On November 4, 2019, CMS’ new regulations regarding Medicare provider enrollment and program integrity became effective. Originally proposed in 2016, these changes were authorized by the Affordable Care Act and spurred by CMS’ longstanding concern about Medicare-enrolled providers or suppliers that engage in fraudulent or abusive practices and then depart the program with large amounts of accumulated debt – only to then resurface in a different capacity or shift their activities to an affiliated Medicare entity. Frustrated by its limited reach to thwart this type of circumvention, CMS hopes that its new authority pursuant to these regulations will allow it to take more immediate action to prevent bad actors from using the “provider or supplier organization as a shield for their conduct.”

The new regulations require certain disclosures during the Medicare, Medicaid, and Children’s Health Insurance Programs (“CHIP”) enrollment process, and provide CMS with related enforcement authority. The purpose of the new disclosure requirements is to identify individuals and entities that pose a risk to the programs based on their relationships with previously sanctioned entities. Specifically, “upon a CMS request,” a provider or supplier that is either initially enrolling in, or revalidating its enrollment, must disclose any affiliations that it, or any of its owning or managing employees or organizations, either currently has or has had during the past five years with any currently or formerly enrolled provider or supplier that has had a “disclosable event.”

A “disclosable event” is defined to mean that the provider or supplier:

• currently has uncollected debt to Medicare, Medicaid, or CHIP (overpayments for which CMS or the state has sent notice of the debt, civil money penalties, or assessments);

• has been or is subject to a payment suspension under a federal health care program;

• has been or is excluded by the OIG from participation in Medicare, Medicaid, or CHIP; or

• has had its Medicare, Medicaid, or CHIP enrollment denied, revoked, or terminated.

The rule also adds a definition for “affiliation,” which is defined broadly to mean:

• a 5% or greater direct or indirect ownership interest that an individual or entity has in another organization;

• a general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization;

• an interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization, either under contract or through some other arrangement;

• an interest in which an individual is acting as an officer or director of a corporation; or

• any reassignment relationship.

Interestingly, CMS is requiring that providers and suppliers look back five years to assess their affiliations, but there is no restriction on the timing of the occurrence of the disclosable event. A provider would have to disclose an affiliation with an individual who was subjected to a Medicare payment suspension 10 years ago – even if that affiliation has since been terminated. Since information regarding overpayments, payment suspensions, and enrollment denial, revocation, or termination are not easily publicly available, collection of this information will undoubtedly prove challenging, at the very least. CMS is requiring providers and suppliers to report disclosable events about which they reasonably “knew or should have known,” but plans to issue additional guidance regarding how providers and suppliers should collect this information.

CMS adopted a “phased in” approach to implementing the disclosure requirement. While it ultimately anticipates implementing the requirement for all providers and suppliers that participate in Medicare, Medicaid, or CHIP, the regulations currently only apply to those providers and suppliers that CMS has determined currently have at least one disclosable affiliation. Such a provider or supplier will have to report all disclosable affiliations upon request by CMS.  CMS is expected to revise the current Form CMS-855, the Medicare enrollment application, to permit the required disclosures.

The regulations also vest CMS with authority to deny new enrollment or revoke existing enrollment based on failure to comply with the new disclosure requirements and based on the content of the disclosures. Pursuant to the regulations, after receiving the required information, CMS is to determine whether any of the disclosed affiliations pose an “undue risk of fraud, waste, or abuse.” CMS will consider various factors to determine whether this standard is met, particularly focusing on the length and period of the affiliation, the nature and extent of the affiliation, and the type and timing of the disclosable event. If “undue risk” exists, CMS may deny the provider’s or supplier’s enrollment application, or revoke the provider’s or supplier’s Medicare enrollment.

Although CMS arguably will not ask most providers and suppliers to make these disclosures during the first phase of implementation, the publication of the new regulations pose an opportunity for providers and suppliers to conduct internal audits to ensure that they are aware of any potential disclosable events and to implement internal systems to ensure that disclosable events are tracked going forward. Notably, the broad definition of “affiliation” captures not only owners, board members, directors, and investors, but also any practitioner who reassigns benefits to the disclosing entity. Given the breadth of information that could potentially be requested and given CMS’ anticipated universal roll-out of the disclosure requirements, preparing now is advisable.