[Federal Register Volume 75, Number 184 (Thursday, September 23, 2010)]
[Proposed Rules]
[Pages 58204-58248]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-23579]



[[Page 58203]]

-----------------------------------------------------------------------

Part IV





Department of Health and Human Services





-----------------------------------------------------------------------



Centers for Medicare & Medicaid Services



-----------------------------------------------------------------------



42 CFR Parts 405, 424, 438, et al.



Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers; Proposed Rule

  Federal Register / Vol. 75 , No. 184 / Thursday, September 23, 2010 / 
Proposed Rules  

[[Page 58204]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Parts 405, 424, 438, 447, 455, 457, 498, and 1007

[CMS-6028-P]
RIN 0938-AQ20


Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would implement provisions of the 
Affordable Care Act that establish: Procedures under which screening is 
conducted for providers of medical or other services and suppliers in 
the Medicare program, providers in the Medicaid program, and providers 
in the Children's Health Insurance Program (CHIP); an application fee 
to be imposed on providers and suppliers; temporary moratoria that may 
be imposed if necessary to prevent or combat fraud, waste, and abuse 
under the Medicare and Medicaid programs, and CHIP; guidance for States 
regarding termination of providers from Medicaid and CHIP if terminated 
by Medicare or another Medicaid State plan or CHIP; guidance regarding 
the termination of providers and suppliers from Medicare if terminated 
by a Medicaid State agency; and requirements for suspension of payments 
pending credible allegations of fraud in the Medicare and Medicaid 
programs. This proposed rule would also present an approach and request 
comments on the provisions of the Affordable Care Act that require 
providers of medical or other items or services or suppliers within a 
particular industry sector or category to establish compliance 
programs.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on November 16, 
2010.

ADDRESSES: In commenting, please refer to file code CMS-6028-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to http://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address only:
    Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Attention: CMS-6028-P, P.O. Box 8020, Baltimore, MD 
21244-8020.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address only:
    Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Attention: CMS-6028-P, Mail Stop C4-26-05, 7500 
Security Boulevard, Baltimore, MD 21244-1850
    4. By hand or courier. If you prefer, you may deliver (by hand or 
courier) your written comments before the close of the comment period 
to either of the following addresses:
    a. For delivery in Washington, DC--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, Room 445-G, Hubert 
H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 
20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
please call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments mailed to the addresses indicated as appropriate for hand 
or courier delivery may be delayed and received after the comment 
period.
    Submission of comments on paperwork requirements. You may submit 
comments on this document's paperwork requirements by following the 
instructions at the end of the ``Collection of Information 
Requirements'' section in this document.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton (410) 786-1812 for 
Medicare enrollment issues. Claudia Simonson (312) 353-2115 for 
Medicaid and CHIP enrollment and Medicaid payment suspension issues.
    Joseph Strazzire (410) 786-2775 for Medicare payment suspension 
issues.
    Laura Minassian-Kiefel (410) 786-4641 for compliance program 
issues.

SUPPLEMENTARY INFORMATION: Inspection of Public Comments: All comments 
received before the close of the comment period are available for 
viewing by the public, including any personally identifiable or 
confidential business information that is included in a comment. We 
post all comments received before the close of the comment period on 
the following Web site as soon as possible after they have been 
received: http://www.regulations.gov. Follow the search instructions on 
that Web site to view public comments.
    Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Centers for Medicare & Medicaid Services, 7500 Security Boulevard, 
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 
a.m. to 4 p.m. To schedule an appointment to view public comments, 
phone 1-800-743-3951.

I. Background

    The Medicare program (title XVIII of the Social Security Act (the 
Act)) is the primary payer of health care for 45 million enrolled 
beneficiaries. Under section 1802 of the Act, a beneficiary may obtain 
health services from an individual or an organization qualified to 
participate in the Medicare program. Qualifications to participate are 
specified in statute and in regulations (see, for example, sections 
1814, 1815, 1819, 1833, 1834, 1842, 1861, 1866, and 1891 of the Act; 
and 42 CFR chapter IV, subchapter G, which concerns standards and 
certification requirements).
    Providers and suppliers furnishing services must comply with the 
Medicare requirements stipulated in the Act and in our regulations. 
These requirements are meant to ensure compliance with applicable 
statutes, as well as to promote the furnishing of high quality care. As 
Medicare program expenditures have grown, we have increased our efforts 
to ensure that only qualified individuals and organizations are

[[Page 58205]]

allowed to enroll or maintain their Medicare billing privileges.
    The Medicaid program (title XIX of the Act) is a joint Federal and 
State health care program for eligible low-income individuals. States 
have considerable flexibility in how they administer their Medicaid 
programs within a broad Federal framework and programs vary from State 
to State.
    The Children's Health Insurance Program (CHIP) (title XXI of the 
Act) is a joint Federal and State health care program that provides 
health care coverage to more than 7.7 million otherwise uninsured 
children.
    Historically, States, in operating Medicaid and CHIP, have 
permitted the enrollment of providers who meet the State requirements 
for program enrollment.
    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
as amended by the Health Care and Education Reconciliation Act of 2010 
(Pub. L. 111-152) (collectively known as the Affordable Care Act) (the 
ACA) makes a number of changes to the Medicare and Medicaid programs 
and CHIP that enhance the provider and supplier enrollment process to 
improve the integrity of the programs to reduce fraud, waste, and abuse 
in the programs.

A. Statutory Authority

    The following is an overview of some of the statutory authority 
relevant to enrollment in Medicare, Medicaid, and CHIP:
     Sections 1102 and 1871 of the Act provide general 
authority for the Secretary of Health and Human Services (the 
Secretary) to prescribe regulations for the efficient administration of 
the Medicare program. Section 1102 of the Act also provides general 
authority for the Secretary to prescribe regulations for the efficient 
administration of the Medicaid program and CHIP.
     Section 4313 of the Balanced Budget Act of 1997 (BBA) 
(Pub. L. 105-33) amended sections 1124(a)(1) and 1124A of the Act to 
require disclosure of both the Employer Identification Number (EIN) and 
Social Security Number (SSN) of each provider or supplier, each person 
with ownership or control interest in the provider or supplier, any 
subcontractor in which the provider or supplier directly or indirectly 
has a 5 percent or more ownership interest, and any managing employees 
including directors and officers of corporations and non-profit 
organizations and charities. The ``Report to Congress on Steps Taken to 
Assure Confidentiality of Social Security Account Numbers as required 
by the Balanced Budget Act'' was signed by the Secretary and sent to 
the Congress on January 26, 1999. This report outlines the provisions 
of a mandatory collection of SSNs and EINs effective on or after April 
26, 1999.
     Section 936(a)(2) of the Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) 
amended the Act to require the Secretary to establish a process for the 
enrollment of providers of services and suppliers. We are authorized to 
collect information on the Medicare enrollment application (that is, 
the CMS-855, (Office of Management and Budget (OMB) approval number 
0938-0685)) to ensure that correct payments are made to providers and 
suppliers under the Medicare program as established by title XVIII of 
the Act.
     Section 1902(a)(27) of the Act provides general authority 
for the Secretary to require provider agreements under the Medicaid 
State Plans with every person or institution providing services under 
the State plan. Under these agreements, the Secretary may require 
information regarding any payments claimed by such person or 
institution for providing services under the State plan.
     Section 2107(e) of the Act, which provides that certain 
title XIX and title XI provisions apply to States under title XXI, 
including 1902(a)(4)(C) of the Act, relating to conflict of interest 
standards.
     Section 1903(i)(2) of the Act relating to limitations on 
payment.
     Section 1124 of the Act relating to disclosure of 
ownership and related information.
     Sections 6401, 6402, 6501,10603, and 1304 of the ACA 
amended the Act by establishing: (1) Procedures under which screening 
is conducted for providers of medical or other services and suppliers 
in the Medicare program, providers in the Medicaid program, and 
providers in the CHIP; (2) an application fee to be imposed on 
providers and suppliers; (3) temporary moratoria that the Secretary may 
impose if necessary to prevent or combat fraud, waste, and abuse under 
the Medicare and Medicaid programs and CHIP; (4) procedures to 
terminate providers if terminated by Medicare or another State plan; 
(5) requirements for suspensions of payments pending credible 
allegations of fraud in both the Medicare and Medicaid programs.

II. Provisions of the Proposed Regulations

A. Provider Screening Under Medicare, Medicaid, and CHIP

1. Statutory Changes
    Section 6401(a) of the ACA, as amended by section 10603 of the ACA, 
amends section 1866(j) of the Act to add a new paragraph, paragraph 
``(2) Provider Screening.'' Section 1866(j)(2)(A) of the Act requires 
the Secretary, in consultation with the Department of Health of Human 
Services' Office of the Inspector General (HHS OIG), to establish 
procedures under which screening is conducted with respect to providers 
of medical or other items or services and suppliers under Medicare, 
Medicaid, and CHIP. Section 1866(j)(2)(B) of the Act requires the 
Secretary to determine the level of screening to be conducted according 
to the risk of fraud, waste, and abuse with respect to the category of 
provider of medical or other items or services or supplier. The 
provision states that the screening shall include a licensure check, 
which may include such checks across State lines; and the screening 
may, as the Secretary determines appropriate based on the risk of 
fraud, waste, and abuse, include a criminal background check; 
fingerprinting; unscheduled or unannounced site visits, including pre-
enrollment site visits; database checks, including such checks across 
State lines; and such other screening as the Secretary determines 
appropriate. Section 1866(j)(2)(C) of the Act requires the Secretary to 
impose a fee on each institutional provider of medical or other items 
or services or supplier that would be used by the Secretary for program 
integrity efforts including to cover the cost of screening and to carry 
out the provisions of sections 1866(j) and 1128J of the Act. We discuss 
the fee in section II.B. of this proposed rule.
    Section 6401(b) of the ACA amends section 1902 of the Act to add 
new paragraphs (a)(77)(i) and (ii), which require States to comply with 
the process for screening providers and suppliers as established by the 
Secretary under 1866(j)(2) of the Act.\1\
---------------------------------------------------------------------------

    \1\ We believe that the reference to section 1886(j)(2) of the 
Act in section 6401(b)(1) of the Affordable Care Act is a 
scrivener's error. We believe the Congress intended to refer to 
section 1866(j)(2) of the Act, which, as amended by section 6401(a) 
of the Affordable Care Act, requires the Secretary to establish a 
process for screening providers and suppliers. Because the drafting 
error is apparent, and a literal reading of the reference to section 
1886(j)(2) of the Act would produce absurd results, we propose to 
interpret the cross-reference to section 1886(j)(2) in the new 
section 1902(ii) of the Act as if the reference were to section 
1866(j)(2).

---------------------------------------------------------------------------

[[Page 58206]]

    We note that the statute uses the terms ``providers of medical or 
other items or services,'' ``institutional providers,'' and 
``suppliers.'' The Medicare program enrolls a variety of providers and 
suppliers, some of which are referred to as ``providers of services,'' 
``institutional providers,'' ``certified providers,'' ``certified 
suppliers,'' and ``suppliers.'' In Medicare, the term ``providers of 
services'' under section 1861(u) of the Act means health care entities 
that furnish services primarily payable under Part A of Medicare, such 
as hospitals, home health agencies (including home health agencies 
providing services under Part B), hospices, and skilled nursing 
facilities. The term ``suppliers'' defined in section 1861(d) of the 
Act refers to health care entities that furnish services primarily 
payable under Part B of Medicare, such as independent diagnostic 
testing facilities (IDTFs), durable medical equipment prosthetics, 
orthotics, and supplies (DMEPOS) suppliers, and eligible professionals, 
which refers to health care suppliers who are individuals, that is, 
physicians and the other professionals listed in section 1848(k)(3)(B) 
of the Act. For Medicaid and CHIP, we use the terms ``providers'' or 
``Medicaid providers'' or ``CHIP providers'' when referring to all 
Medicaid or CHIP health care providers, including individual 
practitioners, institutional providers, and providers of medical 
equipment or goods related to care. The term ``supplier'' has no 
meaning in the Medicaid program or CHIP.
    Section 424.502 contains additional definitions that apply to these 
and other terms used throughout this proposed rule including the 
following:
     Authorized official means an appointed official (for 
example, chief executive officer, chief financial officer, general 
partner, chairman of the board, or direct owner) to whom the 
organization has granted the legal authority to enroll it in the 
Medicare program, to make changes or updates to the organization's 
status in the Medicare program, and to commit the organization to fully 
abide by the statutes, regulations, and program instructions of the 
Medicare program.
     Delegated official means an individual who is delegated by 
the ``Authorized Official,'' the authority to report changes and 
updates to the enrollment record. The delegated official must be an 
individual with ownership or control interest in, or be a W-2 managing 
employee of the provider or supplier.
     Managing employee means a general manager, business 
manager, administrator, director, or other individual that exercises 
operational or managerial control over, or who directly or indirectly 
conducts, the day-to-day operation of the provider or supplier, either 
under contract or through some other arrangement, whether or not the 
individual is a W-2 employee of the provider or supplier.
     Owner means any individual or entity that has any 
partnership interest in, or that has 5 percent or more direct or 
indirect ownership of the provider or supplier as defined in sections 
1124 and 1124A(A) of the Act.
     Physician or nonphysician practitioner organization means 
any physician or nonphysician practitioner entity that enrolls in the 
Medicare program as a sole proprietorship or organizational entity.
    The new screening procedures implemented pursuant to new section 
1866(j)(2) of the Act would be applicable to newly enrolling providers 
and suppliers, including eligible professionals, beginning on March 23, 
2011. These new procedures would be applicable to currently enrolled 
Medicare, Medicaid, and CHIP providers, suppliers, and eligible 
professionals beginning on March 23, 2012. These new screening 
procedures implemented pursuant to new section 1866(j)(2) of the Act 
would be applicable beginning on March 23, 2011 for those providers and 
suppliers currently enrolled in Medicare, Medicaid, and CHIP who 
revalidate their enrollment information. Within Medicare, the March 23, 
2011 implementation date will impact those current providers and 
suppliers whose 5-year revalidation cycle (or 3-year revalidation cycle 
for DMEPOS suppliers) results in revalidation occurring on or after 
March 23, 2011 and before March 23, 2012.
2. Summary of Existing Screening Measures
    Before we outline the new measures we are proposing under the ACA, 
it may be helpful to provide a summary of some of the screening 
measures already being utilized in Medicare, Medicaid, and CHIP. 
Pursuant to other authority, but with the notable exceptions of 
criminal background checks and fingerprinting, Medicare, generally 
through private contractors, already employs a number of the screening 
practices described in section 1866(j)(2)(B) of the Act to determine if 
a provider or supplier is in compliance with Federal and State 
requirements to enroll or to maintain enrollment in the Medicare 
program.
a. Licensure Requirements--Medicare and Medicaid
    Over the past several years, we have taken a number of steps to 
strengthen our ability to deny or revoke Medicare billing privileges 
when providers or suppliers do not have or do not maintain the 
applicable State licensure requirements for their provider or supplier 
type or profession. We established reporting responsibilities for all 
providers, suppliers, and eligible professionals in earlier regulations 
at Sec.  424.516(b) through (e). Today, to ensure that only qualified 
providers and suppliers remain in the Medicare fee-for-service (FFS) 
program, we require that Medicare contractors review State licensing 
board data on a monthly basis to determine if providers and suppliers 
remain in compliance with State licensure requirements. Medicare 
billing privileges would be revoked for those providers and suppliers 
who do not report a final adverse action (for example, license 
revocation or suspension, felony conviction) within the applicable 
reporting period, as required in Sec.  424.516(b) through (e). Medicare 
suppliers of DMEPOS and IDTFs are already subject to similar provisions 
in Sec.  424.57(c) and Sec.  410.33(g), respectively. DMEPOS suppliers 
are also subject to additional requirements including accreditation and 
surety bonding, pursuant to 42 CFR 424.57(c)(22) through (26) and 42 
CFR 424.57(d).
    Medicare Advantage organizations (MAOs) are required to verify 
licensure of providers and suppliers, including physicians and other 
health care professionals, in accordance with Sec.  422.204.
    For Medicaid and CHIP, most States do some checking of in-State 
provider licenses. For example, in some States, the existence of the 
license may be verified, but little attention might be given to any 
restrictions on the license.
b. Site Visits--Medicare
    Pursuant to Sec.  424.517, Medicare conducts the following site 
visits and takes the following actions, generally through private 
contractors under CMS direction:
     The National Supplier Clearinghouse (NSC) Medicare 
Administrative Contractor (the Medicare contractor that processes 
enrollment applications for suppliers of DMEPOS) conducts pre-
enrollment site visits to DMEPOS suppliers that are not associated with 
a chain supplier of

[[Page 58207]]

DMEPOS (a chain supplier of DMEPOS is a supplier with 25 or more 
distinct practice locations.)
     The NSC also conducts unannounced post-enrollment site 
visits to DMEPOS suppliers for which CMS or the NSC believes there is a 
likelihood of fraudulent or abusive activities to ensure those DMEPOS 
suppliers remain in compliance with the supplier standards found at 
Sec.  424.57(c).
     CMS at times exercises its right to--
     Have the NSC conduct ad hoc pre- and post-enrollment site 
visits to any DMEPOS supplier;
     Have Medicare contractors conduct pre-enrollment site 
visits to all IDTFs; and
     Conduct ad hoc pre-and post enrollment site visits to any 
prospective Medicare provider and supplier or any enrolled Medicare 
provider or supplier.
    In addition, under 42 CFR parts 488 and 489, a State survey agency 
or an approved national accreditation organization with deeming 
authority conducts pre-enrollment surveys for certified providers and 
suppliers to determine whether they meet the applicable Federal 
conditions and requirements for their provider or supplier type before 
they can participate in the Medicare program.
    We believe these efforts need to be expanded to include additional 
site visits and site visits to additional provider and supplier types 
in order to protect the Medicare FFS program from unscrupulous or 
potentially fraudulent providers and suppliers.
    We note that the site visits discussed here and elsewhere within 
this preamble and the proposed regulations are separate and apart from 
the site visits that are conducted pursuant to the Clinical Laboratory 
Improvement Amendments (CLIA). We intend to work with our State survey 
agency partners in coordinating these site visits so as to avoid 
duplication and burden on providers.
c. Database Checks--Medicare
    Today, Medicare contractors employ database checks of eligible 
professionals, owners, authorized officials, delegated officials, 
managing employees, medical directors, and supervising physicians (at 
IDTFs and laboratories) as part of the Medicare provider and supplier 
enrollment process. These include database checks with the Social 
Security Administration (SSA) (to verify an individual's SSN), the 
National Plan and Provider Enumeration System (NPPES) to verify the 
National Provider Identifier (NPI) of an eligible professional, and 
State licensing board checks to determine if an eligible professional 
is appropriately licensed to furnish medical services within a given 
State. These checks also include checking a provider or supplier 
against the HHS OIG's List of Excluded Individuals/Entities (LEIE) and 
the General Service Administration's Excluded Parties List System 
(EPLS). All of the database checks are used to assess the eligibility 
and qualifications of providers and suppliers to enroll in the Medicare 
program, to confirm the identity of an eligible professional to ensure 
that he or she may be considered for enrollment in the Medicare 
program.
    Also, on a monthly basis, CMS' Medicare contractors systematically 
compare enrolled providers, suppliers, and eligible professionals 
against the information in the Medicare Exclusions Database. The 
Medicare Exclusions Database identifies providers, suppliers, and 
eligible professionals who have been excluded from the Medicare and 
Medicaid programs by the HHS OIG. When a match is found, the HHS OIG 
exclusion information is systematically noted in the Medicare 
enrollment record of the provider, supplier, or eligible professional. 
In the Medicare program today, we deny or revoke the billing privileges 
of providers, suppliers, and eligible professionals who have been 
excluded by the HHS OIG. If the HHS OIG lifts the exclusion, the 
provider, supplier or eligible professional must reapply for enrollment 
in the Medicare program. In addition, Medicare contractors also review 
State licensure Web sites on a monthly basis to ensure that eligible 
professionals continue to meet State licensing requirements.
    In addition, since January 2009, we have compared date of death 
information obtained from the Social Security Administration Death 
Master File (SSA DMF) with the information maintained in the National 
Plan and Provider Enumeration System (NPPES), the system that assigns a 
NPI to individual and organizations. Based on this comparison and the 
subsequent verification, we have deactivated the NPIs of more than 
11,500 individuals who were previously assigned a type 1 (individual) 
NPI. We automatically transfer this information from NPPES to the 
Provider Enrollment, Chain, and Ownership System (PECOS), CMS' national 
Medicare enrollment repository to deactivate a deceased individual's 
Medicare billing privileges. In addition, Medicare contractors are 
required to review and act upon monthly files that contain a list of 
nonpractitioner individuals enrolled in the Medicare program who have 
been reported to the SSA as deceased. These individuals include: 
Owners, authorized officials, and delegated officials.
    MAOs, as required by Sec.  422.204, generally use database checks 
to verify licensure and licensure sanctions and limitations with State 
licensing boards and the Federation of State Medical Boards, DEA 
certificates with the National Technical Information Service (NTIS), 
history of adverse professional review actions and malpractice from the 
National Practitioner Data Bank (NPDB), accreditation status of 
institutional providers and suppliers with national accrediting boards, 
such as The Joint Commission (TJC), and search for HHS OIG exclusions 
using the HHS OIG Web site http://www.oig.hhs.gov/fraud/exclusions/list 
of excluded.html.
d. Criminal Background Checks--Medicare
    As described in Sec.  424.530(a) and Sec.  424.535(a), CMS or its 
designated Medicare contractor may deny or revoke the Medicare billing 
privileges of the owner of a provider or supplier, a physician or 
nonphysician practitioner, and terminate any corresponding provider or 
supplier agreement for a number of reasons, including an exclusion from 
the Medicare, Medicaid, and any other Federal health care program, a 
felony within the preceding 10 years that is considered detrimental to 
the Medicare program, and/or submission of false or misleading 
information on the Medicare enrollment application. While we currently 
require our Medicare contractors to verify data submitted on, and as 
part of, the Medicare provider/supplier enrollment application, our 
contractors are not able to verify information that may have been 
purposefully omitted or changed in a manner to obfuscate any previous 
criminal activity. In addition, criminal background checks are not 
routinely used in the FFS Medicare screening process.
e. Medicare MAO Requirements
    As mentioned earlier in this section, MAOs already employ a number 
of screening procedures in accordance with regulations and CMS manual 
instructions. Specifically, under Sec.  422.204(b)(3) in the case of 
providers meeting the definition of ``provider of services'' in section 
1861(u) of the Act, basic benefits may only be provided through 
providers if they have a provider agreement with CMS permitting them to 
furnish services under original Medicare. With respect to other 
entities like suppliers, Sec.  422.204(b)(3) requires that they ``meet 
the applicable requirements of title XVIII and Part A of title XI of 
the Act.''

[[Page 58208]]

Given these requirements we are considering to what extent MAOs should 
be required to apply the identical screening requirements we are 
proposing for the original Medicare program or whether substantively 
similar alternative approaches adopted by MAOs would be acceptable. 
Accordingly, we solicit public comments on whether or to what extent 
MAOs should be required to implement the same enhanced screening 
requirements for providers, suppliers and physicians that we are 
proposing for the original Medicare program.
f. Fingerprinting--Medicare
    We do not currently use fingerprinting in the Medicare screening 
process.
g. Screening--Medicaid and CHIP
    States vary in the degree to which they employ screening methods 
such as unscheduled and unannounced site visits and database checks, 
including such checks across State lines, criminal background checks, 
and fingerprinting. However, there are at least a few States that 
utilize each of those methods.
    States also vary in what they require their managed care entities 
(MCEs) \2\ to do in terms of screening network-level providers that are 
not also enrolled in the Medicaid program as FFS providers. We are 
considering to what extent States must require their MCEs to apply the 
identical screening requirements we are proposing for the States or 
whether substantively similar alternative approaches adopted by MCEs 
would be acceptable. Accordingly, we solicit public comments on whether 
or to what extent MCEs should be required to implement the same 
enhanced screening requirements for Medicaid and CHIP providers that we 
are proposing for State Medicaid and CHIP programs.
---------------------------------------------------------------------------

    \2\ For purposes of this preamble and the proposed regulations, 
``managed care entity'' and ``MCE'' will have the meaning Medicaid 
managed care organization (MCO), primary care case manager (PCCM), 
prepaid inpatient health plan (PIHP), prepaid ambulatory health plan 
(PAHP), and health insuring organization (HIO). This definition 
differs from the meaning in section 1932(a)(1)(B) of the Social 
Security Act, which limits MCEs to Medicaid MCOs and PCCMs. We 
propose a more inclusive definition for the regulation so that all 
those entities in States' managed care programs will provide 
disclosure information.
---------------------------------------------------------------------------

3. Proposed Screening Requirements
a. Medicare
    Section 1866(j)(2)(B) of the Act requires the Secretary to 
determine the level of screening applicable to providers and suppliers 
according to the risk of fraud, waste, and abuse the Secretary 
determines is posed by particular categories of providers and 
suppliers.
    In considering how to establish consistent screening standards, we 
are proposing to designate provider and supplier categories that would 
be subject to certain screening procedures based on CMS' assessment of 
fraud, waste and abuse risk of the provider or supplier category, 
taking into consideration a variety of factors including studies 
conducted by the HHS OIG and the GAO and other sources. We would 
designate categories of providers or suppliers (for example, ``newly 
enrolling DME suppliers'' or ``currently enrolled home health 
agencies'') that would be subject to screening procedures in each 
category based on our assessment of the level of risk presented by the 
category of provider. There will be 3 levels of risk: ``limited,'' 
``moderate'' and ``high,'' and each provider/supplier category will be 
assigned to one of these 3 levels. The screening procedures applicable 
to each risk level will be set by us and are included in this proposed 
rule. The categories described below and associated risk levels 
assigned are designed to identify those categories of providers and 
suppliers that pose a risk of fraud, waste, and abuse.
    Under this proposed approach, the relevant Medicare contractor (for 
example, fiscal intermediary, regional home health intermediary, 
carriers, Part A or Part B Medicare Administrative Contractor (A/B 
MAC), or the NSC Administrative Contractor) would utilize the screening 
tools mandated by us for the risk level assigned to a particular 
provider or supplier category.
    We are soliciting comments on the proposed assignment of specific 
provider and supplier types to established risk levels, including what 
criteria should be considered in making such assignments, whether such 
assignments should be released publicly, whether they should be subject 
to agency review and updated according to an established schedule (that 
is, annually, bi-annually), and the extent to which they should be 
updated according to evolving risks. We are also soliciting comments on 
any additional database checks that we should consider as a type of 
screening.
    Based on the level of risk assigned, we propose that the Medicare 
contractors would establish and conduct the following categorical 
screenings.

      Table 1--Category of Risk and Required Screening for Medicare
    Physicians, Non-Physician Practitioners, Providers, and Suppliers
------------------------------------------------------------------------
  Type of screening required       Limited      Moderate        High
------------------------------------------------------------------------
Verification of any provider/             X             X             X
 supplier-specific
 requirements established by
 Medicare.....................
Conduct license verifications,            X             X             X
 (may include licensure checks
 across States)...............
Database Checks (to verify                X             X             X
 Social Security Number (SSN),
 the National Provider
 Identifier (NPI), the
 National Practitioner Data
 Bank (NPDB) licensure, an OIG
 exclusion, taxpayer
 identification number, tax
 delinquency, death of
 individual practitioner,
 owner, authorized official,
 delegated official, or
 supervising physician).......
Unscheduled or Unannounced      ............            X             X
 Site Visits..................
Criminal Background Check.....  ............  ............            X
Fingerprinting................  ............  ............            X
------------------------------------------------------------------------

    As described above, we already require Medicare contractors to 
ensure that every provider or supplier meets any applicable Federal 
regulations or State requirements, including applicable licensure 
requirements \3\ for the provider or supplier type prior to making an 
enrollment determination. In addition, we also require that Medicare

[[Page 58209]]

contractors conduct monthly reviews of State licensing board actions to 
determine if an individual practitioner, such as a physician or non-
physician practitioner continues to meet State licensing requirements. 
In the case of organizational entities, we also require our Medicare 
contractors to conduct monthly or periodic checks to determine if an 
organizational entity continues to meet the Federal and State 
requirements for its provider or supplier type. Such verifications help 
ensure that a prospective provider or supplier is eligible to 
participate in the Medicare program or that an existing provider or 
supplier is eligible to maintain its Medicare billing privileges.
---------------------------------------------------------------------------

    \3\ We note that under section 408 of the reauthorized Indian 
Health Care Improvement Act, ``[a]ny requirement for participation 
as a provider of health care services under a Federal health care 
program that an entity be licensed or recognized under the State or 
local law where the entity is located to furnish health care 
services shall be deemed to have been met in the case of an entity 
operated by the [Indian Health] Service, an Indian tribe, tribal 
organization, or urban Indian organization if the entity meets all 
the applicable standards for such licensure or recognition, 
regardless of whether the entity obtains a license or other 
documentation under such State or local law.''
---------------------------------------------------------------------------

    Currently in the Medicare program, DMEPOS suppliers are required to 
re-enroll every 3 years, and other providers are required to revalidate 
their enrollment every 5 years. The terms revalidation and re-
enrollment are often used interchangeably, but are actually specific to 
these provider types. To eliminate any confusion about which term 
applies to which provider or supplier, we are proposing language at 42 
CFR 424.57(e) to change all references to re-enroll or re-enrollment to 
revalidate or revalidation. In addition, the ACA requires that no 
provider or supplier shall be allowed to enroll in Medicare or 
revalidate its enrollment in Medicare after March 23, 2013 without 
being screened pursuant to the authorities covered by this proposed 
rule. To assist CMS in assuring that the statutory effective date is 
met, we are proposing at 42 CFR 424.515 to permit CMS to require that a 
provider or supplier revalidate its enrollment at any time. After the 
revalidation, the current cycle for revalidation (3 years for DMEPOS, 
and 5 years for all other providers) would apply.
(1) Limited
    In general, we consider physicians, nonphysician practitioners, and 
medical clinics and group practices to pose limited risk because these 
professionals are State licensed and we are not aware of any recent 
studies or other evidence that indicates that these suppliers, as a 
category, pose an elevated risk to the Medicare program.
    Similarly, we believe that a provider or supplier that is publicly 
traded on the New York Stock Exchange (NYSE) or the National 
Association of Securities Dealers Automated Quotation System (NASDAQ) 
poses a limited risk because of the financial oversight provided by 
investors, corporate boards of directors, and the Security and Exchange 
Commission. Finally, based on our own data analysis including analysis 
of historical trends and CMS's own experience with provider screening 
and enrollment we believe that the following providers and suppliers 
currently pose a limited risk to the Medicare program: Ambulatory 
surgical centers (ASCs); end-stage renal disease (ERSD) facilities; 
Federally qualified health centers (FQHCs); histocompatibility 
laboratories; hospitals, including critical access hospitals (CAHs); 
Indian Health Service (IHS) facilities; mammography screening centers; 
organ procurement organizations (OPOs); mass immunization roster 
billers, portable x-ray suppliers; religious nonmedical health care 
institutions (RNHCIs); rural health clinics (RHCs); radiation therapy 
centers; public or government owned or affiliated ambulance services 
suppliers (defined as an ambulance supplier owned in whole or in part 
by a State or local government), and skilled nursing facilities (SNFs). 
Accordingly, we propose to include the categories of providers and 
suppliers listed above within the ``limited'' level of risk. We think 
the additional government oversight of ``government owned or 
affiliated'' ambulance service providers justifies placing these 
providers in the limited category.
    In Sec.  424.518(a), we propose that the following screening tools 
will apply to providers and suppliers in categories designated as 
``limited'' risk: (1) Verification that a provider or supplier meets 
any applicable Federal regulations, or State requirements for the 
provider or supplier type prior to making an enrollment determination; 
(2) verification that a provider or supplier meets applicable licensure 
requirements; and (3) database checks on a pre- and post-enrollment 
basis to ensure that providers and suppliers continue to meet the 
enrollment criteria for their provider/supplier type.
    To assist readers in understanding the type of providers and 
suppliers that we propose to include in the ``limited'' risk level, we 
are providing the following table.

  Table 2--Medicare Providers and Suppliers Designated as a ``Limited''
                 Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Physician or non-physician practitioners and medical groups or clinics.
Providers or suppliers that are publicly traded on the NYSE or NASDAQ.
Ambulatory surgical centers, end-stage renal disease facilities,
 Federally qualified health centers, histocompatibility laboratories,
 hospitals, including critical access hospitals, Indian Health Service
 facilities, mammography screening centers, organ procurement
 organizations, mass immunization roster billers, portable x-ray
 supplier, religious non-medical health care institutions, rural health
 clinics, radiation therapy centers, public or government owned or
 affiliated ambulance services suppliers, and skilled nursing
 facilities.
------------------------------------------------------------------------

(2) Moderate
    For those provider and supplier categories with a ``moderate'' 
level of risk, we propose that Medicare contractors will conduct 
unannounced pre- and/or post-enrollment site visits in addition to 
those screening tools applicable to the ``limited'' level of risk. 
Based on the success of pre- and/or post-enrollment site visits 
conducted by the NSC during the enrollment process for suppliers of 
DMEPOS and a similar process established by carriers and A/B MACs 
during the enrollment of IDTFs, we believe that unscheduled and 
unannounced pre- and post-enrollment site visits help ensure that 
suppliers are operational and meet applicable supplier standards or 
performance standards. In addition, we believe that unscheduled and 
unannounced pre- and post-enrollment site visits are an essential tool 
in determining whether a provider or supplier is in compliance with its 
reporting responsibilities, including the requirement in Sec.  424.516 
to notify the Medicare contractor of any change of practice location.
    Moreover, Sec.  424.530(a)(5) and Sec.  424.535(a)(5) give CMS and 
its Medicare contractors the authority to deny or revoke Medicare 
billing privileges for providers and suppliers respectively if the 
provider or supplier is not operational or the provider does not 
maintain the established provider or supplier performance standards. 
And while we do not believe that unscheduled or unannounced site visits 
are necessary for all providers and

[[Page 58210]]

suppliers, we do believe that a number of businesses, like the ones 
mentioned below, pose an increased risk to the Medicare program, due at 
least in part to the lack of individual professional licensure.
    Moreover, as discussed below, we have found that certain types of 
providers and suppliers that easily enter a line or business without 
clinical or business experience, for example by leasing minimal office 
space and equipment, present a higher risk of possible fraud to our 
programs. As such, we believe that because these types of providers 
pose an increased risk of fraud they should be subject to substantial 
scrutiny before being permitted to enroll and bill Medicare, Medicaid, 
or CHIP. This type of pre-enrollment scrutiny will help us move away 
from the ``pay and chase'' approach. With the exception of providers 
and suppliers that are publicly traded on the NYSE or NASDAQ and 
therefore considered ``limited'' risk, we propose that the following 
prospective provider and supplier types be considered a ``moderate'' 
risk for the purpose of determining the appropriate level of screening: 
nonpublic, non-government owned or affiliated ambulance service 
suppliers, community mental health centers (CMHCs), comprehensive 
outpatient rehabilitation facilities (CORFs), hospice organizations, 
IDTFs, and independent clinical laboratories.
    Most of these provider and supplier types are generally highly 
dependent on Medicare, Medicaid, or CHIP to pay their salaries and 
other operating expenses and are subject to less additional other 
government or professional oversight than the providers and suppliers 
in the limited risk category. Accordingly, we believe it is appropriate 
and necessary to conduct unscheduled and unannounced pre-enrollment 
site visits to ensure that these prospective providers and suppliers 
meet CMS' enrollment requirements prior to enrolling in the Medicare 
program. Moreover, we believe that post-enrollment site visits are also 
important to ensure that the enrolled provider or supplier remains a 
viable health care provider or supplier in the Medicare program.
    Accordingly, we propose in Sec.  424.518(b)(i) that in addition to 
the categorical screening tools used with respect to limited risk 
providers and suppliers that Medicare contractors shall conduct 
unannounced and unscheduled site visits prior to enrolling the 
following prospective providers and suppliers with the exception of 
providers and suppliers that are publicly traded on the NYSE or NASDAQ 
and therefore considered ``limited'' risk: Nonpublic, nongovernment 
owned or affiliated ambulance services suppliers, CMHCs, CORFs, hospice 
organizations, IDTFs, and independent clinical laboratories. In 
addition, we propose that the following currently enrolled Medicare 
providers should be categorized as ``moderate'': Currently enrolled 
(revalidating) home health agencies or suppliers of DMEPOS. (Except 
that any such provider that is publicly traded on the NYSE or NASDAQ is 
considered ``limited'' risk.)
    We believe that the providers and suppliers described above have 
the similar risk level as suppliers of DMEPOS and IDTFs, for both of 
which we already require a pre-enrollment site visit prior to 
completing the enrollment process.
    We are also proposing in Sec.  424.518(b)(ii) that the Medicare 
contractor shall conduct an unannounced and unscheduled pre-enrollment 
and/or post-enrollment on-site visit for the following providers and 
suppliers that are not publicly traded on the NYSE or NASDAQ during the 
revalidation process: non-public, non-government owned or affiliated 
ambulance services suppliers; CMHCs, CORFs, DMEPOS suppliers, HHAs, 
hospice organizations, IDTFs, and independent clinical laboratories. 
For the same reasons that we believe that a Medicare contractor should 
conduct a pre-enrollment site visit, we believe that Medicare 
contractors should conduct post-enrollment site visits during the 
revalidation process for the provider and supplier types described 
above.
    HHS OIG and GAO have issued studies indicating that several of the 
provider and supplier types cited above have an elevated risk. In an 
October 2007 report titled, ``Growth in Advanced Imaging Paid under the 
Medicare Physician Fee Schedule'' (OEI-01-06-00260), the HHS OIG 
recommended that CMS consider conducting site visits to monitor IDTFs' 
compliance with Medicare requirements.'' In addition, in an April 2007 
report titled, ``Medicare Hospices: Certification and Centers for 
Medicare & Medicaid Services Oversight'' (OEI-06-05-00260), the HHS OIG 
recommended that CMS seek legislation to establish additional 
enforcement remedies for poor hospice performance. In response to this 
recommendation, CMS stated that it was considering whether to pursue 
new enforcement remedies for poor hospice performance. While the 
Medicare enrollment process is not designed to verify the conditions of 
participation, we do believe that more frequent onsite visits may help 
identify those hospice organizations that are no longer operational at 
the practice location identified on the Medicare enrollment 
application.
    In a January 2006 report titled, ``Medicare Payments for Ambulance 
Transports'' (OEI-05-02-000590), the HHS OIG found that ``twenty-five 
percent of ambulance transports did not meet Medicare's program 
requirements, resulting in an estimated $402 million in improper 
payments.''
    In an August 2004 report titled, ``Comprehensive Outpatient 
Rehabilitation Facilities: High Medicare Payments in Florida Raise 
Program Integrity Concerns'' (GAO-04-709), the GAO concluded that, 
``[s]izeable disparities between Medicare therapy payments per patient 
to Florida CORFs and other facility-based outpatient therapy providers 
in 2002--with no clear indication of differences in patient needs--
raise questions about the appropriateness of CORF billing practices. 
After finding high rates of medically unnecessary therapy services to 
CORFs, CMS's claims administration contractor for Florida took steps to 
ensure appropriate claim payments for a small, targeted group of CORF 
patients. Despite its limited success, billing irregularities continued 
among some CORFs and many CORFs continued to receive relatively high 
payments the following year. This suggests that the contractor's 
efforts were too limited in scope to be effective with all CORF 
providers.''
    In addition to GAO and HHS OIG studies and reports, a number of 
Zone Program Integrity Contractors (ZPIC) and Program Safeguard 
Contractors (PSC), organizations used by CMS in helping to fight fraud 
in Medicare, have taken a number of administrative actions including 
payment suspensions and increased medical review, for the provider and 
supplier types shown above. For example, the Zone 7 ZPIC contractor in 
South Florida has conducted onsite reviews at 62 CORFs since January 
2010 and recommended revocation for 51 CORFs, or 82 percent of the 
CORFS in the area. The same contractor has conducted an onsite reviews 
at 38 CMHCs located in Dade, Broward and Palm Beach County since 
January 2010, and recommended that 30 CMHCs be revoked for 
noncompliance (79 percent of the CMHCs in the area). In each instance 
where the ZPIC requested a revocation, the CMHC was also placed on 
prepay review. We have also conducted an analysis of IDTF licensure 
requirements and have found several circumstances that indicate

[[Page 58211]]

irregularity and potential risk of fraud. Although independent clinical 
laboratories are subject to survey against CLIA requirements, there are 
nonetheless a number of potentials for fraud, not the least of which is 
the sheer volume of service and associated billing generated by these 
entities.
    Also, while we believe that prospective suppliers of DMEPOS that 
are not publicly-traded on the NYSE or NASDAQ are a ``high'' 
categorical risk (see discussion below), we believe that there is ample 
evidence to support the use of post-enrollment site visits as a 
reliable and effective tool to ensure that a current supplier of DMEPOS 
remains operational and continues to meet the supplier standards found 
in Sec.  424.57(c). In a March 2007 report titled, ``Medical Equipment 
Suppliers Compliance with Medicare Enrollment Requirements'' (OEI-04-
05-00380), the HHS OIG concluded that, ``By helping to ensure the 
legitimacy of DMEPOS suppliers, out-of cycle site visits may help to 
prevent fraud, waste, and abuse in the Medicare program. CMS may want 
to consider the findings of our study as they determine how and to what 
extent out-of-cycle site visits of DMEPOS suppliers will occur.'' 
Today, the NSC MAC utilizes on post-enrollment site visits as the 
primary screening to determine ongoing compliance with the enrollment 
criteria set forth in Sec.  424.57(c). Therefore, we have included 
currently enrolled DMEPOS suppliers in the ``moderate'' category.
    We also note that, in addition to the new screening measures being 
proposed in this rule, under the existing regulation at Sec.  424.517, 
a Medicare contractor may conduct an unannounced or unscheduled site 
visit at any time for any provider or supplier type prior to enrolling 
a prospective provider or supplier or for any existing provider or 
supplier enrolled in the Medicare program. While the primary purpose of 
an unannounced and unscheduled site visit is to ensure that a provider 
or supplier is operational at the practice location found on the 
Medicare enrollment application, a Medicare contractor may also verify 
established supplier standards or performance standards other than 
conditions of participation (CoP) subject to survey and certification 
by the State Survey agency, where applicable, to ensure that the 
supplier remains in compliance with program requirements.
    To assist readers in understanding the type of providers and 
suppliers that we propose to include in the ``moderate'' risk level, we 
are providing the following table.

 Table 3--Medicare Providers and Suppliers Designated as a ``Moderate''
                 Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Community mental health centers; Comprehensive outpatient rehabilitation
 facilities; Hospice organizations; Independent diagnostic testing
 facilities; Independent clinical laboratories; and Nonpublic,
 Nongovernment owned or affiliated ambulance services suppliers. (Except
 that any such provider or supplier that is publicly traded on the NYSE
 or NASDAQ is considered ``limited'' risk.)
Currently enrolled (revalidating) home health agencies. (Except that any
 such provider that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
Currently enrolled (re-validating) suppliers of DMEPOS.(Except that any
 such supplier that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
------------------------------------------------------------------------

 (3) High
    For those provider and supplier categories within the ``high'' 
level of risk, we propose that, in addition to the screening tools 
applicable to the ``limited'' and ``moderate'' levels of risk, Medicare 
contractors would use the following screening tools in the enrollment 
process: (1) Criminal background check; and (2) submission of 
fingerprints using the FD-258 standard fingerprint card. (The FD-258 
fingerprint card is recognized nationally and can be found at local, 
county or State law enforcement agencies where, for a fee, agencies 
will supply the card and take the fingerprints.) We propose that these 
tools would be applied to owners, authorized or delegated officials or 
managing employees of any provider or supplier within the ``high'' 
level of risk. We believe that criminal background checks will assist 
CMS in determining if an individual, such as an owner, authorized 
official, or delegated official, or managing employee of a high-risk 
provider or supplier type, submitted a complete and truthful Medicare 
enrollment application and whether an individual is eligible to enroll 
in the Medicare program or maintain Medicare billing privileges. We 
also believe that use of fingerprinting will help in verification of an 
individual's identity and help resolve issues associated with identity 
theft as discussed below. We believe that this position is supported by 
testimony of the GAO before the subcommittees for Health and Oversight 
and Ways and Means within the House of Representatives on June 15, 
2010, stating in part that ``[c]hecking the background of providers at 
the time they apply to become Medicare providers is a crucial step to 
reduce the risk of enrolling providers intent on defrauding or abusing 
the program. In particular, we have recommended stricter scrutiny of 
enrollment processes for two types of providers whose services and 
items CMS has identified as especially vulnerable to improper 
payments--home health agencies (HHAs) and suppliers of durable medical 
equipment, prosthetics, orthotics, and supplies (DMEPOS).''
    In Sec.  424.518(c)(1), we are proposing that, unless they are 
publicly traded on the NYSE or NASDAQ, newly enrolling HHAs and 
suppliers of DMEPOS are within the ``high'' risk level. Based on our 
experience and on work conducted by the HHS OIG and the GAO, and 
because we do not have the monitoring experience with newly enrolling 
DMEPOS suppliers or HHAs that we have with those currently enrolled, we 
have placed these providers and suppliers in the ``high'' risk 
category. We are especially concerned about newly enrolling HHAs and 
suppliers of DMEPOS because of the high number of HHAs and suppliers of 
DMEPOS already enrolled in the Medicare program and program 
vulnerabilities that these entities pose to the Medicare program. Below 
is a list of HHS OIG and GAO reports identifying home health agencies 
and suppliers of DMEPOS as posing an elevated risk to the Medicare 
program.
     In a December 2009 report titled, ``Aberrant Medicare Home 
Health Outlier Payment Patterns in Miami-Dade County and Other 
Geographic Areas in 2008'' (OEI-04-08-00570), the HHS OIG recommended 
that CMS continue with efforts to strengthen enrollment standards for 
home health providers to prevent illegitimate HHAs from obtaining 
billing privileges.

[[Page 58212]]

     In a February 2009 report titled, ``Medicare: Improvements 
Needed to Address Improper Payments in Home Health'' (GAO-09-185), the 
GAO concluded that the Medicare enrollment process does not routinely 
include verification of the criminal history of applicants, and without 
this information individuals and businesses that misrepresent their 
criminal histories or have a history of relevant convictions, such as 
for fraud, could be allowed to enter the Medicare program. In addition, 
the GAO recommended that CMS assess the feasibility of verifying the 
criminal history of all key officials named on the Medicare enrollment 
application.
     In a February 2008 report titled, ``Los Angeles County 
Suppliers' Compliance with Medicare Standards: Results from Unannounced 
Visits'' (OEI-09-07-00550) and in a March 2007 report titled, ``South 
Florida Suppliers' Compliance with Medicare Standards: Results from 
Unannounced Visits (OEI-03-07-00150), the HHS OIG recommended that CMS 
strengthen the Medicare DMEPOS supplier enrollment process and ensure 
that suppliers meet Medicare supplier standards. The HHS OIG provided 
several options to implement this recommendation including: (1) 
Conducting more unannounced site visits to suppliers; (2) performing 
more rigorous background checks on applicants; (3) assessing the fraud 
risk of suppliers; and (4) targeting, monitoring, and enforcement of 
high-risk suppliers.
     In a September 2005 report titled, ``Medicare: More 
Effective Screening and Stronger Enrollment Standards Needed for 
Medical Equipment Suppliers'' (GAO-05-656), the GAO concluded that,

    CMS is responsible for assuring that Medicare beneficiaries have 
access to the equipment, supplies, and services they need, and at 
the same time, for protecting the program from abusive billing and 
fraud. The supplier standards and NSC's gate keeping activities were 
intended to provide assurance that potential suppliers are qualified 
and would comply with Medicare rules. However, there is overwhelming 
evidence--in the form of criminal convictions, revocations, and 
recoveries--that the enrollment processes and the standards are not 
strong enough to thoroughly protect the program from fraudulent 
entities. We believe that CMS must focus on strengthening the 
standards and overseeing the supplier enrollment process. It needs 
to better focus on ways to scrutinize suppliers to ensure that they 
are responsible businesses, analogous to Federal standards for 
evaluating potential contractors.

    We recognize that there may also be circumstances where a 
particular provider or supplier or group of providers and suppliers may 
pose a higher risk of fraud, waste, and abuse than the level identified 
for their category generally. Therefore, in Sec.  424.518(c)(3), we are 
proposing specific criteria that we would use to adjust the 
classification of a provider or supplier into a higher risk level than 
would generally apply to the category of provider or supplier, in order 
to address specific program vulnerabilities. We are soliciting comments 
on specific additional circumstances that might justify shifting a 
provider or supplier into a higher risk level than would generally 
apply to its category. We are also soliciting comment on the criteria 
that we could use to shift the risk level back down.
    In Sec.  424.518(c)(3)(i), we are proposing to adjust a provider or 
supplier from the ``limited'' or ``moderate'' risk level to the 
``high'' risk level when CMS has evidence from or concerning a 
physician or nonphysician practitioner that another individual is using 
their identity within the Medicare program. While our Medicare 
contractors have implemented procedures to reduce the possibility of 
identity theft and use of physician's identity for the purposes of 
enrolling and fraudulently billing the Medicare program, we believe 
that we have a responsibility to all individuals participating in the 
Medicare program to take the necessary steps to investigate and resolve 
any allegations of identity theft. We do not intend to fingerprint the 
individual physician or other eligible professional who has been the 
victim of identity or provider number theft.
    In Sec.  424.518(c)(3), we are proposing to adjust a provider or 
supplier from the ``limited'' or ``moderate'' level of risk to the 
``high'' level of risk based on: the provider or supplier having been 
placed on a previous payment suspension; or the provider or supplier 
has been excluded by the HHS OIG or had its Medicare billing privileges 
denied or revoked by a Medicare contractor within the previous 10 years 
and is attempting to establish additional Medicare billing privileges 
for a new practice location or by enrolling as a new provider or 
supplier. In addition, we believe that providers that have been 
terminated or otherwise precluded from billing Medicaid should be 
adjusted from the ``limited'' or ``moderate'' category to the ``high'' 
category. We believe that such providers or suppliers pose an elevated 
level of risk to the Medicare program.
    In Sec.  424.518(c)(3)(iv), we are proposing to adjust providers or 
suppliers from the ``limited'' or ``moderate'' level of risk to the 
``high'' level of risk for 6 months after CMS lifts a temporary 
moratorium (see section II.C. of this proposed rule) applicable to such 
providers or suppliers. This would include providers and suppliers 
revalidating their enrollment if the moratorium is applicable to the 
provider or supplier type. We are seeking comments on criteria that 
would justify recategorization of providers or suppliers from the 
``limited'' or ``moderate'' category to the ``high'' category. We are 
also seeking comment on criteria appropriate to the recategorization 
from ``high'' to ``moderate'' or ``limited.'' We are seeking comment on 
the applicability of geographical circumstances as a possible criterion 
for adjusting providers or suppliers from one risk level to another. We 
are also seeking comments on whether non-practitioner-owned facilities 
and suppliers should be subject to a higher level of screening than 
their practitioner-owned counterparts or, whether there is an 
appropriate corresponding trigger for non-practitioner owned facilities 
and suppliers. We are seeking comment on whether providers and 
suppliers should be subject to higher levels of screening when the 
provider specialty does not match clinic type on an enrollment 
application. We are seeking comment on what objective conditions might 
support a broad category of circumstances or factors that would allow 
us to determine that provider screening levels of risk should be based 
on ``other conditions or factors that CMS determines are necessary to 
combat fraud, waste, and abuse.''
    We are seeking public comment on the appropriateness of using 
criminal background checks in the provider enrollment screening 
process, including the instances when such background checks might be 
appropriate, the process of notifying a provider, supplier or 
individual that a criminal background check is to be performed, and the 
frequency of such checks.
    We are also seeking comment on the use of fingerprinting as a 
screening measure in our programs. We recognize that requesting, 
collecting, analyzing, and checking fingerprints from providers and 
suppliers are complex and sensitive undertakings that place certain 
burdens on affected individuals. There are privacy concerns and 
operational concerns about how to assure individual privacy, how to 
check fingerprints against appropriate law enforcement fingerprint 
databases, and how to store the results of the query of the data bases 
and also how to handle the subsequent analysis of the results. As a 
result, we are soliciting comments on how CMS or an approved contractor

[[Page 58213]]

should maintain and store fingerprints, what security processes and 
measures are needed to protect the privacy of individuals, and any 
other issues related to the use of fingerprints in the enrollment 
screening process. As indicated in other portions of the document, we 
think fingerprints would be useful in situations where a provider's 
identity has been compromised or potentially compromised. We are 
interested in comments on this and other possible circumstances in 
which fingerprinting would be potentially useful in provider screening 
or other fraud prevention efforts. Our proposed screening approach 
contemplates requesting fingerprints from providers and suppliers 
categorized as presenting a ``high'' risk of fraud. We are seeking 
comment on this requirement, the circumstances under which it is 
appropriate, limitations on its use and any alternatives to the 
proposed approach regarding fingerprints. Our proposed approach would 
allow denial of billing privileges to newly enrolled providers and 
suppliers and revocation of billing privileges for revalidating 
providers and suppliers if owners or officials of providers or 
suppliers refuse to submit fingerprints when requested to do so. We are 
seeking comments on this proposal including its appropriateness and 
utility as a fraud prevention tool. In addition, we are also seeking 
comment on the applicability and appropriateness of using, in addition 
to or in lieu of fingerprinting, other enhanced identification 
techniques and secure forms of identification including but not limited 
to other biological or biometric techniques, passports, United States 
Military identification, or Real ID drivers licenses. As technology and 
secure identification techniques change, the tools we use may change to 
reflect improvements or shifts in technology or in risk identification. 
We are seeking comment on the appropriate uses of these techniques
    We note that any physician or non-physician practitioner or 
organizational provider or supplier that is denied enrollment into the 
Medicare program or whose Medicare billing privileges are revoked is 
afforded due process rights under Sec.  405.874.
    To assist readers in understanding the type of providers and 
suppliers that we propose to include in the ``high'' risk level, we are 
providing the following table.

   Table 4--Medicare Providers and Suppliers Designated as a ``High''
                 Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Prospective (newly enrolling) home health agencies and suppliers of
 DMEPOS. (Except that any such provider or supplier that is publicly
 traded on the NYSE or NASDAQ is considered ``limited'' risk.)
------------------------------------------------------------------------

    The new screening procedures implemented pursuant to new section 
1866(j)(2) of the Act would be applicable to newly enrolling providers 
and suppliers, beginning on March 23, 2011. These new screening 
procedures would also be applicable beginning on March 23, 2011 for 
those providers and suppliers currently enrolled in Medicare, Medicaid, 
and CHIP who revalidate their enrollment information. For Medicare, 
this will impact those providers and suppliers whose revalidation cycle 
results in revalidation occurring between March 23, 2011 and March 23, 
2012. Finally, these new procedures would be applicable to currently 
enrolled Medicare, Medicaid, and CHIP providers and suppliers beginning 
on March 23, 2012, in accordance with section 1866(j)(2)(ii) of the 
Act. As such, some providers and suppliers may be required to 
revalidate their enrollment outside of their regular revalidation 
cycle.
b. General Screening of Providers--Medicaid and CHIP
    Section 1902(ii)(1) of the Act requires that States comply with the 
process for screening providers established by the Secretary under 
section 1866(j)(2) of the Act \4\. Section 2107(e)(1) of the Act 
provides that all provisions that apply to Medicaid under sections 
1902(a)(77) and 1902(ii) of the Act apply to CHIP. We propose in new 
regulation Sec.  457.990 that all the provider screening, provider 
application, and moratorium regulations that apply to Medicaid 
providers will apply to providers that participate in CHIP. In 
addition, in this proposed rule, we refer to State Medicaid agencies as 
responsible for screening Medicaid-only providers. CHIP is often not 
administered by the Medicaid agency. Throughout this proposed rule, 
with respect to those instances, ``State Medicaid agency'' should be 
read as ``Children's Health Insurance Program agency.''
---------------------------------------------------------------------------

    \4\ As noted previously, we believe that the reference to 
section 1886(j)(2) of the Act in section 6401(b)(1) of the 
Affordable Care Act is a scrivener's error, and that the Congress 
intended to refer instead to section 1866(j)(2) of the Act.
---------------------------------------------------------------------------

    Because it would be inefficient and costly to require States to 
conduct the same screening activities that Medicare contractors perform 
for dually-enrolled providers, we are proposing that a State may rely 
on the results of the screening conducted by a Medicare contractor to 
meet the provider screening requirements under Medicaid and CHIP. 
Similarly, we propose in Sec.  455.410 that State Medicaid agencies may 
rely on the results of the provider screening performed by their sister 
State Medicaid programs and CHIP. For Medicaid-only providers or CHIP-
only providers, we are proposing that States follow the same screening 
procedures that CMS or its contractors follow with respect to Medicare 
providers and suppliers.
    As noted above, section 1902(ii)(1) of the Act requires that State 
screening methods follow those performed under the Medicare program. 
For the sake of brevity, we will not restate those methods verbatim. We 
propose that States follow the rationale that we have set forth for 
Medicare in section II.A.3. of this proposed rule, and that we use as 
the basis for Sec.  455.450. For the types of providers that are 
recognized as a provider or supplier under the Medicare program, States 
will use the same risk level that is assigned to that category of 
provider by Medicare. For those Medicaid and CHIP provider types that 
are not recognized by Medicare, States will assess the risk posed by a 
particular provider or provider type. States should examine their 
programs to identify specific providers or provider types that may 
present increased risks of fraud, waste or abuse to their Medicaid 
programs or CHIP. States are uniquely qualified to understand issues 
involved with balancing beneficiaries' access to medical assistance and 
ensuring the fiscal integrity of the Medicaid programs and CHIP. 
However, where applicable, we expect that States will assess the risk 
of fraud, waste, and abuse using similar criteria to those used in 
Medicare. For example, physicians and non-physician practitioners, 
medical groups and

[[Page 58214]]

clinics that are State-licensed or State-regulated would generally be 
categorized as limited risk, as would providers publicly traded on the 
NYSE or NASDAQ. Those provider types that are generally highly 
dependent on Medicare, Medicaid and CHIP to pay salaries and other 
operating expenses and which are not subject to additional government 
or professional oversight would be considered moderate risk, and those 
provider types identified by the State as being especially vulnerable 
to improper payments would be considered high risk. States will then 
screen the provider using the screening tools applicable to that risk 
assigned. However, we are not proposing to limit or otherwise preclude 
the ability of States to engage in provider screening activities beyond 
those required under section 1866(j)(2) of the Act, including, but not 
limited to, assigning a particular provider type to a higher risk level 
than the level assigned by Medicare.
    As with the proposed screening provisions for Medicare, we are 
soliciting comments on the applicability of these proposals for 
Medicaid as well. We are seeking comment on the proposed assignment of 
specific provider types to established risk categories, including 
whether such assignments should be released publicly, whether they 
should be reconsidered and updated according to an established 
schedule, and what criteria should be considered in making such 
assignments.
    Based on the level of risk assigned to a provider or provider type, 
we propose that States conduct the following screenings:

 Table 5--Category of Risk and Required Screening for Medicaid and CHIP
                                Providers
------------------------------------------------------------------------
  Type of Screening Required       Limited      Moderate        High
------------------------------------------------------------------------
Verification of any provider/             X             X             X
 supplier-specific
 requirements established by
 Medicaid/CHIP................
Conduct license verifications             X             X             X
 (may include licensure checks
 across State lines)..........
Database Checks (to verify SSN            X             X             X
 and NPI, the NPDB, licensure,
 a HHS OIG exclusion, taxpayer
 identification number, tax
 delinquency, death of
 individual practitioner, and
 persons with an ownership or
 control interest or who are
 agents or managing employees
 of the provider).............
Unscheduled or Unannounced      ............            X             X
 Site Visits..................
Criminal Background Check.....  ............  ............            X
Fingerprinting................  ............  ............            X
------------------------------------------------------------------------

    All States do not routinely require persons with an ownership or 
control interest or who are agents or managing employees of the 
provider to submit SSNs or dates of birth (DOBs). Without such critical 
personal identifiers, it is difficult to be certain of the identity of 
persons with an ownership or control interest or who are agents or 
managing employees of the provider, and it may be difficult for States 
to conduct the screening proposed under this rule. Accordingly, and to 
be consistent with Medicare requirements, pursuant to our general 
rulemaking authority under section 1102 of the Act, we propose in Sec.  
455.104 to require that States will require submission of SSNs and DOBs 
for all persons with an ownership or control interest in a provider. In 
addition to the amendment to Sec.  455.104, we are proposing to revise 
that section for the sake of clarity both for the disclosing entities' 
provision and the States' collection of the disclosures. We recognize 
that there may be privacy concerns raised by the submission of this 
personally identifiable information as well as concerns about how the 
States will assure individual privacy as appropriate; however, we 
believe this personally identifiable information is necessary for 
States to adequately conduct the provider screening activities under 
this proposed rule. We are seeking comment specifically on this issue.
    Although the level of screening may vary depending on the risk of 
fraud, waste or abuse the provider represents to the Medicaid program 
or CHIP, under section 1866(j)(2)(B)(i) of the Act, all providers would 
be subject to licensure checks. Therefore, we are proposing that States 
be required to verify the status of a provider's license by the State 
of issuance and whether there are any current limitations on that 
license.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, these requirements for provider screening and 
assigning of categories of risk of fraud, waste, or abuse, as well as 
verification of licensure, under Sec.  455.412 and Sec.  455.450 will 
apply in CHIP.
1. Database Checks--Medicaid and CHIP
    States employ several database checks, including database checks 
with the Social Security Administration and the NPPES, to confirm the 
identity of an individual or to ensure that a person with an ownership 
or control interest is eligible to participate in the Medicaid program.
    A critical element of Medicaid program integrity is the assurance 
that persons with an ownership or control interest or who are agents or 
managing employees of the provider do not receive payments when 
excluded or debarred from such payments. Accordingly, in Sec.  455.436, 
we propose that States be required to screen all persons disclosed 
under Sec.  455.104 against the OIG's LEIE and the General Services 
Administration's EPLS. We propose that States be required to conduct 
such screenings upon initial enrollment and monthly thereafter for as 
long as that provider is enrolled in the Medicaid program.
    We also propose at Sec.  455.450, as well as Sec.  455.436, that 
database checks be conducted on all providers on a pre- and post-
enrollment basis to ensure that providers continue to meet the 
enrollment criteria for their provider type.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, this requirement for database checks under Sec.  
455.436 will apply in CHIP.
2. Unscheduled and Unannounced Site Visits--Medicaid and CHIP
    Section 1866(j)(2)(B)(ii)(III) of the Act states that the 
Secretary, based on the level of fraud, waste, and abuse, may conduct 
unscheduled and unannounced site visits, including pre-enrollment site 
visits, for prospective providers and those providers already enrolled 
in the

[[Page 58215]]

Medicare and Medicaid programs and CHIP.
    Some States already require site visits, often for provider 
categories at increased risk of fraud, waste or abuse such as home 
health and non-emergency transportation. According to FY 08 State 
Program Integrity Assessment (SPIA) data, at least 16 States report 
that they perform some type of site visits. However, such efforts vary 
widely across the country and are subject to budget shortfalls.
    We are also proposing to require in Sec.  455.432 and Sec.  
455.450(b) that States must conduct pre-enrollment and post-enrollment 
site visits for those categories of providers the State designates as 
being in the ``moderate'' or ``high'' level of risk.
    Further, in Sec.  455.432, pursuant to our general rulemaking 
authority under section 1102 of the Act, we are proposing that any 
enrolled provider must permit the State Medicaid agency and CMS, 
including CMS' agents or its designated contractors, to conduct 
unannounced on-site inspections to ensure that the provider is 
operational at any and all provider locations.
    We maintain that site visits are essential in determining whether a 
provider is operational at the practice location found on the Medicaid 
enrollment agreement. We expect these requirements to increase the 
number of both pre-enrollment and post-enrollment site visits for those 
provider types that pose an increased financial risk of fraud, waste, 
or abuse to the Medicaid program.
    We propose that failure to permit access for site visits would be a 
basis for denial or termination of Medicaid enrollment as specified in 
Sec.  455.416.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, this requirement for site visits under Sec.  
455.432 will apply in CHIP.
3. Provider Enrollment and Provider Termination--Medicaid and CHIP
    States may refuse to enroll or may terminate the enrollment 
agreement of providers for a number of reasons related to a provider's 
status or history, including an exclusion from Medicare, Medicaid, or 
any other Federal health care program, conviction of a criminal offense 
related to Medicare or Medicaid, or submission of false or misleading 
information on the Medicaid enrollment application. Failure to provide 
disclosures is another reason for termination from participation in the 
Medicaid program.
    Federal regulations beginning at Sec.  455.100 require certain 
disclosures by providers to States before enrollment. States require 
additional disclosures prior to enrollment. Some States require 
periodic re-enrollment and disclosure at that time. However, States 
vary in the frequency of such re-disclosures. Providers are also 
inconsistent in keeping their enrollment information current, including 
items as elementary as their address.
    We are proposing, at Sec.  455.414, pursuant to our general 
rulemaking authority under section 1102 of the Act, that all providers 
undergo screening pursuant to the procedures outlined herein at least 
once every 5 years, consistent with current Medicare requirements for 
revalidation.
    In Sec.  455.416, we propose to establish termination provisions, 
requiring States to deny or terminate the enrollment of providers: (1) 
Where any person with an ownership or control interest or who is an 
agent or managing employee of the provider does not submit timely and 
accurate disclosure information or fails to cooperate with all required 
screening methods; (2) that are terminated on or after January 1, 2011 
by Medicare or any other Medicaid program or CHIP (see section II.F. of 
this proposed rule); and (3) where the provider or any person with an 
ownership or control interest or who is an agent or managing employee 
of the provider fails to submit sets of fingerprints within 30 days of 
a State agency or CMS request. We propose to permit States to deny 
enrollment to a provider if the provider has falsified any information 
on an application if CMS or the State cannot verify the identity of the 
applicant. We also propose to require States to deny enrollment to 
providers, unless States determine in writing that denial of enrollment 
is not in the best interests of the State's Medicaid program, in these 
circumstances: (1) The provider or a person with an ownership or 
control interest or who is an agent or managing employee of the 
provider fails to provide accurate information; (2) the provider fails 
to provide access to the provider's locations for site visits, or (3) 
the provider, or any person with an ownership or control interest, or 
who is an agent or managing employee of the provider has been convicted 
of a criminal offense related to that person's involvement in Medicare, 
Medicaid, or CHIP in the last ten years. We believe that providers can 
significantly reduce the likelihood of fraud, waste or abuse by 
providing and maintaining timely and accurate Medicaid enrollment 
information. We believe the Medicaid program will be better protected 
by not allowing persons with serious criminal offenses related to 
Medicare, Medicaid, and CHIP to serve as providers.
    We propose at Sec.  455.416 that the State be allowed to deny an 
initial enrollment application or agreement submitted by a provider or 
terminate the Medicaid enrollment of a provider, including an 
individual physician or non-physician practitioner, if CMS or the State 
is not able to verify an individual's identity, eligibility to 
participate in the Medicaid program, or determines that information on 
the Medicaid enrollment application was falsified.
    In Sec.  455.420, we propose to require that any providers whose 
enrollment has been denied or terminated must undergo screening and pay 
all appropriate application fees again to enroll or re-enroll as a 
Medicaid provider.
    We propose at Sec.  455.422 that in the event of termination under 
Sec.  455.416, the State Medicaid agency must give a provider any 
appeal rights available under State law or rule.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, these requirements for provider enrollment, 
provider termination, and provider appeal rights under Sec. Sec.  
455.414, 455.416, 455.420, and 455.422 will apply in CHIP.
4. Criminal Background Checks and Fingerprinting--Medicaid and CHIP
    Section 1866(j)(2)(B)(ii)(II) of the Act allows the Secretary to 
use fingerprinting during the screening process; and while several 
States have implemented procedures to require fingerprinting of 
physicians and non-physician practitioners as a condition of licensure, 
we maintain that if a State designates a provider as within the 
``high'' level of risk as described previously, each person with an 
ownership or control interest of that provider or who is an agent or 
managing employee of the provider should be subject to fingerprinting.
    We maintain that adding fingerprinting to State screening processes 
for those providers that pose the greatest risk to the Medicaid program 
will allow CMS and the State to: (1) Verify The individual's identity;

[[Page 58216]]

(2) determine whether the individual is eligible is participate in the 
Medicaid program; (3) ensure the validity of information collected 
during the Medicaid enrollment process; and (4) prevent and detect 
identity theft. Ensuring the identity of ``high'' risk Medicaid 
providers through fingerprinting protects both the Medicaid program and 
providers whose identities might otherwise be stolen as part of a 
scheme to defraud Medicaid.
    In addition, while Sec.  455.106 requires providers to submit 
information to the Medicaid agency on criminal convictions related to 
Medicare and Medicaid and title XX, current regulations do not require 
States to verify data submitted as part of the Medicaid enrollment 
application and they are sometimes not able to verify information that 
was purposefully omitted or changed in a manner to obfuscate any 
previous criminal activity. According to fiscal year (FY) 2008 SPIA 
data, at least 20 States report that they conduct some type of criminal 
background check as part of their Medicaid enrollment practices.
    Elements of a robust criminal background check could include, but 
are not necessarily limited to: (1) Conducting national and State 
criminal records checks; and (2) requiring submission of fingerprints 
to be used for conducting the criminal records check and verification 
of identity.
    We are proposing in Sec.  455.434 and Sec.  455.450 for those 
categories of providers that a State Medicaid agency determines is 
within the ``high'' level of risk, the State must: (1) Conduct a 
criminal background check of each person with an ownership or control 
interest or who is an agent or managing employee of the provider, and 
(2) require that each person with an ownership or control interest or 
who is an agent or managing employee of the provider to submit his or 
her fingerprints. While the FD-258 fingerprint card is recognized 
nationally and can be found at local, county, or State law enforcement 
agencies where, for a fee, agencies will supply the card and take the 
fingerprints, the State Medicaid agency has the discretion to determine 
the form and manner of submission of fingerprints.
    At Sec.  455.434, we propose that the State Medicaid agency must 
require providers or any person with an ownership or control interest 
or who is an agent or managing employee of the provider to submit 
fingerprints in response to a State's or CMS' request.
    We are seeking public comment on the appropriateness of using 
criminal background checks in the provider enrollment screening 
process, including the instances when such background checks might be 
appropriate, the process of notifying a provider or individual that a 
criminal background check is to be performed, and the frequency of such 
checks.
    We are also seeking comment on the use of fingerprinting as a 
screening measure. We recognize that requesting, collecting, analyzing, 
and checking fingerprints from providers are complex and sensitive 
undertakings that place certain burdens on affected individuals. There 
are privacy concerns and operational concerns about how to assure 
individual privacy, how to check fingerprints against appropriate law 
enforcement fingerprint databases, and how to store the results of the 
query of the databases and also how to handle the subsequent analysis 
of the results. As a result, we are soliciting comments on how CMS or a 
State Medicaid agency should maintain and store fingerprints, what 
security processes and measures are needed to protect the privacy of 
individuals, and any other issues related to the use of fingerprints in 
the enrollment screening process. As indicated in other portions of the 
document, we think fingerprints would be useful in situations where a 
provider's identity has been compromised or potentially compromised. We 
are interested in comments on this and other possible circumstances in 
which fingerprinting would be potentially useful in provider screening 
or other fraud prevention efforts. Our proposed screening approach 
contemplates requesting fingerprints from providers categorized as 
presenting a ``high'' risk of fraud. We are seeking comment on whether 
this is an appropriate requirement, the circumstances under which it 
might be appropriate or inappropriate, and any alternatives to the 
proposed approach regarding fingerprints. Our proposed approach would 
allow States to deny enrollment to newly-enrolling providers and to 
terminate existing providers if individuals who have an ownership or 
control interest in the provider or who are agents or managing 
employees of the provider refuse to submit fingerprints when requested 
to do so. We are seeking comments on this proposal including its 
appropriateness and utility as a fraud prevention tool.
    In addition, we are also seeking comment on the applicability and 
appropriateness of using, in addition to or in lieu of fingerprinting, 
other enhanced identification techniques and secure forms of 
identification including but not limited to passports, United States 
Military identification, or Real ID drivers licenses. As technology and 
secure identification techniques change, the tools we or State Medicaid 
agencies use may change to reflect changes in technology or in risk 
identification. We are seeking comment on the appropriate uses of these 
techniques and the ways in which we should notify the public about any 
tools CMS or State Medicaid agencies would adopt. We also welcome 
comments on whether there should be differences allowed between Federal 
and State techniques, or among States, and if so, on what basis.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, these requirements for criminal background checks 
and fingerprinting under Sec.  455.434 will apply in CHIP.
5. Deactivation and Reactivation of Provider Enrollment--Medicaid and 
CHIP
    Section 1902(ii)(1) of the Act requires the screening of Medicaid 
providers to ensure they are eligible to provide services and receive 
payments. While the ACA does not specifically require it, we maintain 
that it is important to the protection of the Medicaid program and 
consistent with longstanding Medicare requirements to identify and 
deactivate the enrollment of inactive Medicaid providers.
    Accordingly, in Sec.  455.418, we propose that any Medicaid 
provider that has not submitted any claims or made a referral that 
resulted in a Medicaid claim for a period of 12 consecutive months must 
have its Medicaid provider enrollment deactivated. Further, we propose 
that any such provider wishing to be reinstated to the Medicaid program 
must first undergo all disclosures and screening required of any other 
applicant. In addition, the provider must pay any associated 
application fees under Sec.  455.426.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, this requirement for deactivation of provider 
enrollment under Sec.  455.418 will apply in CHIP.

[[Page 58217]]

6. Enrollment and NPI of Ordering or Referring Providers--Medicaid and 
CHIP
    Section 1902(ii)(7) of the Act provides that States must require 
all ordering or referring physicians or other professionals to be 
enrolled under a Medicaid State plan or waiver of the plan as a 
participating provider. Further, the NPI of such ordering or referring 
provider or other professional must be on any Medicaid claim for 
payment based on an order or referral from that physician or other 
professional.
    Providers and suppliers under Medicare and providers in the 
Medicaid program are already subject to the requirement that the NPI be 
on applications to enroll and on all claims for payment, pursuant to 
section 6402(a) of the ACA, amending section 1128J of the Act, and 
under Sec.  424.506, Sec.  424.507, and Sec.  431.107, as amended by 
the May 5, 2010 interim final rule with comment (75 FR 24437).
    In Sec.  455.410, we propose that any physician or other 
professional ordering or referring services for Medicaid beneficiaries 
must be enrolled as a participating provider by the State in the 
Medicaid program. This applies equally to fee-for-service providers or 
MCE network-level providers.
    Additionally, we propose to amend Sec.  438.6 to require that 
States must include in their contracts with MCEs a requirement that all 
ordering and referring network-level MCE providers be enrolled in the 
Medicaid program, as are fee-for-service providers, and thus are 
screened directly by the State.
    Although the NPI requirements in section 6402(a) of the ACA did not 
extend to CHIP providers, section 6401 of the ACA does apply equally to 
CHIP, and the proposed requirement herein for ordering and referring 
physicians or other professionals under the Medicaid program would 
apply equally under CHIP.
    In addition, in Sec.  455.440, we propose that all claims for 
payment for services ordered or referred by such a physician or other 
professional must include the NPI of the ordering or referring 
physician or other professional. This applies equally to fee-for-
service providers or MCE network-level providers.
    It is essential that all such claims have the ordering or referring 
NPI and that the State has properly screened the ordering or referring 
physician or other professional. Without such assurances, it is 
difficult for CMS or the State to determine the validity of individual 
claims for payment or to conduct effective data mining to identify 
patterns of fraud, waste, and abuse.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, these requirements for provider enrollment and NPI 
under Sec. Sec.  455.410 and 455.440 will apply in CHIP.
7. Other State Screening--Medicaid and CHIP
    Section 1902(ii)(8) of the Act establishes that States are not 
limited in their abilities to engage in provider screening beyond those 
required by the Secretary. Accordingly, in Sec.  455.452, we propose 
that States may utilize additional screening methods, in accordance 
with their approved State plan.
    As stated above, pursuant to section 2107(e)(1) of the Act, all 
provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(ii) of the Act apply to CHIP. Because we are proposing a new 
regulation in Part 457 under which all provider screening requirements 
that apply to Medicaid providers will apply to providers that 
participate in CHIP, this requirement for other State screening under 
Sec.  455.452 will apply in CHIP.

B. Application Fee--Medicare, Medicaid, and CHIP

1. Statutory Changes
    Section 6401(a) of the ACA, as amended by section 10603 of the ACA, 
amended section 1866(j) of the Act and requires the Secretary of DHHS 
to impose a fee on each ``institutional provider of medical or other 
items or services or supplier,'' The fee would be used by the Secretary 
to cover the cost of screening and to carry out the screening and other 
program integrity efforts under section 1866(j) and section 1128J of 
the Act. Since section 10603 of the ACA excludes eligible 
professionals, such as physicians and nurse practitioners, from paying 
an enrollment application fee, we maintain that an ``institutional 
provider of medical or other items or services or supplier'' would be 
any health care provider that bills Medicare, Medicaid, or CHIP on a 
fee-for-service basis, with the exception of Part B medical groups or 
clinics and physician and nonphysician practitioners who submit the CMS 
855I to enroll in Medicare.
    Section 1866(j)(2)(D)(i) of the Act states that the new screening 
procedures implemented pursuant to section 6401 of the ACA would be 
applicable to newly enrolling providers, suppliers, and eligible 
professionals who are not enrolled in Medicare, Medicaid, or CHIP by 
March 23, 2011. Accordingly, the enrollment application fees for newly 
enrolling institutional providers and suppliers would be applicable on 
that date as well.
    Section 1866(j)(2)(D)(ii) of the Act states that the new screening 
procedures will apply to currently enrolled Medicare, Medicaid, and 
CHIP providers, suppliers, and eligible professionals beginning on 
March 23, 2012. However, because the new procedures will be applicable 
beginning on March 23, 2011 for those providers, suppliers, (and 
eligible professionals) currently enrolled in Medicare, Medicaid and 
CHIP that revalidate their enrollment information, we will begin 
collecting the application fee for those revalidating entities for all 
revalidation activities beginning after March 23, 2011.
    Section 1866(j)(2)(C)(ii) of the Act permits the Secretary, acting 
through CMS, to, on a case-by-case basis, exempt a provider or supplier 
from the imposition of an application fee if CMS determines that the 
imposition of the enrollment application fee would result in a 
hardship. It also permits the Secretary to waive the enrollment 
application fee for Medicaid providers for whom the State demonstrates 
that imposition of the fee would impede Medicaid beneficiaries' access 
to care.
    Section 1866(j)(2)(C)(i)(I) of the Act establishes a $500 
application fee for providers and suppliers in 2010. For 2011 and each 
subsequent year, the amount of the fee would be the amount for the 
preceding year, adjusted by the percentage change in the consumer price 
index for all urban consumers (all items; United States city average), 
(CPI-U) for the 12-month period ending with June of the previous year. 
To ease the administration of the fee, if the adjustment sets the fee 
at an uneven dollar amount, CMS will round the fee to the nearest whole 
dollar amount.
2. Proposed Provisions
    In Sec.  424.502, we also propose to establish a definition for an 
``institutional provider'' as it relates to the submission of an 
application fee. We propose that an ``institutional provider'' means 
any provider or supplier that submits a paper Medicare enrollment 
application using the CMS-855A, CMS-855B (but not physician and 
nonphysician practitioner

[[Page 58218]]

organizations), or CMS-855S or associated Internet-based PECOS 
enrollment application.
    For purposes of Medicare, Medicaid, and CHIP, we interpret the 
statutory reference to ``institutional provider[s] of medical or other 
items or services or supplier'' to include, but not be limited to: the 
range of ambulance service suppliers; ASCs; CMHCs; CORFs; DMEPOS 
suppliers; ESRD facilities; FQHCs; histocompatibility laboratories; 
HHAs; hospices; hospitals, including but not limited to acute inpatient 
facilities, inpatient psychiatric facilities (IPFs), inpatient 
rehabilitation facilities (IRFs), and physician-owned specialty 
hospitals; CAHs; independent clinical laboratories; IDTFs; mammography 
centers; mass immunizers (roster billers); OPOs; outpatient physical 
therapy/occupational therapy/speech pathology services, portable x-ray 
suppliers; SNFs; slide preparation facilities; radiation therapy 
centers; RNHCIs; and RHCs.
    In addition to the providers and suppliers listed above, for 
purposes of Medicaid and CHIP, we propose that a State may impose the 
application fee on any institutional entity that bills the State 
Medicaid program or CHIP on a fee-for-service basis, such as: Personal 
care agencies, non-emergency transportation providers, and residential 
treatment centers, in accordance with the approved Medicaid or CHIP 
State plan.
    We propose that an application fee will not be required from an 
eligible professional who reassigns Medicare benefits to another 
individual or organization, since it would not create a new enrollment 
of an institutional provider or supplier that would result in an 
application fee. In addition, we propose that in no case would the 
application fee be required from any individual physician or Part B 
medical group/clinic.
    We propose that an application fee will be required with the 
submission of an initial enrollment application, the application to 
establish a new practice location, as a part of revalidation, or in 
response to a Medicare contractor revalidation request.
    We are proposing that prospective institutional providers and 
suppliers as well as currently enrolled providers who are re-enrolling 
or revalidating their enrollment in Medicare must submit the applicable 
application fee or submit a request for a hardship exception to the 
application fee at the time of filing a Medicare enrollment application 
on or after March 23, 2011 in the case of prospective providers or 
suppliers, and in the case of revalidations. We believe that it is 
essential that a Medicare contractor be able to receive and deposit the 
application fee or consider the institutional provider's request for a 
hardship exception prior to initiating an application review. 
Therefore, Medicare contractors would not begin processing an 
application for either a new provider or supplier, or for a provider or 
supplier that is currently enrolled, until the enrollment application 
fee is received and is credited to the United States Treasury.
    The fee would accompany the certification statement that the 
provider or supplier signs, dates, and mails to the Medicare contractor 
if the provider or supplier uses Internet-based PECOS to enroll or 
revalidate. The fee would accompany the paper CMS-855 provider 
enrollment application if the provider or supplier enrolls or 
revalidates by paper. Because the statutory provisions are effective 
for newly enrolling providers and suppliers effective March 23, 2011 
institutional providers and suppliers will not be required to furnish 
the application fee with applications submitted before that date. 
However, because the ACA provides that the new procedures will be 
applicable beginning on March 23, 2011 for those providers and 
suppliers, (and eligible professionals) currently enrolled in Medicare, 
Medicaid, and CHIP that revalidate their enrollment information, CMS 
will begin collecting the application fee for those revalidating 
entities for all revalidation activities beginning after March 23, 
2011. We will not collect the fee from individual physicians and 
eligible professionals.
    We propose that the Medicare contractor reject and return to the 
provider or supplier an initial enrollment application submitted by a 
provider or supplier, without further review as to whether the provider 
or supplier qualifies to enroll in the Medicare program, when the 
Medicare enrollment application or the Certification Statement is 
received by the Medicare contractor and the provider or supplier did 
not include a request for hardship exception to the application fee, 
did not include the application fee or the appropriate number of 
application fees, if applicable. We do not believe that it is 
appropriate for a Medicare contractor to begin the application review 
process without first having received the application fee.
    We propose that the Medicare contractor reject any initial 
enrollment applications submitted after March 23, 2011, if a provider 
or a supplier did not furnish the application fee at the time of 
filing, using Sec.  424.525(a)(3) as the legal basis for the rejection.
    In Sec.  424.525(a)(3), we propose adding a new reason why a 
Medicare contractor could reject an initial enrollment application or 
an application to establish a new practice location. Specifically, we 
are proposing a new Sec.  424.525(a)(3) to state, ``The prospective 
institutional provider or supplier does not submit an application fee 
in the appropriate amount or a hardship exception request with the 
Medicare enrollment application at the time of filing.''
    We also believe that a Medicare contractor should be allowed to 
reject an initial enrollment application received from a provider or 
supplier on or after March 23, 2011, using Sec.  424.525(a)(1) as the 
legal basis, if, for any reason, CMS or the Medicare contractor is not 
able to deposit the full application amount into a government-owned 
account and credited to the U.S. Treasury. In the case where a provider 
or supplier did not submit the application fee because they requested a 
hardship exception that is not granted, a provider or supplier has 30 
days from the date on which the contractor sends notice of the 
rejection of the hardship exception request to send in the required 
application fee and application forms.
    In Sec.  424.535, we propose adding a new reason why a Medicare 
contractor can revoke Medicare billing privileges. Specifically, we are 
proposing a new Sec.  424.535(a)(6)(i) to state that billing privileges 
may be revoked if ``An institutional provider does not submit an 
application fee or hardship exception request that meets the 
requirements set forth in Sec.  424.514 with the Medicare revalidation 
application or the hardship exception is not granted.''
    In addition, in Sec.  424.535, we are proposing a new Sec.  
424.535(a)(6)(ii) to state that billing privileges shall be revoked if 
``The Medicare contractor is not able to deposit the full application 
amount into a government-owned account or the funds are not able to be 
credited to the U.S. Treasury.''
    In Sec.  424.514(b), we are proposing that currently enrolled 
institutional providers and suppliers that are subject to CMS 
revalidation efforts must submit the applicable application fee or 
submit a request for a hardship exception to the application fee at the 
time of filing a Medicare enrollment application on or after March 23, 
2011.
    In Sec.  424.514(d)(2)(iii), we propose that institutional 
providers and suppliers submit the application fee with each initial 
application, application to establish a new practice location, or

[[Page 58219]]

with the submission of an application in response to a Medicare 
contractor revalidation request.
    In Sec.  424.514(d)(2), we propose that the application fee be 
based on the amount calculated by CMS using the CPI-U as of June 30 of 
the previous year and adjusted annually to be effective January 1st of 
the following year. The application fee for a given year will be 
effective from January 1 to December 31 of a calendar year.
    In Sec.  424.514(d)(2)(v), we propose that the application fee be 
non-refundable. Neither the Federal government, its Medicare 
contractors, State Medicaid agencies or CHIP should be liable for 
reimbursement of the application fee to the provider or supplier if the 
application fee has been received by the Medicare contractor and 
deposited into a Government-owned account and, later, during the course 
of verifying, validating, and processing the information in the 
enrollment application, CMS or its Medicare contractor appropriately 
denies the enrollment application. Appropriate denial requires a 
substantive reason and applications will not be denied over 
inconsequential errors or omissions or over errors or omissions 
corrected timely.
    In Sec.  424.514(d)(4)(vi), we propose that a provider or supplier 
must submit a new application fee if the provider or supplier resubmits 
a Medicare enrollment application because a previously-submitted 
enrollment application was appropriately denied or rejected. In some 
cases, a rejected application would be returned to the provider or 
supplier along with the application fee; in other cases, the 
application would be denied and the application fee retained by the 
Federal government because the processing of the application would have 
already begun. In those latter cases, CMS funds would have been 
expended for some or all of the required screening involved in 
processing the application. For example, if a home health agency 
enrollment application is rejected because the enrollment application, 
or the certification statement generated by Internet-based PECOS, was 
not signed, the enrollment application would be rejected and it and the 
check for the application fee would both be returned to the home health 
agency. If a home health agency enrollment application is denied based 
on non-compliance with a provider enrollment requirement or because the 
HHA did not meet the conditions of participation for its provider type, 
the enrollment would be denied and the application fee would be 
retained by the Federal government. If the HHA wishes to send a new 
enrollment application, it would have to include another application 
fee with that new enrollment application. Similarly, we propose that a 
provider or supplier would be required to submit to the Medicare 
contractor a new application fee with a subsequent enrollment 
application if, among other things, the previous enrollment application 
was rejected because the provider or supplier did not timely furnish 
the Medicare contractor with the applicable supporting documentation or 
information necessary to complete its review and verification of the 
previous enrollment application.
    In Sec.  424.514(d)(6)(vii), we propose that the application fee 
must be able to be deposited into a government-owned account.
    Because we are proposing that a State may rely on the results of 
the screening conducted by the Medicare contractor to meet the 
screening requirements for participation in a State Medicaid program or 
CHIP, we propose that, for dually participating providers, the 
application fee would be imposed at the time of the Medicare enrollment 
application, consistent with the procedures described above. 
Additionally, because the purpose of the application fee is to, in 
part, cover the costs of conducting the provider and supplier screening 
activities, we propose that a provider or supplier enrolled in more 
than one program (that is, Medicare and Medicaid or CHIP, or all three 
programs) would only be subject to the application fee under Medicare 
and that the fee would cover screening activities for enrollment in all 
programs.
    Section 1866(j)(2)(C)(iii) of the Act also permits the Secretary to 
grant, on a case-by-case basis, exceptions to the application fee for 
institutional providers and suppliers enrolled in the Medicare and 
Medicaid programs and CHIP if the Secretary determines that imposition 
of the fee would result in a hardship. One instance that might support 
a request for hardship exception is in the event of a national public 
health emergency where a provider or supplier is enrolling for purposes 
of furnishing services required as a result of the national public 
health emergency situation. Such requests will be considered on a case-
by-case basis, as required by the statute. In addition, we are 
soliciting comments on the appropriate objective criteria that should 
be used in making a hardship determination and if there are any other 
circumstances in which such exemptions should be allowed. We are also 
seeking comment on the kinds of documents to be submitted to CMS or its 
contractor to exhibit hardship, including any comments on the financial 
or legal records that might be needed to make a determination of 
hardship. Section 1866(j)(2)(C)(iii) of the Act also permits the 
Secretary to waive the application fee for providers enrolled in a 
State Medicaid program for whom the State demonstrates that imposition 
of the fee would impede beneficiary access to care. We are soliciting 
comments on how waivers from the application fee should be implemented 
for Medicaid-only or dually-participating Medicare and Medicaid 
providers and suppliers specifically those seeking to furnish services 
where beneficiary access issues are prevalent, either geographically or 
in the provision of the services.
    We are committed to assuring access to care for program 
beneficiaries. We are in the process of undertaking a review of 
promising practices related to ensuring access in the Medicaid program 
and CHIP. We will incorporate information from that review into 
developing appropriate access criteria for purposes of the required 
fee. We are also soliciting comments on the appropriate criteria that 
we should consider. We are particularly interested in hearing from 
States, providers, advocates, and other stakeholders relating to 
concrete examples based on experiences in using specific access 
criteria.
    Based on the statutory requirements for calculating the application 
fee, we offer the following example for purely illustrative purposes. 
The initial application fee beginning in 2010 is established by law at 
$500. However, for the following year, when the annual Consumer Price 
Index (CPI-U) is calculated for the period ending June 2010, we would 
recalculate the application fee using the CPI-U. Thus, if the CPI 
increased by 2.34 percent for the 12-month period ending June 2010, the 
application fee would be calculated by multiplying the fee for the year 
by the CPI-U. The $500 application fee established by law in 2010 would 
be multiplied by 1.0234 to give $511.70. We would then round to the 
nearest dollar amount of $512.00. This would be the amount of the fee 
in effect for 2011, and would apply to applications received after the 
effective date of the statute--March 23, 2011 for newly enrolling 
providers and suppliers and for revalidating providers and suppliers. A 
similar process, based on the CPI-U for the period of July 1, 2010 
through June 30, 2011 would be used to calculate the fee that would 
become effective on January 1, 2012, and that

[[Page 58220]]

would apply to new and currently enrolled providers or suppliers that 
submit applications on or after March 23, 2012. In Sec.  424.514(d)(2), 
we propose that the annually recalculated application fee amount would 
be effective for the calendar year during which the application for 
enrollment is being submitted.
    The amount of the application fee that is required of enrolling 
providers or suppliers, would be the amount that is in effect on the 
day the provider or supplier mails an enrollment application or 
Certification Statement, postmarked by the USPS, or if mailed through a 
private mail service, the date of receipt by the Medicare contractor. 
Because the application fee will become an integral part of the 
enrollment process, we believe that it is essential that we notify 
State Medicaid agencies and the public about any changes in the 
application fee prior to implementing a change in the fee. Accordingly, 
we would afford States and the public with at least 30 days' notice of 
any impending change in the application fee. We will make such 
notification annually in the Federal Register and by issuing guidance 
to the State Medicaid and CHIP Directors, issuing CMS provider and 
supplier listserv messages, making announcements at CMS Open Door 
Forums, and placing information on the CMS Provider/Supplier Enrollment 
Web page (http://www.cms.gov/MedicareProviderSupEnroll).
    We are proposing that a provider or supplier that believes it is 
entitled to a hardship exception from the application fee enclose a 
letter with the enrollment application or, if using Internet-based 
PECOS, with the Certification Statement, explaining the nature of the 
hardship. Further, we propose that we would not begin to process an 
enrollment application submitted with a letter requesting a hardship 
exception from the application fee until it makes a decision on whether 
to grant the exception. Further, we are proposing that we make a 
hardship exception determination within 60 days from receipt of the 
request from an institutional provider and CMS contractor notify the 
applicant or enrolled institutional provider or supplier by letter 
approving or denying the request for a hardship exception. Moreover, if 
we deny the request for hardship exception, we would provide our 
reason(s) for denying the hardship exception.
    In Sec.  424.530(a)(8), we propose adding a new reason why a 
Medicare contractor can deny Medicare billing privileges. Specifically, 
we are proposing a new Sec.  424.530(a)(8) to state, ``An institutional 
provider's or supplier's `hardship exception' request is not granted.''
    In 424.535(a)(6)(i), we propose adding a new reason why a Medicare 
contractor can revoke Medicare billing privileges. Specifically, we are 
proposing a new Sec.  424.535(a)(6)(i) to state, ``An institutional 
provider does not submit an application fee or `hardship exception' 
request that meets the requirements set forth in Sec.  424.514 with the 
Medicare revalidation application or the hardship exception request is 
not granted and the institutional provider or supplier does not submit 
the required application fee within 30 days of being notified that the 
exception request was not approved.
    We are also proposing that an institutional provider may appeal the 
determination not to grant a hardship exception from the application 
fee using the provider enrollment appeals process established in Sec.  
405.874 and found in 1866(j)(2) of the Act.
    In Sec.  455.460, we are proposing that, for those providers who do 
not participate in Medicare, the State may collect the fee established 
by the Secretary as outlined above as the State will be responsible for 
conducting the provider screening activities for these providers. Total 
fees collected will be used to offset the cost of the Medicaid and CHIP 
screening programs. The fees represent an applicable credit under OMB 
Circular A-87, entitled ``Cost Principles for State, Local, and Indian 
Tribal Governments'' (August 31, 2005 (70 FR 51910)), codified at 2 CFR 
part 225, and made applicable to States by 45 CFR 92.22(b). The cost 
principles require that the costs a State claims must be reduced by 
``applicable credits,'' or ``those receipts or reduction of 
expenditure-type transactions that offset or reduce expense items 
allocable to Federal awards as direct or indirect costs'', (Paragraphs 
C.1.i., C.4.a. and D.1. of Appendix A to 2 CFR part 225). If the fees 
collected by a State agency exceed the cost of the screening program, 
the State agency must return that portion of the fees to the Federal 
Government. CMS will direct these fees to support program integrity 
efforts as permitted by the ACA.

C. Temporary Moratoria on Enrollment of Medicare Providers and 
Suppliers, Medicaid and CHIP Providers

1. Statutory Changes
    Section 6401(a) of the ACA amended section 1866(j) of the Act by 
adding a new section 1866(j)(7) of the Act, which provides that the 
Secretary may impose temporary moratoria on the enrollment of new 
Medicare, Medicaid, or CHIP providers and suppliers, including 
categories of providers and suppliers, if the Secretary determines such 
moratoria are necessary to prevent or combat fraud, waste, or abuse 
under the programs.
    Section 6401(b)(1) of the Act adds specific moratorium language 
applicable to Medicaid at section 1902(ii)(4) of the Act, requiring 
States to comply with any temporary moratorium imposed by the Secretary 
unless the State determines that the imposition of such moratorium 
would adversely affect Medicaid beneficiaries' access to care. Section 
1902(ii)(4)(B) of the Act further permits States to impose temporary 
enrollment moratoria, numerical caps, or other limits, for providers 
identified by the Secretary as being at high risk for fraud, waste, or 
abuse, if the State determines that the imposition of such moratorium, 
cap, or other limits would not adversely impact Medicaid beneficiaries' 
access to care.
    Section 1866(j)(7) of the Act uses the term ``providers of services 
and suppliers.'' Although, as noted above, the Medicaid program does 
not use the term ``suppliers,'' section 1902(ii)(4) of the Act refers 
to ``providers and suppliers.'' In this regulation, for uniformity with 
sections II A. and B. of the proposed rule, we are using the term 
``providers and suppliers'' in lieu of the term ``provider of services 
and suppliers.'' We will use the term ``provider'' or ``Medicaid 
provider'' or ``CHIP provider'' in lieu of the term ``provider or 
supplier'' when referring to all Medicaid or CHIP health care 
providers, including, but not limited to, providers and suppliers of 
Medicaid items or services, individual practitioners, and institutional 
providers.
2. Proposed Requirements
a. Medicare
    We propose at Sec.  424.570(a) that CMS may impose a moratorium on 
the enrollment of new Medicare providers and suppliers in 6- month 
increments in situations where--(1) CMS, based on its review of 
existing data, without limitation, indentifies a trend that appears to 
be associated with a high risk of fraud, waste or abuse, such as highly 
disproportionate number of providers or suppliers in a category 
relative to the number of beneficiaries or a rapid increase in 
enrollment applications within a category determines that there is a 
significant potential for fraud, waste or abuse with respect to a 
particular provider or supplier type or particular geographic area or 
both; (2) a State has

[[Page 58221]]

imposed a moratorium on enrollment in a particular geographic area or 
on a particular provider of supplier type or both; or (3) CMS, in 
consultation with the HHS OIG or the Department of Justice (DOJ) or 
both identifies either or both of the following as having a significant 
potential for fraud, waste or abuse in the Medicare program:
     A particular provider or supplier type.
     Any particular geographic area.

As part of the CMS decision-making process, we will consider any 
recommendation from the DOJ, HHS OIG, or the GAO to impose a temporary 
moratorium for a specific provider or supplier type in a specific 
geographic area.
    We believe that imposing moratoria will, among other things, allow 
us to review and consider additional programmatic initiatives, 
including the development of additional regulatory and subregulatory 
provisions to ensure that Medicare providers and suppliers are meeting 
program requirements, beneficiaries receive quality care, and that an 
adequate number of providers of suppliers exists to furnish services to 
Medicare beneficiaries.
    We also propose that enrollment moratoria be limited to: (1) Newly 
enrolling providers and suppliers (that is., initial enrollment 
applications); and (2) the establishment of new practice locations, not 
to a change of practice locations. The temporary moratoria would not 
apply to existing providers or suppliers of services unless they were 
attempting to expand operations to new practice locations where a 
temporary moratorium was imposed. Moreover, the temporary moratoria 
would not apply in situations involving changes in ownership of 
existing providers or suppliers, mergers, or consolidations.
    We also propose at Sec.  424.570(b) that a moratorium would be 
imposed for a period of 6 months, and such moratorium could be extended 
by CMS in 6-month increments if CMS continues to believe that a 
moratorium is needed to prevent or combat fraud, waste, or abuse. The 
Secretary will re-evaluate whether a moratorium should continue prior 
to each 6 month expiration date.
    We also propose at Sec.  424.570(c) that CMS will deny enrollment 
applications received from providers or suppliers covered by an 
existing moratorium. We note that denial of Medicare billing privileges 
is subject to the administrative review process established in Sec.  
405.874. Accordingly, we believe that denial of Medicare billing 
privileges is also afforded the right to appeal a Medicare contractor 
determination to deny enrollment into the Medicare program.
    In Sec.  424.530(a)(9), we propose adding a new reason why CMS can 
deny Medicare billing privileges. Specifically, we are proposing a new 
Sec.  424.530(a)(9) to state, ``A provider or supplier submits an 
enrollment application for a practice location in a geographic area 
where CMS has imposed a temporary moratorium.'' Further, in Sec.  
498.5(l)(4), we propose that the scope of review for appeals of denials 
under Sec.  424.530(a)(9) based upon a provider or supplier being 
subject to a temporary moratorium will be limited to whether the 
temporary moratoria applies to that particular provider or supplier.
    We note that section 1866(j)(7) of the Act provides that there 
shall be no judicial review of a temporary moratorium. Accordingly, we 
propose that a provider or supplier may administratively appeal an 
adverse determination based on the imposition of a temporary moratorium 
up to and including the Department Appeal Board (DAB) level of review.
    Finally, we propose at Sec.  424.570(d) that we may lift a 
moratorium in the following circumstances: (1) In the case of a 
Presidentially- declared disaster under the Robert T. Stafford Disaster 
Relief and Emergency Assistance Act, 42 U.S.C. 5121 through 5206 
(Stafford Act); (2) circumstances warranting the imposition of a 
moratorium have abated or CMS has implemented program safeguards to 
address any program vulnerability that was the basis for the 
moratorium; or (3) in the judgment of the Secretary, the moratorium is 
no longer needed.
    We also recognize that in a limited number of circumstances a State 
Medicaid agency may enroll a provider or supplier into Medicaid during 
the temporary moratorium period established by Medicare. If this occurs 
and the prospective Medicare provider or supplier applies to enroll in 
the Medicare program after the temporary moratorium is lifted, we would 
use the screening tools described in section II.A. of this proposed 
rule.
    We are also seeking public comment on specific exemptions to the 
temporary moratoria criteria proposed above. Prior to imposing a 
moratorium, we would assess Medicare beneficiary access to the type(s) 
of services that are furnished by the provider or supplier type and/or 
within the geographic area to which the moratorium would apply.
    We would announce the implementation of a moratorium at any time. 
The announcement would be made in the Federal Register and we would 
also address it in other methods or forums, such as Press Releases, at 
CMS Provider Open Door Forums, in CMS provider listservs, and on the 
CMS Provider/Supplier Enrollment Web page (http://www.cms.gov/MedicareProviderSupEnroll). We would also require our Medicare 
contractors to post the moratorium announcement or note the expiration 
of a moratorium on their Web sites. Our Federal Register announcement 
would explain in detail the rationale for the moratorium and the 
rationale for the geographic area(s) in which it would apply.
b. Medicaid and CHIP
    Pursuant to section 1902(ii)(4)(A) of the Act, we are proposing at 
Sec.  455.470(a)(2) and (3) that a State Medicaid agency will comply 
with a temporary moratorium imposed by the Secretary unless it 
determines that the imposition of such a moratorium would adversely 
affect beneficiaries' access to medical assistance.
    Where the Secretary has imposed a temporary moratorium in 
accordance with Sec.  424.570, and the State has determined that 
compliance with such a moratorium would adversely impact Medicaid 
beneficiaries', or CHIP participants', as the case may be, access to 
medical assistance, section 1902(ii)(4)(A)(ii) of the Act creates an 
exception for the State from complying with the moratorium. We propose 
that the State provide the Secretary with written details of the 
moratorium's adverse impact on Medicaid beneficiaries. Prior to the 
Secretary imposing such a moratorium in any State, we propose at Sec.  
455.470(a)(1) that the Secretary consult with the State, so that the 
State may have an opportunity to seek an exception from the moratorium.
    Pursuant to section 1902(ii)(4)(B) of the Act, States have 
authority to impose moratoria, numerical caps, or other limits for 
providers that are identified by the Secretary as being at ``high'' 
risk for fraud, waste, or abuse. We propose that where the State 
identifies a category of providers as posing a significant risk of 
fraud, waste, or abuse, the State must seek CMS' concurrence with that 
determination and provide CMS with written details of the proposed 
moratorium, including the anticipated duration, and with a substantial 
justification explaining why disallowing newly enrolling providers 
would reduce the risk of fraud. We propose at Sec.  455.470 that 
States' moratoria would be imposed for a period of 6 months and may be 
extended in 6-month increments.

[[Page 58222]]

    Section 2107(e)(1) of the Act provides that all provisions that 
apply to Medicaid under sections 1902(a)(77) and 1902(ii) of the Act 
apply to CHIP. Accordingly, we propose in new regulation Sec.  457.990 
that all the provider screening, provider application, and moratorium 
regulations that apply to Medicaid providers will apply in providers 
that participate in CHIP.

D. Suspension of Payments

1. Medicare
a. Background
    In section 6402(h) of the ACA, Congress amended section 1862 of the 
Social Security Act by adding a new paragraph (o), under which the 
Secretary may suspend payments to a provider or supplier pending an 
investigation of a credible allegation of fraud unless the Secretary 
determines that there is good cause not to suspend payments. This 
section requires that the Secretary consult with the HHS OIG in 
determining whether there is a credible allegation of fraud against a 
provider or supplier.
b. Current Medicare Regulations
    We have long been authorized to suspend payments in cases of 
suspected fraudulent activity. On December 2, 1996, we finalized 
regulations Sec.  405.370 through Sec.  405.379 that provides for 
suspension of payments to providers and suppliers for several 
scenarios, including when we possess reliable information that fraud or 
willful misrepresentation exists. The rule provides that we may suspend 
payments to a provider or supplier in whole or in part based upon 
possession of reliable information that an overpayment or fraud or 
willful misrepresentation exists or that the payments to be made may 
not be correct, although additional evidence may be needed for a 
determination.
    The existing rule provides that a suspension of payments is limited 
to 180 days, unless it meets one of several exceptions. A Medicare 
contractor may request a one-time-only extension of the suspension 
period for up to 180 additional days if it is unable to complete its 
examination of the information that serves as the basis for the 
suspension. Also, OIG or a law enforcement agency may request a one-
time-only extension for up to 180 additional days to complete its 
investigation in cases of fraud and willful misrepresentation. The rule 
provides that these time limits do not apply if the case has been 
referred to and is being considered by the OIG for administrative 
action, such as civil monetary penalties. We may also grant an 
extension beyond the 180 additional days if DOJ requests that the 
suspension of payments be continued based on the ongoing investigation 
and anticipated filing of criminal or civil actions. The DOJ extension 
is limited to the amount of time needed to implement the criminal or 
civil proceedings.
c. Proposed Requirements
    Section 6402(h) of the ACA requires that the Secretary consult with 
the OIG in determining whether there is a credible allegation of fraud 
against a provider or supplier. If a credible allegation of fraud 
exists, the Secretary may impose a suspension of payments pending an 
investigation of the allegations, unless the Secretary determines that 
there is good cause not to suspend payments. We are proposing to revise 
Sec.  405.370 to add a definition of what constitutes a ``credible 
allegation of fraud,'' to include an allegation from any source, 
including but not limited to fraud hotline complaints, claims data 
mining, patterns identified through provider audits, civil false claims 
cases, and law enforcement investigations. Allegations are considered 
to be credible when they have an indicia of reliability. Many issues 
related to this definition will need to be determined on a case-by-case 
basis by looking at all the factors, circumstances and issues at hand. 
We continue to believe that CMS or its contractors must review all 
allegations, facts, and information carefully and act judiciously on a 
case-by-case basis when contemplating a payment suspension, mindful of 
the impact that payment suspension may have upon a provider.
    We additionally propose modifying the existing Sec.  405.370 to add 
a definition for ``resolution of an investigation.'' The ACA provides 
for the suspension of payments pending the investigation of a credible 
allegation of fraud, and we believe that this provision necessitates 
defining when an investigation has concluded and the basis for the 
suspension of payments no longer exists. The definition proposed here 
is that a resolution of an investigation occurs when legal action is 
terminated by settlement, judgment, or dismissal, or when the case is 
closed or dropped because of insufficient evidence. We are seeking 
comments on an alternative definition of the term ``resolution of an 
investigation'' which is that it occurs when a legal action is 
initiated or the case is closed or dropped because of insufficient 
evidence to support the allegations of fraud.
    We propose modifying the existing Sec.  405.371(a) to differentiate 
between suspensions based on either reliable information that an 
overpayment exists or that payments to be made may not be correct, and 
suspensions based upon a credible allegation of fraud. As required by 
the ACA, we propose in this section that CMS or its contractor must 
consult with the OIG, and as appropriate, the Department of Justice 
(DOJ) in determining whether a credible allegation of fraud exists 
prior to suspending payments on the basis of alleged fraud.
    We also propose in accordance with the ACA that CMS retains 
discretion regarding whether or not to impose a suspension or continue 
a suspension, as there may be good cause not to suspend payments or not 
to continue to suspend payments to providers or suppliers in certain 
circumstances. We propose to add a new Sec.  405.371(b) to describe 
circumstances that may qualify as good cause not to suspend payments or 
not to continue to suspend payments despite credible allegations of 
fraud.
    In paragraph (b)(1), we propose a good cause exception based upon 
specific requests by law enforcement that CMS not suspend payments. 
There are numerous reasons for which law enforcement personnel might 
make such a request, including that imposing a payment suspension might 
alert a potential perpetrator to an investigation at an inopportune or 
particularly sensitive time, jeopardize an undercover investigation, or 
potentially expose whistleblowers or confidential sources.
    In paragraph (b)(2), we propose a good cause exception not to 
suspend payments if CMS determines that beneficiary access to necessary 
items or services may be jeopardized. We envision there may be 
scenarios in which a payment suspension to a provider might jeopardize 
a provider's ability to continue rendering services to Medicare 
beneficiaries whose access to items or services would be so jeopardized 
as to cause a danger to life or health.
    In paragraph (b)(3), we propose a good cause exception not to 
suspend payments if CMS determines that other available remedies 
implemented by or on behalf of CMS more effectively or quickly protect 
Medicare funds than would implementing a payment suspension. For 
example, law enforcement personnel might request that a court 
immediately enjoin potentially unlawful conduct or prevent the 
withdrawal, removal, transfer, disposal, or dissipation of assets, 
either or both of which might protect Medicare

[[Page 58223]]

funds more fully or quickly than would imposition of a payment 
suspension.
    More generally, in paragraph (b)(4), we propose a good cause 
exception based upon a determination by CMS that a payment suspension 
or continuation of a payment suspension is not in the best interests of 
the Medicare program. We further propose that CMS will conduct an 
evaluation of whether there is good cause not to continue a suspension 
every 180 days after the initiation of a suspension based on credible 
allegations of fraud. We believe that circumstances surrounding a 
specific case may change as an investigation progresses, and it may 
become in the best of interests of the Medicare program to terminate a 
payment suspension prior to the resolution of an investigation. As part 
of this ongoing evaluation, CMS will request a certification from the 
OIG or other law enforcement agency as to whether that agency continues 
to investigate the matter.
    We are considering additional specific circumstances and scenarios 
that may qualify as good cause not to continue a payment suspension 
prior to the resolution of an investigation, and solicit comments on 
this approach. For example, one scenario that we are considering as 
additional good cause not to continue a suspension is when a suspension 
has been in place for a specific length of time, such as 2 years or 3 
years, and the investigation has not been resolved. We anticipate that 
on a case by case basis, CMS will evaluate the status of a particular 
investigation and the nature of the alleged fraud in determining 
whether keeping a payment suspension in effect beyond a certain length 
of time may not be in the best interests of the Medicare program. We 
have chosen not to propose specific language on duration in the 
regulatory text. However, we solicit comment on this approach.
    We propose modifying the existing Sec.  405.372 to reflect the 
changes made in Sec.  405.371 which divides the payment suspension 
authority into situations involving overpayments and situations 
involving allegations of fraud. In Sec.  405.372(c) we clarify the 
subsequent action requirements to distinguish between suspensions based 
on credible allegations of fraud and those that are based on other 
factors, such as overpayments. For suspensions that are not based on 
credible allegations of fraud, CMS and its contractors will continue to 
take timely action to obtain additional information needed to make an 
overpayment determination and make all reasonable efforts to expedite 
the determination. Once the determination is made, notice of the 
determination will be given to the provider or supplier and the payment 
suspension will be terminated. If the payment suspension is based on 
credible allegations of fraud, CMS and its contractors will take 
subsequent action to determine if an overpayment exists or if the 
payments may be made, however the termination of the suspension and the 
issuance of a final determination notice to the provider or supplier 
may be delayed until resolution of the investigation. At the end of the 
fraud investigation, it is possible that the Medicare contractor will 
not have completed its overpayment determination, but will have 
reliable evidence of an overpayment or will have evidence that the 
payments to be made may not be correct. This typically occurs when a 
law enforcement investigation results in civil or criminal resolution 
prior to the Medicare contractor having had sufficient time to complete 
its overpayment determination. In such a situation, we would allow the 
suspension to continue as an overpayment suspension.
    We propose modifying the existing Sec.  405.372(d) concerning the 
duration of suspension of payment. In Sec.  405.372(d)(3) we except 
suspensions based on credible allegations of fraud from the established 
time limits specified in paragraphs (d)(1) and (d)(2). We believe the 
strict time constraints found in paragraphs (d)(1) and (d)(2) should 
only be applied to suspensions based on reliable information of an 
overpayment or where payments to be made may not be correct both of 
which require a speedy overpayment determination. When credible 
allegations of fraud are present, we believe that CMS should have the 
flexibility to maintain a suspension beyond these established time 
limits in order for an investigation to be completed or the matter to 
be resolved. However, we note that by excepting suspensions based on 
credible allegations of fraud from these previously established 
timeframes, we do not intend to suspend payments to providers and 
suppliers indefinitely. We will be actively evaluating the progress of 
any investigation to determine if good cause exists to no longer 
continue the suspension of payments, as suspensions are designed to be 
a temporary measure. As part of this recurring evaluation, CMS will 
request a certification from the OIG or other law enforcement agency 
that the matter continues to be under investigation.
    We also propose eliminating the two other existing scenarios in 
paragraph (d)(3) for extending payment suspensions beyond the time 
limits in paragraphs (d)(1) and (d)(2), which are when the OIG is 
considering administrative action such as civil monetary penalties and 
also when the DOJ requests an extension based on an ongoing 
investigation and the anticipated filing of criminal and/or civil 
actions. We believe that both of these reasons under the existing rule 
for extending suspensions will be captured in the new rule which will 
allow for payment suspensions to extend until the resolution of an 
investigation and are unnecessary given the other proposed changes.
2. Medicaid
a. Background
    In section 6402(h) of the ACA, the Congress amended section 
1903(i)(2) of the Act to provide that Federal Financial Participation 
(FFP) in the Medicaid program shall not be made with respect to any 
amount expended for items or services (other than an emergency item or 
service, not including items or services furnished in an emergency room 
of a hospital) furnished by an individual or entity to whom a State has 
failed to suspend payments under the plan during any period when there 
is pending an investigation of a credible allegation of fraud against 
the individual or entity as determined by the State in accordance with 
these regulations, unless the State determines in accordance with these 
regulations that good cause exists not to suspend such payments.
b. Current Medicaid Regulations
    State Medicaid agencies have long been authorized to withhold 
payments in cases of fraud or willful misrepresentation. On December 
28, 1987, DHHS finalized regulations at Sec.  455.23 that they 
described as specifically encouraging State Medicaid agencies to 
withhold program payments to providers without first granting 
administrative review where the State agency has reliable evidence of 
fraudulent activity by the provider. The regulations were issued by the 
HHS OIG based on a concern that State administrative hearings could 
interfere with investigations conducted by HHS OIG's Office of 
Investigations or by the State's Medicaid fraud control unit (MFCU). 
The requirements of an administrative hearing could jeopardize criminal 
cases and investigators were reluctant to agree to a State's 
withholding payment, thus risking additional overpayments. (See the 
December 28, 1987 final rule (52 FR

[[Page 58224]]

48814)). The December 28, 1987 final rule remains in effect and has 
remained unchanged since it was promulgated.
    At the time the rule was proposed, the Department was in the 
process of reorganizing its fraud and abuse regulations to reflect 
authorities transferred to HHS OIG in 1983, as well as those retained 
by CMS. HHS OIG authorities were transferred to a new 42 CFR chapter V, 
while CMS' Medicaid program integrity authorities were retained at 42 
CFR part 455. (See the September 30, 1986 final rule (51 FR 34764)).
    This current rule provides that a State Medicaid agency may 
withhold payments to a provider in whole or in part based upon receipt 
of reliable evidence that the need for withholding payments involves 
fraud or willful misrepresentation under the Medicaid program. At the 
time this rule was published, commenters questioned what constituted 
``reliable evidence of fraud.'' The HHS OIG declined to provide a 
specific definition, noting that what constitutes ``reliable evidence'' 
is not easily and readily definable. The HHS OIG noted that while the 
existence of an ongoing criminal or civil investigation against a 
provider may be a factor in determining whether reliable evidence 
exists, that reliable evidence should be determined on a case-by-case 
basis with the State agency looking at all the factors, circumstances, 
and issues at hand, and acting judiciously on this information.
    The 1987 regulations also permitted payments to be suspended in 
whole or in part. Commenters had suggested that ``clean claims'' 
continue to be processed without delay, and that any withholding ought 
be targeted to only the type of Medicaid claims under investigation. 
The HHS OIG responded that it is usually difficult to determine which 
claims are ``clean'' until after an investigation has been completed, 
but noted that where an investigation is solely and definitively 
centered upon a specific type of claim that a State could, at its 
discretion, withhold payments on just those types of claims. The HHS 
OIG also agreed to commenters' requests to clarify that the withholding 
provisions apply only to alleged fraud or willful misrepresentation 
related to improperly received Medicaid payments and not to ancillary 
unrelated matters such as deceptive advertising.
c. Proposed Requirements
    The current regulation at Sec.  455.23 forms the framework for 
these proposed regulations. State Medicaid agencies have long had the 
authority to withhold payments in cases of alleged fraud or willful 
misrepresentation. Section 6402(h)(2) of the ACA now mandates that 
States not receive FFP in cases where they fail to suspend Medicaid 
payments during any period when there is pending an investigation of a 
credible allegation of fraud against an individual or entity as 
determined by the State in accordance with these proposed regulations 
unless the State determines that good cause exists for a State not to 
suspend such payments. To conform the existing regulation to the 
terminology of the ACA, we propose to change the phrase ``withhold 
payments'' to ``suspend payments,'' a change we believe is merely 
semantic.
    We propose to implement section 6402(h)(2) of the ACA by modifying 
the existing Sec.  455.23(a) to make payment suspensions mandatory 
where an investigation of a credible allegation of fraud under the 
Medicaid program exists. Based on the ACA's use of just the term 
``fraud,'' we do not propose to retain the existing term ``willful 
misrepresentation.'' We believe that fraud and willful 
misrepresentation are largely indistinguishable, thus we do not believe 
this proposal represents a substantive change nor do we intend it to 
have a substantive effect insofar as reducing or limiting a State's 
authority to suspend Medicaid payments. We solicit comments on this 
approach.
    To conform the proposed regulation to the requirements of the ACA, 
we propose to modify terminology in the existing Sec.  455.23(a) that 
now refers to ``receipt of reliable evidence'' to instead refer to a 
``pending investigation of a credible allegation of fraud.'' In 
contrast to the semantic change from ``withhold payments'' to ``suspend 
payments,'' in this case we believe that there is a substantive 
difference between the threshold level of certainty or proof necessary 
to identify a ``credible allegation'' versus the heightened requirement 
of ``reliable evidence'' in the current regulation.
    We do not believe that the phrase ``when there is pending an 
investigation of a credible allegation of fraud'' necessarily demands 
that an investigation originate in or with a law enforcement agency. 
Rather, State Medicaid agencies have program integrity units that, in 
the normal course of business, receive, and conduct investigations 
based upon, tips alleging fraud, and which also conduct proactive 
investigations based upon internal data analyses and other fraud 
detection techniques. We believe that State agency investigations, 
though they may be preliminary in the sense that they lead to a 
referral to a law enforcement agency for continued investigation, are 
adequate vehicles by which it may be determined that a credible 
allegation of fraud exists sufficient to trigger a payment suspension 
to protect Medicaid funds.
    This threshold by which a State agency investigation may give rise 
to a payment suspension is a somewhat lesser threshold than that in the 
current regulation. The preamble to the current regulation specified 
that it was anticipated the State agency would confer with, and receive 
the concurrence of, investigative or prosecuting authorities prior to 
imposing a withholding action. However, that preamble also stated that 
it was establishing mere minimum requirements, and that States could 
exercise broader power where State law or regulation so provided. Most 
States have availed themselves of the existing Federal authority (or 
broader state authority) to withhold payments, and we believe that 
experience over the past 20 years offers no indication this authority 
has been misused against providers. Moreover, we believe this proposed 
threshold is consistent with the phrase ``investigation of a credible 
allegation of fraud'' of the ACA. We do anticipate that payment 
suspension authority will be used more frequently because the ACA 
dictates that where there is a pending investigation of credible 
allegations of fraud against a provider, a State that fails to suspend 
payments to that provider will not receive FFP with respect to such 
payments unless good cause exists not to suspend them.
    We propose to adopt at Sec.  455.2 the same broad definition of 
``credible allegation'' proposed above in the context of the Medicare 
program. In many cases, what constitutes a ``credible allegation'' must 
be determined on a case-by-case basis with the State agency looking at 
all the factors, circumstances, and issues at hand. Guided by the 
experience of more than 20 years, we are aware that States have been 
able to identify ``reliable evidence'' through a variety of means 
including, but not limited to, fraud hotline complaints, Medicaid 
claims data mining, and patterns identified through provider audits, 
along with the appropriate level of additional investigation that 
accompanies each of these. Moreover, States have received referrals 
from State MFCUs, other law enforcement agencies, and other State 
benefits program investigative units. We continue to believe that State 
agencies must review all allegations, facts, and evidence carefully and 
act judiciously on a case-by-case basis when contemplating a payment 
suspension,

[[Page 58225]]

mindful of the impact that payment suspension may have upon a provider.
    In paragraph (b), we propose that the State agency notify a 
provider of a payment suspension in a way very similar to the mechanism 
currently specified in regulation by which the State agency is required 
to notify a provider, specifying certain details, within 5 days of 
taking such action. However, we do propose to provide for a 30-day 
period, renewable in writing up to twice for a total not to exceed 90 
days, by which law enforcement may, in writing, request the State 
agency to delay notification to a provider. We propose this because we 
believe that occasionally an investigation may be at a sensitive stage, 
perhaps involving undercover personnel or a confidential informant, 
where required notification to the provider at a particular time might 
jeopardize the investigation. We do not believe we should extend the 
delay notification beyond 90 days out of fairness to a provider and, in 
any event, a provider deriving any significant revenue stream from 
Medicaid is likely to itself discern the fact of a payment suspension 
well in advance of 90 days.
    We are proposing only minor changes to the current provisions in 
Sec.  455.23(c) on the duration of a suspension. To comport with the 
ACA, we change the term ``withholding'' to ``suspension''; this is a 
semantic change that, as noted above, has been made throughout. In the 
proposed new Sec.  455.23(c)(2), we propose to require a State to 
notify a provider of the termination of a payment suspension and, where 
applicable, to specify the availability to a provider of any appeal 
rights under State law and regulation.
    Substantively, we do not propose significant change to the existing 
duration provisions, which specify that withholding (now, suspension) 
will be temporary and will not continue after: (1) Authorities discern 
that there is insufficient evidence of fraud upon which to base a legal 
action; or (2) legal proceedings related to the alleged fraud are 
completed.
    We believe that maintaining the existing duration provisions is 
consistent with the ACA that requires that FFP not be made when a State 
fails to suspend payments ``during any period when there is pending an 
investigation of a credible allegation of fraud against an individual 
or entity.'' We further recognize that the Act applies a very similar 
standard to the Medicare program. We solicit comments on our proposal 
to maintain the existing duration provisions.
    In paragraph (d), we propose to require a State to make a formal, 
written suspected fraud referral to its MFCU or, where a State does not 
have a MFCU to an appropriate law enforcement agency, for each instance 
of payment suspension as the result of a State agency's preliminary 
investigation of a credible allegation of fraud. This will ensure that 
an appropriate full investigation by a law enforcement agency timely 
ensues. If the MFCU or other law enforcement agency declines to accept 
the referral, we propose to require the State to immediately release 
the payment suspension unless the State refers the matter to another 
law enforcement entity or unless the State has alternative Federal or 
State authority by which it may impose a suspension. In the latter 
case, the requirements of that alternative authority, including any 
notice and due process or other safeguards, would be applicable.
    We propose to require that a State's formal, written suspected 
fraud referral meets fraud referral performance standards issued by the 
Secretary. The currently applicable fraud referral performance 
standards were issued by CMS on September 30, 2008. In a January 2007 
report entitled ``Suspected Medicaid Fraud Referrals,'' (OEI 07-04-
00181) the HHS OIG expressed concern with the lack of CMS criteria 
specific to the referral of suspected fraud issues from State Medicaid 
agencies to MFCUs such that it was unable to determine the adequacy of 
State Medicaid agencies' performance. CMS agreed in response to that 
report to work towards the establishment of fraud referral performance 
standards (which it has now issued) to which States will be required to 
conform in making referrals under this regulation.
    In paragraph (d)(3), we propose that on a quarterly basis a State 
must request a certification from the MFCU or other law enforcement 
agency that any matter accepted on the basis of a referral continues to 
be under investigation or in the course of enforcement proceedings 
warranting continuation of the payment suspension. We recognize that 
due to various constraints, law enforcement agencies may not be able to 
provide specific updates on matters under investigation. In recognition 
of the fact that payment suspensions are only temporary, however, we 
propose to require such quarterly certifications to ensure, for 
example, that a suspension will not be continued long after a law 
enforcement agency has closed an investigation but neglected to alert a 
State agency of that fact. To maximize State flexibility to implement 
this requirement, we are not prescribing the precise format such 
certifications must take.
    Consistent with the new Affordable Care Act provision, we also 
propose to create several ``good cause'' exceptions by which States may 
determine good cause exists not to suspend payments or to suspend 
payments only in part. In new paragraph (e) we have included several 
circumstances that we believe constitute ``good cause'' for a State to 
determine not to suspend payments, or not to continue a payment 
suspension previously imposed, to an individual or entity despite a 
pending investigation of a credible allegation of fraud. In paragraph 
(e)(1), we propose a good cause exception based upon specific requests 
by law enforcement that State officials not suspend (or continue to 
suspend) payment. There are numerous reasons for which law enforcement 
personnel might make such a request, including that imposing a payment 
suspension might alert a potential perpetrator to an investigation at 
an inopportune or particularly sensitive time, jeopardize an undercover 
investigation, or potentially expose whistleblowers or confidential 
sources.
    In paragraph (e)(2), we propose a good cause exception if a State 
determines that other available remedies implemented by the State could 
more effectively or quickly protect Medicaid funds than would 
implementing (or continuing) a payment suspension. For example, law 
enforcement personnel might request that a court immediately enjoin 
potentially unlawful conduct or prevent the withdrawal, removal, 
transfer, disposal, or dissipation of assets, either or both of which 
might protect Medicaid funds more fully or quickly than would 
imposition of a payment suspension.
    Paragraph (e)(3) proposes a good cause exception based upon a 
determination by the State agency that a payment suspension is not in 
the best interests of the Medicaid program. It is conceivable that a 
State may, in rare situations, face exigent circumstances with respect 
to a suspension situation not addressed by the other good cause 
exceptions specified here but where it otherwise determines suspension 
would not be in the State Medicaid's programs best interests. This 
broad standard is intended to reflect that payment suspension is a very 
serious action that can potentially lead to dire consequences, but that 
it is impossible to specify detailed contingencies with respect to 
every possible scenario that might arise. We do not anticipate that 
States will frequently make use of this exception; however where this 
exception is utilized we do require that States document their use of 
this exception, and will closely monitor its

[[Page 58226]]

implementation to determine whether further regulation is necessary. We 
solicit comments on this approach.
    In paragraph (e)(4), we propose a good cause exception based upon a 
determination by the State of an adverse effect of the suspension on 
beneficiary access to necessary items or services. We envision there 
may be scenarios in which a payment suspension to a provider might 
jeopardize a provider's ability to continue rendering services to 
Medicaid beneficiaries, thus threatening Medicaid beneficiaries' access 
to care. Utilizing a standard identical to that which CMS and the HHS 
OIG apply in assessing requests for waivers of exclusion at Parts 402 
and 1001 of Title 42, for example, we posit one basis for a good cause 
exception from payment suspension is if a provider under investigation 
is a sole community physician or the sole source of specialized 
services available in a community. Likewise, in Federally-designated 
medically underserved areas the potential impact of a payment 
suspension upon a large provider might equally threaten recipient 
access, thus this underlies a second access exception. We welcome 
comments on this approach, including comments with respect to other 
metrics by which to assess potential beneficiary jeopardy in terms of 
access to necessary items or services.
    Finally, in paragraph (e)(5) we propose a good cause exception that 
would permit (but not require) a State to discontinue an existing 
suspension to the extent law enforcement declines to cooperate in 
certifying under the requirements of paragraph (d)(3) that a matter 
continues to be under investigation and therefore warrants continuing 
the suspension.
    We do not interpret the new provision in the ACA as mandating that 
a State must always suspend payments in toto in cases of an 
investigation of a credible allegation of fraud. In general, we 
continue to believe a payment suspension should apply to all claims 
consistent with the HHS OIG's responses to comments in the 1987 
regulations that it is usually difficult to determine which claims are 
clean claims until after an investigation is completed, and one purpose 
of payment suspension is to build a type of escrow account out of which 
any overpayments can be deducted when an investigation is concluded.
    With certain new constraints, we have chosen to continue to allow 
States the flexibility to suspend payments in part. For example, as 
stated in the preamble to the current regulation, there may be times 
where an investigation is solely and definitively centered on only a 
specific type of claim in which case a State may determine it is 
appropriate to impose a payment suspension on only that type of claim. 
Likewise, a State might determine that an investigation of a credible 
allegation of fraud is limited to a particular business unit or 
component of a provider such that a suspension need not apply to 
certain business units or components of a provider.
    Balancing these approaches, we propose to allow States to implement 
a partial payment suspension, or, where appropriate, to convert a 
previously imposed full payment suspension to a partial payment 
suspension, if justified via a good cause exception. The good cause 
exceptions for partial suspension at paragraphs (f)(1) and (2) mirror 
those at paragraphs (e)(4) and (3), respectively, and allow the State 
to adopt a partial payment suspension where suspension in whole would 
so jeopardize a recipient's access to items or services as to endanger 
the recipient's life or health, or where the State deems it in the best 
interests of the Medicaid program. At paragraph (f)(3), we propose that 
a State may avail itself of the good cause exception to suspend 
payments only in part if the nature of the credible allegation is 
focused solely and definitively on only a specific type of claim or 
arises from only a specific business unit of a provider, and the State 
determines and documents in writing that a payment suspension in part 
would effectively ensure that potentially fraudulent claims were not 
continuing to be paid. Many such cases will still demand suspension in 
full, but this provision, which we anticipate States would exercise 
sparingly, gives States flexibility to act otherwise in those limited 
circumstances where appropriate. Finally, at paragraph (f)(4), we 
propose that a State may avail itself of the good cause exception to 
convert a payment suspension in whole to one only in part to the extent 
law enforcement declines to cooperate in certifying under the 
requirements of paragraph (d)(3) that a matter continues to be under 
investigation. We solicit comment on these proposed approaches.
    We propose in new paragraph (g) to add several reporting and 
document retention guidelines to Sec.  455.23. Payment suspension 
authority is critically important to protect Medicaid funds, but 
payment suspension can have dire consequences to a provider. Payment 
suspension authority, including a State's exercise of a good cause 
exception to otherwise address a suspension situation, must be 
exercised responsibly by a State at all stages, from the inception to 
the termination of the suspension. Through, among other things, its 
State Program Integrity Reviews, we expect to maintain close oversight 
of State utilization of suspension authority. However, to be clear, we 
expressly and explicitly do not expect State compliance (or 
noncompliance) with these documentation or retention provisions to give 
rise to any enforceable right of a provider aggrieved by any real or 
perceived failures with respect to these requirements to seek any form 
of redress (administratively, judicially, or otherwise).
    Under these proposed reporting and retention guidelines, States are 
required to maintain for a minimum of 5 years from the date of issuance 
all materials documenting the life cycle of a payment suspension that 
is imposed, including: (1) All notices of suspension of payment in 
whole or part; (2) all fraud referrals to MFCUs or other law 
enforcement agencies; (3) all quarterly certifications by law 
enforcement that a matter continues to be under investigation; and (4) 
all notices documenting the termination of a suspension. Likewise, we 
propose to require States to maintain for the same period all 
documentation justifying the exercise of the good cause exceptions. 
Finally, we propose to require States to annually report to the 
Secretary information regarding the life cycle of each payment 
suspension imposed and any determinations to exercise the good cause 
exceptions not to suspend payment, to suspend payment only in part, or 
to discontinue a payment suspension.
    To effectuate section 6402(h)(2) of the ACA's prohibition on 
expenditure of FFP where a State fails to suspend payments that should, 
by virtue of the ACA standard and this proposed rule, have been 
suspended, we propose to add a new Sec.  447.90 that contains both the 
general rule and which refers to the exceptions found in Sec.  455.23 
for ``good cause.'' Paragraph (a) specifies the basis and purpose for 
the new provision. Paragraph (b) specifies the general rule that FFP 
would not be available with respect to items or services furnished by 
an individual or entity to whom the State has failed to suspend 
Medicaid payments during any period where there is pending an 
investigation of a credible allegation of fraud against the individual 
or entity except in specified circumstances that include certain 
emergency circumstances, or if good cause exists as specified at Sec.  
455.23(e) or (f).
    As mentioned, we anticipate that CMS' enforcement and monitoring of

[[Page 58227]]

these provisions will largely be accomplished through measures such as 
State Program Integrity reviews conducted by CMS. Such reviews will, 
among other things, evaluate States' complaint intake and investigation 
efforts, and assess whether States have an effective process to move 
matters where there are found to be credible allegations of fraud to 
the point where they are evaluated for payment suspension. However, we 
do not believe it is viable to require States to report and document to 
CMS every instance of where any allegation of fraud arises and further 
qualify which ones rise to the level of credible allegation. We want to 
foster effective and efficient State program integrity efforts with 
respect to which payment suspension is an integral component, but we do 
not want to create a system so procedurally onerous that it overwhelms 
a State's ability to substantively perform this critical work. 
Nevertheless, we will thoroughly investigate and act by, among other 
things, deferring and/or disallowing FFP in accordance with Sec.  
430.40 and Sec.  430.42, if program integrity reviews or other methods 
of ensuring State compliance with Medicaid program requirements reveal 
a State is failing to suspend payments (or inappropriately applying a 
good cause exception) where pending investigations of credible 
allegations of fraud do exist. A State may not claim (on its Form CMS-
64) FFP for payments that are suspended. Any State that does not 
suspend payments, or that suspends payments but continues to claim FFP 
with respect to what would have been paid had no suspension been in 
place, puts that FFP at risk. In such cases, we would pursue a deferral 
and/or disallowance to reclaim the Federal portion of such payment. We 
solicit comments on CMS' proposed oversight approach.
    Finally, three provisions are proposed to be added to the 
regulations at Sec.  1007.9 that specify the State MFCU's relationship 
to, and agreement with, the State Medicaid agency. These proposed 
revisions are necessary to effectuate the proposed revisions under 
Sec.  455.23. The regulations at 42 CFR part 1007 are enforced by HHS 
OIG as part of its delegated authority to certify and fund the State 
MFCUs. (See August 15, 1979 final rule (44 FR 47811)). However, we are 
including amendments to part 1007 here to ensure a comprehensive 
regulatory package that sets forth in one location the Department's 
implementation of the suspension provisions of section 6402(h) of the 
ACA.
    The first of these provisions proposes to add a new paragraph (e) 
to Sec.  1007.9 that specifies that the MFCU may refer to the State 
agency any provider against which there is pending an investigation of 
a credible allegation of fraud for purposes of payment suspension in 
accord with Sec.  455.23. Allegations of potential fraud may first be 
identified by the MFCU rather than by the State agency, so this 
provision merely formalizes a path from the MFCU to the State agency so 
a payment suspension may be implemented where appropriate. This 
provision also proposes that any referral to the State agency for 
consideration of a payment suspension be in writing. The written 
referral need not be extensive, but must include information adequate 
to enable the State agency to identify the provider and a brief 
explanation of the credible allegations forming the grounds for the 
payment suspension. The second proposed addition to Sec.  1007.9 
proposes to add a new paragraph (f) providing that any request by the 
unit to the State agency to delay notification of suspension to a 
provider pursuant to the provisions of the proposed Sec.  
455.23(b)(1)(ii) come in writing. Proposing to require that such 
requests need be made in writing (which could take the form of an e-
mail) provides for an audit trail to ensure that proper procedures are 
followed. However, we expressly do not intend for this requirement to 
create any substantive right upon which a provider might lodge 
objection or other legal challenge to the extent the proper procedures 
were not followed. Last, a new paragraph (g) is proposed to require the 
unit to notify the State agency in writing when it has accepted or 
declined a case referred by the State agency. Aside from also creating 
an audit trail, this proposed provision would be important in that it 
would alert the State agency as to the status of a referral, which 
would shape how the State agency would handle a suspension under the 
proposed revisions to Sec.  455.23.

E. Proposed Approach and Solicitation of Comments for Sections 6102 and 
6401(a) of the ACA--Ethics and Compliance Program

    Under section 6102 of the ACA which established new section 1128I 
of the Act, a nursing facility (NF) or SNF shall have in operation a 
compliance and ethics program that is effective in preventing and 
detecting criminal, civil, and administrative violations and in 
promoting quality of care, consistent with regulations developed by the 
Secretary, working jointly with the HHS OIG. The regulations to 
establish the compliance and ethics program for operating organizations 
may include a model compliance program. The statute requires that in 
the case of an organization that has five or more facilities, the 
formality or specific elements of the program vary with the size of the 
organization. The statute also requires that not later than 3 years 
after the effective date of the regulations, the Secretary shall 
complete an evaluation of the programs to determine if such programs 
led to changes in deficiency citations, changes in quality performance, 
or changes in the quality of resident care. The Secretary shall submit 
to Congress a report on such evaluation with recommendations for 
changes in the requirements, as the Secretary deems appropriate.
    Similarly, under section 6401(a) of the ACA, which established a 
new section 1866(j)(8) of the Act, a provider of medical or other items 
or services or a supplier shall, as a condition of enrollment in 
Medicare, Medicaid or CHIP, establish a compliance program that 
contains certain ``core elements.'' The statute requires the Secretary, 
in consultation with the HHS OIG, to establish the core elements for 
providers or suppliers within a particular industry or category. The 
statute allows the Secretary to determine the date that providers and 
suppliers need to establish the required core elements as a condition 
of enrollment in Medicare, Medicaid, and CHIP. The statute requires the 
Secretary to consider the extent to which the adoption of compliance 
programs by providers or suppliers is widespread in a particular 
industry sector or particular provider or supplier category. Please 
note, NFs and SNFs are subject to both compliance plan requirements 
under sections 6102 and 6401(a) since section 6401(a) of the ACA 
includes all providers and suppliers enrolling into Medicare, Medicaid 
and CHIP. We intend to establish compliance program core elements per 
section 6401(a) of the ACA for NFs and SNFs that closely match the 
required components of a compliance program per section 6102 of the 
ACA.
    In order to consider the views of industry stakeholders, we are 
soliciting comments on compliance program requirements included in the 
ACA. We do not intend to finalize compliance plan requirements when the 
other proposals in this proposed rule are finalized; rather, we intend 
to do further rulemaking on compliance plan requirements and will 
advance specific proposals at some point in the future. We are most 
interested in receiving comments on the following:

[[Page 58228]]

    The use of the seven elements of an effective compliance and ethics 
program as described in Chapter 8 of the U.S. Federal Sentencing 
Guidelines Manual (http://www.ussc.gov/2010guid/20100503_Reader_Friendly_Proposed_Amendments.pdf, pp. 31-35) as the basis for the 
core elements of the required compliance programs for Medicare, 
Medicaid and CHIP enrollment. These elements instill a commitment to 
prevent, detect and correct inappropriate behavior and ensure 
compliance with all applicable laws, regulations and requirements, and 
include--
     The development and distribution of written policies, 
procedures and standards of conduct to prevent and detect inappropriate 
behavior;
     The designation of a chief compliance officer and other 
appropriate bodies (for example a corporate compliance committee) 
charged with the responsibility of operating and monitoring the 
compliance program and who report directly to high-level personnel and 
the governing body;
     The use of reasonable efforts not to include any 
individual in the substantial authority personnel whom the organization 
knew, or should have known, has engaged in illegal activities or other 
conduct inconsistent with an effective compliance and ethics program;
     The development and implementation of regular, effective 
education and training programs for the governing body, all employees, 
including high-level personnel, and, as appropriate, the organization's 
agents;
     The maintenance of a process, such as a hotline, to 
receive complaints and the adoption of procedures to protect the 
anonymity of complainants and to protect whistleblowers from 
retaliation;
     The development of a system to respond to allegations of 
improper conduct and the enforcement of appropriate disciplinary action 
against employees who have violated internal compliance policies, 
applicable statutes, regulations or Federal health care program 
requirements;
     The use of audits and/or other evaluation techniques to 
monitor compliance and assist in the reduction of identified problem 
areas; and
     The investigation and remediation of identified systemic 
problems including making any necessary modifications to the 
organization's compliance and ethics program.
    In addition, we are particularly interested in comments about the 
following:
     The extent to which, and the manner in which, providers 
and suppliers already incorporate each of the seven U.S. Federal 
Sentencing Guidelines elements into their compliance programs or 
business operations. We are interested in how and to what degree each 
element has been incorporated effectively into the compliance programs 
of different types of providers and suppliers considering their risk 
areas, business model and industry sector or particular provider or 
supplier category.
     Any other suggestions for compliance program elements 
beyond, or related to, the seven elements referenced above considering 
provider or supplier risk areas, business model and industry sector or 
particular provider or supplier category including whether external 
and/or internal quality monitoring should be a required for hospitals 
and long-term care facilities.
     The costs and benefits of compliance programs or 
operations including aggregate or component costs and benefits of 
implementing particular elements and how these costs and benefits were 
measured.
     The types of systems necessary for effective compliance, 
the costs associated with these systems and the degree to which 
providers and suppliers already have these systems including, but not 
limited to, tracking systems, data capturing systems and electronic 
claims submission systems. We anticipate having providers and suppliers 
evaluate the effectiveness of their compliance plans using electronic 
data.
     The existence of and experience with state or other 
compliance requirements for various providers and suppliers and 
foreseeable conflicts or duplication from multiple requirements.
     The criteria we should consider when determining whether, 
and if so, how to divide providers and suppliers into groupings that 
would be subject to similar compliance requirements including whether 
individuals should have different compliance obligations from 
corporations.
     Available research or individual experience regarding the 
current rate of adoption and level of sophistication of compliance 
programs for providers or suppliers based on their business model and 
industry sector or particular provider or supplier category.
     How effective compliance programs have been for varied 
providers and suppliers and how the level of effectiveness was 
measured.
     The extent to which providers and suppliers currently use 
third party resources, such as consultants, review organizations, and 
auditors, in their compliance efforts.
     The extent to which providers and suppliers have already 
identified staff responsible for compliance and, for those who already 
have staff responsible for compliance, the positions of these staff.
     A reasonable timeline for establishment of a required 
compliance program for various types and sizes of providers and 
suppliers, assuming the compliance program core elements were based on 
the aforementioned U.S. Federal Sentencing Guidelines' seven elements 
of an effective compliance and ethics program, considering business 
model and industry sector or particular provider or supplier category.
    We welcome any information concerning how the industry views 
compliance program elements and how we can establish required 
compliance program elements to protect Medicare, Medicaid, and CHIP 
from fraud and abuse.

F. Termination of Provider Participation Under the Medicaid Program and 
CHIP if Terminated Under the Medicare Program or Another State Medicaid 
Program or CHIP

1. Discussion
    Effective provider screening prevents excluded providers from 
enrolling in government health care programs and being paid with 
Federal and State funds. Providers barred from participating because of 
effective screening cannot abuse Medicare, Medicaid, or CHIP.
    When a State terminates a provider but does not share that 
information with any other State, all other States become vulnerable to 
potential fraud, waste, and abuse committed by that provider. 
Similarly, a provider, supplier, or eligible professional that has been 
terminated from Medicare or has had Medicare billing privileges revoked 
may enroll with a State Medicaid program or with CHIP when a State is 
not aware of the Medicare termination or revocation. We may terminate 
or revoke the billing privileges of a provider, supplier, or eligible 
professional under Medicare for a number of reasons, as set forth at 
Sec.  424.535, including exclusion from health care programs, 
government-wide debarment, and conviction of violent felonies and 
financial crimes.
    Section 6501 Affordable Care Act requires a State's Medicaid 
program to terminate an individual or entity's participation in the 
program (subject to certain limitations on exclusions in sections 
1128(c)(2)(B) and 1128(d)(2)(B) of the Act), if the individual or 
entity has been terminated under Medicare or

[[Page 58229]]

another State's Medicaid program. Although the term ``termination'' 
only applies to providers under Medicare whose billing privileges have 
been revoked (and does not apply to Medicare suppliers or eligible 
professionals), we believe it was the intent of the Congress that this 
requirement also be applicable to suppliers and eligible professionals 
that have had their billing privileges under Medicare revoked as well. 
Therefore, we are proposing that ``termination'' be inclusive of 
situations where an individual's or entity's billing privileges have 
been revoked. The requirement for States to terminate would only apply 
in cases where providers, suppliers, or eligible professionals were 
terminated or had their billing privileges revoked for cause, for 
example, for reasons based upon fraud, integrity or quality, and not in 
cases where the providers, suppliers, or eligible professionals were 
terminated or had their billing privileges revoked based upon a failure 
to submit claims over a period of 12 months or more, or any other 
voluntary action taken by the provider to end its participation in the 
program, except where that voluntary action is taken to avoid a 
sanction.
    In addition, State Medicaid programs would terminate a provider 
only after the provider had exhausted all available appeal rights in 
the State that originally terminated the provider.
    Section 6501 of the ACA builds upon the requirements in section 
6401(b)(2) of the ACA, which requires that CMS establish a process to 
make available Medicare provider, supplier, and eligible professional 
and CHIP provider termination information to State Medicaid programs. 
Section 1902(ii)(6) of the Act also requires States to report adverse 
provider actions to CMS, including criminal convictions, sanctions, and 
negative licensure actions.
    When States are apprised of the terminations or revocations of 
billing privileges, as the case may be, of providers, suppliers, and 
eligible professionals that have occurred in other State Medicaid 
programs, CHIP, or in Medicare, States have the information they need 
to protect their programs.
2. Statutory Change
    Section 6501 of the ACA amends section 1902(a)(39) of the Act to 
require a State Medicaid program to terminate any provider, be it an 
individual or entity, participating in that program, subject to the 
limitations on exclusions in sections 1128(c)(2)(B) and 1128(d)(2)(B) 
of the Act, if the provider's participation has been terminated under 
title XVIII of the Act or another State's Medicaid program.
3. Proposed Requirements
    We propose at 42 CFR 455.416 that a State Medicaid program must 
deny enrollment or terminate the enrollment of a provider that is 
terminated on or after January 1, 2011 under Medicare, or has had its 
billing privileges revoked, or is terminated on or after January 1, 
2011 under any other State's Medicaid program or CHIP.
    While section 6501 of the ACA does not expressly require that 
individuals or entities that have been terminated under Medicare or 
Medicaid also be terminated from CHIP, we also propose, under our 
general rulemaking authority pursuant to section 1102 of the Act, to 
require in CHIP regulations that CHIP take similar action to terminate 
a provider terminated or revoked under Medicare, or terminated under 
any other State's Medicaid program or CHIP.
    We also propose to add a definition at Sec.  455.101 for 
termination for purposes of this section. That definition distinguishes 
between Medicaid providers and Medicare providers, suppliers, and 
eligible professionals and specifies that termination means a State 
Medicaid program or the Medicare program has taken action to revoke the 
Medicaid provider's or Medicare provider, supplier or eligible 
professional's billing privileges and the provider, supplier or 
eligible professional has exhausted all applicable appeal rights. There 
is no expectation on the part of the provider, supplier, or eligible 
professional or the State or Medicare program that the termination or 
revocation is temporary. The provider, supplier or eligible 
professional would be required to reenroll with the applicable program 
if they wish billing privileges to be reinstated.

G. Additional Medicare Provider Enrollment Provisions

    In Sec.  424.535(a)(11), we propose allowing CMS or its designated 
Medicare contractor to revoke Medicare billing privileges when a State 
Medicaid agency terminates, revokes, or suspends a provider or 
supplier's Medicaid enrollment or billing privileges. We believe that 
this approach works in tandem with section 6501 of the ACA which 
requires States to terminate a provider or supplier under the Medicaid 
program when the provider or supplier has been terminated by Medicare 
or by another State's Medicaid program. Moreover, we believe that 
providers and suppliers whose enrollment has been terminated by a State 
Medicaid program pose an increased risk to the Medicare program.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We are soliciting public comment on each of these issues for the 
following sections of this document that contain information collection 
requirements (ICRs):

A. ICRs Regarding Application Fee Hardship Exception (Sec.  424.514)

    Proposed Sec.  424.514(e) states that a provider or supplier that 
believes it has a hardship that justifies a waiver exception of the 
application fee must include with its enrollment application a letter 
that describes the hardship and why the hardship justifies a waiver 
exception. The burden associated with this proposed requirement would 
be the time and effort necessary to submit a Medicare enrollment 
application, which is required currently of any individual or entity 
enrolling in Medicare. In addition to the enrollment application, a 
provider or supplier would have the new burden of drafting and 
submitting a letter to justify its hardship waiver request should it 
choose to submit one. The burden associated with submitting Medicare 
enrollment applications is approved under both 0938-0685 and 0938-1056, 
the CMS Forms 855-A, B, and the CMS-855-S (or their associated 
Internet-based PECOS enrolment application), respectively. Although we 
have no way of knowing for certain how many entities will actually 
submit an application with a letter requesting a waiver, we know that 
initially there are likely to be more such requests in the early years 
of implementation than in later years. We estimate that in the first

[[Page 58230]]

year, 12,000 providers or suppliers -or slightly over 50 percent of the 
total number of providers and suppliers that we believe (as discussed 
in the section V. of this proposed rule) will be subject to the 
application fee--will submit waiver request letters as part of their 
application packages. We also estimate that it will take each provider 
or supplier 1 hour to develop the letter. The total estimated annual 
burden associated with this requirement is therefore 12,000 hours at a 
cost of $600,000, or $50.00 per waiver request.

B. ICRs Regarding Fingerprinting (Sec.  424.518 and Sec.  455.434)

    Proposed Sec.  424.518(c) which reads: ``In addition to the 
``limited'' and ``moderate'' screening requirements described in (a) 
and (b) above, the Medicare enrollment contractor shall conduct a 
criminal background check or require the submission of set of 
fingerprints using the FD-258 standard fingerprint card when a 
prospective home health agency or supplier of DMEPOS is enrolling into 
the Medicare program or is establishing a new practice location and is 
not publicly-traded on the NYSE or NASDAQ,'' would allow CMS, its 
agents or its designated contractors to require the submission of a set 
of fingerprints using the FD-258 standard fingerprint card. Similarly, 
proposed Sec.  424.518(d) which reads in part: ``An individual must 
submit a set of fingerprints using the FD-258 standard fingerprint card 
with the Medicare enrollment application or within 30 days of a 
Medicare contractor request. An individual who does not submit a set of 
fingerprints using the FD-258 standard fingerprint card with the 
Medicare enrollment revalidation or revalidation application or within 
30 days of a Medicare contractor request, may have his/her Medicare 
billing privileges denied,'' would allow CMS, its agents or its 
designated contractors to require that each owner, authorized official, 
delegated official, and managing employee, of a provider or supplier to 
submit a set of fingerprints using the FD-258 standard fingerprint 
card. We estimate that CMS or its designated contractors will make 
7,000 such requests per year. This is predicated on our projection 
that--based on 2009 statistics--roughly 7,000 DMEPOS suppliers and HHAs 
will annually enroll in Medicare. For purposes of this ICR statement 
only, and to ensure that we do not underestimate the possible burden, 
we will estimate that all of these providers and suppliers will be 
required to submit the standard fingerprint card. We further estimate 
that an average of five individuals per provider or supplier will be 
required to comply with this request, though we do seek comments--for 
purposes of this ICR and the RIA below--on whether the estimate of 5 
individuals per applicant is accurate. Additionally, we estimate that 
it will take each of the 35,000 respondents (7,000 x 5) a total of 2 
hours to obtain a set of fingerprints using the FD-258 standard 
fingerprint card and to submit the card to CMS or its designated 
contractor. Consequently, the total estimated annual burden associated 
with this requirement is 70,000 hours (35,000 respondents x 2 hours) at 
a cost of $3.5 million (70,000 hours x an estimated per hour cost of 
$50).
    Similarly, proposed Sec.  424.518(c)(3)(iv) (new providers in 
``high'' risk category after lifting of moratoria) would allow CMS, its 
agents or its designated contractors to require that each owner, 
authorized official, delegated official, and managing employee, of a 
provider or supplier to submit a set of fingerprints using the FD-258 
standard fingerprint card. The burden associated with the proposed 
requirement is the time and effort necessary for the owner, authorized 
official, delegated official, and managing employee of a provider or 
supplier to submit the required information upon request. We estimate 
that CMS or its designated contractors will make 2,000 requests per 
year. This is based on the number of providers and suppliers that we 
estimate will attempt to enroll in Medicare after the lifting of a 
moratorium for their respective provider or supplier type. This 
estimate of course, cannot be conclusively quantified because it is 
impossible for us to say with certainty which provider and supplier 
types will be subject to a moratorium. To ensure that we do not 
underestimate the potential burden, we will calculate projections 
should 5,000 or even 10,000 requests be made.
    We estimate that an average of five individuals per provider or 
supplier will be required to comply with this request. We further 
project that it will take each of the 10,000 respondents (2,000 x 5) a 
total of 2 hours to obtain a set of fingerprints using the FD-258 
standard fingerprint card and to submit the card to CMS or its 
designated fee-for-service contractor. The estimate annual burden 
associated with this requirement, based on 2000 requests, is 20,000 
hours (10,000 respondents x 2 hours) at a cost of $1 million (20,000 x 
$50 per hour). If 5,000 requests are made, the burden is 50,000 hours 
at a cost of $2.5 million (5,000 x 5 respondents x 2 hours x $50 per 
hour.) If 10,000 requests are made, the burden is 100,000 hours at a 
cost of $5 million (10,000 x 5 respondents x 2 hours x $50 per hour).
    In addition, there are some limited circumstances when CMS could 
ask a physician to submit fingerprints. For example, a provider or 
supplier that is being enrolled in Medicare after the lifting of a 
temporary moratorium could automatically be classified as ``high'' risk 
and as such would be subject to criminal background checks and 
fingerprinting of owners and other officials in the company. If a 
physician were to be the owner or other official of the company, CMS 
would have the authority to request fingerprints from the company 
official. Other circumstances where physicians might be subject to a 
request for finger printing are when the physician is an official of an 
entity in the ``high'' risk category, or if CMS or its agent(s) 
determine that a particular provider or supplier in the ``high'' risk 
category is possibly engaged in fraud. We estimate that CMS or its 
designated contractors will make 500 such requests for finger prints 
per year. We further estimate that it will take each of the 500 
respondents a total of 2 hours to obtain a set of fingerprints using 
the FD-258 standard fingerprint card and to submit the card to CMS or 
its contractor. The total estimate annual burden associated with this 
requirement is 1,000 hours (500 respondents x 2 hours) at a cost of 
$50,000 (1,000 hours x $50 per hour).
    Assuming that 2,000 post-moratorium requests for fingerprints are 
made, the total estimated annual burden associated with the 
requirements in this ICR is 103,000 hours at a cost of $5,150,000. If 
5,000 post-moratorium requests are made, the estimated annual burden is 
133,000 hours at a cost of $6,650,000. If 10,000 post-moratorium 
requests are made, the estimated annual burden is 183,000 hours at a 
cost of $9,150,000.
    Proposed Sec.  455.434 states that when a State Medicaid agency 
determines that a provider is ``high'' risk, the State Medicaid agency 
will require that provider to submit fingerprints. We anticipate that 
States will be collecting fingerprints on a significantly smaller 
number of providers. However, as with our estimate on potential burden 
discussed for Medicare, we prefer to overestimate the potential burden 
rather than underestimate it. Therefore, we anticipate that States may 
require an additional 26,000 individuals to submit fingerprints prior 
to enrolling in a State's Medicaid program or CHIP. The total estimate 
annual burden associated with this requirement for Medicaid and CHIP is 
52,000 hours (26,000 respondents x 2 hours) at a cost of

[[Page 58231]]

$2,600,000 (52,000 hours x $50 per hour).

C. ICRs Regarding Suspension of Payments in Cases of Fraud or Willful 
Misrepresentation (Sec.  455.23)

    As stated in proposed Sec.  455.23(a), a State Medicaid agency 
shall suspend all Medicaid payments to a provider when there is pending 
an investigation of a credible allegation of fraud under the Medicaid 
program against an individual or entity unless it has good cause to not 
suspend payments or to suspend payment only in part. The State Medicaid 
agency may suspend payments without first notifying the provider of its 
intention to suspend such payments. A provider may request, and must be 
granted, administrative review where State law so requires.
    The burden associated with this requirement is the time and effort 
necessary for a provider to request administrative review were State 
law so requires. While this requirement is subject to the PRA, we 
believe the associated burden is exempt in accordance with 5 CFR 
1320.4; information collected subsequent to an administrative action is 
not subject.

D. ICRs Regarding Collection of SSNs and DOBs for Medicaid and CHIP 
Providers (Sec.  455.104)

    As stated in proposed Sec.  455.104(b)(1), the State Medicaid 
agency must require that all persons with an ownership or control 
interest in a provider submit their SSN and DOB. The burden associated 
with the Medicaid requirements in Sec.  455.104(b)(1) is the time and 
effort necessary for a provider to report the SSN and DOB for all 
persons with an ownership or control interest in a provider.
    Although our data on Medicaid provider enrollment at the national 
level is very limited, we do collect annual data on State Medicaid 
program integrity activities. This annual data collection, known as the 
State Program Integrity Assessment (SPIA) program approved, under OCN 
0938-1033, consists of self-reported data by States regarding a variety 
of program integrity related activities. The information is self-
reported and has not been independently verified by CMS, and it 
undoubtedly represents some unknown degree of duplication among 
providers across States. Consequently, the estimated number of Medicaid 
providers nationally is likely overstated. According to SPIA data for 
FFYs 2007 and 2008, there has been an average of 1,855,070 existing 
Medicaid providers nationally over the 2-year period of FFY 2007 and 
FFY 2008. We estimate that one-fifth, or 371,014 (1,855,070 x 20 
percent) of existing Medicaid providers would be required to re-enroll 
each year. Additionally, we estimate that there will be 56,250 newly 
enrolling Medicaid providers each year, for a total of 427,264 Medicaid 
providers that will be subject to the SSN and DOB reporting 
requirements each year. We further estimate that it will take each 
provider an average of 2 minutes to report the SSN and DOB for all 
persons with an ownership or control interest. Thus, the estimate 
annual burden associated with this requirement for Medicaid providers 
is 14,242 hours (427,264 x 2 minutes, divided by 60 minutes per hr) at 
a cost of $712,100 (14,242 hours x $50 per hour).

E. ICRs Regarding Site Visits for Medicaid-Only or CHIP-Only Providers 
(Sec.  455.450)

    As stated in proposed in Sec.  455.450(b), a State Medicaid agency 
must conduct on-site visits for providers it determines to be 
``moderate'' or ``high'' categorical risk. We anticipate that Medicare 
contractors will perform the screening activities for the overwhelming 
majority of providers that are dually enrolled in both Medicare and 
Medicaid, and thus, we estimate that State Medicaid agencies will 
conduct approximately 5,000 site visits for Medicaid-only providers 
nationally per year. We further estimate that it will take one 
individual 8 hours to perform each on-site visit (including travel 
time). Thus, the total estimate annual burden associated with this 
requirement for Medicaid is 40,000 hours (5,000 site visits x 8 hours) 
at a cost of $2,000,000 (40,000 hours x $50 per hour).

F. ICRs Regarding the Rescreening of Medicaid Providers Every 5 Years 
(Sec.  455.414)

    As stated in proposed Sec.  455.414, a State Medicaid agency must 
screen all providers at least every 5 years. This requirement is 
consistent with the Medicare requirement that providers, suppliers, and 
eligible professionals must re-enroll at least every 5 years (more 
often for certain types of suppliers). The burden associated with this 
proposed requirement would be the time and effort necessary for 
Medicaid-only providers to re-enroll in Medicaid, and the time and 
effort necessary for a State to conduct the provider screening,
    Although our data on Medicaid provider enrollment at the national 
level is very limited, we do collect annual data on State Medicaid 
program integrity activities. This annual data collection, known as the 
State Program Integrity Assessment (SPIA) program, consists of self-
reported data by States regarding a variety of program integrity 
related activities. The information is self-reported and has not been 
independently verified by CMS, and it undoubtedly represents some 
unknown degree of duplication among providers across States. 
Consequently, the estimated number of Medicaid providers nationally is 
likely overstated. According to SPIA data for FFYs 2007 and 2008, there 
has been an average of 1,855,070 existing Medicaid providers nationally 
over the 2-year period of FFY 2007 and FFY 2008. We estimate that one-
fifth, or 371,014 (1,855,070 x 20 percent) of existing Medicaid 
provider would be required to re-enroll each year, Although provider 
enrollment requirements vary by State, we further estimate that it will 
take each provider an average of 2 hours to complete the Medicaid re-
enrollment requirements. Thus, the estimate annual burden associated 
with this requirement for Medicaid providers is 742,028 hours (371,014 
x 2 hours) at a cost of $37,101,400 (742,028 hours x $50 per hour).
    We estimate that 80 percent of Medicaid providers also participate 
in Medicare, and thus would have provider screening activities 
performed by the Medicare contractors. Thus, we estimate that States 
would be required to conduct provider screening activities for 74,203 
(371,014 x 20 percent) re-enrolling Medicaid-only providers each year. 
We further estimate that it will take States, on average, 4 hours to 
perform the required provider screening activities--noting that 
currently enrolled providers would generally be categorized as lower 
risk than newly-enrolling providers. The estimated burden associated 
with this requirement for State Medicaid agencies is 296,812 hours 
(74,203 x 4 hours) at a cost of $14,840,600 (296,812 hours x $50 per 
hour). We believe that the burden on States will be in large part 
offset by the application fees collected and by the Federal share for 
the amounts not covered by the application fee.
    The total estimate annual burden associated with this requirement 
is 1,038,840 hours at a cost of $51,942,000.

[[Page 58232]]



                                                                    Table 6--Estimated Annual Reporting/Recordkeeping Burden
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                            Hourly
                                                                                                                Burden per     Total      labor cost   Total labor  Total capital/
             Regulation section(s)                       OMB Control No.            Respondents    Responses     response      annual         of         cost of      maintenance    Total cost
                                                                                                                 (hours)       burden     reporting     reporting     costs  ($)         ($)
                                                                                                                              (hours)        ($)           ($)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   424.514(e)**............................  0938-0685; 0938-1056...........          12,000       12,000            1       12,000           50       600,000               0       600,000
Sec.   424.518(c)(2)(b) and (d)................  0938-New.......................          35,000       35,000            2       70,000           50     3,500,000               0     3,500,000
Sec.   424.518(c)(3)(iv) and (d)...............  0938-New.......................          10,500       10,500            2       21,000           50     1,050,000               0     1,050,000
Sec.   455.434.................................  0938-New.......................          26,000       26,000            2       52,000           50     2,600,000               0     2,600,000
Sec.   455.104.................................  0938-New.......................         427,264      427,264         .033       14,242           50       712,100               0       712,100
Sec.   455.450.................................  0938-New.......................           5,000        5,000            8       40,000           50     2,000,000               0     2,000,000
Sec.   455.414 (Providers).....................  0938-New.......................         371,014      371,014            2      742,028           50    37,101,400               0    37,101,400
Sec.   455.414 (State Medicaid Agencies).......  0938-New.......................          74,203       74,203            4      296,812           50    14,840,600  ..............    14,840,600
    Total......................................  ...............................         960,981      960,981  ...........    1,248,082  ...........  ............  ..............    62,404,100
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
** Denotes that we will be submitting revisions of the currently approved information collection requests for OMB review and approval.

IV. Response to Comments

    Because of the large number of public comments we normally receive 
on Federal Register documents, we are not able to acknowledge or 
respond to them individually. We will consider all comments we receive 
by the date and time specified in the DATES section of this preamble, 
and, when we proceed with a subsequent document, we will respond to the 
comments in the preamble to that document.

V. Regulatory Impact Analysis

A. Overall Impact

    We have examined the impact of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 1993), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act, section 202 of the Unfunded 
Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on 
Federalism (August 4, 1999), and the Congressional Review Act (U.S.C. 
804(s).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts; and equity). A regulatory impact 
analysis (RIA) must be prepared for rules with economically significant 
effects ($100 million or more in any 1 year). This rule does reach the 
economic threshold and thus is considered an economically significant 
rule.
    The RFA requires agencies to analyze options for regulatory relief 
for small businesses. Under the RFA, we must either prepare an Initial 
Regulatory Flexibility Analysis or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities. For purposes of the RFA, small entities include small 
businesses, nonprofit organizations, and government agencies. Most 
hospitals and most other providers and suppliers are small entities, 
either by nonprofit status or by having revenues of less than $7.0 to 
$34.5 million (depending on provider type) in any one year. Individuals 
and States are not included in the definition of a small entity. HHS 
practice is to assume that all providers affected by our rules are 
small entities, since we know that the vast majority meet the criteria 
used under the RFA. We do not believe that our application fees will 
have a significant impact on any small entities. Likewise, we do not 
believe that other screening provisions, such as the provision of 
fingerprints or accommodating unannounced visits, will have a 
significant impact on any small entities. We think this proposed rule 
could have significant impact on a relatively small proportion of small 
businesses in terms of restrictions on Federal health monies paid to 
small businesses participating in the Medicare or Medicaid programs or 
CHIP. Clearly, imposition of an enrollment moratorium would have an 
impact on a small business that is attempting to do business with any 
of the Federal health programs. Similarly, suspension of payments to 
any small entity could create a significant impact on that entity. We 
have, however, no basis for estimating how many entities might be 
affected by these provisions. Finally, we believe that this proposed 
rule will reduce fraud and abuse among potential providers. Clearly, 
there will be a significant impact on their ability to defraud the 
taxpayer in several ways. First, closer screening of certain high-risk 
providers and suppliers will better enable CMS to detect those 
individuals and entities that pose a risk to the Medicare program. 
Preventing unqualified providers and suppliers from enrolling in 
Medicare will protect the Medicare Trust Fund and save the taxpayers 
millions of dollars. Second, an application fee will help reduce the 
costs of administering the Medicare program. Third, the temporary 
moratoria provisions will enable CMS to restrict the entry of certain 
providers and suppliers into Medicare in order to prevent or combat 
fraud, waste, and abuse, thus, again, saving millions of Federal 
dollars. While we cannot quantify with exactitude the amount of money 
that the Medicare program will save as a result of these measures, we 
do believe that the figure will exceed the costs outlined in this RIA. 
We are seeking comment on the overall proposed screening processes 
described in section II.A. of this proposed rule, including how the 
risk of fraud is determined, the administrative interventions proposed 
to address the risk, and the criteria for exceptions to the enrollment 
application fee and any temporary enrollment moratoria. We ask small 
businesses to comment on these provisions and offer suggestions about 
how to mitigate what they might see as adverse administrative or 
financial impacts. This RIA, taken together with the remainder of the 
preamble, constitutes an Initial Regulatory Flexibility Analysis under 
the RFA.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 603 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital

[[Page 58233]]

as a hospital that is located outside of a Metropolitan Statistical 
Area and has fewer than 100 beds. We are not preparing an analysis for 
section 1102(b) of the Act because we have determined that this final 
rule will not have a significant impact on the operations of a 
substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule that may result in expenditure in any 1 year by State, 
local, or tribal governments, in the aggregate, or by the private 
sector, of $135 million. This rule does mandate expenditures by State 
and local governments, in order to enforce the Medicaid-related 
provisions, but we believe that those expenditures will be relatively 
minor. The mandated costs on providers--primarily for application 
fees--may approach or exceed the threshold for the private sector. 
Accordingly, this RIA constitutes the required assessment of costs and 
benefits under UMRA.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has Federalism 
implications. Since this proposed rule would not impose any substantial 
direct requirement costs on State or local governments, preempt State 
law, or otherwise have Federalism implication, the requirements of E.O. 
13132 are not applicable.

B. Anticipated Effects

1. Medicare
a. Enhanced Screening Procedures--Medicare
    Based on statistics obtained from PECOS and our Medicare 
contractors, there are approximately 400,000 providers and suppliers 
currently enrolled in the Medicare program. (This does not include 
eligible professionals.) This figure includes ambulance service 
suppliers; ambulatory surgical centers; community mental health 
centers; comprehensive outpatient rehabilitation facilities; suppliers 
of DMEPOS; end-stage renal disease facilities; federally qualified 
health centers; histocompatibility laboratories; home health agencies; 
hospices; hospitals, including physician-owned specialty hospitals; 
critical access hospitals; independent clinical laboratories; 
independent diagnostic testing facilities; Indian health service 
facilities; mammography centers; mass immunizers (roster billers); 
medical groups/clinics, including single and multi-specialty clinics; 
organ procurement organizations; outpatient physical therapy/
occupational therapy/speech pathology services; portable X-ray 
suppliers; skilled nursing facilities; radiation therapy centers; 
religious non-medical health care institutions; and rural health 
clinics. We note the following in section III. of this proposed rule:
     Based on 2009 experience we estimate that there will be 
7,000 DMEPOS suppliers and HHAs that will submit an application to 
become a new Medicare enrolled provider in 2011. We would require 
approximately 35,000 individuals (7,000 providers/suppliers x 5 
individuals per applicant) to undergo fingerprinting to participate in 
the Medicare program as an owner, authorized official, delegated 
official, or managing employee of an HHA or supplier of DMEPOS. We have 
found that the cost of having a set (two prints) of fingerprints done 
through a local law enforcement office is approximately $50.00 per 
individual. The cost of this fingerprinting requirement would therefore 
be $1.75 million per year (35,000 individuals x $50).
     We estimate that 10,000 individuals (2,000 providers or 
suppliers x 5 individuals per applicant) would undergo fingerprinting 
following the lifting of a moratorium on a particular provider or 
supplier type, at a cost of $500,000 per year (10,000 x $50). Should 
requests be made of 5,000 providers or suppliers, the annual figure 
would be $1,250,000 (5,000 x 5 individuals per applicant x $50). Should 
requests be made of 10,000 providers or suppliers, the annual figure 
would be $2.5 million (10,000 x 5 x $50).
     We estimate that 500 physicians would undergo 
fingerprinting per year, at a cost of $25,000.
    This results in a total cost of the fingerprinting requirement of 
$2,275,000 per year ($1,750,000 + $500,000 + $25,000), or $11,375,000 
over 5 years. If 5,000 post-moratorium requests are made, the annual 
cost is $3,025,000, with a 5-year cost of $15,125,000. Should 10,000 
post-moratorium requests be made, the annual cost is $4,275,000, with a 
5-year cost of $21,375,000.
    As we believe that 2,000 post-moratorium requests is the most 
likely scenario, we will hereafter use the $2,275,000 amount as the 
annual cost of this requirement. This results in an estimated 5-year 
cost of $11,375,000.
b. Application Fee--Medicare
    The Secretary shall impose an application fee on each institutional 
provider. The amount of the fee is $500 per provider or supplier for 
2010. For 2011 and each subsequent year, the fee amount will be 
determined by the statutorily-required formula using the consumer price 
index for all urban consumers (CPI-U). The enrollment application fee 
does not apply to individual eligible professionals (for example, 
physicians). The fee is to be paid by institutional providers only. The 
new screening provisions are applicable to new and revalidating 
providers and suppliers effective March 23, 2011, and to currently 
enrolled providers and suppliers as of March 23, 2012. We intend to 
begin collecting the enrollment application fee for new providers and 
suppliers and for currently enrolled providers revalidating enrollment 
effective March 23, 2011.
c. General Enrollment Framework
(1) New Enrollment
    Medicare contractors report that over the last several years, 
approximately 32,000 is the annual number of newly enrolling providers 
and suppliers that would--without accounting for the possible granting 
of waivers--be subject to the enrollment application fee--
(approximately 20,000 for Medicare Part B, approximately 7,000 DMEPOS 
suppliers and HHAs (as explained in the Collection of Information 
section above), and approximately 5,000 non-HHA Medicare Part A 
providers).
    We assume that no more than 2.5 percent of these 32,000 providers 
and suppliers--or 800--will receive a hardship exception; as indicated 
earlier, exceptions will only be approved infrequently.
    In FY 2011, we reduced the estimate number of institutional 
providers subject to the application fee by 25 percent because the 
application fee will not begin until March 23, 2011. Accordingly, the 
number of institutional providers that we anticipate paying the 
application fee will be 23,400 (or 31,200 X .75) in FY 2011. In FY 
2011, we reduced the estimate number of institutional providers subject 
to the application fee by 25 percent because the application fee will 
not begin until March 23, 2011. Accordingly, the number of 
institutional providers that we anticipate paying the application fee 
will be 24,000 in FY 2011.
    Therefore, the impacts of the enrollment application fee are as 
follows. If we use 23,400 as the number of newly enrolling providers 
and

[[Page 58234]]

suppliers in 2011, multiply this number by the $500 application fee, we 
get $11,700,000 collected for the first year (that is, CY 2011). If we 
assume that the number of newly enrolling providers and suppliers will 
remain constant at 31,200 for years 2012 through 2015, then the cost to 
the number of newly enrolling providers and suppliers would be 
approximately $78.87 million. These estimates are displayed in the 
table below, and account for a projected annual CPI-U rate increase of 
3 percent from FY 2012 to FY 2015--knowing, of course, that this figure 
could fluctuate significantly based on national economic conditions.
    Although we have no way to predict that the number of new 
enrollments will change in future years, it is possible that the number 
of enrolling providers and suppliers vary from what has been the norm. 
If our estimate of the number of newly enrolling providers is 
inaccurate and we enroll a different number of providers and suppliers 
after the effective date of the new screening and other provisions 
contained in the ACA, we estimate based on the $500 enrollment 
application fee--a rough difference of $1 million for each increment of 
2000 new enrollments, whether fewer or greater.

 Table 7--Cumulative Application Fees for Newly Enrolling Medicare Providers and Suppliers for the First 5 Years
                                                of the Provision
----------------------------------------------------------------------------------------------------------------
                                                       Newly
                                                     enrolling
                                                   institutional  Consumer price
                                                   providers and       index
                                       Newly         suppliers     adjusted fee
                                     enrolling      paying the      in dollars    Total fees for    Cumulative
              Year                 institutional    application    (estimated 3%   each year in       fees in
                                   providers and  fee  (based on      annual          dollars         dollars
                                     suppliers        a 2.5%        increase in
                                                     hardship          CPI)
                                                     exception
                                                       rate)
----------------------------------------------------------------------------------------------------------------
2011............................          24,000          23,400            $500     $11,700,000     $11,700,000
2012............................          32,000          31,200             515      16,068,000      27,768,000
2013............................          32,000          31,200             530      16,536,000      44,304,000
2014............................          32,000          31,200             546      17,035,200      61,339,200
2015............................          32,000          31,200             562      17,534,400      78,873,600
                                 -------------------------------------------------------------------------------
    Total.......................  ..............  ..............  ..............      78,873,600      78,873,600
----------------------------------------------------------------------------------------------------------------

(2) Revalidation
    There are approximately 100,000 currently enrolled suppliers of 
DMEPOS who are required to revalidate their enrollment every 3 years 
and 300,000 additional providers and suppliers that do not provide 
DMEPOS that are required to revalidate their enrollment every 5 years. 
On a yearly basis, we estimate that approximately 33,000 DMEPOS 
suppliers (one-third of the total) and 60,000 other, non-DMEPOS 
providers/suppliers (one-fifth of the total) would revalidate their 
enrollment in Medicare, for an annual total of 93,000. Since, as 
explained earlier, we estimate that no more than 2.5 percent of these 
providers and suppliers will receive a waiver from the application fee, 
we project that 90,675 such providers and suppliers will be subject to 
the fee.
    This proposed rule contemplates collecting the application fee for 
currently enrolled providers that revalidate their enrollment on or 
after March 23, 2011--almost 3 months into CY 2011. Therefore, we have 
adjusted the number of existing Medicare institutional providers 
subject to an application fee by 25 percent, from 90.675 to 68.006 (or 
90.675 x .75) in FY 2011. Further accounting for: (1) A projected 
annual CPI-U rate increase of 3 percent, as stated above; and (2) our 
assumption that the number of revalidating providers and suppliers will 
remain at 90,675 between CY 2012 and 2015, the cost associated with 
these fees for revalidating providers and suppliers would be 
approximately $183,548,740 over the first 5 years that the ACA 
provisions are in effect, as shown in Table 8 below.

 Table 8--Cumulative Application Fees for Revalidating Medicare Providers and Suppliers for the First 5 Years of
                                                  the Provision
----------------------------------------------------------------------------------------------------------------
                                                 Revalidating
                                                 institutional
                                                  providers &   Consumer price
                                 Revalidating      suppliers    index adjusted
                                 institutional      paying      fee in dollars   Total fees for  Cumulative fees
             Year                providers and    application    (estimated 3%   each year  (in    (in dollars)
                                   suppliers    fee  (based on      annual          dollars)
                                                 2.5% hardship    increase in
                                                   exception         CPI)
                                                     rate)
----------------------------------------------------------------------------------------------------------------
2011..........................          69,750          68,006            $500      $34,003,000      $34,003,000
2012..........................          93,000          90,675             515       46,697,625       80,700,625
2013..........................          93,000          90,675             530       48,057,750      128.758,375
2014..........................          93,000          90,675             546       49,508,550      178,266,925
2015..........................          93,000          90,675             562       50,959,350      229,226,275
                               ---------------------------------------------------------------------------------
    Total.....................  ..............  ..............  ..............      229,226,275      229,226,275
----------------------------------------------------------------------------------------------------------------


[[Page 58235]]

    Therefore, we estimate that the total impact of the proposed 
provisions for the application fee to be approximately $308,099,875 
over the next 5 years. This number was approximated by adding the 
cumulative application fees for newly enrolling providers and suppliers 
($78,873,600 as shown in Table 6) to the cumulative application fees 
for revalidating providers and suppliers ($229,226,275).
2. Medicaid
a. Enhanced Screening Procedures
    Although our data on Medicaid provider enrollment at the national 
level is very limited, we do collect annual data on State Medicaid 
program integrity activities. This annual data collection, known as the 
State Program Integrity Assessment (SPIA) program, consists of self-
reported data by States regarding a variety of program integrity 
related activities. The information is self-reported and has not been 
independently verified by CMS, and it undoubtedly represents some 
unknown degree of duplication among providers across States. 
Consequently, the estimated number of Medicaid providers nationally is 
likely overstated. According to SPIA data for FFYs 2007 and 2008, there 
has been an average of 1,855,070 existing Medicaid providers nationally 
over the 2-year period of FFY 2007 and FFY 2008. This universe of 
Medicaid providers includes all provider types, both institutional 
providers and individual practitioners. In the Medicare program, 
eligible practitioners make up approximately 70 percent of the total 
universe of providers, suppliers, and eligible practitioners. Because 
we do not have detailed information regarding the breakdown of Medicaid 
providers by type nationally, we will apply the same ratio to determine 
the percentage of institutional Medicaid providers. Therefore, we 
estimate that there are approximately 556,521 Medicaid-only providers 
nationally that are not individual practitioners.
    We also estimate almost all CHIP providers are also Medicaid 
providers. So, for purposes of this section, we are considering CHIP 
providers to also be Medicaid providers and will subsequently refer to 
them only as Medicaid providers.
    As previously stated in the Medicare section of the analysis, we 
estimate that we would require the following:
     Approximately 35,000 individuals will undergo 
fingerprinting to enroll in the Medicare program as owners, authorized 
officials, delegated officials, or managing employees of a home health 
agency or supplier of DMEPOS. Based on data collected as part of the 
State survey and certification activities for home health agencies, 
less than 1 percent of home health agencies are Medicaid-only. And, 
although there is no data available on the number of Medicaid-only 
suppliers of DMEPOS, we estimate that the number is minimal as well, as 
a number of States require suppliers of DMEPOS to be enrolled in 
Medicare prior to enrolling in Medicaid. Therefore, we estimate that 
States may require approximately 1,000 additional individuals with 
ownership or control interests in the suppliers of DMEPOS, or home 
health agencies, or persons who are agents of or managing employees of 
the suppliers of DMEPOS, or home health agencies, to undergo 
fingerprinting for enrollment in the Medicaid program. The cost of this 
fingerprinting requirement would be approximately $50,000 (1,000 x $50 
= $50,000), though we seek comments on the accuracy of this figure.
     We anticipate that Medicare contractors will perform the 
screening activities for the overwhelming majority of providers 
following the lifting of a Secretary-imposed temporary moratorium and 
for the limited circumstances in which physicians may be fingerprinted. 
However, given that States may also classify certain Medicaid-only 
providers as ``high'' categorical risks, we are estimating that States 
may require approximately 25,000 additional individuals to undergo 
fingerprinting prior to enrolling in a State's Medicaid program, at a 
cost of $1,250,000 (25,000 x $50 = $1,250,000).
    Consequently, we estimate that fingerprinting individuals for 
purposes of Medicaid enrollment will cost $1,300,000.
    When averaged across 50 States, the District of Columbia and Puerto 
Rico, the annual cost of fingerprinting per State will be $26,000.
b. Application Fee--Medicaid
    For those providers not screened by Medicare, the State may impose 
a fee on each institutional provider being screened. The amount of the 
fee is $500 per provider for 2010. For 2011 and each subsequent year, 
the amount will be determined by the statutorily-required formula using 
the consumer price index for all urban consumers (CPI-U).
c. General Enrollment Framework
    For purposes of this section, we assume that 80 percent of 
institutional Medicaid providers will be dually participating in both 
Medicare and Medicaid, and thus will be subject to the application fee 
as part of the Medicare screening and enrollment. Therefore we estimate 
that 20 percent, or 111,304 (556,521 x 20 percent), of the 
institutional Medicaid-only providers will not be screened by Medicare 
and thus will be subject to the application fee under Medicaid. We 
project that a significant number of existing and future Medicaid 
providers will request a hardship exception, or that a State will 
request a waiver of the application fee for certain Medicaid provider 
types of the application fee on the basis of ensuring access to care. 
For purposes of this section, although we have no way to estimate the 
exact number of providers that will ultimately request and be approved 
for a hardship exception, or the number of States that will request a 
waiver of the fee for certain Medicaid provider types, we predict that 
25 percent of all Medicaid providers subject to the fee will receive 
the hardship exception or be granted a waiver of the fee on the basis 
of ensuring beneficiary access to care. We recognize that this 25 
percent figure is significantly higher than the 2.5 percent waiver rate 
we are using for Medicare application fees. Yet we believe the 
difference is justified because of the greater access to care issues 
that may arise in Medicaid. Consequently, we estimate that 83,478 
existing Medicaid providers will be required to pay the application fee 
(111,304 existing Medicaid providers that are not dually enrolled less 
25 percent or 27,826 existing providers).
(1) New Enrollments
    We apply the 80 percent rate for newly-enrolling Medicaid 
institutional providers that will be dually participating in both 
Medicare and Medicaid and thus not subject to the fee under Medicaid, 
and 25 percent hardship exception rate to the annual number of newly-
enrolling Medicaid institutional providers not dually enrolled. The 
45,000 newly-enrolling Medicare institutional providers annually 
represent 80 percent of the total newly-enrolling Medicaid 
institutional providers annually. Therefore, we estimate that there 
will be 11,250 newly-enrolling Medicaid institutional providers 
annually that are subject to the application fee under Medicaid (45,000 
providers divided by 80 percent, -45,000 = 11,250). We project another 
25 percent will be exempted for hardship or be granted a waiver of the 
fee on the basis of ensuring beneficiary access to care, resulting in 
8,438 newly-enrolling Medicaid institutional providers being

[[Page 58236]]

subject to the application fee each year nationally.
    Consistent with the Medicare analysis, in FY 2011, we reduced the 
estimated number of institutional providers subject to the application 
fee by 25 percent because the application fee will not begin until 
March 23, 2011. Accordingly, the number of institutional providers that 
we anticipate paying the application fee will be 6,329 in FY 2011. 
Consequently, we project the dollars due from application fees for 
newly-enrolling Medicaid institutional providers who are not dually 
enrolled to be $21,331,514 for the first 5 years in total. When 
averaged across 50 States, the District of Columbia and Puerto Rico, 
the total application fees for the 5 years in total per State will be 
approximately $410,221.
---------------------------------------------------------------------------

    \5\ After the first year, the CPI-U is applied to the base fee 
of $500.

     Table 9--Cumulative Application Fees for Newly Enrolled Medicaid Providers for the First 5 Years of the
                                                    Provision
----------------------------------------------------------------------------------------------------------------
                                                                  Consumer Price
                                                   New Medicaid   Index adjusted
                                                   providers not   fee \5\  (in
                                                   exempted from     dollars)     Total fees for    Cumulative
                   Fiscal year                          the        (estimated 3   each year  (in     fees  (in
                                                    application   percent annual     dollars)        dollars)
                                                        fee         increase in
                                                                       CPI)
----------------------------------------------------------------------------------------------------------------
2011............................................           6,329             500       3,164,500       3,164,500
2012............................................           8,438             515       4,345,570       7,510,070
2013............................................           8,438             530       4,472,140      11,982,210
2014............................................           8,438             546       4,607,148      16,589,358
2015............................................           8,438             562       4,742,156      21,331,514
                                                 ---------------------------------------------------------------
    Total.......................................  ..............  ..............      21,331,514      21,331,514
----------------------------------------------------------------------------------------------------------------

 (2) Re-Enrollment
    This proposed rule contemplates that States would require Medicaid 
providers to re-enroll every 5 years. On a yearly basis, we estimate 
that approximately 16,696 Medicaid institutional providers (one fifth 
of the total) would re-enroll with the State Medicaid agency.
    We contemplate collecting the application fee for currently 
enrolled providers beginning on March 24, 2011. States would not 
collect an application fee with any re-enrollments until that time--
almost 3 months into CY 2011. Therefore, we have adjusted the number of 
existing Medicaid institutional providers subject to an application fee 
by 25 percent, from 16,696 to 12,522 in FY 2011. Consequently, we 
project the dollars due from application fees for currently-enrolled 
Medicaid institutional providers who are not dually enrolled is 
$42,207,488 for the first 5 years in total. When averaged across 50 
States, the District of Columbia and Puerto Rico, the total application 
fees for the 5 years in total per State will be approximately $811,682.

Table 10--Cumulative Application Fees for Re-Enrolling Medicaid Providers for the First 5 Years of the Provision
----------------------------------------------------------------------------------------------------------------
                                                                  Consumer Price
                                                     Existing     index adjusted
                                                     Medicaid         fee (in
                                                   providers not     dollars)     Total fees for    Cumulative
                      Year                         exempted from   (Estimated 3    each year (in     fees (in
                                                        the       percent annual     dollars)        dollars)
                                                    application     increase in
                                                        fee            CPI)
----------------------------------------------------------------------------------------------------------------
2011............................................          12,522               0       6,261,000       6,261,000
2012............................................          16,696             515       8,598,440      14,859,440
2013............................................          16,696             530       8,848,880      23,708,320
2014............................................          16,696             546       9,116,016      32,824,336
2015............................................          16,696             562       9,383,152      42,207,488
                                                 ---------------------------------------------------------------
    Total.......................................  ..............  ..............      42,207,488      42,207,488
----------------------------------------------------------------------------------------------------------------


[[Page 58237]]

3. Medicare and Medicaid
a. Moratoria on Enrollment of New Medicare Providers and Suppliers and 
Medicaid Providers
    Although we have no way of predicting the exact cost savings 
associated with enrollment moratoria, we expect there will be program 
savings achieved by implementation of this section. As stated 
previously, these provisions will enable CMS to restrict the entry of 
certain providers and suppliers into Medicare in order to prevent or 
combat fraud, waste, and abuse. However, there are no cost burdens to 
the public or to the provider community. Therefore, we have not 
estimated the cost impacts of this provision.
b. Suspension of Payments in Medicare and Medicaid
    As with payment moratoria, although we have no way of predicting 
the exact cost savings to Medicare and Medicaid associated with 
implementation of the provisions contained in this proposed rule, we 
certainly expect that there will be program savings that result from 
implementation of this provision. CMS and its law enforcement partners 
already have a process for payment suspension when possible fraud is 
involved. The changes proposed in this rule will strengthen the 
existing process and its applicability to Medicaid, but it will not 
create any different impact or burden on the provider community in 
circumstances of payment suspension. There are no new cost burdens to 
the public or the provider community associated with this provision.

C. Accounting Statement and Table

    As required by OMB Circular A-4 (available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/circulars/a004/a4.pdf), we have prepared an accounting statement. This statement only 
addresses: (1) The costs of the fingerprinting requirement, and (2) the 
monetary transfer associated with the application fee. It does not 
address the potential financial benefits of these two requirements from 
the standpoint of their possible effectiveness in deterring certain 
unscrupulous providers and suppliers from enrolling in or maintaining 
their enrollment in Medicare and Medicaid. This is because it is 
impossible for us to quantify these benefits in monetary terms. 
Moreover, we cannot predict how many potentially fraudulent providers 
and suppliers will be kept out of the Medicare and Medicaid programs 
due to these proposed requirements.
1. Medicare
    As stated previously, we estimate a total cost of the 
fingerprinting requirement of $2,275,000 per year ($1,750,000 + 
$500,000 + $25,000), or $11,375,000 over 5 years, if 2,000 post-
moratorium requests are made. If 5,000 post-moratorium requests are 
made, the annual cost is $3,025,000, with a 5-year cost of $15,125,000. 
Should 10,000 post-moratorium requests be made, the annual cost is 
$4,275,000, with a 5-year cost of $21,375,000. We also stated in the 
RIA that the expected total application fees:
     For newly enrolling providers and suppliers would be $11.7 
million in 2011, $16,068,000 in 2012, $16,536,000 in 2013, $17,035,200 
in 2014, and $17,534,400 in 2015. This results in a 5-year total of 
$78,873,600.
     For revalidating providers and suppliers would be 
$34,003,000 in 2011, $46,697,625 in 2012, $48,057,750 in 2013, 
$49,508,550 in 2014, and $50,959,350 in 2015. This results in a 5-year 
total of $229,226,275.
    The accounting statement reflects the: (1) Annual cost of the 
fingerprinting requirement, and (2) the application of the 3 percent 
and 7 percent discount rate to the combined amounts of the application 
fees for FY 2015--that is, $17,534,400 plus $50,959,350 
(revalidations), for a total of $68,493,750; this constitutes a 
transfer of funds to the Federal government. We chose the FY 2015 
figures so as to reflect the maximum amount of transferred funds in a 
given year during the initial-5 year period.
2. Medicaid
    As stated in the RIA, we estimate that the annual cost of the 
fingerprint requirement for Medicaid will be $1,300,000, or $6,500,000 
over a 5-year period. We also stated in the RIA that the expected total 
application fees:
     For newly enrolling providers and suppliers would be 
$3,164,500 in 2011, $4,345,570 in 2012, $4,472,140 in 2013, $4,607,148 
in 2014, and $4,742,156 in 2015. This results in a 5-year total of 
$21,331,514. For revalidating providers and suppliers would be $0 in 
2011; $6,448,830 in 2012; $8,448,880 in 2013; $9,116,016 in 2014; and 
$9,383,152 in 2015. This results in a 5-year total of $33,796,878.
    The accounting statement reflects: (1) The annual cost of the 
fingerprinting requirement, and (2) the application of the 3 percent 
and 7 percent discount rate to the combined amounts of the application 
fees for FY 2015--specifically, $4,742,156 (new applicants) plus 
$9,383,152 (revalidations), for a total of $14,125,308. This 
constitutes a transfer of funds to the Federal government. As with the 
Medicare figures, we chose to use those from FY 2015 for Medicaid so as 
to reflect the maximum amount of transferred funds in a given year 
during the initial-5 year period.

[[Page 58238]]



        Accounting Statement: Classification of Estimated Expenditures and Costs From FY 2011 to FY 2015
                                                  [In millions]
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
  Medicare Fingerprint Requirement                                       COSTS
----------------------------------------------------------------------------------------------------------------
                                             3 percent Discount Rate               7 percent Discount Rate
     Annualized Monetized Costs
  (2,000 post-moratorium requests)                   $2.275                                $2.275
----------------------------------------------------------------------------------------------------------------
     Annualized Monetized Costs
  (5,000 post-moratorium requests)                   $3.025                                $3.025
----------------------------------------------------------------------------------------------------------------
     Annualized Monetized Costs
  (10,000 post-moratorium requests)                  $4.275                                $4.275
----------------------------------------------------------------------------------------------------------------
          Who is Affected?                                      Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
      Medicare Application Fee                                         TRANSFERS
----------------------------------------------------------------------------------------------------------------
                                             3 percent Discount Rate               7 percent Discount Rate
   Annualized Monetized Transfers                     $48.2                                 $47.3
----------------------------------------------------------------------------------------------------------------
         From Whom to Whom?                          Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
  Medicaid Fingerprint Requirement                                       COSTS
----------------------------------------------------------------------------------------------------------------
                                             3 percent Discount Rate               7 percent Discount Rate
     Annualized Monetized Costs                       $1.3                                  $1.3
----------------------------------------------------------------------------------------------------------------
          Who is Affected?                                      Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
      Medicaid Application Fee                                         TRANSFERS
----------------------------------------------------------------------------------------------------------------
                                             3 percent Discount Rate               7 percent Discount Rate
     Annualized Monetized Costs                       $10.1                                 $10.0
----------------------------------------------------------------------------------------------------------------
         From Whom to Whom?                          Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
                                                                       BENEFITS
----------------------------------------------------------------------------------------------------------------
Qualitative: The above-referenced requirements will: (1) Allow CMS to more closely screen providers and
 suppliers that pose risks to the Medicare and Medicaid programs, and (2) help offset the costs of administering
 the Medicare and Medicaid programs. We believe these and other financial benefits outlined in this proposed
 rule will exceed the costs outlined above.
----------------------------------------------------------------------------------------------------------------

D. Conclusion

    This proposed rule contains provisions that are of critical 
importance in the transition of CMS' antifraud activities from ``pay 
and chase'' to fraud prevention. ``Pay and chase'' refers to the 
traditional approach under which CMS met its obligations to provide 
beneficiaries access to qualified providers and suppliers and to pay 
claims quickly by making it relatively easy for providers to sign up to 
bill Medicare, Medicaid or CHIP, paying their claims rapidly, and then 
detecting overpayments or fraudulent bills and pursuing recoveries of 
overpayments after the fact. That system functions reasonably well when 
the problems arise with legitimate providers and suppliers that will be 
solvent and in business when CMS seeks to recover overpayments or law 
enforcement pursues civil or criminal penalties. It is not adequate 
when the fraud is committed by sham operations that provide no services 
or supplies and exist simply to steal from Medicare or Medicaid and 
thrive on stealing or subverting the identities of beneficiaries and 
providers.
    This proposed rule strikes a balance that will permit CMS to 
continue to assure that eligible beneficiaries receive appropriate 
services from qualified providers whose claims are paid on a timely 
basis while implementing enhanced measures to prevent outright fraud. 
The new and strengthened provisions in the ACA that are the subject of 
this proposed rule will help assure that only legitimate providers and 
suppliers are enrolled in Medicare, Medicaid, and CHIP, and that only 
legitimate claims will be paid. These provisions are applied according 
to the level of risk of fraud, waste, and abuse posed by different 
provider and supplier types. CMS will use screening tools for a 
particular provider or supplier type based on 3 distinct categories of 
risk: (1) Limited; (2) moderate; and (3) high. Limited risk providers 
will have enrollment requirements, license and database verifications; 
moderate risk will have those verifications plus unscheduled site 
visits; high risk will have verifications, unscheduled site visits, 
criminal background check and fingerprinting. CMS and the States will 
impose moratoria on the enrollment of new providers in situations when 
doing so is necessary to protect against a high risk of fraud. Working 
in conjunction with the OIG, CMS, and States will suspend payments 
pending an investigation of a credible allegation of fraud. And 
legitimate providers will be assisted in avoiding problems by 
implementing effective compliance programs.
    This proposed rule is an essential tool in protecting public 
resources and assuring that they are devoted to providing health care 
rather than enriching fraudulent actors.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

[[Page 58239]]

List of Subjects

42 CFR Part 405

    Administrative practice and procedure, Health facilities, Health 
professions, Kidney diseases, Medical devices, Medicare, Reporting and 
recordkeeping requirements, Rural areas, X-rays.

42 CFR Part 424

    Emergency medical services, Health facilities, Health professions, 
Medicare, and Reporting and recordkeeping requirements.

42 CFR Part 438

    Grant programs--health, Medicaid, Reporting and recordkeeping 
requirements.

42 CFR Part 447

    Accounting, Administrative practice and procedure, Drugs, Grant 
programs--health, Health facilities, Health professions, Medicaid, 
Reporting and recordkeeping requirements, and Rural areas.

42 CFR Part 455

    Fraud, Grant programs--health, Health facilities, Health 
professions, Investigations, Medicaid, and Reporting and recordkeeping 
requirements.

42 CFR Part 457

    Administrative practice and procedure, Grant programs--health, 
Health insurance, and Reporting and recordkeeping requirements.

42 CFR Part 498

    Administrative practice and procedure, Health facilities, Health 
professions, Medicare, Reporting and recordkeeping requirements.

42 CFR Part 1007

    Administrative practice and procedure, Fraud, Grant programs--
health, Medicaid, and Reporting and recordkeeping requirements.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services proposes to amend 42 CFR chapters IV and V as set 
forth below:

PART 405--FEDERAL HEALTH INSURANCE FOR THE AGED AND DISABLED

    1. The authority citation for part 405 continues to read as 
follows:

    Authority:  Secs. 205(a), 1102, 1861, 1862(a), 1869, 1871, 1874, 
1881, and 1886(k) of the Social Security Act (42 U.S.C. 405(a), 
1302, 1395x, 1395y(a), 1395ff, 1395hh, 1395kk, 1395rr and 
1395ww(k)), and sec. 353 of the Public Health Service Act (42 U.S.C. 
263a).

Subpart C--Suspension of Payment, Recovery of Overpayments, and 
Repayment of Scholarships and Loans

    2. The authority citation for subpart C is revised to read as 
follows:

    Authority: Secs. 1102, 1815, 1833, 1842, 1862, 1866, 1870, 1871, 
1879 and 1892 of the Social Security Act (42 U.S.C. 1302, 1395g, 
1395l, 1395u, 1395y, 1395cc, 1395gg, 1395hh, 1395pp and 1395ccc) and 
31 U.S.C. 3711.
    3. In subpart C, remove the phrase ``intermediary or carrier'' and 
add the phrase ``Medicare contractor'' in its place.
    4. Section 405.370 is amended as follows:
    A. In paragraph (a), adding the definitions of ``Credible 
allegation of fraud,'' ``Medicare contractor,'' and ``Resolution of an 
investigation'' in alphabetical order.
    B. In paragraph (a), revising the definitions of ``Offset,'' 
``Recoupment,'' and ``Suspension of payment''.
    The additions and revisions read as follows:


Sec.  405.370  Definitions.

    (a) * * *
    Credible allegation of fraud. A credible allegation of fraud is an 
allegation from any source, including but not limited to the following:
    (1) Fraud hotline complaints.
    (2) Claims data mining.
    (3) Patterns identified through provider audits, civil false claims 
cases, and law enforcement investigations. Allegations are considered 
to be credible when they have indicia of reliability.
    Medicare contractor. Unless the context otherwise requires, 
includes, but is not limited to the any of following:
    (1) A fiscal intermediary.
    (2) A carrier.
    (3) Program safeguard contractor.
    (4) Zone program integrity contractor.
    (5) Part A/Part B Medicare administrative contractor.
    Offset. The recovery by Medicare of a non-Medicare debt by reducing 
present or future Medicare payments and applying the amount withheld to 
the indebtedness. (Examples are Public Health Service debts or Medicaid 
debts recovered by HCFA).
    Recoupment. The recovery by Medicare of any outstanding Medicare 
debt by reducing present or future Medicare payments and applying the 
amount withheld to the indebtedness.
    Resolution of an investigation. An investigation of credible 
allegations of fraud will be considered resolved when legal action is 
terminated by settlement, judgment, or dismissal, or when the case is 
closed or dropped because of insufficient evidence to support the 
allegations of fraud.
    Suspension of payment. The withholding of payment by a Medicare 
contractor from a provider or supplier of an approved Medicare payment 
amount before a determination of the amount of the overpayment exists, 
or until the resolution of an investigation of a credible allegation of 
fraud.
    5. Section 405.371 is revised to read as follows:


Sec.  405.371  Suspension, offset, and recoupment of Medicare payments 
to providers and suppliers of services.

    (a) General rules. Medicare payments to providers and suppliers, as 
authorized under this subchapter (excluding payments to beneficiaries), 
may be--
    (1) Suspended, in whole or in part, by CMS or a Medicare contractor 
if CMS or the Medicare contractor possesses reliable information that 
an overpayment exists or that the payments to be made may not be 
correct, although additional information may be needed for a 
determination;
    (2) In cases of suspected fraud, suspended, in whole or in part, by 
CMS or a Medicare contractor if CMS or the Medicare contractor has 
consulted with the OIG, and, as appropriate, the Department of Justice, 
and determined that a credible allegation of fraud exists against a 
provider or supplier, unless there is good cause not to suspend 
payments; or
    (3) Offset or recouped, in whole or in part, by a Medicare 
contractor if the Medicare contractor or CMS has determined that the 
provider or supplier to whom payments are to be made has been overpaid.
    (b) Good cause not to suspend payments. CMS may find that good 
cause exists not to suspend payments or not to continue to suspend 
payments to an individual or entity against which there are credible 
allegations of fraud if--
    (1) OIG or other law enforcement agency has specifically requested 
that a payment suspension not be imposed because such a payment 
suspension may compromise or jeopardize an investigation;
    (2) It is determined that beneficiary access to items or services 
would be so jeopardized by a payment suspension in whole or part as to 
cause a danger to life or health;
    (3) It is determined that other available remedies implemented by 
CMS or a Medicare contractor more effectively or quickly protect 
Medicare

[[Page 58240]]

funds than would implementing a payment suspension; or
    (4) CMS determines that a payment suspension or a continuation of a 
payment suspension is not in the best interests of the Medicare 
program. CMS will--
    (i) Evaluate whether there is good cause not to continue a 
suspension of payments under this section every 180 days after the 
initiation of a suspension based on credible allegations of fraud; and
    (ii) Request a certification from the OIG or other law enforcement 
agency that the matter continues to be under investigation warranting 
continuation of the suspension.
    (c) Steps necessary for suspension of payment, offset, and 
recoupment.
    (1) Except as provided in paragraph (d) of this section, CMS or the 
Medicare contractor suspends payments only after it has complied with 
the procedural requirements set forth at Sec.  405.372.
    (2) The Medicare contractor offsets or recoups payments only after 
it has complied with the procedural requirements set forth at Sec.  
405.373.
    (d) Suspension of payment in the case of unfiled cost reports. (1) 
If a provider has failed to timely file an acceptable cost report, 
payment to the provider is immediately suspended in whole or in part 
until a cost report is filed and determined by the Medicare contractor 
to be acceptable.
    (2) In the case of an unfiled cost report, the provisions of Sec.  
405.372 do not apply. (See Sec.  405.372(a)(2) concerning failure to 
furnish other information.)
    6. Section 405.372 is amended as follows:
    A. Remove the phrase ``intermediary, carrier'' wherever it appears 
and adding the phrase ``Medicare contractor'' in its place.
    B. Revising paragraphs (a)(4) and (d)(3).
    C. In paragraph (e), removing the cross-reference ``Sec.  
405.371(b)'' and adding the cross-reference ``Sec.  405.371(a)''.


Sec.  405.372  Proceeding for suspension of payment.

    (a) * * *
    (4) Fraud. If the intended suspension of payment involves credible 
allegations of fraud under Sec.  405.371(a)(2), CMS--
    (i) In consultation with OIG and, as appropriate, the Department of 
Justice, determines whether to impose the suspension and if prior 
notice is appropriate;
    (ii) Directs the Medicare contractor as to the timing and content 
of the notification to the provider or supplier; and
    (iii) Is the real party in interest and is responsible for the 
decision.
* * * * *
    (d) * * *
    (3) Exceptions to the time limits. (i) The time limits specified in 
paragraphs (d)(1) and (d)(2) of this section do not apply if the 
suspension of payments is based upon credible allegations of fraud 
under Sec.  405.371(a)(2).
    (ii) Although the time limits specified in (d)(1) and (d)(2) do not 
apply to suspensions based on credible allegations of fraud, all 
suspensions of payment in accordance with Sec.  405.371(a)(2) will be 
temporary and will not continue after the resolution of an 
investigation, unless a suspension is warranted because of reliable 
evidence of an overpayment or that the payments to be made may not be 
correct, as specified in Sec.  405.371(a)(1).
* * * * *

PART 424--CONDITIONS FOR MEDICARE PAYMENT

    7. The authority of citation for part 424 continues to read as 
follows:

    Authority: Secs. 1102 and 1871 of the Social Security Act (42 
U.S.C. 1302 and 1395hh).

    8. Section 424.57 is amended by revising paragraph (e) to read as 
follows:


Sec.  424.57  Special payment rules for items furnished by DMEPOS 
suppliers and issuance of DMEPOS supplier billing privileges.

* * * * *
    (e) Revalidation of billing privileges. A supplier must revalidate 
its application for billing privileges every 3 years after the billing 
privileges are first granted. (Each supplier must complete a new 
application for billing privileges 3 years after its last 
revalidation.)
* * * * *
    9. Section 424.502 is amended by adding the definition of 
``Institutional provider'' in alphabetical order to read as follows:


Sec.  424.502  Definitions.

* * * * *
    Institutional provider means any provider or supplier that submits 
a paper Medicare enrollment application using the CMS-855A, CMS-855B 
(not including physician and nonphysician practitioner organizations), 
CMS-855S or associated Internet-based PECOS enrollment application.
* * * * *
    10. Section 424.514 is added to read as follows:


Sec.  424.514  Application fee.

    (a) Application fee requirements for prospective institutional 
providers. Beginning on or after March 23, 2011, prospective 
institutional providers who are submitting an initial application or an 
application to establish a new practice location must submit either of 
the following:
    (1) The applicable application fee.
    (2) A request for a hardship exception to the application fee at 
the time of filing a Medicare enrollment application.
    (b) Application fee requirements for revalidating institutional 
providers. Beginning March 23, 2011, institutional providers that are 
subject to CMS revalidation efforts must submit either of the 
following:
    (1) The applicable application fee.
    (2) A request for a hardship exception to the application fee at 
the time of filing a Medicare enrollment application.
    (c) Hardship exception for disaster areas. CMS will assess on a 
case-by-case basis whether institutional providers enrolling in a 
geographic area that is a Presidentially-declared disaster under the 
Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 
U.S.C. 5121-5206 (Stafford Act) should receive an exception to the 
application fee.
    (d) Application fee. The application fee and associated 
requirements are as follows:
    (1) For 2010, $500.00.
    (2) For 2011 and subsequent years--
    (i) Is adjusted by the percentage change in the consumer price 
index for all urban consumers (all items; United States city average) 
for the 12-month period ending with June of the previous year;
    (ii) Is effective from January 1 to December 31 of a calendar year;
    (iii) Is based on the submission of an initial application, 
application to establish a new practice location or the submission of 
an application in response to a Medicare contractor revalidation 
request;
    (iv) Must be in the amount calculated by CMS in effect for the year 
during which the application for enrollment is being submitted;
    (v) Is nonrefundable;
    (vi) Must be resubmitted with an enrollment application that was 
previously denied or rejected; and
    (vii) Must be able to be deposited into a Government-owned account 
and credited to the United States Treasury.
    (e) Denial or revocation based on application fee. A Medicare 
contractor may deny or revoke Medicare billing privileges of a provider 
or supplier

[[Page 58241]]

based on noncompliance if, in the absence of a written request for a 
hardship exception from the application fee that accompanies a Medicare 
enrollment application the bank account on which the check that is 
submitted with the enrollment application is drawn does not contain 
sufficient funds to pay the application fee.
    (f) Information needed for submission of a hardship exception 
request. A provider or supplier requesting an exception from the 
application fee must include with its enrollment application a letter 
that describes the hardship and why the hardship justifies an 
exception.
    (g) Failure to submit application fee or hardship exception 
request. A Medicare contractor must--
    (1) Reject an enrollment application from a provider or supplier 
that, with the exceptions described in Sec.  424.514(b), is not 
accompanied by the application fee or by a letter requesting a hardship 
exception from the application fee.
    (2) Revoke the billing privileges of a currently enrolled provider 
or supplier or deny the application to enroll and establish billing 
privileges in the case of providers or suppliers not currently 
enrolled, with the exceptions noted in Sec.  424.514(b), if an 
enrollment application, including revalidation, is received that is not 
accompanied by the application fee or by a letter requesting a hardship 
exception from the application fee.
    (h) Consideration of hardship exception request. CMS has 60 days in 
which to approve or disapprove a hardship exception request.
    (1) A Medicare contractor does not--
    (i) Begin processing an enrollment application that is accompanied 
by a hardship exception request until CMS has made a decision to 
approve or disapprove the hardship exception request; and
    (ii) Deny an enrollment application that is accompanied by a 
hardship exception request unless the hardship exception request is 
denied by CMS and the provider or supplier fails to submit the required 
application fee within 30 days of being notified that the request for a 
hardship exception was denied.
    (2) A hardship exception determination made by CMS is appealable 
using Sec.  405.874.
    11. Section 424.515 is amended by adding a new paragraph (e) to 
read as follows:


Sec.  424.515  Requirements for reporting changes and updates to, and 
the periodic revalidation of Medicare enrollment information.

* * * * *
    (e) Additional off-cycle revalidation. On or after March 23, 2012, 
Medicare providers and suppliers, including DMEPOS suppliers, may be 
required to revalidate their enrollment outside the routine 5-year 
revalidation cycle (3-year DMEPOS supplier revalidation cycle).
    (1) CMS will contact providers or suppliers to revalidate their 
enrollment for off-cycle revalidation.
    (2) As with all revalidations, revalidations described in this 
paragraph are conducted in accordance with the screening procedures 
specified at Sec.  424.518.
    12. Section 424.518 is added to read as follows:


Sec.  424.518  Screening categories for Medicare providers and 
suppliers.

    A Medicare contractor is required to screen all initial 
applications, including applications for a new practice location, and 
any applications received in response to a revalidation request based 
on a CMS categorical risk level of ``limited,'' ``moderate,'' or 
``high.''
    (a) Limited categorical risk--(1) Limited categorical risk: 
Provider and supplier types. CMS has designated the following providers 
and suppliers as ``limited'' categorical risk:
    (i) Physician or nonphysician practitioners and medical groups or 
clinics.
    (ii) Ambulatory surgical centers.
    (iii) End-stage renal disease facilities.
    (iv) Federally qualified health centers.
    (v) Histocompatibility laboratories.
    (vi) Hospitals including critical access hospitals.
    (vii) Indian Health Service facilities.
    (viii) Mammography screening centers.
    (ix) Organ procurement organizations.
    (x) Mass immunization roster billers.
    (xi) Portable x-ray suppliers.
    (xii) Religious non-medical health care institutions.
    (xiii) Rural health clinics.
    (xiv) Radiation therapy centers.
    (xv) Public or government-owned or -affiliated ambulance services 
suppliers.
    (xvi) Skilled nursing facilities.
    (2) Limited categorical risk: Screening requirements. When CMS 
designates a provider or supplier as a ``limited'' categorical level of 
risk or the provider or supplier is publicly traded on the New York 
Stock Exchange (NYSE) or the National Association of Securities Dealers 
Automated Quotation System (NASDAQ), the Medicare contractor does all 
of the following:
    (i) Verifies that a provider or supplier meets any applicable 
Federal regulations, or State requirement for the provider or supplier 
type prior to making an enrollment determination.
    (ii) Conducts license verifications, including licensure 
verifications across State lines for physicians or nonphysician 
practitioners and providers and suppliers that obtain or maintain 
Medicare billing privileges as a result of State licensure, including 
State licensure in State other than where the provider or supplier is 
enrolling.
    (iii) Conducts database checks on a pre- and post-enrollment basis 
to ensure that providers and suppliers continue to meet the enrollment 
criteria for their provider/supplier type.
    (b) Moderate categorical risk--(1) Moderate categorical risk: 
Provider and supplier types. CMS has designated the following providers 
and suppliers as ``moderate'' categorical risk:
    (i) The following prospective providers and suppliers that are not 
publicly-traded on the NYSE or NASDAQ:
    (A) Community mental health centers.
    (B) Comprehensive outpatient rehabilitation facilities.
    (C) Hospice organizations.
    (D) Independent diagnostic testing facilities.
    (E) Nongovernment-owned or -affiliated ambulance service suppliers.
    (F) Independent clinical laboratories.
    (ii) The following revalidating providers and suppliers that are 
not publicly-traded on the NYSE or NASDAQ:
    (A) Community mental health centers.
    (B) Comprehensive outpatient rehabilitation facilities.
    (C) Home health agencies.
    (D) Hospice organizations.
    (E) Independent diagnostic testing facilities.
    (F) Nongovernment-owned or -affiliated ambulance service suppliers.
    (G) Independent clinical laboratories.
    (iii) Re-enrolling suppliers of DMEPOS that are not publicly-traded 
on the NYSE or NASDAQ.
    (2) Moderate categorical risk: Screening requirements. When CMS 
designates a provider or supplier as a ``moderate'' categorical level 
of risk, the Medicare contractor does all of the following:
    (i) Performs the ``limited'' screening requirements described in 
paragraph (a)(2) of this section.
    (ii) Conducts an on-site visit.
    (c) High categorical risk--(1) High categorical risk: Provider and 
supplier types. CMS has designated home health agencies or suppliers of 
DMEPOS that are not publicly-traded on the NYSE or NASDAQ as ``high'' 
categorical risk:
    (A) Prospective providers or suppliers enrolling in the Medicare 
program.
    (B) Providers or suppliers establishing a new practice location.

[[Page 58242]]

    (2) High categorical risk: Screening requirements. When CMS 
designates a provider or supplier as a ``high'' categorical level of 
risk, the Medicare contractor does all of the following:
    (i) Performs the ``limited'' and ``moderate'' screening 
requirements described in paragraphs (a)(2) and (b)(2) of this section.
    (ii)(A) Conducts a criminal background check; and
    (B) Requires the submission of sets of fingerprints using the FD-
258 standard fingerprint card.
    (3) Adjustment in the categorical risk. CMS adjusts the categorical 
risk level from ``limited'' or ``moderate'' to ``high'' if any of the 
following occur:
    (i) CMS or its Medicare contractor has information from a physician 
or nonphysician practitioner that another individual is using their 
identity within the Medicare program.
    (ii) CMS imposes a payment suspension on a provider or supplier.
    (iii) The provider or supplier--
    (A) Has been excluded from Medicare by the OIG; or
    (B) Had its billing privileges denied or revoked by a Medicare 
contractor within the previous 10 years and is attempting to establish 
additional Medicare billing privileges by--
    (1) Enrolling as a new provider or supplier; or
    (2) Billing privileges for a new practice location.
    (C) Has been terminated or is otherwise precluded from billing 
Medicaid.
    (iv) CMS lifts a temporary moratorium for a particular provider or 
supplier type.
    (d) Fingerprinting requirements. An individual subject to the 
fingerprints requirements specified in paragraph (c)(2)(ii)(B) of this 
section--
    (1) Must submit a set of fingerprints using the FD-258 standard 
fingerprint card--
    (i) With the Medicare enrollment application; or
    (ii) Within 30 days of a Medicare contractor request.
    (2) Who does not submit a set of fingerprints in accordance with 
paragraph (d)(1) of this section will have his or her Medicare billing 
privileges--
    (i) Denied under Sec.  424.530(a)(1); or
    (ii) Revoked under Sec.  424.535(a)(1).
    13. Section 424.525 is amended by revising paragraph (a) as 
follows:
    A. Revising paragraph (a) introductory text.
    B. Adding a new paragraph (a)(3).
    The revision and addition read as follows:


Sec.  424.525  Rejection of a provider or supplier's enrollment 
application for Medicare enrollment.

    (a) Reasons for rejection. CMS may reject a provider or supplier's 
enrollment application for any of the following reasons:
* * * * *
    (3) The prospective institutional provider or supplier does not 
submit the application fee in the designated amount or a hardship 
waiver request with the Medicare enrollment application at the time of 
filing.
* * * * *
    14. Section 424.530 is amended by adding new paragraphs (a)(8) and 
(a)(9) to read as follows:


Sec.  424.530  Denial of enrollment in the Medicare program.

    (a) * * *
    (8) Application fee/hardship exception. An institutional provider 
or supplier's ``hardship exception'' request is not granted.
    (9) Temporary moratorium. A provider or supplier submits an 
enrollment application for a practice location in a geographic area 
where CMS has imposed a temporary moratorium.
* * * * *
    15. Section 424.535 is amended as follows:
    A. Revising paragraph (a)(6).
    B. Adding a new paragraph (a)(11).
    C. Revising paragraph (c).


Sec.  424.535  Revocation of enrollment billing and billing privileges 
in the Medicare program.

    (a) * * *
    (6) Grounds related to provider and supplier screening 
requirements. (i)(A) An institutional provider does not submit an 
application fee or ``hardship exception'' request that meets the 
requirements set forth in Sec.  424.514 with the Medicare revalidation 
application; or
    (B) The ``hardship exception'' is not granted and the institutional 
provider does not submit the applicable application form or application 
fee within 30 days of being notified that the hardship exception 
request was denied.
    (ii)(A) The Medicare contractor is not able to either of the 
following:
    (1) Deposit the full application amount into a government-owned 
account.
    (2) The funds are not able to be credited to the U.S. Treasury.
    (B) The provider or supplier lacks sufficient funds in the account 
at the banking institution whose name is imprinted on the check or 
other banking instrument to pay the application fee; or
    (C) There is any other reason why CMS or its Medicare contractor is 
unable to deposit the application fee into a government-owned account.
* * * * *
    (11) Medicaid termination. Medicaid billing privileges are 
terminated or revoked by a State Medicaid Agency, not withstanding 
anything to the contrary in this section, must not apply unless and 
until a provider or supplier has exhausted all applicable appeal 
rights.
* * * * *
    (c) Reapplying after revocation. (1) After a provider, supplier, 
delegated official, or authorizing official has had their billing 
privileges revoked, they are barred from participating in the Medicare 
program from the effective date of the revocation until the end of the 
re-enrollment bar.
    (2) The re-enrollment bar is a minimum of 1 year, but not greater 
than 3 years depending on the severity of the basis for revocation.
    (3) CMS may waive the re-enrollment bar if it has revoked a 
provider or supplier under Sec.  424.535(a)(6)(i) based upon the 
failure of the provider or supplier to submit an application fee or a 
hardship exception request with an enrollment application upon 
revalidation.
* * * * *
    16. A new Sec.  424.570 is added to read as follows:


Sec.  424.570  Moratoria on newly enrolling Medicare providers and 
suppliers.

    (a) Temporary moratoria. CMS may impose a moratorium on the 
enrollment of new Medicare providers and suppliers of a particular type 
or the establishment of new practice locations of a particular type in 
a particular geographic area or nationally if--
    (1) CMS determines that there is a significant potential for fraud, 
waste or abuse with respect to a particular provider or supplier type 
or particular geographic area or both. CMS's determination is based on 
its review of existing data, and without limitation, identifies a trend 
that appears to be associated with a high risk of fraud, waste or 
abuse, such as a--
    (i) Highly disproportionate number of providers or suppliers in a 
category relative to the number of beneficiaries; or
    (ii) Rapid increase in enrollment applications within a category;
    (2) A State Medicaid program has imposed a moratorium on a group of 
Medicaid providers or suppliers that are also eligible to enroll in the 
Medicare program;

[[Page 58243]]

    (3) A State has imposed a moratorium on enrollment in a particular 
geographic area or on a particular provider or supplier type or both; 
or
    (4) CMS, in consultation the HHS OIG or the Department of Justice 
or both and with the approval of the CMS Administrator identifies 
either or both of the following as having a significant potential for 
fraud, waste or abuse in the Medicare program:
    (i) A particular provider or supplier type.
    (ii) Any particular geographic area.
    (b) Duration of moratoria. A moratorium under this section may be 
imposed for a period of 6 months and, if deemed necessary by CMS, may 
be extended in 6-month increments.
    (c) Denial of enrollment: Moratoria. A Medicare contractor denies 
the enrollment application of a provider or supplier if the provider or 
supplier is subject to a moratorium as specified in paragraph (a) of 
this section.
    (d) Lifting moratoria. CMS may lift a temporary moratorium in a 
specific geographic area or nationally if--
    (1) The President declares an area a disaster under the Robert T. 
Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. 5121-
5206 (Stafford Act); or
    (2) Circumstances warranting the imposition of a moratorium have 
abated or CMS has implemented program safeguards to address the program 
vulnerability;
    (3) In the judgment of the Secretary, the moratorium is no longer 
needed.

PART 438--MANAGED CARE

    17. The authority for part 438 continues to read as follows:

    Authority:  Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).

    18. Section 438.6 is amended by adding new paragraph (c)(5)(vi).


Sec.  438.6  Contract requirements.

* * * * *
    (c) * * *
    (5) * * *
    (vi) Contracts with MCOs, PIHPs, and PAHPs must require all 
ordering or referring network providers to be enrolled as participating 
providers with the Medicaid program.
* * * * *

PART 447--PAYMENT FOR SERVICES

    19. The authority citation for part 447 continues to read as 
follows:

    Authority:  Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).

    20. A new Sec.  447.90 is added to read as follows:


Sec.  447.90  FFP: Conditions related to pending investigations of 
credible allegations of fraud against the Medicaid program.

    (a) Basis and purpose. This section implements section 
1903(i)(2)(C) of the Act which prohibits payment of FFP with respect to 
items or services furnished by an individual or entity with respect to 
which there is pending an investigation of a credible allegation of 
fraud except under specified circumstances.
    (b) Denial of FFP. No FFP is available with respect to any amount 
expended for an item or service furnished by any individual or entity 
to whom a State has failed to suspend payments in whole or part as 
required by Sec.  455.23 unless:
    (1) The item or service is furnished as an emergency item or 
service, but not including items or services furnished in an emergency 
room of a hospital; or
    (2) The State determines and documents that good cause as specified 
at Sec.  455.23(e) or (f) exists not to suspend such payments, to 
suspend payments only in part, or to discontinue a previously imposed 
payment suspension.

PART 455--PROGRAM INTEGRITY: MEDICAID

    21. The authority citation for part 455 continues to read as 
follows:

    Authority:  Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).

    22. Section 455.2 is amended by adding the definition of ``Credible 
allegation of fraud'' to read as follows:


Sec.  455.2  Definitions.

* * * * *
    Credible allegation of fraud. A credible allegation of fraud is an 
allegation from any source, including but not limited to the following:
    (1) Fraud hotline complaints.
    (2) Claims data mining.
    (3) Patterns identified through provider audits, civil false claims 
cases, and law enforcement investigations. Allegations are considered 
to be credible when they have indicia of reliability.
* * * * *
    23. Section 455.23 is revised to read as follows:


Sec.  455.23  Suspension of payments in cases of fraud.

    (a) Basis for suspension. (1) The State Medicaid agency must 
suspend all Medicaid payments to a provider when there is pending an 
investigation of a credible allegation of fraud under the Medicaid 
program against an individual or entity unless it has good cause to not 
suspend payments or to suspend payment only in part.
    (2) The State Medicaid agency may suspend payments without first 
notifying the provider of its intention to suspend such payments.
    (3) A provider may request, and must be granted, administrative 
review where State law so requires.
    (b) Notice of suspension. (1) The State agency must send notice of 
its suspension of program payments within the following timeframes:
    (i) Five days of taking such action unless requested in writing by 
a law enforcement agency to temporarily withhold such notice.
    (ii) Thirty days if requested by law enforcement in writing to 
delay sending such notice, which request for delay may be renewed in 
writing up to twice and in no event may exceed 90 days.
    (2) The notice must include or address all of the following:
    (i) State that payments are being suspended in accordance with this 
provision.
    (ii) Set forth the general allegations as to the nature of the 
suspension action, but need not disclose any specific information 
concerning an ongoing investigation.
    (iii) State that the suspension is for a temporary period, as 
stated in paragraph (c) of this section, and cite the circumstances 
under which suspension will be terminated.
    (iv) Specify, when applicable, to which type or types of Medicaid 
claims or business units of a provider suspension is effective.
    (v) Inform the provider of the right to submit written evidence for 
consideration by State Medicaid Agency.
    (c) Duration of suspension. (1) All suspension of payment actions 
under this section will be temporary and will not continue after either 
of the following:
    (i) The agency or the prosecuting authorities determine that there 
is insufficient evidence of fraud by the provider.
    (ii) Legal proceedings related to the provider's alleged fraud are 
completed.
    (2) A State must document in writing the termination of a 
suspension including, where applicable and appropriate, any appeal 
rights available to a provider.
    (d) Referrals to the Medicaid fraud control unit. (1) Whenever a 
State Medicaid agency investigation leads to the initiation of a 
payment suspension in whole or part, the State Medicaid Agency must 
make a fraud referral to either of the following:

[[Page 58244]]

    (i) To a Medicaid fraud control unit established and certified 
under part 1007 of this Title; or
    (ii) In States with no certified Medicaid fraud control unit, to an 
appropriate law enforcement agency.
    (2) The fraud referral made under paragraph (d)(1) of this section 
must meet all of the following requirements:
    (i) Be made in writing and provided to the Medicaid fraud control 
unit not later than the next business day after the suspension is 
enacted.
    (ii) Conform to fraud referral performance standards issued by the 
Secretary.
    (3)(i) If the Medicaid fraud control unit or other law enforcement 
agency accepts the fraud referral for investigation, the payment 
suspension may be continued until such time as the investigation and 
any associated enforcement proceedings are completed.
    (ii) On a quarterly basis, the State must request a certification 
from the Medicaid fraud control unit or other law enforcement agency 
that any matter accepted on the basis of a referral continues to be 
under investigation thus warranting continuation of the suspension.
    (4) If the Medicaid fraud control unit or other law enforcement 
agency declines to accept the fraud referral for investigation the 
payment suspension must be discontinued unless the State Medicaid 
agency makes a fraud referral to another law enforcement agency. In 
that situation, the provisions of paragraph (d)(3) of this section 
apply equally to that referral as well.
    (5) A State's decision to exercise the good cause exceptions in 
paragraphs (e) or (f) of this section not to suspend payments or to 
suspend payments only in part does not relieve the State of the 
obligation to refer any credible allegation of fraud as provided in 
paragraph (d)(1) of this section.
    (e) Good cause not to suspend payments. A State may find that good 
cause exists not to suspend payments, or not to continue a payment 
suspension previously imposed, to an individual or entity against which 
there is an investigation of a credible allegation of fraud if any of 
the following are applicable:
    (1) Law enforcement officials have specifically requested that a 
payment suspension not be imposed because such a payment suspension may 
compromise or jeopardize an investigation.
    (2) Other available remedies implemented by the State more 
effectively or quickly protect Medicaid funds.
    (3) The State determines that payment suspension is not in the best 
interests of the Medicaid program.
    (4) Recipient access to items or services would be jeopardized by a 
payment suspension because of either of the following:
    (i) An individual or entity is the sole community physician or the 
sole source of essential specialized services in a community.
    (ii) The individual or entity serves a large number of recipients 
within a HRSA-designated medically underserved area.
    (5) Law enforcement declines to certify that a matter continues to 
be under investigation per the requirements of paragraph (d)(3) of this 
section.
    (f) Good cause to suspend payment only in part. A State may find 
that good cause exists to suspend payments in part, or to convert a 
payment suspension previously imposed in whole to one only in part, to 
an individual or entity against which there is an investigation of a 
credible allegation of fraud if any of the following are applicable:
    (1) Recipient access to items or services would be jeopardized by a 
payment suspension in whole or part because of either of the following:
    (i) An individual or entity is the sole community physician or the 
sole source of essential specialized services in a community.
    (ii) The individual or entity serves a large number of recipients 
within a HRSA-designated medically underserved area;
    (2) The State determines that payment suspension only in part is in 
the best interests of the Medicaid program.
    (3)(i) The credible allegation focuses solely and definitively on 
only a specific type of claim or arises from only a specific business 
unit of a provider; and
    (ii) The State determines and documents in writing that a payment 
suspension in part would effectively ensure that potentially fraudulent 
claims were not continuing to be paid.
    (4) Law enforcement declines to certify that a matter continues to 
be under investigation per the requirements of paragraph (d)(3) of this 
section.
    (g) Documentation and record retention. State Medicaid agencies 
must meet the following requirements:
    (1) Maintain for a minimum of 5 years from the date of issuance all 
materials documenting the life cycle of a payment suspension that was 
imposed in whole or part, including the following:
    (i) All notices of suspension of payment in whole or part.
    (ii) All fraud referrals to the Medicaid fraud control unit or 
other law enforcement agency.
    (iii) All quarterly certifications of continuing investigation 
status by law enforcement.
    (iv) All notices documenting the termination of a suspension.
    (2)(i) Maintain for a minimum of 5 years from the date of issuance 
all materials documenting each instance where a payment suspension was 
not imposed, imposed only in part, or discontinued for good cause.
    (ii) This type of documentation must include, at a minimum, 
detailed information on the basis for the existence of the good cause 
not to suspend payments, to suspend payments only in part, or to 
discontinue a payment suspension and, where applicable, must specify 
how long the State anticipates such good cause will exist.
    (3) Annually report to the Secretary summary information on each of 
following:
    (i) Suspension of payment, including the nature of the suspected 
fraud, the basis for suspension, and the outcome of the suspension.
    (ii) Situation in which the State determined good cause existed to 
not suspend payments, to suspend payments only in part, or to 
discontinue a payment suspension as described in this section, 
including describing the nature of the suspected fraud and the nature 
of the good cause.
    24. Section 455.101 is amended as follows:
    A. Adding introductory text.
    B. Adding the definitions of ``Health insuring organization 
(HIO),'' ``Managed care entity (MCE),'' ``Prepaid ambulatory health 
plan (PAHP),'' ``Primary care case manager (PCCM),'' ``Prepaid 
inpatient health plan (PIHP),'' and ``Termination'' in alphabetical 
order to read as follows:


Sec.  455.101  Definitions.

    For the purposes of this part--
* * * * *
    Health insuring organization (HIO) has the meaning specified in 
Sec.  438.2.
    Managed care entity (MCE) means managed care organizations (MCOs), 
PIHPs, PAHPs, PCCMs, and HIOs.
* * * * *
    Prepaid ambulatory health plan (PAHP) has the meaning specified in 
Sec.  438.2.
    Primary care case manager (PCCM) has the meaning specified in Sec.  
438.2.
    Prepaid inpatient health plan (PIHP) has the meaning specified in 
Sec.  438.2.

[[Page 58245]]

    Termination means--
    (1) For a--
    (i) Medicaid provider, a State Medicaid program has taken an action 
to revoke the provider's billing privileges, and the provider has 
exhausted all applicable appeal rights; and
    (ii) Medicare provider, supplier or eligible professional, the 
Medicare program has revoked the provider or supplier's billing 
privileges.
    (2)(i) In both programs, there is no expectation on the part of the 
provider or supplier or the State or Medicare program that the 
revocation is temporary.
    (ii) The provider, supplier, or eligible professional will be 
required to reenroll with the applicable program if they wish billing 
privileges to be reinstated.
    25. Section 455.104 is revised to read as follows:


Sec.  455.104  Disclosure by Medicaid providers and fiscal agents: 
Information on ownership and control.

    (a) Who must provide disclosures. The Medicaid agency must obtain 
disclosures from disclosing entities, fiscal agents, and managed care 
entities.
    (b) What disclosures must be provided. The Medicaid agency must 
require that disclosing entities, fiscal agents, and managed care 
entities provide the following disclosures:
    (1)(i) The name and address of any person (individual or 
corporation).
    (ii) Date of birth and social security number (in the case of an 
individual).
    (iii) Other tax identification number (in the case of a 
corporation) with an ownership or control interest in the disclosing 
entity (or fiscal agent or managed care entity) or in any subcontractor 
in which the disclosing entity (or fiscal agent or managed care entity) 
has a 5 percent or more interest.
    (2) Whether the person (individual or corporation) with ownership 
or control interest in the disclosing entity (or fiscal agent or 
managed care entity) or in any subcontractor in which the disclosing 
entity (or fiscal agent or managed care entity) has a 5 percent or more 
interest is related to another as a spouse, parent, child, or sibling.
    (3) The name of any other disclosing entity (or fiscal agent or 
managed care entity) in which an owner of the disclosing entity (or 
fiscal agent or managed care entity) has an ownership or control 
interest.
    (4) The name and address of any managing employee of the disclosing 
entity (or fiscal agent or managed care entity).
    (c) When the disclosures must be provided--(1) Disclosures from 
providers. Disclosure from any provider is due at any of the following 
times:
    (i) Submits the provider application.
    (ii) Executes the provider agreement.
    (iii) Re-enrolls under Sec.  455.12.
    (iv) Within 35 days after any change in ownership of the disclosing 
entity.
    (2) Disclosures from fiscal agents. Disclosures from fiscal agents 
are due at any of the following times:
    (i) That the fiscal agent submits the proposal in accordance with 
the State's procurement process.
    (ii) The fiscal agent executes the contract with the State
    (iii) Upon renewal or extension of the contract.
    (iv) Within 35 days after any change in ownership of the fiscal 
agent.
    (3) Disclosures from managed care entities. Disclosures from 
managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are 
due at any of the following times:
    (i) The managed care entity submits the proposal in accordance with 
the State's procurement process.
    (ii) The managed care entity executes the contract with the State.
    (iii) Upon renewal or extension of the contract.
    (iv) Within 35 days after any change in ownership of the managed 
care entity.
    (4) Disclosures from PCCMs. PCCMs will comply with disclosure 
requirements under (c)(1) of this section.
    (d) To whom must the disclosures be provided. All disclosures must 
be provided to the Medicaid agency.
    (e) Consequences for failure to provide required disclosures. 
Federal financial participation (FFP) is not available in payments made 
to a disclosing entity that fails to disclose ownership or control 
information as required by this section.
    26. A new subpart E is added to part 455 to read as follows:
Subpart E--Provider Screening and Enrollment
Sec.
455.400 Purpose.
455.405 State plan requirements.
455.410 Enrollment and screening of providers.
455.412 Verification of provider licenses.
455.414 Reenrollment.
455.416 Termination or denial of enrollment.
455.418 Deactivation of provider enrollment.
455.420 Reactivation of provider enrollment.
455.422 Appeal rights.
455.432 Site visits.
455.434 Criminal background checks.
455.436 Federal database checks.
455.440 National Provider Identifier.
455.450 Screening categories for Medicaid providers.
455.452 Other State screening methods.
455.460 Application fee.
455.470 Temporary moratoria.

Subpart E--Provider Screening and Enrollment


Sec.  455.400  Purpose.

    This subpart implements sections 1866(j), 1902(a)(39), 1902(a)(77), 
and 1902(a)(78) of the Social Security Act. It sets forth State plan 
requirements regarding the following:
    (a) Provider screening and enrollment requirements.
    (b) Fees associated with provider screening.
    (c) Temporary moratoria on enrollment of providers.


Sec.  455.405  State plan requirements.

    A State plan must provide that the requirements of Sec.  455.410 
through Sec.  455.450 and Sec.  455.470 are met.


Sec.  455.410  Enrollment and screening of providers.

    (a) The State Medicaid agency must require all enrolled providers 
to be screened under to this subpart.
    (b) The State Medicaid agency must require all ordering or 
referring physicians or other professionals providing services under 
the State plan or under a waiver of the plan to be enrolled as 
participating providers.
    (c) The State Medicaid agency may rely on the results of the 
provider screening performed by any of the following:
    (1) Medicare contractors.
    (2) Medicaid agencies or Children's Health Insurance Programs of 
other States.


Sec.  455.412  Verification of provider licenses.

    The State Medicaid agency must--
    (a) Have a method for verifying that any provider purporting to be 
licensed in accordance with the laws of any State is licensed by such 
State.
    (b) Confirm that the provider's license has not expired and that 
there are no current limitations on the provider's license.


Sec.  455.414  Reenrollment.

    The State Medicaid agency must screen all providers regardless of 
provider type at least every 5 years.


Sec.  455.416  Termination or denial of enrollment.

    The State Medicaid agency--
    (a) Must terminate the enrollment of any provider where any person 
with an ownership or control interest or who is an agent or managing 
employee of the provider did not submit timely and

[[Page 58246]]

accurate information and cooperate with any screening methods required 
under this subpart.
    (b) Must deny enrollment or terminate the enrollment of any 
provider where any person with an ownership or control interest or who 
is an agent or managing employee of the provider has been convicted of 
a criminal offense related to that person's involvement with the 
Medicare, Medicaid, or title XXI program in the last 10 years, unless 
the State Medicaid agency determines that denial or termination of 
enrollment is not in the best interests of the Medicaid program and the 
State Medicaid agency documents that determination in writing.
    (c) Must deny enrollment or terminate the enrollment of any 
provider that is terminated on or after January 1, 2011, under title 
XVIII of the Act or under the Medicaid program or CHIP of any other 
State.
    (d) Must terminate the provider's enrollment or deny enrollment of 
the provider if the provider or a person with an ownership or control 
interest or who is an agent or managing employee of the provider fails 
to submit timely or accurate information, unless the State Medicaid 
agency determines that termination or denial of enrollment is not in 
the best interests of the Medicaid program and the State Medicaid 
agency documents that determination in writing.
    (e) Must terminate or deny enrollment if the provider, or any 
person with an ownership or control interest or who is an agent or 
managing employee of the provider, fails to submit sets of fingerprints 
in a form and manner to be determined by the Medicaid agency within 30 
days of a CMS or a State Medicaid agency request, unless the State 
Medicaid agency determines that termination or denial of enrollment is 
not in the best interests of the Medicaid program and the State 
Medicaid agency documents that determination in writing.
    (f) Must terminate or deny enrollment if the provider fails to 
permit access to provider locations for any site visits under Sec.  
455.432, unless the State Medicaid agency determines that termination 
or denial of enrollment is not in the best interests of the Medicaid 
program and the State Medicaid agency documents that determination in 
writing.
    (g) May terminate or deny the provider's enrollment if CMS or the 
State Medicaid agency--
    (1) Determines that the provider has falsified any information 
provided on the application; or
    (2) Cannot verify the identity of any provider applicant.


Sec.  455.418  Deactivation of provider enrollment.

    The State Medicaid Agency must deactivate any provider enrollment 
number that has been inactive as a result of having submitted no claims 
or making no referrals that resulted in Medicaid claims for a period of 
12 months.


Sec.  455.420  Reactivation of provider enrollment.

    After deactivation of a provider enrollment number for any reason, 
before the provider's enrollment may be reactivated, the State Medicaid 
agency must re-screen the provider and require payment of associated 
provider application fees under Sec.  455.460.


Sec.  455.422  Appeal rights.

    The State Medicaid agency must give providers terminated under 
Sec.  455.416, and with respect to enrollment, any appeal rights 
available under procedures established by State law or rule.


Sec.  455.432  Site visits.

    The State Medicaid agency--
    (a) Must conduct pre-enrollment and post-enrollment site visits of 
providers who are designated as ``moderate'' or ``high'' categorical 
risks to the Medicaid program. The purpose of the site visit will be to 
verify that the information submitted to the State Medicaid agency is 
accurate and to determine compliance with Federal and State enrollment 
requirements.
    (b) Must require any enrolled provider to permit CMS, its agents, 
its designated contractors, or the State Medicaid agency to conduct 
unannounced on-site inspections of any and all provider locations.


Sec.  455.434  Criminal background checks.

    The State Medicaid agency--
    (a) As a condition of enrollment, must require providers to consent 
to criminal background checks including fingerprinting when required to 
do so under State law or by the level of risk determined for that 
category of provider.
    (b) Must establish categorical risk levels for providers and 
provider types who pose an increased financial risk of fraud, waste or 
abuse to the Medicaid program.
    (1) Upon the State Medicaid agency determining that a provider, or 
a person with an ownership or control interest or who is an agent or 
managing employee of the provider, meets the State Medicaid agency's 
criteria hereunder for criminal background checks as a ``high'' risk to 
the Medicaid program, the State Medicaid agency will require that each 
such provider or person submit fingerprints.
    (2) The State Medicaid agency must require a provider, or any 
person with an ownership or control interest or who is an agent or 
managing employee of the provider, to submit two sets of fingerprints, 
in a form and manner to be determined by the State Medicaid agency, 
within 30 days upon request from CMS or the State Medicaid agency.


Sec.  455.436  Federal database checks.

    The State Medicaid agency must do all of the following:
    (a) Confirm the identity and determine the exclusion status of 
providers and any person with an ownership or control interest or who 
is an agent or managing employee of the provider through routine checks 
of Federal databases.
    (b) Check applicable databases maintained by the Social Security 
Administration, the National Plan and Provider Enumeration System 
(NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded 
Parties List System (EPLS), and any such other databases as the 
Secretary may prescribe.
    (c)(1) Consult appropriate databases to confirm identity upon 
enrollment and reenrollment; and
    (2) Check the LEIE and EPLS no less frequently than monthly.


Sec.  455.440  National Provider Identifier.

    The State Medicaid agency must require all claims for payment for 
items and services that were ordered or referred to contain the 
National Provider Identifier (NPI) of the physician or other 
professional who ordered or referred such items or services.


Sec.  455.450  Screening categories for Medicaid providers.

    A State Medicaid agency must screen all initial applications, 
including applications for a new practice location, and any 
applications received in response to a re-enrollment request based on a 
categorical risk level of ``limited,'' ``moderate,'' or ``high.'' If a 
provider could fit within more than one risk category described in this 
section, the risk category with the highest level of screening is 
applicable.
    (a) Screening for providers designated as limited categorical risk. 
When the State Medicaid agency designates a provider as a ``limited'' 
categorical risk or the provider is publicly traded on the New York 
Stock Exchange (NYSE) or National Association of Securities Dealers 
Automated Quotation System (NASDAQ), the State Medicaid agency must do 
all of the following:

[[Page 58247]]

    (1) Verify that a provider meets any applicable Federal 
regulations, or State requirements for the provider type prior to 
making an enrollment determination.
    (2) Conduct license verifications, including State licensure 
verifications in States other than where the provider is enrolling, in 
accordance with Sec.  455.412.
    (3) Conduct database checks on a pre- and post-enrollment basis to 
ensure that providers continue to meet the enrollment criteria for 
their provider type, in accordance with Sec.  455.436.
    (b) Screening for providers designated as moderate categorical 
risk. When the State Medicaid agency designates a provider as a 
``moderate'' categorical risk, a State Medicaid agency must do both of 
the following:
    (1) Perform the ``limited'' screening requirements described in 
paragraph (a) of this section.
    (2) Conduct on-site visits in accordance with Sec.  455.432.
    (c) Screening for providers designated as high categorical risk. 
When the State Medicaid agency designates a provider as a ``high'' 
categorical risk, a State Medicaid agency must do both of the 
following:
    (1) Perform the ``limited'' and ``moderate'' screening requirements 
described in paragraphs (a) and (b) of this section.
    (2)(i) Conduct a criminal background check; or
    (ii) Require the submission of set of fingerprints in accordance 
with Sec.  455.434.
    (d) Denial or termination of enrollment. A provider, or any person 
with an ownership or control interest or who is an agent or managing 
employee of the provider, who is required by the State Medicaid agency 
or CMS to submit a set of fingerprints and fails to do so may have 
its--
    (1) Application denied under Sec.  455.434; or
    (2) Enrollment terminated under Sec.  455.416.
    (e) Adjustment of risk level. The State agency must adjust the 
categorical risk level from ``limited'' or ``moderate'' to ``high'' 
when any of the following occurs:
    (1) The State Medicaid agency imposes a payment suspension on a 
provider based on credible allegation of fraud, waste or abuse, the 
provider has an existing Medicaid overpayment, or the provider has been 
excluded by the OIG or another State's Medicaid program within the 
previous 10 years.
    (2) The State Medicaid agency or CMS lifts a temporary moratorium 
for a particular provider type.


Sec.  455.452  Other State screening methods.

    Nothing herein must restrict the State Medicaid agency from 
establishing provider screening methods in addition to or more 
stringent than those required by this subpart.


Sec.  455.460  Application fee.

    (a) Beginning on or after March 23, 2011, States may collect the 
applicable application fee prior to executing a provider agreement from 
prospective or re-enrolling providers other than--
    (1) Individual physicians or nonphysician practitioners.
    (2) (i) Providers who are enrolled in either--
    (A) Title XVIII of the Act; or
    (B) Another State's title XIX or XXI plan.
    (ii) Providers that have paid the applicable application fee to--
    (A) A Medicare contractor; or
    (B) Another State.
    (b) If the fees collected by a State agency in accordance with 
paragraph (a) of this section exceed the cost of the screening program, 
the State agency must return that portion of the fees to the Federal 
government.


Sec.  455.470  Temporary moratoria.

    (a)(1) The Secretary consults with any affected State Medicaid 
agency regarding imposition of temporary moratoria on enrollment of new 
providers or provider types prior to imposition of the moratoria, in 
accordance with Sec.  424.570.
    (2) The State Medicaid agency will impose temporary moratoria on 
enrollment of new providers or provider types identified by the 
Secretary as posing an increased risk to the Medicaid program.
    (3)(i) The State Medicaid agency is not required to impose such a 
moratorium if the State Medicaid agency determines that imposition of a 
temporary moratorium would adversely affect beneficiaries' access to 
medical assistance.
    (ii) If a State Medicaid agency makes such a determination, the 
State Medicaid agency must notify the Secretary in writing.
    (b)(1) A State Medicaid agency may impose temporary moratoria on 
enrollment of new providers, or impose numerical caps or other limits 
that the State Medicaid agency identifies as having a significant 
potential for fraud, waste, or abuse and that the Secretary has 
identified as being at ``high'' risk for fraud, waste, or abuse.
    (2) Before implementing the moratoria, caps, or other limits, the 
State Medicaid agency must determine that its action would not 
adversely impact beneficiaries' access to medical assistance.
    (3) The State Medicaid agency must notify the Secretary in writing 
in the event the State Medicaid agency imposes such moratoria, 
including all details of the moratoria.
    (c)(1) The State Medicaid agency must impose the moratorium for an 
initial period of 6 months.
    (2) If the State Medicaid agency determines that it is necessary, 
the State Medicaid agency may extend the moratorium in 6-month 
increments.
    (3) Each time, the State Medicaid agency must document in writing 
the necessity for extending the moratorium.

PART 457--ALLOTMENTS AND GRANTS TO STATES

    27. The authority for part 457 continues to read as follows:

    Authority:  Section 1102 of the Social Security Act (42 U.S.C. 
1302).
    28. Section 457.900 is amended by adding a new paragraph (a)(2)(x) 
to read as follows:


Sec.  457.900  Basis, scope and applicability.

    (a) * * *
    (2) * * *
    (x) Sections 1902(a)(77) and 1902(ii) relating to provider and 
supplier screening, oversight, and reporting requirements.
* * * * *
    29. A new Sec.  457.990 is added to subpart I to read as follows:


Sec.  457.990  Provider and supplier screening, oversight and reporting 
requirements.

    The following provisions and their corresponding regulations apply 
to a State under title XXI of the Act, in the same manner as these 
provisions and regulations apply to a State under title XIX of the Act:
    (a) Part 455 Subpart E of this chapter.
    (b) Sections 1902(a)(77) and 1902(ii) of the Act pertaining to 
provider and supplier screening, oversight, and reporting requirements.

PART 498--APPEALS PROCEDURES FOR DETERMINATIONS THAT AFFECT 
PARTICIPATION IN THE MEDICARE PROGRAM AND FOR DETERMINATIONS THAT 
AFFECT THE PARTICIPATION OF ICFs/MR AND CERTAIN NFs IN THE MEDICAID 
PROGRAM

    30. The authority citation for part 498 continues to read as 
follows:

    Authority: Secs. 1102 and 1871 of the Social Security Act (42 
U.S.C. 1302 and 1395hh).

[[Page 58248]]

    31. Section 498.5 is amended by adding a new paragraph (l)(4) to 
read as follows:
* * * * *
    (l) * * *
    (4) Scope of review. For appeals of denials based on Sec.  
424.530(a)(9) related to temporary moratorium, the scope of review will 
be limited to whether the temporary moratoria applies to the provider 
or supplier appealing the denial. The agency's basis for imposing a 
temporary moratorium is not subject to review.

PART 1007--STATE MEDICAID FRAUD CONTROL UNITS

    32. The authority for part 1007 continues to read as follows:

    Authority: 42 U.S.C. 1320 and 1395hh.
    33. Section 1007.9 is amended by adding paragraphs (e) through (g) 
to read as follows:

Sec.  1007.9  Relationship to, and agreement with, the Medicaid agency.

* * * * *
    (e)(1) The unit may refer any provider with respect to which there 
is pending an investigation of a credible allegation of fraud under the 
Medicaid program to the State Medicaid agency for payment suspension in 
whole or part under Sec.  455.23.
    (2) Referrals may be brief, but must be in writing and include 
sufficient information to allow the State Medicaid agency to identify 
the provider and to explain the credible allegations forming the 
grounds for the payment suspension.
    (f) Any request by the unit to the State Medicaid agency to delay 
notification to the provider of a payment suspension under Sec.  455.23 
of this Title must be in writing.
    (g) When the unit accepts or declines a case referred by the State 
Medicaid agency, the unit notifies the State Medicaid agency in writing 
of the acceptance or declination of the case.

(Catalog of Federal Domestic Assistance Program No. 93.778, Medical 
Assistance Program) (Catalog of Federal Domestic Assistance Program 
No. 93.773, Medicare--Hospital Insurance; and Program No. 93.774, 
Medicare--Supplementary Medical Insurance Program)

    Dated: September 13, 2010.
Donald Berwick,
Administrator, Centers for Medicare & Medicaid Services.
    Approved: September 15, 2010.
Kathleen Sebelius,
Secretary.
[FR Doc. 2010-23579 Filed 9-17-10; 11:15 am]
BILLING CODE 4120-01-P