The Centers for Medicare and Medicaid Services (CMS) recently issued a final rule that includes several anti-fraud measures and significantly enhances the agency’s authority to exclude new and current providers and suppliers that are identified as posing an undue risk of fraud, waste or abuse. The new measures require providers and suppliers to disclose to CMS upon its request and upon application for initial enrollment or revalidation any “affiliations” or parties who have one or more defined “disclosable events.” The rule went into effect November 4, 2019.
The new rule requires all providers to disclose any current or prior affiliations within the past five years that the provider—or any of its owning or managing employees or organizations—has or had with a current or former Medicare provider with a “disclosable event,” which is triggered by any of the following:
- an uncollected debt to CMS
- current or previous payments suspension from a federal health care program
- current or previously exclusion from healthcare programs
- previous denial, revocation or termination of Medicare, Medicaid or CHIP billing privileges
The term “affiliation” is broadly defined to include any of the following conditions:
- a five percent or greater direct or indirect ownership in another organization
- a general or limited partnership interest in another organization
- an interest in which the entity or individual “exercises operational or managerial control over or directly or indirectly conducts, the day-to-day operations of another organization”
- an interest in which the individual acts as “an officer or director of a corporation”
- any reassignment relationship under 42 F.R. § 424.80 (which prohibits reassignment of claims by suppliers under the Medicare program)
Whenever there is a “triggering affiliation,” the provider must disclose certain information about the affiliates such as legal and fictitious names, tax ID number, national provider identifier, the reason for the disclosure, the length of the relationship, the type of relationship, the degree of affiliation, and, if applicable, the reason for termination.
CMS can deny or revoke enrollment if it determines the affiliation “poses an undue risk of fraud, waste or abuse.” This power extends to both reported and unreported affiliations. CMS can also deny enrollment or revoke an existing enrollment if it requests information about the affiliation and the provider fails to “fully and completely disclose” the required information when it “knew or should have known of the information.”
When the rule was originally proposed, the public comments raised concerns about the broad authority of CMS to determine whether there is “an undue risk of fraud, waste or abuse.” In response CMS stated that it would only take actions against a provider “after careful consideration of the facts and circumstances.” The final rule also gives CMS more authority and discretion to revoke or deny Medicare enrollment if:
- the agency determines that it previously excluded providers or suppliers attempting to reenter the program under a different identifier (name, numeral identifier, business identity)
- a provider or a supplier bills for services or items that it knew or should have reasonably known are from non-compliant locations
- a physician or eligible professional exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services, or drugs
- a provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department
CMS has also been given new authority to prohibit a provider from enrolling in Medicare for up to three years if the basis for its initial enrollment denial was the submission of false or misleading information on its application. Under certain circumstances CMS can also extend the re-enrollment bar against a previously excluded provider for three up to ten years. Providers or suppliers that are revoked from Medicare for a second time may be prohibited from applying to re-enroll in the program for up to 20 years.
This new rule puts a premium on making sure that a corporate compliance and ethics program thoroughly reviews the information of persons with whom the provider is doing business or entering into business relationships.