Executive Summary

As of January 1, 2007, certain entities, including hospitals and nursing homes, may be required to provide education to their employees, contractors and agents. According to the new education requirements of the Defi cit Reduction Act of 2005 (the “DRA”), entities that receive or make at least $5 million in Medicaid payments must change their written policies and/ or their employee handbooks to include information on federal and state false claims acts, whistleblower protections and the providers’ own policies on detecting and preventing fraud. While there is some question as to whether entities covered by the education requirements must implement these education requirements now or may wait until the states amend their own Medicaid plans, we recommend that covered entities begin to implement the education requirements of the DRA.


Effective January 1, 2007, Section 6032 of the DRA (Pub. L. 109-171) requires states to amend their Medicaid plans to require entities that receive or make at least $5 million in Medicaid payments to educate their employees, agents and contractors about federal and state false claims acts and whistleblower protections. Pursuant to guidance released by the Centers for Medicare and Medicaid Services (“CMS”) on December 13, 2006 (the “Guidance”), state Medicaid agencies must amend their state plans by March 31, 2007, with a retroactive effective date of January 1, 2007, unless the state Medicaid agencies apply for an extension with CMS. In a national teleconference CMS held on January 11, 2007 (the “Teleconference”), CMS interpreted the DRA to require covered entities to comply with Section 6032 of the DRA by January 1, 2007, even if states have not amended their state plans by this date.

Covered Entities

Section 6032 of the DRA applies to all entities that receive or make payments under Medicaid totaling at least $5 million annually. In the Guidance, CMS clarifi ed that a covered entity includes a governmental agency, organization, unit, corporation, partnership, or other business arrangement (including any Medicaid managed care organization, irrespective of the form of business structure or arrangement by which it exists), whether for-profi t or not-for-profi t, that receives or makes payments under a State Plan approved under title XIX or under any waiver of such plan, totaling at least $5 million annually. Covered entities may meet the $5 million threshold in the following ways: (1) if an entity made or received payments in at least $5 million during the federal fi scal year 2006, which ended on September 30, 2006, the entity will be deemed to meet the threshold for fi scal year 2007; (2) if the entity furnished items or services at more than one location or used one or more provider identifi cation numbers or tax identifi cation numbers, because the $5 million threshold is calculated on an aggregate basis; and (3) if the entity received or paid $5 million on the basis of the date of service that accrued the payment or date when payment was received, depending on which methodology is chosen by the applicable state in which the entity resides.

Education Requirements

The education requirements of the DRA mandate that covered entities establish written policies for all employees (including management), contractors and agents that provide “detailed information” about:

  • the federal False Claims Act (sections 3729 through 3733 of title 31, United States Code);
  • administrative remedies for false claims and statements under the federal Program Fraud Civil Remedies Act (sections 3801 through 3812 of title 31, United States Code);
  • state laws pertaining to civil or criminal penalties for false claims and statements;
  • federal and state whistleblower protections under such laws;
  • the role of false claims laws in preventing and detecting fraud, waste and abuse in federal health programs; and
  • the entity’s own policies and procedures for detecting and preventing fraud, waste and abuse.

Further, the DRA requires entities to include in any existing employee handbook a specifi c discussion of:

  • the federal and state false claims acts described above;
  • the rights of the employees to be protected as whistleblowers; and
  • the entity’s policies and procedures for detecting and preventing fraud, waste and abuse.

The Guidance clarifi es several aspects of the DRA’s education requirements. First, the DRA does not require a covered entity to create an employee handbook if none exists. If the covered entity has an employee handbook, however, the covered entity must amend it. Second, the DRA requires covered entities to educate not only their employees, but also their contractors and agents. Covered entities must disseminate the written policies regarding the laws to their employees, contractors and agents and the policies must be adopted by their employees, contractors and agents. Third, the Guidance permits the policies to be written in either paper or electronic form, as long as the policies are readily available to employees, contractors and agents.

In the Teleconference, CMS made it clear that covered entities do not need to provide training sessions about their written policies. CMS, however, was less clear about whether contractors and agents must adopt the policies they receive from covered entities. CMS realized that contractors and agents may receive many and sometimes inconsistent policies from various covered entities, which may make adoption diffi cult. CMS has stated that it will bookmark this issue and clarify in future guidance whether contractors and agents must also adopt written policies received from covered entities.

Contractors and Agents

The Guidance defi nes contractors and agents as any contractor, subcontractor, agent or other person who, on behalf of the entity: (1) furnishes or authorizes the furnishing of Medicaid health care items or services; (2) performs billing or coding functions; or (3) monitors health care provided by the entity. In the Teleconference, CMS confi rmed that billing and coding vendors are contractors. CMS, however, did not clarify whether a hospital’s medical staff members or attending physicians are considered contractors of a hospital if there is no medical director or service agreement signed between the physician and the hospital. CMS stated that it will provide future guidance on this issue.

Compliance Monitoring

According to the Guidance, the education requirements of Section 6032 of the DRA must be incorporated into each state’s provider enrollment agreements. Thereafter, each state must determine the manner by which it will ensure covered entities’ compliance with the law. A state Medicaid agency may elect to provide model language to covered entities to incorporate into their written policies. Currently, at least one state, Ohio, has issued template summaries of the federal and state false claims acts and whistleblower protection laws.

Each state’s Medicaid plan also must include a description of its methodology for and frequency of compliance oversight. In addition to compliance monitoring by the state Medicaid agency, CMS may, at its discretion, independently determine compliance through audits and other means. CMS stated in the Teleconference that it does not currently have plans for enforcement.

Effective Date

As of January 11, 2007, CMS reported that no states have amended their state plans to comply with Section 6032 of the DRA. Nonetheless, CMS stated that the effective date for covered entities for the implementation of the education requirements under the DRA is January 1, 2007. CMS stated it would post on its Web site the state plans and the state plan amendments as they are approved so that covered entities can monitor the status of their state(s).


We recommend that entities that make or receive at least $5 million in Medicaid payments begin to implement the education requirements of the DRA. We also encourage covered entities to contact their state Medicaid agencies to determine the time line for amendment of their state plans, whether they have any model language for written policies, and how and when compliance will be monitored. Entities can also submit questions directly to CMS, which CMS will take into consideration when issuing future guidance, at the following e-mail address: [email protected]