Skip to main content
November 7, 2019

CMS Implements New Enrollment and Revocation Rules to Stop "Pay-and-Chase" Fraud and Abuse Enforcement


The Centers for Medicare & Medicaid Services (CMS) bolstered its enforcement capabilities by creating new revocation authorities, and expanding enrollment or reenrollment bars.1 On November 4, 2019, CMS implemented several new provisions designed to make it easier for the agency to deny and revoke provider participation.

CMS asserts that the new provisions are targeted to prohibit "bad actors" from entering the program. Administrator Seema Verma touted the new provisions emphasizing that CMS seeks to "stop criminals before they can steal from taxpayers."2 And Deputy Administrator Alec Alexander added "[f]or years we have pursued fraud and abuse cases using a 'pay and chase' model. The new rules are intended to allow us to root out bad actors before they are able to get paid."3 Notwithstanding the laudable purpose, the final rule's obligations may pose burdens on all providers and suppliers.

For decades, rules and regulations have been implemented with laudable purposes but serve more to create problems for legitimate providers than to prevent those intent on breaking the law. Providers and suppliers with bad intent do not even attempt to comply, but instead simply find ways to avoid regulatory efforts. Whether the new CMS provisions have the desired impact remains an unanswered question. In the meantime, all providers and suppliers will be required to comply with the new regulatory hurdles.

I. Newly Implemented Revocation and Denial Authorities

The most significant change is the creation of an "affiliations" enforcement framework. Under this framework, Medicare, Medicaid, and CHIP providers and suppliers that apply for enrollment or recertification must disclose their affiliations, and CMS may revoke or deny the applicant's enrollment if it determines that one of the affiliations presents "undue risk of fraud, waste, or abuse."

As part of a "phased-in" implementation approach, CMS will initially review data, including Medicare Provider Enrollment, Chain, and Ownership System data, as well as other internal and external databases, that might indicate patterns of suspicious behavior. If the initial review reveals problematic issues, the applicant must then disclose its direct and indirect affiliations over the prior five year period. CMS expects that this type of initial review will be limited to fewer than 4,000 applicants. Ultimately, CMS intends to require every applicant to disclose their affiliations during the process, and plans to issue a notice of proposed rulemaking in the future to address its proposed requirements.

Under the final rule, an "affiliation" exists if an owner or managing employee of the applicant had ownership or managerial control over another provider or supplier organization by way of: (1) a five percent or greater direct or indirect ownership interest; (2) a general or limited partnership interest; (3) an interest in which the individual exercised operational or managerial control or directly or indirectly conducted day-to-day operations; (4) an interest in which the individual acted as an officer or director; or (5) any reassignment relationship under 42 C.F.R. § 424.80.

Once an applicant identifies its direct and indirect affiliations from the last five years, the applicant is then tasked with identifying each affiliate's disclosable events, which include the following without regard to whether the event is under appeal at the time of the application:

  • Current uncollected debt, including overpayments from Medicare, Medicaid, or CHIP, and civil monetary penalties;
  • Current or previous payment suspension under a federal health care program;
  • Exclusion from Medicare, Medicaid or CHIP; and/or
  • Denials, revocations, or terminations of Medicare, Medicaid or CHIP billing privileges, regardless of reason.

Unlike the identification of affiliations, the identification of "disclosable events" has no time limitation. Applicants must report all of their affiliates' disclosable events, even those that occurred before the affiliation began or after it ended. CMS retains the authority to deny or revoke enrollment if it determines that the applicant failed to disclose an event that it knew or reasonably should have known about.

As the final step, CMS intends to analyze whether it should deny the applicant's enrollment because an affiliation creates an undue risk of fraud, waste, or abuse. While intended as a case-by-case analysis, CMS will consider a number of factors including the length and period of the affiliation, the nature and extent of it, the type of disclosable event(s), and when such event occurred. If CMS determines that the affiliation presents an undue risk, it will deny or revoke the applicant's enrollment, effective 30 days after CMS sends a notice of determination. The applicant may appeal the decision under 42 C.F.R. Part 498.

The final rule also implements a few other revocation and denial authorities that apply to Medicare enrollees. Notably, CMS may revoke or deny Medicare enrollment if the provider or supplier (1) is currently revoked and attempts to reinvent itself by using different names or numbers to participate in federal health care programs; (2) is billing for items or services provided at locations that it knew or reasonably should have known did not comply with enrollment requirements; (3) has an existing overpayment or debt that has been referred to the US Department of Treasury; (4) exhibits a pattern or practice of abusive "ordering, certifying, referring, or prescribing Medicare Part A or Part B services, items, or drugs"; or (5) fails to abide by reporting requirements for a change in ownership, final adverse action, or practice location change. Like CMS's determination of "undue risk" under the affiliations framework, it will consider a number of factors in deciding whether to revoke or deny under any of these provisions. For example, when deciding whether to revoke a provider trying to reinvent itself, CMS will investigate the "degree of commonality" with the barred entity, looking at factors like the geographic location, provider or supplier type, and business structure.

II. Expansion of Enrollment and Reenrollment Bars

The final rule also bolsters CMS's enforcement authority by expanding its ability to prevent providers or suppliers from enrolling or reenrolling in federal health care programs. For initial enrollment, if a provider submits an application with false or misleading information, CMS may prohibit that entity from enrolling in Medicare for up to three years, under any name, number, or business identity. CMS indicates that it will consider "evidence of intent and the information's materiality" while making its decision. In addition, CMS can prevent an entity from re-enrolling for up to ten years (instead of the prior three) following a revocation, and for up to twenty years if the entity has been revoked twice. In reaching its decision, CMS will consider the "facts, circumstances, and scope of the provider's or supplier's conduct," which will include the reason for the revocation, the length of time between revocations, and the entity's overall history of suspensions or adverse actions. CMS will also have the ability to add three additional years if the revoked entity attempts to circumvent the enrollment bar.

III. Impact

Taken together, these provisions broadly expand CMS's authority to revoke, deny or prevent program enrollment. CMS anticipates that the new authorities may lead to as many as 2,600 revocations a year, while the enrollment bars may result in approximately 400 barred entities a year. Moreover, the affiliations enforcement framework will have a significant impact on all providers and suppliers as they will have to comply with the disclosure requirements.

CMS received comments expressing concern about the difficulty of obtaining disclosable event information from all current and past affiliations, including those that occurred prior to any affiliation. Faced with these concerns, CMS chose to move forward with the framework as-is, but stated that it would release additional guidance. Given the breadth of the affiliation disclosure requirement and the potential increased costs of compliance, providers and suppliers should be proactive in putting procedures in place to track the disclosable events of their affiliated entities, both before, during, and after the affiliation, and to evaluate whether an affiliation should be created in the first place. For all providers and suppliers considering a business combination of any type, the importance of diligence prior to closing is more important than ever.

Finally, providers and suppliers should be on the lookout for future CMS guidance on the "undue risk" and "reasonably should have known" standards. In addition, the final rule gives states a choice in their implementation of the affiliation disclosure requirement: they can either require all providers not enrolled in Medicare but applying for or revalidating Medicaid enrollment to submit disclosures, or require submission of disclosures only upon request. No matter what the future guidance is, or what each state chooses to do, providers or suppliers should be prepared to shoulder the burden of the new provisions. 

© Arnold & Porter Kaye Scholer LLP 2019 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. Medicare, Medicaid, and Children's Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process, 82 Fed. Reg. 47794-47857 (Sept. 10, 2019).

  2. Press Release, Centers for Medicare & Medicaid Services, CMS Announces New Enforcement Authorities to Reduce Criminal Behavior in Medicare, Medicaid, and CHIP (Sept. 5, 2019).

  3. Speech by Alec Alexander, Health Care Compliance Association, Annual Enforcement Conference (Washington, DC, Nov. 4, 2019).