CMS finalizes new Medicare and Medicaid anti-fraud measures

Fraud on government health benefit programs has been a major problem for decades. Despite enormous resources deployed at both the federal and state levels to recover moneys fraudulently obtained and to hold the perpetrators accountable, programs such as Medicare and Medicaid continue to be billed for and pay out claims for items or services that were not actually provided, or that were not necessary or appropriate for the patient, or that were provided pursuant to an illegal kickback or self-referral scheme.

A major part of this fraud problem clearly has been the fact that the programs’ fiscal intermediaries (FI) usually pay out these claims, and then the FI or the government itself must take steps to retrieve the improper payments and punish the perpetrators. The audits, investigations, and subsequent criminal and civil actions and debarment proceedings can take years. Another significant problem is that some perpetrators, after being caught and excluded from the programs, manage to get back into business under different names or by exercising behind-the-scenes control of other participating providers or suppliers (hereinafter collectively “providers”).

Now, however, the federal Centers for Medicare and Medicaid Services (CMS) has finalized sweeping new rules that have been in the works since the Obama administration giving CMS more authority to prevent fraud by keeping problem providers from enrolling in Medicare, Medicaid or the Children’s Health Insurance Program (CHIP), or removing them more expeditiously and barring them from applying for re-enrollment for longer periods of time. The final rule, known as the Program Integrity Enhancements to the Provider Enrollment Process (CMS-6058-FC), takes effect on Nov. 4, 2019.

Affiliations

Under the final rule, all providers that participate in Medicare, Medicaid or CHIP must disclose any current or past “affiliations” with any organization that has any of the following “disclosable events”:

• currently has an uncollected debt to Medicare, Medicaid or CHIP regardless of the amount, or whether the debt is currently being repaid or appealed;
• has been or is subject to a payment exclusion under a federal health care program regardless of when the payment suspension occurred or was imposed;
• has been or is excluded by the Office of Inspector General from participation in Medicare, Medicaid or CHIP, regardless of whether such exclusion is currently being appealed or when it occurred or was imposed; or
• has had its Medicare, Medicaid or CHIP enrollment denied, revoked or terminated regardless of the reason, or whether it is currently being appealed, or when it occurred or was imposed.

This disclosure must be made as part of a provider’s initial enrollment application and when they revalidate. CMS is in the process of updating its 855 enrollment and revalidation form to accommodate such disclosures.

The final rule defines a participating provider’s “affiliation” as including:

• a 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization;
• a general or limited partnership interest—regardless of percentage—that an individual or entity has in another organization;
• an interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day to day operations of another organization either under contract or some other arrangement;
• any interest in which an individual is acting as an officer or director of a corporation; and
• any re-assignment relationship under 42 CFR 424.80.

As examples, a Medicare-participating hospital would have to disclose to CMS if a director or trustee has a 5 percent or more ownership interest in another entity that owes a Medicare repayment or has been under a Medicare payment exclusion. A hospital would also have to disclose whether a physician who re-assigns his or her Medicare payment to the hospital owes a Medicare repayment, has been subject to a payment exclusion, or has any other disclosable event.

Once a provider discloses the required information, CMS is to determine whether any of the disclosed affiliations “poses an undue risk of fraud, waste or abuse” by considering the following factors:

• the duration of the affiliation;
• whether the affiliation is continuing, or if not, when it ended;
• the degree and extent of the affiliation;
• the reason for the termination, if any, of the affiliation;
• the circumstances of the affiliated provider’s disclosable event; and
• any other evidence that CMS deems relevant to its determination.

The final rule also authorizes CMS to deny an enrollment application or to revoke an existing enrollment if:

• a provider circumvents rules by coming back or attempting to come back into the program under a different name;
• a provider bills for services/items from non-compliant locations;
• a provider exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services or drugs; or
• a provider has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.

The provision regarding billing from a non-compliant location is particularly severe. The final rule states that CMS can revoke a provider’s Medicare enrollment “if the provider billed for services performed at or items furnished from a location that it knew or should have known did not comply with Medicare enrollment requirements.” This penalty can be imposed even if all of the provider’s other practice locations comply with Medicare’s enrollment requirements.

In determining whether enrollment should be revoked due to a non-compliant location or locations, the final rule states that CMS will consider the following factors:

• the reason(s) for and the specific facts behind the location’s non-compliance;
• the number of additional locations involved;
• whether the provider has any history of final adverse actions or Medicare or Medicaid payment suspensions;
• the degree of risk that the location’s continuance poses to the Medicare Trust Funds;
• the length of time that the non-compliant location was non-compliant;
• the amount that was billed for services performed at or items furnished from the non-compliant location; and
• any other evidence that CMS deems relevant to its determination.

The final rule also targets “ordering, certifying, referring, or prescribing of Part A or B services, items or drugs” by physicians or other practitioners “that is abusive, represents a threat to the health and safety of Medicare beneficiaries, or otherwise fails to meet Medicare requirements.” An obvious example of such abuse would be a practitioner who has over-prescribed opioid medications.

The final rule sets forth the factors that CMS can consider in determining whether abuse by a practitioner has occurred:

• whether the practitioner’s diagnoses support the orders, certifications, referrals or prescriptions in question;
• whether the necessary evaluation of the patient occurred during a legitimate office visit;
• the number and types of disciplinary actions taken against the practitioner by a state licensing or medical board, and the reasons therefor;
• whether the practitioner has any history of final adverse actions;
• the length of time over which the pattern or practice in question continued;
• how long the practitioner has been enrolled in Medicare;
• the number and type(s) of malpractice suits filed against the practitioner related to ordering, certifying, referring or prescribing that have resulted in either a final judgment or settlement;
• whether any state Medicaid program or any other public or private health insurance program has restricted, suspended, revoked or terminated the practitioner’s ability to practice, and the reason(s) for same; and
• any other information that CMS deems relevant to its determination.

Penalties

CMS states that its new affiliations disclosure requirements allow it to identify individuals and organizations that pose an undue risk of fraud, waste or abuse based on their relationship with other previously sanctioned individuals or entities:

For example, a currently enrolled or newly enrolling organization that has an owner/managing employee who is “affiliated” with another previously revoked organization can be denied enrollment in Medicare, Medicaid and CHIP or, if already enrolled, can have its enrollment revoked because of the problematic affiliation.

CMS Press Release, “CMS Announces New Enforcement Authorities to Reduce Criminal Behavior in Medicare, Medicaid and CHIP” (Sept. 5, 2019).

The failure of a participating provider to “fully and completely disclose” required information to CMS when it “knew or should have reasonably known” of this information can result in the denial of the provider’s initial Medicare enrollment application or the revocation of its existing Medicare enrollment.

Re-application after revocation

The final rule imposes new obstacles to re-enrollment for providers that have had their Medicare enrollment revoked. Previously, CMS could prevent revoked providers from re-applying for up to three years. The final rule authorizes CMS to block revoked providers from re-enrolling in Medicare for up to 10 years. CMS can also add up to three more years to a provider’s re-enrollment bar (even if it exceeds the 10-year period) if it determines that the provider is attempting to circumvent its existing enrollment bar by enrolling in Medicare under a different name, numerical identifier, or business entity.

Moreover, under certain circumstances, CMS may revoke any and all of a provider’s Medicare enrollments, whether under different names, numerical identifiers, or business entity. In other words, if a pharmacy and a durable medical equipment company are under common ownership, and the pharmacy’s Medicare enrollment is revoked because of abuse, the medical equipment company’s Medicare enrollment can also be revoked. If a provider has been revoked from Medicare enrollment for a second time, CMS can now block that provider from re-enrolling in Medicare for up to 20 years.

Analysis

As noted earlier, the final rule takes effect on Nov. 4, 2019, which is also the last day for submitting comments to the final rule. The disclosure requirement applies to any affiliation going back up to five years, regardless of whether the affiliation has been terminated.

Providers will have to take steps to protect themselves. It is advisable, for example, to add a reporting requirement of any “disclosable event” to any governing board disclosure forms. Contracts with any individual or entity that qualifies as an “affiliation” should include a disclosure clause requiring the affiliate to inform the provider about any “disclosable event” so the provider can report it to CMS. The same applies to any re-assignment agreement with any physician.

The final rule will place new stresses on already busy compliance officers, require providers to implement new policies and procedures, and result in more paperwork. As some public commenters have pointed out, among the difficulties presented by the final rule is the fact that, while there are public data bases identifying providers who have been excluded from Medicare and Medicaid, there is no public database identifying those whose Medicare enrollments have been denied, revoked or terminated, or who have an uncollected debt to Medicare, Medicaid or CHIP. Thus, many providers will have to depend upon their affiliates to act in good faith and timely inform the providers of any disclosable event(s).

Francis J. Serbaroli is a shareholder in Greenberg Traurig and the former vice chair of the New York State Public Health Council.