On January 24, 2011, CMS finalized a rule to implement significant anti-fraud provisions of the Patient Protection and Affordable Care Act (Pub. L. No. 111-148), as amended by the Health Care and Education Reconciliation Act (Pub. L. No. 111-152) (collectively, the “Affordable Care Act” or “ACA”) that would impact both current and prospective providers and suppliers enrolled in Medicare, Medicaid and the Children’s Health Insurance Program (CHIP). The final rule emphasizes fraud prevention. These new policies attempt to steer CMS away from engaging in “pay and chase.” In such a situation, the agency detects fraud after the fact and then attempts to both recoup payments made and take actions against the perpetrators of the fraud. The rule is designed to ensure “that only legitimate providers and suppliers are enrolled in Medicare, Medicaid, and CHIP, and that only legitimate claims will be paid.”

The following provides summary highlights of the final rule, and discusses significant changes from the proposed rule. The majority of the provisions in the final rule will be effective on or after March 25, 2011.

I. Brief Overview

Under the final rule, CMS implements provisions to:

  • suspend payments to a provider or supplier where a credible allegation of fraud exists;
  • place a temporary moratorium on enrollment, either based on provider type, geographic area or both, which would establish the authority to deny providers and suppliers the opportunity to enroll in and bill Medicare, Medicaid and CHIP when necessary to help prevent or fight fraud, waste and abuse;
  • strengthen and build on current provider enrollment rules to ensure potential providers and suppliers are appropriately screened according to the risk of fraud, waste and abuse before being allowed to enroll in and bill Medicare, Medicaid and CHIP;
  • outline requirements for states to terminate providers from Medicaid and CHIP when terminated by Medicare or another state Medicaid program or CHIP;
  • authorize CMS to terminate providers and suppliers from Medicare when terminated by a state Medicaid program; and
  • require institutional providers to pay an application fee.

As a note, although CMS solicited input on how best to structure and develop provider compliance plans, now required under the ACA, the agency will respond to comments on this topic in future rulemaking.

II. Summary of Key Provisions

Suspension of Payments

Section 6402(h) of the ACA states that the Secretary may suspend payments to a provider or supplier if there is a credible allegation of fraud, unless the Secretary determines there is good cause not to suspend the payments. In the final rule, CMS defines “credible allegation of fraud” as “an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil false claims cases, and law enforcement investigations.” Furthermore, allegations would be considered reliable when they have an “indicia of reliability.” Under the rule, the resolution of an investigation occurs (and payments could resume) when “legal action is terminated by settlement, judgment, or dismissal, or when the case is closed or dropped because of insufficient evidence.”

Existing Medicare rules providing for suspension of payments in the case of suspected fraudulent activity limit the suspension to 180 days (with extensions allowed in certain circumstances). The rule differentiates between suspensions based on reliable information that overpayments or incorrect payments exist and suspensions based on credible allegations of fraud.

In cases where suspensions are based on credible allegations of fraud, the rule eliminates the 180-day time limit. However, in the final rule, CMS added a “good cause exception” to the elimination of time limits for cases where payment has been suspended for more than 18 months without resolution of the investigation. Under this exception, CMS must discontinue the payment suspension after 18 months unless (1) “the case has been referred to, and is being considered by, the [Department of Health and Human Services (HHS) Office of Inspector General (OIG)] for administrative action, or such administrative action is pending” or (2) “the Department of Justice submits a written request to CMS that the suspension of payments be continued based on the ongoing investigation and anticipated filing of criminal or civil action or both or based on pending criminal or civil action or both.”

In addition to good cause exceptions to the duration of the payment suspension, the final rule also addresses good cause exceptions to suspending payments in the first place. The ACA specifies that payments may be suspended unless there is “good cause” not to suspend them. Under the final rule, CMS would evaluate whether there is good cause not to continue the suspension after the initial 180-day period for credible allegations of fraud. The final rule allows for the following good cause exceptions: 

  •  where law enforcement makes specific requests not to suspend payments;
  • where CMS determines that beneficiary access to necessary items or services may be jeopardized;
  • where CMS determines that other remedies would more effectively or quickly protect Medicare funds;
  • where CMS determines that suspension is not in the best interests of the Medicare program; and
  • where payment suspension has been in effect for more than 180 days without resolution of the investigation.

Section 6402(h)(2) of the ACA specifies that states may not receive federal financial participation (FFP) in cases where they fail to suspend Medicaid payments during any period when there is a pending investigation of a credible allegation of fraud against an individual or entity, unless good cause exists for a state not to suspend the payments. States have long held the authority to suspend payments, but section 6402(h)(2) and the final rule diverge from traditional approaches to this authority by making payment suspension mandatory in certain circumstances.

The final rule provides a lower threshold level of proof that must be present to mandate a suspension of Medicaid payment. Current Medicaid regulations refer to “receipt of reliable evidence,” while the final rule provides that suspension of payment must occur when there is a “pending investigation of a credible allegation of fraud.” Credible allegations could exist whether the investigation originates with a law enforcement agency or a state Medicaid Fraud Control Unit (MFCU). The final rule clarifies that investigations will trigger the mandatory payment suspension only if the state agency has already made a determination that the allegation of fraud (being investigated) is a credible allegation of fraud, whereas the payment suspension will not be triggered by investigations that are used to determine whether an allegation of fraud is credible. Allegations of fraud will be considered “credible” when they have “indicia of reliability and the State Medicaid agency has reviewed all allegations, facts, and evidence carefully and acts judiciously on a case-by-case basis.” In addition, the final rule allows for six good cause exceptions for not suspending Medicaid payments:

  • where law enforcement makes specific requests not to suspend payments; 
  • where other available remedies implemented by the state more effectively or quickly protect Medicaid funds;
  • where the state determines, based upon the submission of written evidence, by the individual or entity subject to the suspension, that the suspension should be removed;
  • where recipient access to items or services would be jeopardized by payment suspension—when the (1) individual is a sole community physician, or sole source of specialized services for a community; or the (2) individual or entity serves a large number of recipients in a Health Resources and Services Administration (HRSA)-designated medically underserved area.
  • where law enforcement declines to certify to the state Medicaid agency that the investigation into the individual or entity is ongoing; and
  • where the state determines that payment suspension is not in the best interest of the Medicaid program.

Under the final rule, the states also have discretion to suspend payments only “in part” rather than “in whole” when one of the above good cause exceptions exists, or when they can determine that the fraudulent activity alleged is limited to a specific class of services or items within a broader range of services or items that the individual or entity provides and bills for. The rule also addresses a number of other issues, including record retention guidelines, as well as the requirement of quarterly certification requests from the state Medicaid agency to law enforcement (to ensure suspensions are not continued after the investigation is closed).


CMS included “fraud hotline complaints” under the definition of “credible allegations of fraud” in the final rule. This inclusion is very interesting, as CMS currently does not require providers or suppliers to report hotline complaints to CMS and it is not clear in the final rule to whom such hotline complaints would be made. The majority of effective compliance programs include some sort of reporting mechanism, like a hotline, where complaints can be made anonymously and it is expected that the issues reported to the hotline will be addressed quickly and without retribution to the reporting individual. By tying suspension of payments to fraud hotline complaints, CMS is potentially creating a challenge for compliance officers, since this could have a chilling effect on whether entities want to continue to have a hotline if it puts them at a greater level of risk for government investigation. Additionally, the inclusion of “fraud hotline complaints” raises concerns that such “hotline complaints” will lead to disingenuous allegations from competitors or disgruntled former employees resulting in unjustified payment suspensions. CMS believes that agency’s discretion to act judiciously and the statutorily required consultation between CMS and HHS-OIG prior to implementation of payment suspension will act as safeguards against the prospect of false allegations resulting in payment suspension.

Providers, particularly small entities, will likely have trouble continuing to provide services to patients with no cash flow from the government while the investigation into the suspected fraudulent activity runs its course. In the past at CMS, it was not uncommon for the 180-day timeframe to be extended at least once, but there usually was a reduction in the percentage of payments suspended to address any potential interruption of services to beneficiaries during the extended suspension period. Under the final rule, it does not appear CMS would retain that flexibility, which could cause serious access issues if providers are unable to remain financially viable and need to cease or reduce beneficiary services.

The lower threshold of proof of “credible allegations of fraud,” combined with the potential for interruption in FFP, may create impetus for states to suspend payments as a precaution in any instance where an investigation has been launched. Of course, this is somewhat accounted for vis-à-vis the good-cause exceptions available and the states’ general discretion in determining whether allegations are credible. For these reasons, CMS and HHS-OIG do not anticipate that states’ Medicaid payment suspension authority will be used any more frequently than in prior years. However, given that state Medicaid payment suspension is mandatory under the ACA and the final rule, rather than permitted (as it has been under prior Medicaid fraud enforcement regulations), one could expect, at minimum, a different mindset in the approach to fraud enforcement from state Medicaid agencies as a result.

Temporary Moratorium of Potentially High Risk Providers and Suppliers

Section 6401(a) of the ACA grants CMS the authority to impose a temporary moratorium on the enrollment of new Medicare, Medicaid or CHIP providers and suppliers, including categories of providers and suppliers, if necessary, to prevent fraud, abuse and waste in these programs. Many states already utilize their existing authority to impose moratoria (e.g., California), and the ACA requires states to comply with the temporary moratoria imposed by the Secretary under this final regulation.

Under the final rule, CMS is finalizing its proposal that temporary moratoria on the enrollment of new providers and suppliers in Medicare could be imposed (and extended) in six-month increments in the following situations:

  • CMS identifies a trend associated with a high risk of fraud, waste or abuse;
  • a state has imposed a moratorium on enrollment in a particular geographic area and/or on a particular provider or supplier type; or
  • CMS has identified a particular provider or supplier type and/or a particular geographic area that has a significant potential for fraud.

The enrollment moratoria will be limited to (i) newly enrolling providers and suppliers and (ii) the establishment of new practice locations (i.e., not to a change of locations). In addition, moratoria will not apply to changes in ownership, mergers or consolidations. In the final rule, CMS clarified that it will deny enrollment applications from providers or suppliers subject to a moratorium with pending enrollment applications unless such applications have been approved by the enrollment contractor before the imposition of the moratorium. While CMS indicates that it will deny enrollment applications received from providers or suppliers identified in an existing moratorium, those providers and suppliers denied billing privileges based on a moratorium could appeal this determination before a body up to and including the Departmental Appeal Board (DAB). Appeals would be limited to whether the temporary moratorium applies to the provider or supplier.

Under the rule, CMS may lift moratoria in the following circumstances:

  • in areas of a presidentially declared disaster;
  • where CMS has implemented safeguards to address the problem, or circumstances initially necessitating the moratoria are no longer present;
  • in the Secretary’s judgment, the moratoria are no longer needed; or
  • in the event of a public health emergency in the affected geographic area.

Medicaid programs must also comply with temporary moratoria imposed by the Secretary, unless a state determines that compliance would adversely affect beneficiaries’ access to medical assistance. As mentioned above, states have the authority to impose moratoria, numerical caps or other limits for providers. Where this is determined necessary, states will seek CMS’ agreement. As under the Medicare program, moratoria could be imposed (and extended) for six-month increments. The same moratoria regulations that apply to Medicaid programs would also apply to CHIP.

In the final rule, CMS specifies that any temporary enrollment moratorium will be announced through a notice in the Federal Register that will include the rationale for the imposition of the moratorium. CMS also added language to clarify that it will fully assess the impact of a temporary enrollment moratorium on beneficiary access to services.


Of note, CMS is not subject to judicial review on the imposition of the moratoria, so it is completely at the agency’s discretion when and for what entities they impose this new requirement.

Risk-Based Screening Criteria

Under the final rule, all providers and suppliers will be placed in one of three risk levels (i.e., limited, moderate and high) based on an assessment of their overall risk of fraud, waste and abuse. Screening procedures will differ for every risk level, with high-risk providers and suppliers receiving the most scrutiny. CMS and its contractors will begin applying the new categories and the related enrollment screening procedures with respect to newly enrolling providers and suppliers on March 25, 2011, and to currently enrolled providers and suppliers beginning on March 23, 2012. The only exception to this timeline, added in the final rule, is for fingerprint-based criminal history record checks, which will be implemented 60 days following the publication of subregulatory guidance.

Although CMS sought comments on the criteria that should be considered in assigning providers and suppliers to the various risk categories, it finalized most of the proposals with some notable exceptions, as discussed below.

(1) Medicare

Under the rule, CMS bases the categories of risk of fraud, waste and abuse—low, moderate and high— on its data and reports from the OIG and Government Accountability Office (GAO). This approach has been utilized by CMS over the past couple of years for suppliers using criteria developed by the National Supplier Clearinghouse (NSC). The data utilized by CMS reflects information on where the highest percentage of potentially high-risk providers or suppliers has existed traditionally (e.g., Florida, Texas and California) and the provider or supplier types that continue to be a risk to the Medicare program (e.g., durable medical equipment, prosthetics, orthotics and supplies (DMEPOS), as well as home health).

Under the final rule, CMS made a number of changes from the proposed rule. Most significantly, in response to comments on the proposed rule, CMS determined that Medicare Advantage companies and managed care organizations will not be subjected to the new screening requirements. Additionally, the final rule eliminated the distinction between publicly traded and non-publicly traded, and publicly-owned and non-publicly owned as criteria for assignment of any provider type to a level of screening. The rule also eliminated the distinction between government-owned and non-government-owned ambulance companies for the purposes of screening level assignments. CMS asserted that the agency “may consider additional classifications in future rulemakings.”

Specifically, the risk categories are defined as follows under the final rule:

  •  Limited Risk: CMS identifies the following providers and suppliers as posing “limited” risk of fraud, waste and abuse: physician or non-physician practitioners and medical groups or clinics (with the exception of physical therapists and physical therapist groups); ambulatory surgical centers; competitive acquisition program/Part B vendors; end-stage renal disease facilities; federally qualified health centers; histocompatibility laboratories; hospitals, including critical access hospitals; Indian Health Service facilities; mammography screening centers; mass immunization roster billers; organ procurement organizations; pharmacies newly enrolling or revalidating via the CMS-855B; radiation therapy centers; religious nonmedical health care institutions; rural health clinics; and skilled nursing facilities.

For “limited’ risk providers and suppliers, CMS states that the Medicare contractors will establish and conduct the following screening tools: (1) verification of any provider/supplier-specific requirements established by Medicare; (2) license verifications, (may include licensure checks across states); and (3) database checks (to verify Social Security Number); the National Provider Identifier (NPI); the National Practitioner Data Bank (NPDB) licensure; an OIG exclusion; taxpayer identification number; death of individual practitioner, owner, authorized official, delegated official or supervising physician.

  • Moderate Risk: CMS identifies ambulance suppliers; community mental health centers; comprehensive outpatient rehabilitation facilities; hospice organizations; independent diagnostic testing facilities; independent clinical laboratories; physical therapy, including physical therapy groups; portable x-ray suppliers; and currently enrolled (revalidating) home health agencies because “they are generally highly dependent on Medicare, Medicaid, or CHIP to pay their salaries and other operating expenses and are subject to less additional government or professional oversight than the providers and suppliers in the limited risk screening level.”

For “moderate” risk providers and suppliers, CMS will require pre- and post-unscheduled and unannounced site visits in addition to those screening tools applicable to the “limited” level of risk.

  • High Risk: CMS identifies prospective (newly enrolling) home health agencies and prospective (newly enrolling) DMEPOS suppliers as “high” risk because of the “high number of home health agencies and suppliers of DMEPOS already enrolled in the Medicare program and program vulnerabilities that these entities pose to the Medicare program.” Additionally, home health agencies and DMEPOS suppliers have consistently been a high-risk area for CMS, and one where the OIG and GAO have repeatedly found CMS’ oversight efforts to be lacking.
  • For “high” risk providers and suppliers, CMS states that, in addition to the screening tools applicable to the “limited” and “moderate” levels of risk, Medicare contractors will use the following screening tools in the enrollment process: (1) fingerprint-based criminal history record and (2) check of law enforcement repositories. Per the final rule, both these screening tools will be applied to all individuals who maintain a five percent or greater direct or indirect ownership interest in the provider or supplier. Both these screening tools will be applied to owners, authorized or delegated officials or managing employees of any provider or supplier within the “high” level of risk. The final rule removed the criteria that fingerprints be submitted using the FD-258 fingerprint card. Nevertheless, this is a significant step for CMS since fingerprint checks, for example, have never been used in the screening process, and criminal background checks have been used sparingly.

Additionally, under the final rule, CMS will have the ability to move a provider or supplier to a higher risk level based on various factors, including evidence that the provider or supplier had been the victim of identity theft. Other factors that will allow adjusting the classification of a provider or supplier into a higher risk level include the provider or supplier having been placed on a previous payment suspension, or the provider or supplier having been excluded by the OIG or had its Medicare billing privileges revoked by a Medicare contractor within the previous 10 years and is attempting to establish additional Medicare billing privileges for a new practice location or by enrolling as a new provider or supplier. Another factor that will allow adjusting the risk category is if providers have been terminated or otherwise precluded from billing Medicaid. In the final rule, CMS added that a provider or supplier that has been subject to any final adverse actions would be a basis for reassignment to the high screening level, and added six months as the length of time a provider or supplier category will be assigned to the high screening level following the lifting of a temporary enrollment moratorium. Responding to comments, CMS removed the denial of billing privileges as a basis for moving a provider or supplier into a higher risk screening level (although the agency retained revocations of Medicare billing privileges as such a basis).

 The following tables provide a summary of the proposed screening requirements under the different risk categories, as well as the designated providers and suppliers under each risk category:

Click here to view table

Click here to view table

(2) Medicaid

 The Social Security Act, as amended by the ACA, requires that states comply with the process for screening providers as established by the Secretary, and that certain provisions that apply to Medicaid also apply to CHIP. Thus, CMS has finalized its proposal that all the provider screening, provider application and moratorium regulations that apply to Medicaid providers will apply to providers that participate in CHIP. With some exceptions, CMS has adopted the Medicaid and CHIP provider screening requirements as proposed.

For “dually-enrolled” providers, a state may rely on the results of the screening conducted by a Medicare contractor to meet the provider screening requirements under Medicaid and CHIP. For these providers, states will not be required to conduct the same screening activities that Medicare contractors perform because “it would be inefficient and costly.” State Medicaid agencies may also rely on the results of the provider screening performed by other states’ Medicaid and CHIP programs.

For Medicaid-only providers or CHIP-only providers, CMS has finalized its proposal that states must follow the same screening procedures that CMS or its contractors follow with respect to Medicare providers and suppliers. For the types of providers that are recognized as providers or suppliers under the Medicare program, states will use the same screening level as assigned to that category by Medicare. For those provider types not recognized by Medicare, states will assess the risk posed by each particular provider type, including examining their programs to identify providers that may present increased risks of fraud, waste or abuse, and are expected to perform such assessment using similar criteria as those used for Medicare. For example, physicians and non-physician practitioners, medical groups and clinics that are state-licensed or state-regulated would generally be categorized as limited risk. Those provider types that are generally highly dependent on Medicare, Medicaid and CHIP to pay salaries and other operating expenses and that are not subject to additional government or professional oversight would be considered moderate risk, and those provider types identified by the state as being especially vulnerable to improper payments would be considered high-risk.

States will then screen the provider using the screening tools applicable to that assigned risk level. However, CMS did not limit states’ ability to engage in provider screening activities beyond those required by the ACA, including, but not limited to, assigning a particular provider type to a higher risk level than the level assigned by Medicare.

In the final rule, CMS has included a number of clarifications to the regulatory text in response to comments on the proposed rule, including clarifying that states must screen applications in both re-enrollment and revalidation of enrollment, that states must revalidate enrollment information of all providers at least every five years, that criminal background checks are required for providers or persons with an ownership interest in a high-risk provider of at least five percent and that fingerprints from those with such ownership interest are required upon CMS’ or the state Medicaid agency’s request. CMS is not finalizing its proposal that states must deactivate the enrollment of providers who have not billed for 12 months, nor its proposed requirement that all ordering and referring Medicaid Managed Care network providers be enrolled as participating providers. 


CMS made a number of significant changes in the final rule. Most importantly, the agency made clear that Medicare Advantage plans and managed care organizations would not be subject to the new screening requirements.

Additionally, CMS made modifications to the providers and suppliers in the different risk categories, including:

  • adding Competitive Acquisition Program/Part B Venders to the limited risk screening level;
  • adding pharmacies that are newly enrolling or revalidating via the CMS-855B to the limited screening level;
  • clarifying that occupational therapy and speech pathology providers are assigned to the limited screening level;
  • removing physical therapists and physical therapist groups from the category of non-physician practitioners that are within the limited screening level, and adding physical therapist and physical therapist groups to the moderate screening level;
  • adding portable x-ray suppliers to the moderate screening level; and
  • assigning all ambulance suppliers to the moderate screening level, regardless of whether they are publicor government-affiliated.

CMS also eliminated the distinction between (1) publicly traded and non-publicly traded, and (2) publicly owned and non-publicly owned as criteria for assignment of any provider type to a level of screening.

Finally, responding to comments from stakeholders, CMS modified the fingerprint requirements. Specifically, CMS removed the requirement that fingerprints must be submitted using the FD-258 fingerprint card. CMS also made clear that fingerprints must be collected from all individuals who maintain a five percent or greater direct or indirect ownership interest in the provider or supplier.

 Termination of Provider Participation

Section 6501 of the ACA requires state Medicaid programs to terminate an individual or entity’s participation in the program if the individual or entity’s participation has been terminated under Medicare or another state Medicaid program. Although the ACA’s use of “termination” would only apply to providers, CMS believes that, based on congressional intent, this requirement should also extend to suppliers and eligible professionals who have had their Medicare billing privileges revoked. Termination is only required in instances where enrollment was terminated or billing privileges were revoked for cause, which may include, but is not limited to, fraud, integrity or quality.

Under the final rule, state Medicaid agencies will be required to terminate or deny enrollment for any provider that has its billing privileges revoked or its enrollment terminated under Medicare, another state Medicaid program or CHIP on or after January 1, 2011. Of note, although the ACA does not specifically mention termination from CHIP, CMS is using its general rulemaking authority to also require termination from this program. For purposes of this section, “termination” means that Medicaid or Medicare has taken action to revoke the provider, supplier or eligible professional’s billing privileges, and appeal rights have been exhausted. In response to comments, CMS notes that it is in the process of establishing a secure web-based portal that will allow states to share information regarding terminated providers and is exploring options for supporting a centralized information sharing solution to give states access to the exclusion database.

In addition to the requirements under Section 6501 of the ACA, CMS is finalizing its proposal to allow termination from Medicare when a state Medicaid agency terminates, revokes or suspends a provider or supplier’s Medicaid enrollment or billing privileges.

Application Fee for Existing Providers

Under Section 6401(a) of the ACA, the Secretary is required to impose an application fee on “each institutional provider of medical or other items or services or supplier.” CMS has finalized the application fee provisions in the proposed rule with a few exceptions, described below.

The $500 application fee will be used to conduct the screening process and to fund other “program integrity efforts,” such as the enhanced screening measures. The fee will apply to all providers (current and newly eligible) billing Medicare, Medicaid and CHIP for services, with the exception of Part B medical groups or clinics and physicians and non-physician practitioners submitting a CMS 855I for enrollment in Medicare. The application fee will not be required from an eligible professional who reassigns Medicare benefits to another individual or organization, since this would not create a new enrollment of an institutional provider or supplier that would result in an application fee. The fee becomes effective March 23, 2011, and for each subsequent year will be adjusted based on the consumer price index.

Under the final rule, CMS maintains its ability to exempt on a case-by-case basis a provider or supplier from the imposition of an application fee if CMS determines that the fee would result in a “hardship.” CMS could also waive the enrollment application fee for Medicaid providers for whom the state demonstrates that imposition of the fee would impede Medicaid beneficiaries’ access to care.

The application fee (or hardship exception waiver) is required with the submission of an initial enrollment application, the application to establish a new practice location, as a part of a revalidation or in response to a Medicare contractor revalidation request. States must collect the application fee from Medicaid-only and CHIP-only providers. CMS clarifies in the final rule that a provider or supplier may submit both an application fee and a hardship exception waiver to avoid delays in the processing of the application, should the hardship exception be denied. The final rule also clarifies that the fee is non-refundable except where the provider or supplier submits both an application fee and a hardship waiver request and the waiver is subsequently approved. If a hardship exception waiver is submitted without an application fee and the waiver is denied, CMS will notify the provider or supplier and allow 30 days from the date of notification to submit the application fee.

In general, Medicare contractors will not begin processing an application for either a new provider or supplier, or for a provider or supplier that is currently enrolled, until the enrollment application fee is received and credited to the United States Treasury. The fee will accompany the certification statement that the provider or supplier signs, dates and mails to the Medicare contractor if the provider or supplier uses an Internet-based Provider Enrollment, Chain and Ownership System (PECOS) to enroll or revalidate, or the paper CMS-855 provider enrollment applications if the provider or supplier enrolls or revalidates by paper.

Mandatory Compliance Programs

Section 6102 of the ACA requires a nursing facility (NF) or a skilled nursing facility (SNF) to have a compliance and ethics program. In addition, Section 6401(a) requires providers of medical or other items or services or suppliers to establish compliance programs containing specified “core elements.” CMS solicited comments on these core elements, which it intends to be similar to the required elements for NF and SNF compliance programs. CMS plans to issue the proposed rule on compliance program requirements in a separate, future rulemaking and is not finalizing compliance plan requirements at this time. In comments, CMS received input on whether the seven elements of effective compliance and ethics programs, included in Chapter 8 of the U.S. Federal Sentencing Guidelines Manual, should serve as the foundation for the core elements. CMS will respond to comments it received on this section of the rule in future rulemaking.


The agency sought input from hospitals and others about what should be required in compliance plans, as well as information about their current anti-fraud compliance programs, including how they have incorporated the seven core elements from the Federal Sentencing Guidelines, their programs’ costs, benefits and effectiveness of such program, and the systems necessary to implement them. CMS does not appear to be limiting the scope of the proposed mandatory compliance programs to just the seven elements, and it is unclear from the proposed rule whether CMS is considering not requiring all of the seven elements in order to demonstrate that a provider or supplier has an “effective” compliance program. Under the ACA, CMS is required to work with OIG to develop the criteria, so it seems logical that whatever is ultimately developed will be based off of OIG’s existing compliance program guidance.

All Medicare/Medicaid participating providers and suppliers should be aware of this new requirement and continue to track it closely. It is likely that providers/suppliers with established compliance programs will need to make changes to comply with the new regulations, while those who do not have a compliance program will need to act quickly to come into compliance. Therefore, providers/suppliers should begin assessing their existing compliance programs now to ensure they meet criteria, such as those set forth in the various industry-specific OIG Compliance Program Guidance and/or the Federal Sentencing Guidelines. Those who do not currently have a compliance program should begin developing one that incorporates at least the basic elements set forth in the above guidance.

 III. Conclusion

This final rule significantly expands the tools available to CMS and OIG for oversight of the Medicare and Medicaid programs and to strengthen the program integrity process. Certain provisions, including the payment suspension and enrollment moratoria provisions, will have a direct impact on both new and existing providers/ suppliers, so it is important for providers and suppliers to closely follow the implementation of the provisions contained in this final rule. In addition, more program integrity regulations are expected this year. According to the Office of Management and Budget’s Unified Agenda, CMS intends to issue further rulemaking in 2011 to target fraud, waste and abuse using the provider and supplier enrollment requirements under the Affordable Care Act and the agency’s authority prior to the enactment of the ACA. The Unified Agenda shows expected release dates for these proposed rules of May and September, 2011.