available remedies implemented by CMS or a Medicare contractor (i.e., a request that a court immediately enjoin potentially unlawful conduct) could more effectively or quickly protect Medicare funds than would implementing a payment suspension; or „„
  • CMS determines that a payment suspension or a continuation of a payment suspension is not in the best interests of the Medicare program.  

Note that while providers may offer information to “rebut” a suspension of payment, there are no further due process protections. Stated otherwise, if a rebuttal is rejected, the determination is final and not subject to appeal. CMS acknowledged that it received numerous comments voicing concern about “the perceived lack of due process afforded to the provider community in this proposed rule.” However, CMS contends that the “due process protections are more than adequate.” CMS points out that providers have “ample opportunity to submit information to us in the established rebuttal statement process to demonstrate their case for why a suspension is unjustified.” CMS also asserts that its “authority will be exercised judiciously.”

Medicaid and CHIP Provisions

State Medicaid agencies have long been authorized under § 455.23 to withhold payments in cases of alleged fraud or willful misrepresentation. Under the new ACA policy, states will not receive Federal Financial Participation (FFP) in cases where they fail to suspend Medicaid payments when there is a pending investigation of a credible allegation of fraud against an individual or entity, as determined by the state in accordance with the Final Rule (unless the state determines that good cause exists not to suspend such payments). Note that CMS stresses that the Final Rule provides “a floor for protection of Medicaid funds and does not bar a State from setting a higher bar allowing for imposition of suspensions with other conditions or in other circumstances.”  

CMS has made a series of amendments to conform § 455.23 to the new ACA mandate, such as changing the current phrase “withhold payments” to “suspend payments,” deleting the current reference to “willful misrepresentation,” and changing the current reference to “receipt of reliable evidence” to “pending investigation of a credible allegation of fraud.” CMS has adopted for the Medicaid program the same broad definition of “credible allegation” as is applicable for the Medicare program, although CMS has specified in the Final Rule that states must carefully review all allegations, facts, and evidence and act judiciously on a case-by-case basis. In the preamble, CMS notes that several commenters requested a more precise definition of this term, but CMS believes that different states may have different standards, and states should have the flexibility to make determinations of what constitutes a credible allegation.

CMS also has adopted several “good cause” exceptions by which states may determine good cause exists not to suspend Medicaid payments or to suspend payments only in part (such as only specific types of claims or claims arising from a particular business unit of a provider) if specific conditions are met. These exceptions are similar to the good cause exceptions for the Medicare program, although CMS has added that the state may determine, based upon the submission of written evidence by the individual or entity that is the subject of the payment suspension, that the suspension should be removed.

The Final Rule sets forth notification requirements related to payment suspensions, including timeframes and specifications related to the content of the notifications. The state generally must notify providers within five days of suspending payments, although this notification may be delayed if requested by law enforcement agencies because of a pending investigation. The notification must, among other things, provide specific information about the allegations, inform the provider of the right to submit evidence, and set forth the applicable administrative appeals process. The Final Rule also specifies that the suspension will be temporary and must not continue after the state determines that there is insufficient evidence of fraud, or legal proceedings related to the provider’s alleged fraud are completed. The Final Rule also establishes specific documentation requirements related to any suspension and requires states to report suspected fraud referrals to its Medicaid fraud control unit or other appropriate law enforcement agency.

In response to commenters’ concerns about the application of payment suspensions to billing providers as opposed to prescribing providers, CMS notes its belief that payment suspensions would not be “the appropriate mechanism to recover Medicaid funds from one provider who inescapably, but innocently, happens to be associated with the fraudulent conduct of another provider.” While payment suspensions will only be applied based upon credible allegations of fraud, however, the agency warns that “there is no guarantee that a payment suspension will only be imposed against the billing provider as, particularly at the outset of an investigation of a credible allegation of fraud, it may be impossible to precisely determine the locus of the fraud or whether it involved collusion or conspiracy.”

Compliance Programs

By way of background, the OIG has issued voluntary compliance program guidance for a number of segments of the health care industry, outlining actions that providers, suppliers, and manufacturers should consider to promote compliance with Medicare, Medicaid, and other federal health care program rules and guidelines.9 Moreover, in some cases, the OIG requires the adoption of an effective compliance program as a condition of a settlement with the government, (i.e., as part of a corporate integrity agreement).

Under the ACA, the Secretary must mandate that “a provider of medical or other items or services or supplier within a particular industry sector or category” adopt a compliance program as a condition of enrollment in Medicare, Medicaid, or CHIP. The Secretary is given broad discretion with regard to the scope of such compliance programs. The Secretary also is authorized to determine the timeline for the establishment of compliance program requirements, considering “the extent to which the adoption of compliance programs by a provider of medical or other items or services or supplier is widespread in a particular industry sector or with respect to a particular provider or supplier category.”

Rather than propose regulatory text to implement this provision as part of the Proposed Rule, CMS solicited industry stakeholder input on the ACA compliance program requirements, to be considered as part of a separate rulemaking. CMS specifically requested feedback on use of the elements of an effective compliance and ethics program as described in Chapter 8 of the U.S. Federal Sentencing Guidelines Manual10 as the basis for the core elements of the required compliance programs for Medicare, Medicaid and CHIP enrollment. In addition to inviting comments on how CMS can establish required compliance program elements to protect Medicare, Medicaid, and CHIP from fraud and abuse, CMS invited comments on a host of specific issues related to implementation of the ACA compliance plan provision, including, among many other things: suggestions for additional compliance program elements; types of tracking and other systems necessary for effective compliance; and a reasonable timeline for establishment of a mandatory compliance program for various types and sizes of providers and suppliers.

In the Final Rule, CMS notes that it received numerous comments on compliance program elements, but CMS declined to respond to these comments within the Final Rule. Instead, CMS noted that it is in the process of developing a new notice of proposed rulemaking incorporating the compliance plan provisions, which will also address comments received on this issue. The proposed rule, which will be published “at a later date,” also will provide an opportunity for further public comment.  

Termination of Provider Participation if Revoked Under Another Program

The Final Rule implements section 6501 of the ACA, which requires state Medicaid programs to terminate an individual or entity’s participation in the program if the individual or entity has been terminated under Medicare or another state’s Medicaid program (subject to certain limitations). CMS has interpreted this mandate to apply also to Medicare suppliers or eligible professionals whose billing privileges under Medicare are revoked. Likewise, CMS is requiring that CHIP take similar actions to terminate a provider terminated or revoked by Medicare or terminated under any other state Medicaid program or CHIP. The requirement for state terminations applies only in cases where providers were terminated or had their billing privileges revoked for cause, which the Final Rule specifies could include, but would not be limited to, fraud, integrity, or quality. Termination would not be required, on the other hand, based upon a failure to submit claims over a period of 12 months or more, or any other voluntary action by a provider to end participation in Medicare (unless that voluntary action is taken to avoid a sanction).  

State Medicaid programs can terminate a provider only after all appeals rights that are available in the state have been exhausted (or the timeline for appeal has expired, as applicable). The parameters of the Medicaid termination process would be governed by the terminating state’s administrative appeals processes; thus, the “timeline and parameters for termination will vary depending on the State in which the termination occurs.” Likewise, the duration of the state termination will “be consistent with state law, and not necessarily driven by the length of the Medicare termination” or that of another state.”  

CMS also was asked about the impact of this provision when a member of a group practice is terminated; in such cases, neither the individual provider nor the group practice would be able to bill Medicaid or CHIP for services furnished by the individual provider that had been terminated On the other hand, CMS notes that because it is not required by the ACA, CMS is “not requiring States at this time to terminate affiliates of those individuals or entities that have been terminated by another Medicaid program or had their billing privileges revoked by the Medicare program.”  

This provision applies to terminations under Medicare or another state’s Medicaid or CHIP program on or after January 1, 2011 In response to questions about the feasibility of this timeline, CMS notes that it is “in the process of establishing a secure web-based portal that will allow States to share information regarding terminated providers. States should report such termination information on a monthly basis, but states will not be required to report on providers who were terminated prior to January 1, 2011


CMS asserts that its Final Rule is “of critical importance in the transition of CMS’ antifraud activities from ‘pay and chase’ to fraud prevention. CMS also maintains that the rule “strikes a balance that will permit us to continue to assure that eligible beneficiaries receive appropriate services from qualified providers whose claims are paid on a timely basis while implementing enhanced measures to prevent outright fraud. Nevertheless, we observe that the Final Rule establishes complex new regulatory burdens and imposes hundreds of millions of dollars in new costs on providers and suppliers at a time when the health industry is already facing a wide variety of reimbursement reductions and operational changes mandated by the ACA

We would be pleased answer any questions you have on the Final Rule, or to assist you in assessing and responding to the operational implications of the new policy