On September 5, 2019, the Centers for Medicare & Medicaid Services (CMS) announced a final rule expanding CMS’ authority to deny or revoke enrollment in the Medicare program as a result of “bad actor” affiliations. Providers and suppliers will be required to disclose any and all affiliations that they have or, had within the previous five years, with former or current providers or suppliers that have a disclosable event. “Disclosable events” include:
Providers and suppliers should begin planning how they will determine and track their affiliations and whether those affiliations have a disclosable event. Due to CMS’ expanded authority, collecting the necessary information to make those determinations will require extensive due diligence about the past conduct of all new affiliations, as well as continued monitoring of affiliations even after the relationship ends. CMS expects the total annual cost associated with this due diligence to be $937,500 for all providers and suppliers.
Initially, CMS will phase-in the new disclosure requirement by requesting information from specific providers and suppliers that it determines have at least one affiliation with a provider who has a disclosable event. However, CMS intends to expand the requirements to all providers and suppliers following the initial phase-in period. Medicaid plans are also required to include provisions that will ensure compliance with this disclosure requirement.
While CMS asserts that this new revocation authority is intended to keep “criminals” out of the Medicare program, compliant providers and suppliers may now face enrollment revocation for regulatory non-compliance that was previously penalized by financial penalties and corrective action. CMS anticipates the rule will lead to 2,600 new revocations per year.
For questions on how to prepare for and comply with these requirements and/or respond to a disclosure request from CMS, contact one of the authors of this alert.