The authors wish to thank Kira Mann and Pamela Casey for their contributions to this content.

On September 10, 2019, the Centers for Medicare & Medicaid Services (CMS) published a final rule significantly expanding its authority to deny or revoke participation in Medicare, Medicaid or the Children’s Health Insurance Program (CHIP) based on any direct or indirect affiliation with any person or entity that has an outstanding Medicare debt; has previously had their Medicare, Medicaid or CHIP billing privileges denied or revoked; has been placed under a payment suspension; or, has been excluded from participation in federal healthcare programs. With this, and other new enforcement authorities implemented by the final rule, CMS enacts congressional mandates aiming to prevent bad actors from continuing to bilk Medicare, Medicaid and CHIP programs by moving from one enrolled entity to another. Although a laudable goal, the broad authorities and expansive definitions in the final rule leave much of the impact on providers and suppliers to CMS’ discretion.

The rule will affect all providers and suppliers, but not immediately. CMS softened its approach by initially requiring providers and suppliers to report “affiliate” information only upon request. CMS plans to phase-in front-end reporting of affiliate information over time.  Regardless of timing, the final rule’s commentary makes clear CMS’ high expectations for enrollment information accuracy and timely reporting of enrollment changes. That commentary, in combination with the expanded authorities to deny and revoke enrollments, signals, now more than ever, that providers and suppliers should ensure their enrollment information is accurate and they have systems in place to timely update that information when changes occur.  Large healthcare organizations may want to consider implementing mechanisms to track and document “affiliate” related “disclosable events” to enable them to quickly – and accurately – respond to CMS requests. Failure to respond timely may result in a delay in enrollment.

Despite three years having passed since CMS issued the proposed rule discussing these potential changes, the final rule implements many of the original proposals. Below we outline CMS’ new authorities, the new reporting requirement, who qualifies as affiliate, what events trigger disclosures, and CMS’ next steps for implementation. The final rule with comment period is effective on November 4, 2019.

Expansion to Require Disclosure of Certain Affiliations

Currently, for enrollment, provider and suppliers are required to disclose various relationships regarding ownership and control, certain organizational changes, and final adverse actions (e.g., criminal convictions). Once CMS revises its enrollment forms to include an affiliation disclosure section, providers and suppliers will be required to disclose affiliations upon CMS’ request in connection with initial enrollment and revalidation. For now, CMS plans to request affiliation disclosures from providers and suppliers when CMS has determined that one such disclosable affiliation exists.  Upon CMS’ request, providers and suppliers will have to disclose any and all affiliations that they, or any of their owners (5% direct or indirect interest) or managing employees or organizations, have, or have had within the previous five years, that had a disclosable event.  Thus, the disclosure is not limited to affiliations identified by CMS.

CMS may deny or revoke enrollment if a provider or supplier fails to fully and completely disclose an affiliation when the provider or supplier “knew or should reasonably have known” of the affiliation. This knowledge standard aims to ease the disclosure burden where it is difficult to obtain affiliation data. For example, CMS seems to recognize that providers and suppliers may not know (or reasonably be able to determine) whether passive investors, such as through pension funds, have a disclosable event. CMS also recognized that it is less likely that a provider or supplier would know of a disclosable event that occurred after an affiliation has ended.  Fortunately, CMS did not finalize its proposal to require providers or suppliers to report new or changed information regarding existing affiliations. CMS agreed with commenters that this reporting standard would be burdensome on providers and suppliers who have already disclosed affiliations during the enrollment process.

CMS may deny or revoke enrollment if CMS determines a disclosed affiliation poses an undue risk of fraud, waste or abuse.  To assess whether an affiliation constitutes an undue risk, CMS will consider the following criteria:

  • The duration of the affiliation
  • Whether the affiliation still exists and, if not, how long ago it ended
  • The degree and extent of the affiliation
  • If applicable, the reason for the termination of the affiliation
  • Details surrounding the disclosable event, such as type of event, when it occurred, amount of money and whether a payment plan is in place (for cases of uncollected debt)
  • Any other information CMS deems relevant

CMS may issue sub-regulatory guidance concerning the process by which it will analyze undue risk determinations.

To comply with the new rules, providers and suppliers will need to identify (i) all relevant affiliations of the entity, its direct and indirect owners (5% or more) and its managing employees and organizations, and (ii) whether any of those affiliations have had a disclosable event.

Affiliation Defined.  CMS defines “affiliation” to include five types of interests:

  • A 5% or greater direct or indirect ownership interest
  • A general or limited partnership interest
  • An interest in which an individual or entity exercises operational or managerial control over the day-to-day operations
  • An individual acting as an officer or director of a corporation
  • A reassignment relationship

The first four types of interests remain consistent with the definitions of “owner” and “managing employee” in § 424.502. The fifth type, any reassignment relationship, broadly includes – among other things – any employee or independent contractor practitioner relationship. For example, CMS notes that if a physician director falls within the definition of managing employee, he or she must be reported as part of the existing enrollment process. If that physician director was previously a managing employee of another provider/supplier with a disclosable event, that affiliation must be reported (upon request, initially).

Disclosable Events Defined.  The disclosable events that would trigger the disclosure requirement include:

  • A current uncollected debt (i.e., overpayment, civil monetary penalties or assessments) to Medicare, Medicaid or CHIP regardless of the amount of debt or whether the debt is currently being repaid or appealed
  • A current or prior payment suspension under a federal healthcare program regardless of when it occurred or was imposed
  • A current or prior OIG exclusion from participation in Medicare, Medicaid or CHIP regardless of whether it is currently being appealed or when the exclusion occurred or was imposed
  • Denial, revocation or termination of a Medicare, Medicaid or CHIP enrollment regardless of the reason, whether it is being appealed, or when it was imposed

Lookback Period.  Any affiliation that occurred in the last five years must be reported, regardless of whether the disclosable event occurred before, during or after the affiliation ended. This timeframe extends back from the date on which the application is submitted. CMS deemed that a sufficient look-back period was necessary because a past affiliation could be an “indicator of a disclosing party’s future behavior.” There is no look-back limitation for historic disclosable events, meaning that providers and suppliers must report disclosable events occurring more than five years ago if the affiliation occurred in the last five years.

Other CMS New Authorities

In addition to the authorities discussed above, the final rule makes several other noteworthy changes to the Medicare rules, many of which further expand CMS’ ability to deny or revoke enrollment, or prevent re-enrollment.

  • The final rule increases the maximum length of a re-enrollment bar from three years to 10 years, with certain exceptions. The re-enrollment bar can be extended for an additional three years – even if it exceeds 10 years – if CMS determines that the provider or supplier attempted to circumvent the existing re-enrollment bar by enrolling in Medicare under a different name, numerical identifier (e.g., TIN, NPI) or business identity.
  • CMS may prohibit a provider or supplier from enrolling in the Medicare program for up to three years if its enrollment application is denied because the provider or supplier submitted false or misleading information on or with (or omitted information from) its application to gain enrollment in the Medicare program.
  • CMS may deny a provider’s or supplier’s Medicare enrollment if CMS determines the provider or supplier, or any owner or managing employee, is currently under a Medicare or Medicaid payment suspension.
  • CMS may deny or revoke a provider’s or supplier’s Medicare enrollment if CMS determines that the provider or supplier is currently revoked under a different name, numerical identifier, or business identity, and the applicable re-enrollment bar period has not expired.
  • CMS may revoke a provider’s or supplier’s Medicare enrollment – including all of the provider’s or supplier’s practice locations, regardless of whether they are part of the same enrollment – if the provider or supplier billed for services performed at, or items furnished from, a location that it knew or should reasonably have known did not comply with Medicare enrollment requirements.
  • CMS may revoke a physician’s or eligible professional’s Medicare enrollment if he or she has a pattern or practice of ordering, certifying, referring, or prescribing Medicare Part A or B services, items, or drugs that is abusive; represents a threat to the health and safety of Medicare beneficiaries; or otherwise fails to meet Medicare requirements.
  • CMS may revoke a provider’s or supplier’s Medicare enrollment if the provider or supplier has an existing debt that CMS refers to the U.S. Treasury.
  • CMS may deny a provider’s or supplier’s Medicare enrollment application if (1) the provider or supplier is currently terminated or suspended (or otherwise barred) from participation in a state Medicaid program or any other federal healthcare program, or (2) the provider’s or supplier’s license is currently revoked or suspended in a state other than that in which the provider or supplier is enrolling.
  • CMS can extend a revocation prompted by the reasons above to all of the provider’s or supplier’s Medicare enrollments, including those under different names, numerical identifiers or business entities and those under different types. In using this authority, CMS must consider the reason for the revocation, the facts of the case, whether any final adverse actions have been imposed, the number and types of enrollment, and anything else it deems relevant.

In addition, the final rule also establishes similar affiliation reporting requirements applicable to the Medicaid and CHIP Programs.  Concerning these programs, CMS offers states two options to implement the new rules, both of which focus on initial enrollments of providers and suppliers, who are not otherwise enrolled in Medicare.  Under the first option, initial enrollments would automatically include disclosure of any and all affiliations of the enrolling party, its owners, or managing employees or organizations.  Under the second option, disclosure would only be required upon the state’s request, which requests will be made in consultation with CMS after identifying a potential disclosable affiliation. States cannot implement the disclosure components until each state’s Medicaid or CHIP applications are updated to collect the data. The timing of the updates to each state’s applications will vary.

Key Takeaways

This final rule demonstrates how important it is for providers and suppliers to maintain accurate and up-to-date enrollment information. CMS now has numerous avenues to revoke, deny and place re-enrollment bars on providers and suppliers for a variety of behaviors, extending those rights to not only the provider or supplier that ran afoul, but also – at CMS’ discretion – to any other locations or affiliated enrolled providers or suppliers.

As a result, providers and suppliers should:

  • Review current Medicare, Medicaid and CHIP enrollment records to ensure the accuracy of the information provided and make updates, if necessary. For example, if the practice has a current management relationship that qualifies as a managing employee or organization, but has not historically included that information in its enrollment, that relationship should be added.
  • Start developing procedures for the tracking and recording of affiliates and their disclosable events so that they can respond timely should CMS request such information.
  • Consider incorporating into their diligence procedures steps to identify disclosable events prior to initiating a new affiliation and to require prompt reporting of future disclosable events.
  • Revisit compliance programs to evaluate if there are additional steps that can be taken to minimize the occurrence of disclosable events in the first place.

If you have any questions regarding this final rule, or how to ensure you comply with CMS’ enrollment requirements, please contact the authors or one of our healthcare attorneys.