CMS has issued proposed regulations (75 Fed. Reg. 58204-58248) that implement the significant screening requirements of the Patient Protection and Affordable Care Act (“PPACA”), for providers and suppliers participating in Medicare, Medicaid and CHIP. Brief highlights of the proposed regulations include:

Provider and Supplier Risk Category Assessment - The proposed rule establishes a risk assessment related to various categories of providers/suppliers, and then applies varying screening requirements based on the degree of risk presented. The procedures would apply to newly enrolling and revalidating providers and suppliers beginning on March 23, 2011, and would apply to currently enrolled providers and suppliers beginning on March 23, 2012.

Risk Category Definitions in the Proposed Regulation

Limited Risk: The limited risk category includes (i) physician or non-physician practitioners and medical groups or clinics, (ii) providers or suppliers that are publicly traded on the NYSE or NASDAQ, and (iii) ambulatory surgical centers, end-state renal disease facilities, federally qualified health centers, histocompatability laboratories, hospitals (including critical access hospitals), Indian Health Service facilities, mammography screening centers, organ procurement organizations, mass immunization roster billers, portable X-ray suppliers, religious non-medical health care institutions, rural health clinics, radiation therapy centers, public or government-owned or affiliated ambulance services suppliers, and skilled nursing facilities.

Moderate Risk: The moderate risk category includes: (i) community mental health centers, comprehensive outpatient rehabilitation facilities, hospice organizations, independent diagnostic testing facilities, independent clinical laboratories and nonpublic, nongovernment-owned or affiliated ambulance services suppliers (except that any such provider or supplier that is publicly traded on the NYSE or NASDAQ is considered “limited” risk); (ii) currently enrolled (revalidating) home health agencies (except that any such provider that is publicly traded on the NYSE or NASDAQ is considered “limited” risk); and (iii) currently enrolled (revalidating) suppliers of DMEPOS (except that any such supplier that is publicly traded on the NYSE or NASDAQ is considered “limited” risk).

High Risk: The high risk category includes prospective (newly enrolling) home health agencies and suppliers of DMEPOS (except that any such provider or supplier that is publicly traded on the NYSE or NASDAQ is considered “limited” risk).

Screening Levels

Limited Risk: In the limited risk category, screening would include verification of satisfaction of any provider/supplier – specific Medicare requirements, license verification, and database checks to verify NPI, Databank, OIG exclusion, etc.

Moderate Risk: For those of moderate risk, the foregoing checks are in place but such providers and suppliers also are are subject to unscheduled or unannounced site visits.

High Risk: High risk suppliers and providers of high risk also are subject to a criminal background check and fingerprinting of the provider or supplier or person with an ownership or control interest, or who is an agent or managing employee.

Adjustments to Risk Categories

The foregoing characterizations are not static, and CMS is prepared to adjust the classification of providers/suppliers into the high risk levels based on specific program vulnerabilities (and it also has requested comments and suggestions regarding such possible vulnerabilities). Suggested vulnerabilities include factors such as having been subject previously to a payment suspension, exclusion, or revocation of Medicare or Medicaid billing privileges, as well as those who were the victims of identity theft. Providers or suppliers also move from lower levels to high risk for six months after the suspension of any temporary moratorium (for example, as recently imposed regarding DMEPOS suppliers). CMS seeks comment on whether the screening provisions, as proposed, should be applicable to Medicaid and CHIP, and if so, what the rule should require.

Enrollment Termination and Denial

CMS also proposes regulations implementing the PPACA requirements that require states to deny and terminate enrollment to any provider/supplier (i) who does not submit timely and accurate disclosure information or fails to cooperate with all required screening methods; (ii) who is terminated on or after January 1, 2011 by Medicare or any other Medicaid or CHIP program; (iii) if any person with an ownership or control interest or who is an agent or managing employee of the provider/supplier fails to submit a set of fingerprints within thirty days of a state agency or CMS request.

For Medicaid and CHIP, including managed care, states are required to follow Medicare requisites based on the type of provider, and states must deny enrollment for the reasons set forth above, and where (i) the provider or person with an ownership or control interest or who is an agent or managing employee of the provider fails to provide accurate information; (ii) the provider fails to provide access to the provider’s location for site visits; or (iii) the provider or any person with ownership or control interest, or who is an agent or managing employee of the provider, has been convicted of a criminal offense related to that person’s involvement in Medicare, Medicaid or CHIP in the last ten years. CMS also is proposing that all providers be rescreened at least once every five years.

Application Fee

The regulations also implement the requisite provider application fee, which in 2010 is $500. It will be increased based on the CPI thereafter. Waivers are to be available based on hardship or if a state demonstrates that imposition of a fee upon certain providers would impede access.

Moratorium on Enrollment

The new regulations provide that the secretary of CMS has authority to impose a moratorium on the enrollment of new Medicare, Medicaid and CHIP providers and suppliers, including categories thereof, if the secretary determines that such moratoria are necessary to prevent or combat fraud, waste or abuse on the programs. States are bound to abide by these moratoria and may add their own.

In order for states to implement their own moratoria, however, they must seek CMS’ concurrence with that determination and provide CMS with written details of the proposal.

Payment Suspensions

The proposed rules change the framework for Medicare payment suspensions. If CMS obtains “reliable information” of an overpayment, payment may be suspended. In cases of suspected fraud, payment may be suspended if CMS (or the Medicare contractor) has consulted with the OIG (or the DOJ as appropriate) and determined that a credible allegation of fraud exists, unless there is good cause not to suspend payments. A credible allegation of fraud is defined as an allegation with “indicia of reliability.” Determinations are to be made on a case-by-case basis, reviewing all of the “circumstances and issues at hand.” Once imposed, a suspension remains in place until legal proceedings are concluded, or authorities determine that there is insufficient evidence of fraud upon which to take action.

Good cause not to suspend payments may arise if: (i) OIG or a law enforcement agency requests that suspension not be imposed to protect an investigation; (ii) it is determined that beneficiary access would be materially affected; (iii) other remedies are determined to be superior; or (iv) CMS determines that a suspension is not in the best interests of the Medicare program. In cases of suspected fraud, the presumptive 180-day limit on suspensions is eliminated. If CMS determines not to suspend because it “is not in the best interests of the Medicare program,” CMS will reevaluate that determination every 180 days.

In contrast with Medicare, in which payment suspension is permissive, the proposed regulations require states to suspend all Medicaid payments to a provider where an investigation of a credible allegation of fraud exists, unless it has good cause not to suspend or to suspend only in part. In the event of a payment suspension, the state must refer the matter to the state MFCU (or if there is no MFCU, an appropriate law enforcement agency). If the matter is accepted by the MFCU (or law enforcement agency) for investigation, the payment suspension continues until the investigation and related proceedings are completed. On a quarterly basis, the state must request a certification that the investigation continues to be ongoing. If the MFCU or law enforcement agency declines to accept the referral for investigation, the payment suspension must terminate unless a referral is made to another law enforcement agency. The regulations provide for good cause not to suspend, or to suspend only in part, largely similar to the Medicare good cause provisions.