Medicare Administrative Contractors (MACs) are beginning the process of revalidating enrollment of all Medicare providers and suppliers according to the more stringent screening criteria required by the Patient Protection and Affordable Care Act (ACA).1 The new screening procedures represent some of the initiatives contained within the ACA that enable the Centers for Medicare & Medicaid Services (CMS) and the US Department for Health and Human Services (HHS), the agency within which CMS is housed, to more aggressively address fraud and abuse in federal health care programs. Beginning March 23, 2013, no provider or supplier will be allowed to newly enroll in Medicare or revalidate its enrollment without being screened pursuant to the new procedures.2

On August 10, 2011, CMS announced that the MACs would initiate the revalidation process by sending a revalidation notice to individual providers and suppliers.3 When an entity receives the revalidation request from the MAC, it will have 60 days from the date of the notice to submit a complete enrollment form.4 The revalidation process will occur on a rolling basis, and CMS has requested that providers and suppliers not submit revalidation information until receiving notice from the MAC.5 Failure to timely submit enrollment forms may result in deactivation of Medicare billing privileges.

To revalidate their participation in the Medicare program, providers and suppliers will undergo the more rigorous screening procedures mandated by the ACA’s risk-based approach to screening. This is applicable to all Medicare providers and suppliers, including providers in the Medicaid and Children’s Health Insurance Programs (CHIP), administered by the States.6 CMS, after consultation with HHS’ Office of Inspector General (OIG), developed the new screening procedures and began implementing them on March 25, 2011 for newly enrolling providers and suppliers and those due to revalidate their enrollment information. In order to comply with the ACA’s requirement by 2013, the MACs are initiating the revalidation of all currently enrolled providers and suppliers at this time.

In addition to the new screening requirements, the ACA mandates a number of other fraud prevention measures, thereby granting CMS additional authority to prevent fraud in the first instance and ensure that payments are only made for covered services. Providers and suppliers should be prepared for the rigor of the new screening criteria and other fraud prevention measures which have the potential to impact the receipt of government payments. The extent to which CMS’ expanded authority may cause unintended consequences for legitimate providers remains an open question, especially given recent findings by the Government Accountability Office (GAO) that the activities of the Medicare Integrity Program (MIP) – a program intended to help CMS track improper Medicare payments – are not connected to overall CMS program goals.7 Therefore, companies should take the necessary steps to plan for the new measures and align their operations accordingly. To assist companies in this process, this Client Alert discusses the ACA changes now being implemented.

HHS Risk-based Screening Measures & Implications Were Established for Medicare Providers and Suppliers

The ACA directs CMS to "determine the level of screening conducted … according to the risk of fraud, waste, and abuse, … with respect to the category of provider of medical or other items or services or supplier."8 To accomplish this, CMS evaluated a number of factors and assigned providers and suppliers to three risk categories — limited, moderate and high. The risk category of a particular provider or supplier in turn determines the level of screening that the Medicare contractor is required to perform when the provider or supplier initially enrolls in Medicare, adds a new practice location, or revalidates its enrollment information.9

The factors evaluated by CMS in assigning providers and suppliers to these categories include: CMS’ experience with claims data used to identify questionable billing practices, the expertise of CMS contractors who investigate and identify instances of potential Medicare fraud, and insights gained from studies conducted by the HHS-OIG, the Government Accountability Office (GAO), and other sources.10 Additionally, CMS accounted for certain facts that might make it easier for a particular type of business to engage in fraudulent activity. For example, CMS looked to whether individual professional licensure is required for the provider or supplier and the ease of entering the particular line of business without clinical or business expertise. CMS noted that where a provider or supplier can easily enter a line of business — such as simply leasing office space and equipment — there is a higher risk of potential fraud. In this instance, CMS believes that a higher level of pre-enrollment scrutiny will help accomplish the ACA’s goal of moving away from the "pay and chase" approach to fraud enforcement.11

Limited Risk Screening Category

The following provider and supplier types fall within the limited risk screening category:

  • Physicians;
  • Non-physician practicioners, other than physical therapists;
  • Physician group practices;
  • Non-physician group practices, other than physical therapist group practices;
  • Ambulatory surgical centers;
  • Competitive Acquisition Program/Part B vendors;
  • End-stage renal disease facilities;
  • Federally qualified health centers;
  • Histocompatibility laboratories;
  • Hospitals (including critical access hospitals, Department of Veterans Affairs hospitals, and other federally-owned hospital facilities);
  • Health programs operated by an Indian Health Program (as defined in section 4(12) of the Indian Health Care Improvement Act) or an urban Indian organization (as defined in section 4(20) of the Indian Health Care Improvement Act) that receives funding from the Indian Health Services pursuant to Title V of the Indian Health Care Improvement Act;
  • Mammography screening centers;
  • Mass immunization roster billers;
  • Organ procurement organizations;
  • Pharmacies that are newly enrolling or revalidating via the Form CMS-855B application;
  • Radiation therapy centers;
  • Religious non-medical health care institutions;
  • Rural health clinics; and
  • Skilled nursing facilities.12

CMS has determined that these types of provider and suppliers pose the least amount of risk for fraud and, as a result, these providers and suppliers will undergo the lowest level of scrutiny. At this level, the MAC will:

  • Verify that the provider or supplier meets all applicable Federal regulations and State requirements for the provider or supplier type;
  • Conduct a license verification, including license verifications across State lines for physicians or non-physician practitioners and providers and suppliers that have Medicare billing privileges as a result of State licensure; and
  • Conduct database checks on a pre- and post-enrollment basis to ensure that providers and suppliers continue to meet the enrollment criteria for their provider/supplier type.13

Moderate Risk Screening Category

The types of providers and suppliers determined by CMS to pose a moderate risk of fraud include:

  • Ambulance service centers;
  • Community mental health centers (CMHCs);
  • Comprehensive outpatient rehabilitation facilities (CORFs);
  • Hospice organizations; Independent clinical laboratories;
  • Independent diagnostic testing facilities;
  • Physical therapists enrolling as individuals or as group practices;
  • Portable x-ray suppliers (PXRSs);
  • Revalidating home health agencies (HHAs); and
  • Revalidating durable medical equipment prosthetics, orthotics, and supplies (DMEPOS) suppliers.14

For providers and suppliers in the moderate risk level category, the MAC will:

  • Perform the screening tasks required for providers and suppliers in the limited risk category; and
  • Conduct a site visit.15

According to CMS guidance, the timing and scope of the site visit will vary based on the provider or supplier type. For example, for ambulance suppliers, independent clinical laboratories and physical therapists (individuals or group practices), the MAC will conduct the site visit prior to making a decision regarding the application. For revalidating HHAs and DMEPOS suppliers, the site visit will also occur prior to the contractor reaching a decision regarding revalidation. In contrast, for CMHCs, CORFs, hospice organizations, and PXRSs, the contractor will conduct the site visit after receiving the tie-in notice from the regional office, but before Medicare billing privileges are conveyed.16

High Risk Screening Category

The high risk screening category includes:

  • Newly enrolling DMEPOS suppliers; and
  • Newly enrolling HHAs.17

When screening these types of entities, the MAC will:

  • Perform the screening tasks required for providers and suppliers in the limited risk category; and
  • Perform the screening task required for providers and suppliers in the moderate risk category.18

Also for providers and suppliers in the high risk category, CMS has proposed two additional screening activities, which have not yet been implemented:

  • Require the submission of a set of fingerprints for a national background check from all individuals who maintain a 5 percent or greater direct or indirect ownership interest in the provider or supplier; and
  • Conduct a fingerprint-based criminal history record check of the Federal Bureau of Investigation’s Integrated Automated Fingerprint Identification System on all individuals who maintain a 5 percent or greater direct or indirect ownership interest in the provider or supplier.19

CMS Flexibility To Change Risk Screening Category

Although providers and suppliers are formally assigned to one of the three risk-based screening categories, CMS additionally has authority to move a particular provider or supplier in the low or moderate risk categories into the high risk screening category. CMS may make this change if any of the following occur:

  • CMS imposed a payment suspension on a provider or supplier any time within the last 10 years;
  • CMS lifts a temporary moratorium for a particular provider or supplier type,20 and a provider or supplier that was prevented from enrolling based on the moratorium applies for enrollment as a Medicare provider or supplier any time within 6 months from the date the moratorium was lifted; or
  • The provider or supplier:
    • Has been excluded from Medicare by OIG;
    • Has had billing privilege revoked by a MAC within the previous 10 years and is attempting to establish additional Medicare billing privileges by enrolling as a new provider/supplier or obtaining billing privileges for a new practice location;
    • Has been terminated or is otherwise precluded from billing Medicaid;
    • Has been excluded from any federal health care program; or
    • Has been subject to any final adverse action within the previous 10 years.21

The ACA Confers Additional Enhanced Authority to CMS With Regard to New Applications by Medicare Providers and Suppliers as Well as Continued Governmental Payments to Providers and Suppliers

In addition to the new screening measures, the ACA grants CMS additional authority to address potential fraud and abuse in the federal and State health care programs. In combination with the enhanced screening measures, CMS explains that these measures better position the agency to move away from the current "pay and chase" approach and toward a "prevention and detection" model of identifying fraud before it occurs.22

The ACA authorizes CMS to impose moratoria on newly enrolling Medicare providers and suppliers.23 CMS has authority to impose moratoria in certain situations, such as where existing data demonstrates a trend that is associated with a high risk of fraud (for example, a rapid increase in enrollment applications for a particular category or a disproportionate number of providers and suppliers relative to the number of beneficiaries) or where CMS identifies a particular provider or supplier type or a particular geographic area as having a high risk of fraud. A moratorium may be imposed in 6-month increments, during which time CMS will not approve the enrollment application of an affected provider or supplier. The moratorium may be targeted towards a particular type of provider/supplier or the establishment of new practice locations in a given geographic area. Moratoria will not apply to reactivations, revalidations, a change in practice locations, a change of ownership, or any other change in the provider or supplier’s enrollment information.24

Additionally, the ACA expands CMS’ existing authority to suspend payments to a provider or supplier, by permitting CMS to suspend payment upon a credible allegation of fraud.25 Prior suspension authority was limited to situations where CMS proceeded with an investigation of the provider or supplier. Under the new standard, a "credible allegation of fraud" includes an allegation from any source, including fraud hotline complaints, claims data mining, patterns identified through provider audits and civil False Claims Act or law enforcement investigations.

Finally, the ACA directs a cross-termination among federal and state health programs. For example, State Medicaid agencies must terminate a provider’s enrollment when the provider is terminated by CMS or another State Medicaid agency.26 Similarly, CMS is authorized to terminate Medicare billing privileges when a State Medicaid agency terminates, revokes or suspends a provider or supplier’s Medicaid enrollment.27


The program integrity measures contained within the ACA are indicative of CMS’ increased focus on fraud and abuse prevention, which will require additional diligence by providers and suppliers in order to continue participation in the Medicare and other federal health programs. The ACA’s program integrity measures are part of an overall "Fraud Prevention Initiative" led by CMS. The scope of CMS’ authority leaves open the question of whether there will be unintended consequences for legitimate providers and suppliers. Please contact us with any questions.