On February 2, 2011, the Centers for Medicare and Medicaid Services (CMS) issued its final rules establishing new screening requirements for enrollees in Medicare, Medicaid, and the Children’s Health Insurance Programs (CHIP) pursuant to Section 6401(a) of the Patient Protection and Affordable Care Act. The final rule dictates a three-tiered screening process for providers and suppliers broken down into three categories: “limited,” “moderate,” and “high” risk. In establishing these risk levels, CMS drew from its own experience as well as that of other entities in identifying and investigating fraudulent billing practices. Each risk category assigned to a provider or supplier type imposes a different level of screening measures by CMS.
The “limited” risk category includes physicians or non-physician practitioners, medical groups, ambulatory surgery centers (ASCs), federally qualified health centers, hospitals, end stage renal facilities, mammography screening centers, radiation therapy centers, rural health clinics, and skilled nursing facilities. For providers or suppliers posing a “limited” risk, Medicare contractors will verify that the provider or supplier meets all of the applicable federal and state regulations, conduct license verifications (including verifications across state lines), and conduct database checks on a pre- and post-enrollment basis to ensure providers and suppliers continue to meet criteria.
Providers and suppliers posing “moderate” risk include independent diagnostic testing facilities, community mental health centers, comprehensive outpatient rehab facilities, hospice organizations, and independent clinical laboratories. However, CMS provides some exceptions to currently enrolled providers and suppliers outlined in this paragraph that would be classified as “limited” risk. Providers and suppliers classified as “moderate” risk will be subject to all of the screening performed at the “limited” risk level as well as unscheduled or unannounced on-site visits.
The “high” risk category will impose the same level of screening as the “moderate” risk level but also will require the provider/supplier to submit a set of fingerprints for a national background check as well as an FBI criminal history record check from all individuals who maintain a 5 percent or greater direct or indirect ownership interest in the provider or supplier. In the final rule, CMS identified newly enrolling home health agencies and durable medical equipment companies as “high” risk. However, this classification should not be ignored by providers and suppliers simply because they are not identified by CMS as “high” risk.
The final rule allows CMS to adjust a screening level of a provider or supplier from “limited” or “moderate” to “high” upon occurrence of specific events including if the provider or supplier: (1) has a payment suspension at any time in the last 10 years; (2) has been excluded from Medicare by the Office of Inspector General (OIG); (3) has had its billing privileges revoked by a Medicare contractor within the last 10 years and is attempting to establish additional Medicare billing privileges; (4) has been terminated or otherwise precluded from billing Medicaid; (5) has been excluded from any federal healthcare program; or (6) has been subject to any final adverse action (as defined in 42 CFR 424.502) within the last 10 years.
In addition to assigning risk levels, CMS will also have the ability to issue a temporary moratorium on enrollment of new Medicare providers and suppliers in six-month increments in situations where: (1) CMS identifies a trend that appears to be associated with a high risk of fraud; (2) a state has imposed a moratorium on enrollment in a particular geographic area or on a particular provider/supplier type or both; or (3) CMS, working with OIG, identifies fraud and abuse in the Medicare program of a particular provider/supplier type or a geographic area. The announcement of the implementation of the moratorium would be made in several press releases including the CMS webpage under the provider/supplier enrollment.
Lastly, the final rule addressed the compliance program requirements set forth in Section 6401 of PPACA, which prescribes that, as a condition of enrolling in Medicare, Medicaid, or CHIP, providers and suppliers must establish compliance programs that meet certain “core elements.” At this time, CMS neither finalized the rules on mandatory compliance nor provided any identification of the “core elements” that must be included in such a program. However, CMS advised it will use the seven elements of an effective compliance and ethics program described in the Federal Sentencing Guidelines Manual as a basis for the “core elements.” While the final rule did not finalize the compliance plan requirements, providers and suppliers should remain attentive to the developments of the core elements to ensure full compliance with the future rule.
Conrad Meyer is a Special Partner in Charge of the Health Law Section of Chaffe McCall, LLP. Mr. Meyer focuses his health care practice on regulatory, compliance and transactional matters.