Federal Register, Volume 76 Issue 22 (Wednesday, February 2, 2011)

[Federal Register Volume 76, Number 22 (Wednesday, February 2, 2011)]
[Rules and Regulations]
[Pages 5862-5971]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-1686]

[[Page 5861]]

Vol. 76

Wednesday,

No. 22

February 2, 2011

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

Centers for Medicare & Medicaid Services

-----------------------------------------------------------------------

42 CFR Parts 405, 424, 447 et al.

-----------------------------------------------------------------------

Office of Inspector General

-----------------------------------------------------------------------

42 CFR Part 1007

Medicare, Medicaid, and Children's Health Insurance Programs;
Additional Screening Requirements, Application Fees, Temporary
Enrollment Moratoria, Payment Suspensions and Compliance Plans for
Providers and Suppliers; Final Rule

Federal Register / Vol. 76 , No. 22 / Wednesday, February 2, 2011 /
Rules and Regulations

[[Page 5862]]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Parts 405, 424, 447, 455, 457, and 498

Office of Inspector General

42 CFR Part 1007

[CMS-6028-FC]
RIN 0938-AQ20

AGENCY: Centers for Medicare & Medicaid Services (CMS); Office of
Inspector General (OIG), HHS.

ACTION: Final rule with comment period.

-----------------------------------------------------------------------

SUMMARY: This final rule with comment period will implement provisions
of the ACA that establish: Procedures under which screening is
conducted for providers of medical or other services and suppliers in
the Medicare program, providers in the Medicaid program, and providers
in the Children's Health Insurance Program (CHIP); an application fee
imposed on institutional providers and suppliers; temporary moratoria
that may be imposed if necessary to prevent or combat fraud, waste, and
abuse under the Medicare and Medicaid programs, and CHIP; guidance for
States regarding termination of providers from Medicaid and CHIP if
terminated by Medicare or another Medicaid State plan or CHIP; guidance
regarding the termination of providers and suppliers from Medicare if
terminated by a Medicaid State agency; and requirements for suspension
of payments pending credible allegations of fraud in the Medicare and
Medicaid programs. This final rule with comment period also discusses
our earlier solicitation of comments regarding provisions of the ACA
that require providers of medical or other items or services or
suppliers within a particular industry sector or category to establish
compliance programs.
We have identified specific provisions surrounding our
implementation of fingerprinting for certain providers and suppliers
for which we may make changes if warranted by the public comments
received. We expect to publish our response to those comments,
including any possible changes to the rule made as a result of them, as
soon as possible following the end of the comment period. Furthermore,
we clarify that we are finalizing the adoption of fingerprinting
pursuant to the terms and conditions set forth herein.

DATES: Effective date: These regulations are effective on March 25,
2011. Comment date: We will consider public comments only on the
Fingerprinting Requirements, contained in Sec. Sec. 424.518 and
455.434 and discussed in section II.A.5. of the preamble of this
document, if we receive them at one of the addresses provided below, no
later than 5 p.m. on April 4, 2011.

ADDRESSES: In commenting, please refer to file code CMS-6028-FC.
Because of staff and resource limitations, we cannot accept comments by
facsimile (FAX) transmission.
You may submit comments in one of four ways (please choose only one
of the ways listed):
1. Electronically. You may submit electronic comments on this
regulation to http://www.regulations.gov. Follow the instructions for
``submitting a comment.''
2. By regular mail. You may mail written comments to the following
address ONLY: Centers for Medicare & Medicaid Services, Department of
Health and Human Services, Attention: CMS-6028-FC, P.O. Box 8013,
Baltimore, MD 21244-8013.
Please allow sufficient time for mailed comments to be received
before the close of the comment period.
3. By express or overnight mail. You may send written comments to
the following address ONLY: Centers for Medicare & Medicaid Services,
Department of Health and Human Services, Attention: CMS-6028-FC, Mail
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
4. By hand or courier. If you prefer, you may deliver (by hand or
courier) your written comments before the close of the comment period
to either of the following addresses: a. For delivery in Washington,
DC--Centers for Medicare & Medicaid Services, Department of Health and
Human Services, Room 445-G, Hubert H. Humphrey Building, 200
Independence Avenue, SW., Washington, DC 20201.
(Because access to the interior of the Hubert H. Humphrey Building
is not readily available to persons without Federal government
identification, commenters are encouraged to leave their comments in
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing
by stamping in and retaining an extra copy of the comments being
filed.)
b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid
Services, Department of Health and Human Services, 7500 Security
Boulevard, Baltimore, MD 21244-1850.
If you intend to deliver your comments to the Baltimore address,
please call telephone number (410) 786-9994 in advance to schedule your
arrival with one of our staff members.
Comments mailed to the addresses indicated as appropriate for hand
or courier delivery may be delayed and received after the comment
period.

FOR FURTHER INFORMATION CONTACT: Frank Whelan (410) 786-1302 for
Medicare enrollment issues. Claudia Simonson (312) 353-2115 for
Medicaid and CHIP enrollment issues. Lori Bellan (410) 786-2048 for
Medicaid payment suspension issues and Medicaid termination issues.
Joseph Strazzire (410) 786-2775 for Medicare payment suspension issues.
Laura Minassian-Kiefel (410) 786-4641 for compliance program issues.

SUPPLEMENTARY INFORMATION: Due to the many organizations and terms to
which we refer by acronym in this final rule with comment period, we
are listing these acronyms and their corresponding terms in
alphabetical order below. In addition, we are providing a table of
contents which follows the list of acronyms to assist readers in
referencing sections contained in this preamble.

Acronyms

ABC American Board for Certification in Orthotics and Prosthetics
A/B MAC Part A or Part B Medicare Administrative Contractor
ACA ``Affordable Care Act''
APD Advance planning document
ASC Ambulatory surgical center
BBA Balanced Budget Act of 1997 (Pub. L. 105-33)
BIPA Medicare Medicaid, and SCHIP Benefits Improvement Protection
Act of 2000 (Pub. L. 106-544)
CAH Critical access hospital
CAP Competitive acquisition program
CBA Competitive bidding area
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CJIS Criminal Justice Information Services
CLIA Clinical laboratory improvement amendments
CMHC Community mental health centers
CMS Centers for Medicare & Medicaid Services
CON Certificate of Need
CoP Condition of participation
CORF Comprehensive outpatient rehabilitation facility
CPI-U Consumer price index for all urban consumers
DAB Department Appeal Board

[[Page 5863]]

DEA Drug Enforcement Agency
DHUD Department of Housing and Urban Development
DME Durable medical equipment
DMEPOS Durable medical equipment prosthetics, orthotics, and
supplies
DOB Dates of birth
DOJ Department of Justice
EIN Employer Identification Number
EMTALA Emergency Medical Treatment and Active Labor Act
VIN Vehicle Identifier Number
ESRD End-stage renal disease
EPLS General Service Administration's Excluded Parties List System
FBI Federal Bureau of Investigation
FFP Federal Financial Participation
FFS Medicare fee-for-service program
FQHC Federally qualified health center
GAO Government Accountability Office
HHAs Home health agencies
HHS [Department of] Health and Human Services
HIO Health insuring organization
IAFIS Integrated Automated Fingerprint Identification System
ICF/MR Intermediate care facilities for persons with mental
retardation
IDTF Independent diagnostic testing facility
IHCIA Indian Health Care Improvement Act
IHS Indian Health Service
IHSS In-home supportive services
IPF Inpatient psychiatric facility
IRF Inpatient rehabilitation facility
ISDEAA Indian Self-Determination and Education Assistance Act
LEIE List of Excluded Individuals/Entities
MCEs Managed care entities
MFCU Medicaid fraud control unit
MAO Medicare Advantage organizations
MMA Medicare Prescription Drug, Improvement, and Modernization Act
of 2003 (Pub. L. 108-173)
NASDAQ National Association of Securities Dealers Automated
Quotation System
NF Nursing facility
NPI National Provider Identifier
NPPES National Plan and Provider Enumeration System
NSC National Supplier Clearinghouse
NTIS National Technical Information Service
NPDB National Practitioner Data Bank
NYSE New York Stock Exchange
OIG Office of Inspector General
OMB Office of Management and Budget
OPO Organ procurement organization
PAHP Prepaid ambulatory health plan
PECOS Provider Enrollment, Chain, and Ownership System
PIHP Prepaid inpatient health plan
PSC Program Safeguard Contractors
PTAN Provider transaction account number
RFA Regulatory Flexibility Act
RHC Rural health clinic
RNHCI Religious nonmedical health care institution
SEC Securities and Exchange Commission
SMP Senior Medicare Patrol
SNFs Skilled nursing facilities
SPIA State Program Integrity Assessment
SSA Social Security Administration
SSA DMF Social Security Administration Death Master File
SSN Social Security Number
TTAG Tribal Technical Advisory Group
WAN [FBI CJIS Division's] Wide Area Network
ZPIC Zone Program Integrity Contractors

Table of Contents

I. Background
II. Proposed Provisions and Responses to Public Comments
A. Provider Screening Under Medicare, Medicaid, and CHIP
1. Statutory Changes
2. Summary of Existing Screening Measures
a. Licensure Requirements--Medicare and Medicaid
b. Site Visits--Medicare
c. Database Checks--Medicare
d. Criminal Background Checks--Medicare
e. Medicare MAO Requirements
f. Fingerprinting--Medicare
g. Screening--Medicaid and CHIP
3. General Screening of Providers--Medicare
a. Proposed Screening Requirements
(1) Limited
(2) Moderate
(3) High
b. Analysis of and Responses to Public Comment on Medicare
Screening Categories
c. Final Screening Provision--Medicare
4. General Screening of Providers--Medicaid and CHIP: Proposed
Provisions and Analysis of and Responses to Public Comments
a. Database Checks--Medicaid and CHIP
b. Unscheduled and Unannounced Site Visits--Medicaid and CHIP
c. Provider Enrollment and Provider Termination--Medicaid and
CHIP
d. Criminal Background Checks and Fingerprinting--Medicaid and
CHIP
e. Deactivation and Reactivation of Provider Enrollment--
Medicaid and CHIP
f. Enrollment and NPI of Ordering or Referring Providers--
Medicaid and CHIP
g. Other State Screening--Medicaid and CHIP
h. Final Screening Provisions--Medicaid and CHIP
5. Solicitation of Additional Comments Regarding the
Implementation of the
Fingerprinting Requirements
B. Application Fee--Medicare, Medicaid, and CHIP
1. Statutory Changes
2. Proposed Application Fee Provisions
C. Temporary Moratoria on Enrollment of Medicare Providers and
Suppliers, Medicaid and CHIP Providers
1. Statutory Changes
2. Proposed Temporary Moratoria Provisions
a. Medicare
b. Medicaid and CHIP
3. Analysis of and Responses to Public Comment
4. Final Temporary Moratoria on Enrollment of Medicare Providers
and Suppliers, Medicaid and CHIP Provisions
D. Suspension of Payments
1. Medicare
a. Background
b. Previous Medicare Regulations
c. Proposed Medicare Suspension of Payments Requirements
2. Medicaid
a. Background
b. Previous Medicaid Regulations
c. Proposed Medicaid Suspension of Payments Requirements
E. Proposed Approach and Solicitation of Comments for Sections
6102 and 6401(a) of the Affordable Care Act--Ethics and Compliance
Program
1. Statutory Changes
2. Proposed Ethics and Compliance Program Provisions
3. Analysis of and Responses to Public Comment
4. Final Provisions--Ethics and Compliance Program
F. Termination of Provider Participation Under the Medicaid
Program and CHIP if Terminated Under the Medicare Program or Another
State Medicaid Program or CHIP
1. Statutory Change
2. Proposed Provisions for Termination of Provider Participation
Under the Medicaid Program and CHIP if Terminated Under the Medicare
Program or Another State Medicaid Program or CHIP
3. Analysis of and Responses to Public Comment
4. Final Provisions for Termination of Provider Participation
Under the Medicaid Program and CHIP if Terminated Under the Medicare
Program or Another State Medicaid Program or CHIP
G. Additional Medicare Provider Enrollment Provisions
1. Statutory Changes
2. Proposed Provisions for Additional Medicare Provider
Enrollment
3. Analysis of and Response to Public Comments
4. Final Provisions for Additional Medicare Provider Enrollment
H. Technical and General Comments
III. Collection of Information Requirements
A. ICRs Regarding Medicare Application Fee Hardship Exception
(Sec. 424.514)
B. ICRs Regarding Medicare Fingerprinting Requirement (Sec.
424.518)
C. ICRs Regarding Medicaid Fingerprinting Requirement (Sec.
455.434)
D. ICRs Regarding Suspension of Payments in Cases of Fraud or
Willful Misrepresentation (Sec. 455.23)
E. ICRs Regarding Collection of SSNs and DOBs for Medicaid and
CHIP providers (Sec. 455.104)
F. ICRs Regarding Site Visits for Medicaid-Only or CHIP-Only
Providers (Sec. 455.450)
G. ICRs Regarding the Rescreening of Medicaid Providers Every 5
Years (Sec. 455.414).
IV. Response to Comments
V. Regulatory Impact Analysis
A. Statement of Need
B. Overall Impact
C. Anticipated Effects
1. Medicare
a. Enhanced Screening Procedures--Medicare
b. Application Fee--Medicare

[[Page 5864]]

c. General Enrollment Framework
(1) New Enrollment
(2) Revalidation
2. Medicaid
a. Enhanced Screening Procedures
b. Application Fee--Medicaid
c. General Enrollment Framework
(1) New Enrollments
(2) Re-enrollment
3. Medicare and Medicaid
a. Moratoria on Enrollment of New Medicare Providers and
Suppliers and Medicaid Providers
b. Suspension of Payments in Medicare and Medicaid
D. Accounting Statement and Table
1. Medicare
2. Medicaid
E. Alternatives Considered
1. General Burden Minimization Efforts
2. Fingerprinting
3. Other Suggested Alternatives
F. Conclusion
Regulations Text

I. Background

The Medicare program (title XVIII of the Social Security Act (the
Act)) is the primary payer of health care for 47 million enrolled
beneficiaries. Under section 1802 of the Act, a beneficiary may obtain
health services from an individual or an organization qualified to
participate in the Medicare program. Qualifications to participate are
specified in statute and in regulations (see, for example, sections
1814, 1815, 1819, 1833, 1834, 1842, 1861, 1866, and 1891 of the Act;
and 42 CFR Chapter IV, subchapter G, which concerns standards and
certification requirements).
Providers and suppliers furnishing services must comply with the
Medicare requirements stipulated in the Act and in our regulations.
These requirements are meant to ensure compliance with applicable
statutes, as well as to promote the furnishing of high quality care. As
Medicare program expenditures have grown, we have increased our efforts
to ensure that only qualified individuals and organizations are allowed
to enroll or maintain their Medicare billing privileges.
The Medicaid program (title XIX of the Act) is a joint Federal and
State health care program for eligible low-income individuals providing
coverage to more than 51 million people. States have considerable
flexibility in how they administer their Medicaid programs within a
broad Federal framework and programs vary from State to State.
The Children's Health Insurance Program (CHIP) (title XXI of the
Act) is a joint Federal and State health care program that provides
health care coverage to more than 7.7 million otherwise uninsured
children.
Historically, States, in operating Medicaid and CHIP, have
permitted the enrollment of providers who meet the State requirements
for program enrollment.
The Patient Protection and Affordable Care Act (Pub. L. 111-148),
as amended by the Health Care and Education Reconciliation Act of 2010
(Pub. L. 111-152) (collectively known as the Affordable Care Act or
ACA) makes a number of changes to the Medicare and Medicaid programs
and CHIP that enhance the provider and supplier enrollment process to
improve the integrity of the programs to reduce fraud, waste, and abuse
in the programs.
The following is an overview of some of the statutory authority
relevant to enrollment in Medicare, Medicaid, and CHIP:
Sections 1102 and 1871 of the Act provide general
authority for the Secretary of Health and Human Services (the
Secretary) to prescribe regulations for the efficient administration of
the Medicare program. Section 1102 of the Act also provides general
authority for the Secretary to prescribe regulations for the efficient
administration of the Medicaid program and CHIP.
Section 4313 of the Balanced Budget Act of 1997 (BBA)
(Pub. L. 105-33) amended sections 1124(a)(1) and 1124A of the Act to
require disclosure of both the Employer Identification Number (EIN) and
Social Security Number (SSN) of each provider or supplier, each person
with ownership or control interest in the provider or supplier, any
subcontractor in which the provider or supplier directly or indirectly
has a 5 percent or more ownership interest, and any managing employees
including directors and officers of corporations and non-profit
organizations and charities. The ``Report to Congress on Steps Taken to
Assure Confidentiality of Social Security Account Numbers as required
by the Balanced Budget Act'' was signed by the Secretary and sent to
the Congress on January 26, 1999. This report outlines the provisions
of a mandatory collection of SSNs and EINs effective on or after April
26, 1999.
Section 936(a)(2) of the Medicare Prescription Drug,
Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173)
amended the Act to require the Secretary to establish a process for the
enrollment of providers of services and suppliers. We are authorized to
collect information on the Medicare enrollment application (that is,
the CMS-855, (Office of Management and Budget (OMB) approval number
0938-0685)) to ensure that correct payments are made to providers and
suppliers under the Medicare program as established by title XVIII of
the Act.
Section 1902(a)(27) of the Act provides general authority
for the Secretary to require provider agreements under the Medicaid
State Plans with every person or institution providing services under
the State plan. Under these agreements, the Secretary may require
information regarding any payments claimed by such person or
institution for providing services under the State plan.
Section 2107(e) of the Act, which provides that certain
title XIX and title XI provisions apply to States under title XXI,
including 1902(a)(4)(C) of the Act, relating to conflict of interest
standards.
Section 1903(i)(2) of the Act relating to limitations on
payment.
Section 1124 of the Act relating to disclosure of
ownership and related information.
Sections 6401, 6402, 6501, and 10603 of the ACA and 1304
of the Health Care and Education Reconciliation Act (Pub. L. 111-152)
amended the Act by establishing: (1) Procedures under which screening
is conducted for providers of medical or other services and suppliers
in the Medicare program, providers in the Medicaid program, and
providers in the CHIP; (2) an application fee to be imposed on
providers and suppliers; (3) temporary moratoria that the Secretary may
impose if necessary to prevent or combat fraud, waste, and abuse under
the Medicare and Medicaid programs and CHIP; (4) requirements that
State Medicaid agencies must terminate any provider that is terminated
by Medicare or another State plan; (5) requirements for suspensions of
payments pending credible allegations of fraud in both the Medicare and
Medicaid programs.

II. Proposed Provisions and Responses to Public Comments

We received approximately 300 timely pieces of correspondence
containing multiple comments on the Additional Screening Requirements,
Application Fees, Temporary Enrollment Moratoria, Payment Suspensions
and Compliance Plans for Providers and Suppliers proposed rule
published September 23, 2010 (75 FR 58204). We note that we received
some comments that were outside the scope of the proposed rule. These
comments are not addressed in this final rule with comment period.
Summaries of the public comments that are within the scope of the
proposals and our responses to those comments are set forth in the
various sections of this final rule with comment period under the
appropriate headings.

[[Page 5865]]

A. Provider Screening Under Medicare, Medicaid, and CHIP

1. Statutory Changes
Section 6401(a) of the ACA, as amended by section 10603 of the ACA,
amends section 1866(j) of the Act to add a new paragraph, paragraph
``(2) Provider Screening.'' Section 1866(j)(2)(A) of the Act requires
the Secretary, in consultation with the Department of Health of Human
Services' Office of the Inspector General (HHS OIG), to establish
procedures under which screening is conducted with respect to providers
of medical or other items or services and suppliers under Medicare,
Medicaid, and CHIP. Section 1866(j)(2)(B) of the Act requires the
Secretary to determine the level of screening to be conducted according
to the risk of fraud, waste, and abuse with respect to the category of
provider of medical or other items or services or supplier. The
provision states that the screening shall include a licensure check,
which may include such checks across State lines; and the screening
may, as the Secretary determines appropriate based on the risk of
fraud, waste, and abuse, include a criminal background check;
fingerprinting; unscheduled or unannounced site visits, including pre-
enrollment site visits; database checks, including such checks across
State lines; and such other screening as the Secretary determines
appropriate. Section 1866(j)(2)(C) of the Act requires the Secretary to
impose a fee on each institutional provider of medical or other items
or services or supplier that would be used by the Secretary for program
integrity efforts including to cover the cost of screening and to carry
out the provisions of sections 1866(j) and 1128J of the Act. We
discussed the fee in section II.B. of the proposed rule.
Section 6401(b) of the ACA amends section 1902 of the Act to add
new paragraph (a)(77) and (ii), which requires States to comply with
the process for screening providers and suppliers as established by the
Secretary under 1866(j)(2) of the Act.\1\ Note that section 6401(b) of
the ACA erroneously added a duplicate section 1902(ii) to the Act.
Therefore, in the Medicare and Medicaid Extenders Act of 2010 (Pub. L.
111-309), the Congress enacted a technical correction to redesignate
the section 1902(ii) of the Act added by section 6401(b) of ACA as
section 1902(kk) of the Act. In this regulation, we therefore reference
section 1902(kk) of the Act when referring to the provisions added by
section 6401(b) of the ACA.
---------------------------------------------------------------------------

\1\ We believe that the reference to section 1886(j)(2) of the
Act in section 6401(b)(1) of the ACA is a scrivener's error. We
believe the Congress intended to refer to section 1866(j)(2) of the
Act, which, as amended by section 6401(a) of the ACA, requires the
Secretary to establish a process for screening providers and
suppliers. Because the drafting error is apparent, and a literal
reading of the reference to section 1886(j)(2) of the Act would
produce absurd results, we interpret the cross-reference to section
1886(j)(2) in the new section 1902(kk) of the Act as if the
reference were to section 1866(j)(2).
---------------------------------------------------------------------------

We noted in the proposed rule that the statute uses the terms
``providers of medical or other items or services,'' ``institutional
providers,'' and ``suppliers.'' The Medicare program enrolls a variety
of providers and suppliers, some of which are referred to as
``providers of services,'' ``institutional providers,'' ``certified
providers,'' ``certified suppliers,'' and ``suppliers.'' In Medicare,
the term ``providers of services'' under section 1861(u) of the Act
means health care entities that furnish services primarily payable
under Part A of Medicare, such as hospitals, home health agencies
(including home health agencies providing services under Part B),
hospices, and skilled nursing facilities. The term ``suppliers''
defined in section 1861(d) of the Act refers to health care entities
that furnish services primarily payable under Part B of Medicare, such
as independent diagnostic testing facilities (IDTFs), durable medical
equipment prosthetics, orthotics, and supplies (DMEPOS) suppliers, and
eligible professionals, which refers to health care suppliers who are
individuals, that is, physicians and the other professionals listed in
section 1848(k)(3)(B) of the Act. For Medicaid and CHIP, we use the
terms ``providers'' or ``Medicaid providers'' or ``CHIP providers''
when referring to all Medicaid or CHIP health care providers, including
individual practitioners, institutional providers, and providers of
medical equipment or goods related to care. The term ``supplier'' has
no meaning in the Medicaid program or CHIP.
The new screening procedures implemented pursuant to new section
1866(j)(2) of the Act are applicable to newly enrolling providers and
suppliers, including eligible professionals, beginning on March 25,
2011. These new procedures are applicable to currently enrolled
Medicare, Medicaid, and CHIP providers, suppliers, and eligible
professionals beginning on March 23, 2012. These new screening
procedures implemented pursuant to new section 1866(j)(2) of the Act
are applicable beginning on March 25, 2011 for those providers and
suppliers currently enrolled in Medicare, Medicaid, and CHIP who
revalidate their enrollment information. Within Medicare, the March 25,
2011 implementation date will impact those current providers and
suppliers whose 5-year revalidation cycle (or 3-year revalidation cycle
for DMEPOS suppliers) results in revalidation occurring on or after
March 25, 2011 and before March 23, 2012.
The requirements for revalidation are discussed in Sec. 424.515.
It is important to note that revalidation--for purposes of both
provider enrollment in general and this final rule with comment
period--does not include routine changes of information as described in
Sec. 424.516(d) and (e), such as address changes or changes in phone
number.
2. Summary of Existing Screening Measures
Before we outline the new measures we are finalizing under the ACA,
it may be helpful to provide a summary of some of the screening
measures already being utilized in Medicare, Medicaid, and CHIP.
Pursuant to other authority, but with the notable exception of
background checks and fingerprinting, Medicare, generally through
private contractors, already employs a number of the screening
practices described in section 1866(j)(2)(B) of the Act to determine if
a provider or supplier is in compliance with Federal and State
requirements to enroll or to maintain enrollment in the Medicare
program.
We also believe it important to note that nothing in this rule is
intended to abridge our established screening authority under existing
statutes and regulations or to diminish the screening that providers
and suppliers currently undergo. To the contrary; the provisions
specified in this final rule with comment period are intended to
enhance our existing authority. This rule's provisions, in other words,
set ``floors''--not ceilings--on enrollment requirements for each
screening level.
a. Licensure Requirements--Medicare and Medicaid
Over the past several years, we have taken a number of steps to
strengthen our ability to deny or revoke Medicare billing privileges
when providers or suppliers do not have or do not maintain the
applicable State licensure requirements for their provider or supplier
type or profession. We established reporting responsibilities for all
providers, suppliers, and eligible professionals in earlier regulations
at Sec. 424.516(b) through (e). To ensure that only qualified
providers and suppliers remain in the Medicare fee-for-service (FFS)
program, we require that Medicare

[[Page 5866]]

contractors review State licensing board data on a monthly basis to
determine if providers and suppliers remain in compliance with State
licensure requirements. Medicare billing privileges would be revoked
for those providers and suppliers who do not report a final adverse
action (for example, license revocation or suspension, felony
conviction) within the applicable reporting period, as required in
Sec. 424.516(b) through (e). Medicare suppliers of DMEPOS and IDTFs
are already subject to similar provisions in Sec. 424.57(c) and Sec.
410.33(g), respectively. DMEPOS suppliers are also subject to
additional requirements including accreditation and surety bonding,
pursuant to Sec. 424.57(c)(22) through (26) and Sec. 424.57(d).
Medicare Advantage organizations (MAOs) are required to verify
licensure of providers and suppliers, including physicians and other
health care professionals, in accordance with Sec. 422.204.
For Medicaid and CHIP, most States do some checking of in-State
provider licenses, but the extent of scrutiny varies. For example, in
some States, the existence of the license may be verified, but little
attention might be given to any restrictions on the license.
b. Site Visits--Medicare
Pursuant to Sec. 424.517, Medicare conducts the following site
visits and takes the following actions, generally through private
contractors under CMS direction:
The National Supplier Clearinghouse (NSC) Medicare
Administrative Contractor (the Medicare contractor that processes
enrollment applications for suppliers of DMEPOS) conducts pre-
enrollment site visits to DMEPOS suppliers that are not associated with
a chain supplier of DMEPOS (a chain supplier of DMEPOS is a supplier
with 25 or more distinct practice locations.)
The NSC also conducts unannounced post-enrollment site
visits to DMEPOS suppliers for which CMS or the NSC believes there is a
likelihood of fraudulent or abusive activities to ensure those DMEPOS
suppliers remain in compliance with the supplier standards found at
Sec. 424.57(c). CMS at times exercises its right to--
Have the NSC conduct ad hoc pre- and post-enrollment site
visits to any DMEPOS supplier;
Have Medicare contractors conduct pre-enrollment site
visits to all IDTFs; and
Conduct ad hoc pre-and post enrollment site visits to any
prospective Medicare provider and supplier or any enrolled Medicare
provider or supplier.
In addition, under 42 CFR parts 488 and 489, a State survey agency
or an approved national accreditation organization with deeming
authority conducts pre-enrollment surveys for certified providers and
suppliers to determine whether they meet the applicable Federal
conditions and requirements for their provider or supplier type before
they can participate in the Medicare program.
We note that the site visits discussed here and elsewhere within
this preamble and the final regulations are separate and apart from the
site visits that are conducted pursuant to the Clinical Laboratory
Improvement Amendments (CLIA). We will work with our State survey
agency partners in coordinating these site visits so as to avoid
duplication and burden on providers.
c. Database Checks--Medicare
Under existing regulation, Medicare contractors employ database
checks of eligible professionals, owners, authorized officials,
delegated officials, managing employees, medical directors, and
supervising physicians (at IDTFs and laboratories) as part of the
Medicare provider and supplier enrollment process. These include
database checks with the Social Security Administration (SSA) (to
verify an individual's SSN), the National Plan and Provider Enumeration
System (NPPES) to verify the National Provider Identifier (NPI) of an
eligible professional, and State licensing board checks to determine if
an eligible professional is appropriately licensed to furnish medical
services within a given State. These checks also include checking a
provider or supplier against the HHS OIG's List of Excluded
Individuals/Entities (LEIE) and the General Service Administration's
Excluded Parties List System (EPLS). All of the database checks have
been used to assess the eligibility and qualifications of providers and
suppliers to enroll in the Medicare program, to confirm the identity of
an eligible professional to ensure that he or she may be considered for
enrollment in the Medicare program.
Also, on a monthly basis, CMS' Medicare contractors systematically
compare enrolled providers, suppliers, and eligible professionals
against the information in the Medicare Exclusions Database. The
Medicare Exclusions Database identifies providers, suppliers, and
eligible professionals who have been excluded from the Medicare and
Medicaid programs by the HHS OIG. When a match is found, the HHS OIG
exclusion information is systematically noted in the Medicare
enrollment record of the provider, supplier, or eligible professional.
In the Medicare program, we deny or revoke the billing privileges of
providers, suppliers, and eligible professionals who have been excluded
by the HHS OIG. If the HHS OIG lifts the exclusion, the provider,
supplier or eligible professional must reapply for enrollment in the
Medicare program. In addition, Medicare contractors also review State
licensure Web sites on a monthly basis to ensure that eligible
professionals continue to meet State licensing requirements.
In addition, since January 2009, we have compared date of death
information obtained from the Social Security Administration Death
Master File (SSA DMF) with the information maintained in the National
Plan and Provider Enumeration System (NPPES), the system that assigns
an NPI to individuals and organizations. Based on this comparison and
the subsequent verification, we have deactivated the NPIs of more than
11,500 individuals who were previously assigned a type 1 (individual)
NPI. We automatically transfer this information from NPPES to the
Provider Enrollment, Chain, and Ownership System (PECOS), CMS' national
Medicare enrollment repository to deactivate a deceased individual's
Medicare billing privileges. In addition, Medicare contractors are
required to review and act upon monthly files that contain a list of
non-practitioner individuals enrolled in the Medicare program who have
been reported to the SSA as deceased. These individuals include:
Owners, authorized officials, and delegated officials.
MAOs, as required by Sec. 422.204, generally use database checks
to verify licensure and licensure sanctions and limitations with State
licensing boards and the Federation of State Medical Boards, DEA
certificates with the National Technical Information Service (NTIS),
history of adverse professional review actions and malpractice from the
National Practitioner Data Bank (NPDB), accreditation status of
institutional providers and suppliers with national accrediting boards,
such as The Joint Commission (TJC), and search for HHS OIG exclusions
using the HHS OIG Web site http://oig.hhs.gov/fraud/exclusions/exclusions_list.asp.
d. Criminal Background Checks--Medicare
Section 6401(a) of the ACA amended Section 1866(j) of the Act
authorized the Secretary to perform criminal background checks. As
described in Sec. 424.530(a) and Sec. 424.535(a), CMS or its

[[Page 5867]]

designated Medicare contractor may deny or revoke the Medicare billing
privileges of the owner of a provider or supplier, a physician or non-
physician practitioner, and terminate any corresponding provider or
supplier agreement for a number of reasons, including an exclusion from
the Medicare, Medicaid, and any other Federal health care program, a
felony within the preceding 10 years that is considered detrimental to
the Medicare program, and/or submission of false or misleading
information on the Medicare enrollment application. While we require
our Medicare contractors to verify data submitted on, and as part of,
the Medicare provider/supplier enrollment application, our contractors
are not able to verify information that may have been purposefully
omitted or changed in a manner to obfuscate any previous criminal
activity. A 2005 report issued by the National Task Force on the
Criminal Backgrounding of America, sponsored by the Bureau of Justice
Statistics and the U.S. Department of Justice, defined a Criminal
History Record Check as a check that returns records from official
criminal repositories (meaning State repositories and the Federal
Bureau of Investigations (FBI) Interstate Identification Index that
links Federal and State criminal record systems), and the FBI uses the
same terminology. For purposes of responding to comments in this
document we use the term criminal history record check to mean criminal
background checks when referring to such fingerprint-based checks.
Criminal History Record Checks have not been historically used in the
FFS Medicare enrollment screening process.
e. Medicare MAO Requirements
As mentioned earlier in this section, MAOs already employ a number
of screening procedures in accordance with regulations and CMS manual
instructions. Specifically, under Sec. 422.204(b)(3) in the case of
providers meeting the definition of ``provider of services'' in section
1861(u) of the Act, basic benefits may only be provided through
providers if they have a provider agreement with us permitting them to
furnish services under original Medicare. With respect to other
entities like suppliers, Sec. 422.204(b)(3) requires that they ``meet
the applicable requirements of title XVIII and Part A of title XI of
the Act.'' Given these requirements we considered to what extent MAOs
would be required to apply the identical screening requirements we
proposed for the original Medicare program or whether substantively
similar alternative approaches adopted by MAOs would be acceptable.
Accordingly, we solicited public comments on whether or to what extent
MAOs should be required to implement the same enhanced screening
requirements for providers, suppliers and physicians that we proposed
for the original Medicare program.
f. Fingerprinting--Medicare
Previous to this final rule with comment period fingerprinting and
fingerprint-based criminal history record information from the FBI was
not used in the Medicare enrollment screening process.
g. Screening--Medicaid and CHIP
States vary in the degree to which they employ screening methods
such as unscheduled and unannounced site visits and database checks,
including such checks across State lines, criminal background checks,
and fingerprinting. However, at least a few States utilize each of
those methods.
States also varied in what they require their managed care entities
(MCEs) \2\ to do in terms of screening network-level providers that are
not also enrolled in the Medicaid program as FFS providers. We
considered to what extent States must require their MCEs to apply the
identical screening requirements we proposed for the States or whether
substantively similar alternative approaches adopted by MCEs are
acceptable. Accordingly, we solicited public comments on whether or to
what extent MCEs should be required to implement the same enhanced
screening requirements for Medicaid and CHIP providers that we proposed
for State Medicaid and CHIP programs.
---------------------------------------------------------------------------

\2\ For purposes of this preamble and the final regulations,
``managed care entity'' and ``MCE'' will have the meaning Medicaid
managed care organization (MCO), primary care case manager (PCCM),
prepaid inpatient health plan (PIHP), prepaid ambulatory health plan
(PAHP), and health insuring organization (HIO). This definition
differs from the meaning in section 1932(a)(1)(B) of the Social
Security Act, which limits MCEs to Medicaid MCOs and PCCMs. We are
using a more inclusive definition for the regulation so that all
those entities in States' managed care programs will provide
disclosure information.
---------------------------------------------------------------------------

We again stress that the provider enrollment verification tools
that we are currently using--including, but not limited to, those
described previously--will not in any way be diminished as a result of
this final rule with comment period. In other words, the validation
techniques in this rule do not supplant those that are presently in
use.
3. General Screening of Providers--Medicare
a. Proposed Screening Requirements
Section 1866(j)(2)(B) of the Act requires the Secretary to
determine the level of screening applicable to providers and suppliers
according to the risk of fraud, waste, and abuse the Secretary
determines is posed by particular provider and supplier categories.
In considering how to establish consistent screening standards, we
proposed to designate provider and supplier categories that are subject
to certain screening procedures based on CMS' assessment of fraud,
waste and abuse risk of the provider or supplier category, taking into
consideration a variety of factors. These factors include our own
experience with claims data used to identify fraudulent billing
practices as well as the expertise developed by our contractors charged
with investigating and identifying instances of Medicare fraud across a
broad spectrum of providers. In addition, CMS has relied on insights
gained from numerous studies conducted by the HHS-OIG, GAO, and other
sources. We have designated categories of providers or suppliers (for
example, ``newly enrolling DME suppliers'' or ``currently enrolled home
health agencies'') that are subject to screening procedures based on
our assessment of the level of screening based on the risk presented by
the category of provider. There are three levels of screening and
associated risk: ``limited,'' ``moderate'' and ``high,'' and each
provider/supplier category is assigned to one of these three screening
levels. The categories described below and associated risk levels
assigned are designed to identify those categories of providers and
suppliers that pose a risk of fraud, waste, and abuse.
The screening procedures applicable to each screening level are set
by us and are included in this final rule with comment period. Under
this approach, the relevant Medicare contractor (for example, fiscal
intermediary, regional home health intermediary, carriers, Part A or
Part B Medicare Administrative Contractor (A/B MAC), or the NSC
Administrative Contractor) would utilize the screening tools mandated
by us for the screening level assigned to a particular provider or
supplier category.
We solicited comments on the proposed assignment of specific
provider and supplier types to the proposed risk screening levels,
including what criteria should be considered in making such
assignments, whether such assignments should be

[[Page 5868]]

released publicly, whether they should be subject to agency review and
updated according to an established schedule (that is, annually, bi-
annually), and the extent to which they should be updated according to
evolving risks. We also solicited comments on any additional database
checks that we should consider as a type of screening.
Based on the level of screening assigned, we proposed that the
Medicare contractors would establish and conduct the following
categorical screenings.

Table 1--Proposed Screening Levels and Procedures for Medicare Physicians, Non-Physician Practitioners,
Providers, and Suppliers
----------------------------------------------------------------------------------------------------------------
Type of screening required Limited Moderate High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier[dash]specific X X X
requirements established by Medicare........................
Conduct license verifications, (may include licensure checks X X X
across States)..............................................
Database Checks (to verify Social Security Number (SSN), the X X X
National Provider Identifier (NPI), the National
Practitioner Data Bank (NPDB) licensure, an OIG exclusion;
taxpayer identification number; tax delinquency; death of
individual practitioner, owner, authorized official,
delegated official, or supervising physician)...............
Unscheduled or Unannounced Site Visits....................... ............... X X
Criminal Background Check.................................... ............... ............... X
Fingerprinting............................................... ............... ............... X
----------------------------------------------------------------------------------------------------------------

As described previously, we already require Medicare contractors to
ensure that every provider or supplier meets any applicable Federal
regulations or State requirements, including applicable licensure
requirements \3\ for the provider or supplier type prior to making an
enrollment determination. In addition, we also require that Medicare
contractors conduct monthly reviews of State licensing board actions to
determine if an individual practitioner, such as a physician or non-
physician practitioner continues to meet State licensing requirements.
In the case of organizational entities, we also require our Medicare
contractors to conduct monthly or periodic checks to determine if an
organizational entity continues to meet the Federal and State
requirements for its provider or supplier type. Such verifications help
ensure that a prospective provider or supplier is eligible to
participate in the Medicare program or that an existing provider or
supplier is eligible to maintain its Medicare billing privileges.
---------------------------------------------------------------------------

\3\ We note that under section 408 of the reauthorized Indian
Health Care Improvement Act, ``[a]ny requirement for participation
as a provider of health care services under a Federal health care
program that an entity be licensed or recognized under the State or
local law where the entity is located to furnish health care
services shall be deemed to have been met in the case of an entity
operated by the [Indian Health] Service, an Indian tribe, tribal
organization, or urban Indian organization if the entity meets all
the applicable standards for such licensure or recognition,
regardless of whether the entity obtains a license or other
documentation under such State or local law.'' 25 U.S.C. 1647a.
---------------------------------------------------------------------------

Previous to this final rule with comment period, in the Medicare
program, DMEPOS suppliers were required to re-enroll every 3 years, and
other providers were required to revalidate their enrollment every 5
years. The terms revalidation and re-enrollment were often used
interchangeably, but are actually specific to these provider types. To
eliminate any confusion about which term applies to which provider or
supplier, we proposed language at Sec. 424.57(e) to change all
references from re-enroll or re-enrollment to revalidate or
revalidation. In addition, the ACA requires that no provider or
supplier shall be allowed to enroll in Medicare or revalidate its
enrollment in Medicare after March 23, 2013 without being screened
pursuant to the authorities covered by this final rule with comment
period. To assist us in assuring that the statutory effective date is
met, we proposed at Sec. 424.515 to permit us to require that a
provider or supplier revalidate its enrollment at any time. After the
revalidation, the current cycle for revalidation (3 years for DMEPOS,
and 5 years for all other providers) would apply.
(1) Limited
Based on our own analysis of historical trends and our own
experience with provider screening and enrollment we proposed that, as
a category, the following providers and suppliers pose a limited risk
to the Medicare program: Physician or non-physician practitioners and
medical groups or clinics; providers or suppliers that are publicly
traded on the NYSE or NASDAQ; ambulatory surgical centers (ASCs); end-
stage renal disease (ERSD) facilities; Federally qualified health
centers (FQHCs); histocompatibility laboratories; hospitals, including
critical access hospitals (CAHs); Indian Health Service (IHS)
facilities; mammography screening centers; organ procurement
organizations (OPOs); mass immunization roster billers, portable x-ray
suppliers; religious nonmedical health care institutions (RNHCIs);
rural health clinics (RHCs); radiation therapy centers; skilled nursing
facilities (SNFs), and public or government-owned ambulance services
suppliers.
In Sec. 424.518(a), we proposed that the following screening tools
will apply to providers and suppliers in categories designated as
limited risk: (1) Verification that a provider or supplier meets any
applicable Federal regulations, or State requirements for the provider
or supplier type prior to making an enrollment determination; (2)
verification that a provider or supplier meets applicable licensure
requirements; and (3) database checks on a pre- and post-enrollment
basis to ensure that providers and suppliers continue to meet the
enrollment criteria for their provider/supplier type.
To assist readers in understanding the type of providers and
suppliers that we proposed to include in the limited risk screening
level, we are providing the following table.

Table 2--Proposed Medicare Providers and Suppliers Designated as a
``Limited'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Physician or non[dash]physician practitioners and medical groups or
clinics.
Providers or suppliers that are publicly traded on the NYSE or NASDAQ.

[[Page 5869]]

Ambulatory surgical centers, end[dash]stage renal disease facilities,
Federally qualified health centers, histocompatibility laboratories,
hospitals, including critical access hospitals, Indian Health Service
facilities, mammography screening centers, organ procurement
organizations, mass immunization roster billers, portable x[dash]ray
supplier, religious non[dash]medical health care institutions, rural
health clinics, radiation therapy centers, skilled nursing facilities,
and public or government[dash]owned or [dash]affiliated ambulance
service suppliers.
------------------------------------------------------------------------

(2) Moderate
Based on our experience, we proposed that community mental health
centers (CMHCs); comprehensive outpatient rehabilitation facilities
(CORFs); hospice organizations; independent diagnostic testing
facilities (IDTFs); independent clinical laboratories; and non-public,
non-government owned or affiliated ambulance services suppliers pose a
moderate risk to the Medicare program. However, we provided that any
such provider or supplier that is publicly traded on the NYSE or NASDAQ
would be considered limited risk. Furthermore, we proposed that
currently enrolled (revalidating) home health agencies would be
considered ``moderate'' risk, except any such provider that is publicly
traded on the NYSE or NASDAQ would be considered limited risk. Finally,
we proposed that currently enrolled (re-validating) suppliers of DMEPOS
pose a moderate risk, except that any such supplier that is publicly
traded on the NYSE or NASDAQ would be considered ``limited'' risk. We
provide our rationale for these categories in this section below.
For those provider and supplier categories in the ``moderate''
screening level, we proposed that Medicare contractors would conduct
unannounced pre- and/or post-enrollment site visits in addition to
those screening tools applicable to the limited level of screening.
Based on the success of pre-and/or post enrollment site visits
conducted by the NSC during the enrollment process for suppliers of
DMEPOS and a similar process established by carriers and A/B MACs
during the enrollment of IDTFs, we believe that unscheduled and
unannounced pre-and post-enrollment site visits help ensure that
suppliers are operational and meet applicable supplier standards or
performance standards. In addition, we believe that unscheduled and
unannounced pre-and post-enrollment site visits are an essential tool
in determining whether a provider or supplier is in compliance with its
reporting responsibilities, including the requirement in Sec. 424.516
to notify the Medicare contractor of any change of practice location.
Moreover, Sec. 424.530(a)(5) and Sec. 424.535(a)(5) give us the
authority to deny or revoke Medicare billing privileges for providers
and suppliers if the provider or supplier is not operational or the
provider does not maintain the established provider or supplier
performance standards. And while we do not believe that unscheduled or
unannounced site visits are necessary for all providers and suppliers,
we do believe that a number of businesses, like the ones mentioned
below, pose an increased risk to the Medicare program, due at least in
part to the lack of individual professional licensure.
In addition, as discussed below, we have found that certain types
of providers and suppliers that easily enter a line or business without
clinical or business experience--for example, by leasing minimal office
space and equipment--present a higher risk of possible fraud to our
programs. As such, we believe that because these types of providers
pose an increased risk of fraud they should be subject to substantial
scrutiny before being permitted to enroll and bill Medicare, Medicaid,
or CHIP. This type of pre-enrollment scrutiny will help us move away
from the ``pay and chase'' approach.
Most of the provider and supplier categories in the moderate
screening level are generally highly dependent on Medicare, Medicaid,
or CHIP to pay their salaries and other operating expenses and are
subject to less additional government or professional oversight than
the providers and suppliers in the limited risk screening level.
Accordingly, we believe it is appropriate and necessary to conduct
unscheduled and unannounced pre-enrollment site visits to ensure that
these prospective providers and suppliers meet our enrollment
requirements prior to enrolling in the Medicare program. Moreover, we
believe that post-enrollment site visits are also important to ensure
that the enrolled provider or supplier remains a viable health care
provider or supplier in the Medicare program.
Accordingly, we proposed in Sec. 424.518(b) that in addition to
the categorical screening tools used with respect to limited risk
providers and suppliers, Medicare contractors would conduct unannounced
and unscheduled site visits prior to enrolling the providers and
suppliers assigned to the moderate risk screening level, as set forth
earlier in this Section.
In the proposed rule, we set forth our rationale for the assessment
of risk ascribed to the providers and suppliers assigned to the
``moderate'' level of screening. First, we noted that HHS OIG and GAO
have issued studies indicating that several of the provider and
supplier types cited previously pose an elevated risk of fraud, waste
and abuse to the Medicare and Medicare programs and CHIP. In an October
2007 report titled, ``Growth in Advanced Imaging Paid under the
Medicare Physician Fee Schedule'' (OEI-01-06-00260), the HHS OIG
recommended that CMS consider conducting site visits to monitor IDTFs'
compliance with Medicare requirements.'' In addition, in an April 2007
report titled, ``Medicare Hospices: Certification and Centers for
Medicare & Medicaid Services Oversight'' (OEI-06-05-00260), the HHS OIG
recommended that CMS seek legislation to establish additional
enforcement remedies for poor hospice performance. In response to this
recommendation, CMS stated that it was considering whether to pursue
new enforcement remedies for poor hospice performance. While the
Medicare enrollment process is not designed to verify the conditions of
participation, we do believe that more frequent onsite visits may help
identify those hospice organizations that are no longer operational at
the practice location identified on the Medicare enrollment
application.
In a January 2006 report titled, ``Medicare Payments for Ambulance
Transports'' (OEI-05-02-000590), the HHS OIG found that ``25 percent of
ambulance transports did not meet Medicare's program requirements,
resulting in an estimated $402 million in improper payments.''
In an August 2004 report titled, ``Comprehensive Outpatient
Rehabilitation Facilities: High Medicare Payments in Florida Raise
Program Integrity Concerns'' (GAO-04-709), the GAO concluded that,
``[s]izeable disparities between Medicare therapy payments per patient
to Florida CORFs and other facility-based outpatient therapy providers
in 2002--with no clear indication of differences in patient needs--
raise questions about the appropriateness of CORF billing practices.
After finding high rates of medically unnecessary therapy services to
CORFs, CMS's claims administration

[[Page 5870]]

contractor for Florida took steps to ensure appropriate claim payments
for a small, targeted group of CORF patients. Despite its limited
success, billing irregularities continued among some CORFs and many
CORFs continued to receive relatively high payments the following year.
This suggests that the contractor's efforts were too limited in scope
to be effective with all CORF providers.''
In addition to GAO and HHS OIG studies and reports, a number of
Zone Program Integrity Contractors (ZPIC) and Program Safeguard
Contractors (PSC) used by CMS in helping to fight fraud in Medicare,
have taken a number of administrative actions including payment
suspensions and increased medical review, for the provider and supplier
types shown previously. For example, the Zone 7 ZPIC contractor in
South Florida has conducted onsite reviews at 62 CORFs since January
2010 and recommended revocation for 51 CORFs, or 82 percent of the
CORFS in the area. The same contractor has conducted an onsite reviews
at 38 CMHCs located in Dade, Broward, and Palm Beach County since
January 2010, and recommended that 30 CMHCs be revoked for
noncompliance (79 percent of the CMHCs in the area). In each instance
where the ZPIC requested a revocation, the CMHC was also placed on
prepay review. We have also conducted an analysis of IDTF licensure
requirements and have found several circumstances that indicate
irregularity and potential risk of fraud. Although independent clinical
laboratories are subject to survey against CLIA requirements, there are
nonetheless a number of potentials for fraud, not the least of which is
the sheer volume of service and associated billing generated by these
entities.
We believe that there is ample evidence to support the use of post-
enrollment site visits as a reliable and effective tool to ensure that
a current supplier of DMEPOS remains operational and continues to meet
the supplier standards found in Sec. 424.57(c). In a March 2007 report
titled, ``Medical Equipment Suppliers Compliance with Medicare
Enrollment Requirements'' (OEI-04-05-00380), the HHS OIG concluded
that, ``By helping to ensure the legitimacy of DMEPOS suppliers, out-
of-cycle site visits may help to prevent fraud, waste, and abuse in the
Medicare program. CMS may want to consider the findings of our study as
they determine how and to what extent out-of-cycle site visits of
DMEPOS suppliers will occur.'' Today, the NSC MAC utilizes post-
enrollment site visits as the primary screening to determine ongoing
compliance with the enrollment criteria set forth in Sec. 424.57(c).
Therefore, we have included currently enrolled DMEPOS suppliers in the
``moderate'' category.
We also noted that, in addition to the new screening measures
proposed in the proposed rule under the existing regulation at Sec.
424.517, a Medicare contractor may conduct an unannounced or
unscheduled site visit at any time for any provider or supplier type
prior to enrolling a prospective provider or supplier or for any
existing provider or supplier enrolled in the Medicare program. While
the primary purpose of an unannounced and unscheduled site visit is to
ensure that a provider or supplier is operational at the practice
location found on the Medicare enrollment application, a Medicare
contractor may also verify established supplier standards or
performance standards other than conditions of participation (CoP)
subject to survey and certification by the State Survey agency, where
applicable, to ensure that the supplier remains in compliance with
program requirements.
To assist readers in understanding the type of providers and
suppliers that we proposed to be in the ``moderate'' risk screening
level, we are providing the following table.

Table 3--Proposed Medicare Providers and Suppliers Designated as a
``Moderate'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Community mental health centers; comprehensive outpatient rehabilitation
facilities; hospice organizations; independent diagnostic testing
facilities; independent clinical laboratories; and non-public, non-
government owned or affiliated ambulance services suppliers. (Except
that any such provider or supplier that is publicly traded on the NYSE
or NASDAQ is considered ``limited'' risk.)
Currently enrolled (revalidating) home health agencies. (Except that any
such provider that is publicly traded on the NYSE or NASDAQ is
considered ``limited'' risk.)
Currently enrolled (re[dash]validating) suppliers of DMEPOS. (Except
that any such supplier that is publicly traded on the NYSE or NASDAQ is
considered ``limited'' risk.)
------------------------------------------------------------------------

(3) High
For those provider and supplier categories assigned the ``high''
level of screening, we proposed that, in addition to the screening
tools applicable to the limited and moderate level of screening,
Medicare contractors would use the following screening tools in the
enrollment process: (1) Criminal background check; and (2) submission
of fingerprints using the FD-258 standard fingerprint card. (The FD-258
fingerprint card is recognized nationally and can be found at local,
county or State law enforcement agencies where, for a fee, agencies
will supply the card and take the fingerprints.) We proposed that these
tools would be applied to owners, authorized or delegated officials or
managing employees of any provider or supplier assigned to the ``high''
level of screening. We believe that criminal background checks will
assist us in determining if such individuals submitted a complete and
truthful Medicare enrollment application and whether an individual is
eligible to enroll in the Medicare program or maintain Medicare billing
privileges. We believe that this position is supported by testimony of
the GAO before the subcommittees for Health and Oversight and Ways and
Means within the House of Representatives on June 15, 2010, stating in
part that ``[c]hecking the background of providers at the time they
apply to become Medicare providers is a crucial step to reduce the risk
of enrolling providers intent on defrauding or abusing the program. In
particular, we have recommended stricter scrutiny of enrollment
processes for two types of providers whose services and items CMS has
identified as especially vulnerable to improper payments--home health
agencies (HHAs) and suppliers of durable medical equipment,
prosthetics, orthotics, and supplies (DMEPOS).''
In Sec. 424.518(c)(1), we proposed that, unless they are publicly
traded on the NYSE or NASDAQ, newly enrolling HHAs and suppliers of
DMEPOS would be assigned to the high risk screening level. Based on our
experience and on work conducted by the HHS OIG and the GAO, and
because we do not have the monitoring experience with newly enrolling
DMEPOS suppliers or HHAs that we have with those currently enrolled, we
assigned these providers and suppliers to the ``high'' risk screening
level. We are especially concerned about newly enrolling HHAs and
suppliers of DMEPOS because of the high number of HHAs and suppliers of
DMEPOS already enrolled in the Medicare program and program
vulnerabilities that these entities pose to the Medicare program. Below
is a list of HHS OIG and GAO reports identifying home health agencies
and suppliers of DMEPOS as posing an elevated risk to the Medicare
program.
In a December 2009 report titled, ``Aberrant Medicare Home
Health Outlier Payment Patterns in Miami-Dade County and Other
Geographic

[[Page 5871]]

Areas in 2008'' (OEI-04-08-00570), the HHS OIG recommended that CMS
continue with efforts to strengthen enrollment standards for home
health providers to prevent illegitimate HHAs from obtaining billing
privileges.
In a February 2009 report titled, ``Medicare: Improvements
Needed to Address Improper Payments in Home Health'' (GAO-09-185), the
GAO concluded that the Medicare enrollment process does not routinely
include verification of the criminal history of applicants, and without
this information individuals and businesses that misrepresent their
criminal histories or have a history of relevant convictions, such as
for fraud, could be allowed to enter the Medicare program. In addition,
the GAO recommended that CMS assess the feasibility of verifying the
criminal history of all key officials named on the Medicare enrollment
application.
In a February 2008 report titled, ``Los Angeles County
Suppliers' Compliance with Medicare Standards: Results from Unannounced
Visits'' (OEI-09-07-00550) and in a March 2007 report titled, ``South
Florida Suppliers' Compliance with Medicare Standards: Results from
Unannounced Visits (OEI-03-07-00150), the HHS OIG recommended that CMS
strengthen the Medicare DMEPOS supplier enrollment process and ensure
that suppliers meet Medicare supplier standards. The HHS OIG provided
several options to implement this recommendation including: (1)
Conducting more unannounced site visits to suppliers; (2) performing
more rigorous background checks on applicants; (3) assessing the fraud
risk of suppliers; and (4) targeting, monitoring, and enforcement of
high risk suppliers.
In a September 2005 report titled, ``Medicare: More
Effective Screening and Stronger Enrollment Standards Needed for
Medical Equipment Suppliers'' (GAO-05-656), the GAO concluded that,

CMS is responsible for assuring that Medicare beneficiaries have
access to the equipment, supplies, and services they need, and at
the same time, for protecting the program from abusive billing and
fraud. The supplier standards and NSC's gate keeping activities were
intended to provide assurance that potential suppliers are qualified
and would comply with Medicare rules. However, there is overwhelming
evidence--in the form of criminal convictions, revocations, and
recoveries--that the enrollment processes and the standards are not
strong enough to thoroughly protect the program from fraudulent
entities. We believe that CMS must focus on strengthening the
standards and overseeing the supplier enrollment process. It needs
to better focus on ways to scrutinize suppliers to ensure that they
are responsible businesses, analogous to Federal standards for
evaluating potential contractors.

We recognize that there may also be circumstances where a
particular provider or supplier or group of providers and suppliers may
pose a higher risk of fraud, waste, and abuse than the screening level
assignment for their category assessed. Therefore, in Sec.
424.518(c)(3), we proposed specific criteria that we would use to
adjust the classification of a provider or supplier into a higher risk
screening level than would generally apply to the entire category of
provider or supplier, in order to address specific program
vulnerabilities. We solicited comments on specific additional
circumstances that might justify shifting a provider or supplier into a
higher screening level than would generally apply to its category. We
also solicited comments on the criteria that we could use to shift the
screening level back down.
In Sec. 424.518(c)(3)(i), we proposed to adjust a provider or
supplier from the limited or ``moderate'' risk screening level to the
``high'' risk screening level when we have evidence from or concerning
a physician or non-physician practitioner that another individual is
using his or her identity within the Medicare program. In Sec.
424.518(c)(3)(ii) and (iii), which in this final rule with comment
period has been redesignated Sec. 424.518(c)(3)(i) and (ii), we
proposed to adjust a provider or supplier from the ``limited'' or
``moderate'' level of screening to the ``high'' screening level when:
The provider or supplier has been placed on a previous payment
suspension within the previous ten years; or the provider or supplier
has been excluded by the HHS OIG or had its Medicare billing privileges
revoked by a Medicare contractor within the previous 10 years and is
attempting to establish additional Medicare billing privileges for a
new practice location or by enrolling as a new provider or supplier. In
addition, we believe that providers that have been terminated or
otherwise precluded from billing Medicaid should be adjusted from the
``limited'' or ``moderate'' screening level to the ``high'' screening
level. We believe that such providers or suppliers pose an elevated
level of risk to the Medicare program.
In Sec. 424.518(c)(3)(iv), redesignated in this final rule with
comment period as Sec. 424.518(c)(3)(iii), we proposed to adjust
providers or suppliers from the ``limited'' or ``moderate'' level of
screening to the ``high'' level of screening for 6 months after we lift
a temporary moratorium (see section II.C. of this final rule with
comment period) applicable to such providers or suppliers. This would
include providers and suppliers revalidating their enrollment if the
moratorium is applicable to the provider or supplier type. We solicited
comments on criteria that would justify reassignment of providers or
suppliers from the ``limited'' or ``moderate'' screening level to the
``high'' screening level. We also solicited comments on criteria
appropriate to the reassignment from ``high'' to ``moderate'' screening
levels or ``limited'' screening levels. We also solicited comment on
the applicability of geographical circumstances as a possible criterion
for adjusting providers or suppliers from one screening level to
another. We also solicited comment on whether non-practitioner owned
facilities and suppliers should be subject to a higher level of
screening than their practitioner-owned counterparts or, whether there
is an appropriate corresponding trigger for non-practitioner owned
facilities and suppliers. We solicited comment on whether providers and
suppliers should be subject to higher levels of screening when the
provider specialty does not match clinic type on an enrollment
application. We solicited comment on what objective conditions might
support a broad set of circumstances or factors that would allow us to
determine that provider screening levels by risk should be based on
``other conditions or factors that CMS determines are necessary to
combat fraud, waste, and abuse.''
We solicited public comment on the appropriateness of using
criminal background checks in the provider enrollment screening
process, including the instances when such background checks might be
appropriate, the process of notifying a provider, supplier or
individual that a criminal background check is to be performed, and the
frequency of such checks.
We solicited comment on the use of fingerprinting as a screening
measure in our programs. We recognized that requesting, collecting,
analyzing, and checking fingerprints from providers and suppliers are
complex and sensitive undertakings that place certain burdens on
affected individuals. There are privacy concerns and operational
concerns about how to assure individual privacy, how to check
fingerprints against appropriate law enforcement fingerprint databases,
and how to store the results of the query of the data bases and also
how to handle the subsequent analysis of the results. As a result, we
solicited comments on how CMS or its contractor should maintain and
store fingerprints, what security processes

[[Page 5872]]

and measures are needed to protect the privacy of individuals, and any
other issues related to the use of fingerprints in the enrollment
screening process. We were interested in comments on possible
circumstances in which fingerprinting would be potentially useful in
provider screening or other fraud prevention efforts. Our proposed
screening approach contemplated requesting fingerprints from providers
and suppliers designated as presenting a ``high'' risk of fraud. We
solicited comment on this requirement, the circumstances under which it
is appropriate, limitations on its use and any alternatives to the
proposed approach regarding fingerprints. Our proposed approach allowed
denial of billing privileges to newly enrolled providers and suppliers
and revocation of billing privileges for revalidating providers and
suppliers if owners or officials of providers or suppliers refused to
submit fingerprints when requested to do so. We solicited comments on
this proposal including its appropriateness and utility as a fraud
prevention tool. In addition, we also solicited comment on the
applicability and appropriateness of using, in addition to or in lieu
of fingerprinting, other enhanced identification techniques and secure
forms of identification including but not limited to other biological
or biometric techniques, passports, United States Military
identification, or Real ID drivers licenses. As technology and secure
identification techniques change, the tools we use may change to
reflect improvements or shifts in technology or in risk identification.
We solicited comment on the appropriate uses of these techniques.
We noted that any physician or non-physician practitioner or
organizational provider or supplier that is denied enrollment into the
Medicare program or whose Medicare billing privileges are revoked is
afforded due process rights under Sec. 405.874.
To assist readers in understanding the type of providers and
suppliers that we proposed to include in the ``high'' risk screening
level, we are providing the following table.

Table 4--Proposed Medicare Pro-viders and Suppliers Designated as a
``High'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Prospective (newly enrolling) home health agencies and suppliers of
DMEPOS. (Except that any such provider or supplier that is publicly
traded on the NYSE or NASDAQ is considered ``limited'' risk.)
------------------------------------------------------------------------

The new screening procedures implemented pursuant to new section
1866(j)(2) of the Act will be applicable to newly enrolling categories
providers and suppliers beginning on March 25, 2011. These new
screening procedures will also be applicable beginning on March 25,
2011 for those providers and suppliers currently enrolled in Medicare,
Medicaid, and CHIP who revalidate their enrollment information. For
Medicare, this will impact those providers and suppliers whose
revalidation cycle results in revalidation occurring between March 25,
2011 and March 23, 2012. Finally, these new procedures will be
applicable to currently enrolled Medicare, Medicaid, and CHIP providers
and suppliers beginning on March 23, 2012, in accordance with section
1866(j)(2)(ii) of the Act. As such, some providers and suppliers may be
required to revalidate their enrollment outside of their regular
revalidation cycle. However, the additional screening procedures for
categories and individuals in the high level of screening, namely, as
discussed below, fingerprint-based criminal history record checks, will
be implemented 60 days following the publication of subregulatory
guidance.
b. Analysis of and Responses to Public Comment on Medicare Screening
Categories
Below is a summary of the comments we received regarding the
screening categories and the validation activities contained within
each category.
Comment: Several commenters expressed concern that we
differentiated between publicly traded and non-publicly traded
entities. Many commenters stated that CMS did not specify how publicly
traded companies were any less of a fraud risk than companies that are
not publicly traded. Several commenters suggested this distinction was
arbitrary and without merit. One commenter stated that being publicly
traded does not offer immunity from risk, and that having one set of
standards for all providers will make it easier for governments,
providers and consumers to identify and address fraud and abuse. One
trade association argued that it preferred an approach that would
elevate its members into a higher risk screening level than to
distinguish among its members based upon whether a particular entity
was publicly traded. Another commenter suggested that CMS withdraw its
proposal; and requested that if CMS decides to implement it, it should
provide the data analysis it used in creating this policy choice and
explain why large privately held companies are a greater risk than
publicly traded companies.
Response: We agree with the arguments the commenters made regarding
distinguishing among screening levels based on a provider or supplier's
publicly traded status, and thus we have eliminated the distinction
between publicly traded and non-publicly traded companies for purposes
of the screening levels. While it has been our general experience that
publicly traded companies have not posed the elevated risk of fraud,
waste or abuse as non-publicly traded companies, we do not believe the
risk differential between publicly traded and non-publicly traded
entities is such as to warrant the automatic assignment of the former
into a lesser screening level.
Comment: Similar to the distinction between publicly traded versus
non-publicly traded, several comments suggested that the distinction
between government-owned or affiliated versus non-government owned or
affiliated ambulance service suppliers was not based on any evidence.
One commenter stated that CMS furnished little or no supporting data
for the position that publicly owned companies pose less of a risk.
Another commenter contended that this distinction presented challenges
that would make it difficult for states to operationalize. Another
commenter believes that the distinction is arbitrary, and noted that
private ambulance companies are, like public companies, held to the
same strict standards, such as the need for them and their personnel to
be State-licensed. The commenter added that there is no evidence to
support the assertion that private ambulance services pose a greater
risk of fraud, waste or abuse than public companies, and that the OIG
report referred to in the proposed rule entitled ``Medicare Payments
for Ambulance Transports'' (OEI-05-02-000590) did not single out
private ambulance services as posing such a risk. Another commenter was
concerned that assigning private ambulance companies to a higher
screening level could put them at a competitive disadvantage vis-
[agrave]-vis their public counterparts.

[[Page 5873]]

Response: We disagree that this distinction would be difficult to
operationalize. The enrollment process generally captures information
on the supplier's ownership; this enables contractors and States to
distinguish between government-owned and non-government owned entities.
However, we do agree with the arguments made regarding the use of
public ownership as a criterion for making a distinction in the level
of screening as determined by the risk of fraud, waste or abuse posed
to the programs, and we have eliminated the distinction between
government-owned and non-government owned ambulance companies for
purposes of the screening level assignments. The available evidence
does not suggest that the risk differential between government-owned
and non-government owned ambulance companies is such as to warrant the
automatic placement of the former into a lower screening level.
Moreover, we note that the ACA requires levels of screening according
to the risk of fraud, waste and abuse posed by categories of providers
and suppliers. The approach taken in this final rule with comment
period whereby we assign specific categories of providers and suppliers
to screening levels determined by a categorical assessment of the risk
of fraud, waste or abuse to the programs--rather than assessing
individual's risk-- is consistent with the requirements of the statute.
While we believe that a more nuanced and precise approach for
classifying specific categories of providers and suppliers into
screening levels, for example using a scoring algorithm to create
categories, could also be consistent with the statute under certain
circumstances and were we able to provide an adequate rationale for the
classification, we do not yet have experience with such an approach,
and are therefore finalizing an approach based on classifications by
entire provider and supplier types. We may consider additional
classifications in future rulemaking.
Comment: A commenter supported CMS's designation of provider fraud
and abuse risk into three levels for Medicare, Medicaid, and CHIP
providers, and stated that CMS appropriately assigned hospitals
(including critical access hospitals) to the limited level.
Response: We appreciate this commenter's support.
Comment: A commenter expressed support for CMS's proposal to move a
provider type from one screening level to another only if it has been
found by CMS to pose more or less of a fraud and abuse risk. However,
the commenter suggested, that CMS: (1) Review a provider class over
pre-prescribed time periods (for example, 24 months), and (2) allow
sufficient time for the provider community to offer comment prior to
changing a provider's screening level.
Response: Our proposal to reassign providers or suppliers or
provider or supplier types to another level of screening was based on
changes in circumstances that contribute to the risk of fraud. We
believe that to restrict ourselves to reassigning providers and
suppliers only at specific, pre-defined time intervals would not
provide us with the flexibility we need to quickly address emerging
program integrity risks. If a situation arose where there was an
immediate risk of fraud that required the imposition of enhanced
screening procedures, we must be able to deal with it rapidly, rather
than wait until a particular prescribed time interval arrives. We will
periodically reexamine screening level classifications for provider and
supplier categories. Should a change in a particular provider or
supplier type's assignment be warranted and should it necessitate a
change in existing regulatory language, we will publish notice of the
change in the Federal Register.
Comment: A commenter expressed support for CMS' inclusion of
physicians, non-physician practitioners, and medical groups or clinics
in the limited screening level. The commenter stated that these
suppliers submit the CMS-855I to enroll in Medicare and are subject to
all of the penalties listed in Section 14 of CMS-855I regarding
falsifying information.
Response: We appreciate the commenter's support.
Comment: A commenter requested that CMS consider moving CMHCs and
CORFs from the ``moderate'' screening level to the ``limited''
screening level. With respect to CORFs, the commenter stated that CMS'
studies regarding program integrity concerns have been limited to the
State of Florida, and contended that it is arbitrary to extrapolate
that experience to the rest of the country.
Response: We disagree with the commenter's assessment of the risk
of fraud associated with CMHCs and CORFs. These risks extend beyond any
single region of the country. As a result we have decided to keep these
provider types assigned to the moderate level of screening. We believe
that the assignment of CMHCs and CORFs into the moderate screening
level was appropriate based on the information we presented in the
proposed rule.
Comment: A commenter expressed support for background checks and
fingerprinting, but requested that they be limited to only providers
and suppliers assigned to the high risk level because of the potential
administrative burden.
Response: The final rule with comment period is clear that
fingerprint-based criminal background checks are only applicable to
providers and suppliers assigned to the high screening level.
Comment: A commenter stated that CMS, in listing various provider
types and the levels of risk into which they were assigned, did not
provide the documentation on which it based its conclusions, therefore
violating the Administrative Procedure Act. The commenter recommended
that CMS furnish the following information by provider/supplier type to
justify its conclusions and to inform the public as to why certain
providers are a limited risk to the Medicare program: (1) Number of
Medicare revocations; (2) number of Medicare deactivations; (3)
Medicare payment suspensions; (4) Medicare civil monetary penalties;
(5) OIG mandatory exclusions; (6) OIG permissive exclusions; (7)
indictments; and (8) felony convictions.
Response: We based our risk assessments on a variety of factors,
including some of those listed by the commenter, as well as others.
However, because our conclusions were not based on any one factor nor
any specific combination of factors, but rather on CMS's aggregate
experience with each provider and supplier type, providing the data
requested by the commenter would not serve to clarify the
determinations of risk.
Comment: Several commenters stated that CMS did not describe how it
will screen providers and suppliers with a designated ``other''
category, or which types of providers and suppliers fall within this
category and how many there are. One commenter stated that providers
and suppliers in the ``Other'' category should be assigned to the high
risk level.
Response: The ``other'' category is largely reserved for future
situations in which a statute is enacted that authorizes a particular
provider or supplier type to bill the Medicare program; it is designed
as a placeholder of sorts pending the revision of the CMS-855
application to accommodate the new provider or supplier type. Since we
cannot predict which new provider or supplier types may be able to bill
Medicare in the future, we are unable to assign them to a particular
screening level in this final rule with comment period.

[[Page 5874]]

Comment: Several commenters stated that CMS did not explain which
risk level outpatient physical therapy/occupational therapy (PT/OT),
speech pathology, and rehabilitation agencies would fall into.
Response: We received a number of comments on this issue. We will
assign occupational therapists, speech language pathology, and
rehabilitation agencies to the ``limited'' level of risk because we do
not have evidence of program integrity risk that suggest that these
entities should be assigned to the moderate or high levels of
screening. However, we will assign physical therapists (including
physical therapy groups) to the moderate screening level. We believe
this classification is supported, in part, by a recent OIG report
entitled ``Questionable Billing for Medicare Outpatient Therapy
Services'' (December 2010) (http://oig.hhs.gov/oei/reports/oei-04-09-00540.pdf), which found, among other things, that Miami-Dade County had
three times, and nineteen other counties had at least twice, the
national level on five of six questionable billing characteristics. Law
enforcement has also identified fraudulent billing schemes involving
physical therapy.
Comment: One commenter stated that CMS did not describe how it
would screen new providers or suppliers types permitted to enroll in
Medicare. Since CMS excluded these providers and suppliers from its
discussion, the commenter recommended that these entities be considered
a high risk.
Response: Since we cannot predict which new provider or supplier
types may be able to bill Medicare in the future, we are unable to
assign them to a particular screening level in this final rule with
comment period. When such entities emerge, we will make an appropriate
determination based on the data sources we have already described in
this final rule with comment period, as to what screening level
assignment is most appropriate for such new entities. As previously
discussed, we will publish notice of these new provider category
assignments in the Federal Register prior to making final any such
assignment.
Comment: One commenter recommended that non-physician owned medical
facilities and groups be considered a higher risk than physician-owned
medical facilities.
Response: In the proposed rule, we solicited comments on whether
non-practitioner owned facilities and suppliers should be subject to a
higher level of screening than practitioner-owned facilities and
suppliers. We received several comments suggesting that the former
category should be subject to higher screening than the latter. We are
declining to adopt this suggestion in this final rule with comment
period, however. As previously stated, the ACA requires levels of
screening according to the risk of fraud, waste and abuse posed by
categories of providers and suppliers. The approach taken in this final
rule with comment period whereby we assign specific categories of
providers and suppliers to risk levels that determine screening
requirements--rather than determining individual risk--is consistent
with the statute.
Comment: Several commenters stated that extending the enhanced
screening requirements to MAOs will prove duplicative and unnecessarily
increase costs for providers. Identifying those providers participating
in multiple health programs and coordinating their screening and
monitoring could, the commenters contended, avoid unnecessary
administrative burden for all involved. Otherwise, by extending the
screening requirements to MAOs, providers will be forced to undergo the
same screening process multiple times, for each MAO with whom they
contract. One commenter stated that it would be more efficient for CMS
and the States to perform the screenings and make that data available
to the MAO plans through a centralized process. Another commenter
recommended that fingerprinting and background checks be restricted to
State and Federal law enforcement agencies, adding that there is no
legitimate purpose for MA or Medicare managed care plans to collect and
maintain this information.
Another commenter opposed applying the proposed requirements to
MAOs and other managed care organizations (MCOs) for several reasons.
First, there are already appropriate screening tools for MAOs for their
providers and suppliers pursuant to Sec. 422.204(b)(3). Second, MAOs
have other requirements, as established in Sec. 422.204, to access
certain data bases to verify licensure, licensure sanctions and other
limitations. Third, traditional Medicare has a greater population to
serve and a wider network of providers and suppliers to process and
screen than individual MA plan networks. Therefore, the processes
should stem from those with oversight and administration of traditional
Medicare, with a trickledown effect and benefit for MAOs. Fourth, if a
limited, moderate or high risk provider has an enrollment verification
letter from Medicare issued after March 25, 2011, the provider has been
appropriately credentialed and needs no further credentials for a MAO.
Fifth, Medicare's enrollment application captures certain elements that
are not currently captured by some insurers' enrollment applications,
such as delegated representative, authorized representative, and
owners. This information would be difficult to capture and verify, and
the workload would increase substantially on the part of MCOs to
credential numerous individuals who may not have a significant role
within the providers/supplier entity.
Response: Because there are a large number of other regulatory
provisions that form the framework for oversight of managed care plans,
and we do not want to duplicate these requirements by imposing
additional screening and enrollment criteria on these organizations, we
have decided not to apply the provisions of this final rule with
comment period to managed care plans and organizations.
Comment: A commenter stated that MCOs design their anti-fraud
initiatives based on the risks they encounter, which may be unique and
different from the risks faced by FFS programs. Consequently, CMS
should give MCOs the flexibility to decide whether to adopt any of the
proposed new screening requirements and, if so, how to do so; CMS
should not extend the screening requirements to MCOs. The commenter
stated that MCOs should be allowed to: (1) Assign providers and
suppliers to a level that is higher or lower than the level assigned by
Medicare FFS or the State FFS Medicaid programs, and (2) deem a
provider as having satisfied its screening requirements if the provider
is enrolled in Medicare FFS and/or a Medicaid FFS program, and has gone
through their screening procedures.
Response: As explained previously, we are concerned that the
application of the screening provisions to MCOs would duplicate
existing oversight and regulatory authority. We therefore have decided
not to apply the provisions of this final rule with comment period to
managed care plans and organizations. This will, as the commenter
suggests, allow MCOs to develop provider screening requirements that
are unique to their circumstances, including (1) assign providers and
suppliers to a level that is higher or lower than that assigned by
Medicare or the State Medicaid program, and (2) deem a provider as
having satisfied their screening requirements if the provider is
enrolled in Medicare and/or a State Medicaid program.
Comment: A commenter stated that applying consistent risk
management

[[Page 5875]]

practices throughout an organization fosters a culture of program
integrity. As such, the commenter recommended that MAOs be required to
implement the same enhanced screening processes that CMS is considering
for the original Medicare program.
Response: As mentioned earlier, we have decided not to apply the
provisions of this final rule with comment period to managed care plans
and organizations.
Comment: A commenter recommended that CMS explain what type of
screening process will be used for Medicare Advantage, managed care
organizations or health maintenance organizations.
Response: As previously stated, there are a large number of other
regulatory provisions that form the framework for oversight of managed
care plans. We do not want to duplicate these requirements by imposing
additional screening and enrollment criteria on these organizations. We
therefore have decided not to apply the provisions of this final rule
with comment period to managed care plans and organizations.
Comment: A commenter recommended that CMS establish screening
criteria for slide preparation facilities and competitive acquisition
program/Part B vendors.
Response: We will not be establishing screening criteria or
prescribing screening levels for slide preparation facilities in this
final rule with comment period. Slide preparation facilities do not
enroll in Medicare at this time; thus, we do not believe it is
appropriate to assign a level of screening to such entities. As for
competitive acquisition program/Part B vendors, these will be assigned
to the limited screening level. It has not been our experience that
this supplier type poses an elevated risk of fraud, waste or abuse to
the Medicare program.
In addition, we are adding portable x-ray suppliers to the moderate
screening level. In support of this classification, we note that the
OIG has analyzed Medicare claims data to identify suppliers with
questionable billing patterns. The unusual claims patterns that were
found raise concerns about the integrity of payments to certain
portable x-ray suppliers. Based on this, and combined with the fact
that there are low barriers to entry for this type of supplier,
portable x-ray suppliers will be placed in the moderate screening
level.
Comment: A commenter recommended that CMS establish higher levels
of screening when: (1) A provider or supplier changes ownership on a
frequent basis; (2) a physician or non-physician practitioner is
enrolled in different States; (3) a physician has a large number of
reassignments or when reassignments cross States; (4) a physician is
engaging or billing in a reciprocal billing or locum tenens billing
arrangement; (5) owners have businesses in different States; and (6)
when owners establish banking relationships in different States from
where their practice is located.
Response: In the proposed rule, we sought comment on what factors
should permit us to elevate an individual provider or supplier to a
higher level of screening. We appreciate the commenter's suggestion.
While we are not adopting these recommendations at this time, such
suggestions may form the basis of future rulemaking. We would first
like to evaluate how the factors we will finalize as part of this rule
will work prior to adopting new factors such as the ones the commenter
has identified.
Comment: One commenter recommended that CMS assign to the higher
screening level any owner or physician who had an final adverse action
within the previous 10 years; has an unrepaid overpayment with
Medicare, Medicaid or CHIP; has a Medicare or Medicaid payment
suspension; exclusion or debarment; a felony conviction; unpaid taxes;
or a Medicare revocation. Another commenter stated that in Table 1, CMS
appears not to consider previous payment suspensions, overpayments, OIG
exclusions, or Medicare revocations in establishing higher risk levels.
The commenter recommended that CMS explain why such actions are not an
indicator of higher program risk and the need for enhanced screening.
Response: As in the proposed rule, we state in Sec. 424.518(c) of
the final rule with comment period that a provider or supplier will be
moved from the ``limited'' or ``moderate'' category to the ``high''
level if it has been excluded by the OIG, or has had its Medicare
billing privileges revoked in the previous ten years. We have added in
the final rule with comment that a provider or supplier that has been
subject to any final adverse action as defined at Sec. 424.502 would
also be moved to the high level of screening. With regard to these
commenters' other proposals, we are generally supportive of them, and
may examine the possibility of future rulemaking to include some of
them as factors that may elevate a provider or supplier to a higher
level of risk. As previously mentioned, however, we would first like to
evaluate how the factors we will finalize as part of this rule will
work prior to adopting new factors.
Comment: A commenter recommended that CMS propose a definition for
the term ``tax delinquency,'' as it is used in Table 1 of the proposed
rule, and clarify whether the term refers to Federal, State and/or
local taxes.
Response: We have removed tax delinquency from the list of database
checks in this final rule with comment period. Though we do have new
authorities to obtain tax information as part of ACA and other recently
enacted statutes, we are not prepared to operationalize this provision
at this time.
Comment: A commenter stated that CMS' categorical risk approach did
not address the individual risk associated with certain owners and
individual practitioners. The commenter recommended that CMS issue a
new proposed rule to establish specific risk factors would increase/
decrease a provider or supplier's screening level.
Response: The ACA requires levels of screening according to the
risk of fraud, waste and abuse posed by categories of providers and
suppliers. The approach taken in the final rule with comment period
whereby we assign specific categories of providers and suppliers to
screening levels determined by risk of fraud, waste and abuse is
consistent with the requirements of the statute. Furthermore, we
believe the approach taken in this final rule with comment period is
objective and allows us to avoid subjective assessments of a provider's
or supplier's risk to the programs.
Comment: A commenter supported the use of background checks to
ensure the identity and integrity of owners and senior managers of home
health and hospice agencies. While supporting the maintenance of the
confidentiality of this information, the commenter believes it should
be used to: (1) Target agencies for special oversight, (2) alert owners
of patterns of criminal behavior on the part of their managers, and (3)
disqualify owners or managers that have criminal histories.
Response: We intend to use this tool in a way that safeguards
personal information and also helps prevent fraud, waste and abuse. The
criminal history record will verify whether a provider, supplier, or an
individual with a 5 percent or greater direct or indirect ownership
interest in such provider or supplier has been convicted of certain
types of felonies that could result in the denial or revocation of
billing privileges under Sec. 424.530 or Sec. 424.535, respectively.
We believe that

[[Page 5876]]

criminal history record checks will confirm the accuracy of information
submitted in enrollment applications, and the discovery of false or
misleading information could result in denial or revocation of billing
privileges under Sec. 424.530 or Sec. 424.535. Providers or suppliers
who have been denied on these bases are afforded all applicable appeals
rights.
While in some instances, such a denial may result in alerting a
provider or supplier of an individual's criminal history, this is not
the purpose or intention of this enrollment screening tool. Rather we
will use this authority for the purpose of verifying eligibility for
Medicare enrollment. We will disseminate guidance and instructions to
providers, suppliers and our enrollment contractors shortly after the
publication of this final rule with comment period regarding the
implementation of the criminal history record check requirement.
Comment: A commenter opposed the proposal to move those who have
previously been placed on a payment suspension or subject to a denial
or revocation in the past year, into a higher screening level. The
commenter stated that a payment suspension may be imposed upon a mere
or false suspicion of wrongdoing, and that the denial or revocation
could have been based on an innocent mistake.
Response: We agree with this commenter with respect to the denial
of billing privileges. Many denials occur simply because the provider
does not meet the requirements to enroll as a particular provider type
or other clerical errors. We have therefore removed the denial of
billing privileges as a basis for moving a provider or supplier into a
higher risk screening level. We have retained revocations of Medicare
billing privileges as such a basis because we believe that such a
provider poses a heightened risk of fraud, waste or abuse to the
Medicare Trust Fund.
Payment suspension is used as a fraud fighting tool only in
instances where facts available point to possible fraud, waste, or
abuse. Consequently, because of the risk to the program posed by
individuals and entities upon which a payment suspension has been
imposed, we believe we are justified in placing them in the high risk
screening level.
Comment: One commenter suggested that in lieu of fingerprinting,
each owner or physician should submit: (1) A U.S. Passport or a Foreign
Passport with their enrollment application, and/or (2) copies of their
Federal Tax Returns.
Response: We agree with the commenter that there may be
alternatives to fingerprint-based criminal history record checks to
verify identity; however information on U.S. or foreign passports and
Federal Tax Returns, such as name, date of birth and Social Security
number are duplicative of information that is captured in the Medicare
enrollment application. Information that would be obtained from a U.S.
or foreign passport or Federal Tax Returns could only be used to
process a name-based criminal history record check, and the FBI does
not process name-based requests for non-criminal justice purposes. The
submission of fingerprints is the only way to obtain a criminal history
record check from the FBI.
Additionally, the National Task Force on the Criminal Backgrounding
of America concluded that fingerprint-based criminal history record
checks are more accurate than name-based checks because ``names tend to
be unreliable because: people lie about their names; obtain names from
false documents; change their names; people have the same name; people
misspell names; people use different versions of their names * * *
people use aliases * * * '' The suppliers assigned to the high
screening level have been so assigned because, in CMS, and its law
enforcement partners' experience, such supplier types have, as a
category, not undergone sufficient scrutiny in the enrollment process.
Some may have gained entry in the past through falsification of an
enrollment application that may have passed a name based check. As a
result, the extra level of screening provided by the submission of
fingerprints for the purposes of an FBI database check has the
potential to deny enrollment to individuals whose sole intent is to
defraud the Medicare program. We believe fingerprint-based criminal
history record checks will be an effective tool to prevent fraud,
waste, and abuse in Federal health care programs by independently
verifying information provided on applications of potential providers
and suppliers in the high screening level.
If, after a sufficient period of evaluation, we conclude that
fingerprint-based FBI criminal history record checks do not fulfill our
program integrity objective of identifying applicants who pose a
heightened risk of fraud, waste, and abuse prior to enrollment or we
determine that supplementary actions are needed, we may pursue
additional rulemaking that seeks to adopt alternative or additional
safeguards consistent with authorities given to the Secretary in the
ACA.
Comment: A commenter stated the screening process described by CMS
does little to ensure that a provider or supplier is submitting
legitimate claims for eligible individuals, since there is no linkage
between the enrollment process and claim submission process. The
commenter contended that it did not appear that CMS considered the
alternative approach of linking its proposed screening requirements to
section 1866(j)(3) of the Act. The commenter recommended that CMS
establish a link between the screening process and the payment process
by establishing payment caps and prepayment claims review as described
in section 1866(j)(3) of the Act.
Response: The commenter references new section 1866(j)(3) of the
Act, which addresses a provisional period of enhanced oversight for new
providers or suppliers of services. We believe that the payment caps
and prepayment claims processes should supplement, but not be used in
lieu of, the procedures outlined in this proposed rule. Payment caps
and prepayment claims processes will be addressed in separate vehicles.
Clearly, the provisions of section 1866(j)(3) of the Act are an
important complement to the pre-enrollment screening provisions in this
rule. We intend to use both to fight fraud. However, this provision is
not part of this final rule with comment period. In fact, the ACA
authorizes the Secretary to implement the provisions of section
1866(j)(3) of the Act through instruction or otherwise.
Comment: A commenter contended that with respect to the limited
risk screening requirements, the language in proposed Sec.
424.518(a)(2)(i) may be overly broad. The commenter believes the intent
of this provision is for the contractor to verify that the provider or
supplier meets only the applicable regulations or requirements that
qualify it for the appropriate provider or supplier type. However, the
commenter stated that, as written, Sec. 424.518(a)(2)(i) could be
construed to require the Medicare contractor to verify the provider or
supplier's compliance with virtually every Federal regulation and State
requirement that applies to the provider or supplier type. This, the
commenter argued, could subject limited categorical risk providers and
suppliers to an overly broad, burdensome, and time-consuming
verification process.
Response: As explained in the proposed rule, the verification
process for limited risk providers and suppliers will be that which is
currently used for most providers and suppliers. The verification will
be limited to enrollment requirements, and will not examine compliance
with all other State

[[Page 5877]]

and Federal regulations unless the other State and Federal regulations
have an impact on whether the provider or supplier meets the
requirements for enrolling or revalidating enrollment in Medicare. The
table that describes the types of screening to be performed for each of
the three screening levels explains clearly the kinds of verification
processes that CMS contractors will be using to verify a provider's or
supplier's eligibility to enroll or remain enrolled in Medicare.
Comment: One commenter requested that CMS explain why it did not
consider compliance plans in establishing its screening criteria.
Response: We solicited comments regarding the use of compliance
plans in combating fraud, waste, and abuse. Because there are a several
complex policy and implementation issues we are pursuing separate
additional rulemaking in this area.
Comment: One commenter stated that CMS did not include a discussion
of low quality of care when it established its screening criteria.
Response: Quality of care is the subject of several other CMS
regulations. Accordingly, we did not include quality consideration in
our development of levels of categorical screening. We believe that the
factors we included in the proposed rule for establishing the screening
criteria support our classifications.
Comment: A commenter recommended that CMS increase the level of
screening for any provider using a billing agent or clearinghouse
convicted of health care fraud. The commenter also recommended that,
similar to the provisions found in section 6503 of the ACA, CMS
establish enrollment standards for clearinghouses and billing agents
for Medicare. CMS, the commenter stated, mentioned in the proposed rule
that ``based on our data analysis including analysis of historical
trends and CMS' own experience with provider screening and enrollment
we believe the following providers and suppliers pose a limited risk.''
The commenter also recommended that CMS furnish the data analysis used
to assign each provider type in the limited screening levels and the
moderate screening levels.
Response: As for the commenter's recommendation regarding billing
agents and clearinghouses, the commenter references section 6503 of
ACA, which calls for billing agents and clearinghouses to register
under Medicaid. The implementation of 6503 of the ACA, is not part of
this rule; however, we will be addressing that provision in the future.
We do not propose to screen billing agents and/or clearinghouses as
part of this rule because such entities do not enroll in Medicare as
providers or suppliers.
With respect to the data analysis we used, we furnished information
in the proposed rule regarding our reasons for assigning certain
provider and supplier types to limited, moderate or high level of
screening. We relied on our experience to identify categories of
providers with a higher incidence of fraud as well as our familiarity
with types of fraudulent schemes that are currently prevalent in
Medicare. In addition, we used the expertise of our contractors charged
with identifying and investigating instances of fraudulent billing
practices in making our decisions regarding the appropriate risk
assessment of various providers. In some instances, we also relied on
the data analysis and expertise of the OIG, GAO, and other sources to
develop screening levels designed to increase scrutiny for specific
categories of providers and suppliers as the risk posed to the Medicare
and Medicaid programs increases.
Comment: A commenter asked whether CMS, in grouping all hospital
types--including specialty hospitals, physician-owned hospitals, short-
term hospitals, and acute hospitals--into one risk level, is stating
that all hospitals have the same risk. If so, the commenter requested
that CMS provide data to support this assertion and to explain why it
believes that all hospitals pose the same risk
Response: Our assignment of hospitals to the limited screening
level should not be construed as meaning that every type of hospital
poses the same exact degree of risk. We did, however, base our
assignment on the premise that all hospital provider types have certain
features in common that make them less likely to be a program integrity
concern on the whole. For example, such entities have significant start
up costs and capital and infrastructure costs. In addition, such
entities are subject to significant government oversight, at both the
State and Federal levels. Finally, such entities often are subject to
oversight from other accrediting bodies through deeming authority.
These features are, in general, less apparent with other provider and
supplier types. We note that these are not the only features we
considered when evaluating hospitals and that these features, by
themselves, are not sufficient to cause us to place a provider or
supplier type in the limited screening category.
Comment: A commenter stated that in Table 1, CMS appears not to
consider previous payment suspensions, overpayments, OIG exclusions, or
Medicare revocations in establishing higher risk levels. The commenter
recommended that CMS explain why such actions are not an indicator of
higher program risk and the need for enhanced screening.
Response: As mentioned previously, we state in this final rule with
comment period that a provider or supplier will be placed into the high
screening level if the provider or supplier (or an individual who
maintains a 5 percent or greater direct or indirect ownership interest
in such provider or supplier) has had a final adverse action--as that
term is defined in Sec. 424.502--imposed against it within the
previous 10 years.
Comment: A commenter stated that because of the wide variation in
DMEPOS items and services and differing levels of behavior, CMS should
subdivide the general category of DMEPOS suppliers and assign
appropriate screening levels to each product category, rather than to
DMEPOS suppliers as a whole.
Response: We think the commenter's suggestion might lead to an
overly complex system of provider screening and related oversight
tools. Accordingly, we have decided not to create such a distinction
based on such sub-categories. At this time, we are not determining the
risk of fraud, waste, and abuse by product category.
Comment: Several commenters requested CMS to change the proposed
rule to state that both publicly traded entities and their wholly-owned
subsidiaries are afforded ``limited categorical risk'' status.
Response: As stated previously, publicly traded status is not being
included as a criterion for assigning provider or supplier categories
to screening levels. The approach taken in this final rule with comment
period whereby we assign specific categories of providers and suppliers
to screening levels determined by the categorical risk of fraud--rather
than determining individual risk--is consistent with the requirements
of the ACA.
Comment: One commenter supported CMS's proposal to place new HHAs
into the high screening level. The commenter stated that much of the
fraud and abuse that has been detected in the home health benefit is
associated with new providers, particularly in areas not subject to
certificate of need (CON) or other State controls on provider
development.
Response: We appreciate this commenter's support.
Comment: One commenter recommended that the proposed rules for
assigning screening levels for

[[Page 5878]]

existing home health and hospice providers be modified so as to more
accurately focus enforcement efforts on certain existing providers
within a particular category. More specifically, the commenter stated
that CMS can use its ample data resources to more precisely
differentiate between agencies with proven histories of good
performance and those that are either untested or have demonstrated
irregular patterns of performance. The commenter recommended that any
nonprofit home health or hospice agency that was certified in Medicare
or Medicaid before October 1, 2000, and has not been identified as
having program integrity problems, be placed in the limited risk
screening level. The commenter added that CMS should also create a
scoring algorithm that would identify those HHAs and hospices at
moderate risk based on criteria such as: (1) Years of program
participation; (2) ownership type; (3) number of medical review
requests; (4) pattern of selectively serving highly profitable cases;
(5) frequent changes in ownership; (6) geographic location; (7)
relationship to other stable (for example, hospital) or less stable
provider types (DMEPOS); and (8) current accreditation status.
Response: We did not base our development of levels of screening on
provider-specific risk assessments. As described previously, the
statutory requirements set forth in ACA guided our approach in
assigning categories of providers and suppliers to screening levels
appropriate to the risk of fraud, rather than pre-screening individuals
prior to the assignment of a screening level. Adopting the type of
scoring algorithm suggested by the commenter would automatically
provide for individual breakdowns of each HHA's or hospice's risk,
which we believe would be inconsistent with the statute and constitute
a pre-screening step in the enrollment process. We do not rule out the
possibility of using scoring algorithms in the future for other program
integrity functions or for provider and supplier enrollment, but we
decline to adopt this suggestion for enrollment screening purposes at
this time. For the reasons stated previously, we believe that the
moderate risk screening level is appropriate for currently enrolled
HHAs and hospices.
Comment: A commenter did not believe that site visits were
necessary to ensure that ambulance providers and suppliers were in
compliance with applicable program requirements. The commenter
expressed concern that the time associated with conducting pre-
enrollment site visits could slow down the enrollment process. The
commenter added that ambulance services are already subject to site
inspections by the State licensing agency (as well as other State and
Federal requirements), and that the existing procedures are sufficient
to ensure that ambulance providers and suppliers are operating in
compliance with program requirements. Another commenter stated that in
this proposed rule, CMS states that it only conducts a limited number
of unscheduled or unannounced site visits for certain provider types.
If this is based on a policy decision, the commenter requested that CMS
explain why it now believes that unscheduled or unannounced site visits
will reduce fraud, waste, and abuse. The commenter also requested a
cost/benefit analysis for its previous onsite efforts to show the
effectiveness of this new strategy. If a fiscal constraint, the
commenter requested that CMS explain: (1) Why it is spending $9 million
on grants to Senior Medicare Patrol (SMP) and millions in advertising
to promote ``Stop Medicare Fraud'' in lieu of conducting unscheduled
and unannounced site visits, and (2) where the additional funds will
come from to conduct thousands of unannounced site visits.
Response: We have been conducting site visits of one kind or
another for years, and have found such visits to be an extremely
effective tool in fighting fraud. We plan to conduct site visits
pursuant to the authorities provided in the ACA and as outlined in this
final rule with comment period. We have received many valuable tips and
other information from SMP volunteers across the country. We believe
that site visits are appropriate for ambulance companies, especially
considering that we have uncovered several instances where an enrolling
ambulance company--contrary to the information it furnished on the CMS-
855B--had no base of operations. Regarding the commenters concern about
the Senior Medicare Patrol initiative, we believe the SMP program is
outside the scope of this regulation.
Comment: With respect to whether non-practitioner-owned facilities
and suppliers should be subject to a higher level of screening than
their practitioner-owned counterparts, a commenter urged CMS to exempt
dually-enrolled physicians from enrollment screening requirements
applicable to entities only enrolling as DMEPOS suppliers. The
commenter believes it would make no sense to consider physicians
``limited risk'' while simultaneously labeling them either ``moderate
risk'' or ``high risk'' when they provide DMEPOS to their own patients.
Response: We disagree. As stated previously, the approach taken in
this final rule with comment period whereby we assign specific
categories of providers and suppliers to screening levels determines by
the assessed categorical risk of fraud--rather than determining
individual risk--is consistent with the requirements of the ACA. We
believe that each provider and supplier category must be considered on
its own merits as an entire class, rather than be sub-categorized based
on whether or not a particular provider is owned by provider subject to
the limited screening level. For reasons we have stated, both in this
final rule with comment period and in the past, newly enrolling DMEPOS
suppliers are currently subject to a higher level of scrutiny and
revalidating DMEPOS suppliers are subject to the moderate level of
screening--such as through the need to comply with the supplier
standards in Sec. 424.57(c)--because of the heightened risk posed by
this class of suppliers as a whole. We therefore decline to exempt
certain types of DMEPOS suppliers from either the moderate level of
screening for revalidating suppliers or the high level of screening for
newly enrolling suppliers.
Comment: A commenter suggested that CMS revise the enrollment
applications to include language in the certification statement so that
CMS' contractors can conduct a criminal background check on any owner,
authorized official, delegated official, managing employees and
individual practitioners during the initial enrollment process or
subsequently thereafter. The commenter believes that CMS is needlessly
limiting its ability to conduct criminal background checks.
Response: We appreciate this comment but decline to adopt this
approach. We will perform fingerprint-based criminal history record
checks of the FBI's Integrated Automated Fingerprint Identification
System consistent with the methodology specified in this rule. We do
not intend to amend the CMS-855 to include language that would expand
the use of such criminal history record checks beyond the requirements
set forth in this final rule with comment period. We think that to
conduct the same screening for all provider categories without taking
into account the variation in risk of fraud, waste or abuse would be an
inappropriate allocation of resources and would be inconsistent with
the provisions of the ACA. As stated previously, if CMS re-assigns
additional categories of providers to the high level of screening, or
expands the use of FBI

[[Page 5879]]

criminal history record checks to the other screening levels, CMS will
publish a notice in the Federal Register.
Comment: A commenter suggested that Medicare, Medicaid, and CHIP
consider bankruptcy and credit report scores during the screening
process and that CMS deny enrollment where an owner, authorized
official, or delegated official has a credit score of less than 720 or
has had a personal or business bankruptcy within the last 5 or 10
years. The commenter stated that credit score is indicative a person's
ability to manage financial assets.
Response: We decline to adopt this approach in this final rule with
comment period. We would need to perform additional study to determine
whether credit scores correlate with program integrity risk. Because we
do not have evidence to support such a relationship, we decline to
adopt this approach at this time.
Comment: Several commenters requested clarification on whether a
Federal agency or a private company will process the fingerprint card,
how CMS will safeguard this information, and how much additional time
fingerprinting will add to the screening process of new applicants.
Another commenter urged CMS to ensure that documentation concerning
fingerprints be tracked from origination to delivery to prevent loss,
and that all information be protected from FOIA disclosure.
Response: The FBI requires that fingerprints be collected and
submitted by FBI-approved ``authorized channelers.'' The FBI currently
has approved 15 such private companies to collect and submit
fingerprints to the FBI CJIS Division's Wide Area Network (WAN),
receive the criminal history record information, and submit the record
to authorized recipients, in this case CMS (or its FBI approved
outsourced contractors) for the determination of eligibility for
enrollment. CMS will use of one or more of the pre-approved authorized
channelers to collect and submit fingerprints directly to the FBI, and
CMS will ensure the written proposal(s) provided by the selected
channeler(s) contains the appropriate assurances of compliance with
privacy and security considerations mandated by the Compact Council
(the national independent authority that regulates and facilitates the
exchange of noncriminal justice criminal history record information)
and as required by 28 CFR part 906. Additionally, CMS will adhere to
the Compact Council's Security and Management Control Outsourcing
Standard for Channelers. The use of authorized channelers effectively
means CMS never has custody of the submitted fingerprints, only the
resulting criminal history record. CMS will, of course, protect the
information in the criminal history record according to existing
Federal standards and procedures that govern personally identifiable
information.
After further consideration of the proposed requirement that all
required applicants submit their fingerprints on the FD-258 card, CMS
has removed the requirement to use only the FD-258 card from this final
rule with comment period. CMS strongly encourages all required
applicants to provide electronic fingerprints to the CMS-selected
authorized channeler, but will also accept the FD-258 card. As stated
previously, CMS and the authorized channeler will safeguard the
information as required by the existing requirements of the Compact
Council, and specifically the Compact Council's Security and Management
Control Outsourcing Standard for Non-Channelers and Channelers and the
FBI's Criminal Justice Information System's Security Policy.
We believe the additional time for a contractor's processing of the
application in light of the fingerprint-based criminal history record
check will be minimal for those applicants who submit electronic
fingerprints. Applicants who submit the FD-258 card will experience an
extended processing time as the authorized channeler selected by CMS
will have to convert the paper print into a electronic submission so
that the FBI can quickly process all requests. The FBI processing of
the electronic prints occurs within 24 hours of receipt from the
authorized channeler, and the authorized channeler will receive and
transmit the report to CMS. The report will be reviewed for
disqualifying felonies and omitted information as outlined in existing
regulations at Sec. 424.530(a) for enrollment and at Sec. 424.535(a)
for revalidation and once the fitness determination has been made, the
appropriate contractor will process the enrollment application as
before. CMS believes this process will not cause significant delays to
the enrollment process.
As stated previously, CMS and our Medicare contractors will protect
individuals' information under the Privacy Act, 5 U.S.C. 552a and the
Privacy Act system of records notice for this information. We recognize
that the safeguarding of individual privacy and ensuring the security
of fingerprints collected under this regulation is a serious concern.
We will ensure that these concerns are addressed and that all necessary
safeguards are implemented to protect this information -from both
privacy and security standpoints--when we issue guidance on
fingerprint-based criminal history record checks following the
publication of this final rule with comment period. We will ensure that
fingerprint documentation is fully protected to the extent required by
Federal law.
As stated previously, the fingerprint-based criminal history record
check will be required 60 days following the publication of
subregulatory guidance. All other screening requirements are effective
on March 25, 2011 for those in the ``high'' screening level. The delay
in the effective date for the fingerprint-based criminal history check
will permit CMS to coordinate the implementation of this new process
with our law enforcement partners, ensure that all concerns related to
privacy are addressed, educate our providers and suppliers about the
new process, and ensure that our contractors are adequately prepared to
implement this new process so that the implementation of this new
process does not cause any undue delay.
Comment: A commenter stated that while CMS assigns CMHCs to the
moderate screening level, CMS has not taken steps to implement section
1301 of the Health Care and Education Reconciliation Act of 2010
(collectively, the Affordable Care Act), which requires that CMHCs
provide at least 40 percent of its services to individuals who are not
eligible for benefits. The commenter recommended that CMS consider
CMHCs as a ``high'' categorical screening risk until CMS implements
section 1301 of the ACA.
Response: For reasons already explained, we believe that CMHCs are
most appropriately assigned to the moderate screening level. Section
1301 of ACA is not a part of this rule.
Comment: Several commenters requested that CMS consider
establishing criteria for making assignments to screening levels before
moving forward with this rule.
Response: We explain in the preamble the criteria and factors we
used for our placement of various provider and supplier types into
particular levels. These factors include our experience with claims
data used to identify fraudulent billing practices, as well as the
expertise developed by our contractors charged with investigating and
identifying instances of Medicare fraud across multiple categories of
providers. In addition, we have relied on insights gained from numerous
studies conducted by the HHS OIG, GAO, and other sources.

[[Page 5880]]

Comment: A commenter requested that a fourth level of ``no risk''
be established. This is to reflect positively on providers who have had
no incidents of fraud, waste or abuse.
Response: We do not believe it is appropriate to create a ``no
risk'' level as the limited level of screening represents the baseline
screening requirements for entry into the Medicare program. We believe
that fraud, waste and abuse can occur at any time and among any
provider or supplier category. Our screening methodology is designed to
match an appropriate level of screening to provider or supplier
categories based on level of risk of fraud, waste or abuse posed by the
provider or supplier category.
Comment: A commenter requested clarification regarding whether CMS
will conduct TIN matches with the IRS via an automated match or whether
the provider will be required to sign an I-9 verification form. The
commenter also asked whether CMS will conduct tax delinquency database
matches with the IRS and the authority for such a match. In both cases,
the commenter recommended that CMS establish new denial and revocation
reasons if the TIN does not match or there is a tax delinquency.
Response: We currently verify the provider's TIN as part of the
enrollment process; if the TIN does not match the provider's legal
business name, the application will be denied, or, if enrolled, the
provider's billing privileges will be revoked. However, we have removed
references to tax delinquencies as a component of the screening
methodology from this rule. While we do plan to implement provisions
that will allow us to coordinate enrollment decisions with data
obtained from the Internal Revenue Service--for instance, potentially
denying an application based on tax delinquency information from the
IRS--such an effort is not a part of this rule.
Comment: A commenter stated that CMS's proposed ``limited risk''
classification for publicly traded companies does not explicitly afford
the same treatment to subsidiaries of publicly traded providers and
suppliers. Several commenters recommended that majority owned
subsidiaries of publicly traded providers and suppliers be treated the
same as their publicly traded parents. Specifically, since subsidiaries
of publicly traded providers and suppliers are subject to substantially
similar oversight and scrutiny, the commenter proposed that all
providers and suppliers--regardless of whether the parent is enrolled--
that are at least majority owned, directly or indirectly, by a publicly
traded provider or supplier be assigned to the limited risk level for
screening. The commenter suggested that proposed Sec. 424.518(a)(2) be
revised to read as follows: ``(2) When CMS designates a provider or
supplier into the ''limited'' categorical level of screening, the
provider or supplier is publicly traded on the New York Stock Exchange
(NYSE) or the National Association of Securities Dealers Automated
Quotation System (NASDAQ), or the provider or supplier is majority
owned, directly or indirectly, by an organization publicly traded on
the NYSE or NASDAQ * * *.''. Another commenter stated that subjecting
different providers under a hospital to different levels of scrutiny
could cause confusion and unnecessary hardship.
Response: For reasons already stated, we have eliminated the
distinction between publicly traded and private companies and have
declined to subcategorize individual providers and suppliers based on
their ownership.
Comment: A commenter stated that while subjecting newly enrolling
DMEPOS suppliers to stringent screening may be proper, an enrolled
DMEPOS supplier that reenrolls following an ownership change should not
be subject to the same screening as a newly established supplier. It
should instead be treated as moderate risk, just as enrolled suppliers
that revalidate their enrollment information. The commenter contended
that the seller's business, much of which remains after the purchase,
has already been verified and authenticated; if CMS and the NSC subject
the purchaser to stringent enrollment screening, they will duplicate
the work that they have already done to validate and inspect the
purchased business, wasting resources. It could also delay the new
owner's receipt of a Medicare number, which could disrupt the
continuity of business and patient care. The commenter added that if
CMS does not agree that an enrollment following an ownership change of
an enrolled DMEPOS supplier should be moderate risk, CMS should
formally state that purchasers of enrolled DMEPOS suppliers will
receive new Medicare numbers with billing privileges retroactive to the
purchase date. In closing, the commenter stated that the proposed rule
is a dramatic change to the existing methods of Medicare enrollment;
while change to prevent fraud and abuse is advisable, such change
should not harm honest providers and suppliers who strive to provide
high quality service to Medicare beneficiaries. Another comment stated
the purchaser of an existing community pharmacy DME supplier store
should be screened as a moderate (not a high) risk supplier during
reenrollment.
Response: We disagree that a DMEPOS supplier undergoing a change of
ownership should be assigned to the as moderate screening level. For
purposes of enrollment, a DMEPOS supplier undergoing a change of
ownership is treated and must enroll as a new supplier. Hence, since
all newly-enrolling DMEPOS suppliers are subject to a ``high'' level of
screening, we believe DMEPOS suppliers undergoing a change of ownership
should also be subject to a ``high'' level of screening. Further, the
screening requirements in the high screening level include a
fingerprint-based criminal history record check of any individual with
direct or indirect ownership of 5 percent or greater. Therefore,
enrollment screening after a change in ownership has clear value to the
enrollment process, and we disagree that it would be a waste of
resources. Currently-enrolled (revalidating) DMEPOS suppliers are
assigned to the moderate level of screening.
Comment: A commenter stated that certified orthotic and prosthetic
DMEPOS suppliers and American Board for Certification in Orthotics and
Prosthetics (ABC)-accredited DMEPOS suppliers should be assigned to the
limited screening level. The commenter stated that accreditation is not
an easy standard to meet, and asked CMS to investigate whether there
are any studies or other evidence that indicate that ABC Accredited
Facilities and/or ABC Certified practitioners as a DMEPOS subcategory
pose an elevated risk to the Medicare program. If there are not, such
suppliers should be subject to limited screening.
Response: We believe the commenter is asserting that accreditation
bodies perform a sufficient level of oversight to ensure that the
entities they accredit are a low program integrity risk. We do not
believe this is true. The accreditation bodies help verify the
supplier's compliance with DMEPOS standards, rather than assess the
supplier's risk of fraud, waste and abuse. Accordingly, we decline to
assign entities accredited by ABC or any other accrediting organization
to the limited screening level solely on that basis.
Comment: A commenter contended that in States without licensure, if
a DMEPOS supplier is practitioner-owned and one or more of the
practitioners is certified by ABC (accrediting body referenced in
section 427 of the Medicare, Medicaid, and SCHIP Benefits Improvement
and Protection Act of 2000 (BIPA)), or if the facility itself has been
accredited by one of these entities, it should be as assigned

[[Page 5881]]

to the limited screening level. The practitioner being credentialed in
either of these ways has demonstrated a commitment to quality.
Response: As already stated, we decline to subcategorize individual
providers and suppliers based on their ownership and do not believe
accreditation--standing alone--should be the foremost indicator of
fraud and abuse risk.
Comment: One commenter stated that chain pharmacies should be
exempt from the increased screening levels and screening procedures, as
they are already subject to significant regulation within their
respective States.
Response: We disagree. For the same reason that we cited for
eliminating the distinction between publicly traded and non-publicly
traded or public or non-public ownership status as a basis for
determining screening level, state regulation of chain DMEPOS suppliers
is not in itself a sufficient indicator of the risk of fraud, waste or
abuse posed by a particular category of provider or supplier. The fact
that a particular provider or supplier type may be regulated by the
State is not adequate grounds for placing it in a lower screening
level.
Comment: A commenter stated that the proposed provisions punish
legitimate providers and that the most egregious fraud is committed by
scam artists and organized crime. The commenter expressed concern that
small practices will be driven out of business. In light of CMS's
proposed exemption for public companies, one or two large national
companies may be the only ones ``left standing'' and will have a
monopoly. CMS, the commenter argued, will then be unable to objectively
compare ``best practices'' or to objectively evaluate trends in care,
and that patients will not have a choice for their care.
Response: As already stated, we have eliminated the distinction
between publicly held and private companies. In addition, we believe
that the proposed provisions will help stem the fraud that both the
commenter and we are concerned about.
Comment: A commenter recommended that CMS provide the analysis for
which it based its risk assignment decisions for limited and moderate
screening levels. The commenter also recommended that CMS consider the
Medicare and Medicaid error rates for each provider or supplier in
establishing its screening levels. Finally, the commenter also
requested the following data for each type of Medicare provider and
supplier for 2008, 2009, and 2010:
Number of Medicare revocations.
Number of Medicare payment suspension.
Number of Medicare overpayment.
Medicare error rate.
Medicaid error rate.
CMPs.
Convictions by the Department of Justice.
HHS OIG mandatory exclusions under 1128 of the Act.
HHS OIG permissive exclusions under 1128 of the Act.
Response: We based our risk assessments on a variety of factors,
including some of those listed by the commenter as well as others.
However, because our conclusions were not based on any one factor nor
any specific combination of factors, but rather on CMS's aggregate
experience with each provider and supplier type, providing the data
requested by the commenter would not serve to clarify the
determinations of risk.
Comment: A commenter stated that the proposed screening approach in
the proposed rule is simplistic at best and flawed at worst. The
commenter did not believe provider type is the only measure of risk of
fraud. To address those individuals and organizations who intend to
enroll for the sole purpose of committing fraud, CMS must: (1) Consider
the provider's past experience with Medicare, Medicaid, or CHIP; (2)
coordinate enrollment and billing issues with commercial health plans,
Medicaid and CHIP; and (3) establish more stringent program
requirements. The commenter believes that CMS did not offer any
enhanced program requirements in the proposed rule, the rule does not
reduce the ``pay and chase'' approach used by CMS and OIG today.
Response: We disagree, and believe that the program safeguard
measures outlined in this final rule with comment period will greatly
assist in reducing fraudulent activity. We believe several of the
elements proposed by the commenter are inherent in this rule. First,
under the final rule with comment period, final adverse actions will
lead to a high screening level assignment and the use of additional
screening tools. Second, with regard to more stringent program
safeguards, we believe there is much in this final rule with comment
period to bolster our efforts at combating fraud, waste, and abuse For
example, in this final rule with comment period, we are expanding the
instances in which we can impose a payment suspension. Furthermore, for
the first time in the history of the programs, we will be able to
impose an enrollment moratorium in order to combat fraud, waste, and
abuse. Accordingly, we believe the new authorities that we are
implementing under the ACA will assist us in strengthening our program
integrity efforts.
Comment: A commenter recommended that the following be placed into
the high screening level: (1) Any provider or supplier that is not
State licensed, and (2) any owner, authorized official, delegated
official, physician or non-physician practitioner who has ever been
excluded by the OIG, revoked by Medicare, or had a State license
revocation or suspension.
Response: We stated previously that merely because a particular
provider or supplier type may be regulated by the State is not in and
of itself adequate grounds for placing it in a lower screening level.
By the same token, we do not believe that a failure to be licensed by
the State should automatically place the provider or supplier in a high
screening level, as the State may not have licensure requirements for
that particular provider or supplier type. In addition, the standards
for licensure vary among the States and Territories such that these are
largely out of our control. With regard to the commenter's second
suggestion, we again note that Sec. 424.518(c) of the final rule with
comment period states that a provider or supplier will be moved from
the ``limited'' or ``moderate'' level to the ``high'' level if it has
had final adverse actions imposed against it.
Comment: A commenter recommended that CMS explain why it did not
consider comments regarding publicly traded companies in the final rule
with comment period; Home Health Prospective Payment System Rate Update
for Calendar Year 2011; Changes in Certification Requirements for Home
Health Agencies and Hospices, when developing the proposed policy found
in the proposed rule to this final rule with comment period.
Response: This rule and the rule that the commenter references deal
with different issues. Each was developed and considered on its own
merits.
Comment: A commenter supported CMS's placement of hospitals and
physicians into the limited screening level. However, the commenter
disagreed that publicly traded DMEPOS suppliers or HHAs would have less
risk. The commenter also stated that the providers and suppliers that
are designated as ``high risk'' or ``moderate risk'' but which are
members of, operate as a part of, or are owned by a hospital or a
health system, should instead fall under the same risk assignment as
the hospital. Such providers and suppliers

[[Page 5882]]

are part of larger established organizations that have high levels of
accountability to their internal governance structures and have
longstanding relationships with and responsibility to their local
communities.
Response: For reasons already stated, we have eliminated the
distinction between publicly traded and private companies and have
declined to subcategorize individual providers and suppliers based on
their ownership.
Comment: Several commenters requested greater specificity regarding
what level of managing employees would be subject to the screening
requirements for high risk providers and suppliers. Some of them
requested that for large provider organizations, only the highest-level
managing employees who operate or manage, or who oversee the operation
of the entire healthcare organization--and not lower-level managers of
individual departments or functions--should be subject to the enhanced
screening procedures.
Response: In this final rule with comment period, we will only
apply the screening requirements for high screening level providers and
suppliers to individuals with a 5 percent or greater direct or indirect
ownership interest. Officers, directors, and managing employees--to the
extent that they do not have a 5 percent or greater ownership
interest--will not be subject to fingerprint-based criminal background
checks. However, we intend to monitor the situation and may seek to
extend the scope of fingerprint-based criminal background checks in the
future if circumstances warrant.
Comment: A commenter stated that hospitals should be exempted from
all screening levels--even the limited screening level--if they are
State-licensed and accredited.
Response: We disagree with this commenter. To exempt a provider or
supplier from any screening level would be the equivalent of stating
that the provider need not undergo even the most basic verification
requirements used under the limited risk level of screening.
Comment: Several commenters supported site visits as a tool to
improve program integrity, but believes that they could disrupt or
administratively burden a legitimate provider or supplier's business
operations. They recommended that CMS limit the purpose of these site
visits to verifying that the provider/supplier exists and is
operational; other matters that would require significant management
and clinical staff time should be handled through separately scheduled
site visits. Several other commenters believe that site visits were
appropriate, but said that the number of such visits must be reasonable
for the circumstances and should only increase if inappropriate
activity is suspected. In addition, another commenter suggested that as
part of a DMEPOS site visit, the auditor should confirm with the owner
of the warehouse or facility the terms of the lease; for HHAs, the
auditor should confirm that the HHA has been using the OASIS form and
that a sample of Patient Plan of Care medical records/files can be
directly linked to an OASIS document.
Response: We decline to state that site visits will always be
limited to verifying whether the provider or supplier is operational.
We must retain the flexibility to conduct a closer on-site review if
warranted.
Comment: One commenter stated that classifying DMEPOS suppliers
that are physician-owned as high risk could pose a significant
disincentive to office-based physicians to continue offering DMEPOS
supplies to their patients. The commenter stated that there has been
little to no documentation of fraud, waste, or abuse in this category
of DMEPOS, and that these suppliers should be exempted from the high
risk level of screening.
Response: For reasons already stated, we have declined to
subcategorize individual providers and suppliers based on their
ownership.
Comment: Several commenters stated that the risk assessments of
specific providers should not be made public.
Response: To the extent allowed by Federal law, we will not release
to the general public the risk assessment of an individual provider or
supplier. Thus when an individual provider or supplier is elevated in
screening level as a result of a triggering event in Sec. 424.518 and
Sec. 455.450, we will not publish the individual provider's or
supplier's name.
Comment: Several commenters supported the creation of limited,
moderate, and high screening levels, as well as the proposal to place
physicians into the limited screening levels. They added that CMS
should use public notice and comment prior to modifying the process or
revising level assignments based on new criteria.
Response: We appreciate the commenters support and will publish
notice in the Federal Register regarding changes in assignment or
levels of screening specified at Sec. 424.518 and Sec. 455. 450.
However, as mentioned previously, we will not publish information about
an individual provider or supplier that meets certain triggering events
as described in these sections.
Comment: A commenter opposed ``geographical circumstances'' as a
possible criterion for adjusting a provider or supplier's screening
level. This would deny all providers and suppliers in the specified
geographic area basic due process and could seriously damage
beneficiary access to health care providers and services in the
impacted area.
Response: We are not adopting ``geographic circumstances'' as a
criterion for adjusting a provider or supplier's screening level at
this time. We believe that should circumstances arise where we have
concerns about a provider or supplier type in a geographic area, the
authority to impose an enrollment moratorium, as detailed in this rule,
will provide program integrity protection. However, we do retain the
authority to add geographic location as a criterion for adjusting a
provider or supplier's screening level through future rulemaking.
Comment: Several commenters opposed the proposal to re-assign
physicians from the ``limited'' or ``moderate'' screening level to the
``high'' screening level when CMS has evidence from or concerning a
physician that another individual is using their identity within the
Medicare program. Classifying physicians who have been the victims of
identity theft to the high screening level would stigmatize the
physician and create a presumption that he/she has engaged in conduct
warranting heightened scrutiny. They urged CMS to establish a fourth
level, which signifies a heightened level of risk to Federal health
care programs as a result of compromised physician identity or identity
theft. Another commenter requested that CMS clarify that it will be the
offender who is subjected to additional scrutiny and that the victim
will not be penalized for the actions of the offender. Another
commenter, however, supported CMS's proposal to adjust the categorical
screening level if a practitioner notifies CMS or its contractor that
another individual is using his or her identity within the Medicare
program, and to require fingerprinting of high risk provider and
supplier types (but not of individual practitioners who have been the
victim of identity or provider number theft).
Response: We stress that we will work closely with law enforcement
against those individuals who are perpetrating Medicare identity theft.
We do not plan to use screening tools to address identity theft
concerns as it would not be an adequate response. We believe

[[Page 5883]]

identity theft concerns are most appropriately handled by our law
enforcement partners.
Comment: A commenter requested clarification as to the screening
level assignment of in-home supportive services (IHSS). If they fall
into the ``moderate'' level, as do home health agencies, the commenter
expressed concern that site visits could burden program recipients.
Response: Medicare does not recognize ``in home supportive
services'' as a specific category of provider or supplier. To the
extent that the IHSS supplier is or will be enrolling in Medicare or
Medicaid as a HHA, it will be subject to the same requirements and
standards as all other HHAs. As for the site visits, they will
generally be conducted at the HHA's physical locations.
Comment: Several commenters expressed concern with the proposal to
re-assign physicians (and other providers/suppliers) from the
``limited'' or ``moderate'' screening levels to the ``high'' screening
level if a physician has had billing privileges revoked by a Medicare
contractor within the previous ten years. Billing privileges can be
revoked for a number of reasons unrelated to fraud, waste, or abuse,
such as a failure to respond to a request for revalidation
documentation within stringent contractor imposed deadlines. They urged
CMS to differentiate between a temporary revocation of billing
privileges and revocations based on actual misconduct by a provider or
supplier.
Response: As stated earlier, revocation is undertaken as an
administrative remedy only if clearly justified. Also, there is an
appeals process in place for provider revocations. Should a revocation
be rescinded, the provider or supplier would be restored to its
previous screening level.
Comment: A commenter urged CMS to exercise the temporary moratorium
authority judiciously and to exempt physicians from re-assignment from
level I (limited) to level III (high) if physicians are ever subject to
the temporary moratorium; this would include an exemption for
physicians enrolled as DMEPOS suppliers if the latter are subject to a
moratorium.
Response: We believe this commenter is addressing a concern that if
a moratorium is imposed on a category of providers that includes
physicians or physician-owned DMEPOS suppliers, that when the
moratorium is lifted the provider or supplier category to which the
moratorium applied would be moved to the high screening level for 6
months following the lifting of the moratorium. The commenter is asking
for an exception to this proposal. A moratorium may be imposed if there
is a heightened risk of fraud, waste or abuse in a particular
geographic area or involving a certain provider or supplier type. If a
particular provider or supplier type posed such a risk as to warrant a
moratorium, it would be inappropriate for us to automatically exempt it
from enhanced screening once the moratorium ends. In the event that we
were to impose a temporary moratorium on physicians or physician-owned
DMEPOS suppliers, the moratorium would be as narrowly tailored as
possible to address specific fraudulent activity.
Comment: A commenter believes that the moderate and high screening
level assignments for community pharmacies are inappropriate and
contended that: (1) all existing community pharmacy DME suppliers, as
well as new locations of existing community pharmacy DME suppliers,
should be designated as limited risk, and (2) newly enrolling community
pharmacy DME suppliers should be treated as posing a moderate risk. The
commenter stated that community pharmacies are already heavily
regulated by the States and Federal government through State boards of
pharmacy, CMS supplier standards and surety bonds, and argued that
community pharmacies are not a major source of fraud. The commenter
also urged CMS to incorporate into its final rule the same exemption
criteria that CMS's uses to exempt certain community pharmacies from
DME supplier accreditation requirements. In addition, the commenter
stated that CMS should designate community pharmacies as limited risk
suppliers if: (1) They have had a supplier number for at least 5 years;
(2) their DME sales are less than 5 percent of their total sales over
the last 3 years; and (3) they have not received a final adverse action
against them in the past 5 years. Another commenter stated that DMEPOS
sales are but a small portion of genuine community pharmacy sales.
Accordingly, the proposal regarding unannounced pre- and/or post-
enrollment site visits for moderate risk suppliers and criminal
background checks and fingerprinting for high risk suppliers may prove
unbearably costly and burdensome to community pharmacies. The commenter
added that it could lead to community pharmacies to stop supplying DME
products, causing access problems.
Response: As already stated, all newly-enrolling DMEPOS suppliers,
regardless of sub-type or ownership, will be placed in the high level
of categorical screening. This includes new DMEPOS locations, which
have long been treated as initial enrollments. Moreover, we do not
believe it is appropriate to apply the community pharmacy exemption for
accreditation to the risk classifications, as the standards for
accreditation are different from the criteria we are using for the risk
classifications.
Comment: A commenter urged CMS to more narrowly tailor its risk
assignments of provider or supplier types by geography, so that DMEPOS
suppliers in many areas of the country are not unfairly grouped into a
higher screening level merely because those same DME supplier types
pose major fraud risks in other limited areas of the country.
Response: We disagree. While some areas of the country are
undeniably more prone to fraud than others, fraudulent activity can
occur anywhere. Furthermore, we believe it most objective to apply the
same standard to all parts of the country and use other tools to
narrowly tailor our approach when necessary, including the enrollment
moratoria provision set forth in this final rule with comment period.
Comment: A commenter requested clarification on whether an existing
community pharmacy DME supplier that seeks to add a new DMEPOS supplier
store would fall under the moderate or high screening level under the
proposed rule. The commenter believes this should fall within the
moderate screening level.
Response: As already stated, the addition of a new DMEPOS location
would be subject to the level or screening specified for providers and
suppliers assigned to the high screening level.
Comment: A commenter expressed concern that the Medicare contractor
may not know which companies are publicly traded.
Response: We have eliminated the distinction between publicly
traded and non-publicly traded companies; as such, this comment is no
longer applicable.
Comment: One commenter stated that on June 23, 2010, the Director
of the Office of Management and Budget published a memorandum titled,
``Enhancing Payment Accuracy'' through a ``Do Not Pay List''; this
Presidential document stated that, ``At a minimum, agencies shall,
before payment and award, check the following existing databases (where
applicable and permitted by law) to verify eligibility: the Social
Security Administration Death Master File, the GSA's EPLS, the
Department of the Treasury's Debt

[[Page 5884]]

Check Database, the Department of Housing and Urban Development's
(DHUD) Credit Alert System or Credit Alert Interactive Voice Response
System and the DHHS OIG LEIE.'' The commenter stated that CMS should
explain why the proposed rule does not mention these verification
sources.
Response: Medicare contractors have long been required to review
the EPLS and the LEIE prior to enrolling a provider or supplier in
Medicare. In addition, providers, suppliers and their owners and
managers are currently reviewed against the SSA Death Master File. As
for the DHUD Credit Alert System and the Department of the Treasury's
Debt Check Database, we understand the Presidential memorandum requires
review of these systems prior to payment or award and will integrate
their use as appropriate in our protocols.
Comment: Several commenters supported the placement of hospitals in
the limited screening level. However, they added that high risk or
moderate risk providers and suppliers that are members of, operate as a
part of, or are owned by a hospital or a health system, should instead
fall under the same limited risk assignment that CMS proposes for
hospitals.
Response: Again, for reasons already mentioned, we have declined to
subcategorize individual providers and suppliers based on their
ownership.
Comment: Several commenters stated that in States with orthotic and
prosthetic licensure, orthotic and prosthetic DMEPOS suppliers should
be designated as limited risk, as there is no evidence of significant
elevated risk for such licensed professionals. In States without
orthotic and prosthetic licensure, several commenters stated that the
supplier should be treated as limited risk if: (1) One or more of the
supplier's practitioners are certified by the American Board for
Certification of Orthotics, Prosthetics and Pedorthics or the Board of
Certification/Accreditation International, or (2) the supplier itself
has been accredited by one of these entities. Other commenters stated
that if the orthotic and prosthetic supplier is not practitioner owned,
but has been in business at least 3 years, it should be considered
limited risk due to a demonstrated lack of inappropriate billings over
time; if it is not practitioner-owned and has not been in business at
least 3 years, it should be rated as a moderate risk. Finally, the
commenters objected to the proposed risk provision for this risk
assignment provision because: (1) Orthotics and prosthetics is not part
of DME, and has significantly lower fraud and abuse risks; and (2)
there has not been sufficient consideration of the impact of number of
years in business, or accreditation/certification status as factors
that diminish risk.
Response: As stated earlier, we do not believe certification or
accreditation to be dispositive of risk for fraud and decline to adopt
this suggestion. While we appreciate the commenter's suggestion that we
should look at length of time in business as a means of supporting the
assessment of risk, we believe that OIG and GAO reports and experiences
are instructive and rely on those as well as our own data to support
the assignment to levels of screening that we finalize in this rule.
Comment: A commenter expressed concern that the time and cost
necessary to comply with the requirements in the proposed rule is a
significant burden on small providers, in light of all of the other
requirements they are subjected to. The commenter stated that for
reasons of reduced risk, time in business and demonstrated commitment
to quality, no certified practitioner or accredited orthotist or
prosthetist facility should be subject to background checks and
fingerprinting.
Response: We decline to adopt this suggestion; to do so would
foreclose the possibility that any high risk practitioner or orthotic
or prosthetic facility would be subject to enhanced scrutiny.
Comment: A commenter questioned whether requirements such as
fingerprinting will accomplish CMS's goal of tracking violators, since
CMS will have no way to ensure that the person providing the
fingerprints is the person rendering the care. The commenter also
questioned whether fingerprinting will help prevent identity theft for
physicians.
Response: We are confident that fingerprint-based criminal history
record checks will enable us to identify individuals who violate CMS
existing regulations at Sec. 424.530(a) and Sec. 424.535(a), and
appropriately deny or revoke Medicare billing privileges in these
circumstances. This screening tool is intended to prevent individuals
who pose an elevated risk of fraud, waste, and abuse from enrolling in
the programs. Physicians will not be subject to the fingerprint-based
criminal history check if they are not in the high screening level.
Physicians as a category are in the limited screening level and
providers and suppliers in the limited screening level are not subject
to fingerprint-based requirements as are individuals and entities in
the high screening level. The submission of fingerprints for the
purposes of an FBI criminal history record check is not intended to
address identity theft concerns.
Comment: A commenter stated that raising a supplier's screening
level seems reasonable only if the supplier has come under a payment
suspension or if after investigation, the type of provider and the
services it will render are not congruent on its enrollment
application.
Response: We disagree. There are, as explained in this final rule
with comment period, a variety of final adverse actions that we believe
warrant the placement of a provider or supplier in a higher screening
level. Payment suspensions and inconsistent information on the
enrollment application should not be the only two grounds for elevating
a provider's screening level.
Comment: A commenter stated that with regard to the ``high''
screening level, although government enforcement efforts to date have
shown fraud, waste and abuse issues with HHAs and DMEPOS suppliers in
certain geographical regions (for example, South Florida, Texas, and
California), it is not clear that issues with such entities are
national. Because the criminal background checks and fingerprints are
onerous requirements that are not currently used by Medicare, the
commenter stated that CMS should limit itself to introducing such
requirements in high risk geographic areas, rather than nationally, at
least at this stage. Moreover, the commenter stated that CMS has
neither provided the data nor made the convincing case that its
proposed changes will deliver results to justify the extent to which
the rules would intrude on normal patient care and business practices.
With respect to orthotic and prosthetic suppliers, the commenter urged
CMS to adopt a more realistic approach that cracks down on fraudulent
providers, without either considering every provider to be a crook, or
adding huge regulatory burdens that could put honest, legitimate, hard-
working orthotic and prosthetic suppliers out of business.
Response: We disagree that our enhanced screening procedures should
initially be restricted to high risk geographical areas. While some
regions of the country evidence fraud, waste and abuse more than
others, fraudulent activity can occur anywhere. In addition, we believe
that a national approach is most objective in implementing the
screening provisions herein. We will rely on other program integrity
tools, including, without limitation, the enrollment moratoria
authority contained within this rule, to

[[Page 5885]]

address concerns in particular locales. Moreover, CMS will monitor
implementation of the final requirements on provider and supplier
screening with respect to patient care and business practices.
Comment: A commenter stated that with respect to changing a health
care provider's level of screening, the basis for this determination
should be on information released during 2011 and beyond.
Response: We disagree. We have found that long-term trends (for
example, data from 2005 through 2009) are often good indicators of
potential fraudulent activity.
Comment: A commenter suggested that CMS establish certain
exemptions to DMEPOS suppliers prior to a company being deemed a
moderate or high risk supplier, such as: (1) A multiple year history as
a DMEPOS provider; (2) award of a DMEPOS competitive bidding contract
(where CMS itself has extensively reviewed the financials of contracted
suppliers); and (3) accreditation by a CMS-approved third party.
Response: We did not base our development of levels of screening
and the assignment of provider and supplier categories to these levels
of screening of fraud, waste or abuse on the past experience of
specific individual providers. Rather, it is based on collective
experience of provider and supplier categories. Furthermore, we do not
believe length of time in business is an appropriate determination of
fraud risk. Similarly, as described previously, we do not believe
accreditation is--in and of itself--an indication that a provider or
supplier should be assigned to the limited screening level. Finally, we
decline to accept the commenter's suggestion that the award of a DMEPOS
competitive bidding contract should provide an exemption from the
assignment specified in this rule. The criteria for competitive bidding
are different than those that we are using to determine the appropriate
screening level appropriate to particular categories of provider or
supplier.
Comment: A commenter stated that any criteria utilized by CMS to
assign screening levels should be made public, and that CMS should
regularly review its assignment to screening levels. The commenter
questioned whether automatically applying the proposed additional
screening measures for providers and suppliers assigned to the moderate
and high levels will be effective in shutting-out sham suppliers and
past violators from participating in Medicare, particularly since these
safeguards do not protect Medicare against criminals who use a shell as
the owner of record to avoid detection. The commenter believes that the
recently implemented accreditation and bonding requirements for DMEPOS
suppliers are a stronger deterrent in ensuring that fraudulent
suppliers are not able to participate in Medicare, and recommended that
CMS first determine whether these requirements adequately deter fraud
before imposing additional and arguably less effective safeguards,
especially considering the cost and burden of these new requirements.
Response: Criteria for the risk assessments were discussed in the
proposed rule and this final rule with comment period. The criteria
will be reviewed on a consistent and ongoing basis, and in the event we
decide to update the assignment of screening levels, we will publish a
regulatory document in the Federal Register. We do not believe, though,
that we should wait for the results of the accreditation and surety
bond requirements before taking additional steps to address program
integrity problems related to DMEPOS suppliers. Indeed, it could take
several years for the full impact of the surety bond and accreditation
requirements to take effect on our anti-fraud efforts. As such, we do
not believe it to be premature to assign newly-enrolling DMEPOS
suppliers to the high screening level and require enhanced screening
pursuant to this rule. It is our expectation that all of these program
integrity protections together will lessen the risk of fraud and abuse
in the Medicare program.
Comment: A commenter stated that the language in Sec. 424.500, et
seq., does not define ``Medicare contractor,'' and the verbiage in the
preamble is somewhat vague. The commenter requested clarification as
to: (1) The contractors that will be conducting the on-site visits, (2)
whether this approach will be uniform across the country, and (3) the
training and experience the individuals conducting these visits will
have.
Response: Since the term ``Medicare contractors,'' as used strictly
in the provider enrollment context, is generally understood and
recognized by the provider community to mean the entities that process
CMS-855 provider enrollment applications, we do not believe it is
necessary to include a formal definition of this term in this final
rule with comment period. The contractors that will conduct site visits
will vary, as will the scope and breadth of individual visits; however,
such site visits will be in accordance with guidance issued by CMS.
Those who will conduct site visits will receive appropriate
instructions and oversight regarding the performance of the visits.
Comment: Several commenters stated that HHAs and hospices are
already subject to a State survey prior to enrollment--as well as on a
periodic basis thereafter--thus making a site visit superfluous. As
such, initially enrolling HHAs and hospices should be included in the
limited screening level rather than in the moderate screening level. A
commenter also stated that including all revalidating HHAs, hospices
and DME suppliers in the moderate screening level is unfair and
inappropriate, as they are already established providers; the commenter
believes it should be exempt from the site visit requirement if it has
been in existence for at least 5 years and there is no reason to
suspect fraudulent activity. The commenter added, however, that
additional site visits and increased medical review during the
provider's first 5 years of enrollment could be performed to ensure
compliance. Another commenter stated that it would be better to conduct
HHA site visits, if they had to be performed, with existing or recent
patients in their homes, since most care is provided to patients in
their homes; care is not provided in the HHA or hospice office.
Response: We do not believe that a site visit is superfluous. Due
to the length of the enrollment, survey, and certification processes,
we believe it is important for us to institute verification activities
at multiple points during this period, and not to restrict its
validation efforts to the enrollment process and the State survey.
Moreover, we do not believe that site visits should be limited to
providers who have been enrolled for less than 5 years, as we do not
have data to suggest that those who have been enrolled for 5 years or
more present less of a fraud, waste, and abuse concern than newly
enrolled providers and suppliers. Finally, and as mentioned earlier,
provider enrollment site visits will be conducted at the HHA's physical
locations.
Comment: A commenter asked CMS to describe the process the Medicare
contractors are using to review State licensing data on a monthly
basis. The commenter also requested clarification as to whether the
reference to ``non-public, non-government owned'' applies only to
affiliated ambulance services suppliers, or extends to the other
provider types listed in the moderate level.
Response: The contractors use various processes to review licensure
data; frequently, this is an automated process. With regard to the
clarification requested, the term as used in the NPRM applied only to
ambulance

[[Page 5886]]

suppliers. However, as we have eliminated the distinction between
public and non-public ambulance service providers, this comment is no
longer applicable.
Comment: A commenter suggested that CMS consider reclassifying
providers and suppliers in the ``moderate'' and ``high'' screening
level to the ``limited'' risk level if the provider or supplier is
subject to State licensure requirements. In addition, the commenter
opposed reclassifying providers or suppliers from one screening level
to another based strictly on their geographical location. To do so
would be arbitrary, and would not reflect the risk associated with
particular provider or supplier types.
Response: As already mentioned, we do not believe that State
licensure is, in and of itself, indicative of a limited risk of fraud.
In addition, we do not plan to reclassify providers or suppliers based
solely on geographical location. As stated earlier, if we identify a
concern among provider and supplier categories in a particular
geographic location, our authority to impose a temporary moratorium
will help to address those concerns. However, we do retain the
authority to add geographic location as a criterion for adjusting a
provider or supplier's screening level through future rulemaking.
Comment: A commenter expressed concern that fingerprinting: (1)
Could be very costly; (2) raises privacy and security concerns once an
organization begins to collect, maintain, administer access and store a
database of fingerprints; and (3) is technologically being replaced by
much more modern and reliable identification techniques. The commenter
urged CMS to avoid requirements for fingerprinting in screening
requirements and to use more modern techniques.
Response: As already mentioned, we believe that fingerprint-based
criminal history record checks will be an effective tool in combating
Medicare waste, fraud, and abuse. In our view, such criminal history
record checks--more effectively than a name-based background check--
will prevent ineligible individuals from enrolling in the Medicare
program. CMS believes that the cost to both the applicants for the
collection of fingerprints, and to CMS for the processing of the prints
is not unduly burdensome either to the providers and suppliers or the
agency. We would like to clarify that CMS will not be collecting and
storing any fingerprints. As mentioned earlier, the selected authorized
channeler will collect and transmit the prints electronically directly
to the FBI CJIS Division's Wide Area Network to check against the
IAFIS, the FBI maintained database. CMS will only receive the criminal
history record information, and will protect that information as the
Privacy Act requires--both from a privacy and security standpoint. In
response to the commenter's third remark, while CMS is aware of the
advances in technology in the biometric market, the FBI and State law
enforcement standard is currently the fingerprint. Once the FBI or
State law enforcement requires a new standard of identification to
access the criminal history record information, we will comply with
that standard.
Comment: A commenter suggested that in implementing the screening
requirements, CMS should minimize duplication of effort. Often the same
providers who participate in traditional Medicare are also
participating in other plans, such as Medicaid. Having separate
screenings could be burdensome and inefficient.
Response: We agree with the commenter that every possible attempt
should be made to avoid duplication of effort. To that end, we have
attempted to address this concern by providing that the States may rely
upon a screening performed by the Medicare program.
Comment: A commenter supported the concept of applying geographical
circumstances when adjusting providers or suppliers from one screening
level to another, and recommended that anti-fraud efforts be
coordinated with other payers--such as through information sharing--
because providers and suppliers perpetrating fraud do so across the
spectrum of payers, and that reality should be integrated into CMS's
overall strategy.
Response: We agree that anti-fraud efforts should be coordinated
among payors and we are taking steps to promote greater coordination.
As stated previously, we believe our temporary moratoria authority
described later in this rule will be an effective tool in particular
geographic locations. We may revisit as a factor for enrollment
screening level in future rulemaking.
Comment: Several commenters stated that new locations of currently
enrolled Medicare DMEPOS providers should be distinguished from other
providers that do not have an established record with the Medicare
program. CMS should therefore screen new locations of Medicare enrolled
suppliers in the same manner as it proposes to screen currently
enrolled providers.
Response: We disagree. As previously stated, the addition of a new
location is considered an initial enrollment. Consequently, a new
DMEPOS location will be subject to the ``high'' level of categorical
screening.
Comment: Several commenters requested that occupational and
physical therapists, including those enrolled or applying to enroll as
DMEPOS suppliers, be placed in the limited risk level.
Response: As stated earlier, all newly-enrolling DMEPOS suppliers
(including those with new practice locations), regardless of sub-type,
and including those that are owned by occupational and/or physical
therapists, will be subject to a high level of categorical screening.
For physical therapists enrolling as individuals or group practices
via, respectively, the CMS-855I and CMS-855B applications, these
suppliers will be placed in the moderate level of screening. As we
explained earlier with respect to physical therapy providers, we
believe the classification of physical therapists in the moderate level
is supported by a recent OIG report entitled ``Questionable Billing for
Medicare Outpatient Therapy Services'' (December 2010) (http://oig.hhs.gov/oei/reports/oei-04-09-00540.pdf), which found, among other
things, that Miami-Dade County had three times, and nineteen other
counties had at least twice, the national level on five of six
questionable billing characteristics.
Comment: A commenter asked whether CMS will identify the
contractors that will perform these screenings, or whether it will
accept screenings performed by commercial screening services widely
used by large employers outside the health care industry.
Response: We believe the commenter is referring to criminal
background screenings. To comply with the FBI requirements that only
authorized channelers submit fingerprints to the Wide Area Network, and
receive the criminal history record information from the FBI, CMS will
contract with a pre-approved FBI authorized channeler. In the future
guidance, CMS will identify the selected authorized channeler(s) where
individuals may have their fingerprints collected, or to whom they may
submit the FD-258 card that was completed at a local law enforcement
agency. In addition to ensuring compliance with FBI security
requirements, such authorized channelers have vendors all over the
country where individuals can have their fingerprints electronically
collected. In addition, individuals may have their prints taken on the
FD-258 paper card at a local law enforcement agency, and then have it
sent to the

[[Page 5887]]

authorized channeler to have it digitized and submitted to the FBI.
Comment: A commenter had several suggestions for screening levels.
The commenter recommended that the limited screening level include
providers affiliated with non-profit acute care hospitals or health
systems; any not-for-profit providers who have been in existence for at
least 20 years and who have filed annual cost reports (if required) for
their line of business; and any for-profit providers in business for 20
years as a single site provider. The moderate screening level should
include all other providers except those indicated in the high
screening level, plus any provider who has entered into a settlement
with a government agency (Federal, State or local) within the past 20
years, up through the most recent 5 years, where such settlement
covered any over-charge allegations. The high screening level should
include any provider who has entered into a settlement with a
government agency (Federal, State or local) for any overpayment in the
past 5 years; and any provider or group of providers which may
currently be under review for possible billing overcharges or other
violations who is seeking either a new provider number or seeking a new
provider location.
Response: We appreciate these suggestions, and may consider them as
part of a future rulemaking effort should circumstances warrant.
However, for now, and for the reasons described previously, we believe
that the screening level assignments discussed in this preamble will
best implement the statute.
Comment: A commenter recommended that CMS refrain from publicly
posting risk levels, particularly as they relate to individual
providers or group practices. The commenter believes that in some
instances this could give a false impression as to the level of risk of
any provider or supplier, and that CMS has not clarified how this
action will assist the agency with fraud prevention.
Response: To the extent permitted by Federal law, we do not plan to
publish risk assessments and the corresponding screening level of
individual providers or suppliers.
Comment: A commenter urged CMS to provide contractors with
sufficient and targeted resources to handle identity theft screening to
ensure that the additional screening precipitated by identity theft
will not delay processing of new enrollment applications.
Response: As mentioned throughout this rule, we do not plan to use
fingerprint-based criminal history record checks to address identity
theft concerns. Identity theft is within the purview of law enforcement
and we will make referrals to our law enforcement partners whenever
appropriate.
Comment: A commenter requested clarification as to whether a
revalidating provider would need to resubmit fingerprints with its
application. The commenter believes this would be burdensome, costly,
and unnecessary, since fingerprints do not change.
Response: If an individual has provided fingerprints on one
occasion, we will not ask such individual to furnish fingerprints a
second time unless required by FBI protocols.
Comment: A commenter disagreed that in all cases publicly traded
entities pose a ``limited'' risk while all HHA companies that are not
publicly traded pose a ``moderate'' risk to the program. The commenter
supported the ``high'' risk assignment for those new to the program,
but stated that the proposed rule does not consider that companies that
have operated successful and compliant HHAs for years would fall into
the high screening level if they were to open a new location or branch
simply based on the arbitrary assignment of the screening level.
Response: As stated earlier, we believe that newly enrolling HHA
locations (for which a CMS-855 is submitted) should be subject to the
enhanced scrutiny of the high risk screening level. Further, as stated
earlier, we have eliminated the distinction between publicly traded and
non-publicly traded companies.
Comment: A commenter urged CMS to expand the definition of limited
risk to include entities that file with the Securities and Exchange
Commission (SEC), even though they do not have securities traded on the
NYSE or NASDAQ. By reason of their debt obligations, such entities are
subject to the same disclosure and reporting requirements under Federal
securities laws as a company that is subject to section 13 or 15(d) of
the Securities Exchange Act of 1934, as amended (the ``Exchange Act'').
Response: As stated earlier, we have eliminated the distinction
between publicly traded and non-publicly traded companies, and the
comment is no longer applicable.
Comment: A commenter stated that adjusting HHAs from the
``limited'' or ``moderate'' screening level to ``high'' risk simply
because they reside in an area for which CMS imposes a moratorium is
arbitrary and punishes good HHAs with no consideration of their
compliant service to the Medicare beneficiaries and the program.
Response: As explained elsewhere in this section and also later in
the general discussion regarding moratoria, a moratorium may be imposed
if there is a heightened risk of fraud, waste, or abuse in a particular
area or involving a certain provider or supplier category. If a
particular provider or supplier type posed such a risk as to warrant a
moratorium, it would be inappropriate for us to automatically exempt it
from enhanced screening once the moratorium ends. To do so would, in
effect, require us to state that once the moratorium ends, that
provider or supplier type no longer poses a risk, a conclusion that we
could not necessarily draw.
Comment: A commenter stated that the assignment of risk should be
based on defined criteria beyond those proposed, such as compliance
history related to billings, medial review, and history of negative
audits from the program safeguard contractors. The commenter added that
defined criteria should also be used to identify when providers are
moved to different screening levels. For instance, brand new HHAs with
no previous enrollment history should be part of the high screening
level; however, upon 5 years of compliant operation, they should be
moved to the moderate screening level. If a company with a 5 year
compliance history opens a HHA, it should not be assigned to the high
screening level; instead, it should be assigned to the moderate
screening level based on its good history with Medicare. Agencies that
have a 7 year or more compliance history should be assigned the limited
screening level.
Response: Though we do not at this point believe that length of
time as a Medicare provider should be a criterion for reducing a
provider's or supplier's screening level, we may consider this as part
of a future rulemaking effort should circumstances warrant.
Comment: A commenter believes that the phrase ``Indian Health
Service facilities'' should be deleted in favor of ``health programs
operated by an Indian Health Program (as that term is defined in
section 4(12) of the Indian Health Care Improvement Act) or an urban
Indian organization (as that term is defined in section 4(29) of the
Indian Health Care Improvement Act) that receives funding from the
Indian Health Service pursuant to Title V of the Indian Health Care
Improvement Act.'' Such language would encompass all Indian and tribal
programs that are carried out pursuant to the Indian Health Care
Improvement Act (IHCIA) and Indian Self-Determination and Education
Assistance Act (ISDEAA). Moreover, to

[[Page 5888]]

ensure that all Indian and tribal health programs are treated as
limited risk, the exception in (b)(1) and (c)(1) should be amended to
refer to Indian and tribal health programs. The commenter stated that
the burden on Indian and tribal providers of meeting new screening
requirements would be significant and duplicative of screening
requirements imposed already under the Indian Child Protection and
Family Violence Act on many of the providers.
Response: We will revise the language in the final regulation as
requested by the commenter to ensure that Indian and tribal health
programs are described accurately and are assigned to the limited
screening level.
Comment: A commenter stated that CMS should designate provider
screening levels in the final rule with comment period, and should
require changes in the risk level for a provider type to be subject to
the rulemaking process.
Response: We have specified the different screening levels in this
final rule with comment period. Should a change in a particular
provider or supplier type's classification be warranted and should it
necessitate a change in existing regulatory language, we will publish
notice of it in the Federal Register. However, we will not publish
notice of the circumstances under which an individual provider or
supplier has been moved to an elevated level of screening as described
in Sec. 424.518(c) and Sec. 455.450(e).
Comment: A commenter stated that ophthalmologists, optometrists,
and opticians who only bill as DMEPOS suppliers for post-cataract
glasses and lenses should fall into the limited screening level.
Response: As detailed previously, currently enrolled DMEPOS
suppliers will be placed in the moderate level of categorical screening
and newly-enrolling DMEPOS suppliers will be assigned to the high level
of screening.
Comment: A commenter opposed CMS' proposal to consider assigning
all providers or suppliers in a specific geographic location to a
higher level of screening, solely because others in that area may be
considered moderate or high risk. The commenter believes this type of
action was arbitrary, and could cause new, limited risk providers to
think twice before entering a geographic market, thus potentially
blocking beneficiary access to needed services.
Response: We did not assign any provider or supplier category to a
screening level based on geography.
Comment: A commenter did not believe independent laboratories
should be placed in the moderate screening level, due to their high
level of regulation. The commenter stated that the sheer volume has no
bearing on risk and that they are already subject to regular site
visits.
Response: We disagree. Based on our experience, we believe that
independent laboratories are appropriately assigned to the moderate
screening level. We note that newly-enrolling DMEPOS suppliers are,
too, subject to site visits, yet they are assigned the high screening
level.
Comment: A commenter stated that all physicians should not be
placed in the limited screening level. Several specialties are
increasingly engaging in abusive self-referral arrangements.
Response: For the reasons stated previously, we believe that
physicians and non-physician practitioners are appropriately classified
in the limited screening level. Moreover, we note that the final rule
with comment period contains provisions for elevating a particular
physician's or practitioner's screening level in certain circumstances.
Comment: One commenter disagreed that geographical circumstances
should justify the adjustment of FQHC providers and suppliers to
elevated screening levels based upon this criterion alone. The
commenter stated that FQHC entities are in an entirely different
classification and should not be subject to the same categorical
movement.
Response: We assume this commenter is concerned about our ability
to reassign providers or suppliers after a temporary moratorium is
lifted such that FQHCs could be classified as high risk in the event
they are located in an area in which a temporary moratorium is lifted.
We intend to finalize the elevated risk factors. We believe it
important to closely monitor all providers and suppliers in the event a
temporary moratorium is imposed--and for a period thereafter. We note
that this would only apply to providers and suppliers to which the
moratorium applied. Unless the moratorium that was lifted had applied
to either all providers and suppliers in a geographic area or to a
category of providers or suppliers that included FQHCs or to FQHC
specifically, the elevation to the high screening level would not apply
to FQHCs or any other provider or supplier category not originally
subject to the moratorium.
Comment: A commenter: (1) Expressed concern about potential
application delays if the Medicare contractors have insufficient funds
to conduct these visits; (2) requested assurances from CMS that
adequate funds will exist; and (3) recommended that CMS provide
guidance to the Medicare contractors on the timeframes within which
enrollment inspections shall occur.
Response: We believe that adequate funds will exist to perform the
required site visits, and we will issue guidance to our contractors
regarding processing times.
Comment: A commenter expressed concern that tax-exempt, faith-based
HHAs will be subject to a higher level of scrutiny than publicly traded
for-profit HHAs. The commenter believes that such faith-based HHAs
should be placed in the limited screening category.
Response: We have eliminated the distinction between publicly
traded and non-publicly traded HHAs. We decline to adopt the
commenter's suggestion to assign faith-based HHAs in the limited level
of screening as it has not been our experience that faith-based HHAs
present a different risk of fraud and abuse than non-faith-based HHAs.
Comment: A commenter stated that the inclusion of CMHCs in the
``moderate'' risk group seems appropriate given the history of fraud in
``for profit'' CMHCs. The commenter believes, however, that in the
future, ``not for profit'' CMHCs be considered for status as a
``limited'' screening level.
Response: We decline to adopt the commenter's suggestion, as it has
not been our experience that non-profit CMHCs pose a different risk
than for-profit CMHCs. We will monitor CMHCs and other provider and
supplier types after this final rule with comment period is implemented
and, if need be, make adjustments to various risk classifications.
Comment: A commenter stated that the fingerprint requirement is
problematic. The FD-258 fingerprint card could be fairly easy to obtain
and complete without the involvement of government officials or by
manipulating the form before forwarding it to the concerned government
representative which could lead to fraudulent data being accepted by
CMS contactors. In order to ensure the validity and acceptability of
fingerprint data, the commenter stated that a clear chain of custody
will be required for the FD-258 cards, providing for uninterrupted and
secure forwarding of the completed cards from an originating law
enforcement office to the CMS contractor. The commenter believes that
consultation with the FBI and other expert agencies on this subject
could prove valuable.
Response: CMS has consulted and will continue to consult with the
FBI regarding the use of the FD-258 card. As noted previously, CMS has
found that in addition to a longer processing time for

[[Page 5889]]

the FD-258, there is a higher cost to CMS for the processing of such
cards. However, individuals who have their prints collected by a local
law enforcement agency must use the FD-258 card and submit it to CMS'
authorized channeler. The authorized channeler will digitize such FD-
258 cards obtained at a local law enforcement agency for submission to
the FBI. The chain of custody will conform to the FBI Security and
Management Control Outsourcing Standard for Channelers and Non-
Channelers and the FBI's Criminal Justice Information Services (CJIS)
Division's Security Policy.
Comment: A commenter recommended that the proposed screening
procedures be applied across the board for all providers and suppliers
in or being introduced into any aspect of the Medicare, Medicaid or
CHIP system.
Response: We disagree with this comment. Different categories of
providers and suppliers pose different risks that must be addressed in
distinct ways.
Comment: A commenter recommended that when determining whether to
adjust an individual DMEPOS supplier's screening level, CMS should
consider the supplier's: (1) Experience in furnishing services; (2)
experience in the geographic area; (3) accreditation status and
compliance with quality standards; and (4) compliance program, as well
as any past fraudulent activity by the supplier or its employees and
the category of DMEPOS it furnishes.
Response: We decline to adopt this approach. First, we believe that
this could be subject to inherently arbitrary implementation. Second,
as has been described previously, we believe the ACA requires us to
assign categories of providers and suppliers to a level of screening
based on the risk for fraud. The criteria the commenter proposes would
necessitate a level of pre-screening that is not feasible for every
applicant CMS must process.
Comment: A commenter stated that providers and suppliers should be
individually notified of the screening level into which they will be
placed and the reasons for such designation. The categorizations should
not be made public because that could easily lead to irreparable damage
to reputations and the companies' business.
Response: The publication of this final rule with comment period
serves as notification to suppliers and providers of the assignment of
their category to a particular screening level. The only new screening
requirement that requires action on the part of a provider or supplier
is the fingerprint-based criminal history record check. As stated,
there will be an additional 60 day period after the publication of
subregulatory guidance prior to its implementation for DMEPOS and HHAs.
In instances where an individual provider or supplier has been
reassigned to a higher level of scrutiny under Sec. 424.518(c)(3), we
anticipate that each provider or supplier will be individually notified
of its newly assigned screening level prior to revalidation. This
process will be clarified in the subregulatory guidance that CMS will
issue as described in this final rule with comment period. Moreover, to
the extent permitted by Federal law, we do not intend to make public a
particular provider or supplier's screening level assignment.
Comment: A commenter requested that CMS expand the limited
screening level defined in the proposed regulation to include the term
``non-physician practitioner.'' This term is frequently used to
describe nurse practitioners, clinical nurse specialists, and
physicians' assistants.
Response: This regulation uses the term ``non-physician
practitioner'' in describing categories of providers assigned to a
level of screening. See Sec. 424.518(a)(1)(i).
Comment: A commenter recommended that, to the extent allowed under
law, CMS disclose limited information about the risk model so as to
avoid reverse-engineering by individuals intent on defrauding the
Medicare program.
Response: We appreciate this comment, but believe it is important
that the provider and supplier communities be made aware of what will
be required as part of the enrollment process.
Comment: A commenter recommended that reimbursement be provided for
the cost of the background check and fingerprint card. With budget cuts
and regulatory mandates, providers are struggling to meet the
increasing costs of delivering health care services in an environment
with decreasing resources. Another commenter suggested, however, that
fingerprinting be done at the cost of the provider prior to the
Medicare contractor receiving the enrollment application.
Response: A fingerprint-based criminal history record check is part
of the Medicare enrollment screening process for specified applicants.
The cost of the having the fingerprints taken and supplying the
fingerprints to the authorized channeler, whether electronic or on the
card, will be borne by the provider or supplier. There will be no cost
to the provider or supplier for the subsequent processing of the prints
or the background check, as CMS will pay for the processing of the
prints and the criminal history record check.
Comment: A commenter recommended that providers be able to have
their fingerprints electronically scanned with a vendor contracting
with the Federal government.
Response: Shortly after the publication of this final rule with
comment period, we will be issuing guidance to the provider and
supplier communities regarding the processes for obtaining
fingerprints. We anticipate that CMS will contract with an FBI-approved
authorized channeler for the collection and transmission of
fingerprints. It is our understanding that such authorized channelers
use electronic technology to collect and process fingerprints. We will
provide more information regarding available technologies and vendors
prior to the implementation of this requirement, as announced 60 days
prior to the effective date through the publication of subregulatory
guidance.
Comment: A commenter stated that CMS needs to ensure that
information used in the classification of suppliers is correct and
appropriate. Thus, CMS should require that only final agency actions be
used as a basis for assigning suppliers. Decisions overturned on appeal
should have no bearing or effect on the supplier's screening level.
Response: We do not believe it is appropriate to wait until a
particular action is final before shifting a provider into a different
screening level. The appeals process can take an extended period,
during which a provider intent on defrauding the Medicare program could
have more time to do so if permitted to remain in a lower screening
level. As already mentioned, should a particular action be rescinded,
the provider will be restored to its previous screening level.
Comment: A commenter stated that pharmacies licensed by the State--
whether newly enrolling or as part of an additional location--should be
specified as limited risk providers.
Response: As we mentioned earlier, State licensure is not
automatically indicative of the screening level that should be ascribed
to a category of provider or supplier.
Comment: A commenter questioned whether hospice organizations are
correctly included within the moderate screening level and should
instead be included in the limited screening level. The commenter did
not believe that sufficient data exists to justify placing

[[Page 5890]]

hospices in the moderate screening level.
Response: For the reasons we explained, we believe that hospices
are most appropriately as assigned to the moderate screening level.
Comment: A commenter stated that if an enrollment moratorium were
placed on a particular geographic area and then lifted, the Medicare
contractor would be required to conduct background checks and
fingerprints on all physicians in that area. The commenter urged CMS to
reconsider the burdens and costs of doing so for large groups of
providers. The delays in processing these applications would deter
physicians from enrolling and revalidating their enrollments. The
commenter also stated that CMS should limit those physicians placed in
the highest level of screening to individuals previously found guilty
of crimes against Medicare or where there is publicly available
evidence to justify such intrusions.
Response: The situation described in the commenter's first sentence
would only apply in the unlikely event that physicians in that area
were subject to a moratorium. As stated earlier, CMS does not believe
that the collection of the fingerprints for the FBI fingerprint-based
criminal history record check will substantially impact the time to
process an enrollment application by the relevant Medicare contractor.
If, as will most likely be the case with any temporary enrollment
moratorium, the moratorium only applies to non-physician provider or
supplier types, physicians would not be affected by the lifting of the
moratorium. We believe we have clarified this point in the final rule
with comment period.
Comment: Regarding fingerprinting and background checks, a
commenter requested clarification regarding: (1) How the information
will be stored and whether it will be destroyed after a period of time;
(2) how the information will be used; (3) what constitutes background
information that rises to the level of a threat to Medicare; (4)
whether the physician or non-physician practitioner be afforded a copy
of the results; (5) the policies that will ensure that the information
is protected and secure and, in the event of a security lapse, whether
the practitioner will be notified; (6) who will be conducting the
background checks; (7) whether the information will be added to State
or Federal databases for other purposes; and (8) whether practitioners
will know prior to or at the time of application submission that they
will be subject to these additional requirements.
Response: We have clarified in this final rule with comment period
that the fingerprint requirement will be used in the context of
obtaining FBI criminal history record information. This information
will be stored according to all Federal requirements as well as the
FBI's Security and Management Control Outsourcing Standard for
Channelers and Non-Channelers and the CJIS Security Policy. CMS will
rely on existing authority to deny and revoke enrollment at Sec.
424.530(a) and Sec. 424.535(a) if an individual who maintains a 5
percent or greater direct or indirect ownership interest in a provider
or supplier has certain prior felony convictions, or if an enrollment
application contains false or misleading information. The FBI will send
the results of the criminal history record check only to the authorized
channeler, who will be permitted to send the results only to the
authorized recipient, or an FBI approved outsourced third party. In the
event of loss of the criminal history record reports, CMS will follow
the established protocol for communicating with the public and
individuals regarding the loss of personally identifiable information.
The criminal history record information is compiled when the FBI
receives the fingerprint and links it to an existing record(s) of
arrest and prosecution in State and FBI databases. Individuals or
entities do not conduct criminal background checks. CMS, through an
authorized channeler, will be accessing existing law enforcement data
on fingerprinted individuals as required by this final rule with
comment period. CMS will inform all relevant individuals of their
requirement to submit fingerprints for the purposes of an FBI criminal
history check as a condition of enrollment. While we are finalizing
this screening method, we do not plan to implement this provision upon
the effective date. Instead, we will be issuing additional guidance to
providers, suppliers, the general public, and our contractors after the
publication of this final rule with comment period to explain the
operational aspects of the fingerprint-based criminal history record
check requirement. As stated previously, we will delay implementation
until 60 days after the publication of subregulatory guidance.
Comment: A commenter asked who will pay the fee for the
fingerprinting and, if the physician or practitioner must pay it,
whether he or she will be reimbursed, given the restrictions on
application fees for certain non-institutional providers.
Response: The relevant individuals who are required to undergo the
criminal history record check will incur the cost of having their
fingerprints taken. Providers and suppliers will not be reimbursed by
Medicare, Medicaid or CHIP for the fingerprint collection costs. CMS
will bear the cost of processing the fingerprint-based criminal history
record check for providers and suppliers that enroll in Medicare. For
Medicaid-only and CHIP-only providers, the States and Federal
government will share these costs.
Comment: A commenter stated that fingerprinting is generally
limited to certain hours of the day. Due to the demands of physicians'
schedules, the commenter asked how CMS will ensure the availability of
fingerprinting for those physicians placed in the high screening level.
Response: Physicians who are enrolled in Medicare as practicing
physicians will generally not be subject to fingerprinting.
Fingerprint-based criminal history record checks will only be required
in the case of providers or suppliers that are assigned to the high
screening level. Physicians are generally assigned to the limited
screening level.
Comment: A commenter urged CMS to ensure that fingerprinting and
background checks do not delay the enrollment of legitimate and honest
physicians.
Response: Physicians are generally assigned to the limited
screening level and, as such, will not be subject to fingerprinting
based on their enrollment as a physician. Physicians who choose to
enroll as DMEPOS suppliers or HHAs will be required to undergo a
fingerprint-based criminal history record check as a requirement of the
high screening level but, as stated previously, CMS does not believe
this requirement will significantly delay the enrollment of any
provider or supplier.
Comment: A commenter stated that hospital-owned HHAs and hospices
should be designated as limited risk and, therefore, should not be
subject to unannounced and unscheduled pre-enrollment and/or post-
enrollment onsite visits.
Response: For the reasons already discussed, newly enrolling HHAs
will be placed in the high screening level, regardless of ownership.
Comment: Several commenters stated that implementing the new
screening procedures by March 23, 2011 is not feasible due to the
coordination efforts required between Medicare and Medicaid. They
recommended that the implementation date be moved to March 23, 2012.
Response: We disagree, and believe that all screening procedures
except the fingerprint-based criminal history record check required for
those in the high level of screening will be in place

[[Page 5891]]

beginning on March 25, 2011. As noted previously, we will delay
implementation of such high screening level until 60 days after the
publication of subregulatory guidance on how this provision will be
implemented. Further, we believe the statute requires the
implementation dates that we have specified.
Comment: A commenter recommended that CMS reconsider the risks
associated with allowing existing enrollees to be exempted from the new
screening procedures until March 23, 2012. The commenter believes this
creates a potential gap in program integrity.
Response: The ACA specifies the effective dates for the new
screening provisions. For newly enrolling providers and suppliers, and
for those currently enrolled whose revalidation is scheduled between
March 25, 2011 and March 23, 2012, the effective date is March 23, 2011
or the date scheduled for the revalidation. For providers and suppliers
assigned to the high screening level, the fingerprint-based criminal
history record check requirement will be implemented through
subregulatory guidance and will be effective 60 days following the
publication of the guidance. All other screening requirements are
effective on March 25, 2011 for those in the high screening level. For
all other currently enrolled providers and suppliers, the statute
established an effective date of March 23, 2012.
Comment: A commenter recommended simplifying the screening process
such that all enrolling providers and suppliers are put into the
moderate level, and then adjust screening interventions based on
specific circumstances related to elevated risk of fraud.
Response: We decline to base the assignment of provider and
supplier types to a level of screening on the assumption that every
provider or supplier is of equal risk upon enrollment into the
Medicare. We see clear differences in risk among categories of
providers and suppliers. Therefore, we do not plan to assign all
provider and supplier categories to the same screening level. In
response to the suggestion that we adjust screening interventions based
on specific circumstances, we believe this process is both unwieldy and
burdensome to implement for every provider as the baseline screening
methods. Although we have identified certain events that will cause a
provider to move from ``limited'' or ``moderate'' to ``high''
screening, we do not believe we should conduct individual assessments.
As stated previously, CMS will assess an individual provider's risk and
potential actions based on the individual provider's enrollment
application and may continue to use existing program integrity tools
that are not addressed by this rule. We believe this approach is the
most objective approach and is consistent with the ACA.
Comment: A commenter requested clarification on how States will be
notified of providers' risk classifications and any changes thereto.
Response: We will disseminate guidance to the States on this topic
shortly after the publication of this final rule with comment period.
Comment: A commenter recommended that CMS explain whether it is
replacing or removing the current revalidation basis in Sec.
424.535(a)(6) with the proposed new Sec. 424.535(a)(6).
Response: We are neither replacing nor removing the current
revalidation basis. We simply proposed an additional reason at Sec.
424.535(a)(6)(i) for the revocation of Medicare billing privileges.
Specifically, we proposed that billing privileges may be revoked if
``An institutional provider does not submit an application fee or
hardship exception request that meets the requirements set forth in
Sec. 424.514 with the Medicare revalidation application,'' or the
hardship exception is not granted. We will renumber the subsections in
Sec. 424.535(a) accordingly.
The commenter refers to the current revalidation basis but cites to
the revocation regulation. To clarify, as stated previously, the
proposed rule proposed to require that a provider or supplier
revalidate its enrollment at any time pursuant to Sec. 424.515. This
new authority to permit off-cycle revalidations does not replace the
current cycle for revalidation (3 years for DMEPOS and 5 years for all
other providers).
Comment: To reduce the paperwork burden imposed on providers and
suppliers and to reduce the administrative expense associated with
processing a revalidation application, several commenters recommend
that CMS allow providers and suppliers in good standing to submit an
annual attestation, rather than a full revalidation application. The
attestation, in other words, would be used in lieu of revalidation, and
would require the provider or supplier to notify CMS of any changes or
to attest that there were no changes within the prior year. This
approach would promote compliance without requiring the provider or
supplier to submit a full revalidation application and a fee.
Response: The burden associated with submitting Medicare enrollment
applications A, B, I, R and CMS-855S is currently approved under Office
of Management and Budget (OMB) control numbers 0938-0685 and 0938-1057,
respectively. Such an attestation, as proposed by the commenter, would
not fulfill the screening requirements of this final rule with comment
period, as re-screening is a condition of revalidation. The screening
requirement and associated application fee are required by the ACA to
minimize the risk of fraud, waste and abuse to the Medicare, Medicaid
programs and CHIP, and cannot be circumvented by a process that would
limit the scope of such screenings.
Comment: One commenter stated that CMS did not furnish sufficient
justification or rationale for its proposal in Sec. 424.515 that CMS
may require a provider or supplier to revalidate its enrollment at any
time. The commenter added that the proposed revision seems punitive and
overly broad because CMS does not furnish ample discussion for the
public to fully evaluate the proposal. The commenter recommended that
CMS remove its proposal because CMS did not: (1) Justify its reasons
for establishing this new authority, (2) describe its existing
authorities and how this proposal is different, and (3) explain or
justify the number of times that CMS can require revalidation within a
given period of time.
Response: We proposed at Sec. 424.515 that we have the ability to
require that a provider or supplier revalidate its enrollment at any
time, and stated that this proposal was designed to help ensure that
the statutory effective date of March 23, 2013 is met. We fully intend
to implement the new authorities provided by the ACA by the deadlines
that have been set out by the Congress.
We stated in the proposed rule that DMEPOS suppliers are required
to re-enroll every 3 years, and other providers and suppliers are
required to revalidate their enrollment every 5 years. For purposes of
clarity, we also proposed language at Sec. 424.57(e) that changes all
references to ``re-enroll'' or ``re-enrollment'' to ``revalidate'' or
``revalidation.'' We have existing authority at Sec. 424.515(d) to
require off-cycle validations in addition to the regular 5 year
revalidations and may request that a provider or supplier recertify the
accuracy of the enrollment information when warranted to assess and
confirm the validity of the enrollment information maintained by us.
Such off-cycle revalidations may be triggered as a result of random
checks, information indicating local health care

[[Page 5892]]

fraud problems, national initiatives, complaints, or other reasons that
cause us to question the compliance of the provider or supplier with
Medicare enrollment requirements. Off cycle revalidations may be
accompanied by site visits. The new authority to conduct off-cycle
validations of providers and suppliers will enable us to apply the new
screening requirements to all currently enrolled providers and
suppliers by the statutory effective date.
The proposed rule stated that once a provider has been subject to
an off-cycle validation under Sec. 424.515(e), the current cycle for
revalidation would apply. This means that if a provider subject to the
5-year revalidation cycle had to revalidate in 2013, the provider or
supplier would next have to revalidate in 2018. However, a provider or
supplier may be required to revalidate under Sec. 424.515(d) during
that time period if there are indicators of the noncompliance for a
particular provider.
Comment: A commenter stated that CMS currently requires contractors
to review State licensing board data on a monthly basis. As such, it
would be more efficient to access a centralized, federated database to
provide CMS with the most comprehensive data on physician licensure
status.
Response: As previously mentioned, we are currently in the process
of re-assessing the provider enrollment process and systems that are
used to support screening and enrollment. We are exploring a number of
options to take advantage of technological advances to improve the
provider screening process. Increased automation of the process is one
of the areas on which we are focusing.
Comment: A commenter stated that, given the ongoing Medicare
backlogs, CMS should provide information regarding: (1) The number of
revalidations started and completed by CMS or its contractors in 2007,
2008, 2009, and 2010, (2) how an estimated 93,000 revalidations per
year beginning in 2010 will impact the processing of new applications
by providers and suppliers, and (3) the amount of money obligated on
provider screening activities for each fiscal year between 2005 and
2010, and (4) how much money CMS expects to obligate for these
activities in 2011. Another commenter recommended that CMS furnish the
number of revalidation applications processed by the National Supplier
Clearinghouse, MACs, carriers, and fiscal intermediaries for each of
the last 5 years.
Response: This final rule with comment period specifically
increases the number of providers and suppliers that will be
revalidated through the use of off-cycle revalidations, for the
explicit purpose of applying the new screening requirements to
currently enrolled providers. Therefore, the number of revalidations
processed in the past 4 or 5 years and the money obligated to that
process is irrelevant to the evaluation of our ability to process
additional revalidations as required by this final rule with comment
period. Additionally, we have undertaken steps to streamline the
enrollment process, both for newly enrolling and revalidating providers
and suppliers. We recognize that there have been challenges in
implementing the new authorities to safeguard the integrity of
Medicare, Medicaid and CHIP, and have demonstrated a willingness to
work with providers and suppliers to reduce unnecessary burdens and
risks that may have accompanied the enrollment processes in the past.
We have communicated with providers via Medicare Learning Networks and
provider Open Door Forums, and will continue to do so throughout the
implementation of the ACA.
We believe that additional resources will be available to enable
the processing of the increased numbers of enrollment applications. We
have actively taken steps to reduce processing times as much as
feasible. Furthermore, we have undertaken many activities to streamline
the enrollment process to reduce the burden upon providers and
suppliers.
Comment: A commenter recommended that CMS employ an expanded data-
driven screening process by using open-source data during the
enrollment and re-enrollment business processes. Such data could
include the current operational status of the firm; chain of ownership
or corporate family linkages; identification of tax liens; presence of
open bankruptcies; and records of government enforcement actions. The
commenter also suggested that each provider and supplier be registered
for post-enrollment data monitoring, which ``pushes'' one or more high
risk updates (for example, bankruptcy filing; a criminal filing
involving a provider executive; or sudden increase in the risk of
financial failure) to CMS automatically. CMS could use such high risk
alerts for the selection and prioritization of unscheduled and
unannounced site visits. Finally, the commenter recommended additional
database checks that would vary by screening level. These included, but
were not limited to, verifying: (1) Corporate chain of ownership, (2)
tax liens, (3) non-HHS government enforcement actions, (4) extent of
any government contracting, and (5) any open lawsuits.
Response: As stated previously, we are continually exploring
additional improvements to our data systems. We are committed to
working with both private and public partners to continue to evaluate
technologies that can provide the scalability and safeguards to
beneficiary access that we need to ensure accurate payments to
legitimate providers for appropriate services.
Comment: A commenter urged CMS to release a proposal for comment
that provides additional detail regarding what CMS believes should
constitute background information relevant to Medicare provider
enrollment that would prevent a practitioner from enrolling in the
Medicare program.
Response: At some point it may be necessary to modify our existing
regulations that address felonies that are relevant to enrollment of
billing privileges. However, we have not yet proposed expansion of our
existing authorities codified in the Code of Federal Regulations. The
requirements for Medicare enrollment are established in other
regulations and manual instructions, and are not--unless otherwise
stated herein--being modified in this final rule with comment. The
criminal background check is intended to verify certain information
provided on the Medicare enrollment application. Under our existing
regulatory authority, we could impose a denial of enrollment or a
revocation of billing privileges based upon the results of the
background check in certain instances. Illustratively, if, through the
background check, CMS learned of a felony conviction that met the
criteria at Sec. 424.530(a)(3) or Sec. 424.535(a)(3), billing
privileges could be denied or revoked, respectively.
Comment: One commenter stated that in its FY 2011 performance
budget, we say that we will create a limited number of MACs to carry
out provider enrollment, and that each contractor would enroll
providers for designated regions of the country. Given the publication
of the proposed rule, the commenter recommended that we explain how
reducing the number of MACs and increasing the workload will help
providers and suppliers and reduce Medicare fraud, waste, and abuse in
the Medicare program. The commenter also requested that CMS furnish an
update on this consolidation effort. Another commenter asked CMS to
explain how it will consolidate provider enrollment activities, conduct
93,000 revalidations, and handle initial applications without
disrupting the provider enrollment

[[Page 5893]]

process and creating additional backlogs and processing delays for
providers of service and suppliers.
Response: We recognize that provider enrollment is a large and
complicated task that requires not only internal consistency but also
understanding and ease of interaction with the provider and supplier
community. As a result, we are currently engaged in a thorough
assessment of the provider enrollment process and in making
improvements as needed to eliminate delays in enrollment and improve
overall system performance. As part of this process, we are working
toward consolidation of the number of enrollment contractors as a means
to achieve economy of scale and greater consistency in the enrollment
process. In developing the provisions of this final rule with comment
period and other regulatory and subregulatory policies, we are mindful
of the overall re-assessment of the provider enrollment process and
supporting systems.
Comment: A commenter urged CMS to refine its provider enrollment
specialty categories to accurately reflect the existing varieties of
practitioners--particularly the categories for dentistry and the dental
specialties--in order to reduce the likelihood that practitioners such
as dentists will be inappropriately categorized and subject to
unwarranted higher levels of screening.
Response: We do not believe it is necessary to further refine the
provider enrollment specialty. Dentists should submit the CMS-855I if
they intend to submit claims directly to Medicare. Further, dentists
would be in the limited screening level.
Comment: A commenter stated that the proposed rule does little to
prevent: (1) Identity theft; (2) health care fraud; (3) money
laundering; and (4) bank fraud. The commenter believes that the
screening levels were too broad and simplistic. To prevent fraud and
abuse, the commenter recommended that CMS: (1) Implement section
6401(a)(3) of the ACA immediately; (2) consider and adopt distinct
screening criteria and program requirements for non-physician owners of
medical clinics and that these providers be placed into a high
screening level, and (3) use the statutory authority in section
6401(a)(3) of the ACA to make sure that the claims being submitted are
valid.
Response: We believe the commenter is referring to new section
1866(j)(3) of the Act, which addresses a provisional period of enhanced
oversight for new providers of services or suppliers. We will implement
all authorities granted under the ACA using the proper procedures. We
disagree with the commenter that the proposed rule and this final rule
with comment period will do little to prevent health care fraud, and
believe that issues of money laundering and bank fraud are beyond the
scope of this final rule with comment period. We strongly believe that
additional site visits, both announced and unannounced, will help to
identify fraudulent providers and suppliers before they are permitted
to enroll in Medicare, Medicaid or CHIP. The temporary moratoria and
payment suspension provisions give us the ability to act as soon as a
problem is detected, preventing money from being paid while balancing
the rights and needs of providers, suppliers, and beneficiaries.
Comment: One commenter stated that CMS's proposed ability to
reenroll DMEPOS suppliers more frequently than every three years could
be burdensome for CMS and the DMEPOS supplier, and suggested that CMS
revalidate every 3 years from the most recent revalidation, rather than
every 3 years from the date billing privileges were granted.
Response: As stated previously, the proposed rule and this final
rule with comment period permit us to require revalidation of DMEPOS
suppliers on or after March 23, 2012 to meet the statutory effective
date for the screening requirements; after that, DMEPOS suppliers would
then be subject to revalidation every 3 years. DMEPOS could be subject
to off-cycle revalidation under existing authority at Sec. 424.515(d)
when CMS has reason to question the compliance of the provider or
supplier with Medicare enrollment requirements.
Comment: One commenter stated that identity theft is a huge problem
in the United States and that Medicare, Medicaid and CHIP should do
everything possible to protect physicians' identities. The commenter
recommended that CMS provide data on the number of physicians and non-
physician practitioners who have practice locations in multiple
States--including States with connecting State boundaries and States
without connecting State boundaries. The commenter also suggested that
CMS explain what efforts, if any, are used to verify a physician that
is establishing a practice location in multiple States and that the
individual's identity is authenticated. Another commenter stated that
it is unclear how fingerprinting and background checks will achieve the
goal of preventing identity theft for physicians.
Response: We agree with the comment that Medicare, Medicaid and
CHIP should use all available authorities to protect physicians'
identities. However, as we have noted previously, we will not use this
screening regulation to identify instances of identity theft. We
disagree that the publication of the number of physicians and non-
physician practitioners who have practice locations in multiple States
will address the issue of identity theft. We also have a process in
place to verify a physician is legitimately establishing practice
locations in multiple States, and have found there are multiple
legitimate reasons why this may be the case.
We believe that criminal history record checks will enable us to
verify information that has been submitted on an enrollment application
is accurate and complete. As stated previously, using fingerprints to
perform such a record check is the only accepted method by the FBI for
non-criminal justice purposes, as it is believed to be the most
accurate link between an individual and their criminal history record.
Comment: A commenter stated that in the proposed rule, CMS does not
justify or explain the rationale for many of its positions, such as:
(1) Placing providers and suppliers into various screening categories,
and (2) its rationale for creating a new revalidation reason (see Sec.
424.515(e)). The commenter recommended that CMS not finalize this
proposed rule, but rather publish a new proposed rule using the
information from this rule.
Response: We disagree that the proposed rule did not explain our
rationale for our approaches. As mentioned earlier, we relied on our
extensive experience to identify categories of providers with a higher
incidence of fraud, waste and abuse. In addition, we used the expertise
of our contractors charged with identifying and investigating instances
of fraudulent billing practices in making our decisions regarding the
appropriate risk classification of various providers. In some
instances, we also relied on the data analysis and expertise of the
OIG, GAO, and other sources to develop a process designed to increase
scrutiny for specific categories of providers and suppliers that
represent a higher risk to the Medicare program. Furthermore, we stated
the new reason for off-cycle validation is to enable us to apply the
new screening requirements to all applicable providers and suppliers by
the statutory effective date of March 23, 2013.
Comment: In response to a request for comments, a commenter stated
that harmonization between Medicare, Medicaid, and MA would be
beneficial

[[Page 5894]]

only to the extent that the programs have enrollment and re-validation
reciprocity and that adequate resources and time were allocated to
ensure that harmonization does not wreak havoc among state Medicaid
programs and MA plans. Reciprocity would ensure that physicians are not
subject numerous times to the same or similar onerous requirements;
this would also represent significant savings for Federal health care
programs.
Response: We agree that harmonization between program requirements
will be beneficial for State Medicaid agencies, providers, and CMS.
This final rule with comment period implements several changes that
minimize the burden on States and providers, including the reciprocity
of Medicare screening for dually enrolled providers and State
responsibility to screen only Medicaid and CHIP-only providers.
Comment: A commenter requested special consideration and/or
exemptions for States with comprehensive licensure statutes for
orthotists and prosthetists.
Response: We do not agree that licensed orthotists and prosthetists
should receive special consideration or exemptions as compared to
orthotists and prosthetists that happen to be located in a State
without what could be deemed `non-comprehensive' licensure statutes.
CMS did not make a distinction based on licensure requirements for any
other category of provider.
Comment: A commenter opposed the proposed language at Sec.
424.515(e) allowing CMS to require additional off-cycle revalidations,
stating it could allow CMS to initiate revalidations frequently and on
a whim. At a minimum, off-cycle revalidations should be exempt from the
$500 application fee.
Response: We disagree with this comment. Section 424.515(e) was
added for a specific purpose and we could not require a provider or
supplier to revalidate off-cycle pursuant to Sec. 424.515(e) more than
once. The application fee was included in the statute to cover exactly
the type of screenings that will be performed during the revalidations,
and we do not believe it is appropriate or necessary to exempt the
revalidations from the fee.
Comment: A commenter suggested that CMS tie an enrollment ban to
those who are trying to enroll in the Medicare program and not just for
those who are already enrolled. That way, fraudulent providers would
never be allowed to enter the program.
Response: We believe the commenter is referring to an enrollment
bar for providers and suppliers whose applications are denied, similar
to that which is currently in place for providers and suppliers whose
Medicare billing privileges are revoked. We appreciate this suggestion.
We are currently not in a position to adopt it, as additional research
is needed to determine its potential effectiveness and the various
circumstances under which it might apply. That said, we may consider it
as part of a future rulemaking effort.
c. Final Screening Provision--Medicare
This final rule with comment period finalizes the provisions of
proposed rule in regards to the Medicare screening requirements with
the following modifications:
In Sec. 424.518(a)(1), we are adding Competitive
Acquisition Program/Part B Vendors to the limited risk screening level.
In Sec. 424.518(a)(1), we are adding pharmacies that are
newly enrolling or revalidating via the CMS-855B to the ``limited''
level of screening.
In Sec. 424.518(a)(1), in response to comments, we have
changed the description for Indian health service providers to state,
``health programs operated by an Indian Health Program (as defined in
section 4(12) of the Indian Health Care Improvement Act) or an urban
Indian organization (as defined in section 4(29) of the Indian Health
Care Improvement Act) that receives funding from the Indian Health
Service pursuant to Title V of the Indian Health Care Improvement Act,
hereinafter (IHS facilities).''
In 424.518(a)(2), we are clarifying that occupational
therapy and speech pathology providers are assigned to the limited
screening level.
In 424.518(a)(1), we are removing physical therapists and
physical therapist groups from the category of non-physician
practitioners that are within the limited screening level.
In 424.518(a)(1), we are removing non-public, non-
government owned or affiliated ambulance suppliers from the limited
screening level.
In Sec. 424.518(a)(2), we are adding portable x-ray
suppliers to the moderate screening level.
In 424.518(a)(2), we are adding physical therapists and
physical therapist groups to the moderate screening level.
In 424.518(a)(2), we are assigning all ambulance suppliers
to the moderate screening level, regardless of whether they are public
or government affiliated.
In Sec. 424.518(a)(1), we are adding pharmacies that are
newly enrolling or revalidating via the CMS-855B to the limited
screening level.
In Sec. 424.518, we also eliminated the distinction
between: (1) Publicly traded and non-publicly traded, and (2) publicly
owned and non-publicly owned as criteria for assignment of any provider
type to a level of screening.
In Sec. 424.518(c)(2)(ii)(A), we have removed the
requirement that fingerprints must be submitted using the FD-258
fingerprint card. Also, the fingerprints must be collected from all
individuals who maintain a 5 percent or greater direct or indirect
ownership interest in the provider or supplier.
In Sec. 424.518(c)(2)(ii)(B), we have replaced ``conducts
a criminal background check'' with ``Conducts a fingerprint-based
criminal history report check of the Federal Bureau of Investigations
Integrated Automated Fingerprint Identification System on all
individuals who maintain a 5 percent or greater direct or indirect
ownership interest in the provider or supplier.''
In Sec. 424.518(d), we have identified owners with a 5
percent or greater direct or indirect ownership as responsible for
providing fingerprints, and the methodology of how to submit the
fingerprints.
Sec. 424.518(c)(3), we have added ``final adverse
action'' as a basis for reassigning a provider or supplier to the high
screening level at Sec. 424.518(c)(3)(iii)(B).
In Sec. 424.518(c)(3), we have added six months as the
length of time a provider or supplier category will be assigned to the
high screening level following the lifting of a temporary enrollment
moratorium.
Finally, in Sec. 424.518(c)(3), we have removed denial of
Medicare billing privileges in the previous ten years as a basis for
reassigning a provider or supplier to the high screening level at Sec.
424.518(c)(3)(iii)(B).
As we have stressed throughout this preamble, we will monitor these
new procedures and their effectiveness and may reconsider or modify our
approach in the future as we gain experience with these procedures. We
further reiterate that nothing in this rule is intended to abridge our
established screening authority under existing statutes and
regulations, or to diminish the screening that providers and suppliers
currently undergo. The provisions specified in this final rule with
comment period are intended to enhance--not replace--our existing
authority. The screening laid out here reflects the minimum
requirements. For example, a contractor may undertake database checks
in addition to the ones listed below as deemed appropriate. Nothing in
this rule should be interpreted as limiting the amount of scrutiny CMS
or its

[[Page 5895]]

contractors may give to an applicant. Tables 5 through 8 below outline
the levels of screening by category that we are finalizing.

Table 5--Final Level of Required Screening for Medicare Physicians, Non-Physician Practitioners, Providers, and
Suppliers
----------------------------------------------------------------------------------------------------------------
Type of screening required Limited Moderate High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier[dash]specific X X X
requirements established by Medicare........................
Conduct license verifications, (may include licensure checks X X X
across States)..............................................
Database Checks (to verify Social Security Number (SSN); the X X X
National Provider Identifier (NPI); the National
Practitioner Data Bank (NPDB) licensure; an OIG exclusion;
taxpayer identification number; death of individual
practitioner, owner, authorized official, delegated
official, or supervising physician..........................
Unscheduled or Unannounced Site Visits....................... ............... X X
Fingerprint[dash]Based Criminal History Record Check of law ............... ............... X
enforcement repositories....................................
----------------------------------------------------------------------------------------------------------------

Table 6--Final Medicare Providers and Suppliers Categories Designated to
the ``Limited'' Level for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Physician or non[dash]physician practitioners and medical groups or
clinics, with the exception of physical therapists and physical
therapist groups.
Ambulatory surgical centers, competitive acquisition program/Part B
vendors, end[dash]stage renal disease facilities, Federally qualified
health centers, histocompatibility laboratories, hospitals, including
critical access hospitals, Indian Health Service facilities,
mammography screening centers, mass immunization roster billers, organ
procurement organizations, pharmacies newly enrolling or revalidating
via the CMS[dash]855B, radiation therapy centers, religious
non[dash]medical health care institutions, rural health clinics, and
skilled nursing facilities.
------------------------------------------------------------------------

Table 7--Final Medicare Providers and Suppliers Categories Designated to
the ``Moderate'' Level for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Ambulance suppliers, community mental health centers; comprehensive
outpatient rehabilitation facilities; hospice organizations;
independent diagnostic testing facilities; independent clinical
laboratories; physical therapy including physical therapy groups and
portable x-ray suppliers.
Currently enrolled (revalidating) home health agencies.
------------------------------------------------------------------------

Table 8--Final Medicare Providers and Suppliers Categories Designated to
the ``High'' Level for Screening Purposes
------------------------------------------------------------------------
Provider/supplier category
-------------------------------------------------------------------------
Prospective (newly enrolling) home health agencies and prospective
(newly enrolling) suppliers of DMEPOS.
------------------------------------------------------------------------

4. General Screening of Providers--Medicaid and CHIP--Proposed
Provisions and Analysis of and Responses to Public Comments
Section 1902(kk)(1) of the Act requires that States comply with the
process for screening providers established by the Secretary under
section 1866(j)(2) of the Act.\4\ Section 2107(e)(1) of the Act
provides that all provisions that apply to Medicaid under sections
1902(a)(77) of the Act,\5\ the State plan mandate for compliance with
provider and supplier screening, oversight, and reporting requirements
in accordance with 1902(kk), and 1902(kk) of the Act, the specific
State plan requirements regarding provider and supplier screening,
oversight, and reporting, shall apply to CHIP. We proposed in new Sec.
457.990 that all the provider screening, provider application, and
moratorium regulations that apply to Medicaid providers will apply to
providers that participate in CHIP. In addition, in this final rule
with comment period, we refer to State Medicaid agencies as responsible
for screening Medicaid-only providers. In some States, CHIP is not
administered by the Medicaid agency. Throughout this final rule with
comment period, with respect to those instances, ``State Medicaid
agency'' should be read to encompass ``Children's Health Insurance
Program agency'' where the two are separate entities.
---------------------------------------------------------------------------

\4\ As noted previously, we believe that the reference to
section 1886(j)(2) of the Act in section 6401(b)(1) of the ACA is a
scrivener's error, and that the Congress intended to refer instead
to section 1866(j)(2) of the Act.
\5\ Section 1902(a)(77) is only broadly referenced in the final
regulations under section Sec. 455.400, as a statutory section
being implemented by the regulation.
---------------------------------------------------------------------------

Because it would be inefficient and costly to require States to
conduct the same screening activities that Medicare contractors perform
for dually-enrolled providers, we proposed that a State may rely on the
results of the screening conducted by a Medicare contractor to meet the
provider screening requirements under Medicaid and CHIP. Similarly, we
proposed in Sec. 455.410 that State Medicaid agencies may rely on the
results of the provider screening performed by the State Medicaid
programs and CHIP of other States. For Medicaid-only providers or CHIP-
only providers, we proposed that States follow the same screening
procedures that CMS or its contractors follow with respect to Medicare
providers and suppliers.
As previously noted, section 1902(kk)(1) of the Act requires that
State screening methods follow those performed under the Medicare
program. For the sake of brevity, we will not restate those methods
verbatim. We proposed that States follow the rationale that we have set
forth for Medicare in section II.A.3. of this final rule with comment
period, and that we use as the basis for Sec. 455.450. For the types
of providers that are recognized as a provider or supplier under the
Medicare program, States will use the same screening level that is
assigned to that category of provider by Medicare. For those Medicaid
and CHIP provider types that are not recognized by Medicare, States
will assess the risk posed by a particular provider or provider type.
States should examine their programs to identify specific providers or
provider types that may present increased risks of fraud, waste or
abuse to their Medicaid programs or CHIP. States are uniquely qualified
to understand issues involved with balancing beneficiaries' access to
medical assistance and ensuring the fiscal integrity of the Medicaid
programs and CHIP. However, where applicable, we expect that States
will assess the risk of fraud, waste, and abuse using similar criteria
to those used in Medicare. For example, physicians and non-physician
practitioners, medical groups and clinics that are State-licensed or
State-regulated would generally be categorized as limited risk. Those
provider types that are generally highly

[[Page 5896]]

dependent on Medicare, Medicaid and CHIP to pay salaries and other
operating expenses and which are not subject to additional government
or professional oversight would be considered moderate risk, and those
provider types identified by the State as being especially vulnerable
to improper payments would be considered high risk. States will then
screen the provider using the screening tools applicable to that risk
assigned. However, we did not propose to limit or otherwise preclude
the ability of States to engage in provider screening activities beyond
those required under section 1866(j)(2) of the Act, including, but not
limited to, assigning a particular provider type to a higher screening
level than the level assigned by Medicare.
As with the proposed screening provisions for Medicare, we
solicited comments on the applicability of these proposals for Medicaid
as well. We solicited comment on the proposed assignment of specific
provider types to established risk categories, including whether such
assignments should be released publicly, whether they should be
reconsidered and updated according to an established schedule, and what
criteria should be considered in making such assignments.
Based on the level of screening assigned to a provider or provider
type, we proposed that States conduct the following screenings:

Table 9--Proposed Level of Risk and Required Screening for Medicaid and CHIP Providers
----------------------------------------------------------------------------------------------------------------
Type of screening required Limited Moderate High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier-specific requirements X X X
established by Medicaid/CHIP................................
Conduct license verifications (may include licensure checks X X X
across State lines).........................................
Database Checks (to verify SSN and NPI, the NPDB, licensure, X X X
a HHS OIG exclusion, taxpayer identification, tax
delinquency, death of individual practitioner, and persons
with an ownership or control interest or who are agents or
managing employees of the provider).........................
Unscheduled or Unannounced Site Visits....................... ............... X X
Criminal Background Check.................................... ............... ............... X
Fingerprinting............................................... ............... ............... X
----------------------------------------------------------------------------------------------------------------

Not all States routinely require persons with an ownership or
control interest or who are agents or managing employees of the
provider to submit SSNs or dates of birth (DOBs). Without such critical
personal identifiers, it is difficult to be certain of the identity of
persons with an ownership or control interest or who are agents or
managing employees of the provider, and it may be difficult for States
to conduct the screening proposed under this rule. Accordingly, and to
be consistent with Medicare requirements, pursuant to our general
rulemaking authority under section 1102 of the Act, we proposed in
Sec. 455.104 to require that States will require submission of SSNs
and DOBs for all persons with an ownership or control interest in a
provider. In addition to the amendment to Sec. 455.104, we proposed to
revise that section for the sake of clarity both for the disclosing
entities' provision and the States' collection of the disclosures. We
recognize that there may be privacy concerns raised by the submission
of this personally identifiable information as well as concerns about
how the States will assure individual privacy as appropriate; however,
we believe this personally identifiable information is necessary for
States to adequately conduct the provider screening activities under
this final rule with comment period. We solicited comment specifically
on this issue.
Although the level of screening may vary depending on the risk of
fraud, waste or abuse the provider represents to the Medicaid program
or CHIP, under section 1866(j)(2)(B)(i) of the Act, all providers would
be subject to licensure checks. Therefore, we proposed that States be
required to verify the status of a provider's license by the State of
issuance and whether there are any current limitations on that license.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers would apply to providers that participate in
CHIP, these requirements for provider screening and assigning of
categories of risk of fraud, waste, or abuse, as well as verification
of licensure, under Sec. 455.412 and Sec. 455.450 will apply in CHIP.
Comment: Commenters expressed concerns about new and existing
disclosure requirements under Sec. 455.104, including our proposal to
add to the disclosure requirements collection of SSNs and DOBs of
persons with an ownership or control interest in the disclosing entity.
Some States support the proposal, already having instituted the
disclosure requirement in their enrollment application procedures.
Other States support the proposal but request additional time for
implementation, including forms and system changes. Two States
expressed concern about the impact the requirement might have upon
beneficiary access to providers.
Response: We will not address the comments directed at the existing
language of Sec. 455.104. The regulation was rearranged for ease of
application by States and disclosing entities, but with the exception
of the addition of SSNs and DOBs, as well as changes suggested by a few
commenters regarding corporate entity addresses and familial
relationships, the language is substantially unchanged from the
language currently in effect. We acknowledge the commenters' concerns
about collection of SSNs and DOBs, however, collection of SSNs and DOBs
is necessary to complete the screening process and be certain of the
identity of the party being screened. We recognize that the addition of
SSNs and DOBs and other improvements in disclosure collection will
require systems and forms changes and States will need time for
implementation. We encourage States to contact us about their specific
timeframes. Furthermore, we do not believe that this requirement will
have an adverse impact on beneficiary access as the majority of
disclosure requirements have not changed, and our experience with the
same requirement in Medicare indicates that such a requirement does not
adversely impact beneficiary access.
Comment: Other commenters made recommendations on language changes
that would clarify Sec. 455.104(b)(1)(i) regarding the address of
corporate entities with ownership or control of disclosing entities;
Sec. 455.104(b)(2) regarding familial relationships; and Sec.
455.104(b)(4) regarding SSNs and DOBs of managing employees.
Response: We agree with the commenters that Sec. 455.104(b)(1)(i)
should be clarified regarding addresses

[[Page 5897]]

of corporate entities with ownership or control of disclosing entities
and accordingly will revise Sec. 455.104(b)(1)(i) to clarify from whom
the name and address must be provided and to require the disclosing
entity to supply primary business address as well as every business
location and P.O. Box address, if applicable. We agree that Sec.
455.104(b)(2) should be clarified regarding to whom the spouse, parent,
child, or sibling is related, and we are revising Sec. 455.104(b)(2)
accordingly. We agree that Sec. 455.104(b)(4) should be clarified to
require managing employees to provide SSNs and DOBs, as that was the
intent of the proposal, and we are revising Sec. 455.104(b)(4)
accordingly.
Comment: Several commenters expressed concern regarding collection
of disclosures under Sec. 455.104. One commenter expressed concern
about the confidentiality and privacy of board member identity and the
protection from disclosure to the general public. Other commenters were
concerned that not-for-profit board members were volunteers and might
not serve were they compelled to provide their SSNs and DOBs as a
condition of the entity being enrolled.
Response: We have previously provided guidance to States that Sec.
455.104 requires disclosures from persons with ownership and control
interests in the disclosing entity, which includes officers and
directors of a disclosing entity that is organized as a corporation,
without regard to the for-profit or not-for-profit status of that
corporation. That guidance is available at http://www.cms.gov/FraudAbuseforProfs/Downloads/bppedisclosure.pdf. We are sensitive to
the concerns related to confidentiality of identifiable information
such as SSNs. We are also concerned about issues that arise out of
identity theft. We encourage States to institute appropriate safeguards
to protect the information they gather as required by these rules.
However, collection of disclosures including the SSNs and DOBs of
persons with ownership and control interests in a disclosing entity,
and of managing employees, is necessary to protect the integrity of the
State Medicaid programs. Therefore, we are finalizing the proposal
requiring provision of SSNs and DOBs.
Comment: One commenter sought clarification whether the disclosure
requirements in Sec. 455.104 apply to IHS providers.
Response: This rule does not make any changes about whom
disclosures must be provided, but rather simply adds additional items
of information that must be disclosed. The boards of IHS facilities
were not previously subject to the--disclosure requirements in Sec.
455.104, and accordingly, are not subject to the additional disclosure
requirements imposed by this rule.
Comment: Commenters expressed concern about the applicability of
Sec. 455.104 to public school districts. Public schools deliver
Medicaid school based health services to Medicaid eligible children and
therefore are enrolled as Medicaid providers. The commenters objected
to the proposed requirement in Sec. 455.104 that the schools provide
the SSNs and DOBs of persons with controlling interests of the
provider, which they interpreted to include the SSNs and DOBs of school
board members. The majority of the commenters stated that the public
school districts were closely regulated by numerous checks and balances
and there was a low likelihood that fraud would be perpetrated in
schools, therefore, the collection of SSNs and DOBs from public school
districts was unnecessary.
Response: As previously noted, this rule does not change about whom
disclosures must be provided, but rather what information must be
disclosed. Except to the extent that any public school districts may be
organized as corporations, they were not previously required to make
disclosures about their boards, nor are they required to under this new
rule.
Comment: Several commenters expressed concern regarding the license
verification requirement in Sec. 455.412. One commenter noted that it
would be administratively inefficient, costly, and unrealistic for
States to verify each provider applicant's licensure status in another
State. Another commenter offered that searching its database containing
multi-State licensure data would be more efficient than requiring
States to search State by State.
Response: Holding a valid professional license should be a
prerequisite in any State prior to assignment of a Medicaid provider
identification number. Medicaid beneficiaries have a right to be
treated only by those providers that have been deemed by the licensing
boards of their States to be eligible to treat them. As a matter of
public policy, it is not unreasonable to expect that licensure status
of all in-State and out-of-State providers be checked prior to
enrollment, and that any limitations on their licenses be checked as
well. Out-of-State provider applicants submit licensure information
including status to the Medicaid agency with their application. While
verification of out-of-State licensure may be challenging, all those
Medicaid agencies that enroll out-of-State providers have the
obligation to verify licensure status of out-of-State providers as
well. We appreciate the commenter's suggestion of its database of
provider information. We are aware that State licensing boards maintain
publicly available information that neighboring States may access. It
is within the States' discretion which databases to check.
Comment: A commenter requested clarification of whether license
verification was required when the chart at 75 FR 58214 states that
license verification ``may include licensure checks across State
lines'' thereby implying that licensure checks across State lines are
permissive, not mandatory.
Response: The State Medicaid agency must verify the licensure of a
provider applicant in the State in which the provider applicant
purports to be licensed. If an out-of-State provider submitted an
application for enrollment, the State Medicaid agency would be required
to verify license across State lines.
a. Database Checks--Medicaid and CHIP
States employ several database checks, including database checks
with the Social Security Administration and the NPPES, to confirm the
identity of an individual or to ensure that a person with an ownership
or control interest is eligible to participate in the Medicaid program.
A critical element of Medicaid program integrity is the assurance
that persons with an ownership or control interest or who are agents or
managing employees of the provider do not receive payments when
excluded or debarred from such payments. Accordingly, in Sec. 455.436,
we proposed that States be required to screen all persons disclosed
under Sec. 455.104 against the OIG's LEIE and the General Services
Administration's EPLS. We proposed that States be required to conduct
such screenings upon initial enrollment and monthly thereafter for as
long as that provider is enrolled in the Medicaid program.
We also proposed at Sec. 455.450, as well as Sec. 455.436, that
database checks be conducted on all providers on a pre- and post-
enrollment basis to ensure that providers continue to meet the
enrollment criteria for their provider type.
As previously stated, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act also apply to CHIP. Because we proposed a new
regulation in Part 457

[[Page 5898]]

under which all provider screening requirements that apply to Medicaid
providers will apply to providers that participate in CHIP, this
requirement for database checks under Sec. 455.436 and Sec. 455.450
apply in CHIP.
We received many comments on the database requirements in Sec.
455.436 from States concerned about the administrative burden presented
by searching several databases upon enrollment, and both the LEIE and
the EPLS on a monthly basis by the names of both the provider and those
with ownership or control interests in the provider and managing
employees of the provider.
Comment: Some commenters questioned whether there were costs
associated with accessing the databases. The commenters suggested that
CMS establish a centralized database that States could access,
including using an automated, rather than manual, search, all at no
cost to States. One State suggested that the databases be accessible
through automated data exchanges and that any cost to the States be
waived to avoid barriers to compliance with the rule. Two other States
questioned whether there were costs associated with accessing the
databases that must be considered. Other commenters suggested a delay
or elimination of the proposed requirement at Sec. 455.436(c)(2) until
CMS established such a centralized database.
Response: We are aware that there may be costs to the State
Medicaid agency associated with checking some databases. However, Sec.
455.436 enumerates databases that most State Medicaid agencies already
check in their routine provider enrollment operations. In addition, we
have previously issued guidance to State Medicaid Directors
recommending searching the LEIE on a monthly basis by the names of
enrolled providers and for providers, by the names of their employees
and contractors. Those guidance documents are available here: http://www.cms.gov/smdl/downloads/SMD061208.pdf and http://www.cms.gov/SMDL/downloads/SMD011609.pdf. Many States have already adopted the
recommendations in their enrollment policies. More recently, in
September 2010, we provided guidance to program integrity directors on
the availability of the LEIE and EPLS for exclusion searches. That
guidance document is available here: http://www.cms.gov/FraudAbuseforProfs/Downloads/bppedisclosure.pdf.
Accordingly, we are finalizing Sec. 455.436 to require State
Medicaid agencies to conduct Federal database checks.
Comment: A commenter questioned whether other databases will be
prescribed in the final rule with comment period or whether States will
be notified of requirements in another fashion.
Response: In Sec. 455.436(b), we proposed that the States be
required to check ``any such other databases as the Secretary may
prescribe.'' We are not prescribing additional databases in the final
rule with comment period. However, in response to evolving
circumstances, the Secretary may issue guidance to States regarding
checking specific databases.
Comment: One commenter sought clarification on which of a
provider's managing employees the State Medicaid agency must search in
the exclusions databases. The commenter noted that some large providers
like hospitals have many managing employees that may be subject to the
proposed database checks.
Response: We recognize the burden that conduct of database checks
of managing employees may pose for providers with managing employees at
multiple levels or locations in its organizations. Nevertheless,
database checks must be conducted for all persons disclosed under Sec.
455.104, including managing employees who could compromise or place in
jeopardy a provider's compliance with Medicare, Medicaid, or CHIP
requirements.
Comment: One commenter noted that State vital statistics
information may be more accurate than the Social Security
Administration's Death Master File. The commenter suggested allowing
States to check against their own vital records systems and not require
the States to check against the Social Security Administration's file.
Response: While on an anecdotal basis State records may be more
accurate than the Social Security Administration's Death Master File,
it is the Death Master File that is the national file of record.
Therefore, we are finalizing the requirement that State Medicaid
agencies check the Social Security Administration's Death Master File.
However, under Sec. 455.436(c)(1) a State may also consult other
appropriate databases to confirm identity upon enrollment and
reenrollment.
Comment: Another commenter noted that the Social Security
Administration only allows SSN verification for W-2 purposes. The
commenter recommended removing the reference to checks of
``applicable'' Social Security Administration databases from the
database check requirement.
Response: We express no opinion as to the accuracy of the
commenter's statement regarding SSN verification, but agree with the
commenter that the database check requirement in this rule should be
more explicit. Accordingly, we are revising Sec. 455.436 to indicate a
check of the ``Social Security Administration's Death Master File''
rather than ``applicable databases''.
Comment: A few commenters requested clarification regarding which
database States must check for verification of tax identifications and
tax delinquencies and how the States would use that information as a
tool for screening providers.
Response: Although we believe that verifying taxpayer
identification and checking for tax delinquencies may be useful
indicators of fraud to a State Medicaid program, access to that
information is limited and may not be feasible in the short term.
Therefore, we are not finalizing those requirements as suggested by
Table 5 under ``Type of Screening Required''.
Comment: One commenter asked whether it was our intention to
require providers also to check their employees for exclusions on a
monthly basis. The proposed regulation at Sec. 455.436 does not
require providers to check their employees for exclusions.
Response: We issued guidance on June 12, 2008, to State Medicaid
Directors recommending that they check their enrolled providers for
exclusions on a monthly basis. We followed up that guidance on January
16, 2009, with guidance to State Medicaid Directors recommending that
they require their enrolled providers to check the providers' employees
and contractors for exclusions on a monthly basis. Those letters are
available at: http://www.cms.gov/smdl/downloads/SMD061208.pdf and
http://www.cms.gov/SMDL/downloads/SMD011609.pdf. Many States made our
recommendations their policy.
Section 455.436 does not mandate that States require their
providers to check the LEIE and EPLS on a monthly basis to determine
whether the providers' employees and contractors have been excluded. We
do, however, recommend that States consider making this a requirement
for all providers and contractors, including managed care contractors
in their Medicaid programs and CHIP.
b. Unscheduled and Unannounced Site Visits--Medicaid and CHIP
Section 1866(j)(2)(B)(ii)(III) of the Act states that the
Secretary, based on the risk of fraud, waste, and abuse, may conduct
unscheduled and unannounced

[[Page 5899]]

site visits, including pre-enrollment site visits, for prospective
providers and those providers already enrolled in the Medicare and
Medicaid programs and CHIP.
Some States already require site visits, often for provider
categories at increased risk of fraud, waste or abuse such as home
health and non-emergency transportation. According to FY 2008 State
Program Integrity Assessment (SPIA) data, at least 16 States report
that they perform some type of site visits. However, such efforts vary
widely across the country and are subject to budget shortfalls.
We proposed to require in Sec. 455.432 and Sec. 455.450(b) that
States must conduct pre-enrollment and post-enrollment site visits for
those categories of providers the State designates as being in the
``moderate'' or ``high'' level of screening.
Further, in Sec. 455.432, pursuant to our general rulemaking
authority under section 1102 of the Act, we proposed that any enrolled
provider must permit the State Medicaid agency and CMS, including CMS'
agents or its designated contractors, to conduct unannounced on-site
inspections to ensure that the provider is operational at any and all
provider locations.
We maintain that site visits are essential in determining whether a
provider is operational at the practice location found on the Medicaid
enrollment agreement. We expect these requirements to increase the
number of both pre-enrollment and post-enrollment site visits for those
provider types that pose an increased financial risk of fraud, waste,
or abuse to the Medicaid program.
We proposed that failure to permit access for site visits would be
a basis for denial or termination of Medicaid enrollment as specified
in Sec. 455.416.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers will apply to providers that participate in CHIP,
this requirement for site visits under Sec. 455.432 apply in CHIP.
Comment: Some commenters were supportive of the proposal for pre-
enrollment and post-enrollment site visits in Sec. 455.432, although
they noted that they would need additional funding for travel or for
contractors to conduct the site visits. Some commenters stated that the
States should have the discretion to define which providers are subject
to pre- and post-enrollment site visits and when the site visits are
conducted, for example, by established risk categories or an automatic
flag that demonstrates that billing has gotten to a certain threshold
thus requiring an onsite visit. A few commenters stated that the site
visits were an undue burden on States. One commenter stated that the
site visits were unnecessary given that other more cost-effective
methods could prevent enrollment of providers who are using fraudulent
identity, such as annual re-enrollment, license verification, and
follow-up when a duplicate provider ID or address is used. Another
commenter noted that pre-enrollment site visits could delay enrollment
as a result of inclement weather.
Response: We recognize that conduct of site visits will place a
burden on State budgets and staff time, and may be difficult to
accomplish in rural areas or in inclement weather. However, site visits
are a requirement depending on the risk the provider represents to the
Medicaid program. In response to the commenters that suggested that
States should have the discretion to define which providers are subject
to pre- and post-enrollment site visits: The site visits are required
for those providers that are determined to be a moderate or high
categorical risk of fraud, waste, or abuse. In addition to the required
site visits for providers in the moderate and high screening levels,
the State may also conduct site visits at its discretion. While there
may be other means to verify whether a provider is a going concern or
whether a provider has a business location, conduct of site visits is
one method that is required by this regulation. The State has the
discretion to utilize other additional methods to prevent enrollment of
non-existent providers or to ensure that spurious applications are not
processed.
Comment: A few commenters sought clarification on what the
expectations were for site visits when the provider performed services
in the beneficiary's home, for example, personal care services; or for
out-of-State providers or rural providers.
Response: If a Medicaid-only provider is in the moderate or high
screening level, the State Medicaid agency does not have the discretion
whether to conduct a site visit: It is required under Sec. 455.432(a)
and Sec. 455.450(b). However, pursuant to Sec. 455.452, States are
permitted to establish additional or more stringent screening measures
than those required by this final rule with comment period. Thus, for
providers that are in the limited screening level, the State has the
discretion to determine whether to conduct site visits, based on
whatever factors the State deems appropriate. We recognize that the
appropriate location of the site visit may differ based upon the
provider type. For example, the personal care services agency is the
enrolled provider, so its location would likely be subject to a site
visit. While its employee the personal care attendant may not be an
enrolled provider with the State Medicaid agency, it may also be
appropriate to conduct a site visit in a beneficiary's home where the
personal care attendant is providing services to ensure that services
are in fact being provided appropriately. It would be within the
discretion of the State Medicaid agency to determine whether to conduct
an additional site visit for a provider in the limited screening level.
With respect to providers in rural locations, the mere fact that the
provider is in a rural location does not absolve the State Medicaid
agency of its responsibility to conduct site visits. Similarly, for
out-of-State providers, the mere fact that a provider in the moderate
or high screening level is located in another State would not negate
the requirement for a site visit, although we note that Sec. 455.410
permits States to rely upon the screening performed by Medicare and by
other State Medicaid programs and CHIP. Therefore, no additional site
visit would be required if the provider is also enrolled by Medicare or
in Medicaid or CHIP in its home State.
c. Provider Enrollment and Provider Termination--Medicaid and CHIP
States may refuse to enroll or may terminate the enrollment
agreement of providers for a number of reasons related to a provider's
status or history, including an exclusion from Medicare, Medicaid, or
any other Federal health care program, conviction of a criminal offense
related to Medicare or Medicaid, or submission of false or misleading
information on the Medicaid enrollment application. Failure to provide
disclosures is another reason for termination from participation in the
Medicaid program.
Federal regulations beginning at Sec. 455.100 require certain
disclosures by providers to States before enrollment. States require
additional disclosures prior to enrollment. Some States require
periodic re-enrollment and disclosure at that time. However, States
vary in the frequency of such re-disclosures. Providers are also
inconsistent in keeping their enrollment information current, including
items as elementary as their address.
We proposed, at Sec. 455.414, pursuant to our general rulemaking
authority

[[Page 5900]]

under section 1102 of the Act, that all providers undergo screening
pursuant to the procedures outlined herein at least once every 5 years,
consistent with current Medicare requirements for revalidation.
In Sec. 455.416, we proposed to establish termination provisions,
requiring States to deny or terminate the enrollment of providers: (1)
Where any person with an ownership or control interest or who is an
agent or managing employee of the provider does not submit timely and
accurate disclosure information or fails to cooperate with all required
screening methods; (2) that are terminated on or after January 1, 2011
by Medicare or any other Medicaid program or CHIP (see section II.F. of
this final rule with comment period); and (3) where the provider or any
person with an ownership or control interest or who is an agent or
managing employee of the provider fails to submit sets of fingerprints
within 30 days of a State agency or CMS request. We proposed to permit
States to deny enrollment to a provider if the provider has falsified
any information on an application or if CMS or the State cannot verify
the identity of the applicant. We also proposed to require States to
deny enrollment to providers, unless States determine in writing that
denial of enrollment is not in the best interests of the State's
Medicaid program, in these circumstances: (1) The provider or a person
with an ownership or control interest or who is an agent or managing
employee of the provider fails to provide accurate information; (2) the
provider fails to provide access to the provider's locations for site
visits, or (3) the provider, or any person with an ownership or control
interest, or who is an agent or managing employee of the provider has
been convicted of a criminal offense related to that person's
involvement in Medicare, Medicaid, or CHIP in the last 10 years. We
believe that providers can significantly reduce the likelihood of
fraud, waste or abuse by providing and maintaining timely and accurate
Medicaid enrollment information. We believe the Medicaid program will
be better protected by not allowing persons with serious criminal
offenses related to Medicare, Medicaid, and CHIP to serve as providers.
We proposed at Sec. 455.416 that the State be allowed to deny an
initial enrollment application or agreement submitted by a provider or
terminate the Medicaid enrollment of a provider, including an
individual physician or non-physician practitioner, if CMS or the State
is not able to verify an individual's identity, eligibility to
participate in the Medicaid program, or determines that information on
the Medicaid enrollment application was falsified.
In Sec. 455.420, we proposed to require that any providers whose
enrollment has been denied or terminated must undergo screening and pay
all appropriate application fees again to enroll or re-enroll as a
Medicaid provider.
We proposed at Sec. 455.422 that in the event of termination under
Sec. 455.416, the State Medicaid agency must give a provider any
appeal rights available under State law or rule.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers will apply to providers that participate in CHIP,
these requirements for provider enrollment, provider termination, and
provider appeal rights under Sec. 455.414, Sec. 455.416, Sec.
455.420, and Sec. 455.422 apply in CHIP.
Comment: Several commenters expressed concern regarding the
requirement under Sec. 455.414 related to a 5 year re-screening
process. Some commenters stated that they already required a periodic
re-enrollment process and CMS should take into consideration the
States' existing processes and grant the States the flexibility to
employ those existing processes.
Other commenters noted that the additional enrollments would place
administrative and fiscal burdens on the States. Several commenters
noted that they would need an extended period to implement the new
requirements of the proposed rule, including the requirement set forth
at Sec. 455.414.
One commenter sought clarification whether all providers currently
enrolled and that have been enrolled for 5 years would be up for
revalidation when the regulation became effective; and whether
currently enrolled providers could be revalidated over a 5-year
timeframe to diminish the administrative burden on State Medicaid
agency staff.
Another commenter sought clarification whether the requirement was
for re-screening or for re-enrollment at least every 5 years; whether
the requirement would apply to all enrolled providers including
rendering providers, or just to ordering or referring physicians and
other professionals who are the subject of the requirements set forth
at Sec. 455.410 and Sec. 455.440; and whether CMS would give affected
providers notice of the need to re-enroll.
Response: Periodic re-validation of enrollment information affords
States the opportunity to ensure their provider rolls do not contain
providers that have been excluded from participation in the Federal
health care programs. The State Medicaid agencies can cull from their
provider rolls those providers that have not submitted claims for
payment or referred claims for payment in several years. Without
removing those providers' numbers during a periodic re-enrollment
process, those providers' numbers might be used at a later date in a
fraudulent scheme: The providers may have been unwitting victims of
identity theft or may have participated in selling their provider
numbers.
The proposed requirement at Sec. 455.414 describes screening of
all providers at least every 5 years. Screening, as performed by the
Medicare Administrative Contractors for all dually participating
providers, and by the State Medicaid agency or CHIP for those providers
that are not also participating in the Medicare program, should be
distinguished from enrollment, a function performed by the State
Medicaid agency or CHIP to participate in the Medicaid program or CHIP
of a given State. Screening would involve various assessments
commensurate to the risk the provider posed to the Medicaid program or
CHIP, including license verification, database checks, site visits,
background checks, and fingerprinting. Enrollment may involve all of
those, as well as collection of disclosures required under Sec.
455.104, Sec. 455.105, and Sec. 455.106, and a host of State-specific
requirements.
We applaud States that already require periodic re-enrollment of
Medicaid providers. For the sake of consistency with the Medicare
program, however, we are finalizing Sec. 455.414 as a 5 year re-
validation of enrollment information, which includes re-screening as
well as the collection of updated disclosure information, for providers
regardless of provider type, including, but not limited to, rendering,
ordering, and referring physicians, and other professionals. The
screening component of the 5 year re-validation will be conducted by
either the Medicare Administrative Contractors (for dually-
participating providers) or by the States (for Medicaid-only or CHIP-
only providers). The collection of updated enrollment information,
including, but not limited to, disclosure information will be the
province of the State Medicaid agencies, and subject to their existing
procedures, therefore, we will not issue notices of the need to

[[Page 5901]]

revalidate enrollment information to the affected providers.
State Medicaid agencies should complete the first re-validation
cycle by 2015, with 20 percent of providers being re-validated each
year beginning 2011. State Medicaid agencies have the discretion to
determine which providers or provider types to re-validate enrollment
first. However, they may want to consider re-validating enrollment in
the first years of the cycle those providers or provider types that
pose the greatest risk of fraud, waste or abuse to the Medicaid program
and CHIP.
Comment: We received comments from States supportive of the
proposed bases for denial of enrollment or termination of enrollment in
Sec. 455.416, but concerned about the time they would need for
implementation to amend State laws and rules and to amend provider
agreements. One State commented that it would be administratively
inefficient, costly, and unrealistic for each State to independently
confirm providers' enrollment status or termination history in another
State's Medicaid program or CHIP.
Response: We believe that the bases for denial of enrollment or
termination of enrollment in Sec. 455.416 are necessary to protect the
integrity of the Medicaid program. Therefore, prompt implementation of
these additional bases for denial or termination will serve each State
and Medicaid programs nationally. We acknowledge the additional burden
that new bases for denial and termination will create for State
Medicaid programs, for example, in changes to systems and forms, and
changes to provider agreements. We are currently examining to what
extent we can support a centralized information sharing solution for
provider enrollment across programs and across States. However, we note
that termination based on termination by Medicare or by another State's
Medicaid program is a statutory requirement effective January 1, 2011.
Comment: One commenter recommended that the reasons for provider
termination should be outlined and given to the provider upon denial or
termination. The commenter noted that the provider would then have the
ability to address or correct deficiencies prior to resubmitting its
enrollment application. This requirement, the commenter noted, would be
in addition to any appeal rights.
Response: We have provided for a right of appeals to the extent
they are available under a State's existing laws or rules. While we
recognize that the commenter's suggestion may be helpful, and States
may elect to adopt it, we will not be disrupting a State's procedures
under its existing laws or rules with this regulation.
Comment: One State recommended an addition to the language of Sec.
455.416(g)(1) to recognize that a provider's omissions may be as
egregious as its falsified statements.
Response: We appreciate the commenter's suggestion to cover all
possible situations when a provider may have misled the State in the
application process. However, Sec. 455.416(d) addresses termination
for a failure to submit timely and accurate information which would
include omissions to provide information. Therefore we decline to
revise section Sec. 455.416(g)(1).
Comment: A State requested clarification on how rigorous the
State's efforts must be to verify the identity of the provider
applicant or whether a background check is sufficient.
Response: The State Medicaid agencies have the discretion to
determine the steps that are appropriate to verify the identity of the
provider applicant, which may include, but would not be limited to,
verification of licensure, database checks, and criminal background
checks.
d. Criminal Background Checks and Fingerprinting--Medicaid and CHIP
Section 1866(j)(2)(B)(ii)(II) of the Act allows the Secretary to
use fingerprinting during the screening process; and while several
States have implemented procedures to require fingerprinting of
physicians and non-physician practitioners as a condition of licensure,
we maintain that if a State designates a provider as within the high
level of screening as described previously, each person with an
ownership interest in that provider should be subject to
fingerprinting.
Adding fingerprinting to State screening processes for those
providers that pose the greatest risk to the Medicaid program will
allow CMS and the State to: (1) Verify the individual's identity; (2)
determine whether the individual is eligible is participate in the
Medicaid program; (3) ensure the validity of information collected
during the Medicaid enrollment process; and (4) prevent and detect
identity theft. Ensuring the identity of ``high'' risk Medicaid
providers through fingerprinting protects both the Medicaid program and
providers whose identities might otherwise be stolen as part of a
scheme to defraud Medicaid.
In addition, while Sec. 455.106 requires providers to submit
information to the Medicaid agency on criminal convictions related to
Medicare and Medicaid and title XX, current regulations do not require
States to verify data submitted as part of the Medicaid enrollment
application and they are sometimes not able to verify information that
was purposefully omitted or changed in a manner to obfuscate any
previous criminal activity. According to fiscal year (FY) 2008 SPIA
data, at least 20 States report that they conduct some type of criminal
background check as part of their Medicaid enrollment practices.
Elements of a robust criminal background check could include, but
not are necessarily limited to: (1) Conducting national and State
criminal records checks; and (2) requiring submission of fingerprints
to be used for conducting the criminal records check and verification
of identity.
We proposed in Sec. 455.434 and Sec. 455.450 for those categories
of providers that a State Medicaid agency determines is within the high
level of screening, the State must: (1) Conduct a criminal background
check of each provider and each person with an ownership or control
interest or who is an agent or managing employee of the provider, and
(2) require that each provider and each person with an ownership or
control interest or who is an agent or managing employee of the
provider to submit his or her fingerprints. The State Medicaid agency
has the discretion to determine the form and manner of submission of
fingerprints.
At Sec. 455.434, we proposed that the State Medicaid agency must
require providers or any person with an ownership or control interest
or who is an agent or managing employee of the provider to submit
fingerprints in response to a State's or CMS' request.
We solicited public comment on the appropriateness of using
criminal background checks in the provider enrollment screening
process, including the instances when such background checks might be
appropriate, the process of notifying a provider or individual that a
criminal background check is to be performed, and the frequency of such
checks.
We also solicited comment on the use of fingerprinting as a
screening measure. We recognize that requesting, collecting, analyzing,
and checking fingerprints from providers are complex and sensitive
undertakings that place certain burdens on affected individuals. There
are privacy concerns and operational concerns about how to assure
individual privacy, how to check fingerprints against appropriate law
enforcement fingerprint data bases, and how to store

[[Page 5902]]

the results of the query of the databases and also how to handle the
subsequent analysis of the results. As a result, we solicited comments
on how CMS or a State Medicaid agency should maintain and store
fingerprints, what security processes and measures are needed to
protect the privacy of individuals, and any other issues related to the
use of fingerprints in the enrollment screening process. We expressed
interest in comments on this and other possible circumstances in which
fingerprinting would be potentially useful in provider screening or
other fraud prevention efforts. Our proposed screening approach
contemplated requesting fingerprints from providers assigned to the
high level for screening. We solicited comments on whether this is an
appropriate requirement, the circumstances under which it might be
appropriate or inappropriate, and any alternatives to the proposed
approach regarding fingerprints. Our proposed approach would allow
States to deny enrollment to newly enrolling providers and to terminate
existing providers if the provider or if individuals who have an
ownership or control interest in the provider or who are agents or
managing employees of the provider refuse to submit fingerprints when
requested to do so. We solicited comments on this proposal including
its appropriateness and utility as a fraud prevention tool.
In addition, we solicited comment on the applicability and
appropriateness of using, in addition to or in lieu of fingerprinting,
other enhanced identification techniques and secure forms of
identification including but not limited to passports, United States
Military identification, or Real ID drivers licenses. As technology and
secure identification techniques change, the tools we or State Medicaid
agencies use may change to reflect changes in technology or in risk
identification. We solicited comment on the appropriate uses of these
techniques and the ways in which we should notify the public about any
tools CMS or State Medicaid agencies would adopt. We also welcomed
comments on whether there should be differences allowed between Federal
and State techniques, or among States, and if so, on what basis.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers will apply to providers that participate in CHIP,
these requirements for criminal background checks and fingerprinting
under Sec. 455.434 will apply in CHIP.
Comment: A number of commenters noted the undue and significant
burden on the States and providers that the criminal background check
requirement in Sec. 455.434, and specifically the fingerprint
requirement, would pose. These commenters noted that State Medicaid
agencies do not have the staff or expertise to conduct the checks. One
commenter stated that enforcement of this provision will have
deleterious effects on the Medicaid provider network and act as a
barrier to care, and recommended removing the fingerprinting and
background check requirements for high risk providers.
Other commenters were supportive of the proposal to conduct
criminal background checks and collection of fingerprints, noting that
the proposal was intended to screen out unscrupulous providers. One
commenter recognized that the proposal to add fingerprinting of high
risk entities was a way to evaluate the background of potential
providers, to identify fraud and prevent individuals with known
criminal backgrounds from participating in Medicaid.
Other commenters were concerned about the relative cost and
efficiency of conducting the criminal background checks. Several
commenters suggested that the background checks be at the States'
discretion. One commenter suggested that CMS conduct any necessary
fingerprinting, regardless of whether the person or entity is enrolled
in Medicare. Another commenter recommended that CMS consider limiting
FBI criminal background checks to cases in which there is reasonable
cause to believe the subject may have a criminal record in another
State.
Response: We have considered all the comments received and are
sensitive to the burden the criminal background checks and
fingerprinting will pose to the State Medicaid agencies and the
affected providers. However, we believe that criminal background checks
are an effective means of evaluating a high risk provider. Furthermore,
we believe that fingerprinting high risk providers and their owners are
worthwhile endeavors to determine identity and whether the provider and
other individuals have been involved in criminal activities that would
adversely impact the Medicaid program. While we are finalizing the
requirement to conduct criminal background checks and collect
fingerprints for high risk providers, the requirement will be limited
to providers and persons with a five percent or more direct or indirect
ownership interest in the provider. There will be no requirement to
conduct criminal background checks on, or collect the fingerprints of,
persons with a control interest in the provider or the agents or
managing employees of high risk providers. However, we intend to
monitor the situation and may seek to extend the scope of fingerprint-
based criminal background checks in the future if circumstances
warrant. We are making the appropriate changes to Sec. 455.434. States
will not be required to implement criminal background checks and
fingerprinting until we issue additional guidance. To the extent that
States have the ability to conduct background checks and collect
fingerprints at this time, it is within their discretion to do so prior
to the delayed implementation date. States have the discretion to
impose more stringent requirements for Medicaid-only and CHIP-only
providers than those we are requiring.
Comment: One commenter asked how results of criminal background
checks would be communicated in data available to States from CMS.
Response: We are currently examining to what extent we can support
a centralized information sharing solution for provider screening
results across programs and across States. The individual results of a
criminal background checks performed, however, would likely be sent
directly to the agency requesting the background check from the entity
that performed the check.
Comment: One commenter asked whether there would be standard
criteria that define the types of convictions that warrant denial of a
provider's application.
Response: Whether to deny enrollment or to terminate enrollment are
decisions that are within the discretion of each State Medicaid agency
in accord with Sec. 455.416. Thus, the types of convictions that
warrant denial of enrollment would be at the discretion of the State
Medicaid agency.
Comment: Some commenters asked what level of background check was
required, for example, were State Medicaid agencies expected to do a
Federal criminal background check or a State criminal background check.
Response: While it is within the State Medicaid agency's discretion
to decide whether to conduct State or Federal background checks for
Medicaid-only providers, we recommend that the State conduct Federal
criminal background checks which would provide information that is
national in scope and therefore would be more complete.

[[Page 5903]]

Comment: A few commenters questioned which databases a States
should consult to compare fingerprints against in order to do the
screening under this provision, in the event that law enforcement is
not available to review the fingerprints?
Response: We are not aware of databases that the State Medicaid
agencies might search, however, there are vendors that provide the
service for a fee.
Comment: One commenter questioned whether the State Medicaid agency
must perform a criminal background check in its State only or in the
neighboring State for a provider applicant that only provides services
in the neighboring State.
Response: The States have the discretion to decide, however, we
would recommend conducting a FBI criminal history record check, which
would provide information that is national in scope and therefore would
be more complete and would be preferable to a State background check in
either the enrolling State or the neighboring State.
Comment: Some commenters noted that fingerprints created a
logistical concern for the State Medicaid agencies. Once they have
obtained the fingerprint cards from the providers, should the States
maintain the files, how should they maintain the cards, and for how
long? If electronic files, how should the States maintain those files?
Response: The State Medicaid agencies should follow their existing
records retention laws and procedures, however we recommend that the
State Medicaid agencies retain the files for at least 5 years, until
the provider's revalidation. To the extent that a State Medicaid agency
itself receives the fingerprints submitted, we expect them to maintain
those files in a secure manner to protect the privacy of the individual
who submitted the fingerprints.
Comment: One commenter suggested that the provision be revised so
that it does not require two copies of the fingerprint card but allows
for collection of two copies if the State determines that two copies
are needed.
Response: We agree, and are making that change to Sec. 455.434.
e. Deactivation and Reactivation of Provider Enrollment--Medicaid and
CHIP
Section 1902(kk)(1) of the Act requires the screening of Medicaid
providers to ensure they are eligible to provide services and receive
payments. In an effort to further protect the Medicaid program and to
be consistent with longstanding Medicare requirements, we proposed in
Sec. 455.418 that any Medicaid provider that has not submitted any
claims or made a referral that resulted in a Medicaid claim for a
period of 12 consecutive months must have its Medicaid provider
enrollment deactivated. Further, under Sec. 455.420, we proposed that
any such provider wishing to be reinstated to the Medicaid program must
first undergo all disclosures and screening required of any other
applicant. In addition, we proposed that the provider must pay any
associated application fees under Sec. 455.426.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers will apply to providers that participate in CHIP,
the proposed requirements for deactivation and reactivation of provider
enrollment under Sec. 455.418 and Sec. 455.420 would apply in CHIP.
Comment: A few commenters supported the proposed requirement as
written. A number of commenters were supportive of the spirit of this
proposed requirement but suggested that we lengthen the timeframe to 24
months. Other commenters expressed concern regarding the applicability
of the application fee when reactivating enrollment and suggested that
Medicaid follow a streamlined reactivation process similar to what
occurs in the Medicare program.
One State commenter expressed concern that the requirement to
deactivate providers would necessitate deactivating one third of the
State's enrolled providers. Other State commenters noted that out-of-
State providers would routinely be deactivated because their billings
are so infrequent.
Response: We recognize that many out-of-State providers provide
occasional emergency treatment to Medicaid beneficiaries, and that
requiring States to deactivate those providers after a year without
billings would cause administrative burdens for the States and the
providers. We believe States should have the discretion to police their
own provider enrollment, although we recommend that States deactivate
provider numbers that have not been used for an extended period of
time.
After reviewing the comments received and other operational
considerations we are not finalizing the requirement for deactivation
of provider numbers after 12 months in Sec. 455.418 at this time.
f. Enrollment and NPI of Ordering or Referring Providers--Medicaid and
CHIP
Section 1902(kk)(7) of the Act provides that States must require
all ordering or referring physicians or other professionals to be
enrolled under a Medicaid State plan or waiver of the plan as a
participating provider. Further, the NPI of such ordering or referring
provider or other professional must be on any Medicaid claim for
payment based on an order or referral from that physician or other
professional.
Providers and suppliers under Medicare and providers in the
Medicaid program are already subject to the requirement that the NPI be
on applications to enroll and on all claims for payment, pursuant to
section 6402(a) of the ACA, amending section 1128J of the Act, and
under Sec. 424.506, Sec. 424.507, and Sec. 431.107, as amended by
the May 5, 2010 interim final rule with comment period (75 FR 24437).
In Sec. 455.410, we proposed that any physician or other
professional ordering or referring services for Medicaid beneficiaries
must be enrolled as a participating provider by the State in the
Medicaid program. We proposed that this would apply equally to fee for
service providers or MCE network-level providers.
Additionally, we proposed to amend Sec. 438.6 to require that
States must include in their contracts with MCEs a requirement that all
ordering and referring network-level MCE providers be enrolled in the
Medicaid program, as are fee for service providers, and thus are
screened directly by the State.
Although the NPI requirements in section 6402(a) of the ACA did not
extend to CHIP providers, section 6401 of the ACA does apply equally to
CHIP, and the proposed requirement for ordering and referring
physicians or other professionals under the Medicaid program apply
equally under CHIP.
In addition, in Sec. 455.440, we proposed that all claims for
payment for services ordered or referred by such a physician or other
professional must include the NPI of the ordering or referring
physician or other professional. We proposed that this would apply
equally to fee for service providers or MCE network-level providers.
It is essential that all such claims have the ordering or referring
NPI and that the State has properly screened the ordering or referring
physician or other professional. Without such assurances,

[[Page 5904]]

it is difficult for CMS or the State to determine the validity of
individual claims for payment or to conduct effective data mining to
identify patterns of fraud, waste, and abuse.
As stated previously, pursuant to section 2107(e)(1) of the Act,
all provisions that apply to Medicaid under sections 1902(a)(77) and
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation
in Part 457 under which all provider screening requirements that apply
to Medicaid providers will apply to providers that participate in CHIP,
these requirements for provider enrollment and NPI under Sec. 455.410
and Sec. 455.440 apply in CHIP.
Comment: Many commenters expressed concern regarding whether the
ordering and referring requirements in the proposed rule applied in the
managed care environment. Many State, MCO, and association commenters
also expressed concern regarding the impact that mandatory enrollment
under Sec. 455.410 would have upon Medicaid beneficiary access to
providers. These commenters stated concerns about the ability to
contract with providers and other professionals if there was a
requirement for those providers to be enrolled with the State as
participating providers. The MCO and association commenters also cited
their concerns about network level providers wanting to control their
practices and not being mandated to participate in the Medicaid program
when their preference was to serve in a Medicaid MCO. In addition, a
State commenter expressed the concern that they be able to attract MCOs
to their programs to provide choice to beneficiaries.
Several State commenters also noted that adding managed care
ordering and referring providers to their rolls in addition to the
proposed requirement for re-enrollment every 5 years, as well as the
other proposed screening requirements would impose administrative and
fiscal burden on State resources.
A few association commenters suggested that States implement a
registration process whereby MCO network level providers would engage
in a process short of full enrollment with the Medicaid agency, solely
for the purpose of screening. Several commenters also expressed
concerned related to: (1) Consistency of screening across Medicare and
Medicaid, and across the MAOs and Medicaid managed care; and (2) who
would conduct the screening. There was some confusion about whether the
MAOs and MCOs would conduct the screening of the network level
providers, or whether Medicare contractors and State Medicaid agencies
would conduct the screening. There was also the issue of MAO providers
not being specifically required to be enrolled to order or refer for
the items and services they ordered or referred for Medicare
beneficiaries to be paid.
A few commenters noted the adequacy of current credentialing
performed by Medicaid MCOs and the absence of any statement to the
contrary justifying enrollment of network level ordering and referring
providers.
Several State commenters questioned how the NPI requirement would
apply in a managed care environment, when risk-based health plans file
claims for payment for the services of their subcontracted network
level providers based on the contract between the State and the risk-
based health plan. The network level providers ordering or referring
items or services do not file claims for payment as fee-for-service
providers do.
Response: After careful consideration of the comments we received,
as well as the statutory language, we have determined that the new
requirements for ordering and referring physicians should not apply in
a risk based managed care context. We do not believe it was the intent
of the Congress to impose stricter requirements on the Medicaid program
than are imposed in Medicare. To require Medicaid managed care
providers that order or refer items or services for Medicaid
beneficiaries to enroll as Medicaid participating providers when MAO
providers are not also required to enroll in the Medicare program to
order or refer items or services for Medicare beneficiaries would be to
treat the programs unequally.
In consideration of the concerns for beneficiary access and the
administrative burden that enrollment of MCO ordering and referring
physicians and other professionals would impose on State Medicaid
agencies, and in consideration of the parity of requirements for the
Medicaid and Medicare programs, we are not requiring that ordering and
referring physicians and other professionals in managed care risk based
health plans enroll as participating providers by State Medicaid
programs. Consequently, we are not finalizing the proposed change to
Sec. 438.6 that would have required State managed care contracts to
require network level providers enroll with the Medicaid agency as
participating providers.
We are limiting the exemption to risk based managed care. Section
1902(kk)(7) requires that States must require all ordering or referring
physicians or other professionals to be enrolled under a Medicaid State
plan or waiver of the plan as a participating provider. We want to give
the greatest effect to the statute while creating the least adverse
impact on beneficiaries. Had we extended the exemption to all forms of
managed care, for example, we would have allowed physicians or other
professionals that participate in primary care case management programs
that operate under State plan waivers to avoid enrollment with a
State's Medicaid program; or we would have allowed home and community
based services program providers that order or refer to avoid
enrollment, to the extent that a State requires such enrollment. We
also gave consideration to the comments we received regarding access,
burden on State processes, and credentialing. The State and managed
care organization commenters expressed concerns about beneficiary
access to managed care networks and providers, which would be likely to
occur in the risk-based forms of managed care, but not in primary care
case management, for example. The States also expressed concerns about
the burden of enrolling as participating providers those physicians and
other professionals in managed care. Again, we interpret their concerns
to be about risk-based forms of managed care, rather than forms of
managed care in which the provider or entity bears no risk, because in
the vast majority of States network level providers in risk-based forms
of managed care are not enrolled with the Medicaid agency. Primary case
care managers, however, are already enrolled with the Medicaid agency
as fee-for-service providers. In addition, risk-based managed care
entities conduct credentialing required under Federal regulations and
subject to the terms of the contracts between the States and the MCOs,
PIHPs, or PAHPs. Providers that participate in non-risk-based forms of
managed care are subject to the various enrollment requirements that
each State may designate.
Given that managed care services are recorded in encounter claims,
we recognize that it is not always possible for such an ordering or
referring physician's or other professional's NPI to be reflected on
such a claim. We leave it to the State's discretion, based in part on
the capability of the State's systems, to require entrance of the NPI
on the encounter record.
Comment: A commenter requested clarification on whether the
requirement for ordering and referring physicians or other
professionals to be enrolled with a State Medicaid agency would apply
to professionals who may not be eligible to

[[Page 5905]]

enroll in a State's Medicaid program but who provide services under the
supervision of an enrolled provider and whose services are billed under
the provider identification number of that eligible Medicaid enrolled
provider.
Response: The requirement for other ordering or referring
professionals to enroll with a State's Medicaid program as a
participating provider would depend on whether a State's Medicaid
program recognized the professional as a Medicaid provider. If it did
not, there would be no requirement to enroll.
Comment: Several commenters expressed concern about the
applicability of Sec. 455.410 and Sec. 455.440 to public school
districts. Public schools deliver Medicaid school based health services
to Medicaid eligible children and therefore are enrolled as Medicaid
providers. Commenters expressed concern about public school-based
providers, for example, speech language therapists, school
psychologists, occupational therapists, and physical therapists,
employed by public school districts being required to enroll with the
Medicaid agency as ordering and referring physicians or other
professionals. The commenters noted that public school based providers
are able, but have not been required in the past, to get an NPI. Public
school districts have included their NPI on claims and the clinicians
are assigned unique provider identification numbers to facilitate
identification of providers and services. Therefore, the commenters
encourage an exemption for public school based providers from the NPI
requirement.
Response: Public school based providers are subject to the ordering
and referring requirements set forth in Sec. 455.410 and Sec.
455.440. However, as a way to minimize the administrative burden of
enrolling additional providers, State Medicaid agencies may implement a
streamlined enrollment process for those providers who only order or
refer, that is, who do not bill for services, similar to the CMS-855-O
process in the Medicare program. Additionally, State Medicaid agencies
may delegate to State or local governmental agencies, such as public
school districts, the responsibility to screen public school based
providers and to assign unique provider identification numbers for
claims identification.
Comment: Several commenters noted that the regulations at Sec.
455.410 do not address whether CMS will provide a reliable mechanism or
national database in which screening results can be shared. Without a
method to obtain results from these other entities, States will have to
screen all Medicaid providers at considerable cost. One commenter noted
that Medicare and CHIP do not define providers the same way which will
lead to confusion over who has been screened through Medicare and the
sister agencies.
Response: We are currently examining to what extent we can support
a centralized information sharing solution for provider enrollment
across programs and across States.
Comment: Several commenters responded that the proposed regulation
would be burdensome on both States and providers, requiring providers
who do not normally work with the Medicaid program and new groups of
providers to enroll. One commenter suggested that rather than being
required to enroll with the Medicaid program, providers be permitted to
use the NPI as evidence of successful Medicare screening and
enrollment.
Response: We are sensitive to the additional burden that obtaining
an NPI will pose, however, inclusion of the NPI on all Medicaid claims
is a statutory requirement. The commenter suggested that providers
enroll with Medicare and use the NPI as evidence of successful
screening and enrollment. Providers should be aware that the NPI is not
evidence of successful Medicare screening and enrollment, but providers
who are actually enrolled in Medicare will not have to be screened
again by the States to be enrolled in the Medicaid programs. The States
may implement a streamlined enrollment process for those providers who
only order or refer, that is, who do not bill for services, similar to
the CMS-855-O process in the Medicare program.
Comment: One commenter described a scenario of a salaried hospital
physician who was not enrolled by the State Medicaid agency, but the
hospital that employed the physician was an enrolled, participating
Medicaid provider. The commenter questioned whether the referral rule
applied to the physician.
Response: Yes, the salaried hospital physician must enroll with the
State Medicaid agency to order or refer for Medicaid beneficiaries.
Comment: A commenter sought clarification whether the order or
referral rule applied when an order or referral was made prior to the
Medicaid beneficiary being eligible for Medicaid.
Response: No, if the order or referral was made before the
beneficiary was Medicaid eligible, then the beneficiary may have the
order filled or the referral fulfilled and the claim for the order or
referral will be paid.
Comment: A commenter asked whether the ordering and referring rule
applied to Medicare crossover claims.
Response: Yes, the beneficiary's claims would be Medicaid claims,
therefore the provider who ordered or referred the Medicaid
beneficiary's services would be required to be enrolled as a Medicaid
participating provider.
Comment: One commenter requested clarification on whether CMS will
be changing claims forms to accommodate the collection of information
regarding ordering and referring providers.
Response: To the extent it is necessary for the State Medicaid
agencies to make changes to their claim forms to accommodate the new
requirement regarding ordering and referring providers, and then the
States should make those changes.
Comment: Several commenters sought clarification on whether the
terms ``ordering and referring physicians or other professionals''
included prescribing providers.
Response: We interpret the statutory terms ``ordering'' and
``referring'' to include prescribing (either drugs or other covered
items) or sending a beneficiary's specimens to a laboratory for testing
or referring a beneficiary to another provider or facility for covered
services.
Comment: Some of the commenters sought clarification on the
definition of the term ``other professional.'' For example, does it
include rendering providers, non-professional providers, or providers
in waiver programs?
Response: Under Sec. 455.410(b) and section 1902(kk) of the Act,
the phrase ``ordering and referring physicians and other
professionals'' does not include rendering providers, as these
authorities impose a new enrollment requirement with respect to
physicians and other professionals that order or refer items or
services for Medicaid beneficiaries. Other professionals include any
person or entity recognized to be enrolled by a State Medicaid agency,
and that may order or refer. Of course, to be able to submit a claim to
a State Medicaid agency, for services rendered or items supplied to a
Medicaid beneficiary, a provider must be enrolled as a participating
provider with that State Medicaid agency.
Comment: One commenter sought clarification whether the requirement
for all ordering and referring physicians or other professionals to be
enrolled with the Medicaid agency as participating providers applied to
IHS providers.
Response: IHS providers are required to comply with Sec.
455.410(b). However,

[[Page 5906]]

as a way to minimize the administrative burden of enrolling additional
providers, State Medicaid agencies may implement a streamlined
enrollment process for those providers who only order or refer, that is
who do not bill for services, similar to the CMS-855-O process in the
Medicare program.
Comment: A commenter questioned whether a provider that has
enrolled as a participating provider to comply with Sec. 455.410(b)
must submit fee-for-service claims to the Medicaid agency, or is the
provider's status as an enrolled provider sufficient for compliance.
Response: Under Sec. 455.410(b), a physician or other professional
need not submit fee-for-service claims to the State Medicaid agency to
remain enrolled as a Medicaid provider.
Comment: With respect to Sec. 455.440, one State asked whether the
provider's NPI must be on each and every claim or whether it is
sufficient for the provider's NPI to be on file with the State Medicaid
agency, and whether the prescribing provider's NPI would be required on
pharmacy claims.
Response: Under Sec. 455.440, ``all claims for payment for items
and services that were ordered or referred'' must contain the NPI. This
is based upon the statutory requirement in section 1902(kk)(7)(B) of
the Act that States require the NPI ``of any ordering and referring
physician or other professional to be specified on any claim for
payment that is based upon an order or referral of the physician or
other professional.'' Therefore, the provider's NPI must be on every
claim, including pharmacy claims; it is not sufficient for the
provider's NPI to be on file.
g. Other State Screening--Medicaid and CHIP
Section 1902(kk)(8) of the Act establishes that States are not
limited in their abilities to engage in provider screening beyond those
required by the Secretary. Accordingly, in Sec. 455.452, we proposed
that States may utilize additional screening methods, in accordance
with their approved State plan.
As stated previously, pursuant to section 2107(e)(1) of the Act and
specified in our regulations in Part 457, all provisions that apply to
Medicaid under sections 1902(a)(77) and 1902(kk) of the Act apply to
CHIP. Because we proposed a new regulation under which all provider
screening requirements that apply to Medicaid providers will apply to
providers that participate in CHIP, this requirement for other State
screening under Sec. 455.452 applies in CHIP.
h. Final Screening Provisions--Medicaid and CHIP
We are adopting the Medicaid and CHIP provider screening
requirements as proposed with the following modifications:
We clarified Sec. 455.104(b)(1) regarding the elements of
corporate addresses.
We clarified Sec. 455.104(b)(2) with regard to whom the
spouse, parent, child, or sibling is related.
We clarified Sec. 455.104(b)(4) to require managing
employees to provide SSNs and DOBs.
We clarified Sec. 455.104(c)(1), and Sec.
455.104(c)(1)(i) and (ii) to include submission of disclosures from
disclosing entities as well as providers.
We clarified Sec. 455.104(c)(1)(iii) to require
submission of disclosures upon the request of the Medicaid agency
during the revalidation of enrollment process.
We are adopting Sec. 455.450 with modifications, having
clarified that the State agency must screen applications both in re-
enrollment and re-validation of enrollment in the introductory
paragraph; deleted the reference to publicly traded companies in Sec.
455.450(a); deleted reference to persons with controlling interests,
agents and managing employees who are required to provide fingerprints
in Sec. 455.450(d); and clarified the basis for adjusting a screening
level related to moratoria Sec. 455.450(e)(2).
At Sec. 455.414 we clarified that States must revalidate
the enrollment information of all providers at least every 5 years.
We are adopting Sec. 455.416 with modifications
clarifying terminations of persons with 5 percent of more direct or
indirect ownership interests in the provider; and deleting reference to
persons with controlling interests, agents and managing employees under
bases for termination for failure to provide fingerprints.
We clarified Sec. 455.434 to require criminal background
checks from providers or persons with a five percent or more direct or
indirect ownership interest in the provider who meet the State Medicaid
agency's criteria as a high risk to the Medicaid program; and to
require fingerprints from providers and person with a five percent or
more direct or indirect ownership interest in the provider, upon the
State Medicaid agency's or CMS' request.
We are not finalizing the proposed provision that States
deactivate the enrollment of any provider that has not billed for 12
months.
And finally, we are not finalizing the proposed
requirement at Sec. 438.6(c)(5)(vi) that required all ordering and
referring Medicaid Managed Care network providers to be enrolled as
participating providers based on commenters' concerns regarding access
to services for beneficiaries.
5. Solicitation of Additional Comments Regarding the Implementation of
the Fingerprinting Requirements
While this final rule with comment period is effective on the date
indicated herein, we strongly believe that certain issues warrant
further discussion. Accordingly, we will continue to seek comment
limited to our implementation of the fingerprinting provisions
contained in Sec. 424.518 and Sec. 455.434 of this rule.
Specifically, we seek comment on methods that we can use to ensure
the privacy and confidentiality of the records that will be generated
pursuant to adopting the criminal history records check provisions
specified herein. As described, we will adopt all protocols issued by
the FBI. However, we are interested in any other privacy concerns that
interested parties may have in addition to thoughts on how best to
address these concerns.
In addition, we seek comment on the means by which we can measure
the effectiveness of our adoption of criminal history records checks.
That is, we are seeking comments on tangible, measureable methods we
should use to demonstrate the effectiveness of these provisions.
In addition, we seek comment on whether we should adopt additional
technology to identify providers and suppliers that are enrolling in
the program. In the proposed rule, we solicited specific comments on
this topic. However, we are interested in receiving additional input
from providers, suppliers, and other interested parties in light of the
provisions set forth in this final rule with comment period.
As noted, we are only seeking comment on the limited areas
previously described. We will accept public comment for 60 days
following publication of this final rule with comment period. To
reiterate, we are finalizing the requirement that providers and
suppliers will be subject to criminal history records checks in the
event they are considered within the ``high'' level of risk as
described in this rule. Providers and suppliers, and all other
commenters, are encouraged to submit comments within the 60-day window
to assist us in best implementing the requirements that we are
finalizing surrounding this

[[Page 5907]]

technology. We are interested in hearing input from all stakeholders,
including the beneficiary advocacy community, law enforcement,
providers, and suppliers that are subject to the requirements set forth
in this final rule with comment period, and any other interested
parties.

B. Application Fee--Medicare, Medicaid, and CHIP

1. Statutory Changes
Section 6401(a) of the ACA, as amended by section 10603 of the ACA,
amended section 1866(j) of the Act and requires the Secretary of DHHS
to impose a fee on each ``institutional provider of medical or other
items or services or supplier.'' The fee would be used by the Secretary
to cover the cost of screening and to carry out screening and other
program integrity efforts, including those under section 1866(j) and
section 1128J of the Act. Since section 10603 of the ACA excludes
eligible professionals, such as physicians and nurse practitioners,
from paying an enrollment application fee, we maintain that an
``institutional provider'' would be any provider or supplier that
submits a paper Medicare enrollment application using the CMS-855A,
CMS-855B (not including physician and non-physician practitioner
organizations), CMS-855S or associated Internet-based PECOS enrollment
application.
Section 1866(j)(2)(D)(i) of the Act states that the new screening
procedures implemented pursuant to section 6401 of the ACA would be
applicable to newly enrolling providers, suppliers, and eligible
professionals who are not enrolled in Medicare, Medicaid, or CHIP by
March 25, 2011. Accordingly, the enrollment application fees for newly
enrolling institutional providers and suppliers would be applicable on
that date as well.
Section 1866(j)(2)(D)(ii) of the Act states that the new screening
procedures will apply to currently enrolled Medicare, Medicaid, and
CHIP providers, suppliers, and eligible professionals beginning on
March 23, 2012. However, because the new procedures are applicable
beginning on March 25, 2011 for those providers, suppliers, (and
eligible professionals) currently enrolled in Medicare, Medicaid, and
CHIP that revalidate their enrollment information, we will begin
collecting the application fee for those revalidating entities for all
revalidation activities beginning after March 25, 2011.
Section 1866(j)(2)(C)(ii) of the Act permits the Secretary, acting
through CMS, to, on a case-by-case basis, exempt a provider or supplier
from the imposition of an application fee if CMS determines that the
imposition of the enrollment application fee would result in a
hardship. It also permits the Secretary to waive the enrollment
application fee for Medicaid providers for whom the State demonstrates
that imposition of the fee would impede Medicaid beneficiaries' access
to care.
Section 1866(j)(2)(C)(i)(I) of the Act establishes a $500
application fee for providers and suppliers in 2010. For 2011 and each
subsequent year, the amount of the fee would be the amount for the
preceding year, adjusted by the percentage change in the consumer price
index for all urban consumers (all items; United States city average),
(CPI-U) for the 12-month period ending with June of the previous year.
To ease the administration of the fee, if the adjustment sets the fee
at an uneven dollar amount, we will round the fee to the nearest whole
dollar amount.
2. Proposed Application Fee Provisions
In Sec. 424.502, we also proposed to establish a definition for an
``institutional provider'' as it relates to the submission of an
application fee. We proposed that an ``institutional provider'' means
any provider or supplier that submits a paper Medicare enrollment
application using the CMS-855A, CMS-855B (but not physician and
nonphysician practitioner organizations), or CMS-855S or associated
Internet-based PECOS enrollment application.
For purposes of Medicare, Medicaid, and CHIP, we interpret the
statutory reference to ``institutional provider[s] of medical or other
items or services or supplier'' to include, but not be limited to: The
range of ambulance service suppliers; ASCs; CMHCs; CORFs; DMEPOS
suppliers; ESRD facilities; FQHCs; histocompatibility laboratories;
HHAs; hospices; hospitals, including but not limited to acute inpatient
facilities, inpatient psychiatric facilities (IPFs), inpatient
rehabilitation facilities (IRFs), and physician-owned specialty
hospitals; CAHs; independent clinical laboratories; IDTFs; mammography
centers; mass immunizers (roster billers); OPOs; outpatient physical
therapy/occupational therapy/speech pathology services, portable x-ray
suppliers; SNFs; radiation therapy centers; RNHCIs; and RHCs.
In addition to the providers and suppliers listed previously, for
purposes of Medicaid and CHIP, we proposed that a State may impose the
application fee on any institutional entity that bills the State
Medicaid program or CHIP on a fee-for-service basis, such as: Personal
care agencies, non-emergency transportation providers, and residential
treatment centers, in accordance with the approved Medicaid or CHIP
State plan.
We proposed that an application fee will not be required from an
eligible professional who reassigns Medicare benefits to another
individual or organization, since it would not create a new enrollment
of an institutional provider or supplier that would result in an
application fee. In addition, we proposed that in no case would the
application fee be required from any individual physician or Part B
medical group/clinic.
We proposed that an application fee will be required with the
submission of an initial enrollment application, the application to
establish a new practice location, as a part of revalidation, or in
response to a CMS revalidation request.
We proposed that prospective institutional providers and suppliers
as well as currently enrolled providers who are revalidating their
enrollment in Medicare must submit the applicable application fee or
submit a request for a hardship exception to the application fee at the
time of filing a Medicare enrollment application on or after March 25,
2011 in the case of prospective providers or suppliers, and in the case
of revalidations. We believe that it is essential that we are able to
receive and deposit the application fee or consider the institutional
provider's request for a hardship exception prior to initiating an
application review. Therefore, we would not begin processing an
application for either a new provider or supplier, or for a provider or
supplier that is currently enrolled, until the enrollment application
fee is received and is credited to the United States Treasury.
The fee would accompany the certification statement that the
provider or supplier signs, dates, and mails to CMS via the appropriate
Medicare contractor if the provider or supplier uses Internet-based
PECOS to enroll or revalidate. The fee would accompany the paper CMS-
855 provider enrollment application if the provider or supplier enrolls
or revalidates by paper. Because the statutory provisions are effective
for newly enrolling providers and suppliers effective March 25, 2011
institutional providers and suppliers will not be required to furnish
the application fee with applications submitted before that date.
However, because the ACA provides that the new procedures will be
applicable beginning on March 25, 2011 for those providers and
suppliers, (and eligible professionals) currently

[[Page 5908]]

enrolled in Medicare, Medicaid, and CHIP that revalidate their
enrollment information, we will begin collecting the application fee
for those revalidating entities for all revalidation activities
beginning after March 25, 2011. We will not collect the fee from
individual physicians and eligible professionals.
We proposed that CMS reject and return to the provider or supplier
an initial enrollment application submitted by a provider or supplier,
without further review as to whether the provider or supplier qualifies
to enroll in the Medicare program, when the Medicare enrollment
application or the Certification Statement is received by the Medicare
contractor and the provider or supplier did not include a request for
hardship exception to the application fee, did not include the
application fee or the appropriate number of application fees, if
applicable. We do not believe that it is appropriate for CMS to begin
the application review process without first having received the
application fee.
We proposed that the CMS reject any initial enrollment applications
submitted after March 23, 2011, if a provider or a supplier did not
furnish the application fee at the time of filing, using Sec.
424.525(a)(3) as the legal basis for the rejection.
In Sec. 424.525(a)(3), we proposed adding a new reason why CMS
could reject an initial enrollment application or an application to
establish a new practice location. Specifically, we proposed a new
Sec. 424.525(a)(3) to state, ``The prospective institutional provider
or supplier does not submit an application fee in the appropriate
amount or a hardship exception request with the Medicare enrollment
application at the time of filing.''
We also believe CMS should be allowed to reject an initial
enrollment application received from a provider or supplier on or after
March 25, 2011, using Sec. 424.525(a)(1) as the legal basis, if, for
any reason, CMS is not able to deposit the full application amount into
a government-owned account or the funds are not able to be credited to
the U.S. Treasury. In the case where a provider or supplier did not
submit the application fee because they requested a hardship exception
that is not granted, a provider or supplier has 30 days from the date
on which the contractor sends notice of the rejection of the hardship
exception request to send in the required application fee and
application forms.
In Sec. 424.535, we proposed adding a new reason why a CMS can
revoke Medicare billing privileges. Specifically, we proposed a new
Sec. 424.535(a)(6)(i) to state that billing privileges may be revoked
if ``An institutional provider does not submit an application fee or
hardship exception request that meets the requirements set forth in
Sec. 424.514 with the Medicare revalidation application or the
hardship exception is not granted.''
In addition, in Sec. 424.535, we proposed a new Sec.
424.535(a)(6)(ii) to state that billing privileges shall be revoked if
``CMS is not able to: deposit the full application amount into a
government-owned account or the funds are not able to be credited to
the U.S. Treasury.''
In Sec. 424.514(b), we proposed that currently enrolled
institutional providers and suppliers that are subject to CMS
revalidation efforts must submit the applicable application fee or
submit a request for a hardship exception to the application fee at the
time of filing a Medicare enrollment application on or after March 23,
2011.
In Sec. 424.514(d)(2)(iii), we proposed that institutional
providers submit the application fee with each initial application,
application to establish a new practice location, or with the
submission of an application in response to a CMS revalidation request.
In Sec. 424.514(d)(2), we proposed that the application fee be
based on the amount calculated by CMS using the CPI-U for the 12-month
period ending June 30 of the previous year and adjusted annually to be
effective January 1st of the following year. In Sec. 424.514(d)(2)(v),
we proposed that the application fee be non-refundable. Neither the
Federal government, its Medicare contractors, State Medicaid agencies
or CHIP should be liable for reimbursement of the application fee to
the provider or supplier if the application fee has been received by
the Medicare contractor and deposited into a government-owned account
and, later, during the course of verifying, validating, and processing
the information in the enrollment application, CMS appropriately denies
the enrollment application. Appropriate denial requires a substantive
reason and applications will not be denied over inconsequential errors
or omissions or over errors or omissions corrected timely.
In Sec. 424.514(d)(4)(vi), we proposed that a provider or supplier
must submit a new application fee if the provider or supplier resubmits
a Medicare enrollment application because a previously submitted
enrollment application was appropriately denied or rejected. In some
cases, a rejected application would be returned to the provider or
supplier along with the application fee; in other cases, the
application would be denied and the application fee retained by the
Federal government because the processing of the application would have
already begun. In those latter cases, CMS funds would have been
expended for some or all of the required screening involved in
processing the application. For example, if a home health agency
enrollment application is rejected because the enrollment application,
or the certification statement generated by Internet-based PECOS, was
not signed, the enrollment application would be rejected and it and the
check for the application fee would both be returned to the home health
agency. If a home health agency enrollment application is denied based
on non-compliance with a provider enrollment requirement or because the
HHA did not meet the conditions of participation for its provider type,
the enrollment would be denied and the application fee would be
retained by the Federal government. If the HHA wishes to send a new
enrollment application, it would have to include another application
fee with that new enrollment application. Similarly, we propose that a
provider or supplier would be required to submit to the Medicare
contractor a new application fee with a subsequent enrollment
application if, among other things, the previous enrollment application
was rejected because the provider or supplier did not timely furnish
the Medicare contractor with the applicable supporting documentation or
information necessary to complete its review and verification of the
previous enrollment application.
In Sec. 424.514(d)(6)(vii), we proposed that the application fee
must be able to be deposited into a government-owned account before an
enrollment application will be approved.
Because we proposed that a State may rely on the results of the
screening conducted by the Medicare contractor to meet the screening
requirements for participation in a State Medicaid program or CHIP, we
proposed that, for dually participating providers, the application fee
would be imposed at the time of the Medicare enrollment application,
consistent with the procedures described previously. Additionally,
because the purpose of the application fee is to, in part, cover the
costs of conducting the provider and supplier screening activities, we
proposed that a provider or supplier enrolled in more than one program
(that is, Medicare and Medicaid or CHIP, or all three programs) would
only be subject to the application fee under Medicare and that the fee
would cover

[[Page 5909]]

screening activities for enrollment in all programs.
Section 1866(j)(2)(C)(iii) of the Act also permits the Secretary to
grant, on a case-by-case basis, exceptions to the application fee for
institutional providers and suppliers enrolled in the Medicare and
Medicaid programs and CHIP if the Secretary determines that imposition
of the fee would result in a hardship. One instance that might support
a request for hardship exception is in the event of a national public
health emergency where a provider or supplier is enrolling for purposes
of furnishing services required as a result of the national public
health emergency situation. Such requests will be considered on a case-
by-case basis, as required by the statute. In addition, we solicited
comments on the appropriate objective criteria that should be used in
making a hardship determination and if there are any other
circumstances in which such exemptions should be allowed. We also
solicited comment on the kinds of documents to be submitted to CMS or
its contractor to exhibit hardship, including any comments on the
financial or legal records that might be needed to make a determination
of hardship. Section 1866(j)(2)(C)(iii) of the Act also permits the
Secretary to waive the application fee for providers enrolled in a
State Medicaid program for whom the State demonstrates that imposition
of the fee would impede beneficiary access to care. We solicited
comments on how waivers from the application fee should be implemented
for Medicaid-only or dually-participating Medicare and Medicaid
providers and suppliers specifically those seeking to furnish services
where beneficiary access issues are prevalent, either geographically or
in the provision of the services.
We are committed to assuring access to care for program
beneficiaries. We are in the process of developing promising practices
related to ensuring access in the Medicaid program and CHIP. We also
solicited comments on the appropriate criteria that we should consider
for purposes of the proposed fee. We were particularly interested in
hearing from States, providers, advocates, and other stakeholders
relating to concrete examples based on experiences in using specific
access criteria.
Based on the statutory requirements for calculating the application
fee, we offer the following example for purely illustrative purposes.
The initial application fee beginning in 2010 is established by law at
$500. However, for the following year, when the annual Consumer Price
Index (CPI-U) is calculated for the period ending June 2010, we would
recalculate the application fee using the CPI-U. Thus, if the CPI
increased by 2.34 percent for the 12 month period ending June 2010, the
application fee would be calculated by multiplying the fee for the year
by the CPI-U. The $500 application fee established by law on in 2010
would be multiplied by 1.0234 to give $511.70. We would then round to
the nearest dollar amount of $512.00. This would be the amount of the
fee in effect for 2011, and would apply to applications received after
the effective date of the statute--March 25, 2011 for newly enrolling
providers and suppliers and for revalidating providers and suppliers. A
similar process, based on the CPI-U for the period of July 1, 2010
through June 30, 2011 would be used to calculate the fee that would
become effective on January 1, 2012, and that would apply to new and
currently enrolled providers or suppliers that submit applications on
or after March 23, 2012. In Sec. 424.514(d)(2), we proposed that the
annually recalculated application fee amount would be effective for the
calendar year during which the application for enrollment is being
submitted.
The amount of the application fee that is required of enrolling
providers or suppliers, would be the amount that is in effect on the
day the provider or supplier mails an enrollment application or
Certification Statement, postmarked by the USPS, or if mailed though a
private mail service the date of receipt by the Medicare contractor.
Because the application fee will become an integral part of the
enrollment process, we believe that it is essential that we notify
State Medicaid Agencies and the public about any changes in the
application fee prior to implementing a change in the fee. Accordingly,
we would afford States and the public with at least 30 days' notice of
any impending change in the application fee. We will make such
notification annually in the Federal Register and by issuing guidance
to the State Medicaid and CHIP Directors, issuing CMS provider and
supplier listserv messages, making announcements at CMS Open Door
Forums, and placing information on the CMS Provider/Supplier Enrollment
Web page (http://www.cms.gov/MedicareProviderSupEnroll).
We proposed that a provider or supplier that believes it is
entitled to a hardship exception from the application fee enclose a
letter with the enrollment application or, if using Internet-based
PECOS, with the Certification Statement, explaining the nature of the
hardship. Further, we proposed that we would not begin to process an
enrollment application submitted with a letter requesting a hardship
exception from the application fee until it makes a decision on whether
to grant the exception. Further, we proposed that we a make hardship
exception determination within 60 days from receipt of the request from
an institutional provider and CMS contractor notify the applicant or
enrolled institutional provider or supplier by letter approving or
denying the request for a hardship exception. Moreover, if we deny the
request for hardship exception, we would provide our reason(s) for
denying the hardship exception.
In Sec. 424.530(a)(9), we proposed adding a new reason why CMS can
deny Medicare billing privileges. Specifically, we proposed a new Sec.
424.530(a)(9) to state, ``An institutional provider's or suppliers
``hardship exception'' request is not granted and the provider or
supplier does not submit the application fee within 30 days of
notification that the hardship exception request was not approved.''
In Sec. 424.535(a)(6)(i), we proposed adding a new reason why CMS
can revoke Medicare billing privileges. Specifically, we proposed a new
Sec. 424.535(a)(6)(i) to state, ``An institutional provider does not
submit an application fee or ``hardship exception'' request that meets
the requirements set forth in Sec. 424.514 with the Medicare
revalidation application or the hardship exception request is not
granted and the institutional provider does not submit the applicable
application form or the application fee within 30 days of being
notified that the hardship exception request was denied.''
We also proposed that an institutional provider may appeal the
determination not to grant a hardship exception from the application
fee using the provider enrollment appeals process established in Sec.
405.874 and found in 1866(j)(2) of the Act.
In Sec. 455.460, we proposed that, for those providers who do not
participate in Medicare, the State may collect the fee established by
the Secretary as outlined previously as the State will be responsible
for conducting the provider screening activities for these providers.
Total fees collected will be used to offset the cost of the Medicaid
and CHIP screening programs. The fees represent an applicable credit
under OMB Circular A-87, entitled ``Cost Principles for State, Local,
and Indian Tribal Governments'' (August 31, 2005 (70 FR 51910)),
codified at 2 CFR part 225, and made applicable to States by 45 CFR

[[Page 5910]]

92.22(b). The cost principles require that the costs a State claims
must be reduced by ``applicable credits,'' or ``those receipts or
reduction of expenditure-type transactions that offset or reduce
expense items allocable to Federal awards as direct or indirect
costs'', (Paragraphs C.1.i., C.4.a. and D.1. of Appendix A to 2 CFR
part 225). If the fees collected by a State agency exceed the cost of
the screening program, the State agency must return that portion of the
fees to the Federal government. CMS will direct these fees to support
program integrity efforts as permitted by the ACA.
3. Analysis of and Responses to Public Comments
Below is a summary of the comments we received regarding the
proposed enrollment application fee.
Comment: Through section 6401 of the ACA, CMS is authorized to
collect and retain an application fee. Some commenters stated that CMS
did not explain or justify the purpose behind the enrollment
application fee, for enrolled providers of service and suppliers,
beyond stating that the Congress mandated it. The commenters urged CMS
to explain whether the revalidation/enrollment fee is meant to ensure
compliance with a provider's or supplier's reporting responsibilities
or to collect monies for the Federal Government.
Response: The ACA authorizes the collection of an application fee
to cover costs of screening, including screening required for providers
and suppliers that are revalidating their enrollment. The ACA specifies
that the fees are to be collected from institutional providers and are
to be used for program integrity efforts, including the costs of
screening.
Comment: Several commenters questioned whether CMS has the
statutory authority to exempt medical clinics and group practices from
the application fee. They contended that while section 10603 of the ACA
strikes the provision found in section 6401 of the ACA relating to
individual provider application fees, section 10603 of the ACA does not
establish a waiver for organizational suppliers, such as groups or
clinics. They also stated that CMS furnished only a limited discussion
of why it decided to give medical groups and clinics an application fee
waiver. They stated that CMS should explain why it is giving medical
groups and clinics a significant financial benefit by excluding them
from the application fee. Another commenter stated that if CMS retains
its policy to exempt medical groups and clinics from the application
fee, CMS should estimate the annual loss in revenue to the Federal
government and explain what this will mean to CMS' efforts to fight
fraud, waste and abuse. Another commenter stated that if CMS retains
this provision, it should exclude the reference to physician and non-
physician practitioner organizations in the proposed definition of
institutional provider.
Response: Section 6401(a) of the ACA that adds section 1866(j)(2)
of the Act specifically excluded physicians from paying the application
fee. Physicians and non-physician practitioners in medical groups and
clinics reassign their Medicare billing privileges to those medical
group and clinics. As such they would be exempt from the fees.
Comment: One commenter asked if a small group practice would be
considered institutional, and whether every practice location would
need to submit a separate application fee.
Response: We will clarify that the application fee is not
applicable to physicians and non-physician practitioners, regardless if
the physician or non-physician practitioner is organized in a small
group practice.
Comment: A commenter urged CMS to consider exceptions to the
required application fee, which, the commenter stated, could impose a
hardship on small home and community based service providers.
Response: We are committed to ensuring access to care and services
for beneficiaries and will clarify that a State, in consultation with
the Secretary, may waive the application fee for Medicaid-only or CHIP-
only providers if the State demonstrates that imposition of such a fee
will impede beneficiary access to care.
Comment: A commenter suggested that CMS develop and issue a
standard enrollment fee ``hardship exception form'' that a provider can
use when requesting an exception to the fee.
Response: Whereas a standard form might be useful, there could be
many situations that justify exception from the fee. We do not want to
limit the basis for fee exceptions for providers and suppliers to a
pre-established list of circumstances. Accordingly we have not listed
options for providers and suppliers to request hardship exceptions from
application fees. As indicated in the preamble to the proposed rule,
each request will be considered on its own merit on a case-by-case
basis.
Comment: A commenter suggested that to avoid processing delays
associated with depositing the application fee into a government-owned
account, CMS should allow newly-enrolling Medicare, Medicaid and CHIP
providers to submit the application fee in advance of submitting a new
enrollment application.
Response: We disagree with the commenter's suggestion. We think
payments should be clearly associated with the CMS-855 application
form. We believe that payments submitted before the CMS-855 could have
a greater likelihood of being disassociated with the appropriate CMS-
855.
Comment: One commenter stated that since the application fee must
be credited to the United States Treasury, CMS should explain how long
it will take before the application fee is paid by a provider or
supplier and when CMS will receive this money to fight fraud, waste and
abuse.
Response: The Treasury Department has existing regulations in place
governing the time frame in which received funds must be deposited and
made available in the U.S. Treasury. We will be working with the Office
of Management and Budget and Department of HHS budget officials to
assure that the full amount collected from application fees will accrue
to CMS for HHS's program integrity work as required by section
1866(j)(2)(C)(iii) of the Act.
Comment: A commenter requested that CMS explain why an application
fee is required by a Competitive Acquisition Program (CAP) Part B Drug
Vendor, since this entity does not bill the Medicare program.
Response: Only institutional providers, as defined in the proposed
rule, are subject to the application fee. Providers and suppliers that
do not bill Medicare on a fee-for-service basis are not subject to the
application fee.
Comment: A commenter stated that in exempting medical groups/
clinics from the application fee, CMS does not distinguish between
clinics owned by physicians/practitioners and non-physicians/non-
practitioners.
Response: We did not distinguish between medical groups/clinics on
the basis of ownership. Medical groups and clinics are exempt from the
fee because as noted previously, they are paid through reassignment of
payments from physicians and non-physician practitioners. Physicians,
non-physician practitioners and other individual practitioners are not
subject to the fee by statute.
Comment: A commenter stated that FQHCs should be exempted from the
application fees for two reasons. First, FQHCs, unlike other providers,
are not permitted to submit one Medicare enrollment application for all
sites, and that consequently, these low-risk entities would pay the
majority of the

[[Page 5911]]

application fees. Second, a significant portion of an FQHC's budget
includes section 330 grant funds. These funds are primarily intended
for the care of uninsured and indigent patients. The application fees
would take a significant portion of those funds away from the neediest
individuals.
Response: While we understand the commenter's concerns, the statute
did not exempt FQHCs from the application fee requirement. However,
FQHCs can request a hardship exception to the fee.
Comment: A commenter recommended that CMS update the CMS-855A, CMS-
855B, and CMS-855S forms to add information about the application fee,
including the basis for this fee, the amount of the fee, and where the
fee should be mailed.
Response: We agree that providers and suppliers need additional
information about the process for submitting the application fee, its
basis and intended use. We plan to have such materials available by the
effective date of the final regulation. We will make these materials
available through our Web site, listservs, open door forums, and other
communication methods. We will also share these documents with
professional and provider and supplier associations in an effort to
provide additional information.
Comment: A commenter noted that section 1866(j)(2)(D)(ii) of the
Act states that the application fee would not apply to current
providers or suppliers until two years after enactment. However, the
commenter argued, CMS was silent on this statutory provision in the
proposed rule. The commenter recommended that CMS explain why section
1866(j)(2)(D)(ii) of the Act does not apply to current providers and
suppliers and why CMS has decided to apply the provisions in section
1866(j)(2)(D)(iii) of the Act instead.
Response: Section 1866(j)(2)(D) of the Act contains conflicting
effective dates for currently enrolled providers and suppliers. In
1866(j)(2)(D)(iii), providers and suppliers that are revalidating are
subject to the fee and the other provisions of the proposed rule 180
days after enactment, or September 19, 2010. In section
1866(j)(2)(D)(ii) of the Act the new screening provisions including the
fee are effective for currently enrolled providers and suppliers on
March 23, 2012. For newly enrolling providers and suppliers the
provisions are effective on March 25, 2011. We recognize the
conflicting effective dates for the same group of currently enrolled
providers and suppliers. As a result, in an effort to promote
consistency in the application of the rule, we proposed two effective
dates for the provisions of the rule for currently enrolled providers
and suppliers. On March 25, 2011, the fees and other requirements of
the regulation are applicable for currently enrolled providers that are
revalidating their enrollment in the period between March 25, 2011 and
March 23, 2012. For all other currently enrolled providers and
suppliers, the fees and other provisions of the proposed rule are
effective on March 23, 2012, as specified in the statute. The statute
authorizes us to begin collecting fees from providers and suppliers
that are revalidating as early as September 23, 2010.
Comment: A commenter recommended that--consistent with section
10603 of the ACA-CMS establish an application fee exemption for
physicians who are sole proprietorships or sole owners and who provide
DMEPOS ``incident to'' their medical service.
Response: Physicians who are enrolled in Medicare as physicians are
exempt from the fee. DMEPOS suppliers, whether owned by physicians or
otherwise, are institutional suppliers and as such, are subject to the
application fee.
Comment: Several commenters urged an exception from the enrollment
fee for: (1) Existing providers, or (2) new providers in under-served
areas. A commenter added, however, that such exceptions should be
limited to nonprofit and governmental entities with low overall
margins. The commenter also stated that CMS should allow enrollment fee
exceptions: (1) For existing providers when it is clearly equitable and
in the public's interest--since to do otherwise simply transfers
limited resources needed for patient care to the enrollment process and
constitutes a tax on an otherwise nontaxable entity--and (2) for any
new nonprofit or public provider that is proposing to establish
services in an underserved area. The commenter did not believe that
for-profit providers should qualify for fee waivers because their
business model is based on their capacity to generate sufficient
capital to start a business and operate profitably.
Response: We recognize that the application fees are a new
financial obligation on nonprofit and public providers and suppliers;
however, the statute provides no blanket exception for providers and
suppliers by financial status. However, the law and rule contain
provisions that would allow institutional providers and suppliers to
apply for hardship exception to the fees for circumstances that are
appropriate to their respective situations. We encourage any provider
or supplier that cannot pay the fee to notify us and provide us with
justification for the exception.
Comment: A commenter stated that the application fee should be
waived for providers that routinely update their Medicare enrollment
information more than once in a five-year period (3 years for DMEPOS).
Response: While we do not discourage providers and suppliers from
submitting revalidation applications more frequently than the
regulatory-prescribed timeframes, we do not believe that the fee should
be waived for providers that do so. As stated in the preamble, the
application fee is to be used by the Secretary to cover the cost of
screening. If the provider or supplier submits a revalidation
application on its own volition, we believe it is appropriate to
require a fee that would cover the cost of processing that application.
Comment: A commenter, expressing concern about the time it can take
for Medicare contractors to process applications, recommended that
payment of the enrollment fee be tied to a corresponding obligation of
the Medicare contractor to complete the enrollment process within a
specified period of time. Specifically, the commenter requested that
CMS create a hardship category that would permit an enrollment fee to
be refunded to the provider or supplier if the Medicare contractor
fails to process the application within a specified period of time (for
example, 30 days from the date a completed enrollment is received by
the Medicare contractor). The commenter stated that such a policy would
create the proper incentive for Medicare contractors to process these
applications in a timely fashion. Other commenters, too, stated that
the fee should be refunded if the Medicare contractor does not process
the application in a timely manner.
Response: We are concerned about any delay in processing enrollment
applications. Our enrollment contractors have clear standards in their
contracts regarding processing enrollment applications. In fact, we are
currently in the process of strengthening such performance standards
for all of our contractors. However, the ACA provides that a provider
may be exempted from the fee only when the imposition of the fee itself
would result in a hardship. We do not interpret the ACA as linking the
application fee to contractor performance standards.
Comment: One commenter stated that it appears that physicians who
also enroll as DMEPOS suppliers so they can furnish DMEPOS to their own
patients

[[Page 5912]]

would be expected to pay an enrollment fee. The commenter believes that
this would be inconsistent with the congressional decision to exempt
physicians and other health professionals from the enrollment fee. It
might also cause some physicians and other health professionals to
decide against enrolling as DMEPOS suppliers, thus they would no longer
be in a position to provide their patients with Medicare-covered
DMEPOS. The commenter also stated that CMS should modify its enrollment
procedures so that physicians who also wish to provide DMEPOS to their
own patients would only need to enroll once, not twice. This approach
would simplify the enrollment process for both physicians and CMS.
Response: Physicians that supply DMEPOS services to patients are
currently required to enroll as both a physician (for medical services)
and as a DMEPOS supplier. The screening required of any DMEPOS
supplier, even one that is incident to a physician's practice, is more
resource intensive than screening for physicians. Accordingly, we think
applying the fee to all DMEPOS suppliers is justified. Moreover, we
think it is a necessary component of our efforts to assure overall
benefit integrity in Medicare to have all DMEPOS suppliers meet the
supplier standards for DMEPOS suppliers. Accordingly, we have no plans
to change the requirements as suggested by the commenter. We note in
addition that a decision to make any such changes would be outside the
scope of this rule.
Comment: A commenter asked why CMS is proposing to exempt a
physician or non-physician practitioner organizations from the
application fee when they submit a CMS-855B application, but the same
physician or non-physician practitioner organization would be required
to pay an application fee if they enrolled using the CMS-855S.
Response: The ACA specifically excluded physicians and nonphysician
practitioners from paying the application fee. Physicians or non-
physician practitioner organizations that elect to apply to enroll in
Medicare as an institution or other entity, for example, submitting an
CMS-855S to enroll as a DMEPOS supplier, are applying to enroll as an
institutional provider not a physician or non-physician practitioner.
Accordingly, applications to enroll as institutional providers are
subject to submitting the application fee.
Comment: Several commenters stated that a $500 application fee for
DMEPOS suppliers who are orthotists and prosthetists is not reasonable,
especially on top of the required annual payment for a surety bond,
accreditation and to maintain licensure. One of these commenters
opposed the proposed rule because it seems redundant in light of other
requirements such as accreditation, licensure, non-mandatory OIG
compliance plans, and HIPAA. The commenter stated that with
reimbursements being cut, expenses increasing, and the government
constantly imposing new, unnecessary fees, it is becoming difficult for
small businesses to survive in this economy. Several other commenters
stated that the fee should be waived for the smallest providers. For
community pharmacies, another commenter urged CMS to either: (1) Impose
a $500 fee upon initial enrollment and in the case of the addition of
new practice locations without imposing any fees for revalidation, or
(2) impose a lower fee of $200 if the fee will apply to revalidation,
as well as initial enrollment and adding new locations.
Response: The ACA sets the initial fee at $500.00 for all types of
institutional providers or suppliers and for revalidating providers.
Because the ACA specifies that the money be used for program integrity
activities, including screening, we believe it is reasonable and
appropriate to impose a fee on new practice location applications which
require us to expend resources to screen for example onsite visits or
background checks may be required. Also, the ACA specifies the formula
for updating the fee. Affected providers and suppliers can request an
exception from the fee if they can demonstrate that it poses a
hardship.
Comment: A commenter requested clarification as to whether a
returned, rejected, or denied application would trigger the need for a
provider to resend another fee when it resubmits its application. The
commenter also asked whether a provider going from one state to another
within Medicare would only be required to submit the fee once.
Response: The proposed rule itemized circumstances when additional
fees would be required. The answer to the commenter's question about
returned, rejected, or denied applications and whether these actions
would trigger a requirement for a new fee will vary depending upon the
circumstances. Providers and suppliers that submitted applications that
were denied because the provider or supplier did not meet the
requirements to enroll would be subject to an additional fee for any
new application they submit. Providers and suppliers that submitted an
application that could not be processed because of a temporary
moratorium would not be required to submit an additional fee.
Applications that were accompanied by a request for hardship exception
waiver to the fee and for which the hardship waiver request was denied
would be required to submit a fee in order for the application to be
processed. If, in this latter circumstance, the provider or supplier
submitted the fee with the application and the hardship exception
waiver request, and the fee was not returned, the provider or supplier
would not be required to submit a new fee payment. Providers
establishing a new practice location in a different enrollment
jurisdiction or as a new provider type would be required to submit a
fee for each new practice location or provider type.
Comment: A commenter stated that CMS should allow application fees
to be held in escrow when an application is denied.
Response: We think it is important for the fee to be associated
clearly and specifically with the application for new enrollment or
revalidation at the time the application for enrollment or revalidation
is being processed. In this way we avoid any administrative errors
involved in associating a fee held in escrow with an instant
application. There are a number of reasons it might be complicated to
associate an escrowed fee with an application, particularly if the
provider or supplier has a different name or identifier, or a large
amount of time has elapsed between applying for enrollment or
revalidation.
Comment: A commenter believes it was inequitable that institutional
providers in the limited level of screening are still subject to the
same $500 application fee as providers in the high level of screening.
The commenter recognized that this is a matter of statute, but stated
that a more equitable policy would be to link the application fee
amount to the assigned level of screening, with a zero or minimal fee
applicable for facilities in the limited screening level and higher
scaled fees applied to the moderate and high screening levels. The
commenter also recommended that CMS use the application fee collected
from ``limited risk'' providers to develop prioritized and expedited
processes and timeframes for contractor review and approval of initial
enrollment applications and revalidations for ``limited risk''
providers.
Response: The ACA established a flat rate of $500 for application
fees to be imposed upon institutional providers and suppliers. In
addition, the ACA does not include provisions to link the

[[Page 5913]]

fee to assigned screening level. Accordingly, the proposed rule
implementing the statute did not link the fee to assigned screening
level.
Comment: A commenter stated that for DMEPOS suppliers, requiring a
$500 application fee at the time of submission of an enrollment
application for each Medicare PTAN is unsupported and improper. A
simple $500 fee per company, or paying for up to four facility
locations (but not more) per company, or $500 for the first location
and $50 for the next 10 makes sense. A flat $500 per location does not
make sense according to the commenter, since clearly larger companies
with multiple locations pose lower risk.
Response: As mentioned previously, the fee amount is included in
the ACA. In addition, the ACA requires each institutional provider to
pay the fee. Providers and suppliers will be charged the fee for each
form CMS-855 they submit for enrollment or revalidation.
Comment: A commenter stated that CMS should not allow contractors
to revoke a provider's billing privileges if an application fee or
hardship waiver does not accompany a revalidation application.
Response: We disagree. We believe that the failure to submit an
application fee or hardship waiver with a reenrollment or revalidation
application should be treated as the equivalent of the non-submission
of the application, which is grounds for revocation under regulation
Sec. 424.535(a)(6). However, we understand the concern expressed and
will instruct our enrollment contractors to contact any enrolling or
revalidating provider or supplier that does not submit the fee with the
enrollment application and afford an opportunity to submit the fee.
Thirty days after the date of the notification, the enrollment
contractor would reject the application and revoke the billing
privileges of the enrolled provider or supplier that has not submitted
the fee. We have modified the regulation provisions in Sec. 424.514(g)
to include the 30 day period.
Comment: Several commenters requested clarification that changes of
information, reactivations, and contractor-solicited, off-cycle
revalidations do not require an application fee.
Response: The ACA authorizes fees for new enrollment and
revalidation of enrollment. Simple changes in the CMS-855, for example,
new phone numbers, new bank account information, new billing
address(es), change in name of provider or supplier, or other such
updates, do not constitute a new enrollment or a revalidation of an
enrollment and therefore would not be subject to an additional fee.
Comment: A commenter stated that there is no justification to
assess new fees to providers to support CMS enforcement activities that
should be ongoing in any event. Moreover, CMS' proposed actions, the
commenter contended, ignore the much more practical and effective
measures to stem fraud and abuse outlined in H.R. 2479, and instead of
stopping the fraud at the outset (as seems to be the stated objective)
rely unduly on straightforward delays in delivering payments to all
providers. This punishes all legitimate providers, and without any
assurance that delays will solve the fraud problem.
Response: Section 1866(j)(2)(C) of the Act authorizes the the
Secretary to collect application fees from institutional providers and
suppliers. This section also specifies that ``the amounts collected as
a result of the imposition of a fee under this subparagraph shall be
used by the Secretary for program integrity efforts, including to cover
the costs of conducting screening under this paragraph and to carry out
this subsection and section 1128J of the Act.'' We are implementing the
provisions of the statute. The application fees collected will be used
for program integrity efforts as specified in the statute.
Comment: A commenter stated that imposition of the fee on
physicians who are enrolled as DMEPOS suppliers is unambiguously beyond
the scope of CMS's statutory authority, would frustrate congressional
intent, and is not warranted, since the vast majority of physicians
would not be subject to additional screening.
Response: The fees are only paid by institutional providers and
suppliers. If a physician is enrolled as a physician and also as a
DMEPOS supplier, the fee is required only for the DMEPOS supplier
enrollment.
Comment: A commenter supported CMS's proposal to exempt physicians
and non-physician practitioners from the application fee. The commenter
stated that with a potential Medicare provider shortage on the horizon,
introducing an application fee to these suppliers would only serve to
drive more providers out of the Medicare system.
Response: The ACA exempts physicians and non-physician
practitioners from paying the application fee.
Comment: A commenter stated that an appropriate course would be to
process the application and require that if the application is accepted
but the hardship waiver is denied, the application fee will be deducted
from future payments. This certainly creates the risk that some
applications would be considered for which no application fee payment
was ultimately available, but that outcome is offset by the need to
avoid draconian requirements with illusory protections.
Response: The ACA requires institutional providers and suppliers
that submit an application to enroll in or revalidate their enrollment
in Medicare to pay the fee. Contractors should not process applications
for new enrollment or revalidation of enrollment without a fee
accompanying the application. In the case of an application that is
accompanied by a request for a hardship waiver that is denied, the
contractor will notify the provider or supplier that a fee is required
for further processing. The provider or supplier has the option to
submit the fee with the application and waiver request as a contingency
to expedite processing should the hardship waiver be denied and the
provider or supplier is concerned about delays associated with the time
required to provide the fee.
Comment: A commenter expressed concern that there was no exception
for governmental providers, including those that are funded by Federal
agencies. To permit Medicare and Medicaid, for instance, to impose
enrollment fees on Indian and tribal providers merely transfers funds
from one health system to Medicare and Medicaid.
Response: Neither the ACA nor the proposed rule provide a blanket
exemption from the fee for Federal institutional providers.
Accordingly, we are unable to grant such an exception. However, Federal
health care providers have the option to seek a hardship exception to
the fee, and could request such an exception with any applications
submitted to enroll in Medicare as an institutional provider.
Comment: A commenter stated that if an application fee or hardship
waiver request is missing from an application, the contractor should--
consistent with Sec. 424.520--treat this as a request for additional
information and give the provider 30 days to furnish the missing items.
Response: We agree. Consistent with Sec. 424.514(g)(3)(ii),
contractors will be instructed to give providers and suppliers 30 days
after the provider or supplier receives notification that the request
for a hardship waiver is denied to submit the enrollment fee.
Comment: A commenter stated that requiring two enrollment fees for
a provider enrolling as two different

[[Page 5914]]

Medicare provider types--such as DMEPOS suppliers and mass immunizers--
would be inconsistent with CMS' proposed one-fee policy for dually
enrolled providers, that is those enrolled in Medicare and Medicaid.
Similarly, a commenter stated that if physicians functioning as DMEPOS
suppliers for their patients are subjected to the additional screening
mechanisms in the ``Moderate'' and ``High'' screening levels, many
physicians will simply relinquish the services they provide as DMEPOS
suppliers with minimal to no benefit to CMS's anti-fraud efforts.
Response: The ACA specifically excludes physicians and nonphysician
practitioners from paying the application fee. Physicians or non-
physician practitioner organizations that elect to apply to enroll in
Medicare as something other than a physician or nonphysician
practitioner, for example, submitting an CMS-855S to enroll as a DMEPOS
supplier, are applying to enroll as an institutional provider not as a
physician or nonphysician practitioner. Accordingly, applications to
enroll as institutional providers are subject to submitting the
application fee. Individual institutional providers that enroll in
Medicare and Medicaid will be required to pay only one application fee
per enrollment. Entities or individuals that enroll only in Medicare or
only in Medicaid as more than one kind of institutional provider, for
example, a DMEPOS supplier and a home health agency, will be required
to submit the fee for each enrollment.
Comment: A commenter suggested that providers submit one
application for all commonly-owned entities, with addenda to address
each specific entity as needed. A single fee for each provider would be
paid by the parent. The commenter added that if multiple application
fees are required for providers and suppliers wholly owned by the
parent entity, a cap of $5,000.00 per year in application fees should
be instituted.
Response: The ACA requires each institutional provider to pay the
fee, in the amount specified in the statute. In general, most providers
and suppliers must report each practice location on the enrollment Form
CMS-855; however, the provider or supplier may list multiple practice
locations on one Form CMS-855. The rules for DMEPOS suppliers, FQHCs
and IDTFs are different; these entities must enroll each practice site
separately--with separate for CMS-855. Because of these differences
among the different categories of providers and suppliers, we believe
it is most prudent to rely upon the requirement that a provider or
supplier will simply pay the application fee whenever a Form CMS-855 is
submitted.
Comment: A commenter suggests that CMS specifically exempt physical
therapists in private practice from paying an enrollment fee when
enrolling as a DMEPOS supplier with NSC. The commenter acknowledges
that physical therapists in private practice are listed under
``eligible professionals.''
Response: As with physicians, physical therapists that enroll as
individual practitioners will be exempt from the fee. DMEPOS suppliers
that are owned by a physical therapist are institutional providers and
as a result are subject to the fee.
Comment: A commenter stated that CMS should exempt recertification,
re-enrollment, or other actions not related to a change in ownership
from the application fee.
Response: The ACA specifically provides for the fee to be paid for
revalidating institutional providers, section 1866(j)(2)(C) of the Act.
Comment: A commenter suggested that a provider or supplier enrolled
in more than one program (that is, Medicare, Medicaid or CHIP) be
subject to only one application fee.
Response: We agree. Dually-participating providers and suppliers
will only be subject to the application fee at the time of Medicare
enrollment or revalidation.
Comment: A commenter requested clarification on whether a fee is
charged: (1) For each individual provider associated with a facility or
institution, or (2) per facility. The commenter recommended a sliding
fee based on the size and number of employees the facility has.
Response: Under the ACA, a fee is required only from institutional
providers. Therefore, if the commenter is referring to individual
physicians or non-physician practitioners who are associated with an
institutional provider or supplier, the individual physician or non-
physician practitioner would not be required to submit an application
fee. Only the facility or institutional provider with which they are
associated would be required to submit the fee. If the commenter was
referring to affiliated entities that would be considered institutional
providers, then each of those institutional providers would be required
to submit the fee as would the institutional provider with which they
are associated.
Comment: The same commenter also recommended a sliding scale for
the fee that would be based on the size of the provider or facility and
the number of employees.
Response: The application fee is derived from a statutorily-
mandated formula. Neither CMS nor the States have the discretion to
change the amount of the fee.
Comment: A number of commenters requested clarification regarding
whether a State is required to collect the application fee for
Medicaid-only or CHIP-only providers, or if the collection of this fee
is at a State's discretion. One commenter stated that it should
continue to be at a State's discretion.
Response: Section 1866(j)(2)(C)(ii) of the Act requires that the
fee be imposed for institutional providers, and the State will be
required to collect the fee in the case of Medicaid-only and CHIP-only
institutional providers. In addition to the providers and suppliers
subject to the application fee under Medicare, Medicaid-only and CHIP-
only institutional providers would include nursing facilities,
intermediate care facilities for persons with mental retardation (ICF/
MR), psychiatric residential treatment facilities, and may include
other institutional provider types designated by a State in accordance
with their approved State plan. Under section 1866(j)(2)(C)(iii) of the
Act, we may grant case-by-case exceptions to the application fee, based
upon a demonstration of hardship, and in those instances, the State
would not be required to collect the fee from Medicaid-only and CHIP-
only institutional providers. Additionally, section 1866(j)(2)(C)(iii)
of the Act permits the Secretary to waive the application fee for
providers enrolled in a State Medicaid program for whom the State
demonstrates the imposition of the fee would impede beneficiary access
to care. If a State is concerned that the imposition of the application
fee may adversely impact beneficiary access to care, we encourage them
to seek a waiver of the fee in those circumstances.
Comment: One commenter asked whether a State could choose to lower
the fee from $500 to a different amount, for example, $250.
Response: The amount of the application fee is derived from a
statutorily-mandated formula. States do not have discretion to change
the amount of the fee that is collected from Medicaid-only or CHIP-only
institutional providers.
Comment: One commenter asked that if a State elects not to collect
the application fee, would the cost of screening be eligible for FFP.
Response: As stated previously, Section 1866(j)(2)(C)(ii) of the
Act requires that the fee be imposed for institutional providers, and
the State will be required to collect the fee in the

[[Page 5915]]

case of Medicaid--only and CHIP--only institutional providers. However,
to the extent that the costs associated with performing the screening
exceed the amounts collected as a result of the application fees, these
costs would be eligible for FFP.
Comment: One commenter requested that CMS describe the process for
determining whether the Medicaid and CHIP application fee exceeds the
cost of provider screening.
Response: States will be required to account for the costs of the
provider screening program and measure it against total fees collected.
If the cost of the program exceeds fees collected, then the State can
claim FFP for excess cost. Note, that this requires that principles of
OMB Circular A-87 be properly applied and that total fees collected
serve as an applicable credit to the Medicaid program.
Comment: One commenter requested that CMS confirm whether the
application fee is intended to cover both State and Federal share of
the costs.
Response: The application fees collected by the State must be used
to offset the total cost, both State and Federal share, of the
screening program. As stated in the proposed rule, if the fees
collected by a State agency exceed the cost of the State's screening
program, the State agency must return that portion of the fees to the
Federal Government.
Comment: One commenter asked if States would be eligible for
enhanced Federal match for changes to provider enrollment and claims
processing systems that implement reporting and screening requirements.
Response: If the changes are to the MMIS for purposes of Medicaid
provider enrollment and Medicaid claims processing, then States may be
eligible for the enhanced match rate (either 90 percent for
enhancements/new functionality or 75 percent for ongoing maintenance
and operations). States must contact their CMS Regional Office to
determine whether an advance planning document (APD) is required.
Comment: One commenter requested clarification on how the state
should record expenditures on necessary MMIS changes to implement the
rule, prior to collecting the application fee.
Response: All State share costs including those involving the
enhancement and operation of the MMIS in addition to administrative
costs related to provider screening and reporting as specified in the
proposed regulation (Sec. 455.460) are to be included in the screening
program costs and offset by the application fees collected by the
State. We understand that the MMIS costs may be matched at higher rates
(90 percent for development and 75 percent for operation). States will
be required to report the 10 percent and 25 percent State share of the
MMIS costs associated with the screening program and offset the
application fee against such costs. In the event that the application
fees are greater than the costs for the screening program for any
reporting period, the State will refund the difference to CMS. Please
refer to OMB Circular A-87, ``Cost Principles for State, Local, and
Indian Tribal Governments'' for guidance in the reporting of the
application fees as an applicable credit.
Comment: One commenter asked if the application fee is an allowable
cost report expense for Medicaid and CHIP providers.
Response: If a Medicaid-only or CHIP-only institutional provider is
subject to the application fee, this could be considered an allowable
cost report expense. This determination would be governed by the
State's approved reimbursement methodology within its State plan.
Comment: One commenter asked if the amount of the fee could be
included in determining a government provider's cost based rates.
Response: Yes, if the application fee is imposed on a government
institutional provider, then the amount of the fee could be included in
determining the government provider's cost-based rates.
Comment: A few commenters asked if a State is permitted to have the
applicant/provider pay the fees associated with fingerprinting and
conducting criminal history checks.
Response: The application fee is intended to cover the costs
associated with the State's Medicaid or CHIP provider screening
program. It is permissible for the State to require the provider to pay
the costs associated with capturing fingerprints. However, we expect
that the amount of funds collected by imposition of the application fee
should be used by the State to fund the costs incurred by the State
associated with processing the fingerprints and conducting the criminal
background checks.
Comment: A number of commenters stated that local education
agencies (that is, public schools) should be exempt from having to pay
the application fee.
Response: To the extent that a State determines, consistent with
the approved State plan, that a local education agency is an
institutional provider for purposes of this provision, then it would be
subject to the application fee.
Comment: A few commenters requested that CMS clarify whether the
application fee applies to institutional providers only under Medicaid
and/or CHIP, and what types of Medicaid and CHIP providers are
considered institutional.
Response: We will clarify in the regulation that the application
fee does not apply to physicians or other individual non-physician
practitioners such as nurse practitioners under Medicaid and/or CHIP.
Medicaid-only and CHIP-only institutional providers that would be
subject to the application fee include: Medicaid-only nursing
facilities, intermediate care facilities for persons with mental
retardation (ICF/MR), and psychiatric residential treatment facilities.
Additionally, a State may impose the application fee on other types of
Medicaid-only or CHIP-only institutional providers, consistent with
their approved State plan.
Comment: One commenter asked if pharmacies are considered
institutional providers for purposes of the application fee.
Response: In the Medicare program, pharmacies are generally
enrolled as DMEPOS suppliers, and thus are considered institutional
providers for the purposes of the application fee. Therefore,
pharmacies would be subject to the application fee, and it would likely
be imposed at the time of Medicare enrollment or revalidation.
Comment: One commenter suggested that the application fee
requirement should provide an exception for providers that are required
to pay a pre-existing State-level application or certification fee to
enroll in the Medicaid program.
Response: The enrollment screening activities are distinct from
State-licensing and certification activities that seek to address
conditions of participation or structures, processes and outcomes to
support quality of care for the beneficiaries. The application fee is
intended to support provider screening activities as part of
enrollment.
Comment: A number of commenters requested that CMS provide further
guidance regarding the manner in which States will be expected to
report the costs associated with screening. One commenter specifically
requested whether CMS will want screening costs detailed per screening,
per provider (for example, detailed travel expenses for site visits) or
if a more generic reporting of screening cost is expected.
Response: We anticipate that a State will be required to report the
costs associated with its provider screening program on a semi-annual
or annual

[[Page 5916]]

basis. Although we do not anticipate requiring States to routinely
report very detailed information such as detailed travel expenses for a
site visit, this information should be maintained by the State and be
made available upon request if necessary for conducting an audit or
other oversight activities. Additional guidance for States will be
forthcoming regarding the specific form and manner of reporting.
Comments: One commenter requested that CMS clarify whether the
application fee be designed to include current program integrity
activities, or whether the State will be expected to track the
increased expenditures of PI activities resulting from this regulation
separate from historic PI activities.
Response: The application fee may only be used by the State to
offset the cost of the provider screening program. It is not
permissible for a State to design the fee in any manner that would
include current program integrity activities. If the fees collected by
a State agency exceed the cost of the screening program, the State
agency must return that portion of fees to the Federal Government.
Comment: One commenter recommended that CMS provide a comprehensive
exception for out-of-State providers providing emergency services to
managed care members, stating that such an exception would allow for
timely access to critical services for managed care enrollees.
Response: After considering the comment, we are not inclined to
provide a comprehensive exception to the application fee in this
circumstance. We believe that the overwhelming majority of providers
that provide emergency services to out-of-State MCO members are dually-
participating providers, and would thus be subject to the application
fee at the time of Medicare enrollment. Furthermore, there are
additional Federal laws that exist to safeguard beneficiary well-being
in emergency situations, such as, the Emergency Medical Treatment and
Active Labor Act (EMTALA).
Comment: A few commenters stated that each State should have the
flexibility to waive the application fee, for particular providers or a
class of providers, if it determines that this would help assure access
to services for beneficiaries.
Response: We agree and will clarify that a State, in consultation
with the Secretary, may waive the application fee for Medicaid-only or
CHIP-only providers if the State demonstrates that imposition of such a
fee will impede beneficiary access to care.
Comment: One commenter stated that providers who have already paid
the fee to their own State's Medicaid or CHIP program should also be
exempt, if the provider is already enrolled in one and applies to the
other.
Response: We agree that providers enrolled in more than one
program, be it Medicare, Medicaid, and CHIP, including Medicaid and
CHIP in multiple States must only be required to pay the application
fee once.
Comment: One commenter urged CMS to expand the exemption provisions
to allow an exemption for providers in medically underserved areas as
well as those whose patient population are overwhelmingly Medicaid
beneficiaries.
Response: We are committed to assuring access to care and services
for program beneficiaries and will clarify that a State, in
consultation with the Secretary, may waive the application fee for
Medicaid-only or CHIP-only providers if the State demonstrates that
imposition of such a fee will impede beneficiary access to care.
Comment: A few commenters expressed concern that requiring
providers to pay a non-refundable application fee to participate in the
Medicaid program will decrease the likelihood that providers will
choose to participate.
Response: We are committed to assuring access to care and services
for program beneficiaries and will clarify that a State, in
consultation with the Secretary, may waive the application fee for
Medicaid-only or CHIP-only providers if the State demonstrates that
imposition of such a fee will impede beneficiary access to care.
Comment: A number of commenters requested clarification as to the
process that a Medicaid agency would use to determine if a provider has
paid an application fee to Medicare or another State. One commenter
specifically requested clarification on whether the Medicare
revalidation fee is applicable to payments made in one calendar year
only when considered for Medicaid program(s). Will waiver programs
honor fees made to Medicare? How will Medicaid honor a Medicare fee
when the revalidation is a different time period?
Response: The basic concept of the screening and enrollment
provisions included in this regulation is that Medicaid will accept
Medicare screening for providers that receive payments from both
Medicare and Medicaid. For dually-participating providers, the
application fee is imposed at the time of Medicare enrollment and no
additional screening fee is imposed by the State regardless of the time
period or revalidation cycle. For institutional providers that
participate only in Medicaid, the State Agency is responsible for
assuring that the provisions of the regulation are met. Institutional
providers will be required to submit the application fee to only one
program. We believe these operational logistics are more appropriately
addressed in subregulatory guidance. We will be issuing subregulatory
guidance to assist States with the operational aspect of implementing
this provision in the near future.
Comment: One commenter supported the proposal that for dually
participating providers, the application fee would be imposed at the
time of Medicare enrollment.
Response: We agree and are finalizing this provision accordingly.
Comment: One commenter encouraged CMS to consider establishing a
lower price point or expedited review for providers in the lower risk
group.
Response: The amount of the application fee is derived from a
statutorily-mandated formula. Neither CMS nor the States have
discretion to change the amount of the fee that is collected from
Medicaid-only or CHIP-only institutional providers.
Comment: One commenter requested clarification that ongoing
resubmissions do not trigger the application fee and that the fee will
merely be levied through the actual recertification process.
Response: The ACA authorizes fees for new enrollment and
revalidation of enrollment. Simple changes to the provider enrollment
information, that is, new phone numbers, new bank account information,
new billing address, change in name of provider or other such updates
are not subject to the fee. They will apply to newly-enrolling
providers, revalidating providers and creation of new practice
locations.
Comment: A commenter noted that the application fee and other
provisions are effective on March 23, 2011. The commenter stated,
however, that CMS must first complete the notice and comment rulemaking
process. The commenter recommended that CMS implement the application
fee only after a final regulation has been issued and the public has
been given at least 60 days notice.
Response: We agree with the commenter and we are finalizing the
regulation in regard to the application fee. It will be displayed for
60 days prior to the effective date on March 25, 2011.
Comment: A commenter stated that some of the provider types listed
under

[[Page 5917]]

the definition of ``institutional provider'' do not bill Medicare on a
fee-for-service basis. For example, RHCs and FQHCs bill Medicare on a
cost-based, all-inclusive rate basis. The commenter believes this
distinction is significant because on past occasions when the Congress
authorized certain incentive payments and linked those payments to the
``fee-for-service'' payment, RHCs and FQHCs were excluded from those
incentive payment programs. The commenter believes it was unfair to
deny certain providers from participating in programs because they are
not ``fee-for-service,'' but then mandate their inclusion in other
initiatives reserved for ``fee-for-service'' providers. Moreover, the
commenter stated that RHCs and FQHCs are by definition located in areas
designated as underserved or serving populations with a demonstrated
problem accessing the healthcare delivery system. Imposing an
application fee on these providers will only serve as a further barrier
to access to care. The commenter believes that the term ``institutional
providers'' should exclude new entities seeking designation as RHCs and
FQHCs and include only those providers that bill Medicare on a fee-for-
service basis. Another commenter believes that the term ``institutional
provider'' refers to providers whose beneficiaries are
institutionalized; the proposed rule's envisioned use of the term is
therefore inappropriate. The commenter suggested using the term ``non-
institutional provider.''
Response: In the NPRM, we proposed a definition of institutional
provider that does not distinguish among providers or suppliers based
on which version of the form 855 they submit, or whether they submit
the form electronically. We are finalizing this definition. The
distinction on payment methods the commenter suggests is not related to
the definition of institutional provider used in this rule. Physician
and practitioner organizations are exempt from the application fee by
statute; the exemption is not affected by how they are reimbursed. In
addition, the inpatient status of patients has no bearing on whether a
provider or supplier is considered an institutional provider in this
rule. For example, hospitals are institutional providers as are home
health agencies and DMEPOS suppliers.
If certain institutional providers and suppliers such as FQHCs and
RHCs may face financial obstacles to paying the application fee, they
can seek a waiver of the fee based upon a request for a hardship
exception for Medicare or a request for a hardship waiver for Medicaid.
Newly enrolling institutional providers and suppliers that are seeking
such a waiver must submit a request for the hardship exception at the
time of filing a Medicare enrollment application on or after March 25,
2011.
Comment: A commenter stated that the proposed rule indicates that
the fee will be applied only to those providers that bill ``Medicare,
Medicaid, or CHIP on a fee-for-service basis.'' The commenter stated
that most Indian and tribal providers are reimbursed either on the
encounter rates established annually by CMS and IHS for Indian health
programs or on FQHC encounter rates. The commenter requested
clarification as to whether Indian and tribal providers will therefore
be exempt from the application fee. The commenter added that the
proposed rate of increase in the fee has often exceeded the increase in
funding for Indian and tribal programs. Finally, the commenter stated
that CMS failed to seek an exchange of views, information, or advice
from the Tribal Technical Advisory Group (TTAG) or to consult directly
with Tribes or confer with urban Indian organizations. Unless Indian
and tribal health programs are exempt from these rules, the commenter
believes that the effective date should be delayed, discussions with
the TTAG and consultation with Tribes held, after which the proposed
rules with any changes that result from the advice and consultation be
published with a new comment period.
Response: We are statutorily unable to exempt IHS, Tribal, and
Urban (I/T/U) Indian health programs from these rules or to delay the
effective date. Moreover, we do understand Tribal concerns about not
having the opportunity to provide advice on this regulation. All I/T/
U's are eligible to apply for the hardship exception to the application
fee and CMS is committed to working with Tribes, the TTAG and I/T/Us in
implementing requests for hardship exceptions.
4. Final Application Fee Provisions--Medicare, Medicaid, and CHIP
This final rule with comment period finalizes the provision of the
proposed rule in regards to the application fees with the following
exceptions:
In Sec. 424.514, we modified our proposal as follows:
Added language to clarify that a provider or supplier may
submit both an application fee and hardship exception waiver to avoid
delays in the processing of the application if the hardship exception
is not approved at Sec. 424.514(a) and (b).
Added language at Sec. 424.514(d)(2) clarifying that the
application fee is non-refundable except in the circumstance where the
provider or supplier opts to submit both an application fee and a
hardship waiver request and the waiver request is subsequently
approved.
Added language to clarify that if a provider submits a
hardship exception request without an application fee, and CMS does not
approve the hardship exception request, CMS will notify the provider or
supplier and allow the provider or supplier thirty (30) days from the
date of notification to submit the application fee at Sec. 424.514(h).
Added language that specifies that States must collect the
applicable application fee from Medicaid-only and CHIP-only providers
and suppliers at Sec. 455.460.

C. Temporary Moratoria on Enrollment of Medicare Providers and
Suppliers, Medicaid and CHIP Providers

1. Statutory Changes
Section 6401(a) of the ACA amended section 1866(j) of the Act by
adding a new section 1866(j)(7) of the Act, which provides that the
Secretary may impose temporary moratoria on the enrollment of new
Medicare, Medicaid, or CHIP providers and suppliers, including
categories of providers and suppliers, if the Secretary determines such
moratoria are necessary to prevent or combat fraud, waste, or abuse
under the programs.
Section 6401(b)(1) of the Act adds specific moratorium language
applicable to Medicaid at section 1902(kk)(4) of the Act, requiring
States to comply with any temporary moratorium imposed by the Secretary
unless the State determines that the imposition of such moratorium
would adversely affect Medicaid beneficiaries' access to care. Section
1902(kk)(4)(B) of the Act further permits States to impose temporary
enrollment moratoria, numerical caps, or other limits, for providers
identified by the Secretary as being at high risk for fraud, waste, or
abuse, if the State determines that the imposition of such moratorium,
cap, or other limits would not adversely impact Medicaid beneficiaries'
access to care.
Section 1866(j)(7) of the Act uses the term ``providers of services
and suppliers.'' Although, as noted previously, the Medicaid program
does not use the term ``suppliers,'' section 1902(kk)(4) of the Act
refers to ``providers and suppliers.'' In this regulation, for
uniformity with sections II A. and B. of this final rule with comment
period, we are using the term

[[Page 5918]]

``providers and suppliers'' in lieu of the term ``provider of services
and suppliers.'' We are using the term ``provider'' or ``Medicaid
provider'' or ``CHIP provider'' in lieu of the term ``provider or
supplier'' when referring to all Medicaid or CHIP health care
providers, including, but not limited to, providers and suppliers of
Medicaid items or services, individual practitioners, and institutional
providers.
2. Proposed Temporary Moratoria Provisions
a. Medicare
We proposed at Sec. 424.570(a) that we may impose a temporary
moratorium on the enrollment of new Medicare providers and suppliers in
6 month increments in situations where-- (1) CMS, based on its review
of existing data, without limitation, identifies a trend that appears
to be associated with a high risk of fraud, waste or abuse, such as
highly disproportionate number of providers or suppliers in a category
relative to the number of beneficiaries or a rapid increase in
enrollment applications within a category suggests that there is a
significant potential for fraud, waste or abuse with respect to a
particular provider or supplier type or particular geographic area or
both; (2) a State has imposed a moratorium on enrollment in a
particular geographic area or on a particular provider of supplier type
or both; or (3) CMS, in consultation with the HHS OIG or the Department
of Justice (DOJ) or both and with the approval of the CMS Administrator
identifies either or both of the following as having a significant
potential for fraud, waste or abuse in the Medicare program:
A particular provider or supplier type.
Any particular geographic area.
As part of the CMS decision making process, we will consider any
recommendation from the DOJ, HHS OIG, or the GAO to impose a temporary
moratorium for a specific provider or supplier type in a specific
geographic area.
We believe that imposing moratoria will, among other things, allow
us to review and consider additional programmatic initiatives,
including the development of additional regulatory and sub regulatory
provisions to ensure that Medicare providers and suppliers are meeting
program requirements, beneficiaries receive quality care, and that an
adequate number of providers of suppliers exists to furnish services to
Medicare beneficiaries.
We also proposed that enrollment moratoria be limited to: (1) Newly
enrolling providers and suppliers (that is, initial enrollment
applications); and (2) the establishment of new practice locations, not
to a change of practice locations. The temporary moratoria will not
apply to existing providers or suppliers of services unless they were
attempting to expand operations to new practice locations where a
temporary moratorium was imposed. Moreover, the temporary moratoria
would not apply in situations involving changes in ownership of
existing providers or suppliers, mergers, or consolidations.
We also proposed at Sec. 424.570(b) that a temporary enrollment
moratorium would be imposed for a period of 6 months, and such
moratorium could be extended by CMS in 6 month increments if we
continue to believe that a moratorium is needed to prevent or combat
fraud, waste, or abuse. The Secretary will re-evaluate whether a
moratorium should continue prior to each 6 month expiration date.
We also proposed at Sec. 424.570(c) that we will deny enrollment
applications received from providers or suppliers covered by an
existing moratorium. We noted that denial of Medicare billing
privileges is subject to the administrative review process established
in Sec. 405.874. Accordingly, we believe that a provider or supplier
also is afforded the right to appeal a Medicare contractor
determination to deny enrollment into the Medicare program.
In Sec. 424.530(a)(10), we proposed adding a new reason why we can
deny Medicare billing privileges. Specifically, we proposed a new Sec.
424.530(a)(10) to state, ``A provider or supplier submits an enrollment
application for a practice location in a geographic area where CMS has
imposed a temporary moratorium.'' Further, in Sec. 498.5(l)(4), we
proposed that the scope of review for appeals of denials under Sec.
424.530(a)(10) based upon a provider or supplier being subject to a
temporary moratorium will be limited to whether the temporary moratoria
applies to that particular provider or supplier.
We noted that section 1866(j)(7) of the Act provides that there
shall be no judicial review of a temporary moratorium. Accordingly, we
proposed that a provider or supplier may administratively appeal an
adverse determination based on the imposition of a temporary moratorium
up to and including the Department Appeal Board (DAB) level of review.
Finally, we proposed at Sec. 424.570(d) that we may lift a
moratorium in the following circumstances: (1) In the case of a
Presidentially declared disaster under the Robert T. Stafford Disaster
Relief and Emergency Assistance Act, 42 U.S.C. 5121 through 5206
(Stafford Act); (2) circumstances warranting the imposition of a
moratorium have abated or CMS has implemented program safeguards to
address any program vulnerability that was the basis for the
moratorium; or (3) in the judgment of the Secretary, the moratorium is
no longer needed.
We also recognized that in a limited number of circumstances a
State Medicaid agency may enroll a provider or supplier into Medicaid
during the temporary moratorium period established by Medicare. If this
occurs and the prospective Medicare provider or supplier applies to
enroll in the Medicare program after the temporary moratorium is
lifted, we would use the screening tools described in section II.A. of
this final rule with comment period.
We also solicited public comment on specific exemptions to the
temporary moratoria criteria proposed previously. Prior to imposing a
moratorium, we would assess Medicare beneficiary access to the type(s)
of services that are furnished by the provider or supplier type and/or
within the geographic area to which the moratorium would apply.
We would announce the implementation of a moratorium at any time
when it is being imposed. The announcement would be made in the Federal
Register and we would also address it in other methods or forums, such
as Press Releases, at CMS Provider Open Door Forums, in CMS provider
listservs, and on the CMS Provider/Supplier Enrollment web page (http://www.cms.gov/MedicareProviderSupEnroll). We would also require our
Medicare contractors to post the moratorium announcement or note the
expiration of a moratorium on their Web sites. Our Federal Register
announcement would explain in detail the rationale for the moratorium
and the rationale for the geographic area(s) in which it would apply.
b. Medicaid and CHIP
Pursuant to section 1902(kk)(4)(A) of the Act, we proposed at Sec.
455.470(a)(2) and (3) that a State Medicaid agency will comply with a
temporary moratorium imposed by the Secretary unless it determines that
the imposition of such a moratorium would adversely affect
beneficiaries' access to medical assistance.
Where the Secretary has imposed a temporary moratorium in
accordance with Sec. 424.570, and the State has determined that
compliance with such a moratorium would adversely impact Medicaid
beneficiaries', or CHIP participants', as the case may be, access

[[Page 5919]]

to medical assistance, section 1902(kk)(4)(A)(ii) of the Act creates an
exception for the State from complying with the moratorium. We proposed
that the State provide the Secretary with written details of the
moratorium's adverse impact on Medicaid beneficiaries. Prior to the
Secretary imposing such a moratorium in any State, we proposed at Sec.
455.470(a)(1) that the Secretary consult with the State, so that the
State may have an opportunity to seek an exception from the moratorium.
Pursuant to section 1902(kk)(4)(B) of the Act, States have
authority to impose moratoria, numerical caps, or other limits for
providers that are identified by the Secretary as being at ``high''
risk for fraud, waste, or abuse. We proposed, at Sec. 455.470(b) that
where the State identifies a category of providers as posing a
significant risk of fraud, waste, or abuse, the State must seek our
concurrence with that determination and provide us with written details
of the proposed moratorium, including the anticipated duration, and
with a substantial justification explaining why disallowing newly
enrolling providers would reduce the risk of fraud. We proposed at
Sec. 455.470(c) that States' moratoria would be imposed for a period
of 6 months and may be extended in 6 month increments.
Section 2107(e)(1) of the Act provides that all provisions that
apply to Medicaid under sections 1902(a)(77) and 1902(kk) of the Act
apply to CHIP. Accordingly, we proposed in new regulation Sec. 457.990
that all the provider screening, provider application, and moratorium
regulations that apply to Medicaid providers also apply in providers
that participate in CHIP.
3. Analysis of and Responses to Public Comment
Below is a summary of the comments we received regarding the
temporary enrollment moratoria.
Comment: A commenter expressed support for our proposal to
establish a moratorium on new providers or new practice locations only
when it is believes through the agency's review that a risk of fraud
and abuse is detected. The commenter, however, requested CMS to: (1) To
review the proposed 6-month timeframe for the moratoria, (2) add more
flexibility to the standard if it is determined that 6 months is too
long, and (3) give the provider community an opportunity to comment
prior to its effective date. Another commenter stated that a moratorium
is a drastic remedy that should only be used when CMS can clearly
articulate the basis for imposing such an extreme measure. CMS must, in
such cases, publish: (1) The data it used to determine a moratorium was
necessary, (2) the steps it will take to resolve the issues that gave
rise to the need for the moratorium, and (3) when it expects to lift
the suspension in new enrollments.
Response: We believe that the rule as proposed directly addressed
the timeframe, standards, and process for imposing, explaining the
rationale for, and lifting an enrollment moratorium; because we
received multiple related comments, this response should be read in
conjunction with the discussion of those comments. The ACA gives the
Secretary broad authority to impose a temporary moratorium on the
enrollment of new providers and suppliers if the Secretary determines
that a moratorium is necessary to prevent fraud, waste or abuse in
Medicare, Medicaid or CHIP. After considerable discussion within CMS
and HHS, the proposed rule was published proposing that an initial
temporary enrollment moratorium would be imposed for a period of 6
months, with possible extensions in 6-month increments should the
Secretary determine that the moratorium was still needed. The 6-month
duration was proposed in the NPRM because it was sufficiently long to
enable an assessment of its impact on the circumstances that the
moratorium was designed to address. The proposed rule also included
criteria for when the Secretary would consider imposition of a
temporary enrollment moratorium, and the circumstances under which such
a temporary enrollment moratorium would be lifted. The proposed rule
also indicated that we would announce the implementation of a
moratorium at any time, that the announcement would be made in the
Federal Register, and that the announcement would explain in detail the
rationale for the moratorium and the rationale for the geographic
area(s) in which it would apply.
Comment: A commenter stated that advance public notice in the
Federal Register of a moratorium should be given. The commenter
recognized that this may lead to a rush to apply prior to the effective
date, but stated that this could be fixed by limiting the length of
time for the advance notice to 30-60 days.
Response: A temporary moratorium on enrollment is an action that
will only be used if necessary to fight fraud, waste or abuse in
Medicare, Medicaid, or CHIP. Moratoria will be imposed only if based on
detailed information indicating a problem that can be addressed through
a temporary enrollment moratorium. Although not required by the ACA to
do so, we will announce the imposition of a moratorium in the Federal
Register. The announcement would explain in detail the rationale for
the moratorium and the rationale for the geographic area(s) in which it
would apply. We will not be providing advance notice of any planned
moratorium as such a notice would likely cause a rush of enrollments of
the type posing the problem that would be addressed by the moratorium.
Comment: Several commenters stated that applying a moratorium to
providers whose enrollment applications are pending would be unfair and
could--in light of the efforts and cost the provider incurred in
attempting to enroll--prove financially harmful. They requested that
CMS limit moratoria to new applications, not those already submitted.
Another commenter requested that the moratorium not apply to
applications submitted prior to public notice of the moratorium being
given in the Federal Register. Another commenter recommended that CMS
explain: (1) What will happen to an application submitted by a new
provider when CMS imposes a temporary moratorium, and (2) whether
pending applications will be processed when a temporary moratorium is
imposed or whether the application will be automatically denied using
Sec. 424.530(a)(10).
Response: In the NPRM, we indicated both in the preamble and the
proposed regulations that an application to enroll in Medicare from a
provider or supplier that is subject to a temporary enrollment
moratorium would be denied. With regard to pending applications, we
interpret the ACA as applying to pending applications. If a temporary
enrollment moratorium is deemed necessary for any provider or supplier
type, or for any geographic area, then all enrollment applications from
unenrolled providers and suppliers of the type subject to the temporary
enrollment moratorium or in the geographic area subject to the
moratorium would be denied. However, we will not deny any enrollment
for which the Medicare enrollment contractor has completed review of
the application and has determined that the provider or supplier meets
all the requirements for enrollment and all that remains is to assign
appropriate billing number(s) and enter the provider or supplier into
PECOS.
Comment: A commenter stated that in CMS's manual instructions, it
describes

[[Page 5920]]

a provider enrollment fraud detection program for high-risk areas, but
that this process is not discussed in the proposed rule. The commenter
requested that CMS explain the nexus, if any, between this fraud
detection program and the policy described in the temporary moratorium
provisions contained in this proposed rule. The commenter also
requested that CMS explain whether it will use data submitted or
obtained from its contractors in determining whether to impose a
temporary moratorium.
Response: We plan to revise our manuals to be consistent with the
provisions of the final rule with comment period. We plan to use data
from many sources in making a decision about imposing a temporary
moratorium--including data from our contractors.
Comment: One commenter recommended that CMS: (1) Explain why it is
not using section 1866(j)(3) of the Act, related to a provisional
period of enhanced oversight for new providers and suppliers, in the
process of establishing a temporary moratorium, and (2) publish a
Federal Register Notice explaining its reasons and rationale for
establishing a temporary moratorium for a provider or supplier.
Response: Section 1866(j)(3) of the Act is not a part of this final
rule with comment period. Moreover, its provisions can be implemented
by subregulatory instructions. We plan to implement the provisions in
that fashion and in concert with the provisions of this rule and other
CMS regulations governing program integrity. As stated in a response to
a previous comment, we will publish a notice of imposition of a
temporary enrollment moratorium in the Federal Register.
Comment: One commenter expressed concern that the language
associated with the temporary moratoria provision: (1) Is vague, (2)
does not provide sufficient information on the specific triggers that
would cause CMS to suspect that a provider or group of providers is
committing fraud, and (3) does not identify the situations in which the
moratoria would be applied. The commenter feared that certain providers
or suppliers could be prevented from providing services in a particular
area without sufficient grounds and that patient access to care could
be hindered in the process. The commenter recommended that CMS
specifically define the parameters and triggers that CMS intends to use
in imposing or enforcing a moratorium on the enrollment of new Medicare
providers or suppliers. Another commenter expressed concern with the
general nature of the proposed temporary moratoria provisions because
it could lead to an abuse of discretion or arbitrary and capricious
decision-making with little recourse beyond the internal review
process. The commenter was also concerned with the proposed length of
the moratorium, stating that a 6 month period: (1) Cannot be reasonably
inferred from the Congress having authorized ``temporary'' moratoria,
(2) cannot be considered ``temporary,'' (3) would have significant
consequences for new physicians interested in enrolling in the Medicare
program, and (4) should not be extended because there is no
congressional authority to do so.
Response: As stated previously, the Affordable Care Act gives the
Secretary broad authority to impose a temporary moratorium. After
considerable discussion within CMS and HHS, the proposed rule was
published proposing that an initial temporary enrollment moratorium
would be imposed for a period of 6 months, with possible extensions in
six month increments should the Secretary determine that the moratorium
was still needed. The 6 month duration was proposed in the NPRM because
it was sufficiently long to enable an assessment of its impact on the
circumstances that the moratorium was designed to address, and would
afford us the opportunity to determine whether the circumstances
warranting the imposition of a temporary enrollment moratorium have
abated or we have implemented program safeguards to address program
vulnerabilities. With regard to the temporary nature of a moratorium,
we would note that the NPRM explicitly indicated that an initial
moratorium would be for a 6 month period, not an indefinite period.
Regarding the impact a temporary enrollment moratorium would have on
beneficiary access to care, we stated in the NPRM that we will assess
Medicare and Medicaid beneficiaries' and CHIP participants access' to
the types of services that are furnished by the provider or supplier
type and/or within the geographic area to which the moratorium would
apply. We take seriously our responsibility to assure that all Medicare
beneficiaries have access to the services and supplies they need. With
regard to extending moratoria, we would note that, as stated
previously, the Secretary has broad authority to impose a moratorium.
The statute confers on the Secretary the responsibility and authority
to make the judgment about the need for moratoria--whether initial or
an extension--if the circumstances requiring the moratorium are still
present.
Comment: A commenter stated that CMS failed to outline the criteria
it will use to make the determination that a moratorium is to be
extended.
Response: We would not impose a temporary enrollment moratorium
without an adequate rationale. Should it be necessary to impose a
temporary enrollment moratorium on any provider or supplier type, we
will discuss the issues associated with the decision to impose a
temporary enrollment moratorium in a public notice in the Federal
Register.
In the NPRM, we listed some examples of circumstances that could
lead to the imposition of a temporary enrollment moratorium in
situations where: (1) CMS, based on its review of existing data,
identifies a trend that appears to be associated with a high risk of
fraud, waste or abuse, such as highly disproportionate number of
providers or suppliers in a category relative to the number of
beneficiaries or a rapid increase in enrollment applications within a
category determines that there is a significant potential for fraud,
waste or abuse with respect to a particular provider or supplier type
or particular geographic area or both, (2) a State has imposed a
temporary enrollment moratorium, or (3) CMS in consultation with the
Department of HHS Office of Inspector General or the Department of
Justice or both identifies either or both a particular provider or
supplier type or a particular geographic area as having significant
potential for fraud, waste, or abuse. We also included in the NPRM the
reasons a temporary enrollment moratorium could be lifted. The decision
to extend a moratorium would be based on the proposals in the NPRM and
would take into account the extent to which the conditions
necessitating the moratorium were still present.
Comment: A commenter requested clarification regarding the term
``geographic area'' as it is used in proposed Sec. 424.530(a)(10).
Response: The geographic area referred to in Sec. 424.530(a)(10)
is the region that is under a temporary enrollment moratorium. For
example, this may constitute a county, a number of counties, state, a
number of states, regions, or MSAs.
Comment: A commenter expressed support for CMS's proposal to impose
a temporary moratorium on the enrollment of new providers or provider
types in a geographic location to prevent fraud and abuse. However, the
commenter urged CMS to ensure that such moratoria do not prevent health
care providers in the geographic

[[Page 5921]]

location from enrolling as an ordering/referring provider, as a
moratorium may impair these practitioners from providing Medicare
beneficiaries with needed care.
Response: We take seriously our responsibility to assure that all
Medicare beneficiaries have access to the services and supplies they
need. As a part of this assurance, we would consider the implications
of a temporary enrollment moratorium for physicians and other eligible
professionals who order and refer services for Medicare. However,
enrollment moratoria imposed on provider types will not distinguish
between the enrollment purpose, that is, enrollment for the right to
bill Medicare versus enrollment solely to order and refer, unless
otherwise specified in the Federal Register. As stated previously, the
notice in the Federal Register will both discuss the issues associated
such the decision, and identify the provider types subject to the
temporary enrollment moratoria. We believe the rationale that supports
a decision to put a temporary enrollment moratorium in place for those
who bill Medicare should extend to those same types of providers who
seek to enroll to order and refer. In addition, the enrollment process
solely to order and refer was established by us for those provider
types that do not typically enroll in Medicare, such as dentists, other
government agency employees (such as the Department of Veterans
Affairs), and pediatricians. Therefore, it will be highly unlikely that
those who were seeking to enroll in order to bill Medicare will
similarly seek to enroll solely to order and refer. Regarding the
impact a temporary enrollment moratorium may have on beneficiary access
to needed care, we stated in the NPRM that we will assess Medicare
beneficiary access to the types of services that are furnished by the
provider or supplier type and/or within the geographic area to which
the moratorium would apply.
Comment: A commenter supported CMS's statement in the preamble to
the proposed rule that a moratorium shall not apply to a change of
practice location or to changes of ownership of existing providers or
suppliers.
Response: We agree and plan to finalize these provisions.
Comment: A commenter recommended that CMS establish a temporary
moratorium on the enrollment of slide preparation Facilities, since
these organizations are not authorized by the Congress to enroll in or
bill the Medicare program.
Response: It would be premature to identify in this rule any
provider or supplier type that might be subject to imposition of a
temporary enrollment moratorium. Should it be necessary to impose a
temporary enrollment moratorium on any provider or supplier type, we
will explain the reasons for the temporary enrollment moratorium in a
public notice in the Federal Register.
Comment: A commenter recommended that CMS develop and implement a
regulatory-defined process to utilize when determining whether or not
to mandate a moratorium. The process should effectively prevent any
negative impact in quality of and access to care for Medicare
beneficiaries or Medicaid program enrollees.
Response: We would consider a number of factors in deciding whether
to impose a temporary enrollment moratorium. These are spelled out in
the proposed rule and include: situations where: (1) CMS, based on its
review of existing data, identifies a trend that appears to be
associated with a high risk of fraud, waste or abuse, such as highly
disproportionate number of providers or suppliers in a category
relative to the number of beneficiaries or a rapid increase in
enrollment applications within a category determines that there is a
significant potential for fraud, waste or abuse with respect to a
particular provider or supplier type or particular geographic area or
both, (2) a State has imposed a temporary enrollment moratorium, or (3)
CMS in consultation with the Department of HHS Office of Inspector
General or the Department of Justice or both identifies either or both
a particular provider or supplier type or a particular geographic area
as having significant potential for fraud, waste, or abuse.
As mentioned elsewhere, we indicated in the NPRM that prior to
imposing a temporary enrollment moratorium we would assess Medicare
beneficiary access to the type(s) of services that are furnished by the
provider or supplier type and/or within the geographic area to which
the moratorium would apply. We also indicated that if a State has
determined that compliance with a Medicare imposed moratorium would
adversely impact Medicaid beneficiaries' or CHIP participants' access
to care, the State would not be required to comply with the moratorium.
We and the States take the assurance of adequate access seriously.
Comment: A commenter requested clarification as to the mechanism--
for instance, via the Federal Register--by which it will announce the
lifting of a temporary moratorium.
Response: We will announce the imposition of any temporary
enrollment moratorium via a notice published in the Federal Register.
We would also provide notice on our Web sites, listservs, and through
open door forums. Similarly, we would provide notice of the lifting of
a moratorium in the Federal Register. We would also provide notice on
our Web sites, listservs, and through open door forums.
Comment: A commenter mentioned that while the preamble of the
proposed rule states that CMS will announce a moratorium in the Federal
Register, the regulation text does not include a reference to Federal
Register. The commenter recommended that the regulation text match the
preamble language.
Response: We agree. We will ensure that the regulation text matches
the preamble and other portions of this document.
Comments: A commenter urged CMS to immediately impose the proposed
6 month moratorium on the new certification of HHAs and hospices in its
final rule with comment period, stating that there is a clear
relationship between rapid development of new home health and hospice
providers and the growth in fraud, abuse and waste. The commenter added
that this will allow some time for other initiatives and proposals in
the proposed rule to reduce fraud and abuse before hundreds of more
providers enter the already saturated home health and hospice programs.
For home health, the commenter stated that the moratorium should be
maintained until new home health conditions of participation (CoPs) are
implemented by CMS and other protections against referral abuse can be
implemented by the OIG. For hospices, the commenter recommended that
the moratorium be maintained until standardized hospice quality
measures and payment system reforms are implemented by CMS.
Response: It would be premature to identify any provider or
supplier type that might be subject to imposition of a temporary
enrollment moratorium, or the circumstances necessitating such an
action. Should it be necessary to impose a temporary enrollment
moratorium on any provider or supplier type, we will explain the
reasons for the temporary enrollment moratorium in a public notice in
the Federal Register. We specified in the NPRM examples of why a
moratorium would be imposed. ``Revisions to the HHA Conditions of
Participation'' is not among the examples we cited for the reason that
moratoria are focused on specific kinds of problems or areas, and are
to be temporary.

[[Page 5922]]

Comments: A commenter requested that CMS clarify the process for
timely notifying the State Medicaid agency of a moratorium imposition,
and whether the process will include advance notice.
Response: We will be issuing subregulatory guidance to assist
States with the operational aspect of implementing this provision in
the near future.
Comments: A commenter stated that while a temporary moratorium
might be reasonable in some limited situations, CMS should make such
decisions based on specialty, not on provider type; for instance, it
would be inappropriate for all DMEPOS suppliers to be put under such a
moratorium when fraud concerns do not include orthotists and
prosthetists.
Response: The ACA gives the Secretary broad authority to impose a
temporary enrollment moratorium. We believe that circumstances could
justify imposing a temporary enrollment moratorium on a category of
providers or suppliers and not a subset within a provider or supplier
type. As stated previously, the Secretary would explain the reasons for
the moratorium in a Federal Register notice.
Comment: A commenter stated that the proposed policies need to be
modified to accommodate newly enrolling physicians (and physicians
establishing new practice locations) in cases where a moratorium
relates to DMEPOS suppliers. In other words, if CMS or a State imposes
a moratorium on DMEPOS suppliers, the moratorium should not apply to
newly enrolling physicians (or physicians establishing a new practice
location) who are now also required to enroll as DMEPOS suppliers if
they wish to furnish DMEPOS to their own patients.
Response: In the example cited by the commenter, physicians
enrolled as physicians to provide medical care would not be subject to
a moratorium on DMEPOS suppliers. Only the new DMEPOS suppliers would
be subject to the temporary enrollment moratorium. Physicians would be
able to enroll in Medicare as physicians for the purpose of providing
medical care (or ordering or referring medical care or services). The
moratorium would only apply to the physician if he or she were newly
applying to be a DMEPOS supplier in the geographic area covered by the
moratorium.
Comment: A commenter suggested that CMS specify that a moratorium
will not be imposed unless: (1) There is significant risk of widespread
fraud, waste, or abuse in a specified and discrete geographic region,
and (2) clear and documented agency analysis showing that the
moratorium will not exacerbate health disparities or create additional
barriers for underserved communities. Also, CMS should include greater
specificity as to what conditions would warrant the imposition of a
moratorium and what factors would be considered to ensure that the harm
does not outweigh the benefit and will not have a disparate adverse
impact on racially and ethnically diverse beneficiaries and physicians.
Response: We appreciate the concerns expressed by the commenter and
we are also concerned about the issues of access and disparities. As
mentioned previously, we indicated in the proposed rule that prior to
imposing a temporary enrollment moratorium we will assess Medicare
beneficiary access to the type(s) of services that are furnished by the
provider or supplier type and/or within the geographic area to which a
moratorium would apply. We also indicated that if a State has
determined that compliance with a Medicare imposed moratorium would
adversely impact Medicaid beneficiaries' or CHIP participants' access
to care, the State would not be required to comply with the moratorium.
CMS and the States take the assurance of adequate access seriously. We
do not intend to impose a moratorium that would impede access to needed
services.
Comment: A commenter expressed concern that CMS's proposed
standards for implementing a temporary moratorium on new enrollment of
potentially high risk providers and suppliers is too broad, and that
CMS could impose a moratorium on new enrollment of all DMEPOS
suppliers, even though only a subset of suppliers or a particular
region or State poses a high risk of fraud. CMS should specify that it
will narrowly limit the moratoria to those provider types or those
narrow geographic regions that generate the fraud concerns. In
particular, the commenter stated that community pharmacies face the
danger that, in the midst of preparing to open up, CMS will impose a
moratorium. The commenter urged that the expansion of an existing
community pharmacy DMEPOS supplier does not pose a fraud risk and such
an expansion should not be subject to a possible moratorium. Another
commenter stated that CMS should adopt a more targeted approach to
moratoria that takes other relevant factors into consideration, such as
the history or trend in proven fraud and/or abusive practices for
specific types or categories of providers or suppliers. The commenter
believes that painting all providers and suppliers in a particular
geographic area with the same broad brush is too extreme a measure, and
that CMS should not use geography, by itself, as a determining factor
in imposing a temporary enrollment moratorium on all providers and
suppliers.
Response: As stated elsewhere in this document, we will publish a
notice in the Federal Register announcing imposition of a temporary
enrollment moratorium. This notice would contain a discussion of the
factors associated with the moratorium. Although there are clear
differences in the levels of fraud in different geographic areas of the
United States, geography by itself without any indication of a risk of
fraud, waste or abuse would not be a cause for a moratorium. Community
pharmacies generally enroll in Medicare as roster billers for purposes
of immunizations, and as such are listed in the limited risk level.
DMEPOS suppliers that are owned by a community pharmacy are enrolled in
Medicare as DMEPOS suppliers and are subject to the supplier standards
for DMEPOS suppliers (except accreditation under certain
circumstances). If we, on behalf of the Secretary, determine that a
moratorium is needed for any particular provider or supplier type or
geographic area or both, we would publish our rationale for the
moratorium in our Federal Register notice. Decisions to impose a
temporary enrollment moratorium would be made based on presenting
circumstances. It would not be appropriate to exclude any provider or
supplier category, for example, DMEPOS suppliers owned by community
pharmacies, from being subject to a moratorium if the circumstances
warrant the imposition of a temporary enrollment moratorium.
Comment: Several commenters recommended that CMS also be permitted
to lift a moratorium if the Secretary of HHS declares a public health
emergency in an area.
Response: The ACA gives the Secretary broad authority to impose
temporary enrollment moratoria as a means to combat fraud, waste or
abuse. The Secretary has considerable discretion to consider all
aspects of the impact of a possible temporary moratorium. In the NPRM
we proposed that the Secretary may lift a moratorium in the following
three circumstances: (1) The President declares an area a disaster
under the Robert T. Stafford Disaster Relief and Emergency Assistance
Act, (2) circumstances warranting imposition of moratorium have abated
or we have implemented safeguards to address the issue that was the
cause of such moratorium, or (3) in the judgment of the Secretary, the
moratorium is no

[[Page 5923]]

longer needed. Based on the comments received in response to the NPRM,
and consistent with the broad authority provided to the Secretary in
the Affordable Care Act, we have decided to add a public health
emergency declared by the Secretary under section 319 of the Public
Health Service Act to the list of circumstances the Secretary could
cite in lifting a moratorium. We would closely evaluate these
circumstances in the decision to continue a temporary enrollment
moratorium.
Comment: A commenter suggested that CMS include the restrictions
listed in the preamble regarding temporary moratoria in the regulation
text at Sec. 424.570.
Response: It is unclear which provisions included in the preamble
of the NPRM are of concern to the commenter. However, we will include
any provisions dealing with imposition of temporary enrollment
moratoria at Sec. 424.570.
Comment: A commenter asserted that new Sec. 424.570 is
inconsistent with the DMEPOS competitive bidding program. Under
competitive bidding, a company might win a contract in a competitive
bidding area (CBA) where a moratorium exists. If so, the company could
not alter its geographic locations to best serve the CBA. The commenter
requested that CMS in the final rule with comment period carefully
delineate how the competitive bidding program and the proposed
temporary moratoria requirements will intersect.
Response: All winners of DMEPOS competitive bidding contracts are
required to be enrolled in Medicare as a condition of their contract.
As a result, these suppliers would not likely be subject to a
moratorium on enrollment after they were awarded a contract, as they
would already be enrolled. However, in a situation where a competitive
bid winner applied to expand to a new practice location, the new
location would need to be enrolled in Medicare. If a moratorium were
imposed on DMEPOS suppliers in the area where the competitive bid
winner was attempting to enroll a new practice location, the
application would in all likelihood be denied based on the existence of
a moratorium.
Comment: The same commenter also suggested that: (1) Suppliers with
10 or more provider transaction account numbers (PTANs) be exempt from
Sec. 424.570 and (2) CMS allow exceptions for bona fide acquisitions
of assets belonging to an existing provider in the area for the
protection of the beneficiaries served by the selling provider.
Response: We will be applying the provisions of this rule to all
enrolled physicians, individual practitioners, providers and suppliers
regardless of the number of PTANs. In addition, as stated in the NPRM,
changes in ownership are not subject to moratoria. Moreover, the
provisions of this rule do not address the conditions under which a
provider or supplier can complete a bona fide acquisition of assets.
Comment: Several commenters stated that new locations of enrolled
suppliers should not be subject to a moratorium. Existing suppliers
with no history of fraud should not be constrained in their ability to
adjust their businesses to best meet the needs of beneficiaries;
indeed, beneficiary access could be impaired if new locations were
affected by a moratorium. Another commenter stated that applying a
moratorium to a new location should only occur when the supplier has an
objectively demonstrated history of fraud or for whom CMS has credible
evidence of fraud.
Response: As mentioned elsewhere in this document, a temporary
enrollment moratorium would not be imposed without adequate rationale.
The decision to impose a temporary enrollment moratorium would not be
made lightly and would only be pursued should one or more of the
conditions for imposing a temporary moratoria exist--as described in
the proposed rule. One factor for imposing a moratorium could be that--
as stated in the NPRM--there are a disproportionate number of providers
or suppliers relative to the number of beneficiaries. For example,
currently enrolled providers and suppliers that are trying to enroll in
or establish new practice locations in areas subject to a moratorium
that has been imposed because there is a disproportionate number of a
particular provider category relative to beneficiaries, should not be
exempt from the moratorium.
Comment: A commenter stated that given that the intensity of a
Certificate of Need program is designed to limit the number of
providers to match beneficiary need, an exception to a temporary
moratorium should be granted in the presence of such a program. Another
commenter agreed that an exemption to the moratorium should be given if
the State has a Certificate of Need program and the State determines
that there is a need for additional providers. Several commenters also
recommended exceptions to a moratorium when a provider is establishing
a branch location within its geographic service area. Branch locations
are subject to the oversight of the established parent location and
operate under the same Medicare provider number. Another commenter
stated that the addition of a branch office to an HHA is not the
equivalent of ``establishing a new practice location.''
Response: We have decided not to provide a link to State CON
programs because these programs vary in effectiveness and are subject
to different standards, coverage and regulations and are not focused on
fraud, waste or abuse prevention as would be a temporary enrollment
moratorium that is authorized in the ACA. To provide an exemption in
States with CON programs would require considerable effort to assure
that all provider types are afforded due process and equal treatment.
Accordingly, we did not propose an exemption from temporary enrollment
moratoria in States with CON programs. We plan to take into account the
impact a CON has on provider supply and beneficiary access when
deciding to impose a moratorium. Regarding the HHA branch offices, we
note that the extent to which the branch office is subject to a
moratorium depends on whether the branch office is to be enrolled
separately.
Comment: A commenter stated that the proposal to allow unlimited 6
month extensions without thorough documentation of supporting data
hardly makes the moratoria temporary and could pose a significant risk
to access to quality care for Medicare beneficiaries.
Response: The ACA gives the Secretary broad authority to impose a
temporary moratorium on the enrollment of new providers and suppliers
if the Secretary determines that a moratorium is necessary to prevent
fraud, waste or abuse in Medicare, Medicaid or CHIP. The statute did
not provide a specific time period for the duration of a moratorium.
After considerable discussion within CMS and HHS, the proposed rule was
published proposing that an initial temporary enrollment moratorium
would be imposed for a period of 6 months, with possible extensions in
6 month increments should the Secretary determine that the moratorium
was still needed. We proposed the 6 month duration because it would be
sufficiently long to enable an assessment of its impact on the
circumstances that the moratorium was designed to address, and would
afford us the opportunity to determine whether the circumstances
warranting the imposition of a temporary enrollment moratorium have
abated or whether we have implemented program

[[Page 5924]]

safeguards to address program vulnerabilities. The 6 month period would
also afford the Secretary reasonable opportunity to determine whether
the moratorium was no longer needed. With regard to the temporary
nature of a moratorium, we would note that the NPRM explicitly
indicated that an initial moratorium would be for a 6 month period, not
an indefinite period. Regarding the impact a temporary enrollment
moratorium would have on beneficiary access to needed care, we stated
in the NPRM that we will assess Medicare beneficiary access to the
types of services that are furnished by the provider or supplier type
and/or within the geographic area to which the moratorium would apply.
We take seriously our responsibility to assure that all Medicare
beneficiaries have access to the services and supplies they need. With
regard to extending moratoria, the statute confers on the Secretary the
responsibility and authority to make the judgment about the need for
moratoria--whether initial or an extension--if the circumstances
requiring the moratorium are still present.
Comment: A commenter stated that as part of the implementation of a
temporary moratorium and any extension thereof, CMS should publish data
and research that support their decision to impose the moratorium. The
data should be thorough and indicate the ``actual increased'' risk
rather than perceived risk for fraud and abuse, in addition to
supportive material data. Another commenter added that CMS should
ensure that beneficiary access is not curtailed in an area where a
moratorium is imposed.
Response: As stated earlier, the ACA gives the Secretary broad
authority to impose temporary enrollment moratoria when necessary to
prevent or combat fraud, waste or abuse. We will announce any temporary
enrollment moratoria in the Federal Register, including a discussion of
the issues associated with the decision to impose a temporary
enrollment moratorium. We are concerned about the effect imposition of
a temporary enrollment moratorium would have on beneficiary access, and
would consider access to care as one possible factor related to
imposition of a moratorium. The ACA specifically mentions access to
Medicaid services as a reason that States should consider in making
decisions to implement moratoria.
Comment: A commenter stated that the proposed rule should be
amended to state that a moratorium does not apply to instances where
the new provider is a result of a merger, change of ownership, or
consolidation. Also, the fact that the moratorium would not apply where
there is a change in practice location should be stated directly in the
rule.
Response: We agree. All of these instances are addressed in the
final rule with comment period.
Comment: A commenter requested that FQHCs be exempt from any
geographical moratoria established by CMS. FQHCs are required to
contract with State Medicaid and CHIP programs within certain specified
locations. Inclusion in a moratorium would force these FQHCs to provide
services without compensation.
Response: The ACA gives the Secretary authority to impose a
moratorium when necessary to combat fraud waste and abuse in Medicare,
Medicaid, or CHIP. Should there ever be a reason to impose a temporary
enrollment moratorium on FQHCs, we would need to be able to do so. As
mentioned previously, we indicated in the NPRM that prior to imposing a
temporary enrollment moratorium we would assess Medicare beneficiary
access to the type(s) of services that are furnished by the provider or
supplier type and/or within the geographic area to which the moratorium
would apply. We also indicated that if a State has determined that
compliance with a Medicare imposed moratorium would adversely impact
Medicaid beneficiaries' or CHIP participants' access to care, the State
would not be required to comply with the moratorium. We and the States
take the assurance of adequate access seriously.
Comment: The commenter also stated that Indian and Tribal providers
should be exempt from the temporary moratoria provisions, as their
programs are not viable without third-party revenue (especially
Medicare and Medicaid) and that a moratorium could impede the programs
and harm access to care.
Response: The ACA gives the Secretary authority to impose a
temporary enrollment moratorium when necessary to combat fraud, waste
and abuse in Medicare, Medicaid, or CHIP. Should there ever be a reason
to impose a temporary enrollment moratorium on Indian or Tribal
providers, we would need to be able to do so. As mentioned previously,
we indicated in the NPRM that prior to imposing a temporary enrollment
moratorium we would assess Medicare beneficiary access to the type(s)
of services that are furnished by the provider or supplier type and/or
within the geographic area to which the moratorium would apply. We also
indicated that if a State has determined that compliance with a
Medicare imposed moratorium would adversely impact Medicaid
beneficiaries' or CHIP participants' access to care, the State would
not be required to comply with the moratorium. We and the States take
the assurance of adequate access seriously.
Comment: A commenter stated that the moratorium exceptions should
be very limited. The commenter agreed with CMS's proposal for an
exemption for health crisis situations related to, for example, a
natural disaster. The commenter also recommended that exceptions should
be granted in areas: (1) With active CON programs, (2) not being served
by any provider or (3) where the provider(s) (other than the applicant
for the exception) attest that they lack the capacity to meet current
demand. Still, the commenter stated that exemptions should only be
granted in such exceptional circumstances and not become a vehicle for
routine circumvention of the moratorium.
Response: We agree with the intent of these comments. Temporary
enrollment moratoria must be considered carefully and the reasons for
their imposition must be clear. Prior to imposing a moratorium, we will
consider a number of factors, such as, any potential effect on access
to care for beneficiaries. CON programs are not factored in to CMS
decisions regarding exceptions.
Comment: A commenter requested clarification as to whether the
temporary moratoria provisions apply to managed care organizations.
Response: This provision does not apply to Medicaid managed care
entities. Medicaid risk based managed care is subject to contracts
between States and the managed care entities, and the States rely upon
those contracts to ensure that Medicaid beneficiaries have access to
providers and a choice of networks within the managed care programs the
State maintains. We would not impose moratoria on managed care programs
that could restrict the ability of States to ensure beneficiary access
and choice.
Comment: A commenter stated that an enrollment moratorium should
not apply to publicly traded companies, since CMS can look to the board
of directors and similar organizational structures to provide
appropriate oversight and accountability. Moreover, after a moratorium
is lifted, publicly traded providers and suppliers that were subject to
the moratorium should not be lifted to a high screening level; to do so
would be inconsistent with CMS's own statements in the preamble that
publicly traded providers and suppliers pose a limited risk.

[[Page 5925]]

Response: It would be inappropriate for us to identify any one
provider or supplier characteristic, such as being publicly traded, as
a basis for not being subject to a temporary enrollment moratorium. In
addition, as noted below, in the screening portion of this final rule
with comment period, we have decided not to draw a distinction between
publicly traded and other providers and suppliers. Should there ever be
a reason to impose a temporary enrollment moratorium in a geographic
area or on a particular provider or supplier category; we would need to
be able to do so. We cannot state that there will never be
circumstances that warrant imposition of a temporary enrollment
moratorium that will affect providers and suppliers that are publicly
traded or that these providers and suppliers will never be subject to a
temporary enrollment moratorium. We have in response to many comments
on this issue, has decided to eliminate the distinction between
publicly traded and non-publicly traded status as a determinant of
assignment of provider or supplier types to risk levels. Temporary
enrollment moratoria will not be imposed without adequate rationale for
how the moratorium would address fraud, waste and abuse in Medicare,
Medicaid and CHIP. Such moratoria would be imposed based on careful
analysis and assessment of circumstances that are present.
Comment: CMS, according to one commenter, states repeatedly that
the application of the temporary moratoria could be to either a
particular provider or supplier type or a particular geographic area.
The commenter urged CMS to reconsider whether it is appropriate to ever
apply moratoria on particular geographic areas for all provider and
supplier types--such as physicians, whom CMS assigns to the limited
level of screening. The commenter believes that physicians should be
exempt from geographic provider/supplier enrollment moratoria.
Response: We would not likely impose a temporary enrollment
moratorium on all provider and supplier types in a particular
geographic area particularly given the potential impact on beneficiary
access. However, if circumstances were to be such that a temporary
enrollment moratorium in a particular geographic area should apply to
all provider and supplier types in that area, we would need to be able
to impose such a moratorium. As stated elsewhere in this document, we
would publish notice of any moratorium and would include in the notice
the rationale for the imposition of a temporary enrollment moratorium.
Also, as stated earlier, we would consider access issues as well.
Comment: A commenter urged that the final rule with comment period
be revised to clarify that it is only to be used as an option of last
resort, when less onerous enforcement efforts have failed to reduce
program abuse by a significant number of providers or suppliers of the
same type. The commenter also stated that it should be imposed only if
there is irrefutable evidence of fraud, waste or program abuse by a
significant portion of the population of providers that are targeted by
the moratorium.
Response: The ACA gives the Secretary broad authority to impose
temporary enrollment moratoria in instances where the Secretary has
determined that the moratorium is necessary to combat fraud, waste or
abuse in Medicare, Medicaid or CHIP. A moratorium would not be imposed
without adequate justification. We would announce in the Federal
Register the imposition of any temporary enrollment moratorium and
would include a discussion of the issues associated with the decision
to impose the temporary enrollment moratorium.
In the NPRM, we did list circumstances that could lead to the
imposition of a temporary enrollment moratorium in situations where:
(1) Based on our review of existing data, identifies a trend that
appears to be associated with a high risk of fraud, waste or abuse,
such as when a highly disproportionate number of providers or suppliers
in a category relative to the number of beneficiaries or a rapid
increase in enrollment applications within a category is associated
with a significant potential for fraud, waste or abuse with respect to
a particular provider or supplier type or particular geographic area or
both, (2) a State has imposed a temporary enrollment moratorium, or (3)
CMS in consultation with the Department of HHS Office of Inspector
General or the Department of Justice or both identifies either or both
a particular provider or supplier type or a particular geographic area
as having significant potential for fraud, waste, or abuse. We also
included in the NPRM the reasons a temporary enrollment moratorium
could be lifted. The decision to extend a moratorium would be based on
the proposals in the NPRM and would take into account the extent to
which the conditions necessitating the moratorium were still present.
Comment: A commenter stated that CMS and Medicaid should be
permitted to extend a temporary moratorium by a maximum of one
additional 6 month period. Twelve months is more than a sufficient
amount of time for CMS to consider additional programmatic initiatives.
The commenter added that CMS's statement in the preamble that it
``would assess Medicare beneficiary access to the type(s) of services
that are furnished by the provider or supplier type and/or within the
geographic area to which the moratorium would apply'' before imposing a
moratorium, should be included in the regulatory text.
Response: We reserve the option to extend a temporary moratorium if
circumstances warrant the continuation. We do not want to limit our
ability to keep a temporary enrollment moratorium in place if
necessary. Conversely, if the Secretary determines that a moratorium is
no longer needed, consistent with the provisions of the proposed rule,
the moratorium could be lifted at any time. We have modified the
regulation text to make this clarification. We will consider safeguards
for beneficiary access related to the imposition of an enrollment
moratorium at Sec. 424.570.
Comment: A commenter stated that CMS should exempt new practice
locations from the moratoria and should limit the moratorium to newly-
enrolling providers and suppliers.
Response: Currently enrolled providers and suppliers that are
trying to establish additional new practice locations as a means to
enroll in areas that are subject to a moratorium, and the provider is
of the type for which the temporary enrollment moratorium is imposed,
should not be exempt from the moratorium. However, if an enrolled
provider or supplier is merely changing its practice location from a
current location to a new location--not an additional new location--
then that new location would not be subject to a temporary enrollment
moratorium.
Comment: A commenter stated that CMS should establish an
administrative appeals mechanism to address adverse determinations
based on the imposition of a temporary moratorium that would also
permit providers and suppliers to question whether CMS has an
appropriate statutory or evidentiary basis for imposing a temporary
moratorium.
Response: The ACA specifies that there is no judicial review under
sections 1869 and 1878 of the Act, or otherwise of the decision to
impose a temporary enrollment moratorium
However, as stated in the NPRM, we note that a provider or supplier
may use the existing appeal procedures at 42 CFR part 498 to
administratively appeal a denial of billing privileges based on the
imposition of a temporary moratorium.

[[Page 5926]]

Comment: One commenter stated that CMS should allow exceptions to
the moratorium, such as: (1) A low ratio of the provider or supplier
type to the number of beneficiaries in the targeted area, (2) pandemics
and other threats to beneficiary health that would be served by the
provider or supplier type, and (3) other circumstances as the Secretary
or the State Medicaid director determine are in the best interests of
the program.
Response: As discussed previously, the ACA gives the Secretary
broad authority to impose temporary enrollment moratoria. We also
stated earlier that we listed in the NPRM circumstances that could lead
to the imposition of a temporary enrollment moratorium in situations.
We also indicated in the NPRM that prior to imposing a temporary
enrollment moratorium we would assess Medicare beneficiary access
issues. And we indicated that if a State has determined that compliance
with a Medicare imposed temporary enrollment moratorium would adversely
impact Medicaid beneficiaries', or CHIP participants' access to care,
the State would not be required to comply with the temporary enrollment
moratorium. We and the States take the assurance of adequate access
seriously.
Comment: A commenter believes that CMS moratoria authority was
open-ended to the point where CMS could, towards the end of a fiscal
year, announce the suspension of provider enrollment in a variety of
categories not to stem fraud and abuse, but rather to achieve some
budgetary goal of reducing Medicare expenditures. The commenter
requested that CMS clarify: (1) Who will decide what constitutes a
highly disproportionate number of providers relative to the number of
beneficiaries, (2) the standards that will be used to determine the
number of providers necessary relative to the number of beneficiaries,
and (3) whether this is a de facto return of the certificate of need
process.
Response: We proposed and sought comments on factors that would
have to be in place to impose a temporary enrollment moratorium,
including identifiable trends in CMS data, State imposition of a
moratoria, or consultation with the Office of Inspector General or the
Department of Justice. The ACA requires that any moratorium imposed be
implemented to reduce fraud, waste and abuse in the Medicare, Medicaid
and CHIP programs. Additionally, we will not deny any enrollment for
which the Medicare enrollment contractor has completed review of the
application and has determined that the provider or supplier meets all
the requirements for enrollment and all that remains is to assign
appropriate billing number(s) and enter the provider or supplier into
PECOS. Actively enrolled providers and suppliers will still be
reimbursed for claims for services that are provided, and reimbursement
would be at levels preceding the moratoria. The process for imposing a
moratorium in this rule provides no opportunity for us to use the
temporary enrollment moratoria to stop payments to enrolled providers
and suppliers, and there is no intention for us to use temporary
moratoria for purposes other than the ones authorized under the ACA.
Additionally, as stated previously, we would provide notice in the
Federal Register of the imposition of a temporary enrollment moratorium
and would include a discussion of the issues associated with the
decision to impose a temporary enrollment moratorium. We will decide
what constitutes a disproportionate number of providers relative to
beneficiaries. We indicated in the NPRM that prior to imposing a
temporary enrollment moratorium we would assess Medicare beneficiary
access to the type(s) of services that are furnished by the provider or
supplier type and/or within the geographic area to which the temporary
enrollment moratorium would apply. As a part of this process, we would
examine the levels of providers in a given area and make a judgment
about whether any temporary enrollment moratorium would adversely
affect the delivery of needed services to beneficiaries. Regarding
Certificate of Need processes, we would note that a number of States
use the CON process. We have stated elsewhere in this document that we
have not linked this proposed rule to the CON process. The CON programs
vary in effectiveness and coverage and are subject to different
standards and regulations. If there were a need to impose a temporary
enrollment moratorium in any part of a State that has a CON
requirement, we would impose the temporary enrollment moratorium in
that part of the State, as needed.
Comment: A commenter stated that CMS should exclude from any
moratoria those providers and suppliers: (1) Assigned to the limited
level of screening, and (2) that have completed and passed a State
licensure process. Another commenter urged that a moratorium be applied
only to providers included within the moderate or high screening
levels, and then only after: (1) Appropriate appeals measures have been
established, and (2) CMS has addressed any beneficiary access to care
issues.
Response: The ACA provides that the Secretary can impose a
moratorium if she decides that it is necessary to combat fraud, waste
or abuse. Accordingly the decision to impose a temporary enrollment
moratorium will be based on a variety of factors, including the
potential risk of fraud in the Medicare program that could be posed by
a particular category of provider or supplier in a specific geographic
area. The ACA gives the Secretary authority to impose a moratorium when
necessary to combat fraud waste and abuse in Medicare, Medicaid, or
CHIP. Should there ever be a reason to impose a temporary enrollment
moratorium on any category of providers or suppliers, we would need to
be able to do so--regardless of the screening level to which they were
assigned as part of the provider and supplier screening process
described in this regulation. We cannot state that providers and
suppliers in the ``limited'' screening level will never be subject to a
temporary enrollment moratorium. Nor are we prepared to state that
providers or suppliers that are licensed would never be subject to a
temporary enrollment moratorium. With regard to access to care, we
indicated in the NPRM that prior to imposing a temporary enrollment
moratorium we would assess Medicare beneficiary access to the type(s)
of services that are furnished by the provider or supplier type and/or
within the geographic area to which the temporary enrollment moratorium
would apply. We also indicated that if a State has determined that
compliance with a Medicare imposed temporary enrollment moratorium
would adversely impact Medicaid beneficiaries', or CHIP participants'
access to care, the State would not be required to comply with the
temporary enrollment moratorium. We and the States take the assurance
of adequate access seriously.
Comment: A commenter stated that while the preamble mentions that
advanced notice of a moratorium will be given, this is not specified in
the regulation text. The commenter stated that the text should be
amended to reflect the advanced notice requirement.
Response: The preamble to the proposed rule says that we will
announce the imposition of a temporary enrollment moratorium in the
Federal Register. The preamble does not say we will give advance
notice. We have stated in response to other comments that we do not
think we should provide advance notice as this may foster an increase
in applications for enrollment in an

[[Page 5927]]

attempt to circumvent the intent of the temporary enrollment
moratorium. Accordingly, we did not include any language about advance
notice in the regulation text.
Comment: A commenter requested clarification as to what the term
``significant potential for fraud'' means in the context of the
moratorium and the datasets that will be used to determine whether such
a trend exists.
Response: We offered examples in the NPRM of the kinds of
circumstances that might warrant imposition of a temporary enrollment
moratorium. We plan to draw on data and information from many sources
in coming to a decision about imposition of temporary enrollment
moratoria--including existing CMS claims and enrollment data as well as
other public data as well as data from our contractors or from law
enforcement entities.
Comment: A commenter noted that CMS proposes to allow a Medicare
enrollment moratorium where a State Medicaid program has imposed a
moratorium on a group of providers who are also eligible to enroll in
Medicare. The commenter stated that the proposal does not clarify
whether CMS intends for such a moratorium to apply only to those
providers within the affected State or whether that moratorium could
apply nationwide in the event that the moratorium pertains to provider
type. The commenter believes that for a State-imposed moratorium to
have such a drastic effect across the country without evidence of a
nationwide problem would be an overly broad and unnecessary imposition
of CMS authority, and urged CMS to craft this provision more narrowly.
Response: We agree that imposing a moratorium on a national level
based on one State's action in its State would be an unnecessarily
broad action for us to take. The intent of that provision in the NPRM
was to afford Medicare the option to adopt a State moratorium in a
State or part of a State if appropriate.
Comment: A commenter stated that in the case of a moratorium, CMS
and the States should explain their actions and provide an opportunity
for notice and comment.
Response: We have said that we plan to provide notice of imposition
of a temporary enrollment moratorium in the Federal Register,
explaining the rationale for the imposition. We will not be providing
an opportunity for comment prior to the imposition of a temporary
enrollment moratorium, because it is not a rulemaking effort. Moreover,
we think that providing advance notice of a temporary enrollment
moratorium might foster a spike in enrollment applications from
providers or suppliers that would be subject to the moratorium. If we
determine that a temporary enrollment moratorium is needed, we would
not want to provide opportunities for providers and suppliers to
circumvent the moratorium's purpose.
Comment: A commenter recommended that CMS impose a temporary
moratorium nationally on any Medicare-certified HHAs. As an
alternative, the commenter suggested a moratorium in any State without
either HHA licensure or a certificate of need, or in any State where
the growth in new HHAs in the most recent 4 years has exceeded 15
percent.
Response: At this time, we are not contemplating the imposition of
national moratoria. Moreover, it would be premature to identify any
provider or supplier type that might be subject to imposition of a
temporary enrollment moratorium. Should it be necessary to impose a
temporary enrollment moratorium on any provider or supplier type, we
will explain the reasons for the temporary enrollment moratorium in a
public notice in the Federal Register.
Comment: One commenter stated that while they are in agreement with
the proposal that State Medicaid agencies should have the authority to
impose temporary moratoria on the enrollment of new providers or impose
numerical caps or other limits on the providers assigned to the high
screening level by the Secretary, the State Medicaid agency should also
be allowed the discretion to identify providers that are high risk by
State standards.
Response: We agree that the State Medicaid agency has the
discretion to identify providers that are high risk by State standards.
However, section 1902(kk)(4)(B) of the Act explicitly states that the
designation of ``high risk'' providers for purposes of this provision
must be made by the Secretary. Thus, we are finalizing the requirement
that when a State Medicaid agency identifies a category of providers
that are high risk of fraud, waste or abuse by State standards, the
State must seek our concurrence with that assignment prior to imposing
any type of moratoria, numerical caps or other limits on the enrollment
of these providers.
Comment: One commenter requested that the rule be clarified to
allow a State to complete any provider enrollment initiated prior to a
Federally imposed moratorium.
Response: If a moratorium is deemed necessary, then we believe that
all unenrolled providers should be subject to the moratorium. However,
we would not require the State to deny any enrollment for which the
State has completed its review of the enrollment application and has
made a determination that the provider meets all requirements for
enrollment.
Comment: A few commenters requested additional information
regarding the process that should be used by State Medicaid agencies to
notify CMS that imposition of a temporary moratorium would adversely
impact beneficiaries' access to medical assistance, including the
documentation that will be required and the standards CMS will use for
its review.
Response: We believe that additional information regarding the
operational processes that should be used by States regarding temporary
moratorium are more appropriately addressed in subregulatory guidance.
We will be issuing subregulatory guidance to assist States with the
operational impact of implementing this provision in the near future.
Comment: Regarding State ``identification'' of providers with a
``significant potential for fraud, waste or abuse,'' one commenter
asked that documentation of the significant risk be required, as well
as a description of the rationale used to arrive at numerical caps or
other limits on enrollment of that provider type.
Response: Consistent with section 1902(kk)(4)(B) of the Act, when a
State Medicaid agency identifies a category of providers that is high
risk by State standards, the State must seek our concurrence with that
designation prior to imposing any type of moratorium, numerical cap or
other limit on the enrollment of these providers. We will expect the
State to provide rationale and justification for assigning providers to
the high screening level when seeking our concurrence. We will be
issuing subregulatory guidance to assist States with the operational
aspect of implementing this provision in the near future. We agree a
temporary enrollment moratorium should be imposed only with adequate
rationale. A temporary enrollment moratorium on any category of
provider that a State identifies as posing a significant potential for
fraud, waste, or abuse, should be supported by adequate rationale to
justify the imposition of a temporary moratorium, numerical caps or
other limits on enrollment of that provider type.
Comment: One commenter requested that CMS add an exception where
the State has other measures in place that adequately control for the
potential fraud, waste, and abuse that is the basis for the proposed
moratorium.

[[Page 5928]]

Response: The ACA does not allow us to grant such an exception to
States even when the State has other fraud controls in place.
Additionally, we believe this additional program integrity safeguard is
necessary to prevent loss to Medicare, Medicaid and CHIP programs when
existing safeguards have not prevented an emergent trend in fraudulent,
wasteful, or abusive practices. We believe the authority to impose
temporary enrollment moratorium when appropriate will be a useful tool
for both CMS and the States.
Comment: Several commenters requested clarification regarding
whether this requirement applies to Medicaid managed care. These
commenters specifically asked CMS to provide an explicit exception to
temporary moratoria for Medicaid managed care entities so to ensure
that the adequacy of these plans' provider networks is not compromised
and in turn, impede beneficiary access to care.
Response: As stated previously, this provision does not apply to
Medicaid managed care entities. Medicaid risk based managed care is
subject to contracts between States and the managed care entities, and
the States rely upon those contracts to ensure that Medicaid
beneficiaries have access to providers and a choice of networks within
the managed care programs the State maintains. We would not impose
moratoria on managed care programs that could restrict the ability of
States to ensure beneficiary access and choice.
Comment: One commenter requested the development of a process for
an individual provider exemption from a moratorium or, in the
alternative, the establishment of a more focused process for imposing
any necessary moratoria.
Response: As mentioned previously, we will take action to impose a
temporary moratorium only if justified. Accordingly, the decision to
impose a temporary enrollment moratorium will be based on the potential
risk of fraud, waste or abuse in the Medicare or Medicaid programs.
Comment: A commenter stated that CMS, should it proceed with this
proposed rule, must introduce much better controls to limit over-
reaching and to assure providers due process rights. The commenter
cited CMS's proposed ability to impose a temporary enrollment
moratorium on potentially high risk providers and suppliers with no
rights of judicial review of the agency's decision. The commenter
stated that the absence of defined rights for orthotic and prosthetic
suppliers in the proposed rule could, in some instances, appear to be a
Federal ``taking'' without due process.
Response: As stated previously, we will provide a discussion of the
factors for imposing a moratorium on a case by case basis when the
notice of such a moratorium is published in the Federal Register. If a
provider or supplier's billing privileges are denied due to the
imposition of a temporary enrollment moratorium, the denial of billing
privileges can be challenged administratively through the existing
enrollment appeal procedures at 42 CFR part 498. Further, we disagree
with the commenter's characterization of a temporary moratoria of
newly-enrolling providers and suppliers as a Federal ``taking.''
4. Final Temporary Moratoria on Enrollment of Medicare Providers and
Suppliers, Medicaid and CHIP Provisions
This final rule with comment period finalizes the provision of the
proposed rule in regards to the temporary enrollment moratoria with the
following exceptions:
In Sec. 424.570, we modified our proposal as follows:
Added language to clarify that we will fully assess the
impact of a temporary enrollment moratorium would have on beneficiary
access to services that will be subject to the temporary enrollment
moratorium at Sec. 424.570(a).
Added language that specifies we will announce any
temporary enrollment moratorium in a notice in the Federal Register
that will include the rational for the imposition of the moratorium,
the particular provider or supplier type or the establishment of new
practice locations of a particular type in a particular geographic area
at Sec. 424.570(a).
Added language to clarify that Medicare contractor will
deny enrollment applications from a provider or supplier subject to a
moratorium specified in paragraph (a) including providers and suppliers
with pending enrollment applications, EXCEPT such applications that
have been approved by the enrollment contractor before the imposition
of a moratorium at Sec. 424.530(a)(10).
Added language that adopts a public commenter's proposal
that the Secretary may lift a temporary enrollment moratorium in the
event of a public health emergency in the affected geographic area at
Sec. 424.570(d).
Added language that specifies we will publish notice of
lifting the moratorium in the Federal Register at Sec. 424.570(d).

D. Suspension of Payments

1. Medicare
a. Background
In section 6402(h) of the ACA, the Congress amended section 1862 of
the Act by adding a new paragraph (o), under which the Secretary may
suspend payments to a provider or supplier pending an investigation of
a credible allegation of fraud unless the Secretary determines that
there is good cause not to suspend payments. This section requires that
the Secretary consult with the HHS OIG in determining whether there is
a credible allegation of fraud against a provider or supplier. For
purposes of this Medicare payment suspension regulation, we will refer
to providers and suppliers collectively as ``providers''.
b. Previous Medicare Regulations
We have long been authorized to suspend payments in cases of
suspected fraudulent activity. On December 2, 1996, we finalized
regulations Sec. 405.370 through Sec. 405.379 that provides for
suspension of payments to providers for several scenarios, including
when we possess reliable information that fraud or willful
misrepresentation exists. The rule provides that we may suspend
payments to a provider in whole or in part based upon possession of
reliable information that an overpayment or fraud or willful
misrepresentation exists or that the payments to be made may not be
correct, although additional evidence may be needed for a
determination.
The existing rule provides that a suspension of payments is limited
to 180 days, unless it meets one of several exceptions. A Medicare
contractor may request a one-time only extension of the suspension
period for up to 180 additional days if it is unable to complete its
examination of the information that serves as the basis for the
suspension. Also, OIG or a law enforcement agency may request a one-
time only extension for up to 180 additional days to complete its
investigation in cases of fraud and willful misrepresentation. The rule
provides that these time limits do not apply if the case has been
referred to and is being considered by the OIG for administrative
action, such as civil monetary penalties. We may also grant an
extension beyond the 180 additional days if DOJ requests that the
suspension of payments be continued based on the ongoing investigation
and anticipated filing of criminal or civil actions. The DOJ extension
is limited to the amount

[[Page 5929]]

of time needed to implement the criminal or civil proceedings.
c. Proposed Medicare Suspension of Payments Requirements
Section 6402(h) of the ACA requires that the Secretary consult with
the OIG in determining whether there is a credible allegation of fraud
against a provider. If a credible allegation of fraud exists, the
Secretary may impose a suspension of payments pending an investigation
of the allegations, unless the Secretary determines that there is good
cause not to suspend payments. We proposed to revise Sec. 405.370 to
add a definition of what constitutes a ``credible allegation of
fraud,'' to include an allegation from any source, including but not
limited to fraud hotline complaints, claims data mining, patterns
identified through provider audits, civil False Claims Act, and law
enforcement investigations. Allegations are considered to be credible
when they have indicia of reliability. Many issues related to this
definition will need to be determined on a case-by-case basis by
looking at all the factors, circumstances and issues at hand. We
continue to believe that CMS or its contractors must review all
allegations, facts, and information carefully and act judiciously on a
case-by-case basis when contemplating a payment suspension, mindful of
the impact that payment suspension may have upon a provider.
We received the following comments:
Comment: We received numerous comments suggesting that the proposed
definition of ``credible allegation of fraud'' was ambiguous and fails
to detail a precise evidentiary standard that CMS and OIG will employ
in determining if a payment suspension is warranted. Commenters were
also concerned that including fraud hotline complaints as a source of
allegations would inevitably lead to disingenuous allegations from
competitors and/or disgruntled former employees that would lead to
unjustified payment suspensions.
Response: We did not intend to detail a precise evidentiary
standard in this definition; rather we intended to give examples of the
typical sources of allegations of fraud and explain that assessing the
reliability of an allegation is a process that will occur on a case-by-
case basis. CMS and OIG fully understand the need to act judiciously
when corroborating information and investigating allegations of fraud,
especially when the source of the allegation is an anonymous fraud
hotline complaint. The statutorily required consultation between CMS
and the OIG prior to implementing a payment suspension will provide
ample opportunity for the credibility of an allegation to be assessed
and for a preliminary investigation into the allegation of fraud to
occur sufficient to meet a reasonable evidentiary standard.
We additionally proposed modifying the existing Sec. 405.370 to
add a definition for ``resolution of an investigation.'' The ACA
provides for the suspension of payments pending the investigation of a
credible allegation of fraud, and we believe that this provision
necessitates defining when an investigation has concluded and the basis
for the suspension of payments no longer exists. The definition
proposed in the proposed rule and finalized here is that a resolution
of an investigation occurs when legal action is terminated by
settlement, judgment, or dismissal, or when the case is closed or
dropped because of insufficient evidence. We solicited comments on an
alternative definition of the term ``resolution of an investigation''
which is that it occurs when a legal action is initiated or the case is
closed or dropped because of insufficient evidence to support the
allegations of fraud. We did not receive any comments that specifically
addressed a preference for either of these definitions.
We proposed modifying the existing Sec. 405.371(a) to
differentiate between suspensions based on either reliable information
that an overpayment exists or that payments to be made may not be
correct, and suspensions based upon a credible allegation of fraud. As
required by the ACA, we proposed in this section that CMS or its
contractor must consult with the OIG, and as appropriate, the
Department of Justice (DOJ) in determining whether a credible
allegation of fraud exists prior to suspending payments on the basis of
alleged fraud.
We also proposed in accordance with the ACA that we retain
discretion regarding whether or not to impose a suspension or continue
a suspension, as there may be good cause not to suspend payments or not
to continue to suspend payments to providers or suppliers in certain
circumstances. We proposed to add a new Sec. 405.371(b) to describe
circumstances that may qualify as good cause not to suspend payments or
not to continue to suspend payments despite credible allegations of
fraud.
In paragraph (b)(1), we proposed a good cause exception based upon
specific requests by law enforcement that CMS not suspend payments.
There are numerous reasons for which law enforcement personnel might
make such a request, including that imposing a payment suspension might
alert a potential perpetrator to an investigation at an inopportune or
particularly sensitive time, jeopardize an undercover investigation, or
potentially expose whistleblowers or confidential sources.
In paragraph (b)(2), we proposed a good cause exception not to
suspend payments if we determine that beneficiary access to necessary
items or services may be jeopardized. We envision there may be
scenarios in which a payment suspension to a provider might jeopardize
a provider's ability to continue rendering services to Medicare
beneficiaries whose access to items or services would be so jeopardized
as to cause a danger to life or health.
In paragraph (b)(3) of the proposed rule, we proposed a good cause
exception not to suspend payments if CMS determines that other
available remedies implemented by or on behalf of CMS more effectively
or quickly protect Medicare funds than would implementing a payment
suspension. For example, law enforcement personnel might request that a
court immediately enjoin potentially unlawful conduct or prevent the
withdrawal, removal, transfer, disposal, or dissipation of assets,
either or both of which might protect Medicare funds more fully or
quickly than would imposition of a payment suspension.
More generally, in paragraph (b)(4) of the proposed rule, we
proposed a good cause exception based upon a determination by us that a
payment suspension or continuation of a payment suspension is not in
the best interests of the Medicare program. We further proposed that we
will conduct an evaluation of whether there is good cause not to
continue a suspension every 180 days after the initiation of a
suspension based on credible allegations of fraud. We believe that
circumstances surrounding a specific case may change as an
investigation progresses, and it may become in the best of interests of
the Medicare program to terminate a payment suspension prior to the
resolution of an investigation. As part of this ongoing evaluation, we
will request a certification from the OIG or other law enforcement
agency as to whether that agency continues to investigate the matter.
We considered additional specific circumstances and scenarios that
may qualify as good cause not to continue a payment suspension prior to
the resolution of an investigation, and solicited comments on this
approach. For example, one scenario that we considered as additional
good cause not to continue a suspension is when a

[[Page 5930]]

suspension has been in place for a specific length of time, such as 2
years or 3 years, and the investigation has not been resolved. We
anticipated that on a case by case basis, we would evaluate the status
of a particular investigation and the nature of the alleged fraud in
determining whether keeping a payment suspension in effect beyond a
certain length of time may not be in the best interests of the Medicare
program. We chose not to propose specific language on duration in the
regulatory text. However, we solicited comment on this approach.
Comment: Numerous commenters supported an additional good cause
exception not to continue a payment suspension when the accompanying
investigation continued beyond a certain length of time. Several
commenters supported this exception, however most believe that 2 years
or 3 years was much too long for a suspension to be in effect and the
length of time associated with this good cause exception should be much
shorter.
Response: We agree with the commenters who support the additional
good cause exception not to continue a payment suspension when an
investigation has continued beyond a certain length of time, in certain
cases. We believe that 18 months is the appropriate timeframe for a
good cause-based exception beyond which a payment suspension ought not
continue except under certain limited circumstances. Therefore, good
cause not to continue a payment suspension beyond 18 months shall be
deemed to exist unless one of two specific criteria is met. The first
of these criteria is if the case has been referred to, and is being
considered by, the OIG for administrative action (for example, civil
money penalties) or such administrative action is pending. The second
of these criteria is if the Department of Justice submits a written
request to CMS that the suspension of payments be continued based on
the ongoing investigation and anticipated filing of criminal and/or
civil actions or based on a pending criminal and/or civil action. We
are adopting these two law enforcement specific scenarios that will
serve as the criteria for extending a payment suspension beyond 18
months and are based upon the longstanding criteria for extending
suspensions found in the Medicare payment suspension regulations.
We proposed modifying the existing Sec. 405.372 to reflect the
changes made in Sec. 405.371 which divides the payment suspension
authority into situations involving overpayments and situations
involving allegations of fraud. In Sec. 405.372(c) we clarify the
subsequent action requirements to distinguish between suspensions based
on credible allegations of fraud and those that are based on other
factors, such as overpayments. For suspensions that are not based on
credible allegations of fraud, CMS and its contractors will continue to
take timely action to obtain additional information needed to make an
overpayment determination and make all reasonable efforts to expedite
the determination. Once the determination is made, notice of the
determination will be given to the provider or supplier and the payment
suspension will be terminated. If the payment suspension is based on
credible allegations of fraud, CMS and its contractors will take
subsequent action to determine if an overpayment exists or if the
payments may be made, however the termination of the suspension and the
issuance of a final determination notice to the provider or supplier
may be delayed until resolution of the investigation. At the end of the
fraud investigation, it is possible that the Medicare contractor will
not have completed its overpayment determination, but will have
reliable evidence of an overpayment or will have evidence that the
payments to be made may not be correct. This typically occurs when a
law enforcement investigation results in civil or criminal resolution
prior to the Medicare contractor having had sufficient time to complete
its overpayment determination. In such a situation, we would allow the
suspension to continue as an overpayment suspension.
We proposed modifying the existing Sec. 405.372(d) concerning the
duration of suspension of payment. In Sec. 405.372(d)(3) we except
suspensions based on credible allegations of fraud from the established
time limits specified in paragraphs (d)(1) and (d)(2). We believe the
strict time constraints found in paragraphs (d)(1) and (d)(2) should
only be applied to suspensions based on reliable information of an
overpayment or where payments to be made may not be correct, both of
which require a speedy overpayment determination. When credible
allegations of fraud are present, we believe we should have the
flexibility to maintain a suspension beyond these established time
limits in order for an investigation to be completed or the matter to
be resolved. However, we noted that by excepting suspensions based on
credible allegations of fraud from these previously established
timeframes, we do not intend to suspend payments to providers and
suppliers indefinitely. We will be actively evaluating the progress of
any investigation to determine if good cause exists to no longer
continue the suspension of payments, as suspensions are designed to be
a temporary measure. As part of this recurring evaluation, we will
request a certification from the OIG or other law enforcement agency
that the matter continues to be under investigation.
We also proposed eliminating the two other existing scenarios in
paragraph (d)(3) for extending payment suspensions beyond the time
limits in paragraphs (d)(1) and (d)(2), which are when the OIG is
considering administrative action such as civil monetary penalties and
also when the DOJ requests an extension based on an ongoing
investigation and the anticipated filing of criminal and/or civil
actions. We have removed these two scenarios from the existing duration
provisions in Sec. 405.372(d), however we have added similar criteria
for extending suspensions to the good cause criteria at Sec. 405.371
(b)(3), based on these law enforcement scenarios.
Comment: We received numerous comments raising concern over the
perceived lack of due process afforded to the provider community in
this proposed rule and numerous comments suggesting that more attention
needs to be paid to establishing clear criteria for suspensions and
basic due process rights before implementing this provision. Commenters
also pointed out that the ACA does not mandate a deadline for
implementing this policy and commenters recommend we withdraw the
suspension provision from the final rule with comment period and work
to develop defined standards with meaningful due process protections.
Response: We believe that the proposed rule affords providers who
have had their payments suspended based on credible allegations of
fraud ample opportunity to submit information to us in the established
rebuttal statement process to demonstrate their case for why a
suspension is unjustified. We believe that the criteria for suspension
of payments are clear. We reiterate that this authority will be
exercised judiciously by CMS, in consultation with the OIG, and that
only in the most egregious cases will payment suspensions last longer
than the previously established timeframes for payment suspensions. We
will not withdraw the suspension provision from the final rule with
comment period as we believe the due process

[[Page 5931]]

protections are more than adequate and the evidentiary standards for
payment suspensions cannot be more precisely defined.
Comment: A commenter suggested that the proposed rule lacks
specificity around the required consultation between CMS and the OIG
and the DOJ and asked which entity ultimately decides whether an
allegation is credible and whether a unanimous determination is
required.
Response: We retain the ultimate authority regarding whether or not
a payment suspension will be implemented in a given case. The mechanics
of the consultation between CMS and our law enforcement partners to
determine the credibility of allegations will be detailed in a
Memorandum of Understanding between the respective agencies and we do
not believe it is appropriate to detail this process in the final rule
with comment period.
Comment: A commenter questions why there is no defined time
requirement for CMS to provide written notice of a suspension that was
imposed without prior notice, similar to the time limits required of
States in the Medicaid payment suspension rule.
Response: The Medicare and Medicaid payment suspension rules need
not mirror each other in every respect. We have long suspended payments
without prior notice to providers in cases of suspected fraud and have
an established track record for providing written notice to providers
as soon as is practicable after implementing a suspension. We do not
believe it is necessary to impose a strictly defined time period for
providing notice to providers who were suspended without prior notice
based on credible allegations of fraud, and we do not believe that a
30, 60, or 90 day limit is necessary as in nearly all historical cases
we have provided notice to providers well within these suggested time
limits.
Comment: One commenter expressed concern over CMS treatment of
payment suspensions in the cases of overpayments without credible
allegations of fraud and pointed out that there are a multitude of
scenarios under which physicians might be overpaid due to inadvertent
billing errors or Medicare contractor claims processing errors that are
no fault of the provider.
Response: We believe that we must retain the ability to suspend
payments in both cases of potential fraud and cases that do not involve
potential fraud but are based solely on potential overpayments. We have
long had the authority to suspend payments without evidence of fraud
but historically have not often used the suspension tool in these
cases. We will determine on a case-by-case basis whether a suspension
of payments is appropriate in cases that do not involve fraud, and
factors such as Medicare contractor claims processing errors and
provider billing history are certainly considered.
Comment: One commenter requested that CMS provide clarification on
whether the proposed rule's suspension provisions apply to the Medicare
Part D program and suggested that the proposed rule seems to conflict
with legislation and CMS promulgated rules regarding prompt payment of
Medicare Part D claims.
Response: The Medicare payment suspension authority is applicable
to providers under both the Part A and Part B programs. Separate
authorities are available to address potential fraud by plans
participating in the Part C and D programs.
Comment: One commenter believes that Federally Qualified Health
Centers (FQHCs) should be exempted from the potential application of
the suspension of payments because payment to FQHCs is premised on
reimbursement of reasonable costs and FQHCs are subject to an annual
reconciliation process under which surplus payments in excess of
reasonable Medicare costs are returned to the CMS contractor.
Response: All providers in Medicare Part A and Part B are subject
to the payment suspension provisions, regardless of the method of
reimbursement. The annual reconciliation process under which surplus
payments are returned does not necessarily account for credible
allegations of fraud and we reserve the right to impose a payment
suspension on any provider for whom there is a credible allegation of
fraud.
We are adopting the provisions of the proposed rule, with one
exception. In Sec. 405.371(b)(3), we state that good cause shall be
deemed to exist to not continue to suspend payments if a payment
suspension has been in effect for a period of 18 months unless certain
conditions are met.
2. Medicaid
a. Background
In section 6402(h) of the ACA, the Congress amended section
1903(i)(2) of the Act to provide that Federal Financial Participation
(FFP) in the Medicaid program shall not be made with respect to any
amount expended for items or services (other than an emergency item or
service, not including items or services furnished in an emergency room
of a hospital) furnished by an individual or entity to whom a State has
failed to suspend payments under the plan during any period when there
is pending an investigation of a credible allegation of fraud against
the individual or entity as determined by the State in accordance with
these regulations, unless the State determines in accordance with these
regulations that good cause exists not to suspend such payments.
b. Previous Medicaid Regulations
State Medicaid agencies have long been authorized to withhold
payments in cases of fraud or willful misrepresentation. On December
28, 1987, DHHS finalized regulations at Sec. 455.23 that they
described as specifically encouraging State Medicaid agencies to
withhold program payments to providers without first granting
administrative review where the State agency has reliable evidence of
fraudulent activity by the provider. The regulations were issued by the
HHS OIG based on a concern that State administrative hearings could
interfere with investigations conducted by HHS OIG's Office of
Investigations or by the State's Medicaid fraud control unit (MFCU).
The requirements of an administrative hearing could jeopardize criminal
cases and investigators were reluctant to agree to a State's
withholding payment, thus risking additional overpayments. (See the
December 28, 1987 final rule (52 FR 48814)). The December 28, 1987
final rule remains in effect and has remained unchanged since it was
promulgated.
At the time the rule was proposed, the Department was in the
process of reorganizing its fraud and abuse regulations to reflect
authorities transferred to HHS OIG in 1983, as well as those retained
by CMS. HHS OIG authorities were transferred to a new 42 CFR chapter V,
while CMS' Medicaid program integrity authorities were retained at 42
CFR part 455. (See the September 30, 1986 final rule (51 FR 34764)).
This current rule provides that a State Medicaid agency may
withhold payments to a provider in whole or in part based upon receipt
of reliable evidence that the need for withholding payments involves
fraud or willful misrepresentation under the Medicaid program. At the
time this rule was published, commenters questioned what constituted
``reliable evidence of fraud.'' The HHS OIG declined to provide a
specific definition, noting that what constitutes ``reliable evidence''
is not easily and readily definable. The HHS OIG noted that while the
existence of an

[[Page 5932]]

ongoing criminal or civil investigation against a provider may be a
factor in determining whether reliable evidence exists, that reliable
evidence should be determined on a case-by-case basis with the State
agency looking at all the factors, circumstances, and issues at hand,
and acting judiciously on this information.
The 1987 regulations also permitted payments to be suspended in
whole or in part. Commenters had suggested that ``clean claims''
continue to be processed without delay, and that any withholding ought
to be targeted to only the type of Medicaid claims under investigation.
The HHS OIG responded that it is usually difficult to determine which
claims are ``clean'' until after an investigation has been completed,
but noted that where an investigation is solely and definitively
centered upon a specific type of claim that a State could, at its
discretion, withhold payments on just those types of claims. The HHS
OIG also agreed to commenters' requests to clarify that the withholding
provisions apply only to alleged fraud or willful misrepresentation
related to improperly received Medicaid payments and not to ancillary
unrelated matters such as deceptive advertising.
c. Proposed Medicaid Suspension of Payments Requirements
The current regulation at Sec. 455.23 formed the framework for
these final regulations. State Medicaid agencies have long had the
authority to withhold payments in cases of alleged fraud or willful
misrepresentation. Section 6402(h)(2) of the ACA now mandates that
States not receive FFP in cases where they fail to suspend Medicaid
payments during any period when there is pending an investigation of a
credible allegation of fraud against an individual or entity as
determined by the State in accordance with these proposed regulations
unless the State determines that good cause exists for a State not to
suspend such payments. To conform the existing regulation to the
terminology of the ACA, we proposed to change the phrase ``withhold
payments'' to ``suspend payments,'' a change we believe is merely
semantic.
We proposed to implement section 6402(h)(2) of the ACA by modifying
the existing Sec. 455.23(a) to make payment suspensions mandatory
where an investigation of a credible allegation of fraud under the
Medicaid program exists. Based on the ACA's use of just the term
``fraud,'' we did not propose to retain the existing term ``willful
misrepresentation.'' We believe that fraud encompasses willful
misrepresentation as well as other acts that may constitute civil or
criminal fraud; thus we do not believe this proposal represents a
substantive change nor do we intend it to have a substantive effect
insofar as reducing or limiting a State's authority to suspend Medicaid
payments. We solicited comments on this approach.
To conform the proposed regulation to the requirements of the ACA,
we proposed to modify terminology in the existing Sec. 455.23(a) that
now refers to ``receipt of reliable evidence'' to instead refer to a
``pending investigation of a credible allegation of fraud.'' In
contrast to the semantic change from ``withhold payments'' to ``suspend
payments,'' in this case we believe that there is a substantive
difference between the threshold level of certainty or proof necessary
to identify a ``credible allegation'' versus the heightened requirement
of ``reliable evidence'' in the current regulation.
We do not believe that the phrase ``when there is pending an
investigation of a credible allegation of fraud'' necessarily demands
that an investigation originate in or with a law enforcement agency.
Rather, State Medicaid agencies have program integrity units that, in
the normal course of business, receive, and conduct investigations
based upon, tips alleging fraud, and which also conduct proactive
investigations based upon internal data analyses and other fraud
detection techniques. We believe that State agency investigations,
though they may be preliminary in the sense that they lead to a
referral to a law enforcement agency for continued investigation, are
adequate vehicles by which it may be determined that a credible
allegation of fraud exists sufficient to trigger a payment suspension
to protect Medicaid funds.
This threshold by which a State agency investigation may give rise
to a payment suspension is a somewhat lesser threshold than that in the
current regulation. The preamble to the current regulation specified
that it was anticipated the State agency would confer with, and receive
the concurrence of, investigative or prosecuting authorities prior to
imposing a withholding action. However, that preamble also stated that
it was establishing mere minimum requirements, and that States could
exercise broader power where State law or regulation so provided. Most
States have availed themselves of the existing Federal authority (or
broader state authority) to withhold payments, and we believe that
experience over the past 20 years offers no indication this authority
has been misused against providers. Moreover, we believe this proposed
threshold is consistent with the phrase ``pending investigation of a
credible allegation of fraud'' of the ACA. We do anticipate that
payment suspension authority will be used more frequently because the
ACA dictates that where there is a pending investigation of credible
allegations of fraud against a provider, a State that fails to suspend
payments to that provider will not receive FFP with respect to such
payments unless good cause exists not to suspend them.
We proposed to adopt at Sec. 455.2 the same broad definition of
``credible allegation'' proposed previously in the context of the
Medicare program. In many cases, what constitutes a ``credible
allegation'' must be determined on a case-by-case basis with the State
agency looking at all the factors, circumstances, and issues at hand.
Guided by the experience of more than 20 years, we are aware that
States have been able to identify ``reliable evidence'' through a
variety of means including, but not limited to, fraud hotline
complaints, Medicaid claims data mining, and patterns identified
through provider audits, along with the appropriate level of additional
investigation that accompanies each of these. Moreover, States have
received referrals from State MFCUs, other law enforcement agencies,
and other State benefits program investigative units. We continue to
believe that State agencies must review all allegations, facts, and
evidence carefully and act judiciously on a case-by-case basis when
contemplating a payment suspension, mindful of the impact that payment
suspension may have upon a provider.
We proposed at Sec. 455.23(b) that the State agency notify a
provider of a payment suspension in a way very similar to the mechanism
currently specified in regulation, by which the State agency is
required to notify a provider, specifying certain details, within 5
days of taking such action. However, we did propose to provide for a
30-day period, renewable in writing up to twice for a total not to
exceed 90 days, by which law enforcement may, in writing, request the
State agency to delay notification to a provider. We proposed this
because we believe that occasionally an investigation may be at a
sensitive stage, perhaps involving undercover personnel or a
confidential informant, where required notification to the provider at
a particular time might jeopardize the investigation. We do not believe
we should extend the delay notification beyond 90 days out of fairness
to a provider and, in any event, a provider deriving any significant

[[Page 5933]]

revenue stream from Medicaid is likely to itself discern the fact of a
payment suspension well in advance of 90 days.
We proposed only minor changes to the current provisions in Sec.
455.23(c) on the duration of a suspension. To comport with the ACA, we
change the term ``withholding'' to ``suspension''; this is a semantic
change that, as noted previously, has been made throughout. In the new
Sec. 455.23(c)(2), we propose to require a State to notify a provider
of the termination of a payment suspension and, where applicable, to
specify the availability to a provider of any appeal rights under State
law and regulation.
Substantively, we did not propose significant change to the
existing duration provisions, which specify that withholding (now,
suspension) will be temporary and will not continue after: (1)
Authorities discern that there is insufficient evidence of fraud upon
which to base a legal action; or (2) legal proceedings related to the
alleged fraud are completed.
We believe that maintaining the existing duration provisions is
consistent with the ACA that requires that FFP not be made when a State
fails to suspend payments ``during any period when there is pending an
investigation of a credible allegation of fraud against an individual
or entity.'' We further recognized that the Act applies a very similar
standard to the Medicare program. We solicited comments on our proposal
to maintain the existing duration provisions.
In Sec. 455.23(d) of the proposed rule, we proposed to require a
State to make a formal, written suspected fraud referral to its MFCU
or, where a State does not have a MFCU to an appropriate law
enforcement agency, for each instance of payment suspension as the
result of a State agency's preliminary investigation of a credible
allegation of fraud. This will ensure that an appropriate full
investigation by a law enforcement agency timely ensues. If the MFCU or
other law enforcement agency declines to accept the referral, we
proposed to require the State to immediately release the payment
suspension unless the State refers the matter to another law
enforcement entity or unless the State has alternative Federal or State
authority by which it may impose a suspension. In the latter case, the
requirements of that alternative authority, including any notice and
due process or other safeguards, will be applicable.
We proposed to require that a State's formal, written suspected
fraud referral meets fraud referral performance standards issued by the
Secretary. The currently applicable fraud referral performance
standards were issued by CMS on September 30, 2008.
In Sec. 455.23(d)(3), we proposed that on a quarterly basis a
State must request a certification from the MFCU or other law
enforcement agency that any matter accepted on the basis of a referral
continues to be under investigation or in the course of enforcement
proceedings warranting continuation of the payment suspension. We
recognized that due to various constraints, law enforcement agencies
may not be able to provide specific updates on matters under
investigation. In recognition of the fact that payment suspensions are
only temporary, however, we proposed to require such quarterly
certifications to ensure, for example, that a suspension will not be
continued long after a law enforcement agency has closed an
investigation but neglected to alert a State agency of that fact. To
maximize State flexibility to implement this requirement, we are not
prescribing the precise format such certifications must take.
Consistent with the new ACA provision, we also proposed to create
several ``good cause'' exceptions by which States may determine good
cause exists not to suspend payments or to suspend payments only in
part. In new Sec. 455.23(e) we included several circumstances that we
believe constitute ``good cause'' for a State to determine not to
suspend payments, or not to continue a payment suspension previously
imposed, to an individual or entity despite a pending investigation of
a credible allegation of fraud. In Sec. 455.23(e)(1), we proposed a
good cause exception based upon specific requests by law enforcement
that State officials not suspend (or continue to suspend) payment.
There are numerous reasons for which law enforcement personnel might
make such a request, including that imposing a payment suspension might
alert a potential perpetrator to an investigation at an inopportune or
particularly sensitive time, jeopardize an undercover investigation, or
potentially expose whistleblowers or confidential sources.
In Sec. 455.23(e)(2), we proposed a good cause exception if a
State determines that other available remedies implemented by the State
could more effectively or quickly protect Medicaid funds than would
implementing (or continuing) a payment suspension. For example, law
enforcement personnel might request that a court immediately enjoin
potentially unlawful conduct or prevent the withdrawal, removal,
transfer, disposal, or dissipation of assets, either or both of which
might protect Medicaid funds more fully or quickly than would
imposition of a payment suspension.
Paragraph (e)(3) proposed a good cause exception based upon a
determination by the State agency that a payment suspension is not in
the best interests of the Medicaid program. It is conceivable that a
State may, in rare situations, face exigent circumstances with respect
to a suspension situation not addressed by the other good cause
exceptions specified here but where it otherwise determines suspension
would not be in the State Medicaid program's best interests. This broad
standard is intended to reflect that payment suspension is a very
serious action that can potentially lead to dire consequences, but that
it is impossible to specify detailed contingencies with respect to
every possible scenario that might arise. We did not anticipate that
States will frequently make use of this exception; however where this
exception is utilized we do require that States document their use of
this exception, and will closely monitor its implementation to
determine whether further regulation is necessary. We solicited
comments on this approach.
In paragraph (e)(4), we proposed a good cause exception based upon
a determination by the State of an adverse effect of the suspension on
beneficiary access to necessary items or services. We envision there
may be scenarios in which a payment suspension to a provider might
jeopardize a provider's ability to continue rendering services to
Medicaid beneficiaries, thus threatening Medicaid beneficiaries' access
to care. Utilizing a standard identical to that which CMS and the HHS
OIG apply in assessing requests for waivers of exclusion at Parts 402
and 1001 of Title 42, for example, we posit one basis for a good cause
exception from payment suspension is if a provider under investigation
is a sole community physician or the sole source of specialized
services available in a community. Likewise, in Federally-designated
medically underserved areas the potential impact of a payment
suspension upon a large provider might equally threaten recipient
access, thus this underlies a second access exception. We welcomed
comments on this approach, including comments with respect to other
metrics by which to assess potential beneficiary jeopardy in terms of
access to necessary items or services.
Finally, in paragraph (e)(5) we proposed a good cause exception
that would permit (but not require) a State to discontinue an existing
suspension to the extent law enforcement declines to cooperate in
certifying under the

[[Page 5934]]

requirements of paragraph (d)(3) that a matter continues to be under
investigation and therefore warrants continuing the suspension.
We do not interpret the new provision in the ACA as mandating that
a State must always suspend all payments to a provider in cases of an
investigation of a credible allegation of fraud. In general, we
continue to believe a payment suspension should apply to all of a
provider's claims consistent with the HHS OIG's responses to comments
in the 1987 regulations that it is usually difficult to determine which
claims are clean claims until after an investigation is completed, and
one purpose of payment suspension is to build a type of escrow account
out of which any overpayments can be deducted when an investigation is
concluded.
With certain new constraints, however, we have chosen to continue
to allow States the flexibility to suspend payments in part. For
example, as stated in the preamble to the current regulation, there may
be times where an investigation is solely and definitively centered on
only a specific type of claim in which case a State may determine it is
appropriate to impose a payment suspension on only that type of claim.
Likewise, a State might determine that an investigation of a credible
allegation of fraud is limited to a particular business unit or
component of a provider such that a suspension need not apply to
certain business units or components of a provider.
Balancing these approaches, we proposed to allow States to
implement a partial payment suspension, or, where appropriate, to
convert a previously imposed full payment suspension to a partial
payment suspension, if justified via a good cause exception. The good
cause exceptions for partial suspension at paragraphs (f)(1) and (2)
mirror those at paragraphs (e)(4) and (3), respectively, and allow the
State to adopt a partial payment suspension where suspension in whole
would so jeopardize a recipient's access to items or services as to
endanger the recipient's life or health, or where the State deems it in
the best interests of the Medicaid program. At paragraph (f)(3), we
proposed that a State may avail itself of the good cause exception to
suspend payments only in part if the nature of the credible allegation
is focused solely and definitively on only a specific type of claim or
arises from only a specific business unit of a provider, and the State
determines and documents in writing that a payment suspension in part
would effectively ensure that potentially fraudulent claims were not
continuing to be paid. Many such cases will still demand suspension in
full, but this provision, which we anticipate States would exercise
sparingly, gives States flexibility to act otherwise in those limited
circumstances where appropriate. Finally, at paragraph (f)(4), we
proposed that a State may avail itself of the good cause exception to
convert a payment suspension in whole to one only in part to the extent
law enforcement declines to cooperate in certifying under the
requirements of paragraph (d)(3) that a matter continues to be under
investigation. We solicited comment on these proposed approaches.
We proposed in new paragraph (g) to add several reporting and
document retention guidelines to Sec. 455.23. Payment suspension
authority is critically important to protect Medicaid funds, but
payment suspension can have dire consequences to a provider. Payment
suspension authority, including a State's exercise of a good cause
exception to otherwise address a suspension situation, must be
exercised responsibly by a State at all stages, from the inception to
the termination of the suspension. Through, among other things, our
State Program Integrity Reviews, we expect to maintain close oversight
of State utilization of suspension authority. However, to be clear, we
expressly and explicitly do not expect State compliance (or
noncompliance) with these documentation or retention provisions to give
rise to any enforceable right of a provider aggrieved by any real or
perceived failures with respect to these requirements to seek any form
of redress (administratively, judicially, or otherwise).
Under these final reporting and retention guidelines, States are
required to maintain for a minimum of 5 years from the date of issuance
all materials documenting the life cycle of a payment suspension that
is imposed, including: (1) All notices of suspension of payment in
whole or part; (2) all fraud referrals to MFCUs or other law
enforcement agencies; (3) all quarterly certifications by law
enforcement that a matter continues to be under investigation; and (4)
all notices documenting the termination of a suspension. Likewise, we
proposed to require States to maintain for the same period all
documentation justifying the exercise of the good cause exceptions.
Finally, we proposed to require States to annually report to the
Secretary information regarding the life cycle of each payment
suspension imposed and any determinations to exercise the good cause
exceptions not to suspend payment, to suspend payment only in part, or
to discontinue a payment suspension.
To effectuate section 6402(h)(2) of the ACA's prohibition on
expenditure of FFP where a State fails to suspend payments that should,
by virtue of the ACA standard and this proposed rule, have been
suspended, we proposed to add a new Sec. 447.90. Paragraph (a) of
proposed Sec. 447.90 specifies the basis and purpose for the new
provision, while paragraph (b) specifies the general rule that FFP
would not be available with respect to items or services furnished by
an individual or entity to whom the State has failed to suspend
Medicaid payments during any period where there is pending an
investigation of a credible allegation of fraud against the individual
or entity except in specified circumstances that include certain
emergency circumstances, or if good cause exists as specified at Sec.
455.23(e) or (f).
As mentioned, we anticipate that CMS' enforcement and monitoring of
these provisions will largely be accomplished through measures such as
State Program Integrity reviews conducted by CMS. Such reviews will,
among other things, evaluate States' complaint intake and investigation
efforts, and assess whether States have an effective process to move
matters where there are found to be credible allegations of fraud to
the point where they are evaluated for payment suspension. However, we
do not believe it is viable to require States to report and document to
CMS every instance of where any allegation of fraud arises and further
qualify which ones rise to the level of credible allegation. We want to
foster effective and efficient State program integrity efforts with
respect to which payment suspension is an integral component, but we do
not want to create a system so procedurally onerous that it overwhelms
a State's ability to substantively perform this critical work.
Nevertheless, we will thoroughly investigate and act by, among other
things, deferring and/or disallowing FFP in accordance with Sec.
430.40 and Sec. 430.42, if program integrity reviews or other methods
of ensuring State compliance with Medicaid program requirements reveal
a State is failing to suspend payments (or inappropriately applying a
good cause exception) where pending investigations of credible
allegations of fraud do exist. A State may not claim (on its Form CMS-
64) FFP for payments that are suspended. Any State that does not
suspend payments, or that suspends payments but continues to claim FFP
with respect to what would have been paid had no suspension been in
place,

[[Page 5935]]

puts that FFP at risk. In such cases, we would pursue a deferral and/or
disallowance to reclaim the Federal portion of such payment. We
solicited comments on CMS' proposed oversight approach.
Finally, three provisions were proposed to be added to the
regulations at Sec. 1007.9 that specify the State MFCU's relationship
to, and agreement with, the State Medicaid agency. These proposed
revisions were necessary to effectuate the proposed revisions under
Sec. 455.23. The regulations at 42 CFR part 1007 are enforced by HHS
OIG as part of its delegated authority to certify and fund the State
MFCUs. (See August 15, 1979 final rule (44 FR 47811). However, we are
including amendments to part 1007 here to ensure a comprehensive
regulatory package that sets forth in one location the Department's
implementation of the suspension provisions of section 6402(h) of the
ACA.
The first of these provisions proposes to add a new paragraph (e)
to Sec. 1007.9 that specifies that the MFCU may refer to the State
agency any provider against which there is pending an investigation of
a credible allegation of fraud for purposes of payment suspension in
accord with Sec. 455.23. Allegations of potential fraud may first be
identified by the MFCU rather than by the State agency, so this
provision merely formalizes a path from the MFCU to the State agency so
a payment suspension may be implemented where appropriate. This
provision also proposed that any referral to the State agency for
consideration of a payment suspension be in writing. The written
referral need not be extensive, but must include information adequate
to enable the State agency to identify the provider and a brief
explanation of the credible allegations forming the grounds for the
payment suspension. The second proposed addition to Sec. 1007.9
proposed to add a new paragraph (f) providing that any request by the
unit to the State agency to delay notification of suspension to a
provider pursuant to the provisions of the proposed Sec.
455.23(b)(1)(ii) come in writing. Requiring that such requests be made
in writing (which could take the form of an email) provides for an
audit trail to ensure that proper procedures are followed. However, we
expressly do not intend for this requirement to create any substantive
right upon which a provider might lodge objection or other legal
challenge to the extent the proper procedures were not followed. Last,
a new paragraph (g) was proposed to require the unit to notify the
State agency in writing when it has accepted or declined a case
referred by the State agency. Aside from also creating an audit trail,
this proposed provision is important in that it would alert the State
agency as to the status of a referral, which would shape how the State
agency would handle a suspension under the proposed revisions to Sec.
455.23.
We received the following comments:
Comment: Several commenters expressed concern regarding the
definition of ``credible allegation of fraud.'' Specifically, several
commenters requested that CMS provide an exact definition of ``credible
allegation of fraud'' as well as specific standards and guidelines for
providers to follow to make a determination regarding what is a
credible allegation of fraud. One commenter suggested removing the word
``fraud'' from the term. Other commenters indicated that the definition
of what is credible or reliable under the proposed rule is circular,
that is, an allegation is credible if it has ``indicia of
reliability.'' In addition, several commenters have suggested that the
new evidentiary threshold is too low.
Response: The term ``credible allegation of fraud'' is a statutory
term as reflected in section 6402(h) of the ACA. Accordingly, we do not
have the authority to change the term. We have considered these
comments but decline to provide a more exact definition, recognizing
that different States may have different considerations in determining
what may be a ``credible allegation of fraud.'' Accordingly, we believe
that States should have the flexibility to determine what constitutes a
``credible allegation of fraud'' consistent with individual State law.
We will neither seek to limit what States may determine qualifies as a
``credible allegation of fraud'' nor will we require States to consult
with HHS in making such a determination.
Comment: One commenter suggested that CMS should update its
policies and procedures and develop consistent and standard guidance to
State Medicaid programs regarding the determination of credible
allegations of fraud.
Response: We will review our current policies and procedures in
light of the regulatory changes contained in this rule, and will
provide updated guidance to States as necessary.
Comment: Several commenters expressed concern that the evidentiary
standard is too low and urged CMS to retain the current standard, by
which they suggested defining a ``credible allegation of fraud'' as
``reliable information that fraud or willful misrepresentation exists''
as a component of the basis for suspension of payments under Sec.
455.23(a).
Response: In the proposed rule, we acknowledged that the proposed
threshold for triggering a payment suspension is lower than what is
contemplated in current regulations, but we also indicated that we
believe this result is dictated by the ACA. However, in this final rule
with comment period, we are amending the definition of ``credible
allegation of fraud'' at Sec. 455.2, which in the proposed rule read,
in pertinent part, ``[a]llegations are considered to be credible when
they have indicia of reliability'' to include the following: ``and the
State Medicaid agency has reviewed all allegations, facts, and evidence
carefully and acts judiciously on a case-by-case basis.'' Due to use of
just the word ``fraud'' in section 6402(h)(2) of the ACA, we proposed
to remove the term ``willful misrepresentation'' from existing
regulation, though as we noted in the proposed rule, we take the
position that ``fraud'' includes ``willful misrepresentation.''
Comment: A few commenters suggested that the final regulation
should include a requirement and a discussion to provide technical
guidance to State Medicaid programs that clarifies the term ``fraud''
as a legal term and one that carries evidence of a willful intent to
deceive.
Response: The definition of fraud, for purposes of Medicaid program
integrity, is reflected in existing regulations at Sec. 455.2 and
reads as follows: ``an intentional deception or misrepresentation made
by a person with the knowledge that the deception could result in some
unauthorized benefit to himself or some other person. It includes any
act that constitutes fraud under applicable Federal or State law.''
Medicaid fraud is addressed through, for example, civil remedies
imposed under Federal and State false claims acts, as well as through
criminal prosecutions.
Comment: Numerous commenters expressed concerns regarding the list
of potential sources of credible allegations of fraud. Specifically,
several commenters expressed concern about false reports of fraud that
may be generated by competitors or disgruntled employees. In addition,
there were numerous comments that expressed concern over allegations
received through a fraud hotline and whether such allegations could be
considered to be reliable. Another commenter suggested that anonymous
hotlines should refer to State-operated Medicaid fraud hotlines as well
as specify to

[[Page 5936]]

whom or what entity the fraud hotline complaints are being made.
Response: First, we will not seek to limit the potential sources
from which States may derive credible allegations of fraud. We provided
examples of sources for States to consider and will clarify in the
final regulation that we are not limiting such sources. We recognize
that credible allegations may come from a variety of sources. Second,
with respect to identifying fraud hotlines as a potential source of a
credible allegation of fraud, we recognize that there may be irrelevant
or false reports made through hotlines. Due to the potential for not
just false allegations, but also the equal possibility of honest
mistakes and the like, we encourage States to not solely rely on a
singular allegation without considering the total facts and
circumstances surrounding such allegations. In the proposed rule, we
indicated that States ``must review all allegations, facts, and
evidence carefully and act judiciously on a case-by-case basis * * *''.
As noted previously, we are including this language in the final rule
with comment period in the definition of ``credible allegation of
fraud'' at Sec. 455.2. We take the position that States should have
the flexibility to determine what they deem to be reliable sources for
credible allegations of fraud. Finally, we will not identify which
specific fraud hotlines States may use. We are aware that there may be
a variety of hotlines. For example, States may have different
components within their respective agencies that utilize hotlines or
State law enforcement agencies may also utilize hotlines from which
credible allegations may be generated. Accordingly, we will not seek to
limit the type of hotline States use as sources for credible
allegations of fraud.
Comment: Commenters indicated that discussions of investigations
and credible allegations of fraud need to defer to State and Federal
legal definitions of ``fraud.'' In addition, commenters suggested that
existing Federal regulations indicate that investigating fraud is the
responsibility of State Medicaid Fraud Control Units (MFCU).
Accordingly, MFCUs should be the designated investigators of
allegations of fraud.
Response: First, as noted previously, ``fraud'' is defined in
existing regulations at Sec. 455.2. Second, we disagree that only the
MFCU may investigate allegations of fraud. While MFCUs clearly play a
key role in investigating and prosecuting Medicaid fraud, most, if not
all, States have program integrity units that, in the normal course of
business, receive hotline and other tips about potential fraud, and
conduct proactive investigations based upon internal data analyses and
other fraud detection techniques. Program integrity units have the
responsibility under existing Federal regulations at Sec. 455.14 and
Sec. 455.15(a)(1) and the proposed regulation at Sec. 455.23(d) of
determining whether allegations constitute fraud, and if they do,
referring the matter to the MFCU or an appropriate law enforcement
agency for further investigations. Thus, we do not believe MFCUs are
the sole investigators of fraud.
Comment: Several commenters requested that CMS clarify whether a
finding of billing errors during an audit that are not related to
allegations of fraud would trigger a payment suspension.
Response: Irrespective of the circumstances, absent pending
investigations of credible allegations of fraud, payment suspensions
would not be triggered under these regulations, although that does not
preclude the possibility that a State may exercise its own broader
suspension authority in other circumstances.
Comment: Several commenters requested clarification regarding
whether States should determine the credibility of an allegation of
fraud prior to initiating a suspension action.
Response: Due to the potential for not just false allegations, but
also for good faith mistakes, misunderstandings, and misinterpretations
regarding reports of alleged fraud as well as data analysis errors, we
encourage States not to rely on any singular allegation or data run but
rather States should review all allegations, facts, and data carefully
and act judiciously on a case-by-case basis, mindful of the potential
impact a payment suspension may have on a provider.
Comment: One commenter suggested that we include the term ``abuse''
as a basis for payment suspension and not limit such suspensions to
investigations of ``credible allegations of fraud.''
Response: We decline to add the term ``abuse'' to Federal
regulations in the context of payment suspensions, as the phrase we
have adopted, ``credible allegation of fraud'' has a statutory basis
reflected in section 6402(h) of the ACA. As a practical matter,
however, conduct that constitutes abuse as opposed to fraud (we note
that both terms are defined at Sec. 455.2) may be indistinguishable
not just at the outset of an investigation but even through the course
of an investigation and enforcement proceedings and may hinge on fine
factual distinctions or legal points including knowledge and intent,
and this regulation would not preclude the imposition of a suspension
in such a circumstance so long as there is a credible allegation of
fraud. Moreover, this regulation presents a floor for protection of
Medicaid funds and does not bar a State from setting a higher bar
allowing for imposition of suspensions in other circumstances.
Comment: One commenter expressed concern regarding Federal
oversight and whether such oversight will amount to second-guessing a
State's determination of what constitutes a credible allegation of
fraud.
Response: We do not intend to second-guess State determinations
regarding credible allegations of fraud. We intend to work
collaboratively with States to prevent critical Medicaid funds. The
purpose of Federal oversight is to ensure that States have effective
processes in place in order to make determinations regarding credible
allegations of fraud.
Comment: Several commenters expressed concern regarding the lack of
a definition for the phrase ``indicia of reliability'' and requested
CMS to provide one.
Response: We have considered the concerns of commenters, but
decline in this final rule with comment period to define ``indicia of
reliability.'' We recognize the possibility that there may be differing
standards among States with respect to what may be considered ``indicia
of reliability,'' but also, as we have noted several times in these
responses, we expect States to gauge the credibility of allegations
through a lens after reviewing all allegations, facts, data, and
evidence carefully and that State action will be exercised judiciously
on a case-by-case basis.
Comment: Several commenters want CMS to define ``investigation'' of
a credible allegation of fraud. One commenter inquired whether a State
may rely on its MFCU to determine if an allegation of fraud is
credible. Other commenters suggested that the State and its
investigators are in the best position to determine when credible
allegations of fraud should lead to a payment suspension, such that CMS
should rely on the judgment of these individuals in deciding whether to
withhold FFP. Certain commenters also wanted to know if the process of
determining whether an allegation of fraud is credible is sufficient to
trigger a payment suspension.
Response: We recognize that the process to determine whether an
allegation of fraud is credible may vary among States, and we defer to
States--applying the principles of careful review and judicious action
to which we refer several times in these responses

[[Page 5937]]

and which we now include in the final rule with comment period--to
determine whether an allegation or complaint rises to the level of a
credible allegation of fraud. We do not want to limit a State's due
diligence process or preliminary investigations with respect to its
assessment of credibility. Nor do the proposed regulations specify or
limit who, or what other agency, may assist the State agency with the
investigation or validation of credible allegations of fraud.
Nevertheless, if it is determined that an allegation is credible, a
State must still submit a formal written referral to its MFCU
irrespective of whether the MFCU assisted in validating an allegation's
credibility. Finally, the mere fact of an investigation to assess the
credibility of a fraud allegation is insufficient to trigger a payment
suspension. Rather, a payment suspension is triggered when that there
is, in fact, a pending investigation of a credible allegation of fraud.
We will clarify this in the regulation.
Comment: One commenter suggested that the notice of suspension to
providers should be sent by certified mail, set forth the specific (not
general) allegations and inform the providers of the State's
administrative review process and provide appropriate citation. Another
commenter suggested revising the language in Sec. 455.23(b)(2)(v)
regarding notice of suspension to include information about any
administrative appeal procedures that are available under State law.
Other commenters suggested that notice be furnished to providers prior
to the implementation of an adverse action such as payment suspensions.
One commenter suggested giving States more discretion regarding when
notices of suspension should be furnished to providers. One commenter
in particular indicated that bi-weekly remittance advisories are issued
to providers that would, in effect, disclose the State's actions.
Response: We believe that we should afford States the flexibility
to determine the best method of delivery of notices of suspension so we
decline to take an overly prescriptive approach in this regulation.
However, we agree that a notice of suspension furnished to a provider
should appropriately reference the general allegations upon which a
suspension is based as well as any existing State appeals process.
Accordingly, we will revise the proposed language to reflect the
inclusion of State administrative appeal procedures in the notice of
suspension to providers. We do not agree that providers should be given
notice of a payment suspension prior to such action being taken. We
recognize the sensitive nature of a fraud investigation which may be
jeopardized by such notice, and expect that State agencies will act
appropriately so as not to jeopardize any investigation.
Comment: Commenters suggested that if a provider or supplier who is
subject to a payment suspension submits an acceptable written rebuttal
statement as to why the suspension should be removed, then this should
qualify as ``good cause'' as currently permitted under Sec.
405.372(b). In other words, a rebuttal could establish a good cause
exception to end a payment suspension. Several other commenters
suggested that in cases of economic hardship, a provider should be able
to submit evidence of this fact for consideration by the State in
determining whether to terminate a payment suspension, and requested
that CMS create an expedited review process. Commenters also suggested
that the regulations should acknowledge the severe financial impact of
a payment suspension and should limit the scope of the suspension to
the services under review.
Response: We believe that the proposed regulation as written allows
a State to account for a provider's rebuttal statement. Specifically,
as proposed at Sec. 455.23(e), States have the flexibility to make a
determination that a payment suspension is not in the best interests of
the Medicaid program. States also have the option to suspend payments
only in part if there is good cause. Therefore, we do not believe that
an additional good cause exception is necessary. Moreover, as the
existing Medicaid suspension has for more than 20 years, we continue to
defer to any State administrative (or judicial) review processes, and
therefore decline to require States to adopt an expedited review
process. Nevertheless, we are including new good cause exceptions in
this final rule with comment period at Sec. 455.23(e)(3) and (f)(2) to
allow a State to terminate a whole payment suspension or impose a
payment suspension only in part if a provider furnishes written
evidence that persuades the State that a payment suspension should be
terminated or imposed only in part. Furthermore, the preamble
acknowledges and requests States to be mindful of the impact that
suspensions may have upon providers.
Comment: One commenter inquired whether ``good cause'' is
established if the items or services are furnished as an emergency.
Response: Section 1903(i)(2) of the Act provides for a limited
exception for payment to be made with respect to emergency items or
services, though not including items or services furnished in the
emergency room of a hospital. We believe this statutory exception
speaks for itself and we do not need to otherwise address or expand
upon it in these regulations.
Comment: Commenters have suggested that the proposed ``good cause''
regulatory provisions should include the language contained in the
preamble acknowledging that ``reliable evidence should be determined on
a case-by-case basis with the State agency looking at all the factors,
circumstances, and issues at hand * * * '' (75 FR 58224).
Response: We disagree that this language belongs in the ``good
cause'' regulatory provisions. Instead, we have revised the definition
of ``credible allegation of fraud'' to reflect that States must
carefully review all allegations, facts and evidence on a case-by-case
basis. Accordingly, we do not see the need to include this language in
the ``good cause'' regulatory provisions.
Comment: One commenter suggested that CMS consider placing the
catchall of ``not in the best interests of the Medicaid program''
reflected in Sec. 455.23(e)(3) and similarly the catchall reflected at
subparagraph (f)(2) of ``* * * payment suspension in part is in the
best interests of the Medicaid program'' at the end of the respective
subparagraphs.
Response: We agree and will make such changes in the final
regulation.
Comment: One of the good cause exceptions not to suspend payments
to Medicaid providers is when ``an individual or entity is the sole
community physician or the sole source of essential specialized
services in a community.'' (emphasis added) One commenter suggested
replacing ``in a community'' with ``for a particular beneficiary
population.''
Response: We disagree. We are concerned about negatively impacting
beneficiary access to care so this exception does not turn on whether a
provider serves a particular beneficiary population, but on whether a
beneficiary's access to necessary care is impeded. Thus, the good cause
exception may be applied when a beneficiary's access to care is
jeopardized because he/she cannot obtain necessary services from a
particular provider type.
Comment: Several commenters questioned whether the requirements of
this section would apply to Medicaid managed care, including whether
the term ``provider'' includes managed care entities, whether managed
care capitation payments are included in suspensions when an individual
network provider is under investigation;

[[Page 5938]]

and what would be the process for notifying a managed care entity of a
credible allegation of fraud.
Response: The rules governing payment suspensions based upon
pending investigations of credible allegations of fraud apply to
Medicaid managed care entities. If there is a pending investigation of
a credible allegation of fraud against a Medicaid managed care
organization (MCO), prepaid inpatient health plan (PIHP), prepaid
ambulatory health plan (PAHP), or health insuring organization (HIO) at
the plan level, the State should address the issue either through
imposing a payment suspension or through other authorities that may be
available to them under State law or as part of the State's negotiated
agreement with the Medicaid MCO, PIHP, PAHP, or HIO. The same would
hold true for pending investigations of credible allegations of fraud
regarding individual network providers. Managed care capitation
payments may be included in a suspension when an individual network
provider is under investigation based upon credible allegations of
fraud, depending on the allegations at issue. We would expect the
process regarding the notice of suspension to a Medicaid MCO, PIHP,
PAHP, or HIO to follow the criteria as outlined in this final rule with
comment period.
Comment: Some commenters requested clarification regarding whether
FFP extends to managed care entities' capitation payment.
Response: FFP extends to Medicaid MCOs', PIHPs', PAHPs', and HIOs'
capitation payments. Accordingly, if a State fails to suspend payments
to such an entity for which there is a pending investigation of a
credible allegation of fraud, without good cause, FFP may be disallowed
with regard to such payments to the managed care entity.
Comment: Several commenters requested that CMS clarify whether
interest accrued on suspended payments to providers is eligible for
FFP.
Response: FFP is not available for interest accrued on suspended
payments to providers.
Comment: Commenters asked how CMS will notify a State that FFP is
to be suspended as a result of payment to an entity for items or
services for which the State has received a credible allegation of
fraud. Will the State receive advanced notice of the FFP suspension and
be given the opportunity to correct or will the suspension be
immediate?
Response: The process for deferring and disallowing FFP is governed
by Sec. 430.40 and Sec. 430.42, respectively. Generally, we take
action to defer the claim (by excluding the claimed amount from the
grant award) within 60 days after the receipt of a Quarterly Statement
of Expenditures (prepared in accordance with our instructions) that
includes that claim. The notice of deferral to the State is provided by
CMS within 15 days of such deferral. The notice should identify the
type and amount of the deferred claim and specify the reason for
deferral. The State is also requested to make available all the
documents and materials that CMS believes are necessary to determine
the allow-ability of the claim. However, prior to taking action to
defer or disallow FFP, we may engage States to request that
impermissible claims for FFP are removed from the Quarterly Medicaid
Statement of Expenditures for the Medicaid Assistance Program (Form
CMS-64).
Comment: One commenter asked, if CMS suspends a State's FFP, and
the allegations of fraud are cleared after the fact, what the process
will be to restore FFP.
Response: When we determine claims associated with deferred or
disallowed FFP are permissible, we will release the deferred or
disallowed funds to the State by providing FFP for the subject claims.
Comment: One commenter expressed concern regarding what the
commenter saw as a ``shift in evaluation of the appropriateness of
suspensions away from the Medicaid agency and entities investigating
the allegations of fraud to the exclusive and unilateral discretion of
CMS'' as well as a broad and sweeping increase in CMS's ability to
impose a deferral of FFP.
Response: We have long had the authority to withhold FFP and the
payment suspension rule is not an attempt to inappropriately withhold
FFP from States. Instead, the rule is intended to protect precious
Medicaid dollars from fraudulent providers, an effort in which we view
the States as partners. Generally, we will withhold FFP only where a
State has unreasonably or repeatedly failed to suspend payments or
otherwise terminate a payment suspension where there are credible
allegations of fraud.
Comment: One commenter suggested that the proposed rule regarding
suspension of payments to Medicaid providers gives Medicaid agencies an
improper incentive to aggressively deny payments to providers or risk
losing FFP.
Response: We disagree. As we explained in the proposed rule, State
Medicaid agencies have long had the authority to suspend payments to
providers based upon suspected fraudulent conduct. Our goal is to
ensure that State agencies appropriately suspend payments from
potentially fraudulent providers, in order to protect critical Medicaid
dollars from falling into the hands of such providers. In this rule we
encourage State agencies to suspend payment based upon pending
investigations of credible allegations of fraud only after reviewing
all of the facts and circumstances surrounding a particular case and
making a determination that such suspension is in fact warranted.
Comment: One commenter suggested that the suspension of payments
could be interpreted to have retroactive application to providers who
have already been referred to MFCUs or other law enforcement agencies:
Response: We will not require States to retroactively apply the law
regarding suspension of payments based on pending investigations of
credible allegations of fraud. However, upon the effective date of this
final rule with comment period, we expect States; to the extent they
have not already done so, to suspend payments to providers against whom
there exist pending investigations of credible allegations of fraud.
Comment: Commenters have sought clarification regarding whether the
proposed rule applies to individual providers who are employed or
contracted by institutional providers.
Response: The payment suspension rule applies to institutional
providers as well as enrolled providers who are employed or contracted
by such institutional providers.
Comment: One commenter wanted CMS to clarify whether the
``individual or entity'' under investigation is the same ``individual
or entity'' subject to the payment suspension.
Response: Yes, the ``individual or entity'' under investigation is
the same ``individual or entity'' that is subject to the payment
suspension.
Comment: Several commenters expressed concern with States'
compliance dates with the Medicaid payment suspension rule because some
States may require State law or regulatory changes in order to be able
to implement the rule. Certain commenters also expressed similar
concerns that the proposed document retention requirements exceed time
frames currently required by their State laws.
Response: We encourage the State Medicaid or program integrity
director of any State that faces State legislative, regulatory, or
administrative implementation obstacles to contact us

[[Page 5939]]

in order to work out a plan of resolution.
Comment: One commenter suggested that the process for quarterly
reporting and certification at Sec. 455.23(d) is onerous to the State
and the MFCU. The commenter further indicated that reporting is already
addressed in Memoranda of Understanding between the States and the
MFCUs, and therefore, additional reporting requirements would be
burdensome on the State.
Response: We disagree, and in the proposed rule stated that we
would not prescribe the format that such certifications must take to
maximize State flexibility. The Memoranda of Understanding between the
States and the MFCUs routinely do not address reporting and
documentation to the degree that will be required by Sec. 455.23(d).
Moreover, in the proposed rule we emphasized that payment suspensions
should be temporary and we noted the profound impact that a payment
suspension can have upon a provider. We believe that the quarterly
reporting and certification process is an important protection for
providers to ensure that suspensions do not continue after law
enforcement has concluded its investigation but did not report this
information to the State Medicaid agency.
Comment: Some commenters suggested that documentation and record
retention in instances regarding the decision to not suspend payments
is expensive and unnecessary given the high volume of unfounded
allegations. These commenters also suggested that the requirement to
report summary information to the Secretary is duplicative given that
CMS will be reviewing State actions on suspension of payment during
periodic on-site program integrity reviews.
Response: We disagree. As we generally discuss in both these
responses and in the proposed rule, we are balancing a number of
interests including: (1) A statutory directive from the ACA that FFP
not be paid in certain circumstances; (2) a payment suspension
provision that, if not rigorously and carefully administered, can
detrimentally impact honest providers; and (3) CMS' intent to maintain
its appropriate oversight role but at the same time not to arbitrarily
or unreasonably second-guess State decision-making. As such, we believe
rigorous documentation requirements that go beyond what may be reviewed
during on-site program integrity reviews actually serve to protect
everyone's interests. Moreover, we believe it is particularly important
that States carefully document those processes that require special
judgment calls, such as with respect to exercising the various good
cause exceptions, so that, upon CMS review, FFP is not inappropriately
withheld.
Comment: One commenter recommended that Medicaid State agencies
should be allowed to share potentially helpful information with their
MFCUs without following the requirements in the proposed rule regarding
documentation and timing of the referral of a credible allegation of
fraud.
Response: We fully agree with the notion that States may share
information or otherwise consult with their MFCUs, recognizing that
States may need to consult and/or exchange information with their
respective MFCUs prior to making a formal referral, and do not seek to
limit or otherwise define the circumstances by which States make such
communications. We disagree, however, with the proposition that States
should not need to follow our proposed MFCU documentation/referral
requirements, which we believe are important for reasons similar to
those addressed in the previous response, thus we will not alter the
proposed documentation and timing requirements.
Comment: Certain commenters have suggested that it will be
cumbersome to require the State to obtain a written certification from
the MFCU or other law enforcement agency that any matter that is
accepted on the basis of a referral continues to be under investigation
or in the course of enforcement proceedings warranting continuation of
the payment suspension every 90 days. In addition, these commenters
expressed concern that this requirement will result in a substantial
increase in workload and could result in increased staffing levels.
Commenters also suggested that existing methods of communication
regarding caseload and referrals between the States and the MFCUs
should be sufficient.
Response: We disagree with the proposition that the quarterly law
enforcement certification requirement is overly cumbersome or that the
documentation requirements finalized here will result in substantial
increases in workload. As we have indicated previously in these
responses and in the proposed rule, we believe rigorous documentation
requirements are in everyone's interest. Moreover, to maintain State
flexibility, we are not prescriptive with respect to the format of the
quarterly certification. States have long had authority to implement
payment suspensions and, though we formalize certain documentation and
referral requirements here, we believe that most States that have used
suspension authority likely have rigorous documentation requirements
already in place to ensure they are able to adequately justify
suspension actions and withstand any provider challenges.
Comment: With regard to formal fraud referrals issued by the State
to the MFCU or other law enforcement agency, one commenter suggested
combining the relevant NPIs of the affected providers into one referral
instead of referring individual cases.
Response: This is outside the scope of the proposed rule and
therefore we will not address this issue at this time.
Comment: One commenter suggested that the regulation at Sec.
455.23(g) proposing to require States to annually report to the
Secretary information regarding the life cycle of each payment
suspension imposed and any determinations to exercise the good cause
exceptions not to suspend payment, to suspend payment only in part, or
to discontinue a payment suspension, be modified. Specifically, the
commenter suggested that such annual report be filed only if such
information is shared by law enforcement.
Response: We disagree with the commenter's proposition for two
reasons. First, a number of the elements the commenter points out are
not contingent on any response from law enforcement. Second, we
certainly appreciate that States can only report on the information
that is in their possession, but believe that annual reporting should
not be contingent on whether law enforcement has shared such
information. Importantly, to the extent that annual reporting reveals
gaps where law enforcement has neglected or refused to share
information it will illustrate where CMS may have to exercise
additional oversight authority to attempt to close such gaps. Likewise,
law enforcement's ``failure to communicate'' may be a significant
factor in a State's decision to exercise certain of the rule's good
cause exception authorities.
Comment: One commenter suggested that CMS include in the final
regulation at Sec. 455.23(d)(4), as reflected in the preamble to the
proposed rule, a requirement for States to immediately release the
payment suspension ``unless the State has alternative Federal or State
authority by which it may impose a suspension.'' (75 FR 58225). The
proposed regulation does not reflect this additional language governing
the immediate release of a payment suspension when MFCU or law

[[Page 5940]]

enforcement declines to accept the fraud referral.
Response: We agree, and are including this language in the final
rule with comment period.
Comment: Certain commenters suggested revising the proposed
language to include a 180 day time limit for the duration of a
suspension of payment in the Medicaid program, similar to the proposed
process under Medicare.
Response: Aside from the general constraints and protections built
in to the rule around the notion that suspensions are intended to be
temporary, we believe that States need the flexibility to decide the
duration of payment suspensions in order to accommodate State laws and
legal processes. Because Medicare is a national program there is more
uniformity surrounding the disposition of Medicare program suspensions.
So while a specific time limit may be adequate there, we believe a more
flexible approach, nearly identical to the approach used with respect
to Medicaid payment suspensions for more than 20 years, is necessary to
address the needs of 50 plus States and territories.
Comment: One commenter suggested that the duration of a payment
suspension by States should be permanent where the provider is later
convicted of the offense.
Response: Payment suspensions are intended to stem the flow of
Medicaid dollars to providers against whom there are credible
allegations of fraud, during the pendency of the investigation, which
includes any related proceedings. Separate authorities, some
administered by other agencies, including possible exclusion from
participation in Federal health care programs, may be implemented upon
a provider's conviction.
Comment: One commenter indicated that while the proposed rule gives
States authority to immediately release payment suspensions if a timely
investigation by law enforcement does not ensue, that ``timely,'' is
not clearly defined.
Response: We believe that when a State learns that law enforcement
has declined to investigate a fraud referral from the State in
connection with a payment suspension or otherwise discontinues a
pending investigation, the State should immediately take steps to
terminate a payment suspension. As discussed several times in these
responses, we proposed a requirement for States to obtain quarterly
certifications from law enforcement to help address this type of
scenario so that providers are not subject to a continuing payment
suspension based upon a fraud referral that was declined by law
enforcement or an investigation that has been concluded without the
State's knowledge.
Comment: Certain commenters requested clarification regarding the
resolution of an investigation for purposes of terminating a payment
suspension.
Response: Generally, a payment suspension is temporary and will not
continue after the State Medicaid agency or the prosecuting authorities
determine that there is insufficient evidence of fraud by the provider
or legal proceedings related to the alleged fraud are completed.
Comment: One commenter suggested that the proposed rule be changed
to defer to State law to dictate how long and under what circumstances
a payment suspension can be imposed.
Response: As we noted in an earlier response, this rule presents a
floor for protection of Medicaid funds and does not bar a State from
setting a higher bar allowing for imposition of suspensions with other
conditions or in other circumstances.
Comment: Several commenters suggested that the proposed rule does
not provide adequate due process for providers facing suspension of
payments. Certain commenters also suggested that the proposed rule
could result in a de facto termination from the Medicaid program
without any meaningful due process. Commenters expressed concern that
non-fraudulent providers may effectively be terminated by lengthy
suspensions. Commenters also suggested shortening the length of
suspensions or in the alternative, maintaining the current permitted
duration without extension. Another commenter indicated that the
proposed rule does not create a right to challenge the ongoing validity
of a payment suspension.
Response: Under the proposed rule, providers have an opportunity to
submit written evidence for consideration by the Medicaid agency
regarding payment suspensions. Based upon this written evidence, a
State may determine whether there is good cause to terminate a
suspension of payment. Accordingly, we believe there are adequate due
process protections in place pursuant to which a provider may establish
good cause to terminate a payment suspension. In addition, this process
was already accounted for in existing Medicaid regulations and we did
not change the process. We are not aware of any issues associated with
this process which has been in existence for more than 20 years.
Moreover, we expressed in the proposed rule that suspensions, because
of their significant impact upon providers, are only temporary. We
provided in the rule several protections (such as the quarterly law
enforcement certification and State documentation requirements) and
also various ``good cause'' exceptions. Moreover, the duration of
suspension provisions of the proposed rule, finalized here, are
essentially the same as have been in place for more than 20 years with
the existing Medicaid payment suspension rule. We believe that the
significant built-in protections, in conjunction with the fact that we
are not aware that the current Medicaid suspension process has caused
significant undue hardship with providers having payments wrongly
suspended, lend adequate safeguards to the process. CMS will also
monitor States' implementation of the Medicaid payment suspension rule
through the various documentation requirements and State program
integrity reviews, to ensure that there are no marked shortcomings with
regard to States' processes.
Comment: One commenter suggested that the final regulation should
require State Medicaid programs to establish and codify a Medicaid
administrative review process with regard to the review of payment
suspensions.
Response: We recognize that individual State laws vary with regard
to their respective administrative review processes, and believe that
most or all States have established such processes. As previously
stated, we will revise the proposed language in the regulations to
reflect the inclusion of State administrative appeal procedures in the
notice of suspension furnished to providers. In addition, we believe
the notice should also include relevant citations to State law, where
applicable.
Comment: A couple of commenters suggested that CMS develop a system
or process for exposing and penalizing those who make false fraud
complaints.
Response: This is outside the scope of the proposed rule and
therefore we will not consider this suggestion at this time.
Comment: One commenter requested clarification regarding the fraud
referral standards established by CMS as a result of an OIG January
2007 report entitled ``Suspected Medicaid Fraud Referrals'' (OEI 07-04-
00181).
Response: We issued fraud referral standards on September 30, 2008.
The link to CMS' Web site where the fraud referral standards may be
found is: http://www.cms.gov/FraudAbuseforProfs/downloads/fraudreferralperformancestandardsstateagencytomfcu.pdf.

[[Page 5941]]

Comment: One commenter suggested that the content of a fraud
referral should be left to the discretion of each State. This commenter
suggested that a continuing collaborative environment will fulfill the
regulatory provisions regarding content of fraud referrals.
Response: We encourage States to collaborate with their MFCU. A
fraud referral must contain, at a minimum, the elements as outlined in
the proposed regulation and finalized here, but it is within a State's
discretion to the extent it wishes to add additional information.
Comment: One commenter suggested that FQHCs should be exempted from
the application of payment suspensions.
Response: We disagree. There is no statutory requirement to carve
out an exception for any particular category of provider. We believe
that payment suspensions apply to fraudulent conduct regardless of
provider type.
Comment: One commenter suggested that payment suspensions should
only apply to providers in the limited screening level, as that term is
defined and used in connection with the provider screening rules, under
only the most extraordinary circumstances.
Response: We decline to carve out an exception for providers in the
limited screening level in the context of a payment suspension. This
assignment to the limited level applies in the context of provider
screening, not for suspension of payments. The determination regarding
whether to impose a payment suspension is driven by credible
allegations of fraudulent conduct and not whether a provider is
assigned to a certain level for purposes of screening.
Comment: One commenter requested clarification regarding the
application of payment suspensions to billing providers as opposed to
prescribing providers. Another commenter requested a guarantee that
payment suspensions will not be imposed against a billing provider.
Response: We understand that there are circumstances in which the
prescribing provider may be different from the furnishing provider and/
or billing provider. Generally, we believe that payment suspension is
not the appropriate mechanism to recover Medicaid funds from one
provider who inescapably, but innocently, happens to be associated with
the fraudulent conduct of another provider. Because payment suspensions
only apply based upon credible allegations of fraud, payment
suspensions are generally not the appropriate vehicle by which to
recover reimbursement for items and/or services furnished by a provider
against whom there are no allegations of fraud. Nevertheless, there is
no guarantee that a payment suspension will only be imposed against the
billing provider as, particularly at the outset of an investigation of
a credible allegation of fraud, it may be impossible to precisely
determine the locus of the fraud or whether it involved collusion or
conspiracy.
Comment: One commenter requested clarification regarding whether
States with authority under existing State law may impose suspensions
for reasons other than where there is a credible allegation of fraud.
This commenter suggested that where such authority exists, the
requirements proposed under Sec. 455.23, including those concerning
referrals to the MFCU and the duration of suspension should not apply.
Response: The requirements for payment suspensions under the
proposed rule are based upon credible allegations of fraud. As we have
noted several times in both these responses and in the proposed rule,
nothing in these rules bar a State from exercising other broader
authorities to suspend payments to providers.
We are adopting the provisions of the proposed rule with the
exception of the following changes:
In Sec. 455.2, we have revised the definition of
``credible allegation of fraud'' to address the issue of the State's
verification of the allegation.
In Sec. 455.23(a)(1), we have added the verbiage ``after
the agency determines there is a credible allegation of fraud for
which'' after the term ``provider.''
In Sec. 455.23(b)(2), we have added a new subsection (vi)
that reads: ``Set forth the applicable State administrative appeals
process and corresponding citations to State law.''
In Sec. 455.23(d), we have added the verbiage ``has
alternative Federal or State authority by which it may impose a
suspension or'' before ``makes a fraud referral to another law
enforcement agency.''
In Sec. 455.23(e), we have revised subsection (3) to
state: ``The State determines, based upon the submission of written
evidence by the individual or entity that is the subject of the payment
suspension, that the suspension should be removed.''
In Sec. 455.23(e), we have added a new subsection (6)
that states: ``The State determines that payment suspension is not in
the best interests of the Medicaid program.''
In Sec. 455.23(f), we have revised subsection (2) to
read: ``The State determines, based upon the submission of written
evidence by the individual or entity that is the subject of a whole
payment suspension, that such suspension should be imposed only in
part.''
In Sec. 455.23(f), we have added a new subsection (5)
that states: ``The State determines that payment suspension only in
part is in the best interests of the Medicaid program.''

E. Proposed Approach and Solicitation of Comments for Sections 6102 and
6401(a) of the Affordable Care Act --Ethics and Compliance Program

1. Statutory Changes
Under section 6102 of the ACA which established new section 1128I
of the Act, a nursing facility (NF) or SNF shall have in operation a
compliance and ethics program that is effective in preventing and
detecting criminal, civil, and administrative violations and in
promoting quality of care, consistent with regulations developed by the
Secretary, working jointly with the HHS OIG. The regulations to
establish the compliance and ethics program for operating organizations
may include a model compliance program. The statute requires that in
the case of an organization that has five or more facilities, the
formality or specific elements of the program vary with the size of the
organization. The statute also requires that not later than 3 years
after the effective date of the regulations, the Secretary shall
complete an evaluation of the programs to determine if such programs
led to changes in deficiency citations, changes in quality performance,
or changes in the quality of resident care. The Secretary shall submit
to the Congress a report on such evaluation with recommendations for
changes in the requirements, as the Secretary deems appropriate.
Similarly, under section 6401(a) of the ACA, which established a
new section 1866(j)(8) of the Act, a provider of medical or other items
or services or a supplier shall, as a condition of enrollment in
Medicare, Medicaid or CHIP, establish a compliance program that
contains certain ``core elements.'' The statute requires the Secretary,
in consultation with the HHS OIG, to establish the core elements for
providers or suppliers within a particular industry or category. The
statute allows the Secretary to determine the date that providers and
suppliers need to establish the required core elements as a condition
of enrollment in Medicare, Medicaid, and CHIP. The statute requires the
Secretary to consider the extent to which the adoption of compliance
programs by providers or suppliers is widespread in a particular
industry sector or particular provider or supplier category. Please
note, NFs and

[[Page 5942]]

SNFs are subject to both compliance plan requirements under sections
6102 and 6401(a) since section 6401(a) of the ACA includes all
providers and suppliers enrolling into Medicare, Medicaid and CHIP. We
intend to establish compliance program core elements per section
6401(a) of the ACA for NFs and SNFs that closely match the required
components of a compliance program per section 6102 of the ACA.
2. Proposed Ethics and Compliance Program Provisions
In order to consider the views of industry stakeholders, we
solicited comments on compliance program requirements included in the
ACA. We do not intend to finalize compliance plan requirements in this
final rule with comment period; rather, we intend to do further
rulemaking on compliance plan requirements and will advance specific
proposals at some point in the future. We were most interested in
receiving comments on the following:
The use of the seven elements of an effective compliance and ethics
program as described in Chapter 8 of the U.S. Federal Sentencing
Guidelines Manual (http://www.ussc.gov/2010guid/20100503_Reader_Friendly_Proposed_Amendments.pdf, pp. 31-35) as the basis for the
core elements of the required compliance programs for Medicare,
Medicaid and CHIP enrollment. These elements instill a commitment to
prevent, detect and correct inappropriate behavior and ensure
compliance with all applicable laws, regulations and requirements, and
include:
The development and distribution of written policies,
procedures and standards of conduct to prevent and detect inappropriate
behavior;
The designation of a chief compliance officer and other
appropriate bodies (for example a corporate compliance committee)
charged with the responsibility of operating and monitoring the
compliance program and who report directly to high-level personnel and
the governing body;
The use of reasonable efforts not to include any
individual in the substantial authority personnel whom the organization
knew, or should have known, has engaged in illegal activities or other
conduct inconsistent with an effective compliance and ethics program;
The development and implementation of regular, effective
education and training programs for the governing body, all employees,
including high-level personnel, and, as appropriate, the organization's
agents;
The maintenance of a process, such as a hotline, to
receive complaints and the adoption of procedures to protect the
anonymity of complainants and to protect whistleblowers from
retaliation;
The development of a system to respond to allegations of
improper conduct and the enforcement of appropriate disciplinary action
against employees who have violated internal compliance policies,
applicable statutes, regulations or Federal health care program
requirements;
The use of audits and/or other evaluation techniques to
monitor compliance and assist in the reduction of identified problem
areas; and
The investigation and remediation of identified systemic
problems including making any necessary modifications to the
organization's compliance and ethics program.
In addition, we are particularly interested in comments about the
following:
The extent to which, and the manner in which, providers
and suppliers already incorporate each of the seven U.S. Federal
Sentencing Guidelines elements into their compliance programs or
business operations. We are interested in how and to what degree each
element has been incorporated effectively into the compliance programs
of different types of providers and suppliers considering their risk
areas, business model and industry sector or particular provider or
supplier category.
Any other suggestions for compliance program elements
beyond, or related to, the seven elements referenced previously
considering provider or supplier risk areas, business model and
industry sector or particular provider or supplier category including
whether external and/or internal quality monitoring should be a
required for hospitals and long-term care facilities.
The costs and benefits of compliance programs or
operations including aggregate or component costs and benefits of
implementing particular elements and how these costs and benefits were
measured.
The types of systems necessary for effective compliance,
the costs associated with these systems and the degree to which
providers and suppliers already have these systems including, but not
limited to, tracking systems, data capturing systems and electronic
claims submission systems. We anticipate having providers and suppliers
evaluate the effectiveness of their compliance plans using electronic
data.
The existence of and experience with State or other
compliance requirements for various providers and suppliers and
foreseeable conflicts or duplication from multiple requirements.
The criteria we should consider when determining whether,
and if so, how to divide providers and suppliers into groupings that
would be subject to similar compliance requirements including whether
individuals should have different compliance obligations from
corporations.
Available research or individual experience regarding the
current rate of adoption and level of sophistication of compliance
programs for providers or suppliers based on their business model and
industry sector or particular provider or supplier category.
How effective compliance programs have been for varied
providers and suppliers and how the level of effectiveness was
measured.
The extent to which providers and suppliers currently use
third party resources, such as consultants, review organizations, and
auditors, in their compliance efforts.
The extent to which providers and suppliers have already
identified staff responsible for compliance and, for those who already
have staff responsible for compliance, the positions of these staff.
A reasonable timeline for establishment of a required
compliance program for various types and sizes of providers and
suppliers, assuming the compliance program core elements were based on
the aforementioned U.S. Federal Sentencing Guidelines' seven elements
of an effective compliance and ethics program, considering business
model and industry sector or particular provider or supplier category.
We welcomed any information concerning how the industry views
compliance program elements and how we can establish required
compliance program elements to protect Medicare, Medicaid, and CHIP
from fraud and abuse.
3. Analysis of and Responses to Public Comment
We received numerous comments on compliance program elements in
response to this request. Though we will not respond to those comments
within this final rule with comment period, these will be considered
for further rulemaking on compliance plan requirements.
4. Final Provisions--Ethics and Compliance Program
We are not finalizing these provisions in this final regulation. We
are in the process of developing a new Notice of Proposed Rule Making
incorporating the

[[Page 5943]]

compliance plan provisions and comments received that will be published
at a later date. The proposed rule will also have an opportunity for
further public comment.

F. Termination of Provider Participation Under the Medicaid Program and
CHIP if Terminated Under the Medicare Program or Another State Medicaid
Program or CHIP

1. Statutory Change
Section 6501 of the ACA amends section 1902(a)(39) of the Act to
require a State Medicaid program to terminate any provider, be it an
individual or entity, participating in that program, subject to the
limitations on exclusions in sections 1128(c)(3)(B) and 1128(d)(3)(B)
of the Act, if the provider's participation has been terminated under
title XVIII of the Act or another State's Medicaid program. Effective
provider screening prevents excluded providers from enrolling in
government health care programs and being paid with Federal and State
funds. Effective screening of providers barred from participation can
reduce the risk of fraud, waste, and abuse in the Medicare and Medicaid
programs and CHIP
When a State terminates a provider but does not share that
information with any other State, all other States become vulnerable to
potential fraud, waste, and abuse committed by that provider.
Similarly, a provider, supplier, or eligible professional that has been
terminated from Medicare or has had Medicare billing privileges revoked
may enroll with a State Medicaid program or with CHIP when a State is
not aware of the Medicare termination or revocation. We may terminate
or revoke the billing privileges of a provider, supplier, or eligible
professional under Medicare for a number of reasons, as set forth at
Sec. 424.535, including exclusion from health care programs,
government-wide debarment, and conviction of certain violent felonies
and financial crimes.
Section 6501 of the ACA requires a State's Medicaid program to
terminate an individual or entity's participation in the program
(subject to certain limitations on exclusions in sections 1128(c)(3)(B)
and 1128(d)(3)(B) of the Act), if the individual or entity has been
terminated under Medicare or another State's Medicaid program. Although
the term ``termination'' only applies to providers under Medicare whose
billing privileges have been revoked (and does not apply to Medicare
suppliers or eligible professionals), we believe it was the intent of
the Congress that this requirement also be applicable to suppliers and
eligible professionals that have had their billing privileges under
Medicare revoked as well. Therefore, we proposed that ``termination''
be inclusive of situations where an individual's or entity's billing
privileges have been revoked. The requirement for States to terminate
would only apply in cases where providers, suppliers, or eligible
professionals were terminated or had their billing privileges revoked
for cause. ``For cause'' may include fraud, integrity or quality, but
not cases where the providers, suppliers, or eligible professionals
were terminated or had their billing privileges revoked based upon
voluntary action taken by the provider to end its participation in the
program, except where that voluntary action is taken to avoid a
sanction, or where a State removes inactive providers from its
enrollment files.
In addition, State Medicaid programs would terminate a provider
only after the provider had exhausted all available appeal rights in
the Medicare program or in the State that originally terminated the
provider or the timeline for such appeal has expired.
Section 6501 of the ACA builds upon the requirements in section
6401(b)(2) of the ACA, which requires that we establish a process to
make available Medicare provider, supplier, and eligible professional
and CHIP provider termination information to State Medicaid programs.
Section 1902(kk)(6) of the Act also requires States to report adverse
provider actions to CMS, including criminal convictions, sanctions, and
negative licensure actions.
When States are apprised of the terminations or revocations of
billing privileges, as the case may be, of providers, suppliers, and
eligible professionals that have occurred in other State Medicaid
programs, CHIP, or in Medicare, States have the information they need
to protect their programs.
2. Proposed Provisions for Termination of Provider Participation Under
the Medicaid Program and CHIP if Terminated Under the Medicare Program
or Another State Medicaid Program or CHIP
We proposed at Sec. 455.416(c) that a State Medicaid program must
deny enrollment or terminate the enrollment of a provider that is
terminated on or after January 1, 2011 under Medicare, or has had its
billing privileges revoked, or is terminated on or after January 1,
2011 under any other State's Medicaid program or CHIP.
While section 6501 of the ACA does not expressly require that
individuals or entities that have been terminated under Medicare or
Medicaid also be terminated from CHIP, we also proposed, under our
general rulemaking authority pursuant to section 1102 of the Act, to
require in CHIP regulations that CHIP take similar action to terminate
a provider terminated or revoked under Medicare, or terminated under
any other State's Medicaid program or CHIP.
We also proposed to add a definition at Sec. 455.101 for
termination for purposes of this section. That definition distinguishes
between Medicaid providers and Medicare providers, suppliers, and
eligible professionals and specifies that termination means a State
Medicaid program or the Medicare program has taken action to revoke the
Medicaid provider's or Medicare provider, supplier or eligible
professional's billing privileges and the provider, supplier or
eligible professional has exhausted all applicable appeal rights. There
is no expectation on the part of the provider, supplier, or eligible
professional or the State or Medicare program that the termination or
revocation is temporary. The provider, supplier or eligible
professional would be required to reenroll with the applicable program
if they wish billing privileges to be reinstated.
3. Analysis of and Responses to Public Comment
We received the following comments:
Comment: One commenter stated that while there is value to the
States to have additional authority under which to deny or terminate
Medicaid providers, it will be necessary to amend current statute and
regulations to include new reasons for denials and terminations, and
additional time will be required.
Response: In accordance with section 6508(b) of the ACA, a State
may delay implementation of this provision if the Secretary determines
that State legislation is required.
Comment: Commenters asked for clarification regarding ACA section
6401(b)(2) that requires CMS to establish a process to make available
Medicare provider, supplier, and eligible professional and CHIP
termination information to State Medicaid programs. Commenters asked if
a mechanism was in place for States to check for terminated providers
starting January 1, 2011. One commenter requested clarification as to
how State Medicaid programs would communicate with Medicare contractors
when the States had revoked or suspended a Medicaid enrollment. Another
commenter asked if the Provider Enrollment, Chain, and Ownership System
(PECOS) would be

[[Page 5944]]

used. Another commenter stated it would be ``next to impossible'' to
carry out this provision without an effective way to obtain information
from Medicare regarding terminated providers. One commenter urged CMS
to establish a national database that contains Medicare, CHIP
termination and exclusion information as well as information on
terminations from all State Medicaid programs.
Response: We are in the process of establishing a secure web-based
portal that will allow States to share information regarding terminated
providers. Using this web-based portal, a State will be able to upload
as well as download information regarding its terminated providers and
download information regarding terminated providers in other States and
Medicare. States will not be required to report those providers who
were terminated prior to January 1, 2011. Access to the information-
sharing portal is limited to users that we have approved.
Comment: Some commenters requested that CMS clarify the timeframes
for State reporting of terminations.
Response: States should report terminations on a monthly basis in
order to assist other States and the Medicare program in protecting
themselves from providers who pose an increased risk to government
health care programs.
Comment: One commenter requested that States be granted real time
access to the exclusion database. Another commenter suggested that CMS
consider leveraging existing Federal databases such as the NPI and
NPPES.
Response: We are in the process of exploring potential
opportunities to leverage existing databases and infrastructure that
would enable timely access to provider enrollment data across programs.
We are currently examining to what extent we can support such a
centralized information sharing solution.
Comment: One commenter requested clarification that Medicaid
termination should only last as long as the Medicare termination,
especially in States where ``terminate'' means ``permanent exclusion.''
Response: When a State terminates a provider based on the fact that
the provider was terminated by Medicare, the duration of the State's
termination action should be consistent with State law, and not
necessarily driven by the length of the Medicare termination. The same
would hold true when a State terminates a provider based on a
termination action in another State. We do not wish to dictate to
States the duration of their terminations.
Comment: One commenter contended that the proposed rule did not
detail the parameters of the termination process. Specifically, it did
not state what would happen if a provider is wrongfully terminated from
participation in Medicare or another public benefit, or the different
termination scenarios--such as the effect on a group practice if a
provider in that group is suspected of fraud. The commenter also
requested further explanation and clarification regarding the timeline
and parameters for termination of provider participation in Medicare,
Medicaid, and CHIP.
Response: For purposes of the Medicaid program, the parameters of
the termination process would be governed by the terminating State's
administrative appeals processes. Accordingly, the timeline and
parameters for termination will vary depending on the State in which
the termination occurs. State Medicaid agencies and CHIP must deny
enrollment or terminate the enrollment of any provider that is
terminated by Medicare or another State's Medicaid program or CHIP on
or after January 1, 2011. If a provider is wrongfully terminated from
Medicare or another State's Medicaid program or CHIP, and a subsequent
State has already terminated such provider from its Medicaid program or
CHIP, the subsequent State should reinstate the provider once the
subsequent State has evidence demonstrating that the provider was
wrongfully terminated.
When an individual provider is terminated by a State Medicaid
program or CHIP, the effect on a group practice would be that the
individual provider who is terminated may not participate in the
Medicaid or CHIP programs until that provider is eligible to, and does
re-enroll. Therefore, neither the individual provider, nor the group
practice would be able to bill Medicaid or CHIP for care and/or
services provided by the individual provider that has been terminated.
Comment: One commenter stated that termination is defined to be
inclusive of situations where an individual or entity's billing
privileges have been revoked. The commenter requested clarification
because not all providers have billing privileges. For example, a
particular pharmacist may be denied participation in a State's Medicaid
program; however, because the pharmacist does not have direct billing
privileges, another State would not have to also terminate that
provider.
Response: The requirement for termination is not limited to
situations in which a provider is billing the Medicaid program. The
requirement for termination applies to enrolled providers generally,
not just billing providers. An enrolled provider that has had its
billing privileges revoked by Medicare must be terminated by the
States' Medicaid programs, regardless of whether the provider is
submitting claims.
Comment: One commenter requested clarification for States regarding
termination when a provider has more than one NPI or Medicare ID
number. A commenter inquired if CMS will terminate a provider's NPI,
Medicare legacy number or both. This commenter also asked if a provider
has multiple NPIs and/or Medicare numbers, does Medicare terminate a
provider under one number but allow them to continue to participate
under other NPI/Medicare numbers. This commenter indicated that if the
response is yes, would a State be expected to follow suit, that is,
terminate only the NPI that Medicare has terminated. Finally, the
commenter asked what States should do in cases where providers have
multiple legacy Medicaid numbers that crosswalk to a single NPI.
Response: It is the provider, not the provider's identifiers, which
are to be terminated under this provision. Thus, to the extent that
Medicare terminated one or multiple NPIs/Medicare legacy numbers for
cause that are tied to one provider we generally expect that State
Medicaid agencies will follow suit. Accordingly, if one provider has
multiple Medicaid identification numbers, then the State would be
required to terminate such provider numbers if the State determines
there is cause for such termination and the provider has exhausted its
appeal rights.
Comment: Several commenters expressed concern over the potential
for terminations of affiliated providers when one provider had been
terminated in another State. One commenter asked if other State
Medicaid agencies will be compelled to terminate affiliates that have a
common corporate parent. A commenter asked if terminations for a
corporation apply to any branches or franchises of that corporation.
Response: Section 6501 of the ACA does not require the termination
of affiliates of terminated entities. Accordingly, we are not requiring
States at this time to terminate affiliates of those individuals or
entities that have been terminated by another Medicaid program or had
their billing privileges revoked by the Medicare program.
Comment: One commenter stated that it is a common State statutory
requirement or best practice for a provider to form a legal corporate
entity

[[Page 5945]]

unique to the State. The commenter requested clarification for the
legal basis for Federal enforceability of termination from or denied
enrollment into a State's program based upon the termination or denial
status in another State where the provider and its principals are the
same individuals but the ``provider'' is a separate legally
incorporated entity under State law.
Response: Section 1902(a)(39) of the Act requires State Medicaid
agencies to terminate the participation of any individual or entity
that has been terminated under Medicare or another State's Medicaid
program. When a State is contemplating a termination as a result of a
termination that was initiated by another State's Medicaid program, and
there is a question regarding the identity of the provider who is the
subject of the termination, it is generally up to the subsequent
terminating State to determine whether a provider in their State is the
same provider that was initially terminated by another State's Medicaid
program. In order to determine whether a provider in one State is the
same provider that was terminated in another State, a State could look
at a variety of factors, including, but not limited to, NPI and
correspondence address. The State could also communicate with the
Medicaid agency that originally terminated the provider to help resolve
the question of the provider's identity. If the State believes that
background checks are required to verify the identity of a provider,
then States should conduct such background checks. We believe the
States should have flexibility to determine the best method for
identity verification.
Comment: One commenter suggested that the regulatory definition of
termination at Sec. 455.101 should be revised to include the
termination of persons or entities with an ownership or control
interest or who is an agent or managing employee of a provider.
Response: The ACA does not contemplate termination based upon
ownership or control. The statute requires termination of the same
individual or entity that was terminated by Medicare or another State's
Medicaid program.
Comment: A few commenters requested that CMS clarify in the final
rule with comment period that termination from the Medicaid program
must only occur when a provider has had billing privileges revoked or
terminated by Medicare for cause.
Response: The requirement for States to terminate would only apply
in cases where providers, suppliers or eligible professionals were
terminated or had their billing privileges revoked for cause which may
include, but is not limited to, fraud, integrity or quality issues. In
addition, we have defined ``termination'' in the final rule with
comment period as occurring when a State Medicaid program has taken
action to terminate a provider and the provider has exhausted all
applicable appeal rights that are available in the State or the
Medicare program, or the timeline for appeal has expired, whichever is
applicable.
Comment: One commenter requested information regarding how managed
care organizations will be able to access provider termination
information.
Response: We encourage States to share such information with their
managed care entities.
Comment: One commenter requested that an appeals process be
established for providers and suppliers that would permit a provider/
supplier to continue to provide care under a program if they can
demonstrate ``good cause exemptions.''
Response: While we appreciate the commenter's suggestion, section
6501 of the ACA requires States to terminate the participation of any
provider that has been terminated under Medicare or another State's
Medicaid program, and allows for exceptions only as permitted under
sections 1128(c)(3)(B) and 1128(d)(3)(B) of the Act.
Comment: Commenters expressed concern that the proposed rule allows
for the imposition of sanctions based upon findings made outside the
agency. For example, if Medicare revokes a provider's billing
privileges and a State initiates a termination action as a result of
such revocation, then, in the commenter's view, the proposed rule gives
the provider a right to use the State administrative appeal process to
challenge anew the Medicare revocation.
Response: We disagree. The provider is not provided a new forum in
which to litigate the Medicare termination action. The ACA does not
give a State the authority to review a Medicare termination action. The
statute requires a State to terminate a provider that was terminated by
Medicare or another State's Medicaid program, with certain limited
exceptions.
Comment: A few commenters indicated that the proposed regulation
fails to state that termination from the Medicaid program must only
occur in situations in which the provider or supplier had its billing
privileges terminated or revoked for cause, that is, fraud, integrity
or quality issues.
Response: We agree. In the regulatory definition for
``termination,'' we will state that the requirement for States to
terminate would only apply in cases where providers, suppliers or
eligible professionals were terminated or had their billing privileges
revoked for cause which may include, but is not limited to, fraud,
integrity or quality issues.
Comment: Certain commenters requested a specific timeline for due
process in connection with the appeal of termination actions and the
parameters of the termination process in Medicaid.
Response: As we have indicated previously in these responses, we
believe that States should have the flexibility to decide termination
actions consistent with their individual State administrative appeals
process. In addition, since State law and regulations may vary with
regard to this issue, we defer to the States regarding their existing
termination processes.
Comment: One commenter suggested that reciprocal termination must
be limited to revocations of privileges due to fraud and where the
physician has exhausted all possible appeal rights.
Response: We agree. As stated in the proposed rule, the requirement
for States to terminate would only apply in cases where providers,
suppliers or eligible professionals were terminated or had their
billing privileges revoked for cause. In addition, we defined
``termination'' as occurring when a State Medicaid program has taken
action to revoke a Medicaid provider's billing privileges and the
provider has exhausted all applicable appeal rights that are available
in that State, or the timeline for appeal has expired, or when the
Medicare program has revoked the provider or supplier's billing
privileges and the provider or supplier has exhausted all applicable
appeal rights, or the timeline for appeal has expired.
Comment: One commenter requested a definition of ``eligible
professional.''
Response: In the context of terminations, ``eligible professional''
is a term that is specific to the Medicare program. For purposes of the
Medicare program, an eligible professional may include a physician
assistant, nurse practitioner, or clinical nurse specialist, certified
nurse-midwife, clinical social worker, clinical psychologist,
registered dietitian or nutrition professional. See section 1842(b)(18)
of the Act.
Comment: Certain commenters requested clarification regarding when
a termination is triggered under the statute.
Response: A termination in a subsequent State is triggered when
Medicare or a State Medicaid program has taken action to revoke a
provider's billing privileges for cause and the provider has exhausted
all applicable appeal rights that are available in

[[Page 5946]]

Medicare or the originally-terminating State or the timeline for appeal
has expired.
Comment: A commenter stated that section 6 of Executive Order 13132
requires that: (1) Each agency have an accountable process to ensure
meaningful and timely input by State officials in the development of
regulatory policies that have Federalism implications, and (2) no
agency shall promulgate any regulation that has Federalism implications
that imposes substantial direct compliance cost on State governments.
The commenter recommended that CMS explain the process that was used to
ensure that meaningful and timely input was received from the States
prior to the development of this proposed rule.
Response: We have worked closely with State Medicaid agencies on
the proposed rule and in the development of the final rule with comment
period.
Comment: One commenter requested clarification regarding the
process of how Medicare reinstatements will be communicated to States
and whether States will be required to automatically reinstate a
provider in the Medicaid program once a provider ``finishes the
Medicare termination/revocation period.''
Response: Presumably, States will be notified by providers who are
seeking re-enrollment or reinstatement in the Medicaid program. It is
the responsibility of the States to validate the status of a provider's
termination with Medicare. When a provider may seek re-enrollment is up
to the discretion of the States and should be consistent with State
law. Similarly, the duration of termination should be consistent with
existing State law.
4. Final Provisions for Termination of Provider Participation Under the
Medicaid Program and CHIP if Terminated Under the Medicare Program or
Another State Medicaid Program or CHIP
We have retained the provisions of the proposed rule, with the
exception of the following:
In Sec. 455.101, we have added the following subsection
(3) to the definition of termination: ``The requirement for termination
applies in cases where providers, suppliers, or eligible professionals
were terminated or had their billing privileges revoked for cause which
may include, but is not limited to: (i) Fraud; (ii) integrity; or (iii)
quality.''

G. Additional Medicare Provider Enrollment Provisions

1. Statutory Changes
Section 6501 of the ACA requires States to terminate a provider or
supplier under the Medicaid program when the provider or supplier has
been terminated by Medicare or by another State's Medicaid program. We
believe that permitting CMS to revoke Medicare billing privileges when
a State Medicaid agency terminates, revokes, or suspends a provider or
supplier's Medicaid enrollment or billing privileges works in tandem
with section 6501 of the ACA.
2. Proposed Provisions for Additional Medicare Provider Enrollment
In Sec. 424.535(a)(11), we proposed allowing CMS, directly or
through its contractor, to revoke Medicare billing privileges when a
State Medicaid agency terminates, revokes, or suspends a provider or
supplier's Medicaid enrollment or billing privileges. Moreover, we
believe that providers and suppliers whose enrollment has been
terminated by a State Medicaid program may pose an increased risk to
the Medicare program.
3. Analysis of and Response to Public Comments
We received one comment on the proposed provision related to
Medicare termination.
Comment: A commenter stated that proposed Sec. 424.535(a)(11)
contains an editorial error that makes the language of the proposed
rule difficult to understand.
Response: Section 424.535(a) lists reasons for revocation of
Medicare enrollment. Sec. 424.535(a)(12) is one such reason--if a
State has terminated a provider from Medicaid, Medicare can terminate
the provider from Medicare. We will reword the language in Sec.
424.535(a)(12) to clarify the circumstances being addressed.
4. Final Provisions for Additional Medicare Provider Enrollment
This final rule with comment period finalizes the provisions of the
proposed rule in regards to our discretion to revoke a provider or
supplier's Medicare billing privileges when terminated, revoked or
suspended by a State Medicaid agency with no modifications.

H. Technical and General Comments

Comment: A commenter stated that the definition of ``provider of
services'' in section 1861(u) of the Act and ``supplier'' in section
1861(d) of the Act differs from the meaning of ``provider of services''
and ``supplier,'' respectively, in the proposed rule. The commenter
also was unclear as to whether the proposed rule's references to
``providers'' refer to ``provider of services.'' The commenter
requested clarification on both issues.
Response: The proposed rule stated that in Medicare, the term
provider of services under section 1861(u) of the Act means health care
entities that furnish services primarily payable under Part A of
Medicare, such as hospitals, home health agencies (including home
health agencies providing services under Part B), hospices, and skilled
nursing facilities. The term ``suppliers'' defined in section 1861(d)
of the Act refers to health care entities that furnish services
primarily payable under Part B of Medicare, such as independent
diagnostic testing facilities (IDTFs), durable medical equipment
prosthetics, orthotics, and supplies (DMEPOS) suppliers, and eligible
professionals, which refers to health care suppliers who are
individuals, that is, physicians and the other professionals listed in
section 1848(k)(3)(B) of the Act. For Medicaid and CHIP, we use the
terms ``providers'' or ``Medicaid providers'' or ``CHIP providers''
when referring to all Medicaid or CHIP health care providers, including
individual practitioners, institutional providers, and providers of
medical equipment or goods related to care. The term ``supplier'' has
no meaning in the Medicaid program or CHIP.
Comment: A commenter suggested that to avoid misinterpretation,
non-physician practitioners should be clearly defined in the final rule
with comment period.
Response: The proposed and final rule with comment period refer to
non-physician practitioners to mean any non-physician practitioner who
is eligible to enroll in Medicare, Medicaid or CHIP under existing
regulations and statutes. In addition, this term is already defined at
section 1848(b)(18)(C) of the Act.
Comment: A commenter stated that with the issuance of CMS-1510-F on
November 2, 2010, CMS should renumber the denial and revocation reasons
found in this proposed rule. In CMS-1510-F, CMS finalized a new denial
reason in Sec. 424.530(a)(8) and a new revocation reason in Sec.
424.535(a)(12).
Response: We have revised these provisions in the regulatory text.
Comment: A commenter stated that CMS violated section 6(a) of
Executive Order 12866 by not giving the public a 60 day review period
for this rule and that CMS only allowed a 55 day review period. The
commenter also could not

[[Page 5947]]

find a CMS Press Release or information on the CMS Web site indicating
that CMS notified the public that it placed this rule on display and
began the public comment period in advance of the publication of the
proposed rule in the Federal Register. The commenter recommended that
CMS reissue a new proposed rule or extend the comment period for this
proposed rule by additional 60 days.
Response: The Department of Health and Human Services released a
press release on September 20, 2010 accessible on its Web site that
announced the display of the proposed rule at the Federal Register. The
press release is accessible at: http://www.hhs.gov/news/press/2010pres/09/20100920e.html. Additional media outlets reported the proposed rule
display on September 17th, 2010. We do not believe it is appropriate to
extend the comment period for an additional 60 days, and we have taken
into account all comments received during the comment period.
Comment: Several commenters stated that the proposed timeframe for
implementation and compliance is extremely aggressive. First, smaller,
rural providers and suppliers may not be organizationally able to fully
comply without significant cost and effort, thus impacting access to
care. Second, the DME MACs and the NSC will have to be able to identify
suppliers and implement payment edits, both by specialty code.
Response: As stated previously, the timeline is a required under
the ACA. We have been working closely with our contractors and with
providers and suppliers to ensure that compliance with this final rule
with comment period will not affect patients' access to health care.
Comment: Several commenters stated that the implementation
timetables for this proposed rule were too ambitious, and that
sufficient lead time is necessary for CMS to have operational computer
programs in place to administer these requirements correctly and
consistently.
Response: This final rule with comment period is implementing
provisions of the ACA which sets forth deadlines for implementation of
the screening provisions.
Comment: A commenter stated that in its manual instructions, CMS
describes the verification of legalized status for physicians and non-
physician practitioners. However, the commenter stated that the
proposed rule is silent regarding the verification or screening process
that will be used to determine legal status of an owner, authorized
official, delegated official, managing employee, physician or non-
physician. The commenter recommended that CMS explain this process in
the proposed rule. Another commenter urged CMS to revise its existing
CMS-855 enrollment applications to include questions on residency,
legal status, and/or citizenship, arguing that this would help reduce
fraud.
Response: Information collected on the CMS-855 enrollment
applications are used to verify residency, including the Social
Security Number and the Date of Birth. This process is a part of the
general screening process, and is applied to all screening levels,
including limited.
Comment: A commenter stated that since illegal immigrants are not
legally authorized to work in the United States or own or operate a
business in the United States, CMS should: (1) Coordinate and verify
both the identity and work status of any individual practitioner or
owner with the United States Citizenship and Immigration Services, and
(2) establish new Medicare, Medicaid and CHIP denial and revocation
reasons when an individual is not authorized to work in the United
States legally and that CMS refer any individuals to the appropriate
authorities for expulsion from the United States.
Response: As stated previously, we have existing procedures in
place that verify an applicant's eligibility to work in the United
States.
Comment: One commenter recommended that CMS furnish the number of
providers and suppliers by specialty type that have or do not have an
enrollment record in PECOS. This will, the commenter believes, help
clarify the impact of this rule on providers and suppliers.
Response: This final rule with comment period does not impact the
enrollment requirements related to PECOS for providers and suppliers.
In May of 2010, we published CMS--6010-IFC which required all
physicians and eligible professionals who order and refer home health
services or Part B items and services (excluding Part B drugs) to
Medicare to be enrolled in PECOS. Additional communications have been
published with regard to that interim final rule with comment period,
and do not impact the provisions finalized here. This final rule with
comment period established the screening requirements for providers
under Medicare, Medicaid and CHIP, and application fees for newly
enrolling or revalidating providers. All newly enrolling or
revalidating providers must establish records in PECOS as this is the
only available enrollment option at this time.
Comment: A commenter stated that Medicare, Medicaid and CHIP must
work in tandem to assure compliance, so that bad actors cannot move
from one program to another and shelter themselves through the lack of
coordinated data, standards, information and enforcement.
Response: We concur with this comment. This final rule with comment
period implements the ACA provision that requires State Medicaid
Agencies, to terminate a provider when a provider has been terminated
by Medicare added at Sec. 455.416. This final rule with comment period
also implements regulations at Sec. 455.470 that authorizes State
Medicaid agencies to impose a temporary moratoria when Medicare imposes
such a moratoria, except when the State Medicaid agency determines an
imposition would affect beneficiaries' access. These provisions are
directly aimed at eliminating the type of program abuses addressed by
the commenter.
Comment: A commenter stated that despite the additional burdens it
will create, it supported the proposed rule because there is no
alternative. The commenter stated that if fraud, abuse and waste are
not eliminated and quality improvement is not made central to home
health and hospice, it feared for the future of home-based care when it
is needed most.
Response: We agree with the commenter. We believe that these
provisions are intended to protect the integrity of these programs for
future generations.
Comment: A commenter suggested that CMS should change its
contractors' claims processing system to a system similar to that used
by credit card companies. This will help ensure that fraud and abuse
can be detected in real time, rather than later.
Response: We are continually exploring additional improvements to
our data systems, but disagree with the commenter's suggestion that we
must change all of our contractors systems to implement real time data
analysis. We are committed to working with both private and public
partners to evaluate technologies that can provide the scalability and
safeguards to beneficiary access that are necessary to ensure accurate
payments to legitimate providers for appropriate services supplied to
enrolled beneficiaries.
Comment: A commenter stated that CMS should establish a new
requirement that organized medical staffs and hospitals report the
provision of (but not the results of) peer review as

[[Page 5948]]

a quality indicator, and that CMS should post the quality indicator for
each hospital department on its Hospital Compare Web site, together
with an explanation of the importance of peer review to assure patient
safety, quality, and identification of medically unnecessary services.
Response: This comment is beyond the scope of this rule. This final
rule with comment period does not address the reporting of quality
indicators or the Hospital Compare Web site.
Comment: A commenter stated that MACs should no longer accept
certain CPT codes for laboratory test payments.
Response: This comment is beyond the scope of this rule. This final
rule with comment period does not address our coverage and payment
decisions for CPT codes.
Comment: A commenter stated that CMS should consider bidding out
laboratory coding to a contractor, similar to the manner in which the
PDAC operates for DME coding.
Response: This comment is beyond the scope of this rule. This final
rule with comment period does not address the bidding of laboratory
coding to a contractor.
Comment: A commenter expressed support for many of the details and
provisions contained within the proposed rule and requested that CMS
continue to seek input from all stakeholders about matters related to
hospitals and health systems.
Response: We concur with the commenter's request to continue to
seek input from all stakeholders, and fully intend to do so in regard
to the requirements of this final rule with comment, as well as annual
payment regulations.
Comment: A commenter expressed concern that anti-fraud laws and
regulations, adopted to root out unscrupulous activity resulting from
criminal intent, are increasingly used to impose harsh penalties for
inadvertent mistakes and contribute to the escalating costs of health
care as providers attempt to comply with increasingly voluminous and
sophisticated systems and requirements.
Response: We continually balance the necessity to eliminate fraud,
waste, and abuse with reducing the burden on legitimate providers,
suppliers, and beneficiaries. Section 6401 of the ACA requires that the
Secretary determine the level of screening according to the risk of
fraud, waste, and abuse. This final rule with comment period implements
this provision by instituting levels of screening based on risk of
fraud, waste, and abuse, and has the flexibility to adapt to future
developments by adjusting the categories as appropriate. We will use
this new authority to prevent just such situations as described by the
commenter, and will reduce the burden on legitimate providers who may
make mistakes, and target fraud prevention resources appropriately.
Comment: A commenter stated that serial number tracking should be
considered for much of the equipment provided by DMEPOS suppliers,
similar to the Vehicle Identifier Number (VIN) system used in the
transportation manufacturing industry.
Response: While we appreciate this comment, it appears to be
outside the scope of this rule. Also, this comment would require a
thorough evaluation of the cost of such a requirement on DMEPOS
suppliers, the access issues it could potentially cause to
beneficiaries if we mandated that only serial numbered equipment must
be provided to beneficiaries, the additional system requirements that
we would need to enhance to track such equipment, and the estimated
benefit from such a requirement.
Comment: A commenter stated that the fight against health care
fraud would be bolstered if Medicare, Medicaid and private insurers
would share information about providers' enrollment and billing
patterns. The commenter therefore recommended that CMS: (1) Revise its
regulations and the CMS-855 to collect information about all other
health care payers, and (2) share the information it collects via the
enrollment and payment process with private payers, Medicaid, and
Medicare Advantage Organizations.
Response: We would have to carefully evaluate the commenter's
proposal. We must go through notice of rulemaking and comment period
before revising any regulation. Additionally, we would have to
carefully consider the privacy issues that accompany increased data
sharing, especially with private payers, and weigh the potential
concerns of providers and suppliers with the expected benefit of such a
measure. However, we have been working closely with private and public
partners regarding strategies to effectively work together to have a
broad view of the health care claim landscape, and will continue to
evaluate opportunities to collaborate on the improved detection of
health care fraud.
Comment: A commenter urged CMS to consider ways to enhance Medicare
CoPs for home health and hospice providers to achieve more lasting
changes. The commenter stated that CMS withdrew the proposed CoPs
changes for home health in 1997 and has not taken further action. The
commenter recommended that CMS consult with provider groups to revise
and finalize the CoPs for home health as quickly as possible.
Response: This comment is outside of the scope of the final rule
with comment period.
Comment: A commenter recommended that CMS: (1) Provide the direct
savings that have resulted from provider screening activities between
2000 and 2010, (2) calculate the savings to the Medicare Trust Funds
and the General Fund based on this proposed rule, and (3) explain
whether the estimated savings will result in fewer actual dollars spent
on health care or whether the changes proposed will only slow the
expenditure growth.
Response: We believe that all of the agency's program integrity
activities have resulted in savings to the Trust Fund and the General
Fund. We are not required to report a return on investment regarding
historical screening initiatives, or project savings regarding the
statutory requirements. The fact that we have in the past denied any
application means that we have prevented an unqualified provider or
supplier from providing services and/or care to Medicare beneficiaries
that could have resulted in physical harm or financial loss to such a
beneficiary.
Comment: One commenter stated that this proposed rule will be
ineffective in halting fraud because it is reactive, and it is
impossible for any government entity to react in a timely manner.
Response: We disagree with the comment that the new authorities in
this final rule with comment period are reactive. Particularly, the
screening requirements for newly enrolling providers which will
proactively prevent individuals from entering the Medicare, Medicaid
and CHIP programs for the sole purpose of defrauding taxpayers.
Temporary moratoria will also permit the agency to develop a strategy
to mitigate the risk of fraud while stopping the pace of potentially
fraudulent enrolling providers. We believe these new tools will enable
us to become a more proactive gatekeeper of the Medicare Trust Fund.
Comment: A commenter recommended that all providers and suppliers
be subject to the provisions associated with section 6401(a)(3) of the
ACA.
Response: This comment is outside of the scope of this final rule
with comment period.
Comment: A commenter contended that CMS's statement in the preamble
that Medicare is the primary payer of health care for 45 million
enrolled

[[Page 5949]]

beneficiaries is incorrect. The correct number should be more than 47
million. The commenter also recommended that CMS provide the number of
Medicare beneficiaries that are enrolled in Medicare Advantage plans.
Response: We will address this correction in the preamble. The
provisions of this final rule with comment period do not apply to
Medicare Advantage plans, so the number of Medicare Advantage-enrolled
beneficiaries would not be relevant to the preamble.
Comment: A commenter questioned whether CMS could implement the
provisions of this proposed rule when information on its provider
enrollment Web site is not regularly updated.
Response: We are implementing provisions of this proposed rule, and
are working with the provider community in various outlets, including
its provider Web site. The provider enrollment Web site will reflect
the requirements of this final rule with comment period.
Comment: Several commenters stated that the Federal and State
programs will be more efficient if they recognize another program's
enrollment determinations, decisions to suspend payments, and
imposition of moratoria. To handle the complexity and coordination of
monitoring participation and appropriately suspending payments or
terminating contracts with providers and suppliers, the commenter
recommended CMS develop and maintain a central, consolidated database
for housing participation status, suspension of payments and imposed
moratoria for all three programs. The commenters stated that CMS should
also strengthen and expand efforts to coordinate data sharing between
government health programs across the various Federal agencies, as well
sharing of information with MAOs, MCOs and CHIP sponsors.
Response: We agree with the previous comment that we should seek to
become more efficient by sharing screening determinations, decisions to
suspend payments and imposition of enrollment moratoria to the extent
possible under applicable laws. We are continually evaluating and
strengthening efforts to coordinate data sharing between health
programs across various agencies.
Comment: A commenter stated that regulators and industry need to
work together to minimize the impact of sham companies and other
instances of fraud, and that this proposed regulation is a step in the
right direction.
Response: We agree with this comment.

III. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995, we are required to
provide 60-day notice in the Federal Register and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act
of 1995 requires that we solicit comment on the following issues:
The need for the information collection and its usefulness
in carrying out the proper functions of our agency.
The accuracy of our estimate of the information collection
burden.
The quality, utility, and clarity of the information to be
collected.
Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
We solicited public comment on each of these issues for the
following sections of this document that contain information collection
requirements (ICRs):
For this final rule with comment period, we will be retaining the
Collection of Information estimates in the proposed rule, in accordance
with the discussion below.

A. ICRs Regarding Medicare Application Fee Hardship Exception (Sec.
424.514)

Section 424.514(e) states that a provider or supplier that believes
it has a hardship that justifies a waiver exception of the application
fee must include with its enrollment application a letter that
describes the hardship and why the hardship justifies a waiver
exception. The burden associated with this requirement is the time and
effort necessary to submit a Medicare enrollment application, which is
required currently of any individual or entity enrolling in Medicare.
In addition to the enrollment application, a provider or supplier would
have the new burden of drafting and submitting a letter to justify its
hardship waiver request should it choose to submit one. The burden
associated with submitting Medicare enrollment applications A, B, I, R
and CMS-855S, are currently approved under Office of Management and
Budget (OMB) control numbers 0938-0685 and 0938-1057, respectively).
Although we have no way of knowing for certain how many entities will
actually submit an application with a letter requesting a waiver, we
know that there are likely to be more such requests in the early years
of implementation than in later years. We estimated that in the first
year, 12,000 providers or suppliers--or slightly over 50 percent of the
total number of providers and suppliers that we believe will be subject
to the application fee--will submit waiver request letters as part of
their application packages. (As stated in the preamble, the application
fee does not apply to individual eligible professionals nor to group
practices of these individual professionals.) We also estimated that it
will take each provider or supplier 1 hour to develop the letter. The
total estimated annual burden associated with this requirement is
therefore 12,000 hours at a cost of $600,000, or $50.00 per waiver
request.

B. ICRs Regarding Medicare Fingerprinting Requirement (Sec. 424.518)

Consistent with Sec. 424.518 we will require the submission of a
set of fingerprints--either electronically collected by CMS' authorized
channeler or using the FD-258 standard fingerprint card obtained from
the local law enforcement agency that collected the fingerprints--from
all individuals who maintain a 5 percent or greater direct or indirect
ownership interest in a prospective HHA or DMEPOS supplier that is
enrolling in Medicare. We estimate that CMS or its designated
contractors will make 7,000 such requests per year. This is predicated
on our projection that--based on 2009 statistics--roughly 7,000 DMEPOS
suppliers and HHAs will annually enroll in Medicare. For purposes of
this ICR statement only, and to ensure that we do not underestimate the
possible burden, we estimate that all of these providers and suppliers
will be required to submit fingerprints. We further estimate that an
average of five individuals per provider or supplier will be required
to comply with this request. (It must be noted that for purposes of
this ICR and the RIA below, we sought comments on whether the estimate
of five individuals per applicant is accurate. No comments were
received.) Additionally, we estimate that it will take each of the
35,000 respondents (7,000 provider requests x 5 respondents per
provider request) an average of 2 hours to obtain and submit
fingerprints. Consequently, the total estimated annual burden
associated with this requirement is 70,000 hours (35,000 responses x 2
hours per response) at a cost of $3.5 million (70,000 hours x $50 per
hour).
Sections 424.518(c)(3)(ii) and (iii) call for the submission of a
set of fingerprints for a national background

[[Page 5950]]

check from all individuals who maintain a 5 percent or greater direct
or indirect ownership interest in a provider or supplier that has moved
into the ``high'' risk category based on an adverse action or the
lifting of a moratorium. The burden associated with this requirement is
the time and effort necessary for the individual to submit the required
information upon request. We estimate that CMS or its designated
contractors will make 2,000 requests per year. This is based on the
number of providers and suppliers that we estimate will attempt to
enroll in Medicare: (1) After the lifting of a moratorium for their
respective provider or supplier type, or (2) that have had one of the
adverse actions in Sec. 424.518(c)(3)(ii) imposed against it. This
estimate of course, cannot be conclusively quantified because it is
impossible for us to say with certainty which provider and supplier
types will be subject to a moratorium. To ensure that we do not
underestimate the potential burden, we also calculated projections
should 5,000 or 10,000 requests be made.
We estimate that an average of five individuals per provider or
supplier will be required to comply with this request. We further
project that it will take each of the 10,000 respondents (2,000
provider or suppliers requests x 5 respondents per provider or supplier
request) an average of 2 hours to obtain and submit the fingerprints.
The estimated annual burden associated with this requirement, based on
2,000 requests is 20,000 hours (10,000 respondents x 1 response per
respondent x 2 hours per response) at a cost of $1 million (20,000
hours x $50 per hour). If 5,000 requests are made, the burden is 50,000
hours at a cost of $2.5 million (5,000 requests x 5 responses per
request x 2 hours per response x $50 per hour.) If 10,000 requests are
made, the burden is 100,000 hours at a cost of $5 million (10,000
requests x 5 responses per request x 2 hours per response x $50 per
hour).\6\
---------------------------------------------------------------------------

\6\ Note that these figures pertain only to individuals who are
not physicians. Physicians are addressed in the following paragraph.
---------------------------------------------------------------------------

In addition, there are some limited circumstances when CMS could
ask a physician to submit fingerprints. For example, a provider or
supplier that is being enrolled in Medicare after the lifting of a
temporary moratorium could automatically be classified as ``high'' risk
and, as such, would be subject to criminal background checks and
fingerprinting of owners of the company. If a physician were to have a
5 percent or greater direct or indirect ownership interest in the
provider or supplier, CMS would have the authority to request
fingerprints from him or her. Other circumstances might include when a
physician has had an adverse action imposed against him or her and, in
accordance with Sec. 424.518(c)(3)(ii), has been placed in the
``high'' risk category. We estimate that CMS or its designated
contractors will make 500 such requests for fingerprints per year. We
further estimate that it will take each of the 500 respondents a total
of 2 hours to obtain and submit the fingerprints. The total estimated
annual burden associated with this requirement is 1,000 hours (500
respondents x 1 response per respondent x 2 hours per response) at a
cost of $50,000 (1,000 hours x $50 per hour).
Therefore, assuming that 2,000 post-moratorium requests for
fingerprints are made, the total estimated annual burden associated
with the Medicare requirements in this ICR is 103,000 hours at a cost
of $5,150,000. If 5,000 post-moratorium requests are made, the
estimated annual burden is 133,000 hours at a cost of $6,650,000. If
10,000 post-moratorium requests are made, the estimated annual burden
is 183,000 hours at a cost of $9,150,000.
Comment: In the collection of information requirements section of
this proposed rule, CMS used 2009 statistics for estimating the number
of individuals that will need to undergo fingerprinting. A commenter
recommended that CMS update these estimates using 2010 data.
Response: We believe it is more appropriate to use the most recent
full year's data.
Comment: A commenter contended that CMS's estimate that it will
take 2 hours to obtain a set of fingerprints using the FD-258 standard
fingerprint card seems low. The commenter recommended that CMS provide
the analysis used, including literature review, to estimate the time it
will take to obtain a set of fingerprints using the FD-258 fingerprint
card. The commenter also asked that CMS explain whether there are any
alternatives to the FD-258 standard fingerprint card and, if there are,
the costs associated with these alternatives.
Response: We believe that the 2 hour figure, which was based on our
analysis of a number of materials, is accurate. Since the FD-258 is the
standard fingerprint card, we focused primarily on the use of this
format in the proposed rule. However, as explained in the preamble to
this final rule with comment period, electronic fingerprints will be an
alternative--and one that we will encourage--to the FD-258.

C. ICRs Regarding Medicaid Fingerprinting Requirement (Sec. 455.434)

Section 455.434 states that when a State Medicaid agency determines
that a provider is ``high'' risk, the State Medicaid agency will
require that provider to submit fingerprints. We anticipate that States
will be collecting fingerprints on a significantly smaller number of
providers. However, as with our estimates of the potential burden for
the Medicare requirements, we preferred to overestimate the potential
burden rather than underestimate it. Therefore, we anticipate that
States may require an additional 26,000 individuals to submit
fingerprints prior to enrolling in a State's Medicaid program or CHIP.
The total estimated annual burden associated with this requirement for
Medicaid and CHIP is 52,000 hours (26,000 respondents x 1 response per
respondent x 2 hours per response) at a cost of $2.6 million (52,000
hours x $50 per hour).

D. ICRs Regarding Suspension of Payments in Cases of Fraud or Willful
Misrepresentation (Sec. 455.23)

As stated in Sec. 455.23(a), a State Medicaid agency must suspend
all Medicaid payments to a provider when there is pending an
investigation of a credible allegation of fraud under the Medicaid
program against an individual or entity unless it has good cause to not
suspend payments or to suspend payment only in part. The State Medicaid
agency may suspend payments without first notifying the provider of its
intention to suspend such payments. A provider may request, and must be
granted, administrative review where State law so requires.
The burden associated with this requirement is the time and effort
necessary for a provider to request administrative review where State
law so requires. While this requirement is subject to the PRA, we
believe the associated burden is exempt in accordance with 5 CFR
1320.4.

E. ICRs Regarding Collection of SSNs and DOBs for Medicaid and CHIP
Providers (Sec. 455.104)

As stated in Sec. 455.104(b)(1), the State Medicaid agency must
require that all persons with an ownership or control interest in a
provider submit their SSN and DOB. The burden associated with the
Medicaid requirements in Sec. 455.104(b)(1) is the time and effort
necessary for a provider to report the SSN and DOB for all persons with
an ownership or control interest in a provider.
Although our data on Medicaid provider enrollment at the national
level

[[Page 5951]]

is very limited, we do collect annual data on State Medicaid program
integrity activities. This annual data collection, known as the State
Program Integrity Assessment (SPIA) program, approved under OCN 0938-
1033, consists of self-reported data by States regarding a variety of
program integrity related activities. The information is self-reported
and has not been independently verified by CMS, and it undoubtedly
represents some unknown degree of duplication among providers across
States. Consequently, the estimated number of Medicaid providers
nationally is likely overstated.
According to SPIA data for FFYs 2007 and 2008, there has been an
average of 1,855,070 existing Medicaid providers nationally over the 2
year period of FFY 2007 and FFY 2008. We estimate that one-fifth or
371,014 (1,855,070 x 20 percent) of existing Medicaid providers would
be required to re-enroll each year. Additionally, we estimate that
there will be 56,250 newly enrolling Medicaid providers each year, for
a total of 427,264 Medicaid providers that will be subject to the SSN
and DOB reporting requirements each year. We further estimate that it
will take each provider an average of 2 minutes to report the SSN and
DOB for all persons with an ownership or control interest. Thus, the
estimated annual burden associated with this requirement for Medicaid
providers is 14,242 hours (427,264 x (2 minutes, divided by 60 minutes
per hour)) at a cost of $712,100 (14,242 hours x $50 per hour).

F. ICRs Regarding Site Visits for Medicaid-Only or CHIP-Only Providers
(Sec. 455.450)

As stated in Sec. 455.450(b), a State Medicaid agency must conduct
on-site visits for providers it determines to be ``moderate'' or
``high'' categorical risk. We anticipate that Medicare contractors will
perform the screening activities for the overwhelming majority of
providers that are dually enrolled in both Medicare and Medicaid and
thus, we estimate that State Medicaid agencies will conduct
approximately 5,000 site visits for Medicaid-only providers nationally
per year. We further estimate that it will take one individual 8 hours
to perform each on-site visit (including travel time). Thus, the total
estimated annual burden associated with this requirement for Medicaid
is 40,000 hours (5,000 site visits x 8 hours) at a cost of $2,000,000
(40,000 hours x $50 per hour).

G. ICRs Regarding the Rescreening of Medicaid Providers Every 5 Years
(Sec. 455.414)

As stated in Sec. 455.414, a State Medicaid agency must screen all
providers at least every 5 years. This requirement is consistent with
the Medicare requirement that providers, suppliers, and eligible
professionals must re-enroll at least every 5 years (more often for
certain types of suppliers). The burden associated with this
requirement would be the time and effort necessary for Medicaid-only
providers to re-enroll in Medicaid, and the time and effort necessary
for a State to conduct the provider screening,
Although our data on Medicaid provider enrollment at the national
level is very limited, we do collect annual data on State Medicaid
program integrity activities. As previously explained, this annual data
collection, known as the State Program Integrity Assessment (SPIA)
program, consists of self-reported data by States regarding a variety
of program integrity related activities. The information is self-
reported and has not been independently verified by CMS, and it
undoubtedly represents some unknown degree of duplication among
providers across States. Consequently, the estimated number of Medicaid
providers nationally is likely overstated.
According to SPIA data for FFYs 2007 and 2008, there has been an
average of 1,855,070 existing Medicaid providers nationally over the 2
year period of FFY 2007 and FFY 2008. We estimate that one fifth, or
371,014 (1,855,070 x 20 percent), of existing Medicaid providers would
be required to re-enroll each year. Although provider enrollment
requirements vary by State, we further estimate that it will take each
provider an average of 2 hours to complete the Medicaid re-enrollment
requirements. Thus, the estimated annual burden associated with this
requirement for Medicaid providers is 742,028 hours (371,014 responses
x 2 hours per response) at a cost of $37,101,400 (742,028 hours x $50
per hour).
In addition, we estimate that 80 percent of Medicaid providers also
participate in Medicare, and thus would have provider screening
activities performed by the Medicare contractors. Thus, we estimate
that States would be required to conduct provider screening activities
for 74,203 (371,014 x 20 percent) re-enrolling Medicaid-only providers
each year. We further estimate that it will take States, on average, 4
hours to perform the required provider screening activities--noting
that currently enrolled providers would generally be categorized as
lower risk than newly-enrolling providers. The estimated burden
associated with this requirement for State Medicaid agencies is 296,812
hours (74,203 responses x 4 hours per response) at a cost of
$14,840,600 (296,812 hours x $50 per hour). We believe that the burden
on States will be in large part offset by the application fees
collected and by the Federal share for the amounts not covered by the
application fee.
The total estimate annual burden associated with the Medicaid
prescreening requirement is 1,038,840 hours at a cost of $51,942,000
($37,101,400 + $14,840,600).

Table 10--Estimated Annual Reporting/Recordkeeping Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Hourly Total
OMB Burden per Total labor cost labor cost Total
Regulation section(s) Control Respondents Responses response annual of of capital/ Total cost
No. (hours) burden reporting reporting maintenance ($)
(hours) ($) ($) costs ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec. 424.514(e)**...................... 0938-0685; 12,000 12,000 1 12,000 50 600,000 0 600,000
0938-1057
Sec. 424.518(c)(2)(b) and (d).......... 0938-New 35,000 35,000 2 70,000 50 3,500,000 0 3,500,000
Sec. 424.518(c)(3)(iv) and (d)......... 0938-New 10,500 10,500 2 21,000 50 1,050,000 0 1,050,000
Sec. 455.434........................... 0938-New 26,000 26,000 2 52,000 50 2,600,000 0 2,600,000
Sec. 455.104........................... 0938-New 427,264 427,264 .033 14,242 50 712,100 0 712,100
Sec. 455.450........................... 0938-New 5000 5000 8 40,000 50 2,000,000 0 2,000,000
Sec. 455.414 (Providers)............... 0938-New 371,014 371,014 2 742,028 50 37,101,400 0 37,101,400
Sec. 455.414 (State Medicaid Agencies). 0938-New 74,203 74,203 4 296,812 50 14,840,600 ........... 14,840,600
--------------------------------------------------------------------------------------------------------------

[[Page 5952]]

Total................................ .......... 960,981 960,981 ........... 1,248,082 .......... .......... ........... 62,404,100
--------------------------------------------------------------------------------------------------------------------------------------------------------
** Denotes that we will be submitting revisions of the currently approved information collection requests for OMB review and approval.

Comment: A commenter requested clarification on whether the dollar
figure of $62 million in Table 6 of the proposed rule (entitled
``Estimated Annual Reporting/Recordkeeping Burden'') is the cost shared
by the Federal Medicare programs as well as all of the State Medicaid
agencies collectively.
Response: It includes Medicare costs, and those of the State
Medicaid agencies.

IV. Response to Comments

Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
by the date and time specified in the ``DATES'' section of this
preamble, and, when we proceed with a subsequent document, we will
respond to the comments in the preamble to that document.

V. Regulatory Impact Analysis

A. Statement of Need

This final rule with comment period is needed to implement the
following provisions of the ACA: (1) Section 6401(a) and section
6401(b) of the ACA added section 1866(j)(2) to the Act and requires the
establishment of screening procedures for providers and suppliers in
the Medicare, Medicaid and CHIP programs; (2) section 6401(a) of the
ACA added section 1866(j)(2)(C) to the Act and requires the
establishment of application fees for institutional providers and
suppliers; (3) section 6401(a) of the ACA added a new section
1866(j)(7) to the act establishing the use of temporary moratoria
regarding the enrollment of providers and suppliers in Medicare, and
section 6401(b)(1) of the ACA added a new section 1902(kk)(4) of the
Act for a parallel requirement in the Medicaid and CHIP programs; (4)
section 6501 of the ACA added section 1902(a)(39) to the Act
establishing guidance for States regarding the termination of providers
from Medicaid and CHIP if terminated by Medicare or another Medicaid
State plan or CHIP; and permitting guidance regarding the termination
of providers and suppliers from Medicare if terminated by a Medicaid
State agency; and (5) Section 6402(h) of the ACA added 1862(o) to the
Act establishing the requirements for the suspension of payments
pending credible allegations of fraud in the Medicare and Medicaid
programs. As previously explained, we believe these provisions are
necessary to assist us in preventing fraud, waste and abuse in the
Medicare, Medicaid and CHIP programs.

B. Overall Impact

We have examined the impact of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 1993), the
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354),
section 1102(b) of the Social Security Act, section 202 of the Unfunded
Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on
Federalism (August 4, 1999), and the Congressional Review Act (U.S.C.
804(s)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts; and equity). A regulatory impact
analysis (RIA) must be prepared for rules with economically significant
effects ($100 million or more in any 1 year). This final rule with
comment period does reach the economic threshold and thus is considered
an economically significant rule.
The RFA requires agencies to analyze options for regulatory relief
for small businesses. Under the RFA, we must either prepare an Initial
Regulatory Flexibility Analysis or certify that the final rule with
comment period will not have a significant impact on a substantial
number of small entities. For purposes of the RFA, small entities
include small businesses, nonprofit organizations, and government
agencies. Most hospitals and most other providers and suppliers are
small entities, either by nonprofit status or by having revenues of
less than $7.0 to $34.5 million (depending on provider type) in any one
year. Individuals and States are not included in the definition of a
small entity. We do not believe that our application fees will have a
significant impact on any small entities. Likewise, we do not believe
that other screening provisions, such as the provision of fingerprints
or accommodating unannounced visits, will have a significant impact on
any small entities. We believe this final rule with comment period
could have significant impact on a relatively small proportion of small
businesses in terms of restrictions on federal health monies paid to
small businesses participating in the Medicare or Medicaid programs or
CHIP. Clearly, imposition of an enrollment moratorium would have an
impact on a small business that is attempting to do business with any
of the Federal health programs. Similarly, suspension of payments to
any small entity could create a significant impact on that entity.
However, we have no basis for estimating how many entities might be
affected by these provisions. Finally, we believe that this final rule
with comment period will reduce fraud and abuse among potential
providers.
We believe there will be a significant impact on their ability to
defraud the taxpayer in several ways. First, closer screening of
certain high-risk providers and suppliers will better enable CMS to
detect those individuals and entities that pose a risk to the Medicare
program. We expect that the prevention of unqualified providers and
suppliers from enrolling in Medicare will protect the Medicare Trust
Fund and save the taxpayers millions of dollars. Second, the temporary
moratoria provisions will enable CMS to restrict the entry of certain
providers and suppliers into Medicare in order to prevent or combat
fraud, waste, and abuse, thus, again, saving millions of Federal
dollars. While we cannot quantify with exactitude the amount of money
that the Medicare program will save as a result of these measures, we
do believe that the figure will exceed the costs outlined in this RIA.
We solicited comment on the overall proposed screening processes of the
proposed rule, including how the risk of fraud is determined, the
administrative

[[Page 5953]]

interventions proposed to address the risk, and the criteria for
exceptions to the enrollment application fee and any temporary
enrollment moratoria. We requested that small businesses comment on
these provisions and offer suggestions about how to mitigate what they
might see as adverse administrative or financial impacts. This RIA,
taken together with the remainder of the preamble, constitutes an
Initial Regulatory Flexibility Analysis under the RFA.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 604 of the RFA. For
purposes of section 1102(b) of the Act, we define a small rural
hospital as a hospital that is located outside of a Metropolitan
Statistical Area and has fewer than 100 beds. We did not prepare an
analysis for section 1102(b) of the Act because we have determined that
this final rule with comment period will not have a significant impact
on the operations of a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule that may result in expenditure in any 1 year by State,
local, or tribal governments, in the aggregate, or by the private
sector, of $135 million. This rule does mandate expenditures by State
and local governments, in order to enforce the Medicaid-related
provisions, but we believe that those expenditures will be relatively
minor. The mandated costs on providers--primarily for application
fees--may approach or exceed the threshold for the private sector.
Accordingly, this RIA constitutes the required assessment of costs and
benefits under UMRA.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications. Since this final rule with comment period would not
impose any substantial direct requirement costs on State or local
governments, preempt State law, or otherwise have Federalism
implication, the requirements of E.O. 13132 are not applicable.
We received several comments on the RIA. They are as follows:
Comment: A commenter noted that, under the proposed rule, Medicare
contractors will not begin processing an enrollment application until
the application fee is received and credited to the United States
Treasury. The commenter recommended that CMS estimate the increase in
enrollment application processing times due to the fee requirement and
the impact this additional time will have on private sector.
Response: It is not possible to qualify the additional time, if
any, that this requirement would have on processing times. Moreover, we
do not believe that a minor delay in processing would result in any
quantifiable and definable monetary cost to a particular provider.
Comment: Several commenters contended that CMS did not comply with
section 6(a)(3)(C)(i) of Executive Order 12866. Specifically, CMS: (1)
Did not include an assessment or quantification of benefits associated
from this regulatory action; (2) the underlying analysis of the costs
and benefits of potentially effective and reasonably feasible
alternatives to the planned regulation; (3) explain why the planned
regulatory action is preferable to the identified potential
alternatives; (4) include any feasible alternatives to the planned
screening process; (5) include alternatives to the payment suspension
portions; (6) include the cost impact on health care providers due to
increased processing times; (7) solicit comments on or consider the
costs or benefits of reasonably feasible alternatives, such as
assessing the application fee by NPI or TIN or assessing the risk based
on as past experience with the Medicare program or other health plans;
or (8) consider the Medicare error rate in determining the category of
risk. The commenter stated that CMS should therefore not finalize the
provisions of this proposed rule until a new proposed rule is
published.
Response: The proposed rule and the final rule with comment period
both contain a Regulatory Impact Analysis as required by Executive
Order 12866. As explained in section IV.E. and throughout this final
rule with comment period, we believe that this regulation will have a
significant benefit by reducing the ability of potential providers to
defraud taxpayers. The proposed rule solicited comments on the proposed
screening categories, on the use of fingerprinting and other
alternatives to identity verification, on the kind of documentation
that must be submitted to assert a hardship exception to the
application fee, an alternative definition of the term ``resolution of
an investigation,'' on criteria that would justify the reclassification
of a provider from one risk category to another, on the applicability
of geography in the determination of a risk category, and on additional
triggers that would move a provider into a different risk category.
We did not believe the use of NPIs or TINs in the assessment of the
application fee was appropriate because the requirement to submit an
enrollment application is separate from the requirement to have an NPI
or a TIN. We believe that basing the fee on the submission of an
application is most consistent with the statute. With respect to the
Medicare error rate, an erroneously paid claim does not necessarily
mean that the claim was fraudulently submitted. For this reason, we
believe it would be improper to use it in our placement of providers
into risk categories when there were other factors--including
comprehensive studies of fraudulent behavior, such as OIG and GAO
reports--that were more conclusive. We have solicited comments on
proposals and potential alternatives, and have considered such comments
in the development of this final rule with comment period.
Comment: A commenter stated that the proposed rule contained a
number of internal inconsistencies between the preamble and regulation
impact statement, such as: (1) use of 2.34 percent as the CPI in
preamble and 3.0 percent as the CPI in the regulation impact section;
(2) the lack of an ``Alternatives Considered'' section in the
regulation impact section, and (3) a failure to account for the cost or
impact of the additional off-cycle revalidations in the regulation
impact section. The commenter recommended that CMS publish a new
proposed rule.
Response: The use of 2.34 percent in the preamble was simply for
illustrative purposes. Having said that we have revised the 3 percent
figure to more accurately reflect actual and projected CPI-U statistics
we have received. Specifically, the rates we used for 2011, 2012, 2013,
2014 and 2015 are, respectively, 1.0 percent, 2.0 percent, 2.0 percent,
2.0 percent and 2.0 percent. The figure for 2011 is based on data
obtained from the Bureau of Labor Statistics, while the data for years
2012 through 2015 represent the estimated CPI-U figures offered in the
Budget of the U.S. Government, Fiscal Year 2011. The CPI-U figures
reflect the percentage change in the consumer price index for all urban
consumers (all items; United States city average), for the 12-month
period ending with June of the previous year. Moreover, we have added
an ``Alternative Considered'' section to the RIA.
As stated previously, we solicited comments on multiple issues in
the

[[Page 5954]]

proposed rule. Additionally, we are implementing provisions of the ACA
that had already outlined certain requirements for the regulations. The
ACA, for example, required that we determine the level of screening to
be conducted with respect to the category of provider or supplier, to
require an application fee of $500 adjusted after 2010 for the consumer
price index, and to suspend payments pending an investigation of
credible allegations of fraud.
The RIA took into account the cost of revalidations beginning on
March 25, 2011, prior to the date at which CMS could begin off-cycle
validations under Sec. 424.515(e), but the same date at which the new
screening requirements will go into effect. Any provider validated
after March 25, 2011 but before March 23, 2012 will not be subject to
off-cycle revalidation and any provider that is revalidated will begin
a new cycle of revalidation requirements. Therefore, any off-cycle
revalidations that occur after March 23, 2012 will restart the
revalidation cycle, and only DMEPOS suppliers who are on 3 year
validations will be revalidated, in cycle, prior to the end of CY 2015.
We believe the RIA is valid.
Comment: A commenter noted that, under the proposed rule, Medicare
contractors will not begin processing an enrollment application until
the application fee is received and credited to the United States
Treasury. The commenter recommended that CMS estimate the increase in
enrollment application processing times due to the fee requirement and
the impact this additional time will have on private sector.
Response: It is not possible to qualify the additional time, if
any, that this requirement would have on processing times. Moreover, we
do not believe that a minor delay in processing would result in any
quantifiable and definable monetary cost to a particular provider.
Comment: One commenter stated that the preamble of this proposed
regulation uses 2.34 percent as the Consumer Price Index (CPI) for the
application fee, while the regulatory impact section uses 3 percent as
the CPI for the application fee. The commenter recommended that CMS:
(1) Use the official percentage by the Bureau of Labor Statistics in
calculating the change in application fee year by year, (2) explain if
a negative CPI will result in a decrease in the application fee, and
(3) use the actual CPI for 2010 in developing the final rule with
comment period and establishing the application fee that must be paid
by providers and suppliers in 2011.
Response: We agree and, as previously explained, have incorporated
more accurate CPI-U rates into this final rule with comment period. A
negative CPI would result in a fee decrease; however, the RIA projects
a continued increase in the CPI.
Comment: A commenter noted that CMS states in the RIA that 400,000
providers and suppliers would need to revalidate their enrollment over
a 5 year period. However, CMS excluded groups and clinics from the
impact of the application fee. The commenter did not believe there are
400,000 providers and suppliers to revalidate, since a large number of
providers and suppliers are designated as medical groups/clinics. The
commenter recommended that CMS furnish a breakdown of the providers and
suppliers that would be required to revalidate their enrollment in
Medicare and adjust, if necessary, the amount collected via the
application fee. The commenter also suggested that CMS provide the
number of providers and suppliers by year that were subject to
revalidation since 2006.
Response: We do not believe that a specific breakdown by provider
type and year is necessary, and maintain our view that approximately
400,000 providers and suppliers will revalidate their enrollment over a
5 year period--even accounting for medical groups/clinics. This figure,
admittedly, may be a little high, but we would prefer to overestimate
the potential burden than underestimate it.
In light of these comments, we have revised our calculations based
on new and more accurate CPI-U rates and have added an ``Alternative
Considered'' section.

C. Anticipated Effects

1. Medicare
a. Enhanced Screening Procedures--Medicare
Based on statistics obtained from PECOS and our Medicare
contractors, there are approximately 400,000 providers and suppliers
currently enrolled in the Medicare program. (This does not include
eligible professionals.) This figure includes ambulance service
suppliers; ambulatory surgical centers; community mental health
centers; comprehensive outpatient rehabilitation facilities; suppliers
of DMEPOS; end-stage renal disease facilities; federally qualified
health centers; histocompatibility laboratories; home health agencies;
hospices; hospitals, including physician-owned specialty hospitals;
critical access hospitals; independent clinical laboratories;
independent diagnostic testing facilities; Indian health service
facilities; mammography centers; mass immunizers (roster billers);
medical groups/clinics, including single and multi-specialty clinics;
organ procurement organizations; outpatient physical therapy/
occupational therapy/speech pathology services; portable x-ray
suppliers; skilled nursing facilities; radiation therapy centers;
religious non-medical health care institutions; and rural health
clinics. We note the following in section III. of this final rule with
comment period:
Based on 2009 experience we estimated that there will be
7,000 DMEPOS suppliers and HHAs that will submit an application to
become a new Medicare enrolled provider in 2011. We would require
approximately 35,000 individuals (7,000 providers/suppliers x 5
individuals per applicant) to undergo fingerprinting to participate in
the Medicare program as an owner of an HHA or supplier of DMEPOS. We
have found that the cost of having a set (two prints) of fingerprints
done through law enforcement is approximately $50.00 per individual.
(This includes the time spent in obtaining the fingerprints.) The cost
of this fingerprinting requirement would therefore be $1.75 million per
year (35,000 individuals x $50).
We estimated that 10,000 individuals (2,000 providers or
suppliers x 5 individuals per applicant) would undergo fingerprinting
following the lifting of a moratorium on a particular provider or
supplier type, at a cost of $500,000 per year (10,000 x $50). Should
requests be made of 5,000 providers or suppliers, the annual figure
would be $1,250,000 (5,000 x 5 individuals per applicant x $50). Should
requests be made of 10,000 providers or suppliers, the annual figure
would be $2.5 million (10,000 x 5 x $50).
We estimate that 500 physicians would undergo
fingerprinting per year, at a cost of $25,000.
This results in a total cost of the fingerprinting requirement of
$2,275,000 per year ($1,750,000 + $500,000 + $25,000), or $11,375,000
over 5 years. If 5,000 post-moratorium requests are made, the annual
cost is $3,025,000, with a 5 year cost of $15,125,000. Should 10,000
post-moratorium requests be made, the annual cost is $4,275,000, with a
5 year cost of $21,375,000.
As we believe that 2,000 post-moratorium requests is the most
likely scenario, we will hereafter use the $2,275,000 amount as the
annual cost of this requirement. This results in an estimated 5 year
cost of $11,375,000.

[[Page 5955]]

b. Application Fee--Medicare
The Secretary shall impose an application fee on each institutional
provider. The amount of the fee is $500 per provider or supplier for
2010. For 2011 and each subsequent year, the fee amount will be
determined by the statutorily required formula using the consumer price
index for all urban consumers (CPI-U). The enrollment application fee
does not apply to individual eligible professionals (for example,
physicians). The fee is to be paid by institutional providers only. The
new screening provisions are applicable to new and revalidating
providers and suppliers effective March 25, 2011, and to currently
enrolled providers and suppliers as of March 23, 2012. We will to begin
collecting the enrollment application fee for new providers and
suppliers and for currently enrolled providers revalidating enrollment
effective March 25, 2011.
c. General Enrollment Framework
(1) New Enrollment
Medicare contractors report that over the last several years,
approximately 32,000 is the annual number of newly enrolling providers
and suppliers that would--without accounting for the possible granting
of waivers--be subject to the enrollment application fee--
(approximately 20,000 for Medicare Part B, approximately 7,000 DMEPOS
suppliers and HHAs (as explained in the Collection of Information
section), and approximately 5,000 non-HHA Medicare Part A
providers).\7\
---------------------------------------------------------------------------

\7\ For purposes of the calculations in this RIA, newly-
enrolling Medicare providers and suppliers include those that were
once enrolled, departed, and are now seeking to enroll again.
---------------------------------------------------------------------------

We assumed that no more than 2.5 percent of these 32,000 providers
and suppliers--or 800--will receive a hardship exception; as indicated
earlier, exceptions will only be approved infrequently.
In CY 2011, we reduced the estimate number of institutional
providers subject to the application fee by 25 percent because the
application fee will not begin until March 25, 2011. Accordingly, the
number of institutional providers that we anticipate paying the
application fee will be 23,400 (or 31,200 x .75) in CY 2011. Therefore,
the impacts of the enrollment application fee are as follows. If we use
23,400 as the number of newly enrolling providers and suppliers in 2011
and multiply this number by an application fee of $505 (or $500 x 1.0
percent), we get $ 11,817,000 collected for the first year (that is, CY
2011). If we assume that the number of newly enrolling providers and
suppliers will remain constant at 31,200 for years 2012 through 2015,
the cost to the number of newly enrolling providers and suppliers would
be $78,054,600. Although we have no way to predict that the number of
new enrollments will change in future years, it is possible that the
number of enrolling providers and suppliers vary from what has been the
norm. If our estimate of the number of newly enrolling providers is
inaccurate and we enroll a different number of providers and suppliers
after the effective date of the new screening and other provisions
contained in the ACA, we estimate based on the $500 enrollment
application fee--a rough difference of $1 million for each increment of
2,000 new enrollments, whether fewer or greater.

Table 11--Cumulative Application Fees for Newly Enrolling Medicare Providers and Suppliers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
Newly enrolling
institutional
Newly enrolling providers and
institutional suppliers paying CPI-U increase Consumer price Total fees for Cumulative fees
Calendar year providers and the application (%) index adjusted each year in in dollars
suppliers fee (based on a fee in dollars * dollars
2.5% hardship
exception rate)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011....................................... 24,000 23,400 1.0 505 11,817,000 11,817,000
2012....................................... 32,000 31,200 2.0 515 16,068,000 27,885,000
2013....................................... 32,000 31,200 2.0 525 16,380,000 44,265,000
2014....................................... 32,000 31,200 2.0 536 16,723,200 60,988,200
2015....................................... 32,000 31,200 2.0 547 17,066,400 78,054,600
------------------------------------------------------------------------------------------------------------
Total.................................. ................ ................. ................ ................ 78,054,600 78,054,600
--------------------------------------------------------------------------------------------------------------------------------------------------------
* As already mentioned, section 6401(a)(3) of the ACA called for a $500 application fee for institutional providers in 2010. Since the effective date of
this final rule with comment period is March 25, 2011, we have added a 1.0 percent increase to the $500 fee for 2011. Moreover, each fee amount in
this category was rounded up to the nearest dollar.

(2) Revalidation
There are approximately 100,000 currently enrolled suppliers of
DMEPOS who are required to revalidate their enrollment every 3 years
and 300,000 additional providers and suppliers that do not provide
DMEPOS that are required to revalidate their enrollment every 5 years.
On a yearly basis, we estimate that approximately 33,000 DMEPOS
suppliers (one-third of the total) and 60,000 other, non-DMEPOS
providers/suppliers (one-fifth of the total) would revalidate their
enrollment in Medicare, for an annual total of 93,000. Since, as
explained earlier, we estimate that no more than 2.5 percent of these
providers and suppliers will receive a waiver from the application fee,
we project that 90,675 such providers and suppliers will be subject to
the fee.
This final rule with comment period contemplates collecting the
application fee for currently enrolled providers that revalidate their
enrollment on or after March 25, 2011--almost 3 months into CY 2011.
Therefore, we have adjusted the number of existing Medicare
institutional providers subject to an application fee by 25 percent,
from 90,675 to 68,006 (or 90,675 x .75) in CY 2011. With respect to the
period between CY 2012 and 2015, it is possible that, as previously
alluded to in the preamble, we may perform an elevated number of
revalidations early in this 4-year timeframe--specifically, in CY 2012.
This would be done

[[Page 5956]]

pursuant to our authority under Sec. 424.515(e) to require off-cycle
revalidations. We cannot say for certain how many will be performed in
CY 2012. For purposes of this RIA only, however, we will estimate that
111,000 will be conducted in CY 2012, with 87,000 performed in each of
the remaining 3 years. Further accounting for projected annual CPI-U
rate increases, we estimate that the cost associated with these fees
for revalidating providers and suppliers would be approximately
$226,477,505 over the first 5 years that the ACA provisions are in
effect, as shown in Table 12.

Table 12--Cumulative Application Fees for Revalidating Medicare Providers and Suppliers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
Revalidating
institutional
Revalidating providers &
institutional suppliers paying Consumer price Total fees for Cumulative fees
Calendar year providers and application fee CPI-U increase index adjusted each year (in (in dollars)
suppliers (based on 2.5% fee in dollars dollars)
hardship
exception rate)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011........................................ 69,750 68,006 1.0% 505 34,343,030 34,343,030
2012........................................ 111,000 108,225 2.0% 515 55,735,875 90,078,905
2013........................................ 87,000 84,825 2.0% 525 44,533,125 134,612,030
2014........................................ 87,000 84,825 2.0% 536 45,466,200 180,078,230
2015........................................ 87,000 84,825 2.0% 547 46,399,275 226,477,505
-----------------------------------------------------------------------------------------------------------
Total................................... ................ ................ ................ ................ 226,477,505 226,477,505
--------------------------------------------------------------------------------------------------------------------------------------------------------

Therefore, we estimate that the total impact of the provisions for
the application fee to be approximately $304,532,105 over the next 5
years. This number was approximated by adding the cumulative
application fees for newly enrolling providers and suppliers
($78,054,600 as shown in Table 11) to the cumulative application fees
for revalidating providers and suppliers ($226,477,505).
2. Medicaid
a. Enhanced Screening Procedures
Although our data on Medicaid provider enrollment at the national
level is very limited, we do collect annual data on State Medicaid
program integrity activities. This annual data collection, known as the
State Program Integrity Assessment (SPIA) program, consists of self-
reported data by States regarding a variety of program integrity
related activities. The information is self-reported and has not been
independently verified by CMS, and it undoubtedly represents some
unknown degree of duplication among providers across States.
Consequently, the estimated number of Medicaid providers nationally is
likely overstated. According to SPIA data for FFYs 2007 and 2008, there
has been an average of 1,855,070 existing Medicaid providers nationally
over the 2-year period of FFY 2007 and FFY 2008. This universe of
Medicaid providers includes all provider types, both institutional
providers and individual practitioners. In the Medicare program,
eligible practitioners make up approximately 70 percent of the total
universe of providers, suppliers, and eligible practitioners. Because
we do not have detailed information regarding the breakdown of Medicaid
providers by type nationally, we will apply the same ratio to determine
the percentage of institutional Medicaid providers. Therefore, we
estimate that there are approximately 556,521 Medicaid-only providers
nationally that are not individual practitioners.
We also estimate almost all CHIP providers are also Medicaid
providers. So, for purposes of this section, we are considering CHIP
providers to also be Medicaid providers and will subsequently refer to
them only as Medicaid providers.
As previously stated in the Medicare section of the analysis, we
estimated that we would require the following:
Approximately 35,000 individuals will undergo
fingerprinting to enroll in the Medicare program as owners, of a home
health agency or supplier of DMEPOS. Based on data collected as part of
the State survey and certification activities for home health agencies,
less than 1 percent of home health agencies are Medicaid-only. And,
although there is no data available on the number of Medicaid-only
suppliers of DMEPOS, we estimated that the number is minimal as well,
as a number of States require suppliers of DMEPOS to be enrolled in
Medicare prior to enrolling in Medicaid. Therefore, we estimated that
States may require approximately 1,000 additional individuals with
ownership interests in suppliers of DMEPOS or home health agencies, to
undergo fingerprinting for enrollment in the Medicaid program. The cost
of this fingerprinting requirement would be approximately $50,000
(1,000 x $50 = $50,000), though we solicited comments on the accuracy
of this figure.
We anticipated that Medicare contractors will perform the
screening activities for the overwhelming majority of providers
following the lifting of a Secretary-imposed temporary moratorium and
for the limited circumstances in which physicians may be fingerprinted.
However, given that States may also classify certain Medicaid-only
providers as ``high'' categorical risks, we are estimating that States
may require approximately 25,000 additional individuals to undergo
fingerprinting prior to enrolling in a State's Medicaid program, at a
cost of $1,250,000 (25,000 x $50 = $1,250,000).
Consequently, we estimated that fingerprinting individuals for
purposes of Medicaid enrollment will cost $1,300,000. When averaged
across 50 States, the District of Columbia and Puerto Rico, the annual
cost of fingerprinting per State will be $26,000.
b. Application Fee--Medicaid
For those providers not screened by Medicare, the State may impose
a fee on each institutional provider being screened. The amount of the
fee is $500 per provider for 2010. For 2011 and each subsequent year,
the amount will be determined by the statutorily-required formula using
the consumer price index for all urban consumers (CPI-U).

[[Page 5957]]

c. General Enrollment Framework
For purposes of this section, we assume that 80 percent of
institutional Medicaid providers will be dually participating in both
Medicare and Medicaid, and thus will be subject to the application fee
as part of the Medicare screening and enrollment. Therefore we
estimated that 20 percent, or 111,304 (556,521 x 20 percent), of the
institutional Medicaid-only providers will not be screened by Medicare
and thus will be subject to the application fee under Medicaid. We
project that a significant number of existing and future Medicaid
providers will request a hardship exception, or that a State will
request a waiver of the application fee for certain Medicaid provider
types of the application fee on the basis of ensuring access to care.
For purposes of this section, although we have no way to estimate the
exact number of providers that will ultimately request and be approved
for a hardship exception, or the number of States that will request a
waiver of the fee for certain Medicaid provider types, we predict that
25 percent of all Medicaid providers subject to the fee will receive
the hardship exception or be granted a waiver of the fee on the basis
of ensuring beneficiary access to care. We recognize that this 25
percent figure is significantly higher than the 2.5 percent waiver rate
we are using for Medicare application fees. Yet we believe the
difference is justified because of the greater access to care issues
that may arise in Medicaid. Consequently, we estimated that 83,478
existing Medicaid providers will be required to pay the application fee
(111,304 existing Medicaid providers that are not dually enrolled less
25 percent or 27,826 existing providers).
(1) New Enrollments
We apply the 80 percent rate for newly-enrolling Medicaid
institutional providers that will be dually participating in both
Medicare and Medicaid and thus not subject to the fee under Medicaid,
and 25 percent hardship exception rate to the annual number of newly-
enrolling Medicaid institutional providers not dually enrolled. The
45,000 newly-enrolling Medicare institutional providers annually
represent 80 percent of the total newly-enrolling Medicaid
institutional providers annually. Therefore, we estimate that there
will be 11,250 newly-enrolling Medicaid institutional providers
annually that are subject to the application fee under Medicaid (45,000
providers divided by 80 percent, - 45,000 = 11,250). We project another
25 percent will be exempted for hardship or be granted a waiver of the
fee on the basis of ensuring beneficiary access to care, resulting in
8,438 newly-enrolling Medicaid institutional providers being subject to
the application fee each year nationally.
Consistent with the Medicare analysis, in CY 2011, we reduced the
estimated number of institutional providers subject to the application
fee by 25 percent because the application fee will not begin until
March 25, 2011. Accordingly, the number of institutional providers that
we anticipate paying the application fee will be 6,329 in CY 2011.
Consequently, we projected the dollars due from application fees for
newly-enrolling Medicaid institutional providers who are not dually
enrolled to be $21,110,019 for the first 5 years in total. When
averaged across 50 States, the District of Columbia and Puerto Rico,
the total application fees for the 5 years in total per State will be
approximately $405,962.

Table 13--Cumulative Application Fees for Newly Enrolled Medicaid Providers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
New Medicaid
providers not Consumer price Total fees for
Calendar year exempted from CPI-U increase index adjusted each year (in Cumulative fees
the application fee (in dollars) (in dollars)
fee dollars)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011.......................................................... 6,329 1.0% 505 3,196,145 3,196,145
2012.......................................................... 8,438 2.01.1% 515 4,345,570 7,541,715
2013.......................................................... 8,438 2.0% 525 4,429,950 11,971,665
2014.......................................................... 8,438 2.0% 536 4,522,768 16,494,433
2015.......................................................... 8,438 2.0% 547 4,615,586 21,110,019
-----------------------------------------------------------------------------------------
Total..................................................... ................ ................ ................ 21,110,019 21,110,019
--------------------------------------------------------------------------------------------------------------------------------------------------------

(2) Re-enrollment
This rule contemplates that States would require Medicaid providers
to re-enroll every 5 years. On a yearly basis, we estimate that
approximately 16,696 Medicaid institutional providers (one fifth of the
total) would re-enroll with the State Medicaid agency. We contemplate
collecting the application fee for currently enrolled providers
beginning on March 24, 2011. States would not collect an application
fee with any re-enrollments until that time--almost 3 months into CY
2011. Therefore, we have adjusted the number of existing Medicaid
institutional providers subject to an application fee by 25 percent,
from 16,696 to 12,522 in CY 2011. Consequently, we project the dollars
due from application fees for currently-enrolled Medicaid institutional
providers who are not dually enrolled is $41,769,218 for the first 5
years in total. When averaged across 50 States, the District of
Columbia and Puerto Rico, the total application fees for the 5 years in
total per State will be approximately $803,254.

Table 14--Cumulative Application Fees for Re-Enrolling Medicaid Providers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
Existing
Medicaid
providers not Consumer price Total fees for Cumulative fees
Calendar year exempted from CPI-U increase index adjusted each year in in dollars
the application fee in dollars dollars
fee
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011........................................................ 12,522 1.0% 505 6,323,610 6,323,610

[[Page 5958]]

2012........................................................ 16,696 2.0% 515 8,598,440 14,922,050
2013........................................................ 16,696 2.0% 525 8,765,400 23,687,450
2014........................................................ 16,696 2.0% 536 8,949,056 32,636,506
2015........................................................ 16,696 2.0% 547 9,132,712 41,769,218
-------------------------------------------------------------------------------------------
Total................................................... ................ ................ ................ 41,769,218 41,769,218
--------------------------------------------------------------------------------------------------------------------------------------------------------

3. Medicare and Medicaid
a. Moratoria on Enrollment of New Medicare Providers and Suppliers and
Medicaid Providers
Although we have no way of predicting the exact cost savings
associated with enrollment moratoria, we expect there will be program
savings achieved by implementation of this section. As stated
previously, these provisions will enable us to restrict the entry of
certain providers and suppliers into Medicare in order to prevent or
combat fraud, waste, and abuse. However, there are no cost burdens to
the public or to the provider community. Therefore, we have not
estimated the cost impacts of this provision.
b. Suspension of Payments in Medicare and Medicaid
As with payment moratoria, although we have no way of predicting
the exact cost savings to Medicare and Medicaid associated with
implementation of the provisions contained in this final rule with
comment period, we certainly expect that there will be program savings
that result from implementation of this provision. CMS and its law
enforcement partners already have a process for payment suspension when
possible fraud is involved. The changes finalized in this rule will
strengthen the existing process and its applicability to Medicaid, but
it will not create any different impact or burden on the provider
community in circumstances of payment suspension. There are no new cost
burdens to the public or the provider community associated with this
provision.

D. Accounting Statement and Table

As required by OMB Circular A-4 (available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/circulars/a004/a-4.pdf), we have prepared an accounting statement. This statement only
addresses: (1) The costs of the fingerprinting requirement, and (2) the
monetary transfer associated with the application fee. It does not
address the potential financial benefits of these two requirements from
the standpoint of their possible effectiveness in deterring certain
unscrupulous providers and suppliers from enrolling in or maintaining
their enrollment in Medicare and Medicaid. This is because it is
impossible for us to quantify these benefits in monetary terms.
Moreover, we cannot predict how many potentially fraudulent providers
and suppliers will be kept out of the Medicare and Medicaid programs
due to these requirements.
1. Medicare
As stated previously, we estimate a total cost of the
fingerprinting requirement of $2,275,000 per year ($1,750,000 +
$500,000 + $25,000), or $11,375,000 over 5 years, if 2,000 post-
moratorium requests are made. If 5,000 post-moratorium requests are
made, the annual cost is $3,025,000, with a 5 year cost of $15,125,000.
Should 10,000 post-moratorium requests be made, the annual cost is
$4,275,000, with a 5 year cost of $21,375,000. We also stated in the
RIA that the expected total application fees:
For newly enrolling providers and suppliers would be
$11,817,000 in 2011, $16,068,000 in 2012, $16,380,000 in 2013,
$16,723,200 in 2014, and $17,066,400 in 2015. This results in a 5 year
total of $78,054,600.
For revalidating providers and suppliers would be
$34,343,030 in 2011, $55,735,875 in 2012, $44,533,125 in 2013,
$45,466,200 in 2014, and $46,399,275 in 2015. This results in a 5-year
total of $226,477,505.
The accounting statement reflects the: (1) Annual cost of the
fingerprinting requirement, and (2) the application of the 3 percent
and 7 percent discount rate to the combined amounts of the application
fees for CY 2012--that is, $16,068,000 (newly enrolling) plus
$55,735,875 (revalidations), for a total of $71,803,875; this
constitutes a transfer of funds to the Federal government. We chose the
CY 2012 figures so as to reflect the maximum amount of transferred
funds in a given year during the initial 5-year period.
2. Medicaid
As stated in the RIA, we estimate that the annual cost of the
fingerprint requirement for Medicaid will be $1,300,000, or $6,500,000
over a 5 year period. We also stated in the RIA that the expected total
application fees:
For newly enrolling providers and suppliers would be
$3,196,145 in 2011, $4,345,570 in 2012, $4,429,950 in 2013, $4,522,768
in 2014, and $4,615,586 in 2015. This results in a 5-year total of
$21,110,019.
For revalidating providers and suppliers would be
$6,323,610 in 2011; $8,598,440 in 2012; $8,765,400 in 2013; $8,949,056
in 2014; and $9,132,712 in 2015. This results in a 5-year total of
$41,769,218.
The accounting statement reflects: (1) The annual cost of the
fingerprinting requirement: And (2) the application of the 3 percent
and 7 percent discount rate to the combined amounts of the application
fees for CY 2015--specifically, $4,615,586 (new applicants) plus
$9,132,712 (revalidations), for a total of $13,748,298. This
constitutes a transfer of funds to the Federal government. We chose the
figures from CY 2015 for Medicaid so as to reflect the maximum amount
of transferred funds in a given year during the initial 5-year period.

[[Page 5959]]

Table 15--Accounting Statement: Classification of Estimated Expenditures and Costs from CY 2011 to CY 2015 (in
Millions)
----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------
Medicare Fingerprint Requirement COSTS
----------------------------------------------------------------------------------------------------------------
3 percent Discount Rate 7 percent Discount Rate
Annualized Monetized Costs (2,000 post[dash]moratorium $2.275 $2.275
requests)..................................................
----------------------------------------------------------------------------------------------------------------
Annualized Monetized Costs (5,000 post[dash]moratorium $3.025 $3.025
requests)..................................................
----------------------------------------------------------------------------------------------------------------
Annualized Monetized Costs (10,000 post[dash]moratorium $4.275 $4.275
requests)..................................................
----------------------------------------------------------------------------------------------------------------
Who is Affected? Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
Medicare Application Fee TRANSFERS
----------------------------------------------------------------------------------------------------------------
3 percent Discount Rate 7 percent Discount Rate
Annualized Monetized Transfers (through 2015)............... $48.2 $47.3
----------------------------------------------------------------------------------------------------------------
From Whom to Whom? Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
Medicaid Fingerprint Requirement COSTS
----------------------------------------------------------------------------------------------------------------
3 percent Discount Rate 7 percent Discount Rate
Annualized Monetized Costs.................................. $1.3 $1.3
----------------------------------------------------------------------------------------------------------------
Who is Affected? Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
Medicaid Application Fee TRANSFERS
----------------------------------------------------------------------------------------------------------------
3 percent Discount Rate 7 percent Discount Rate
Annualized Monetized Costs.................................. $10.1 $10.0
----------------------------------------------------------------------------------------------------------------
From Whom to Whom? Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
BENEFITS
----------------------------------------------------------------------------------------------------------------
Qualitative: The above[dash]referenced requirements will: (1) Allow CMS to more closely screen providers and
suppliers that pose risks to the Medicare and Medicaid programs; (2) help offset the costs of administering the
Medicare and Medicaid programs; (3) limit, via the imposition of moratoria, the entry of certain categories of
providers and suppliers into Medicare if this is deemed necessary to protect the Medicare Trust Fund; and (4)
suspend payments to certain providers and suppliers that pose a risk to the Trust Fund. We believe these and
other financial benefits outlined in this rule will exceed the costs outlined above............................
----------------------------------------------------------------------------------------------------------------

E. Alternatives Considered

1. General Burden Minimization Efforts
The RFA requires agencies to analyze options for the regulatory
relief of small entities. In compliance with section 604 of the RFA, we
have incorporated several options designed to minimize the burden of
the requirements in this final rule with comment period.
First, we have waived the application fee for individual
physicians, non-physician practitioners, and physician and non-
physician practitioner groups, which are generally small businesses. We
believe this is consistent with congressional intention as expressed in
section 6401(a) of ACA. We also believe this will ease the financial
burden on this large category of small businesses.
Second, the high-risk category is limited to relatively few types
of providers and suppliers. We could have elected to include many more
providers and supplier types within this category and, subsequently,
subjected them to the enhanced screening requirements of fingerprint-
based criminal background checks. However, in part so as not to overly
burden these entities, many of which are small businesses, we chose to
restrict the high-risk category to a limited number of provider types.
2. Fingerprinting
We received several comments proposing alternatives to
fingerprinting as a screening mechanism. The two principal suggested
alternatives were the submission of a: (1) U.S. or foreign passport;
and (2) copies of the individual's Federal tax returns. However, we
explained in the preamble, we are adopting fingerprint-based criminal
background checks.
There are several reasons for our decision to proceed with
fingerprinting as opposed to passports and tax returns. First, we are,
to a large extent, combining the fingerprinting and criminal background
check processes for providers and suppliers. These will be done though
the FBI IAFIS, which we believe is the most reliable and appropriate
avenue available. The submission of fingerprints is the only way to
obtain a criminal history record check from the FBI IAFIS. Information
from a U.S. or foreign passport or a Federal tax return, on the other
hand, could only be used to process a name-based criminal history
record check--and the FBI does not process name-based requests for non-
criminal justice purposes.
Second, we believe that fingerprinting--more than any other
mechanism--will allow us to conclusively identify the individuals that
will be participating in the Medicare program. Indeed, a tax return,
while containing certain identifying information, does not--in our
view--produce the level of assurance in this area that fingerprinting
does.
Finally, the use of passports or tax returns would require CMS to
forgo the unified approach of the FBI IAFIS and instead have two
separate processes--one for verifying identify and another for
analyzing the person's criminal history. This would result in: (1) A
verification process that is not as reliable as fingerprinting, and (2)
a

[[Page 5960]]

distinct and potentially costly process for criminal background checks
through private entities that, we believe, will probably not involve
access to the scope of data that the FBI has.
We believe that the overall costs involved in maintaining such a
two-part approach would, in the end, exceed that of the FBI IAFIS
approach, especially if--as we expect--the overwhelming majority of
individuals subject to the fingerprinting requirement submit them
electronically. Indeed, with respect to the cost differential between
the paper and electronic fingerprinting processes, we stated earlier in
the RIA that we estimate an average annual cost of the fingerprinting
requirement of $2,275,000 (if 2,000 post-moratorium requests are made),
based on: (1) The fingerprinting of 45,500 individuals; and (2) a $50
cost per person for obtaining a set of fingerprints via the FD-258. We
believe that the per person cost for submitting fingerprints
electronically will be approximately $35. If we assume that 40,000 of
the 45,500 individuals submit fingerprints electronically and the
remaining 5,500 use the FD-258, this results in an annual cost of
$1,675,000, or $600,000 less than $2,275,000. This leads to a savings
over 5 years of $3,000,000 ($600,000 x 5).
It is not possible for us to quantify the costs involved in having
the FBI IAFIS perform the criminal background checks. However, we can
estimate that it would cost approximately $40 per person to perform a
criminal background check via private entities. This would result in an
annual cost of $1,820,000, or $9,100,000 over 5 years. With the
efficiency furnished through the use of the FBI-IAFIS, we do not
believe the cost of these checks would ultimately exceed $9,100,000.
We concede that the submission of a passport or tax return would
not involve the processing costs that would come with fingerprinting.
But the ability to verify one's identity via fingerprinting is, we
believe, sufficiently greater than with the latter two documents, such
that the overall program integrity savings would substantially exceed
any additional cost incurred in using fingerprints in lieu of passports
and tax returns.
3. Other Suggested Alternatives
We received several other suggested alternatives to our proposed
provisions. One was to assess the application fee based on the NPI or
TIN. As stated earlier in this RIA, we did not believe this approach
was appropriate because the requirement to submit an enrollment
application is separate from the requirement to have an NPI or a TIN.
We believe that basing the fee on the submission of an application is
most consistent with the statute. Another involved taking into account
factors such as: (1) Error rates; (2) past history with Medicare,
Medicaid and other health plans; and (3) ownership, when assessing a
provider or supplier's risk. In section II of this final rule with
comment period, we stated that the ACA requires levels of screening
according to the risk of fraud, waste, and abuse posed by categories of
providers and suppliers as a whole. The approach taken in this final
rule with comment period whereby we assign specific categories of
providers and suppliers to screening levels determined by risk of
fraud, waste, and abuse is consistent with the requirements of the
statute. Therefore, in general, we chose to use a categorical approach
to our classifications, rather than assign individual providers within
a particular provider type to certain risk levels.

F. Conclusion

This final rule with comment period contains provisions that are of
critical importance in the transition of CMS' antifraud activities from
``pay and chase'' to fraud prevention. ``Pay and chase'' refers to the
traditional approach under which we met our obligations to provide
beneficiaries access to qualified providers and suppliers and to pay
claims quickly by making it relatively easy for providers to sign up to
bill Medicare, Medicaid or CHIP, paying their claims rapidly, and then
detecting overpayments or fraudulent bills and pursuing recoveries of
overpayments after the fact. That system functions reasonably well when
the problems arise with legitimate providers and suppliers that will be
solvent and in business when CMS seeks to recover overpayments or law
enforcement pursues civil or criminal penalties. It is not adequate
when the fraud is committed by sham operations that provide no services
or supplies and exist simply to steal from Medicare or Medicaid and
thrive on stealing or subverting the identities of beneficiaries and
providers.
This final rule with comment period strikes a balance that will
permit us to continue to assure that eligible beneficiaries receive
appropriate services from qualified providers whose claims are paid on
a timely basis while implementing enhanced measures to prevent outright
fraud. The new and strengthened provisions in the ACA that are the
subject of this final rule with comment period will help assure that
only legitimate providers and suppliers are enrolled in Medicare,
Medicaid, and CHIP, and that only legitimate claims will be paid. These
provisions are applied according to the level of risk of fraud, waste,
and abuse posed by different provider and supplier types. We will use
screening tools for a particular provider or supplier type based on 3
distinct categories of risk: (1) Limited; (2) moderate; and (3) high.
Limited risk providers will have enrollment requirements, license and
database verifications; moderate risk will have those verifications
plus unscheduled site visits; high risk will have verifications,
unscheduled site visits, criminal background check and fingerprinting.
CMS and the States will impose moratoria on the enrollment of new
providers in situations when doing so is necessary to protect against a
high risk of fraud. Working in conjunction with the OIG, CMS and States
will suspend payments pending an investigation of a credible allegation
of fraud and legitimate providers will be assisted in avoiding problems
by implementing effective compliance programs.
This final rule with comment period is an essential tool in
protecting public resources and assuring that they are devoted to
providing health care rather than enriching fraudulent actors.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.

List of Subjects

42 CFR Part 405

Administrative practice and procedure, Health facilities, Health
professions, Kidney diseases, Medical devices, Medicare, Reporting and
recordkeeping requirements, Rural areas, X-rays.

42 CFR Part 424

Emergency medical services, Health facilities, Health professions,
Medicare, and Reporting and recordkeeping requirements.

42 CFR Part 438

Grant programs--health, Medicaid, Reporting and recordkeeping
requirements.

42 CFR Part 447

Accounting, Administrative practice and procedure, Drugs, Grant
programs--health, Health facilities, Health professions, Medicaid,
Reporting and recordkeeping requirements, and Rural areas.

[[Page 5961]]

42 CFR Part 455

Fraud, Grant programs--health, Health facilities, Health
professions, Investigations, Medicaid, and Reporting and recordkeeping
requirements.

42 CFR Part 457

Administrative practice and procedure, Grant programs--health,
Health insurance, and Reporting and recordkeeping requirements.

42 CFR Part 498

Administrative practice and procedure, Health facilities, Health
professions, Medicare, Reporting and recordkeeping requirements.

42 CFR Part 1007

Administrative practice and procedure, Fraud, Grant programs--
health, Medicaid, and Reporting and recordkeeping requirements.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services amends 42 CFR chapter IV and the Office of the
Inspector General amends 42 CFR chapter V, as set forth below:

CHAPTER IV--CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF
HEALTH AND HUMAN SERVICES

PART 405--FEDERAL HEALTH INSURANCE FOR THE AGED AND DISABLED

0
1. The authority citation for part 405 continues to read as follows:

Authority: Secs. 205(a), 1102, 1861, 1862(a), 1869, 1871, 1874,
1881, and 1886(k) of the Social Security Act (42 U.S.C. 405(a),
1302, 1395x, 1395y(a), 1395ff, 1395hh, 1395kk, 1395rr and
1395ww(k)), and sec. 353 of the Public Health Service Act (42 U.S.C.
263a).

Subpart C--Suspension of Payment, Recovery of Overpayments, and
Repayment of Scholarships and Loans

0
2. The authority citation for subpart C is revised to read as follows:

Authority: Secs. 1102, 1815, 1833, 1842, 1862, 1866, 1870,
1871, 1879 and 1892 of the Social Security Act (42 U.S.C. 1302,
1395g, 1395l, 1395u, 1395y, 1395cc, 1395gg, 1395hh, 1395pp and
1395ccc) and 31 U.S.C. 3711.

0
3. In subpart C, remove the phrase ``intermediary or carrier'' wherever
it appears and add the phrase ``Medicare contractor'' in its place.

0
4. Section 405.370 is amended as follows:
0
A. In paragraph (a), adding the definitions of ``Credible allegation of
fraud,'' ``Medicare contractor,'' and ``Resolution of an
investigation'' in alphabetical order.
0
B. In paragraph (a), revising the definitions of ``Offset,''
``Recoupment,'' and ``Suspension of payment''.
The additions and revisions read as follows:

Sec. 405.370 Definitions.

(a) * * *
Credible allegation of fraud. A credible allegation of fraud is an
allegation from any source, including but not limited to the following:
(1) Fraud hotline complaints.
(2) Claims data mining.
(3) Patterns identified through provider audits, civil false claims
cases, and law enforcement investigations. Allegations are considered
to be credible when they have indicia of reliability.
Medicare contractor. Unless the context otherwise requires,
includes, but is not limited to the any of following:
(1) A fiscal intermediary.
(2) A carrier.
(3) Program safeguard contractor.
(4) Zone program integrity contractor.
(5) Part A/Part B Medicare administrative contractor.
Offset. The recovery by Medicare of a non-Medicare debt by reducing
present or future Medicare payments and applying the amount withheld to
the indebtedness. (Examples are Public Health Service debts or Medicaid
debts recovered by CMS).
Recoupment. The recovery by Medicare of any outstanding Medicare
debt by reducing present or future Medicare payments and applying the
amount withheld to the indebtedness.
Resolution of an investigation. An investigation of credible
allegations of fraud will be considered resolved when legal action is
terminated by settlement, judgment, or dismissal, or when the case is
closed or dropped because of insufficient evidence to support the
allegations of fraud.
Suspension of payment. The withholding of payment by a Medicare
contractor from a provider or supplier of an approved Medicare payment
amount before a determination of the amount of the overpayment exists,
or until the resolution of an investigation of a credible allegation of
fraud.
* * * * *

0
5. Section 405.371 is revised to read as follows:

Sec. 405.371 Suspension, offset, and recoupment of Medicare payments
to providers and suppliers of services.

(a) General rules. Medicare payments to providers and suppliers, as
authorized under this subchapter (excluding payments to beneficiaries),
may be--
(1) Suspended, in whole or in part, by CMS or a Medicare contractor
if CMS or the Medicare contractor possesses reliable information that
an overpayment exists or that the payments to be made may not be
correct, although additional information may be needed for a
determination;
(2) In cases of suspected fraud, suspended, in whole or in part, by
CMS or a Medicare contractor if CMS or the Medicare contractor has
consulted with the OIG, and, as appropriate, the Department of Justice,
and determined that a credible allegation of fraud exists against a
provider or supplier, unless there is good cause not to suspend
payments; or
(3) Offset or recouped, in whole or in part, by a Medicare
contractor if the Medicare contractor or CMS has determined that the
provider or supplier to whom payments are to be made has been overpaid.
(b) Good cause exceptions applicable to payment suspensions.
(1) CMS may find that good cause exists not to suspend payments or
not to continue to suspend payments to an individual or entity against
which there are credible allegations of fraud if--
(i) OIG or other law enforcement agency has specifically requested
that a payment suspension not be imposed because such a payment
suspension may compromise or jeopardize an investigation;
(ii) It is determined that beneficiary access to items or services
would be so jeopardized by a payment suspension in whole or part as to
cause a danger to life or health;
(iii) It is determined that other available remedies implemented by
CMS or a Medicare contractor more effectively or quickly protect
Medicare funds than would implementing a payment suspension; or
(iv) CMS determines that a payment suspension or a continuation of
a payment suspension is not in the best interests of the Medicare
program.
(2) Every 180 days after the initiation of a suspension of payments
based on credible allegations of fraud, CMS will--
(i) Evaluate whether there is good cause to not continue such
suspension under this section; and
(ii) Request a certification from the OIG or other law enforcement
agency that the matter continues to be under investigation warranting
continuation of the suspension.
(3) Good cause not to continue to suspend payments to an individual
or

[[Page 5962]]

entity against which there are credible allegations of fraud must be
deemed to exist if a payment suspension has been in effect for 18
months and there has not been a resolution of the investigation, except
CMS may extend a payment suspension beyond that point if --
(i) The case has been referred to, and is being considered by, the
OIG for administrative action (for example, civil money penalties); or
such administrative action is pending or
(ii) The Department of Justice submits a written request to CMS
that the suspension of payments be continued based on the ongoing
investigation and anticipated filing of criminal or civil action or
both or based on a pending criminal or civil action or both. At a
minimum, the request must include the following:
(A) Identification of the entity under suspension.
(B) The amount of time needed for continued suspension in order to
conclude the criminal or civil proceeding or both.
(C) A statement of why or how criminal or civil action or both may
be affected if the requested extension is not granted.
(c) Steps necessary for suspension of payment, offset, and
recoupment.
(1) Except as provided in paragraph (d) of this section, CMS or the
Medicare contractor suspends payments only after it has complied with
the procedural requirements set forth at Sec. 405.372.
(2) The Medicare contractor offsets or recoups payments only after
it has complied with the procedural requirements set forth at Sec.
405.373.
(d) Suspension of payment in the case of unfiled cost reports. (1)
If a provider has failed to timely file an acceptable cost report,
payment to the provider is immediately suspended in whole or in part
until a cost report is filed and determined by the Medicare contractor
to be acceptable.
(2) In the case of an unfiled cost report, the provisions of Sec.
405.372 do not apply. (See Sec. 405.372(a)(2) concerning failure to
furnish other information.)

0
6. Section 405.372 is amended as follows:
0
A. Remove the phrase ``intermediary, carrier'' wherever it appears and
adding the phrase ``Medicare contractor'' in its place.
0
B. Revising paragraphs (a)(4), (c), and (d)(3).
0
C. In paragraph (e), removing the cross-reference ``Sec. 405.371(b)''
and adding the cross-reference ``Sec. 405.371(a)'' in its place.

Sec. 405.372 Proceeding for suspension of payment.

(a) * * *
(4) Fraud. If the intended suspension of payment involves credible
allegations of fraud under Sec. 405.371(a)(2), CMS--
(i) In consultation with OIG and, as appropriate, the Department of
Justice, determines whether to impose the suspension and if prior
notice is appropriate;
(ii) Directs the Medicare contractor as to the timing and content
of the notification to the provider or supplier; and
(iii) Is the real party in interest and is responsible for the
decision.
* * * * *
(c) Subsequent action. (1) If a suspension of payment is put into
effect under Sec. 405.371(a)(1), CMS or the Medicare contractor takes
timely action after the suspension to obtain the additional information
it may need to make a determination as to whether an overpayment exists
or the payments may be made.
(i) CMS or the Medicare contractor makes all reasonable efforts to
expedite the determination.
(ii) As soon as the determination is made, CMS or the Medicare
contractor informs the provider or supplier and, if appropriate, the
suspension is rescinded or any existing recoupment or offset is
adjusted to take into account the determination.
(2)(i) If a suspension of payment is based upon credible
allegations of fraud in accordance with Sec. 405.371(a)(2), subsequent
action must be taken by CMS or the Medicare contractor to make a
determination as to whether an overpayment exists.
(ii) The rescission of the suspension and the issuance of a final
overpayment determination to the provider or supplier may be delayed
until resolution of the investigation.
(d) * * *
(3) Exceptions to the time limits. (i) The time limits specified in
paragraphs (d)(1) and (d)(2) of this section do not apply if the
suspension of payments is based upon credible allegations of fraud
under Sec. 405.371(a)(2).
(ii) Although the time limits specified in paragraphs (d)(1) and
(d)(2) of this section do not apply to suspensions based on credible
allegations of fraud, all suspensions of payment in accordance with
Sec. 405.371(a)(2) will be temporary and will not continue after the
resolution of an investigation, unless a suspension is warranted
because of reliable evidence of an overpayment or that the payments to
be made may not be correct, as specified in Sec. 405.371(a)(1).
* * * * *

PART 424--CONDITIONS FOR MEDICARE PAYMENT

0
7. The authority citation for part 424 continues to read as follows:

Authority: Secs. 1102 and 1871 of the Social Security Act (42
U.S.C. 1302 and 1395hh).

0
8. Section 424.57 is amended by revising paragraph (e) to read as
follows:

Sec. 424.57 Special payment rules for items furnished by DMEPOS
suppliers and issuance of DMEPOS supplier billing privileges.

* * * * *
(e) Revalidation of billing privileges. A supplier must revalidate
its application for billing privileges every 3 years after the billing
privileges are first granted. (Each supplier must complete a new
application for billing privileges 3 years after its last
revalidation.)
* * * * *

0
9. Section 424.502 is amended by adding the definition of
``Institutional provider'' in alphabetical order to read as follows:

Sec. 424.502 Definitions.

* * * * *
Institutional provider means any provider or supplier that submits
a paper Medicare enrollment application using the CMS-855A, CMS-855B
(not including physician and nonphysician practitioner organizations),
CMS-855S or associated Internet-based PECOS enrollment application.
* * * * *

0
10. Section 424.514 is added to read as follows:

Sec. 424.514 Application fee.

(a) Application fee requirements for prospective institutional
providers. Beginning on or after March 25, 2011, prospective
institutional providers that are submitting an initial application or
currently enrolled institutional providers that are submitting an
application to establish a new practice location must submit either or
both of the following:
(1) The applicable application fee.
(2) A request for a hardship exception to the application fee at
the time of filing a Medicare enrollment application.
(b) Application fee requirements for revalidating institutional
providers. Beginning March 25, 2011, institutional providers that are
subject to CMS revalidation efforts must submit either or both of the
following:

[[Page 5963]]

(1) The applicable application fee.
(2) A request for a hardship exception to the application fee at
the time of filing a Medicare enrollment application.
(c) Hardship exception for disaster areas. CMS will assess on a
case-by-case basis whether institutional providers enrolling in a
geographic area that is a Presidentially-declared disaster under the
Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42
U.S.C. 5121-5206 (Stafford Act) should receive an exception to the
application fee.
(d) Application fee. The application fee and associated
requirements are as follows:
(1) For 2010, $500.00.
(2) For 2011 and subsequent years--
(i) Is adjusted by the percentage change in the consumer price
index for all urban consumers (all items; United States city average)
for the 12-month period ending with June of the previous year;
(ii) Is effective from January 1 to December 31 of a calendar year;
(iii) Is based on the submission of an initial application,
application to establish a new practice location or the submission of
an application in response to a CMS revalidation request;
(iv) Must be in the amount calculated by CMS in effect for the year
during which the application for enrollment is being submitted;
(v) Is nonrefundable, except if submitted with one of the
following:
(A) A request for hardship exception that is subsequently approved;
(B) An application that is rejected prior to initiation of
screening processes;
(C) An application that is subsequently denied as a result of the
imposition of a temporary moratorium;
(e) Denial or revocation based on application fee. A Medicare
contractor may deny or revoke Medicare billing privileges of a provider
or supplier based on noncompliance if, in the absence of a written
request for a hardship exception from the application fee that
accompanies a Medicare enrollment application, the bank account on
which the check that is submitted with the enrollment application is
drawn does not contain sufficient funds to pay the application fee.
(f) Information needed for submission of a hardship exception
request. A provider or supplier requesting an exception from the
application fee must include with its enrollment application a letter
that describes the hardship and why the hardship justifies an
exception.
(g) Failure to submit application fee or hardship exception
request. A Medicare contractor may--
(1) Reject an enrollment application from a newly-enrolling
institutional provider that, with the exceptions described in Sec.
424.514(b), is not accompanied by the application fee or by a letter
requesting a hardship exception from the application fee.
(2) Revoke the billing privileges of a currently enrolled
institutional provider that, with the exceptions described in Sec.
424.514(b), is not accompanied by the application fee or by a letter
requesting a hardship exception from the application fee.
(3)(i) Notwithstanding the foregoing, the contractor must first
inform the provider that the application fee was not submitted in
accordance with this section.
(ii) Within 30 days after the date of the notification, the
contractor may reject the application of the newly-enrolling
institutional provider or revoke the billing privileges of the
currently enrolled institutional provider that has not submitted the
fee.
(h) Consideration of hardship exception request. CMS has 60 days in
which to approve or disapprove a hardship exception request. If a
provider submits a request for hardship exception to the fee and the
provider or supplier has not already submitted the fee consistent with
provisions in Sec. 424.514(a) and (b), and the request for hardship
exception is not approved, CMS notifies the provider or supplier that
the hardship exception request was not approved and allows the provider
or supplier 30 days from the date of notification to submit the
application fee.
(1) A Medicare contractor does not--
(i) Begin processing an enrollment application that is accompanied
by a hardship exception request until CMS has made a decision to
approve or disapprove the hardship exception request; and
(ii) Deny an enrollment application that is accompanied by a
hardship exception request unless the hardship exception request is
denied by CMS and the provider or supplier fails to submit the required
application fee within 30 days of being notified that the request for a
hardship exception was denied.
(2) A hardship exception determination made by CMS is appealable
using Sec. 405.874 of this chapter.

0
11. Section 424.515 is amended by adding a new paragraph (e) to read as
follows:

Sec. 424.515 Requirements for reporting changes and updates to, and
the periodic revalidation of Medicare enrollment information.

* * * * *
(e) Additional off-cycle revalidation. On or after March 23, 2012,
Medicare providers and suppliers, including DMEPOS suppliers, may be
required to revalidate their enrollment outside the routine 5-year
revalidation cycle (3-year DMEPOS supplier revalidation cycle).
(1) CMS will contact providers or suppliers to revalidate their
enrollment for off-cycle revalidation.
(2) As with all revalidations, revalidations described in this
paragraph are conducted in accordance with the screening procedures
specified at Sec. 424.518.

0
12. Section 424.518 is added to read as follows:

Sec. 424.518 Screening levels for Medicare providers and suppliers.

A Medicare contractor is required to screen all initial
applications, including applications for a new practice location, and
any applications received in response to a revalidation request based
on a CMS assessment of risk and assignment to a level of ``limited,''
``moderate,'' or ``high.''
(a) Limited categorical risk. (1) Limited categorical risk:
Provider and supplier categories. CMS has designated the following
providers and suppliers as ``limited'' categorical risk:
(i) Physician or nonphysician practitioners (including nurse
practitioners, CRNAs, occupational therapists, speech/language
pathologists, and audiologists) and medical groups or clinics.
(ii) Ambulatory surgical centers.
(iii) Competitive Acquisition Program/Part B Vendors.
(iv) End-stage renal disease facilities.
(v) Federally qualified health centers.
(vi) Histocompatibility laboratories.
(vii) Hospitals, including critical access hospitals, Department of
Veterans Affairs hospitals, and other federally owned hospital
facilities.
(viii) Health programs operated by an Indian Health Program (as
defined in section 4(12) of the Indian Health Care Improvement Act) or
an urban Indian organization (as defined in section 4(29) of the Indian
Health Care Improvement Act) that receives funding from the Indian
Health Service pursuant to Title V of the Indian Health Care
Improvement Act.
(ix) Mammography screening centers.
(x) Mass immunization roster billers
(xi) Organ procurement organizations.
(xii) Pharmacies newly enrolling or revalidating via the CMS-855B
application.

[[Page 5964]]

(xiii) Radiation therapy centers.
(xiv) Religious non-medical health care institutions.
(xv) Rural health clinics.
(xvi) Skilled nursing facilities.
(2) Limited screening level: Screening requirements. When CMS
designates a provider or supplier as a ``limited'' categorical level of
risk, the Medicare contractor does all of the following:
(i) Verifies that a provider or supplier meets all applicable
Federal regulations and State requirements for the provider or supplier
type prior to making an enrollment determination.
(ii) Conducts license verifications, including licensure
verifications across State lines for physicians or nonphysician
practitioners and providers and suppliers that obtain or maintain
Medicare billing privileges as a result of State licensure, including
State licensure in States other than where the provider or supplier is
enrolling.
(iii) Conducts database checks on a pre- and post-enrollment basis
to ensure that providers and suppliers continue to meet the enrollment
criteria for their provider/supplier type.
(b) Moderate categorical risk. (1) Moderate categorical risk:
Provider and supplier categories. CMS has designated the following
providers and suppliers as ``moderate'' categorical risk:
(i) Ambulance service suppliers.
(ii) Community mental health centers.
(iii) Comprehensive outpatient rehabilitation facilities.
(iv) Hospice organizations.
(v) Independent clinical laboratories.
(vi) Independent diagnostic testing facilities.
(vii) Physical therapists enrolling as individuals or as group
practices.
(viii) Portable x-ray suppliers.
(ix) Revalidating home health agencies.
(x) Revalidating DMEPOS suppliers.
(2) Moderate screening level: Screening requirements. When CMS
designates a provider or supplier as a ``moderate'' categorical level
of risk, the Medicare contractor does all of the following:
(i) Performs the ``limited'' screening requirements described in
paragraph (a)(2) of this section.
(ii) Conducts an on-site visit.
(c) High categorical risk. (1) High categorical risk: Provider and
supplier categories. CMS has designated the following home health
agencies and suppliers of DMEPOS as ``high'' categorical risk:
(i) Prospective (newly enrolling) home health agencies.
(ii) Prospective (newly enrolling) DMEPOS suppliers.
(2) High screening level: Screening requirements. When CMS
designates a provider or supplier as a ``high'' categorical level of
risk, the Medicare contractor does all of the following:
(i) Performs the ``limited'' and ``moderate'' screening
requirements described in paragraphs (a)(2) and (b)(2) of this section.
(ii)(A) Requires the submission of a set of fingerprints for a
national background check from all individuals who maintain a 5 percent
or greater direct or indirect ownership interest in the provider or
supplier; and
(B) Conducts a fingerprint-based criminal history record check of
the Federal Bureau of Investigation's Integrated Automated Fingerprint
Identification System on all individuals who maintain a 5 percent or
greater direct or indirect ownership interest in the provider or
supplier.
(3) Adjustment in the categorical risk. CMS adjusts the screening
level from ``limited'' or ``moderate'' to ``high'' if any of the
following occur:
(i) CMS imposes a payment suspension on a provider or supplier at
any time in the last 10 years.
(ii) The provider or supplier--
(A) Has been excluded from Medicare by the OIG; or
(B) Had billing privileges revoked by a Medicare contractor within
the previous 10 years and is attempting to establish additional
Medicare billing privileges by--
(1) Enrolling as a new provider or supplier; or
(2) Billing privileges for a new practice location;
(C) Has been terminated or is otherwise precluded from billing
Medicaid;
(D) Has been excluded from any Federal health care program; or
(E) Has been subject to any final adverse action, as defined at
Sec. 424.502, within the previous 10 years.
(iii) CMS lifts a temporary moratorium for a particular provider or
supplier type and a provider or supplier that was prevented from
enrolling based on the moratorium, applies for enrollment as a Medicare
provider or supplier at any time within 6 months from the date the
moratorium was lifted.
(d) Fingerprinting requirements. An individual subject to the
fingerprint-based criminal history record check requirement specified
in paragraph (c)(2)(ii)(B) of this section--
(1) Must submit a set of fingerprints for a national background
check.
(i) Upon submission of a Medicare enrollment application; or
(ii) Within 30 days of a Medicare contractor request.
(2) In the event the individual(s) required to submit fingerprints
under paragraph (c)(2) of this section fail to submit such fingerprints
in accordance with paragraph (d)(1) of this section, the provider or
supplier will have its billing privileges--
(i) Denied under Sec. 424.530(a)(1); or
(ii) Revoked under Sec. 424.535(a)(1).

0
13. Section 424.525 is amended by:
0
A. Revising paragraph (a) introductory text.
0
B. Adding a new paragraph (a)(3).
The revision and addition read as follows:

Sec. 424.525 Rejection of a provider or supplier's enrollment
application for Medicare enrollment.

(a) Reasons for rejection. CMS may reject a provider's or
supplier's enrollment application for any of the following reasons:
* * * * *
(3) The prospective institutional provider or supplier does not
submit the application fee in the designated amount or a hardship
waiver request with the Medicare enrollment application at the time of
filing.
* * * * *

0
14. Section 424.530 is amended by adding new paragraphs (a)(9) and
(a)(10) to read as follows:

Sec. 424.530 Denial of enrollment in the Medicare program.

(a) * * *
(9) Application fee/hardship exception. An institutional provider's
or supplier's hardship exception request is not granted, and the
provider or supplier does not submit the application fee within 30 days
of notification that the hardship exception request was not approved.
(10) Temporary moratorium. A provider or supplier submits an
enrollment application for a practice location in a geographic area
where CMS has imposed a temporary moratorium.
* * * * *

0
15. Section 424.535 is amended as follows:
0
A. Revising paragraph (a)(6).
0
B. Adding a new paragraph (a)(12).
0
C. Revising paragraph (c).

Sec. 424.535 Revocation of enrollment billing and billing privileges
in the Medicare program.

(a) * * *
(6) Grounds related to provider and supplier screening
requirements. (i)(A) An institutional provider does not submit an
application fee or hardship exception request that meets the
requirements set forth in Sec. 424.514 with

[[Page 5965]]

the Medicare revalidation application; or
(B) The hardship exception is not granted and the institutional
provider does not submit the applicable application form or application
fee within 30 days of being notified that the hardship exception
request was denied.
(ii)(A) Either of the following occurs:
(1) CMS is not able to deposit the full application amount into a
government-owned account.
(2) The funds are not able to be credited to the U.S. Treasury.
(B) The provider or supplier lacks sufficient funds in the account
at the banking institution whose name is imprinted on the check or
other banking instrument to pay the application fee; or
(C) There is any other reason why CMS or its Medicare contractor is
unable to deposit the application fee into a government-owned account.
* * * * *
(12) Medicaid termination. (i) Medicaid billing privileges are
terminated or revoked by a State Medicaid Agency.
(ii) Medicare may not terminate unless and until a provider or
supplier has exhausted all applicable appeal rights.
* * * * *
(c) Reapplying after revocation. (1) After a provider, supplier,
delegated official, or authorizing official has had its billing
privileges revoked, it is barred from participating in the Medicare
program from the effective date of the revocation until the end of the
re-enrollment bar.
(2) The re-enrollment bar is a minimum of 1 year, but not greater
than 3 years depending on the severity of the basis for revocation.
(3) CMS may waive the re-enrollment bar if it has revoked a
provider or supplier under Sec. 424.535(a)(6)(i) based upon the
failure of the provider or supplier to submit an application fee or a
hardship exception request with an enrollment application upon
revalidation.
* * * * *

0
16. A new Sec. 424.570 is added to read as follows:

Sec. 424.570 Moratoria on newly enrolling Medicare providers and
suppliers.

(a) Temporary moratoria. (1) General rules. (i) CMS may impose a
moratorium on the enrollment of new Medicare providers and suppliers of
a particular type or the establishment of new practice locations of a
particular type in a particular geographic area.
(ii) CMS will announce the temporary enrollment moratorium in a
Federal Register document that includes the rationale for imposition of
the temporary enrollment moratorium.
(iii) The temporary moratorium does not apply to changes in
practice location, changes in provider or supplier information such as
phone number, address or changes in ownership (except changes in
ownership of home health agencies that would require an initial
enrollment under Sec. 424.550).
(iv) The temporary enrollment moratorium does not apply to any
enrollment application that has been approved by the enrollment
contractor but not yet entered into PECOS at the time the moratorium is
imposed.
(2) Imposition of a temporary moratoria. CMS may impose the
temporary moratorium if--
(i) CMS determines that there is a significant potential for fraud,
waste or abuse with respect to a particular provider or supplier type
or particular geographic area or both. CMS's determination is based on
its review of existing data, and without limitation, identifies a trend
that appears to be associated with a high risk of fraud, waste or
abuse, such as a--
(A) Highly disproportionate number of providers or suppliers in a
category relative to the number of beneficiaries; or
(B) Rapid increase in enrollment applications within a category;
(ii) A State Medicaid program has imposed a moratorium on a group
of Medicaid providers or suppliers that are also eligible to enroll in
the Medicare program;
(iii) A State has imposed a moratorium on enrollment in a
particular geographic area or on a particular provider or supplier type
or both; or
(iv) CMS, in consultation the HHS OIG or the Department of Justice
or both and with the approval of the CMS Administrator identifies
either or both of the following as having a significant potential for
fraud, waste or abuse in the Medicare program:
(A) A particular provider or supplier type.
(B) Any particular geographic area.
(b) Duration of moratoria. A moratorium under this section may be
imposed for a period of 6 months and, if deemed necessary by CMS, may
be extended in 6-month increments. CMS will publish a document in the
Federal Register when it extends a moratorium.
(c) Denial of enrollment: Moratoria. A Medicare contractor denies
the enrollment application of a provider or supplier if the provider or
supplier is subject to a moratorium as specified in paragraph (a) of
this section.
(d) Lifting moratoria. CMS will publish a document in the Federal
Register when a moratorium is lifted. CMS may lift a temporary
moratorium at any time after imposition of the moratorium if one of the
following occur:
(1) The President declares an area a disaster under the Robert T.
Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. 5121-
5206 (Stafford Act).
(2) Circumstances warranting the imposition of a moratorium have
abated or CMS has implemented program safeguards to address the program
vulnerability.
(3) The Secretary has declared a public health emergency under
section 319 of the Public Health Service Act in the area subject to a
temporary moratorium.
(4) In the judgment of the Secretary, the moratorium is no longer
needed.

PART 447--PAYMENT FOR SERVICES

0
19. The authority citation for part 447 continues to read as follows:

Authority: Sec. 1102 of the Social Security Act (42 U.S.C.
1302).

0
20. A new Sec. 447.90 is added to subpart A to read as follows:

Sec. 447.90 FFP: Conditions related to pending investigations of
credible allegations of fraud against the Medicaid program.

(a) Basis and purpose. This section implements section
1903(i)(2)(C) of the Act which prohibits payment of FFP with respect to
items or services furnished by an individual or entity with respect to
which there is pending an investigation of a credible allegation of
fraud except under specified circumstances.
(b) Denial of FFP. No FFP is available with respect to any amount
expended for an item or service furnished by any individual or entity
to whom a State has failed to suspend payments in whole or part as
required by Sec. 455.23 of this chapter unless--
(1) The item or service is furnished as an emergency item or
service, but not including items or services furnished in an emergency
room of a hospital; or
(2) The State determines and documents that good cause as specified
at Sec. 455.23(e) or (f) of this chapter exists not to suspend such
payments, to suspend payments only in part, or to discontinue a
previously imposed payment suspension.

[[Page 5966]]

PART 455--PROGRAM INTEGRITY: MEDICAID

0
21. The authority citation for part 455 continues to read as follows:

Authority: Sec. 1102 of the Social Security Act (42 U.S.C.
1302).

0
22. Section 455.2 is amended by adding the definition of ``Credible
allegation of fraud'' to read as follows:

Sec. 455.2 Definitions.

* * * * *
Credible allegation of fraud. A credible allegation of fraud may be
an allegation, which has been verified by the State, from any source,
including but not limited to the following:
(1) Fraud hotline complaints.
(2) Claims data mining.
(3) Patterns identified through provider audits, civil false claims
cases, and law enforcement investigations. Allegations are considered
to be credible when they have indicia of reliability and the State
Medicaid agency has reviewed all allegations, facts, and evidence
carefully and acts judiciously on a case-by-case basis.
* * * * *

0
23. Section 455.23 is revised to read as follows:

Sec. 455.23 Suspension of payments in cases of fraud.

(a) Basis for suspension. (1) The State Medicaid agency must
suspend all Medicaid payments to a provider after the agency determines
there is a credible allegation of fraud for which an investigation is
pending under the Medicaid program against an individual or entity
unless the agency has good cause to not suspend payments or to suspend
payment only in part.
(2) The State Medicaid agency may suspend payments without first
notifying the provider of its intention to suspend such payments.
(3) A provider may request, and must be granted, administrative
review where State law so requires.
(b) Notice of suspension. (1) The State agency must send notice of
its suspension of program payments within the following timeframes:
(i) Five days of taking such action unless requested in writing by
a law enforcement agency to temporarily withhold such notice.
(ii) Thirty days if requested by law enforcement in writing to
delay sending such notice, which request for delay may be renewed in
writing up to twice and in no event may exceed 90 days.
(2) The notice must include or address all of the following:
(i) State that payments are being suspended in accordance with this
provision.
(ii) Set forth the general allegations as to the nature of the
suspension action, but need not disclose any specific information
concerning an ongoing investigation.
(iii) State that the suspension is for a temporary period, as
stated in paragraph (c) of this section, and cite the circumstances
under which the suspension will be terminated.
(iv) Specify, when applicable, to which type or types of Medicaid
claims or business units of a provider suspension is effective.
(v) Inform the provider of the right to submit written evidence for
consideration by State Medicaid Agency.
(vi) Set forth the applicable State administrative appeals process
and corresponding citations to State law.
(c) Duration of suspension. (1) All suspension of payment actions
under this section will be temporary and will not continue after either
of the following:
(i) The agency or the prosecuting authorities determine that there
is insufficient evidence of fraud by the provider.
(ii) Legal proceedings related to the provider's alleged fraud are
completed.
(2) A State must document in writing the termination of a
suspension including, where applicable and appropriate, any appeal
rights available to a provider.
(d) Referrals to the Medicaid fraud control unit. (1) Whenever a
State Medicaid agency investigation leads to the initiation of a
payment suspension in whole or part, the State Medicaid Agency must
make a fraud referral to either of the following:
(i) To a Medicaid fraud control unit established and certified
under part 1007 of this title; or
(ii) In States with no certified Medicaid fraud control unit, to an
appropriate law enforcement agency.
(2) The fraud referral made under paragraph (d)(1) of this section
must meet all of the following requirements:
(i) Be made in writing and provided to the Medicaid fraud control
unit not later than the next business day after the suspension is
enacted.
(ii) Conform to fraud referral performance standards issued by the
Secretary.
(3)(i) If the Medicaid fraud control unit or other law enforcement
agency accepts the fraud referral for investigation, the payment
suspension may be continued until such time as the investigation and
any associated enforcement proceedings are completed.
(ii) On a quarterly basis, the State must request a certification
from the Medicaid fraud control unit or other law enforcement agency
that any matter accepted on the basis of a referral continues to be
under investigation thus warranting continuation of the suspension.
(4) If the Medicaid fraud control unit or other law enforcement
agency declines to accept the fraud referral for investigation the
payment suspension must be discontinued unless the State Medicaid
agency has alternative Federal or State authority by which it may
impose a suspension or makes a fraud referral to another law
enforcement agency. In that situation, the provisions of paragraph
(d)(3) of this section apply equally to that referral as well.
(5) A State's decision to exercise the good cause exceptions in
paragraphs (e) or (f) of this section not to suspend payments or to
suspend payments only in part does not relieve the State of the
obligation to refer any credible allegation of fraud as provided in
paragraph (d)(1) of this section.
(e) Good cause not to suspend payments. A State may find that good
cause exists not to suspend payments, or not to continue a payment
suspension previously imposed, to an individual or entity against which
there is an investigation of a credible allegation of fraud if any of
the following are applicable:
(1) Law enforcement officials have specifically requested that a
payment suspension not be imposed because such a payment suspension may
compromise or jeopardize an investigation.
(2) Other available remedies implemented by the State more
effectively or quickly protect Medicaid funds.
(3) The State determines, based upon the submission of written
evidence by the individual or entity that is the subject of the payment
suspension, that the suspension should be removed.
(4) Recipient access to items or services would be jeopardized by a
payment suspension because of either of the following:
(i) An individual or entity is the sole community physician or the
sole source of essential specialized services in a community.
(ii) The individual or entity serves a large number of recipients
within a HRSA-designated medically underserved area.
(5) Law enforcement declines to certify that a matter continues to
be under investigation per the requirements of paragraph (d)(3) of this
section.

[[Page 5967]]

(6) The State determines that payment suspension is not in the best
interests of the Medicaid program.
(f) Good cause to suspend payment only in part. A State may find
that good cause exists to suspend payments in part, or to convert a
payment suspension previously imposed in whole to one only in part, to
an individual or entity against which there is an investigation of a
credible allegation of fraud if any of the following are applicable:
(1) Recipient access to items or services would be jeopardized by a
payment suspension in whole or part because of either of the following:
(i) An individual or entity is the sole community physician or the
sole source of essential specialized services in a community.
(ii) The individual or entity serves a large number of recipients
within a HRSA-designated medically underserved area.
(2) The State determines, based upon the submission of written
evidence by the individual or entity that is the subject of a whole
payment suspension, that such suspension should be imposed only in
part.
(3)(i) The credible allegation focuses solely and definitively on
only a specific type of claim or arises from only a specific business
unit of a provider; and
(ii) The State determines and documents in writing that a payment
suspension in part would effectively ensure that potentially fraudulent
claims were not continuing to be paid.
(4) Law enforcement declines to certify that a matter continues to
be under investigation per the requirements of paragraph (d)(3) of this
section.
(5) The State determines that payment suspension only in part is in
the best interests of the Medicaid program.
(g) Documentation and record retention. State Medicaid agencies
must meet the following requirements:
(1) Maintain for a minimum of 5 years from the date of issuance all
materials documenting the life cycle of a payment suspension that was
imposed in whole or part, including the following:
(i) All notices of suspension of payment in whole or part.
(ii) All fraud referrals to the Medicaid fraud control unit or
other law enforcement agency.
(iii) All quarterly certifications of continuing investigation
status by law enforcement.
(iv) All notices documenting the termination of a suspension.
(2)(i) Maintain for a minimum of 5 years from the date of issuance
all materials documenting each instance where a payment suspension was
not imposed, imposed only in part, or discontinued for good cause.
(ii) This type of documentation must include, at a minimum,
detailed information on the basis for the existence of the good cause
not to suspend payments, to suspend payments only in part, or to
discontinue a payment suspension and, where applicable, must specify
how long the State anticipates such good cause will exist.
(3) Annually report to the Secretary summary information on each of
following:
(i) Suspension of payment, including the nature of the suspected
fraud, the basis for suspension, and the outcome of the suspension.
(ii) Situation in which the State determined good cause existed to
not suspend payments, to suspend payments only in part, or to
discontinue a payment suspension as described in this section,
including describing the nature of the suspected fraud and the nature
of the good cause.

0
24. Section 455.101 is amended by adding the definitions of ``Health
insuring organization (HIO),'' ``Managed care entity (MCE),'' ``Prepaid
ambulatory health plan (PAHP),'' ``Prepaid inpatient health plan
(PIHP),'' ``Primary care case manager (PCCM),'' and ``Termination'' in
alphabetical order to read as follows:

Sec. 455.101 Definitions.

* * * * *
Health insuring organization (HIO) has the meaning specified in
Sec. 438.2.
* * * * *
Managed care entity (MCE) means managed care organizations (MCOs),
PIHPs, PAHPs, PCCMs, and HIOs.
* * * * *
Prepaid ambulatory health plan (PAHP) has the meaning specified in
Sec. 438.2.
Prepaid inpatient health plan (PIHP) has the meaning specified in
Sec. 438.2.
Primary care case manager (PCCM) has the meaning specified in Sec.
438.2.
* * * * *
Termination means--
(1) For a--
(i) Medicaid or CHIP provider, a State Medicaid program or CHIP has
taken an action to revoke the provider's billing privileges, and the
provider has exhausted all applicable appeal rights or the timeline for
appeal has expired; and
(ii) Medicare provider, supplier or eligible professional, the
Medicare program has revoked the provider or supplier's billing
privileges, and the provider has exhausted all applicable appeal rights
or the timeline for appeal has expired.
(2)(i) In all three programs, there is no expectation on the part
of the provider or supplier or the State or Medicare program that the
revocation is temporary.
(ii) The provider, supplier, or eligible professional will be
required to reenroll with the applicable program if they wish billing
privileges to be reinstated.
(3) The requirement for termination applies in cases where
providers, suppliers, or eligible professionals were terminated or had
their billing privileges revoked for cause which may include, but is
not limited to--
(i) Fraud;
(ii) Integrity; or
(iii) Quality.
* * * * *

0
25. Section 455.104 is revised to read as follows:

Sec. 455.104 Disclosure by Medicaid providers and fiscal agents:
Information on ownership and control.

(a) Who must provide disclosures. The Medicaid agency must obtain
disclosures from disclosing entities, fiscal agents, and managed care
entities.
(b) What disclosures must be provided. The Medicaid agency must
require that disclosing entities, fiscal agents, and managed care
entities provide the following disclosures:
(1)(i) The name and address of any person (individual or
corporation) with an ownership or control interest in the disclosing
entity, fiscal agent, or managed care entity. The address for corporate
entities must include as applicable primary business address, every
business location, and P.O. Box address.
(ii) Date of birth and Social Security Number (in the case of an
individual).
(iii) Other tax identification number (in the case of a
corporation) with an ownership or control interest in the disclosing
entity (or fiscal agent or managed care entity) or in any subcontractor
in which the disclosing entity (or fiscal agent or managed care entity)
has a 5 percent or more interest.
(2) Whether the person (individual or corporation) with an
ownership or control interest in the disclosing entity (or fiscal agent
or managed care entity) is related to another person with ownership or
control interest in the disclosing entity as a spouse, parent, child,
or sibling; or whether the person (individual or corporation) with an
ownership or control interest in any subcontractor in which the
disclosing entity (or fiscal agent or managed care entity) has a 5
percent or more interest is related to another person with

[[Page 5968]]

ownership or control interest in the disclosing entity as a spouse,
parent, child, or sibling.
(3) The name of any other disclosing entity (or fiscal agent or
managed care entity) in which an owner of the disclosing entity (or
fiscal agent or managed care entity) has an ownership or control
interest.
(4) The name, address, date of birth, and Social Security Number of
any managing employee of the disclosing entity (or fiscal agent or
managed care entity).
(c) When the disclosures must be provided.
(1) Disclosures from providers or disclosing entities. Disclosure
from any provider or disclosing entity is due at any of the following
times:
(i) Upon the provider or disclosing entity submitting the provider
application.
(ii) Upon the provider or disclosing entity executing the provider
agreement.
(iii) Upon request of the Medicaid agency during the re-validation
of enrollment process under Sec. 455.414.
(iv) Within 35 days after any change in ownership of the disclosing
entity.
(2) Disclosures from fiscal agents. Disclosures from fiscal agents
are due at any of the following times:
(i) Upon the fiscal agent submitting the proposal in accordance
with the State's procurement process.
(ii) Upon the fiscal agent executing the contract with the State.
(iii) Upon renewal or extension of the contract.
(iv) Within 35 days after any change in ownership of the fiscal
agent.
(3) Disclosures from managed care entities. Disclosures from
managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are
due at any of the following times:
(i) Upon the managed care entity submitting the proposal in
accordance with the State's procurement process.
(ii) Upon the managed care entity executing the contract with the
State.
(iii) Upon renewal or extension of the contract.
(iv) Within 35 days after any change in ownership of the managed
care entity.
(4) Disclosures from PCCMs. PCCMs will comply with disclosure
requirements under paragraph (c)(1) of this section.
(d) To whom must the disclosures be provided. All disclosures must
be provided to the Medicaid agency.
(e) Consequences for failure to provide required disclosures.
Federal financial participation (FFP) is not available in payments made
to a disclosing entity that fails to disclose ownership or control
information as required by this section.

0
26. A new subpart E is added to part 455 to read as follows:
Subpart E--Provider Screening and Enrollment
Sec.
455.400 Purpose.
455.405 State plan requirements.
455.410 Enrollment and screening of providers.
455.412 Verification of provider licenses.
455.414 Revalidation of enrollment.
455.416 Termination or denial of enrollment.
455.420 Reactivation of provider enrollment.
455.422 Appeal rights.
455.432 Site visits.
455.434 Criminal background checks.
455.436 Federal database checks.
455.440 National Provider Identifier.
455.450 Screening levels for Medicaid providers.
455.452 Other State screening methods.
455.460 Application fee.
455.470 Temporary moratoria.

Subpart E--Provider Screening and Enrollment

Sec. 455.400 Purpose.

This subpart implements sections 1866(j), 1902(a)(39), 1902(a)(77),
and 1902(a)(78) of the Act. It sets forth State plan requirements
regarding the following:
(a) Provider screening and enrollment requirements.
(b) Fees associated with provider screening.
(c) Temporary moratoria on enrollment of providers.

Sec. 455.405 State plan requirements.

A State plan must provide that the requirements of Sec. 455.410
through Sec. 455.450 and Sec. 455.470 are met.

Sec. 455.410 Enrollment and screening of providers.

(a) The State Medicaid agency must require all enrolled providers
to be screened under to this subpart.
(b) The State Medicaid agency must require all ordering or
referring physicians or other professionals providing services under
the State plan or under a waiver of the plan to be enrolled as
participating providers.
(c) The State Medicaid agency may rely on the results of the
provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of
other States.

Sec. 455.412 Verification of provider licenses.

The State Medicaid agency must--
(a) Have a method for verifying that any provider purporting to be
licensed in accordance with the laws of any State is licensed by such
State.
(b) Confirm that the provider's license has not expired and that
there are no current limitations on the provider's license.

Sec. 455.414 Revalidation of enrollment.

The State Medicaid agency must revalidate the enrollment of all
providers regardless of provider type at least every 5 years.

Sec. 455.416 Termination or denial of enrollment.

The State Medicaid agency--
(a) Must terminate the enrollment of any provider where any person
with a 5 percent or greater direct or indirect ownership interest in
the provider did not submit timely and accurate information and
cooperate with any screening methods required under this subpart.
(b) Must deny enrollment or terminate the enrollment of any
provider where any person with a 5 percent or greater direct or
indirect ownership interest in the provider has been convicted of a
criminal offense related to that person's involvement with the
Medicare, Medicaid, or title XXI program in the last 10 years, unless
the State Medicaid agency determines that denial or termination of
enrollment is not in the best interests of the Medicaid program and the
State Medicaid agency documents that determination in writing.
(c) Must deny enrollment or terminate the enrollment of any
provider that is terminated on or after January 1, 2011, under title
XVIII of the Act or under the Medicaid program or CHIP of any other
State.
(d) Must terminate the provider's enrollment or deny enrollment of
the provider if the provider or a person with an ownership or control
interest or who is an agent or managing employee of the provider fails
to submit timely or accurate information, unless the State Medicaid
agency determines that termination or denial of enrollment is not in
the best interests of the Medicaid program and the State Medicaid
agency documents that determination in writing.
(e) Must terminate or deny enrollment if the provider, or any
person with a 5 percent or greater direct or indirect ownership
interest in the provider, fails to submit sets of fingerprints in a
form and manner to be determined by the Medicaid agency within 30 days
of a CMS or a State Medicaid agency request, unless the State Medicaid

[[Page 5969]]

agency determines that termination or denial of enrollment is not in
the best interests of the Medicaid program and the State Medicaid
agency documents that determination in writing.
(f) Must terminate or deny enrollment if the provider fails to
permit access to provider locations for any site visits under Sec.
455.432, unless the State Medicaid agency determines that termination
or denial of enrollment is not in the best interests of the Medicaid
program and the State Medicaid agency documents that determination in
writing.
(g) May terminate or deny the provider's enrollment if CMS or the
State Medicaid agency--
(1) Determines that the provider has falsified any information
provided on the application; or
(2) Cannot verify the identity of any provider applicant.

Sec. 455.420 Reactivation of provider enrollment.

After deactivation of a provider enrollment number for any reason,
before the provider's enrollment may be reactivated, the State Medicaid
agency must re-screen the provider and require payment of associated
provider application fees under Sec. 455.460.

Sec. 455.422 Appeal rights.

The State Medicaid agency must give providers terminated or denied
under Sec. 455.416 any appeal rights available under procedures
established by State law or regulations.

Sec. 455.432 Site visits.

The State Medicaid agency--
(a) Must conduct pre-enrollment and post-enrollment site visits of
providers who are designated as ``moderate'' or ``high'' categorical
risks to the Medicaid program. The purpose of the site visit will be to
verify that the information submitted to the State Medicaid agency is
accurate and to determine compliance with Federal and State enrollment
requirements.
(b) Must require any enrolled provider to permit CMS, its agents,
its designated contractors, or the State Medicaid agency to conduct
unannounced on-site inspections of any and all provider locations.

Sec. 455.434 Criminal background checks.

The State Medicaid agency--
(a) As a condition of enrollment, must require providers to consent
to criminal background checks including fingerprinting when required to
do so under State law or by the level of screening based on risk of
fraud, waste or abuse as determined for that category of provider.
(b) Must establish categorical risk levels for providers and
provider categories who pose an increased financial risk of fraud,
waste or abuse to the Medicaid program.
(1) Upon the State Medicaid agency determining that a provider, or
a person with a 5 percent or more direct or indirect ownership interest
in the provider, meets the State Medicaid agency's criteria hereunder
for criminal background checks as a ``high'' risk to the Medicaid
program, the State Medicaid agency will require that each such provider
or person submit fingerprints.
(2) The State Medicaid agency must require a provider, or any
person with a 5 percent or more direct or indirect ownership interest
in the provider, to submit a set of fingerprints, in a form and manner
to be determined by the State Medicaid agency, within 30 days upon
request from CMS or the State Medicaid agency.

Sec. 455.436 Federal database checks.

The State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of
providers and any person with an ownership or control interest or who
is an agent or managing employee of the provider through routine checks
of Federal databases.
(b) Check the Social Security Administration's Death Master File,
the National Plan and Provider Enumeration System (NPPES), the List of
Excluded Individuals/Entities (LEIE), the Excluded Parties List System
(EPLS), and any such other databases as the Secretary may prescribe.
(c)(1) Consult appropriate databases to confirm identity upon
enrollment and reenrollment; and
(2) Check the LEIE and EPLS no less frequently than monthly.

Sec. 455.440 National Provider Identifier.

The State Medicaid agency must require all claims for payment for
items and services that were ordered or referred to contain the
National Provider Identifier (NPI) of the physician or other
professional who ordered or referred such items or services.

Sec. 455.450 Screening levels for Medicaid providers.

A State Medicaid agency must screen all initial applications,
including applications for a new practice location, and any
applications received in response to a re-enrollment or revalidation of
enrollment request based on a categorical risk level of ``limited,''
``moderate,'' or ``high.'' If a provider could fit within more than one
risk level described in this section, the highest level of screening is
applicable.
(a) Screening for providers designated as limited categorical risk.
When the State Medicaid agency designates a provider as a limited
categorical risk, the State Medicaid agency must do all of the
following:
(1) Verify that a provider meets any applicable Federal
regulations, or State requirements for the provider type prior to
making an enrollment determination.
(2) Conduct license verifications, including State licensure
verifications in States other than where the provider is enrolling, in
accordance with Sec. 455.412.
(3) Conduct database checks on a pre- and post-enrollment basis to
ensure that providers continue to meet the enrollment criteria for
their provider type, in accordance with Sec. 455.436.
(b) Screening for providers designated as moderate categorical
risk. When the State Medicaid agency designates a provider as a
``moderate'' categorical risk, a State Medicaid agency must do both of
the following:
(1) Perform the ``limited'' screening requirements described in
paragraph (a) of this section.
(2) Conduct on-site visits in accordance with Sec. 455.432.
(c) Screening for providers designated as high categorical risk.
When the State Medicaid agency designates a provider as a ``high''
categorical risk, a State Medicaid agency must do both of the
following:
(1) Perform the ``limited'' and ``moderate'' screening requirements
described in paragraphs (a) and (b) of this section.
(2)(i) Conduct a criminal background check; and
(ii) Require the submission of a set of fingerprints in accordance
with Sec. 455.434.
(d) Denial or termination of enrollment. A provider, or any person
with 5 percent or greater direct or indirect ownership in the provider,
who is required by the State Medicaid agency or CMS to submit a set of
fingerprints and fails to do so may have its--
(1) Application denied under Sec. 455.434; or
(2) Enrollment terminated under Sec. 455.416.
(e) Adjustment of risk level. The State agency must adjust the
categorical risk level from ``limited'' or ``moderate'' to ``high''
when any of the following occurs:
(1) The State Medicaid agency imposes a payment suspension on a
provider based on credible allegation of fraud, waste or abuse, the
provider has

[[Page 5970]]

an existing Medicaid overpayment, or the provider has been excluded by
the OIG or another State's Medicaid program within the previous 10
years.
(2) The State Medicaid agency or CMS in the previous 6 months
lifted a temporary moratorium for the particular provider type and a
provider that was prevented from enrolling based on the moratorium
applies for enrollment as a provider at any time within 6 months from
the date the moratorium was lifted.

Sec. 455.452 Other State screening methods.

Nothing in this subpart must restrict the State Medicaid agency
from establishing provider screening methods in addition to or more
stringent than those required by this subpart.

Sec. 455.460 Application fee.

(a) Beginning on or after March 25, 2011, States must collect the
applicable application fee prior to executing a provider agreement from
a prospective or re-enrolling provider other than either of the
following:
(1) Individual physicians or nonphysician practitioners.
(2)(i) Providers who are enrolled in either of the following:
(A) Title XVIII of the Act.
(B) Another State's title XIX or XXI plan.
(ii) Providers that have paid the applicable application fee to--
(A) A Medicare contractor; or
(B) Another State.
(b) If the fees collected by a State agency in accordance with
paragraph (a) of this section exceed the cost of the screening program,
the State agency must return that portion of the fees to the Federal
government.

Sec. 455.470 Temporary moratoria.

(a)(1) The Secretary consults with any affected State Medicaid
agency regarding imposition of temporary moratoria on enrollment of new
providers or provider types prior to imposition of the moratoria, in
accordance with Sec. 424.570 of this chapter.
(2) The State Medicaid agency will impose temporary moratoria on
enrollment of new providers or provider types identified by the
Secretary as posing an increased risk to the Medicaid program.
(3)(i) The State Medicaid agency is not required to impose such a
moratorium if the State Medicaid agency determines that imposition of a
temporary moratorium would adversely affect beneficiaries' access to
medical assistance.
(ii) If a State Medicaid agency makes such a determination, the
State Medicaid agency must notify the Secretary in writing.
(b)(1) A State Medicaid agency may impose temporary moratoria on
enrollment of new providers, or impose numerical caps or other limits
that the State Medicaid agency identifies as having a significant
potential for fraud, waste, or abuse and that the Secretary has
identified as being at high risk for fraud, waste, or abuse.
(2) Before implementing the moratoria, caps, or other limits, the
State Medicaid agency must determine that its action would not
adversely impact beneficiaries' access to medical assistance.
(3) The State Medicaid agency must notify the Secretary in writing
in the event the State Medicaid agency seeks to impose such moratoria,
including all details of the moratoria; and obtain the Secretary's
concurrence with imposition of the moratoria.
(c)(1) The State Medicaid agency must impose the moratorium for an
initial period of 6 months.
(2) If the State Medicaid agency determines that it is necessary,
the State Medicaid agency may extend the moratorium in 6-month
increments.
(3) Each time, the State Medicaid agency must document in writing
the necessity for extending the moratorium.

PART 457--ALLOTMENTS AND GRANTS TO STATES

0
27. The authority citation for part 457 continues to read as follows:

Authority: Section 1102 of the Social Security Act (42 U.S.C.
1302).

0
28. Section 457.900 is amended by adding a new paragraph (a)(2)(x) to
read as follows:

Sec. 457.900 Basis, scope and applicability.

(a) * * *
(2) * * *
(x) Sections 1902(a)(77) and 1902(kk) of the Act relating to
provider and supplier screening, oversight, and reporting requirements.
* * * * *

0
29. A new Sec. 457.990 is added to subpart I to read as follows:

Sec. 457.990 Provider and supplier screening, oversight, and
reporting requirements.

The following provisions and their corresponding regulations apply
to a State under title XXI of the Act, in the same manner as these
provisions and regulations apply to a State under title XIX of the Act:
(a) Part 455, Subpart E, of this chapter.
(b) Sections 1902(a)(77) and 1902(kk) of the Act pertaining to
provider and supplier screening, oversight, and reporting requirements.

PART 498--APPEALS PROCEDURES FOR DETERMINATIONS THAT AFFECT
PARTICIPATION IN THE MEDICARE PROGRAM AND FOR DETERMINATIONS THAT
AFFECT THE PARTICIPATION OF ICFs/MR AND CERTAIN NFs IN THE MEDICAID
PROGRAM

0
30. The authority citation for part 498 continues to read as follows:

Authority: Secs. 1102 and 1871 of the Social Security Act (42
U.S.C. 1302 and 1395hh).

0
31. Section 498.5 is amended by adding a new paragraph (l)(4) to read
as follows:

Sec. 498.5 Appeal rights.

* * * * *
(l) * * *
(4) Scope of review. For appeals of denials based on Sec.
424.530(a)(9) of this chapter related to temporary moratoria, the scope
of review will be limited to whether the temporary moratorium applies
to the provider or supplier appealing the denial. The agency's basis
for imposing a temporary moratorium is not subject to review.

CHAPTER V-OFFICE OF INSPECTOR GENERAL-HEALTH CARE, DEPARTMENT OF HEALTH
AND HUMAN SERVICES

PART 1007--STATE MEDICAID FRAUD CONTROL UNITS

0
32. The authority citation for part 1007 continues to read as follows:

Authority: 42 U.S.C. 1320 and 1395hh.

0
33. Section 1007.9 is amended by adding paragraphs (e) through (g) to
read as follows:

Sec. 1007.9 Relationship to, and agreement with, the Medicaid agency.

* * * * *
(e)(1) The unit may refer any provider with respect to which there
is pending an investigation of a credible allegation of fraud under the
Medicaid program to the State Medicaid agency for payment suspension in
whole or part under Sec. 455.23 of this title.
(2) Referrals may be brief, but must be in writing and include
sufficient information to allow the State Medicaid agency to identify
the provider and to explain the credible allegations forming the
grounds for the payment suspension.
(f) Any request by the unit to the State Medicaid agency to delay
notification to the provider of a payment suspension under Sec. 455.23
of this title must be in writing.

[[Page 5971]]

(g) When the unit accepts or declines a case referred by the State
Medicaid agency, the unit notifies the State Medicaid agency in writing
of the acceptance or declination of the case.

Catalog of Federal Domestic Assistance Program No. 93.778, Medical
Assistance Program) (Catalog of Federal Domestic Assistance Program
No. 93.773, Medicare--Hospital Insurance; and Program No. 93.774,
Medicare--Supplementary Medical Insurance Program)

Dated: January 14, 2011.
Donald Berwick,
Administrator, Centers for Medicare & Medicaid Services.
Approved: January 21, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-1686 Filed 1-24-11; 12:15 pm]
BILLING CODE 4120-01-P