Medicare Proposal to Curb Fraud and Abuse Through Enhancements to Enrollment Process

September 28, 2010

CMS has just released a proposed rule implementing provisions in the Affordable Care Act (ACA) which give CMS additional authority to curb fraud and abuse in the Medicare and Medicaid programs. The proposed rule includes 1) enrollment moratoria; 2) increased authority to suspend Medicare payment; and 3) enhanced screening procedures including fingerprinting and criminal background checks for certain “high risk” providers. The proposal would also impose a $500 application fee for all new and revalidating providers/suppliers including enrollment of a new location. Physicians and non-physician practitioners are exempt from the new fee which applies to all other entities. Of particular concern, as described below, is the apparent unlimited authority of CMS and the OIG to implement moratoria on enrollment and approval of new locations and the right to indefinitely suspend payment if fraud is suspected, with very limited due process rights to challenge the suspension.

The proposed rule was published in the September 23, 2010 Federal Register (75 Fed. Reg. 58204) and can be viewed at http://frwebgate3.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=ifq15J/0/2/0&WAISaction=retrieve.

CMS is accepting public comments on the proposal until November 16, 2010.

1. Moratoria on Enrollment: The ACA gives CMS the authority to impose temporary moratoria on the enrollment of new Medicare, Medicaid and CHIP providers and suppliers to prevent fraud, waste and abuse. A moratorium can be limited to a particular provider/supplier type and to a particular geographic area. However, any type of provider/supplier could be the subject of an enrollment moratorium. The ACA also gives States the right to impose enrollment moratoria, numerical caps and other limits for Medicaid providers identified by the Secretary as being at high risk for fraud, waste, or abuse. CMS gives, as examples of evidence of fraud, waste or abuse that might justify imposition of a moratorium, a disproportionate number of providers or suppliers in a category relative to the number of beneficiaries or a rapid increase in enrollment applications within a category. CMS will collaborate with HHS Office of Inspector General and the Department of Justice in imposing moratoria.

Moratoria would be limited to newly enrolling providers/suppliers and new practice locations (not changes in address) of existing providers/suppliers. Moratoria would be imposed for 6 months and could be extended in 6 month increments as needed. Any provider/supplier who submits an enrollment application that is covered by a moratorium would have its application denied. In appealing the denial, the provider or supplier would be limited to the issue of whether the moratoria applied to it. CMS does not state whether providers/suppliers would be given advance notice of a pending moratorium or whether it would apply to pending applications. Nor does the proposal does not set forth any specific criteria the agency would have to meet to justify imposition or a moratorium or to justify continuing it beyond the initial 6 months and there is no mechanism for challenging the moratorium.

2. Suspension of Payment: CMS already has authority to suspend payments for 180 days in cases of suspected fraud with a one-time extension of another 180 days. The ACA added a provision which allows suspension of Medicare payments pending an investigation of “credible allegations of fraud” and which requires the Secretary to consult with the HHS OIG in determining if a credible allegation of fraud exists. CMS is using this new statutory authority to eliminate the 180 limit in the current regulations. Thus, as proposed, payment could be suspended indefinitely or at least until CMS concludes its investigation. CMS states that it will monitor suspensions and request certification from the OIG that a matter is still under investigation. CMS proposes to define a “credible allegation of fraud” to include “an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil false claims cases, and law enforcement investigations.” “Allegations are considered to be credible when they have indicia of reliability.” Reliability will be determined by CMS or its contractors who should “act judiciously” when contemplating payment suspension. Thus, there is a high degree of subjectivity as to whether an allegation is credible and it is unclear at what level such determinations would be made.

A provider/supplier subject to a payment suspension is given the opportunity to submit a rebuttal statement. The agency (or its contractor) then rules on the rebuttal statement and that decision cannot be further appealed. Similar provisions apply with respect to suspensions of Medicaid payments by state Medicaid agencies.

3. Enhanced Screening

Section 6401 of the Affordable Care Act (ACA) requires HHS to establish enhanced screening of providers during the enrollment process using levels of risk and specifically states that the screening can include fingerprinting and criminal background checks as well as unannounced site visits. It also requires CMS to conduct licensure checks.

Medicare already conducts licensure checks and, for some entities, site visits in connection with enrollment and re-enrollment; the fingerprinting and criminal background checks would be new however.

The Agency proposes to establish 3 tiers of risk: limited, moderate, and high. The type of screening procedures used would be determined based on the level of risk. Assignment to a risk tier is based on the type of provider. (See Table below)

Limited risk providers/suppliers include physician and non-physician practitioners (e.g. nurse practitioners, physician assistants) and their group practices as well as hospitals, skilled nursing facilities, ambulatory surgery centers and a variety of other providers. Limited risk providers would be screened for compliance with Medicare requirements for their type of provider and compliance with state licensure. They would not be subject to site visits, fingerprinting, or criminal background checks or unannounced site visits. Any provider/supplier that is a company publically traded on the NYSE or NASDAQ is automatically considered limited risk.

Comment: This portion of the rule will have little or no impact on physicians and hospitals since it does not represent a change from current enrollment screening practices.

Moderate Risk providers/suppliers include, among others, CORFs, independent diagnostic testing facilities and hospices. DMEPOS suppliers (including O & P suppliers) and home health agencies that are already enrolled in Medicare would be treated as moderate risk when they re-enroll or revalidate their enrollment (unless publically traded, as mentioned above). Moderate risk providers would be subject to the same screening as limited risk except that they would also have an unannounced site visit.
High Risk providers/supplier include prospective DMEPOS suppliers and home health agencies seeking to enroll in the Medicare program. These providers would be subject to the screening requirements applicable to low and moderate risk providers plus fingerprinting and criminal background checks for owners and managing employees. This enhanced or “high risk” screening would also apply to existing DMEPOS suppliers or HHAs seeking to add new locations. CMS points to GAO and OIG reports of widespread fraud in the DMEPOS and home health fields as the justification for the high risk treatment of these providers.

CMS would change a provider to a higher risk level where there is evidence of specific program vulnerabilities including, for example, having been placed on previous payment suspension, having been excluded from Medicare or having had billing privileges denied or revoked. In addition, providers and suppliers that were the subject of a moratorium (see discussion below) would be treated as high risk for 6 months after the moratorium is lifted. This would affect revalidations of existing providers/suppliers well as new applicants.

Type of Screening	Limited	Moderate	High
Verification of any provider/supplier specific requirements established by Medicare	X	X	X
Conduct license verifications (may include checks across States)	X	X	X
Database Checks (to verify SSN, NPI, National Practitioner Data Bank licensure, OIG exclusion, tax payer ID number, tax delinquency, death of individual practitioner, owner, authorized official, delegated official or supervising physician.	X	X	X
Unscheduled or Unannounced Site Visits		X	X
Criminal Background Check			X
Fingerprinting			X

Fingerprinting: CMS believes that fingerprinting will help reveal cases of identity fraud as well as prevent those with criminal convictions from participating in Medicare and in Medicaid. It is only being proposed for what CMS considers to be “high risk” providers which would be limited to providers of DME and Orthotics and Prosthetics (DMEPOS) and home health agencies, but only if they are newly enrolling. The agency seeks comments on whether fingerprinting will be useful in preventing fraud and whether there are other identification techniques that should be considered.

Fingerprinting would be required for all owners and managing employees of “high risk” entities and would have to be furnished through a FD-258 fingerprint card obtained from local or state law enforcement agencies. CMS estimates that the average fee charged by local and state agencies is $50 per person and that obtaining the card will take, on average, two hours per person.

Fingerprinting would only apply to providers such as hospitals and physicians if they were moved into the high risk category by CMS.

Criminal Background Checks: CMS is proposing to require criminal background checks for all owners and managing employees of a high risk entity including individuals identified as authorized or delegated officials on the enrollment form. The background check would be performed by CMS or its contractor. The criminal background is to assist CMS in determining whether an individual submitted a truthful Medicare enrollment application and whether the individual is eligible to enroll in the Medicare program or maintain billing privileges.

The Medicare enrollment form (CMS-855) requires entities to self-disclose a wide range of convictions or other adverse actions of their owners or managing employees. However CMS does not normally run a criminal background check to confirm the information provided. Individuals who have, within 10 years of applying for enrollment, been convicted of crimes related to, among other things, tax fraud or evasion, controlled substances, embezzlement, and any crimes related to federal health care programs, can be excluded from Medicare participation.

CMS does not explain, in the preamble to the proposed regulations, exactly how it would use the information obtained through criminal background checks – in particular how it would treat convictions that are not among those which are the basis for exclusion from Medicare or Medicaid but which might raise concerns about whether the individual should be participating in the Medicare or Medicaid programs. Nor do the proposed regulations state whether or when CMS will inform the individual that a criminal background check is to be performed or the results of that check.

As noted above, criminal background checks would normally not apply to physicians or hospitals. A physician could be subject to a background check if he/she were an owner or managing employee of a high risk provider such as a home health agency or DMEPOS supplier.

4. Application Fees: Effective March 23, 2011, prospective providers/suppliers and revalidating providers/suppliers will be required to pay an application fee when they submit an enrollment application to Medicare. The fee in 2011 is $500 updated by the consumer price index. The fee is also required for revalidation of existing providers and enrollment of a new practice location. Physicians and non-physician practitioners (e.g. nurse practitioners, physician assistants) and their group practices are statutorily exempted from the application fee. All other providers/suppliers who enroll in Medicare would be required to pay the fee.

5. ACA-Mandated Ethics and Compliance Program: the ACA requires providers and suppliers, as a condition of enrollment in Medicare, Medicaid or CHIP, to establish a compliance program that contains certain core elements. The effective date of this provision is up to the Secretary. CMS is not proposing to implement this requirement at this time but is soliciting views as to what the core elements of an ethics and compliance program should be. As a starting point, it suggests the seven elements of an effective compliance and ethics program described in the U.S. Federal sentencing Guidelines Manual.

For more information, contact Rebecca Burke at 202.466.6550.