On March 1, 2016, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that would greatly expand CMS’ program integrity enforcement capabilities, allowing enrollment denial and revocation against any provider or supplier for direct or indirect affiliations with individuals or entities that are or have previously gotten into trouble with federal healthcare programs (Proposed Rule).1 This Proposed Rule carries significant implications for all federal healthcare program providers and suppliers, but does not seem to be getting much notice. The close of the comment period is 5:00 p.m., April 25, 2016.


CMS started to expand its ability to deny or revoke Medicare enrollments based on prior affiliations last year. Effective February 2015, CMS promulgated final regulations2 increasing its ability to deny initial Medicare enrollments if the enrolling provider, supplier or owner (5% or more direct or indirect) has an existing Medicare debt (which includes overpayments). In addition, CMS may deny an initial enrollment if the enrolling provider, supplier or owner was previously the owner of a provider or supplier that had a Medicare debt when it left the program (i.e., voluntarily terminated, involuntary terminated or revoked) if: (i) the owner left the provider or supplier with the Medicare debt within one year of (before or after) its voluntary termination, involuntary termination or revocation; (ii) the Medicare debt has not been fully repaid; and (iii) CMS determines there is an undue risk of fraud, waste or abuse. In making the undue risk determination, CMS is to consider the debt amount; the length and timeframe of ownership; the percentage of ownership; appeal status; and, whether the enrolling provider, supplier or owner thereof owned the prior entity at the time the Medicare debt was incurred. In addition, CMS expanded its ability to deny enrollment or revoke Medicare billing privileges of a Medicare provider or supplier for managing employee convictions, within the preceding 10 years, of a federal or state felony offense that CMS determines is detrimental to the interests of the Medicare program. Notably, CMS already had this ability with respect to providers, suppliers and owner convictions.

This Proposed Rule, however, goes much further to expand CMS’ ability to deny and revoke enrollments. The Proposed Rule is the first step in implementing Section 6401 of the Affordable Care Act, which requires providers and suppliers to disclose on Medicare, Medicaid and Children’s Health Insurance Program (CHIP) enrollment applications current and previous affiliations (directly or indirectly) with providers or suppliers that (i) have uncollected debt; (ii) have been or are subject to payment suspension under a federal healthcare program; (iii) have been excluded from participation in Medicare, Medicaid or CHIP; or (iv) have had its billing privileges denied or revoked; and, permits denial of an application if that affiliation poses an undue risk of fraud, waste and abuse.

While aimed at curbing the ability of unscrupulous individuals from continuing fraudulent or abusive behavior by departing and re-entering federal healthcare programs or shifting activities to another enrolled provider or supplier, the Proposed Rule seems to set a high bar for providers and suppliers to provide precise, accurate and continuously updated enrollment information to Medicare or risk revocation (and subsequent reporting obligations for all of its affiliated entities and owners as a result of that revocation). And, at the same time, gives CMS (and by extension its contractors) broad discretion regarding what constitutes an undue risk, seemingly allowing CMS (and its contractors) the ability to effectively “exclude” certain providers, suppliers and owners.

Affiliations & Disclosable Events

The Proposed Rule requires providers and suppliers submitting an initial or revalidating enrollment application to disclose whether any of its owners or managing employees have a current or past affiliation with a currently or formerly enrolled Medicare, Medicaid or CHIP provider or supplier which experienced one of the following disclosable events: (i) currently has an uncollected debt to Medicare, Medicaid or CHIP (regardless of the amount of the debt or whether the debt is being repaid or appealed); (ii) has been subject to a payment suspension under a federal healthcare program; (iii) has been excluded from participation in Medicare, Medicaid or CHIP; or (iv) has had its Medicare, Medicaid or CHIP enrollment denied, revoked, or terminated (regardless of the reason or status of an appeal).3 CMS indicates that the terms “revoked” and “terminated” for purposes of disclosure include voluntary terminations done to avoid potential revocation or termination. Notably, however, CMS requests comment regarding whether disclosure should be restricted to certain denial, revocation and termination reasons.

Affiliation is defined broadly to include, with respect to another organization: (i) 5% or greater direct or indirect ownership interest; (ii) partnership interests; (iii) operational or managerial control over or directly or indirectly conducting the day-to-day operations; (iv) officer or director; or (v) any reassignment relationships. CMS interprets these affiliations very broadly in the Proposed Rule. For example, an affiliated provider need not have been enrolled in the federal healthcare program when the disclosing party had its relationship with the affiliated provider. Additionally, the disclosable event could have occurred either before the affiliation began or after it ended. For example, an affiliation would need to be reported if “a disclosing party sold its majority interest in an affiliated provider or supplier that was terminated from Medicare 2 months after the sale.”4 Given that the entity subject to the disclosable event has no obligation to inform or even make such information available upon request, it is likely the applicant may not be aware of certain disclosure events, particularly with respect to past affiliations. In consideration of this, CMS built in a “knew or should reasonably have known” standard into the repercussions for failing to disclose (discussed below). It does seem that providers and suppliers would need to take some reasonable steps to find out about disclosable events of past affiliations.

The Proposed Rule institutes a 5-year “look-back” period for past affiliations, but ultimately captures much more than five years by noting that the event triggering disclosure could have occurred or been imposed more than five years prior. For example, if a “supplier currently has a managerial interest in an ambulance company that was subject to a Medicare payment suspension 8 years ago. The affiliation and the payment suspension must be disclosed even though the latter was imposed outside of the 5-year affiliation look-back period.”5

Undue Risk

After receiving notice of an affiliation with a person or entity which was the subject of a “disclosable event,” CMS will determine whether there is an “undue risk of fraud, waste or abuse.” If CMS finds an undue risk, CMS would deny initial enrollments or revoke existing enrollments. Additionally, CMS could revoke or deny enrollment based on a finding of undue risk “outside of the provider’s or supplier’s submission of an initial, revalidating or change of information application.”6 It is important to note that “an actual finding of fraud, waste or abuse would not be necessary” for a denial or revocation of Medicare enrollment. An undue risk is to be determined by CMS upon consideration of a variety of factors, including duration of affiliation, how long ago the affiliation ended, the extent of affiliation (e.g., percentage ownership), the reason for termination of affiliation (if applicable) and information regarding the disclosable event. In the context of an uncollected debt, CMS will consider the debt amount, status of repayment and to whom the debt is owed. CMS noted that “[a] closer, longer, and more recent affiliation involving, for instance, an excluded provider or a large uncollected debt might pose a greater risk to the Medicare program than a brief affiliation that occurred 5 years ago.”7

Failure To Report Affiliations and More

As proposed, the failure to report affiliations appropriately can result in denial or revocation if the provider or supplier knew or should reasonably have known of the affiliation. Moreover, providers and suppliers would be required to report new affiliations and changes regarding existing affiliations (subject to the 5-year look back period). Updates to past affiliations would only be required as part of the revalidation process.8

Moreover, CMS proposes to significantly expand its ability to generally revoke Medicare enrollment for all providers and suppliers under 42 C.F.R. § 424.535(a)(9) for failures to report changes of ownership and most other changes of information. CMS emphasizes “[w]e must have complete and accurate data on each provider and supplier to help confirm that the provider or supplier still meets all Medicare requirements and that Medicare payments are made correctly.”9 CMS explains it would retain the discretion to revoke a provider’s or supplier’s enrollment for any reporting failures, but is primarily focused on egregious cases of non-reporting. CMS outlines a few elements it would consider, including whether the data was reported, how late it was reported, the materiality of the data and any other information CMS deems relevant.

Further Expansion of Other Denial and Revocation

The Proposed Rule also provides that CMS may perform a separate analysis to revoke any and all of a provider’s Medicare enrollments. Specifically, if a provider or supplier has its enrollment revoked for any reason pursuant to the revised version of 42 CFR § 424.535(a) (including due to an affiliation), CMS would have authority to revoke other Medicare enrollments including those under different names, numerical identities or business identities, and those under different business types. In determining whether to use this authority, CMS would analyze specific factors including the individuals and entities, the reason for revocation, the degree of commonality, any final adverse actions, and the number and types of other enrollments.10 This proposed change could have far reaching implications for larger healthcare corporations and entities. For example, the Proposed Rule would allow for the revocation of associated hospital enrollments based on a single revocation involving suppliers of durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) in another state. Consider the impact if the revocation was simply based on the failure to timely submit a voluntary termination upon merging two locations for business efficiencies.

As proposed, CMS would have the option to revoke a provider’s or supplier’s Medicare enrollment for all practice locations, regardless of whether they are part of the same enrollment, if the provider or supplier billed for services performed at or items furnished “from a location that it knew or should have known did not comply with Medicare enrollment requirements.”11 The Proposed Rule also allows the revocation of a provider’s or supplier’s billing privileges if there is a pattern or practice of submitting claims that are not reasonable or necessary, including referring or prescribing Medicare Part A or Part B services, items or drugs in way which is abusive or represents a threat to the health and safety of beneficiaries.12

Expansion of Re-enrollment Bar

CMS also proposes to expand the maximum re-enrollment bar from three to 10 years. In addition, CMS would be able to extend the re-enrollment bar by three years (even going beyond 10 years) if it believes the provider or supplier is attempting to circumvent its existing re-enrollment bar by enrolling in Medicare under a different name, numerical identifier or business entity. The re-enrollment bar would be extended up to 20 years for second revocations. And, finally, CMS proposes to extend the re-enrollment bar to a provider’s or supplier’s current, former or future business names, numerical identifiers or business identities.13

Expansion of Reapplication Bar

The Proposed Rule also would extend CMS’ ability to prohibit prospective provider and supplier enrollment for up to three years if it finds the applicant submitted false or misleading information on or with (or omitted information from) its application in order to gain enrollment in Medicare. The reapplication bar would apply to the individual or organization under all current, former or future names, numerical identifiers or business identity. In light of how much information Medicare requests and the ease in which providers and suppliers can inadvertently complete the application incorrectly, this is particularly worrisome for smaller organizations.14

Expansion of Payment Suspensions

CMS also proposes to expand the ability to deny Medicare enrollment based on payment suspensions beyond owners, physicians and non-physician practitioners, to also reach all types of providers and suppliers and to any owning or managing employees or organization of the provider or supplier and any other of its existing enrollments. In addition, CMS proposes to add Medicaid payment suspensions as a denial reason.15

And More…

There are many other proposals in this Proposed Rule, including expansion of these program integrity tools for Medicaid and CHIP. Specifically, the Proposed Rule allows revocations or denial of enrollment for suspensions and terminations in other federal healthcare programs.16


While well intentioned to protect federal healthcare programs, these newly proposed program integrity safeguards place significant discretion in CMS’ hands to remove provider and supplier billing privileges – an action that can put providers and suppliers out of business. In addition, it places the onus (with significant consequences for getting it wrong) on providers and suppliers to evaluate, track and disclose both past and current affiliations and timely report all enrollment information updates. The Proposed Rule raises the stakes for noncompliance by expanding regulators’ authority to revoke enrollments in a way that can have a ripple effect on all direct and indirect owners and other direct or indirectly affiliated providers and suppliers, and locations. The Proposed Rule, however, is subject to change and may be altered based on commentary from industry stakeholders and members of the public. As of the date of the publication of this alert, only four comments have been posted in response to the Proposed Rule.17 Nevertheless, CMS is explicitly seeking commentary on various aspects of the Proposed Rule, including the process for weighing and evaluating factors relating to a determination that an affiliation constitutes finding an undue risk of fraud, waste or abuse. As mentioned above, comments are due by 5:00 p.m. on April 25, 2016.18

1 See 81 Fed. Reg. 10720 (March 1, 2016) available at https://www.gpo.gov/fdsys/pkg/FR-2016-03-01/pdf/2016-04312.pdf.
2 See 79 Fed. Reg. 72499 (December 5, 2014).
3 81 Fed. Reg. at 10724.
4 Id. at 10724 – 10725 (An “owner” includes anyone with a 5 percent or more direct or indirect interest, and “managing employees” includes persons who directly or indirectly conduct “the day-to-day operation of the provider” entity.).
5 Id. at 10725 – 10726.
6 Id. at 10726 – 10727.
7 Id. at 10727 – 10728.
8 Id. 10726 –10728, and 10749; 42 CFR §§ 424.57 & 424.515.
9 Id. at 10733.
10 Id. at 10730, 10734. The Proposed Rule seems to provide CMS this ability in two different provisions. One focuses on the “degree of commonality” and the other focuses on the other characteristics mentioned above. In evaluating the “degree of commonality,” CMS would consider the owning and managing employees and organizations, geographic location, provider or supplier type, and business structure.
11 Id. at 10730 (CMS would consider multiple factors including 1) the reasons for noncompliance; 2) the number of additional locations; 3) whether the enrolled entity has a history of final adverse actions; 4) the risk involved; 5) the length of noncompliance; and the amount billed at the noncompliant location).
12 Id. at 10731.
13 Id. at 10732.
14 Id. at 10732 – 10733.
15 Id. at 10733 – 10734.
16 Id. at 10729 – 10730.
17 See https://www.regulations.gov/#!documentDetail;D=CMS-2016-0031-0001.
18 81 Fed. Reg. at 10728.