Recently, the Centers for Medicare and Medicaid Services announced a final rule that “strengthens the agency’s ability to stop fraud before it happens by keeping unscrupulous providers out of our federal health insurance programs”. According to CMS, the Program Integrity Enhancements to the Provider Enrollment Process (CMS-6058-FC) aims to reduce a “pay and chase” model for investigating fraud in the federal healthcare program.
CMS hopes to address gaps and vulnerabilities in the provider enrollment system when it comes to identifying bad actors and vendor and owner deception within Medicare, Medicaid, and CHIP. Because of increased compliance standards for uncovering vendor and owner information, as well as previous healthcare affiliations, it is important to have a smarter process for monitoring all your healthcare populations. In this post, we’ll take a look at the new rule from CMS and how it applies to your organization.
New CMS Revocation and Denial Authorities
CMS and HHS OIG are continually working to reduce fraud, waste, and abuse in federal healthcare programs such as Medicare, Medicaid, CHIP, and more. Providers and suppliers are now more accountable for their relationships with previous sanctioned or revoked individuals or entities under the affiliations authority found in the CMS Medicare and Medicaid Enforcement Announcement.
CMS Definition for an Affiliation
The new “affiliation” term for CMS is considered to be quite broad, applying to both reassignment relationships (§ 424.80) and ownership interest of a healthcare organization.
According to the Centers for Medicare and Medicaid Services (CMS), an affiliation can be defined as the following for providers and suppliers:
- 5% or greater direct or indirect ownership interest (publicly-traded company, mutual fund or other large investment vehicle) that an individual or entity has in another organization.
- A general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization.
- An interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts the day-to-day operations of another organization (including sole proprietorships), either under contract or through some other arrangement, regardless of whether or not the managing individual or entity is a W–2 employee of the organization.
- An interest in which an individual is acting as an officer or director of a corporation.
- Any reassignment relationship under [42 C.F.R. § 424.80].
Provider and Supplier Disclosure of Affiliations
The Centers for Medicare and Medicaid Services now has the authority to identify individuals and organizations with an undue risk of FWA and block these providers from being enrolled for up to 10 years. Previously, revoked providers were able to re-enroll in the federal healthcare programs after 3 years of being disciplined with sanctions or exclusion. Visit the following page to read the final rule with public comments here – Program Integrity Enhancements to the Provider Enrollment Process (CMS-6058-FC).
According to the CMS update, “new authorities and restrictions, which go into effect on November 4, 2019, ensure that the only providers and suppliers that will face additional burdens are “bad actors” — those who have real and demonstrable histories of conduct and relationships that pose undue risk to taxpayers and beneficiaries. This new rule ushers in an important new era of smart, effective, proactive and risk-based tools designed to protect the integrity of these vitally important federal healthcare programs we rely on every day to care for millions of Americans”.
Disclosable Events for Enrolled or Enrolling Providers and Suppliers
An affiliation, under the new rule, must be disclosed if it is a provider or supplier that meets one or more of the following event items:
- Currently has uncollected debt to Medicare, Medicaid, or CHIP.
- Has been or is subject to a payment suspension under a federal health care program.
- Has been or is excluded from Medicare, Medicaid, or CHIP.
- Has had its Medicare, Medicaid, or CHIP billing privileges denied, revoked, or terminated.
Interestingly, the timing of the disclosable event is irrelevant, except for a current uncollected debt. In other words, if the enrolled or enrolling provider or supplier had an affiliation with a provider/supplier in the past five years, and that provider/supplier at any point — prior to or after the termination of the affiliation — had a payment suspension, exclusion or a denial, revocation or termination of billing privileges, the affiliation must be disclosed to CMS.
CMS Issues a “Phased-In” Approach to Program Integrity Enhancements
Although CMS has issued the final rule included a comment period, it will be enforcing new requirements via a “phased-in” approach. Growing concerns from healthcare providers during the comment period over the burden of collecting and evaluating so much affiliate information and meeting new guidelines persuaded CMS to ease into all of the requirements of the new rule. In fact, many components of the new rule are currently incomplete for providers to disclose information during the enrollment process.
CMS must revise current enrollment forms (Forms CMS-855) to accommodate the required disclosures, which CMS notes will require notice and comment rulemaking. The application of the disclosure requirement to a broader group of providers would also require additional rulemaking. Currently, there are no public databases of Medicare payment suspensions or revocations for healthcare providers to evaluate if the disclosure event applies to one of their affiliations. This causes some major issues for enrollees to address, so CMS is considering a “knew or should reasonably have known” standard for determining whether to deny or revoke enrollment.
During the initial phase, CMS will only be requiring providers and suppliers to disclose affiliations if CMS determines that the provider or supplier has at least one affiliation that includes any of the four disclosable events, and will specifically request the provider or supplier to submit more information. Expansion of disclosure requirements are scheduled to move forward, and healthcare organizations must be prepared to meet these new requirements if the affiliations authority can be applied.
Healthcare Compliance for Vendors, Owners, and Third-Parties
Third-party risk management remains a critical component of overall compliance for healthcare organizations. Because the vulnerabilities of improper and criminal medical behavior currently exist, providers and regulators bear a huge burden of responsibility for ensuring smarter and more effective ways to utilize data and monitor affiliations between all parties. In some ways, providers are feeling a lot of pressure from these new announcements because of the inefficiencies, interpretations, and expectations to manage and process so many disparate data points and depend on unreliable government sources.
Healthcare Vendor Onboarding and Monitoring
ProviderTrust recognizes the challenges that many healthcare organizations are facing with their vendor onboarding processes to meet CMS and OIG requirements. Many times, health systems are either understaffed or ill-equipped to handle each step of collecting vendor and owner attestations and ensuring that third-party data is updated and accurate. Medicare Advantage plans (Part require providers to define and establish consistent and clear documentation of their partnerships with First Tier, Downstream, and Related Entities (FDRs).
The compliance risks associated with gathering and managing data on third-parties can feel overwhelming. Companies are looking more frequently at automated solutions to help to bridge the gaps between their vendors, affiliates, and downstream care partners. In our commitment to providing the industry with tools to enhance compliance visibility, we’ve created a database for the vendor selection process – check out VendorProof Marketplace to locate businesses in good standing with federal programs.
CMS Program Integrity Issues with Sanctioned or Excluded Providers
The new rule seems to address some long-standing frustration from the Centers for Medicare and Medicaid Services (CMS) regarding enrollment loopholes and ineffective oversight of “bad actors” taking advantage of taxpayer funds. In 2016, CMS identified some of these issues of concern in a report titled – Medicare Vulnerabilities Related to Provider Enrollment and Ownership Disclosure.
“For too many years, we have played an expensive and inefficient game of ‘whack-a-mole’ with criminals – going after them one at a time — as they steal from our programs. These fraudsters temporarily disappear into complex, hard-to-track webs of criminal entities, and then re-emerge under different corporate names. These criminals engage in the same behaviors again and again.
Now, for the first time, we have tools to stop criminals before they can steal from taxpayers. This is CMS hardening the target for criminals and locking the door to the vault. If you’re a bad actor you can never get into the program, and you can’t steal from it.”– Seema Verma, Centers for Medicare and Medicaid Services (CMS) Administrator
Now, it is all the more critical for healthcare organizations to get serious about their ongoing sanction/exclusion monitoring programs to identify providers who could be abusing the system or hiding behind a corporate veil.
New CMS authorities provide a basis for administrative action to revoke or deny, as applicable, Medicare enrollment for the following actions:
- A provider or supplier circumvents program rules by coming back into the program or attempting to come back in, under a different name (e.g., the provider attempts to “reinvent” itself)
- A provider or supplier bills for services/items from non-compliant locations
- A provider or supplier exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services or drugs
- A provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.
Are you confident in your current process for identifying these individuals and organizations within your compliance program? If not, we can help! Our healthcare solutions mitigate your risk and provide a standard process for gathering and evaluating your vendor and owner information.
Written by Michael Rosen, Esq.
Michael brings over 20 years of experience founding and leading risk mitigation businesses, receiving numerous accolades such as Inc. Magazine’s Inc. 500 Award and Nashville Chamber of Commerce Small Business of the Year.