Medicare, Medicaid and CHIP Enrollment Revocation and Denial Authorities Have Expanded.  What Steps are You Taking to Reduce Your Level of Risk?

/ Medicare, Medicaid & Private Payor Updates / By
Medicare Enrollment

Big Changes to CMS Form 855 are on the Horizon[/caption]

(September 18, 2019): On September 10, 2019, the Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) published a Final Rule in the Federal Register entitled, "Medicare, Medicaid, and Children's Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process." Issuance of the Final Rule is necessary in order to implement sections 1866(j)(5) and 1902(kk)(3) of the Social Security Act (as amended by the Affordable Care Act), which require that providers and suppliers fully disclose information related to affiliations, uncollected debts and certain adverse actions that may impact the program integrity of the affected government health plan. As discussed below, the impact of the Final Rule on the Medicare enrollment disclosure requirements of providers and suppliers has been significantly enhanced. Moreover, the authority of CMS to revoke or deny the enrollment of a participating provider or supplier has been greatly expanded. Under the Final Rule, the reporting obligations of Medicare, Medicaid, and CHIP providers and suppliers will dramatically increase when they file a new enrollment application, revalidate their enrollment, need to file a change of information, or need to notify the agency of a change in ownership .[1] This article is intended to take a “first look” at the impact of the Final Rule on the obligations faced by providers and suppliers. Additionally this article reviews CMS’ new revocation and denial authority, and it explores a number of the challenges that you or other providers may face, as a result.

I. Background – Medicare Enrollment and Revalidation Program Integrity Measures:

Approximately, 54 million individuals are enrolled in the Medicare program.[2] In order to qualify to provide care and treatment services to these beneficiaries, a health care provider or supplier must meet a number of administrative, regulatory, and statutory requirements that are meant to protect both the patient and the financial integrity of the Medicare program. The Medicare enrollment process effectively serves as one of the agency’s primary ways to protect patients and the Medicare Trust Fund from the actions of providers and suppliers whose participation would represent a significant risk of fraud or abuse.

When enrolling in the Medicare program, an applicant provider or supplier must complete and submit an appropriate enrollment application (i.e., a Form CMS-855) to their assigned Medicare contractor. The enrollment application can be submitted by paper or electronically through the agency’s Provider Enrollment, Chain, and Ownership System (PECOS). Several of the previous rules promulgated by CMS to strengthen the overall effectiveness and program integrity of the enrollment process have included:

  • April 21, 2006: CMS published a Final Rule entitled "Medicare Program; Requirements for Providers and Suppliers to Establish and Maintain Medicare Enrollment."[3] This Final Rule laid out a number of requirements that must be met by providers and suppliers in order to maintain their Medicare billing privileges.
  • February 2, 2011: CMS published a Final Rule entitled "Medicare, Medicaid, and Children's Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers."[4] This Final Rule established a number of new provider enrollment screening requirements.
  • March 1, 2016: CMS published a Proposed Rule entitled "Medicare, Medicaid, and Children's Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process." This Proposed Rule set out the enrollment revocation and denial changes CMS planned to implement in an effort to address long-standing program integrity risks that have previously been exploited in the past.[5]

A little more than three years after the issuance of the March 2016 Proposed Rule, CMS has now issued its much-anticipated Final Rule entitled, "Medicare, Medicaid, and Children's Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process." [6] With the implementation of this Final Rule, CMS will now have expanded authority to deny the enrollment and / or revalidation of a provider or supplier if it determines that an “affiliation” presents an undue risk of fraud risk or abuse. The Final Rule will also make it much easier to revoke the enrollment of existing providers and suppliers whose continued participation in the Medicare, Medicaid, or CHIP programs is determined to represent a program integrity risk.

II. Why Has CMS Tightened Up the Medicare Enrollment and Revalidation Process?

Despite past efforts to strengthen the Medicare provider enrollment process, existing Medicare, Medicaid, and CHIP systems haven't been fully effective in identifying direct owners, managing employees, and close affiliates of provider and supplier applicants with a history of certain adverse events. As representatives of the Office of Inspector General (OIG) have testified before Congress, health care providers and suppliers engaging in wrongful billing practices have often been found to have relied on networks of affiliations with other fraudulent providers and suppliers. For example, in south Florida, law enforcement has previously found that some Medicare providers and suppliers have taken steps to hide their ownership through the use of straw owners. The real owners (who are likely prohibited from participating or likely to be denied participation in Federal health care programs) are then free to engage in improper billing practices.[7]

The issuance of the new Final Rule requires that as part of the enrollment and revalidation process, providers and suppliers must disclose any business affiliations that may pose an undue risk of fraud, waste and / or abuse to the Medicare, Medicaid and CHIP programs. CMS will be phasing the new affiliation reporting requirements in over a period of years. First, the agency will update and issue new provider enrollment Form CMS-855 applications, and then it will require reporting of certain affiliations “upon request.”[8] At least initially, only those providers or suppliers who are asked to report affiliations on the new enrollment forms will be required to do so. CMS states in the new Final Rule that it will publish further rulemaking to expand this reporting requirement after assessing the progress of its initial phased-in approach.

Notably, CMS estimates that the new disclosure requirements and revocation authorities implemented by the Final Rule will result in approximately 2,600 new revocations each year and will save the affected government health programs an estimated $4.16 billion over the next 10 years.

III. Reporting Affiliations:

Under the Final Rule, the “affiliations” that a provider or supplier may have to disclose upon request by CMS include the following:

“The term “affiliation” is defined under 42 CFR §424.519 as meaning any of the following:

  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • A general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization.
  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • An interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization (including, for purposes of § 424.519 only, sole proprietorships), either under contract or through some other arrangement, regardless of whether or not the managing individual or entity is a W–2 employee of the organization.
  • An interest in which an individual is acting as an officer or director of a corporation.
  • Any reassignment relationship under 42 CFR § 424.80.”

The new affiliation provisions are intended to identify individuals and entities that have an ownership interest or exercise managerial control in multiple Medicare program providers or suppliers. Both OIG and CMS have repeatedly identified situations where providers and suppliers whose Medicare billing privileges have been revoked for fraud and / or other improper conduct have managed to surreptitiously re-enter the program using a nominee owner to disguise their true ownership or through other deceptive means. As the agency has noted, the broad definition of affiliation that has been adopted, is needed so that providers and suppliers fully disclose any prior or current relationships that could pose risks of fraud, waste or abuse to the Medicare program. CMS has estimated that if the new affiliation provisions had been in place over the previous five years, it could have prevented $51.9 billion from being paid to 2,097 entities with affiliations with a previously-revoked individual or entity.

IV. Disclosable Events Under 42 CFR § 424.519:

When initially enrolling or revalidating with the Medicare program, the new regulations will require that a provider or supplier disclose whether it or any of its owning or managing employees or organizations (consistent with the terms ‘‘owner’’ and ‘‘managing employee’’ as defined in 42 CFR § 424.502) has or, within the previous 5 years, has had an affiliation with a currently or formerly enrolled Medicare, Medicaid, or CHIP provider or supplier that has had any “disclosable events.”[9] Importantly, the term, “disclosable event“ is defined in the new regulation as an affiliation with a currently or formerly enrolled Medicare, Medicaid or CHIP provider or supplier that:

  1. "Currently has an uncollected debt to Medicare, Medicaid, or CHIP, regardless of – (i) The amount of the debt; (ii) Whether the debt is currently being repaid (for example, as part of a repayment plan); or (iii) Whether the debt is currently being appealed;
  2. Has been or is subject to a payment suspension under a federal health care program (as that latter term is defined in section 1128B(f) of the Act), regardless of when the payment suspension occurred or was imposed;
  3. Has been or is excluded by the OIG from participation in Medicare, Medicaid, or CHIP, regardless of whether the exclusion is currently being appealed or when the exclusion occurred or was imposed; or
  4. Has had its Medicare, Medicaid, or CHIP enrollment denied, revoked, or terminated, regardless of— (i) The reason for the denial, revocation, or termination; (ii) Whether the denial, revocation, or termination is currently being appealed; or (iii) When the denial, revocation, or termination occurred or was imposed.”

Responding to comments submitted in connection with the Proposed Rule, CMS clarified who must be reported as an owner or managing employee of a provider or supplier, and likewise, who the organization must collect information from to identify all “affiliations” and “disclosable events.” CMS commented that the following situations would (1) require disclosure of a person or organization as an owner or managing employee, and (2) require disclosure of those persons or organizations “affiliations” if there has been a disclosable event:

  • Does a “Physician Director” or “Director of Nursing” have to be reported as part of the enrollment process?Yes, if the Physician Director or the Director of Nursing fall within the definition of “managing employee”[10] under 42 CFR § 424.502, he or she would have to be reported [on the Form CMS-855 application as a managing employee]. Moreover, if the Physician Director or the Director of Nursing was previously a managing employee of another provider or supplier with a “disclosable event,” the Physician Director or Director of Nursing would have to be reported.
  • Do the members of the Board of Trustees of a tax-exempt entity have to be reported as part of the enrollment process?Yes, as set out in CMS Publication 100-08, Program Integrity Manual (PIM), Chapter 15, Section 15.5.5 (Owning and Managing Organizations) members of a Board of Trustees are considered to be Corporate Directors and must be reported on CMS Form 855. As an aside, CMS takes the position that non-profit entities and offices would fall under the affiliation definition to the same extent as for-profit entities and officials.
  • Does an entity with a 5% or greater mortgage or security interest have to be reported? Consistent with the PIM, Chapter 15, Section 15.5.5: “All entities with at least a 5 percent mortgage, deed of trust or other security interest in the provider must be reported in section 5. This frequently will include banks, other financial institutions, and investment firms.”
  • Does a billing agency or a collection agency have to be reported? Yes, if the billing agency or collection agency meets the definition of a managing employee (as it applied to organizations), then they would have to be reported on the CMS Form 855.
  • Does a public company that owns 5% of more of an enrolling or reenrolling company have to be reported?CMS takes the position that public companies fall within the purview of 42 CFR §424.519.
  • Does an affiliated managing individual have to be reported in CMS Form 855 even if he or she has no responsibilities concerning payment for services? The definition of managing employee under 42 CFR §?424.502 includes all persons who directly or indirectly conduct a provider’s or supplier’s day-to-day operations. There is no requirement that these individuals must have responsibilities related to payment for services.

In short, the above individuals must be disclosed in the owner and managing employee sections of the Form CMS-855 applications (or their counterpart in PECOS), and if those owners or managing employees have affiliations that have disclosable events, then those must be reported as well. As we stated earlier, in response to the many comments and concerns submitted by providers and suppliers, For now, CMS is not requiring that providers and suppliers disclose affiliations with disclosable events under 42 CFR §?424.519 unless CMS specifically requests that they do so.[11] Moreover, CMS does not intend to request these disclosures until it has updated CMS Form-855. However, as CMS further noted:

“Although we will initially be implementing a more targeted approach to the disclosure requirement, we recognize that section 1866(j)(5) of the Act requires every provider and supplier (regardless of the relative risk they may pose) to disclose affiliations upon initial enrollment and revalidation. While section 1866(j)(5) of the Act does give the Secretary some discretion in applying this provision in terms of form, manner, and timing, it does not permanently exempt any provider or supplier from its applicability . . . Consequently, CMS must eventually secure affiliation data from all initially enrolling and revalidating providers.” (emphasis added).

Therefore, at this time, providers and suppliers are not required to report disclosable affiliations until CMS has an opportunity to update its Form CMS-855 applications so that this data can be collected. Furthermore, CMS will be issuing additional sub-regulatory guidance regarding the affiliation disclosure process. This sub-regulatory guidance is expected to set out the agency’s expectations with respect to the "level of effort that is required" of a provider or supplier to research and secure an owner or managing employees relevant affiliation information.

V. When Will a Disclosed Affiliation be Found to “Pose an Undue Risk of Fraud, Waste or Abuse”?

The Final Rule makes it clear that just because an affiliation must be disclosed, does not necessarily mean that CMS will determine that an affiliation will “pose an undue risk of fraud, waste, or abuse.”[12] Before making a determination, CMS intends to carefully examine the specifics of each situation prior to deciding whether to exercise its discretion to deny an application for enrollment OR to revoke the participation of a currently enrolled provider. When deciding whether a disclosed affiliation represents an undue risk, CMS will consider:

  1. The duration of the affiliation.
  2. Whether the affiliation still exists and, if not, how long ago it ended.
  3. The degree and extent of the affiliation.
  4. If applicable, the reason for the termination of the affiliation.
  5. Regarding the affiliated provider’s or supplier’s disclosable event, CMS will consider:
    1. The type of disclosable event.
    2. When the disclosable event occurred or was imposed.
    3. Whether the affiliation existed when the disclosable event occurred or was imposed.
    4. If the disclosable event is an uncollected debt:
      1. The amount of the debt.
      2. Whether the affiliated provider or supplier is repaying the debt.
      3. To whom the debt is owed.
    5. If a denial, revocation, termination, exclusion, or payment suspension is involved, the reason for the disclosable event.
  6. Any other evidence that CMS deems relevant to its determination.

Depending on the particulars of each case, CMS may find that a disclosed affiliation does, in fact, pose an undue risk of fraud, waste, or abuse. Should this occur, CMS will deny a provider’s or supplier’s initial enrollment application under 42 CFR § 424.530(a)(13) OR revoke a currently participating provider’s or supplier’s Medicare enrollment under 42 CFR § 424.535(a)(19).

VI. What Can Happen if a Provider or Supplier Fails to Report a Disclosable Affiliation?

When asked to do so by CMS, it will be essential that a provider or supplier ensure that any and all disclosable affiliations and other general business information is fully and completely reported. If a provider or supplier fails to report a disclosable affiliation and “knew or should have known”[13] of the omitted information, CMS may choose to deny an applicant’s initial enrollment application (under 42 CFR § 424.530(a)(1) and, if applicable, 42 CFR § 424.530(a)(4)). Alternatively, if a currently participating provider or supplier fails to report a disclosable affiliation, CMS may choose to revoke the entity’s Medicare enrollment (under 42 CFR § 424.535(a)(1) and, if applicable, 42 CFR § 424.535(a)(4)).

VII. What is an “Uncollected Debt”?

As set out under 42 CFR §?424.519(a)(1), if an applicant, or an applicant’s owner or managing employee is affiliated with another provider or supplier that has an “uncollected debt,” that is a disclosable event under 42 CFR §?424.502. As previously discussed, an uncollected debt is only intended to include:

  1. Medicare, Medicaid, or CHIP overpayments for which CMS or the state has sent notice of the debt to the affiliated provider or supplier.
  2. Civil money penalties imposed under this title.
  3. Assessments imposed under this title.

(emphasis added).

Importantly, the phrase "notice of the debt to the affiliated provider or supplier” does not include audit requests or routine denial letters where refunds are made through remittance advices or claims corrections. In its response to comments from stakeholders, CMS expressly notes that “notice of the debt” would include something like a demand letter or other formal request for payment.

CMS has not established a minimum amount that would require the reporting of an uncollected debt. Regardless of whether an alleged uncollected debt is $500 or $5 million, it would qualify as a reportable disclosable event under the Final Rule. As CMS noted, “there could be isolated cases where a particular debt, though of a de minimis amount, presents an undue risk when all of the applicable factors are considered.” CMS further states that even though a provider or supplier may currently be in the process of repaying a debt, the debt would still be a reportable disclosable event.

VIII. Impact of Filing an Appeal in an Uncollected Debt or Enrollment-Related Action:

Throughout the Final Rule, multiple commenters urged CMS to view alleged debts and enrollment-related actions that are being appealed by a provider or supplier differently than those where no appeal has been filed. After considering the points raised, CMS consistently declined to adopt such a position and has decided that even if an alleged debt is currently under appeal, the debt would still qualify as a disclosable event. As CMS wrote:

“consistent with our obligation to protect the Medicare program and the Trust Funds, as well as with our authority under section 1866(j)(5) of the Act, we believe we should have the ability to determine whether the debt and the associated affiliation pose an undue risk regardless of whether the debt is being appealed".”(emphasis added).

Similarly, CMS held that under 42 CFR § 424.519, enrollment denial, revocation, and termination actions will still qualify as disclosable events even if they are under appeal.

IX. Modification to the Enrollment Denial Reasons Under 42 CFR § 424.530:

As set out under 42 CFR § 424.530(a), CMS is authorized to deny a provider’s or supplier’s enrollment in the Medicare program for a number of reasons. Prior to the issuance of the Final Rule, the authorized reasons for denying enrollment in Medicare fell within the following broad categories:

  1. Noncompliance
  2. Provider or supplier conduct.
  3. Felonies
  4. False or misleading information.
  5. On-site review.
  6. Medicare debt.
  7. Payment suspension.
  8. Initial reserve operating funds.
  9. Application fee / hardship exception.
  10. Temporary moratorium.
  11. Prescribing authority.

Under the Final Rule, enrollment denials based on “Payment Suspension” (42 CFR § 424.530(a)(7)) have been expanded and may now be based on the following:

  1. “The provider or supplier, or any owning or managing employee or organization of the provider or supplier, is currently under a Medicare or Medicaid payment suspension as defined in §§ 405.370 through 405.372 or in § 455.23 of this chapter.
  2. CMS may apply the provision in this paragraph (a)(7) to the provider or supplier under any of the provider’s, supplier’s, or owning or managing employee’s or organization’s current or former names, numerical identifiers, or business identities or to any of its existing enrollments.
  3. In determining whether a denial is appropriate, CMS considers the following factors:
    1. The specific behavior in question.
    2. Whether the provider or supplier is the subject of other similar investigations.
    3. Any other information that CMS deems relevant to its determination.”

Prior to this expansion, the Payment Suspension basis for denying a provider’s or supplier’s Medicare enrollment was limited to situations where the current owner, physician, or non-physician practitioner had been placed on Medicare suspension. CMS believed this did not allow them to deny enrollment to any provider or supplier type based on a payment suspension by the Medicare program, and did not encompass scenarios where a provider or supplier’s payments had been suspended by a state Medicaid payment but the Medicare program. Under the revised Final Rule, now all provider and supplier types can be denied enrollment if that provider or supplier is subject to a Medicare OR Medicaid payment suspension, or if the provider’s or supplier’s owners or managing employees or organizations are subject to such a suspension. Importantly, CMS will look at a provider’s or supplier’s owners and managing employee’s or organization's current and former names, business identities and related numerical identifiers to identify any payment suspensions.

Additionally, the Final Rule has added several additional bases that may be relied on by CMS when deciding to deny a provider’s or supplier’s Medicare enrollment. These new reasons for denial include:

12. Revoked under different name, numerical identifier or business identity and the applicable re-enrollment bar has not expired.[14]
13. Affiliation that poses undue risk.
14. Other program termination or suspension.

Each of the fourteen reasons that may be relied on by CMS when denying a provider’s or supplier’s Medicare enrollment have specific requirements which must be met. If you or your practice are denied Medicare enrollment, you should work with your legal counsel to determine whether the denial reason cited by CMS is accurate and consistent with the facts in your case.

X. Introduction of a New “Reapplication Bar” Rule Under 42 CFR § 424.530(f):

As revised, the Medicare enrollment denial regulations now include a new “Reapplication Bar” rule. As 42 CFR § 424.530(f) sets out, if a provider or supplier submitted false or misleading information on (or with) their Medicare enrollment application, CMS can choose to prohibit the prospective provider or supplier from enrolling in the Medicare program for up to three years. Importantly, the scope of the reapplication bar rule set out under 42 CFR § 424.530(f)(1) and (f)(2) is quite broad:

  1. “The reapplication bar applies to the prospective provider or supplier under any of its current, former, or future names, numerical identifiers or business identities.
  2. CMS determines the bar’s length by considering the following factors:
    1. The materiality of the information in question.
    2. Whether there is evidence to suggest that the provider or supplier purposely furnished false or misleading information or deliberately withheld information.
    3. Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
    4. Any other information that CMS deems relevant to its determination.

XI. Modifications to the Medicare Enrollment Revocation Regulations Under 42 CFR § 424.535:

Prior to the issuance of the Final Rule, under 42 CFR § 424.535(a), CMS has long exercised the authority to revoke a currently-enrolled provider’s or supplier’s Medicare billing privileges (along with any related provider or supplier agreement). Reasons for revocation have included:

  1. Noncompliance
  2. Provider or supplier conduct.
  3. Felonies
  4. False or misleading information.
  5. On-site review;
  6. Grounds related to provider or supplier screening requirements.
  7. Misuse of billing number.
  8. Abuse of billing privileges.
  9. Failure to report.
  10. Failure to document or provide CMS access to documentation.
  11. Initial reserve operating funds.
  12. Medicaid termination.
  13. Prescribing authority.
  14. Improper prescribing practices.

Under the Final Rule, the reasons for revocation under 42 CFR § 424.535(a)(9) and (a)(12) have been revised. The revocation reason set out under 42 CFR § 424.535(a)(9) Failure to report, has been changed. The basis for revocation has now been expanded to cover the following:

“9. Failure to report. The provider or supplier did not comply with the reporting requirements specified in § 424.516(d) or (e), § 410.33(g)(2) of this chapter, or § 424.57(c)(2). In determining whether a revocation under this paragraph (a)(9) is appropriate, CMS considers the following factors:

  1. Whether the data in question was reported.
  2. If the data was reported, how belatedly.
  3. The materiality of the data in question.
  4. Any other information that CMS deems relevant to its determination.”

Similarly, the Final Rule expands the revocation basis set out under 42 CFR § 424.535(a)(12). Rather than focus exclusively on the termination of a provider’s or supplier’s Medicaid billing privileges, under the Final Rule 42 CFR § 424.535(a)(12) the basis for revocation has been expanded to include not merely Medicaid but also adverse actions taken by any other Federal health care program. As the regulation now reads:

“12. Other program termination.

  1. The provider or supplier is terminated, revoked or otherwise barred from participation in a State Medicaid program or any other federal health care program. In determining whether a revocation under this paragraph (a)(12) is appropriate, CMS considers the following factors:
    1. The reason(s) for the termination or revocation.
    2. Whether the provider or supplier is currently terminated, revoked or otherwise barred from more than one program (for example, more than one State’s Medicaid program) or has been subject to any other sanctions during its participation in other programs.
    3. Any other information that CMS deems relevant to its determination.
  2. Medicare may not revoke unless and until a provider or supplier has exhausted all applicable appeal rights.
  3. CMS may apply paragraph (a)(12)(i) of this section to the provider or supplier under any of its current or former names, numerical identifiers or business identities.”

The Final Rule has set aside slots for future bases for revocation at 42 CFR § 424.535(a)(15) and (a)(16).

Notably, a number of new bases for Medicare enrollment revocation have now been established under the Final Rule and are set out under 42 CFR § 424.535(a)(17) through (a)(20). These new reasons for revocation include the following:

17.Debt referred to the United States Department of Treasury. The provider or supplier has an existing debt that CMS appropriately refers to the United States Department of Treasury. In determining whether a revocation under this paragraph (a)(17) is appropriate, CMS considers the following factors:

  1. The reason(s) for the failure to fully repay the debt (to the extent this can be determined).
  2. Whether the provider or supplier has attempted to repay the debt (to the extent this can be determined).
  3. Whether the provider or supplier has responded to CMS’ requests for payment (to the extent this can be determined).
  4. Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
  5. The amount of the debt.
  6. Any other evidence that CMS deems relevant to its determination.

18. Revoked under different name, numerical identifier or business identity. The provider or supplier is currently revoked under a different name, numerical identifier, or business identity, and the applicable reenrollment bar period has not expired. In determining whether a provider or supplier is a currently revoked provider or supplier under a different name, numerical identifier, or business identity, CMS investigates the degree of commonality by considering the following factors:

  1. Owning and managing employees and organizations (regardless of whether they have been disclosed on the Form CMS–855 application).
  2. Geographic location.
  3. Provider or supplier type.
  4. Business structure.
  5. Any evidence indicating that the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar

19. Affiliation that poses an undue risk. CMS determines that the provider or supplier has or has had an affiliation under § 424.519 that poses an undue risk of fraud, waste, or abuse to the Medicare program.

20. Billing from non-compliant location. CMS may revoke a provider’s or supplier’s Medicare enrollment or enrollments, even if all of the practice locations associated with a particular enrollment comply with Medicare enrollment requirements, if the provider or supplier billed for services performed at or items furnished from a location that it knew or should have known did not comply with Medicare enrollment requirements. In determining whether and how many of the provider’s or supplier’s enrollments, involving the non-compliant location or other locations, should be revoked, CMS considers the following factors:

  1. The reason(s) for and the specific facts behind the location’s noncompliance.
  2. The number of additional locations involved.
  3. Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
  4. The degree of risk that the location’s continuance poses to the Medicare Trust Funds.
  5. The length of time that the noncompliant location was non-compliant.
  6. The amount that was billed for services performed at or items furnished from the non-compliant location.
  7. Any other evidence that CMS deems relevant to its determination.

21. Abusive ordering, certifying, referring, or prescribing of Part A or B services, items or drugs. The physician or eligible professional has a pattern or practice of ordering, certifying, referring, or prescribing Medicare Part A or B services, items, or drugs that are abusive, represents a threat to the health and safety of Medicare beneficiaries, or otherwise fails to meet Medicare requirements. In making its determination as to whether such a pattern or practice exists, CMS considers the following factors:

  1. Whether the physician’s or eligible professional’s diagnoses support the orders, certifications, referrals or prescriptions in question.
  2. Whether there are instances where the necessary evaluation of the patient for whom the service, item or drug was ordered, certified, referred, or prescribed could not have occurred (for example, the patient was deceased or out of state at the time of the alleged office visit).
  3. The number and type(s) of disciplinary actions taken against the physician or eligible professional by the licensing body or medical board for the state or states in which he or she practices, and the reason(s) for the action(s).
  4. Whether the physician or eligible professional has any history of final adverse actions (as that term is defined in § 424.502).
  5. The length of time over which the pattern or practice has continued.
  6. How long the physician or eligible professional has been enrolled in Medicare.
  7. The number and type(s) of malpractice suits that have been filed against the physician or eligible professional related to ordering, certifying, referring or prescribing that have resulted in a final judgment against the physician or eligible professional or in which the physician or eligible professional has paid a settlement to the plaintiff(s) (to the extent this can be determined).
  8. Whether any State Medicaid program or any other public or private health insurance program has restricted, suspended, revoked, or terminated the physician’s or eligible professional’s ability to practice medicine, and the reason(s) for any such restriction, suspension, revocation, or termination.
  9. Any other information that CMS deems relevant to its determination.

Notably, under the Final Rule, 42 CFR § 424.535(c), the regulations setting out the rules for reapplying after a provider’s or supplier’s Medicare enrollment has been revoked, have been revised and enhanced. First, the maximum reenrollment bar for a first-time revocation has been extended to 10 years. 42 CFR § 424.535(c)(1)(i). Second, if a provider or supplier attempts to “circumvent its existing reenrollment bar by enrolling in Medicare under a different name, numerical identifier or business identity,” CMS can extend that provider’s or supplier’s existing reenrollment bar by 3 additional years. See 42 CFR § 424.535(c)(2)(i).

Moreover, under 42 CFR § 424.535(c)(3), if a provider or supplier is being revoked from Medicare a second time, CMS may choose to impose a reenrollment bar of up to 20 years. The factors to be considered by CMS when determining the proper length of a reenrollment bar are set out under 42 CFR § 424.535(c)(3), subsections (i) through (iii).

In an effort to further prevent improper attempts to reenroll in the Medicare program, 42 CFR § 424.535(c)(4) provides a reenrollment bar applies to a provider or supplier “under any of its current, former or future names, numerical identifiers or business identities.”

XII. Impact of the Final Rule on State Medicaid and CHIP Enrollment and Disclosure Practices:

Section 1902(kk)(3) of the Act,1 as amended by section 6401(b) of the Affordable Care Act, which mandates that states require providers and suppliers to comply with the same disclosure requirements established by the Secretary under section 1866(j)(5) of the Act. In other words, the increased disclosure requirements apply to providers and suppliers enrolling or revalidating in the Medicare or Medicaid programs. It also applies to changes of information that must be reported under the Final Rule.

As the Final Rule further notes, as long as they continue to work within the broad Federal framework, States have been delegated considerable flexibility in how they administer their Medicaid and CHIP programs. Ultimately, the enrollment requirements established by a State must be consistent with section 1902(a)(23) of the Act and implementing regulations at 42 CFR § 431.51. As the Final Rule reflects, as long as a State meets its obligations under 42 CFR § 431.51, it is free to:

“. . . [S]et reasonable standards relating to the qualifications of providers but may not restrict the right of beneficiaries to obtain services from any person or entity that is both qualified and willing to furnish such services.”

XIII. Due Diligence and Credentialing Risks When Enrolling, Revalidating or Submitting a Change of Information:

The affiliation disclosure requirements set out in the Final Rule are anticipated to be gradually implemented by CMS over the next three years. The agency contends that such an approach will better enable the provider and supplier communities to meet their affiliation, uncollected debt and adverse event reporting obligations. Unfortunately, the Final Rule imposes yet another unfunded obligation on participating providers and suppliers. From a practical standpoint, the implementation of the Final Rule will have an enormous impact on the credentialing process. Federal and State payors have historically used the credentialing process as their first line of defense with respect to program integrity. The disclosure obligations set out in the Final Rule are quite comprehensive. Third-party billing companies and credentialing companies handling these submissions on behalf of their provider and supplier clients will need to diligently work to better ensure that each submission is both accurate and complete before submitting the credentialing package to a Federal or State payor. On the payor side of the credentialing equation, professional credentialing companies, (such as CredSimple), will likely see an exponential increase in the demand for their verification and screening services. Moreover, we fully expect to see private payors, medical centers and hospital systems adopt program integrity safeguards similar to those outlined in the Final Rule as they take steps to protect their organizations from fraud, waste, and abuse.

XIV. Final Thoughts:

As the Final Rule details, the Affordable Care Act imposed a number of enrollment and reenrollment disclosure obligations on Medicare, Medicaid, and CHIP providers and suppliers. These revised reporting obligations are intended to prevent bad actors from circumventing the existing safeguards that had been implemented to guard against fraud, waste, and abuse. CMS estimates that it will take at least several years for the agency to revise the various versions of its CMS Form 855 enrollment applications and fully implement the new reporting obligations. The true enormity of these new obligations has yet to be realized. Affiliations, disclosable events and uncollected debts will be carefully evaluated by CMS and weighed as the agency decides whether to deny an application for enrollment or revalidation or revoke an existing provider’s or supplier’s Medicare billing privileges.

Healthcare Attorney
Jennifer Papapanagiotou,
Click here for bio

Robert W. Liles Healthcare Attorney
Robert W. Liles,
Click here for bio

Now, more than ever before, it is important for providers and suppliers to effectively conduct due diligence before hiring managerial staff, purchasing or selling an entity, appealing an alleged overpayment and / or seeking relief in bankruptcy. As the enrollment disclosure and reporting process moves towards full implementation, it will be essential for you to fully understand your obligations under the law. The attorneys at Liles Parker have extensive experience representing providers and suppliers in the provider enrollment, revalidation, change of information and change of ownership process. Our team has represented healthcare providers and suppliers around the country in the appeal of Medicare termination actions, enrollment denials, and the revocation of an entity’s billing privileges.
Questions? Give Robert Liles or Jennifer Papapanagiotou a call. For a free consultation, we can be reached at: 1 (800) 475-1906.

  • [1] 42 CFR § 424.516.
  • [2] CMS is the single largest health care insurance payor in the country. Approximately 90 million individuals are currently covered by Medicare, Medicaid and / or the Children’s Health Insurance Program (CHIP) programs.
  • [3] 71 FR 20754.
  • [4] 76 FR 5861.
  • [5] 81 FR 10720.
  • [6] The Final Rule is effective on November 4, 2019.
  • [7] 84 FR 47794, 47797.
  • [8] 84 FR 47794, 47803.
  • [9] 84 FR47794, 47802.
  • [10] Under 42 CFR § 424.502, the term “managing employee” means:“a general manager, business manager, administrator, director, or other individual that exercises operational or managerial control over, or who directly or indirectly conducts, the day-to-day operation of the provider or supplier, either under contract or through some other arrangement, whether or not the individual is a W-2 employee of the provider or supplier.”
  • [11] 84 FR 47794, 47803, 47805. In light of the concerns raised, CMS will be adopting a “phased-in” approach to complying with the requirements under 42 CFR §?424.519(b). Under this phased-in approach, CMS will first be revised Form CMS-855 to cover the various disclosures required under the Final Rule. Initially, providers and suppliers will not be required to disclose affiliations under 42 CFR §?424.519(b) unless CMS asks for this information. While this approach will initially relieve providers and suppliers of the disclosure burden, CMS notes that this is not meant to be a permanent exemption. Ultimately, providers and suppliers will be required to report any affiliations with one or more disclosable events.
  • [12] 84 FR 47794, 47807.
  • [13] CMS acknowledges in its response to comments in the Final Rule that the additional sub-regulatory guidance is needed to further clarify the “knew or should have known” standard. See 84 FR 47794,47811.
  • [14] This is similar to CMS’ new expanded authority to deny enrollment if an owner or managing employee of a provider or supplier is under a payment suspension by Medicare or a state Medicaid program. Under this new denial authority, CMS will examine the degree of commonality between the applicant and other revoked providers and suppliers, looking specifically at the owning and managing employees and organizations of the applicant and a revoked provider or supplier, the applicant and revoked provider’s or supplier’s geographic location, provider or supplier type, business structures, and “any evidence indicating the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar.” 84 FR 47794, 47823.