
New Proposed Regulations Focus Enrollment Standards on Fraud Prevention

September 21, 2010
Jana Kolarik Anderson

The proposed rule, which was issued on September 20, 2010, is packed with new enrollment requirements for Medicare, Medicaid and Children's Health Insurance Program (CHIP) providers and suppliers.  The Centers for Medicare and Medicaid Services (CMS) has developed a new categorization of risk of fraud, waste and abuse – low, moderate and high – based on its data and reports from the Office of Inspector General (OIG) and Government Accountability Office (GAO).  Under the proposed rule, CMS's risk categorization and the related enrollment screening procedures will be applicable to newly enrolling providers and suppliers on March 23, 2011 – approximately 6 months from now – and to currently enrolled providers and suppliers beginning on March 23, 2012.  Interestingly, although CMS requested comments on what criteria should be considered in making assignments to the different risk categories, CMS already placed providers and suppliers in the different risk categories. 

Risk Categories – Low, Moderate and High

At "low" risk are physicians, nonphysician practitioners, medical clinics, publicly traded providers and suppliers and a number of other providers and suppliers including ASCs, hospitals and SNFs.  CMS will perform licensure verification and database checks (e.g., SSN, NPI, NPDB, LEIE, EPLS, tax delinquency) on individuals and entities in this "low" risk category.

At "moderate" risk because "they are highly dependent on Medicare, Medicaid or CHIP to pay their salaries and other operating expenses and are subject to less additional other government or professional oversight than the providers and suppliers in the limited risk category," CMS identified nonpublic, non-government owned or affiliated ambulance service suppliers, community mental health centers, CORFs, IDTFs, independent clinical labs and hospice organizations.  Under the proposed rule, CMS will require pre- and post-enrollment unscheduled and unannounced site visits in addition to the licensure verification and database checks.  CMS also added currently enrolled DMEPOS suppliers and home health agencies to this category because the site visits were seen as a way to ensure that such entities remain operational and continue to meet supplier and other Medicare, Medicaid and CHIP standards.

At "high" risk because of the "high number of home health agencies and suppliers of DMEPOS already enrolled in the Medicare program and program vulnerabilities that these entities post to the Medicare program," CMS identified newly enrolled, not publicly traded, DMEPOS suppliers and home health agencies.  Under the proposed rule, in addition to licensure verification, database checks, pre- and post-enrollment unannounced and unscheduled site visits, CMS will require criminal background checks and the submission of fingerprint cards for owners, authorized officials, delegated officials and managing employees. 

With regard to the "high" risk category, it is unclear how CMS will address indirect owners of these entities because under Medicare and Medicaid rules, any person (including any corporate entities) with 5% or more direct or indirect ownership of a provider or supplier must be reported.  Will CMS want criminal background checks and fingerprints for all indirect owners, e.g., the grandparent entity of the provider/supplier entity and above?  Also, how will CMS address a corporate owner's responsibility to submit criminal background checks and fingerprint cards?  The requirements could become burdensome on both the provider and government sides.

In addition, with regard to the "high" risk category, although government enforcement efforts to date have shown fraud, waste and abuse issues with home health agencies and DMEPOS suppliers in certain geographical regions, e.g., South Florida, Texas, California, it is not clear that issues with such entities are national.  Because the criminal background checks and fingerprints are onerous requirements that are not currently used by Medicare, it may make sense for CMS to consider introducing such requirements in high risk geographic areas, rather than nationally, at least at this stage.

Payment Suspension

The proposed regulations regarding the suspension of payments pending an investigation of a credible allegation of fraud raised issues/questions.  There are existing Medicare and Medicaid rules that provide for the suspension of payments in the case of suspected fraudulent activity.  Under Medicare, the suspension is limited to 180 days with extensions in certain circumstances.  The proposed rule would eliminate that 180-day limit in cases of "credible allegations of fraud."  Many smaller providers and suppliers will likely have trouble continuing to provide services to patients with no cash flow from these payors. 

Under the definition of "credible allegation of fraud," CMS included "fraud hotline complaints" without specifying to whom or what entity such hotline complaints would be made.  It is typical for a provider or supplier with a compliance program to have a compliance hotline on which complaints should be made.  The hotline enables a provider/supplier's compliance program to work effectively because issues can be addressed quickly and often anonymously.  CMS will need to further define what it means by "fraud hotline complaints" to ensure that such compliance program functions are not stifled by the fear that CMS or a State agency could suspend payments.

Mandatory Compliance Programs

CMS is allowing time to comment on the "core elements" of a compliance program with which providers and suppliers will need to comply for continued enrollment.  CMS has brought up the 7 elements of the U.S. Federal Sentencing Guidelines Manual that is followed by the OIG's Compliance Program Guidance documents, but has not limited the core elements to those 7 elements.

CMS is accepting comments to the proposed rule until November 16, 2010.

Please contact Jana Kolarik Anderson at 202-545-2960 or jana.kolarik@nelsonmullins.com with any questions.