On September 23, 2010, CMS proposed a new rule to implement significant anti-fraud provisions of the Patient Protection and Affordable Care Act (Pub. L. No. 111-148), as amended by the Health Care and Education Reconciliation Act (Pub. L. No. 111-152) (collectively, ACA) that would impact providers and suppliers enrolled in Medicare, Medicaid and the Children’s Health Insurance Program (CHIP). The proposed rule emphasizes fraud prevention. These proposals attempt to steer CMS away from engaging in “pay and chase.” In such a situation, the agency detects fraud after the fact and then attempts to both recoup payments made and take actions against the perpetrators of the fraud. The rule is designed to ensure “that only legitimate providers and suppliers are enrolled in Medicare, Medicaid, and CHIP, and that only legitimate claims will be paid.” The majority of the provisions in the proposed rule would be effective on or after March 23, 2011.

The following provides summary highlights of the proposed rule, and outlines key implications of the rule for new and current providers and suppliers in Medicare, Medicaid and CHIP. Comments on the proposed rule must be submitted no later than November 16, 2010, at 5:00 p.m. ET.

I. Brief Overview

Under the rule, CMS proposed to do the following:

  • Suspend payments to a provider or supplier where a credible allegation of fraud exists;  
  • Place a temporary moratorium on enrollment, either based on provider type, geographic area or both, which would establish the authority to deny providers and suppliers the opportunity to enroll in and bill Medicare, Medicaid and CHIP when necessary to help prevent or fight fraud, waste and abuse;  
  • Strengthen and build on current provider enrollment rules to ensure potential providers and suppliers are appropriately screened according to the risk of fraud, waste and abuse before being allowed to enroll in and bill Medicare, Medicaid and CHIP;
  • Outline requirements for states to terminate providers from Medicaid and CHIP when terminated by Medicare or another state Medicaid program or CHIP;  
  • Authorize CMS to terminate providers and suppliers from Medicare when terminated by a state Medicaid program;  
  • Require institutional providers to pay an application fee; and  
  • Solicit input on how best to structure and develop provider compliance plans, now required under the ACA, that will ensure providers are aware of and comply with CMS program requirements.  

II. Summary of Key Provisions

Suspension of Payments

Section 6402(h) of the ACA states that the Secretary may suspend payments to a provider or supplier if there is a credible allegation of fraud, unless the Secretary determines there is good cause not to suspend the payments. In the proposed rule, CMS proposes to define “credible allegation of fraud” as “an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil false claims cases, and law enforcement investigations.” Furthermore, allegations would be considered reliable when they have an “indicia of reliability.” CMS proposes that the resolution of an investigation would occur when “legal action is terminated by settlement, judgment, or dismissal, or when the case is closed or dropped because of insufficient evidence.” However, the agency seeks comment on the following alternative definition of resolution of an investigation: “when a legal action is initiated or the case is closed or dropped because of insufficient evidence to support the allegations of fraud.”

Existing Medicare rules providing for suspension of payments in the case of suspected fraudulent activity limit the suspension to 180 days (with extensions allowed in certain circumstances). The proposed rule would differentiate between suspensions based on reliable information that overpayments or incorrect payments exist and suspensions based on credible allegations of fraud. In cases where suspensions are based on credible allegations of fraud, CMS proposes to eliminate the 180-day time limit.  

The ACA specifies that payments may be suspended unless there is “good cause” not to suspend them. CMS proposes the following good cause exceptions:

  • Where law enforcement makes specific requests not to suspend payments;
  • Where CMS determines that beneficiary access to necessary items or services may be jeopardized;
  • Where CMS determines that other remedies would more effectively or quickly protect Medicare funds; and
  • Where CMS determines that suspension is not in the best interests of the Medicare program.

Under the rule, CMS would evaluate whether there is good cause not to continue the suspension after the initial 180-day period for credible allegations of fraud. CMS requests comment on whether another good cause exception should be included to address suspensions that have been in place for a specific length of time (i.e., two or three years).

Section 6402(h)(2) of the ACA specifies that states may not receive federal financial participation (FFP) in cases where they fail to suspend Medicaid payments during any period when there is a pending investigation of a credible allegation of fraud against an individual or entity, unless good cause exists for a state not to suspend the payments. CMS proposes to lower the threshold level of proof that must be present to mandate a suspension of Medicaid payment. Current Medicaid regulations refer to “receipt of reliable evidence,” while CMS proposes that suspension of payment must occur when there is a “pending investigation of a credible allegation of fraud.” Credible allegations could exist whether the investigation originates with a law enforcement agency or a state Medicaid Fraud Control Unit (MFCU). In addition, CMS proposes good cause exceptions for not suspending payments, provides for quarterly certifications to ensure suspensions are not continued after the investigation is closed, specifies record retention guidelines and addresses a number of other issues in the proposed rule.


CMS included “fraud hotline complaints” under the definition of “credible evidence of fraud” in the proposed regulation. This inclusion is very interesting as CMS currently does not require providers or suppliers to report hotline complaints to CMS and it is not clear in the proposed rule to whom such hotline complaints would be made. The majority of effective compliance programs include some sort of reporting mechanism, like a hotline, where complaints can be made anonymously and it is expected that the issues reported to the hotline be addressed quickly and without retribution to the reporting individual. By tying suspension of payments to fraud hotline complaints, CMS is potentially creating a challenge for compliance officers, since this could have a chilling effect on whether entities want to continue to have a hotline if it puts them at a greater level of risk for government investigation.

Providers, particularly small entities, will likely have trouble continuing to provide services to patients with no cash flow from the government while the investigation into the suspected fraudulent activity plays out. In the past at CMS, it was not uncommon for the 180-day timeframe to be extended at least once, but there usually was a reduction in the percentage of payments suspended to address any potential interruption of services to beneficiaries during the extended suspension period. Under the proposed rule, it does not appear CMS would retain that flexibility, which could cause serious issues if providers are unable to remain financially viable and need to cease or reduce beneficiary services.

Temporary Moratorium of Potentially High Risk Providers and Suppliers

Section 6401(a) of the ACA grants CMS the authority to impose a temporary moratorium on the enrollment of new Medicare, Medicaid or CHIP providers and suppliers, including categories of providers and suppliers, if necessary, to prevent fraud, abuse and waste in these programs. Many states already utilize their existing authority to impose moratoria (e.g., California), and the ACA requires states to comply with the temporary moratoria imposed by the Secretary under this proposed regulation.  

Under the rule, CMS proposes that temporary moratoria on the enrollment of new providers and suppliers in Medicare could be imposed (and extended) in six-month increments in the following situations:  

  • CMS identifies a trend associated with a high risk of fraud, waste or abuse;  
  • A state has imposed a moratorium on enrollment in a particular geographic area and/or on a particular provider or supplier type; or
  • CMS has identified a particular provider or supplier type and/or a particular geographic area that has a high potential for fraud.

Furthermore, CMS proposes that the enrollment moratoria be limited to (i) newly enrolling providers and suppliers and (ii) the establishment of new practice locations (i.e., not to a change of locations). In addition, moratoria would not apply to changes in ownership, mergers or consolidations. While CMS indicates it would deny enrollment applications received from providers or suppliers identified in an existing moratorium, those providers and suppliers denied billing privileges based on a moratorium could appeal this determination up to and including the Department Appeal Board (DAB). Appeals would be limited to whether the temporary moratorium applies to the provider or supplier.

Finally, CMS proposes that it may lift moratoria in the following circumstances:  

  • In areas of a Presidentially-declared disaster;  
  • Where CMS has implemented safeguards to address the problem or circumstances initially necessitating the moratoria are no longer present; or  
  • In the Secretary’s judgment, the moratoria are no longer needed.  

Medicaid programs must also comply with temporary moratoria imposed by the Secretary, unless a state determines that compliance would adversely affect beneficiaries’ access to medical assistance. As mentioned above, states have the authority to impose moratoria, numerical caps or other limits for providers. Where this is determined necessary, CMS proposes that the state seek CMS’ agreement. As under the Medicare program, moratoria could be imposed (and extended) for six-month increments. The same moratoria regulations that apply to Medicaid programs would also apply to CHIP.  


A number of questions arise, including how these criteria will be communicated and whether there will be an opportunity for public input on the criteria. Additionally, while the rule specifically exempts changes of ownership, this provision could have a chilling effect on new business ventures in areas that might become subject to a moratorium while a new entity is being created.

Also of note is the fact that CMS is not subject to judicial review on the imposition of the moratoria, so it is completely at its discretion when and for what entities it imposes this new requirement.

Risk-Based Screening Criteria

Under the proposed rule, all providers and suppliers would be placed in one of three risk levels (i.e., limited, moderate and high), based on an assessment of their overall risk of fraud, waste and abuse. Screening procedures would differ for every risk level, with high-risk providers and suppliers receiving the most scrutiny. CMS and its contractors would begin applying the new categories and the related enrollment screening procedures with respect to newly enrolling providers and suppliers on March 23, 2011 (one year after enactment of the ACA), and to currently enrolled providers and suppliers beginning on March 23, 2012.

CMS seeks comments on the criteria that should be considered in assigning providers and suppliers to the various risk categories, but it is unclear whether the agency will take those comments into account since it has already placed providers and suppliers in the different risk categories in the proposed rule.

(1) Medicare

Under the rule, CMS bases the categories of risk of fraud, waste and abuse (low, moderate and high) on its data and reports from the Office of Inspector General (OIG) and Government Accountability Office (GAO). This approach has been utilized by CMS over the past couple of years for suppliers using criteria developed by the National Supplier Clearinghouse (NSC). The data used by CMS reflects information on where the highest percentage of potentially high-risk providers or suppliers has existed traditionally (i.e., Florida, Texas and California) and the provider or supplier types that continue to be a risk to the Medicare program (i.e., durable medical equipment, home health).

Specifically, the risk categories are defined as follows under the rule:

  • Limited Risk: CMS identifies physicians, non-physician practitioners, medical clinics, providers and suppliers publicly traded on the NYSE or NASDAQ (and traditional providers and suppliers including ambulatory surgical centers (ASCs)), hospitals and skilled nursing facilities (SNFs) as posing “limited” risk of fraud, waste and abuse. For “limited” risk providers and suppliers, CMS proposes that the Medicare contractors would establish and conduct the following screening tools: (1) verification that a provider or supplier meets any applicable federal regulations or state requirements for the provider or supplier type prior to making an enrollment determination; (2) verification that a provider or supplier meets applicable licensure requirements; and (3) database checks on a pre- and post-enrollment basis to ensure that providers and suppliers continue to meet the enrollment criteria for their provider/supplier type.  
  • Moderate Risk: CMS identifies nonpublic, non-government owned or affiliated ambulance service suppliers, community mental health centers (CMHCs), comprehensive outpatient rehabilitation facilities (CORFs), independent diagnostic testing facilities (IDTFs), independent clinical labs and hospice organizations because “they are generally highly dependent on Medicare, Medicaid or CHIP to pay their salaries and other operating expenses and are subject to less additional other government or professional oversight than the providers and suppliers in the limited risk category.” For “moderate” risk providers and suppliers, CMS would require pre- and post-unscheduled and unannounced site visits in addition to those screening tools applicable to the “limited” level of risk. CMS also includes currently enrolled durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) suppliers and home health agencies (HHAs) because the site visits are viewed by CMS as a way to ensure that such entities remain operational and continue to meet supplier and other Medicare, Medicaid and CHIP standards. This has consistently been a high-risk area for CMS and one where the OIG and GAO have repeatedly found CMS’ oversight efforts to be lacking.
  • High Risk: CMS identifies newly enrolled, not publicly traded, DMEPOS suppliers and HHAs as “high” risk because of the “high number of HHAs and suppliers of DMEPOS already enrolled in the Medicare program and program vulnerabilities that these entities pose to the Medicare program.” For “high” risk providers and suppliers, CMS proposes that, in addition to the screening tools applicable to the “limited” and “moderate” levels of risk, Medicare contractors would use the following screening tools in the enrollment process: (1) criminal background checks; and (2) submission of fingerprints. Both these screening tools would be applied to owners, authorized or delegated officials or managing employees of any provider or supplier within the “high” level of risk. This is a significant step for CMS since fingerprint checks, for example, have never been used in the screening process, and criminal background checks have been used sparingly.

Additionally, under the proposed rule, CMS would have the ability to move a provider or supplier to a higher risk level based on various factors, including evidence that the provider or supplier had been the victim of identity theft. Other factors that would allow adjusting the classification of a provider or supplier into a higher risk level include the provider or supplier having been placed on a previous payment suspension, or if the provider or supplier had been excluded by the OIG or had its Medicare billing privileges denied or revoked by a Medicare contractor within the previous 10 years and is attempting to establish additional Medicare billing privileges for a new practice location or by enrolling as a new provider or supplier. Another factor that would allow adjusting the risk category is if providers have been terminated or otherwise precluded from billing Medicaid.

The following tables provide a concise but detailed summary of the proposed screening requirements under the different risk categories, as well as the designated providers and suppliers under each risk category:

See table.

(2) Medicaid

Section 1902(ii)(1) of the ACA requires that states comply with the process for screening providers as established by the Secretary. CMS proposes that all the provider screening, provider application and moratorium regulations that apply to Medicaid providers will apply to providers that participate in CHIP.

For “dually-enrolled” providers, the agency notes that a state may rely on the results of the screening conducted by a Medicare contractor to meet the provider screening requirements under Medicaid and CHIP. For these providers, a state would not be required to conduct the same screening activities that Medicare contractors perform because “it would be inefficient and costly.” State Medicaid agencies could also rely on the results of the provider screening performed by their sister state Medicaid programs and CHIP.

For Medicaid-only providers or CHIP-only providers, CMS proposes that states follow the same screening procedures that CMS or its contractors follow with respect to Medicare providers and suppliers. For example, physicians and non-physician practitioners, medical groups and clinics that are state-licensed or state-regulated would generally be categorized as “limited” risk, as would providers publicly traded on the NYSE or NASDAQ. Those provider types that are generally highly dependent on Medicare, Medicaid and CHIP to pay salaries and other operating expenses and which are not subject to additional government or professional oversight would be considered moderate-risk, and those provider types identified by the state as being especially vulnerable to improper payments would be considered high-risk. States would then screen the provider using the screening tools applicable to the risk level assigned. However, CMS notes that it is not proposing to limit or otherwise preclude the ability of states to engage in provider screening activities beyond those required by the ACA, including, but not limited to, assigning a particular provider type to a higher risk level than the level assigned by Medicare.


With regard to the “high” risk category, it is unclear how CMS will address indirect owners of these entities because, under Medicare and Medicaid rules, any person (including any corporate entities) with five percent or more direct or indirect ownership of a provider or supplier must be reported.

For example, will CMS want criminal background checks and fingerprints for all indirect owners—e.g., the grandparent entity of the provider/supplier entity and above? How will CMS address corporate owners’ responsibility to submit criminal background checks and fingerprint cards?

In addition, with regard to the “high” risk category, although government enforcement efforts to date have shown fraud, waste and abuse issues with HHAs and DMEPOS suppliers in certain geographical regions (e.g., South Florida, Texas, California), it is not clear that issues with such entities are national. Because the criminal background checks and fingerprints are onerous requirements that are not currently used by Medicare, it may make sense for CMS to consider introducing such requirements in high risk geographic areas, rather than nationally, at least at this stage.  

Termination of Provider Participation

Section 6501 of the ACA requires state Medicaid programs to terminate an individual or entity’s participation in the program, if the individual or entity’s participation has been terminated under Medicare or another state Medicaid program. Although the ACA’s use of “termination” would only apply to providers, CMS believes that, based on congressional intent, this requirement should also extend to suppliers and eligible professionals who have had their Medicare billing privileges revoked. Termination would only be required in instances where enrollment was terminated or billing privileges were revoked for cause based on fraud, integrity or quality. Under the proposed rule, state Medicaid agencies would be required to terminate or deny enrollment for any provider that has its billing privileges revoked or its enrollment terminated under Medicare, another state Medicaid program or CHIP on or after January 1, 2011. As a note, although the ACA does not specifically mention termination from CHIP, CMS proposes to use its general rulemaking authority to also require termination from this program. Finally, CMS also proposes to require termination from Medicare when a state Medicaid agency terminates, revokes or suspends a provider or supplier’s Medicaid enrollment or billing privileges.

Application Fee for Existing Providers

Under Section 6401(a) of the ACA, the Secretary is required to impose an application fee on “each institutional provider of medical or other items or services or supplier.” This $500 fee would be used to conduct the screening process and to fund other “program integrity efforts” such as the enhanced screening measures. The fee would apply to all providers (current and newly eligible) billing Medicare, Medicaid and CHIP for services, with the exception of Part B medical groups or clinics and physicians and non-physician practitioners submitting a CMS 855I for enrollment in Medicare. The application fee would not be required from an eligible professional who reassigns Medicare benefits to another individual or organization, since it would not create a new enrollment of an institutional provider or supplier that would result in an application fee. The fee would be effective March 23, 2011, and for each subsequent year, the fee would be the same as the preceding year, with an adjustment made based on the consumer price index.

Under the proposed rule, CMS maintains its ability to exempt, on a case-by-case basis, a provider or supplier from the imposition of an application fee if CMS determines that the fee would result in a “hardship.” CMS could also waive the enrollment application fee for Medicaid providers for whom the state demonstrates that imposition of the fee would impede Medicaid beneficiaries’ access to care.

The application fee (or “hardship” exception waiver) would be required with the submission of an initial enrollment application, the application to establish a new practice location, as a part of a revalidation, or in response to a Medicare contractor revalidation request. Medicare contractors would not begin processing an application for either a new provider or supplier, or for a provider or supplier that is currently enrolled, until the enrollment application fee is received and credited to the United States Treasury. The fee would accompany the certification statement that the provider or supplier signs, dates and mails to the Medicare contractor if the provider or supplier uses Internet-based Provider Enrollment, Chain and Ownership System (PECOS) to enroll or revalidate. The fee would accompany the paper CMS-855 provider enrollment applications if the provider or supplier enrolls or revalidates by paper.

Mandatory Compliance Programs

Section 6102 of the ACA requires a nursing facility (NF) or a skilled nursing facility (SNF) to have a compliance and ethics program. In addition, Section 6401(a) requires providers of medical or other items or services or suppliers to establish compliance programs containing specified “core elements.” CMS states its intent to ensure that the established core elements would be similar to the required elements for NF and SNF compliance programs.

CMS is soliciting comments on the core elements that should be required for compliance plans. Specifically, CMS seeks comment on whether the seven elements of effective compliance and ethics programs, which are included in Chapter 8 of the U.S. Federal Sentencing Guidelines Manual, should serve as the foundation for the core elements. While comments on this section are due by November 16, CMS plans to issue the proposed rule on compliance program requirements in a separate, future rulemaking.


The agency is seeking input from hospitals and others about what should be required in compliance plans, as well as information about their current anti-fraud compliance programs, including how they have incorporated the seven core elements from the U.S. Sentencing Guidelines, their programs’ costs, benefits and effectiveness of such programs, and the systems necessary to implement them. CMS does not appear to be limiting the scope of the proposed mandatory compliance programs to just the seven elements, and it is unclear from the proposed rule whether CMS is considering not requiring all of the seven elements in order to demonstrate that a provider or supplier has an “effective” compliance program. Under the ACA, CMS is required to work with OIG to develop the criteria so it seems logical that whatever is ultimately developed will be based off of OIG’s existing compliance program guidance.

All Medicare/Medicaid participating providers and suppliers should be aware of this new requirement and track it closely. It is likely that providers/suppliers with established compliance programs will need to make changes to comply with the new regulations, while those who do not have a compliance program will need to act quickly to come into compliance. Therefore, providers/suppliers should begin assessing their existing compliance programs now to ensure they meet criteria such as those set forth in the various industry-specific OIG Compliance Program Guidance and/or the Federal Sentencing Guidelines. Those who do not currently have a compliance program should begin developing one that incorporates at least the basic elements set forth in the above guidance.

CMS will be closely reviewing all comments on this section to help guide it in developing the compliance requirements, so providers/suppliers would be well served to submit comments, particularly on areas such as the potential financial and implementation burdens of requiring certain elements in a mandatory compliance plan.

III. Conclusion

This proposed rule significantly expands the tools available to CMS and OIG for oversight of the Medicare and Medicaid programs and to strengthen the program integrity process. Certain provisions, including the payment suspension and enrollment moratoria provisions, will have a direct impact on both new and existing providers/suppliers, so it is important for providers/suppliers to closely follow the finalization and implementation of the provisions contained in this rule. Although certain aspects of the proposed regulations are dictated by the ACA, CMS has applied its discretion in many respects in this proposed rule, so providers/suppliers would be well-served to submit comments on areas that could have a significant financial or operational impact on their overall business.