On January 24, 2011, the U.S. Department of Health and Human Services (HHS) published rules implementing anti-fraud provisions of the Patient Protection and Affordable Care Act as amended by the Health Care and Education Reconciliation Act (PPACA) (the Final Rule). HHS also announced the results of a Health Care Fraud and Abuse Control Program (HCFAC) report showing that the government recovered a record of more than $4 billion in taxpayer dollars in FY 2010 from combating healthcare fraud. HCFAC is a joint effort between HHS and the Department of Justice (DOJ) aimed at collaboration and coordination of federal, state and local agencies and law enforcement. According to HHS, a large part of the government’s success has resulted from the Health Care Fraud Prevention & Enforcement Action Team (HEAT) that was created in 2009. A copy of the HCFAC annual report is available by clicking here.

The Final Rule implements program integrity provisions of PPACA aimed at reducing fraud, waste and abuse in the Medicare, Medicaid and Children’s Health Insurance Programs (CHIP) by changing the provider and supplier enrollment processes. Notably, CMS does not finalize regulations in this rulemaking with respect to mandatory compliance programs; rather, the agency states its intent to publish proposed rules on this issue at a later date. We set forth below a brief description of a few key provisions in the Final Rule.

  • CMS adopts new Medicare provider and supplier screening procedures in which provider and supplier types are categorized as either “limited,” “moderate” or “high” risk. New and currently enrolled providers and suppliers undergoing revalidation are screened according to their assigned risk category, with the “high” risk category to include fingerprinting. As an example, newly enrolling home health agencies and DMEPOS suppliers are included in the “high” risk screening level but hospitals, physicians and medical groups or clinics are categorized as “limited” risk. CMS may adjust a provider or supplier’s screening level from “limited” or “moderate” to “high” in certain instances.
  • States are required to follow the minimum screening methods performed under the Medicare program, but they are permitted to engage in screening activities beyond those required under Medicare. For example, a state may assign a particular provider type to a higher screening level than the level assigned by Medicare. A state Medicaid agency may rely on the results of screening performed by Medicare contractors or the Medicaid agencies or CHIPs of other states.
  • The Final Rule requires states to screen all persons disclosed with an ownership or control interest or who are agents or managing employees of a provider upon enrollment and monthly thereafter against the Office of Inspector General’s (OIG) and the General Services Administration’s exclusion lists.
  • CMS adopts rules imposing application fees on Medicare, Medicaid and CHIP “institutional provider[s] of medical or other items or services or supplier[s]” to cover the costs of the new screening measures and defines “institutional provider.”
  • CMS amends 42 C.F.R. §§ 405.370 through 405.372 dealing with suspending Medicare payments to providers. Currently, CMS may suspend payments to a provider based on reliable information that an overpayment or fraud or willful misrepresentation exists or that the payments to be made may not be correct. The regulations are amended to require that in cases of suspected fraud, CMS or a Medicare contractor must consult with the OIG and, as appropriate, the DOJ, and determine that a credible allegation of fraud exists against a provider or supplier. The amended regulations define “credible allegation” and set forth good cause exceptions to suspending payments. For example, a law enforcement agency may request that payment not be suspended because a suspension could compromise an investigation.
  • Although states have had the authority to withhold payments in cases of alleged fraud or willful misrepresentation, to date states have not been mandated to do so. The Final Rule amends 42 C.F.R. § 455.23(a) to require states to suspend payments where there is an investigation of a credible allegation of fraud under the Medicaid program. CMS explains in the preamble to the Final Rule that the payment suspensions apply to Medicaid managed care entities (MCOs) as well, such as when an investigation of credible allegations of fraud is pending against an MCO or a network provider of an MCO. Furthermore, whenever a state Medicaid agency investigation leads to the initiation of a payment suspension, the Medicaid agency must make a fraud referral to either the state Medicaid Fraud Control Unit (MFCU) or to the state’s appropriate law enforcement agency. If the MFCU or other law enforcement agency declines the referral, then the payment suspensions must cease unless the state has alternative authority to impose the suspension.
  • The Final Rule requires a state Medicaid program to deny or terminate a provider whose enrollment has been terminated under Medicare, whose Medicare billing privileges have been revoked or whose enrollment has been terminated under any other state’s Medicaid program or CHIP.

The Final Rule is effective March 25, 2011, but CMS is accepting comments on the fingerprinting requirements until sixty (60) days after the date of the Final Rule’s publication in the Federal Register. CMS expects the Final Rule to be published in the Federal Register on February 2, 2011. A copy of the display version is available by clicking here. The proposed rule, published on September 23, 2010, is available by clicking here.