On Sept. 5, the Centers for Medicare & Medicaid Services (CMS) issued a final rule that "strengthens the agency's ability to stop fraud before it happens by keeping unscrupulous providers and suppliers out of our federal health insurance programs," including Medicare, Medicaid and the Children's Health Insurance Programs (CHIP) (collectively, FHCP). The final rule, program integrity enhancements to the provider enrollment process (CMS-6058-FC) (final rule), creates several new revocation and denial authorities to strengthen CMS' efforts to stop fraud and abuse, including a new "affiliations" authority that allows CMS to identify individuals and organizations that pose an undue risk of fraud, waste and abuse based on their relationships with other previously sanctioned entities. For example, a currently enrolled or newly enrolling organization that has an owner or managing employee who is "affiliated" with another previously revoked organization can be denied enrollment in the FHCPs or, if already enrolled, can have its enrollment revoked because of the problematic affiliation. The final rule takes effect on Nov. 4.

The final rule, which is a first-of-its-kind action by CMS to stop fraudsters before they get paid, marks a critical step forward in CMS' longstanding fight to end "pay and chase" in federal health care fraud efforts and replace it with effective and proactive measures. This progressive action is part of the Trump administration's ongoing effort to safeguard taxpayer dollars and protect the integrity of the CMS programs that millions rely on. CMS hopes to address gaps and vulnerabilities in the provider enrollment system when it comes to identifying "bad actors"—those who have real and demonstrable histories of conduct and relationships that pose an undue risk to taxpayers, patients and program, beneficiaries—within Medicare, Medicaid and CHIP.

"For too many years, we have played an expensive and inefficient game of 'whack-a-mole' with criminals—going after them one at a time—as they steal from our programs. These fraudsters temporarily disappear into complex, hard-to-track webs of criminal entities, and then re-emerge under different corporate names. These criminals engage in the same behaviors again and again," said CMS administrator Seema Verma. "Now, for the first time, we have tools to stop criminals before they can steal from taxpayers. This is CMS hardening the target for criminals and locking the door to the vault. If you're a bad actor you can never get into the program, and you can't steal from it."

Specifically, the final rule requires applicants to disclose information regarding such affiliations with individuals or entities who: have been excluded, terminated or suspended from participation in FHCPs; have had billing privileges in FHCPs denied, revoked, or terminated; have been subjected to FHCP payments suspension; or have uncollected debt to FHCP.

Interestingly, however, the timing of the disclosable event is irrelevant, except for a current uncollected debt.  In other words, if the enrolled or enrolling provider or supplier had an affiliation with a provider/supplier in the past five years, and that provider/supplier at any point —prior to or after the termination of the affiliation—had a payment suspension, exclusion or a denial, revocation or termination of billing privileges, the affiliation must be disclosed to CMS.

The final rule also includes other authorities that will improve CMS's fraud-fighting capabilities by providing a basis for administrative action to revoke or deny Medicare enrollment if the provider or supplier: is currently revoked and uses different names or numbers to participate in FHCPs (e.g., the provider attempts to "reinvent" itself); is billing for items or services provided at locations out of compliance with FHCP billing requirements; is engaging in abusive practices, fails to satisfy FHCP requirements, or is a threat to patient health and safety; or has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.

Additionally, the final rule gives CMS the ability to prevent applicants from enrolling in the program for up to three years if a provider or supplier is found to have submitted false or misleading information in its initial enrollment application. Furthermore, the final rule expands the re-enrollment bar that prevents fraudulent or otherwise problematic providers from re-entering the Medicare program. Any provider or supplier whose enrollment has been revoked once will not be permitted to re-enroll for up to ten years. An applicant whose enrollment has been revoked twice will not be permitted to re-enroll for up to 20 years.

Although CMS has issued the final rule with an included comment period, it will be enforcing new requirements via a "phased-in" approach. This is because growing concerns from healthcare providers during the comment period over the burden of collecting and evaluating so much affiliate information and meeting new guidelines persuaded CMS to ease into all of the requirements of the new rule. In fact, many components of the new rule are currently incomplete for providers to disclose information during the enrollment process.

The final rule will also require CMS to revise its current enrollment applications (forms CMS-855) to accommodate the required disclosures, which CMS notes will require notice and comment rulemaking. During the initial phase, CMS will only be requiring providers and suppliers to disclose affiliations if CMS determines that the provider or supplier has at least one affiliation that includes any of the four disclosable events, and will specifically request the provider or supplier to submit more information. Expansion of disclosure requirements are scheduled to move forward, and healthcare organizations must be prepared to meet these new requirements if the affiliations authority can be applied.

Comments to the final rule must be received by 5 p.m. EST on Nov. 4. CMS is encouraging all providers and suppliers to carefully review the final rule and consider submitting comments, and to consider implementing enhancements to the background diligence process and review the effectiveness of certain key compliance areas.

—Rachel E. Lusk, an associate at the firm, who focuses her practice on health law and health care litigation, assisted with preparing this article.

Vasilios J. Kalogredis is chairman of Lamb McErlane's health law department. He represents many medical and dental groups and thousands of individual physicians and dentists.