The Centers for Medicare & Medicaid Services (“CMS”) recently issued a final rule with comment period (CMS-6058-FC) implementing statutory provisions that afford CMS new denial and revocation authorities related to Medicare enrollment. The final rule, published on September 10, 2019, allows CMS to deny or revoke a provider’s or supplier’s Medicare enrollment due to the provider’s or supplier’s affiliation with an individual or entity that, in CMS’s determination, poses an undue risk of fraud, waste, or abuse. It also allows CMS to revoke a provider’s or supplier’s enrollment based upon the entity’s own actions or circumstances, including but not limited to a provider’s unresolved debt that has been referred to the Treasury Department.
A provider or supplier may have its enrollment revoked if CMS finds that its affiliation with another individual or entity poses an undue risk of fraud, waste, or abuse. “Affiliation” is defined expansively, ranging from a general or limited partnership interest that an individual or entity has in another organization to any interest in which an individual is acting as an officer or director of a corporation, among other relationships. Additionally, a provider or supplier will be required to disclose affiliations with persons or entities that have “disclosable events” if prompted by CMS upon initial enrollment or revalidation. A person or entity has a disclosable event when it has an uncollected debt or is subject to a payment suspension, exclusion by OIG, or a Medicare, Medicaid, or CHIP enrollment denial, revocation, or termination.
If CMS requests that a provider or supplier disclose affiliations and the entity fails to accurately and completely comply, CMS may take action. In determining whether a provider or supplier complies with a disclosure request, CMS has adopted a “knew or should have reasonably known” standard. When pushed as to what methods might meet such a standard, CMS responded that providers and suppliers must look beyond solely public data base searches in obtaining affiliation data, and they may have to review internal records and contact affiliates. In response to commenters who expressed significant concern regarding how to interpret the “reasonableness” standard, CMS stated it would issue subregulatory guidance at some point in the future clarifying expectations regarding the level of effort required under the “reasonableness” standard.
CMS confirmed that if it were to revoke or deny a provider’s or supplier’s Medicare enrollment under this enforcement authority, information regarding the reasons for the “undue risk” determination would be included in the ultimate denial or revocation letter sent to the provider or supplier. However, that information will not be shared with the provider or supplier beforehand. CMS reiterated multiple times that it would only take action against a provider or supplier after very careful review of the risk factors outlined at 42 CFR § 424.519(f). It also indicated that subregulatory guidance may be issued to further clarify the process by which undue risk determinations will be made.
In addition to the risk posed by a provider’s or supplier’s affiliations, an entity’s own actions could cause CMS to deny or revoke its Medicare enrollment. The final rule authorizes CMS to deny or revoke a provider’s or supplier’s Medicare enrollment if the provider or supplier (a) has been subject to revocation under a different name or identity, (b) has billed or performed services at a location it knew or should have known did not comply with enrollment requirements, (c) has abusive prescribing or ordering practices that threaten beneficiaries, (d) has an existing debt that has been referred to the Department of Treasury, (e) has been terminated or suspended by another state or federal health care program, or (f) has had its license currently revoked or suspended in another state. Additionally, the final rule expands CMS’s authority over revoked providers by increasing the maximum reenrollment bar in various circumstances.
Practically speaking, CMS may take adverse action against a provider’s or supplier’s enrollment before the entity has exhausted its appeal rights. For example, while a provider undergoes the appeals process related to outstanding debt, which can be lengthy, the provider’s debt in question could be referred to the U.S. Department of Treasury for collection. Since an existing debt is a reportable event that might result in revocation or denial, it’s possible that Medicare enrollment could be revoked before a provider or supplier has exhausted its appeal rights. And although CMS has clarified that appeal rights would apply to a denial or revocation under these new enforcement authorities, such appeals could involve a drawn-out process for a provider for which there is no guarantee of success. Accordingly, the final rule, although aimed at combatting fraudsters attempting to circumvent the system, could have significant adverse implications for providers and suppliers acting in good faith. It unquestionably will result in substantial additional provider and supplier time spent in identifying and reducing problematic affiliations.
The final rule is effective November 4, 2019 and comments are due on the same day.
 This alert focuses on the Medicare program. Although the final rule also applies to Medicaid and CHIP, states must take further steps to implement this rule. Those steps are outside the scope of this alert.