[Federal Register Volume 76, Number 22 (Wednesday, February 2, 2011)]
[Rules and Regulations]
[Pages 5862-5971]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-1686]



[[Page 5861]]

Vol. 76

Wednesday,

No. 22

February 2, 2011

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



Centers for Medicare & Medicaid Services



-----------------------------------------------------------------------



42 CFR Parts 405, 424, 447 et al.



-----------------------------------------------------------------------



Office of Inspector General



-----------------------------------------------------------------------

42 CFR Part 1007



Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers; Final Rule

  Federal Register / Vol. 76 , No. 22 / Wednesday, February 2, 2011 / 
Rules and Regulations  

[[Page 5862]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Parts 405, 424, 447, 455, 457, and 498

Office of Inspector General

42 CFR Part 1007

[CMS-6028-FC]
RIN 0938-AQ20


Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers

AGENCY: Centers for Medicare & Medicaid Services (CMS); Office of 
Inspector General (OIG), HHS.

ACTION: Final rule with comment period.

-----------------------------------------------------------------------

SUMMARY: This final rule with comment period will implement provisions 
of the ACA that establish: Procedures under which screening is 
conducted for providers of medical or other services and suppliers in 
the Medicare program, providers in the Medicaid program, and providers 
in the Children's Health Insurance Program (CHIP); an application fee 
imposed on institutional providers and suppliers; temporary moratoria 
that may be imposed if necessary to prevent or combat fraud, waste, and 
abuse under the Medicare and Medicaid programs, and CHIP; guidance for 
States regarding termination of providers from Medicaid and CHIP if 
terminated by Medicare or another Medicaid State plan or CHIP; guidance 
regarding the termination of providers and suppliers from Medicare if 
terminated by a Medicaid State agency; and requirements for suspension 
of payments pending credible allegations of fraud in the Medicare and 
Medicaid programs. This final rule with comment period also discusses 
our earlier solicitation of comments regarding provisions of the ACA 
that require providers of medical or other items or services or 
suppliers within a particular industry sector or category to establish 
compliance programs.
    We have identified specific provisions surrounding our 
implementation of fingerprinting for certain providers and suppliers 
for which we may make changes if warranted by the public comments 
received. We expect to publish our response to those comments, 
including any possible changes to the rule made as a result of them, as 
soon as possible following the end of the comment period. Furthermore, 
we clarify that we are finalizing the adoption of fingerprinting 
pursuant to the terms and conditions set forth herein.

DATES: Effective date: These regulations are effective on March 25, 
2011. Comment date: We will consider public comments only on the 
Fingerprinting Requirements, contained in Sec. Sec.  424.518 and 
455.434 and discussed in section II.A.5. of the preamble of this 
document, if we receive them at one of the addresses provided below, no 
later than 5 p.m. on April 4, 2011.

ADDRESSES: In commenting, please refer to file code CMS-6028-FC. 
Because of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to http://www.regulations.gov. Follow the instructions for 
``submitting a comment.''
    2. By regular mail. You may mail written comments to the following 
address ONLY: Centers for Medicare & Medicaid Services, Department of 
Health and Human Services, Attention: CMS-6028-FC, P.O. Box 8013, 
Baltimore, MD 21244-8013.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address ONLY: Centers for Medicare & Medicaid Services, 
Department of Health and Human Services, Attention: CMS-6028-FC, Mail 
Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
    4. By hand or courier. If you prefer, you may deliver (by hand or 
courier) your written comments before the close of the comment period 
to either of the following addresses: a. For delivery in Washington, 
DC--Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Room 445-G, Hubert H. Humphrey Building, 200 
Independence Avenue, SW., Washington, DC 20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
please call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments mailed to the addresses indicated as appropriate for hand 
or courier delivery may be delayed and received after the comment 
period.

FOR FURTHER INFORMATION CONTACT: Frank Whelan (410) 786-1302 for 
Medicare enrollment issues. Claudia Simonson (312) 353-2115 for 
Medicaid and CHIP enrollment issues. Lori Bellan (410) 786-2048 for 
Medicaid payment suspension issues and Medicaid termination issues. 
Joseph Strazzire (410) 786-2775 for Medicare payment suspension issues. 
Laura Minassian-Kiefel (410) 786-4641 for compliance program issues.

SUPPLEMENTARY INFORMATION: Due to the many organizations and terms to 
which we refer by acronym in this final rule with comment period, we 
are listing these acronyms and their corresponding terms in 
alphabetical order below. In addition, we are providing a table of 
contents which follows the list of acronyms to assist readers in 
referencing sections contained in this preamble.

Acronyms

ABC American Board for Certification in Orthotics and Prosthetics
A/B MAC Part A or Part B Medicare Administrative Contractor
ACA ``Affordable Care Act''
APD Advance planning document
ASC Ambulatory surgical center
BBA Balanced Budget Act of 1997 (Pub. L. 105-33)
BIPA Medicare Medicaid, and SCHIP Benefits Improvement Protection 
Act of 2000 (Pub. L. 106-544)
CAH Critical access hospital
CAP Competitive acquisition program
CBA Competitive bidding area
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CJIS Criminal Justice Information Services
CLIA Clinical laboratory improvement amendments
CMHC Community mental health centers
CMS Centers for Medicare & Medicaid Services
CON Certificate of Need
CoP Condition of participation
CORF Comprehensive outpatient rehabilitation facility
CPI-U Consumer price index for all urban consumers
DAB Department Appeal Board

[[Page 5863]]

DEA Drug Enforcement Agency
DHUD Department of Housing and Urban Development
DME Durable medical equipment
DMEPOS Durable medical equipment prosthetics, orthotics, and 
supplies
DOB Dates of birth
DOJ Department of Justice
EIN Employer Identification Number
EMTALA Emergency Medical Treatment and Active Labor Act
VIN Vehicle Identifier Number
ESRD End-stage renal disease
EPLS General Service Administration's Excluded Parties List System
FBI Federal Bureau of Investigation
FFP Federal Financial Participation
FFS Medicare fee-for-service program
FQHC Federally qualified health center
GAO Government Accountability Office
HHAs Home health agencies
HHS [Department of] Health and Human Services
HIO Health insuring organization
IAFIS Integrated Automated Fingerprint Identification System
ICF/MR Intermediate care facilities for persons with mental 
retardation
IDTF Independent diagnostic testing facility
IHCIA Indian Health Care Improvement Act
IHS Indian Health Service
IHSS In-home supportive services
IPF Inpatient psychiatric facility
IRF Inpatient rehabilitation facility
ISDEAA Indian Self-Determination and Education Assistance Act
LEIE List of Excluded Individuals/Entities
MCEs Managed care entities
MFCU Medicaid fraud control unit
MAO Medicare Advantage organizations
MMA Medicare Prescription Drug, Improvement, and Modernization Act 
of 2003 (Pub. L. 108-173)
NASDAQ National Association of Securities Dealers Automated 
Quotation System
NF Nursing facility
NPI National Provider Identifier
NPPES National Plan and Provider Enumeration System
NSC National Supplier Clearinghouse
NTIS National Technical Information Service
NPDB National Practitioner Data Bank
NYSE New York Stock Exchange
OIG Office of Inspector General
OMB Office of Management and Budget
OPO Organ procurement organization
PAHP Prepaid ambulatory health plan
PECOS Provider Enrollment, Chain, and Ownership System
PIHP Prepaid inpatient health plan
PSC Program Safeguard Contractors
PTAN Provider transaction account number
RFA Regulatory Flexibility Act
RHC Rural health clinic
RNHCI Religious nonmedical health care institution
SEC Securities and Exchange Commission
SMP Senior Medicare Patrol
SNFs Skilled nursing facilities
SPIA State Program Integrity Assessment
SSA Social Security Administration
SSA DMF Social Security Administration Death Master File
SSN Social Security Number
TTAG Tribal Technical Advisory Group
WAN [FBI CJIS Division's] Wide Area Network
ZPIC Zone Program Integrity Contractors

Table of Contents

I. Background
II. Proposed Provisions and Responses to Public Comments
    A. Provider Screening Under Medicare, Medicaid, and CHIP
    1. Statutory Changes
    2. Summary of Existing Screening Measures
    a. Licensure Requirements--Medicare and Medicaid
    b. Site Visits--Medicare
    c. Database Checks--Medicare
    d. Criminal Background Checks--Medicare
    e. Medicare MAO Requirements
    f. Fingerprinting--Medicare
    g. Screening--Medicaid and CHIP
    3. General Screening of Providers--Medicare
    a. Proposed Screening Requirements
    (1) Limited
    (2) Moderate
    (3) High
    b. Analysis of and Responses to Public Comment on Medicare 
Screening Categories
    c. Final Screening Provision--Medicare
    4. General Screening of Providers--Medicaid and CHIP: Proposed 
Provisions and Analysis of and Responses to Public Comments
    a. Database Checks--Medicaid and CHIP
    b. Unscheduled and Unannounced Site Visits--Medicaid and CHIP
    c. Provider Enrollment and Provider Termination--Medicaid and 
CHIP
    d. Criminal Background Checks and Fingerprinting--Medicaid and 
CHIP
    e. Deactivation and Reactivation of Provider Enrollment--
Medicaid and CHIP
    f. Enrollment and NPI of Ordering or Referring Providers--
Medicaid and CHIP
    g. Other State Screening--Medicaid and CHIP
    h. Final Screening Provisions--Medicaid and CHIP
    5. Solicitation of Additional Comments Regarding the 
Implementation of the
    Fingerprinting Requirements
    B. Application Fee--Medicare, Medicaid, and CHIP
    1. Statutory Changes
    2. Proposed Application Fee Provisions
    C. Temporary Moratoria on Enrollment of Medicare Providers and 
Suppliers, Medicaid and CHIP Providers
    1. Statutory Changes
    2. Proposed Temporary Moratoria Provisions
    a. Medicare
    b. Medicaid and CHIP
    3. Analysis of and Responses to Public Comment
    4. Final Temporary Moratoria on Enrollment of Medicare Providers 
and Suppliers, Medicaid and CHIP Provisions
    D. Suspension of Payments
    1. Medicare
    a. Background
    b. Previous Medicare Regulations
    c. Proposed Medicare Suspension of Payments Requirements
    2. Medicaid
    a. Background
    b. Previous Medicaid Regulations
    c. Proposed Medicaid Suspension of Payments Requirements
    E. Proposed Approach and Solicitation of Comments for Sections 
6102 and 6401(a) of the Affordable Care Act--Ethics and Compliance 
Program
    1. Statutory Changes
    2. Proposed Ethics and Compliance Program Provisions
    3. Analysis of and Responses to Public Comment
    4. Final Provisions--Ethics and Compliance Program
    F. Termination of Provider Participation Under the Medicaid 
Program and CHIP if Terminated Under the Medicare Program or Another 
State Medicaid Program or CHIP
    1. Statutory Change
    2. Proposed Provisions for Termination of Provider Participation 
Under the Medicaid Program and CHIP if Terminated Under the Medicare 
Program or Another State Medicaid Program or CHIP
    3. Analysis of and Responses to Public Comment
    4. Final Provisions for Termination of Provider Participation 
Under the Medicaid Program and CHIP if Terminated Under the Medicare 
Program or Another State Medicaid Program or CHIP
    G. Additional Medicare Provider Enrollment Provisions
    1. Statutory Changes
    2. Proposed Provisions for Additional Medicare Provider 
Enrollment
    3. Analysis of and Response to Public Comments
    4. Final Provisions for Additional Medicare Provider Enrollment
    H. Technical and General Comments
III. Collection of Information Requirements
    A. ICRs Regarding Medicare Application Fee Hardship Exception 
(Sec.  424.514)
    B. ICRs Regarding Medicare Fingerprinting Requirement (Sec.  
424.518)
    C. ICRs Regarding Medicaid Fingerprinting Requirement (Sec.  
455.434)
    D. ICRs Regarding Suspension of Payments in Cases of Fraud or 
Willful Misrepresentation (Sec.  455.23)
    E. ICRs Regarding Collection of SSNs and DOBs for Medicaid and 
CHIP providers (Sec.  455.104)
    F. ICRs Regarding Site Visits for Medicaid-Only or CHIP-Only 
Providers (Sec.  455.450)
    G. ICRs Regarding the Rescreening of Medicaid Providers Every 5 
Years (Sec.  455.414).
IV. Response to Comments
V. Regulatory Impact Analysis
    A. Statement of Need
    B. Overall Impact
    C. Anticipated Effects
    1. Medicare
    a. Enhanced Screening Procedures--Medicare
    b. Application Fee--Medicare

[[Page 5864]]

    c. General Enrollment Framework
    (1) New Enrollment
    (2) Revalidation
    2. Medicaid
    a. Enhanced Screening Procedures
    b. Application Fee--Medicaid
    c. General Enrollment Framework
    (1) New Enrollments
    (2) Re-enrollment
    3. Medicare and Medicaid
    a. Moratoria on Enrollment of New Medicare Providers and 
Suppliers and Medicaid Providers
    b. Suspension of Payments in Medicare and Medicaid
    D. Accounting Statement and Table
    1. Medicare
    2. Medicaid
    E. Alternatives Considered
    1. General Burden Minimization Efforts
    2. Fingerprinting
    3. Other Suggested Alternatives
    F. Conclusion
    Regulations Text

I. Background

    The Medicare program (title XVIII of the Social Security Act (the 
Act)) is the primary payer of health care for 47 million enrolled 
beneficiaries. Under section 1802 of the Act, a beneficiary may obtain 
health services from an individual or an organization qualified to 
participate in the Medicare program. Qualifications to participate are 
specified in statute and in regulations (see, for example, sections 
1814, 1815, 1819, 1833, 1834, 1842, 1861, 1866, and 1891 of the Act; 
and 42 CFR Chapter IV, subchapter G, which concerns standards and 
certification requirements).
    Providers and suppliers furnishing services must comply with the 
Medicare requirements stipulated in the Act and in our regulations. 
These requirements are meant to ensure compliance with applicable 
statutes, as well as to promote the furnishing of high quality care. As 
Medicare program expenditures have grown, we have increased our efforts 
to ensure that only qualified individuals and organizations are allowed 
to enroll or maintain their Medicare billing privileges.
    The Medicaid program (title XIX of the Act) is a joint Federal and 
State health care program for eligible low-income individuals providing 
coverage to more than 51 million people. States have considerable 
flexibility in how they administer their Medicaid programs within a 
broad Federal framework and programs vary from State to State.
    The Children's Health Insurance Program (CHIP) (title XXI of the 
Act) is a joint Federal and State health care program that provides 
health care coverage to more than 7.7 million otherwise uninsured 
children.
    Historically, States, in operating Medicaid and CHIP, have 
permitted the enrollment of providers who meet the State requirements 
for program enrollment.
    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
as amended by the Health Care and Education Reconciliation Act of 2010 
(Pub. L. 111-152) (collectively known as the Affordable Care Act or 
ACA) makes a number of changes to the Medicare and Medicaid programs 
and CHIP that enhance the provider and supplier enrollment process to 
improve the integrity of the programs to reduce fraud, waste, and abuse 
in the programs.
    The following is an overview of some of the statutory authority 
relevant to enrollment in Medicare, Medicaid, and CHIP:
     Sections 1102 and 1871 of the Act provide general 
authority for the Secretary of Health and Human Services (the 
Secretary) to prescribe regulations for the efficient administration of 
the Medicare program. Section 1102 of the Act also provides general 
authority for the Secretary to prescribe regulations for the efficient 
administration of the Medicaid program and CHIP.
     Section 4313 of the Balanced Budget Act of 1997 (BBA) 
(Pub. L. 105-33) amended sections 1124(a)(1) and 1124A of the Act to 
require disclosure of both the Employer Identification Number (EIN) and 
Social Security Number (SSN) of each provider or supplier, each person 
with ownership or control interest in the provider or supplier, any 
subcontractor in which the provider or supplier directly or indirectly 
has a 5 percent or more ownership interest, and any managing employees 
including directors and officers of corporations and non-profit 
organizations and charities. The ``Report to Congress on Steps Taken to 
Assure Confidentiality of Social Security Account Numbers as required 
by the Balanced Budget Act'' was signed by the Secretary and sent to 
the Congress on January 26, 1999. This report outlines the provisions 
of a mandatory collection of SSNs and EINs effective on or after April 
26, 1999.
     Section 936(a)(2) of the Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) 
amended the Act to require the Secretary to establish a process for the 
enrollment of providers of services and suppliers. We are authorized to 
collect information on the Medicare enrollment application (that is, 
the CMS-855, (Office of Management and Budget (OMB) approval number 
0938-0685)) to ensure that correct payments are made to providers and 
suppliers under the Medicare program as established by title XVIII of 
the Act.
     Section 1902(a)(27) of the Act provides general authority 
for the Secretary to require provider agreements under the Medicaid 
State Plans with every person or institution providing services under 
the State plan. Under these agreements, the Secretary may require 
information regarding any payments claimed by such person or 
institution for providing services under the State plan.
     Section 2107(e) of the Act, which provides that certain 
title XIX and title XI provisions apply to States under title XXI, 
including 1902(a)(4)(C) of the Act, relating to conflict of interest 
standards.
     Section 1903(i)(2) of the Act relating to limitations on 
payment.
     Section 1124 of the Act relating to disclosure of 
ownership and related information.
     Sections 6401, 6402, 6501, and 10603 of the ACA and 1304 
of the Health Care and Education Reconciliation Act (Pub. L. 111-152) 
amended the Act by establishing: (1) Procedures under which screening 
is conducted for providers of medical or other services and suppliers 
in the Medicare program, providers in the Medicaid program, and 
providers in the CHIP; (2) an application fee to be imposed on 
providers and suppliers; (3) temporary moratoria that the Secretary may 
impose if necessary to prevent or combat fraud, waste, and abuse under 
the Medicare and Medicaid programs and CHIP; (4) requirements that 
State Medicaid agencies must terminate any provider that is terminated 
by Medicare or another State plan; (5) requirements for suspensions of 
payments pending credible allegations of fraud in both the Medicare and 
Medicaid programs.

II. Proposed Provisions and Responses to Public Comments

    We received approximately 300 timely pieces of correspondence 
containing multiple comments on the Additional Screening Requirements, 
Application Fees, Temporary Enrollment Moratoria, Payment Suspensions 
and Compliance Plans for Providers and Suppliers proposed rule 
published September 23, 2010 (75 FR 58204). We note that we received 
some comments that were outside the scope of the proposed rule. These 
comments are not addressed in this final rule with comment period. 
Summaries of the public comments that are within the scope of the 
proposals and our responses to those comments are set forth in the 
various sections of this final rule with comment period under the 
appropriate headings.

[[Page 5865]]

A. Provider Screening Under Medicare, Medicaid, and CHIP

1. Statutory Changes
    Section 6401(a) of the ACA, as amended by section 10603 of the ACA, 
amends section 1866(j) of the Act to add a new paragraph, paragraph 
``(2) Provider Screening.'' Section 1866(j)(2)(A) of the Act requires 
the Secretary, in consultation with the Department of Health of Human 
Services' Office of the Inspector General (HHS OIG), to establish 
procedures under which screening is conducted with respect to providers 
of medical or other items or services and suppliers under Medicare, 
Medicaid, and CHIP. Section 1866(j)(2)(B) of the Act requires the 
Secretary to determine the level of screening to be conducted according 
to the risk of fraud, waste, and abuse with respect to the category of 
provider of medical or other items or services or supplier. The 
provision states that the screening shall include a licensure check, 
which may include such checks across State lines; and the screening 
may, as the Secretary determines appropriate based on the risk of 
fraud, waste, and abuse, include a criminal background check; 
fingerprinting; unscheduled or unannounced site visits, including pre-
enrollment site visits; database checks, including such checks across 
State lines; and such other screening as the Secretary determines 
appropriate. Section 1866(j)(2)(C) of the Act requires the Secretary to 
impose a fee on each institutional provider of medical or other items 
or services or supplier that would be used by the Secretary for program 
integrity efforts including to cover the cost of screening and to carry 
out the provisions of sections 1866(j) and 1128J of the Act. We 
discussed the fee in section II.B. of the proposed rule.
    Section 6401(b) of the ACA amends section 1902 of the Act to add 
new paragraph (a)(77) and (ii), which requires States to comply with 
the process for screening providers and suppliers as established by the 
Secretary under 1866(j)(2) of the Act.\1\ Note that section 6401(b) of 
the ACA erroneously added a duplicate section 1902(ii) to the Act. 
Therefore, in the Medicare and Medicaid Extenders Act of 2010 (Pub. L. 
111-309), the Congress enacted a technical correction to redesignate 
the section 1902(ii) of the Act added by section 6401(b) of ACA as 
section 1902(kk) of the Act. In this regulation, we therefore reference 
section 1902(kk) of the Act when referring to the provisions added by 
section 6401(b) of the ACA.
---------------------------------------------------------------------------

    \1\ We believe that the reference to section 1886(j)(2) of the 
Act in section 6401(b)(1) of the ACA is a scrivener's error. We 
believe the Congress intended to refer to section 1866(j)(2) of the 
Act, which, as amended by section 6401(a) of the ACA, requires the 
Secretary to establish a process for screening providers and 
suppliers. Because the drafting error is apparent, and a literal 
reading of the reference to section 1886(j)(2) of the Act would 
produce absurd results, we interpret the cross-reference to section 
1886(j)(2) in the new section 1902(kk) of the Act as if the 
reference were to section 1866(j)(2).
---------------------------------------------------------------------------

    We noted in the proposed rule that the statute uses the terms 
``providers of medical or other items or services,'' ``institutional 
providers,'' and ``suppliers.'' The Medicare program enrolls a variety 
of providers and suppliers, some of which are referred to as 
``providers of services,'' ``institutional providers,'' ``certified 
providers,'' ``certified suppliers,'' and ``suppliers.'' In Medicare, 
the term ``providers of services'' under section 1861(u) of the Act 
means health care entities that furnish services primarily payable 
under Part A of Medicare, such as hospitals, home health agencies 
(including home health agencies providing services under Part B), 
hospices, and skilled nursing facilities. The term ``suppliers'' 
defined in section 1861(d) of the Act refers to health care entities 
that furnish services primarily payable under Part B of Medicare, such 
as independent diagnostic testing facilities (IDTFs), durable medical 
equipment prosthetics, orthotics, and supplies (DMEPOS) suppliers, and 
eligible professionals, which refers to health care suppliers who are 
individuals, that is, physicians and the other professionals listed in 
section 1848(k)(3)(B) of the Act. For Medicaid and CHIP, we use the 
terms ``providers'' or ``Medicaid providers'' or ``CHIP providers'' 
when referring to all Medicaid or CHIP health care providers, including 
individual practitioners, institutional providers, and providers of 
medical equipment or goods related to care. The term ``supplier'' has 
no meaning in the Medicaid program or CHIP.
    The new screening procedures implemented pursuant to new section 
1866(j)(2) of the Act are applicable to newly enrolling providers and 
suppliers, including eligible professionals, beginning on March 25, 
2011. These new procedures are applicable to currently enrolled 
Medicare, Medicaid, and CHIP providers, suppliers, and eligible 
professionals beginning on March 23, 2012. These new screening 
procedures implemented pursuant to new section 1866(j)(2) of the Act 
are applicable beginning on March 25, 2011 for those providers and 
suppliers currently enrolled in Medicare, Medicaid, and CHIP who 
revalidate their enrollment information. Within Medicare, the March 25, 
2011 implementation date will impact those current providers and 
suppliers whose 5-year revalidation cycle (or 3-year revalidation cycle 
for DMEPOS suppliers) results in revalidation occurring on or after 
March 25, 2011 and before March 23, 2012.
    The requirements for revalidation are discussed in Sec.  424.515. 
It is important to note that revalidation--for purposes of both 
provider enrollment in general and this final rule with comment 
period--does not include routine changes of information as described in 
Sec.  424.516(d) and (e), such as address changes or changes in phone 
number.
2. Summary of Existing Screening Measures
    Before we outline the new measures we are finalizing under the ACA, 
it may be helpful to provide a summary of some of the screening 
measures already being utilized in Medicare, Medicaid, and CHIP. 
Pursuant to other authority, but with the notable exception of 
background checks and fingerprinting, Medicare, generally through 
private contractors, already employs a number of the screening 
practices described in section 1866(j)(2)(B) of the Act to determine if 
a provider or supplier is in compliance with Federal and State 
requirements to enroll or to maintain enrollment in the Medicare 
program.
    We also believe it important to note that nothing in this rule is 
intended to abridge our established screening authority under existing 
statutes and regulations or to diminish the screening that providers 
and suppliers currently undergo. To the contrary; the provisions 
specified in this final rule with comment period are intended to 
enhance our existing authority. This rule's provisions, in other words, 
set ``floors''--not ceilings--on enrollment requirements for each 
screening level.
a. Licensure Requirements--Medicare and Medicaid
    Over the past several years, we have taken a number of steps to 
strengthen our ability to deny or revoke Medicare billing privileges 
when providers or suppliers do not have or do not maintain the 
applicable State licensure requirements for their provider or supplier 
type or profession. We established reporting responsibilities for all 
providers, suppliers, and eligible professionals in earlier regulations 
at Sec.  424.516(b) through (e). To ensure that only qualified 
providers and suppliers remain in the Medicare fee-for-service (FFS) 
program, we require that Medicare

[[Page 5866]]

contractors review State licensing board data on a monthly basis to 
determine if providers and suppliers remain in compliance with State 
licensure requirements. Medicare billing privileges would be revoked 
for those providers and suppliers who do not report a final adverse 
action (for example, license revocation or suspension, felony 
conviction) within the applicable reporting period, as required in 
Sec.  424.516(b) through (e). Medicare suppliers of DMEPOS and IDTFs 
are already subject to similar provisions in Sec.  424.57(c) and Sec.  
410.33(g), respectively. DMEPOS suppliers are also subject to 
additional requirements including accreditation and surety bonding, 
pursuant to Sec.  424.57(c)(22) through (26) and Sec.  424.57(d).
    Medicare Advantage organizations (MAOs) are required to verify 
licensure of providers and suppliers, including physicians and other 
health care professionals, in accordance with Sec.  422.204.
    For Medicaid and CHIP, most States do some checking of in-State 
provider licenses, but the extent of scrutiny varies. For example, in 
some States, the existence of the license may be verified, but little 
attention might be given to any restrictions on the license.
b. Site Visits--Medicare
    Pursuant to Sec.  424.517, Medicare conducts the following site 
visits and takes the following actions, generally through private 
contractors under CMS direction:
     The National Supplier Clearinghouse (NSC) Medicare 
Administrative Contractor (the Medicare contractor that processes 
enrollment applications for suppliers of DMEPOS) conducts pre-
enrollment site visits to DMEPOS suppliers that are not associated with 
a chain supplier of DMEPOS (a chain supplier of DMEPOS is a supplier 
with 25 or more distinct practice locations.)
     The NSC also conducts unannounced post-enrollment site 
visits to DMEPOS suppliers for which CMS or the NSC believes there is a 
likelihood of fraudulent or abusive activities to ensure those DMEPOS 
suppliers remain in compliance with the supplier standards found at 
Sec.  424.57(c). CMS at times exercises its right to--
     Have the NSC conduct ad hoc pre- and post-enrollment site 
visits to any DMEPOS supplier;
     Have Medicare contractors conduct pre-enrollment site 
visits to all IDTFs; and
     Conduct ad hoc pre-and post enrollment site visits to any 
prospective Medicare provider and supplier or any enrolled Medicare 
provider or supplier.
    In addition, under 42 CFR parts 488 and 489, a State survey agency 
or an approved national accreditation organization with deeming 
authority conducts pre-enrollment surveys for certified providers and 
suppliers to determine whether they meet the applicable Federal 
conditions and requirements for their provider or supplier type before 
they can participate in the Medicare program.
    We note that the site visits discussed here and elsewhere within 
this preamble and the final regulations are separate and apart from the 
site visits that are conducted pursuant to the Clinical Laboratory 
Improvement Amendments (CLIA). We will work with our State survey 
agency partners in coordinating these site visits so as to avoid 
duplication and burden on providers.
c. Database Checks--Medicare
    Under existing regulation, Medicare contractors employ database 
checks of eligible professionals, owners, authorized officials, 
delegated officials, managing employees, medical directors, and 
supervising physicians (at IDTFs and laboratories) as part of the 
Medicare provider and supplier enrollment process. These include 
database checks with the Social Security Administration (SSA) (to 
verify an individual's SSN), the National Plan and Provider Enumeration 
System (NPPES) to verify the National Provider Identifier (NPI) of an 
eligible professional, and State licensing board checks to determine if 
an eligible professional is appropriately licensed to furnish medical 
services within a given State. These checks also include checking a 
provider or supplier against the HHS OIG's List of Excluded 
Individuals/Entities (LEIE) and the General Service Administration's 
Excluded Parties List System (EPLS). All of the database checks have 
been used to assess the eligibility and qualifications of providers and 
suppliers to enroll in the Medicare program, to confirm the identity of 
an eligible professional to ensure that he or she may be considered for 
enrollment in the Medicare program.
    Also, on a monthly basis, CMS' Medicare contractors systematically 
compare enrolled providers, suppliers, and eligible professionals 
against the information in the Medicare Exclusions Database. The 
Medicare Exclusions Database identifies providers, suppliers, and 
eligible professionals who have been excluded from the Medicare and 
Medicaid programs by the HHS OIG. When a match is found, the HHS OIG 
exclusion information is systematically noted in the Medicare 
enrollment record of the provider, supplier, or eligible professional. 
In the Medicare program, we deny or revoke the billing privileges of 
providers, suppliers, and eligible professionals who have been excluded 
by the HHS OIG. If the HHS OIG lifts the exclusion, the provider, 
supplier or eligible professional must reapply for enrollment in the 
Medicare program. In addition, Medicare contractors also review State 
licensure Web sites on a monthly basis to ensure that eligible 
professionals continue to meet State licensing requirements.
    In addition, since January 2009, we have compared date of death 
information obtained from the Social Security Administration Death 
Master File (SSA DMF) with the information maintained in the National 
Plan and Provider Enumeration System (NPPES), the system that assigns 
an NPI to individuals and organizations. Based on this comparison and 
the subsequent verification, we have deactivated the NPIs of more than 
11,500 individuals who were previously assigned a type 1 (individual) 
NPI. We automatically transfer this information from NPPES to the 
Provider Enrollment, Chain, and Ownership System (PECOS), CMS' national 
Medicare enrollment repository to deactivate a deceased individual's 
Medicare billing privileges. In addition, Medicare contractors are 
required to review and act upon monthly files that contain a list of 
non-practitioner individuals enrolled in the Medicare program who have 
been reported to the SSA as deceased. These individuals include: 
Owners, authorized officials, and delegated officials.
    MAOs, as required by Sec.  422.204, generally use database checks 
to verify licensure and licensure sanctions and limitations with State 
licensing boards and the Federation of State Medical Boards, DEA 
certificates with the National Technical Information Service (NTIS), 
history of adverse professional review actions and malpractice from the 
National Practitioner Data Bank (NPDB), accreditation status of 
institutional providers and suppliers with national accrediting boards, 
such as The Joint Commission (TJC), and search for HHS OIG exclusions 
using the HHS OIG Web site http://oig.hhs.gov/fraud/exclusions/exclusions_list.asp.
d. Criminal Background Checks--Medicare
    Section 6401(a) of the ACA amended Section 1866(j) of the Act 
authorized the Secretary to perform criminal background checks. As 
described in Sec.  424.530(a) and Sec.  424.535(a), CMS or its

[[Page 5867]]

designated Medicare contractor may deny or revoke the Medicare billing 
privileges of the owner of a provider or supplier, a physician or non-
physician practitioner, and terminate any corresponding provider or 
supplier agreement for a number of reasons, including an exclusion from 
the Medicare, Medicaid, and any other Federal health care program, a 
felony within the preceding 10 years that is considered detrimental to 
the Medicare program, and/or submission of false or misleading 
information on the Medicare enrollment application. While we require 
our Medicare contractors to verify data submitted on, and as part of, 
the Medicare provider/supplier enrollment application, our contractors 
are not able to verify information that may have been purposefully 
omitted or changed in a manner to obfuscate any previous criminal 
activity. A 2005 report issued by the National Task Force on the 
Criminal Backgrounding of America, sponsored by the Bureau of Justice 
Statistics and the U.S. Department of Justice, defined a Criminal 
History Record Check as a check that returns records from official 
criminal repositories (meaning State repositories and the Federal 
Bureau of Investigations (FBI) Interstate Identification Index that 
links Federal and State criminal record systems), and the FBI uses the 
same terminology. For purposes of responding to comments in this 
document we use the term criminal history record check to mean criminal 
background checks when referring to such fingerprint-based checks. 
Criminal History Record Checks have not been historically used in the 
FFS Medicare enrollment screening process.
e. Medicare MAO Requirements
    As mentioned earlier in this section, MAOs already employ a number 
of screening procedures in accordance with regulations and CMS manual 
instructions. Specifically, under Sec.  422.204(b)(3) in the case of 
providers meeting the definition of ``provider of services'' in section 
1861(u) of the Act, basic benefits may only be provided through 
providers if they have a provider agreement with us permitting them to 
furnish services under original Medicare. With respect to other 
entities like suppliers, Sec.  422.204(b)(3) requires that they ``meet 
the applicable requirements of title XVIII and Part A of title XI of 
the Act.'' Given these requirements we considered to what extent MAOs 
would be required to apply the identical screening requirements we 
proposed for the original Medicare program or whether substantively 
similar alternative approaches adopted by MAOs would be acceptable. 
Accordingly, we solicited public comments on whether or to what extent 
MAOs should be required to implement the same enhanced screening 
requirements for providers, suppliers and physicians that we proposed 
for the original Medicare program.
f. Fingerprinting--Medicare
    Previous to this final rule with comment period fingerprinting and 
fingerprint-based criminal history record information from the FBI was 
not used in the Medicare enrollment screening process.
g. Screening--Medicaid and CHIP
    States vary in the degree to which they employ screening methods 
such as unscheduled and unannounced site visits and database checks, 
including such checks across State lines, criminal background checks, 
and fingerprinting. However, at least a few States utilize each of 
those methods.
    States also varied in what they require their managed care entities 
(MCEs) \2\ to do in terms of screening network-level providers that are 
not also enrolled in the Medicaid program as FFS providers. We 
considered to what extent States must require their MCEs to apply the 
identical screening requirements we proposed for the States or whether 
substantively similar alternative approaches adopted by MCEs are 
acceptable. Accordingly, we solicited public comments on whether or to 
what extent MCEs should be required to implement the same enhanced 
screening requirements for Medicaid and CHIP providers that we proposed 
for State Medicaid and CHIP programs.
---------------------------------------------------------------------------

    \2\ For purposes of this preamble and the final regulations, 
``managed care entity'' and ``MCE'' will have the meaning Medicaid 
managed care organization (MCO), primary care case manager (PCCM), 
prepaid inpatient health plan (PIHP), prepaid ambulatory health plan 
(PAHP), and health insuring organization (HIO). This definition 
differs from the meaning in section 1932(a)(1)(B) of the Social 
Security Act, which limits MCEs to Medicaid MCOs and PCCMs. We are 
using a more inclusive definition for the regulation so that all 
those entities in States' managed care programs will provide 
disclosure information.
---------------------------------------------------------------------------

    We again stress that the provider enrollment verification tools 
that we are currently using--including, but not limited to, those 
described previously--will not in any way be diminished as a result of 
this final rule with comment period. In other words, the validation 
techniques in this rule do not supplant those that are presently in 
use.
3. General Screening of Providers--Medicare
a. Proposed Screening Requirements
    Section 1866(j)(2)(B) of the Act requires the Secretary to 
determine the level of screening applicable to providers and suppliers 
according to the risk of fraud, waste, and abuse the Secretary 
determines is posed by particular provider and supplier categories.
    In considering how to establish consistent screening standards, we 
proposed to designate provider and supplier categories that are subject 
to certain screening procedures based on CMS' assessment of fraud, 
waste and abuse risk of the provider or supplier category, taking into 
consideration a variety of factors. These factors include our own 
experience with claims data used to identify fraudulent billing 
practices as well as the expertise developed by our contractors charged 
with investigating and identifying instances of Medicare fraud across a 
broad spectrum of providers. In addition, CMS has relied on insights 
gained from numerous studies conducted by the HHS-OIG, GAO, and other 
sources. We have designated categories of providers or suppliers (for 
example, ``newly enrolling DME suppliers'' or ``currently enrolled home 
health agencies'') that are subject to screening procedures based on 
our assessment of the level of screening based on the risk presented by 
the category of provider. There are three levels of screening and 
associated risk: ``limited,'' ``moderate'' and ``high,'' and each 
provider/supplier category is assigned to one of these three screening 
levels. The categories described below and associated risk levels 
assigned are designed to identify those categories of providers and 
suppliers that pose a risk of fraud, waste, and abuse.
    The screening procedures applicable to each screening level are set 
by us and are included in this final rule with comment period. Under 
this approach, the relevant Medicare contractor (for example, fiscal 
intermediary, regional home health intermediary, carriers, Part A or 
Part B Medicare Administrative Contractor (A/B MAC), or the NSC 
Administrative Contractor) would utilize the screening tools mandated 
by us for the screening level assigned to a particular provider or 
supplier category.
    We solicited comments on the proposed assignment of specific 
provider and supplier types to the proposed risk screening levels, 
including what criteria should be considered in making such 
assignments, whether such assignments should be

[[Page 5868]]

released publicly, whether they should be subject to agency review and 
updated according to an established schedule (that is, annually, bi-
annually), and the extent to which they should be updated according to 
evolving risks. We also solicited comments on any additional database 
checks that we should consider as a type of screening.
    Based on the level of screening assigned, we proposed that the 
Medicare contractors would establish and conduct the following 
categorical screenings.

     Table 1--Proposed Screening Levels and Procedures for Medicare Physicians, Non-Physician Practitioners,
                                            Providers, and Suppliers
----------------------------------------------------------------------------------------------------------------
                  Type of screening required                       Limited          Moderate           High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier[dash]specific                         X                X                X
 requirements established by Medicare........................
Conduct license verifications, (may include licensure checks                X                X                X
 across States)..............................................
Database Checks (to verify Social Security Number (SSN), the                X                X                X
 National Provider Identifier (NPI), the National
 Practitioner Data Bank (NPDB) licensure, an OIG exclusion;
 taxpayer identification number; tax delinquency; death of
 individual practitioner, owner, authorized official,
 delegated official, or supervising physician)...............
Unscheduled or Unannounced Site Visits.......................  ...............               X                X
Criminal Background Check....................................  ...............  ...............               X
Fingerprinting...............................................  ...............  ...............               X
----------------------------------------------------------------------------------------------------------------

    As described previously, we already require Medicare contractors to 
ensure that every provider or supplier meets any applicable Federal 
regulations or State requirements, including applicable licensure 
requirements \3\ for the provider or supplier type prior to making an 
enrollment determination. In addition, we also require that Medicare 
contractors conduct monthly reviews of State licensing board actions to 
determine if an individual practitioner, such as a physician or non-
physician practitioner continues to meet State licensing requirements. 
In the case of organizational entities, we also require our Medicare 
contractors to conduct monthly or periodic checks to determine if an 
organizational entity continues to meet the Federal and State 
requirements for its provider or supplier type. Such verifications help 
ensure that a prospective provider or supplier is eligible to 
participate in the Medicare program or that an existing provider or 
supplier is eligible to maintain its Medicare billing privileges.
---------------------------------------------------------------------------

    \3\ We note that under section 408 of the reauthorized Indian 
Health Care Improvement Act, ``[a]ny requirement for participation 
as a provider of health care services under a Federal health care 
program that an entity be licensed or recognized under the State or 
local law where the entity is located to furnish health care 
services shall be deemed to have been met in the case of an entity 
operated by the [Indian Health] Service, an Indian tribe, tribal 
organization, or urban Indian organization if the entity meets all 
the applicable standards for such licensure or recognition, 
regardless of whether the entity obtains a license or other 
documentation under such State or local law.'' 25 U.S.C. 1647a.
---------------------------------------------------------------------------

    Previous to this final rule with comment period, in the Medicare 
program, DMEPOS suppliers were required to re-enroll every 3 years, and 
other providers were required to revalidate their enrollment every 5 
years. The terms revalidation and re-enrollment were often used 
interchangeably, but are actually specific to these provider types. To 
eliminate any confusion about which term applies to which provider or 
supplier, we proposed language at Sec.  424.57(e) to change all 
references from re-enroll or re-enrollment to revalidate or 
revalidation. In addition, the ACA requires that no provider or 
supplier shall be allowed to enroll in Medicare or revalidate its 
enrollment in Medicare after March 23, 2013 without being screened 
pursuant to the authorities covered by this final rule with comment 
period. To assist us in assuring that the statutory effective date is 
met, we proposed at Sec.  424.515 to permit us to require that a 
provider or supplier revalidate its enrollment at any time. After the 
revalidation, the current cycle for revalidation (3 years for DMEPOS, 
and 5 years for all other providers) would apply.
(1) Limited
    Based on our own analysis of historical trends and our own 
experience with provider screening and enrollment we proposed that, as 
a category, the following providers and suppliers pose a limited risk 
to the Medicare program: Physician or non-physician practitioners and 
medical groups or clinics; providers or suppliers that are publicly 
traded on the NYSE or NASDAQ; ambulatory surgical centers (ASCs); end-
stage renal disease (ERSD) facilities; Federally qualified health 
centers (FQHCs); histocompatibility laboratories; hospitals, including 
critical access hospitals (CAHs); Indian Health Service (IHS) 
facilities; mammography screening centers; organ procurement 
organizations (OPOs); mass immunization roster billers, portable x-ray 
suppliers; religious nonmedical health care institutions (RNHCIs); 
rural health clinics (RHCs); radiation therapy centers; skilled nursing 
facilities (SNFs), and public or government-owned ambulance services 
suppliers.
    In Sec.  424.518(a), we proposed that the following screening tools 
will apply to providers and suppliers in categories designated as 
limited risk: (1) Verification that a provider or supplier meets any 
applicable Federal regulations, or State requirements for the provider 
or supplier type prior to making an enrollment determination; (2) 
verification that a provider or supplier meets applicable licensure 
requirements; and (3) database checks on a pre- and post-enrollment 
basis to ensure that providers and suppliers continue to meet the 
enrollment criteria for their provider/supplier type.
    To assist readers in understanding the type of providers and 
suppliers that we proposed to include in the limited risk screening 
level, we are providing the following table.

   Table 2--Proposed Medicare Providers and Suppliers Designated as a
           ``Limited'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Physician or non[dash]physician practitioners and medical groups or
 clinics.
Providers or suppliers that are publicly traded on the NYSE or NASDAQ.

[[Page 5869]]

 
Ambulatory surgical centers, end[dash]stage renal disease facilities,
 Federally qualified health centers, histocompatibility laboratories,
 hospitals, including critical access hospitals, Indian Health Service
 facilities, mammography screening centers, organ procurement
 organizations, mass immunization roster billers, portable x[dash]ray
 supplier, religious non[dash]medical health care institutions, rural
 health clinics, radiation therapy centers, skilled nursing facilities,
 and public or government[dash]owned or [dash]affiliated ambulance
 service suppliers.
------------------------------------------------------------------------

(2) Moderate
    Based on our experience, we proposed that community mental health 
centers (CMHCs); comprehensive outpatient rehabilitation facilities 
(CORFs); hospice organizations; independent diagnostic testing 
facilities (IDTFs); independent clinical laboratories; and non-public, 
non-government owned or affiliated ambulance services suppliers pose a 
moderate risk to the Medicare program. However, we provided that any 
such provider or supplier that is publicly traded on the NYSE or NASDAQ 
would be considered limited risk. Furthermore, we proposed that 
currently enrolled (revalidating) home health agencies would be 
considered ``moderate'' risk, except any such provider that is publicly 
traded on the NYSE or NASDAQ would be considered limited risk. Finally, 
we proposed that currently enrolled (re-validating) suppliers of DMEPOS 
pose a moderate risk, except that any such supplier that is publicly 
traded on the NYSE or NASDAQ would be considered ``limited'' risk. We 
provide our rationale for these categories in this section below.
    For those provider and supplier categories in the ``moderate'' 
screening level, we proposed that Medicare contractors would conduct 
unannounced pre- and/or post-enrollment site visits in addition to 
those screening tools applicable to the limited level of screening. 
Based on the success of pre-and/or post enrollment site visits 
conducted by the NSC during the enrollment process for suppliers of 
DMEPOS and a similar process established by carriers and A/B MACs 
during the enrollment of IDTFs, we believe that unscheduled and 
unannounced pre-and post-enrollment site visits help ensure that 
suppliers are operational and meet applicable supplier standards or 
performance standards. In addition, we believe that unscheduled and 
unannounced pre-and post-enrollment site visits are an essential tool 
in determining whether a provider or supplier is in compliance with its 
reporting responsibilities, including the requirement in Sec.  424.516 
to notify the Medicare contractor of any change of practice location.
    Moreover, Sec.  424.530(a)(5) and Sec.  424.535(a)(5) give us the 
authority to deny or revoke Medicare billing privileges for providers 
and suppliers if the provider or supplier is not operational or the 
provider does not maintain the established provider or supplier 
performance standards. And while we do not believe that unscheduled or 
unannounced site visits are necessary for all providers and suppliers, 
we do believe that a number of businesses, like the ones mentioned 
below, pose an increased risk to the Medicare program, due at least in 
part to the lack of individual professional licensure.
    In addition, as discussed below, we have found that certain types 
of providers and suppliers that easily enter a line or business without 
clinical or business experience--for example, by leasing minimal office 
space and equipment--present a higher risk of possible fraud to our 
programs. As such, we believe that because these types of providers 
pose an increased risk of fraud they should be subject to substantial 
scrutiny before being permitted to enroll and bill Medicare, Medicaid, 
or CHIP. This type of pre-enrollment scrutiny will help us move away 
from the ``pay and chase'' approach.
    Most of the provider and supplier categories in the moderate 
screening level are generally highly dependent on Medicare, Medicaid, 
or CHIP to pay their salaries and other operating expenses and are 
subject to less additional government or professional oversight than 
the providers and suppliers in the limited risk screening level. 
Accordingly, we believe it is appropriate and necessary to conduct 
unscheduled and unannounced pre-enrollment site visits to ensure that 
these prospective providers and suppliers meet our enrollment 
requirements prior to enrolling in the Medicare program. Moreover, we 
believe that post-enrollment site visits are also important to ensure 
that the enrolled provider or supplier remains a viable health care 
provider or supplier in the Medicare program.
    Accordingly, we proposed in Sec.  424.518(b) that in addition to 
the categorical screening tools used with respect to limited risk 
providers and suppliers, Medicare contractors would conduct unannounced 
and unscheduled site visits prior to enrolling the providers and 
suppliers assigned to the moderate risk screening level, as set forth 
earlier in this Section.
    In the proposed rule, we set forth our rationale for the assessment 
of risk ascribed to the providers and suppliers assigned to the 
``moderate'' level of screening. First, we noted that HHS OIG and GAO 
have issued studies indicating that several of the provider and 
supplier types cited previously pose an elevated risk of fraud, waste 
and abuse to the Medicare and Medicare programs and CHIP. In an October 
2007 report titled, ``Growth in Advanced Imaging Paid under the 
Medicare Physician Fee Schedule'' (OEI-01-06-00260), the HHS OIG 
recommended that CMS consider conducting site visits to monitor IDTFs' 
compliance with Medicare requirements.'' In addition, in an April 2007 
report titled, ``Medicare Hospices: Certification and Centers for 
Medicare & Medicaid Services Oversight'' (OEI-06-05-00260), the HHS OIG 
recommended that CMS seek legislation to establish additional 
enforcement remedies for poor hospice performance. In response to this 
recommendation, CMS stated that it was considering whether to pursue 
new enforcement remedies for poor hospice performance. While the 
Medicare enrollment process is not designed to verify the conditions of 
participation, we do believe that more frequent onsite visits may help 
identify those hospice organizations that are no longer operational at 
the practice location identified on the Medicare enrollment 
application.
    In a January 2006 report titled, ``Medicare Payments for Ambulance 
Transports'' (OEI-05-02-000590), the HHS OIG found that ``25 percent of 
ambulance transports did not meet Medicare's program requirements, 
resulting in an estimated $402 million in improper payments.''
    In an August 2004 report titled, ``Comprehensive Outpatient 
Rehabilitation Facilities: High Medicare Payments in Florida Raise 
Program Integrity Concerns'' (GAO-04-709), the GAO concluded that, 
``[s]izeable disparities between Medicare therapy payments per patient 
to Florida CORFs and other facility-based outpatient therapy providers 
in 2002--with no clear indication of differences in patient needs--
raise questions about the appropriateness of CORF billing practices. 
After finding high rates of medically unnecessary therapy services to 
CORFs, CMS's claims administration

[[Page 5870]]

contractor for Florida took steps to ensure appropriate claim payments 
for a small, targeted group of CORF patients. Despite its limited 
success, billing irregularities continued among some CORFs and many 
CORFs continued to receive relatively high payments the following year. 
This suggests that the contractor's efforts were too limited in scope 
to be effective with all CORF providers.''
    In addition to GAO and HHS OIG studies and reports, a number of 
Zone Program Integrity Contractors (ZPIC) and Program Safeguard 
Contractors (PSC) used by CMS in helping to fight fraud in Medicare, 
have taken a number of administrative actions including payment 
suspensions and increased medical review, for the provider and supplier 
types shown previously. For example, the Zone 7 ZPIC contractor in 
South Florida has conducted onsite reviews at 62 CORFs since January 
2010 and recommended revocation for 51 CORFs, or 82 percent of the 
CORFS in the area. The same contractor has conducted an onsite reviews 
at 38 CMHCs located in Dade, Broward, and Palm Beach County since 
January 2010, and recommended that 30 CMHCs be revoked for 
noncompliance (79 percent of the CMHCs in the area). In each instance 
where the ZPIC requested a revocation, the CMHC was also placed on 
prepay review. We have also conducted an analysis of IDTF licensure 
requirements and have found several circumstances that indicate 
irregularity and potential risk of fraud. Although independent clinical 
laboratories are subject to survey against CLIA requirements, there are 
nonetheless a number of potentials for fraud, not the least of which is 
the sheer volume of service and associated billing generated by these 
entities.
    We believe that there is ample evidence to support the use of post-
enrollment site visits as a reliable and effective tool to ensure that 
a current supplier of DMEPOS remains operational and continues to meet 
the supplier standards found in Sec.  424.57(c). In a March 2007 report 
titled, ``Medical Equipment Suppliers Compliance with Medicare 
Enrollment Requirements'' (OEI-04-05-00380), the HHS OIG concluded 
that, ``By helping to ensure the legitimacy of DMEPOS suppliers, out-
of-cycle site visits may help to prevent fraud, waste, and abuse in the 
Medicare program. CMS may want to consider the findings of our study as 
they determine how and to what extent out-of-cycle site visits of 
DMEPOS suppliers will occur.'' Today, the NSC MAC utilizes post-
enrollment site visits as the primary screening to determine ongoing 
compliance with the enrollment criteria set forth in Sec.  424.57(c). 
Therefore, we have included currently enrolled DMEPOS suppliers in the 
``moderate'' category.
    We also noted that, in addition to the new screening measures 
proposed in the proposed rule under the existing regulation at Sec.  
424.517, a Medicare contractor may conduct an unannounced or 
unscheduled site visit at any time for any provider or supplier type 
prior to enrolling a prospective provider or supplier or for any 
existing provider or supplier enrolled in the Medicare program. While 
the primary purpose of an unannounced and unscheduled site visit is to 
ensure that a provider or supplier is operational at the practice 
location found on the Medicare enrollment application, a Medicare 
contractor may also verify established supplier standards or 
performance standards other than conditions of participation (CoP) 
subject to survey and certification by the State Survey agency, where 
applicable, to ensure that the supplier remains in compliance with 
program requirements.
    To assist readers in understanding the type of providers and 
suppliers that we proposed to be in the ``moderate'' risk screening 
level, we are providing the following table.

   Table 3--Proposed Medicare Providers and Suppliers Designated as a
          ``Moderate'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Community mental health centers; comprehensive outpatient rehabilitation
 facilities; hospice organizations; independent diagnostic testing
 facilities; independent clinical laboratories; and non-public, non-
 government owned or affiliated ambulance services suppliers. (Except
 that any such provider or supplier that is publicly traded on the NYSE
 or NASDAQ is considered ``limited'' risk.)
Currently enrolled (revalidating) home health agencies. (Except that any
 such provider that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
Currently enrolled (re[dash]validating) suppliers of DMEPOS. (Except
 that any such supplier that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
------------------------------------------------------------------------

(3) High
    For those provider and supplier categories assigned the ``high'' 
level of screening, we proposed that, in addition to the screening 
tools applicable to the limited and moderate level of screening, 
Medicare contractors would use the following screening tools in the 
enrollment process: (1) Criminal background check; and (2) submission 
of fingerprints using the FD-258 standard fingerprint card. (The FD-258 
fingerprint card is recognized nationally and can be found at local, 
county or State law enforcement agencies where, for a fee, agencies 
will supply the card and take the fingerprints.) We proposed that these 
tools would be applied to owners, authorized or delegated officials or 
managing employees of any provider or supplier assigned to the ``high'' 
level of screening. We believe that criminal background checks will 
assist us in determining if such individuals submitted a complete and 
truthful Medicare enrollment application and whether an individual is 
eligible to enroll in the Medicare program or maintain Medicare billing 
privileges. We believe that this position is supported by testimony of 
the GAO before the subcommittees for Health and Oversight and Ways and 
Means within the House of Representatives on June 15, 2010, stating in 
part that ``[c]hecking the background of providers at the time they 
apply to become Medicare providers is a crucial step to reduce the risk 
of enrolling providers intent on defrauding or abusing the program. In 
particular, we have recommended stricter scrutiny of enrollment 
processes for two types of providers whose services and items CMS has 
identified as especially vulnerable to improper payments--home health 
agencies (HHAs) and suppliers of durable medical equipment, 
prosthetics, orthotics, and supplies (DMEPOS).''
    In Sec.  424.518(c)(1), we proposed that, unless they are publicly 
traded on the NYSE or NASDAQ, newly enrolling HHAs and suppliers of 
DMEPOS would be assigned to the high risk screening level. Based on our 
experience and on work conducted by the HHS OIG and the GAO, and 
because we do not have the monitoring experience with newly enrolling 
DMEPOS suppliers or HHAs that we have with those currently enrolled, we 
assigned these providers and suppliers to the ``high'' risk screening 
level. We are especially concerned about newly enrolling HHAs and 
suppliers of DMEPOS because of the high number of HHAs and suppliers of 
DMEPOS already enrolled in the Medicare program and program 
vulnerabilities that these entities pose to the Medicare program. Below 
is a list of HHS OIG and GAO reports identifying home health agencies 
and suppliers of DMEPOS as posing an elevated risk to the Medicare 
program.
     In a December 2009 report titled, ``Aberrant Medicare Home 
Health Outlier Payment Patterns in Miami-Dade County and Other 
Geographic

[[Page 5871]]

Areas in 2008'' (OEI-04-08-00570), the HHS OIG recommended that CMS 
continue with efforts to strengthen enrollment standards for home 
health providers to prevent illegitimate HHAs from obtaining billing 
privileges.
     In a February 2009 report titled, ``Medicare: Improvements 
Needed to Address Improper Payments in Home Health'' (GAO-09-185), the 
GAO concluded that the Medicare enrollment process does not routinely 
include verification of the criminal history of applicants, and without 
this information individuals and businesses that misrepresent their 
criminal histories or have a history of relevant convictions, such as 
for fraud, could be allowed to enter the Medicare program. In addition, 
the GAO recommended that CMS assess the feasibility of verifying the 
criminal history of all key officials named on the Medicare enrollment 
application.
     In a February 2008 report titled, ``Los Angeles County 
Suppliers' Compliance with Medicare Standards: Results from Unannounced 
Visits'' (OEI-09-07-00550) and in a March 2007 report titled, ``South 
Florida Suppliers' Compliance with Medicare Standards: Results from 
Unannounced Visits (OEI-03-07-00150), the HHS OIG recommended that CMS 
strengthen the Medicare DMEPOS supplier enrollment process and ensure 
that suppliers meet Medicare supplier standards. The HHS OIG provided 
several options to implement this recommendation including: (1) 
Conducting more unannounced site visits to suppliers; (2) performing 
more rigorous background checks on applicants; (3) assessing the fraud 
risk of suppliers; and (4) targeting, monitoring, and enforcement of 
high risk suppliers.
     In a September 2005 report titled, ``Medicare: More 
Effective Screening and Stronger Enrollment Standards Needed for 
Medical Equipment Suppliers'' (GAO-05-656), the GAO concluded that,

CMS is responsible for assuring that Medicare beneficiaries have 
access to the equipment, supplies, and services they need, and at 
the same time, for protecting the program from abusive billing and 
fraud. The supplier standards and NSC's gate keeping activities were 
intended to provide assurance that potential suppliers are qualified 
and would comply with Medicare rules. However, there is overwhelming 
evidence--in the form of criminal convictions, revocations, and 
recoveries--that the enrollment processes and the standards are not 
strong enough to thoroughly protect the program from fraudulent 
entities. We believe that CMS must focus on strengthening the 
standards and overseeing the supplier enrollment process. It needs 
to better focus on ways to scrutinize suppliers to ensure that they 
are responsible businesses, analogous to Federal standards for 
evaluating potential contractors.

    We recognize that there may also be circumstances where a 
particular provider or supplier or group of providers and suppliers may 
pose a higher risk of fraud, waste, and abuse than the screening level 
assignment for their category assessed. Therefore, in Sec.  
424.518(c)(3), we proposed specific criteria that we would use to 
adjust the classification of a provider or supplier into a higher risk 
screening level than would generally apply to the entire category of 
provider or supplier, in order to address specific program 
vulnerabilities. We solicited comments on specific additional 
circumstances that might justify shifting a provider or supplier into a 
higher screening level than would generally apply to its category. We 
also solicited comments on the criteria that we could use to shift the 
screening level back down.
    In Sec.  424.518(c)(3)(i), we proposed to adjust a provider or 
supplier from the limited or ``moderate'' risk screening level to the 
``high'' risk screening level when we have evidence from or concerning 
a physician or non-physician practitioner that another individual is 
using his or her identity within the Medicare program. In Sec.  
424.518(c)(3)(ii) and (iii), which in this final rule with comment 
period has been redesignated Sec.  424.518(c)(3)(i) and (ii), we 
proposed to adjust a provider or supplier from the ``limited'' or 
``moderate'' level of screening to the ``high'' screening level when: 
The provider or supplier has been placed on a previous payment 
suspension within the previous ten years; or the provider or supplier 
has been excluded by the HHS OIG or had its Medicare billing privileges 
revoked by a Medicare contractor within the previous 10 years and is 
attempting to establish additional Medicare billing privileges for a 
new practice location or by enrolling as a new provider or supplier. In 
addition, we believe that providers that have been terminated or 
otherwise precluded from billing Medicaid should be adjusted from the 
``limited'' or ``moderate'' screening level to the ``high'' screening 
level. We believe that such providers or suppliers pose an elevated 
level of risk to the Medicare program.
    In Sec.  424.518(c)(3)(iv), redesignated in this final rule with 
comment period as Sec.  424.518(c)(3)(iii), we proposed to adjust 
providers or suppliers from the ``limited'' or ``moderate'' level of 
screening to the ``high'' level of screening for 6 months after we lift 
a temporary moratorium (see section II.C. of this final rule with 
comment period) applicable to such providers or suppliers. This would 
include providers and suppliers revalidating their enrollment if the 
moratorium is applicable to the provider or supplier type. We solicited 
comments on criteria that would justify reassignment of providers or 
suppliers from the ``limited'' or ``moderate'' screening level to the 
``high'' screening level. We also solicited comments on criteria 
appropriate to the reassignment from ``high'' to ``moderate'' screening 
levels or ``limited'' screening levels. We also solicited comment on 
the applicability of geographical circumstances as a possible criterion 
for adjusting providers or suppliers from one screening level to 
another. We also solicited comment on whether non-practitioner owned 
facilities and suppliers should be subject to a higher level of 
screening than their practitioner-owned counterparts or, whether there 
is an appropriate corresponding trigger for non-practitioner owned 
facilities and suppliers. We solicited comment on whether providers and 
suppliers should be subject to higher levels of screening when the 
provider specialty does not match clinic type on an enrollment 
application. We solicited comment on what objective conditions might 
support a broad set of circumstances or factors that would allow us to 
determine that provider screening levels by risk should be based on 
``other conditions or factors that CMS determines are necessary to 
combat fraud, waste, and abuse.''
    We solicited public comment on the appropriateness of using 
criminal background checks in the provider enrollment screening 
process, including the instances when such background checks might be 
appropriate, the process of notifying a provider, supplier or 
individual that a criminal background check is to be performed, and the 
frequency of such checks.
    We solicited comment on the use of fingerprinting as a screening 
measure in our programs. We recognized that requesting, collecting, 
analyzing, and checking fingerprints from providers and suppliers are 
complex and sensitive undertakings that place certain burdens on 
affected individuals. There are privacy concerns and operational 
concerns about how to assure individual privacy, how to check 
fingerprints against appropriate law enforcement fingerprint databases, 
and how to store the results of the query of the data bases and also 
how to handle the subsequent analysis of the results. As a result, we 
solicited comments on how CMS or its contractor should maintain and 
store fingerprints, what security processes

[[Page 5872]]

and measures are needed to protect the privacy of individuals, and any 
other issues related to the use of fingerprints in the enrollment 
screening process. We were interested in comments on possible 
circumstances in which fingerprinting would be potentially useful in 
provider screening or other fraud prevention efforts. Our proposed 
screening approach contemplated requesting fingerprints from providers 
and suppliers designated as presenting a ``high'' risk of fraud. We 
solicited comment on this requirement, the circumstances under which it 
is appropriate, limitations on its use and any alternatives to the 
proposed approach regarding fingerprints. Our proposed approach allowed 
denial of billing privileges to newly enrolled providers and suppliers 
and revocation of billing privileges for revalidating providers and 
suppliers if owners or officials of providers or suppliers refused to 
submit fingerprints when requested to do so. We solicited comments on 
this proposal including its appropriateness and utility as a fraud 
prevention tool. In addition, we also solicited comment on the 
applicability and appropriateness of using, in addition to or in lieu 
of fingerprinting, other enhanced identification techniques and secure 
forms of identification including but not limited to other biological 
or biometric techniques, passports, United States Military 
identification, or Real ID drivers licenses. As technology and secure 
identification techniques change, the tools we use may change to 
reflect improvements or shifts in technology or in risk identification. 
We solicited comment on the appropriate uses of these techniques.
    We noted that any physician or non-physician practitioner or 
organizational provider or supplier that is denied enrollment into the 
Medicare program or whose Medicare billing privileges are revoked is 
afforded due process rights under Sec.  405.874.
    To assist readers in understanding the type of providers and 
suppliers that we proposed to include in the ``high'' risk screening 
level, we are providing the following table.


   Table 4--Proposed Medicare Pro-viders and Suppliers Designated as a
            ``High'' Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Prospective (newly enrolling) home health agencies and suppliers of
 DMEPOS. (Except that any such provider or supplier that is publicly
 traded on the NYSE or NASDAQ is considered ``limited'' risk.)
------------------------------------------------------------------------

    The new screening procedures implemented pursuant to new section 
1866(j)(2) of the Act will be applicable to newly enrolling categories 
providers and suppliers beginning on March 25, 2011. These new 
screening procedures will also be applicable beginning on March 25, 
2011 for those providers and suppliers currently enrolled in Medicare, 
Medicaid, and CHIP who revalidate their enrollment information. For 
Medicare, this will impact those providers and suppliers whose 
revalidation cycle results in revalidation occurring between March 25, 
2011 and March 23, 2012. Finally, these new procedures will be 
applicable to currently enrolled Medicare, Medicaid, and CHIP providers 
and suppliers beginning on March 23, 2012, in accordance with section 
1866(j)(2)(ii) of the Act. As such, some providers and suppliers may be 
required to revalidate their enrollment outside of their regular 
revalidation cycle. However, the additional screening procedures for 
categories and individuals in the high level of screening, namely, as 
discussed below, fingerprint-based criminal history record checks, will 
be implemented 60 days following the publication of subregulatory 
guidance.
b. Analysis of and Responses to Public Comment on Medicare Screening 
Categories
    Below is a summary of the comments we received regarding the 
screening categories and the validation activities contained within 
each category.
    Comment: Several commenters expressed concern that we 
differentiated between publicly traded and non-publicly traded 
entities. Many commenters stated that CMS did not specify how publicly 
traded companies were any less of a fraud risk than companies that are 
not publicly traded. Several commenters suggested this distinction was 
arbitrary and without merit. One commenter stated that being publicly 
traded does not offer immunity from risk, and that having one set of 
standards for all providers will make it easier for governments, 
providers and consumers to identify and address fraud and abuse. One 
trade association argued that it preferred an approach that would 
elevate its members into a higher risk screening level than to 
distinguish among its members based upon whether a particular entity 
was publicly traded. Another commenter suggested that CMS withdraw its 
proposal; and requested that if CMS decides to implement it, it should 
provide the data analysis it used in creating this policy choice and 
explain why large privately held companies are a greater risk than 
publicly traded companies.
    Response: We agree with the arguments the commenters made regarding 
distinguishing among screening levels based on a provider or supplier's 
publicly traded status, and thus we have eliminated the distinction 
between publicly traded and non-publicly traded companies for purposes 
of the screening levels. While it has been our general experience that 
publicly traded companies have not posed the elevated risk of fraud, 
waste or abuse as non-publicly traded companies, we do not believe the 
risk differential between publicly traded and non-publicly traded 
entities is such as to warrant the automatic assignment of the former 
into a lesser screening level.
    Comment: Similar to the distinction between publicly traded versus 
non-publicly traded, several comments suggested that the distinction 
between government-owned or affiliated versus non-government owned or 
affiliated ambulance service suppliers was not based on any evidence. 
One commenter stated that CMS furnished little or no supporting data 
for the position that publicly owned companies pose less of a risk. 
Another commenter contended that this distinction presented challenges 
that would make it difficult for states to operationalize. Another 
commenter believes that the distinction is arbitrary, and noted that 
private ambulance companies are, like public companies, held to the 
same strict standards, such as the need for them and their personnel to 
be State-licensed. The commenter added that there is no evidence to 
support the assertion that private ambulance services pose a greater 
risk of fraud, waste or abuse than public companies, and that the OIG 
report referred to in the proposed rule entitled ``Medicare Payments 
for Ambulance Transports'' (OEI-05-02-000590) did not single out 
private ambulance services as posing such a risk. Another commenter was 
concerned that assigning private ambulance companies to a higher 
screening level could put them at a competitive disadvantage vis-
[agrave]-vis their public counterparts.

[[Page 5873]]

    Response: We disagree that this distinction would be difficult to 
operationalize. The enrollment process generally captures information 
on the supplier's ownership; this enables contractors and States to 
distinguish between government-owned and non-government owned entities. 
However, we do agree with the arguments made regarding the use of 
public ownership as a criterion for making a distinction in the level 
of screening as determined by the risk of fraud, waste or abuse posed 
to the programs, and we have eliminated the distinction between 
government-owned and non-government owned ambulance companies for 
purposes of the screening level assignments. The available evidence 
does not suggest that the risk differential between government-owned 
and non-government owned ambulance companies is such as to warrant the 
automatic placement of the former into a lower screening level. 
Moreover, we note that the ACA requires levels of screening according 
to the risk of fraud, waste and abuse posed by categories of providers 
and suppliers. The approach taken in this final rule with comment 
period whereby we assign specific categories of providers and suppliers 
to screening levels determined by a categorical assessment of the risk 
of fraud, waste or abuse to the programs--rather than assessing 
individual's risk-- is consistent with the requirements of the statute. 
While we believe that a more nuanced and precise approach for 
classifying specific categories of providers and suppliers into 
screening levels, for example using a scoring algorithm to create 
categories, could also be consistent with the statute under certain 
circumstances and were we able to provide an adequate rationale for the 
classification, we do not yet have experience with such an approach, 
and are therefore finalizing an approach based on classifications by 
entire provider and supplier types. We may consider additional 
classifications in future rulemaking.
    Comment: A commenter supported CMS's designation of provider fraud 
and abuse risk into three levels for Medicare, Medicaid, and CHIP 
providers, and stated that CMS appropriately assigned hospitals 
(including critical access hospitals) to the limited level.
    Response: We appreciate this commenter's support.
    Comment: A commenter expressed support for CMS's proposal to move a 
provider type from one screening level to another only if it has been 
found by CMS to pose more or less of a fraud and abuse risk. However, 
the commenter suggested, that CMS: (1) Review a provider class over 
pre-prescribed time periods (for example, 24 months), and (2) allow 
sufficient time for the provider community to offer comment prior to 
changing a provider's screening level.
    Response: Our proposal to reassign providers or suppliers or 
provider or supplier types to another level of screening was based on 
changes in circumstances that contribute to the risk of fraud. We 
believe that to restrict ourselves to reassigning providers and 
suppliers only at specific, pre-defined time intervals would not 
provide us with the flexibility we need to quickly address emerging 
program integrity risks. If a situation arose where there was an 
immediate risk of fraud that required the imposition of enhanced 
screening procedures, we must be able to deal with it rapidly, rather 
than wait until a particular prescribed time interval arrives. We will 
periodically reexamine screening level classifications for provider and 
supplier categories. Should a change in a particular provider or 
supplier type's assignment be warranted and should it necessitate a 
change in existing regulatory language, we will publish notice of the 
change in the Federal Register.
    Comment: A commenter expressed support for CMS' inclusion of 
physicians, non-physician practitioners, and medical groups or clinics 
in the limited screening level. The commenter stated that these 
suppliers submit the CMS-855I to enroll in Medicare and are subject to 
all of the penalties listed in Section 14 of CMS-855I regarding 
falsifying information.
    Response: We appreciate the commenter's support.
    Comment: A commenter requested that CMS consider moving CMHCs and 
CORFs from the ``moderate'' screening level to the ``limited'' 
screening level. With respect to CORFs, the commenter stated that CMS' 
studies regarding program integrity concerns have been limited to the 
State of Florida, and contended that it is arbitrary to extrapolate 
that experience to the rest of the country.
    Response: We disagree with the commenter's assessment of the risk 
of fraud associated with CMHCs and CORFs. These risks extend beyond any 
single region of the country. As a result we have decided to keep these 
provider types assigned to the moderate level of screening. We believe 
that the assignment of CMHCs and CORFs into the moderate screening 
level was appropriate based on the information we presented in the 
proposed rule.
    Comment: A commenter expressed support for background checks and 
fingerprinting, but requested that they be limited to only providers 
and suppliers assigned to the high risk level because of the potential 
administrative burden.
    Response: The final rule with comment period is clear that 
fingerprint-based criminal background checks are only applicable to 
providers and suppliers assigned to the high screening level.
    Comment: A commenter stated that CMS, in listing various provider 
types and the levels of risk into which they were assigned, did not 
provide the documentation on which it based its conclusions, therefore 
violating the Administrative Procedure Act. The commenter recommended 
that CMS furnish the following information by provider/supplier type to 
justify its conclusions and to inform the public as to why certain 
providers are a limited risk to the Medicare program: (1) Number of 
Medicare revocations; (2) number of Medicare deactivations; (3) 
Medicare payment suspensions; (4) Medicare civil monetary penalties; 
(5) OIG mandatory exclusions; (6) OIG permissive exclusions; (7) 
indictments; and (8) felony convictions.
    Response: We based our risk assessments on a variety of factors, 
including some of those listed by the commenter, as well as others. 
However, because our conclusions were not based on any one factor nor 
any specific combination of factors, but rather on CMS's aggregate 
experience with each provider and supplier type, providing the data 
requested by the commenter would not serve to clarify the 
determinations of risk.
    Comment: Several commenters stated that CMS did not describe how it 
will screen providers and suppliers with a designated ``other'' 
category, or which types of providers and suppliers fall within this 
category and how many there are. One commenter stated that providers 
and suppliers in the ``Other'' category should be assigned to the high 
risk level.
    Response: The ``other'' category is largely reserved for future 
situations in which a statute is enacted that authorizes a particular 
provider or supplier type to bill the Medicare program; it is designed 
as a placeholder of sorts pending the revision of the CMS-855 
application to accommodate the new provider or supplier type. Since we 
cannot predict which new provider or supplier types may be able to bill 
Medicare in the future, we are unable to assign them to a particular 
screening level in this final rule with comment period.

[[Page 5874]]

    Comment: Several commenters stated that CMS did not explain which 
risk level outpatient physical therapy/occupational therapy (PT/OT), 
speech pathology, and rehabilitation agencies would fall into.
    Response: We received a number of comments on this issue. We will 
assign occupational therapists, speech language pathology, and 
rehabilitation agencies to the ``limited'' level of risk because we do 
not have evidence of program integrity risk that suggest that these 
entities should be assigned to the moderate or high levels of 
screening. However, we will assign physical therapists (including 
physical therapy groups) to the moderate screening level. We believe 
this classification is supported, in part, by a recent OIG report 
entitled ``Questionable Billing for Medicare Outpatient Therapy 
Services'' (December 2010) (http://oig.hhs.gov/oei/reports/oei-04-09-00540.pdf), which found, among other things, that Miami-Dade County had 
three times, and nineteen other counties had at least twice, the 
national level on five of six questionable billing characteristics. Law 
enforcement has also identified fraudulent billing schemes involving 
physical therapy.
    Comment: One commenter stated that CMS did not describe how it 
would screen new providers or suppliers types permitted to enroll in 
Medicare. Since CMS excluded these providers and suppliers from its 
discussion, the commenter recommended that these entities be considered 
a high risk.
    Response: Since we cannot predict which new provider or supplier 
types may be able to bill Medicare in the future, we are unable to 
assign them to a particular screening level in this final rule with 
comment period. When such entities emerge, we will make an appropriate 
determination based on the data sources we have already described in 
this final rule with comment period, as to what screening level 
assignment is most appropriate for such new entities. As previously 
discussed, we will publish notice of these new provider category 
assignments in the Federal Register prior to making final any such 
assignment.
    Comment: One commenter recommended that non-physician owned medical 
facilities and groups be considered a higher risk than physician-owned 
medical facilities.
    Response: In the proposed rule, we solicited comments on whether 
non-practitioner owned facilities and suppliers should be subject to a 
higher level of screening than practitioner-owned facilities and 
suppliers. We received several comments suggesting that the former 
category should be subject to higher screening than the latter. We are 
declining to adopt this suggestion in this final rule with comment 
period, however. As previously stated, the ACA requires levels of 
screening according to the risk of fraud, waste and abuse posed by 
categories of providers and suppliers. The approach taken in this final 
rule with comment period whereby we assign specific categories of 
providers and suppliers to risk levels that determine screening 
requirements--rather than determining individual risk--is consistent 
with the statute.
    Comment: Several commenters stated that extending the enhanced 
screening requirements to MAOs will prove duplicative and unnecessarily 
increase costs for providers. Identifying those providers participating 
in multiple health programs and coordinating their screening and 
monitoring could, the commenters contended, avoid unnecessary 
administrative burden for all involved. Otherwise, by extending the 
screening requirements to MAOs, providers will be forced to undergo the 
same screening process multiple times, for each MAO with whom they 
contract. One commenter stated that it would be more efficient for CMS 
and the States to perform the screenings and make that data available 
to the MAO plans through a centralized process. Another commenter 
recommended that fingerprinting and background checks be restricted to 
State and Federal law enforcement agencies, adding that there is no 
legitimate purpose for MA or Medicare managed care plans to collect and 
maintain this information.
    Another commenter opposed applying the proposed requirements to 
MAOs and other managed care organizations (MCOs) for several reasons. 
First, there are already appropriate screening tools for MAOs for their 
providers and suppliers pursuant to Sec.  422.204(b)(3). Second, MAOs 
have other requirements, as established in Sec.  422.204, to access 
certain data bases to verify licensure, licensure sanctions and other 
limitations. Third, traditional Medicare has a greater population to 
serve and a wider network of providers and suppliers to process and 
screen than individual MA plan networks. Therefore, the processes 
should stem from those with oversight and administration of traditional 
Medicare, with a trickledown effect and benefit for MAOs. Fourth, if a 
limited, moderate or high risk provider has an enrollment verification 
letter from Medicare issued after March 25, 2011, the provider has been 
appropriately credentialed and needs no further credentials for a MAO. 
Fifth, Medicare's enrollment application captures certain elements that 
are not currently captured by some insurers' enrollment applications, 
such as delegated representative, authorized representative, and 
owners. This information would be difficult to capture and verify, and 
the workload would increase substantially on the part of MCOs to 
credential numerous individuals who may not have a significant role 
within the providers/supplier entity.
    Response: Because there are a large number of other regulatory 
provisions that form the framework for oversight of managed care plans, 
and we do not want to duplicate these requirements by imposing 
additional screening and enrollment criteria on these organizations, we 
have decided not to apply the provisions of this final rule with 
comment period to managed care plans and organizations.
    Comment: A commenter stated that MCOs design their anti-fraud 
initiatives based on the risks they encounter, which may be unique and 
different from the risks faced by FFS programs. Consequently, CMS 
should give MCOs the flexibility to decide whether to adopt any of the 
proposed new screening requirements and, if so, how to do so; CMS 
should not extend the screening requirements to MCOs. The commenter 
stated that MCOs should be allowed to: (1) Assign providers and 
suppliers to a level that is higher or lower than the level assigned by 
Medicare FFS or the State FFS Medicaid programs, and (2) deem a 
provider as having satisfied its screening requirements if the provider 
is enrolled in Medicare FFS and/or a Medicaid FFS program, and has gone 
through their screening procedures.
    Response: As explained previously, we are concerned that the 
application of the screening provisions to MCOs would duplicate 
existing oversight and regulatory authority. We therefore have decided 
not to apply the provisions of this final rule with comment period to 
managed care plans and organizations. This will, as the commenter 
suggests, allow MCOs to develop provider screening requirements that 
are unique to their circumstances, including (1) assign providers and 
suppliers to a level that is higher or lower than that assigned by 
Medicare or the State Medicaid program, and (2) deem a provider as 
having satisfied their screening requirements if the provider is 
enrolled in Medicare and/or a State Medicaid program.
    Comment: A commenter stated that applying consistent risk 
management

[[Page 5875]]

practices throughout an organization fosters a culture of program 
integrity. As such, the commenter recommended that MAOs be required to 
implement the same enhanced screening processes that CMS is considering 
for the original Medicare program.
    Response: As mentioned earlier, we have decided not to apply the 
provisions of this final rule with comment period to managed care plans 
and organizations.
    Comment: A commenter recommended that CMS explain what type of 
screening process will be used for Medicare Advantage, managed care 
organizations or health maintenance organizations.
    Response: As previously stated, there are a large number of other 
regulatory provisions that form the framework for oversight of managed 
care plans. We do not want to duplicate these requirements by imposing 
additional screening and enrollment criteria on these organizations. We 
therefore have decided not to apply the provisions of this final rule 
with comment period to managed care plans and organizations.
    Comment: A commenter recommended that CMS establish screening 
criteria for slide preparation facilities and competitive acquisition 
program/Part B vendors.
    Response: We will not be establishing screening criteria or 
prescribing screening levels for slide preparation facilities in this 
final rule with comment period. Slide preparation facilities do not 
enroll in Medicare at this time; thus, we do not believe it is 
appropriate to assign a level of screening to such entities. As for 
competitive acquisition program/Part B vendors, these will be assigned 
to the limited screening level. It has not been our experience that 
this supplier type poses an elevated risk of fraud, waste or abuse to 
the Medicare program.
    In addition, we are adding portable x-ray suppliers to the moderate 
screening level. In support of this classification, we note that the 
OIG has analyzed Medicare claims data to identify suppliers with 
questionable billing patterns. The unusual claims patterns that were 
found raise concerns about the integrity of payments to certain 
portable x-ray suppliers. Based on this, and combined with the fact 
that there are low barriers to entry for this type of supplier, 
portable x-ray suppliers will be placed in the moderate screening 
level.
    Comment: A commenter recommended that CMS establish higher levels 
of screening when: (1) A provider or supplier changes ownership on a 
frequent basis; (2) a physician or non-physician practitioner is 
enrolled in different States; (3) a physician has a large number of 
reassignments or when reassignments cross States; (4) a physician is 
engaging or billing in a reciprocal billing or locum tenens billing 
arrangement; (5) owners have businesses in different States; and (6) 
when owners establish banking relationships in different States from 
where their practice is located.
    Response: In the proposed rule, we sought comment on what factors 
should permit us to elevate an individual provider or supplier to a 
higher level of screening. We appreciate the commenter's suggestion. 
While we are not adopting these recommendations at this time, such 
suggestions may form the basis of future rulemaking. We would first 
like to evaluate how the factors we will finalize as part of this rule 
will work prior to adopting new factors such as the ones the commenter 
has identified.
    Comment: One commenter recommended that CMS assign to the higher 
screening level any owner or physician who had an final adverse action 
within the previous 10 years; has an unrepaid overpayment with 
Medicare, Medicaid or CHIP; has a Medicare or Medicaid payment 
suspension; exclusion or debarment; a felony conviction; unpaid taxes; 
or a Medicare revocation. Another commenter stated that in Table 1, CMS 
appears not to consider previous payment suspensions, overpayments, OIG 
exclusions, or Medicare revocations in establishing higher risk levels. 
The commenter recommended that CMS explain why such actions are not an 
indicator of higher program risk and the need for enhanced screening.
    Response: As in the proposed rule, we state in Sec.  424.518(c) of 
the final rule with comment period that a provider or supplier will be 
moved from the ``limited'' or ``moderate'' category to the ``high'' 
level if it has been excluded by the OIG, or has had its Medicare 
billing privileges revoked in the previous ten years. We have added in 
the final rule with comment that a provider or supplier that has been 
subject to any final adverse action as defined at Sec.  424.502 would 
also be moved to the high level of screening. With regard to these 
commenters' other proposals, we are generally supportive of them, and 
may examine the possibility of future rulemaking to include some of 
them as factors that may elevate a provider or supplier to a higher 
level of risk. As previously mentioned, however, we would first like to 
evaluate how the factors we will finalize as part of this rule will 
work prior to adopting new factors.
    Comment: A commenter recommended that CMS propose a definition for 
the term ``tax delinquency,'' as it is used in Table 1 of the proposed 
rule, and clarify whether the term refers to Federal, State and/or 
local taxes.
    Response: We have removed tax delinquency from the list of database 
checks in this final rule with comment period. Though we do have new 
authorities to obtain tax information as part of ACA and other recently 
enacted statutes, we are not prepared to operationalize this provision 
at this time.
    Comment: A commenter stated that CMS' categorical risk approach did 
not address the individual risk associated with certain owners and 
individual practitioners. The commenter recommended that CMS issue a 
new proposed rule to establish specific risk factors would increase/
decrease a provider or supplier's screening level.
    Response: The ACA requires levels of screening according to the 
risk of fraud, waste and abuse posed by categories of providers and 
suppliers. The approach taken in the final rule with comment period 
whereby we assign specific categories of providers and suppliers to 
screening levels determined by risk of fraud, waste and abuse is 
consistent with the requirements of the statute. Furthermore, we 
believe the approach taken in this final rule with comment period is 
objective and allows us to avoid subjective assessments of a provider's 
or supplier's risk to the programs.
    Comment: A commenter supported the use of background checks to 
ensure the identity and integrity of owners and senior managers of home 
health and hospice agencies. While supporting the maintenance of the 
confidentiality of this information, the commenter believes it should 
be used to: (1) Target agencies for special oversight, (2) alert owners 
of patterns of criminal behavior on the part of their managers, and (3) 
disqualify owners or managers that have criminal histories.
    Response: We intend to use this tool in a way that safeguards 
personal information and also helps prevent fraud, waste and abuse. The 
criminal history record will verify whether a provider, supplier, or an 
individual with a 5 percent or greater direct or indirect ownership 
interest in such provider or supplier has been convicted of certain 
types of felonies that could result in the denial or revocation of 
billing privileges under Sec.  424.530 or Sec.  424.535, respectively. 
We believe that

[[Page 5876]]

criminal history record checks will confirm the accuracy of information 
submitted in enrollment applications, and the discovery of false or 
misleading information could result in denial or revocation of billing 
privileges under Sec.  424.530 or Sec.  424.535. Providers or suppliers 
who have been denied on these bases are afforded all applicable appeals 
rights.
    While in some instances, such a denial may result in alerting a 
provider or supplier of an individual's criminal history, this is not 
the purpose or intention of this enrollment screening tool. Rather we 
will use this authority for the purpose of verifying eligibility for 
Medicare enrollment. We will disseminate guidance and instructions to 
providers, suppliers and our enrollment contractors shortly after the 
publication of this final rule with comment period regarding the 
implementation of the criminal history record check requirement.
    Comment: A commenter opposed the proposal to move those who have 
previously been placed on a payment suspension or subject to a denial 
or revocation in the past year, into a higher screening level. The 
commenter stated that a payment suspension may be imposed upon a mere 
or false suspicion of wrongdoing, and that the denial or revocation 
could have been based on an innocent mistake.
    Response: We agree with this commenter with respect to the denial 
of billing privileges. Many denials occur simply because the provider 
does not meet the requirements to enroll as a particular provider type 
or other clerical errors. We have therefore removed the denial of 
billing privileges as a basis for moving a provider or supplier into a 
higher risk screening level. We have retained revocations of Medicare 
billing privileges as such a basis because we believe that such a 
provider poses a heightened risk of fraud, waste or abuse to the 
Medicare Trust Fund.
    Payment suspension is used as a fraud fighting tool only in 
instances where facts available point to possible fraud, waste, or 
abuse. Consequently, because of the risk to the program posed by 
individuals and entities upon which a payment suspension has been 
imposed, we believe we are justified in placing them in the high risk 
screening level.
    Comment: One commenter suggested that in lieu of fingerprinting, 
each owner or physician should submit: (1) A U.S. Passport or a Foreign 
Passport with their enrollment application, and/or (2) copies of their 
Federal Tax Returns.
    Response: We agree with the commenter that there may be 
alternatives to fingerprint-based criminal history record checks to 
verify identity; however information on U.S. or foreign passports and 
Federal Tax Returns, such as name, date of birth and Social Security 
number are duplicative of information that is captured in the Medicare 
enrollment application. Information that would be obtained from a U.S. 
or foreign passport or Federal Tax Returns could only be used to 
process a name-based criminal history record check, and the FBI does 
not process name-based requests for non-criminal justice purposes. The 
submission of fingerprints is the only way to obtain a criminal history 
record check from the FBI.
    Additionally, the National Task Force on the Criminal Backgrounding 
of America concluded that fingerprint-based criminal history record 
checks are more accurate than name-based checks because ``names tend to 
be unreliable because: people lie about their names; obtain names from 
false documents; change their names; people have the same name; people 
misspell names; people use different versions of their names * * * 
people use aliases * * * '' The suppliers assigned to the high 
screening level have been so assigned because, in CMS, and its law 
enforcement partners' experience, such supplier types have, as a 
category, not undergone sufficient scrutiny in the enrollment process. 
Some may have gained entry in the past through falsification of an 
enrollment application that may have passed a name based check. As a 
result, the extra level of screening provided by the submission of 
fingerprints for the purposes of an FBI database check has the 
potential to deny enrollment to individuals whose sole intent is to 
defraud the Medicare program. We believe fingerprint-based criminal 
history record checks will be an effective tool to prevent fraud, 
waste, and abuse in Federal health care programs by independently 
verifying information provided on applications of potential providers 
and suppliers in the high screening level.
    If, after a sufficient period of evaluation, we conclude that 
fingerprint-based FBI criminal history record checks do not fulfill our 
program integrity objective of identifying applicants who pose a 
heightened risk of fraud, waste, and abuse prior to enrollment or we 
determine that supplementary actions are needed, we may pursue 
additional rulemaking that seeks to adopt alternative or additional 
safeguards consistent with authorities given to the Secretary in the 
ACA.
    Comment: A commenter stated the screening process described by CMS 
does little to ensure that a provider or supplier is submitting 
legitimate claims for eligible individuals, since there is no linkage 
between the enrollment process and claim submission process. The 
commenter contended that it did not appear that CMS considered the 
alternative approach of linking its proposed screening requirements to 
section 1866(j)(3) of the Act. The commenter recommended that CMS 
establish a link between the screening process and the payment process 
by establishing payment caps and prepayment claims review as described 
in section 1866(j)(3) of the Act.
    Response: The commenter references new section 1866(j)(3) of the 
Act, which addresses a provisional period of enhanced oversight for new 
providers or suppliers of services. We believe that the payment caps 
and prepayment claims processes should supplement, but not be used in 
lieu of, the procedures outlined in this proposed rule. Payment caps 
and prepayment claims processes will be addressed in separate vehicles. 
Clearly, the provisions of section 1866(j)(3) of the Act are an 
important complement to the pre-enrollment screening provisions in this 
rule. We intend to use both to fight fraud. However, this provision is 
not part of this final rule with comment period. In fact, the ACA 
authorizes the Secretary to implement the provisions of section 
1866(j)(3) of the Act through instruction or otherwise.
    Comment: A commenter contended that with respect to the limited 
risk screening requirements, the language in proposed Sec.  
424.518(a)(2)(i) may be overly broad. The commenter believes the intent 
of this provision is for the contractor to verify that the provider or 
supplier meets only the applicable regulations or requirements that 
qualify it for the appropriate provider or supplier type. However, the 
commenter stated that, as written, Sec.  424.518(a)(2)(i) could be 
construed to require the Medicare contractor to verify the provider or 
supplier's compliance with virtually every Federal regulation and State 
requirement that applies to the provider or supplier type. This, the 
commenter argued, could subject limited categorical risk providers and 
suppliers to an overly broad, burdensome, and time-consuming 
verification process.
    Response: As explained in the proposed rule, the verification 
process for limited risk providers and suppliers will be that which is 
currently used for most providers and suppliers. The verification will 
be limited to enrollment requirements, and will not examine compliance 
with all other State

[[Page 5877]]

and Federal regulations unless the other State and Federal regulations 
have an impact on whether the provider or supplier meets the 
requirements for enrolling or revalidating enrollment in Medicare. The 
table that describes the types of screening to be performed for each of 
the three screening levels explains clearly the kinds of verification 
processes that CMS contractors will be using to verify a provider's or 
supplier's eligibility to enroll or remain enrolled in Medicare.
    Comment: One commenter requested that CMS explain why it did not 
consider compliance plans in establishing its screening criteria.
    Response: We solicited comments regarding the use of compliance 
plans in combating fraud, waste, and abuse. Because there are a several 
complex policy and implementation issues we are pursuing separate 
additional rulemaking in this area.
    Comment: One commenter stated that CMS did not include a discussion 
of low quality of care when it established its screening criteria.
    Response: Quality of care is the subject of several other CMS 
regulations. Accordingly, we did not include quality consideration in 
our development of levels of categorical screening. We believe that the 
factors we included in the proposed rule for establishing the screening 
criteria support our classifications.
    Comment: A commenter recommended that CMS increase the level of 
screening for any provider using a billing agent or clearinghouse 
convicted of health care fraud. The commenter also recommended that, 
similar to the provisions found in section 6503 of the ACA, CMS 
establish enrollment standards for clearinghouses and billing agents 
for Medicare. CMS, the commenter stated, mentioned in the proposed rule 
that ``based on our data analysis including analysis of historical 
trends and CMS' own experience with provider screening and enrollment 
we believe the following providers and suppliers pose a limited risk.'' 
The commenter also recommended that CMS furnish the data analysis used 
to assign each provider type in the limited screening levels and the 
moderate screening levels.
    Response: As for the commenter's recommendation regarding billing 
agents and clearinghouses, the commenter references section 6503 of 
ACA, which calls for billing agents and clearinghouses to register 
under Medicaid. The implementation of 6503 of the ACA, is not part of 
this rule; however, we will be addressing that provision in the future. 
We do not propose to screen billing agents and/or clearinghouses as 
part of this rule because such entities do not enroll in Medicare as 
providers or suppliers.
    With respect to the data analysis we used, we furnished information 
in the proposed rule regarding our reasons for assigning certain 
provider and supplier types to limited, moderate or high level of 
screening. We relied on our experience to identify categories of 
providers with a higher incidence of fraud as well as our familiarity 
with types of fraudulent schemes that are currently prevalent in 
Medicare. In addition, we used the expertise of our contractors charged 
with identifying and investigating instances of fraudulent billing 
practices in making our decisions regarding the appropriate risk 
assessment of various providers. In some instances, we also relied on 
the data analysis and expertise of the OIG, GAO, and other sources to 
develop screening levels designed to increase scrutiny for specific 
categories of providers and suppliers as the risk posed to the Medicare 
and Medicaid programs increases.
    Comment: A commenter asked whether CMS, in grouping all hospital 
types--including specialty hospitals, physician-owned hospitals, short-
term hospitals, and acute hospitals--into one risk level, is stating 
that all hospitals have the same risk. If so, the commenter requested 
that CMS provide data to support this assertion and to explain why it 
believes that all hospitals pose the same risk
    Response: Our assignment of hospitals to the limited screening 
level should not be construed as meaning that every type of hospital 
poses the same exact degree of risk. We did, however, base our 
assignment on the premise that all hospital provider types have certain 
features in common that make them less likely to be a program integrity 
concern on the whole. For example, such entities have significant start 
up costs and capital and infrastructure costs. In addition, such 
entities are subject to significant government oversight, at both the 
State and Federal levels. Finally, such entities often are subject to 
oversight from other accrediting bodies through deeming authority. 
These features are, in general, less apparent with other provider and 
supplier types. We note that these are not the only features we 
considered when evaluating hospitals and that these features, by 
themselves, are not sufficient to cause us to place a provider or 
supplier type in the limited screening category.
    Comment: A commenter stated that in Table 1, CMS appears not to 
consider previous payment suspensions, overpayments, OIG exclusions, or 
Medicare revocations in establishing higher risk levels. The commenter 
recommended that CMS explain why such actions are not an indicator of 
higher program risk and the need for enhanced screening.
    Response: As mentioned previously, we state in this final rule with 
comment period that a provider or supplier will be placed into the high 
screening level if the provider or supplier (or an individual who 
maintains a 5 percent or greater direct or indirect ownership interest 
in such provider or supplier) has had a final adverse action--as that 
term is defined in Sec.  424.502--imposed against it within the 
previous 10 years.
    Comment: A commenter stated that because of the wide variation in 
DMEPOS items and services and differing levels of behavior, CMS should 
subdivide the general category of DMEPOS suppliers and assign 
appropriate screening levels to each product category, rather than to 
DMEPOS suppliers as a whole.
    Response: We think the commenter's suggestion might lead to an 
overly complex system of provider screening and related oversight 
tools. Accordingly, we have decided not to create such a distinction 
based on such sub-categories. At this time, we are not determining the 
risk of fraud, waste, and abuse by product category.
    Comment: Several commenters requested CMS to change the proposed 
rule to state that both publicly traded entities and their wholly-owned 
subsidiaries are afforded ``limited categorical risk'' status.
    Response: As stated previously, publicly traded status is not being 
included as a criterion for assigning provider or supplier categories 
to screening levels. The approach taken in this final rule with comment 
period whereby we assign specific categories of providers and suppliers 
to screening levels determined by the categorical risk of fraud--rather 
than determining individual risk--is consistent with the requirements 
of the ACA.
    Comment: One commenter supported CMS's proposal to place new HHAs 
into the high screening level. The commenter stated that much of the 
fraud and abuse that has been detected in the home health benefit is 
associated with new providers, particularly in areas not subject to 
certificate of need (CON) or other State controls on provider 
development.
    Response: We appreciate this commenter's support.
    Comment: One commenter recommended that the proposed rules for 
assigning screening levels for

[[Page 5878]]

existing home health and hospice providers be modified so as to more 
accurately focus enforcement efforts on certain existing providers 
within a particular category. More specifically, the commenter stated 
that CMS can use its ample data resources to more precisely 
differentiate between agencies with proven histories of good 
performance and those that are either untested or have demonstrated 
irregular patterns of performance. The commenter recommended that any 
nonprofit home health or hospice agency that was certified in Medicare 
or Medicaid before October 1, 2000, and has not been identified as 
having program integrity problems, be placed in the limited risk 
screening level. The commenter added that CMS should also create a 
scoring algorithm that would identify those HHAs and hospices at 
moderate risk based on criteria such as: (1) Years of program 
participation; (2) ownership type; (3) number of medical review 
requests; (4) pattern of selectively serving highly profitable cases; 
(5) frequent changes in ownership; (6) geographic location; (7) 
relationship to other stable (for example, hospital) or less stable 
provider types (DMEPOS); and (8) current accreditation status.
    Response: We did not base our development of levels of screening on 
provider-specific risk assessments. As described previously, the 
statutory requirements set forth in ACA guided our approach in 
assigning categories of providers and suppliers to screening levels 
appropriate to the risk of fraud, rather than pre-screening individuals 
prior to the assignment of a screening level. Adopting the type of 
scoring algorithm suggested by the commenter would automatically 
provide for individual breakdowns of each HHA's or hospice's risk, 
which we believe would be inconsistent with the statute and constitute 
a pre-screening step in the enrollment process. We do not rule out the 
possibility of using scoring algorithms in the future for other program 
integrity functions or for provider and supplier enrollment, but we 
decline to adopt this suggestion for enrollment screening purposes at 
this time. For the reasons stated previously, we believe that the 
moderate risk screening level is appropriate for currently enrolled 
HHAs and hospices.
    Comment: A commenter did not believe that site visits were 
necessary to ensure that ambulance providers and suppliers were in 
compliance with applicable program requirements. The commenter 
expressed concern that the time associated with conducting pre-
enrollment site visits could slow down the enrollment process. The 
commenter added that ambulance services are already subject to site 
inspections by the State licensing agency (as well as other State and 
Federal requirements), and that the existing procedures are sufficient 
to ensure that ambulance providers and suppliers are operating in 
compliance with program requirements. Another commenter stated that in 
this proposed rule, CMS states that it only conducts a limited number 
of unscheduled or unannounced site visits for certain provider types. 
If this is based on a policy decision, the commenter requested that CMS 
explain why it now believes that unscheduled or unannounced site visits 
will reduce fraud, waste, and abuse. The commenter also requested a 
cost/benefit analysis for its previous onsite efforts to show the 
effectiveness of this new strategy. If a fiscal constraint, the 
commenter requested that CMS explain: (1) Why it is spending $9 million 
on grants to Senior Medicare Patrol (SMP) and millions in advertising 
to promote ``Stop Medicare Fraud'' in lieu of conducting unscheduled 
and unannounced site visits, and (2) where the additional funds will 
come from to conduct thousands of unannounced site visits.
    Response: We have been conducting site visits of one kind or 
another for years, and have found such visits to be an extremely 
effective tool in fighting fraud. We plan to conduct site visits 
pursuant to the authorities provided in the ACA and as outlined in this 
final rule with comment period. We have received many valuable tips and 
other information from SMP volunteers across the country. We believe 
that site visits are appropriate for ambulance companies, especially 
considering that we have uncovered several instances where an enrolling 
ambulance company--contrary to the information it furnished on the CMS-
855B--had no base of operations. Regarding the commenters concern about 
the Senior Medicare Patrol initiative, we believe the SMP program is 
outside the scope of this regulation.
    Comment: With respect to whether non-practitioner-owned facilities 
and suppliers should be subject to a higher level of screening than 
their practitioner-owned counterparts, a commenter urged CMS to exempt 
dually-enrolled physicians from enrollment screening requirements 
applicable to entities only enrolling as DMEPOS suppliers. The 
commenter believes it would make no sense to consider physicians 
``limited risk'' while simultaneously labeling them either ``moderate 
risk'' or ``high risk'' when they provide DMEPOS to their own patients.
    Response: We disagree. As stated previously, the approach taken in 
this final rule with comment period whereby we assign specific 
categories of providers and suppliers to screening levels determines by 
the assessed categorical risk of fraud--rather than determining 
individual risk--is consistent with the requirements of the ACA. We 
believe that each provider and supplier category must be considered on 
its own merits as an entire class, rather than be sub-categorized based 
on whether or not a particular provider is owned by provider subject to 
the limited screening level. For reasons we have stated, both in this 
final rule with comment period and in the past, newly enrolling DMEPOS 
suppliers are currently subject to a higher level of scrutiny and 
revalidating DMEPOS suppliers are subject to the moderate level of 
screening--such as through the need to comply with the supplier 
standards in Sec.  424.57(c)--because of the heightened risk posed by 
this class of suppliers as a whole. We therefore decline to exempt 
certain types of DMEPOS suppliers from either the moderate level of 
screening for revalidating suppliers or the high level of screening for 
newly enrolling suppliers.
    Comment: A commenter suggested that CMS revise the enrollment 
applications to include language in the certification statement so that 
CMS' contractors can conduct a criminal background check on any owner, 
authorized official, delegated official, managing employees and 
individual practitioners during the initial enrollment process or 
subsequently thereafter. The commenter believes that CMS is needlessly 
limiting its ability to conduct criminal background checks.
    Response: We appreciate this comment but decline to adopt this 
approach. We will perform fingerprint-based criminal history record 
checks of the FBI's Integrated Automated Fingerprint Identification 
System consistent with the methodology specified in this rule. We do 
not intend to amend the CMS-855 to include language that would expand 
the use of such criminal history record checks beyond the requirements 
set forth in this final rule with comment period. We think that to 
conduct the same screening for all provider categories without taking 
into account the variation in risk of fraud, waste or abuse would be an 
inappropriate allocation of resources and would be inconsistent with 
the provisions of the ACA. As stated previously, if CMS re-assigns 
additional categories of providers to the high level of screening, or 
expands the use of FBI

[[Page 5879]]

criminal history record checks to the other screening levels, CMS will 
publish a notice in the Federal Register.
    Comment: A commenter suggested that Medicare, Medicaid, and CHIP 
consider bankruptcy and credit report scores during the screening 
process and that CMS deny enrollment where an owner, authorized 
official, or delegated official has a credit score of less than 720 or 
has had a personal or business bankruptcy within the last 5 or 10 
years. The commenter stated that credit score is indicative a person's 
ability to manage financial assets.
    Response: We decline to adopt this approach in this final rule with 
comment period. We would need to perform additional study to determine 
whether credit scores correlate with program integrity risk. Because we 
do not have evidence to support such a relationship, we decline to 
adopt this approach at this time.
    Comment: Several commenters requested clarification on whether a 
Federal agency or a private company will process the fingerprint card, 
how CMS will safeguard this information, and how much additional time 
fingerprinting will add to the screening process of new applicants. 
Another commenter urged CMS to ensure that documentation concerning 
fingerprints be tracked from origination to delivery to prevent loss, 
and that all information be protected from FOIA disclosure.
    Response: The FBI requires that fingerprints be collected and 
submitted by FBI-approved ``authorized channelers.'' The FBI currently 
has approved 15 such private companies to collect and submit 
fingerprints to the FBI CJIS Division's Wide Area Network (WAN), 
receive the criminal history record information, and submit the record 
to authorized recipients, in this case CMS (or its FBI approved 
outsourced contractors) for the determination of eligibility for 
enrollment. CMS will use of one or more of the pre-approved authorized 
channelers to collect and submit fingerprints directly to the FBI, and 
CMS will ensure the written proposal(s) provided by the selected 
channeler(s) contains the appropriate assurances of compliance with 
privacy and security considerations mandated by the Compact Council 
(the national independent authority that regulates and facilitates the 
exchange of noncriminal justice criminal history record information) 
and as required by 28 CFR part 906. Additionally, CMS will adhere to 
the Compact Council's Security and Management Control Outsourcing 
Standard for Channelers. The use of authorized channelers effectively 
means CMS never has custody of the submitted fingerprints, only the 
resulting criminal history record. CMS will, of course, protect the 
information in the criminal history record according to existing 
Federal standards and procedures that govern personally identifiable 
information.
    After further consideration of the proposed requirement that all 
required applicants submit their fingerprints on the FD-258 card, CMS 
has removed the requirement to use only the FD-258 card from this final 
rule with comment period. CMS strongly encourages all required 
applicants to provide electronic fingerprints to the CMS-selected 
authorized channeler, but will also accept the FD-258 card. As stated 
previously, CMS and the authorized channeler will safeguard the 
information as required by the existing requirements of the Compact 
Council, and specifically the Compact Council's Security and Management 
Control Outsourcing Standard for Non-Channelers and Channelers and the 
FBI's Criminal Justice Information System's Security Policy.
    We believe the additional time for a contractor's processing of the 
application in light of the fingerprint-based criminal history record 
check will be minimal for those applicants who submit electronic 
fingerprints. Applicants who submit the FD-258 card will experience an 
extended processing time as the authorized channeler selected by CMS 
will have to convert the paper print into a electronic submission so 
that the FBI can quickly process all requests. The FBI processing of 
the electronic prints occurs within 24 hours of receipt from the 
authorized channeler, and the authorized channeler will receive and 
transmit the report to CMS. The report will be reviewed for 
disqualifying felonies and omitted information as outlined in existing 
regulations at Sec.  424.530(a) for enrollment and at Sec.  424.535(a) 
for revalidation and once the fitness determination has been made, the 
appropriate contractor will process the enrollment application as 
before. CMS believes this process will not cause significant delays to 
the enrollment process.
    As stated previously, CMS and our Medicare contractors will protect 
individuals' information under the Privacy Act, 5 U.S.C. 552a and the 
Privacy Act system of records notice for this information. We recognize 
that the safeguarding of individual privacy and ensuring the security 
of fingerprints collected under this regulation is a serious concern. 
We will ensure that these concerns are addressed and that all necessary 
safeguards are implemented to protect this information -from both 
privacy and security standpoints--when we issue guidance on 
fingerprint-based criminal history record checks following the 
publication of this final rule with comment period. We will ensure that 
fingerprint documentation is fully protected to the extent required by 
Federal law.
    As stated previously, the fingerprint-based criminal history record 
check will be required 60 days following the publication of 
subregulatory guidance. All other screening requirements are effective 
on March 25, 2011 for those in the ``high'' screening level. The delay 
in the effective date for the fingerprint-based criminal history check 
will permit CMS to coordinate the implementation of this new process 
with our law enforcement partners, ensure that all concerns related to 
privacy are addressed, educate our providers and suppliers about the 
new process, and ensure that our contractors are adequately prepared to 
implement this new process so that the implementation of this new 
process does not cause any undue delay.
    Comment: A commenter stated that while CMS assigns CMHCs to the 
moderate screening level, CMS has not taken steps to implement section 
1301 of the Health Care and Education Reconciliation Act of 2010 
(collectively, the Affordable Care Act), which requires that CMHCs 
provide at least 40 percent of its services to individuals who are not 
eligible for benefits. The commenter recommended that CMS consider 
CMHCs as a ``high'' categorical screening risk until CMS implements 
section 1301 of the ACA.
    Response: For reasons already explained, we believe that CMHCs are 
most appropriately assigned to the moderate screening level. Section 
1301 of ACA is not a part of this rule.
    Comment: Several commenters requested that CMS consider 
establishing criteria for making assignments to screening levels before 
moving forward with this rule.
    Response: We explain in the preamble the criteria and factors we 
used for our placement of various provider and supplier types into 
particular levels. These factors include our experience with claims 
data used to identify fraudulent billing practices, as well as the 
expertise developed by our contractors charged with investigating and 
identifying instances of Medicare fraud across multiple categories of 
providers. In addition, we have relied on insights gained from numerous 
studies conducted by the HHS OIG, GAO, and other sources.

[[Page 5880]]

    Comment: A commenter requested that a fourth level of ``no risk'' 
be established. This is to reflect positively on providers who have had 
no incidents of fraud, waste or abuse.
    Response: We do not believe it is appropriate to create a ``no 
risk'' level as the limited level of screening represents the baseline 
screening requirements for entry into the Medicare program. We believe 
that fraud, waste and abuse can occur at any time and among any 
provider or supplier category. Our screening methodology is designed to 
match an appropriate level of screening to provider or supplier 
categories based on level of risk of fraud, waste or abuse posed by the 
provider or supplier category.
    Comment: A commenter requested clarification regarding whether CMS 
will conduct TIN matches with the IRS via an automated match or whether 
the provider will be required to sign an I-9 verification form. The 
commenter also asked whether CMS will conduct tax delinquency database 
matches with the IRS and the authority for such a match. In both cases, 
the commenter recommended that CMS establish new denial and revocation 
reasons if the TIN does not match or there is a tax delinquency.
    Response: We currently verify the provider's TIN as part of the 
enrollment process; if the TIN does not match the provider's legal 
business name, the application will be denied, or, if enrolled, the 
provider's billing privileges will be revoked. However, we have removed 
references to tax delinquencies as a component of the screening 
methodology from this rule. While we do plan to implement provisions 
that will allow us to coordinate enrollment decisions with data 
obtained from the Internal Revenue Service--for instance, potentially 
denying an application based on tax delinquency information from the 
IRS--such an effort is not a part of this rule.
    Comment: A commenter stated that CMS's proposed ``limited risk'' 
classification for publicly traded companies does not explicitly afford 
the same treatment to subsidiaries of publicly traded providers and 
suppliers. Several commenters recommended that majority owned 
subsidiaries of publicly traded providers and suppliers be treated the 
same as their publicly traded parents. Specifically, since subsidiaries 
of publicly traded providers and suppliers are subject to substantially 
similar oversight and scrutiny, the commenter proposed that all 
providers and suppliers--regardless of whether the parent is enrolled--
that are at least majority owned, directly or indirectly, by a publicly 
traded provider or supplier be assigned to the limited risk level for 
screening. The commenter suggested that proposed Sec.  424.518(a)(2) be 
revised to read as follows: ``(2) When CMS designates a provider or 
supplier into the ''limited'' categorical level of screening, the 
provider or supplier is publicly traded on the New York Stock Exchange 
(NYSE) or the National Association of Securities Dealers Automated 
Quotation System (NASDAQ), or the provider or supplier is majority 
owned, directly or indirectly, by an organization publicly traded on 
the NYSE or NASDAQ * * *.''. Another commenter stated that subjecting 
different providers under a hospital to different levels of scrutiny 
could cause confusion and unnecessary hardship.
    Response: For reasons already stated, we have eliminated the 
distinction between publicly traded and private companies and have 
declined to subcategorize individual providers and suppliers based on 
their ownership.
    Comment: A commenter stated that while subjecting newly enrolling 
DMEPOS suppliers to stringent screening may be proper, an enrolled 
DMEPOS supplier that reenrolls following an ownership change should not 
be subject to the same screening as a newly established supplier. It 
should instead be treated as moderate risk, just as enrolled suppliers 
that revalidate their enrollment information. The commenter contended 
that the seller's business, much of which remains after the purchase, 
has already been verified and authenticated; if CMS and the NSC subject 
the purchaser to stringent enrollment screening, they will duplicate 
the work that they have already done to validate and inspect the 
purchased business, wasting resources. It could also delay the new 
owner's receipt of a Medicare number, which could disrupt the 
continuity of business and patient care. The commenter added that if 
CMS does not agree that an enrollment following an ownership change of 
an enrolled DMEPOS supplier should be moderate risk, CMS should 
formally state that purchasers of enrolled DMEPOS suppliers will 
receive new Medicare numbers with billing privileges retroactive to the 
purchase date. In closing, the commenter stated that the proposed rule 
is a dramatic change to the existing methods of Medicare enrollment; 
while change to prevent fraud and abuse is advisable, such change 
should not harm honest providers and suppliers who strive to provide 
high quality service to Medicare beneficiaries. Another comment stated 
the purchaser of an existing community pharmacy DME supplier store 
should be screened as a moderate (not a high) risk supplier during 
reenrollment.
    Response: We disagree that a DMEPOS supplier undergoing a change of 
ownership should be assigned to the as moderate screening level. For 
purposes of enrollment, a DMEPOS supplier undergoing a change of 
ownership is treated and must enroll as a new supplier. Hence, since 
all newly-enrolling DMEPOS suppliers are subject to a ``high'' level of 
screening, we believe DMEPOS suppliers undergoing a change of ownership 
should also be subject to a ``high'' level of screening. Further, the 
screening requirements in the high screening level include a 
fingerprint-based criminal history record check of any individual with 
direct or indirect ownership of 5 percent or greater. Therefore, 
enrollment screening after a change in ownership has clear value to the 
enrollment process, and we disagree that it would be a waste of 
resources. Currently-enrolled (revalidating) DMEPOS suppliers are 
assigned to the moderate level of screening.
    Comment: A commenter stated that certified orthotic and prosthetic 
DMEPOS suppliers and American Board for Certification in Orthotics and 
Prosthetics (ABC)-accredited DMEPOS suppliers should be assigned to the 
limited screening level. The commenter stated that accreditation is not 
an easy standard to meet, and asked CMS to investigate whether there 
are any studies or other evidence that indicate that ABC Accredited 
Facilities and/or ABC Certified practitioners as a DMEPOS subcategory 
pose an elevated risk to the Medicare program. If there are not, such 
suppliers should be subject to limited screening.
    Response: We believe the commenter is asserting that accreditation 
bodies perform a sufficient level of oversight to ensure that the 
entities they accredit are a low program integrity risk. We do not 
believe this is true. The accreditation bodies help verify the 
supplier's compliance with DMEPOS standards, rather than assess the 
supplier's risk of fraud, waste and abuse. Accordingly, we decline to 
assign entities accredited by ABC or any other accrediting organization 
to the limited screening level solely on that basis.
    Comment: A commenter contended that in States without licensure, if 
a DMEPOS supplier is practitioner-owned and one or more of the 
practitioners is certified by ABC (accrediting body referenced in 
section 427 of the Medicare, Medicaid, and SCHIP Benefits Improvement 
and Protection Act of 2000 (BIPA)), or if the facility itself has been 
accredited by one of these entities, it should be as assigned

[[Page 5881]]

to the limited screening level. The practitioner being credentialed in 
either of these ways has demonstrated a commitment to quality.
    Response: As already stated, we decline to subcategorize individual 
providers and suppliers based on their ownership and do not believe 
accreditation--standing alone--should be the foremost indicator of 
fraud and abuse risk.
    Comment: One commenter stated that chain pharmacies should be 
exempt from the increased screening levels and screening procedures, as 
they are already subject to significant regulation within their 
respective States.
    Response: We disagree. For the same reason that we cited for 
eliminating the distinction between publicly traded and non-publicly 
traded or public or non-public ownership status as a basis for 
determining screening level, state regulation of chain DMEPOS suppliers 
is not in itself a sufficient indicator of the risk of fraud, waste or 
abuse posed by a particular category of provider or supplier. The fact 
that a particular provider or supplier type may be regulated by the 
State is not adequate grounds for placing it in a lower screening 
level.
    Comment: A commenter stated that the proposed provisions punish 
legitimate providers and that the most egregious fraud is committed by 
scam artists and organized crime. The commenter expressed concern that 
small practices will be driven out of business. In light of CMS's 
proposed exemption for public companies, one or two large national 
companies may be the only ones ``left standing'' and will have a 
monopoly. CMS, the commenter argued, will then be unable to objectively 
compare ``best practices'' or to objectively evaluate trends in care, 
and that patients will not have a choice for their care.
    Response: As already stated, we have eliminated the distinction 
between publicly held and private companies. In addition, we believe 
that the proposed provisions will help stem the fraud that both the 
commenter and we are concerned about.
    Comment: A commenter recommended that CMS provide the analysis for 
which it based its risk assignment decisions for limited and moderate 
screening levels. The commenter also recommended that CMS consider the 
Medicare and Medicaid error rates for each provider or supplier in 
establishing its screening levels. Finally, the commenter also 
requested the following data for each type of Medicare provider and 
supplier for 2008, 2009, and 2010:
     Number of Medicare revocations.
     Number of Medicare payment suspension.
     Number of Medicare overpayment.
     Medicare error rate.
     Medicaid error rate.
     CMPs.
     Convictions by the Department of Justice.
     HHS OIG mandatory exclusions under 1128 of the Act.
     HHS OIG permissive exclusions under 1128 of the Act.
    Response: We based our risk assessments on a variety of factors, 
including some of those listed by the commenter as well as others. 
However, because our conclusions were not based on any one factor nor 
any specific combination of factors, but rather on CMS's aggregate 
experience with each provider and supplier type, providing the data 
requested by the commenter would not serve to clarify the 
determinations of risk.
    Comment: A commenter stated that the proposed screening approach in 
the proposed rule is simplistic at best and flawed at worst. The 
commenter did not believe provider type is the only measure of risk of 
fraud. To address those individuals and organizations who intend to 
enroll for the sole purpose of committing fraud, CMS must: (1) Consider 
the provider's past experience with Medicare, Medicaid, or CHIP; (2) 
coordinate enrollment and billing issues with commercial health plans, 
Medicaid and CHIP; and (3) establish more stringent program 
requirements. The commenter believes that CMS did not offer any 
enhanced program requirements in the proposed rule, the rule does not 
reduce the ``pay and chase'' approach used by CMS and OIG today.
    Response: We disagree, and believe that the program safeguard 
measures outlined in this final rule with comment period will greatly 
assist in reducing fraudulent activity. We believe several of the 
elements proposed by the commenter are inherent in this rule. First, 
under the final rule with comment period, final adverse actions will 
lead to a high screening level assignment and the use of additional 
screening tools. Second, with regard to more stringent program 
safeguards, we believe there is much in this final rule with comment 
period to bolster our efforts at combating fraud, waste, and abuse For 
example, in this final rule with comment period, we are expanding the 
instances in which we can impose a payment suspension. Furthermore, for 
the first time in the history of the programs, we will be able to 
impose an enrollment moratorium in order to combat fraud, waste, and 
abuse. Accordingly, we believe the new authorities that we are 
implementing under the ACA will assist us in strengthening our program 
integrity efforts.
    Comment: A commenter recommended that the following be placed into 
the high screening level: (1) Any provider or supplier that is not 
State licensed, and (2) any owner, authorized official, delegated 
official, physician or non-physician practitioner who has ever been 
excluded by the OIG, revoked by Medicare, or had a State license 
revocation or suspension.
    Response: We stated previously that merely because a particular 
provider or supplier type may be regulated by the State is not in and 
of itself adequate grounds for placing it in a lower screening level. 
By the same token, we do not believe that a failure to be licensed by 
the State should automatically place the provider or supplier in a high 
screening level, as the State may not have licensure requirements for 
that particular provider or supplier type. In addition, the standards 
for licensure vary among the States and Territories such that these are 
largely out of our control. With regard to the commenter's second 
suggestion, we again note that Sec.  424.518(c) of the final rule with 
comment period states that a provider or supplier will be moved from 
the ``limited'' or ``moderate'' level to the ``high'' level if it has 
had final adverse actions imposed against it.
    Comment: A commenter recommended that CMS explain why it did not 
consider comments regarding publicly traded companies in the final rule 
with comment period; Home Health Prospective Payment System Rate Update 
for Calendar Year 2011; Changes in Certification Requirements for Home 
Health Agencies and Hospices, when developing the proposed policy found 
in the proposed rule to this final rule with comment period.
    Response: This rule and the rule that the commenter references deal 
with different issues. Each was developed and considered on its own 
merits.
    Comment: A commenter supported CMS's placement of hospitals and 
physicians into the limited screening level. However, the commenter 
disagreed that publicly traded DMEPOS suppliers or HHAs would have less 
risk. The commenter also stated that the providers and suppliers that 
are designated as ``high risk'' or ``moderate risk'' but which are 
members of, operate as a part of, or are owned by a hospital or a 
health system, should instead fall under the same risk assignment as 
the hospital. Such providers and suppliers

[[Page 5882]]

are part of larger established organizations that have high levels of 
accountability to their internal governance structures and have 
longstanding relationships with and responsibility to their local 
communities.
    Response: For reasons already stated, we have eliminated the 
distinction between publicly traded and private companies and have 
declined to subcategorize individual providers and suppliers based on 
their ownership.
    Comment: Several commenters requested greater specificity regarding 
what level of managing employees would be subject to the screening 
requirements for high risk providers and suppliers. Some of them 
requested that for large provider organizations, only the highest-level 
managing employees who operate or manage, or who oversee the operation 
of the entire healthcare organization--and not lower-level managers of 
individual departments or functions--should be subject to the enhanced 
screening procedures.
    Response: In this final rule with comment period, we will only 
apply the screening requirements for high screening level providers and 
suppliers to individuals with a 5 percent or greater direct or indirect 
ownership interest. Officers, directors, and managing employees--to the 
extent that they do not have a 5 percent or greater ownership 
interest--will not be subject to fingerprint-based criminal background 
checks. However, we intend to monitor the situation and may seek to 
extend the scope of fingerprint-based criminal background checks in the 
future if circumstances warrant.
    Comment: A commenter stated that hospitals should be exempted from 
all screening levels--even the limited screening level--if they are 
State-licensed and accredited.
    Response: We disagree with this commenter. To exempt a provider or 
supplier from any screening level would be the equivalent of stating 
that the provider need not undergo even the most basic verification 
requirements used under the limited risk level of screening.
    Comment: Several commenters supported site visits as a tool to 
improve program integrity, but believes that they could disrupt or 
administratively burden a legitimate provider or supplier's business 
operations. They recommended that CMS limit the purpose of these site 
visits to verifying that the provider/supplier exists and is 
operational; other matters that would require significant management 
and clinical staff time should be handled through separately scheduled 
site visits. Several other commenters believe that site visits were 
appropriate, but said that the number of such visits must be reasonable 
for the circumstances and should only increase if inappropriate 
activity is suspected. In addition, another commenter suggested that as 
part of a DMEPOS site visit, the auditor should confirm with the owner 
of the warehouse or facility the terms of the lease; for HHAs, the 
auditor should confirm that the HHA has been using the OASIS form and 
that a sample of Patient Plan of Care medical records/files can be 
directly linked to an OASIS document.
    Response: We decline to state that site visits will always be 
limited to verifying whether the provider or supplier is operational. 
We must retain the flexibility to conduct a closer on-site review if 
warranted.
    Comment: One commenter stated that classifying DMEPOS suppliers 
that are physician-owned as high risk could pose a significant 
disincentive to office-based physicians to continue offering DMEPOS 
supplies to their patients. The commenter stated that there has been 
little to no documentation of fraud, waste, or abuse in this category 
of DMEPOS, and that these suppliers should be exempted from the high 
risk level of screening.
    Response: For reasons already stated, we have declined to 
subcategorize individual providers and suppliers based on their 
ownership.
    Comment: Several commenters stated that the risk assessments of 
specific providers should not be made public.
    Response: To the extent allowed by Federal law, we will not release 
to the general public the risk assessment of an individual provider or 
supplier. Thus when an individual provider or supplier is elevated in 
screening level as a result of a triggering event in Sec.  424.518 and 
Sec.  455.450, we will not publish the individual provider's or 
supplier's name.
    Comment: Several commenters supported the creation of limited, 
moderate, and high screening levels, as well as the proposal to place 
physicians into the limited screening levels. They added that CMS 
should use public notice and comment prior to modifying the process or 
revising level assignments based on new criteria.
    Response: We appreciate the commenters support and will publish 
notice in the Federal Register regarding changes in assignment or 
levels of screening specified at Sec.  424.518 and Sec.  455. 450. 
However, as mentioned previously, we will not publish information about 
an individual provider or supplier that meets certain triggering events 
as described in these sections.
    Comment: A commenter opposed ``geographical circumstances'' as a 
possible criterion for adjusting a provider or supplier's screening 
level. This would deny all providers and suppliers in the specified 
geographic area basic due process and could seriously damage 
beneficiary access to health care providers and services in the 
impacted area.
    Response: We are not adopting ``geographic circumstances'' as a 
criterion for adjusting a provider or supplier's screening level at 
this time. We believe that should circumstances arise where we have 
concerns about a provider or supplier type in a geographic area, the 
authority to impose an enrollment moratorium, as detailed in this rule, 
will provide program integrity protection. However, we do retain the 
authority to add geographic location as a criterion for adjusting a 
provider or supplier's screening level through future rulemaking.
    Comment: Several commenters opposed the proposal to re-assign 
physicians from the ``limited'' or ``moderate'' screening level to the 
``high'' screening level when CMS has evidence from or concerning a 
physician that another individual is using their identity within the 
Medicare program. Classifying physicians who have been the victims of 
identity theft to the high screening level would stigmatize the 
physician and create a presumption that he/she has engaged in conduct 
warranting heightened scrutiny. They urged CMS to establish a fourth 
level, which signifies a heightened level of risk to Federal health 
care programs as a result of compromised physician identity or identity 
theft. Another commenter requested that CMS clarify that it will be the 
offender who is subjected to additional scrutiny and that the victim 
will not be penalized for the actions of the offender. Another 
commenter, however, supported CMS's proposal to adjust the categorical 
screening level if a practitioner notifies CMS or its contractor that 
another individual is using his or her identity within the Medicare 
program, and to require fingerprinting of high risk provider and 
supplier types (but not of individual practitioners who have been the 
victim of identity or provider number theft).
    Response: We stress that we will work closely with law enforcement 
against those individuals who are perpetrating Medicare identity theft. 
We do not plan to use screening tools to address identity theft 
concerns as it would not be an adequate response. We believe

[[Page 5883]]

identity theft concerns are most appropriately handled by our law 
enforcement partners.
    Comment: A commenter requested clarification as to the screening 
level assignment of in-home supportive services (IHSS). If they fall 
into the ``moderate'' level, as do home health agencies, the commenter 
expressed concern that site visits could burden program recipients.
    Response: Medicare does not recognize ``in home supportive 
services'' as a specific category of provider or supplier. To the 
extent that the IHSS supplier is or will be enrolling in Medicare or 
Medicaid as a HHA, it will be subject to the same requirements and 
standards as all other HHAs. As for the site visits, they will 
generally be conducted at the HHA's physical locations.
    Comment: Several commenters expressed concern with the proposal to 
re-assign physicians (and other providers/suppliers) from the 
``limited'' or ``moderate'' screening levels to the ``high'' screening 
level if a physician has had billing privileges revoked by a Medicare 
contractor within the previous ten years. Billing privileges can be 
revoked for a number of reasons unrelated to fraud, waste, or abuse, 
such as a failure to respond to a request for revalidation 
documentation within stringent contractor imposed deadlines. They urged 
CMS to differentiate between a temporary revocation of billing 
privileges and revocations based on actual misconduct by a provider or 
supplier.
    Response: As stated earlier, revocation is undertaken as an 
administrative remedy only if clearly justified. Also, there is an 
appeals process in place for provider revocations. Should a revocation 
be rescinded, the provider or supplier would be restored to its 
previous screening level.
    Comment: A commenter urged CMS to exercise the temporary moratorium 
authority judiciously and to exempt physicians from re-assignment from 
level I (limited) to level III (high) if physicians are ever subject to 
the temporary moratorium; this would include an exemption for 
physicians enrolled as DMEPOS suppliers if the latter are subject to a 
moratorium.
    Response: We believe this commenter is addressing a concern that if 
a moratorium is imposed on a category of providers that includes 
physicians or physician-owned DMEPOS suppliers, that when the 
moratorium is lifted the provider or supplier category to which the 
moratorium applied would be moved to the high screening level for 6 
months following the lifting of the moratorium. The commenter is asking 
for an exception to this proposal. A moratorium may be imposed if there 
is a heightened risk of fraud, waste or abuse in a particular 
geographic area or involving a certain provider or supplier type. If a 
particular provider or supplier type posed such a risk as to warrant a 
moratorium, it would be inappropriate for us to automatically exempt it 
from enhanced screening once the moratorium ends. In the event that we 
were to impose a temporary moratorium on physicians or physician-owned 
DMEPOS suppliers, the moratorium would be as narrowly tailored as 
possible to address specific fraudulent activity.
    Comment: A commenter believes that the moderate and high screening 
level assignments for community pharmacies are inappropriate and 
contended that: (1) all existing community pharmacy DME suppliers, as 
well as new locations of existing community pharmacy DME suppliers, 
should be designated as limited risk, and (2) newly enrolling community 
pharmacy DME suppliers should be treated as posing a moderate risk. The 
commenter stated that community pharmacies are already heavily 
regulated by the States and Federal government through State boards of 
pharmacy, CMS supplier standards and surety bonds, and argued that 
community pharmacies are not a major source of fraud. The commenter 
also urged CMS to incorporate into its final rule the same exemption 
criteria that CMS's uses to exempt certain community pharmacies from 
DME supplier accreditation requirements. In addition, the commenter 
stated that CMS should designate community pharmacies as limited risk 
suppliers if: (1) They have had a supplier number for at least 5 years; 
(2) their DME sales are less than 5 percent of their total sales over 
the last 3 years; and (3) they have not received a final adverse action 
against them in the past 5 years. Another commenter stated that DMEPOS 
sales are but a small portion of genuine community pharmacy sales. 
Accordingly, the proposal regarding unannounced pre- and/or post-
enrollment site visits for moderate risk suppliers and criminal 
background checks and fingerprinting for high risk suppliers may prove 
unbearably costly and burdensome to community pharmacies. The commenter 
added that it could lead to community pharmacies to stop supplying DME 
products, causing access problems.
    Response: As already stated, all newly-enrolling DMEPOS suppliers, 
regardless of sub-type or ownership, will be placed in the high level 
of categorical screening. This includes new DMEPOS locations, which 
have long been treated as initial enrollments. Moreover, we do not 
believe it is appropriate to apply the community pharmacy exemption for 
accreditation to the risk classifications, as the standards for 
accreditation are different from the criteria we are using for the risk 
classifications.
    Comment: A commenter urged CMS to more narrowly tailor its risk 
assignments of provider or supplier types by geography, so that DMEPOS 
suppliers in many areas of the country are not unfairly grouped into a 
higher screening level merely because those same DME supplier types 
pose major fraud risks in other limited areas of the country.
    Response: We disagree. While some areas of the country are 
undeniably more prone to fraud than others, fraudulent activity can 
occur anywhere. Furthermore, we believe it most objective to apply the 
same standard to all parts of the country and use other tools to 
narrowly tailor our approach when necessary, including the enrollment 
moratoria provision set forth in this final rule with comment period.
    Comment: A commenter requested clarification on whether an existing 
community pharmacy DME supplier that seeks to add a new DMEPOS supplier 
store would fall under the moderate or high screening level under the 
proposed rule. The commenter believes this should fall within the 
moderate screening level.
    Response: As already stated, the addition of a new DMEPOS location 
would be subject to the level or screening specified for providers and 
suppliers assigned to the high screening level.
    Comment: A commenter expressed concern that the Medicare contractor 
may not know which companies are publicly traded.
    Response: We have eliminated the distinction between publicly 
traded and non-publicly traded companies; as such, this comment is no 
longer applicable.
    Comment: One commenter stated that on June 23, 2010, the Director 
of the Office of Management and Budget published a memorandum titled, 
``Enhancing Payment Accuracy'' through a ``Do Not Pay List''; this 
Presidential document stated that, ``At a minimum, agencies shall, 
before payment and award, check the following existing databases (where 
applicable and permitted by law) to verify eligibility: the Social 
Security Administration Death Master File, the GSA's EPLS, the 
Department of the Treasury's Debt

[[Page 5884]]

Check Database, the Department of Housing and Urban Development's 
(DHUD) Credit Alert System or Credit Alert Interactive Voice Response 
System and the DHHS OIG LEIE.'' The commenter stated that CMS should 
explain why the proposed rule does not mention these verification 
sources.
    Response: Medicare contractors have long been required to review 
the EPLS and the LEIE prior to enrolling a provider or supplier in 
Medicare. In addition, providers, suppliers and their owners and 
managers are currently reviewed against the SSA Death Master File. As 
for the DHUD Credit Alert System and the Department of the Treasury's 
Debt Check Database, we understand the Presidential memorandum requires 
review of these systems prior to payment or award and will integrate 
their use as appropriate in our protocols.
    Comment: Several commenters supported the placement of hospitals in 
the limited screening level. However, they added that high risk or 
moderate risk providers and suppliers that are members of, operate as a 
part of, or are owned by a hospital or a health system, should instead 
fall under the same limited risk assignment that CMS proposes for 
hospitals.
    Response: Again, for reasons already mentioned, we have declined to 
subcategorize individual providers and suppliers based on their 
ownership.
    Comment: Several commenters stated that in States with orthotic and 
prosthetic licensure, orthotic and prosthetic DMEPOS suppliers should 
be designated as limited risk, as there is no evidence of significant 
elevated risk for such licensed professionals. In States without 
orthotic and prosthetic licensure, several commenters stated that the 
supplier should be treated as limited risk if: (1) One or more of the 
supplier's practitioners are certified by the American Board for 
Certification of Orthotics, Prosthetics and Pedorthics or the Board of 
Certification/Accreditation International, or (2) the supplier itself 
has been accredited by one of these entities. Other commenters stated 
that if the orthotic and prosthetic supplier is not practitioner owned, 
but has been in business at least 3 years, it should be considered 
limited risk due to a demonstrated lack of inappropriate billings over 
time; if it is not practitioner-owned and has not been in business at 
least 3 years, it should be rated as a moderate risk. Finally, the 
commenters objected to the proposed risk provision for this risk 
assignment provision because: (1) Orthotics and prosthetics is not part 
of DME, and has significantly lower fraud and abuse risks; and (2) 
there has not been sufficient consideration of the impact of number of 
years in business, or accreditation/certification status as factors 
that diminish risk.
    Response: As stated earlier, we do not believe certification or 
accreditation to be dispositive of risk for fraud and decline to adopt 
this suggestion. While we appreciate the commenter's suggestion that we 
should look at length of time in business as a means of supporting the 
assessment of risk, we believe that OIG and GAO reports and experiences 
are instructive and rely on those as well as our own data to support 
the assignment to levels of screening that we finalize in this rule.
    Comment: A commenter expressed concern that the time and cost 
necessary to comply with the requirements in the proposed rule is a 
significant burden on small providers, in light of all of the other 
requirements they are subjected to. The commenter stated that for 
reasons of reduced risk, time in business and demonstrated commitment 
to quality, no certified practitioner or accredited orthotist or 
prosthetist facility should be subject to background checks and 
fingerprinting.
    Response: We decline to adopt this suggestion; to do so would 
foreclose the possibility that any high risk practitioner or orthotic 
or prosthetic facility would be subject to enhanced scrutiny.
    Comment: A commenter questioned whether requirements such as 
fingerprinting will accomplish CMS's goal of tracking violators, since 
CMS will have no way to ensure that the person providing the 
fingerprints is the person rendering the care. The commenter also 
questioned whether fingerprinting will help prevent identity theft for 
physicians.
    Response: We are confident that fingerprint-based criminal history 
record checks will enable us to identify individuals who violate CMS 
existing regulations at Sec.  424.530(a) and Sec.  424.535(a), and 
appropriately deny or revoke Medicare billing privileges in these 
circumstances. This screening tool is intended to prevent individuals 
who pose an elevated risk of fraud, waste, and abuse from enrolling in 
the programs. Physicians will not be subject to the fingerprint-based 
criminal history check if they are not in the high screening level. 
Physicians as a category are in the limited screening level and 
providers and suppliers in the limited screening level are not subject 
to fingerprint-based requirements as are individuals and entities in 
the high screening level. The submission of fingerprints for the 
purposes of an FBI criminal history record check is not intended to 
address identity theft concerns.
    Comment: A commenter stated that raising a supplier's screening 
level seems reasonable only if the supplier has come under a payment 
suspension or if after investigation, the type of provider and the 
services it will render are not congruent on its enrollment 
application.
    Response: We disagree. There are, as explained in this final rule 
with comment period, a variety of final adverse actions that we believe 
warrant the placement of a provider or supplier in a higher screening 
level. Payment suspensions and inconsistent information on the 
enrollment application should not be the only two grounds for elevating 
a provider's screening level.
    Comment: A commenter stated that with regard to the ``high'' 
screening level, although government enforcement efforts to date have 
shown fraud, waste and abuse issues with HHAs and DMEPOS suppliers in 
certain geographical regions (for example, South Florida, Texas, and 
California), it is not clear that issues with such entities are 
national. Because the criminal background checks and fingerprints are 
onerous requirements that are not currently used by Medicare, the 
commenter stated that CMS should limit itself to introducing such 
requirements in high risk geographic areas, rather than nationally, at 
least at this stage. Moreover, the commenter stated that CMS has 
neither provided the data nor made the convincing case that its 
proposed changes will deliver results to justify the extent to which 
the rules would intrude on normal patient care and business practices. 
With respect to orthotic and prosthetic suppliers, the commenter urged 
CMS to adopt a more realistic approach that cracks down on fraudulent 
providers, without either considering every provider to be a crook, or 
adding huge regulatory burdens that could put honest, legitimate, hard-
working orthotic and prosthetic suppliers out of business.
    Response: We disagree that our enhanced screening procedures should 
initially be restricted to high risk geographical areas. While some 
regions of the country evidence fraud, waste and abuse more than 
others, fraudulent activity can occur anywhere. In addition, we believe 
that a national approach is most objective in implementing the 
screening provisions herein. We will rely on other program integrity 
tools, including, without limitation, the enrollment moratoria 
authority contained within this rule, to

[[Page 5885]]

address concerns in particular locales. Moreover, CMS will monitor 
implementation of the final requirements on provider and supplier 
screening with respect to patient care and business practices.
    Comment: A commenter stated that with respect to changing a health 
care provider's level of screening, the basis for this determination 
should be on information released during 2011 and beyond.
    Response: We disagree. We have found that long-term trends (for 
example, data from 2005 through 2009) are often good indicators of 
potential fraudulent activity.
    Comment: A commenter suggested that CMS establish certain 
exemptions to DMEPOS suppliers prior to a company being deemed a 
moderate or high risk supplier, such as: (1) A multiple year history as 
a DMEPOS provider; (2) award of a DMEPOS competitive bidding contract 
(where CMS itself has extensively reviewed the financials of contracted 
suppliers); and (3) accreditation by a CMS-approved third party.
    Response: We did not base our development of levels of screening 
and the assignment of provider and supplier categories to these levels 
of screening of fraud, waste or abuse on the past experience of 
specific individual providers. Rather, it is based on collective 
experience of provider and supplier categories. Furthermore, we do not 
believe length of time in business is an appropriate determination of 
fraud risk. Similarly, as described previously, we do not believe 
accreditation is--in and of itself--an indication that a provider or 
supplier should be assigned to the limited screening level. Finally, we 
decline to accept the commenter's suggestion that the award of a DMEPOS 
competitive bidding contract should provide an exemption from the 
assignment specified in this rule. The criteria for competitive bidding 
are different than those that we are using to determine the appropriate 
screening level appropriate to particular categories of provider or 
supplier.
    Comment: A commenter stated that any criteria utilized by CMS to 
assign screening levels should be made public, and that CMS should 
regularly review its assignment to screening levels. The commenter 
questioned whether automatically applying the proposed additional 
screening measures for providers and suppliers assigned to the moderate 
and high levels will be effective in shutting-out sham suppliers and 
past violators from participating in Medicare, particularly since these 
safeguards do not protect Medicare against criminals who use a shell as 
the owner of record to avoid detection. The commenter believes that the 
recently implemented accreditation and bonding requirements for DMEPOS 
suppliers are a stronger deterrent in ensuring that fraudulent 
suppliers are not able to participate in Medicare, and recommended that 
CMS first determine whether these requirements adequately deter fraud 
before imposing additional and arguably less effective safeguards, 
especially considering the cost and burden of these new requirements.
    Response: Criteria for the risk assessments were discussed in the 
proposed rule and this final rule with comment period. The criteria 
will be reviewed on a consistent and ongoing basis, and in the event we 
decide to update the assignment of screening levels, we will publish a 
regulatory document in the Federal Register. We do not believe, though, 
that we should wait for the results of the accreditation and surety 
bond requirements before taking additional steps to address program 
integrity problems related to DMEPOS suppliers. Indeed, it could take 
several years for the full impact of the surety bond and accreditation 
requirements to take effect on our anti-fraud efforts. As such, we do 
not believe it to be premature to assign newly-enrolling DMEPOS 
suppliers to the high screening level and require enhanced screening 
pursuant to this rule. It is our expectation that all of these program 
integrity protections together will lessen the risk of fraud and abuse 
in the Medicare program.
    Comment: A commenter stated that the language in Sec.  424.500, et 
seq., does not define ``Medicare contractor,'' and the verbiage in the 
preamble is somewhat vague. The commenter requested clarification as 
to: (1) The contractors that will be conducting the on-site visits, (2) 
whether this approach will be uniform across the country, and (3) the 
training and experience the individuals conducting these visits will 
have.
    Response: Since the term ``Medicare contractors,'' as used strictly 
in the provider enrollment context, is generally understood and 
recognized by the provider community to mean the entities that process 
CMS-855 provider enrollment applications, we do not believe it is 
necessary to include a formal definition of this term in this final 
rule with comment period. The contractors that will conduct site visits 
will vary, as will the scope and breadth of individual visits; however, 
such site visits will be in accordance with guidance issued by CMS. 
Those who will conduct site visits will receive appropriate 
instructions and oversight regarding the performance of the visits.
    Comment: Several commenters stated that HHAs and hospices are 
already subject to a State survey prior to enrollment--as well as on a 
periodic basis thereafter--thus making a site visit superfluous. As 
such, initially enrolling HHAs and hospices should be included in the 
limited screening level rather than in the moderate screening level. A 
commenter also stated that including all revalidating HHAs, hospices 
and DME suppliers in the moderate screening level is unfair and 
inappropriate, as they are already established providers; the commenter 
believes it should be exempt from the site visit requirement if it has 
been in existence for at least 5 years and there is no reason to 
suspect fraudulent activity. The commenter added, however, that 
additional site visits and increased medical review during the 
provider's first 5 years of enrollment could be performed to ensure 
compliance. Another commenter stated that it would be better to conduct 
HHA site visits, if they had to be performed, with existing or recent 
patients in their homes, since most care is provided to patients in 
their homes; care is not provided in the HHA or hospice office.
    Response: We do not believe that a site visit is superfluous. Due 
to the length of the enrollment, survey, and certification processes, 
we believe it is important for us to institute verification activities 
at multiple points during this period, and not to restrict its 
validation efforts to the enrollment process and the State survey. 
Moreover, we do not believe that site visits should be limited to 
providers who have been enrolled for less than 5 years, as we do not 
have data to suggest that those who have been enrolled for 5 years or 
more present less of a fraud, waste, and abuse concern than newly 
enrolled providers and suppliers. Finally, and as mentioned earlier, 
provider enrollment site visits will be conducted at the HHA's physical 
locations.
    Comment: A commenter asked CMS to describe the process the Medicare 
contractors are using to review State licensing data on a monthly 
basis. The commenter also requested clarification as to whether the 
reference to ``non-public, non-government owned'' applies only to 
affiliated ambulance services suppliers, or extends to the other 
provider types listed in the moderate level.
    Response: The contractors use various processes to review licensure 
data; frequently, this is an automated process. With regard to the 
clarification requested, the term as used in the NPRM applied only to 
ambulance

[[Page 5886]]

suppliers. However, as we have eliminated the distinction between 
public and non-public ambulance service providers, this comment is no 
longer applicable.
    Comment: A commenter suggested that CMS consider reclassifying 
providers and suppliers in the ``moderate'' and ``high'' screening 
level to the ``limited'' risk level if the provider or supplier is 
subject to State licensure requirements. In addition, the commenter 
opposed reclassifying providers or suppliers from one screening level 
to another based strictly on their geographical location. To do so 
would be arbitrary, and would not reflect the risk associated with 
particular provider or supplier types.
    Response: As already mentioned, we do not believe that State 
licensure is, in and of itself, indicative of a limited risk of fraud. 
In addition, we do not plan to reclassify providers or suppliers based 
solely on geographical location. As stated earlier, if we identify a 
concern among provider and supplier categories in a particular 
geographic location, our authority to impose a temporary moratorium 
will help to address those concerns. However, we do retain the 
authority to add geographic location as a criterion for adjusting a 
provider or supplier's screening level through future rulemaking.
    Comment: A commenter expressed concern that fingerprinting: (1) 
Could be very costly; (2) raises privacy and security concerns once an 
organization begins to collect, maintain, administer access and store a 
database of fingerprints; and (3) is technologically being replaced by 
much more modern and reliable identification techniques. The commenter 
urged CMS to avoid requirements for fingerprinting in screening 
requirements and to use more modern techniques.
    Response: As already mentioned, we believe that fingerprint-based 
criminal history record checks will be an effective tool in combating 
Medicare waste, fraud, and abuse. In our view, such criminal history 
record checks--more effectively than a name-based background check--
will prevent ineligible individuals from enrolling in the Medicare 
program. CMS believes that the cost to both the applicants for the 
collection of fingerprints, and to CMS for the processing of the prints 
is not unduly burdensome either to the providers and suppliers or the 
agency. We would like to clarify that CMS will not be collecting and 
storing any fingerprints. As mentioned earlier, the selected authorized 
channeler will collect and transmit the prints electronically directly 
to the FBI CJIS Division's Wide Area Network to check against the 
IAFIS, the FBI maintained database. CMS will only receive the criminal 
history record information, and will protect that information as the 
Privacy Act requires--both from a privacy and security standpoint. In 
response to the commenter's third remark, while CMS is aware of the 
advances in technology in the biometric market, the FBI and State law 
enforcement standard is currently the fingerprint. Once the FBI or 
State law enforcement requires a new standard of identification to 
access the criminal history record information, we will comply with 
that standard.
    Comment: A commenter suggested that in implementing the screening 
requirements, CMS should minimize duplication of effort. Often the same 
providers who participate in traditional Medicare are also 
participating in other plans, such as Medicaid. Having separate 
screenings could be burdensome and inefficient.
    Response: We agree with the commenter that every possible attempt 
should be made to avoid duplication of effort. To that end, we have 
attempted to address this concern by providing that the States may rely 
upon a screening performed by the Medicare program.
    Comment: A commenter supported the concept of applying geographical 
circumstances when adjusting providers or suppliers from one screening 
level to another, and recommended that anti-fraud efforts be 
coordinated with other payers--such as through information sharing--
because providers and suppliers perpetrating fraud do so across the 
spectrum of payers, and that reality should be integrated into CMS's 
overall strategy.
    Response: We agree that anti-fraud efforts should be coordinated 
among payors and we are taking steps to promote greater coordination. 
As stated previously, we believe our temporary moratoria authority 
described later in this rule will be an effective tool in particular 
geographic locations. We may revisit as a factor for enrollment 
screening level in future rulemaking.
    Comment: Several commenters stated that new locations of currently 
enrolled Medicare DMEPOS providers should be distinguished from other 
providers that do not have an established record with the Medicare 
program. CMS should therefore screen new locations of Medicare enrolled 
suppliers in the same manner as it proposes to screen currently 
enrolled providers.
    Response: We disagree. As previously stated, the addition of a new 
location is considered an initial enrollment. Consequently, a new 
DMEPOS location will be subject to the ``high'' level of categorical 
screening.
    Comment: Several commenters requested that occupational and 
physical therapists, including those enrolled or applying to enroll as 
DMEPOS suppliers, be placed in the limited risk level.
    Response: As stated earlier, all newly-enrolling DMEPOS suppliers 
(including those with new practice locations), regardless of sub-type, 
and including those that are owned by occupational and/or physical 
therapists, will be subject to a high level of categorical screening. 
For physical therapists enrolling as individuals or group practices 
via, respectively, the CMS-855I and CMS-855B applications, these 
suppliers will be placed in the moderate level of screening. As we 
explained earlier with respect to physical therapy providers, we 
believe the classification of physical therapists in the moderate level 
is supported by a recent OIG report entitled ``Questionable Billing for 
Medicare Outpatient Therapy Services'' (December 2010) (http://oig.hhs.gov/oei/reports/oei-04-09-00540.pdf), which found, among other 
things, that Miami-Dade County had three times, and nineteen other 
counties had at least twice, the national level on five of six 
questionable billing characteristics.
    Comment: A commenter asked whether CMS will identify the 
contractors that will perform these screenings, or whether it will 
accept screenings performed by commercial screening services widely 
used by large employers outside the health care industry.
    Response: We believe the commenter is referring to criminal 
background screenings. To comply with the FBI requirements that only 
authorized channelers submit fingerprints to the Wide Area Network, and 
receive the criminal history record information from the FBI, CMS will 
contract with a pre-approved FBI authorized channeler. In the future 
guidance, CMS will identify the selected authorized channeler(s) where 
individuals may have their fingerprints collected, or to whom they may 
submit the FD-258 card that was completed at a local law enforcement 
agency. In addition to ensuring compliance with FBI security 
requirements, such authorized channelers have vendors all over the 
country where individuals can have their fingerprints electronically 
collected. In addition, individuals may have their prints taken on the 
FD-258 paper card at a local law enforcement agency, and then have it 
sent to the

[[Page 5887]]

authorized channeler to have it digitized and submitted to the FBI.
    Comment: A commenter had several suggestions for screening levels. 
The commenter recommended that the limited screening level include 
providers affiliated with non-profit acute care hospitals or health 
systems; any not-for-profit providers who have been in existence for at 
least 20 years and who have filed annual cost reports (if required) for 
their line of business; and any for-profit providers in business for 20 
years as a single site provider. The moderate screening level should 
include all other providers except those indicated in the high 
screening level, plus any provider who has entered into a settlement 
with a government agency (Federal, State or local) within the past 20 
years, up through the most recent 5 years, where such settlement 
covered any over-charge allegations. The high screening level should 
include any provider who has entered into a settlement with a 
government agency (Federal, State or local) for any overpayment in the 
past 5 years; and any provider or group of providers which may 
currently be under review for possible billing overcharges or other 
violations who is seeking either a new provider number or seeking a new 
provider location.
    Response: We appreciate these suggestions, and may consider them as 
part of a future rulemaking effort should circumstances warrant. 
However, for now, and for the reasons described previously, we believe 
that the screening level assignments discussed in this preamble will 
best implement the statute.
    Comment: A commenter recommended that CMS refrain from publicly 
posting risk levels, particularly as they relate to individual 
providers or group practices. The commenter believes that in some 
instances this could give a false impression as to the level of risk of 
any provider or supplier, and that CMS has not clarified how this 
action will assist the agency with fraud prevention.
    Response: To the extent permitted by Federal law, we do not plan to 
publish risk assessments and the corresponding screening level of 
individual providers or suppliers.
    Comment: A commenter urged CMS to provide contractors with 
sufficient and targeted resources to handle identity theft screening to 
ensure that the additional screening precipitated by identity theft 
will not delay processing of new enrollment applications.
    Response: As mentioned throughout this rule, we do not plan to use 
fingerprint-based criminal history record checks to address identity 
theft concerns. Identity theft is within the purview of law enforcement 
and we will make referrals to our law enforcement partners whenever 
appropriate.
    Comment: A commenter requested clarification as to whether a 
revalidating provider would need to resubmit fingerprints with its 
application. The commenter believes this would be burdensome, costly, 
and unnecessary, since fingerprints do not change.
    Response: If an individual has provided fingerprints on one 
occasion, we will not ask such individual to furnish fingerprints a 
second time unless required by FBI protocols.
    Comment: A commenter disagreed that in all cases publicly traded 
entities pose a ``limited'' risk while all HHA companies that are not 
publicly traded pose a ``moderate'' risk to the program. The commenter 
supported the ``high'' risk assignment for those new to the program, 
but stated that the proposed rule does not consider that companies that 
have operated successful and compliant HHAs for years would fall into 
the high screening level if they were to open a new location or branch 
simply based on the arbitrary assignment of the screening level.
    Response: As stated earlier, we believe that newly enrolling HHA 
locations (for which a CMS-855 is submitted) should be subject to the 
enhanced scrutiny of the high risk screening level. Further, as stated 
earlier, we have eliminated the distinction between publicly traded and 
non-publicly traded companies.
    Comment: A commenter urged CMS to expand the definition of limited 
risk to include entities that file with the Securities and Exchange 
Commission (SEC), even though they do not have securities traded on the 
NYSE or NASDAQ. By reason of their debt obligations, such entities are 
subject to the same disclosure and reporting requirements under Federal 
securities laws as a company that is subject to section 13 or 15(d) of 
the Securities Exchange Act of 1934, as amended (the ``Exchange Act'').
    Response: As stated earlier, we have eliminated the distinction 
between publicly traded and non-publicly traded companies, and the 
comment is no longer applicable.
    Comment: A commenter stated that adjusting HHAs from the 
``limited'' or ``moderate'' screening level to ``high'' risk simply 
because they reside in an area for which CMS imposes a moratorium is 
arbitrary and punishes good HHAs with no consideration of their 
compliant service to the Medicare beneficiaries and the program.
    Response: As explained elsewhere in this section and also later in 
the general discussion regarding moratoria, a moratorium may be imposed 
if there is a heightened risk of fraud, waste, or abuse in a particular 
area or involving a certain provider or supplier category. If a 
particular provider or supplier type posed such a risk as to warrant a 
moratorium, it would be inappropriate for us to automatically exempt it 
from enhanced screening once the moratorium ends. To do so would, in 
effect, require us to state that once the moratorium ends, that 
provider or supplier type no longer poses a risk, a conclusion that we 
could not necessarily draw.
    Comment: A commenter stated that the assignment of risk should be 
based on defined criteria beyond those proposed, such as compliance 
history related to billings, medial review, and history of negative 
audits from the program safeguard contractors. The commenter added that 
defined criteria should also be used to identify when providers are 
moved to different screening levels. For instance, brand new HHAs with 
no previous enrollment history should be part of the high screening 
level; however, upon 5 years of compliant operation, they should be 
moved to the moderate screening level. If a company with a 5 year 
compliance history opens a HHA, it should not be assigned to the high 
screening level; instead, it should be assigned to the moderate 
screening level based on its good history with Medicare. Agencies that 
have a 7 year or more compliance history should be assigned the limited 
screening level.
    Response: Though we do not at this point believe that length of 
time as a Medicare provider should be a criterion for reducing a 
provider's or supplier's screening level, we may consider this as part 
of a future rulemaking effort should circumstances warrant.
    Comment: A commenter believes that the phrase ``Indian Health 
Service facilities'' should be deleted in favor of ``health programs 
operated by an Indian Health Program (as that term is defined in 
section 4(12) of the Indian Health Care Improvement Act) or an urban 
Indian organization (as that term is defined in section 4(29) of the 
Indian Health Care Improvement Act) that receives funding from the 
Indian Health Service pursuant to Title V of the Indian Health Care 
Improvement Act.'' Such language would encompass all Indian and tribal 
programs that are carried out pursuant to the Indian Health Care 
Improvement Act (IHCIA) and Indian Self-Determination and Education 
Assistance Act (ISDEAA). Moreover, to

[[Page 5888]]

ensure that all Indian and tribal health programs are treated as 
limited risk, the exception in (b)(1) and (c)(1) should be amended to 
refer to Indian and tribal health programs. The commenter stated that 
the burden on Indian and tribal providers of meeting new screening 
requirements would be significant and duplicative of screening 
requirements imposed already under the Indian Child Protection and 
Family Violence Act on many of the providers.
    Response: We will revise the language in the final regulation as 
requested by the commenter to ensure that Indian and tribal health 
programs are described accurately and are assigned to the limited 
screening level.
    Comment: A commenter stated that CMS should designate provider 
screening levels in the final rule with comment period, and should 
require changes in the risk level for a provider type to be subject to 
the rulemaking process.
    Response: We have specified the different screening levels in this 
final rule with comment period. Should a change in a particular 
provider or supplier type's classification be warranted and should it 
necessitate a change in existing regulatory language, we will publish 
notice of it in the Federal Register. However, we will not publish 
notice of the circumstances under which an individual provider or 
supplier has been moved to an elevated level of screening as described 
in Sec.  424.518(c) and Sec.  455.450(e).
    Comment: A commenter stated that ophthalmologists, optometrists, 
and opticians who only bill as DMEPOS suppliers for post-cataract 
glasses and lenses should fall into the limited screening level.
    Response: As detailed previously, currently enrolled DMEPOS 
suppliers will be placed in the moderate level of categorical screening 
and newly-enrolling DMEPOS suppliers will be assigned to the high level 
of screening.
    Comment: A commenter opposed CMS' proposal to consider assigning 
all providers or suppliers in a specific geographic location to a 
higher level of screening, solely because others in that area may be 
considered moderate or high risk. The commenter believes this type of 
action was arbitrary, and could cause new, limited risk providers to 
think twice before entering a geographic market, thus potentially 
blocking beneficiary access to needed services.
    Response: We did not assign any provider or supplier category to a 
screening level based on geography.
    Comment: A commenter did not believe independent laboratories 
should be placed in the moderate screening level, due to their high 
level of regulation. The commenter stated that the sheer volume has no 
bearing on risk and that they are already subject to regular site 
visits.
    Response: We disagree. Based on our experience, we believe that 
independent laboratories are appropriately assigned to the moderate 
screening level. We note that newly-enrolling DMEPOS suppliers are, 
too, subject to site visits, yet they are assigned the high screening 
level.
    Comment: A commenter stated that all physicians should not be 
placed in the limited screening level. Several specialties are 
increasingly engaging in abusive self-referral arrangements.
    Response: For the reasons stated previously, we believe that 
physicians and non-physician practitioners are appropriately classified 
in the limited screening level. Moreover, we note that the final rule 
with comment period contains provisions for elevating a particular 
physician's or practitioner's screening level in certain circumstances.
    Comment: One commenter disagreed that geographical circumstances 
should justify the adjustment of FQHC providers and suppliers to 
elevated screening levels based upon this criterion alone. The 
commenter stated that FQHC entities are in an entirely different 
classification and should not be subject to the same categorical 
movement.
    Response: We assume this commenter is concerned about our ability 
to reassign providers or suppliers after a temporary moratorium is 
lifted such that FQHCs could be classified as high risk in the event 
they are located in an area in which a temporary moratorium is lifted. 
We intend to finalize the elevated risk factors. We believe it 
important to closely monitor all providers and suppliers in the event a 
temporary moratorium is imposed--and for a period thereafter. We note 
that this would only apply to providers and suppliers to which the 
moratorium applied. Unless the moratorium that was lifted had applied 
to either all providers and suppliers in a geographic area or to a 
category of providers or suppliers that included FQHCs or to FQHC 
specifically, the elevation to the high screening level would not apply 
to FQHCs or any other provider or supplier category not originally 
subject to the moratorium.
    Comment: A commenter: (1) Expressed concern about potential 
application delays if the Medicare contractors have insufficient funds 
to conduct these visits; (2) requested assurances from CMS that 
adequate funds will exist; and (3) recommended that CMS provide 
guidance to the Medicare contractors on the timeframes within which 
enrollment inspections shall occur.
    Response: We believe that adequate funds will exist to perform the 
required site visits, and we will issue guidance to our contractors 
regarding processing times.
    Comment: A commenter expressed concern that tax-exempt, faith-based 
HHAs will be subject to a higher level of scrutiny than publicly traded 
for-profit HHAs. The commenter believes that such faith-based HHAs 
should be placed in the limited screening category.
    Response: We have eliminated the distinction between publicly 
traded and non-publicly traded HHAs. We decline to adopt the 
commenter's suggestion to assign faith-based HHAs in the limited level 
of screening as it has not been our experience that faith-based HHAs 
present a different risk of fraud and abuse than non-faith-based HHAs.
    Comment: A commenter stated that the inclusion of CMHCs in the 
``moderate'' risk group seems appropriate given the history of fraud in 
``for profit'' CMHCs. The commenter believes, however, that in the 
future, ``not for profit'' CMHCs be considered for status as a 
``limited'' screening level.
    Response: We decline to adopt the commenter's suggestion, as it has 
not been our experience that non-profit CMHCs pose a different risk 
than for-profit CMHCs. We will monitor CMHCs and other provider and 
supplier types after this final rule with comment period is implemented 
and, if need be, make adjustments to various risk classifications.
    Comment: A commenter stated that the fingerprint requirement is 
problematic. The FD-258 fingerprint card could be fairly easy to obtain 
and complete without the involvement of government officials or by 
manipulating the form before forwarding it to the concerned government 
representative which could lead to fraudulent data being accepted by 
CMS contactors. In order to ensure the validity and acceptability of 
fingerprint data, the commenter stated that a clear chain of custody 
will be required for the FD-258 cards, providing for uninterrupted and 
secure forwarding of the completed cards from an originating law 
enforcement office to the CMS contractor. The commenter believes that 
consultation with the FBI and other expert agencies on this subject 
could prove valuable.
    Response: CMS has consulted and will continue to consult with the 
FBI regarding the use of the FD-258 card. As noted previously, CMS has 
found that in addition to a longer processing time for

[[Page 5889]]

the FD-258, there is a higher cost to CMS for the processing of such 
cards. However, individuals who have their prints collected by a local 
law enforcement agency must use the FD-258 card and submit it to CMS' 
authorized channeler. The authorized channeler will digitize such FD-
258 cards obtained at a local law enforcement agency for submission to 
the FBI. The chain of custody will conform to the FBI Security and 
Management Control Outsourcing Standard for Channelers and Non-
Channelers and the FBI's Criminal Justice Information Services (CJIS) 
Division's Security Policy.
    Comment: A commenter recommended that the proposed screening 
procedures be applied across the board for all providers and suppliers 
in or being introduced into any aspect of the Medicare, Medicaid or 
CHIP system.
    Response: We disagree with this comment. Different categories of 
providers and suppliers pose different risks that must be addressed in 
distinct ways.
    Comment: A commenter recommended that when determining whether to 
adjust an individual DMEPOS supplier's screening level, CMS should 
consider the supplier's: (1) Experience in furnishing services; (2) 
experience in the geographic area; (3) accreditation status and 
compliance with quality standards; and (4) compliance program, as well 
as any past fraudulent activity by the supplier or its employees and 
the category of DMEPOS it furnishes.
    Response: We decline to adopt this approach. First, we believe that 
this could be subject to inherently arbitrary implementation. Second, 
as has been described previously, we believe the ACA requires us to 
assign categories of providers and suppliers to a level of screening 
based on the risk for fraud. The criteria the commenter proposes would 
necessitate a level of pre-screening that is not feasible for every 
applicant CMS must process.
    Comment: A commenter stated that providers and suppliers should be 
individually notified of the screening level into which they will be 
placed and the reasons for such designation. The categorizations should 
not be made public because that could easily lead to irreparable damage 
to reputations and the companies' business.
    Response: The publication of this final rule with comment period 
serves as notification to suppliers and providers of the assignment of 
their category to a particular screening level. The only new screening 
requirement that requires action on the part of a provider or supplier 
is the fingerprint-based criminal history record check. As stated, 
there will be an additional 60 day period after the publication of 
subregulatory guidance prior to its implementation for DMEPOS and HHAs. 
In instances where an individual provider or supplier has been 
reassigned to a higher level of scrutiny under Sec.  424.518(c)(3), we 
anticipate that each provider or supplier will be individually notified 
of its newly assigned screening level prior to revalidation. This 
process will be clarified in the subregulatory guidance that CMS will 
issue as described in this final rule with comment period. Moreover, to 
the extent permitted by Federal law, we do not intend to make public a 
particular provider or supplier's screening level assignment.
    Comment: A commenter requested that CMS expand the limited 
screening level defined in the proposed regulation to include the term 
``non-physician practitioner.'' This term is frequently used to 
describe nurse practitioners, clinical nurse specialists, and 
physicians' assistants.
    Response: This regulation uses the term ``non-physician 
practitioner'' in describing categories of providers assigned to a 
level of screening. See Sec.  424.518(a)(1)(i).
    Comment: A commenter recommended that, to the extent allowed under 
law, CMS disclose limited information about the risk model so as to 
avoid reverse-engineering by individuals intent on defrauding the 
Medicare program.
    Response: We appreciate this comment, but believe it is important 
that the provider and supplier communities be made aware of what will 
be required as part of the enrollment process.
    Comment: A commenter recommended that reimbursement be provided for 
the cost of the background check and fingerprint card. With budget cuts 
and regulatory mandates, providers are struggling to meet the 
increasing costs of delivering health care services in an environment 
with decreasing resources. Another commenter suggested, however, that 
fingerprinting be done at the cost of the provider prior to the 
Medicare contractor receiving the enrollment application.
    Response: A fingerprint-based criminal history record check is part 
of the Medicare enrollment screening process for specified applicants. 
The cost of the having the fingerprints taken and supplying the 
fingerprints to the authorized channeler, whether electronic or on the 
card, will be borne by the provider or supplier. There will be no cost 
to the provider or supplier for the subsequent processing of the prints 
or the background check, as CMS will pay for the processing of the 
prints and the criminal history record check.
    Comment: A commenter recommended that providers be able to have 
their fingerprints electronically scanned with a vendor contracting 
with the Federal government.
    Response: Shortly after the publication of this final rule with 
comment period, we will be issuing guidance to the provider and 
supplier communities regarding the processes for obtaining 
fingerprints. We anticipate that CMS will contract with an FBI-approved 
authorized channeler for the collection and transmission of 
fingerprints. It is our understanding that such authorized channelers 
use electronic technology to collect and process fingerprints. We will 
provide more information regarding available technologies and vendors 
prior to the implementation of this requirement, as announced 60 days 
prior to the effective date through the publication of subregulatory 
guidance.
    Comment: A commenter stated that CMS needs to ensure that 
information used in the classification of suppliers is correct and 
appropriate. Thus, CMS should require that only final agency actions be 
used as a basis for assigning suppliers. Decisions overturned on appeal 
should have no bearing or effect on the supplier's screening level.
    Response: We do not believe it is appropriate to wait until a 
particular action is final before shifting a provider into a different 
screening level. The appeals process can take an extended period, 
during which a provider intent on defrauding the Medicare program could 
have more time to do so if permitted to remain in a lower screening 
level. As already mentioned, should a particular action be rescinded, 
the provider will be restored to its previous screening level.
    Comment: A commenter stated that pharmacies licensed by the State--
whether newly enrolling or as part of an additional location--should be 
specified as limited risk providers.
    Response: As we mentioned earlier, State licensure is not 
automatically indicative of the screening level that should be ascribed 
to a category of provider or supplier.
    Comment: A commenter questioned whether hospice organizations are 
correctly included within the moderate screening level and should 
instead be included in the limited screening level. The commenter did 
not believe that sufficient data exists to justify placing

[[Page 5890]]

hospices in the moderate screening level.
    Response: For the reasons we explained, we believe that hospices 
are most appropriately as assigned to the moderate screening level.
    Comment: A commenter stated that if an enrollment moratorium were 
placed on a particular geographic area and then lifted, the Medicare 
contractor would be required to conduct background checks and 
fingerprints on all physicians in that area. The commenter urged CMS to 
reconsider the burdens and costs of doing so for large groups of 
providers. The delays in processing these applications would deter 
physicians from enrolling and revalidating their enrollments. The 
commenter also stated that CMS should limit those physicians placed in 
the highest level of screening to individuals previously found guilty 
of crimes against Medicare or where there is publicly available 
evidence to justify such intrusions.
    Response: The situation described in the commenter's first sentence 
would only apply in the unlikely event that physicians in that area 
were subject to a moratorium. As stated earlier, CMS does not believe 
that the collection of the fingerprints for the FBI fingerprint-based 
criminal history record check will substantially impact the time to 
process an enrollment application by the relevant Medicare contractor. 
If, as will most likely be the case with any temporary enrollment 
moratorium, the moratorium only applies to non-physician provider or 
supplier types, physicians would not be affected by the lifting of the 
moratorium. We believe we have clarified this point in the final rule 
with comment period.
    Comment: Regarding fingerprinting and background checks, a 
commenter requested clarification regarding: (1) How the information 
will be stored and whether it will be destroyed after a period of time; 
(2) how the information will be used; (3) what constitutes background 
information that rises to the level of a threat to Medicare; (4) 
whether the physician or non-physician practitioner be afforded a copy 
of the results; (5) the policies that will ensure that the information 
is protected and secure and, in the event of a security lapse, whether 
the practitioner will be notified; (6) who will be conducting the 
background checks; (7) whether the information will be added to State 
or Federal databases for other purposes; and (8) whether practitioners 
will know prior to or at the time of application submission that they 
will be subject to these additional requirements.
    Response: We have clarified in this final rule with comment period 
that the fingerprint requirement will be used in the context of 
obtaining FBI criminal history record information. This information 
will be stored according to all Federal requirements as well as the 
FBI's Security and Management Control Outsourcing Standard for 
Channelers and Non-Channelers and the CJIS Security Policy. CMS will 
rely on existing authority to deny and revoke enrollment at Sec.  
424.530(a) and Sec.  424.535(a) if an individual who maintains a 5 
percent or greater direct or indirect ownership interest in a provider 
or supplier has certain prior felony convictions, or if an enrollment 
application contains false or misleading information. The FBI will send 
the results of the criminal history record check only to the authorized 
channeler, who will be permitted to send the results only to the 
authorized recipient, or an FBI approved outsourced third party. In the 
event of loss of the criminal history record reports, CMS will follow 
the established protocol for communicating with the public and 
individuals regarding the loss of personally identifiable information. 
The criminal history record information is compiled when the FBI 
receives the fingerprint and links it to an existing record(s) of 
arrest and prosecution in State and FBI databases. Individuals or 
entities do not conduct criminal background checks. CMS, through an 
authorized channeler, will be accessing existing law enforcement data 
on fingerprinted individuals as required by this final rule with 
comment period. CMS will inform all relevant individuals of their 
requirement to submit fingerprints for the purposes of an FBI criminal 
history check as a condition of enrollment. While we are finalizing 
this screening method, we do not plan to implement this provision upon 
the effective date. Instead, we will be issuing additional guidance to 
providers, suppliers, the general public, and our contractors after the 
publication of this final rule with comment period to explain the 
operational aspects of the fingerprint-based criminal history record 
check requirement. As stated previously, we will delay implementation 
until 60 days after the publication of subregulatory guidance.
    Comment: A commenter asked who will pay the fee for the 
fingerprinting and, if the physician or practitioner must pay it, 
whether he or she will be reimbursed, given the restrictions on 
application fees for certain non-institutional providers.
    Response: The relevant individuals who are required to undergo the 
criminal history record check will incur the cost of having their 
fingerprints taken. Providers and suppliers will not be reimbursed by 
Medicare, Medicaid or CHIP for the fingerprint collection costs. CMS 
will bear the cost of processing the fingerprint-based criminal history 
record check for providers and suppliers that enroll in Medicare. For 
Medicaid-only and CHIP-only providers, the States and Federal 
government will share these costs.
    Comment: A commenter stated that fingerprinting is generally 
limited to certain hours of the day. Due to the demands of physicians' 
schedules, the commenter asked how CMS will ensure the availability of 
fingerprinting for those physicians placed in the high screening level.
    Response: Physicians who are enrolled in Medicare as practicing 
physicians will generally not be subject to fingerprinting. 
Fingerprint-based criminal history record checks will only be required 
in the case of providers or suppliers that are assigned to the high 
screening level. Physicians are generally assigned to the limited 
screening level.
    Comment: A commenter urged CMS to ensure that fingerprinting and 
background checks do not delay the enrollment of legitimate and honest 
physicians.
    Response: Physicians are generally assigned to the limited 
screening level and, as such, will not be subject to fingerprinting 
based on their enrollment as a physician. Physicians who choose to 
enroll as DMEPOS suppliers or HHAs will be required to undergo a 
fingerprint-based criminal history record check as a requirement of the 
high screening level but, as stated previously, CMS does not believe 
this requirement will significantly delay the enrollment of any 
provider or supplier.
    Comment: A commenter stated that hospital-owned HHAs and hospices 
should be designated as limited risk and, therefore, should not be 
subject to unannounced and unscheduled pre-enrollment and/or post-
enrollment onsite visits.
    Response: For the reasons already discussed, newly enrolling HHAs 
will be placed in the high screening level, regardless of ownership.
    Comment: Several commenters stated that implementing the new 
screening procedures by March 23, 2011 is not feasible due to the 
coordination efforts required between Medicare and Medicaid. They 
recommended that the implementation date be moved to March 23, 2012.
    Response: We disagree, and believe that all screening procedures 
except the fingerprint-based criminal history record check required for 
those in the high level of screening will be in place

[[Page 5891]]

beginning on March 25, 2011. As noted previously, we will delay 
implementation of such high screening level until 60 days after the 
publication of subregulatory guidance on how this provision will be 
implemented. Further, we believe the statute requires the 
implementation dates that we have specified.
    Comment: A commenter recommended that CMS reconsider the risks 
associated with allowing existing enrollees to be exempted from the new 
screening procedures until March 23, 2012. The commenter believes this 
creates a potential gap in program integrity.
    Response: The ACA specifies the effective dates for the new 
screening provisions. For newly enrolling providers and suppliers, and 
for those currently enrolled whose revalidation is scheduled between 
March 25, 2011 and March 23, 2012, the effective date is March 23, 2011 
or the date scheduled for the revalidation. For providers and suppliers 
assigned to the high screening level, the fingerprint-based criminal 
history record check requirement will be implemented through 
subregulatory guidance and will be effective 60 days following the 
publication of the guidance. All other screening requirements are 
effective on March 25, 2011 for those in the high screening level. For 
all other currently enrolled providers and suppliers, the statute 
established an effective date of March 23, 2012.
    Comment: A commenter recommended simplifying the screening process 
such that all enrolling providers and suppliers are put into the 
moderate level, and then adjust screening interventions based on 
specific circumstances related to elevated risk of fraud.
    Response: We decline to base the assignment of provider and 
supplier types to a level of screening on the assumption that every 
provider or supplier is of equal risk upon enrollment into the 
Medicare. We see clear differences in risk among categories of 
providers and suppliers. Therefore, we do not plan to assign all 
provider and supplier categories to the same screening level. In 
response to the suggestion that we adjust screening interventions based 
on specific circumstances, we believe this process is both unwieldy and 
burdensome to implement for every provider as the baseline screening 
methods. Although we have identified certain events that will cause a 
provider to move from ``limited'' or ``moderate'' to ``high'' 
screening, we do not believe we should conduct individual assessments. 
As stated previously, CMS will assess an individual provider's risk and 
potential actions based on the individual provider's enrollment 
application and may continue to use existing program integrity tools 
that are not addressed by this rule. We believe this approach is the 
most objective approach and is consistent with the ACA.
    Comment: A commenter requested clarification on how States will be 
notified of providers' risk classifications and any changes thereto.
    Response: We will disseminate guidance to the States on this topic 
shortly after the publication of this final rule with comment period.
    Comment: A commenter recommended that CMS explain whether it is 
replacing or removing the current revalidation basis in Sec.  
424.535(a)(6) with the proposed new Sec.  424.535(a)(6).
    Response: We are neither replacing nor removing the current 
revalidation basis. We simply proposed an additional reason at Sec.  
424.535(a)(6)(i) for the revocation of Medicare billing privileges. 
Specifically, we proposed that billing privileges may be revoked if 
``An institutional provider does not submit an application fee or 
hardship exception request that meets the requirements set forth in 
Sec.  424.514 with the Medicare revalidation application,'' or the 
hardship exception is not granted. We will renumber the subsections in 
Sec.  424.535(a) accordingly.
    The commenter refers to the current revalidation basis but cites to 
the revocation regulation. To clarify, as stated previously, the 
proposed rule proposed to require that a provider or supplier 
revalidate its enrollment at any time pursuant to Sec.  424.515. This 
new authority to permit off-cycle revalidations does not replace the 
current cycle for revalidation (3 years for DMEPOS and 5 years for all 
other providers).
    Comment: To reduce the paperwork burden imposed on providers and 
suppliers and to reduce the administrative expense associated with 
processing a revalidation application, several commenters recommend 
that CMS allow providers and suppliers in good standing to submit an 
annual attestation, rather than a full revalidation application. The 
attestation, in other words, would be used in lieu of revalidation, and 
would require the provider or supplier to notify CMS of any changes or 
to attest that there were no changes within the prior year. This 
approach would promote compliance without requiring the provider or 
supplier to submit a full revalidation application and a fee.
    Response: The burden associated with submitting Medicare enrollment 
applications A, B, I, R and CMS-855S is currently approved under Office 
of Management and Budget (OMB) control numbers 0938-0685 and 0938-1057, 
respectively. Such an attestation, as proposed by the commenter, would 
not fulfill the screening requirements of this final rule with comment 
period, as re-screening is a condition of revalidation. The screening 
requirement and associated application fee are required by the ACA to 
minimize the risk of fraud, waste and abuse to the Medicare, Medicaid 
programs and CHIP, and cannot be circumvented by a process that would 
limit the scope of such screenings.
    Comment: One commenter stated that CMS did not furnish sufficient 
justification or rationale for its proposal in Sec.  424.515 that CMS 
may require a provider or supplier to revalidate its enrollment at any 
time. The commenter added that the proposed revision seems punitive and 
overly broad because CMS does not furnish ample discussion for the 
public to fully evaluate the proposal. The commenter recommended that 
CMS remove its proposal because CMS did not: (1) Justify its reasons 
for establishing this new authority, (2) describe its existing 
authorities and how this proposal is different, and (3) explain or 
justify the number of times that CMS can require revalidation within a 
given period of time.
    Response: We proposed at Sec.  424.515 that we have the ability to 
require that a provider or supplier revalidate its enrollment at any 
time, and stated that this proposal was designed to help ensure that 
the statutory effective date of March 23, 2013 is met. We fully intend 
to implement the new authorities provided by the ACA by the deadlines 
that have been set out by the Congress.
    We stated in the proposed rule that DMEPOS suppliers are required 
to re-enroll every 3 years, and other providers and suppliers are 
required to revalidate their enrollment every 5 years. For purposes of 
clarity, we also proposed language at Sec.  424.57(e) that changes all 
references to ``re-enroll'' or ``re-enrollment'' to ``revalidate'' or 
``revalidation.'' We have existing authority at Sec.  424.515(d) to 
require off-cycle validations in addition to the regular 5 year 
revalidations and may request that a provider or supplier recertify the 
accuracy of the enrollment information when warranted to assess and 
confirm the validity of the enrollment information maintained by us. 
Such off-cycle revalidations may be triggered as a result of random 
checks, information indicating local health care

[[Page 5892]]

fraud problems, national initiatives, complaints, or other reasons that 
cause us to question the compliance of the provider or supplier with 
Medicare enrollment requirements. Off cycle revalidations may be 
accompanied by site visits. The new authority to conduct off-cycle 
validations of providers and suppliers will enable us to apply the new 
screening requirements to all currently enrolled providers and 
suppliers by the statutory effective date.
    The proposed rule stated that once a provider has been subject to 
an off-cycle validation under Sec.  424.515(e), the current cycle for 
revalidation would apply. This means that if a provider subject to the 
5-year revalidation cycle had to revalidate in 2013, the provider or 
supplier would next have to revalidate in 2018. However, a provider or 
supplier may be required to revalidate under Sec.  424.515(d) during 
that time period if there are indicators of the noncompliance for a 
particular provider.
    Comment: A commenter stated that CMS currently requires contractors 
to review State licensing board data on a monthly basis. As such, it 
would be more efficient to access a centralized, federated database to 
provide CMS with the most comprehensive data on physician licensure 
status.
    Response: As previously mentioned, we are currently in the process 
of re-assessing the provider enrollment process and systems that are 
used to support screening and enrollment. We are exploring a number of 
options to take advantage of technological advances to improve the 
provider screening process. Increased automation of the process is one 
of the areas on which we are focusing.
    Comment: A commenter stated that, given the ongoing Medicare 
backlogs, CMS should provide information regarding: (1) The number of 
revalidations started and completed by CMS or its contractors in 2007, 
2008, 2009, and 2010, (2) how an estimated 93,000 revalidations per 
year beginning in 2010 will impact the processing of new applications 
by providers and suppliers, and (3) the amount of money obligated on 
provider screening activities for each fiscal year between 2005 and 
2010, and (4) how much money CMS expects to obligate for these 
activities in 2011. Another commenter recommended that CMS furnish the 
number of revalidation applications processed by the National Supplier 
Clearinghouse, MACs, carriers, and fiscal intermediaries for each of 
the last 5 years.
    Response: This final rule with comment period specifically 
increases the number of providers and suppliers that will be 
revalidated through the use of off-cycle revalidations, for the 
explicit purpose of applying the new screening requirements to 
currently enrolled providers. Therefore, the number of revalidations 
processed in the past 4 or 5 years and the money obligated to that 
process is irrelevant to the evaluation of our ability to process 
additional revalidations as required by this final rule with comment 
period. Additionally, we have undertaken steps to streamline the 
enrollment process, both for newly enrolling and revalidating providers 
and suppliers. We recognize that there have been challenges in 
implementing the new authorities to safeguard the integrity of 
Medicare, Medicaid and CHIP, and have demonstrated a willingness to 
work with providers and suppliers to reduce unnecessary burdens and 
risks that may have accompanied the enrollment processes in the past. 
We have communicated with providers via Medicare Learning Networks and 
provider Open Door Forums, and will continue to do so throughout the 
implementation of the ACA.
    We believe that additional resources will be available to enable 
the processing of the increased numbers of enrollment applications. We 
have actively taken steps to reduce processing times as much as 
feasible. Furthermore, we have undertaken many activities to streamline 
the enrollment process to reduce the burden upon providers and 
suppliers.
    Comment: A commenter recommended that CMS employ an expanded data-
driven screening process by using open-source data during the 
enrollment and re-enrollment business processes. Such data could 
include the current operational status of the firm; chain of ownership 
or corporate family linkages; identification of tax liens; presence of 
open bankruptcies; and records of government enforcement actions. The 
commenter also suggested that each provider and supplier be registered 
for post-enrollment data monitoring, which ``pushes'' one or more high 
risk updates (for example, bankruptcy filing; a criminal filing 
involving a provider executive; or sudden increase in the risk of 
financial failure) to CMS automatically. CMS could use such high risk 
alerts for the selection and prioritization of unscheduled and 
unannounced site visits. Finally, the commenter recommended additional 
database checks that would vary by screening level. These included, but 
were not limited to, verifying: (1) Corporate chain of ownership, (2) 
tax liens, (3) non-HHS government enforcement actions, (4) extent of 
any government contracting, and (5) any open lawsuits.
    Response: As stated previously, we are continually exploring 
additional improvements to our data systems. We are committed to 
working with both private and public partners to continue to evaluate 
technologies that can provide the scalability and safeguards to 
beneficiary access that we need to ensure accurate payments to 
legitimate providers for appropriate services.
    Comment: A commenter urged CMS to release a proposal for comment 
that provides additional detail regarding what CMS believes should 
constitute background information relevant to Medicare provider 
enrollment that would prevent a practitioner from enrolling in the 
Medicare program.
    Response: At some point it may be necessary to modify our existing 
regulations that address felonies that are relevant to enrollment of 
billing privileges. However, we have not yet proposed expansion of our 
existing authorities codified in the Code of Federal Regulations. The 
requirements for Medicare enrollment are established in other 
regulations and manual instructions, and are not--unless otherwise 
stated herein--being modified in this final rule with comment. The 
criminal background check is intended to verify certain information 
provided on the Medicare enrollment application. Under our existing 
regulatory authority, we could impose a denial of enrollment or a 
revocation of billing privileges based upon the results of the 
background check in certain instances. Illustratively, if, through the 
background check, CMS learned of a felony conviction that met the 
criteria at Sec.  424.530(a)(3) or Sec.  424.535(a)(3), billing 
privileges could be denied or revoked, respectively.
    Comment: One commenter stated that in its FY 2011 performance 
budget, we say that we will create a limited number of MACs to carry 
out provider enrollment, and that each contractor would enroll 
providers for designated regions of the country. Given the publication 
of the proposed rule, the commenter recommended that we explain how 
reducing the number of MACs and increasing the workload will help 
providers and suppliers and reduce Medicare fraud, waste, and abuse in 
the Medicare program. The commenter also requested that CMS furnish an 
update on this consolidation effort. Another commenter asked CMS to 
explain how it will consolidate provider enrollment activities, conduct 
93,000 revalidations, and handle initial applications without 
disrupting the provider enrollment

[[Page 5893]]

process and creating additional backlogs and processing delays for 
providers of service and suppliers.
    Response: We recognize that provider enrollment is a large and 
complicated task that requires not only internal consistency but also 
understanding and ease of interaction with the provider and supplier 
community. As a result, we are currently engaged in a thorough 
assessment of the provider enrollment process and in making 
improvements as needed to eliminate delays in enrollment and improve 
overall system performance. As part of this process, we are working 
toward consolidation of the number of enrollment contractors as a means 
to achieve economy of scale and greater consistency in the enrollment 
process. In developing the provisions of this final rule with comment 
period and other regulatory and subregulatory policies, we are mindful 
of the overall re-assessment of the provider enrollment process and 
supporting systems.
    Comment: A commenter urged CMS to refine its provider enrollment 
specialty categories to accurately reflect the existing varieties of 
practitioners--particularly the categories for dentistry and the dental 
specialties--in order to reduce the likelihood that practitioners such 
as dentists will be inappropriately categorized and subject to 
unwarranted higher levels of screening.
    Response: We do not believe it is necessary to further refine the 
provider enrollment specialty. Dentists should submit the CMS-855I if 
they intend to submit claims directly to Medicare. Further, dentists 
would be in the limited screening level.
    Comment: A commenter stated that the proposed rule does little to 
prevent: (1) Identity theft; (2) health care fraud; (3) money 
laundering; and (4) bank fraud. The commenter believes that the 
screening levels were too broad and simplistic. To prevent fraud and 
abuse, the commenter recommended that CMS: (1) Implement section 
6401(a)(3) of the ACA immediately; (2) consider and adopt distinct 
screening criteria and program requirements for non-physician owners of 
medical clinics and that these providers be placed into a high 
screening level, and (3) use the statutory authority in section 
6401(a)(3) of the ACA to make sure that the claims being submitted are 
valid.
    Response: We believe the commenter is referring to new section 
1866(j)(3) of the Act, which addresses a provisional period of enhanced 
oversight for new providers of services or suppliers. We will implement 
all authorities granted under the ACA using the proper procedures. We 
disagree with the commenter that the proposed rule and this final rule 
with comment period will do little to prevent health care fraud, and 
believe that issues of money laundering and bank fraud are beyond the 
scope of this final rule with comment period. We strongly believe that 
additional site visits, both announced and unannounced, will help to 
identify fraudulent providers and suppliers before they are permitted 
to enroll in Medicare, Medicaid or CHIP. The temporary moratoria and 
payment suspension provisions give us the ability to act as soon as a 
problem is detected, preventing money from being paid while balancing 
the rights and needs of providers, suppliers, and beneficiaries.
    Comment: One commenter stated that CMS's proposed ability to 
reenroll DMEPOS suppliers more frequently than every three years could 
be burdensome for CMS and the DMEPOS supplier, and suggested that CMS 
revalidate every 3 years from the most recent revalidation, rather than 
every 3 years from the date billing privileges were granted.
    Response: As stated previously, the proposed rule and this final 
rule with comment period permit us to require revalidation of DMEPOS 
suppliers on or after March 23, 2012 to meet the statutory effective 
date for the screening requirements; after that, DMEPOS suppliers would 
then be subject to revalidation every 3 years. DMEPOS could be subject 
to off-cycle revalidation under existing authority at Sec.  424.515(d) 
when CMS has reason to question the compliance of the provider or 
supplier with Medicare enrollment requirements.
    Comment: One commenter stated that identity theft is a huge problem 
in the United States and that Medicare, Medicaid and CHIP should do 
everything possible to protect physicians' identities. The commenter 
recommended that CMS provide data on the number of physicians and non-
physician practitioners who have practice locations in multiple 
States--including States with connecting State boundaries and States 
without connecting State boundaries. The commenter also suggested that 
CMS explain what efforts, if any, are used to verify a physician that 
is establishing a practice location in multiple States and that the 
individual's identity is authenticated. Another commenter stated that 
it is unclear how fingerprinting and background checks will achieve the 
goal of preventing identity theft for physicians.
    Response: We agree with the comment that Medicare, Medicaid and 
CHIP should use all available authorities to protect physicians' 
identities. However, as we have noted previously, we will not use this 
screening regulation to identify instances of identity theft. We 
disagree that the publication of the number of physicians and non-
physician practitioners who have practice locations in multiple States 
will address the issue of identity theft. We also have a process in 
place to verify a physician is legitimately establishing practice 
locations in multiple States, and have found there are multiple 
legitimate reasons why this may be the case.
    We believe that criminal history record checks will enable us to 
verify information that has been submitted on an enrollment application 
is accurate and complete. As stated previously, using fingerprints to 
perform such a record check is the only accepted method by the FBI for 
non-criminal justice purposes, as it is believed to be the most 
accurate link between an individual and their criminal history record.
    Comment: A commenter stated that in the proposed rule, CMS does not 
justify or explain the rationale for many of its positions, such as: 
(1) Placing providers and suppliers into various screening categories, 
and (2) its rationale for creating a new revalidation reason (see Sec.  
424.515(e)). The commenter recommended that CMS not finalize this 
proposed rule, but rather publish a new proposed rule using the 
information from this rule.
    Response: We disagree that the proposed rule did not explain our 
rationale for our approaches. As mentioned earlier, we relied on our 
extensive experience to identify categories of providers with a higher 
incidence of fraud, waste and abuse. In addition, we used the expertise 
of our contractors charged with identifying and investigating instances 
of fraudulent billing practices in making our decisions regarding the 
appropriate risk classification of various providers. In some 
instances, we also relied on the data analysis and expertise of the 
OIG, GAO, and other sources to develop a process designed to increase 
scrutiny for specific categories of providers and suppliers that 
represent a higher risk to the Medicare program. Furthermore, we stated 
the new reason for off-cycle validation is to enable us to apply the 
new screening requirements to all applicable providers and suppliers by 
the statutory effective date of March 23, 2013.
    Comment: In response to a request for comments, a commenter stated 
that harmonization between Medicare, Medicaid, and MA would be 
beneficial

[[Page 5894]]

only to the extent that the programs have enrollment and re-validation 
reciprocity and that adequate resources and time were allocated to 
ensure that harmonization does not wreak havoc among state Medicaid 
programs and MA plans. Reciprocity would ensure that physicians are not 
subject numerous times to the same or similar onerous requirements; 
this would also represent significant savings for Federal health care 
programs.
    Response: We agree that harmonization between program requirements 
will be beneficial for State Medicaid agencies, providers, and CMS. 
This final rule with comment period implements several changes that 
minimize the burden on States and providers, including the reciprocity 
of Medicare screening for dually enrolled providers and State 
responsibility to screen only Medicaid and CHIP-only providers.
    Comment: A commenter requested special consideration and/or 
exemptions for States with comprehensive licensure statutes for 
orthotists and prosthetists.
    Response: We do not agree that licensed orthotists and prosthetists 
should receive special consideration or exemptions as compared to 
orthotists and prosthetists that happen to be located in a State 
without what could be deemed `non-comprehensive' licensure statutes. 
CMS did not make a distinction based on licensure requirements for any 
other category of provider.
    Comment: A commenter opposed the proposed language at Sec.  
424.515(e) allowing CMS to require additional off-cycle revalidations, 
stating it could allow CMS to initiate revalidations frequently and on 
a whim. At a minimum, off-cycle revalidations should be exempt from the 
$500 application fee.
    Response: We disagree with this comment. Section 424.515(e) was 
added for a specific purpose and we could not require a provider or 
supplier to revalidate off-cycle pursuant to Sec.  424.515(e) more than 
once. The application fee was included in the statute to cover exactly 
the type of screenings that will be performed during the revalidations, 
and we do not believe it is appropriate or necessary to exempt the 
revalidations from the fee.
    Comment: A commenter suggested that CMS tie an enrollment ban to 
those who are trying to enroll in the Medicare program and not just for 
those who are already enrolled. That way, fraudulent providers would 
never be allowed to enter the program.
    Response: We believe the commenter is referring to an enrollment 
bar for providers and suppliers whose applications are denied, similar 
to that which is currently in place for providers and suppliers whose 
Medicare billing privileges are revoked. We appreciate this suggestion. 
We are currently not in a position to adopt it, as additional research 
is needed to determine its potential effectiveness and the various 
circumstances under which it might apply. That said, we may consider it 
as part of a future rulemaking effort.
c. Final Screening Provision--Medicare
    This final rule with comment period finalizes the provisions of 
proposed rule in regards to the Medicare screening requirements with 
the following modifications:
     In Sec.  424.518(a)(1), we are adding Competitive 
Acquisition Program/Part B Vendors to the limited risk screening level.
     In Sec.  424.518(a)(1), we are adding pharmacies that are 
newly enrolling or revalidating via the CMS-855B to the ``limited'' 
level of screening.
     In Sec.  424.518(a)(1), in response to comments, we have 
changed the description for Indian health service providers to state, 
``health programs operated by an Indian Health Program (as defined in 
section 4(12) of the Indian Health Care Improvement Act) or an urban 
Indian organization (as defined in section 4(29) of the Indian Health 
Care Improvement Act) that receives funding from the Indian Health 
Service pursuant to Title V of the Indian Health Care Improvement Act, 
hereinafter (IHS facilities).''
     In 424.518(a)(2), we are clarifying that occupational 
therapy and speech pathology providers are assigned to the limited 
screening level.
     In 424.518(a)(1), we are removing physical therapists and 
physical therapist groups from the category of non-physician 
practitioners that are within the limited screening level.
     In 424.518(a)(1), we are removing non-public, non-
government owned or affiliated ambulance suppliers from the limited 
screening level.
     In Sec.  424.518(a)(2), we are adding portable x-ray 
suppliers to the moderate screening level.
     In 424.518(a)(2), we are adding physical therapists and 
physical therapist groups to the moderate screening level.
     In 424.518(a)(2), we are assigning all ambulance suppliers 
to the moderate screening level, regardless of whether they are public 
or government affiliated.
     In Sec.  424.518(a)(1), we are adding pharmacies that are 
newly enrolling or revalidating via the CMS-855B to the limited 
screening level.
     In Sec.  424.518, we also eliminated the distinction 
between: (1) Publicly traded and non-publicly traded, and (2) publicly 
owned and non-publicly owned as criteria for assignment of any provider 
type to a level of screening.
     In Sec.  424.518(c)(2)(ii)(A), we have removed the 
requirement that fingerprints must be submitted using the FD-258 
fingerprint card. Also, the fingerprints must be collected from all 
individuals who maintain a 5 percent or greater direct or indirect 
ownership interest in the provider or supplier.
     In Sec.  424.518(c)(2)(ii)(B), we have replaced ``conducts 
a criminal background check'' with ``Conducts a fingerprint-based 
criminal history report check of the Federal Bureau of Investigations 
Integrated Automated Fingerprint Identification System on all 
individuals who maintain a 5 percent or greater direct or indirect 
ownership interest in the provider or supplier.''
     In Sec.  424.518(d), we have identified owners with a 5 
percent or greater direct or indirect ownership as responsible for 
providing fingerprints, and the methodology of how to submit the 
fingerprints.
     Sec.  424.518(c)(3), we have added ``final adverse 
action'' as a basis for reassigning a provider or supplier to the high 
screening level at Sec.  424.518(c)(3)(iii)(B).
     In Sec.  424.518(c)(3), we have added six months as the 
length of time a provider or supplier category will be assigned to the 
high screening level following the lifting of a temporary enrollment 
moratorium.
     Finally, in Sec.  424.518(c)(3), we have removed denial of 
Medicare billing privileges in the previous ten years as a basis for 
reassigning a provider or supplier to the high screening level at Sec.  
424.518(c)(3)(iii)(B).
    As we have stressed throughout this preamble, we will monitor these 
new procedures and their effectiveness and may reconsider or modify our 
approach in the future as we gain experience with these procedures. We 
further reiterate that nothing in this rule is intended to abridge our 
established screening authority under existing statutes and 
regulations, or to diminish the screening that providers and suppliers 
currently undergo. The provisions specified in this final rule with 
comment period are intended to enhance--not replace--our existing 
authority. The screening laid out here reflects the minimum 
requirements. For example, a contractor may undertake database checks 
in addition to the ones listed below as deemed appropriate. Nothing in 
this rule should be interpreted as limiting the amount of scrutiny CMS 
or its

[[Page 5895]]

contractors may give to an applicant. Tables 5 through 8 below outline 
the levels of screening by category that we are finalizing.

 Table 5--Final Level of Required Screening for Medicare Physicians, Non-Physician Practitioners, Providers, and
                                                    Suppliers
----------------------------------------------------------------------------------------------------------------
                  Type of screening required                       Limited          Moderate           High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier[dash]specific                         X                X                X
 requirements established by Medicare........................
Conduct license verifications, (may include licensure checks                X                X                X
 across States)..............................................
Database Checks (to verify Social Security Number (SSN); the                X                X                X
 National Provider Identifier (NPI); the National
 Practitioner Data Bank (NPDB) licensure; an OIG exclusion;
 taxpayer identification number; death of individual
 practitioner, owner, authorized official, delegated
 official, or supervising physician..........................
Unscheduled or Unannounced Site Visits.......................  ...............               X                X
Fingerprint[dash]Based Criminal History Record Check of law    ...............  ...............               X
 enforcement repositories....................................
----------------------------------------------------------------------------------------------------------------


Table 6--Final Medicare Providers and Suppliers Categories Designated to
              the ``Limited'' Level for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Physician or non[dash]physician practitioners and medical groups or
 clinics, with the exception of physical therapists and physical
 therapist groups.
Ambulatory surgical centers, competitive acquisition program/Part B
 vendors, end[dash]stage renal disease facilities, Federally qualified
 health centers, histocompatibility laboratories, hospitals, including
 critical access hospitals, Indian Health Service facilities,
 mammography screening centers, mass immunization roster billers, organ
 procurement organizations, pharmacies newly enrolling or revalidating
 via the CMS[dash]855B, radiation therapy centers, religious
 non[dash]medical health care institutions, rural health clinics, and
 skilled nursing facilities.
------------------------------------------------------------------------


Table 7--Final Medicare Providers and Suppliers Categories Designated to
              the ``Moderate'' Level for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Ambulance suppliers, community mental health centers; comprehensive
 outpatient rehabilitation facilities; hospice organizations;
 independent diagnostic testing facilities; independent clinical
 laboratories; physical therapy including physical therapy groups and
 portable x-ray suppliers.
Currently enrolled (revalidating) home health agencies.
------------------------------------------------------------------------


Table 8--Final Medicare Providers and Suppliers Categories Designated to
                the ``High'' Level for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Prospective (newly enrolling) home health agencies and prospective
 (newly enrolling) suppliers of DMEPOS.
------------------------------------------------------------------------

4. General Screening of Providers--Medicaid and CHIP--Proposed 
Provisions and Analysis of and Responses to Public Comments
    Section 1902(kk)(1) of the Act requires that States comply with the 
process for screening providers established by the Secretary under 
section 1866(j)(2) of the Act.\4\ Section 2107(e)(1) of the Act 
provides that all provisions that apply to Medicaid under sections 
1902(a)(77) of the Act,\5\ the State plan mandate for compliance with 
provider and supplier screening, oversight, and reporting requirements 
in accordance with 1902(kk), and 1902(kk) of the Act, the specific 
State plan requirements regarding provider and supplier screening, 
oversight, and reporting, shall apply to CHIP. We proposed in new Sec.  
457.990 that all the provider screening, provider application, and 
moratorium regulations that apply to Medicaid providers will apply to 
providers that participate in CHIP. In addition, in this final rule 
with comment period, we refer to State Medicaid agencies as responsible 
for screening Medicaid-only providers. In some States, CHIP is not 
administered by the Medicaid agency. Throughout this final rule with 
comment period, with respect to those instances, ``State Medicaid 
agency'' should be read to encompass ``Children's Health Insurance 
Program agency'' where the two are separate entities.
---------------------------------------------------------------------------

    \4\ As noted previously, we believe that the reference to 
section 1886(j)(2) of the Act in section 6401(b)(1) of the ACA is a 
scrivener's error, and that the Congress intended to refer instead 
to section 1866(j)(2) of the Act.
    \5\ Section 1902(a)(77) is only broadly referenced in the final 
regulations under section Sec.  455.400, as a statutory section 
being implemented by the regulation.
---------------------------------------------------------------------------

    Because it would be inefficient and costly to require States to 
conduct the same screening activities that Medicare contractors perform 
for dually-enrolled providers, we proposed that a State may rely on the 
results of the screening conducted by a Medicare contractor to meet the 
provider screening requirements under Medicaid and CHIP. Similarly, we 
proposed in Sec.  455.410 that State Medicaid agencies may rely on the 
results of the provider screening performed by the State Medicaid 
programs and CHIP of other States. For Medicaid-only providers or CHIP-
only providers, we proposed that States follow the same screening 
procedures that CMS or its contractors follow with respect to Medicare 
providers and suppliers.
    As previously noted, section 1902(kk)(1) of the Act requires that 
State screening methods follow those performed under the Medicare 
program. For the sake of brevity, we will not restate those methods 
verbatim. We proposed that States follow the rationale that we have set 
forth for Medicare in section II.A.3. of this final rule with comment 
period, and that we use as the basis for Sec.  455.450. For the types 
of providers that are recognized as a provider or supplier under the 
Medicare program, States will use the same screening level that is 
assigned to that category of provider by Medicare. For those Medicaid 
and CHIP provider types that are not recognized by Medicare, States 
will assess the risk posed by a particular provider or provider type. 
States should examine their programs to identify specific providers or 
provider types that may present increased risks of fraud, waste or 
abuse to their Medicaid programs or CHIP. States are uniquely qualified 
to understand issues involved with balancing beneficiaries' access to 
medical assistance and ensuring the fiscal integrity of the Medicaid 
programs and CHIP. However, where applicable, we expect that States 
will assess the risk of fraud, waste, and abuse using similar criteria 
to those used in Medicare. For example, physicians and non-physician 
practitioners, medical groups and clinics that are State-licensed or 
State-regulated would generally be categorized as limited risk. Those 
provider types that are generally highly

[[Page 5896]]

dependent on Medicare, Medicaid and CHIP to pay salaries and other 
operating expenses and which are not subject to additional government 
or professional oversight would be considered moderate risk, and those 
provider types identified by the State as being especially vulnerable 
to improper payments would be considered high risk. States will then 
screen the provider using the screening tools applicable to that risk 
assigned. However, we did not propose to limit or otherwise preclude 
the ability of States to engage in provider screening activities beyond 
those required under section 1866(j)(2) of the Act, including, but not 
limited to, assigning a particular provider type to a higher screening 
level than the level assigned by Medicare.
    As with the proposed screening provisions for Medicare, we 
solicited comments on the applicability of these proposals for Medicaid 
as well. We solicited comment on the proposed assignment of specific 
provider types to established risk categories, including whether such 
assignments should be released publicly, whether they should be 
reconsidered and updated according to an established schedule, and what 
criteria should be considered in making such assignments.
    Based on the level of screening assigned to a provider or provider 
type, we proposed that States conduct the following screenings:

             Table 9--Proposed Level of Risk and Required Screening for Medicaid and CHIP Providers
----------------------------------------------------------------------------------------------------------------
                  Type of screening required                       Limited          Moderate           High
----------------------------------------------------------------------------------------------------------------
Verification of any provider/supplier-specific requirements                 X                X                X
 established by Medicaid/CHIP................................
Conduct license verifications (may include licensure checks                 X                X                X
 across State lines).........................................
Database Checks (to verify SSN and NPI, the NPDB, licensure,                X                X                X
 a HHS OIG exclusion, taxpayer identification, tax
 delinquency, death of individual practitioner, and persons
 with an ownership or control interest or who are agents or
 managing employees of the provider).........................
Unscheduled or Unannounced Site Visits.......................  ...............               X                X
Criminal Background Check....................................  ...............  ...............               X
Fingerprinting...............................................  ...............  ...............               X
----------------------------------------------------------------------------------------------------------------

    Not all States routinely require persons with an ownership or 
control interest or who are agents or managing employees of the 
provider to submit SSNs or dates of birth (DOBs). Without such critical 
personal identifiers, it is difficult to be certain of the identity of 
persons with an ownership or control interest or who are agents or 
managing employees of the provider, and it may be difficult for States 
to conduct the screening proposed under this rule. Accordingly, and to 
be consistent with Medicare requirements, pursuant to our general 
rulemaking authority under section 1102 of the Act, we proposed in 
Sec.  455.104 to require that States will require submission of SSNs 
and DOBs for all persons with an ownership or control interest in a 
provider. In addition to the amendment to Sec.  455.104, we proposed to 
revise that section for the sake of clarity both for the disclosing 
entities' provision and the States' collection of the disclosures. We 
recognize that there may be privacy concerns raised by the submission 
of this personally identifiable information as well as concerns about 
how the States will assure individual privacy as appropriate; however, 
we believe this personally identifiable information is necessary for 
States to adequately conduct the provider screening activities under 
this final rule with comment period. We solicited comment specifically 
on this issue.
    Although the level of screening may vary depending on the risk of 
fraud, waste or abuse the provider represents to the Medicaid program 
or CHIP, under section 1866(j)(2)(B)(i) of the Act, all providers would 
be subject to licensure checks. Therefore, we proposed that States be 
required to verify the status of a provider's license by the State of 
issuance and whether there are any current limitations on that license.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers would apply to providers that participate in 
CHIP, these requirements for provider screening and assigning of 
categories of risk of fraud, waste, or abuse, as well as verification 
of licensure, under Sec.  455.412 and Sec.  455.450 will apply in CHIP.
    Comment: Commenters expressed concerns about new and existing 
disclosure requirements under Sec.  455.104, including our proposal to 
add to the disclosure requirements collection of SSNs and DOBs of 
persons with an ownership or control interest in the disclosing entity. 
Some States support the proposal, already having instituted the 
disclosure requirement in their enrollment application procedures. 
Other States support the proposal but request additional time for 
implementation, including forms and system changes. Two States 
expressed concern about the impact the requirement might have upon 
beneficiary access to providers.
    Response: We will not address the comments directed at the existing 
language of Sec.  455.104. The regulation was rearranged for ease of 
application by States and disclosing entities, but with the exception 
of the addition of SSNs and DOBs, as well as changes suggested by a few 
commenters regarding corporate entity addresses and familial 
relationships, the language is substantially unchanged from the 
language currently in effect. We acknowledge the commenters' concerns 
about collection of SSNs and DOBs, however, collection of SSNs and DOBs 
is necessary to complete the screening process and be certain of the 
identity of the party being screened. We recognize that the addition of 
SSNs and DOBs and other improvements in disclosure collection will 
require systems and forms changes and States will need time for 
implementation. We encourage States to contact us about their specific 
timeframes. Furthermore, we do not believe that this requirement will 
have an adverse impact on beneficiary access as the majority of 
disclosure requirements have not changed, and our experience with the 
same requirement in Medicare indicates that such a requirement does not 
adversely impact beneficiary access.
    Comment: Other commenters made recommendations on language changes 
that would clarify Sec.  455.104(b)(1)(i) regarding the address of 
corporate entities with ownership or control of disclosing entities; 
Sec.  455.104(b)(2) regarding familial relationships; and Sec.  
455.104(b)(4) regarding SSNs and DOBs of managing employees.
    Response: We agree with the commenters that Sec.  455.104(b)(1)(i) 
should be clarified regarding addresses

[[Page 5897]]

of corporate entities with ownership or control of disclosing entities 
and accordingly will revise Sec.  455.104(b)(1)(i) to clarify from whom 
the name and address must be provided and to require the disclosing 
entity to supply primary business address as well as every business 
location and P.O. Box address, if applicable. We agree that Sec.  
455.104(b)(2) should be clarified regarding to whom the spouse, parent, 
child, or sibling is related, and we are revising Sec.  455.104(b)(2) 
accordingly. We agree that Sec.  455.104(b)(4) should be clarified to 
require managing employees to provide SSNs and DOBs, as that was the 
intent of the proposal, and we are revising Sec.  455.104(b)(4) 
accordingly.
    Comment: Several commenters expressed concern regarding collection 
of disclosures under Sec.  455.104. One commenter expressed concern 
about the confidentiality and privacy of board member identity and the 
protection from disclosure to the general public. Other commenters were 
concerned that not-for-profit board members were volunteers and might 
not serve were they compelled to provide their SSNs and DOBs as a 
condition of the entity being enrolled.
    Response: We have previously provided guidance to States that Sec.  
455.104 requires disclosures from persons with ownership and control 
interests in the disclosing entity, which includes officers and 
directors of a disclosing entity that is organized as a corporation, 
without regard to the for-profit or not-for-profit status of that 
corporation. That guidance is available at http://www.cms.gov/FraudAbuseforProfs/Downloads/bppedisclosure.pdf. We are sensitive to 
the concerns related to confidentiality of identifiable information 
such as SSNs. We are also concerned about issues that arise out of 
identity theft. We encourage States to institute appropriate safeguards 
to protect the information they gather as required by these rules. 
However, collection of disclosures including the SSNs and DOBs of 
persons with ownership and control interests in a disclosing entity, 
and of managing employees, is necessary to protect the integrity of the 
State Medicaid programs. Therefore, we are finalizing the proposal 
requiring provision of SSNs and DOBs.
    Comment: One commenter sought clarification whether the disclosure 
requirements in Sec.  455.104 apply to IHS providers.
    Response: This rule does not make any changes about whom 
disclosures must be provided, but rather simply adds additional items 
of information that must be disclosed. The boards of IHS facilities 
were not previously subject to the--disclosure requirements in Sec.  
455.104, and accordingly, are not subject to the additional disclosure 
requirements imposed by this rule.
    Comment: Commenters expressed concern about the applicability of 
Sec.  455.104 to public school districts. Public schools deliver 
Medicaid school based health services to Medicaid eligible children and 
therefore are enrolled as Medicaid providers. The commenters objected 
to the proposed requirement in Sec.  455.104 that the schools provide 
the SSNs and DOBs of persons with controlling interests of the 
provider, which they interpreted to include the SSNs and DOBs of school 
board members. The majority of the commenters stated that the public 
school districts were closely regulated by numerous checks and balances 
and there was a low likelihood that fraud would be perpetrated in 
schools, therefore, the collection of SSNs and DOBs from public school 
districts was unnecessary.
    Response: As previously noted, this rule does not change about whom 
disclosures must be provided, but rather what information must be 
disclosed. Except to the extent that any public school districts may be 
organized as corporations, they were not previously required to make 
disclosures about their boards, nor are they required to under this new 
rule.
    Comment: Several commenters expressed concern regarding the license 
verification requirement in Sec.  455.412. One commenter noted that it 
would be administratively inefficient, costly, and unrealistic for 
States to verify each provider applicant's licensure status in another 
State. Another commenter offered that searching its database containing 
multi-State licensure data would be more efficient than requiring 
States to search State by State.
    Response: Holding a valid professional license should be a 
prerequisite in any State prior to assignment of a Medicaid provider 
identification number. Medicaid beneficiaries have a right to be 
treated only by those providers that have been deemed by the licensing 
boards of their States to be eligible to treat them. As a matter of 
public policy, it is not unreasonable to expect that licensure status 
of all in-State and out-of-State providers be checked prior to 
enrollment, and that any limitations on their licenses be checked as 
well. Out-of-State provider applicants submit licensure information 
including status to the Medicaid agency with their application. While 
verification of out-of-State licensure may be challenging, all those 
Medicaid agencies that enroll out-of-State providers have the 
obligation to verify licensure status of out-of-State providers as 
well. We appreciate the commenter's suggestion of its database of 
provider information. We are aware that State licensing boards maintain 
publicly available information that neighboring States may access. It 
is within the States' discretion which databases to check.
    Comment: A commenter requested clarification of whether license 
verification was required when the chart at 75 FR 58214 states that 
license verification ``may include licensure checks across State 
lines'' thereby implying that licensure checks across State lines are 
permissive, not mandatory.
    Response: The State Medicaid agency must verify the licensure of a 
provider applicant in the State in which the provider applicant 
purports to be licensed. If an out-of-State provider submitted an 
application for enrollment, the State Medicaid agency would be required 
to verify license across State lines.
a. Database Checks--Medicaid and CHIP
    States employ several database checks, including database checks 
with the Social Security Administration and the NPPES, to confirm the 
identity of an individual or to ensure that a person with an ownership 
or control interest is eligible to participate in the Medicaid program.
    A critical element of Medicaid program integrity is the assurance 
that persons with an ownership or control interest or who are agents or 
managing employees of the provider do not receive payments when 
excluded or debarred from such payments. Accordingly, in Sec.  455.436, 
we proposed that States be required to screen all persons disclosed 
under Sec.  455.104 against the OIG's LEIE and the General Services 
Administration's EPLS. We proposed that States be required to conduct 
such screenings upon initial enrollment and monthly thereafter for as 
long as that provider is enrolled in the Medicaid program.
    We also proposed at Sec.  455.450, as well as Sec.  455.436, that 
database checks be conducted on all providers on a pre- and post-
enrollment basis to ensure that providers continue to meet the 
enrollment criteria for their provider type.
    As previously stated, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act also apply to CHIP. Because we proposed a new 
regulation in Part 457

[[Page 5898]]

under which all provider screening requirements that apply to Medicaid 
providers will apply to providers that participate in CHIP, this 
requirement for database checks under Sec.  455.436 and Sec.  455.450 
apply in CHIP.
    We received many comments on the database requirements in Sec.  
455.436 from States concerned about the administrative burden presented 
by searching several databases upon enrollment, and both the LEIE and 
the EPLS on a monthly basis by the names of both the provider and those 
with ownership or control interests in the provider and managing 
employees of the provider.
    Comment: Some commenters questioned whether there were costs 
associated with accessing the databases. The commenters suggested that 
CMS establish a centralized database that States could access, 
including using an automated, rather than manual, search, all at no 
cost to States. One State suggested that the databases be accessible 
through automated data exchanges and that any cost to the States be 
waived to avoid barriers to compliance with the rule. Two other States 
questioned whether there were costs associated with accessing the 
databases that must be considered. Other commenters suggested a delay 
or elimination of the proposed requirement at Sec.  455.436(c)(2) until 
CMS established such a centralized database.
    Response: We are aware that there may be costs to the State 
Medicaid agency associated with checking some databases. However, Sec.  
455.436 enumerates databases that most State Medicaid agencies already 
check in their routine provider enrollment operations. In addition, we 
have previously issued guidance to State Medicaid Directors 
recommending searching the LEIE on a monthly basis by the names of 
enrolled providers and for providers, by the names of their employees 
and contractors. Those guidance documents are available here: http://www.cms.gov/smdl/downloads/SMD061208.pdf and http://www.cms.gov/SMDL/downloads/SMD011609.pdf. Many States have already adopted the 
recommendations in their enrollment policies. More recently, in 
September 2010, we provided guidance to program integrity directors on 
the availability of the LEIE and EPLS for exclusion searches. That 
guidance document is available here: http://www.cms.gov/FraudAbuseforProfs/Downloads/bppedisclosure.pdf.
    Accordingly, we are finalizing Sec.  455.436 to require State 
Medicaid agencies to conduct Federal database checks.
    Comment: A commenter questioned whether other databases will be 
prescribed in the final rule with comment period or whether States will 
be notified of requirements in another fashion.
    Response: In Sec.  455.436(b), we proposed that the States be 
required to check ``any such other databases as the Secretary may 
prescribe.'' We are not prescribing additional databases in the final 
rule with comment period. However, in response to evolving 
circumstances, the Secretary may issue guidance to States regarding 
checking specific databases.
    Comment: One commenter sought clarification on which of a 
provider's managing employees the State Medicaid agency must search in 
the exclusions databases. The commenter noted that some large providers 
like hospitals have many managing employees that may be subject to the 
proposed database checks.
    Response: We recognize the burden that conduct of database checks 
of managing employees may pose for providers with managing employees at 
multiple levels or locations in its organizations. Nevertheless, 
database checks must be conducted for all persons disclosed under Sec.  
455.104, including managing employees who could compromise or place in 
jeopardy a provider's compliance with Medicare, Medicaid, or CHIP 
requirements.
    Comment: One commenter noted that State vital statistics 
information may be more accurate than the Social Security 
Administration's Death Master File. The commenter suggested allowing 
States to check against their own vital records systems and not require 
the States to check against the Social Security Administration's file.
    Response: While on an anecdotal basis State records may be more 
accurate than the Social Security Administration's Death Master File, 
it is the Death Master File that is the national file of record. 
Therefore, we are finalizing the requirement that State Medicaid 
agencies check the Social Security Administration's Death Master File. 
However, under Sec.  455.436(c)(1) a State may also consult other 
appropriate databases to confirm identity upon enrollment and 
reenrollment.
    Comment: Another commenter noted that the Social Security 
Administration only allows SSN verification for W-2 purposes. The 
commenter recommended removing the reference to checks of 
``applicable'' Social Security Administration databases from the 
database check requirement.
    Response: We express no opinion as to the accuracy of the 
commenter's statement regarding SSN verification, but agree with the 
commenter that the database check requirement in this rule should be 
more explicit. Accordingly, we are revising Sec.  455.436 to indicate a 
check of the ``Social Security Administration's Death Master File'' 
rather than ``applicable databases''.
    Comment: A few commenters requested clarification regarding which 
database States must check for verification of tax identifications and 
tax delinquencies and how the States would use that information as a 
tool for screening providers.
    Response: Although we believe that verifying taxpayer 
identification and checking for tax delinquencies may be useful 
indicators of fraud to a State Medicaid program, access to that 
information is limited and may not be feasible in the short term. 
Therefore, we are not finalizing those requirements as suggested by 
Table 5 under ``Type of Screening Required''.
    Comment: One commenter asked whether it was our intention to 
require providers also to check their employees for exclusions on a 
monthly basis. The proposed regulation at Sec.  455.436 does not 
require providers to check their employees for exclusions.
    Response: We issued guidance on June 12, 2008, to State Medicaid 
Directors recommending that they check their enrolled providers for 
exclusions on a monthly basis. We followed up that guidance on January 
16, 2009, with guidance to State Medicaid Directors recommending that 
they require their enrolled providers to check the providers' employees 
and contractors for exclusions on a monthly basis. Those letters are 
available at: http://www.cms.gov/smdl/downloads/SMD061208.pdf and 
http://www.cms.gov/SMDL/downloads/SMD011609.pdf. Many States made our 
recommendations their policy.
    Section 455.436 does not mandate that States require their 
providers to check the LEIE and EPLS on a monthly basis to determine 
whether the providers' employees and contractors have been excluded. We 
do, however, recommend that States consider making this a requirement 
for all providers and contractors, including managed care contractors 
in their Medicaid programs and CHIP.
b. Unscheduled and Unannounced Site Visits--Medicaid and CHIP
    Section 1866(j)(2)(B)(ii)(III) of the Act states that the 
Secretary, based on the risk of fraud, waste, and abuse, may conduct 
unscheduled and unannounced

[[Page 5899]]

site visits, including pre-enrollment site visits, for prospective 
providers and those providers already enrolled in the Medicare and 
Medicaid programs and CHIP.
    Some States already require site visits, often for provider 
categories at increased risk of fraud, waste or abuse such as home 
health and non-emergency transportation. According to FY 2008 State 
Program Integrity Assessment (SPIA) data, at least 16 States report 
that they perform some type of site visits. However, such efforts vary 
widely across the country and are subject to budget shortfalls.
    We proposed to require in Sec.  455.432 and Sec.  455.450(b) that 
States must conduct pre-enrollment and post-enrollment site visits for 
those categories of providers the State designates as being in the 
``moderate'' or ``high'' level of screening.
    Further, in Sec.  455.432, pursuant to our general rulemaking 
authority under section 1102 of the Act, we proposed that any enrolled 
provider must permit the State Medicaid agency and CMS, including CMS' 
agents or its designated contractors, to conduct unannounced on-site 
inspections to ensure that the provider is operational at any and all 
provider locations.
    We maintain that site visits are essential in determining whether a 
provider is operational at the practice location found on the Medicaid 
enrollment agreement. We expect these requirements to increase the 
number of both pre-enrollment and post-enrollment site visits for those 
provider types that pose an increased financial risk of fraud, waste, 
or abuse to the Medicaid program.
    We proposed that failure to permit access for site visits would be 
a basis for denial or termination of Medicaid enrollment as specified 
in Sec.  455.416.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers will apply to providers that participate in CHIP, 
this requirement for site visits under Sec.  455.432 apply in CHIP.
    Comment: Some commenters were supportive of the proposal for pre-
enrollment and post-enrollment site visits in Sec.  455.432, although 
they noted that they would need additional funding for travel or for 
contractors to conduct the site visits. Some commenters stated that the 
States should have the discretion to define which providers are subject 
to pre- and post-enrollment site visits and when the site visits are 
conducted, for example, by established risk categories or an automatic 
flag that demonstrates that billing has gotten to a certain threshold 
thus requiring an onsite visit. A few commenters stated that the site 
visits were an undue burden on States. One commenter stated that the 
site visits were unnecessary given that other more cost-effective 
methods could prevent enrollment of providers who are using fraudulent 
identity, such as annual re-enrollment, license verification, and 
follow-up when a duplicate provider ID or address is used. Another 
commenter noted that pre-enrollment site visits could delay enrollment 
as a result of inclement weather.
    Response: We recognize that conduct of site visits will place a 
burden on State budgets and staff time, and may be difficult to 
accomplish in rural areas or in inclement weather. However, site visits 
are a requirement depending on the risk the provider represents to the 
Medicaid program. In response to the commenters that suggested that 
States should have the discretion to define which providers are subject 
to pre- and post-enrollment site visits: The site visits are required 
for those providers that are determined to be a moderate or high 
categorical risk of fraud, waste, or abuse. In addition to the required 
site visits for providers in the moderate and high screening levels, 
the State may also conduct site visits at its discretion. While there 
may be other means to verify whether a provider is a going concern or 
whether a provider has a business location, conduct of site visits is 
one method that is required by this regulation. The State has the 
discretion to utilize other additional methods to prevent enrollment of 
non-existent providers or to ensure that spurious applications are not 
processed.
    Comment: A few commenters sought clarification on what the 
expectations were for site visits when the provider performed services 
in the beneficiary's home, for example, personal care services; or for 
out-of-State providers or rural providers.
    Response: If a Medicaid-only provider is in the moderate or high 
screening level, the State Medicaid agency does not have the discretion 
whether to conduct a site visit: It is required under Sec.  455.432(a) 
and Sec.  455.450(b). However, pursuant to Sec.  455.452, States are 
permitted to establish additional or more stringent screening measures 
than those required by this final rule with comment period. Thus, for 
providers that are in the limited screening level, the State has the 
discretion to determine whether to conduct site visits, based on 
whatever factors the State deems appropriate. We recognize that the 
appropriate location of the site visit may differ based upon the 
provider type. For example, the personal care services agency is the 
enrolled provider, so its location would likely be subject to a site 
visit. While its employee the personal care attendant may not be an 
enrolled provider with the State Medicaid agency, it may also be 
appropriate to conduct a site visit in a beneficiary's home where the 
personal care attendant is providing services to ensure that services 
are in fact being provided appropriately. It would be within the 
discretion of the State Medicaid agency to determine whether to conduct 
an additional site visit for a provider in the limited screening level. 
With respect to providers in rural locations, the mere fact that the 
provider is in a rural location does not absolve the State Medicaid 
agency of its responsibility to conduct site visits. Similarly, for 
out-of-State providers, the mere fact that a provider in the moderate 
or high screening level is located in another State would not negate 
the requirement for a site visit, although we note that Sec.  455.410 
permits States to rely upon the screening performed by Medicare and by 
other State Medicaid programs and CHIP. Therefore, no additional site 
visit would be required if the provider is also enrolled by Medicare or 
in Medicaid or CHIP in its home State.
c. Provider Enrollment and Provider Termination--Medicaid and CHIP
    States may refuse to enroll or may terminate the enrollment 
agreement of providers for a number of reasons related to a provider's 
status or history, including an exclusion from Medicare, Medicaid, or 
any other Federal health care program, conviction of a criminal offense 
related to Medicare or Medicaid, or submission of false or misleading 
information on the Medicaid enrollment application. Failure to provide 
disclosures is another reason for termination from participation in the 
Medicaid program.
    Federal regulations beginning at Sec.  455.100 require certain 
disclosures by providers to States before enrollment. States require 
additional disclosures prior to enrollment. Some States require 
periodic re-enrollment and disclosure at that time. However, States 
vary in the frequency of such re-disclosures. Providers are also 
inconsistent in keeping their enrollment information current, including 
items as elementary as their address.
    We proposed, at Sec.  455.414, pursuant to our general rulemaking 
authority

[[Page 5900]]

under section 1102 of the Act, that all providers undergo screening 
pursuant to the procedures outlined herein at least once every 5 years, 
consistent with current Medicare requirements for revalidation.
    In Sec.  455.416, we proposed to establish termination provisions, 
requiring States to deny or terminate the enrollment of providers: (1) 
Where any person with an ownership or control interest or who is an 
agent or managing employee of the provider does not submit timely and 
accurate disclosure information or fails to cooperate with all required 
screening methods; (2) that are terminated on or after January 1, 2011 
by Medicare or any other Medicaid program or CHIP (see section II.F. of 
this final rule with comment period); and (3) where the provider or any 
person with an ownership or control interest or who is an agent or 
managing employee of the provider fails to submit sets of fingerprints 
within 30 days of a State agency or CMS request. We proposed to permit 
States to deny enrollment to a provider if the provider has falsified 
any information on an application or if CMS or the State cannot verify 
the identity of the applicant. We also proposed to require States to 
deny enrollment to providers, unless States determine in writing that 
denial of enrollment is not in the best interests of the State's 
Medicaid program, in these circumstances: (1) The provider or a person 
with an ownership or control interest or who is an agent or managing 
employee of the provider fails to provide accurate information; (2) the 
provider fails to provide access to the provider's locations for site 
visits, or (3) the provider, or any person with an ownership or control 
interest, or who is an agent or managing employee of the provider has 
been convicted of a criminal offense related to that person's 
involvement in Medicare, Medicaid, or CHIP in the last 10 years. We 
believe that providers can significantly reduce the likelihood of 
fraud, waste or abuse by providing and maintaining timely and accurate 
Medicaid enrollment information. We believe the Medicaid program will 
be better protected by not allowing persons with serious criminal 
offenses related to Medicare, Medicaid, and CHIP to serve as providers.
    We proposed at Sec.  455.416 that the State be allowed to deny an 
initial enrollment application or agreement submitted by a provider or 
terminate the Medicaid enrollment of a provider, including an 
individual physician or non-physician practitioner, if CMS or the State 
is not able to verify an individual's identity, eligibility to 
participate in the Medicaid program, or determines that information on 
the Medicaid enrollment application was falsified.
    In Sec.  455.420, we proposed to require that any providers whose 
enrollment has been denied or terminated must undergo screening and pay 
all appropriate application fees again to enroll or re-enroll as a 
Medicaid provider.
    We proposed at Sec.  455.422 that in the event of termination under 
Sec.  455.416, the State Medicaid agency must give a provider any 
appeal rights available under State law or rule.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers will apply to providers that participate in CHIP, 
these requirements for provider enrollment, provider termination, and 
provider appeal rights under Sec.  455.414, Sec.  455.416, Sec.  
455.420, and Sec.  455.422 apply in CHIP.
    Comment: Several commenters expressed concern regarding the 
requirement under Sec.  455.414 related to a 5 year re-screening 
process. Some commenters stated that they already required a periodic 
re-enrollment process and CMS should take into consideration the 
States' existing processes and grant the States the flexibility to 
employ those existing processes.
    Other commenters noted that the additional enrollments would place 
administrative and fiscal burdens on the States. Several commenters 
noted that they would need an extended period to implement the new 
requirements of the proposed rule, including the requirement set forth 
at Sec.  455.414.
    One commenter sought clarification whether all providers currently 
enrolled and that have been enrolled for 5 years would be up for 
revalidation when the regulation became effective; and whether 
currently enrolled providers could be revalidated over a 5-year 
timeframe to diminish the administrative burden on State Medicaid 
agency staff.
    Another commenter sought clarification whether the requirement was 
for re-screening or for re-enrollment at least every 5 years; whether 
the requirement would apply to all enrolled providers including 
rendering providers, or just to ordering or referring physicians and 
other professionals who are the subject of the requirements set forth 
at Sec.  455.410 and Sec.  455.440; and whether CMS would give affected 
providers notice of the need to re-enroll.
    Response: Periodic re-validation of enrollment information affords 
States the opportunity to ensure their provider rolls do not contain 
providers that have been excluded from participation in the Federal 
health care programs. The State Medicaid agencies can cull from their 
provider rolls those providers that have not submitted claims for 
payment or referred claims for payment in several years. Without 
removing those providers' numbers during a periodic re-enrollment 
process, those providers' numbers might be used at a later date in a 
fraudulent scheme: The providers may have been unwitting victims of 
identity theft or may have participated in selling their provider 
numbers.
    The proposed requirement at Sec.  455.414 describes screening of 
all providers at least every 5 years. Screening, as performed by the 
Medicare Administrative Contractors for all dually participating 
providers, and by the State Medicaid agency or CHIP for those providers 
that are not also participating in the Medicare program, should be 
distinguished from enrollment, a function performed by the State 
Medicaid agency or CHIP to participate in the Medicaid program or CHIP 
of a given State. Screening would involve various assessments 
commensurate to the risk the provider posed to the Medicaid program or 
CHIP, including license verification, database checks, site visits, 
background checks, and fingerprinting. Enrollment may involve all of 
those, as well as collection of disclosures required under Sec.  
455.104, Sec.  455.105, and Sec.  455.106, and a host of State-specific 
requirements.
    We applaud States that already require periodic re-enrollment of 
Medicaid providers. For the sake of consistency with the Medicare 
program, however, we are finalizing Sec.  455.414 as a 5 year re-
validation of enrollment information, which includes re-screening as 
well as the collection of updated disclosure information, for providers 
regardless of provider type, including, but not limited to, rendering, 
ordering, and referring physicians, and other professionals. The 
screening component of the 5 year re-validation will be conducted by 
either the Medicare Administrative Contractors (for dually-
participating providers) or by the States (for Medicaid-only or CHIP-
only providers). The collection of updated enrollment information, 
including, but not limited to, disclosure information will be the 
province of the State Medicaid agencies, and subject to their existing 
procedures, therefore, we will not issue notices of the need to

[[Page 5901]]

revalidate enrollment information to the affected providers.
    State Medicaid agencies should complete the first re-validation 
cycle by 2015, with 20 percent of providers being re-validated each 
year beginning 2011. State Medicaid agencies have the discretion to 
determine which providers or provider types to re-validate enrollment 
first. However, they may want to consider re-validating enrollment in 
the first years of the cycle those providers or provider types that 
pose the greatest risk of fraud, waste or abuse to the Medicaid program 
and CHIP.
    Comment: We received comments from States supportive of the 
proposed bases for denial of enrollment or termination of enrollment in 
Sec.  455.416, but concerned about the time they would need for 
implementation to amend State laws and rules and to amend provider 
agreements. One State commented that it would be administratively 
inefficient, costly, and unrealistic for each State to independently 
confirm providers' enrollment status or termination history in another 
State's Medicaid program or CHIP.
    Response: We believe that the bases for denial of enrollment or 
termination of enrollment in Sec.  455.416 are necessary to protect the 
integrity of the Medicaid program. Therefore, prompt implementation of 
these additional bases for denial or termination will serve each State 
and Medicaid programs nationally. We acknowledge the additional burden 
that new bases for denial and termination will create for State 
Medicaid programs, for example, in changes to systems and forms, and 
changes to provider agreements. We are currently examining to what 
extent we can support a centralized information sharing solution for 
provider enrollment across programs and across States. However, we note 
that termination based on termination by Medicare or by another State's 
Medicaid program is a statutory requirement effective January 1, 2011.
    Comment: One commenter recommended that the reasons for provider 
termination should be outlined and given to the provider upon denial or 
termination. The commenter noted that the provider would then have the 
ability to address or correct deficiencies prior to resubmitting its 
enrollment application. This requirement, the commenter noted, would be 
in addition to any appeal rights.
    Response: We have provided for a right of appeals to the extent 
they are available under a State's existing laws or rules. While we 
recognize that the commenter's suggestion may be helpful, and States 
may elect to adopt it, we will not be disrupting a State's procedures 
under its existing laws or rules with this regulation.
    Comment: One State recommended an addition to the language of Sec.  
455.416(g)(1) to recognize that a provider's omissions may be as 
egregious as its falsified statements.
    Response: We appreciate the commenter's suggestion to cover all 
possible situations when a provider may have misled the State in the 
application process. However, Sec.  455.416(d) addresses termination 
for a failure to submit timely and accurate information which would 
include omissions to provide information. Therefore we decline to 
revise section Sec.  455.416(g)(1).
    Comment: A State requested clarification on how rigorous the 
State's efforts must be to verify the identity of the provider 
applicant or whether a background check is sufficient.
    Response: The State Medicaid agencies have the discretion to 
determine the steps that are appropriate to verify the identity of the 
provider applicant, which may include, but would not be limited to, 
verification of licensure, database checks, and criminal background 
checks.
d. Criminal Background Checks and Fingerprinting--Medicaid and CHIP
    Section 1866(j)(2)(B)(ii)(II) of the Act allows the Secretary to 
use fingerprinting during the screening process; and while several 
States have implemented procedures to require fingerprinting of 
physicians and non-physician practitioners as a condition of licensure, 
we maintain that if a State designates a provider as within the high 
level of screening as described previously, each person with an 
ownership interest in that provider should be subject to 
fingerprinting.
    Adding fingerprinting to State screening processes for those 
providers that pose the greatest risk to the Medicaid program will 
allow CMS and the State to: (1) Verify the individual's identity; (2) 
determine whether the individual is eligible is participate in the 
Medicaid program; (3) ensure the validity of information collected 
during the Medicaid enrollment process; and (4) prevent and detect 
identity theft. Ensuring the identity of ``high'' risk Medicaid 
providers through fingerprinting protects both the Medicaid program and 
providers whose identities might otherwise be stolen as part of a 
scheme to defraud Medicaid.
    In addition, while Sec.  455.106 requires providers to submit 
information to the Medicaid agency on criminal convictions related to 
Medicare and Medicaid and title XX, current regulations do not require 
States to verify data submitted as part of the Medicaid enrollment 
application and they are sometimes not able to verify information that 
was purposefully omitted or changed in a manner to obfuscate any 
previous criminal activity. According to fiscal year (FY) 2008 SPIA 
data, at least 20 States report that they conduct some type of criminal 
background check as part of their Medicaid enrollment practices.
    Elements of a robust criminal background check could include, but 
not are necessarily limited to: (1) Conducting national and State 
criminal records checks; and (2) requiring submission of fingerprints 
to be used for conducting the criminal records check and verification 
of identity.
    We proposed in Sec.  455.434 and Sec.  455.450 for those categories 
of providers that a State Medicaid agency determines is within the high 
level of screening, the State must: (1) Conduct a criminal background 
check of each provider and each person with an ownership or control 
interest or who is an agent or managing employee of the provider, and 
(2) require that each provider and each person with an ownership or 
control interest or who is an agent or managing employee of the 
provider to submit his or her fingerprints. The State Medicaid agency 
has the discretion to determine the form and manner of submission of 
fingerprints.
    At Sec.  455.434, we proposed that the State Medicaid agency must 
require providers or any person with an ownership or control interest 
or who is an agent or managing employee of the provider to submit 
fingerprints in response to a State's or CMS' request.
    We solicited public comment on the appropriateness of using 
criminal background checks in the provider enrollment screening 
process, including the instances when such background checks might be 
appropriate, the process of notifying a provider or individual that a 
criminal background check is to be performed, and the frequency of such 
checks.
    We also solicited comment on the use of fingerprinting as a 
screening measure. We recognize that requesting, collecting, analyzing, 
and checking fingerprints from providers are complex and sensitive 
undertakings that place certain burdens on affected individuals. There 
are privacy concerns and operational concerns about how to assure 
individual privacy, how to check fingerprints against appropriate law 
enforcement fingerprint data bases, and how to store

[[Page 5902]]

the results of the query of the databases and also how to handle the 
subsequent analysis of the results. As a result, we solicited comments 
on how CMS or a State Medicaid agency should maintain and store 
fingerprints, what security processes and measures are needed to 
protect the privacy of individuals, and any other issues related to the 
use of fingerprints in the enrollment screening process. We expressed 
interest in comments on this and other possible circumstances in which 
fingerprinting would be potentially useful in provider screening or 
other fraud prevention efforts. Our proposed screening approach 
contemplated requesting fingerprints from providers assigned to the 
high level for screening. We solicited comments on whether this is an 
appropriate requirement, the circumstances under which it might be 
appropriate or inappropriate, and any alternatives to the proposed 
approach regarding fingerprints. Our proposed approach would allow 
States to deny enrollment to newly enrolling providers and to terminate 
existing providers if the provider or if individuals who have an 
ownership or control interest in the provider or who are agents or 
managing employees of the provider refuse to submit fingerprints when 
requested to do so. We solicited comments on this proposal including 
its appropriateness and utility as a fraud prevention tool.
    In addition, we solicited comment on the applicability and 
appropriateness of using, in addition to or in lieu of fingerprinting, 
other enhanced identification techniques and secure forms of 
identification including but not limited to passports, United States 
Military identification, or Real ID drivers licenses. As technology and 
secure identification techniques change, the tools we or State Medicaid 
agencies use may change to reflect changes in technology or in risk 
identification. We solicited comment on the appropriate uses of these 
techniques and the ways in which we should notify the public about any 
tools CMS or State Medicaid agencies would adopt. We also welcomed 
comments on whether there should be differences allowed between Federal 
and State techniques, or among States, and if so, on what basis.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers will apply to providers that participate in CHIP, 
these requirements for criminal background checks and fingerprinting 
under Sec.  455.434 will apply in CHIP.
    Comment: A number of commenters noted the undue and significant 
burden on the States and providers that the criminal background check 
requirement in Sec.  455.434, and specifically the fingerprint 
requirement, would pose. These commenters noted that State Medicaid 
agencies do not have the staff or expertise to conduct the checks. One 
commenter stated that enforcement of this provision will have 
deleterious effects on the Medicaid provider network and act as a 
barrier to care, and recommended removing the fingerprinting and 
background check requirements for high risk providers.
    Other commenters were supportive of the proposal to conduct 
criminal background checks and collection of fingerprints, noting that 
the proposal was intended to screen out unscrupulous providers. One 
commenter recognized that the proposal to add fingerprinting of high 
risk entities was a way to evaluate the background of potential 
providers, to identify fraud and prevent individuals with known 
criminal backgrounds from participating in Medicaid.
    Other commenters were concerned about the relative cost and 
efficiency of conducting the criminal background checks. Several 
commenters suggested that the background checks be at the States' 
discretion. One commenter suggested that CMS conduct any necessary 
fingerprinting, regardless of whether the person or entity is enrolled 
in Medicare. Another commenter recommended that CMS consider limiting 
FBI criminal background checks to cases in which there is reasonable 
cause to believe the subject may have a criminal record in another 
State.
    Response: We have considered all the comments received and are 
sensitive to the burden the criminal background checks and 
fingerprinting will pose to the State Medicaid agencies and the 
affected providers. However, we believe that criminal background checks 
are an effective means of evaluating a high risk provider. Furthermore, 
we believe that fingerprinting high risk providers and their owners are 
worthwhile endeavors to determine identity and whether the provider and 
other individuals have been involved in criminal activities that would 
adversely impact the Medicaid program. While we are finalizing the 
requirement to conduct criminal background checks and collect 
fingerprints for high risk providers, the requirement will be limited 
to providers and persons with a five percent or more direct or indirect 
ownership interest in the provider. There will be no requirement to 
conduct criminal background checks on, or collect the fingerprints of, 
persons with a control interest in the provider or the agents or 
managing employees of high risk providers. However, we intend to 
monitor the situation and may seek to extend the scope of fingerprint-
based criminal background checks in the future if circumstances 
warrant. We are making the appropriate changes to Sec.  455.434. States 
will not be required to implement criminal background checks and 
fingerprinting until we issue additional guidance. To the extent that 
States have the ability to conduct background checks and collect 
fingerprints at this time, it is within their discretion to do so prior 
to the delayed implementation date. States have the discretion to 
impose more stringent requirements for Medicaid-only and CHIP-only 
providers than those we are requiring.
    Comment: One commenter asked how results of criminal background 
checks would be communicated in data available to States from CMS.
    Response: We are currently examining to what extent we can support 
a centralized information sharing solution for provider screening 
results across programs and across States. The individual results of a 
criminal background checks performed, however, would likely be sent 
directly to the agency requesting the background check from the entity 
that performed the check.
    Comment: One commenter asked whether there would be standard 
criteria that define the types of convictions that warrant denial of a 
provider's application.
    Response: Whether to deny enrollment or to terminate enrollment are 
decisions that are within the discretion of each State Medicaid agency 
in accord with Sec.  455.416. Thus, the types of convictions that 
warrant denial of enrollment would be at the discretion of the State 
Medicaid agency.
    Comment: Some commenters asked what level of background check was 
required, for example, were State Medicaid agencies expected to do a 
Federal criminal background check or a State criminal background check.
    Response: While it is within the State Medicaid agency's discretion 
to decide whether to conduct State or Federal background checks for 
Medicaid-only providers, we recommend that the State conduct Federal 
criminal background checks which would provide information that is 
national in scope and therefore would be more complete.

[[Page 5903]]

    Comment: A few commenters questioned which databases a States 
should consult to compare fingerprints against in order to do the 
screening under this provision, in the event that law enforcement is 
not available to review the fingerprints?
    Response: We are not aware of databases that the State Medicaid 
agencies might search, however, there are vendors that provide the 
service for a fee.
    Comment: One commenter questioned whether the State Medicaid agency 
must perform a criminal background check in its State only or in the 
neighboring State for a provider applicant that only provides services 
in the neighboring State.
    Response: The States have the discretion to decide, however, we 
would recommend conducting a FBI criminal history record check, which 
would provide information that is national in scope and therefore would 
be more complete and would be preferable to a State background check in 
either the enrolling State or the neighboring State.
    Comment: Some commenters noted that fingerprints created a 
logistical concern for the State Medicaid agencies. Once they have 
obtained the fingerprint cards from the providers, should the States 
maintain the files, how should they maintain the cards, and for how 
long? If electronic files, how should the States maintain those files?
    Response: The State Medicaid agencies should follow their existing 
records retention laws and procedures, however we recommend that the 
State Medicaid agencies retain the files for at least 5 years, until 
the provider's revalidation. To the extent that a State Medicaid agency 
itself receives the fingerprints submitted, we expect them to maintain 
those files in a secure manner to protect the privacy of the individual 
who submitted the fingerprints.
    Comment: One commenter suggested that the provision be revised so 
that it does not require two copies of the fingerprint card but allows 
for collection of two copies if the State determines that two copies 
are needed.
    Response: We agree, and are making that change to Sec.  455.434.
e. Deactivation and Reactivation of Provider Enrollment--Medicaid and 
CHIP
    Section 1902(kk)(1) of the Act requires the screening of Medicaid 
providers to ensure they are eligible to provide services and receive 
payments. In an effort to further protect the Medicaid program and to 
be consistent with longstanding Medicare requirements, we proposed in 
Sec.  455.418 that any Medicaid provider that has not submitted any 
claims or made a referral that resulted in a Medicaid claim for a 
period of 12 consecutive months must have its Medicaid provider 
enrollment deactivated. Further, under Sec.  455.420, we proposed that 
any such provider wishing to be reinstated to the Medicaid program must 
first undergo all disclosures and screening required of any other 
applicant. In addition, we proposed that the provider must pay any 
associated application fees under Sec.  455.426.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers will apply to providers that participate in CHIP, 
the proposed requirements for deactivation and reactivation of provider 
enrollment under Sec.  455.418 and Sec.  455.420 would apply in CHIP.
    Comment: A few commenters supported the proposed requirement as 
written. A number of commenters were supportive of the spirit of this 
proposed requirement but suggested that we lengthen the timeframe to 24 
months. Other commenters expressed concern regarding the applicability 
of the application fee when reactivating enrollment and suggested that 
Medicaid follow a streamlined reactivation process similar to what 
occurs in the Medicare program.
    One State commenter expressed concern that the requirement to 
deactivate providers would necessitate deactivating one third of the 
State's enrolled providers. Other State commenters noted that out-of-
State providers would routinely be deactivated because their billings 
are so infrequent.
    Response: We recognize that many out-of-State providers provide 
occasional emergency treatment to Medicaid beneficiaries, and that 
requiring States to deactivate those providers after a year without 
billings would cause administrative burdens for the States and the 
providers. We believe States should have the discretion to police their 
own provider enrollment, although we recommend that States deactivate 
provider numbers that have not been used for an extended period of 
time.
    After reviewing the comments received and other operational 
considerations we are not finalizing the requirement for deactivation 
of provider numbers after 12 months in Sec.  455.418 at this time.
f. Enrollment and NPI of Ordering or Referring Providers--Medicaid and 
CHIP
    Section 1902(kk)(7) of the Act provides that States must require 
all ordering or referring physicians or other professionals to be 
enrolled under a Medicaid State plan or waiver of the plan as a 
participating provider. Further, the NPI of such ordering or referring 
provider or other professional must be on any Medicaid claim for 
payment based on an order or referral from that physician or other 
professional.
    Providers and suppliers under Medicare and providers in the 
Medicaid program are already subject to the requirement that the NPI be 
on applications to enroll and on all claims for payment, pursuant to 
section 6402(a) of the ACA, amending section 1128J of the Act, and 
under Sec.  424.506, Sec.  424.507, and Sec.  431.107, as amended by 
the May 5, 2010 interim final rule with comment period (75 FR 24437).
    In Sec.  455.410, we proposed that any physician or other 
professional ordering or referring services for Medicaid beneficiaries 
must be enrolled as a participating provider by the State in the 
Medicaid program. We proposed that this would apply equally to fee for 
service providers or MCE network-level providers.
    Additionally, we proposed to amend Sec.  438.6 to require that 
States must include in their contracts with MCEs a requirement that all 
ordering and referring network-level MCE providers be enrolled in the 
Medicaid program, as are fee for service providers, and thus are 
screened directly by the State.
    Although the NPI requirements in section 6402(a) of the ACA did not 
extend to CHIP providers, section 6401 of the ACA does apply equally to 
CHIP, and the proposed requirement for ordering and referring 
physicians or other professionals under the Medicaid program apply 
equally under CHIP.
    In addition, in Sec.  455.440, we proposed that all claims for 
payment for services ordered or referred by such a physician or other 
professional must include the NPI of the ordering or referring 
physician or other professional. We proposed that this would apply 
equally to fee for service providers or MCE network-level providers.
    It is essential that all such claims have the ordering or referring 
NPI and that the State has properly screened the ordering or referring 
physician or other professional. Without such assurances,

[[Page 5904]]

it is difficult for CMS or the State to determine the validity of 
individual claims for payment or to conduct effective data mining to 
identify patterns of fraud, waste, and abuse.
    As stated previously, pursuant to section 2107(e)(1) of the Act, 
all provisions that apply to Medicaid under sections 1902(a)(77) and 
1902(kk) of the Act apply to CHIP. Because we proposed a new regulation 
in Part 457 under which all provider screening requirements that apply 
to Medicaid providers will apply to providers that participate in CHIP, 
these requirements for provider enrollment and NPI under Sec.  455.410 
and Sec.  455.440 apply in CHIP.
    Comment: Many commenters expressed concern regarding whether the 
ordering and referring requirements in the proposed rule applied in the 
managed care environment. Many State, MCO, and association commenters 
also expressed concern regarding the impact that mandatory enrollment 
under Sec.  455.410 would have upon Medicaid beneficiary access to 
providers. These commenters stated concerns about the ability to 
contract with providers and other professionals if there was a 
requirement for those providers to be enrolled with the State as 
participating providers. The MCO and association commenters also cited 
their concerns about network level providers wanting to control their 
practices and not being mandated to participate in the Medicaid program 
when their preference was to serve in a Medicaid MCO. In addition, a 
State commenter expressed the concern that they be able to attract MCOs 
to their programs to provide choice to beneficiaries.
    Several State commenters also noted that adding managed care 
ordering and referring providers to their rolls in addition to the 
proposed requirement for re-enrollment every 5 years, as well as the 
other proposed screening requirements would impose administrative and 
fiscal burden on State resources.
    A few association commenters suggested that States implement a 
registration process whereby MCO network level providers would engage 
in a process short of full enrollment with the Medicaid agency, solely 
for the purpose of screening. Several commenters also expressed 
concerned related to: (1) Consistency of screening across Medicare and 
Medicaid, and across the MAOs and Medicaid managed care; and (2) who 
would conduct the screening. There was some confusion about whether the 
MAOs and MCOs would conduct the screening of the network level 
providers, or whether Medicare contractors and State Medicaid agencies 
would conduct the screening. There was also the issue of MAO providers 
not being specifically required to be enrolled to order or refer for 
the items and services they ordered or referred for Medicare 
beneficiaries to be paid.
    A few commenters noted the adequacy of current credentialing 
performed by Medicaid MCOs and the absence of any statement to the 
contrary justifying enrollment of network level ordering and referring 
providers.
    Several State commenters questioned how the NPI requirement would 
apply in a managed care environment, when risk-based health plans file 
claims for payment for the services of their subcontracted network 
level providers based on the contract between the State and the risk-
based health plan. The network level providers ordering or referring 
items or services do not file claims for payment as fee-for-service 
providers do.
    Response: After careful consideration of the comments we received, 
as well as the statutory language, we have determined that the new 
requirements for ordering and referring physicians should not apply in 
a risk based managed care context. We do not believe it was the intent 
of the Congress to impose stricter requirements on the Medicaid program 
than are imposed in Medicare. To require Medicaid managed care 
providers that order or refer items or services for Medicaid 
beneficiaries to enroll as Medicaid participating providers when MAO 
providers are not also required to enroll in the Medicare program to 
order or refer items or services for Medicare beneficiaries would be to 
treat the programs unequally.
    In consideration of the concerns for beneficiary access and the 
administrative burden that enrollment of MCO ordering and referring 
physicians and other professionals would impose on State Medicaid 
agencies, and in consideration of the parity of requirements for the 
Medicaid and Medicare programs, we are not requiring that ordering and 
referring physicians and other professionals in managed care risk based 
health plans enroll as participating providers by State Medicaid 
programs. Consequently, we are not finalizing the proposed change to 
Sec.  438.6 that would have required State managed care contracts to 
require network level providers enroll with the Medicaid agency as 
participating providers.
    We are limiting the exemption to risk based managed care. Section 
1902(kk)(7) requires that States must require all ordering or referring 
physicians or other professionals to be enrolled under a Medicaid State 
plan or waiver of the plan as a participating provider. We want to give 
the greatest effect to the statute while creating the least adverse 
impact on beneficiaries. Had we extended the exemption to all forms of 
managed care, for example, we would have allowed physicians or other 
professionals that participate in primary care case management programs 
that operate under State plan waivers to avoid enrollment with a 
State's Medicaid program; or we would have allowed home and community 
based services program providers that order or refer to avoid 
enrollment, to the extent that a State requires such enrollment. We 
also gave consideration to the comments we received regarding access, 
burden on State processes, and credentialing. The State and managed 
care organization commenters expressed concerns about beneficiary 
access to managed care networks and providers, which would be likely to 
occur in the risk-based forms of managed care, but not in primary care 
case management, for example. The States also expressed concerns about 
the burden of enrolling as participating providers those physicians and 
other professionals in managed care. Again, we interpret their concerns 
to be about risk-based forms of managed care, rather than forms of 
managed care in which the provider or entity bears no risk, because in 
the vast majority of States network level providers in risk-based forms 
of managed care are not enrolled with the Medicaid agency. Primary case 
care managers, however, are already enrolled with the Medicaid agency 
as fee-for-service providers. In addition, risk-based managed care 
entities conduct credentialing required under Federal regulations and 
subject to the terms of the contracts between the States and the MCOs, 
PIHPs, or PAHPs. Providers that participate in non-risk-based forms of 
managed care are subject to the various enrollment requirements that 
each State may designate.
    Given that managed care services are recorded in encounter claims, 
we recognize that it is not always possible for such an ordering or 
referring physician's or other professional's NPI to be reflected on 
such a claim. We leave it to the State's discretion, based in part on 
the capability of the State's systems, to require entrance of the NPI 
on the encounter record.
    Comment: A commenter requested clarification on whether the 
requirement for ordering and referring physicians or other 
professionals to be enrolled with a State Medicaid agency would apply 
to professionals who may not be eligible to

[[Page 5905]]

enroll in a State's Medicaid program but who provide services under the 
supervision of an enrolled provider and whose services are billed under 
the provider identification number of that eligible Medicaid enrolled 
provider.
    Response: The requirement for other ordering or referring 
professionals to enroll with a State's Medicaid program as a 
participating provider would depend on whether a State's Medicaid 
program recognized the professional as a Medicaid provider. If it did 
not, there would be no requirement to enroll.
    Comment: Several commenters expressed concern about the 
applicability of Sec.  455.410 and Sec.  455.440 to public school 
districts. Public schools deliver Medicaid school based health services 
to Medicaid eligible children and therefore are enrolled as Medicaid 
providers. Commenters expressed concern about public school-based 
providers, for example, speech language therapists, school 
psychologists, occupational therapists, and physical therapists, 
employed by public school districts being required to enroll with the 
Medicaid agency as ordering and referring physicians or other 
professionals. The commenters noted that public school based providers 
are able, but have not been required in the past, to get an NPI. Public 
school districts have included their NPI on claims and the clinicians 
are assigned unique provider identification numbers to facilitate 
identification of providers and services. Therefore, the commenters 
encourage an exemption for public school based providers from the NPI 
requirement.
    Response: Public school based providers are subject to the ordering 
and referring requirements set forth in Sec.  455.410 and Sec.  
455.440. However, as a way to minimize the administrative burden of 
enrolling additional providers, State Medicaid agencies may implement a 
streamlined enrollment process for those providers who only order or 
refer, that is, who do not bill for services, similar to the CMS-855-O 
process in the Medicare program. Additionally, State Medicaid agencies 
may delegate to State or local governmental agencies, such as public 
school districts, the responsibility to screen public school based 
providers and to assign unique provider identification numbers for 
claims identification.
    Comment: Several commenters noted that the regulations at Sec.  
455.410 do not address whether CMS will provide a reliable mechanism or 
national database in which screening results can be shared. Without a 
method to obtain results from these other entities, States will have to 
screen all Medicaid providers at considerable cost. One commenter noted 
that Medicare and CHIP do not define providers the same way which will 
lead to confusion over who has been screened through Medicare and the 
sister agencies.
    Response: We are currently examining to what extent we can support 
a centralized information sharing solution for provider enrollment 
across programs and across States.
    Comment: Several commenters responded that the proposed regulation 
would be burdensome on both States and providers, requiring providers 
who do not normally work with the Medicaid program and new groups of 
providers to enroll. One commenter suggested that rather than being 
required to enroll with the Medicaid program, providers be permitted to 
use the NPI as evidence of successful Medicare screening and 
enrollment.
    Response: We are sensitive to the additional burden that obtaining 
an NPI will pose, however, inclusion of the NPI on all Medicaid claims 
is a statutory requirement. The commenter suggested that providers 
enroll with Medicare and use the NPI as evidence of successful 
screening and enrollment. Providers should be aware that the NPI is not 
evidence of successful Medicare screening and enrollment, but providers 
who are actually enrolled in Medicare will not have to be screened 
again by the States to be enrolled in the Medicaid programs. The States 
may implement a streamlined enrollment process for those providers who 
only order or refer, that is, who do not bill for services, similar to 
the CMS-855-O process in the Medicare program.
    Comment: One commenter described a scenario of a salaried hospital 
physician who was not enrolled by the State Medicaid agency, but the 
hospital that employed the physician was an enrolled, participating 
Medicaid provider. The commenter questioned whether the referral rule 
applied to the physician.
    Response: Yes, the salaried hospital physician must enroll with the 
State Medicaid agency to order or refer for Medicaid beneficiaries.
    Comment: A commenter sought clarification whether the order or 
referral rule applied when an order or referral was made prior to the 
Medicaid beneficiary being eligible for Medicaid.
    Response: No, if the order or referral was made before the 
beneficiary was Medicaid eligible, then the beneficiary may have the 
order filled or the referral fulfilled and the claim for the order or 
referral will be paid.
    Comment: A commenter asked whether the ordering and referring rule 
applied to Medicare crossover claims.
    Response: Yes, the beneficiary's claims would be Medicaid claims, 
therefore the provider who ordered or referred the Medicaid 
beneficiary's services would be required to be enrolled as a Medicaid 
participating provider.
    Comment: One commenter requested clarification on whether CMS will 
be changing claims forms to accommodate the collection of information 
regarding ordering and referring providers.
    Response: To the extent it is necessary for the State Medicaid 
agencies to make changes to their claim forms to accommodate the new 
requirement regarding ordering and referring providers, and then the 
States should make those changes.
    Comment: Several commenters sought clarification on whether the 
terms ``ordering and referring physicians or other professionals'' 
included prescribing providers.
    Response: We interpret the statutory terms ``ordering'' and 
``referring'' to include prescribing (either drugs or other covered 
items) or sending a beneficiary's specimens to a laboratory for testing 
or referring a beneficiary to another provider or facility for covered 
services.
    Comment: Some of the commenters sought clarification on the 
definition of the term ``other professional.'' For example, does it 
include rendering providers, non-professional providers, or providers 
in waiver programs?
    Response: Under Sec.  455.410(b) and section 1902(kk) of the Act, 
the phrase ``ordering and referring physicians and other 
professionals'' does not include rendering providers, as these 
authorities impose a new enrollment requirement with respect to 
physicians and other professionals that order or refer items or 
services for Medicaid beneficiaries. Other professionals include any 
person or entity recognized to be enrolled by a State Medicaid agency, 
and that may order or refer. Of course, to be able to submit a claim to 
a State Medicaid agency, for services rendered or items supplied to a 
Medicaid beneficiary, a provider must be enrolled as a participating 
provider with that State Medicaid agency.
    Comment: One commenter sought clarification whether the requirement 
for all ordering and referring physicians or other professionals to be 
enrolled with the Medicaid agency as participating providers applied to 
IHS providers.
    Response: IHS providers are required to comply with Sec.  
455.410(b). However,

[[Page 5906]]

as a way to minimize the administrative burden of enrolling additional 
providers, State Medicaid agencies may implement a streamlined 
enrollment process for those providers who only order or refer, that is 
who do not bill for services, similar to the CMS-855-O process in the 
Medicare program.
    Comment: A commenter questioned whether a provider that has 
enrolled as a participating provider to comply with Sec.  455.410(b) 
must submit fee-for-service claims to the Medicaid agency, or is the 
provider's status as an enrolled provider sufficient for compliance.
    Response: Under Sec.  455.410(b), a physician or other professional 
need not submit fee-for-service claims to the State Medicaid agency to 
remain enrolled as a Medicaid provider.
    Comment: With respect to Sec.  455.440, one State asked whether the 
provider's NPI must be on each and every claim or whether it is 
sufficient for the provider's NPI to be on file with the State Medicaid 
agency, and whether the prescribing provider's NPI would be required on 
pharmacy claims.
    Response: Under Sec.  455.440, ``all claims for payment for items 
and services that were ordered or referred'' must contain the NPI. This 
is based upon the statutory requirement in section 1902(kk)(7)(B) of 
the Act that States require the NPI ``of any ordering and referring 
physician or other professional to be specified on any claim for 
payment that is based upon an order or referral of the physician or 
other professional.'' Therefore, the provider's NPI must be on every 
claim, including pharmacy claims; it is not sufficient for the 
provider's NPI to be on file.
g. Other State Screening--Medicaid and CHIP
    Section 1902(kk)(8) of the Act establishes that States are not 
limited in their abilities to engage in provider screening beyond those 
required by the Secretary. Accordingly, in Sec.  455.452, we proposed 
that States may utilize additional screening methods, in accordance 
with their approved State plan.
    As stated previously, pursuant to section 2107(e)(1) of the Act and 
specified in our regulations in Part 457, all provisions that apply to 
Medicaid under sections 1902(a)(77) and 1902(kk) of the Act apply to 
CHIP. Because we proposed a new regulation under which all provider 
screening requirements that apply to Medicaid providers will apply to 
providers that participate in CHIP, this requirement for other State 
screening under Sec.  455.452 applies in CHIP.
h. Final Screening Provisions--Medicaid and CHIP
    We are adopting the Medicaid and CHIP provider screening 
requirements as proposed with the following modifications:
     We clarified Sec.  455.104(b)(1) regarding the elements of 
corporate addresses.
     We clarified Sec.  455.104(b)(2) with regard to whom the 
spouse, parent, child, or sibling is related.
     We clarified Sec.  455.104(b)(4) to require managing 
employees to provide SSNs and DOBs.
     We clarified Sec.  455.104(c)(1), and Sec.  
455.104(c)(1)(i) and (ii) to include submission of disclosures from 
disclosing entities as well as providers.
     We clarified Sec.  455.104(c)(1)(iii) to require 
submission of disclosures upon the request of the Medicaid agency 
during the revalidation of enrollment process.
     We are adopting Sec.  455.450 with modifications, having 
clarified that the State agency must screen applications both in re-
enrollment and re-validation of enrollment in the introductory 
paragraph; deleted the reference to publicly traded companies in Sec.  
455.450(a); deleted reference to persons with controlling interests, 
agents and managing employees who are required to provide fingerprints 
in Sec.  455.450(d); and clarified the basis for adjusting a screening 
level related to moratoria Sec.  455.450(e)(2).
     At Sec.  455.414 we clarified that States must revalidate 
the enrollment information of all providers at least every 5 years.
     We are adopting Sec.  455.416 with modifications 
clarifying terminations of persons with 5 percent of more direct or 
indirect ownership interests in the provider; and deleting reference to 
persons with controlling interests, agents and managing employees under 
bases for termination for failure to provide fingerprints.
     We clarified Sec.  455.434 to require criminal background 
checks from providers or persons with a five percent or more direct or 
indirect ownership interest in the provider who meet the State Medicaid 
agency's criteria as a high risk to the Medicaid program; and to 
require fingerprints from providers and person with a five percent or 
more direct or indirect ownership interest in the provider, upon the 
State Medicaid agency's or CMS' request.
     We are not finalizing the proposed provision that States 
deactivate the enrollment of any provider that has not billed for 12 
months.
     And finally, we are not finalizing the proposed 
requirement at Sec.  438.6(c)(5)(vi) that required all ordering and 
referring Medicaid Managed Care network providers to be enrolled as 
participating providers based on commenters' concerns regarding access 
to services for beneficiaries.
5. Solicitation of Additional Comments Regarding the Implementation of 
the Fingerprinting Requirements
    While this final rule with comment period is effective on the date 
indicated herein, we strongly believe that certain issues warrant 
further discussion. Accordingly, we will continue to seek comment 
limited to our implementation of the fingerprinting provisions 
contained in Sec.  424.518 and Sec.  455.434 of this rule.
    Specifically, we seek comment on methods that we can use to ensure 
the privacy and confidentiality of the records that will be generated 
pursuant to adopting the criminal history records check provisions 
specified herein. As described, we will adopt all protocols issued by 
the FBI. However, we are interested in any other privacy concerns that 
interested parties may have in addition to thoughts on how best to 
address these concerns.
    In addition, we seek comment on the means by which we can measure 
the effectiveness of our adoption of criminal history records checks. 
That is, we are seeking comments on tangible, measureable methods we 
should use to demonstrate the effectiveness of these provisions.
    In addition, we seek comment on whether we should adopt additional 
technology to identify providers and suppliers that are enrolling in 
the program. In the proposed rule, we solicited specific comments on 
this topic. However, we are interested in receiving additional input 
from providers, suppliers, and other interested parties in light of the 
provisions set forth in this final rule with comment period.
    As noted, we are only seeking comment on the limited areas 
previously described. We will accept public comment for 60 days 
following publication of this final rule with comment period. To 
reiterate, we are finalizing the requirement that providers and 
suppliers will be subject to criminal history records checks in the 
event they are considered within the ``high'' level of risk as 
described in this rule. Providers and suppliers, and all other 
commenters, are encouraged to submit comments within the 60-day window 
to assist us in best implementing the requirements that we are 
finalizing surrounding this

[[Page 5907]]

technology. We are interested in hearing input from all stakeholders, 
including the beneficiary advocacy community, law enforcement, 
providers, and suppliers that are subject to the requirements set forth 
in this final rule with comment period, and any other interested 
parties.

B. Application Fee--Medicare, Medicaid, and CHIP

1. Statutory Changes
    Section 6401(a) of the ACA, as amended by section 10603 of the ACA, 
amended section 1866(j) of the Act and requires the Secretary of DHHS 
to impose a fee on each ``institutional provider of medical or other 
items or services or supplier.'' The fee would be used by the Secretary 
to cover the cost of screening and to carry out screening and other 
program integrity efforts, including those under section 1866(j) and 
section 1128J of the Act. Since section 10603 of the ACA excludes 
eligible professionals, such as physicians and nurse practitioners, 
from paying an enrollment application fee, we maintain that an 
``institutional provider'' would be any provider or supplier that 
submits a paper Medicare enrollment application using the CMS-855A, 
CMS-855B (not including physician and non-physician practitioner 
organizations), CMS-855S or associated Internet-based PECOS enrollment 
application.
    Section 1866(j)(2)(D)(i) of the Act states that the new screening 
procedures implemented pursuant to section 6401 of the ACA would be 
applicable to newly enrolling providers, suppliers, and eligible 
professionals who are not enrolled in Medicare, Medicaid, or CHIP by 
March 25, 2011. Accordingly, the enrollment application fees for newly 
enrolling institutional providers and suppliers would be applicable on 
that date as well.
    Section 1866(j)(2)(D)(ii) of the Act states that the new screening 
procedures will apply to currently enrolled Medicare, Medicaid, and 
CHIP providers, suppliers, and eligible professionals beginning on 
March 23, 2012. However, because the new procedures are applicable 
beginning on March 25, 2011 for those providers, suppliers, (and 
eligible professionals) currently enrolled in Medicare, Medicaid, and 
CHIP that revalidate their enrollment information, we will begin 
collecting the application fee for those revalidating entities for all 
revalidation activities beginning after March 25, 2011.
    Section 1866(j)(2)(C)(ii) of the Act permits the Secretary, acting 
through CMS, to, on a case-by-case basis, exempt a provider or supplier 
from the imposition of an application fee if CMS determines that the 
imposition of the enrollment application fee would result in a 
hardship. It also permits the Secretary to waive the enrollment 
application fee for Medicaid providers for whom the State demonstrates 
that imposition of the fee would impede Medicaid beneficiaries' access 
to care.
    Section 1866(j)(2)(C)(i)(I) of the Act establishes a $500 
application fee for providers and suppliers in 2010. For 2011 and each 
subsequent year, the amount of the fee would be the amount for the 
preceding year, adjusted by the percentage change in the consumer price 
index for all urban consumers (all items; United States city average), 
(CPI-U) for the 12-month period ending with June of the previous year. 
To ease the administration of the fee, if the adjustment sets the fee 
at an uneven dollar amount, we will round the fee to the nearest whole 
dollar amount.
2. Proposed Application Fee Provisions
    In Sec.  424.502, we also proposed to establish a definition for an 
``institutional provider'' as it relates to the submission of an 
application fee. We proposed that an ``institutional provider'' means 
any provider or supplier that submits a paper Medicare enrollment 
application using the CMS-855A, CMS-855B (but not physician and 
nonphysician practitioner organizations), or CMS-855S or associated 
Internet-based PECOS enrollment application.
    For purposes of Medicare, Medicaid, and CHIP, we interpret the 
statutory reference to ``institutional provider[s] of medical or other 
items or services or supplier'' to include, but not be limited to: The 
range of ambulance service suppliers; ASCs; CMHCs; CORFs; DMEPOS 
suppliers; ESRD facilities; FQHCs; histocompatibility laboratories; 
HHAs; hospices; hospitals, including but not limited to acute inpatient 
facilities, inpatient psychiatric facilities (IPFs), inpatient 
rehabilitation facilities (IRFs), and physician-owned specialty 
hospitals; CAHs; independent clinical laboratories; IDTFs; mammography 
centers; mass immunizers (roster billers); OPOs; outpatient physical 
therapy/occupational therapy/speech pathology services, portable x-ray 
suppliers; SNFs; radiation therapy centers; RNHCIs; and RHCs.
    In addition to the providers and suppliers listed previously, for 
purposes of Medicaid and CHIP, we proposed that a State may impose the 
application fee on any institutional entity that bills the State 
Medicaid program or CHIP on a fee-for-service basis, such as: Personal 
care agencies, non-emergency transportation providers, and residential 
treatment centers, in accordance with the approved Medicaid or CHIP 
State plan.
    We proposed that an application fee will not be required from an 
eligible professional who reassigns Medicare benefits to another 
individual or organization, since it would not create a new enrollment 
of an institutional provider or supplier that would result in an 
application fee. In addition, we proposed that in no case would the 
application fee be required from any individual physician or Part B 
medical group/clinic.
    We proposed that an application fee will be required with the 
submission of an initial enrollment application, the application to 
establish a new practice location, as a part of revalidation, or in 
response to a CMS revalidation request.
    We proposed that prospective institutional providers and suppliers 
as well as currently enrolled providers who are revalidating their 
enrollment in Medicare must submit the applicable application fee or 
submit a request for a hardship exception to the application fee at the 
time of filing a Medicare enrollment application on or after March 25, 
2011 in the case of prospective providers or suppliers, and in the case 
of revalidations. We believe that it is essential that we are able to 
receive and deposit the application fee or consider the institutional 
provider's request for a hardship exception prior to initiating an 
application review. Therefore, we would not begin processing an 
application for either a new provider or supplier, or for a provider or 
supplier that is currently enrolled, until the enrollment application 
fee is received and is credited to the United States Treasury.
    The fee would accompany the certification statement that the 
provider or supplier signs, dates, and mails to CMS via the appropriate 
Medicare contractor if the provider or supplier uses Internet-based 
PECOS to enroll or revalidate. The fee would accompany the paper CMS-
855 provider enrollment application if the provider or supplier enrolls 
or revalidates by paper. Because the statutory provisions are effective 
for newly enrolling providers and suppliers effective March 25, 2011 
institutional providers and suppliers will not be required to furnish 
the application fee with applications submitted before that date. 
However, because the ACA provides that the new procedures will be 
applicable beginning on March 25, 2011 for those providers and 
suppliers, (and eligible professionals) currently

[[Page 5908]]

enrolled in Medicare, Medicaid, and CHIP that revalidate their 
enrollment information, we will begin collecting the application fee 
for those revalidating entities for all revalidation activities 
beginning after March 25, 2011. We will not collect the fee from 
individual physicians and eligible professionals.
    We proposed that CMS reject and return to the provider or supplier 
an initial enrollment application submitted by a provider or supplier, 
without further review as to whether the provider or supplier qualifies 
to enroll in the Medicare program, when the Medicare enrollment 
application or the Certification Statement is received by the Medicare 
contractor and the provider or supplier did not include a request for 
hardship exception to the application fee, did not include the 
application fee or the appropriate number of application fees, if 
applicable. We do not believe that it is appropriate for CMS to begin 
the application review process without first having received the 
application fee.
    We proposed that the CMS reject any initial enrollment applications 
submitted after March 23, 2011, if a provider or a supplier did not 
furnish the application fee at the time of filing, using Sec.  
424.525(a)(3) as the legal basis for the rejection.
    In Sec.  424.525(a)(3), we proposed adding a new reason why CMS 
could reject an initial enrollment application or an application to 
establish a new practice location. Specifically, we proposed a new 
Sec.  424.525(a)(3) to state, ``The prospective institutional provider 
or supplier does not submit an application fee in the appropriate 
amount or a hardship exception request with the Medicare enrollment 
application at the time of filing.''
    We also believe CMS should be allowed to reject an initial 
enrollment application received from a provider or supplier on or after 
March 25, 2011, using Sec.  424.525(a)(1) as the legal basis, if, for 
any reason, CMS is not able to deposit the full application amount into 
a government-owned account or the funds are not able to be credited to 
the U.S. Treasury. In the case where a provider or supplier did not 
submit the application fee because they requested a hardship exception 
that is not granted, a provider or supplier has 30 days from the date 
on which the contractor sends notice of the rejection of the hardship 
exception request to send in the required application fee and 
application forms.
    In Sec.  424.535, we proposed adding a new reason why a CMS can 
revoke Medicare billing privileges. Specifically, we proposed a new 
Sec.  424.535(a)(6)(i) to state that billing privileges may be revoked 
if ``An institutional provider does not submit an application fee or 
hardship exception request that meets the requirements set forth in 
Sec.  424.514 with the Medicare revalidation application or the 
hardship exception is not granted.''
    In addition, in Sec.  424.535, we proposed a new Sec.  
424.535(a)(6)(ii) to state that billing privileges shall be revoked if 
``CMS is not able to: deposit the full application amount into a 
government-owned account or the funds are not able to be credited to 
the U.S. Treasury.''
    In Sec.  424.514(b), we proposed that currently enrolled 
institutional providers and suppliers that are subject to CMS 
revalidation efforts must submit the applicable application fee or 
submit a request for a hardship exception to the application fee at the 
time of filing a Medicare enrollment application on or after March 23, 
2011.
    In Sec.  424.514(d)(2)(iii), we proposed that institutional 
providers submit the application fee with each initial application, 
application to establish a new practice location, or with the 
submission of an application in response to a CMS revalidation request.
    In Sec.  424.514(d)(2), we proposed that the application fee be 
based on the amount calculated by CMS using the CPI-U for the 12-month 
period ending June 30 of the previous year and adjusted annually to be 
effective January 1st of the following year. In Sec.  424.514(d)(2)(v), 
we proposed that the application fee be non-refundable. Neither the 
Federal government, its Medicare contractors, State Medicaid agencies 
or CHIP should be liable for reimbursement of the application fee to 
the provider or supplier if the application fee has been received by 
the Medicare contractor and deposited into a government-owned account 
and, later, during the course of verifying, validating, and processing 
the information in the enrollment application, CMS appropriately denies 
the enrollment application. Appropriate denial requires a substantive 
reason and applications will not be denied over inconsequential errors 
or omissions or over errors or omissions corrected timely.
    In Sec.  424.514(d)(4)(vi), we proposed that a provider or supplier 
must submit a new application fee if the provider or supplier resubmits 
a Medicare enrollment application because a previously submitted 
enrollment application was appropriately denied or rejected. In some 
cases, a rejected application would be returned to the provider or 
supplier along with the application fee; in other cases, the 
application would be denied and the application fee retained by the 
Federal government because the processing of the application would have 
already begun. In those latter cases, CMS funds would have been 
expended for some or all of the required screening involved in 
processing the application. For example, if a home health agency 
enrollment application is rejected because the enrollment application, 
or the certification statement generated by Internet-based PECOS, was 
not signed, the enrollment application would be rejected and it and the 
check for the application fee would both be returned to the home health 
agency. If a home health agency enrollment application is denied based 
on non-compliance with a provider enrollment requirement or because the 
HHA did not meet the conditions of participation for its provider type, 
the enrollment would be denied and the application fee would be 
retained by the Federal government. If the HHA wishes to send a new 
enrollment application, it would have to include another application 
fee with that new enrollment application. Similarly, we propose that a 
provider or supplier would be required to submit to the Medicare 
contractor a new application fee with a subsequent enrollment 
application if, among other things, the previous enrollment application 
was rejected because the provider or supplier did not timely furnish 
the Medicare contractor with the applicable supporting documentation or 
information necessary to complete its review and verification of the 
previous enrollment application.
    In Sec.  424.514(d)(6)(vii), we proposed that the application fee 
must be able to be deposited into a government-owned account before an 
enrollment application will be approved.
    Because we proposed that a State may rely on the results of the 
screening conducted by the Medicare contractor to meet the screening 
requirements for participation in a State Medicaid program or CHIP, we 
proposed that, for dually participating providers, the application fee 
would be imposed at the time of the Medicare enrollment application, 
consistent with the procedures described previously. Additionally, 
because the purpose of the application fee is to, in part, cover the 
costs of conducting the provider and supplier screening activities, we 
proposed that a provider or supplier enrolled in more than one program 
(that is, Medicare and Medicaid or CHIP, or all three programs) would 
only be subject to the application fee under Medicare and that the fee 
would cover

[[Page 5909]]

screening activities for enrollment in all programs.
    Section 1866(j)(2)(C)(iii) of the Act also permits the Secretary to 
grant, on a case-by-case basis, exceptions to the application fee for 
institutional providers and suppliers enrolled in the Medicare and 
Medicaid programs and CHIP if the Secretary determines that imposition 
of the fee would result in a hardship. One instance that might support 
a request for hardship exception is in the event of a national public 
health emergency where a provider or supplier is enrolling for purposes 
of furnishing services required as a result of the national public 
health emergency situation. Such requests will be considered on a case-
by-case basis, as required by the statute. In addition, we solicited 
comments on the appropriate objective criteria that should be used in 
making a hardship determination and if there are any other 
circumstances in which such exemptions should be allowed. We also 
solicited comment on the kinds of documents to be submitted to CMS or 
its contractor to exhibit hardship, including any comments on the 
financial or legal records that might be needed to make a determination 
of hardship. Section 1866(j)(2)(C)(iii) of the Act also permits the 
Secretary to waive the application fee for providers enrolled in a 
State Medicaid program for whom the State demonstrates that imposition 
of the fee would impede beneficiary access to care. We solicited 
comments on how waivers from the application fee should be implemented 
for Medicaid-only or dually-participating Medicare and Medicaid 
providers and suppliers specifically those seeking to furnish services 
where beneficiary access issues are prevalent, either geographically or 
in the provision of the services.
    We are committed to assuring access to care for program 
beneficiaries. We are in the process of developing promising practices 
related to ensuring access in the Medicaid program and CHIP. We also 
solicited comments on the appropriate criteria that we should consider 
for purposes of the proposed fee. We were particularly interested in 
hearing from States, providers, advocates, and other stakeholders 
relating to concrete examples based on experiences in using specific 
access criteria.
    Based on the statutory requirements for calculating the application 
fee, we offer the following example for purely illustrative purposes. 
The initial application fee beginning in 2010 is established by law at 
$500. However, for the following year, when the annual Consumer Price 
Index (CPI-U) is calculated for the period ending June 2010, we would 
recalculate the application fee using the CPI-U. Thus, if the CPI 
increased by 2.34 percent for the 12 month period ending June 2010, the 
application fee would be calculated by multiplying the fee for the year 
by the CPI-U. The $500 application fee established by law on in 2010 
would be multiplied by 1.0234 to give $511.70. We would then round to 
the nearest dollar amount of $512.00. This would be the amount of the 
fee in effect for 2011, and would apply to applications received after 
the effective date of the statute--March 25, 2011 for newly enrolling 
providers and suppliers and for revalidating providers and suppliers. A 
similar process, based on the CPI-U for the period of July 1, 2010 
through June 30, 2011 would be used to calculate the fee that would 
become effective on January 1, 2012, and that would apply to new and 
currently enrolled providers or suppliers that submit applications on 
or after March 23, 2012. In Sec.  424.514(d)(2), we proposed that the 
annually recalculated application fee amount would be effective for the 
calendar year during which the application for enrollment is being 
submitted.
    The amount of the application fee that is required of enrolling 
providers or suppliers, would be the amount that is in effect on the 
day the provider or supplier mails an enrollment application or 
Certification Statement, postmarked by the USPS, or if mailed though a 
private mail service the date of receipt by the Medicare contractor. 
Because the application fee will become an integral part of the 
enrollment process, we believe that it is essential that we notify 
State Medicaid Agencies and the public about any changes in the 
application fee prior to implementing a change in the fee. Accordingly, 
we would afford States and the public with at least 30 days' notice of 
any impending change in the application fee. We will make such 
notification annually in the Federal Register and by issuing guidance 
to the State Medicaid and CHIP Directors, issuing CMS provider and 
supplier listserv messages, making announcements at CMS Open Door 
Forums, and placing information on the CMS Provider/Supplier Enrollment 
Web page (http://www.cms.gov/MedicareProviderSupEnroll).
    We proposed that a provider or supplier that believes it is 
entitled to a hardship exception from the application fee enclose a 
letter with the enrollment application or, if using Internet-based 
PECOS, with the Certification Statement, explaining the nature of the 
hardship. Further, we proposed that we would not begin to process an 
enrollment application submitted with a letter requesting a hardship 
exception from the application fee until it makes a decision on whether 
to grant the exception. Further, we proposed that we a make hardship 
exception determination within 60 days from receipt of the request from 
an institutional provider and CMS contractor notify the applicant or 
enrolled institutional provider or supplier by letter approving or 
denying the request for a hardship exception. Moreover, if we deny the 
request for hardship exception, we would provide our reason(s) for 
denying the hardship exception.
    In Sec.  424.530(a)(9), we proposed adding a new reason why CMS can 
deny Medicare billing privileges. Specifically, we proposed a new Sec.  
424.530(a)(9) to state, ``An institutional provider's or suppliers 
``hardship exception'' request is not granted and the provider or 
supplier does not submit the application fee within 30 days of 
notification that the hardship exception request was not approved.''
    In Sec.  424.535(a)(6)(i), we proposed adding a new reason why CMS 
can revoke Medicare billing privileges. Specifically, we proposed a new 
Sec.  424.535(a)(6)(i) to state, ``An institutional provider does not 
submit an application fee or ``hardship exception'' request that meets 
the requirements set forth in Sec.  424.514 with the Medicare 
revalidation application or the hardship exception request is not 
granted and the institutional provider does not submit the applicable 
application form or the application fee within 30 days of being 
notified that the hardship exception request was denied.''
    We also proposed that an institutional provider may appeal the 
determination not to grant a hardship exception from the application 
fee using the provider enrollment appeals process established in Sec.  
405.874 and found in 1866(j)(2) of the Act.
    In Sec.  455.460, we proposed that, for those providers who do not 
participate in Medicare, the State may collect the fee established by 
the Secretary as outlined previously as the State will be responsible 
for conducting the provider screening activities for these providers. 
Total fees collected will be used to offset the cost of the Medicaid 
and CHIP screening programs. The fees represent an applicable credit 
under OMB Circular A-87, entitled ``Cost Principles for State, Local, 
and Indian Tribal Governments'' (August 31, 2005 (70 FR 51910)), 
codified at 2 CFR part 225, and made applicable to States by 45 CFR

[[Page 5910]]

92.22(b). The cost principles require that the costs a State claims 
must be reduced by ``applicable credits,'' or ``those receipts or 
reduction of expenditure-type transactions that offset or reduce 
expense items allocable to Federal awards as direct or indirect 
costs'', (Paragraphs C.1.i., C.4.a. and D.1. of Appendix A to 2 CFR 
part 225). If the fees collected by a State agency exceed the cost of 
the screening program, the State agency must return that portion of the 
fees to the Federal government. CMS will direct these fees to support 
program integrity efforts as permitted by the ACA.
3. Analysis of and Responses to Public Comments
    Below is a summary of the comments we received regarding the 
proposed enrollment application fee.
    Comment: Through section 6401 of the ACA, CMS is authorized to 
collect and retain an application fee. Some commenters stated that CMS 
did not explain or justify the purpose behind the enrollment 
application fee, for enrolled providers of service and suppliers, 
beyond stating that the Congress mandated it. The commenters urged CMS 
to explain whether the revalidation/enrollment fee is meant to ensure 
compliance with a provider's or supplier's reporting responsibilities 
or to collect monies for the Federal Government.
    Response: The ACA authorizes the collection of an application fee 
to cover costs of screening, including screening required for providers 
and suppliers that are revalidating their enrollment. The ACA specifies 
that the fees are to be collected from institutional providers and are 
to be used for program integrity efforts, including the costs of 
screening.
    Comment: Several commenters questioned whether CMS has the 
statutory authority to exempt medical clinics and group practices from 
the application fee. They contended that while section 10603 of the ACA 
strikes the provision found in section 6401 of the ACA relating to 
individual provider application fees, section 10603 of the ACA does not 
establish a waiver for organizational suppliers, such as groups or 
clinics. They also stated that CMS furnished only a limited discussion 
of why it decided to give medical groups and clinics an application fee 
waiver. They stated that CMS should explain why it is giving medical 
groups and clinics a significant financial benefit by excluding them 
from the application fee. Another commenter stated that if CMS retains 
its policy to exempt medical groups and clinics from the application 
fee, CMS should estimate the annual loss in revenue to the Federal 
government and explain what this will mean to CMS' efforts to fight 
fraud, waste and abuse. Another commenter stated that if CMS retains 
this provision, it should exclude the reference to physician and non-
physician practitioner organizations in the proposed definition of 
institutional provider.
    Response: Section 6401(a) of the ACA that adds section 1866(j)(2) 
of the Act specifically excluded physicians from paying the application 
fee. Physicians and non-physician practitioners in medical groups and 
clinics reassign their Medicare billing privileges to those medical 
group and clinics. As such they would be exempt from the fees.
    Comment: One commenter asked if a small group practice would be 
considered institutional, and whether every practice location would 
need to submit a separate application fee.
    Response: We will clarify that the application fee is not 
applicable to physicians and non-physician practitioners, regardless if 
the physician or non-physician practitioner is organized in a small 
group practice.
    Comment: A commenter urged CMS to consider exceptions to the 
required application fee, which, the commenter stated, could impose a 
hardship on small home and community based service providers.
    Response: We are committed to ensuring access to care and services 
for beneficiaries and will clarify that a State, in consultation with 
the Secretary, may waive the application fee for Medicaid-only or CHIP-
only providers if the State demonstrates that imposition of such a fee 
will impede beneficiary access to care.
    Comment: A commenter suggested that CMS develop and issue a 
standard enrollment fee ``hardship exception form'' that a provider can 
use when requesting an exception to the fee.
    Response: Whereas a standard form might be useful, there could be 
many situations that justify exception from the fee. We do not want to 
limit the basis for fee exceptions for providers and suppliers to a 
pre-established list of circumstances. Accordingly we have not listed 
options for providers and suppliers to request hardship exceptions from 
application fees. As indicated in the preamble to the proposed rule, 
each request will be considered on its own merit on a case-by-case 
basis.
    Comment: A commenter suggested that to avoid processing delays 
associated with depositing the application fee into a government-owned 
account, CMS should allow newly-enrolling Medicare, Medicaid and CHIP 
providers to submit the application fee in advance of submitting a new 
enrollment application.
    Response: We disagree with the commenter's suggestion. We think 
payments should be clearly associated with the CMS-855 application 
form. We believe that payments submitted before the CMS-855 could have 
a greater likelihood of being disassociated with the appropriate CMS-
855.
    Comment: One commenter stated that since the application fee must 
be credited to the United States Treasury, CMS should explain how long 
it will take before the application fee is paid by a provider or 
supplier and when CMS will receive this money to fight fraud, waste and 
abuse.
    Response: The Treasury Department has existing regulations in place 
governing the time frame in which received funds must be deposited and 
made available in the U.S. Treasury. We will be working with the Office 
of Management and Budget and Department of HHS budget officials to 
assure that the full amount collected from application fees will accrue 
to CMS for HHS's program integrity work as required by section 
1866(j)(2)(C)(iii) of the Act.
    Comment: A commenter requested that CMS explain why an application 
fee is required by a Competitive Acquisition Program (CAP) Part B Drug 
Vendor, since this entity does not bill the Medicare program.
    Response: Only institutional providers, as defined in the proposed 
rule, are subject to the application fee. Providers and suppliers that 
do not bill Medicare on a fee-for-service basis are not subject to the 
application fee.
    Comment: A commenter stated that in exempting medical groups/
clinics from the application fee, CMS does not distinguish between 
clinics owned by physicians/practitioners and non-physicians/non-
practitioners.
    Response: We did not distinguish between medical groups/clinics on 
the basis of ownership. Medical groups and clinics are exempt from the 
fee because as noted previously, they are paid through reassignment of 
payments from physicians and non-physician practitioners. Physicians, 
non-physician practitioners and other individual practitioners are not 
subject to the fee by statute.
    Comment: A commenter stated that FQHCs should be exempted from the 
application fees for two reasons. First, FQHCs, unlike other providers, 
are not permitted to submit one Medicare enrollment application for all 
sites, and that consequently, these low-risk entities would pay the 
majority of the

[[Page 5911]]

application fees. Second, a significant portion of an FQHC's budget 
includes section 330 grant funds. These funds are primarily intended 
for the care of uninsured and indigent patients. The application fees 
would take a significant portion of those funds away from the neediest 
individuals.
    Response: While we understand the commenter's concerns, the statute 
did not exempt FQHCs from the application fee requirement. However, 
FQHCs can request a hardship exception to the fee.
    Comment: A commenter recommended that CMS update the CMS-855A, CMS-
855B, and CMS-855S forms to add information about the application fee, 
including the basis for this fee, the amount of the fee, and where the 
fee should be mailed.
    Response: We agree that providers and suppliers need additional 
information about the process for submitting the application fee, its 
basis and intended use. We plan to have such materials available by the 
effective date of the final regulation. We will make these materials 
available through our Web site, listservs, open door forums, and other 
communication methods. We will also share these documents with 
professional and provider and supplier associations in an effort to 
provide additional information.
    Comment: A commenter noted that section 1866(j)(2)(D)(ii) of the 
Act states that the application fee would not apply to current 
providers or suppliers until two years after enactment. However, the 
commenter argued, CMS was silent on this statutory provision in the 
proposed rule. The commenter recommended that CMS explain why section 
1866(j)(2)(D)(ii) of the Act does not apply to current providers and 
suppliers and why CMS has decided to apply the provisions in section 
1866(j)(2)(D)(iii) of the Act instead.
    Response: Section 1866(j)(2)(D) of the Act contains conflicting 
effective dates for currently enrolled providers and suppliers. In 
1866(j)(2)(D)(iii), providers and suppliers that are revalidating are 
subject to the fee and the other provisions of the proposed rule 180 
days after enactment, or September 19, 2010. In section 
1866(j)(2)(D)(ii) of the Act the new screening provisions including the 
fee are effective for currently enrolled providers and suppliers on 
March 23, 2012. For newly enrolling providers and suppliers the 
provisions are effective on March 25, 2011. We recognize the 
conflicting effective dates for the same group of currently enrolled 
providers and suppliers. As a result, in an effort to promote 
consistency in the application of the rule, we proposed two effective 
dates for the provisions of the rule for currently enrolled providers 
and suppliers. On March 25, 2011, the fees and other requirements of 
the regulation are applicable for currently enrolled providers that are 
revalidating their enrollment in the period between March 25, 2011 and 
March 23, 2012. For all other currently enrolled providers and 
suppliers, the fees and other provisions of the proposed rule are 
effective on March 23, 2012, as specified in the statute. The statute 
authorizes us to begin collecting fees from providers and suppliers 
that are revalidating as early as September 23, 2010.
    Comment: A commenter recommended that--consistent with section 
10603 of the ACA-CMS establish an application fee exemption for 
physicians who are sole proprietorships or sole owners and who provide 
DMEPOS ``incident to'' their medical service.
    Response: Physicians who are enrolled in Medicare as physicians are 
exempt from the fee. DMEPOS suppliers, whether owned by physicians or 
otherwise, are institutional suppliers and as such, are subject to the 
application fee.
    Comment: Several commenters urged an exception from the enrollment 
fee for: (1) Existing providers, or (2) new providers in under-served 
areas. A commenter added, however, that such exceptions should be 
limited to nonprofit and governmental entities with low overall 
margins. The commenter also stated that CMS should allow enrollment fee 
exceptions: (1) For existing providers when it is clearly equitable and 
in the public's interest--since to do otherwise simply transfers 
limited resources needed for patient care to the enrollment process and 
constitutes a tax on an otherwise nontaxable entity--and (2) for any 
new nonprofit or public provider that is proposing to establish 
services in an underserved area. The commenter did not believe that 
for-profit providers should qualify for fee waivers because their 
business model is based on their capacity to generate sufficient 
capital to start a business and operate profitably.
    Response: We recognize that the application fees are a new 
financial obligation on nonprofit and public providers and suppliers; 
however, the statute provides no blanket exception for providers and 
suppliers by financial status. However, the law and rule contain 
provisions that would allow institutional providers and suppliers to 
apply for hardship exception to the fees for circumstances that are 
appropriate to their respective situations. We encourage any provider 
or supplier that cannot pay the fee to notify us and provide us with 
justification for the exception.
    Comment: A commenter stated that the application fee should be 
waived for providers that routinely update their Medicare enrollment 
information more than once in a five-year period (3 years for DMEPOS).
    Response: While we do not discourage providers and suppliers from 
submitting revalidation applications more frequently than the 
regulatory-prescribed timeframes, we do not believe that the fee should 
be waived for providers that do so. As stated in the preamble, the 
application fee is to be used by the Secretary to cover the cost of 
screening. If the provider or supplier submits a revalidation 
application on its own volition, we believe it is appropriate to 
require a fee that would cover the cost of processing that application.
    Comment: A commenter, expressing concern about the time it can take 
for Medicare contractors to process applications, recommended that 
payment of the enrollment fee be tied to a corresponding obligation of 
the Medicare contractor to complete the enrollment process within a 
specified period of time. Specifically, the commenter requested that 
CMS create a hardship category that would permit an enrollment fee to 
be refunded to the provider or supplier if the Medicare contractor 
fails to process the application within a specified period of time (for 
example, 30 days from the date a completed enrollment is received by 
the Medicare contractor). The commenter stated that such a policy would 
create the proper incentive for Medicare contractors to process these 
applications in a timely fashion. Other commenters, too, stated that 
the fee should be refunded if the Medicare contractor does not process 
the application in a timely manner.
    Response: We are concerned about any delay in processing enrollment 
applications. Our enrollment contractors have clear standards in their 
contracts regarding processing enrollment applications. In fact, we are 
currently in the process of strengthening such performance standards 
for all of our contractors. However, the ACA provides that a provider 
may be exempted from the fee only when the imposition of the fee itself 
would result in a hardship. We do not interpret the ACA as linking the 
application fee to contractor performance standards.
    Comment: One commenter stated that it appears that physicians who 
also enroll as DMEPOS suppliers so they can furnish DMEPOS to their own 
patients

[[Page 5912]]

would be expected to pay an enrollment fee. The commenter believes that 
this would be inconsistent with the congressional decision to exempt 
physicians and other health professionals from the enrollment fee. It 
might also cause some physicians and other health professionals to 
decide against enrolling as DMEPOS suppliers, thus they would no longer 
be in a position to provide their patients with Medicare-covered 
DMEPOS. The commenter also stated that CMS should modify its enrollment 
procedures so that physicians who also wish to provide DMEPOS to their 
own patients would only need to enroll once, not twice. This approach 
would simplify the enrollment process for both physicians and CMS.
    Response: Physicians that supply DMEPOS services to patients are 
currently required to enroll as both a physician (for medical services) 
and as a DMEPOS supplier. The screening required of any DMEPOS 
supplier, even one that is incident to a physician's practice, is more 
resource intensive than screening for physicians. Accordingly, we think 
applying the fee to all DMEPOS suppliers is justified. Moreover, we 
think it is a necessary component of our efforts to assure overall 
benefit integrity in Medicare to have all DMEPOS suppliers meet the 
supplier standards for DMEPOS suppliers. Accordingly, we have no plans 
to change the requirements as suggested by the commenter. We note in 
addition that a decision to make any such changes would be outside the 
scope of this rule.
    Comment: A commenter asked why CMS is proposing to exempt a 
physician or non-physician practitioner organizations from the 
application fee when they submit a CMS-855B application, but the same 
physician or non-physician practitioner organization would be required 
to pay an application fee if they enrolled using the CMS-855S.
    Response: The ACA specifically excluded physicians and nonphysician 
practitioners from paying the application fee. Physicians or non-
physician practitioner organizations that elect to apply to enroll in 
Medicare as an institution or other entity, for example, submitting an 
CMS-855S to enroll as a DMEPOS supplier, are applying to enroll as an 
institutional provider not a physician or non-physician practitioner. 
Accordingly, applications to enroll as institutional providers are 
subject to submitting the application fee.
    Comment: Several commenters stated that a $500 application fee for 
DMEPOS suppliers who are orthotists and prosthetists is not reasonable, 
especially on top of the required annual payment for a surety bond, 
accreditation and to maintain licensure. One of these commenters 
opposed the proposed rule because it seems redundant in light of other 
requirements such as accreditation, licensure, non-mandatory OIG 
compliance plans, and HIPAA. The commenter stated that with 
reimbursements being cut, expenses increasing, and the government 
constantly imposing new, unnecessary fees, it is becoming difficult for 
small businesses to survive in this economy. Several other commenters 
stated that the fee should be waived for the smallest providers. For 
community pharmacies, another commenter urged CMS to either: (1) Impose 
a $500 fee upon initial enrollment and in the case of the addition of 
new practice locations without imposing any fees for revalidation, or 
(2) impose a lower fee of $200 if the fee will apply to revalidation, 
as well as initial enrollment and adding new locations.
    Response: The ACA sets the initial fee at $500.00 for all types of 
institutional providers or suppliers and for revalidating providers. 
Because the ACA specifies that the money be used for program integrity 
activities, including screening, we believe it is reasonable and 
appropriate to impose a fee on new practice location applications which 
require us to expend resources to screen for example onsite visits or 
background checks may be required. Also, the ACA specifies the formula 
for updating the fee. Affected providers and suppliers can request an 
exception from the fee if they can demonstrate that it poses a 
hardship.
    Comment: A commenter requested clarification as to whether a 
returned, rejected, or denied application would trigger the need for a 
provider to resend another fee when it resubmits its application. The 
commenter also asked whether a provider going from one state to another 
within Medicare would only be required to submit the fee once.
    Response: The proposed rule itemized circumstances when additional 
fees would be required. The answer to the commenter's question about 
returned, rejected, or denied applications and whether these actions 
would trigger a requirement for a new fee will vary depending upon the 
circumstances. Providers and suppliers that submitted applications that 
were denied because the provider or supplier did not meet the 
requirements to enroll would be subject to an additional fee for any 
new application they submit. Providers and suppliers that submitted an 
application that could not be processed because of a temporary 
moratorium would not be required to submit an additional fee. 
Applications that were accompanied by a request for hardship exception 
waiver to the fee and for which the hardship waiver request was denied 
would be required to submit a fee in order for the application to be 
processed. If, in this latter circumstance, the provider or supplier 
submitted the fee with the application and the hardship exception 
waiver request, and the fee was not returned, the provider or supplier 
would not be required to submit a new fee payment. Providers 
establishing a new practice location in a different enrollment 
jurisdiction or as a new provider type would be required to submit a 
fee for each new practice location or provider type.
    Comment: A commenter stated that CMS should allow application fees 
to be held in escrow when an application is denied.
    Response: We think it is important for the fee to be associated 
clearly and specifically with the application for new enrollment or 
revalidation at the time the application for enrollment or revalidation 
is being processed. In this way we avoid any administrative errors 
involved in associating a fee held in escrow with an instant 
application. There are a number of reasons it might be complicated to 
associate an escrowed fee with an application, particularly if the 
provider or supplier has a different name or identifier, or a large 
amount of time has elapsed between applying for enrollment or 
revalidation.
    Comment: A commenter believes it was inequitable that institutional 
providers in the limited level of screening are still subject to the 
same $500 application fee as providers in the high level of screening. 
The commenter recognized that this is a matter of statute, but stated 
that a more equitable policy would be to link the application fee 
amount to the assigned level of screening, with a zero or minimal fee 
applicable for facilities in the limited screening level and higher 
scaled fees applied to the moderate and high screening levels. The 
commenter also recommended that CMS use the application fee collected 
from ``limited risk'' providers to develop prioritized and expedited 
processes and timeframes for contractor review and approval of initial 
enrollment applications and revalidations for ``limited risk'' 
providers.
    Response: The ACA established a flat rate of $500 for application 
fees to be imposed upon institutional providers and suppliers. In 
addition, the ACA does not include provisions to link the

[[Page 5913]]

fee to assigned screening level. Accordingly, the proposed rule 
implementing the statute did not link the fee to assigned screening 
level.
    Comment: A commenter stated that for DMEPOS suppliers, requiring a 
$500 application fee at the time of submission of an enrollment 
application for each Medicare PTAN is unsupported and improper. A 
simple $500 fee per company, or paying for up to four facility 
locations (but not more) per company, or $500 for the first location 
and $50 for the next 10 makes sense. A flat $500 per location does not 
make sense according to the commenter, since clearly larger companies 
with multiple locations pose lower risk.
    Response: As mentioned previously, the fee amount is included in 
the ACA. In addition, the ACA requires each institutional provider to 
pay the fee. Providers and suppliers will be charged the fee for each 
form CMS-855 they submit for enrollment or revalidation.
    Comment: A commenter stated that CMS should not allow contractors 
to revoke a provider's billing privileges if an application fee or 
hardship waiver does not accompany a revalidation application.
    Response: We disagree. We believe that the failure to submit an 
application fee or hardship waiver with a reenrollment or revalidation 
application should be treated as the equivalent of the non-submission 
of the application, which is grounds for revocation under regulation 
Sec.  424.535(a)(6). However, we understand the concern expressed and 
will instruct our enrollment contractors to contact any enrolling or 
revalidating provider or supplier that does not submit the fee with the 
enrollment application and afford an opportunity to submit the fee. 
Thirty days after the date of the notification, the enrollment 
contractor would reject the application and revoke the billing 
privileges of the enrolled provider or supplier that has not submitted 
the fee. We have modified the regulation provisions in Sec.  424.514(g) 
to include the 30 day period.
    Comment: Several commenters requested clarification that changes of 
information, reactivations, and contractor-solicited, off-cycle 
revalidations do not require an application fee.
    Response: The ACA authorizes fees for new enrollment and 
revalidation of enrollment. Simple changes in the CMS-855, for example, 
new phone numbers, new bank account information, new billing 
address(es), change in name of provider or supplier, or other such 
updates, do not constitute a new enrollment or a revalidation of an 
enrollment and therefore would not be subject to an additional fee.
    Comment: A commenter stated that there is no justification to 
assess new fees to providers to support CMS enforcement activities that 
should be ongoing in any event. Moreover, CMS' proposed actions, the 
commenter contended, ignore the much more practical and effective 
measures to stem fraud and abuse outlined in H.R. 2479, and instead of 
stopping the fraud at the outset (as seems to be the stated objective) 
rely unduly on straightforward delays in delivering payments to all 
providers. This punishes all legitimate providers, and without any 
assurance that delays will solve the fraud problem.
    Response: Section 1866(j)(2)(C) of the Act authorizes the the 
Secretary to collect application fees from institutional providers and 
suppliers. This section also specifies that ``the amounts collected as 
a result of the imposition of a fee under this subparagraph shall be 
used by the Secretary for program integrity efforts, including to cover 
the costs of conducting screening under this paragraph and to carry out 
this subsection and section 1128J of the Act.'' We are implementing the 
provisions of the statute. The application fees collected will be used 
for program integrity efforts as specified in the statute.
    Comment: A commenter stated that imposition of the fee on 
physicians who are enrolled as DMEPOS suppliers is unambiguously beyond 
the scope of CMS's statutory authority, would frustrate congressional 
intent, and is not warranted, since the vast majority of physicians 
would not be subject to additional screening.
    Response: The fees are only paid by institutional providers and 
suppliers. If a physician is enrolled as a physician and also as a 
DMEPOS supplier, the fee is required only for the DMEPOS supplier 
enrollment.
    Comment: A commenter supported CMS's proposal to exempt physicians 
and non-physician practitioners from the application fee. The commenter 
stated that with a potential Medicare provider shortage on the horizon, 
introducing an application fee to these suppliers would only serve to 
drive more providers out of the Medicare system.
    Response: The ACA exempts physicians and non-physician 
practitioners from paying the application fee.
    Comment: A commenter stated that an appropriate course would be to 
process the application and require that if the application is accepted 
but the hardship waiver is denied, the application fee will be deducted 
from future payments. This certainly creates the risk that some 
applications would be considered for which no application fee payment 
was ultimately available, but that outcome is offset by the need to 
avoid draconian requirements with illusory protections.
    Response: The ACA requires institutional providers and suppliers 
that submit an application to enroll in or revalidate their enrollment 
in Medicare to pay the fee. Contractors should not process applications 
for new enrollment or revalidation of enrollment without a fee 
accompanying the application. In the case of an application that is 
accompanied by a request for a hardship waiver that is denied, the 
contractor will notify the provider or supplier that a fee is required 
for further processing. The provider or supplier has the option to 
submit the fee with the application and waiver request as a contingency 
to expedite processing should the hardship waiver be denied and the 
provider or supplier is concerned about delays associated with the time 
required to provide the fee.
    Comment: A commenter expressed concern that there was no exception 
for governmental providers, including those that are funded by Federal 
agencies. To permit Medicare and Medicaid, for instance, to impose 
enrollment fees on Indian and tribal providers merely transfers funds 
from one health system to Medicare and Medicaid.
    Response: Neither the ACA nor the proposed rule provide a blanket 
exemption from the fee for Federal institutional providers. 
Accordingly, we are unable to grant such an exception. However, Federal 
health care providers have the option to seek a hardship exception to 
the fee, and could request such an exception with any applications 
submitted to enroll in Medicare as an institutional provider.
    Comment: A commenter stated that if an application fee or hardship 
waiver request is missing from an application, the contractor should--
consistent with Sec.  424.520--treat this as a request for additional 
information and give the provider 30 days to furnish the missing items.
    Response: We agree. Consistent with Sec.  424.514(g)(3)(ii), 
contractors will be instructed to give providers and suppliers 30 days 
after the provider or supplier receives notification that the request 
for a hardship waiver is denied to submit the enrollment fee.
    Comment: A commenter stated that requiring two enrollment fees for 
a provider enrolling as two different

[[Page 5914]]

Medicare provider types--such as DMEPOS suppliers and mass immunizers--
would be inconsistent with CMS' proposed one-fee policy for dually 
enrolled providers, that is those enrolled in Medicare and Medicaid. 
Similarly, a commenter stated that if physicians functioning as DMEPOS 
suppliers for their patients are subjected to the additional screening 
mechanisms in the ``Moderate'' and ``High'' screening levels, many 
physicians will simply relinquish the services they provide as DMEPOS 
suppliers with minimal to no benefit to CMS's anti-fraud efforts.
    Response: The ACA specifically excludes physicians and nonphysician 
practitioners from paying the application fee. Physicians or non-
physician practitioner organizations that elect to apply to enroll in 
Medicare as something other than a physician or nonphysician 
practitioner, for example, submitting an CMS-855S to enroll as a DMEPOS 
supplier, are applying to enroll as an institutional provider not as a 
physician or nonphysician practitioner. Accordingly, applications to 
enroll as institutional providers are subject to submitting the 
application fee. Individual institutional providers that enroll in 
Medicare and Medicaid will be required to pay only one application fee 
per enrollment. Entities or individuals that enroll only in Medicare or 
only in Medicaid as more than one kind of institutional provider, for 
example, a DMEPOS supplier and a home health agency, will be required 
to submit the fee for each enrollment.
    Comment: A commenter suggested that providers submit one 
application for all commonly-owned entities, with addenda to address 
each specific entity as needed. A single fee for each provider would be 
paid by the parent. The commenter added that if multiple application 
fees are required for providers and suppliers wholly owned by the 
parent entity, a cap of $5,000.00 per year in application fees should 
be instituted.
    Response: The ACA requires each institutional provider to pay the 
fee, in the amount specified in the statute. In general, most providers 
and suppliers must report each practice location on the enrollment Form 
CMS-855; however, the provider or supplier may list multiple practice 
locations on one Form CMS-855. The rules for DMEPOS suppliers, FQHCs 
and IDTFs are different; these entities must enroll each practice site 
separately--with separate for CMS-855. Because of these differences 
among the different categories of providers and suppliers, we believe 
it is most prudent to rely upon the requirement that a provider or 
supplier will simply pay the application fee whenever a Form CMS-855 is 
submitted.
    Comment: A commenter suggests that CMS specifically exempt physical 
therapists in private practice from paying an enrollment fee when 
enrolling as a DMEPOS supplier with NSC. The commenter acknowledges 
that physical therapists in private practice are listed under 
``eligible professionals.''
    Response: As with physicians, physical therapists that enroll as 
individual practitioners will be exempt from the fee. DMEPOS suppliers 
that are owned by a physical therapist are institutional providers and 
as a result are subject to the fee.
    Comment: A commenter stated that CMS should exempt recertification, 
re-enrollment, or other actions not related to a change in ownership 
from the application fee.
    Response: The ACA specifically provides for the fee to be paid for 
revalidating institutional providers, section 1866(j)(2)(C) of the Act.
    Comment: A commenter suggested that a provider or supplier enrolled 
in more than one program (that is, Medicare, Medicaid or CHIP) be 
subject to only one application fee.
    Response: We agree. Dually-participating providers and suppliers 
will only be subject to the application fee at the time of Medicare 
enrollment or revalidation.
    Comment: A commenter requested clarification on whether a fee is 
charged: (1) For each individual provider associated with a facility or 
institution, or (2) per facility. The commenter recommended a sliding 
fee based on the size and number of employees the facility has.
    Response: Under the ACA, a fee is required only from institutional 
providers. Therefore, if the commenter is referring to individual 
physicians or non-physician practitioners who are associated with an 
institutional provider or supplier, the individual physician or non-
physician practitioner would not be required to submit an application 
fee. Only the facility or institutional provider with which they are 
associated would be required to submit the fee. If the commenter was 
referring to affiliated entities that would be considered institutional 
providers, then each of those institutional providers would be required 
to submit the fee as would the institutional provider with which they 
are associated.
    Comment: The same commenter also recommended a sliding scale for 
the fee that would be based on the size of the provider or facility and 
the number of employees.
    Response: The application fee is derived from a statutorily-
mandated formula. Neither CMS nor the States have the discretion to 
change the amount of the fee.
    Comment: A number of commenters requested clarification regarding 
whether a State is required to collect the application fee for 
Medicaid-only or CHIP-only providers, or if the collection of this fee 
is at a State's discretion. One commenter stated that it should 
continue to be at a State's discretion.
    Response: Section 1866(j)(2)(C)(ii) of the Act requires that the 
fee be imposed for institutional providers, and the State will be 
required to collect the fee in the case of Medicaid-only and CHIP-only 
institutional providers. In addition to the providers and suppliers 
subject to the application fee under Medicare, Medicaid-only and CHIP-
only institutional providers would include nursing facilities, 
intermediate care facilities for persons with mental retardation (ICF/
MR), psychiatric residential treatment facilities, and may include 
other institutional provider types designated by a State in accordance 
with their approved State plan. Under section 1866(j)(2)(C)(iii) of the 
Act, we may grant case-by-case exceptions to the application fee, based 
upon a demonstration of hardship, and in those instances, the State 
would not be required to collect the fee from Medicaid-only and CHIP-
only institutional providers. Additionally, section 1866(j)(2)(C)(iii) 
of the Act permits the Secretary to waive the application fee for 
providers enrolled in a State Medicaid program for whom the State 
demonstrates the imposition of the fee would impede beneficiary access 
to care. If a State is concerned that the imposition of the application 
fee may adversely impact beneficiary access to care, we encourage them 
to seek a waiver of the fee in those circumstances.
    Comment: One commenter asked whether a State could choose to lower 
the fee from $500 to a different amount, for example, $250.
    Response: The amount of the application fee is derived from a 
statutorily-mandated formula. States do not have discretion to change 
the amount of the fee that is collected from Medicaid-only or CHIP-only 
institutional providers.
    Comment: One commenter asked that if a State elects not to collect 
the application fee, would the cost of screening be eligible for FFP.
    Response: As stated previously, Section 1866(j)(2)(C)(ii) of the 
Act requires that the fee be imposed for institutional providers, and 
the State will be required to collect the fee in the

[[Page 5915]]

case of Medicaid--only and CHIP--only institutional providers. However, 
to the extent that the costs associated with performing the screening 
exceed the amounts collected as a result of the application fees, these 
costs would be eligible for FFP.
    Comment: One commenter requested that CMS describe the process for 
determining whether the Medicaid and CHIP application fee exceeds the 
cost of provider screening.
    Response: States will be required to account for the costs of the 
provider screening program and measure it against total fees collected. 
If the cost of the program exceeds fees collected, then the State can 
claim FFP for excess cost. Note, that this requires that principles of 
OMB Circular A-87 be properly applied and that total fees collected 
serve as an applicable credit to the Medicaid program.
    Comment: One commenter requested that CMS confirm whether the 
application fee is intended to cover both State and Federal share of 
the costs.
    Response: The application fees collected by the State must be used 
to offset the total cost, both State and Federal share, of the 
screening program. As stated in the proposed rule, if the fees 
collected by a State agency exceed the cost of the State's screening 
program, the State agency must return that portion of the fees to the 
Federal Government.
    Comment: One commenter asked if States would be eligible for 
enhanced Federal match for changes to provider enrollment and claims 
processing systems that implement reporting and screening requirements.
    Response: If the changes are to the MMIS for purposes of Medicaid 
provider enrollment and Medicaid claims processing, then States may be 
eligible for the enhanced match rate (either 90 percent for 
enhancements/new functionality or 75 percent for ongoing maintenance 
and operations). States must contact their CMS Regional Office to 
determine whether an advance planning document (APD) is required.
    Comment: One commenter requested clarification on how the state 
should record expenditures on necessary MMIS changes to implement the 
rule, prior to collecting the application fee.
    Response: All State share costs including those involving the 
enhancement and operation of the MMIS in addition to administrative 
costs related to provider screening and reporting as specified in the 
proposed regulation (Sec.  455.460) are to be included in the screening 
program costs and offset by the application fees collected by the 
State. We understand that the MMIS costs may be matched at higher rates 
(90 percent for development and 75 percent for operation). States will 
be required to report the 10 percent and 25 percent State share of the 
MMIS costs associated with the screening program and offset the 
application fee against such costs. In the event that the application 
fees are greater than the costs for the screening program for any 
reporting period, the State will refund the difference to CMS. Please 
refer to OMB Circular A-87, ``Cost Principles for State, Local, and 
Indian Tribal Governments'' for guidance in the reporting of the 
application fees as an applicable credit.
    Comment: One commenter asked if the application fee is an allowable 
cost report expense for Medicaid and CHIP providers.
    Response: If a Medicaid-only or CHIP-only institutional provider is 
subject to the application fee, this could be considered an allowable 
cost report expense. This determination would be governed by the 
State's approved reimbursement methodology within its State plan.
    Comment: One commenter asked if the amount of the fee could be 
included in determining a government provider's cost based rates.
    Response: Yes, if the application fee is imposed on a government 
institutional provider, then the amount of the fee could be included in 
determining the government provider's cost-based rates.
    Comment: A few commenters asked if a State is permitted to have the 
applicant/provider pay the fees associated with fingerprinting and 
conducting criminal history checks.
    Response: The application fee is intended to cover the costs 
associated with the State's Medicaid or CHIP provider screening 
program. It is permissible for the State to require the provider to pay 
the costs associated with capturing fingerprints. However, we expect 
that the amount of funds collected by imposition of the application fee 
should be used by the State to fund the costs incurred by the State 
associated with processing the fingerprints and conducting the criminal 
background checks.
    Comment: A number of commenters stated that local education 
agencies (that is, public schools) should be exempt from having to pay 
the application fee.
    Response: To the extent that a State determines, consistent with 
the approved State plan, that a local education agency is an 
institutional provider for purposes of this provision, then it would be 
subject to the application fee.
    Comment: A few commenters requested that CMS clarify whether the 
application fee applies to institutional providers only under Medicaid 
and/or CHIP, and what types of Medicaid and CHIP providers are 
considered institutional.
    Response: We will clarify in the regulation that the application 
fee does not apply to physicians or other individual non-physician 
practitioners such as nurse practitioners under Medicaid and/or CHIP. 
Medicaid-only and CHIP-only institutional providers that would be 
subject to the application fee include: Medicaid-only nursing 
facilities, intermediate care facilities for persons with mental 
retardation (ICF/MR), and psychiatric residential treatment facilities. 
Additionally, a State may impose the application fee on other types of 
Medicaid-only or CHIP-only institutional providers, consistent with 
their approved State plan.
    Comment: One commenter asked if pharmacies are considered 
institutional providers for purposes of the application fee.
    Response: In the Medicare program, pharmacies are generally 
enrolled as DMEPOS suppliers, and thus are considered institutional 
providers for the purposes of the application fee. Therefore, 
pharmacies would be subject to the application fee, and it would likely 
be imposed at the time of Medicare enrollment or revalidation.
    Comment: One commenter suggested that the application fee 
requirement should provide an exception for providers that are required 
to pay a pre-existing State-level application or certification fee to 
enroll in the Medicaid program.
    Response: The enrollment screening activities are distinct from 
State-licensing and certification activities that seek to address 
conditions of participation or structures, processes and outcomes to 
support quality of care for the beneficiaries. The application fee is 
intended to support provider screening activities as part of 
enrollment.
    Comment: A number of commenters requested that CMS provide further 
guidance regarding the manner in which States will be expected to 
report the costs associated with screening. One commenter specifically 
requested whether CMS will want screening costs detailed per screening, 
per provider (for example, detailed travel expenses for site visits) or 
if a more generic reporting of screening cost is expected.
    Response: We anticipate that a State will be required to report the 
costs associated with its provider screening program on a semi-annual 
or annual

[[Page 5916]]

basis. Although we do not anticipate requiring States to routinely 
report very detailed information such as detailed travel expenses for a 
site visit, this information should be maintained by the State and be 
made available upon request if necessary for conducting an audit or 
other oversight activities. Additional guidance for States will be 
forthcoming regarding the specific form and manner of reporting.
    Comments: One commenter requested that CMS clarify whether the 
application fee be designed to include current program integrity 
activities, or whether the State will be expected to track the 
increased expenditures of PI activities resulting from this regulation 
separate from historic PI activities.
    Response: The application fee may only be used by the State to 
offset the cost of the provider screening program. It is not 
permissible for a State to design the fee in any manner that would 
include current program integrity activities. If the fees collected by 
a State agency exceed the cost of the screening program, the State 
agency must return that portion of fees to the Federal Government.
    Comment: One commenter recommended that CMS provide a comprehensive 
exception for out-of-State providers providing emergency services to 
managed care members, stating that such an exception would allow for 
timely access to critical services for managed care enrollees.
    Response: After considering the comment, we are not inclined to 
provide a comprehensive exception to the application fee in this 
circumstance. We believe that the overwhelming majority of providers 
that provide emergency services to out-of-State MCO members are dually-
participating providers, and would thus be subject to the application 
fee at the time of Medicare enrollment. Furthermore, there are 
additional Federal laws that exist to safeguard beneficiary well-being 
in emergency situations, such as, the Emergency Medical Treatment and 
Active Labor Act (EMTALA).
    Comment: A few commenters stated that each State should have the 
flexibility to waive the application fee, for particular providers or a 
class of providers, if it determines that this would help assure access 
to services for beneficiaries.
    Response: We agree and will clarify that a State, in consultation 
with the Secretary, may waive the application fee for Medicaid-only or 
CHIP-only providers if the State demonstrates that imposition of such a 
fee will impede beneficiary access to care.
    Comment: One commenter stated that providers who have already paid 
the fee to their own State's Medicaid or CHIP program should also be 
exempt, if the provider is already enrolled in one and applies to the 
other.
    Response: We agree that providers enrolled in more than one 
program, be it Medicare, Medicaid, and CHIP, including Medicaid and 
CHIP in multiple States must only be required to pay the application 
fee once.
    Comment: One commenter urged CMS to expand the exemption provisions 
to allow an exemption for providers in medically underserved areas as 
well as those whose patient population are overwhelmingly Medicaid 
beneficiaries.
    Response: We are committed to assuring access to care and services 
for program beneficiaries and will clarify that a State, in 
consultation with the Secretary, may waive the application fee for 
Medicaid-only or CHIP-only providers if the State demonstrates that 
imposition of such a fee will impede beneficiary access to care.
    Comment: A few commenters expressed concern that requiring 
providers to pay a non-refundable application fee to participate in the 
Medicaid program will decrease the likelihood that providers will 
choose to participate.
    Response: We are committed to assuring access to care and services 
for program beneficiaries and will clarify that a State, in 
consultation with the Secretary, may waive the application fee for 
Medicaid-only or CHIP-only providers if the State demonstrates that 
imposition of such a fee will impede beneficiary access to care.
    Comment: A number of commenters requested clarification as to the 
process that a Medicaid agency would use to determine if a provider has 
paid an application fee to Medicare or another State. One commenter 
specifically requested clarification on whether the Medicare 
revalidation fee is applicable to payments made in one calendar year 
only when considered for Medicaid program(s). Will waiver programs 
honor fees made to Medicare? How will Medicaid honor a Medicare fee 
when the revalidation is a different time period?
    Response: The basic concept of the screening and enrollment 
provisions included in this regulation is that Medicaid will accept 
Medicare screening for providers that receive payments from both 
Medicare and Medicaid. For dually-participating providers, the 
application fee is imposed at the time of Medicare enrollment and no 
additional screening fee is imposed by the State regardless of the time 
period or revalidation cycle. For institutional providers that 
participate only in Medicaid, the State Agency is responsible for 
assuring that the provisions of the regulation are met. Institutional 
providers will be required to submit the application fee to only one 
program. We believe these operational logistics are more appropriately 
addressed in subregulatory guidance. We will be issuing subregulatory 
guidance to assist States with the operational aspect of implementing 
this provision in the near future.
    Comment: One commenter supported the proposal that for dually 
participating providers, the application fee would be imposed at the 
time of Medicare enrollment.
    Response: We agree and are finalizing this provision accordingly.
    Comment: One commenter encouraged CMS to consider establishing a 
lower price point or expedited review for providers in the lower risk 
group.
    Response: The amount of the application fee is derived from a 
statutorily-mandated formula. Neither CMS nor the States have 
discretion to change the amount of the fee that is collected from 
Medicaid-only or CHIP-only institutional providers.
    Comment: One commenter requested clarification that ongoing 
resubmissions do not trigger the application fee and that the fee will 
merely be levied through the actual recertification process.
    Response: The ACA authorizes fees for new enrollment and 
revalidation of enrollment. Simple changes to the provider enrollment 
information, that is, new phone numbers, new bank account information, 
new billing address, change in name of provider or other such updates 
are not subject to the fee. They will apply to newly-enrolling 
providers, revalidating providers and creation of new practice 
locations.
    Comment: A commenter noted that the application fee and other 
provisions are effective on March 23, 2011. The commenter stated, 
however, that CMS must first complete the notice and comment rulemaking 
process. The commenter recommended that CMS implement the application 
fee only after a final regulation has been issued and the public has 
been given at least 60 days notice.
    Response: We agree with the commenter and we are finalizing the 
regulation in regard to the application fee. It will be displayed for 
60 days prior to the effective date on March 25, 2011.
    Comment: A commenter stated that some of the provider types listed 
under

[[Page 5917]]

the definition of ``institutional provider'' do not bill Medicare on a 
fee-for-service basis. For example, RHCs and FQHCs bill Medicare on a 
cost-based, all-inclusive rate basis. The commenter believes this 
distinction is significant because on past occasions when the Congress 
authorized certain incentive payments and linked those payments to the 
``fee-for-service'' payment, RHCs and FQHCs were excluded from those 
incentive payment programs. The commenter believes it was unfair to 
deny certain providers from participating in programs because they are 
not ``fee-for-service,'' but then mandate their inclusion in other 
initiatives reserved for ``fee-for-service'' providers. Moreover, the 
commenter stated that RHCs and FQHCs are by definition located in areas 
designated as underserved or serving populations with a demonstrated 
problem accessing the healthcare delivery system. Imposing an 
application fee on these providers will only serve as a further barrier 
to access to care. The commenter believes that the term ``institutional 
providers'' should exclude new entities seeking designation as RHCs and 
FQHCs and include only those providers that bill Medicare on a fee-for-
service basis. Another commenter believes that the term ``institutional 
provider'' refers to providers whose beneficiaries are 
institutionalized; the proposed rule's envisioned use of the term is 
therefore inappropriate. The commenter suggested using the term ``non-
institutional provider.''
    Response: In the NPRM, we proposed a definition of institutional 
provider that does not distinguish among providers or suppliers based 
on which version of the form 855 they submit, or whether they submit 
the form electronically. We are finalizing this definition. The 
distinction on payment methods the commenter suggests is not related to 
the definition of institutional provider used in this rule. Physician 
and practitioner organizations are exempt from the application fee by 
statute; the exemption is not affected by how they are reimbursed. In 
addition, the inpatient status of patients has no bearing on whether a 
provider or supplier is considered an institutional provider in this 
rule. For example, hospitals are institutional providers as are home 
health agencies and DMEPOS suppliers.
    If certain institutional providers and suppliers such as FQHCs and 
RHCs may face financial obstacles to paying the application fee, they 
can seek a waiver of the fee based upon a request for a hardship 
exception for Medicare or a request for a hardship waiver for Medicaid. 
Newly enrolling institutional providers and suppliers that are seeking 
such a waiver must submit a request for the hardship exception at the 
time of filing a Medicare enrollment application on or after March 25, 
2011.
    Comment: A commenter stated that the proposed rule indicates that 
the fee will be applied only to those providers that bill ``Medicare, 
Medicaid, or CHIP on a fee-for-service basis.'' The commenter stated 
that most Indian and tribal providers are reimbursed either on the 
encounter rates established annually by CMS and IHS for Indian health 
programs or on FQHC encounter rates. The commenter requested 
clarification as to whether Indian and tribal providers will therefore 
be exempt from the application fee. The commenter added that the 
proposed rate of increase in the fee has often exceeded the increase in 
funding for Indian and tribal programs. Finally, the commenter stated 
that CMS failed to seek an exchange of views, information, or advice 
from the Tribal Technical Advisory Group (TTAG) or to consult directly 
with Tribes or confer with urban Indian organizations. Unless Indian 
and tribal health programs are exempt from these rules, the commenter 
believes that the effective date should be delayed, discussions with 
the TTAG and consultation with Tribes held, after which the proposed 
rules with any changes that result from the advice and consultation be 
published with a new comment period.
    Response: We are statutorily unable to exempt IHS, Tribal, and 
Urban (I/T/U) Indian health programs from these rules or to delay the 
effective date. Moreover, we do understand Tribal concerns about not 
having the opportunity to provide advice on this regulation. All I/T/
U's are eligible to apply for the hardship exception to the application 
fee and CMS is committed to working with Tribes, the TTAG and I/T/Us in 
implementing requests for hardship exceptions.
4. Final Application Fee Provisions--Medicare, Medicaid, and CHIP
    This final rule with comment period finalizes the provision of the 
proposed rule in regards to the application fees with the following 
exceptions:
    In Sec.  424.514, we modified our proposal as follows:
     Added language to clarify that a provider or supplier may 
submit both an application fee and hardship exception waiver to avoid 
delays in the processing of the application if the hardship exception 
is not approved at Sec.  424.514(a) and (b).
     Added language at Sec.  424.514(d)(2) clarifying that the 
application fee is non-refundable except in the circumstance where the 
provider or supplier opts to submit both an application fee and a 
hardship waiver request and the waiver request is subsequently 
approved.
     Added language to clarify that if a provider submits a 
hardship exception request without an application fee, and CMS does not 
approve the hardship exception request, CMS will notify the provider or 
supplier and allow the provider or supplier thirty (30) days from the 
date of notification to submit the application fee at Sec.  424.514(h).
     Added language that specifies that States must collect the 
applicable application fee from Medicaid-only and CHIP-only providers 
and suppliers at Sec.  455.460.

C. Temporary Moratoria on Enrollment of Medicare Providers and 
Suppliers, Medicaid and CHIP Providers

1. Statutory Changes
    Section 6401(a) of the ACA amended section 1866(j) of the Act by 
adding a new section 1866(j)(7) of the Act, which provides that the 
Secretary may impose temporary moratoria on the enrollment of new 
Medicare, Medicaid, or CHIP providers and suppliers, including 
categories of providers and suppliers, if the Secretary determines such 
moratoria are necessary to prevent or combat fraud, waste, or abuse 
under the programs.
    Section 6401(b)(1) of the Act adds specific moratorium language 
applicable to Medicaid at section 1902(kk)(4) of the Act, requiring 
States to comply with any temporary moratorium imposed by the Secretary 
unless the State determines that the imposition of such moratorium 
would adversely affect Medicaid beneficiaries' access to care. Section 
1902(kk)(4)(B) of the Act further permits States to impose temporary 
enrollment moratoria, numerical caps, or other limits, for providers 
identified by the Secretary as being at high risk for fraud, waste, or 
abuse, if the State determines that the imposition of such moratorium, 
cap, or other limits would not adversely impact Medicaid beneficiaries' 
access to care.
    Section 1866(j)(7) of the Act uses the term ``providers of services 
and suppliers.'' Although, as noted previously, the Medicaid program 
does not use the term ``suppliers,'' section 1902(kk)(4) of the Act 
refers to ``providers and suppliers.'' In this regulation, for 
uniformity with sections II A. and B. of this final rule with comment 
period, we are using the term

[[Page 5918]]

``providers and suppliers'' in lieu of the term ``provider of services 
and suppliers.'' We are using the term ``provider'' or ``Medicaid 
provider'' or ``CHIP provider'' in lieu of the term ``provider or 
supplier'' when referring to all Medicaid or CHIP health care 
providers, including, but not limited to, providers and suppliers of 
Medicaid items or services, individual practitioners, and institutional 
providers.
2. Proposed Temporary Moratoria Provisions
a. Medicare
    We proposed at Sec.  424.570(a) that we may impose a temporary 
moratorium on the enrollment of new Medicare providers and suppliers in 
6 month increments in situations where-- (1) CMS, based on its review 
of existing data, without limitation, identifies a trend that appears 
to be associated with a high risk of fraud, waste or abuse, such as 
highly disproportionate number of providers or suppliers in a category 
relative to the number of beneficiaries or a rapid increase in 
enrollment applications within a category suggests that there is a 
significant potential for fraud, waste or abuse with respect to a 
particular provider or supplier type or particular geographic area or 
both; (2) a State has imposed a moratorium on enrollment in a 
particular geographic area or on a particular provider of supplier type 
or both; or (3) CMS, in consultation with the HHS OIG or the Department 
of Justice (DOJ) or both and with the approval of the CMS Administrator 
identifies either or both of the following as having a significant 
potential for fraud, waste or abuse in the Medicare program:
     A particular provider or supplier type.
     Any particular geographic area.
    As part of the CMS decision making process, we will consider any 
recommendation from the DOJ, HHS OIG, or the GAO to impose a temporary 
moratorium for a specific provider or supplier type in a specific 
geographic area.
    We believe that imposing moratoria will, among other things, allow 
us to review and consider additional programmatic initiatives, 
including the development of additional regulatory and sub regulatory 
provisions to ensure that Medicare providers and suppliers are meeting 
program requirements, beneficiaries receive quality care, and that an 
adequate number of providers of suppliers exists to furnish services to 
Medicare beneficiaries.
    We also proposed that enrollment moratoria be limited to: (1) Newly 
enrolling providers and suppliers (that is, initial enrollment 
applications); and (2) the establishment of new practice locations, not 
to a change of practice locations. The temporary moratoria will not 
apply to existing providers or suppliers of services unless they were 
attempting to expand operations to new practice locations where a 
temporary moratorium was imposed. Moreover, the temporary moratoria 
would not apply in situations involving changes in ownership of 
existing providers or suppliers, mergers, or consolidations.
    We also proposed at Sec.  424.570(b) that a temporary enrollment 
moratorium would be imposed for a period of 6 months, and such 
moratorium could be extended by CMS in 6 month increments if we 
continue to believe that a moratorium is needed to prevent or combat 
fraud, waste, or abuse. The Secretary will re-evaluate whether a 
moratorium should continue prior to each 6 month expiration date.
    We also proposed at Sec.  424.570(c) that we will deny enrollment 
applications received from providers or suppliers covered by an 
existing moratorium. We noted that denial of Medicare billing 
privileges is subject to the administrative review process established 
in Sec.  405.874. Accordingly, we believe that a provider or supplier 
also is afforded the right to appeal a Medicare contractor 
determination to deny enrollment into the Medicare program.
    In Sec.  424.530(a)(10), we proposed adding a new reason why we can 
deny Medicare billing privileges. Specifically, we proposed a new Sec.  
424.530(a)(10) to state, ``A provider or supplier submits an enrollment 
application for a practice location in a geographic area where CMS has 
imposed a temporary moratorium.'' Further, in Sec.  498.5(l)(4), we 
proposed that the scope of review for appeals of denials under Sec.  
424.530(a)(10) based upon a provider or supplier being subject to a 
temporary moratorium will be limited to whether the temporary moratoria 
applies to that particular provider or supplier.
    We noted that section 1866(j)(7) of the Act provides that there 
shall be no judicial review of a temporary moratorium. Accordingly, we 
proposed that a provider or supplier may administratively appeal an 
adverse determination based on the imposition of a temporary moratorium 
up to and including the Department Appeal Board (DAB) level of review.
    Finally, we proposed at Sec.  424.570(d) that we may lift a 
moratorium in the following circumstances: (1) In the case of a 
Presidentially declared disaster under the Robert T. Stafford Disaster 
Relief and Emergency Assistance Act, 42 U.S.C. 5121 through 5206 
(Stafford Act); (2) circumstances warranting the imposition of a 
moratorium have abated or CMS has implemented program safeguards to 
address any program vulnerability that was the basis for the 
moratorium; or (3) in the judgment of the Secretary, the moratorium is 
no longer needed.
    We also recognized that in a limited number of circumstances a 
State Medicaid agency may enroll a provider or supplier into Medicaid 
during the temporary moratorium period established by Medicare. If this 
occurs and the prospective Medicare provider or supplier applies to 
enroll in the Medicare program after the temporary moratorium is 
lifted, we would use the screening tools described in section II.A. of 
this final rule with comment period.
    We also solicited public comment on specific exemptions to the 
temporary moratoria criteria proposed previously. Prior to imposing a 
moratorium, we would assess Medicare beneficiary access to the type(s) 
of services that are furnished by the provider or supplier type and/or 
within the geographic area to which the moratorium would apply.
    We would announce the implementation of a moratorium at any time 
when it is being imposed. The announcement would be made in the Federal 
Register and we would also address it in other methods or forums, such 
as Press Releases, at CMS Provider Open Door Forums, in CMS provider 
listservs, and on the CMS Provider/Supplier Enrollment web page (http://www.cms.gov/MedicareProviderSupEnroll). We would also require our 
Medicare contractors to post the moratorium announcement or note the 
expiration of a moratorium on their Web sites. Our Federal Register 
announcement would explain in detail the rationale for the moratorium 
and the rationale for the geographic area(s) in which it would apply.
b. Medicaid and CHIP
    Pursuant to section 1902(kk)(4)(A) of the Act, we proposed at Sec.  
455.470(a)(2) and (3) that a State Medicaid agency will comply with a 
temporary moratorium imposed by the Secretary unless it determines that 
the imposition of such a moratorium would adversely affect 
beneficiaries' access to medical assistance.
    Where the Secretary has imposed a temporary moratorium in 
accordance with Sec.  424.570, and the State has determined that 
compliance with such a moratorium would adversely impact Medicaid 
beneficiaries', or CHIP participants', as the case may be, access

[[Page 5919]]

to medical assistance, section 1902(kk)(4)(A)(ii) of the Act creates an 
exception for the State from complying with the moratorium. We proposed 
that the State provide the Secretary with written details of the 
moratorium's adverse impact on Medicaid beneficiaries. Prior to the 
Secretary imposing such a moratorium in any State, we proposed at Sec.  
455.470(a)(1) that the Secretary consult with the State, so that the 
State may have an opportunity to seek an exception from the moratorium.
    Pursuant to section 1902(kk)(4)(B) of the Act, States have 
authority to impose moratoria, numerical caps, or other limits for 
providers that are identified by the Secretary as being at ``high'' 
risk for fraud, waste, or abuse. We proposed, at Sec.  455.470(b) that 
where the State identifies a category of providers as posing a 
significant risk of fraud, waste, or abuse, the State must seek our 
concurrence with that determination and provide us with written details 
of the proposed moratorium, including the anticipated duration, and 
with a substantial justification explaining why disallowing newly 
enrolling providers would reduce the risk of fraud. We proposed at 
Sec.  455.470(c) that States' moratoria would be imposed for a period 
of 6 months and may be extended in 6 month increments.
    Section 2107(e)(1) of the Act provides that all provisions that 
apply to Medicaid under sections 1902(a)(77) and 1902(kk) of the Act 
apply to CHIP. Accordingly, we proposed in new regulation Sec.  457.990 
that all the provider screening, provider application, and moratorium 
regulations that apply to Medicaid providers also apply in providers 
that participate in CHIP.
3. Analysis of and Responses to Public Comment
    Below is a summary of the comments we received regarding the 
temporary enrollment moratoria.
    Comment: A commenter expressed support for our proposal to 
establish a moratorium on new providers or new practice locations only 
when it is believes through the agency's review that a risk of fraud 
and abuse is detected. The commenter, however, requested CMS to: (1) To 
review the proposed 6-month timeframe for the moratoria, (2) add more 
flexibility to the standard if it is determined that 6 months is too 
long, and (3) give the provider community an opportunity to comment 
prior to its effective date. Another commenter stated that a moratorium 
is a drastic remedy that should only be used when CMS can clearly 
articulate the basis for imposing such an extreme measure. CMS must, in 
such cases, publish: (1) The data it used to determine a moratorium was 
necessary, (2) the steps it will take to resolve the issues that gave 
rise to the need for the moratorium, and (3) when it expects to lift 
the suspension in new enrollments.
    Response: We believe that the rule as proposed directly addressed 
the timeframe, standards, and process for imposing, explaining the 
rationale for, and lifting an enrollment moratorium; because we 
received multiple related comments, this response should be read in 
conjunction with the discussion of those comments. The ACA gives the 
Secretary broad authority to impose a temporary moratorium on the 
enrollment of new providers and suppliers if the Secretary determines 
that a moratorium is necessary to prevent fraud, waste or abuse in 
Medicare, Medicaid or CHIP. After considerable discussion within CMS 
and HHS, the proposed rule was published proposing that an initial 
temporary enrollment moratorium would be imposed for a period of 6 
months, with possible extensions in 6-month increments should the 
Secretary determine that the moratorium was still needed. The 6-month 
duration was proposed in the NPRM because it was sufficiently long to 
enable an assessment of its impact on the circumstances that the 
moratorium was designed to address. The proposed rule also included 
criteria for when the Secretary would consider imposition of a 
temporary enrollment moratorium, and the circumstances under which such 
a temporary enrollment moratorium would be lifted. The proposed rule 
also indicated that we would announce the implementation of a 
moratorium at any time, that the announcement would be made in the 
Federal Register, and that the announcement would explain in detail the 
rationale for the moratorium and the rationale for the geographic 
area(s) in which it would apply.
    Comment: A commenter stated that advance public notice in the 
Federal Register of a moratorium should be given. The commenter 
recognized that this may lead to a rush to apply prior to the effective 
date, but stated that this could be fixed by limiting the length of 
time for the advance notice to 30-60 days.
    Response: A temporary moratorium on enrollment is an action that 
will only be used if necessary to fight fraud, waste or abuse in 
Medicare, Medicaid, or CHIP. Moratoria will be imposed only if based on 
detailed information indicating a problem that can be addressed through 
a temporary enrollment moratorium. Although not required by the ACA to 
do so, we will announce the imposition of a moratorium in the Federal 
Register. The announcement would explain in detail the rationale for 
the moratorium and the rationale for the geographic area(s) in which it 
would apply. We will not be providing advance notice of any planned 
moratorium as such a notice would likely cause a rush of enrollments of 
the type posing the problem that would be addressed by the moratorium.
    Comment: Several commenters stated that applying a moratorium to 
providers whose enrollment applications are pending would be unfair and 
could--in light of the efforts and cost the provider incurred in 
attempting to enroll--prove financially harmful. They requested that 
CMS limit moratoria to new applications, not those already submitted. 
Another commenter requested that the moratorium not apply to 
applications submitted prior to public notice of the moratorium being 
given in the Federal Register. Another commenter recommended that CMS 
explain: (1) What will happen to an application submitted by a new 
provider when CMS imposes a temporary moratorium, and (2) whether 
pending applications will be processed when a temporary moratorium is 
imposed or whether the application will be automatically denied using 
Sec.  424.530(a)(10).
    Response: In the NPRM, we indicated both in the preamble and the 
proposed regulations that an application to enroll in Medicare from a 
provider or supplier that is subject to a temporary enrollment 
moratorium would be denied. With regard to pending applications, we 
interpret the ACA as applying to pending applications. If a temporary 
enrollment moratorium is deemed necessary for any provider or supplier 
type, or for any geographic area, then all enrollment applications from 
unenrolled providers and suppliers of the type subject to the temporary 
enrollment moratorium or in the geographic area subject to the 
moratorium would be denied. However, we will not deny any enrollment 
for which the Medicare enrollment contractor has completed review of 
the application and has determined that the provider or supplier meets 
all the requirements for enrollment and all that remains is to assign 
appropriate billing number(s) and enter the provider or supplier into 
PECOS.
    Comment: A commenter stated that in CMS's manual instructions, it 
describes

[[Page 5920]]

a provider enrollment fraud detection program for high-risk areas, but 
that this process is not discussed in the proposed rule. The commenter 
requested that CMS explain the nexus, if any, between this fraud 
detection program and the policy described in the temporary moratorium 
provisions contained in this proposed rule. The commenter also 
requested that CMS explain whether it will use data submitted or 
obtained from its contractors in determining whether to impose a 
temporary moratorium.
    Response: We plan to revise our manuals to be consistent with the 
provisions of the final rule with comment period. We plan to use data 
from many sources in making a decision about imposing a temporary 
moratorium--including data from our contractors.
    Comment: One commenter recommended that CMS: (1) Explain why it is 
not using section 1866(j)(3) of the Act, related to a provisional 
period of enhanced oversight for new providers and suppliers, in the 
process of establishing a temporary moratorium, and (2) publish a 
Federal Register Notice explaining its reasons and rationale for 
establishing a temporary moratorium for a provider or supplier.
    Response: Section 1866(j)(3) of the Act is not a part of this final 
rule with comment period. Moreover, its provisions can be implemented 
by subregulatory instructions. We plan to implement the provisions in 
that fashion and in concert with the provisions of this rule and other 
CMS regulations governing program integrity. As stated in a response to 
a previous comment, we will publish a notice of imposition of a 
temporary enrollment moratorium in the Federal Register.
    Comment: One commenter expressed concern that the language 
associated with the temporary moratoria provision: (1) Is vague, (2) 
does not provide sufficient information on the specific triggers that 
would cause CMS to suspect that a provider or group of providers is 
committing fraud, and (3) does not identify the situations in which the 
moratoria would be applied. The commenter feared that certain providers 
or suppliers could be prevented from providing services in a particular 
area without sufficient grounds and that patient access to care could 
be hindered in the process. The commenter recommended that CMS 
specifically define the parameters and triggers that CMS intends to use 
in imposing or enforcing a moratorium on the enrollment of new Medicare 
providers or suppliers. Another commenter expressed concern with the 
general nature of the proposed temporary moratoria provisions because 
it could lead to an abuse of discretion or arbitrary and capricious 
decision-making with little recourse beyond the internal review 
process. The commenter was also concerned with the proposed length of 
the moratorium, stating that a 6 month period: (1) Cannot be reasonably 
inferred from the Congress having authorized ``temporary'' moratoria, 
(2) cannot be considered ``temporary,'' (3) would have significant 
consequences for new physicians interested in enrolling in the Medicare 
program, and (4) should not be extended because there is no 
congressional authority to do so.
    Response: As stated previously, the Affordable Care Act gives the 
Secretary broad authority to impose a temporary moratorium. After 
considerable discussion within CMS and HHS, the proposed rule was 
published proposing that an initial temporary enrollment moratorium 
would be imposed for a period of 6 months, with possible extensions in 
six month increments should the Secretary determine that the moratorium 
was still needed. The 6 month duration was proposed in the NPRM because 
it was sufficiently long to enable an assessment of its impact on the 
circumstances that the moratorium was designed to address, and would 
afford us the opportunity to determine whether the circumstances 
warranting the imposition of a temporary enrollment moratorium have 
abated or we have implemented program safeguards to address program 
vulnerabilities. With regard to the temporary nature of a moratorium, 
we would note that the NPRM explicitly indicated that an initial 
moratorium would be for a 6 month period, not an indefinite period. 
Regarding the impact a temporary enrollment moratorium would have on 
beneficiary access to care, we stated in the NPRM that we will assess 
Medicare and Medicaid beneficiaries' and CHIP participants access' to 
the types of services that are furnished by the provider or supplier 
type and/or within the geographic area to which the moratorium would 
apply. We take seriously our responsibility to assure that all Medicare 
beneficiaries have access to the services and supplies they need. With 
regard to extending moratoria, we would note that, as stated 
previously, the Secretary has broad authority to impose a moratorium. 
The statute confers on the Secretary the responsibility and authority 
to make the judgment about the need for moratoria--whether initial or 
an extension--if the circumstances requiring the moratorium are still 
present.
    Comment: A commenter stated that CMS failed to outline the criteria 
it will use to make the determination that a moratorium is to be 
extended.
    Response: We would not impose a temporary enrollment moratorium 
without an adequate rationale. Should it be necessary to impose a 
temporary enrollment moratorium on any provider or supplier type, we 
will discuss the issues associated with the decision to impose a 
temporary enrollment moratorium in a public notice in the Federal 
Register.
    In the NPRM, we listed some examples of circumstances that could 
lead to the imposition of a temporary enrollment moratorium in 
situations where: (1) CMS, based on its review of existing data, 
identifies a trend that appears to be associated with a high risk of 
fraud, waste or abuse, such as highly disproportionate number of 
providers or suppliers in a category relative to the number of 
beneficiaries or a rapid increase in enrollment applications within a 
category determines that there is a significant potential for fraud, 
waste or abuse with respect to a particular provider or supplier type 
or particular geographic area or both, (2) a State has imposed a 
temporary enrollment moratorium, or (3) CMS in consultation with the 
Department of HHS Office of Inspector General or the Department of 
Justice or both identifies either or both a particular provider or 
supplier type or a particular geographic area as having significant 
potential for fraud, waste, or abuse. We also included in the NPRM the 
reasons a temporary enrollment moratorium could be lifted. The decision 
to extend a moratorium would be based on the proposals in the NPRM and 
would take into account the extent to which the conditions 
necessitating the moratorium were still present.
    Comment: A commenter requested clarification regarding the term 
``geographic area'' as it is used in proposed Sec.  424.530(a)(10).
    Response: The geographic area referred to in Sec.  424.530(a)(10) 
is the region that is under a temporary enrollment moratorium. For 
example, this may constitute a county, a number of counties, state, a 
number of states, regions, or MSAs.
    Comment: A commenter expressed support for CMS's proposal to impose 
a temporary moratorium on the enrollment of new providers or provider 
types in a geographic location to prevent fraud and abuse. However, the 
commenter urged CMS to ensure that such moratoria do not prevent health 
care providers in the geographic

[[Page 5921]]

location from enrolling as an ordering/referring provider, as a 
moratorium may impair these practitioners from providing Medicare 
beneficiaries with needed care.
    Response: We take seriously our responsibility to assure that all 
Medicare beneficiaries have access to the services and supplies they 
need. As a part of this assurance, we would consider the implications 
of a temporary enrollment moratorium for physicians and other eligible 
professionals who order and refer services for Medicare. However, 
enrollment moratoria imposed on provider types will not distinguish 
between the enrollment purpose, that is, enrollment for the right to 
bill Medicare versus enrollment solely to order and refer, unless 
otherwise specified in the Federal Register. As stated previously, the 
notice in the Federal Register will both discuss the issues associated 
such the decision, and identify the provider types subject to the 
temporary enrollment moratoria. We believe the rationale that supports 
a decision to put a temporary enrollment moratorium in place for those 
who bill Medicare should extend to those same types of providers who 
seek to enroll to order and refer. In addition, the enrollment process 
solely to order and refer was established by us for those provider 
types that do not typically enroll in Medicare, such as dentists, other 
government agency employees (such as the Department of Veterans 
Affairs), and pediatricians. Therefore, it will be highly unlikely that 
those who were seeking to enroll in order to bill Medicare will 
similarly seek to enroll solely to order and refer. Regarding the 
impact a temporary enrollment moratorium may have on beneficiary access 
to needed care, we stated in the NPRM that we will assess Medicare 
beneficiary access to the types of services that are furnished by the 
provider or supplier type and/or within the geographic area to which 
the moratorium would apply.
    Comment: A commenter supported CMS's statement in the preamble to 
the proposed rule that a moratorium shall not apply to a change of 
practice location or to changes of ownership of existing providers or 
suppliers.
    Response: We agree and plan to finalize these provisions.
    Comment: A commenter recommended that CMS establish a temporary 
moratorium on the enrollment of slide preparation Facilities, since 
these organizations are not authorized by the Congress to enroll in or 
bill the Medicare program.
    Response: It would be premature to identify in this rule any 
provider or supplier type that might be subject to imposition of a 
temporary enrollment moratorium. Should it be necessary to impose a 
temporary enrollment moratorium on any provider or supplier type, we 
will explain the reasons for the temporary enrollment moratorium in a 
public notice in the Federal Register.
    Comment: A commenter recommended that CMS develop and implement a 
regulatory-defined process to utilize when determining whether or not 
to mandate a moratorium. The process should effectively prevent any 
negative impact in quality of and access to care for Medicare 
beneficiaries or Medicaid program enrollees.
    Response: We would consider a number of factors in deciding whether 
to impose a temporary enrollment moratorium. These are spelled out in 
the proposed rule and include: situations where: (1) CMS, based on its 
review of existing data, identifies a trend that appears to be 
associated with a high risk of fraud, waste or abuse, such as highly 
disproportionate number of providers or suppliers in a category 
relative to the number of beneficiaries or a rapid increase in 
enrollment applications within a category determines that there is a 
significant potential for fraud, waste or abuse with respect to a 
particular provider or supplier type or particular geographic area or 
both, (2) a State has imposed a temporary enrollment moratorium, or (3) 
CMS in consultation with the Department of HHS Office of Inspector 
General or the Department of Justice or both identifies either or both 
a particular provider or supplier type or a particular geographic area 
as having significant potential for fraud, waste, or abuse.
    As mentioned elsewhere, we indicated in the NPRM that prior to 
imposing a temporary enrollment moratorium we would assess Medicare 
beneficiary access to the type(s) of services that are furnished by the 
provider or supplier type and/or within the geographic area to which 
the moratorium would apply. We also indicated that if a State has 
determined that compliance with a Medicare imposed moratorium would 
adversely impact Medicaid beneficiaries' or CHIP participants' access 
to care, the State would not be required to comply with the moratorium. 
We and the States take the assurance of adequate access seriously.
    Comment: A commenter requested clarification as to the mechanism--
for instance, via the Federal Register--by which it will announce the 
lifting of a temporary moratorium.
    Response: We will announce the imposition of any temporary 
enrollment moratorium via a notice published in the Federal Register. 
We would also provide notice on our Web sites, listservs, and through 
open door forums. Similarly, we would provide notice of the lifting of 
a moratorium in the Federal Register. We would also provide notice on 
our Web sites, listservs, and through open door forums.
    Comment: A commenter mentioned that while the preamble of the 
proposed rule states that CMS will announce a moratorium in the Federal 
Register, the regulation text does not include a reference to Federal 
Register. The commenter recommended that the regulation text match the 
preamble language.
    Response: We agree. We will ensure that the regulation text matches 
the preamble and other portions of this document.
    Comments: A commenter urged CMS to immediately impose the proposed 
6 month moratorium on the new certification of HHAs and hospices in its 
final rule with comment period, stating that there is a clear 
relationship between rapid development of new home health and hospice 
providers and the growth in fraud, abuse and waste. The commenter added 
that this will allow some time for other initiatives and proposals in 
the proposed rule to reduce fraud and abuse before hundreds of more 
providers enter the already saturated home health and hospice programs. 
For home health, the commenter stated that the moratorium should be 
maintained until new home health conditions of participation (CoPs) are 
implemented by CMS and other protections against referral abuse can be 
implemented by the OIG. For hospices, the commenter recommended that 
the moratorium be maintained until standardized hospice quality 
measures and payment system reforms are implemented by CMS.
    Response: It would be premature to identify any provider or 
supplier type that might be subject to imposition of a temporary 
enrollment moratorium, or the circumstances necessitating such an 
action. Should it be necessary to impose a temporary enrollment 
moratorium on any provider or supplier type, we will explain the 
reasons for the temporary enrollment moratorium in a public notice in 
the Federal Register. We specified in the NPRM examples of why a 
moratorium would be imposed. ``Revisions to the HHA Conditions of 
Participation'' is not among the examples we cited for the reason that 
moratoria are focused on specific kinds of problems or areas, and are 
to be temporary.

[[Page 5922]]

    Comments: A commenter requested that CMS clarify the process for 
timely notifying the State Medicaid agency of a moratorium imposition, 
and whether the process will include advance notice.
    Response: We will be issuing subregulatory guidance to assist 
States with the operational aspect of implementing this provision in 
the near future.
    Comments: A commenter stated that while a temporary moratorium 
might be reasonable in some limited situations, CMS should make such 
decisions based on specialty, not on provider type; for instance, it 
would be inappropriate for all DMEPOS suppliers to be put under such a 
moratorium when fraud concerns do not include orthotists and 
prosthetists.
    Response: The ACA gives the Secretary broad authority to impose a 
temporary enrollment moratorium. We believe that circumstances could 
justify imposing a temporary enrollment moratorium on a category of 
providers or suppliers and not a subset within a provider or supplier 
type. As stated previously, the Secretary would explain the reasons for 
the moratorium in a Federal Register notice.
    Comment: A commenter stated that the proposed policies need to be 
modified to accommodate newly enrolling physicians (and physicians 
establishing new practice locations) in cases where a moratorium 
relates to DMEPOS suppliers. In other words, if CMS or a State imposes 
a moratorium on DMEPOS suppliers, the moratorium should not apply to 
newly enrolling physicians (or physicians establishing a new practice 
location) who are now also required to enroll as DMEPOS suppliers if 
they wish to furnish DMEPOS to their own patients.
    Response: In the example cited by the commenter, physicians 
enrolled as physicians to provide medical care would not be subject to 
a moratorium on DMEPOS suppliers. Only the new DMEPOS suppliers would 
be subject to the temporary enrollment moratorium. Physicians would be 
able to enroll in Medicare as physicians for the purpose of providing 
medical care (or ordering or referring medical care or services). The 
moratorium would only apply to the physician if he or she were newly 
applying to be a DMEPOS supplier in the geographic area covered by the 
moratorium.
    Comment: A commenter suggested that CMS specify that a moratorium 
will not be imposed unless: (1) There is significant risk of widespread 
fraud, waste, or abuse in a specified and discrete geographic region, 
and (2) clear and documented agency analysis showing that the 
moratorium will not exacerbate health disparities or create additional 
barriers for underserved communities. Also, CMS should include greater 
specificity as to what conditions would warrant the imposition of a 
moratorium and what factors would be considered to ensure that the harm 
does not outweigh the benefit and will not have a disparate adverse 
impact on racially and ethnically diverse beneficiaries and physicians.
    Response: We appreciate the concerns expressed by the commenter and 
we are also concerned about the issues of access and disparities. As 
mentioned previously, we indicated in the proposed rule that prior to 
imposing a temporary enrollment moratorium we will assess Medicare 
beneficiary access to the type(s) of services that are furnished by the 
provider or supplier type and/or within the geographic area to which a 
moratorium would apply. We also indicated that if a State has 
determined that compliance with a Medicare imposed moratorium would 
adversely impact Medicaid beneficiaries' or CHIP participants' access 
to care, the State would not be required to comply with the moratorium. 
CMS and the States take the assurance of adequate access seriously. We 
do not intend to impose a moratorium that would impede access to needed 
services.
    Comment: A commenter expressed concern that CMS's proposed 
standards for implementing a temporary moratorium on new enrollment of 
potentially high risk providers and suppliers is too broad, and that 
CMS could impose a moratorium on new enrollment of all DMEPOS 
suppliers, even though only a subset of suppliers or a particular 
region or State poses a high risk of fraud. CMS should specify that it 
will narrowly limit the moratoria to those provider types or those 
narrow geographic regions that generate the fraud concerns. In 
particular, the commenter stated that community pharmacies face the 
danger that, in the midst of preparing to open up, CMS will impose a 
moratorium. The commenter urged that the expansion of an existing 
community pharmacy DMEPOS supplier does not pose a fraud risk and such 
an expansion should not be subject to a possible moratorium. Another 
commenter stated that CMS should adopt a more targeted approach to 
moratoria that takes other relevant factors into consideration, such as 
the history or trend in proven fraud and/or abusive practices for 
specific types or categories of providers or suppliers. The commenter 
believes that painting all providers and suppliers in a particular 
geographic area with the same broad brush is too extreme a measure, and 
that CMS should not use geography, by itself, as a determining factor 
in imposing a temporary enrollment moratorium on all providers and 
suppliers.
    Response: As stated elsewhere in this document, we will publish a 
notice in the Federal Register announcing imposition of a temporary 
enrollment moratorium. This notice would contain a discussion of the 
factors associated with the moratorium. Although there are clear 
differences in the levels of fraud in different geographic areas of the 
United States, geography by itself without any indication of a risk of 
fraud, waste or abuse would not be a cause for a moratorium. Community 
pharmacies generally enroll in Medicare as roster billers for purposes 
of immunizations, and as such are listed in the limited risk level. 
DMEPOS suppliers that are owned by a community pharmacy are enrolled in 
Medicare as DMEPOS suppliers and are subject to the supplier standards 
for DMEPOS suppliers (except accreditation under certain 
circumstances). If we, on behalf of the Secretary, determine that a 
moratorium is needed for any particular provider or supplier type or 
geographic area or both, we would publish our rationale for the 
moratorium in our Federal Register notice. Decisions to impose a 
temporary enrollment moratorium would be made based on presenting 
circumstances. It would not be appropriate to exclude any provider or 
supplier category, for example, DMEPOS suppliers owned by community 
pharmacies, from being subject to a moratorium if the circumstances 
warrant the imposition of a temporary enrollment moratorium.
    Comment: Several commenters recommended that CMS also be permitted 
to lift a moratorium if the Secretary of HHS declares a public health 
emergency in an area.
    Response: The ACA gives the Secretary broad authority to impose 
temporary enrollment moratoria as a means to combat fraud, waste or 
abuse. The Secretary has considerable discretion to consider all 
aspects of the impact of a possible temporary moratorium. In the NPRM 
we proposed that the Secretary may lift a moratorium in the following 
three circumstances: (1) The President declares an area a disaster 
under the Robert T. Stafford Disaster Relief and Emergency Assistance 
Act, (2) circumstances warranting imposition of moratorium have abated 
or we have implemented safeguards to address the issue that was the 
cause of such moratorium, or (3) in the judgment of the Secretary, the 
moratorium is no

[[Page 5923]]

longer needed. Based on the comments received in response to the NPRM, 
and consistent with the broad authority provided to the Secretary in 
the Affordable Care Act, we have decided to add a public health 
emergency declared by the Secretary under section 319 of the Public 
Health Service Act to the list of circumstances the Secretary could 
cite in lifting a moratorium. We would closely evaluate these 
circumstances in the decision to continue a temporary enrollment 
moratorium.
    Comment: A commenter suggested that CMS include the restrictions 
listed in the preamble regarding temporary moratoria in the regulation 
text at Sec.  424.570.
    Response: It is unclear which provisions included in the preamble 
of the NPRM are of concern to the commenter. However, we will include 
any provisions dealing with imposition of temporary enrollment 
moratoria at Sec.  424.570.
    Comment: A commenter asserted that new Sec.  424.570 is 
inconsistent with the DMEPOS competitive bidding program. Under 
competitive bidding, a company might win a contract in a competitive 
bidding area (CBA) where a moratorium exists. If so, the company could 
not alter its geographic locations to best serve the CBA. The commenter 
requested that CMS in the final rule with comment period carefully 
delineate how the competitive bidding program and the proposed 
temporary moratoria requirements will intersect.
    Response: All winners of DMEPOS competitive bidding contracts are 
required to be enrolled in Medicare as a condition of their contract. 
As a result, these suppliers would not likely be subject to a 
moratorium on enrollment after they were awarded a contract, as they 
would already be enrolled. However, in a situation where a competitive 
bid winner applied to expand to a new practice location, the new 
location would need to be enrolled in Medicare. If a moratorium were 
imposed on DMEPOS suppliers in the area where the competitive bid 
winner was attempting to enroll a new practice location, the 
application would in all likelihood be denied based on the existence of 
a moratorium.
    Comment: The same commenter also suggested that: (1) Suppliers with 
10 or more provider transaction account numbers (PTANs) be exempt from 
Sec.  424.570 and (2) CMS allow exceptions for bona fide acquisitions 
of assets belonging to an existing provider in the area for the 
protection of the beneficiaries served by the selling provider.
    Response: We will be applying the provisions of this rule to all 
enrolled physicians, individual practitioners, providers and suppliers 
regardless of the number of PTANs. In addition, as stated in the NPRM, 
changes in ownership are not subject to moratoria. Moreover, the 
provisions of this rule do not address the conditions under which a 
provider or supplier can complete a bona fide acquisition of assets.
    Comment: Several commenters stated that new locations of enrolled 
suppliers should not be subject to a moratorium. Existing suppliers 
with no history of fraud should not be constrained in their ability to 
adjust their businesses to best meet the needs of beneficiaries; 
indeed, beneficiary access could be impaired if new locations were 
affected by a moratorium. Another commenter stated that applying a 
moratorium to a new location should only occur when the supplier has an 
objectively demonstrated history of fraud or for whom CMS has credible 
evidence of fraud.
    Response: As mentioned elsewhere in this document, a temporary 
enrollment moratorium would not be imposed without adequate rationale. 
The decision to impose a temporary enrollment moratorium would not be 
made lightly and would only be pursued should one or more of the 
conditions for imposing a temporary moratoria exist--as described in 
the proposed rule. One factor for imposing a moratorium could be that--
as stated in the NPRM--there are a disproportionate number of providers 
or suppliers relative to the number of beneficiaries. For example, 
currently enrolled providers and suppliers that are trying to enroll in 
or establish new practice locations in areas subject to a moratorium 
that has been imposed because there is a disproportionate number of a 
particular provider category relative to beneficiaries, should not be 
exempt from the moratorium.
    Comment: A commenter stated that given that the intensity of a 
Certificate of Need program is designed to limit the number of 
providers to match beneficiary need, an exception to a temporary 
moratorium should be granted in the presence of such a program. Another 
commenter agreed that an exemption to the moratorium should be given if 
the State has a Certificate of Need program and the State determines 
that there is a need for additional providers. Several commenters also 
recommended exceptions to a moratorium when a provider is establishing 
a branch location within its geographic service area. Branch locations 
are subject to the oversight of the established parent location and 
operate under the same Medicare provider number. Another commenter 
stated that the addition of a branch office to an HHA is not the 
equivalent of ``establishing a new practice location.''
    Response: We have decided not to provide a link to State CON 
programs because these programs vary in effectiveness and are subject 
to different standards, coverage and regulations and are not focused on 
fraud, waste or abuse prevention as would be a temporary enrollment 
moratorium that is authorized in the ACA. To provide an exemption in 
States with CON programs would require considerable effort to assure 
that all provider types are afforded due process and equal treatment. 
Accordingly, we did not propose an exemption from temporary enrollment 
moratoria in States with CON programs. We plan to take into account the 
impact a CON has on provider supply and beneficiary access when 
deciding to impose a moratorium. Regarding the HHA branch offices, we 
note that the extent to which the branch office is subject to a 
moratorium depends on whether the branch office is to be enrolled 
separately.
    Comment: A commenter stated that the proposal to allow unlimited 6 
month extensions without thorough documentation of supporting data 
hardly makes the moratoria temporary and could pose a significant risk 
to access to quality care for Medicare beneficiaries.
    Response: The ACA gives the Secretary broad authority to impose a 
temporary moratorium on the enrollment of new providers and suppliers 
if the Secretary determines that a moratorium is necessary to prevent 
fraud, waste or abuse in Medicare, Medicaid or CHIP. The statute did 
not provide a specific time period for the duration of a moratorium. 
After considerable discussion within CMS and HHS, the proposed rule was 
published proposing that an initial temporary enrollment moratorium 
would be imposed for a period of 6 months, with possible extensions in 
6 month increments should the Secretary determine that the moratorium 
was still needed. We proposed the 6 month duration because it would be 
sufficiently long to enable an assessment of its impact on the 
circumstances that the moratorium was designed to address, and would 
afford us the opportunity to determine whether the circumstances 
warranting the imposition of a temporary enrollment moratorium have 
abated or whether we have implemented program

[[Page 5924]]

safeguards to address program vulnerabilities. The 6 month period would 
also afford the Secretary reasonable opportunity to determine whether 
the moratorium was no longer needed. With regard to the temporary 
nature of a moratorium, we would note that the NPRM explicitly 
indicated that an initial moratorium would be for a 6 month period, not 
an indefinite period. Regarding the impact a temporary enrollment 
moratorium would have on beneficiary access to needed care, we stated 
in the NPRM that we will assess Medicare beneficiary access to the 
types of services that are furnished by the provider or supplier type 
and/or within the geographic area to which the moratorium would apply. 
We take seriously our responsibility to assure that all Medicare 
beneficiaries have access to the services and supplies they need. With 
regard to extending moratoria, the statute confers on the Secretary the 
responsibility and authority to make the judgment about the need for 
moratoria--whether initial or an extension--if the circumstances 
requiring the moratorium are still present.
    Comment: A commenter stated that as part of the implementation of a 
temporary moratorium and any extension thereof, CMS should publish data 
and research that support their decision to impose the moratorium. The 
data should be thorough and indicate the ``actual increased'' risk 
rather than perceived risk for fraud and abuse, in addition to 
supportive material data. Another commenter added that CMS should 
ensure that beneficiary access is not curtailed in an area where a 
moratorium is imposed.
    Response: As stated earlier, the ACA gives the Secretary broad 
authority to impose temporary enrollment moratoria when necessary to 
prevent or combat fraud, waste or abuse. We will announce any temporary 
enrollment moratoria in the Federal Register, including a discussion of 
the issues associated with the decision to impose a temporary 
enrollment moratorium. We are concerned about the effect imposition of 
a temporary enrollment moratorium would have on beneficiary access, and 
would consider access to care as one possible factor related to 
imposition of a moratorium. The ACA specifically mentions access to 
Medicaid services as a reason that States should consider in making 
decisions to implement moratoria.
    Comment: A commenter stated that the proposed rule should be 
amended to state that a moratorium does not apply to instances where 
the new provider is a result of a merger, change of ownership, or 
consolidation. Also, the fact that the moratorium would not apply where 
there is a change in practice location should be stated directly in the 
rule.
    Response: We agree. All of these instances are addressed in the 
final rule with comment period.
    Comment: A commenter requested that FQHCs be exempt from any 
geographical moratoria established by CMS. FQHCs are required to 
contract with State Medicaid and CHIP programs within certain specified 
locations. Inclusion in a moratorium would force these FQHCs to provide 
services without compensation.
    Response: The ACA gives the Secretary authority to impose a 
moratorium when necessary to combat fraud waste and abuse in Medicare, 
Medicaid, or CHIP. Should there ever be a reason to impose a temporary 
enrollment moratorium on FQHCs, we would need to be able to do so. As 
mentioned previously, we indicated in the NPRM that prior to imposing a 
temporary enrollment moratorium we would assess Medicare beneficiary 
access to the type(s) of services that are furnished by the provider or 
supplier type and/or within the geographic area to which the moratorium 
would apply. We also indicated that if a State has determined that 
compliance with a Medicare imposed moratorium would adversely impact 
Medicaid beneficiaries' or CHIP participants' access to care, the State 
would not be required to comply with the moratorium. We and the States 
take the assurance of adequate access seriously.
    Comment: The commenter also stated that Indian and Tribal providers 
should be exempt from the temporary moratoria provisions, as their 
programs are not viable without third-party revenue (especially 
Medicare and Medicaid) and that a moratorium could impede the programs 
and harm access to care.
    Response: The ACA gives the Secretary authority to impose a 
temporary enrollment moratorium when necessary to combat fraud, waste 
and abuse in Medicare, Medicaid, or CHIP. Should there ever be a reason 
to impose a temporary enrollment moratorium on Indian or Tribal 
providers, we would need to be able to do so. As mentioned previously, 
we indicated in the NPRM that prior to imposing a temporary enrollment 
moratorium we would assess Medicare beneficiary access to the type(s) 
of services that are furnished by the provider or supplier type and/or 
within the geographic area to which the moratorium would apply. We also 
indicated that if a State has determined that compliance with a 
Medicare imposed moratorium would adversely impact Medicaid 
beneficiaries' or CHIP participants' access to care, the State would 
not be required to comply with the moratorium. We and the States take 
the assurance of adequate access seriously.
    Comment: A commenter stated that the moratorium exceptions should 
be very limited. The commenter agreed with CMS's proposal for an 
exemption for health crisis situations related to, for example, a 
natural disaster. The commenter also recommended that exceptions should 
be granted in areas: (1) With active CON programs, (2) not being served 
by any provider or (3) where the provider(s) (other than the applicant 
for the exception) attest that they lack the capacity to meet current 
demand. Still, the commenter stated that exemptions should only be 
granted in such exceptional circumstances and not become a vehicle for 
routine circumvention of the moratorium.
    Response: We agree with the intent of these comments. Temporary 
enrollment moratoria must be considered carefully and the reasons for 
their imposition must be clear. Prior to imposing a moratorium, we will 
consider a number of factors, such as, any potential effect on access 
to care for beneficiaries. CON programs are not factored in to CMS 
decisions regarding exceptions.
    Comment: A commenter requested clarification as to whether the 
temporary moratoria provisions apply to managed care organizations.
    Response: This provision does not apply to Medicaid managed care 
entities. Medicaid risk based managed care is subject to contracts 
between States and the managed care entities, and the States rely upon 
those contracts to ensure that Medicaid beneficiaries have access to 
providers and a choice of networks within the managed care programs the 
State maintains. We would not impose moratoria on managed care programs 
that could restrict the ability of States to ensure beneficiary access 
and choice.
    Comment: A commenter stated that an enrollment moratorium should 
not apply to publicly traded companies, since CMS can look to the board 
of directors and similar organizational structures to provide 
appropriate oversight and accountability. Moreover, after a moratorium 
is lifted, publicly traded providers and suppliers that were subject to 
the moratorium should not be lifted to a high screening level; to do so 
would be inconsistent with CMS's own statements in the preamble that 
publicly traded providers and suppliers pose a limited risk.

[[Page 5925]]

    Response: It would be inappropriate for us to identify any one 
provider or supplier characteristic, such as being publicly traded, as 
a basis for not being subject to a temporary enrollment moratorium. In 
addition, as noted below, in the screening portion of this final rule 
with comment period, we have decided not to draw a distinction between 
publicly traded and other providers and suppliers. Should there ever be 
a reason to impose a temporary enrollment moratorium in a geographic 
area or on a particular provider or supplier category; we would need to 
be able to do so. We cannot state that there will never be 
circumstances that warrant imposition of a temporary enrollment 
moratorium that will affect providers and suppliers that are publicly 
traded or that these providers and suppliers will never be subject to a 
temporary enrollment moratorium. We have in response to many comments 
on this issue, has decided to eliminate the distinction between 
publicly traded and non-publicly traded status as a determinant of 
assignment of provider or supplier types to risk levels. Temporary 
enrollment moratoria will not be imposed without adequate rationale for 
how the moratorium would address fraud, waste and abuse in Medicare, 
Medicaid and CHIP. Such moratoria would be imposed based on careful 
analysis and assessment of circumstances that are present.
    Comment: CMS, according to one commenter, states repeatedly that 
the application of the temporary moratoria could be to either a 
particular provider or supplier type or a particular geographic area. 
The commenter urged CMS to reconsider whether it is appropriate to ever 
apply moratoria on particular geographic areas for all provider and 
supplier types--such as physicians, whom CMS assigns to the limited 
level of screening. The commenter believes that physicians should be 
exempt from geographic provider/supplier enrollment moratoria.
    Response: We would not likely impose a temporary enrollment 
moratorium on all provider and supplier types in a particular 
geographic area particularly given the potential impact on beneficiary 
access. However, if circumstances were to be such that a temporary 
enrollment moratorium in a particular geographic area should apply to 
all provider and supplier types in that area, we would need to be able 
to impose such a moratorium. As stated elsewhere in this document, we 
would publish notice of any moratorium and would include in the notice 
the rationale for the imposition of a temporary enrollment moratorium. 
Also, as stated earlier, we would consider access issues as well.
    Comment: A commenter urged that the final rule with comment period 
be revised to clarify that it is only to be used as an option of last 
resort, when less onerous enforcement efforts have failed to reduce 
program abuse by a significant number of providers or suppliers of the 
same type. The commenter also stated that it should be imposed only if 
there is irrefutable evidence of fraud, waste or program abuse by a 
significant portion of the population of providers that are targeted by 
the moratorium.
    Response: The ACA gives the Secretary broad authority to impose 
temporary enrollment moratoria in instances where the Secretary has 
determined that the moratorium is necessary to combat fraud, waste or 
abuse in Medicare, Medicaid or CHIP. A moratorium would not be imposed 
without adequate justification. We would announce in the Federal 
Register the imposition of any temporary enrollment moratorium and 
would include a discussion of the issues associated with the decision 
to impose the temporary enrollment moratorium.
    In the NPRM, we did list circumstances that could lead to the 
imposition of a temporary enrollment moratorium in situations where: 
(1) Based on our review of existing data, identifies a trend that 
appears to be associated with a high risk of fraud, waste or abuse, 
such as when a highly disproportionate number of providers or suppliers 
in a category relative to the number of beneficiaries or a rapid 
increase in enrollment applications within a category is associated 
with a significant potential for fraud, waste or abuse with respect to 
a particular provider or supplier type or particular geographic area or 
both, (2) a State has imposed a temporary enrollment moratorium, or (3) 
CMS in consultation with the Department of HHS Office of Inspector 
General or the Department of Justice or both identifies either or both 
a particular provider or supplier type or a particular geographic area 
as having significant potential for fraud, waste, or abuse. We also 
included in the NPRM the reasons a temporary enrollment moratorium 
could be lifted. The decision to extend a moratorium would be based on 
the proposals in the NPRM and would take into account the extent to 
which the conditions necessitating the moratorium were still present.
    Comment: A commenter stated that CMS and Medicaid should be 
permitted to extend a temporary moratorium by a maximum of one 
additional 6 month period. Twelve months is more than a sufficient 
amount of time for CMS to consider additional programmatic initiatives. 
The commenter added that CMS's statement in the preamble that it 
``would assess Medicare beneficiary access to the type(s) of services 
that are furnished by the provider or supplier type and/or within the 
geographic area to which the moratorium would apply'' before imposing a 
moratorium, should be included in the regulatory text.
    Response: We reserve the option to extend a temporary moratorium if 
circumstances warrant the continuation. We do not want to limit our 
ability to keep a temporary enrollment moratorium in place if 
necessary. Conversely, if the Secretary determines that a moratorium is 
no longer needed, consistent with the provisions of the proposed rule, 
the moratorium could be lifted at any time. We have modified the 
regulation text to make this clarification. We will consider safeguards 
for beneficiary access related to the imposition of an enrollment 
moratorium at Sec.  424.570.
    Comment: A commenter stated that CMS should exempt new practice 
locations from the moratoria and should limit the moratorium to newly-
enrolling providers and suppliers.
    Response: Currently enrolled providers and suppliers that are 
trying to establish additional new practice locations as a means to 
enroll in areas that are subject to a moratorium, and the provider is 
of the type for which the temporary enrollment moratorium is imposed, 
should not be exempt from the moratorium. However, if an enrolled 
provider or supplier is merely changing its practice location from a 
current location to a new location--not an additional new location--
then that new location would not be subject to a temporary enrollment 
moratorium.
    Comment: A commenter stated that CMS should establish an 
administrative appeals mechanism to address adverse determinations 
based on the imposition of a temporary moratorium that would also 
permit providers and suppliers to question whether CMS has an 
appropriate statutory or evidentiary basis for imposing a temporary 
moratorium.
    Response: The ACA specifies that there is no judicial review under 
sections 1869 and 1878 of the Act, or otherwise of the decision to 
impose a temporary enrollment moratorium
    However, as stated in the NPRM, we note that a provider or supplier 
may use the existing appeal procedures at 42 CFR part 498 to 
administratively appeal a denial of billing privileges based on the 
imposition of a temporary moratorium.

[[Page 5926]]

    Comment: One commenter stated that CMS should allow exceptions to 
the moratorium, such as: (1) A low ratio of the provider or supplier 
type to the number of beneficiaries in the targeted area, (2) pandemics 
and other threats to beneficiary health that would be served by the 
provider or supplier type, and (3) other circumstances as the Secretary 
or the State Medicaid director determine are in the best interests of 
the program.
    Response: As discussed previously, the ACA gives the Secretary 
broad authority to impose temporary enrollment moratoria. We also 
stated earlier that we listed in the NPRM circumstances that could lead 
to the imposition of a temporary enrollment moratorium in situations. 
We also indicated in the NPRM that prior to imposing a temporary 
enrollment moratorium we would assess Medicare beneficiary access 
issues. And we indicated that if a State has determined that compliance 
with a Medicare imposed temporary enrollment moratorium would adversely 
impact Medicaid beneficiaries', or CHIP participants' access to care, 
the State would not be required to comply with the temporary enrollment 
moratorium. We and the States take the assurance of adequate access 
seriously.
    Comment: A commenter believes that CMS moratoria authority was 
open-ended to the point where CMS could, towards the end of a fiscal 
year, announce the suspension of provider enrollment in a variety of 
categories not to stem fraud and abuse, but rather to achieve some 
budgetary goal of reducing Medicare expenditures. The commenter 
requested that CMS clarify: (1) Who will decide what constitutes a 
highly disproportionate number of providers relative to the number of 
beneficiaries, (2) the standards that will be used to determine the 
number of providers necessary relative to the number of beneficiaries, 
and (3) whether this is a de facto return of the certificate of need 
process.
    Response: We proposed and sought comments on factors that would 
have to be in place to impose a temporary enrollment moratorium, 
including identifiable trends in CMS data, State imposition of a 
moratoria, or consultation with the Office of Inspector General or the 
Department of Justice. The ACA requires that any moratorium imposed be 
implemented to reduce fraud, waste and abuse in the Medicare, Medicaid 
and CHIP programs. Additionally, we will not deny any enrollment for 
which the Medicare enrollment contractor has completed review of the 
application and has determined that the provider or supplier meets all 
the requirements for enrollment and all that remains is to assign 
appropriate billing number(s) and enter the provider or supplier into 
PECOS. Actively enrolled providers and suppliers will still be 
reimbursed for claims for services that are provided, and reimbursement 
would be at levels preceding the moratoria. The process for imposing a 
moratorium in this rule provides no opportunity for us to use the 
temporary enrollment moratoria to stop payments to enrolled providers 
and suppliers, and there is no intention for us to use temporary 
moratoria for purposes other than the ones authorized under the ACA.
    Additionally, as stated previously, we would provide notice in the 
Federal Register of the imposition of a temporary enrollment moratorium 
and would include a discussion of the issues associated with the 
decision to impose a temporary enrollment moratorium. We will decide 
what constitutes a disproportionate number of providers relative to 
beneficiaries. We indicated in the NPRM that prior to imposing a 
temporary enrollment moratorium we would assess Medicare beneficiary 
access to the type(s) of services that are furnished by the provider or 
supplier type and/or within the geographic area to which the temporary 
enrollment moratorium would apply. As a part of this process, we would 
examine the levels of providers in a given area and make a judgment 
about whether any temporary enrollment moratorium would adversely 
affect the delivery of needed services to beneficiaries. Regarding 
Certificate of Need processes, we would note that a number of States 
use the CON process. We have stated elsewhere in this document that we 
have not linked this proposed rule to the CON process. The CON programs 
vary in effectiveness and coverage and are subject to different 
standards and regulations. If there were a need to impose a temporary 
enrollment moratorium in any part of a State that has a CON 
requirement, we would impose the temporary enrollment moratorium in 
that part of the State, as needed.
    Comment: A commenter stated that CMS should exclude from any 
moratoria those providers and suppliers: (1) Assigned to the limited 
level of screening, and (2) that have completed and passed a State 
licensure process. Another commenter urged that a moratorium be applied 
only to providers included within the moderate or high screening 
levels, and then only after: (1) Appropriate appeals measures have been 
established, and (2) CMS has addressed any beneficiary access to care 
issues.
    Response: The ACA provides that the Secretary can impose a 
moratorium if she decides that it is necessary to combat fraud, waste 
or abuse. Accordingly the decision to impose a temporary enrollment 
moratorium will be based on a variety of factors, including the 
potential risk of fraud in the Medicare program that could be posed by 
a particular category of provider or supplier in a specific geographic 
area. The ACA gives the Secretary authority to impose a moratorium when 
necessary to combat fraud waste and abuse in Medicare, Medicaid, or 
CHIP. Should there ever be a reason to impose a temporary enrollment 
moratorium on any category of providers or suppliers, we would need to 
be able to do so--regardless of the screening level to which they were 
assigned as part of the provider and supplier screening process 
described in this regulation. We cannot state that providers and 
suppliers in the ``limited'' screening level will never be subject to a 
temporary enrollment moratorium. Nor are we prepared to state that 
providers or suppliers that are licensed would never be subject to a 
temporary enrollment moratorium. With regard to access to care, we 
indicated in the NPRM that prior to imposing a temporary enrollment 
moratorium we would assess Medicare beneficiary access to the type(s) 
of services that are furnished by the provider or supplier type and/or 
within the geographic area to which the temporary enrollment moratorium 
would apply. We also indicated that if a State has determined that 
compliance with a Medicare imposed temporary enrollment moratorium 
would adversely impact Medicaid beneficiaries', or CHIP participants' 
access to care, the State would not be required to comply with the 
temporary enrollment moratorium. We and the States take the assurance 
of adequate access seriously.
    Comment: A commenter stated that while the preamble mentions that 
advanced notice of a moratorium will be given, this is not specified in 
the regulation text. The commenter stated that the text should be 
amended to reflect the advanced notice requirement.
    Response: The preamble to the proposed rule says that we will 
announce the imposition of a temporary enrollment moratorium in the 
Federal Register. The preamble does not say we will give advance 
notice. We have stated in response to other comments that we do not 
think we should provide advance notice as this may foster an increase 
in applications for enrollment in an

[[Page 5927]]

attempt to circumvent the intent of the temporary enrollment 
moratorium. Accordingly, we did not include any language about advance 
notice in the regulation text.
    Comment: A commenter requested clarification as to what the term 
``significant potential for fraud'' means in the context of the 
moratorium and the datasets that will be used to determine whether such 
a trend exists.
    Response: We offered examples in the NPRM of the kinds of 
circumstances that might warrant imposition of a temporary enrollment 
moratorium. We plan to draw on data and information from many sources 
in coming to a decision about imposition of temporary enrollment 
moratoria--including existing CMS claims and enrollment data as well as 
other public data as well as data from our contractors or from law 
enforcement entities.
    Comment: A commenter noted that CMS proposes to allow a Medicare 
enrollment moratorium where a State Medicaid program has imposed a 
moratorium on a group of providers who are also eligible to enroll in 
Medicare. The commenter stated that the proposal does not clarify 
whether CMS intends for such a moratorium to apply only to those 
providers within the affected State or whether that moratorium could 
apply nationwide in the event that the moratorium pertains to provider 
type. The commenter believes that for a State-imposed moratorium to 
have such a drastic effect across the country without evidence of a 
nationwide problem would be an overly broad and unnecessary imposition 
of CMS authority, and urged CMS to craft this provision more narrowly.
    Response: We agree that imposing a moratorium on a national level 
based on one State's action in its State would be an unnecessarily 
broad action for us to take. The intent of that provision in the NPRM 
was to afford Medicare the option to adopt a State moratorium in a 
State or part of a State if appropriate.
    Comment: A commenter stated that in the case of a moratorium, CMS 
and the States should explain their actions and provide an opportunity 
for notice and comment.
    Response: We have said that we plan to provide notice of imposition 
of a temporary enrollment moratorium in the Federal Register, 
explaining the rationale for the imposition. We will not be providing 
an opportunity for comment prior to the imposition of a temporary 
enrollment moratorium, because it is not a rulemaking effort. Moreover, 
we think that providing advance notice of a temporary enrollment 
moratorium might foster a spike in enrollment applications from 
providers or suppliers that would be subject to the moratorium. If we 
determine that a temporary enrollment moratorium is needed, we would 
not want to provide opportunities for providers and suppliers to 
circumvent the moratorium's purpose.
    Comment: A commenter recommended that CMS impose a temporary 
moratorium nationally on any Medicare-certified HHAs. As an 
alternative, the commenter suggested a moratorium in any State without 
either HHA licensure or a certificate of need, or in any State where 
the growth in new HHAs in the most recent 4 years has exceeded 15 
percent.
    Response: At this time, we are not contemplating the imposition of 
national moratoria. Moreover, it would be premature to identify any 
provider or supplier type that might be subject to imposition of a 
temporary enrollment moratorium. Should it be necessary to impose a 
temporary enrollment moratorium on any provider or supplier type, we 
will explain the reasons for the temporary enrollment moratorium in a 
public notice in the Federal Register.
    Comment: One commenter stated that while they are in agreement with 
the proposal that State Medicaid agencies should have the authority to 
impose temporary moratoria on the enrollment of new providers or impose 
numerical caps or other limits on the providers assigned to the high 
screening level by the Secretary, the State Medicaid agency should also 
be allowed the discretion to identify providers that are high risk by 
State standards.
    Response: We agree that the State Medicaid agency has the 
discretion to identify providers that are high risk by State standards. 
However, section 1902(kk)(4)(B) of the Act explicitly states that the 
designation of ``high risk'' providers for purposes of this provision 
must be made by the Secretary. Thus, we are finalizing the requirement 
that when a State Medicaid agency identifies a category of providers 
that are high risk of fraud, waste or abuse by State standards, the 
State must seek our concurrence with that assignment prior to imposing 
any type of moratoria, numerical caps or other limits on the enrollment 
of these providers.
    Comment: One commenter requested that the rule be clarified to 
allow a State to complete any provider enrollment initiated prior to a 
Federally imposed moratorium.
    Response: If a moratorium is deemed necessary, then we believe that 
all unenrolled providers should be subject to the moratorium. However, 
we would not require the State to deny any enrollment for which the 
State has completed its review of the enrollment application and has 
made a determination that the provider meets all requirements for 
enrollment.
    Comment: A few commenters requested additional information 
regarding the process that should be used by State Medicaid agencies to 
notify CMS that imposition of a temporary moratorium would adversely 
impact beneficiaries' access to medical assistance, including the 
documentation that will be required and the standards CMS will use for 
its review.
    Response: We believe that additional information regarding the 
operational processes that should be used by States regarding temporary 
moratorium are more appropriately addressed in subregulatory guidance. 
We will be issuing subregulatory guidance to assist States with the 
operational impact of implementing this provision in the near future.
    Comment: Regarding State ``identification'' of providers with a 
``significant potential for fraud, waste or abuse,'' one commenter 
asked that documentation of the significant risk be required, as well 
as a description of the rationale used to arrive at numerical caps or 
other limits on enrollment of that provider type.
    Response: Consistent with section 1902(kk)(4)(B) of the Act, when a 
State Medicaid agency identifies a category of providers that is high 
risk by State standards, the State must seek our concurrence with that 
designation prior to imposing any type of moratorium, numerical cap or 
other limit on the enrollment of these providers. We will expect the 
State to provide rationale and justification for assigning providers to 
the high screening level when seeking our concurrence. We will be 
issuing subregulatory guidance to assist States with the operational 
aspect of implementing this provision in the near future. We agree a 
temporary enrollment moratorium should be imposed only with adequate 
rationale. A temporary enrollment moratorium on any category of 
provider that a State identifies as posing a significant potential for 
fraud, waste, or abuse, should be supported by adequate rationale to 
justify the imposition of a temporary moratorium, numerical caps or 
other limits on enrollment of that provider type.
    Comment: One commenter requested that CMS add an exception where 
the State has other measures in place that adequately control for the 
potential fraud, waste, and abuse that is the basis for the proposed 
moratorium.

[[Page 5928]]

    Response: The ACA does not allow us to grant such an exception to 
States even when the State has other fraud controls in place. 
Additionally, we believe this additional program integrity safeguard is 
necessary to prevent loss to Medicare, Medicaid and CHIP programs when 
existing safeguards have not prevented an emergent trend in fraudulent, 
wasteful, or abusive practices. We believe the authority to impose 
temporary enrollment moratorium when appropriate will be a useful tool 
for both CMS and the States.
    Comment: Several commenters requested clarification regarding 
whether this requirement applies to Medicaid managed care. These 
commenters specifically asked CMS to provide an explicit exception to 
temporary moratoria for Medicaid managed care entities so to ensure 
that the adequacy of these plans' provider networks is not compromised 
and in turn, impede beneficiary access to care.
    Response: As stated previously, this provision does not apply to 
Medicaid managed care entities. Medicaid risk based managed care is 
subject to contracts between States and the managed care entities, and 
the States rely upon those contracts to ensure that Medicaid 
beneficiaries have access to providers and a choice of networks within 
the managed care programs the State maintains. We would not impose 
moratoria on managed care programs that could restrict the ability of 
States to ensure beneficiary access and choice.
    Comment: One commenter requested the development of a process for 
an individual provider exemption from a moratorium or, in the 
alternative, the establishment of a more focused process for imposing 
any necessary moratoria.
    Response: As mentioned previously, we will take action to impose a 
temporary moratorium only if justified. Accordingly, the decision to 
impose a temporary enrollment moratorium will be based on the potential 
risk of fraud, waste or abuse in the Medicare or Medicaid programs.
    Comment: A commenter stated that CMS, should it proceed with this 
proposed rule, must introduce much better controls to limit over-
reaching and to assure providers due process rights. The commenter 
cited CMS's proposed ability to impose a temporary enrollment 
moratorium on potentially high risk providers and suppliers with no 
rights of judicial review of the agency's decision. The commenter 
stated that the absence of defined rights for orthotic and prosthetic 
suppliers in the proposed rule could, in some instances, appear to be a 
Federal ``taking'' without due process.
    Response: As stated previously, we will provide a discussion of the 
factors for imposing a moratorium on a case by case basis when the 
notice of such a moratorium is published in the Federal Register. If a 
provider or supplier's billing privileges are denied due to the 
imposition of a temporary enrollment moratorium, the denial of billing 
privileges can be challenged administratively through the existing 
enrollment appeal procedures at 42 CFR part 498. Further, we disagree 
with the commenter's characterization of a temporary moratoria of 
newly-enrolling providers and suppliers as a Federal ``taking.''
4. Final Temporary Moratoria on Enrollment of Medicare Providers and 
Suppliers, Medicaid and CHIP Provisions
    This final rule with comment period finalizes the provision of the 
proposed rule in regards to the temporary enrollment moratoria with the 
following exceptions:
    In Sec.  424.570, we modified our proposal as follows:
     Added language to clarify that we will fully assess the 
impact of a temporary enrollment moratorium would have on beneficiary 
access to services that will be subject to the temporary enrollment 
moratorium at Sec.  424.570(a).
     Added language that specifies we will announce any 
temporary enrollment moratorium in a notice in the Federal Register 
that will include the rational for the imposition of the moratorium, 
the particular provider or supplier type or the establishment of new 
practice locations of a particular type in a particular geographic area 
at Sec.  424.570(a).
     Added language to clarify that Medicare contractor will 
deny enrollment applications from a provider or supplier subject to a 
moratorium specified in paragraph (a) including providers and suppliers 
with pending enrollment applications, EXCEPT such applications that 
have been approved by the enrollment contractor before the imposition 
of a moratorium at Sec.  424.530(a)(10).
     Added language that adopts a public commenter's proposal 
that the Secretary may lift a temporary enrollment moratorium in the 
event of a public health emergency in the affected geographic area at 
Sec.  424.570(d).
     Added language that specifies we will publish notice of 
lifting the moratorium in the Federal Register at Sec.  424.570(d).

D. Suspension of Payments

1. Medicare
a. Background
    In section 6402(h) of the ACA, the Congress amended section 1862 of 
the Act by adding a new paragraph (o), under which the Secretary may 
suspend payments to a provider or supplier pending an investigation of 
a credible allegation of fraud unless the Secretary determines that 
there is good cause not to suspend payments. This section requires that 
the Secretary consult with the HHS OIG in determining whether there is 
a credible allegation of fraud against a provider or supplier. For 
purposes of this Medicare payment suspension regulation, we will refer 
to providers and suppliers collectively as ``providers''.
b. Previous Medicare Regulations
    We have long been authorized to suspend payments in cases of 
suspected fraudulent activity. On December 2, 1996, we finalized 
regulations Sec.  405.370 through Sec.  405.379 that provides for 
suspension of payments to providers for several scenarios, including 
when we possess reliable information that fraud or willful 
misrepresentation exists. The rule provides that we may suspend 
payments to a provider in whole or in part based upon possession of 
reliable information that an overpayment or fraud or willful 
misrepresentation exists or that the payments to be made may not be 
correct, although additional evidence may be needed for a 
determination.
    The existing rule provides that a suspension of payments is limited 
to 180 days, unless it meets one of several exceptions. A Medicare 
contractor may request a one-time only extension of the suspension 
period for up to 180 additional days if it is unable to complete its 
examination of the information that serves as the basis for the 
suspension. Also, OIG or a law enforcement agency may request a one-
time only extension for up to 180 additional days to complete its 
investigation in cases of fraud and willful misrepresentation. The rule 
provides that these time limits do not apply if the case has been 
referred to and is being considered by the OIG for administrative 
action, such as civil monetary penalties. We may also grant an 
extension beyond the 180 additional days if DOJ requests that the 
suspension of payments be continued based on the ongoing investigation 
and anticipated filing of criminal or civil actions. The DOJ extension 
is limited to the amount

[[Page 5929]]

of time needed to implement the criminal or civil proceedings.
c. Proposed Medicare Suspension of Payments Requirements
    Section 6402(h) of the ACA requires that the Secretary consult with 
the OIG in determining whether there is a credible allegation of fraud 
against a provider. If a credible allegation of fraud exists, the 
Secretary may impose a suspension of payments pending an investigation 
of the allegations, unless the Secretary determines that there is good 
cause not to suspend payments. We proposed to revise Sec.  405.370 to 
add a definition of what constitutes a ``credible allegation of 
fraud,'' to include an allegation from any source, including but not 
limited to fraud hotline complaints, claims data mining, patterns 
identified through provider audits, civil False Claims Act, and law 
enforcement investigations. Allegations are considered to be credible 
when they have indicia of reliability. Many issues related to this 
definition will need to be determined on a case-by-case basis by 
looking at all the factors, circumstances and issues at hand. We 
continue to believe that CMS or its contractors must review all 
allegations, facts, and information carefully and act judiciously on a 
case-by-case basis when contemplating a payment suspension, mindful of 
the impact that payment suspension may have upon a provider.
    We received the following comments:
    Comment: We received numerous comments suggesting that the proposed 
definition of ``credible allegation of fraud'' was ambiguous and fails 
to detail a precise evidentiary standard that CMS and OIG will employ 
in determining if a payment suspension is warranted. Commenters were 
also concerned that including fraud hotline complaints as a source of 
allegations would inevitably lead to disingenuous allegations from 
competitors and/or disgruntled former employees that would lead to 
unjustified payment suspensions.
    Response: We did not intend to detail a precise evidentiary 
standard in this definition; rather we intended to give examples of the 
typical sources of allegations of fraud and explain that assessing the 
reliability of an allegation is a process that will occur on a case-by-
case basis. CMS and OIG fully understand the need to act judiciously 
when corroborating information and investigating allegations of fraud, 
especially when the source of the allegation is an anonymous fraud 
hotline complaint. The statutorily required consultation between CMS 
and the OIG prior to implementing a payment suspension will provide 
ample opportunity for the credibility of an allegation to be assessed 
and for a preliminary investigation into the allegation of fraud to 
occur sufficient to meet a reasonable evidentiary standard.
    We additionally proposed modifying the existing Sec.  405.370 to 
add a definition for ``resolution of an investigation.'' The ACA 
provides for the suspension of payments pending the investigation of a 
credible allegation of fraud, and we believe that this provision 
necessitates defining when an investigation has concluded and the basis 
for the suspension of payments no longer exists. The definition 
proposed in the proposed rule and finalized here is that a resolution 
of an investigation occurs when legal action is terminated by 
settlement, judgment, or dismissal, or when the case is closed or 
dropped because of insufficient evidence. We solicited comments on an 
alternative definition of the term ``resolution of an investigation'' 
which is that it occurs when a legal action is initiated or the case is 
closed or dropped because of insufficient evidence to support the 
allegations of fraud. We did not receive any comments that specifically 
addressed a preference for either of these definitions.
    We proposed modifying the existing Sec.  405.371(a) to 
differentiate between suspensions based on either reliable information 
that an overpayment exists or that payments to be made may not be 
correct, and suspensions based upon a credible allegation of fraud. As 
required by the ACA, we proposed in this section that CMS or its 
contractor must consult with the OIG, and as appropriate, the 
Department of Justice (DOJ) in determining whether a credible 
allegation of fraud exists prior to suspending payments on the basis of 
alleged fraud.
    We also proposed in accordance with the ACA that we retain 
discretion regarding whether or not to impose a suspension or continue 
a suspension, as there may be good cause not to suspend payments or not 
to continue to suspend payments to providers or suppliers in certain 
circumstances. We proposed to add a new Sec.  405.371(b) to describe 
circumstances that may qualify as good cause not to suspend payments or 
not to continue to suspend payments despite credible allegations of 
fraud.
    In paragraph (b)(1), we proposed a good cause exception based upon 
specific requests by law enforcement that CMS not suspend payments. 
There are numerous reasons for which law enforcement personnel might 
make such a request, including that imposing a payment suspension might 
alert a potential perpetrator to an investigation at an inopportune or 
particularly sensitive time, jeopardize an undercover investigation, or 
potentially expose whistleblowers or confidential sources.
    In paragraph (b)(2), we proposed a good cause exception not to 
suspend payments if we determine that beneficiary access to necessary 
items or services may be jeopardized. We envision there may be 
scenarios in which a payment suspension to a provider might jeopardize 
a provider's ability to continue rendering services to Medicare 
beneficiaries whose access to items or services would be so jeopardized 
as to cause a danger to life or health.
    In paragraph (b)(3) of the proposed rule, we proposed a good cause 
exception not to suspend payments if CMS determines that other 
available remedies implemented by or on behalf of CMS more effectively 
or quickly protect Medicare funds than would implementing a payment 
suspension. For example, law enforcement personnel might request that a 
court immediately enjoin potentially unlawful conduct or prevent the 
withdrawal, removal, transfer, disposal, or dissipation of assets, 
either or both of which might protect Medicare funds more fully or 
quickly than would imposition of a payment suspension.
    More generally, in paragraph (b)(4) of the proposed rule, we 
proposed a good cause exception based upon a determination by us that a 
payment suspension or continuation of a payment suspension is not in 
the best interests of the Medicare program. We further proposed that we 
will conduct an evaluation of whether there is good cause not to 
continue a suspension every 180 days after the initiation of a 
suspension based on credible allegations of fraud. We believe that 
circumstances surrounding a specific case may change as an 
investigation progresses, and it may become in the best of interests of 
the Medicare program to terminate a payment suspension prior to the 
resolution of an investigation. As part of this ongoing evaluation, we 
will request a certification from the OIG or other law enforcement 
agency as to whether that agency continues to investigate the matter.
    We considered additional specific circumstances and scenarios that 
may qualify as good cause not to continue a payment suspension prior to 
the resolution of an investigation, and solicited comments on this 
approach. For example, one scenario that we considered as additional 
good cause not to continue a suspension is when a

[[Page 5930]]

suspension has been in place for a specific length of time, such as 2 
years or 3 years, and the investigation has not been resolved. We 
anticipated that on a case by case basis, we would evaluate the status 
of a particular investigation and the nature of the alleged fraud in 
determining whether keeping a payment suspension in effect beyond a 
certain length of time may not be in the best interests of the Medicare 
program. We chose not to propose specific language on duration in the 
regulatory text. However, we solicited comment on this approach.
    Comment: Numerous commenters supported an additional good cause 
exception not to continue a payment suspension when the accompanying 
investigation continued beyond a certain length of time. Several 
commenters supported this exception, however most believe that 2 years 
or 3 years was much too long for a suspension to be in effect and the 
length of time associated with this good cause exception should be much 
shorter.
    Response: We agree with the commenters who support the additional 
good cause exception not to continue a payment suspension when an 
investigation has continued beyond a certain length of time, in certain 
cases. We believe that 18 months is the appropriate timeframe for a 
good cause-based exception beyond which a payment suspension ought not 
continue except under certain limited circumstances. Therefore, good 
cause not to continue a payment suspension beyond 18 months shall be 
deemed to exist unless one of two specific criteria is met. The first 
of these criteria is if the case has been referred to, and is being 
considered by, the OIG for administrative action (for example, civil 
money penalties) or such administrative action is pending. The second 
of these criteria is if the Department of Justice submits a written 
request to CMS that the suspension of payments be continued based on 
the ongoing investigation and anticipated filing of criminal and/or 
civil actions or based on a pending criminal and/or civil action. We 
are adopting these two law enforcement specific scenarios that will 
serve as the criteria for extending a payment suspension beyond 18 
months and are based upon the longstanding criteria for extending 
suspensions found in the Medicare payment suspension regulations.
    We proposed modifying the existing Sec.  405.372 to reflect the 
changes made in Sec.  405.371 which divides the payment suspension 
authority into situations involving overpayments and situations 
involving allegations of fraud. In Sec.  405.372(c) we clarify the 
subsequent action requirements to distinguish between suspensions based 
on credible allegations of fraud and those that are based on other 
factors, such as overpayments. For suspensions that are not based on 
credible allegations of fraud, CMS and its contractors will continue to 
take timely action to obtain additional information needed to make an 
overpayment determination and make all reasonable efforts to expedite 
the determination. Once the determination is made, notice of the 
determination will be given to the provider or supplier and the payment 
suspension will be terminated. If the payment suspension is based on 
credible allegations of fraud, CMS and its contractors will take 
subsequent action to determine if an overpayment exists or if the 
payments may be made, however the termination of the suspension and the 
issuance of a final determination notice to the provider or supplier 
may be delayed until resolution of the investigation. At the end of the 
fraud investigation, it is possible that the Medicare contractor will 
not have completed its overpayment determination, but will have 
reliable evidence of an overpayment or will have evidence that the 
payments to be made may not be correct. This typically occurs when a 
law enforcement investigation results in civil or criminal resolution 
prior to the Medicare contractor having had sufficient time to complete 
its overpayment determination. In such a situation, we would allow the 
suspension to continue as an overpayment suspension.
    We proposed modifying the existing Sec.  405.372(d) concerning the 
duration of suspension of payment. In Sec.  405.372(d)(3) we except 
suspensions based on credible allegations of fraud from the established 
time limits specified in paragraphs (d)(1) and (d)(2). We believe the 
strict time constraints found in paragraphs (d)(1) and (d)(2) should 
only be applied to suspensions based on reliable information of an 
overpayment or where payments to be made may not be correct, both of 
which require a speedy overpayment determination. When credible 
allegations of fraud are present, we believe we should have the 
flexibility to maintain a suspension beyond these established time 
limits in order for an investigation to be completed or the matter to 
be resolved. However, we noted that by excepting suspensions based on 
credible allegations of fraud from these previously established 
timeframes, we do not intend to suspend payments to providers and 
suppliers indefinitely. We will be actively evaluating the progress of 
any investigation to determine if good cause exists to no longer 
continue the suspension of payments, as suspensions are designed to be 
a temporary measure. As part of this recurring evaluation, we will 
request a certification from the OIG or other law enforcement agency 
that the matter continues to be under investigation.
    We also proposed eliminating the two other existing scenarios in 
paragraph (d)(3) for extending payment suspensions beyond the time 
limits in paragraphs (d)(1) and (d)(2), which are when the OIG is 
considering administrative action such as civil monetary penalties and 
also when the DOJ requests an extension based on an ongoing 
investigation and the anticipated filing of criminal and/or civil 
actions. We have removed these two scenarios from the existing duration 
provisions in Sec.  405.372(d), however we have added similar criteria 
for extending suspensions to the good cause criteria at Sec.  405.371 
(b)(3), based on these law enforcement scenarios.
    Comment: We received numerous comments raising concern over the 
perceived lack of due process afforded to the provider community in 
this proposed rule and numerous comments suggesting that more attention 
needs to be paid to establishing clear criteria for suspensions and 
basic due process rights before implementing this provision. Commenters 
also pointed out that the ACA does not mandate a deadline for 
implementing this policy and commenters recommend we withdraw the 
suspension provision from the final rule with comment period and work 
to develop defined standards with meaningful due process protections.
    Response: We believe that the proposed rule affords providers who 
have had their payments suspended based on credible allegations of 
fraud ample opportunity to submit information to us in the established 
rebuttal statement process to demonstrate their case for why a 
suspension is unjustified. We believe that the criteria for suspension 
of payments are clear. We reiterate that this authority will be 
exercised judiciously by CMS, in consultation with the OIG, and that 
only in the most egregious cases will payment suspensions last longer 
than the previously established timeframes for payment suspensions. We 
will not withdraw the suspension provision from the final rule with 
comment period as we believe the due process

[[Page 5931]]

protections are more than adequate and the evidentiary standards for 
payment suspensions cannot be more precisely defined.
    Comment: A commenter suggested that the proposed rule lacks 
specificity around the required consultation between CMS and the OIG 
and the DOJ and asked which entity ultimately decides whether an 
allegation is credible and whether a unanimous determination is 
required.
    Response: We retain the ultimate authority regarding whether or not 
a payment suspension will be implemented in a given case. The mechanics 
of the consultation between CMS and our law enforcement partners to 
determine the credibility of allegations will be detailed in a 
Memorandum of Understanding between the respective agencies and we do 
not believe it is appropriate to detail this process in the final rule 
with comment period.
    Comment: A commenter questions why there is no defined time 
requirement for CMS to provide written notice of a suspension that was 
imposed without prior notice, similar to the time limits required of 
States in the Medicaid payment suspension rule.
    Response: The Medicare and Medicaid payment suspension rules need 
not mirror each other in every respect. We have long suspended payments 
without prior notice to providers in cases of suspected fraud and have 
an established track record for providing written notice to providers 
as soon as is practicable after implementing a suspension. We do not 
believe it is necessary to impose a strictly defined time period for 
providing notice to providers who were suspended without prior notice 
based on credible allegations of fraud, and we do not believe that a 
30, 60, or 90 day limit is necessary as in nearly all historical cases 
we have provided notice to providers well within these suggested time 
limits.
    Comment: One commenter expressed concern over CMS treatment of 
payment suspensions in the cases of overpayments without credible 
allegations of fraud and pointed out that there are a multitude of 
scenarios under which physicians might be overpaid due to inadvertent 
billing errors or Medicare contractor claims processing errors that are 
no fault of the provider.
    Response: We believe that we must retain the ability to suspend 
payments in both cases of potential fraud and cases that do not involve 
potential fraud but are based solely on potential overpayments. We have 
long had the authority to suspend payments without evidence of fraud 
but historically have not often used the suspension tool in these 
cases. We will determine on a case-by-case basis whether a suspension 
of payments is appropriate in cases that do not involve fraud, and 
factors such as Medicare contractor claims processing errors and 
provider billing history are certainly considered.
    Comment: One commenter requested that CMS provide clarification on 
whether the proposed rule's suspension provisions apply to the Medicare 
Part D program and suggested that the proposed rule seems to conflict 
with legislation and CMS promulgated rules regarding prompt payment of 
Medicare Part D claims.
    Response: The Medicare payment suspension authority is applicable 
to providers under both the Part A and Part B programs. Separate 
authorities are available to address potential fraud by plans 
participating in the Part C and D programs.
    Comment: One commenter believes that Federally Qualified Health 
Centers (FQHCs) should be exempted from the potential application of 
the suspension of payments because payment to FQHCs is premised on 
reimbursement of reasonable costs and FQHCs are subject to an annual 
reconciliation process under which surplus payments in excess of 
reasonable Medicare costs are returned to the CMS contractor.
    Response: All providers in Medicare Part A and Part B are subject 
to the payment suspension provisions, regardless of the method of 
reimbursement. The annual reconciliation process under which surplus 
payments are returned does not necessarily account for credible 
allegations of fraud and we reserve the right to impose a payment 
suspension on any provider for whom there is a credible allegation of 
fraud.
    We are adopting the provisions of the proposed rule, with one 
exception. In Sec.  405.371(b)(3), we state that good cause shall be 
deemed to exist to not continue to suspend payments if a payment 
suspension has been in effect for a period of 18 months unless certain 
conditions are met.
2. Medicaid
a. Background
    In section 6402(h) of the ACA, the Congress amended section 
1903(i)(2) of the Act to provide that Federal Financial Participation 
(FFP) in the Medicaid program shall not be made with respect to any 
amount expended for items or services (other than an emergency item or 
service, not including items or services furnished in an emergency room 
of a hospital) furnished by an individual or entity to whom a State has 
failed to suspend payments under the plan during any period when there 
is pending an investigation of a credible allegation of fraud against 
the individual or entity as determined by the State in accordance with 
these regulations, unless the State determines in accordance with these 
regulations that good cause exists not to suspend such payments.
b. Previous Medicaid Regulations
    State Medicaid agencies have long been authorized to withhold 
payments in cases of fraud or willful misrepresentation. On December 
28, 1987, DHHS finalized regulations at Sec.  455.23 that they 
described as specifically encouraging State Medicaid agencies to 
withhold program payments to providers without first granting 
administrative review where the State agency has reliable evidence of 
fraudulent activity by the provider. The regulations were issued by the 
HHS OIG based on a concern that State administrative hearings could 
interfere with investigations conducted by HHS OIG's Office of 
Investigations or by the State's Medicaid fraud control unit (MFCU). 
The requirements of an administrative hearing could jeopardize criminal 
cases and investigators were reluctant to agree to a State's 
withholding payment, thus risking additional overpayments. (See the 
December 28, 1987 final rule (52 FR 48814)). The December 28, 1987 
final rule remains in effect and has remained unchanged since it was 
promulgated.
    At the time the rule was proposed, the Department was in the 
process of reorganizing its fraud and abuse regulations to reflect 
authorities transferred to HHS OIG in 1983, as well as those retained 
by CMS. HHS OIG authorities were transferred to a new 42 CFR chapter V, 
while CMS' Medicaid program integrity authorities were retained at 42 
CFR part 455. (See the September 30, 1986 final rule (51 FR 34764)).
    This current rule provides that a State Medicaid agency may 
withhold payments to a provider in whole or in part based upon receipt 
of reliable evidence that the need for withholding payments involves 
fraud or willful misrepresentation under the Medicaid program. At the 
time this rule was published, commenters questioned what constituted 
``reliable evidence of fraud.'' The HHS OIG declined to provide a 
specific definition, noting that what constitutes ``reliable evidence'' 
is not easily and readily definable. The HHS OIG noted that while the 
existence of an

[[Page 5932]]

ongoing criminal or civil investigation against a provider may be a 
factor in determining whether reliable evidence exists, that reliable 
evidence should be determined on a case-by-case basis with the State 
agency looking at all the factors, circumstances, and issues at hand, 
and acting judiciously on this information.
    The 1987 regulations also permitted payments to be suspended in 
whole or in part. Commenters had suggested that ``clean claims'' 
continue to be processed without delay, and that any withholding ought 
to be targeted to only the type of Medicaid claims under investigation. 
The HHS OIG responded that it is usually difficult to determine which 
claims are ``clean'' until after an investigation has been completed, 
but noted that where an investigation is solely and definitively 
centered upon a specific type of claim that a State could, at its 
discretion, withhold payments on just those types of claims. The HHS 
OIG also agreed to commenters' requests to clarify that the withholding 
provisions apply only to alleged fraud or willful misrepresentation 
related to improperly received Medicaid payments and not to ancillary 
unrelated matters such as deceptive advertising.
c. Proposed Medicaid Suspension of Payments Requirements
    The current regulation at Sec.  455.23 formed the framework for 
these final regulations. State Medicaid agencies have long had the 
authority to withhold payments in cases of alleged fraud or willful 
misrepresentation. Section 6402(h)(2) of the ACA now mandates that 
States not receive FFP in cases where they fail to suspend Medicaid 
payments during any period when there is pending an investigation of a 
credible allegation of fraud against an individual or entity as 
determined by the State in accordance with these proposed regulations 
unless the State determines that good cause exists for a State not to 
suspend such payments. To conform the existing regulation to the 
terminology of the ACA, we proposed to change the phrase ``withhold 
payments'' to ``suspend payments,'' a change we believe is merely 
semantic.
    We proposed to implement section 6402(h)(2) of the ACA by modifying 
the existing Sec.  455.23(a) to make payment suspensions mandatory 
where an investigation of a credible allegation of fraud under the 
Medicaid program exists. Based on the ACA's use of just the term 
``fraud,'' we did not propose to retain the existing term ``willful 
misrepresentation.'' We believe that fraud encompasses willful 
misrepresentation as well as other acts that may constitute civil or 
criminal fraud; thus we do not believe this proposal represents a 
substantive change nor do we intend it to have a substantive effect 
insofar as reducing or limiting a State's authority to suspend Medicaid 
payments. We solicited comments on this approach.
    To conform the proposed regulation to the requirements of the ACA, 
we proposed to modify terminology in the existing Sec.  455.23(a) that 
now refers to ``receipt of reliable evidence'' to instead refer to a 
``pending investigation of a credible allegation of fraud.'' In 
contrast to the semantic change from ``withhold payments'' to ``suspend 
payments,'' in this case we believe that there is a substantive 
difference between the threshold level of certainty or proof necessary 
to identify a ``credible allegation'' versus the heightened requirement 
of ``reliable evidence'' in the current regulation.
    We do not believe that the phrase ``when there is pending an 
investigation of a credible allegation of fraud'' necessarily demands 
that an investigation originate in or with a law enforcement agency. 
Rather, State Medicaid agencies have program integrity units that, in 
the normal course of business, receive, and conduct investigations 
based upon, tips alleging fraud, and which also conduct proactive 
investigations based upon internal data analyses and other fraud 
detection techniques. We believe that State agency investigations, 
though they may be preliminary in the sense that they lead to a 
referral to a law enforcement agency for continued investigation, are 
adequate vehicles by which it may be determined that a credible 
allegation of fraud exists sufficient to trigger a payment suspension 
to protect Medicaid funds.
    This threshold by which a State agency investigation may give rise 
to a payment suspension is a somewhat lesser threshold than that in the 
current regulation. The preamble to the current regulation specified 
that it was anticipated the State agency would confer with, and receive 
the concurrence of, investigative or prosecuting authorities prior to 
imposing a withholding action. However, that preamble also stated that 
it was establishing mere minimum requirements, and that States could 
exercise broader power where State law or regulation so provided. Most 
States have availed themselves of the existing Federal authority (or 
broader state authority) to withhold payments, and we believe that 
experience over the past 20 years offers no indication this authority 
has been misused against providers. Moreover, we believe this proposed 
threshold is consistent with the phrase ``pending investigation of a 
credible allegation of fraud'' of the ACA. We do anticipate that 
payment suspension authority will be used more frequently because the 
ACA dictates that where there is a pending investigation of credible 
allegations of fraud against a provider, a State that fails to suspend 
payments to that provider will not receive FFP with respect to such 
payments unless good cause exists not to suspend them.
    We proposed to adopt at Sec.  455.2 the same broad definition of 
``credible allegation'' proposed previously in the context of the 
Medicare program. In many cases, what constitutes a ``credible 
allegation'' must be determined on a case-by-case basis with the State 
agency looking at all the factors, circumstances, and issues at hand. 
Guided by the experience of more than 20 years, we are aware that 
States have been able to identify ``reliable evidence'' through a 
variety of means including, but not limited to, fraud hotline 
complaints, Medicaid claims data mining, and patterns identified 
through provider audits, along with the appropriate level of additional 
investigation that accompanies each of these. Moreover, States have 
received referrals from State MFCUs, other law enforcement agencies, 
and other State benefits program investigative units. We continue to 
believe that State agencies must review all allegations, facts, and 
evidence carefully and act judiciously on a case-by-case basis when 
contemplating a payment suspension, mindful of the impact that payment 
suspension may have upon a provider.
    We proposed at Sec.  455.23(b) that the State agency notify a 
provider of a payment suspension in a way very similar to the mechanism 
currently specified in regulation, by which the State agency is 
required to notify a provider, specifying certain details, within 5 
days of taking such action. However, we did propose to provide for a 
30-day period, renewable in writing up to twice for a total not to 
exceed 90 days, by which law enforcement may, in writing, request the 
State agency to delay notification to a provider. We proposed this 
because we believe that occasionally an investigation may be at a 
sensitive stage, perhaps involving undercover personnel or a 
confidential informant, where required notification to the provider at 
a particular time might jeopardize the investigation. We do not believe 
we should extend the delay notification beyond 90 days out of fairness 
to a provider and, in any event, a provider deriving any significant

[[Page 5933]]

revenue stream from Medicaid is likely to itself discern the fact of a 
payment suspension well in advance of 90 days.
    We proposed only minor changes to the current provisions in Sec.  
455.23(c) on the duration of a suspension. To comport with the ACA, we 
change the term ``withholding'' to ``suspension''; this is a semantic 
change that, as noted previously, has been made throughout. In the new 
Sec.  455.23(c)(2), we propose to require a State to notify a provider 
of the termination of a payment suspension and, where applicable, to 
specify the availability to a provider of any appeal rights under State 
law and regulation.
    Substantively, we did not propose significant change to the 
existing duration provisions, which specify that withholding (now, 
suspension) will be temporary and will not continue after: (1) 
Authorities discern that there is insufficient evidence of fraud upon 
which to base a legal action; or (2) legal proceedings related to the 
alleged fraud are completed.
    We believe that maintaining the existing duration provisions is 
consistent with the ACA that requires that FFP not be made when a State 
fails to suspend payments ``during any period when there is pending an 
investigation of a credible allegation of fraud against an individual 
or entity.'' We further recognized that the Act applies a very similar 
standard to the Medicare program. We solicited comments on our proposal 
to maintain the existing duration provisions.
    In Sec.  455.23(d) of the proposed rule, we proposed to require a 
State to make a formal, written suspected fraud referral to its MFCU 
or, where a State does not have a MFCU to an appropriate law 
enforcement agency, for each instance of payment suspension as the 
result of a State agency's preliminary investigation of a credible 
allegation of fraud. This will ensure that an appropriate full 
investigation by a law enforcement agency timely ensues. If the MFCU or 
other law enforcement agency declines to accept the referral, we 
proposed to require the State to immediately release the payment 
suspension unless the State refers the matter to another law 
enforcement entity or unless the State has alternative Federal or State 
authority by which it may impose a suspension. In the latter case, the 
requirements of that alternative authority, including any notice and 
due process or other safeguards, will be applicable.
    We proposed to require that a State's formal, written suspected 
fraud referral meets fraud referral performance standards issued by the 
Secretary. The currently applicable fraud referral performance 
standards were issued by CMS on September 30, 2008.
    In Sec.  455.23(d)(3), we proposed that on a quarterly basis a 
State must request a certification from the MFCU or other law 
enforcement agency that any matter accepted on the basis of a referral 
continues to be under investigation or in the course of enforcement 
proceedings warranting continuation of the payment suspension. We 
recognized that due to various constraints, law enforcement agencies 
may not be able to provide specific updates on matters under 
investigation. In recognition of the fact that payment suspensions are 
only temporary, however, we proposed to require such quarterly 
certifications to ensure, for example, that a suspension will not be 
continued long after a law enforcement agency has closed an 
investigation but neglected to alert a State agency of that fact. To 
maximize State flexibility to implement this requirement, we are not 
prescribing the precise format such certifications must take.
    Consistent with the new ACA provision, we also proposed to create 
several ``good cause'' exceptions by which States may determine good 
cause exists not to suspend payments or to suspend payments only in 
part. In new Sec.  455.23(e) we included several circumstances that we 
believe constitute ``good cause'' for a State to determine not to 
suspend payments, or not to continue a payment suspension previously 
imposed, to an individual or entity despite a pending investigation of 
a credible allegation of fraud. In Sec.  455.23(e)(1), we proposed a 
good cause exception based upon specific requests by law enforcement 
that State officials not suspend (or continue to suspend) payment. 
There are numerous reasons for which law enforcement personnel might 
make such a request, including that imposing a payment suspension might 
alert a potential perpetrator to an investigation at an inopportune or 
particularly sensitive time, jeopardize an undercover investigation, or 
potentially expose whistleblowers or confidential sources.
    In Sec.  455.23(e)(2), we proposed a good cause exception if a 
State determines that other available remedies implemented by the State 
could more effectively or quickly protect Medicaid funds than would 
implementing (or continuing) a payment suspension. For example, law 
enforcement personnel might request that a court immediately enjoin 
potentially unlawful conduct or prevent the withdrawal, removal, 
transfer, disposal, or dissipation of assets, either or both of which 
might protect Medicaid funds more fully or quickly than would 
imposition of a payment suspension.
    Paragraph (e)(3) proposed a good cause exception based upon a 
determination by the State agency that a payment suspension is not in 
the best interests of the Medicaid program. It is conceivable that a 
State may, in rare situations, face exigent circumstances with respect 
to a suspension situation not addressed by the other good cause 
exceptions specified here but where it otherwise determines suspension 
would not be in the State Medicaid program's best interests. This broad 
standard is intended to reflect that payment suspension is a very 
serious action that can potentially lead to dire consequences, but that 
it is impossible to specify detailed contingencies with respect to 
every possible scenario that might arise. We did not anticipate that 
States will frequently make use of this exception; however where this 
exception is utilized we do require that States document their use of 
this exception, and will closely monitor its implementation to 
determine whether further regulation is necessary. We solicited 
comments on this approach.
    In paragraph (e)(4), we proposed a good cause exception based upon 
a determination by the State of an adverse effect of the suspension on 
beneficiary access to necessary items or services. We envision there 
may be scenarios in which a payment suspension to a provider might 
jeopardize a provider's ability to continue rendering services to 
Medicaid beneficiaries, thus threatening Medicaid beneficiaries' access 
to care. Utilizing a standard identical to that which CMS and the HHS 
OIG apply in assessing requests for waivers of exclusion at Parts 402 
and 1001 of Title 42, for example, we posit one basis for a good cause 
exception from payment suspension is if a provider under investigation 
is a sole community physician or the sole source of specialized 
services available in a community. Likewise, in Federally-designated 
medically underserved areas the potential impact of a payment 
suspension upon a large provider might equally threaten recipient 
access, thus this underlies a second access exception. We welcomed 
comments on this approach, including comments with respect to other 
metrics by which to assess potential beneficiary jeopardy in terms of 
access to necessary items or services.
    Finally, in paragraph (e)(5) we proposed a good cause exception 
that would permit (but not require) a State to discontinue an existing 
suspension to the extent law enforcement declines to cooperate in 
certifying under the

[[Page 5934]]

requirements of paragraph (d)(3) that a matter continues to be under 
investigation and therefore warrants continuing the suspension.
    We do not interpret the new provision in the ACA as mandating that 
a State must always suspend all payments to a provider in cases of an 
investigation of a credible allegation of fraud. In general, we 
continue to believe a payment suspension should apply to all of a 
provider's claims consistent with the HHS OIG's responses to comments 
in the 1987 regulations that it is usually difficult to determine which 
claims are clean claims until after an investigation is completed, and 
one purpose of payment suspension is to build a type of escrow account 
out of which any overpayments can be deducted when an investigation is 
concluded.
    With certain new constraints, however, we have chosen to continue 
to allow States the flexibility to suspend payments in part. For 
example, as stated in the preamble to the current regulation, there may 
be times where an investigation is solely and definitively centered on 
only a specific type of claim in which case a State may determine it is 
appropriate to impose a payment suspension on only that type of claim. 
Likewise, a State might determine that an investigation of a credible 
allegation of fraud is limited to a particular business unit or 
component of a provider such that a suspension need not apply to 
certain business units or components of a provider.
    Balancing these approaches, we proposed to allow States to 
implement a partial payment suspension, or, where appropriate, to 
convert a previously imposed full payment suspension to a partial 
payment suspension, if justified via a good cause exception. The good 
cause exceptions for partial suspension at paragraphs (f)(1) and (2) 
mirror those at paragraphs (e)(4) and (3), respectively, and allow the 
State to adopt a partial payment suspension where suspension in whole 
would so jeopardize a recipient's access to items or services as to 
endanger the recipient's life or health, or where the State deems it in 
the best interests of the Medicaid program. At paragraph (f)(3), we 
proposed that a State may avail itself of the good cause exception to 
suspend payments only in part if the nature of the credible allegation 
is focused solely and definitively on only a specific type of claim or 
arises from only a specific business unit of a provider, and the State 
determines and documents in writing that a payment suspension in part 
would effectively ensure that potentially fraudulent claims were not 
continuing to be paid. Many such cases will still demand suspension in 
full, but this provision, which we anticipate States would exercise 
sparingly, gives States flexibility to act otherwise in those limited 
circumstances where appropriate. Finally, at paragraph (f)(4), we 
proposed that a State may avail itself of the good cause exception to 
convert a payment suspension in whole to one only in part to the extent 
law enforcement declines to cooperate in certifying under the 
requirements of paragraph (d)(3) that a matter continues to be under 
investigation. We solicited comment on these proposed approaches.
    We proposed in new paragraph (g) to add several reporting and 
document retention guidelines to Sec.  455.23. Payment suspension 
authority is critically important to protect Medicaid funds, but 
payment suspension can have dire consequences to a provider. Payment 
suspension authority, including a State's exercise of a good cause 
exception to otherwise address a suspension situation, must be 
exercised responsibly by a State at all stages, from the inception to 
the termination of the suspension. Through, among other things, our 
State Program Integrity Reviews, we expect to maintain close oversight 
of State utilization of suspension authority. However, to be clear, we 
expressly and explicitly do not expect State compliance (or 
noncompliance) with these documentation or retention provisions to give 
rise to any enforceable right of a provider aggrieved by any real or 
perceived failures with respect to these requirements to seek any form 
of redress (administratively, judicially, or otherwise).
    Under these final reporting and retention guidelines, States are 
required to maintain for a minimum of 5 years from the date of issuance 
all materials documenting the life cycle of a payment suspension that 
is imposed, including: (1) All notices of suspension of payment in 
whole or part; (2) all fraud referrals to MFCUs or other law 
enforcement agencies; (3) all quarterly certifications by law 
enforcement that a matter continues to be under investigation; and (4) 
all notices documenting the termination of a suspension. Likewise, we 
proposed to require States to maintain for the same period all 
documentation justifying the exercise of the good cause exceptions. 
Finally, we proposed to require States to annually report to the 
Secretary information regarding the life cycle of each payment 
suspension imposed and any determinations to exercise the good cause 
exceptions not to suspend payment, to suspend payment only in part, or 
to discontinue a payment suspension.
    To effectuate section 6402(h)(2) of the ACA's prohibition on 
expenditure of FFP where a State fails to suspend payments that should, 
by virtue of the ACA standard and this proposed rule, have been 
suspended, we proposed to add a new Sec.  447.90. Paragraph (a) of 
proposed Sec.  447.90 specifies the basis and purpose for the new 
provision, while paragraph (b) specifies the general rule that FFP 
would not be available with respect to items or services furnished by 
an individual or entity to whom the State has failed to suspend 
Medicaid payments during any period where there is pending an 
investigation of a credible allegation of fraud against the individual 
or entity except in specified circumstances that include certain 
emergency circumstances, or if good cause exists as specified at Sec.  
455.23(e) or (f).
    As mentioned, we anticipate that CMS' enforcement and monitoring of 
these provisions will largely be accomplished through measures such as 
State Program Integrity reviews conducted by CMS. Such reviews will, 
among other things, evaluate States' complaint intake and investigation 
efforts, and assess whether States have an effective process to move 
matters where there are found to be credible allegations of fraud to 
the point where they are evaluated for payment suspension. However, we 
do not believe it is viable to require States to report and document to 
CMS every instance of where any allegation of fraud arises and further 
qualify which ones rise to the level of credible allegation. We want to 
foster effective and efficient State program integrity efforts with 
respect to which payment suspension is an integral component, but we do 
not want to create a system so procedurally onerous that it overwhelms 
a State's ability to substantively perform this critical work. 
Nevertheless, we will thoroughly investigate and act by, among other 
things, deferring and/or disallowing FFP in accordance with Sec.  
430.40 and Sec.  430.42, if program integrity reviews or other methods 
of ensuring State compliance with Medicaid program requirements reveal 
a State is failing to suspend payments (or inappropriately applying a 
good cause exception) where pending investigations of credible 
allegations of fraud do exist. A State may not claim (on its Form CMS-
64) FFP for payments that are suspended. Any State that does not 
suspend payments, or that suspends payments but continues to claim FFP 
with respect to what would have been paid had no suspension been in 
place,

[[Page 5935]]

puts that FFP at risk. In such cases, we would pursue a deferral and/or 
disallowance to reclaim the Federal portion of such payment. We 
solicited comments on CMS' proposed oversight approach.
    Finally, three provisions were proposed to be added to the 
regulations at Sec.  1007.9 that specify the State MFCU's relationship 
to, and agreement with, the State Medicaid agency. These proposed 
revisions were necessary to effectuate the proposed revisions under 
Sec.  455.23. The regulations at 42 CFR part 1007 are enforced by HHS 
OIG as part of its delegated authority to certify and fund the State 
MFCUs. (See August 15, 1979 final rule (44 FR 47811). However, we are 
including amendments to part 1007 here to ensure a comprehensive 
regulatory package that sets forth in one location the Department's 
implementation of the suspension provisions of section 6402(h) of the 
ACA.
    The first of these provisions proposes to add a new paragraph (e) 
to Sec.  1007.9 that specifies that the MFCU may refer to the State 
agency any provider against which there is pending an investigation of 
a credible allegation of fraud for purposes of payment suspension in 
accord with Sec.  455.23. Allegations of potential fraud may first be 
identified by the MFCU rather than by the State agency, so this 
provision merely formalizes a path from the MFCU to the State agency so 
a payment suspension may be implemented where appropriate. This 
provision also proposed that any referral to the State agency for 
consideration of a payment suspension be in writing. The written 
referral need not be extensive, but must include information adequate 
to enable the State agency to identify the provider and a brief 
explanation of the credible allegations forming the grounds for the 
payment suspension. The second proposed addition to Sec.  1007.9 
proposed to add a new paragraph (f) providing that any request by the 
unit to the State agency to delay notification of suspension to a 
provider pursuant to the provisions of the proposed Sec.  
455.23(b)(1)(ii) come in writing. Requiring that such requests be made 
in writing (which could take the form of an email) provides for an 
audit trail to ensure that proper procedures are followed. However, we 
expressly do not intend for this requirement to create any substantive 
right upon which a provider might lodge objection or other legal 
challenge to the extent the proper procedures were not followed. Last, 
a new paragraph (g) was proposed to require the unit to notify the 
State agency in writing when it has accepted or declined a case 
referred by the State agency. Aside from also creating an audit trail, 
this proposed provision is important in that it would alert the State 
agency as to the status of a referral, which would shape how the State 
agency would handle a suspension under the proposed revisions to Sec.  
455.23.
    We received the following comments:
    Comment: Several commenters expressed concern regarding the 
definition of ``credible allegation of fraud.'' Specifically, several 
commenters requested that CMS provide an exact definition of ``credible 
allegation of fraud'' as well as specific standards and guidelines for 
providers to follow to make a determination regarding what is a 
credible allegation of fraud. One commenter suggested removing the word 
``fraud'' from the term. Other commenters indicated that the definition 
of what is credible or reliable under the proposed rule is circular, 
that is, an allegation is credible if it has ``indicia of 
reliability.'' In addition, several commenters have suggested that the 
new evidentiary threshold is too low.
    Response: The term ``credible allegation of fraud'' is a statutory 
term as reflected in section 6402(h) of the ACA. Accordingly, we do not 
have the authority to change the term. We have considered these 
comments but decline to provide a more exact definition, recognizing 
that different States may have different considerations in determining 
what may be a ``credible allegation of fraud.'' Accordingly, we believe 
that States should have the flexibility to determine what constitutes a 
``credible allegation of fraud'' consistent with individual State law. 
We will neither seek to limit what States may determine qualifies as a 
``credible allegation of fraud'' nor will we require States to consult 
with HHS in making such a determination.
    Comment: One commenter suggested that CMS should update its 
policies and procedures and develop consistent and standard guidance to 
State Medicaid programs regarding the determination of credible 
allegations of fraud.
    Response: We will review our current policies and procedures in 
light of the regulatory changes contained in this rule, and will 
provide updated guidance to States as necessary.
    Comment: Several commenters expressed concern that the evidentiary 
standard is too low and urged CMS to retain the current standard, by 
which they suggested defining a ``credible allegation of fraud'' as 
``reliable information that fraud or willful misrepresentation exists'' 
as a component of the basis for suspension of payments under Sec.  
455.23(a).
    Response: In the proposed rule, we acknowledged that the proposed 
threshold for triggering a payment suspension is lower than what is 
contemplated in current regulations, but we also indicated that we 
believe this result is dictated by the ACA. However, in this final rule 
with comment period, we are amending the definition of ``credible 
allegation of fraud'' at Sec.  455.2, which in the proposed rule read, 
in pertinent part, ``[a]llegations are considered to be credible when 
they have indicia of reliability'' to include the following: ``and the 
State Medicaid agency has reviewed all allegations, facts, and evidence 
carefully and acts judiciously on a case-by-case basis.'' Due to use of 
just the word ``fraud'' in section 6402(h)(2) of the ACA, we proposed 
to remove the term ``willful misrepresentation'' from existing 
regulation, though as we noted in the proposed rule, we take the 
position that ``fraud'' includes ``willful misrepresentation.''
    Comment: A few commenters suggested that the final regulation 
should include a requirement and a discussion to provide technical 
guidance to State Medicaid programs that clarifies the term ``fraud'' 
as a legal term and one that carries evidence of a willful intent to 
deceive.
    Response: The definition of fraud, for purposes of Medicaid program 
integrity, is reflected in existing regulations at Sec.  455.2 and 
reads as follows: ``an intentional deception or misrepresentation made 
by a person with the knowledge that the deception could result in some 
unauthorized benefit to himself or some other person. It includes any 
act that constitutes fraud under applicable Federal or State law.'' 
Medicaid fraud is addressed through, for example, civil remedies 
imposed under Federal and State false claims acts, as well as through 
criminal prosecutions.
    Comment: Numerous commenters expressed concerns regarding the list 
of potential sources of credible allegations of fraud. Specifically, 
several commenters expressed concern about false reports of fraud that 
may be generated by competitors or disgruntled employees. In addition, 
there were numerous comments that expressed concern over allegations 
received through a fraud hotline and whether such allegations could be 
considered to be reliable. Another commenter suggested that anonymous 
hotlines should refer to State-operated Medicaid fraud hotlines as well 
as specify to

[[Page 5936]]

whom or what entity the fraud hotline complaints are being made.
    Response: First, we will not seek to limit the potential sources 
from which States may derive credible allegations of fraud. We provided 
examples of sources for States to consider and will clarify in the 
final regulation that we are not limiting such sources. We recognize 
that credible allegations may come from a variety of sources. Second, 
with respect to identifying fraud hotlines as a potential source of a 
credible allegation of fraud, we recognize that there may be irrelevant 
or false reports made through hotlines. Due to the potential for not 
just false allegations, but also the equal possibility of honest 
mistakes and the like, we encourage States to not solely rely on a 
singular allegation without considering the total facts and 
circumstances surrounding such allegations. In the proposed rule, we 
indicated that States ``must review all allegations, facts, and 
evidence carefully and act judiciously on a case-by-case basis * * *''. 
As noted previously, we are including this language in the final rule 
with comment period in the definition of ``credible allegation of 
fraud'' at Sec.  455.2. We take the position that States should have 
the flexibility to determine what they deem to be reliable sources for 
credible allegations of fraud. Finally, we will not identify which 
specific fraud hotlines States may use. We are aware that there may be 
a variety of hotlines. For example, States may have different 
components within their respective agencies that utilize hotlines or 
State law enforcement agencies may also utilize hotlines from which 
credible allegations may be generated. Accordingly, we will not seek to 
limit the type of hotline States use as sources for credible 
allegations of fraud.
    Comment: Commenters indicated that discussions of investigations 
and credible allegations of fraud need to defer to State and Federal 
legal definitions of ``fraud.'' In addition, commenters suggested that 
existing Federal regulations indicate that investigating fraud is the 
responsibility of State Medicaid Fraud Control Units (MFCU). 
Accordingly, MFCUs should be the designated investigators of 
allegations of fraud.
    Response: First, as noted previously, ``fraud'' is defined in 
existing regulations at Sec.  455.2. Second, we disagree that only the 
MFCU may investigate allegations of fraud. While MFCUs clearly play a 
key role in investigating and prosecuting Medicaid fraud, most, if not 
all, States have program integrity units that, in the normal course of 
business, receive hotline and other tips about potential fraud, and 
conduct proactive investigations based upon internal data analyses and 
other fraud detection techniques. Program integrity units have the 
responsibility under existing Federal regulations at Sec.  455.14 and 
Sec.  455.15(a)(1) and the proposed regulation at Sec.  455.23(d) of 
determining whether allegations constitute fraud, and if they do, 
referring the matter to the MFCU or an appropriate law enforcement 
agency for further investigations. Thus, we do not believe MFCUs are 
the sole investigators of fraud.
    Comment: Several commenters requested that CMS clarify whether a 
finding of billing errors during an audit that are not related to 
allegations of fraud would trigger a payment suspension.
    Response: Irrespective of the circumstances, absent pending 
investigations of credible allegations of fraud, payment suspensions 
would not be triggered under these regulations, although that does not 
preclude the possibility that a State may exercise its own broader 
suspension authority in other circumstances.
    Comment: Several commenters requested clarification regarding 
whether States should determine the credibility of an allegation of 
fraud prior to initiating a suspension action.
    Response: Due to the potential for not just false allegations, but 
also for good faith mistakes, misunderstandings, and misinterpretations 
regarding reports of alleged fraud as well as data analysis errors, we 
encourage States not to rely on any singular allegation or data run but 
rather States should review all allegations, facts, and data carefully 
and act judiciously on a case-by-case basis, mindful of the potential 
impact a payment suspension may have on a provider.
    Comment: One commenter suggested that we include the term ``abuse'' 
as a basis for payment suspension and not limit such suspensions to 
investigations of ``credible allegations of fraud.''
    Response: We decline to add the term ``abuse'' to Federal 
regulations in the context of payment suspensions, as the phrase we 
have adopted, ``credible allegation of fraud'' has a statutory basis 
reflected in section 6402(h) of the ACA. As a practical matter, 
however, conduct that constitutes abuse as opposed to fraud (we note 
that both terms are defined at Sec.  455.2) may be indistinguishable 
not just at the outset of an investigation but even through the course 
of an investigation and enforcement proceedings and may hinge on fine 
factual distinctions or legal points including knowledge and intent, 
and this regulation would not preclude the imposition of a suspension 
in such a circumstance so long as there is a credible allegation of 
fraud. Moreover, this regulation presents a floor for protection of 
Medicaid funds and does not bar a State from setting a higher bar 
allowing for imposition of suspensions in other circumstances.
    Comment: One commenter expressed concern regarding Federal 
oversight and whether such oversight will amount to second-guessing a 
State's determination of what constitutes a credible allegation of 
fraud.
    Response: We do not intend to second-guess State determinations 
regarding credible allegations of fraud. We intend to work 
collaboratively with States to prevent critical Medicaid funds. The 
purpose of Federal oversight is to ensure that States have effective 
processes in place in order to make determinations regarding credible 
allegations of fraud.
    Comment: Several commenters expressed concern regarding the lack of 
a definition for the phrase ``indicia of reliability'' and requested 
CMS to provide one.
    Response: We have considered the concerns of commenters, but 
decline in this final rule with comment period to define ``indicia of 
reliability.'' We recognize the possibility that there may be differing 
standards among States with respect to what may be considered ``indicia 
of reliability,'' but also, as we have noted several times in these 
responses, we expect States to gauge the credibility of allegations 
through a lens after reviewing all allegations, facts, data, and 
evidence carefully and that State action will be exercised judiciously 
on a case-by-case basis.
    Comment: Several commenters want CMS to define ``investigation'' of 
a credible allegation of fraud. One commenter inquired whether a State 
may rely on its MFCU to determine if an allegation of fraud is 
credible. Other commenters suggested that the State and its 
investigators are in the best position to determine when credible 
allegations of fraud should lead to a payment suspension, such that CMS 
should rely on the judgment of these individuals in deciding whether to 
withhold FFP. Certain commenters also wanted to know if the process of 
determining whether an allegation of fraud is credible is sufficient to 
trigger a payment suspension.
    Response: We recognize that the process to determine whether an 
allegation of fraud is credible may vary among States, and we defer to 
States--applying the principles of careful review and judicious action 
to which we refer several times in these responses

[[Page 5937]]

and which we now include in the final rule with comment period--to 
determine whether an allegation or complaint rises to the level of a 
credible allegation of fraud. We do not want to limit a State's due 
diligence process or preliminary investigations with respect to its 
assessment of credibility. Nor do the proposed regulations specify or 
limit who, or what other agency, may assist the State agency with the 
investigation or validation of credible allegations of fraud. 
Nevertheless, if it is determined that an allegation is credible, a 
State must still submit a formal written referral to its MFCU 
irrespective of whether the MFCU assisted in validating an allegation's 
credibility. Finally, the mere fact of an investigation to assess the 
credibility of a fraud allegation is insufficient to trigger a payment 
suspension. Rather, a payment suspension is triggered when that there 
is, in fact, a pending investigation of a credible allegation of fraud. 
We will clarify this in the regulation.
    Comment: One commenter suggested that the notice of suspension to 
providers should be sent by certified mail, set forth the specific (not 
general) allegations and inform the providers of the State's 
administrative review process and provide appropriate citation. Another 
commenter suggested revising the language in Sec.  455.23(b)(2)(v) 
regarding notice of suspension to include information about any 
administrative appeal procedures that are available under State law. 
Other commenters suggested that notice be furnished to providers prior 
to the implementation of an adverse action such as payment suspensions. 
One commenter suggested giving States more discretion regarding when 
notices of suspension should be furnished to providers. One commenter 
in particular indicated that bi-weekly remittance advisories are issued 
to providers that would, in effect, disclose the State's actions.
    Response: We believe that we should afford States the flexibility 
to determine the best method of delivery of notices of suspension so we 
decline to take an overly prescriptive approach in this regulation. 
However, we agree that a notice of suspension furnished to a provider 
should appropriately reference the general allegations upon which a 
suspension is based as well as any existing State appeals process. 
Accordingly, we will revise the proposed language to reflect the 
inclusion of State administrative appeal procedures in the notice of 
suspension to providers. We do not agree that providers should be given 
notice of a payment suspension prior to such action being taken. We 
recognize the sensitive nature of a fraud investigation which may be 
jeopardized by such notice, and expect that State agencies will act 
appropriately so as not to jeopardize any investigation.
    Comment: Commenters suggested that if a provider or supplier who is 
subject to a payment suspension submits an acceptable written rebuttal 
statement as to why the suspension should be removed, then this should 
qualify as ``good cause'' as currently permitted under Sec.  
405.372(b). In other words, a rebuttal could establish a good cause 
exception to end a payment suspension. Several other commenters 
suggested that in cases of economic hardship, a provider should be able 
to submit evidence of this fact for consideration by the State in 
determining whether to terminate a payment suspension, and requested 
that CMS create an expedited review process. Commenters also suggested 
that the regulations should acknowledge the severe financial impact of 
a payment suspension and should limit the scope of the suspension to 
the services under review.
    Response: We believe that the proposed regulation as written allows 
a State to account for a provider's rebuttal statement. Specifically, 
as proposed at Sec.  455.23(e), States have the flexibility to make a 
determination that a payment suspension is not in the best interests of 
the Medicaid program. States also have the option to suspend payments 
only in part if there is good cause. Therefore, we do not believe that 
an additional good cause exception is necessary. Moreover, as the 
existing Medicaid suspension has for more than 20 years, we continue to 
defer to any State administrative (or judicial) review processes, and 
therefore decline to require States to adopt an expedited review 
process. Nevertheless, we are including new good cause exceptions in 
this final rule with comment period at Sec.  455.23(e)(3) and (f)(2) to 
allow a State to terminate a whole payment suspension or impose a 
payment suspension only in part if a provider furnishes written 
evidence that persuades the State that a payment suspension should be 
terminated or imposed only in part. Furthermore, the preamble 
acknowledges and requests States to be mindful of the impact that 
suspensions may have upon providers.
    Comment: One commenter inquired whether ``good cause'' is 
established if the items or services are furnished as an emergency.
    Response: Section 1903(i)(2) of the Act provides for a limited 
exception for payment to be made with respect to emergency items or 
services, though not including items or services furnished in the 
emergency room of a hospital. We believe this statutory exception 
speaks for itself and we do not need to otherwise address or expand 
upon it in these regulations.
    Comment: Commenters have suggested that the proposed ``good cause'' 
regulatory provisions should include the language contained in the 
preamble acknowledging that ``reliable evidence should be determined on 
a case-by-case basis with the State agency looking at all the factors, 
circumstances, and issues at hand * * * '' (75 FR 58224).
    Response: We disagree that this language belongs in the ``good 
cause'' regulatory provisions. Instead, we have revised the definition 
of ``credible allegation of fraud'' to reflect that States must 
carefully review all allegations, facts and evidence on a case-by-case 
basis. Accordingly, we do not see the need to include this language in 
the ``good cause'' regulatory provisions.
    Comment: One commenter suggested that CMS consider placing the 
catchall of ``not in the best interests of the Medicaid program'' 
reflected in Sec.  455.23(e)(3) and similarly the catchall reflected at 
subparagraph (f)(2) of ``* * * payment suspension in part is in the 
best interests of the Medicaid program'' at the end of the respective 
subparagraphs.
    Response: We agree and will make such changes in the final 
regulation.
    Comment: One of the good cause exceptions not to suspend payments 
to Medicaid providers is when ``an individual or entity is the sole 
community physician or the sole source of essential specialized 
services in a community.'' (emphasis added) One commenter suggested 
replacing ``in a community'' with ``for a particular beneficiary 
population.''
    Response: We disagree. We are concerned about negatively impacting 
beneficiary access to care so this exception does not turn on whether a 
provider serves a particular beneficiary population, but on whether a 
beneficiary's access to necessary care is impeded. Thus, the good cause 
exception may be applied when a beneficiary's access to care is 
jeopardized because he/she cannot obtain necessary services from a 
particular provider type.
    Comment: Several commenters questioned whether the requirements of 
this section would apply to Medicaid managed care, including whether 
the term ``provider'' includes managed care entities, whether managed 
care capitation payments are included in suspensions when an individual 
network provider is under investigation;

[[Page 5938]]

and what would be the process for notifying a managed care entity of a 
credible allegation of fraud.
    Response: The rules governing payment suspensions based upon 
pending investigations of credible allegations of fraud apply to 
Medicaid managed care entities. If there is a pending investigation of 
a credible allegation of fraud against a Medicaid managed care 
organization (MCO), prepaid inpatient health plan (PIHP), prepaid 
ambulatory health plan (PAHP), or health insuring organization (HIO) at 
the plan level, the State should address the issue either through 
imposing a payment suspension or through other authorities that may be 
available to them under State law or as part of the State's negotiated 
agreement with the Medicaid MCO, PIHP, PAHP, or HIO. The same would 
hold true for pending investigations of credible allegations of fraud 
regarding individual network providers. Managed care capitation 
payments may be included in a suspension when an individual network 
provider is under investigation based upon credible allegations of 
fraud, depending on the allegations at issue. We would expect the 
process regarding the notice of suspension to a Medicaid MCO, PIHP, 
PAHP, or HIO to follow the criteria as outlined in this final rule with 
comment period.
    Comment: Some commenters requested clarification regarding whether 
FFP extends to managed care entities' capitation payment.
    Response: FFP extends to Medicaid MCOs', PIHPs', PAHPs', and HIOs' 
capitation payments. Accordingly, if a State fails to suspend payments 
to such an entity for which there is a pending investigation of a 
credible allegation of fraud, without good cause, FFP may be disallowed 
with regard to such payments to the managed care entity.
    Comment: Several commenters requested that CMS clarify whether 
interest accrued on suspended payments to providers is eligible for 
FFP.
    Response: FFP is not available for interest accrued on suspended 
payments to providers.
    Comment: Commenters asked how CMS will notify a State that FFP is 
to be suspended as a result of payment to an entity for items or 
services for which the State has received a credible allegation of 
fraud. Will the State receive advanced notice of the FFP suspension and 
be given the opportunity to correct or will the suspension be 
immediate?
    Response: The process for deferring and disallowing FFP is governed 
by Sec.  430.40 and Sec.  430.42, respectively. Generally, we take 
action to defer the claim (by excluding the claimed amount from the 
grant award) within 60 days after the receipt of a Quarterly Statement 
of Expenditures (prepared in accordance with our instructions) that 
includes that claim. The notice of deferral to the State is provided by 
CMS within 15 days of such deferral. The notice should identify the 
type and amount of the deferred claim and specify the reason for 
deferral. The State is also requested to make available all the 
documents and materials that CMS believes are necessary to determine 
the allow-ability of the claim. However, prior to taking action to 
defer or disallow FFP, we may engage States to request that 
impermissible claims for FFP are removed from the Quarterly Medicaid 
Statement of Expenditures for the Medicaid Assistance Program (Form 
CMS-64).
    Comment: One commenter asked, if CMS suspends a State's FFP, and 
the allegations of fraud are cleared after the fact, what the process 
will be to restore FFP.
    Response: When we determine claims associated with deferred or 
disallowed FFP are permissible, we will release the deferred or 
disallowed funds to the State by providing FFP for the subject claims.
    Comment: One commenter expressed concern regarding what the 
commenter saw as a ``shift in evaluation of the appropriateness of 
suspensions away from the Medicaid agency and entities investigating 
the allegations of fraud to the exclusive and unilateral discretion of 
CMS'' as well as a broad and sweeping increase in CMS's ability to 
impose a deferral of FFP.
    Response: We have long had the authority to withhold FFP and the 
payment suspension rule is not an attempt to inappropriately withhold 
FFP from States. Instead, the rule is intended to protect precious 
Medicaid dollars from fraudulent providers, an effort in which we view 
the States as partners. Generally, we will withhold FFP only where a 
State has unreasonably or repeatedly failed to suspend payments or 
otherwise terminate a payment suspension where there are credible 
allegations of fraud.
    Comment: One commenter suggested that the proposed rule regarding 
suspension of payments to Medicaid providers gives Medicaid agencies an 
improper incentive to aggressively deny payments to providers or risk 
losing FFP.
    Response: We disagree. As we explained in the proposed rule, State 
Medicaid agencies have long had the authority to suspend payments to 
providers based upon suspected fraudulent conduct. Our goal is to 
ensure that State agencies appropriately suspend payments from 
potentially fraudulent providers, in order to protect critical Medicaid 
dollars from falling into the hands of such providers. In this rule we 
encourage State agencies to suspend payment based upon pending 
investigations of credible allegations of fraud only after reviewing 
all of the facts and circumstances surrounding a particular case and 
making a determination that such suspension is in fact warranted.
    Comment: One commenter suggested that the suspension of payments 
could be interpreted to have retroactive application to providers who 
have already been referred to MFCUs or other law enforcement agencies:
    Response: We will not require States to retroactively apply the law 
regarding suspension of payments based on pending investigations of 
credible allegations of fraud. However, upon the effective date of this 
final rule with comment period, we expect States; to the extent they 
have not already done so, to suspend payments to providers against whom 
there exist pending investigations of credible allegations of fraud.
    Comment: Commenters have sought clarification regarding whether the 
proposed rule applies to individual providers who are employed or 
contracted by institutional providers.
    Response: The payment suspension rule applies to institutional 
providers as well as enrolled providers who are employed or contracted 
by such institutional providers.
    Comment: One commenter wanted CMS to clarify whether the 
``individual or entity'' under investigation is the same ``individual 
or entity'' subject to the payment suspension.
    Response: Yes, the ``individual or entity'' under investigation is 
the same ``individual or entity'' that is subject to the payment 
suspension.
    Comment: Several commenters expressed concern with States' 
compliance dates with the Medicaid payment suspension rule because some 
States may require State law or regulatory changes in order to be able 
to implement the rule. Certain commenters also expressed similar 
concerns that the proposed document retention requirements exceed time 
frames currently required by their State laws.
    Response: We encourage the State Medicaid or program integrity 
director of any State that faces State legislative, regulatory, or 
administrative implementation obstacles to contact us

[[Page 5939]]

in order to work out a plan of resolution.
    Comment: One commenter suggested that the process for quarterly 
reporting and certification at Sec.  455.23(d) is onerous to the State 
and the MFCU. The commenter further indicated that reporting is already 
addressed in Memoranda of Understanding between the States and the 
MFCUs, and therefore, additional reporting requirements would be 
burdensome on the State.
    Response: We disagree, and in the proposed rule stated that we 
would not prescribe the format that such certifications must take to 
maximize State flexibility. The Memoranda of Understanding between the 
States and the MFCUs routinely do not address reporting and 
documentation to the degree that will be required by Sec.  455.23(d). 
Moreover, in the proposed rule we emphasized that payment suspensions 
should be temporary and we noted the profound impact that a payment 
suspension can have upon a provider. We believe that the quarterly 
reporting and certification process is an important protection for 
providers to ensure that suspensions do not continue after law 
enforcement has concluded its investigation but did not report this 
information to the State Medicaid agency.
    Comment: Some commenters suggested that documentation and record 
retention in instances regarding the decision to not suspend payments 
is expensive and unnecessary given the high volume of unfounded 
allegations. These commenters also suggested that the requirement to 
report summary information to the Secretary is duplicative given that 
CMS will be reviewing State actions on suspension of payment during 
periodic on-site program integrity reviews.
    Response: We disagree. As we generally discuss in both these 
responses and in the proposed rule, we are balancing a number of 
interests including: (1) A statutory directive from the ACA that FFP 
not be paid in certain circumstances; (2) a payment suspension 
provision that, if not rigorously and carefully administered, can 
detrimentally impact honest providers; and (3) CMS' intent to maintain 
its appropriate oversight role but at the same time not to arbitrarily 
or unreasonably second-guess State decision-making. As such, we believe 
rigorous documentation requirements that go beyond what may be reviewed 
during on-site program integrity reviews actually serve to protect 
everyone's interests. Moreover, we believe it is particularly important 
that States carefully document those processes that require special 
judgment calls, such as with respect to exercising the various good 
cause exceptions, so that, upon CMS review, FFP is not inappropriately 
withheld.
    Comment: One commenter recommended that Medicaid State agencies 
should be allowed to share potentially helpful information with their 
MFCUs without following the requirements in the proposed rule regarding 
documentation and timing of the referral of a credible allegation of 
fraud.
    Response: We fully agree with the notion that States may share 
information or otherwise consult with their MFCUs, recognizing that 
States may need to consult and/or exchange information with their 
respective MFCUs prior to making a formal referral, and do not seek to 
limit or otherwise define the circumstances by which States make such 
communications. We disagree, however, with the proposition that States 
should not need to follow our proposed MFCU documentation/referral 
requirements, which we believe are important for reasons similar to 
those addressed in the previous response, thus we will not alter the 
proposed documentation and timing requirements.
    Comment: Certain commenters have suggested that it will be 
cumbersome to require the State to obtain a written certification from 
the MFCU or other law enforcement agency that any matter that is 
accepted on the basis of a referral continues to be under investigation 
or in the course of enforcement proceedings warranting continuation of 
the payment suspension every 90 days. In addition, these commenters 
expressed concern that this requirement will result in a substantial 
increase in workload and could result in increased staffing levels. 
Commenters also suggested that existing methods of communication 
regarding caseload and referrals between the States and the MFCUs 
should be sufficient.
    Response: We disagree with the proposition that the quarterly law 
enforcement certification requirement is overly cumbersome or that the 
documentation requirements finalized here will result in substantial 
increases in workload. As we have indicated previously in these 
responses and in the proposed rule, we believe rigorous documentation 
requirements are in everyone's interest. Moreover, to maintain State 
flexibility, we are not prescriptive with respect to the format of the 
quarterly certification. States have long had authority to implement 
payment suspensions and, though we formalize certain documentation and 
referral requirements here, we believe that most States that have used 
suspension authority likely have rigorous documentation requirements 
already in place to ensure they are able to adequately justify 
suspension actions and withstand any provider challenges.
    Comment: With regard to formal fraud referrals issued by the State 
to the MFCU or other law enforcement agency, one commenter suggested 
combining the relevant NPIs of the affected providers into one referral 
instead of referring individual cases.
    Response: This is outside the scope of the proposed rule and 
therefore we will not address this issue at this time.
    Comment: One commenter suggested that the regulation at Sec.  
455.23(g) proposing to require States to annually report to the 
Secretary information regarding the life cycle of each payment 
suspension imposed and any determinations to exercise the good cause 
exceptions not to suspend payment, to suspend payment only in part, or 
to discontinue a payment suspension, be modified. Specifically, the 
commenter suggested that such annual report be filed only if such 
information is shared by law enforcement.
    Response: We disagree with the commenter's proposition for two 
reasons. First, a number of the elements the commenter points out are 
not contingent on any response from law enforcement. Second, we 
certainly appreciate that States can only report on the information 
that is in their possession, but believe that annual reporting should 
not be contingent on whether law enforcement has shared such 
information. Importantly, to the extent that annual reporting reveals 
gaps where law enforcement has neglected or refused to share 
information it will illustrate where CMS may have to exercise 
additional oversight authority to attempt to close such gaps. Likewise, 
law enforcement's ``failure to communicate'' may be a significant 
factor in a State's decision to exercise certain of the rule's good 
cause exception authorities.
    Comment: One commenter suggested that CMS include in the final 
regulation at Sec.  455.23(d)(4), as reflected in the preamble to the 
proposed rule, a requirement for States to immediately release the 
payment suspension ``unless the State has alternative Federal or State 
authority by which it may impose a suspension.'' (75 FR 58225). The 
proposed regulation does not reflect this additional language governing 
the immediate release of a payment suspension when MFCU or law

[[Page 5940]]

enforcement declines to accept the fraud referral.
    Response: We agree, and are including this language in the final 
rule with comment period.
    Comment: Certain commenters suggested revising the proposed 
language to include a 180 day time limit for the duration of a 
suspension of payment in the Medicaid program, similar to the proposed 
process under Medicare.
    Response: Aside from the general constraints and protections built 
in to the rule around the notion that suspensions are intended to be 
temporary, we believe that States need the flexibility to decide the 
duration of payment suspensions in order to accommodate State laws and 
legal processes. Because Medicare is a national program there is more 
uniformity surrounding the disposition of Medicare program suspensions. 
So while a specific time limit may be adequate there, we believe a more 
flexible approach, nearly identical to the approach used with respect 
to Medicaid payment suspensions for more than 20 years, is necessary to 
address the needs of 50 plus States and territories.
    Comment: One commenter suggested that the duration of a payment 
suspension by States should be permanent where the provider is later 
convicted of the offense.
    Response: Payment suspensions are intended to stem the flow of 
Medicaid dollars to providers against whom there are credible 
allegations of fraud, during the pendency of the investigation, which 
includes any related proceedings. Separate authorities, some 
administered by other agencies, including possible exclusion from 
participation in Federal health care programs, may be implemented upon 
a provider's conviction.
    Comment: One commenter indicated that while the proposed rule gives 
States authority to immediately release payment suspensions if a timely 
investigation by law enforcement does not ensue, that ``timely,'' is 
not clearly defined.
    Response: We believe that when a State learns that law enforcement 
has declined to investigate a fraud referral from the State in 
connection with a payment suspension or otherwise discontinues a 
pending investigation, the State should immediately take steps to 
terminate a payment suspension. As discussed several times in these 
responses, we proposed a requirement for States to obtain quarterly 
certifications from law enforcement to help address this type of 
scenario so that providers are not subject to a continuing payment 
suspension based upon a fraud referral that was declined by law 
enforcement or an investigation that has been concluded without the 
State's knowledge.
    Comment: Certain commenters requested clarification regarding the 
resolution of an investigation for purposes of terminating a payment 
suspension.
    Response: Generally, a payment suspension is temporary and will not 
continue after the State Medicaid agency or the prosecuting authorities 
determine that there is insufficient evidence of fraud by the provider 
or legal proceedings related to the alleged fraud are completed.
    Comment: One commenter suggested that the proposed rule be changed 
to defer to State law to dictate how long and under what circumstances 
a payment suspension can be imposed.
    Response: As we noted in an earlier response, this rule presents a 
floor for protection of Medicaid funds and does not bar a State from 
setting a higher bar allowing for imposition of suspensions with other 
conditions or in other circumstances.
    Comment: Several commenters suggested that the proposed rule does 
not provide adequate due process for providers facing suspension of 
payments. Certain commenters also suggested that the proposed rule 
could result in a de facto termination from the Medicaid program 
without any meaningful due process. Commenters expressed concern that 
non-fraudulent providers may effectively be terminated by lengthy 
suspensions. Commenters also suggested shortening the length of 
suspensions or in the alternative, maintaining the current permitted 
duration without extension. Another commenter indicated that the 
proposed rule does not create a right to challenge the ongoing validity 
of a payment suspension.
    Response: Under the proposed rule, providers have an opportunity to 
submit written evidence for consideration by the Medicaid agency 
regarding payment suspensions. Based upon this written evidence, a 
State may determine whether there is good cause to terminate a 
suspension of payment. Accordingly, we believe there are adequate due 
process protections in place pursuant to which a provider may establish 
good cause to terminate a payment suspension. In addition, this process 
was already accounted for in existing Medicaid regulations and we did 
not change the process. We are not aware of any issues associated with 
this process which has been in existence for more than 20 years. 
Moreover, we expressed in the proposed rule that suspensions, because 
of their significant impact upon providers, are only temporary. We 
provided in the rule several protections (such as the quarterly law 
enforcement certification and State documentation requirements) and 
also various ``good cause'' exceptions. Moreover, the duration of 
suspension provisions of the proposed rule, finalized here, are 
essentially the same as have been in place for more than 20 years with 
the existing Medicaid payment suspension rule. We believe that the 
significant built-in protections, in conjunction with the fact that we 
are not aware that the current Medicaid suspension process has caused 
significant undue hardship with providers having payments wrongly 
suspended, lend adequate safeguards to the process. CMS will also 
monitor States' implementation of the Medicaid payment suspension rule 
through the various documentation requirements and State program 
integrity reviews, to ensure that there are no marked shortcomings with 
regard to States' processes.
    Comment: One commenter suggested that the final regulation should 
require State Medicaid programs to establish and codify a Medicaid 
administrative review process with regard to the review of payment 
suspensions.
    Response: We recognize that individual State laws vary with regard 
to their respective administrative review processes, and believe that 
most or all States have established such processes. As previously 
stated, we will revise the proposed language in the regulations to 
reflect the inclusion of State administrative appeal procedures in the 
notice of suspension furnished to providers. In addition, we believe 
the notice should also include relevant citations to State law, where 
applicable.
    Comment: A couple of commenters suggested that CMS develop a system 
or process for exposing and penalizing those who make false fraud 
complaints.
    Response: This is outside the scope of the proposed rule and 
therefore we will not consider this suggestion at this time.
    Comment: One commenter requested clarification regarding the fraud 
referral standards established by CMS as a result of an OIG January 
2007 report entitled ``Suspected Medicaid Fraud Referrals'' (OEI 07-04-
00181).
    Response: We issued fraud referral standards on September 30, 2008. 
The link to CMS' Web site where the fraud referral standards may be 
found is: http://www.cms.gov/FraudAbuseforProfs/downloads/fraudreferralperformancestandardsstateagencytomfcu.pdf.

[[Page 5941]]

    Comment: One commenter suggested that the content of a fraud 
referral should be left to the discretion of each State. This commenter 
suggested that a continuing collaborative environment will fulfill the 
regulatory provisions regarding content of fraud referrals.
    Response: We encourage States to collaborate with their MFCU. A 
fraud referral must contain, at a minimum, the elements as outlined in 
the proposed regulation and finalized here, but it is within a State's 
discretion to the extent it wishes to add additional information.
    Comment: One commenter suggested that FQHCs should be exempted from 
the application of payment suspensions.
    Response: We disagree. There is no statutory requirement to carve 
out an exception for any particular category of provider. We believe 
that payment suspensions apply to fraudulent conduct regardless of 
provider type.
    Comment: One commenter suggested that payment suspensions should 
only apply to providers in the limited screening level, as that term is 
defined and used in connection with the provider screening rules, under 
only the most extraordinary circumstances.
    Response: We decline to carve out an exception for providers in the 
limited screening level in the context of a payment suspension. This 
assignment to the limited level applies in the context of provider 
screening, not for suspension of payments. The determination regarding 
whether to impose a payment suspension is driven by credible 
allegations of fraudulent conduct and not whether a provider is 
assigned to a certain level for purposes of screening.
    Comment: One commenter requested clarification regarding the 
application of payment suspensions to billing providers as opposed to 
prescribing providers. Another commenter requested a guarantee that 
payment suspensions will not be imposed against a billing provider.
    Response: We understand that there are circumstances in which the 
prescribing provider may be different from the furnishing provider and/
or billing provider. Generally, we believe that payment suspension is 
not the appropriate mechanism to recover Medicaid funds from one 
provider who inescapably, but innocently, happens to be associated with 
the fraudulent conduct of another provider. Because payment suspensions 
only apply based upon credible allegations of fraud, payment 
suspensions are generally not the appropriate vehicle by which to 
recover reimbursement for items and/or services furnished by a provider 
against whom there are no allegations of fraud. Nevertheless, there is 
no guarantee that a payment suspension will only be imposed against the 
billing provider as, particularly at the outset of an investigation of 
a credible allegation of fraud, it may be impossible to precisely 
determine the locus of the fraud or whether it involved collusion or 
conspiracy.
    Comment: One commenter requested clarification regarding whether 
States with authority under existing State law may impose suspensions 
for reasons other than where there is a credible allegation of fraud. 
This commenter suggested that where such authority exists, the 
requirements proposed under Sec.  455.23, including those concerning 
referrals to the MFCU and the duration of suspension should not apply.
    Response: The requirements for payment suspensions under the 
proposed rule are based upon credible allegations of fraud. As we have 
noted several times in both these responses and in the proposed rule, 
nothing in these rules bar a State from exercising other broader 
authorities to suspend payments to providers.
    We are adopting the provisions of the proposed rule with the 
exception of the following changes:
     In Sec.  455.2, we have revised the definition of 
``credible allegation of fraud'' to address the issue of the State's 
verification of the allegation.
     In Sec.  455.23(a)(1), we have added the verbiage ``after 
the agency determines there is a credible allegation of fraud for 
which'' after the term ``provider.''
     In Sec.  455.23(b)(2), we have added a new subsection (vi) 
that reads: ``Set forth the applicable State administrative appeals 
process and corresponding citations to State law.''
     In Sec.  455.23(d), we have added the verbiage ``has 
alternative Federal or State authority by which it may impose a 
suspension or'' before ``makes a fraud referral to another law 
enforcement agency.''
     In Sec.  455.23(e), we have revised subsection (3) to 
state: ``The State determines, based upon the submission of written 
evidence by the individual or entity that is the subject of the payment 
suspension, that the suspension should be removed.''
     In Sec.  455.23(e), we have added a new subsection (6) 
that states: ``The State determines that payment suspension is not in 
the best interests of the Medicaid program.''
     In Sec.  455.23(f), we have revised subsection (2) to 
read: ``The State determines, based upon the submission of written 
evidence by the individual or entity that is the subject of a whole 
payment suspension, that such suspension should be imposed only in 
part.''
     In Sec.  455.23(f), we have added a new subsection (5) 
that states: ``The State determines that payment suspension only in 
part is in the best interests of the Medicaid program.''

E. Proposed Approach and Solicitation of Comments for Sections 6102 and 
6401(a) of the Affordable Care Act --Ethics and Compliance Program

1. Statutory Changes
    Under section 6102 of the ACA which established new section 1128I 
of the Act, a nursing facility (NF) or SNF shall have in operation a 
compliance and ethics program that is effective in preventing and 
detecting criminal, civil, and administrative violations and in 
promoting quality of care, consistent with regulations developed by the 
Secretary, working jointly with the HHS OIG. The regulations to 
establish the compliance and ethics program for operating organizations 
may include a model compliance program. The statute requires that in 
the case of an organization that has five or more facilities, the 
formality or specific elements of the program vary with the size of the 
organization. The statute also requires that not later than 3 years 
after the effective date of the regulations, the Secretary shall 
complete an evaluation of the programs to determine if such programs 
led to changes in deficiency citations, changes in quality performance, 
or changes in the quality of resident care. The Secretary shall submit 
to the Congress a report on such evaluation with recommendations for 
changes in the requirements, as the Secretary deems appropriate.
    Similarly, under section 6401(a) of the ACA, which established a 
new section 1866(j)(8) of the Act, a provider of medical or other items 
or services or a supplier shall, as a condition of enrollment in 
Medicare, Medicaid or CHIP, establish a compliance program that 
contains certain ``core elements.'' The statute requires the Secretary, 
in consultation with the HHS OIG, to establish the core elements for 
providers or suppliers within a particular industry or category. The 
statute allows the Secretary to determine the date that providers and 
suppliers need to establish the required core elements as a condition 
of enrollment in Medicare, Medicaid, and CHIP. The statute requires the 
Secretary to consider the extent to which the adoption of compliance 
programs by providers or suppliers is widespread in a particular 
industry sector or particular provider or supplier category. Please 
note, NFs and

[[Page 5942]]

SNFs are subject to both compliance plan requirements under sections 
6102 and 6401(a) since section 6401(a) of the ACA includes all 
providers and suppliers enrolling into Medicare, Medicaid and CHIP. We 
intend to establish compliance program core elements per section 
6401(a) of the ACA for NFs and SNFs that closely match the required 
components of a compliance program per section 6102 of the ACA.
2. Proposed Ethics and Compliance Program Provisions
    In order to consider the views of industry stakeholders, we 
solicited comments on compliance program requirements included in the 
ACA. We do not intend to finalize compliance plan requirements in this 
final rule with comment period; rather, we intend to do further 
rulemaking on compliance plan requirements and will advance specific 
proposals at some point in the future. We were most interested in 
receiving comments on the following:
    The use of the seven elements of an effective compliance and ethics 
program as described in Chapter 8 of the U.S. Federal Sentencing 
Guidelines Manual (http://www.ussc.gov/2010guid/20100503_Reader_Friendly_Proposed_Amendments.pdf, pp. 31-35) as the basis for the 
core elements of the required compliance programs for Medicare, 
Medicaid and CHIP enrollment. These elements instill a commitment to 
prevent, detect and correct inappropriate behavior and ensure 
compliance with all applicable laws, regulations and requirements, and 
include:
     The development and distribution of written policies, 
procedures and standards of conduct to prevent and detect inappropriate 
behavior;
     The designation of a chief compliance officer and other 
appropriate bodies (for example a corporate compliance committee) 
charged with the responsibility of operating and monitoring the 
compliance program and who report directly to high-level personnel and 
the governing body;
     The use of reasonable efforts not to include any 
individual in the substantial authority personnel whom the organization 
knew, or should have known, has engaged in illegal activities or other 
conduct inconsistent with an effective compliance and ethics program;
     The development and implementation of regular, effective 
education and training programs for the governing body, all employees, 
including high-level personnel, and, as appropriate, the organization's 
agents;
     The maintenance of a process, such as a hotline, to 
receive complaints and the adoption of procedures to protect the 
anonymity of complainants and to protect whistleblowers from 
retaliation;
     The development of a system to respond to allegations of 
improper conduct and the enforcement of appropriate disciplinary action 
against employees who have violated internal compliance policies, 
applicable statutes, regulations or Federal health care program 
requirements;
     The use of audits and/or other evaluation techniques to 
monitor compliance and assist in the reduction of identified problem 
areas; and
     The investigation and remediation of identified systemic 
problems including making any necessary modifications to the 
organization's compliance and ethics program.
    In addition, we are particularly interested in comments about the 
following:
     The extent to which, and the manner in which, providers 
and suppliers already incorporate each of the seven U.S. Federal 
Sentencing Guidelines elements into their compliance programs or 
business operations. We are interested in how and to what degree each 
element has been incorporated effectively into the compliance programs 
of different types of providers and suppliers considering their risk 
areas, business model and industry sector or particular provider or 
supplier category.
     Any other suggestions for compliance program elements 
beyond, or related to, the seven elements referenced previously 
considering provider or supplier risk areas, business model and 
industry sector or particular provider or supplier category including 
whether external and/or internal quality monitoring should be a 
required for hospitals and long-term care facilities.
     The costs and benefits of compliance programs or 
operations including aggregate or component costs and benefits of 
implementing particular elements and how these costs and benefits were 
measured.
     The types of systems necessary for effective compliance, 
the costs associated with these systems and the degree to which 
providers and suppliers already have these systems including, but not 
limited to, tracking systems, data capturing systems and electronic 
claims submission systems. We anticipate having providers and suppliers 
evaluate the effectiveness of their compliance plans using electronic 
data.
     The existence of and experience with State or other 
compliance requirements for various providers and suppliers and 
foreseeable conflicts or duplication from multiple requirements.
     The criteria we should consider when determining whether, 
and if so, how to divide providers and suppliers into groupings that 
would be subject to similar compliance requirements including whether 
individuals should have different compliance obligations from 
corporations.
     Available research or individual experience regarding the 
current rate of adoption and level of sophistication of compliance 
programs for providers or suppliers based on their business model and 
industry sector or particular provider or supplier category.
     How effective compliance programs have been for varied 
providers and suppliers and how the level of effectiveness was 
measured.
     The extent to which providers and suppliers currently use 
third party resources, such as consultants, review organizations, and 
auditors, in their compliance efforts.
     The extent to which providers and suppliers have already 
identified staff responsible for compliance and, for those who already 
have staff responsible for compliance, the positions of these staff.
     A reasonable timeline for establishment of a required 
compliance program for various types and sizes of providers and 
suppliers, assuming the compliance program core elements were based on 
the aforementioned U.S. Federal Sentencing Guidelines' seven elements 
of an effective compliance and ethics program, considering business 
model and industry sector or particular provider or supplier category.
    We welcomed any information concerning how the industry views 
compliance program elements and how we can establish required 
compliance program elements to protect Medicare, Medicaid, and CHIP 
from fraud and abuse.
3. Analysis of and Responses to Public Comment
    We received numerous comments on compliance program elements in 
response to this request. Though we will not respond to those comments 
within this final rule with comment period, these will be considered 
for further rulemaking on compliance plan requirements.
4. Final Provisions--Ethics and Compliance Program
    We are not finalizing these provisions in this final regulation. We 
are in the process of developing a new Notice of Proposed Rule Making 
incorporating the

[[Page 5943]]

compliance plan provisions and comments received that will be published 
at a later date. The proposed rule will also have an opportunity for 
further public comment.

F. Termination of Provider Participation Under the Medicaid Program and 
CHIP if Terminated Under the Medicare Program or Another State Medicaid 
Program or CHIP

1. Statutory Change
    Section 6501 of the ACA amends section 1902(a)(39) of the Act to 
require a State Medicaid program to terminate any provider, be it an 
individual or entity, participating in that program, subject to the 
limitations on exclusions in sections 1128(c)(3)(B) and 1128(d)(3)(B) 
of the Act, if the provider's participation has been terminated under 
title XVIII of the Act or another State's Medicaid program. Effective 
provider screening prevents excluded providers from enrolling in 
government health care programs and being paid with Federal and State 
funds. Effective screening of providers barred from participation can 
reduce the risk of fraud, waste, and abuse in the Medicare and Medicaid 
programs and CHIP
    When a State terminates a provider but does not share that 
information with any other State, all other States become vulnerable to 
potential fraud, waste, and abuse committed by that provider. 
Similarly, a provider, supplier, or eligible professional that has been 
terminated from Medicare or has had Medicare billing privileges revoked 
may enroll with a State Medicaid program or with CHIP when a State is 
not aware of the Medicare termination or revocation. We may terminate 
or revoke the billing privileges of a provider, supplier, or eligible 
professional under Medicare for a number of reasons, as set forth at 
Sec.  424.535, including exclusion from health care programs, 
government-wide debarment, and conviction of certain violent felonies 
and financial crimes.
    Section 6501 of the ACA requires a State's Medicaid program to 
terminate an individual or entity's participation in the program 
(subject to certain limitations on exclusions in sections 1128(c)(3)(B) 
and 1128(d)(3)(B) of the Act), if the individual or entity has been 
terminated under Medicare or another State's Medicaid program. Although 
the term ``termination'' only applies to providers under Medicare whose 
billing privileges have been revoked (and does not apply to Medicare 
suppliers or eligible professionals), we believe it was the intent of 
the Congress that this requirement also be applicable to suppliers and 
eligible professionals that have had their billing privileges under 
Medicare revoked as well. Therefore, we proposed that ``termination'' 
be inclusive of situations where an individual's or entity's billing 
privileges have been revoked. The requirement for States to terminate 
would only apply in cases where providers, suppliers, or eligible 
professionals were terminated or had their billing privileges revoked 
for cause. ``For cause'' may include fraud, integrity or quality, but 
not cases where the providers, suppliers, or eligible professionals 
were terminated or had their billing privileges revoked based upon 
voluntary action taken by the provider to end its participation in the 
program, except where that voluntary action is taken to avoid a 
sanction, or where a State removes inactive providers from its 
enrollment files.
    In addition, State Medicaid programs would terminate a provider 
only after the provider had exhausted all available appeal rights in 
the Medicare program or in the State that originally terminated the 
provider or the timeline for such appeal has expired.
    Section 6501 of the ACA builds upon the requirements in section 
6401(b)(2) of the ACA, which requires that we establish a process to 
make available Medicare provider, supplier, and eligible professional 
and CHIP provider termination information to State Medicaid programs. 
Section 1902(kk)(6) of the Act also requires States to report adverse 
provider actions to CMS, including criminal convictions, sanctions, and 
negative licensure actions.
    When States are apprised of the terminations or revocations of 
billing privileges, as the case may be, of providers, suppliers, and 
eligible professionals that have occurred in other State Medicaid 
programs, CHIP, or in Medicare, States have the information they need 
to protect their programs.
2. Proposed Provisions for Termination of Provider Participation Under 
the Medicaid Program and CHIP if Terminated Under the Medicare Program 
or Another State Medicaid Program or CHIP
    We proposed at Sec.  455.416(c) that a State Medicaid program must 
deny enrollment or terminate the enrollment of a provider that is 
terminated on or after January 1, 2011 under Medicare, or has had its 
billing privileges revoked, or is terminated on or after January 1, 
2011 under any other State's Medicaid program or CHIP.
    While section 6501 of the ACA does not expressly require that 
individuals or entities that have been terminated under Medicare or 
Medicaid also be terminated from CHIP, we also proposed, under our 
general rulemaking authority pursuant to section 1102 of the Act, to 
require in CHIP regulations that CHIP take similar action to terminate 
a provider terminated or revoked under Medicare, or terminated under 
any other State's Medicaid program or CHIP.
    We also proposed to add a definition at Sec.  455.101 for 
termination for purposes of this section. That definition distinguishes 
between Medicaid providers and Medicare providers, suppliers, and 
eligible professionals and specifies that termination means a State 
Medicaid program or the Medicare program has taken action to revoke the 
Medicaid provider's or Medicare provider, supplier or eligible 
professional's billing privileges and the provider, supplier or 
eligible professional has exhausted all applicable appeal rights. There 
is no expectation on the part of the provider, supplier, or eligible 
professional or the State or Medicare program that the termination or 
revocation is temporary. The provider, supplier or eligible 
professional would be required to reenroll with the applicable program 
if they wish billing privileges to be reinstated.
3. Analysis of and Responses to Public Comment
    We received the following comments:
    Comment: One commenter stated that while there is value to the 
States to have additional authority under which to deny or terminate 
Medicaid providers, it will be necessary to amend current statute and 
regulations to include new reasons for denials and terminations, and 
additional time will be required.
    Response: In accordance with section 6508(b) of the ACA, a State 
may delay implementation of this provision if the Secretary determines 
that State legislation is required.
    Comment: Commenters asked for clarification regarding ACA section 
6401(b)(2) that requires CMS to establish a process to make available 
Medicare provider, supplier, and eligible professional and CHIP 
termination information to State Medicaid programs. Commenters asked if 
a mechanism was in place for States to check for terminated providers 
starting January 1, 2011. One commenter requested clarification as to 
how State Medicaid programs would communicate with Medicare contractors 
when the States had revoked or suspended a Medicaid enrollment. Another 
commenter asked if the Provider Enrollment, Chain, and Ownership System 
(PECOS) would be

[[Page 5944]]

used. Another commenter stated it would be ``next to impossible'' to 
carry out this provision without an effective way to obtain information 
from Medicare regarding terminated providers. One commenter urged CMS 
to establish a national database that contains Medicare, CHIP 
termination and exclusion information as well as information on 
terminations from all State Medicaid programs.
    Response: We are in the process of establishing a secure web-based 
portal that will allow States to share information regarding terminated 
providers. Using this web-based portal, a State will be able to upload 
as well as download information regarding its terminated providers and 
download information regarding terminated providers in other States and 
Medicare. States will not be required to report those providers who 
were terminated prior to January 1, 2011. Access to the information-
sharing portal is limited to users that we have approved.
    Comment: Some commenters requested that CMS clarify the timeframes 
for State reporting of terminations.
    Response: States should report terminations on a monthly basis in 
order to assist other States and the Medicare program in protecting 
themselves from providers who pose an increased risk to government 
health care programs.
    Comment: One commenter requested that States be granted real time 
access to the exclusion database. Another commenter suggested that CMS 
consider leveraging existing Federal databases such as the NPI and 
NPPES.
    Response: We are in the process of exploring potential 
opportunities to leverage existing databases and infrastructure that 
would enable timely access to provider enrollment data across programs. 
We are currently examining to what extent we can support such a 
centralized information sharing solution.
    Comment: One commenter requested clarification that Medicaid 
termination should only last as long as the Medicare termination, 
especially in States where ``terminate'' means ``permanent exclusion.''
    Response: When a State terminates a provider based on the fact that 
the provider was terminated by Medicare, the duration of the State's 
termination action should be consistent with State law, and not 
necessarily driven by the length of the Medicare termination. The same 
would hold true when a State terminates a provider based on a 
termination action in another State. We do not wish to dictate to 
States the duration of their terminations.
    Comment: One commenter contended that the proposed rule did not 
detail the parameters of the termination process. Specifically, it did 
not state what would happen if a provider is wrongfully terminated from 
participation in Medicare or another public benefit, or the different 
termination scenarios--such as the effect on a group practice if a 
provider in that group is suspected of fraud. The commenter also 
requested further explanation and clarification regarding the timeline 
and parameters for termination of provider participation in Medicare, 
Medicaid, and CHIP.
    Response: For purposes of the Medicaid program, the parameters of 
the termination process would be governed by the terminating State's 
administrative appeals processes. Accordingly, the timeline and 
parameters for termination will vary depending on the State in which 
the termination occurs. State Medicaid agencies and CHIP must deny 
enrollment or terminate the enrollment of any provider that is 
terminated by Medicare or another State's Medicaid program or CHIP on 
or after January 1, 2011. If a provider is wrongfully terminated from 
Medicare or another State's Medicaid program or CHIP, and a subsequent 
State has already terminated such provider from its Medicaid program or 
CHIP, the subsequent State should reinstate the provider once the 
subsequent State has evidence demonstrating that the provider was 
wrongfully terminated.
    When an individual provider is terminated by a State Medicaid 
program or CHIP, the effect on a group practice would be that the 
individual provider who is terminated may not participate in the 
Medicaid or CHIP programs until that provider is eligible to, and does 
re-enroll. Therefore, neither the individual provider, nor the group 
practice would be able to bill Medicaid or CHIP for care and/or 
services provided by the individual provider that has been terminated.
    Comment: One commenter stated that termination is defined to be 
inclusive of situations where an individual or entity's billing 
privileges have been revoked. The commenter requested clarification 
because not all providers have billing privileges. For example, a 
particular pharmacist may be denied participation in a State's Medicaid 
program; however, because the pharmacist does not have direct billing 
privileges, another State would not have to also terminate that 
provider.
    Response: The requirement for termination is not limited to 
situations in which a provider is billing the Medicaid program. The 
requirement for termination applies to enrolled providers generally, 
not just billing providers. An enrolled provider that has had its 
billing privileges revoked by Medicare must be terminated by the 
States' Medicaid programs, regardless of whether the provider is 
submitting claims.
    Comment: One commenter requested clarification for States regarding 
termination when a provider has more than one NPI or Medicare ID 
number. A commenter inquired if CMS will terminate a provider's NPI, 
Medicare legacy number or both. This commenter also asked if a provider 
has multiple NPIs and/or Medicare numbers, does Medicare terminate a 
provider under one number but allow them to continue to participate 
under other NPI/Medicare numbers. This commenter indicated that if the 
response is yes, would a State be expected to follow suit, that is, 
terminate only the NPI that Medicare has terminated. Finally, the 
commenter asked what States should do in cases where providers have 
multiple legacy Medicaid numbers that crosswalk to a single NPI.
    Response: It is the provider, not the provider's identifiers, which 
are to be terminated under this provision. Thus, to the extent that 
Medicare terminated one or multiple NPIs/Medicare legacy numbers for 
cause that are tied to one provider we generally expect that State 
Medicaid agencies will follow suit. Accordingly, if one provider has 
multiple Medicaid identification numbers, then the State would be 
required to terminate such provider numbers if the State determines 
there is cause for such termination and the provider has exhausted its 
appeal rights.
    Comment: Several commenters expressed concern over the potential 
for terminations of affiliated providers when one provider had been 
terminated in another State. One commenter asked if other State 
Medicaid agencies will be compelled to terminate affiliates that have a 
common corporate parent. A commenter asked if terminations for a 
corporation apply to any branches or franchises of that corporation.
    Response: Section 6501 of the ACA does not require the termination 
of affiliates of terminated entities. Accordingly, we are not requiring 
States at this time to terminate affiliates of those individuals or 
entities that have been terminated by another Medicaid program or had 
their billing privileges revoked by the Medicare program.
    Comment: One commenter stated that it is a common State statutory 
requirement or best practice for a provider to form a legal corporate 
entity

[[Page 5945]]

unique to the State. The commenter requested clarification for the 
legal basis for Federal enforceability of termination from or denied 
enrollment into a State's program based upon the termination or denial 
status in another State where the provider and its principals are the 
same individuals but the ``provider'' is a separate legally 
incorporated entity under State law.
    Response: Section 1902(a)(39) of the Act requires State Medicaid 
agencies to terminate the participation of any individual or entity 
that has been terminated under Medicare or another State's Medicaid 
program. When a State is contemplating a termination as a result of a 
termination that was initiated by another State's Medicaid program, and 
there is a question regarding the identity of the provider who is the 
subject of the termination, it is generally up to the subsequent 
terminating State to determine whether a provider in their State is the 
same provider that was initially terminated by another State's Medicaid 
program. In order to determine whether a provider in one State is the 
same provider that was terminated in another State, a State could look 
at a variety of factors, including, but not limited to, NPI and 
correspondence address. The State could also communicate with the 
Medicaid agency that originally terminated the provider to help resolve 
the question of the provider's identity. If the State believes that 
background checks are required to verify the identity of a provider, 
then States should conduct such background checks. We believe the 
States should have flexibility to determine the best method for 
identity verification.
    Comment: One commenter suggested that the regulatory definition of 
termination at Sec.  455.101 should be revised to include the 
termination of persons or entities with an ownership or control 
interest or who is an agent or managing employee of a provider.
    Response: The ACA does not contemplate termination based upon 
ownership or control. The statute requires termination of the same 
individual or entity that was terminated by Medicare or another State's 
Medicaid program.
    Comment: A few commenters requested that CMS clarify in the final 
rule with comment period that termination from the Medicaid program 
must only occur when a provider has had billing privileges revoked or 
terminated by Medicare for cause.
    Response: The requirement for States to terminate would only apply 
in cases where providers, suppliers or eligible professionals were 
terminated or had their billing privileges revoked for cause which may 
include, but is not limited to, fraud, integrity or quality issues. In 
addition, we have defined ``termination'' in the final rule with 
comment period as occurring when a State Medicaid program has taken 
action to terminate a provider and the provider has exhausted all 
applicable appeal rights that are available in the State or the 
Medicare program, or the timeline for appeal has expired, whichever is 
applicable.
    Comment: One commenter requested information regarding how managed 
care organizations will be able to access provider termination 
information.
    Response: We encourage States to share such information with their 
managed care entities.
    Comment: One commenter requested that an appeals process be 
established for providers and suppliers that would permit a provider/
supplier to continue to provide care under a program if they can 
demonstrate ``good cause exemptions.''
    Response: While we appreciate the commenter's suggestion, section 
6501 of the ACA requires States to terminate the participation of any 
provider that has been terminated under Medicare or another State's 
Medicaid program, and allows for exceptions only as permitted under 
sections 1128(c)(3)(B) and 1128(d)(3)(B) of the Act.
    Comment: Commenters expressed concern that the proposed rule allows 
for the imposition of sanctions based upon findings made outside the 
agency. For example, if Medicare revokes a provider's billing 
privileges and a State initiates a termination action as a result of 
such revocation, then, in the commenter's view, the proposed rule gives 
the provider a right to use the State administrative appeal process to 
challenge anew the Medicare revocation.
    Response: We disagree. The provider is not provided a new forum in 
which to litigate the Medicare termination action. The ACA does not 
give a State the authority to review a Medicare termination action. The 
statute requires a State to terminate a provider that was terminated by 
Medicare or another State's Medicaid program, with certain limited 
exceptions.
    Comment: A few commenters indicated that the proposed regulation 
fails to state that termination from the Medicaid program must only 
occur in situations in which the provider or supplier had its billing 
privileges terminated or revoked for cause, that is, fraud, integrity 
or quality issues.
    Response: We agree. In the regulatory definition for 
``termination,'' we will state that the requirement for States to 
terminate would only apply in cases where providers, suppliers or 
eligible professionals were terminated or had their billing privileges 
revoked for cause which may include, but is not limited to, fraud, 
integrity or quality issues.
    Comment: Certain commenters requested a specific timeline for due 
process in connection with the appeal of termination actions and the 
parameters of the termination process in Medicaid.
    Response: As we have indicated previously in these responses, we 
believe that States should have the flexibility to decide termination 
actions consistent with their individual State administrative appeals 
process. In addition, since State law and regulations may vary with 
regard to this issue, we defer to the States regarding their existing 
termination processes.
    Comment: One commenter suggested that reciprocal termination must 
be limited to revocations of privileges due to fraud and where the 
physician has exhausted all possible appeal rights.
    Response: We agree. As stated in the proposed rule, the requirement 
for States to terminate would only apply in cases where providers, 
suppliers or eligible professionals were terminated or had their 
billing privileges revoked for cause. In addition, we defined 
``termination'' as occurring when a State Medicaid program has taken 
action to revoke a Medicaid provider's billing privileges and the 
provider has exhausted all applicable appeal rights that are available 
in that State, or the timeline for appeal has expired, or when the 
Medicare program has revoked the provider or supplier's billing 
privileges and the provider or supplier has exhausted all applicable 
appeal rights, or the timeline for appeal has expired.
    Comment: One commenter requested a definition of ``eligible 
professional.''
    Response: In the context of terminations, ``eligible professional'' 
is a term that is specific to the Medicare program. For purposes of the 
Medicare program, an eligible professional may include a physician 
assistant, nurse practitioner, or clinical nurse specialist, certified 
nurse-midwife, clinical social worker, clinical psychologist, 
registered dietitian or nutrition professional. See section 1842(b)(18) 
of the Act.
    Comment: Certain commenters requested clarification regarding when 
a termination is triggered under the statute.
    Response: A termination in a subsequent State is triggered when 
Medicare or a State Medicaid program has taken action to revoke a 
provider's billing privileges for cause and the provider has exhausted 
all applicable appeal rights that are available in

[[Page 5946]]

Medicare or the originally-terminating State or the timeline for appeal 
has expired.
    Comment: A commenter stated that section 6 of Executive Order 13132 
requires that: (1) Each agency have an accountable process to ensure 
meaningful and timely input by State officials in the development of 
regulatory policies that have Federalism implications, and (2) no 
agency shall promulgate any regulation that has Federalism implications 
that imposes substantial direct compliance cost on State governments. 
The commenter recommended that CMS explain the process that was used to 
ensure that meaningful and timely input was received from the States 
prior to the development of this proposed rule.
    Response: We have worked closely with State Medicaid agencies on 
the proposed rule and in the development of the final rule with comment 
period.
    Comment: One commenter requested clarification regarding the 
process of how Medicare reinstatements will be communicated to States 
and whether States will be required to automatically reinstate a 
provider in the Medicaid program once a provider ``finishes the 
Medicare termination/revocation period.''
    Response: Presumably, States will be notified by providers who are 
seeking re-enrollment or reinstatement in the Medicaid program. It is 
the responsibility of the States to validate the status of a provider's 
termination with Medicare. When a provider may seek re-enrollment is up 
to the discretion of the States and should be consistent with State 
law. Similarly, the duration of termination should be consistent with 
existing State law.
4. Final Provisions for Termination of Provider Participation Under the 
Medicaid Program and CHIP if Terminated Under the Medicare Program or 
Another State Medicaid Program or CHIP
    We have retained the provisions of the proposed rule, with the 
exception of the following:
     In Sec.  455.101, we have added the following subsection 
(3) to the definition of termination: ``The requirement for termination 
applies in cases where providers, suppliers, or eligible professionals 
were terminated or had their billing privileges revoked for cause which 
may include, but is not limited to: (i) Fraud; (ii) integrity; or (iii) 
quality.''

G. Additional Medicare Provider Enrollment Provisions

1. Statutory Changes
    Section 6501 of the ACA requires States to terminate a provider or 
supplier under the Medicaid program when the provider or supplier has 
been terminated by Medicare or by another State's Medicaid program. We 
believe that permitting CMS to revoke Medicare billing privileges when 
a State Medicaid agency terminates, revokes, or suspends a provider or 
supplier's Medicaid enrollment or billing privileges works in tandem 
with section 6501 of the ACA.
2. Proposed Provisions for Additional Medicare Provider Enrollment
    In Sec.  424.535(a)(11), we proposed allowing CMS, directly or 
through its contractor, to revoke Medicare billing privileges when a 
State Medicaid agency terminates, revokes, or suspends a provider or 
supplier's Medicaid enrollment or billing privileges. Moreover, we 
believe that providers and suppliers whose enrollment has been 
terminated by a State Medicaid program may pose an increased risk to 
the Medicare program.
3. Analysis of and Response to Public Comments
    We received one comment on the proposed provision related to 
Medicare termination.
    Comment: A commenter stated that proposed Sec.  424.535(a)(11) 
contains an editorial error that makes the language of the proposed 
rule difficult to understand.
    Response: Section 424.535(a) lists reasons for revocation of 
Medicare enrollment. Sec.  424.535(a)(12) is one such reason--if a 
State has terminated a provider from Medicaid, Medicare can terminate 
the provider from Medicare. We will reword the language in Sec.  
424.535(a)(12) to clarify the circumstances being addressed.
4. Final Provisions for Additional Medicare Provider Enrollment
    This final rule with comment period finalizes the provisions of the 
proposed rule in regards to our discretion to revoke a provider or 
supplier's Medicare billing privileges when terminated, revoked or 
suspended by a State Medicaid agency with no modifications.

H. Technical and General Comments

    Comment: A commenter stated that the definition of ``provider of 
services'' in section 1861(u) of the Act and ``supplier'' in section 
1861(d) of the Act differs from the meaning of ``provider of services'' 
and ``supplier,'' respectively, in the proposed rule. The commenter 
also was unclear as to whether the proposed rule's references to 
``providers'' refer to ``provider of services.'' The commenter 
requested clarification on both issues.
    Response: The proposed rule stated that in Medicare, the term 
provider of services under section 1861(u) of the Act means health care 
entities that furnish services primarily payable under Part A of 
Medicare, such as hospitals, home health agencies (including home 
health agencies providing services under Part B), hospices, and skilled 
nursing facilities. The term ``suppliers'' defined in section 1861(d) 
of the Act refers to health care entities that furnish services 
primarily payable under Part B of Medicare, such as independent 
diagnostic testing facilities (IDTFs), durable medical equipment 
prosthetics, orthotics, and supplies (DMEPOS) suppliers, and eligible 
professionals, which refers to health care suppliers who are 
individuals, that is, physicians and the other professionals listed in 
section 1848(k)(3)(B) of the Act. For Medicaid and CHIP, we use the 
terms ``providers'' or ``Medicaid providers'' or ``CHIP providers'' 
when referring to all Medicaid or CHIP health care providers, including 
individual practitioners, institutional providers, and providers of 
medical equipment or goods related to care. The term ``supplier'' has 
no meaning in the Medicaid program or CHIP.
    Comment: A commenter suggested that to avoid misinterpretation, 
non-physician practitioners should be clearly defined in the final rule 
with comment period.
    Response: The proposed and final rule with comment period refer to 
non-physician practitioners to mean any non-physician practitioner who 
is eligible to enroll in Medicare, Medicaid or CHIP under existing 
regulations and statutes. In addition, this term is already defined at 
section 1848(b)(18)(C) of the Act.
    Comment: A commenter stated that with the issuance of CMS-1510-F on 
November 2, 2010, CMS should renumber the denial and revocation reasons 
found in this proposed rule. In CMS-1510-F, CMS finalized a new denial 
reason in Sec.  424.530(a)(8) and a new revocation reason in Sec.  
424.535(a)(12).
    Response: We have revised these provisions in the regulatory text.
    Comment: A commenter stated that CMS violated section 6(a) of 
Executive Order 12866 by not giving the public a 60 day review period 
for this rule and that CMS only allowed a 55 day review period. The 
commenter also could not

[[Page 5947]]

find a CMS Press Release or information on the CMS Web site indicating 
that CMS notified the public that it placed this rule on display and 
began the public comment period in advance of the publication of the 
proposed rule in the Federal Register. The commenter recommended that 
CMS reissue a new proposed rule or extend the comment period for this 
proposed rule by additional 60 days.
    Response: The Department of Health and Human Services released a 
press release on September 20, 2010 accessible on its Web site that 
announced the display of the proposed rule at the Federal Register. The 
press release is accessible at: http://www.hhs.gov/news/press/2010pres/09/20100920e.html. Additional media outlets reported the proposed rule 
display on September 17th, 2010. We do not believe it is appropriate to 
extend the comment period for an additional 60 days, and we have taken 
into account all comments received during the comment period.
    Comment: Several commenters stated that the proposed timeframe for 
implementation and compliance is extremely aggressive. First, smaller, 
rural providers and suppliers may not be organizationally able to fully 
comply without significant cost and effort, thus impacting access to 
care. Second, the DME MACs and the NSC will have to be able to identify 
suppliers and implement payment edits, both by specialty code.
    Response: As stated previously, the timeline is a required under 
the ACA. We have been working closely with our contractors and with 
providers and suppliers to ensure that compliance with this final rule 
with comment period will not affect patients' access to health care.
    Comment: Several commenters stated that the implementation 
timetables for this proposed rule were too ambitious, and that 
sufficient lead time is necessary for CMS to have operational computer 
programs in place to administer these requirements correctly and 
consistently.
    Response: This final rule with comment period is implementing 
provisions of the ACA which sets forth deadlines for implementation of 
the screening provisions.
    Comment: A commenter stated that in its manual instructions, CMS 
describes the verification of legalized status for physicians and non-
physician practitioners. However, the commenter stated that the 
proposed rule is silent regarding the verification or screening process 
that will be used to determine legal status of an owner, authorized 
official, delegated official, managing employee, physician or non-
physician. The commenter recommended that CMS explain this process in 
the proposed rule. Another commenter urged CMS to revise its existing 
CMS-855 enrollment applications to include questions on residency, 
legal status, and/or citizenship, arguing that this would help reduce 
fraud.
    Response: Information collected on the CMS-855 enrollment 
applications are used to verify residency, including the Social 
Security Number and the Date of Birth. This process is a part of the 
general screening process, and is applied to all screening levels, 
including limited.
    Comment: A commenter stated that since illegal immigrants are not 
legally authorized to work in the United States or own or operate a 
business in the United States, CMS should: (1) Coordinate and verify 
both the identity and work status of any individual practitioner or 
owner with the United States Citizenship and Immigration Services, and 
(2) establish new Medicare, Medicaid and CHIP denial and revocation 
reasons when an individual is not authorized to work in the United 
States legally and that CMS refer any individuals to the appropriate 
authorities for expulsion from the United States.
    Response: As stated previously, we have existing procedures in 
place that verify an applicant's eligibility to work in the United 
States.
    Comment: One commenter recommended that CMS furnish the number of 
providers and suppliers by specialty type that have or do not have an 
enrollment record in PECOS. This will, the commenter believes, help 
clarify the impact of this rule on providers and suppliers.
    Response: This final rule with comment period does not impact the 
enrollment requirements related to PECOS for providers and suppliers. 
In May of 2010, we published CMS--6010-IFC which required all 
physicians and eligible professionals who order and refer home health 
services or Part B items and services (excluding Part B drugs) to 
Medicare to be enrolled in PECOS. Additional communications have been 
published with regard to that interim final rule with comment period, 
and do not impact the provisions finalized here. This final rule with 
comment period established the screening requirements for providers 
under Medicare, Medicaid and CHIP, and application fees for newly 
enrolling or revalidating providers. All newly enrolling or 
revalidating providers must establish records in PECOS as this is the 
only available enrollment option at this time.
    Comment: A commenter stated that Medicare, Medicaid and CHIP must 
work in tandem to assure compliance, so that bad actors cannot move 
from one program to another and shelter themselves through the lack of 
coordinated data, standards, information and enforcement.
    Response: We concur with this comment. This final rule with comment 
period implements the ACA provision that requires State Medicaid 
Agencies, to terminate a provider when a provider has been terminated 
by Medicare added at Sec.  455.416. This final rule with comment period 
also implements regulations at Sec.  455.470 that authorizes State 
Medicaid agencies to impose a temporary moratoria when Medicare imposes 
such a moratoria, except when the State Medicaid agency determines an 
imposition would affect beneficiaries' access. These provisions are 
directly aimed at eliminating the type of program abuses addressed by 
the commenter.
    Comment: A commenter stated that despite the additional burdens it 
will create, it supported the proposed rule because there is no 
alternative. The commenter stated that if fraud, abuse and waste are 
not eliminated and quality improvement is not made central to home 
health and hospice, it feared for the future of home-based care when it 
is needed most.
    Response: We agree with the commenter. We believe that these 
provisions are intended to protect the integrity of these programs for 
future generations.
    Comment: A commenter suggested that CMS should change its 
contractors' claims processing system to a system similar to that used 
by credit card companies. This will help ensure that fraud and abuse 
can be detected in real time, rather than later.
    Response: We are continually exploring additional improvements to 
our data systems, but disagree with the commenter's suggestion that we 
must change all of our contractors systems to implement real time data 
analysis. We are committed to working with both private and public 
partners to evaluate technologies that can provide the scalability and 
safeguards to beneficiary access that are necessary to ensure accurate 
payments to legitimate providers for appropriate services supplied to 
enrolled beneficiaries.
    Comment: A commenter stated that CMS should establish a new 
requirement that organized medical staffs and hospitals report the 
provision of (but not the results of) peer review as

[[Page 5948]]

a quality indicator, and that CMS should post the quality indicator for 
each hospital department on its Hospital Compare Web site, together 
with an explanation of the importance of peer review to assure patient 
safety, quality, and identification of medically unnecessary services.
    Response: This comment is beyond the scope of this rule. This final 
rule with comment period does not address the reporting of quality 
indicators or the Hospital Compare Web site.
    Comment: A commenter stated that MACs should no longer accept 
certain CPT codes for laboratory test payments.
    Response: This comment is beyond the scope of this rule. This final 
rule with comment period does not address our coverage and payment 
decisions for CPT codes.
    Comment: A commenter stated that CMS should consider bidding out 
laboratory coding to a contractor, similar to the manner in which the 
PDAC operates for DME coding.
    Response: This comment is beyond the scope of this rule. This final 
rule with comment period does not address the bidding of laboratory 
coding to a contractor.
    Comment: A commenter expressed support for many of the details and 
provisions contained within the proposed rule and requested that CMS 
continue to seek input from all stakeholders about matters related to 
hospitals and health systems.
    Response: We concur with the commenter's request to continue to 
seek input from all stakeholders, and fully intend to do so in regard 
to the requirements of this final rule with comment, as well as annual 
payment regulations.
    Comment: A commenter expressed concern that anti-fraud laws and 
regulations, adopted to root out unscrupulous activity resulting from 
criminal intent, are increasingly used to impose harsh penalties for 
inadvertent mistakes and contribute to the escalating costs of health 
care as providers attempt to comply with increasingly voluminous and 
sophisticated systems and requirements.
    Response: We continually balance the necessity to eliminate fraud, 
waste, and abuse with reducing the burden on legitimate providers, 
suppliers, and beneficiaries. Section 6401 of the ACA requires that the 
Secretary determine the level of screening according to the risk of 
fraud, waste, and abuse. This final rule with comment period implements 
this provision by instituting levels of screening based on risk of 
fraud, waste, and abuse, and has the flexibility to adapt to future 
developments by adjusting the categories as appropriate. We will use 
this new authority to prevent just such situations as described by the 
commenter, and will reduce the burden on legitimate providers who may 
make mistakes, and target fraud prevention resources appropriately.
    Comment: A commenter stated that serial number tracking should be 
considered for much of the equipment provided by DMEPOS suppliers, 
similar to the Vehicle Identifier Number (VIN) system used in the 
transportation manufacturing industry.
    Response: While we appreciate this comment, it appears to be 
outside the scope of this rule. Also, this comment would require a 
thorough evaluation of the cost of such a requirement on DMEPOS 
suppliers, the access issues it could potentially cause to 
beneficiaries if we mandated that only serial numbered equipment must 
be provided to beneficiaries, the additional system requirements that 
we would need to enhance to track such equipment, and the estimated 
benefit from such a requirement.
    Comment: A commenter stated that the fight against health care 
fraud would be bolstered if Medicare, Medicaid and private insurers 
would share information about providers' enrollment and billing 
patterns. The commenter therefore recommended that CMS: (1) Revise its 
regulations and the CMS-855 to collect information about all other 
health care payers, and (2) share the information it collects via the 
enrollment and payment process with private payers, Medicaid, and 
Medicare Advantage Organizations.
    Response: We would have to carefully evaluate the commenter's 
proposal. We must go through notice of rulemaking and comment period 
before revising any regulation. Additionally, we would have to 
carefully consider the privacy issues that accompany increased data 
sharing, especially with private payers, and weigh the potential 
concerns of providers and suppliers with the expected benefit of such a 
measure. However, we have been working closely with private and public 
partners regarding strategies to effectively work together to have a 
broad view of the health care claim landscape, and will continue to 
evaluate opportunities to collaborate on the improved detection of 
health care fraud.
    Comment: A commenter urged CMS to consider ways to enhance Medicare 
CoPs for home health and hospice providers to achieve more lasting 
changes. The commenter stated that CMS withdrew the proposed CoPs 
changes for home health in 1997 and has not taken further action. The 
commenter recommended that CMS consult with provider groups to revise 
and finalize the CoPs for home health as quickly as possible.
    Response: This comment is outside of the scope of the final rule 
with comment period.
    Comment: A commenter recommended that CMS: (1) Provide the direct 
savings that have resulted from provider screening activities between 
2000 and 2010, (2) calculate the savings to the Medicare Trust Funds 
and the General Fund based on this proposed rule, and (3) explain 
whether the estimated savings will result in fewer actual dollars spent 
on health care or whether the changes proposed will only slow the 
expenditure growth.
    Response: We believe that all of the agency's program integrity 
activities have resulted in savings to the Trust Fund and the General 
Fund. We are not required to report a return on investment regarding 
historical screening initiatives, or project savings regarding the 
statutory requirements. The fact that we have in the past denied any 
application means that we have prevented an unqualified provider or 
supplier from providing services and/or care to Medicare beneficiaries 
that could have resulted in physical harm or financial loss to such a 
beneficiary.
    Comment: One commenter stated that this proposed rule will be 
ineffective in halting fraud because it is reactive, and it is 
impossible for any government entity to react in a timely manner.
    Response: We disagree with the comment that the new authorities in 
this final rule with comment period are reactive. Particularly, the 
screening requirements for newly enrolling providers which will 
proactively prevent individuals from entering the Medicare, Medicaid 
and CHIP programs for the sole purpose of defrauding taxpayers. 
Temporary moratoria will also permit the agency to develop a strategy 
to mitigate the risk of fraud while stopping the pace of potentially 
fraudulent enrolling providers. We believe these new tools will enable 
us to become a more proactive gatekeeper of the Medicare Trust Fund.
    Comment: A commenter recommended that all providers and suppliers 
be subject to the provisions associated with section 6401(a)(3) of the 
ACA.
    Response: This comment is outside of the scope of this final rule 
with comment period.
    Comment: A commenter contended that CMS's statement in the preamble 
that Medicare is the primary payer of health care for 45 million 
enrolled

[[Page 5949]]

beneficiaries is incorrect. The correct number should be more than 47 
million. The commenter also recommended that CMS provide the number of 
Medicare beneficiaries that are enrolled in Medicare Advantage plans.
    Response: We will address this correction in the preamble. The 
provisions of this final rule with comment period do not apply to 
Medicare Advantage plans, so the number of Medicare Advantage-enrolled 
beneficiaries would not be relevant to the preamble.
    Comment: A commenter questioned whether CMS could implement the 
provisions of this proposed rule when information on its provider 
enrollment Web site is not regularly updated.
    Response: We are implementing provisions of this proposed rule, and 
are working with the provider community in various outlets, including 
its provider Web site. The provider enrollment Web site will reflect 
the requirements of this final rule with comment period.
    Comment: Several commenters stated that the Federal and State 
programs will be more efficient if they recognize another program's 
enrollment determinations, decisions to suspend payments, and 
imposition of moratoria. To handle the complexity and coordination of 
monitoring participation and appropriately suspending payments or 
terminating contracts with providers and suppliers, the commenter 
recommended CMS develop and maintain a central, consolidated database 
for housing participation status, suspension of payments and imposed 
moratoria for all three programs. The commenters stated that CMS should 
also strengthen and expand efforts to coordinate data sharing between 
government health programs across the various Federal agencies, as well 
sharing of information with MAOs, MCOs and CHIP sponsors.
    Response: We agree with the previous comment that we should seek to 
become more efficient by sharing screening determinations, decisions to 
suspend payments and imposition of enrollment moratoria to the extent 
possible under applicable laws. We are continually evaluating and 
strengthening efforts to coordinate data sharing between health 
programs across various agencies.
    Comment: A commenter stated that regulators and industry need to 
work together to minimize the impact of sham companies and other 
instances of fraud, and that this proposed regulation is a step in the 
right direction.
    Response: We agree with this comment.

III. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 60-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    We solicited public comment on each of these issues for the 
following sections of this document that contain information collection 
requirements (ICRs):
    For this final rule with comment period, we will be retaining the 
Collection of Information estimates in the proposed rule, in accordance 
with the discussion below.

A. ICRs Regarding Medicare Application Fee Hardship Exception (Sec.  
424.514)

    Section 424.514(e) states that a provider or supplier that believes 
it has a hardship that justifies a waiver exception of the application 
fee must include with its enrollment application a letter that 
describes the hardship and why the hardship justifies a waiver 
exception. The burden associated with this requirement is the time and 
effort necessary to submit a Medicare enrollment application, which is 
required currently of any individual or entity enrolling in Medicare. 
In addition to the enrollment application, a provider or supplier would 
have the new burden of drafting and submitting a letter to justify its 
hardship waiver request should it choose to submit one. The burden 
associated with submitting Medicare enrollment applications A, B, I, R 
and CMS-855S, are currently approved under Office of Management and 
Budget (OMB) control numbers 0938-0685 and 0938-1057, respectively). 
Although we have no way of knowing for certain how many entities will 
actually submit an application with a letter requesting a waiver, we 
know that there are likely to be more such requests in the early years 
of implementation than in later years. We estimated that in the first 
year, 12,000 providers or suppliers--or slightly over 50 percent of the 
total number of providers and suppliers that we believe will be subject 
to the application fee--will submit waiver request letters as part of 
their application packages. (As stated in the preamble, the application 
fee does not apply to individual eligible professionals nor to group 
practices of these individual professionals.) We also estimated that it 
will take each provider or supplier 1 hour to develop the letter. The 
total estimated annual burden associated with this requirement is 
therefore 12,000 hours at a cost of $600,000, or $50.00 per waiver 
request.

B. ICRs Regarding Medicare Fingerprinting Requirement (Sec.  424.518)

    Consistent with Sec.  424.518 we will require the submission of a 
set of fingerprints--either electronically collected by CMS' authorized 
channeler or using the FD-258 standard fingerprint card obtained from 
the local law enforcement agency that collected the fingerprints--from 
all individuals who maintain a 5 percent or greater direct or indirect 
ownership interest in a prospective HHA or DMEPOS supplier that is 
enrolling in Medicare. We estimate that CMS or its designated 
contractors will make 7,000 such requests per year. This is predicated 
on our projection that--based on 2009 statistics--roughly 7,000 DMEPOS 
suppliers and HHAs will annually enroll in Medicare. For purposes of 
this ICR statement only, and to ensure that we do not underestimate the 
possible burden, we estimate that all of these providers and suppliers 
will be required to submit fingerprints. We further estimate that an 
average of five individuals per provider or supplier will be required 
to comply with this request. (It must be noted that for purposes of 
this ICR and the RIA below, we sought comments on whether the estimate 
of five individuals per applicant is accurate. No comments were 
received.) Additionally, we estimate that it will take each of the 
35,000 respondents (7,000 provider requests x 5 respondents per 
provider request) an average of 2 hours to obtain and submit 
fingerprints. Consequently, the total estimated annual burden 
associated with this requirement is 70,000 hours (35,000 responses x 2 
hours per response) at a cost of $3.5 million (70,000 hours x $50 per 
hour).
    Sections 424.518(c)(3)(ii) and (iii) call for the submission of a 
set of fingerprints for a national background

[[Page 5950]]

check from all individuals who maintain a 5 percent or greater direct 
or indirect ownership interest in a provider or supplier that has moved 
into the ``high'' risk category based on an adverse action or the 
lifting of a moratorium. The burden associated with this requirement is 
the time and effort necessary for the individual to submit the required 
information upon request. We estimate that CMS or its designated 
contractors will make 2,000 requests per year. This is based on the 
number of providers and suppliers that we estimate will attempt to 
enroll in Medicare: (1) After the lifting of a moratorium for their 
respective provider or supplier type, or (2) that have had one of the 
adverse actions in Sec.  424.518(c)(3)(ii) imposed against it. This 
estimate of course, cannot be conclusively quantified because it is 
impossible for us to say with certainty which provider and supplier 
types will be subject to a moratorium. To ensure that we do not 
underestimate the potential burden, we also calculated projections 
should 5,000 or 10,000 requests be made.
    We estimate that an average of five individuals per provider or 
supplier will be required to comply with this request. We further 
project that it will take each of the 10,000 respondents (2,000 
provider or suppliers requests x 5 respondents per provider or supplier 
request) an average of 2 hours to obtain and submit the fingerprints. 
The estimated annual burden associated with this requirement, based on 
2,000 requests is 20,000 hours (10,000 respondents x 1 response per 
respondent x 2 hours per response) at a cost of $1 million (20,000 
hours x $50 per hour). If 5,000 requests are made, the burden is 50,000 
hours at a cost of $2.5 million (5,000 requests x 5 responses per 
request x 2 hours per response x $50 per hour.) If 10,000 requests are 
made, the burden is 100,000 hours at a cost of $5 million (10,000 
requests x 5 responses per request x 2 hours per response x $50 per 
hour).\6\
---------------------------------------------------------------------------

    \6\ Note that these figures pertain only to individuals who are 
not physicians. Physicians are addressed in the following paragraph.
---------------------------------------------------------------------------

    In addition, there are some limited circumstances when CMS could 
ask a physician to submit fingerprints. For example, a provider or 
supplier that is being enrolled in Medicare after the lifting of a 
temporary moratorium could automatically be classified as ``high'' risk 
and, as such, would be subject to criminal background checks and 
fingerprinting of owners of the company. If a physician were to have a 
5 percent or greater direct or indirect ownership interest in the 
provider or supplier, CMS would have the authority to request 
fingerprints from him or her. Other circumstances might include when a 
physician has had an adverse action imposed against him or her and, in 
accordance with Sec.  424.518(c)(3)(ii), has been placed in the 
``high'' risk category. We estimate that CMS or its designated 
contractors will make 500 such requests for fingerprints per year. We 
further estimate that it will take each of the 500 respondents a total 
of 2 hours to obtain and submit the fingerprints. The total estimated 
annual burden associated with this requirement is 1,000 hours (500 
respondents x 1 response per respondent x 2 hours per response) at a 
cost of $50,000 (1,000 hours x $50 per hour).
    Therefore, assuming that 2,000 post-moratorium requests for 
fingerprints are made, the total estimated annual burden associated 
with the Medicare requirements in this ICR is 103,000 hours at a cost 
of $5,150,000. If 5,000 post-moratorium requests are made, the 
estimated annual burden is 133,000 hours at a cost of $6,650,000. If 
10,000 post-moratorium requests are made, the estimated annual burden 
is 183,000 hours at a cost of $9,150,000.
    Comment: In the collection of information requirements section of 
this proposed rule, CMS used 2009 statistics for estimating the number 
of individuals that will need to undergo fingerprinting. A commenter 
recommended that CMS update these estimates using 2010 data.
    Response: We believe it is more appropriate to use the most recent 
full year's data.
    Comment: A commenter contended that CMS's estimate that it will 
take 2 hours to obtain a set of fingerprints using the FD-258 standard 
fingerprint card seems low. The commenter recommended that CMS provide 
the analysis used, including literature review, to estimate the time it 
will take to obtain a set of fingerprints using the FD-258 fingerprint 
card. The commenter also asked that CMS explain whether there are any 
alternatives to the FD-258 standard fingerprint card and, if there are, 
the costs associated with these alternatives.
    Response: We believe that the 2 hour figure, which was based on our 
analysis of a number of materials, is accurate. Since the FD-258 is the 
standard fingerprint card, we focused primarily on the use of this 
format in the proposed rule. However, as explained in the preamble to 
this final rule with comment period, electronic fingerprints will be an 
alternative--and one that we will encourage--to the FD-258.

C. ICRs Regarding Medicaid Fingerprinting Requirement (Sec.  455.434)

    Section 455.434 states that when a State Medicaid agency determines 
that a provider is ``high'' risk, the State Medicaid agency will 
require that provider to submit fingerprints. We anticipate that States 
will be collecting fingerprints on a significantly smaller number of 
providers. However, as with our estimates of the potential burden for 
the Medicare requirements, we preferred to overestimate the potential 
burden rather than underestimate it. Therefore, we anticipate that 
States may require an additional 26,000 individuals to submit 
fingerprints prior to enrolling in a State's Medicaid program or CHIP. 
The total estimated annual burden associated with this requirement for 
Medicaid and CHIP is 52,000 hours (26,000 respondents x 1 response per 
respondent x 2 hours per response) at a cost of $2.6 million (52,000 
hours x $50 per hour).

D. ICRs Regarding Suspension of Payments in Cases of Fraud or Willful 
Misrepresentation (Sec.  455.23)

    As stated in Sec.  455.23(a), a State Medicaid agency must suspend 
all Medicaid payments to a provider when there is pending an 
investigation of a credible allegation of fraud under the Medicaid 
program against an individual or entity unless it has good cause to not 
suspend payments or to suspend payment only in part. The State Medicaid 
agency may suspend payments without first notifying the provider of its 
intention to suspend such payments. A provider may request, and must be 
granted, administrative review where State law so requires.
    The burden associated with this requirement is the time and effort 
necessary for a provider to request administrative review where State 
law so requires. While this requirement is subject to the PRA, we 
believe the associated burden is exempt in accordance with 5 CFR 
1320.4.

E. ICRs Regarding Collection of SSNs and DOBs for Medicaid and CHIP 
Providers (Sec.  455.104)

    As stated in Sec.  455.104(b)(1), the State Medicaid agency must 
require that all persons with an ownership or control interest in a 
provider submit their SSN and DOB. The burden associated with the 
Medicaid requirements in Sec.  455.104(b)(1) is the time and effort 
necessary for a provider to report the SSN and DOB for all persons with 
an ownership or control interest in a provider.
    Although our data on Medicaid provider enrollment at the national 
level

[[Page 5951]]

is very limited, we do collect annual data on State Medicaid program 
integrity activities. This annual data collection, known as the State 
Program Integrity Assessment (SPIA) program, approved under OCN 0938-
1033, consists of self-reported data by States regarding a variety of 
program integrity related activities. The information is self-reported 
and has not been independently verified by CMS, and it undoubtedly 
represents some unknown degree of duplication among providers across 
States. Consequently, the estimated number of Medicaid providers 
nationally is likely overstated.
    According to SPIA data for FFYs 2007 and 2008, there has been an 
average of 1,855,070 existing Medicaid providers nationally over the 2 
year period of FFY 2007 and FFY 2008. We estimate that one-fifth or 
371,014 (1,855,070 x 20 percent) of existing Medicaid providers would 
be required to re-enroll each year. Additionally, we estimate that 
there will be 56,250 newly enrolling Medicaid providers each year, for 
a total of 427,264 Medicaid providers that will be subject to the SSN 
and DOB reporting requirements each year. We further estimate that it 
will take each provider an average of 2 minutes to report the SSN and 
DOB for all persons with an ownership or control interest. Thus, the 
estimated annual burden associated with this requirement for Medicaid 
providers is 14,242 hours (427,264 x (2 minutes, divided by 60 minutes 
per hour)) at a cost of $712,100 (14,242 hours x $50 per hour).

F. ICRs Regarding Site Visits for Medicaid-Only or CHIP-Only Providers 
(Sec.  455.450)

    As stated in Sec.  455.450(b), a State Medicaid agency must conduct 
on-site visits for providers it determines to be ``moderate'' or 
``high'' categorical risk. We anticipate that Medicare contractors will 
perform the screening activities for the overwhelming majority of 
providers that are dually enrolled in both Medicare and Medicaid and 
thus, we estimate that State Medicaid agencies will conduct 
approximately 5,000 site visits for Medicaid-only providers nationally 
per year. We further estimate that it will take one individual 8 hours 
to perform each on-site visit (including travel time). Thus, the total 
estimated annual burden associated with this requirement for Medicaid 
is 40,000 hours (5,000 site visits x 8 hours) at a cost of $2,000,000 
(40,000 hours x $50 per hour).

G. ICRs Regarding the Rescreening of Medicaid Providers Every 5 Years 
(Sec.  455.414)

    As stated in Sec.  455.414, a State Medicaid agency must screen all 
providers at least every 5 years. This requirement is consistent with 
the Medicare requirement that providers, suppliers, and eligible 
professionals must re-enroll at least every 5 years (more often for 
certain types of suppliers). The burden associated with this 
requirement would be the time and effort necessary for Medicaid-only 
providers to re-enroll in Medicaid, and the time and effort necessary 
for a State to conduct the provider screening,
    Although our data on Medicaid provider enrollment at the national 
level is very limited, we do collect annual data on State Medicaid 
program integrity activities. As previously explained, this annual data 
collection, known as the State Program Integrity Assessment (SPIA) 
program, consists of self-reported data by States regarding a variety 
of program integrity related activities. The information is self-
reported and has not been independently verified by CMS, and it 
undoubtedly represents some unknown degree of duplication among 
providers across States. Consequently, the estimated number of Medicaid 
providers nationally is likely overstated.
    According to SPIA data for FFYs 2007 and 2008, there has been an 
average of 1,855,070 existing Medicaid providers nationally over the 2 
year period of FFY 2007 and FFY 2008. We estimate that one fifth, or 
371,014 (1,855,070 x 20 percent), of existing Medicaid providers would 
be required to re-enroll each year. Although provider enrollment 
requirements vary by State, we further estimate that it will take each 
provider an average of 2 hours to complete the Medicaid re-enrollment 
requirements. Thus, the estimated annual burden associated with this 
requirement for Medicaid providers is 742,028 hours (371,014 responses 
x 2 hours per response) at a cost of $37,101,400 (742,028 hours x $50 
per hour).
    In addition, we estimate that 80 percent of Medicaid providers also 
participate in Medicare, and thus would have provider screening 
activities performed by the Medicare contractors. Thus, we estimate 
that States would be required to conduct provider screening activities 
for 74,203 (371,014 x 20 percent) re-enrolling Medicaid-only providers 
each year. We further estimate that it will take States, on average, 4 
hours to perform the required provider screening activities--noting 
that currently enrolled providers would generally be categorized as 
lower risk than newly-enrolling providers. The estimated burden 
associated with this requirement for State Medicaid agencies is 296,812 
hours (74,203 responses x 4 hours per response) at a cost of 
$14,840,600 (296,812 hours x $50 per hour). We believe that the burden 
on States will be in large part offset by the application fees 
collected and by the Federal share for the amounts not covered by the 
application fee.
    The total estimate annual burden associated with the Medicaid 
prescreening requirement is 1,038,840 hours at a cost of $51,942,000 
($37,101,400 + $14,840,600).

                                                Table 10--Estimated Annual Reporting/Recordkeeping Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                           Hourly       Total
                                               OMB                               Burden per     Total    labor cost  labor cost     Total
          Regulation section(s)              Control   Respondents   Responses    response     annual        of          of        capital/   Total cost
                                               No.                                (hours)      burden     reporting   reporting  maintenance      ($)
                                                                                               (hours)       ($)         ($)      costs  ($)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   424.514(e)**......................  0938-0685;       12,000      12,000        1          12,000          50     600,000            0     600,000
                                            0938-1057
Sec.   424.518(c)(2)(b) and (d)..........    0938-New       35,000      35,000        2          70,000          50   3,500,000            0   3,500,000
Sec.   424.518(c)(3)(iv) and (d).........    0938-New       10,500      10,500        2          21,000          50   1,050,000            0   1,050,000
Sec.   455.434...........................    0938-New       26,000      26,000        2          52,000          50   2,600,000            0   2,600,000
Sec.   455.104...........................    0938-New      427,264     427,264         .033      14,242          50     712,100            0     712,100
Sec.   455.450...........................    0938-New         5000        5000        8          40,000          50   2,000,000            0   2,000,000
Sec.   455.414 (Providers)...............    0938-New      371,014     371,014        2         742,028          50  37,101,400            0  37,101,400
Sec.   455.414 (State Medicaid Agencies).    0938-New       74,203      74,203        4         296,812          50  14,840,600  ...........  14,840,600
                                          --------------------------------------------------------------------------------------------------------------

[[Page 5952]]

 
    Total................................  ..........      960,981     960,981  ...........   1,248,082  ..........  ..........  ...........  62,404,100
--------------------------------------------------------------------------------------------------------------------------------------------------------
** Denotes that we will be submitting revisions of the currently approved information collection requests for OMB review and approval.

    Comment: A commenter requested clarification on whether the dollar 
figure of $62 million in Table 6 of the proposed rule (entitled 
``Estimated Annual Reporting/Recordkeeping Burden'') is the cost shared 
by the Federal Medicare programs as well as all of the State Medicaid 
agencies collectively.
    Response: It includes Medicare costs, and those of the State 
Medicaid agencies.

IV. Response to Comments

    Because of the large number of public comments we normally receive 
on Federal Register documents, we are not able to acknowledge or 
respond to them individually. We will consider all comments we receive 
by the date and time specified in the ``DATES'' section of this 
preamble, and, when we proceed with a subsequent document, we will 
respond to the comments in the preamble to that document.

V. Regulatory Impact Analysis

A. Statement of Need

    This final rule with comment period is needed to implement the 
following provisions of the ACA: (1) Section 6401(a) and section 
6401(b) of the ACA added section 1866(j)(2) to the Act and requires the 
establishment of screening procedures for providers and suppliers in 
the Medicare, Medicaid and CHIP programs; (2) section 6401(a) of the 
ACA added section 1866(j)(2)(C) to the Act and requires the 
establishment of application fees for institutional providers and 
suppliers; (3) section 6401(a) of the ACA added a new section 
1866(j)(7) to the act establishing the use of temporary moratoria 
regarding the enrollment of providers and suppliers in Medicare, and 
section 6401(b)(1) of the ACA added a new section 1902(kk)(4) of the 
Act for a parallel requirement in the Medicaid and CHIP programs; (4) 
section 6501 of the ACA added section 1902(a)(39) to the Act 
establishing guidance for States regarding the termination of providers 
from Medicaid and CHIP if terminated by Medicare or another Medicaid 
State plan or CHIP; and permitting guidance regarding the termination 
of providers and suppliers from Medicare if terminated by a Medicaid 
State agency; and (5) Section 6402(h) of the ACA added 1862(o) to the 
Act establishing the requirements for the suspension of payments 
pending credible allegations of fraud in the Medicare and Medicaid 
programs. As previously explained, we believe these provisions are 
necessary to assist us in preventing fraud, waste and abuse in the 
Medicare, Medicaid and CHIP programs.

B. Overall Impact

    We have examined the impact of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 1993), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act, section 202 of the Unfunded 
Mandates Reform Act of 1995 (Pub. L. 104-4), Executive Order 13132 on 
Federalism (August 4, 1999), and the Congressional Review Act (U.S.C. 
804(s)).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts; and equity). A regulatory impact 
analysis (RIA) must be prepared for rules with economically significant 
effects ($100 million or more in any 1 year). This final rule with 
comment period does reach the economic threshold and thus is considered 
an economically significant rule.
    The RFA requires agencies to analyze options for regulatory relief 
for small businesses. Under the RFA, we must either prepare an Initial 
Regulatory Flexibility Analysis or certify that the final rule with 
comment period will not have a significant impact on a substantial 
number of small entities. For purposes of the RFA, small entities 
include small businesses, nonprofit organizations, and government 
agencies. Most hospitals and most other providers and suppliers are 
small entities, either by nonprofit status or by having revenues of 
less than $7.0 to $34.5 million (depending on provider type) in any one 
year. Individuals and States are not included in the definition of a 
small entity. We do not believe that our application fees will have a 
significant impact on any small entities. Likewise, we do not believe 
that other screening provisions, such as the provision of fingerprints 
or accommodating unannounced visits, will have a significant impact on 
any small entities. We believe this final rule with comment period 
could have significant impact on a relatively small proportion of small 
businesses in terms of restrictions on federal health monies paid to 
small businesses participating in the Medicare or Medicaid programs or 
CHIP. Clearly, imposition of an enrollment moratorium would have an 
impact on a small business that is attempting to do business with any 
of the Federal health programs. Similarly, suspension of payments to 
any small entity could create a significant impact on that entity. 
However, we have no basis for estimating how many entities might be 
affected by these provisions. Finally, we believe that this final rule 
with comment period will reduce fraud and abuse among potential 
providers.
    We believe there will be a significant impact on their ability to 
defraud the taxpayer in several ways. First, closer screening of 
certain high-risk providers and suppliers will better enable CMS to 
detect those individuals and entities that pose a risk to the Medicare 
program. We expect that the prevention of unqualified providers and 
suppliers from enrolling in Medicare will protect the Medicare Trust 
Fund and save the taxpayers millions of dollars. Second, the temporary 
moratoria provisions will enable CMS to restrict the entry of certain 
providers and suppliers into Medicare in order to prevent or combat 
fraud, waste, and abuse, thus, again, saving millions of Federal 
dollars. While we cannot quantify with exactitude the amount of money 
that the Medicare program will save as a result of these measures, we 
do believe that the figure will exceed the costs outlined in this RIA. 
We solicited comment on the overall proposed screening processes of the 
proposed rule, including how the risk of fraud is determined, the 
administrative

[[Page 5953]]

interventions proposed to address the risk, and the criteria for 
exceptions to the enrollment application fee and any temporary 
enrollment moratoria. We requested that small businesses comment on 
these provisions and offer suggestions about how to mitigate what they 
might see as adverse administrative or financial impacts. This RIA, 
taken together with the remainder of the preamble, constitutes an 
Initial Regulatory Flexibility Analysis under the RFA.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 604 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital as a hospital that is located outside of a Metropolitan 
Statistical Area and has fewer than 100 beds. We did not prepare an 
analysis for section 1102(b) of the Act because we have determined that 
this final rule with comment period will not have a significant impact 
on the operations of a substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule that may result in expenditure in any 1 year by State, 
local, or tribal governments, in the aggregate, or by the private 
sector, of $135 million. This rule does mandate expenditures by State 
and local governments, in order to enforce the Medicaid-related 
provisions, but we believe that those expenditures will be relatively 
minor. The mandated costs on providers--primarily for application 
fees--may approach or exceed the threshold for the private sector. 
Accordingly, this RIA constitutes the required assessment of costs and 
benefits under UMRA.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has Federalism 
implications. Since this final rule with comment period would not 
impose any substantial direct requirement costs on State or local 
governments, preempt State law, or otherwise have Federalism 
implication, the requirements of E.O. 13132 are not applicable.
    We received several comments on the RIA. They are as follows:
    Comment: A commenter noted that, under the proposed rule, Medicare 
contractors will not begin processing an enrollment application until 
the application fee is received and credited to the United States 
Treasury. The commenter recommended that CMS estimate the increase in 
enrollment application processing times due to the fee requirement and 
the impact this additional time will have on private sector.
    Response: It is not possible to qualify the additional time, if 
any, that this requirement would have on processing times. Moreover, we 
do not believe that a minor delay in processing would result in any 
quantifiable and definable monetary cost to a particular provider.
    Comment: Several commenters contended that CMS did not comply with 
section 6(a)(3)(C)(i) of Executive Order 12866. Specifically, CMS: (1) 
Did not include an assessment or quantification of benefits associated 
from this regulatory action; (2) the underlying analysis of the costs 
and benefits of potentially effective and reasonably feasible 
alternatives to the planned regulation; (3) explain why the planned 
regulatory action is preferable to the identified potential 
alternatives; (4) include any feasible alternatives to the planned 
screening process; (5) include alternatives to the payment suspension 
portions; (6) include the cost impact on health care providers due to 
increased processing times; (7) solicit comments on or consider the 
costs or benefits of reasonably feasible alternatives, such as 
assessing the application fee by NPI or TIN or assessing the risk based 
on as past experience with the Medicare program or other health plans; 
or (8) consider the Medicare error rate in determining the category of 
risk. The commenter stated that CMS should therefore not finalize the 
provisions of this proposed rule until a new proposed rule is 
published.
    Response: The proposed rule and the final rule with comment period 
both contain a Regulatory Impact Analysis as required by Executive 
Order 12866. As explained in section IV.E. and throughout this final 
rule with comment period, we believe that this regulation will have a 
significant benefit by reducing the ability of potential providers to 
defraud taxpayers. The proposed rule solicited comments on the proposed 
screening categories, on the use of fingerprinting and other 
alternatives to identity verification, on the kind of documentation 
that must be submitted to assert a hardship exception to the 
application fee, an alternative definition of the term ``resolution of 
an investigation,'' on criteria that would justify the reclassification 
of a provider from one risk category to another, on the applicability 
of geography in the determination of a risk category, and on additional 
triggers that would move a provider into a different risk category.
    We did not believe the use of NPIs or TINs in the assessment of the 
application fee was appropriate because the requirement to submit an 
enrollment application is separate from the requirement to have an NPI 
or a TIN. We believe that basing the fee on the submission of an 
application is most consistent with the statute. With respect to the 
Medicare error rate, an erroneously paid claim does not necessarily 
mean that the claim was fraudulently submitted. For this reason, we 
believe it would be improper to use it in our placement of providers 
into risk categories when there were other factors--including 
comprehensive studies of fraudulent behavior, such as OIG and GAO 
reports--that were more conclusive. We have solicited comments on 
proposals and potential alternatives, and have considered such comments 
in the development of this final rule with comment period.
    Comment: A commenter stated that the proposed rule contained a 
number of internal inconsistencies between the preamble and regulation 
impact statement, such as: (1) use of 2.34 percent as the CPI in 
preamble and 3.0 percent as the CPI in the regulation impact section; 
(2) the lack of an ``Alternatives Considered'' section in the 
regulation impact section, and (3) a failure to account for the cost or 
impact of the additional off-cycle revalidations in the regulation 
impact section. The commenter recommended that CMS publish a new 
proposed rule.
    Response: The use of 2.34 percent in the preamble was simply for 
illustrative purposes. Having said that we have revised the 3 percent 
figure to more accurately reflect actual and projected CPI-U statistics 
we have received. Specifically, the rates we used for 2011, 2012, 2013, 
2014 and 2015 are, respectively, 1.0 percent, 2.0 percent, 2.0 percent, 
2.0 percent and 2.0 percent. The figure for 2011 is based on data 
obtained from the Bureau of Labor Statistics, while the data for years 
2012 through 2015 represent the estimated CPI-U figures offered in the 
Budget of the U.S. Government, Fiscal Year 2011. The CPI-U figures 
reflect the percentage change in the consumer price index for all urban 
consumers (all items; United States city average), for the 12-month 
period ending with June of the previous year. Moreover, we have added 
an ``Alternative Considered'' section to the RIA.
    As stated previously, we solicited comments on multiple issues in 
the

[[Page 5954]]

proposed rule. Additionally, we are implementing provisions of the ACA 
that had already outlined certain requirements for the regulations. The 
ACA, for example, required that we determine the level of screening to 
be conducted with respect to the category of provider or supplier, to 
require an application fee of $500 adjusted after 2010 for the consumer 
price index, and to suspend payments pending an investigation of 
credible allegations of fraud.
    The RIA took into account the cost of revalidations beginning on 
March 25, 2011, prior to the date at which CMS could begin off-cycle 
validations under Sec.  424.515(e), but the same date at which the new 
screening requirements will go into effect. Any provider validated 
after March 25, 2011 but before March 23, 2012 will not be subject to 
off-cycle revalidation and any provider that is revalidated will begin 
a new cycle of revalidation requirements. Therefore, any off-cycle 
revalidations that occur after March 23, 2012 will restart the 
revalidation cycle, and only DMEPOS suppliers who are on 3 year 
validations will be revalidated, in cycle, prior to the end of CY 2015. 
We believe the RIA is valid.
    Comment: A commenter noted that, under the proposed rule, Medicare 
contractors will not begin processing an enrollment application until 
the application fee is received and credited to the United States 
Treasury. The commenter recommended that CMS estimate the increase in 
enrollment application processing times due to the fee requirement and 
the impact this additional time will have on private sector.
    Response: It is not possible to qualify the additional time, if 
any, that this requirement would have on processing times. Moreover, we 
do not believe that a minor delay in processing would result in any 
quantifiable and definable monetary cost to a particular provider.
    Comment: One commenter stated that the preamble of this proposed 
regulation uses 2.34 percent as the Consumer Price Index (CPI) for the 
application fee, while the regulatory impact section uses 3 percent as 
the CPI for the application fee. The commenter recommended that CMS: 
(1) Use the official percentage by the Bureau of Labor Statistics in 
calculating the change in application fee year by year, (2) explain if 
a negative CPI will result in a decrease in the application fee, and 
(3) use the actual CPI for 2010 in developing the final rule with 
comment period and establishing the application fee that must be paid 
by providers and suppliers in 2011.
    Response: We agree and, as previously explained, have incorporated 
more accurate CPI-U rates into this final rule with comment period. A 
negative CPI would result in a fee decrease; however, the RIA projects 
a continued increase in the CPI.
    Comment: A commenter noted that CMS states in the RIA that 400,000 
providers and suppliers would need to revalidate their enrollment over 
a 5 year period. However, CMS excluded groups and clinics from the 
impact of the application fee. The commenter did not believe there are 
400,000 providers and suppliers to revalidate, since a large number of 
providers and suppliers are designated as medical groups/clinics. The 
commenter recommended that CMS furnish a breakdown of the providers and 
suppliers that would be required to revalidate their enrollment in 
Medicare and adjust, if necessary, the amount collected via the 
application fee. The commenter also suggested that CMS provide the 
number of providers and suppliers by year that were subject to 
revalidation since 2006.
    Response: We do not believe that a specific breakdown by provider 
type and year is necessary, and maintain our view that approximately 
400,000 providers and suppliers will revalidate their enrollment over a 
5 year period--even accounting for medical groups/clinics. This figure, 
admittedly, may be a little high, but we would prefer to overestimate 
the potential burden than underestimate it.
    In light of these comments, we have revised our calculations based 
on new and more accurate CPI-U rates and have added an ``Alternative 
Considered'' section.

C. Anticipated Effects

1. Medicare
a. Enhanced Screening Procedures--Medicare
    Based on statistics obtained from PECOS and our Medicare 
contractors, there are approximately 400,000 providers and suppliers 
currently enrolled in the Medicare program. (This does not include 
eligible professionals.) This figure includes ambulance service 
suppliers; ambulatory surgical centers; community mental health 
centers; comprehensive outpatient rehabilitation facilities; suppliers 
of DMEPOS; end-stage renal disease facilities; federally qualified 
health centers; histocompatibility laboratories; home health agencies; 
hospices; hospitals, including physician-owned specialty hospitals; 
critical access hospitals; independent clinical laboratories; 
independent diagnostic testing facilities; Indian health service 
facilities; mammography centers; mass immunizers (roster billers); 
medical groups/clinics, including single and multi-specialty clinics; 
organ procurement organizations; outpatient physical therapy/
occupational therapy/speech pathology services; portable x-ray 
suppliers; skilled nursing facilities; radiation therapy centers; 
religious non-medical health care institutions; and rural health 
clinics. We note the following in section III. of this final rule with 
comment period:
     Based on 2009 experience we estimated that there will be 
7,000 DMEPOS suppliers and HHAs that will submit an application to 
become a new Medicare enrolled provider in 2011. We would require 
approximately 35,000 individuals (7,000 providers/suppliers x 5 
individuals per applicant) to undergo fingerprinting to participate in 
the Medicare program as an owner of an HHA or supplier of DMEPOS. We 
have found that the cost of having a set (two prints) of fingerprints 
done through law enforcement is approximately $50.00 per individual. 
(This includes the time spent in obtaining the fingerprints.) The cost 
of this fingerprinting requirement would therefore be $1.75 million per 
year (35,000 individuals x $50).
     We estimated that 10,000 individuals (2,000 providers or 
suppliers x 5 individuals per applicant) would undergo fingerprinting 
following the lifting of a moratorium on a particular provider or 
supplier type, at a cost of $500,000 per year (10,000 x $50). Should 
requests be made of 5,000 providers or suppliers, the annual figure 
would be $1,250,000 (5,000 x 5 individuals per applicant x $50). Should 
requests be made of 10,000 providers or suppliers, the annual figure 
would be $2.5 million (10,000 x 5 x $50).
     We estimate that 500 physicians would undergo 
fingerprinting per year, at a cost of $25,000.
    This results in a total cost of the fingerprinting requirement of 
$2,275,000 per year ($1,750,000 + $500,000 + $25,000), or $11,375,000 
over 5 years. If 5,000 post-moratorium requests are made, the annual 
cost is $3,025,000, with a 5 year cost of $15,125,000. Should 10,000 
post-moratorium requests be made, the annual cost is $4,275,000, with a 
5 year cost of $21,375,000.
    As we believe that 2,000 post-moratorium requests is the most 
likely scenario, we will hereafter use the $2,275,000 amount as the 
annual cost of this requirement. This results in an estimated 5 year 
cost of $11,375,000.

[[Page 5955]]

b. Application Fee--Medicare
    The Secretary shall impose an application fee on each institutional 
provider. The amount of the fee is $500 per provider or supplier for 
2010. For 2011 and each subsequent year, the fee amount will be 
determined by the statutorily required formula using the consumer price 
index for all urban consumers (CPI-U). The enrollment application fee 
does not apply to individual eligible professionals (for example, 
physicians). The fee is to be paid by institutional providers only. The 
new screening provisions are applicable to new and revalidating 
providers and suppliers effective March 25, 2011, and to currently 
enrolled providers and suppliers as of March 23, 2012. We will to begin 
collecting the enrollment application fee for new providers and 
suppliers and for currently enrolled providers revalidating enrollment 
effective March 25, 2011.
c. General Enrollment Framework
(1) New Enrollment
    Medicare contractors report that over the last several years, 
approximately 32,000 is the annual number of newly enrolling providers 
and suppliers that would--without accounting for the possible granting 
of waivers--be subject to the enrollment application fee--
(approximately 20,000 for Medicare Part B, approximately 7,000 DMEPOS 
suppliers and HHAs (as explained in the Collection of Information 
section), and approximately 5,000 non-HHA Medicare Part A 
providers).\7\
---------------------------------------------------------------------------

    \7\ For purposes of the calculations in this RIA, newly-
enrolling Medicare providers and suppliers include those that were 
once enrolled, departed, and are now seeking to enroll again.
---------------------------------------------------------------------------

    We assumed that no more than 2.5 percent of these 32,000 providers 
and suppliers--or 800--will receive a hardship exception; as indicated 
earlier, exceptions will only be approved infrequently.
    In CY 2011, we reduced the estimate number of institutional 
providers subject to the application fee by 25 percent because the 
application fee will not begin until March 25, 2011. Accordingly, the 
number of institutional providers that we anticipate paying the 
application fee will be 23,400 (or 31,200 x .75) in CY 2011. Therefore, 
the impacts of the enrollment application fee are as follows. If we use 
23,400 as the number of newly enrolling providers and suppliers in 2011 
and multiply this number by an application fee of $505 (or $500 x 1.0 
percent), we get $ 11,817,000 collected for the first year (that is, CY 
2011). If we assume that the number of newly enrolling providers and 
suppliers will remain constant at 31,200 for years 2012 through 2015, 
the cost to the number of newly enrolling providers and suppliers would 
be $78,054,600. Although we have no way to predict that the number of 
new enrollments will change in future years, it is possible that the 
number of enrolling providers and suppliers vary from what has been the 
norm. If our estimate of the number of newly enrolling providers is 
inaccurate and we enroll a different number of providers and suppliers 
after the effective date of the new screening and other provisions 
contained in the ACA, we estimate based on the $500 enrollment 
application fee--a rough difference of $1 million for each increment of 
2,000 new enrollments, whether fewer or greater.

            Table 11--Cumulative Application Fees for Newly Enrolling Medicare Providers and Suppliers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                Newly enrolling
                                                                 institutional
                                              Newly enrolling    providers and
                                               institutional    suppliers paying   CPI-U increase    Consumer price    Total fees for    Cumulative fees
               Calendar year                   providers and    the application          (%)         index adjusted     each year in       in dollars
                                                 suppliers      fee  (based on a                    fee in dollars *       dollars
                                                                 2.5% hardship
                                                                exception rate)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011.......................................            24,000             23,400               1.0               505        11,817,000        11,817,000
2012.......................................            32,000             31,200               2.0               515        16,068,000        27,885,000
2013.......................................            32,000             31,200               2.0               525        16,380,000        44,265,000
2014.......................................            32,000             31,200               2.0               536        16,723,200        60,988,200
2015.......................................            32,000             31,200               2.0               547        17,066,400        78,054,600
                                            ------------------------------------------------------------------------------------------------------------
    Total..................................  ................  .................  ................  ................        78,054,600        78,054,600
--------------------------------------------------------------------------------------------------------------------------------------------------------
* As already mentioned, section 6401(a)(3) of the ACA called for a $500 application fee for institutional providers in 2010. Since the effective date of
  this final rule with comment period is March 25, 2011, we have added a 1.0 percent increase to the $500 fee for 2011. Moreover, each fee amount in
  this category was rounded up to the nearest dollar.

(2) Revalidation
    There are approximately 100,000 currently enrolled suppliers of 
DMEPOS who are required to revalidate their enrollment every 3 years 
and 300,000 additional providers and suppliers that do not provide 
DMEPOS that are required to revalidate their enrollment every 5 years. 
On a yearly basis, we estimate that approximately 33,000 DMEPOS 
suppliers (one-third of the total) and 60,000 other, non-DMEPOS 
providers/suppliers (one-fifth of the total) would revalidate their 
enrollment in Medicare, for an annual total of 93,000. Since, as 
explained earlier, we estimate that no more than 2.5 percent of these 
providers and suppliers will receive a waiver from the application fee, 
we project that 90,675 such providers and suppliers will be subject to 
the fee.
    This final rule with comment period contemplates collecting the 
application fee for currently enrolled providers that revalidate their 
enrollment on or after March 25, 2011--almost 3 months into CY 2011. 
Therefore, we have adjusted the number of existing Medicare 
institutional providers subject to an application fee by 25 percent, 
from 90,675 to 68,006 (or 90,675 x .75) in CY 2011. With respect to the 
period between CY 2012 and 2015, it is possible that, as previously 
alluded to in the preamble, we may perform an elevated number of 
revalidations early in this 4-year timeframe--specifically, in CY 2012. 
This would be done

[[Page 5956]]

pursuant to our authority under Sec.  424.515(e) to require off-cycle 
revalidations. We cannot say for certain how many will be performed in 
CY 2012. For purposes of this RIA only, however, we will estimate that 
111,000 will be conducted in CY 2012, with 87,000 performed in each of 
the remaining 3 years. Further accounting for projected annual CPI-U 
rate increases, we estimate that the cost associated with these fees 
for revalidating providers and suppliers would be approximately 
$226,477,505 over the first 5 years that the ACA provisions are in 
effect, as shown in Table 12.

             Table 12--Cumulative Application Fees for Revalidating Medicare Providers and Suppliers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  Revalidating
                                                                  institutional
                                                Revalidating       providers &
                                                institutional   suppliers paying                     Consumer price    Total fees for    Cumulative fees
                Calendar year                   providers and    application fee   CPI-U increase    index adjusted    each year  (in     (in dollars)
                                                  suppliers       (based on 2.5%                     fee in dollars       dollars)
                                                                    hardship
                                                                 exception rate)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011........................................            69,750            68,006              1.0%               505        34,343,030        34,343,030
2012........................................           111,000           108,225              2.0%               515        55,735,875        90,078,905
2013........................................            87,000            84,825              2.0%               525        44,533,125       134,612,030
2014........................................            87,000            84,825              2.0%               536        45,466,200       180,078,230
2015........................................            87,000            84,825              2.0%               547        46,399,275       226,477,505
                                             -----------------------------------------------------------------------------------------------------------
    Total...................................  ................  ................  ................  ................       226,477,505       226,477,505
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Therefore, we estimate that the total impact of the provisions for 
the application fee to be approximately $304,532,105 over the next 5 
years. This number was approximated by adding the cumulative 
application fees for newly enrolling providers and suppliers 
($78,054,600 as shown in Table 11) to the cumulative application fees 
for revalidating providers and suppliers ($226,477,505).
2. Medicaid
a. Enhanced Screening Procedures
    Although our data on Medicaid provider enrollment at the national 
level is very limited, we do collect annual data on State Medicaid 
program integrity activities. This annual data collection, known as the 
State Program Integrity Assessment (SPIA) program, consists of self-
reported data by States regarding a variety of program integrity 
related activities. The information is self-reported and has not been 
independently verified by CMS, and it undoubtedly represents some 
unknown degree of duplication among providers across States. 
Consequently, the estimated number of Medicaid providers nationally is 
likely overstated. According to SPIA data for FFYs 2007 and 2008, there 
has been an average of 1,855,070 existing Medicaid providers nationally 
over the 2-year period of FFY 2007 and FFY 2008. This universe of 
Medicaid providers includes all provider types, both institutional 
providers and individual practitioners. In the Medicare program, 
eligible practitioners make up approximately 70 percent of the total 
universe of providers, suppliers, and eligible practitioners. Because 
we do not have detailed information regarding the breakdown of Medicaid 
providers by type nationally, we will apply the same ratio to determine 
the percentage of institutional Medicaid providers. Therefore, we 
estimate that there are approximately 556,521 Medicaid-only providers 
nationally that are not individual practitioners.
    We also estimate almost all CHIP providers are also Medicaid 
providers. So, for purposes of this section, we are considering CHIP 
providers to also be Medicaid providers and will subsequently refer to 
them only as Medicaid providers.
    As previously stated in the Medicare section of the analysis, we 
estimated that we would require the following:
     Approximately 35,000 individuals will undergo 
fingerprinting to enroll in the Medicare program as owners, of a home 
health agency or supplier of DMEPOS. Based on data collected as part of 
the State survey and certification activities for home health agencies, 
less than 1 percent of home health agencies are Medicaid-only. And, 
although there is no data available on the number of Medicaid-only 
suppliers of DMEPOS, we estimated that the number is minimal as well, 
as a number of States require suppliers of DMEPOS to be enrolled in 
Medicare prior to enrolling in Medicaid. Therefore, we estimated that 
States may require approximately 1,000 additional individuals with 
ownership interests in suppliers of DMEPOS or home health agencies, to 
undergo fingerprinting for enrollment in the Medicaid program. The cost 
of this fingerprinting requirement would be approximately $50,000 
(1,000 x $50 = $50,000), though we solicited comments on the accuracy 
of this figure.
     We anticipated that Medicare contractors will perform the 
screening activities for the overwhelming majority of providers 
following the lifting of a Secretary-imposed temporary moratorium and 
for the limited circumstances in which physicians may be fingerprinted. 
However, given that States may also classify certain Medicaid-only 
providers as ``high'' categorical risks, we are estimating that States 
may require approximately 25,000 additional individuals to undergo 
fingerprinting prior to enrolling in a State's Medicaid program, at a 
cost of $1,250,000 (25,000 x $50 = $1,250,000).
    Consequently, we estimated that fingerprinting individuals for 
purposes of Medicaid enrollment will cost $1,300,000. When averaged 
across 50 States, the District of Columbia and Puerto Rico, the annual 
cost of fingerprinting per State will be $26,000.
b. Application Fee--Medicaid
    For those providers not screened by Medicare, the State may impose 
a fee on each institutional provider being screened. The amount of the 
fee is $500 per provider for 2010. For 2011 and each subsequent year, 
the amount will be determined by the statutorily-required formula using 
the consumer price index for all urban consumers (CPI-U).

[[Page 5957]]

c. General Enrollment Framework
    For purposes of this section, we assume that 80 percent of 
institutional Medicaid providers will be dually participating in both 
Medicare and Medicaid, and thus will be subject to the application fee 
as part of the Medicare screening and enrollment. Therefore we 
estimated that 20 percent, or 111,304 (556,521 x 20 percent), of the 
institutional Medicaid-only providers will not be screened by Medicare 
and thus will be subject to the application fee under Medicaid. We 
project that a significant number of existing and future Medicaid 
providers will request a hardship exception, or that a State will 
request a waiver of the application fee for certain Medicaid provider 
types of the application fee on the basis of ensuring access to care. 
For purposes of this section, although we have no way to estimate the 
exact number of providers that will ultimately request and be approved 
for a hardship exception, or the number of States that will request a 
waiver of the fee for certain Medicaid provider types, we predict that 
25 percent of all Medicaid providers subject to the fee will receive 
the hardship exception or be granted a waiver of the fee on the basis 
of ensuring beneficiary access to care. We recognize that this 25 
percent figure is significantly higher than the 2.5 percent waiver rate 
we are using for Medicare application fees. Yet we believe the 
difference is justified because of the greater access to care issues 
that may arise in Medicaid. Consequently, we estimated that 83,478 
existing Medicaid providers will be required to pay the application fee 
(111,304 existing Medicaid providers that are not dually enrolled less 
25 percent or 27,826 existing providers).
(1) New Enrollments
    We apply the 80 percent rate for newly-enrolling Medicaid 
institutional providers that will be dually participating in both 
Medicare and Medicaid and thus not subject to the fee under Medicaid, 
and 25 percent hardship exception rate to the annual number of newly-
enrolling Medicaid institutional providers not dually enrolled. The 
45,000 newly-enrolling Medicare institutional providers annually 
represent 80 percent of the total newly-enrolling Medicaid 
institutional providers annually. Therefore, we estimate that there 
will be 11,250 newly-enrolling Medicaid institutional providers 
annually that are subject to the application fee under Medicaid (45,000 
providers divided by 80 percent, - 45,000 = 11,250). We project another 
25 percent will be exempted for hardship or be granted a waiver of the 
fee on the basis of ensuring beneficiary access to care, resulting in 
8,438 newly-enrolling Medicaid institutional providers being subject to 
the application fee each year nationally.
    Consistent with the Medicare analysis, in CY 2011, we reduced the 
estimated number of institutional providers subject to the application 
fee by 25 percent because the application fee will not begin until 
March 25, 2011. Accordingly, the number of institutional providers that 
we anticipate paying the application fee will be 6,329 in CY 2011. 
Consequently, we projected the dollars due from application fees for 
newly-enrolling Medicaid institutional providers who are not dually 
enrolled to be $21,110,019 for the first 5 years in total. When 
averaged across 50 States, the District of Columbia and Puerto Rico, 
the total application fees for the 5 years in total per State will be 
approximately $405,962.

                   Table 13--Cumulative Application Fees for Newly Enrolled Medicaid Providers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  New Medicaid
                                                                  providers not                      Consumer price    Total fees for
                         Calendar year                            exempted from    CPI-U increase    index adjusted     each year (in    Cumulative fees
                                                                 the application                        fee  (in          dollars)        (in dollars)
                                                                       fee                              dollars)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011..........................................................             6,329              1.0%               505         3,196,145         3,196,145
2012..........................................................             8,438           2.01.1%               515         4,345,570         7,541,715
2013..........................................................             8,438              2.0%               525         4,429,950        11,971,665
2014..........................................................             8,438              2.0%               536         4,522,768        16,494,433
2015..........................................................             8,438              2.0%               547         4,615,586        21,110,019
                                                               -----------------------------------------------------------------------------------------
    Total.....................................................  ................  ................  ................        21,110,019        21,110,019
--------------------------------------------------------------------------------------------------------------------------------------------------------

(2) Re-enrollment
    This rule contemplates that States would require Medicaid providers 
to re-enroll every 5 years. On a yearly basis, we estimate that 
approximately 16,696 Medicaid institutional providers (one fifth of the 
total) would re-enroll with the State Medicaid agency. We contemplate 
collecting the application fee for currently enrolled providers 
beginning on March 24, 2011. States would not collect an application 
fee with any re-enrollments until that time--almost 3 months into CY 
2011. Therefore, we have adjusted the number of existing Medicaid 
institutional providers subject to an application fee by 25 percent, 
from 16,696 to 12,522 in CY 2011. Consequently, we project the dollars 
due from application fees for currently-enrolled Medicaid institutional 
providers who are not dually enrolled is $41,769,218 for the first 5 
years in total. When averaged across 50 States, the District of 
Columbia and Puerto Rico, the total application fees for the 5 years in 
total per State will be approximately $803,254.

                    Table 14--Cumulative Application Fees for Re-Enrolling Medicaid Providers for the First 5 Years of the Provision
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  Existing
                                                                  Medicaid
                                                                providers not                      Consumer price     Total fees for    Cumulative fees
                        Calendar year                           exempted from    CPI-U increase    index adjusted      each year in        in dollars
                                                               the application                     fee in dollars        dollars
                                                                     fee
--------------------------------------------------------------------------------------------------------------------------------------------------------
2011........................................................            12,522              1.0%               505          6,323,610          6,323,610

[[Page 5958]]

 
2012........................................................            16,696              2.0%               515          8,598,440         14,922,050
2013........................................................            16,696              2.0%               525          8,765,400         23,687,450
2014........................................................            16,696              2.0%               536          8,949,056         32,636,506
2015........................................................            16,696              2.0%               547          9,132,712         41,769,218
                                                             -------------------------------------------------------------------------------------------
    Total...................................................  ................  ................  ................         41,769,218         41,769,218
--------------------------------------------------------------------------------------------------------------------------------------------------------

3. Medicare and Medicaid
a. Moratoria on Enrollment of New Medicare Providers and Suppliers and 
Medicaid Providers
    Although we have no way of predicting the exact cost savings 
associated with enrollment moratoria, we expect there will be program 
savings achieved by implementation of this section. As stated 
previously, these provisions will enable us to restrict the entry of 
certain providers and suppliers into Medicare in order to prevent or 
combat fraud, waste, and abuse. However, there are no cost burdens to 
the public or to the provider community. Therefore, we have not 
estimated the cost impacts of this provision.
b. Suspension of Payments in Medicare and Medicaid
    As with payment moratoria, although we have no way of predicting 
the exact cost savings to Medicare and Medicaid associated with 
implementation of the provisions contained in this final rule with 
comment period, we certainly expect that there will be program savings 
that result from implementation of this provision. CMS and its law 
enforcement partners already have a process for payment suspension when 
possible fraud is involved. The changes finalized in this rule will 
strengthen the existing process and its applicability to Medicaid, but 
it will not create any different impact or burden on the provider 
community in circumstances of payment suspension. There are no new cost 
burdens to the public or the provider community associated with this 
provision.

D. Accounting Statement and Table

    As required by OMB Circular A-4 (available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/circulars/a004/a-4.pdf), we have prepared an accounting statement. This statement only 
addresses: (1) The costs of the fingerprinting requirement, and (2) the 
monetary transfer associated with the application fee. It does not 
address the potential financial benefits of these two requirements from 
the standpoint of their possible effectiveness in deterring certain 
unscrupulous providers and suppliers from enrolling in or maintaining 
their enrollment in Medicare and Medicaid. This is because it is 
impossible for us to quantify these benefits in monetary terms. 
Moreover, we cannot predict how many potentially fraudulent providers 
and suppliers will be kept out of the Medicare and Medicaid programs 
due to these requirements.
1. Medicare
    As stated previously, we estimate a total cost of the 
fingerprinting requirement of $2,275,000 per year ($1,750,000 + 
$500,000 + $25,000), or $11,375,000 over 5 years, if 2,000 post-
moratorium requests are made. If 5,000 post-moratorium requests are 
made, the annual cost is $3,025,000, with a 5 year cost of $15,125,000. 
Should 10,000 post-moratorium requests be made, the annual cost is 
$4,275,000, with a 5 year cost of $21,375,000. We also stated in the 
RIA that the expected total application fees:
     For newly enrolling providers and suppliers would be 
$11,817,000 in 2011, $16,068,000 in 2012, $16,380,000 in 2013, 
$16,723,200 in 2014, and $17,066,400 in 2015. This results in a 5 year 
total of $78,054,600.
     For revalidating providers and suppliers would be 
$34,343,030 in 2011, $55,735,875 in 2012, $44,533,125 in 2013, 
$45,466,200 in 2014, and $46,399,275 in 2015. This results in a 5-year 
total of $226,477,505.
    The accounting statement reflects the: (1) Annual cost of the 
fingerprinting requirement, and (2) the application of the 3 percent 
and 7 percent discount rate to the combined amounts of the application 
fees for CY 2012--that is, $16,068,000 (newly enrolling) plus 
$55,735,875 (revalidations), for a total of $71,803,875; this 
constitutes a transfer of funds to the Federal government. We chose the 
CY 2012 figures so as to reflect the maximum amount of transferred 
funds in a given year during the initial 5-year period.
2. Medicaid
    As stated in the RIA, we estimate that the annual cost of the 
fingerprint requirement for Medicaid will be $1,300,000, or $6,500,000 
over a 5 year period. We also stated in the RIA that the expected total 
application fees:
     For newly enrolling providers and suppliers would be 
$3,196,145 in 2011, $4,345,570 in 2012, $4,429,950 in 2013, $4,522,768 
in 2014, and $4,615,586 in 2015. This results in a 5-year total of 
$21,110,019.
     For revalidating providers and suppliers would be 
$6,323,610 in 2011; $8,598,440 in 2012; $8,765,400 in 2013; $8,949,056 
in 2014; and $9,132,712 in 2015. This results in a 5-year total of 
$41,769,218.
    The accounting statement reflects: (1) The annual cost of the 
fingerprinting requirement: And (2) the application of the 3 percent 
and 7 percent discount rate to the combined amounts of the application 
fees for CY 2015--specifically, $4,615,586 (new applicants) plus 
$9,132,712 (revalidations), for a total of $13,748,298. This 
constitutes a transfer of funds to the Federal government. We chose the 
figures from CY 2015 for Medicaid so as to reflect the maximum amount 
of transferred funds in a given year during the initial 5-year period.

[[Page 5959]]



 Table 15--Accounting Statement: Classification of Estimated Expenditures and Costs from CY 2011 to CY 2015 (in
                                                    Millions)
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
              Medicare Fingerprint Requirement                                       COSTS
----------------------------------------------------------------------------------------------------------------
                                                              3 percent Discount Rate   7 percent Discount Rate
Annualized Monetized Costs (2,000 post[dash]moratorium                         $2.275                    $2.275
 requests)..................................................
----------------------------------------------------------------------------------------------------------------
Annualized Monetized Costs (5,000 post[dash]moratorium                         $3.025                    $3.025
 requests)..................................................
----------------------------------------------------------------------------------------------------------------
Annualized Monetized Costs (10,000 post[dash]moratorium                        $4.275                    $4.275
 requests)..................................................
----------------------------------------------------------------------------------------------------------------
                      Who is Affected?                                      Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
                  Medicare Application Fee                                         TRANSFERS
----------------------------------------------------------------------------------------------------------------
                                                              3 percent Discount Rate   7 percent Discount Rate
Annualized Monetized Transfers (through 2015)...............                    $48.2                     $47.3
----------------------------------------------------------------------------------------------------------------
                     From Whom to Whom?                          Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
              Medicaid Fingerprint Requirement                                       COSTS
----------------------------------------------------------------------------------------------------------------
                                                              3 percent Discount Rate   7 percent Discount Rate
Annualized Monetized Costs..................................                     $1.3                      $1.3
----------------------------------------------------------------------------------------------------------------
                      Who is Affected?                                      Providers and Suppliers
----------------------------------------------------------------------------------------------------------------
                  Medicaid Application Fee                                         TRANSFERS
----------------------------------------------------------------------------------------------------------------
                                                              3 percent Discount Rate   7 percent Discount Rate
Annualized Monetized Costs..................................                    $10.1                     $10.0
----------------------------------------------------------------------------------------------------------------
                     From Whom to Whom?                       Providers and Suppliers to Federal Government
----------------------------------------------------------------------------------------------------------------
                                                              BENEFITS
----------------------------------------------------------------------------------------------------------------
Qualitative: The above[dash]referenced requirements will: (1) Allow CMS to more closely screen providers and
 suppliers that pose risks to the Medicare and Medicaid programs; (2) help offset the costs of administering the
 Medicare and Medicaid programs; (3) limit, via the imposition of moratoria, the entry of certain categories of
 providers and suppliers into Medicare if this is deemed necessary to protect the Medicare Trust Fund; and (4)
 suspend payments to certain providers and suppliers that pose a risk to the Trust Fund. We believe these and
 other financial benefits outlined in this rule will exceed the costs outlined above............................
----------------------------------------------------------------------------------------------------------------

E. Alternatives Considered

1. General Burden Minimization Efforts
    The RFA requires agencies to analyze options for the regulatory 
relief of small entities. In compliance with section 604 of the RFA, we 
have incorporated several options designed to minimize the burden of 
the requirements in this final rule with comment period.
    First, we have waived the application fee for individual 
physicians, non-physician practitioners, and physician and non-
physician practitioner groups, which are generally small businesses. We 
believe this is consistent with congressional intention as expressed in 
section 6401(a) of ACA. We also believe this will ease the financial 
burden on this large category of small businesses.
    Second, the high-risk category is limited to relatively few types 
of providers and suppliers. We could have elected to include many more 
providers and supplier types within this category and, subsequently, 
subjected them to the enhanced screening requirements of fingerprint-
based criminal background checks. However, in part so as not to overly 
burden these entities, many of which are small businesses, we chose to 
restrict the high-risk category to a limited number of provider types.
2. Fingerprinting
    We received several comments proposing alternatives to 
fingerprinting as a screening mechanism. The two principal suggested 
alternatives were the submission of a: (1) U.S. or foreign passport; 
and (2) copies of the individual's Federal tax returns. However, we 
explained in the preamble, we are adopting fingerprint-based criminal 
background checks.
    There are several reasons for our decision to proceed with 
fingerprinting as opposed to passports and tax returns. First, we are, 
to a large extent, combining the fingerprinting and criminal background 
check processes for providers and suppliers. These will be done though 
the FBI IAFIS, which we believe is the most reliable and appropriate 
avenue available. The submission of fingerprints is the only way to 
obtain a criminal history record check from the FBI IAFIS. Information 
from a U.S. or foreign passport or a Federal tax return, on the other 
hand, could only be used to process a name-based criminal history 
record check--and the FBI does not process name-based requests for non-
criminal justice purposes.
    Second, we believe that fingerprinting--more than any other 
mechanism--will allow us to conclusively identify the individuals that 
will be participating in the Medicare program. Indeed, a tax return, 
while containing certain identifying information, does not--in our 
view--produce the level of assurance in this area that fingerprinting 
does.
    Finally, the use of passports or tax returns would require CMS to 
forgo the unified approach of the FBI IAFIS and instead have two 
separate processes--one for verifying identify and another for 
analyzing the person's criminal history. This would result in: (1) A 
verification process that is not as reliable as fingerprinting, and (2) 
a

[[Page 5960]]

distinct and potentially costly process for criminal background checks 
through private entities that, we believe, will probably not involve 
access to the scope of data that the FBI has.
    We believe that the overall costs involved in maintaining such a 
two-part approach would, in the end, exceed that of the FBI IAFIS 
approach, especially if--as we expect--the overwhelming majority of 
individuals subject to the fingerprinting requirement submit them 
electronically. Indeed, with respect to the cost differential between 
the paper and electronic fingerprinting processes, we stated earlier in 
the RIA that we estimate an average annual cost of the fingerprinting 
requirement of $2,275,000 (if 2,000 post-moratorium requests are made), 
based on: (1) The fingerprinting of 45,500 individuals; and (2) a $50 
cost per person for obtaining a set of fingerprints via the FD-258. We 
believe that the per person cost for submitting fingerprints 
electronically will be approximately $35. If we assume that 40,000 of 
the 45,500 individuals submit fingerprints electronically and the 
remaining 5,500 use the FD-258, this results in an annual cost of 
$1,675,000, or $600,000 less than $2,275,000. This leads to a savings 
over 5 years of $3,000,000 ($600,000 x 5).
    It is not possible for us to quantify the costs involved in having 
the FBI IAFIS perform the criminal background checks. However, we can 
estimate that it would cost approximately $40 per person to perform a 
criminal background check via private entities. This would result in an 
annual cost of $1,820,000, or $9,100,000 over 5 years. With the 
efficiency furnished through the use of the FBI-IAFIS, we do not 
believe the cost of these checks would ultimately exceed $9,100,000.
    We concede that the submission of a passport or tax return would 
not involve the processing costs that would come with fingerprinting. 
But the ability to verify one's identity via fingerprinting is, we 
believe, sufficiently greater than with the latter two documents, such 
that the overall program integrity savings would substantially exceed 
any additional cost incurred in using fingerprints in lieu of passports 
and tax returns.
3. Other Suggested Alternatives
    We received several other suggested alternatives to our proposed 
provisions. One was to assess the application fee based on the NPI or 
TIN. As stated earlier in this RIA, we did not believe this approach 
was appropriate because the requirement to submit an enrollment 
application is separate from the requirement to have an NPI or a TIN. 
We believe that basing the fee on the submission of an application is 
most consistent with the statute. Another involved taking into account 
factors such as: (1) Error rates; (2) past history with Medicare, 
Medicaid and other health plans; and (3) ownership, when assessing a 
provider or supplier's risk. In section II of this final rule with 
comment period, we stated that the ACA requires levels of screening 
according to the risk of fraud, waste, and abuse posed by categories of 
providers and suppliers as a whole. The approach taken in this final 
rule with comment period whereby we assign specific categories of 
providers and suppliers to screening levels determined by risk of 
fraud, waste, and abuse is consistent with the requirements of the 
statute. Therefore, in general, we chose to use a categorical approach 
to our classifications, rather than assign individual providers within 
a particular provider type to certain risk levels.

F. Conclusion

    This final rule with comment period contains provisions that are of 
critical importance in the transition of CMS' antifraud activities from 
``pay and chase'' to fraud prevention. ``Pay and chase'' refers to the 
traditional approach under which we met our obligations to provide 
beneficiaries access to qualified providers and suppliers and to pay 
claims quickly by making it relatively easy for providers to sign up to 
bill Medicare, Medicaid or CHIP, paying their claims rapidly, and then 
detecting overpayments or fraudulent bills and pursuing recoveries of 
overpayments after the fact. That system functions reasonably well when 
the problems arise with legitimate providers and suppliers that will be 
solvent and in business when CMS seeks to recover overpayments or law 
enforcement pursues civil or criminal penalties. It is not adequate 
when the fraud is committed by sham operations that provide no services 
or supplies and exist simply to steal from Medicare or Medicaid and 
thrive on stealing or subverting the identities of beneficiaries and 
providers.
    This final rule with comment period strikes a balance that will 
permit us to continue to assure that eligible beneficiaries receive 
appropriate services from qualified providers whose claims are paid on 
a timely basis while implementing enhanced measures to prevent outright 
fraud. The new and strengthened provisions in the ACA that are the 
subject of this final rule with comment period will help assure that 
only legitimate providers and suppliers are enrolled in Medicare, 
Medicaid, and CHIP, and that only legitimate claims will be paid. These 
provisions are applied according to the level of risk of fraud, waste, 
and abuse posed by different provider and supplier types. We will use 
screening tools for a particular provider or supplier type based on 3 
distinct categories of risk: (1) Limited; (2) moderate; and (3) high. 
Limited risk providers will have enrollment requirements, license and 
database verifications; moderate risk will have those verifications 
plus unscheduled site visits; high risk will have verifications, 
unscheduled site visits, criminal background check and fingerprinting. 
CMS and the States will impose moratoria on the enrollment of new 
providers in situations when doing so is necessary to protect against a 
high risk of fraud. Working in conjunction with the OIG, CMS and States 
will suspend payments pending an investigation of a credible allegation 
of fraud and legitimate providers will be assisted in avoiding problems 
by implementing effective compliance programs.
    This final rule with comment period is an essential tool in 
protecting public resources and assuring that they are devoted to 
providing health care rather than enriching fraudulent actors.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

List of Subjects

42 CFR Part 405

    Administrative practice and procedure, Health facilities, Health 
professions, Kidney diseases, Medical devices, Medicare, Reporting and 
recordkeeping requirements, Rural areas, X-rays.

42 CFR Part 424

    Emergency medical services, Health facilities, Health professions, 
Medicare, and Reporting and recordkeeping requirements.

42 CFR Part 438

    Grant programs--health, Medicaid, Reporting and recordkeeping 
requirements.

42 CFR Part 447

    Accounting, Administrative practice and procedure, Drugs, Grant 
programs--health, Health facilities, Health professions, Medicaid, 
Reporting and recordkeeping requirements, and Rural areas.

[[Page 5961]]

42 CFR Part 455

    Fraud, Grant programs--health, Health facilities, Health 
professions, Investigations, Medicaid, and Reporting and recordkeeping 
requirements.

42 CFR Part 457

    Administrative practice and procedure, Grant programs--health, 
Health insurance, and Reporting and recordkeeping requirements.

42 CFR Part 498

    Administrative practice and procedure, Health facilities, Health 
professions, Medicare, Reporting and recordkeeping requirements.

42 CFR Part 1007

    Administrative practice and procedure, Fraud, Grant programs--
health, Medicaid, and Reporting and recordkeeping requirements.
    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services amends 42 CFR chapter IV and the Office of the 
Inspector General amends 42 CFR chapter V, as set forth below:

CHAPTER IV--CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF 
HEALTH AND HUMAN SERVICES

PART 405--FEDERAL HEALTH INSURANCE FOR THE AGED AND DISABLED

0
1. The authority citation for part 405 continues to read as follows:

    Authority:  Secs. 205(a), 1102, 1861, 1862(a), 1869, 1871, 1874, 
1881, and 1886(k) of the Social Security Act (42 U.S.C. 405(a), 
1302, 1395x, 1395y(a), 1395ff, 1395hh, 1395kk, 1395rr and 
1395ww(k)), and sec. 353 of the Public Health Service Act (42 U.S.C. 
263a).

Subpart C--Suspension of Payment, Recovery of Overpayments, and 
Repayment of Scholarships and Loans

0
2. The authority citation for subpart C is revised to read as follows:

    Authority:  Secs. 1102, 1815, 1833, 1842, 1862, 1866, 1870, 
1871, 1879 and 1892 of the Social Security Act (42 U.S.C. 1302, 
1395g, 1395l, 1395u, 1395y, 1395cc, 1395gg, 1395hh, 1395pp and 
1395ccc) and 31 U.S.C. 3711.


0
3. In subpart C, remove the phrase ``intermediary or carrier'' wherever 
it appears and add the phrase ``Medicare contractor'' in its place.


0
4. Section 405.370 is amended as follows:
0
A. In paragraph (a), adding the definitions of ``Credible allegation of 
fraud,'' ``Medicare contractor,'' and ``Resolution of an 
investigation'' in alphabetical order.
0
B. In paragraph (a), revising the definitions of ``Offset,'' 
``Recoupment,'' and ``Suspension of payment''.
    The additions and revisions read as follows:


Sec.  405.370  Definitions.

    (a) * * *
    Credible allegation of fraud. A credible allegation of fraud is an 
allegation from any source, including but not limited to the following:
    (1) Fraud hotline complaints.
    (2) Claims data mining.
    (3) Patterns identified through provider audits, civil false claims 
cases, and law enforcement investigations. Allegations are considered 
to be credible when they have indicia of reliability.
    Medicare contractor. Unless the context otherwise requires, 
includes, but is not limited to the any of following:
    (1) A fiscal intermediary.
    (2) A carrier.
    (3) Program safeguard contractor.
    (4) Zone program integrity contractor.
    (5) Part A/Part B Medicare administrative contractor.
    Offset. The recovery by Medicare of a non-Medicare debt by reducing 
present or future Medicare payments and applying the amount withheld to 
the indebtedness. (Examples are Public Health Service debts or Medicaid 
debts recovered by CMS).
    Recoupment. The recovery by Medicare of any outstanding Medicare 
debt by reducing present or future Medicare payments and applying the 
amount withheld to the indebtedness.
    Resolution of an investigation. An investigation of credible 
allegations of fraud will be considered resolved when legal action is 
terminated by settlement, judgment, or dismissal, or when the case is 
closed or dropped because of insufficient evidence to support the 
allegations of fraud.
    Suspension of payment. The withholding of payment by a Medicare 
contractor from a provider or supplier of an approved Medicare payment 
amount before a determination of the amount of the overpayment exists, 
or until the resolution of an investigation of a credible allegation of 
fraud.
* * * * *


0
5. Section 405.371 is revised to read as follows:


Sec.  405.371  Suspension, offset, and recoupment of Medicare payments 
to providers and suppliers of services.

    (a) General rules. Medicare payments to providers and suppliers, as 
authorized under this subchapter (excluding payments to beneficiaries), 
may be--
    (1) Suspended, in whole or in part, by CMS or a Medicare contractor 
if CMS or the Medicare contractor possesses reliable information that 
an overpayment exists or that the payments to be made may not be 
correct, although additional information may be needed for a 
determination;
    (2) In cases of suspected fraud, suspended, in whole or in part, by 
CMS or a Medicare contractor if CMS or the Medicare contractor has 
consulted with the OIG, and, as appropriate, the Department of Justice, 
and determined that a credible allegation of fraud exists against a 
provider or supplier, unless there is good cause not to suspend 
payments; or
    (3) Offset or recouped, in whole or in part, by a Medicare 
contractor if the Medicare contractor or CMS has determined that the 
provider or supplier to whom payments are to be made has been overpaid.
    (b) Good cause exceptions applicable to payment suspensions.
    (1) CMS may find that good cause exists not to suspend payments or 
not to continue to suspend payments to an individual or entity against 
which there are credible allegations of fraud if--
    (i) OIG or other law enforcement agency has specifically requested 
that a payment suspension not be imposed because such a payment 
suspension may compromise or jeopardize an investigation;
    (ii) It is determined that beneficiary access to items or services 
would be so jeopardized by a payment suspension in whole or part as to 
cause a danger to life or health;
    (iii) It is determined that other available remedies implemented by 
CMS or a Medicare contractor more effectively or quickly protect 
Medicare funds than would implementing a payment suspension; or
    (iv) CMS determines that a payment suspension or a continuation of 
a payment suspension is not in the best interests of the Medicare 
program.
    (2) Every 180 days after the initiation of a suspension of payments 
based on credible allegations of fraud, CMS will--
    (i) Evaluate whether there is good cause to not continue such 
suspension under this section; and
    (ii) Request a certification from the OIG or other law enforcement 
agency that the matter continues to be under investigation warranting 
continuation of the suspension.
    (3) Good cause not to continue to suspend payments to an individual 
or

[[Page 5962]]

entity against which there are credible allegations of fraud must be 
deemed to exist if a payment suspension has been in effect for 18 
months and there has not been a resolution of the investigation, except 
CMS may extend a payment suspension beyond that point if --
    (i) The case has been referred to, and is being considered by, the 
OIG for administrative action (for example, civil money penalties); or 
such administrative action is pending or
    (ii) The Department of Justice submits a written request to CMS 
that the suspension of payments be continued based on the ongoing 
investigation and anticipated filing of criminal or civil action or 
both or based on a pending criminal or civil action or both. At a 
minimum, the request must include the following:
    (A) Identification of the entity under suspension.
    (B) The amount of time needed for continued suspension in order to 
conclude the criminal or civil proceeding or both.
    (C) A statement of why or how criminal or civil action or both may 
be affected if the requested extension is not granted.
    (c) Steps necessary for suspension of payment, offset, and 
recoupment.
    (1) Except as provided in paragraph (d) of this section, CMS or the 
Medicare contractor suspends payments only after it has complied with 
the procedural requirements set forth at Sec.  405.372.
    (2) The Medicare contractor offsets or recoups payments only after 
it has complied with the procedural requirements set forth at Sec.  
405.373.
    (d) Suspension of payment in the case of unfiled cost reports. (1) 
If a provider has failed to timely file an acceptable cost report, 
payment to the provider is immediately suspended in whole or in part 
until a cost report is filed and determined by the Medicare contractor 
to be acceptable.
    (2) In the case of an unfiled cost report, the provisions of Sec.  
405.372 do not apply. (See Sec.  405.372(a)(2) concerning failure to 
furnish other information.)

0
6. Section 405.372 is amended as follows:
0
A. Remove the phrase ``intermediary, carrier'' wherever it appears and 
adding the phrase ``Medicare contractor'' in its place.
0
B. Revising paragraphs (a)(4), (c), and (d)(3).
0
C. In paragraph (e), removing the cross-reference ``Sec.  405.371(b)'' 
and adding the cross-reference ``Sec.  405.371(a)'' in its place.


Sec.  405.372  Proceeding for suspension of payment.

    (a) * * *
    (4) Fraud. If the intended suspension of payment involves credible 
allegations of fraud under Sec.  405.371(a)(2), CMS--
    (i) In consultation with OIG and, as appropriate, the Department of 
Justice, determines whether to impose the suspension and if prior 
notice is appropriate;
    (ii) Directs the Medicare contractor as to the timing and content 
of the notification to the provider or supplier; and
    (iii) Is the real party in interest and is responsible for the 
decision.
* * * * *
    (c) Subsequent action. (1) If a suspension of payment is put into 
effect under Sec.  405.371(a)(1), CMS or the Medicare contractor takes 
timely action after the suspension to obtain the additional information 
it may need to make a determination as to whether an overpayment exists 
or the payments may be made.
    (i) CMS or the Medicare contractor makes all reasonable efforts to 
expedite the determination.
    (ii) As soon as the determination is made, CMS or the Medicare 
contractor informs the provider or supplier and, if appropriate, the 
suspension is rescinded or any existing recoupment or offset is 
adjusted to take into account the determination.
    (2)(i) If a suspension of payment is based upon credible 
allegations of fraud in accordance with Sec.  405.371(a)(2), subsequent 
action must be taken by CMS or the Medicare contractor to make a 
determination as to whether an overpayment exists.
    (ii) The rescission of the suspension and the issuance of a final 
overpayment determination to the provider or supplier may be delayed 
until resolution of the investigation.
    (d) * * *
    (3) Exceptions to the time limits. (i) The time limits specified in 
paragraphs (d)(1) and (d)(2) of this section do not apply if the 
suspension of payments is based upon credible allegations of fraud 
under Sec.  405.371(a)(2).
    (ii) Although the time limits specified in paragraphs (d)(1) and 
(d)(2) of this section do not apply to suspensions based on credible 
allegations of fraud, all suspensions of payment in accordance with 
Sec.  405.371(a)(2) will be temporary and will not continue after the 
resolution of an investigation, unless a suspension is warranted 
because of reliable evidence of an overpayment or that the payments to 
be made may not be correct, as specified in Sec.  405.371(a)(1).
* * * * *

PART 424--CONDITIONS FOR MEDICARE PAYMENT

0
7. The authority citation for part 424 continues to read as follows:

    Authority:  Secs. 1102 and 1871 of the Social Security Act (42 
U.S.C. 1302 and 1395hh).


0
8. Section 424.57 is amended by revising paragraph (e) to read as 
follows:


Sec.  424.57  Special payment rules for items furnished by DMEPOS 
suppliers and issuance of DMEPOS supplier billing privileges.

* * * * *
    (e) Revalidation of billing privileges. A supplier must revalidate 
its application for billing privileges every 3 years after the billing 
privileges are first granted. (Each supplier must complete a new 
application for billing privileges 3 years after its last 
revalidation.)
* * * * *

0
9. Section 424.502 is amended by adding the definition of 
``Institutional provider'' in alphabetical order to read as follows:


Sec.  424.502  Definitions.

* * * * *
    Institutional provider means any provider or supplier that submits 
a paper Medicare enrollment application using the CMS-855A, CMS-855B 
(not including physician and nonphysician practitioner organizations), 
CMS-855S or associated Internet-based PECOS enrollment application.
* * * * *

0
10. Section 424.514 is added to read as follows:


Sec.  424.514  Application fee.

    (a) Application fee requirements for prospective institutional 
providers. Beginning on or after March 25, 2011, prospective 
institutional providers that are submitting an initial application or 
currently enrolled institutional providers that are submitting an 
application to establish a new practice location must submit either or 
both of the following:
    (1) The applicable application fee.
    (2) A request for a hardship exception to the application fee at 
the time of filing a Medicare enrollment application.
    (b) Application fee requirements for revalidating institutional 
providers. Beginning March 25, 2011, institutional providers that are 
subject to CMS revalidation efforts must submit either or both of the 
following:

[[Page 5963]]

    (1) The applicable application fee.
    (2) A request for a hardship exception to the application fee at 
the time of filing a Medicare enrollment application.
    (c) Hardship exception for disaster areas. CMS will assess on a 
case-by-case basis whether institutional providers enrolling in a 
geographic area that is a Presidentially-declared disaster under the 
Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 
U.S.C. 5121-5206 (Stafford Act) should receive an exception to the 
application fee.
    (d) Application fee. The application fee and associated 
requirements are as follows:
    (1) For 2010, $500.00.
    (2) For 2011 and subsequent years--
    (i) Is adjusted by the percentage change in the consumer price 
index for all urban consumers (all items; United States city average) 
for the 12-month period ending with June of the previous year;
    (ii) Is effective from January 1 to December 31 of a calendar year;
    (iii) Is based on the submission of an initial application, 
application to establish a new practice location or the submission of 
an application in response to a CMS revalidation request;
    (iv) Must be in the amount calculated by CMS in effect for the year 
during which the application for enrollment is being submitted;
    (v) Is nonrefundable, except if submitted with one of the 
following:
    (A) A request for hardship exception that is subsequently approved;
    (B) An application that is rejected prior to initiation of 
screening processes;
    (C) An application that is subsequently denied as a result of the 
imposition of a temporary moratorium;
    (e) Denial or revocation based on application fee. A Medicare 
contractor may deny or revoke Medicare billing privileges of a provider 
or supplier based on noncompliance if, in the absence of a written 
request for a hardship exception from the application fee that 
accompanies a Medicare enrollment application, the bank account on 
which the check that is submitted with the enrollment application is 
drawn does not contain sufficient funds to pay the application fee.
    (f) Information needed for submission of a hardship exception 
request. A provider or supplier requesting an exception from the 
application fee must include with its enrollment application a letter 
that describes the hardship and why the hardship justifies an 
exception.
    (g) Failure to submit application fee or hardship exception 
request. A Medicare contractor may--
    (1) Reject an enrollment application from a newly-enrolling 
institutional provider that, with the exceptions described in Sec.  
424.514(b), is not accompanied by the application fee or by a letter 
requesting a hardship exception from the application fee.
    (2) Revoke the billing privileges of a currently enrolled 
institutional provider that, with the exceptions described in Sec.  
424.514(b), is not accompanied by the application fee or by a letter 
requesting a hardship exception from the application fee.
    (3)(i) Notwithstanding the foregoing, the contractor must first 
inform the provider that the application fee was not submitted in 
accordance with this section.
    (ii) Within 30 days after the date of the notification, the 
contractor may reject the application of the newly-enrolling 
institutional provider or revoke the billing privileges of the 
currently enrolled institutional provider that has not submitted the 
fee.
    (h) Consideration of hardship exception request. CMS has 60 days in 
which to approve or disapprove a hardship exception request. If a 
provider submits a request for hardship exception to the fee and the 
provider or supplier has not already submitted the fee consistent with 
provisions in Sec.  424.514(a) and (b), and the request for hardship 
exception is not approved, CMS notifies the provider or supplier that 
the hardship exception request was not approved and allows the provider 
or supplier 30 days from the date of notification to submit the 
application fee.
    (1) A Medicare contractor does not--
    (i) Begin processing an enrollment application that is accompanied 
by a hardship exception request until CMS has made a decision to 
approve or disapprove the hardship exception request; and
    (ii) Deny an enrollment application that is accompanied by a 
hardship exception request unless the hardship exception request is 
denied by CMS and the provider or supplier fails to submit the required 
application fee within 30 days of being notified that the request for a 
hardship exception was denied.
    (2) A hardship exception determination made by CMS is appealable 
using Sec.  405.874 of this chapter.

0
11. Section 424.515 is amended by adding a new paragraph (e) to read as 
follows:


Sec.  424.515  Requirements for reporting changes and updates to, and 
the periodic revalidation of Medicare enrollment information.

* * * * *
    (e) Additional off-cycle revalidation. On or after March 23, 2012, 
Medicare providers and suppliers, including DMEPOS suppliers, may be 
required to revalidate their enrollment outside the routine 5-year 
revalidation cycle (3-year DMEPOS supplier revalidation cycle).
    (1) CMS will contact providers or suppliers to revalidate their 
enrollment for off-cycle revalidation.
    (2) As with all revalidations, revalidations described in this 
paragraph are conducted in accordance with the screening procedures 
specified at Sec.  424.518.

0
12. Section 424.518 is added to read as follows:


Sec.  424.518  Screening levels for Medicare providers and suppliers.

    A Medicare contractor is required to screen all initial 
applications, including applications for a new practice location, and 
any applications received in response to a revalidation request based 
on a CMS assessment of risk and assignment to a level of ``limited,'' 
``moderate,'' or ``high.''
    (a) Limited categorical risk. (1) Limited categorical risk: 
Provider and supplier categories. CMS has designated the following 
providers and suppliers as ``limited'' categorical risk:
    (i) Physician or nonphysician practitioners (including nurse 
practitioners, CRNAs, occupational therapists, speech/language 
pathologists, and audiologists) and medical groups or clinics.
    (ii) Ambulatory surgical centers.
    (iii) Competitive Acquisition Program/Part B Vendors.
    (iv) End-stage renal disease facilities.
    (v) Federally qualified health centers.
    (vi) Histocompatibility laboratories.
    (vii) Hospitals, including critical access hospitals, Department of 
Veterans Affairs hospitals, and other federally owned hospital 
facilities.
    (viii) Health programs operated by an Indian Health Program (as 
defined in section 4(12) of the Indian Health Care Improvement Act) or 
an urban Indian organization (as defined in section 4(29) of the Indian 
Health Care Improvement Act) that receives funding from the Indian 
Health Service pursuant to Title V of the Indian Health Care 
Improvement Act.
    (ix) Mammography screening centers.
    (x) Mass immunization roster billers
    (xi) Organ procurement organizations.
    (xii) Pharmacies newly enrolling or revalidating via the CMS-855B 
application.

[[Page 5964]]

    (xiii) Radiation therapy centers.
    (xiv) Religious non-medical health care institutions.
    (xv) Rural health clinics.
    (xvi) Skilled nursing facilities.
    (2) Limited screening level: Screening requirements. When CMS 
designates a provider or supplier as a ``limited'' categorical level of 
risk, the Medicare contractor does all of the following:
    (i) Verifies that a provider or supplier meets all applicable 
Federal regulations and State requirements for the provider or supplier 
type prior to making an enrollment determination.
    (ii) Conducts license verifications, including licensure 
verifications across State lines for physicians or nonphysician 
practitioners and providers and suppliers that obtain or maintain 
Medicare billing privileges as a result of State licensure, including 
State licensure in States other than where the provider or supplier is 
enrolling.
    (iii) Conducts database checks on a pre- and post-enrollment basis 
to ensure that providers and suppliers continue to meet the enrollment 
criteria for their provider/supplier type.
    (b) Moderate categorical risk. (1) Moderate categorical risk: 
Provider and supplier categories. CMS has designated the following 
providers and suppliers as ``moderate'' categorical risk:
    (i) Ambulance service suppliers.
    (ii) Community mental health centers.
    (iii) Comprehensive outpatient rehabilitation facilities.
    (iv) Hospice organizations.
    (v) Independent clinical laboratories.
    (vi) Independent diagnostic testing facilities.
    (vii) Physical therapists enrolling as individuals or as group 
practices.
    (viii) Portable x-ray suppliers.
    (ix) Revalidating home health agencies.
    (x) Revalidating DMEPOS suppliers.
    (2) Moderate screening level: Screening requirements. When CMS 
designates a provider or supplier as a ``moderate'' categorical level 
of risk, the Medicare contractor does all of the following:
    (i) Performs the ``limited'' screening requirements described in 
paragraph (a)(2) of this section.
    (ii) Conducts an on-site visit.
    (c) High categorical risk. (1) High categorical risk: Provider and 
supplier categories. CMS has designated the following home health 
agencies and suppliers of DMEPOS as ``high'' categorical risk:
    (i) Prospective (newly enrolling) home health agencies.
    (ii) Prospective (newly enrolling) DMEPOS suppliers.
    (2) High screening level: Screening requirements. When CMS 
designates a provider or supplier as a ``high'' categorical level of 
risk, the Medicare contractor does all of the following:
    (i) Performs the ``limited'' and ``moderate'' screening 
requirements described in paragraphs (a)(2) and (b)(2) of this section.
    (ii)(A) Requires the submission of a set of fingerprints for a 
national background check from all individuals who maintain a 5 percent 
or greater direct or indirect ownership interest in the provider or 
supplier; and
    (B) Conducts a fingerprint-based criminal history record check of 
the Federal Bureau of Investigation's Integrated Automated Fingerprint 
Identification System on all individuals who maintain a 5 percent or 
greater direct or indirect ownership interest in the provider or 
supplier.
    (3) Adjustment in the categorical risk. CMS adjusts the screening 
level from ``limited'' or ``moderate'' to ``high'' if any of the 
following occur:
    (i) CMS imposes a payment suspension on a provider or supplier at 
any time in the last 10 years.
    (ii) The provider or supplier--
    (A) Has been excluded from Medicare by the OIG; or
    (B) Had billing privileges revoked by a Medicare contractor within 
the previous 10 years and is attempting to establish additional 
Medicare billing privileges by--
    (1) Enrolling as a new provider or supplier; or
    (2) Billing privileges for a new practice location;
    (C) Has been terminated or is otherwise precluded from billing 
Medicaid;
    (D) Has been excluded from any Federal health care program; or
    (E) Has been subject to any final adverse action, as defined at 
Sec.  424.502, within the previous 10 years.
    (iii) CMS lifts a temporary moratorium for a particular provider or 
supplier type and a provider or supplier that was prevented from 
enrolling based on the moratorium, applies for enrollment as a Medicare 
provider or supplier at any time within 6 months from the date the 
moratorium was lifted.
    (d) Fingerprinting requirements. An individual subject to the 
fingerprint-based criminal history record check requirement specified 
in paragraph (c)(2)(ii)(B) of this section--
    (1) Must submit a set of fingerprints for a national background 
check.
    (i) Upon submission of a Medicare enrollment application; or
    (ii) Within 30 days of a Medicare contractor request.
    (2) In the event the individual(s) required to submit fingerprints 
under paragraph (c)(2) of this section fail to submit such fingerprints 
in accordance with paragraph (d)(1) of this section, the provider or 
supplier will have its billing privileges--
    (i) Denied under Sec.  424.530(a)(1); or
    (ii) Revoked under Sec.  424.535(a)(1).

0
13. Section 424.525 is amended by:
0
A. Revising paragraph (a) introductory text.
0
B. Adding a new paragraph (a)(3).
    The revision and addition read as follows:


Sec.  424.525  Rejection of a provider or supplier's enrollment 
application for Medicare enrollment.

    (a) Reasons for rejection. CMS may reject a provider's or 
supplier's enrollment application for any of the following reasons:
* * * * *
    (3) The prospective institutional provider or supplier does not 
submit the application fee in the designated amount or a hardship 
waiver request with the Medicare enrollment application at the time of 
filing.
* * * * *

0
14. Section 424.530 is amended by adding new paragraphs (a)(9) and 
(a)(10) to read as follows:


Sec.  424.530  Denial of enrollment in the Medicare program.

    (a) * * *
    (9) Application fee/hardship exception. An institutional provider's 
or supplier's hardship exception request is not granted, and the 
provider or supplier does not submit the application fee within 30 days 
of notification that the hardship exception request was not approved.
    (10) Temporary moratorium. A provider or supplier submits an 
enrollment application for a practice location in a geographic area 
where CMS has imposed a temporary moratorium.
* * * * *

0
15. Section 424.535 is amended as follows:
0
A. Revising paragraph (a)(6).
0
B. Adding a new paragraph (a)(12).
0
C. Revising paragraph (c).


Sec.  424.535  Revocation of enrollment billing and billing privileges 
in the Medicare program.

    (a) * * *
    (6) Grounds related to provider and supplier screening 
requirements. (i)(A) An institutional provider does not submit an 
application fee or hardship exception request that meets the 
requirements set forth in Sec.  424.514 with

[[Page 5965]]

the Medicare revalidation application; or
    (B) The hardship exception is not granted and the institutional 
provider does not submit the applicable application form or application 
fee within 30 days of being notified that the hardship exception 
request was denied.
    (ii)(A) Either of the following occurs:
    (1) CMS is not able to deposit the full application amount into a 
government-owned account.
    (2) The funds are not able to be credited to the U.S. Treasury.
    (B) The provider or supplier lacks sufficient funds in the account 
at the banking institution whose name is imprinted on the check or 
other banking instrument to pay the application fee; or
    (C) There is any other reason why CMS or its Medicare contractor is 
unable to deposit the application fee into a government-owned account.
* * * * *
    (12) Medicaid termination. (i) Medicaid billing privileges are 
terminated or revoked by a State Medicaid Agency.
    (ii) Medicare may not terminate unless and until a provider or 
supplier has exhausted all applicable appeal rights.
* * * * *
    (c) Reapplying after revocation. (1) After a provider, supplier, 
delegated official, or authorizing official has had its billing 
privileges revoked, it is barred from participating in the Medicare 
program from the effective date of the revocation until the end of the 
re-enrollment bar.
    (2) The re-enrollment bar is a minimum of 1 year, but not greater 
than 3 years depending on the severity of the basis for revocation.
    (3) CMS may waive the re-enrollment bar if it has revoked a 
provider or supplier under Sec.  424.535(a)(6)(i) based upon the 
failure of the provider or supplier to submit an application fee or a 
hardship exception request with an enrollment application upon 
revalidation.
* * * * *

0
16. A new Sec.  424.570 is added to read as follows:


Sec.  424.570  Moratoria on newly enrolling Medicare providers and 
suppliers.

    (a) Temporary moratoria. (1) General rules. (i) CMS may impose a 
moratorium on the enrollment of new Medicare providers and suppliers of 
a particular type or the establishment of new practice locations of a 
particular type in a particular geographic area.
    (ii) CMS will announce the temporary enrollment moratorium in a 
Federal Register document that includes the rationale for imposition of 
the temporary enrollment moratorium.
    (iii) The temporary moratorium does not apply to changes in 
practice location, changes in provider or supplier information such as 
phone number, address or changes in ownership (except changes in 
ownership of home health agencies that would require an initial 
enrollment under Sec.  424.550).
    (iv) The temporary enrollment moratorium does not apply to any 
enrollment application that has been approved by the enrollment 
contractor but not yet entered into PECOS at the time the moratorium is 
imposed.
    (2) Imposition of a temporary moratoria. CMS may impose the 
temporary moratorium if--
    (i) CMS determines that there is a significant potential for fraud, 
waste or abuse with respect to a particular provider or supplier type 
or particular geographic area or both. CMS's determination is based on 
its review of existing data, and without limitation, identifies a trend 
that appears to be associated with a high risk of fraud, waste or 
abuse, such as a--
    (A) Highly disproportionate number of providers or suppliers in a 
category relative to the number of beneficiaries; or
    (B) Rapid increase in enrollment applications within a category;
    (ii) A State Medicaid program has imposed a moratorium on a group 
of Medicaid providers or suppliers that are also eligible to enroll in 
the Medicare program;
    (iii) A State has imposed a moratorium on enrollment in a 
particular geographic area or on a particular provider or supplier type 
or both; or
    (iv) CMS, in consultation the HHS OIG or the Department of Justice 
or both and with the approval of the CMS Administrator identifies 
either or both of the following as having a significant potential for 
fraud, waste or abuse in the Medicare program:
    (A) A particular provider or supplier type.
    (B) Any particular geographic area.
    (b) Duration of moratoria. A moratorium under this section may be 
imposed for a period of 6 months and, if deemed necessary by CMS, may 
be extended in 6-month increments. CMS will publish a document in the 
Federal Register when it extends a moratorium.
    (c) Denial of enrollment: Moratoria. A Medicare contractor denies 
the enrollment application of a provider or supplier if the provider or 
supplier is subject to a moratorium as specified in paragraph (a) of 
this section.
    (d) Lifting moratoria. CMS will publish a document in the Federal 
Register when a moratorium is lifted. CMS may lift a temporary 
moratorium at any time after imposition of the moratorium if one of the 
following occur:
    (1) The President declares an area a disaster under the Robert T. 
Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. 5121-
5206 (Stafford Act).
    (2) Circumstances warranting the imposition of a moratorium have 
abated or CMS has implemented program safeguards to address the program 
vulnerability.
    (3) The Secretary has declared a public health emergency under 
section 319 of the Public Health Service Act in the area subject to a 
temporary moratorium.
    (4) In the judgment of the Secretary, the moratorium is no longer 
needed.

PART 447--PAYMENT FOR SERVICES

0
19. The authority citation for part 447 continues to read as follows:

    Authority: Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).


0
20. A new Sec.  447.90 is added to subpart A to read as follows:


Sec.  447.90  FFP: Conditions related to pending investigations of 
credible allegations of fraud against the Medicaid program.

    (a) Basis and purpose. This section implements section 
1903(i)(2)(C) of the Act which prohibits payment of FFP with respect to 
items or services furnished by an individual or entity with respect to 
which there is pending an investigation of a credible allegation of 
fraud except under specified circumstances.
    (b) Denial of FFP. No FFP is available with respect to any amount 
expended for an item or service furnished by any individual or entity 
to whom a State has failed to suspend payments in whole or part as 
required by Sec.  455.23 of this chapter unless--
    (1) The item or service is furnished as an emergency item or 
service, but not including items or services furnished in an emergency 
room of a hospital; or
    (2) The State determines and documents that good cause as specified 
at Sec.  455.23(e) or (f) of this chapter exists not to suspend such 
payments, to suspend payments only in part, or to discontinue a 
previously imposed payment suspension.

[[Page 5966]]

PART 455--PROGRAM INTEGRITY: MEDICAID

0
21. The authority citation for part 455 continues to read as follows:

    Authority: Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).


0
22. Section 455.2 is amended by adding the definition of ``Credible 
allegation of fraud'' to read as follows:


Sec.  455.2  Definitions.

* * * * *
    Credible allegation of fraud. A credible allegation of fraud may be 
an allegation, which has been verified by the State, from any source, 
including but not limited to the following:
    (1) Fraud hotline complaints.
    (2) Claims data mining.
    (3) Patterns identified through provider audits, civil false claims 
cases, and law enforcement investigations. Allegations are considered 
to be credible when they have indicia of reliability and the State 
Medicaid agency has reviewed all allegations, facts, and evidence 
carefully and acts judiciously on a case-by-case basis.
* * * * *

0
23. Section 455.23 is revised to read as follows:


Sec.  455.23  Suspension of payments in cases of fraud.

    (a) Basis for suspension. (1) The State Medicaid agency must 
suspend all Medicaid payments to a provider after the agency determines 
there is a credible allegation of fraud for which an investigation is 
pending under the Medicaid program against an individual or entity 
unless the agency has good cause to not suspend payments or to suspend 
payment only in part.
    (2) The State Medicaid agency may suspend payments without first 
notifying the provider of its intention to suspend such payments.
    (3) A provider may request, and must be granted, administrative 
review where State law so requires.
    (b) Notice of suspension. (1) The State agency must send notice of 
its suspension of program payments within the following timeframes:
    (i) Five days of taking such action unless requested in writing by 
a law enforcement agency to temporarily withhold such notice.
    (ii) Thirty days if requested by law enforcement in writing to 
delay sending such notice, which request for delay may be renewed in 
writing up to twice and in no event may exceed 90 days.
    (2) The notice must include or address all of the following:
    (i) State that payments are being suspended in accordance with this 
provision.
    (ii) Set forth the general allegations as to the nature of the 
suspension action, but need not disclose any specific information 
concerning an ongoing investigation.
    (iii) State that the suspension is for a temporary period, as 
stated in paragraph (c) of this section, and cite the circumstances 
under which the suspension will be terminated.
    (iv) Specify, when applicable, to which type or types of Medicaid 
claims or business units of a provider suspension is effective.
    (v) Inform the provider of the right to submit written evidence for 
consideration by State Medicaid Agency.
    (vi) Set forth the applicable State administrative appeals process 
and corresponding citations to State law.
    (c) Duration of suspension. (1) All suspension of payment actions 
under this section will be temporary and will not continue after either 
of the following:
    (i) The agency or the prosecuting authorities determine that there 
is insufficient evidence of fraud by the provider.
    (ii) Legal proceedings related to the provider's alleged fraud are 
completed.
    (2) A State must document in writing the termination of a 
suspension including, where applicable and appropriate, any appeal 
rights available to a provider.
    (d) Referrals to the Medicaid fraud control unit. (1) Whenever a 
State Medicaid agency investigation leads to the initiation of a 
payment suspension in whole or part, the State Medicaid Agency must 
make a fraud referral to either of the following:
    (i) To a Medicaid fraud control unit established and certified 
under part 1007 of this title; or
    (ii) In States with no certified Medicaid fraud control unit, to an 
appropriate law enforcement agency.
    (2) The fraud referral made under paragraph (d)(1) of this section 
must meet all of the following requirements:
    (i) Be made in writing and provided to the Medicaid fraud control 
unit not later than the next business day after the suspension is 
enacted.
    (ii) Conform to fraud referral performance standards issued by the 
Secretary.
    (3)(i) If the Medicaid fraud control unit or other law enforcement 
agency accepts the fraud referral for investigation, the payment 
suspension may be continued until such time as the investigation and 
any associated enforcement proceedings are completed.
    (ii) On a quarterly basis, the State must request a certification 
from the Medicaid fraud control unit or other law enforcement agency 
that any matter accepted on the basis of a referral continues to be 
under investigation thus warranting continuation of the suspension.
    (4) If the Medicaid fraud control unit or other law enforcement 
agency declines to accept the fraud referral for investigation the 
payment suspension must be discontinued unless the State Medicaid 
agency has alternative Federal or State authority by which it may 
impose a suspension or makes a fraud referral to another law 
enforcement agency. In that situation, the provisions of paragraph 
(d)(3) of this section apply equally to that referral as well.
    (5) A State's decision to exercise the good cause exceptions in 
paragraphs (e) or (f) of this section not to suspend payments or to 
suspend payments only in part does not relieve the State of the 
obligation to refer any credible allegation of fraud as provided in 
paragraph (d)(1) of this section.
    (e) Good cause not to suspend payments. A State may find that good 
cause exists not to suspend payments, or not to continue a payment 
suspension previously imposed, to an individual or entity against which 
there is an investigation of a credible allegation of fraud if any of 
the following are applicable:
    (1) Law enforcement officials have specifically requested that a 
payment suspension not be imposed because such a payment suspension may 
compromise or jeopardize an investigation.
    (2) Other available remedies implemented by the State more 
effectively or quickly protect Medicaid funds.
    (3) The State determines, based upon the submission of written 
evidence by the individual or entity that is the subject of the payment 
suspension, that the suspension should be removed.
    (4) Recipient access to items or services would be jeopardized by a 
payment suspension because of either of the following:
    (i) An individual or entity is the sole community physician or the 
sole source of essential specialized services in a community.
    (ii) The individual or entity serves a large number of recipients 
within a HRSA-designated medically underserved area.
    (5) Law enforcement declines to certify that a matter continues to 
be under investigation per the requirements of paragraph (d)(3) of this 
section.

[[Page 5967]]

    (6) The State determines that payment suspension is not in the best 
interests of the Medicaid program.
    (f) Good cause to suspend payment only in part. A State may find 
that good cause exists to suspend payments in part, or to convert a 
payment suspension previously imposed in whole to one only in part, to 
an individual or entity against which there is an investigation of a 
credible allegation of fraud if any of the following are applicable:
    (1) Recipient access to items or services would be jeopardized by a 
payment suspension in whole or part because of either of the following:
    (i) An individual or entity is the sole community physician or the 
sole source of essential specialized services in a community.
    (ii) The individual or entity serves a large number of recipients 
within a HRSA-designated medically underserved area.
    (2) The State determines, based upon the submission of written 
evidence by the individual or entity that is the subject of a whole 
payment suspension, that such suspension should be imposed only in 
part.
    (3)(i) The credible allegation focuses solely and definitively on 
only a specific type of claim or arises from only a specific business 
unit of a provider; and
    (ii) The State determines and documents in writing that a payment 
suspension in part would effectively ensure that potentially fraudulent 
claims were not continuing to be paid.
    (4) Law enforcement declines to certify that a matter continues to 
be under investigation per the requirements of paragraph (d)(3) of this 
section.
    (5) The State determines that payment suspension only in part is in 
the best interests of the Medicaid program.
    (g) Documentation and record retention. State Medicaid agencies 
must meet the following requirements:
    (1) Maintain for a minimum of 5 years from the date of issuance all 
materials documenting the life cycle of a payment suspension that was 
imposed in whole or part, including the following:
    (i) All notices of suspension of payment in whole or part.
    (ii) All fraud referrals to the Medicaid fraud control unit or 
other law enforcement agency.
    (iii) All quarterly certifications of continuing investigation 
status by law enforcement.
    (iv) All notices documenting the termination of a suspension.
    (2)(i) Maintain for a minimum of 5 years from the date of issuance 
all materials documenting each instance where a payment suspension was 
not imposed, imposed only in part, or discontinued for good cause.
    (ii) This type of documentation must include, at a minimum, 
detailed information on the basis for the existence of the good cause 
not to suspend payments, to suspend payments only in part, or to 
discontinue a payment suspension and, where applicable, must specify 
how long the State anticipates such good cause will exist.
    (3) Annually report to the Secretary summary information on each of 
following:
    (i) Suspension of payment, including the nature of the suspected 
fraud, the basis for suspension, and the outcome of the suspension.
    (ii) Situation in which the State determined good cause existed to 
not suspend payments, to suspend payments only in part, or to 
discontinue a payment suspension as described in this section, 
including describing the nature of the suspected fraud and the nature 
of the good cause.

0
24. Section 455.101 is amended by adding the definitions of ``Health 
insuring organization (HIO),'' ``Managed care entity (MCE),'' ``Prepaid 
ambulatory health plan (PAHP),'' ``Prepaid inpatient health plan 
(PIHP),'' ``Primary care case manager (PCCM),'' and ``Termination'' in 
alphabetical order to read as follows:


Sec.  455.101  Definitions.

* * * * *
    Health insuring organization (HIO) has the meaning specified in 
Sec.  438.2.
* * * * *
    Managed care entity (MCE) means managed care organizations (MCOs), 
PIHPs, PAHPs, PCCMs, and HIOs.
* * * * *
    Prepaid ambulatory health plan (PAHP) has the meaning specified in 
Sec.  438.2.
    Prepaid inpatient health plan (PIHP) has the meaning specified in 
Sec.  438.2.
    Primary care case manager (PCCM) has the meaning specified in Sec.  
438.2.
* * * * *
    Termination means--
    (1) For a--
    (i) Medicaid or CHIP provider, a State Medicaid program or CHIP has 
taken an action to revoke the provider's billing privileges, and the 
provider has exhausted all applicable appeal rights or the timeline for 
appeal has expired; and
    (ii) Medicare provider, supplier or eligible professional, the 
Medicare program has revoked the provider or supplier's billing 
privileges, and the provider has exhausted all applicable appeal rights 
or the timeline for appeal has expired.
    (2)(i) In all three programs, there is no expectation on the part 
of the provider or supplier or the State or Medicare program that the 
revocation is temporary.
    (ii) The provider, supplier, or eligible professional will be 
required to reenroll with the applicable program if they wish billing 
privileges to be reinstated.
    (3) The requirement for termination applies in cases where 
providers, suppliers, or eligible professionals were terminated or had 
their billing privileges revoked for cause which may include, but is 
not limited to--
    (i) Fraud;
    (ii) Integrity; or
    (iii) Quality.
* * * * *

0
25. Section 455.104 is revised to read as follows:


Sec.  455.104  Disclosure by Medicaid providers and fiscal agents: 
Information on ownership and control.

    (a) Who must provide disclosures. The Medicaid agency must obtain 
disclosures from disclosing entities, fiscal agents, and managed care 
entities.
    (b) What disclosures must be provided. The Medicaid agency must 
require that disclosing entities, fiscal agents, and managed care 
entities provide the following disclosures:
    (1)(i) The name and address of any person (individual or 
corporation) with an ownership or control interest in the disclosing 
entity, fiscal agent, or managed care entity. The address for corporate 
entities must include as applicable primary business address, every 
business location, and P.O. Box address.
    (ii) Date of birth and Social Security Number (in the case of an 
individual).
    (iii) Other tax identification number (in the case of a 
corporation) with an ownership or control interest in the disclosing 
entity (or fiscal agent or managed care entity) or in any subcontractor 
in which the disclosing entity (or fiscal agent or managed care entity) 
has a 5 percent or more interest.
    (2) Whether the person (individual or corporation) with an 
ownership or control interest in the disclosing entity (or fiscal agent 
or managed care entity) is related to another person with ownership or 
control interest in the disclosing entity as a spouse, parent, child, 
or sibling; or whether the person (individual or corporation) with an 
ownership or control interest in any subcontractor in which the 
disclosing entity (or fiscal agent or managed care entity) has a 5 
percent or more interest is related to another person with

[[Page 5968]]

ownership or control interest in the disclosing entity as a spouse, 
parent, child, or sibling.
    (3) The name of any other disclosing entity (or fiscal agent or 
managed care entity) in which an owner of the disclosing entity (or 
fiscal agent or managed care entity) has an ownership or control 
interest.
    (4) The name, address, date of birth, and Social Security Number of 
any managing employee of the disclosing entity (or fiscal agent or 
managed care entity).
    (c) When the disclosures must be provided.
    (1) Disclosures from providers or disclosing entities. Disclosure 
from any provider or disclosing entity is due at any of the following 
times:
    (i) Upon the provider or disclosing entity submitting the provider 
application.
    (ii) Upon the provider or disclosing entity executing the provider 
agreement.
    (iii) Upon request of the Medicaid agency during the re-validation 
of enrollment process under Sec.  455.414.
    (iv) Within 35 days after any change in ownership of the disclosing 
entity.
    (2) Disclosures from fiscal agents. Disclosures from fiscal agents 
are due at any of the following times:
    (i) Upon the fiscal agent submitting the proposal in accordance 
with the State's procurement process.
    (ii) Upon the fiscal agent executing the contract with the State.
    (iii) Upon renewal or extension of the contract.
    (iv) Within 35 days after any change in ownership of the fiscal 
agent.
    (3) Disclosures from managed care entities. Disclosures from 
managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are 
due at any of the following times:
    (i) Upon the managed care entity submitting the proposal in 
accordance with the State's procurement process.
    (ii) Upon the managed care entity executing the contract with the 
State.
    (iii) Upon renewal or extension of the contract.
    (iv) Within 35 days after any change in ownership of the managed 
care entity.
    (4) Disclosures from PCCMs. PCCMs will comply with disclosure 
requirements under paragraph (c)(1) of this section.
    (d) To whom must the disclosures be provided. All disclosures must 
be provided to the Medicaid agency.
    (e) Consequences for failure to provide required disclosures. 
Federal financial participation (FFP) is not available in payments made 
to a disclosing entity that fails to disclose ownership or control 
information as required by this section.


0
26. A new subpart E is added to part 455 to read as follows:
Subpart E--Provider Screening and Enrollment
Sec.
455.400 Purpose.
455.405 State plan requirements.
455.410 Enrollment and screening of providers.
455.412 Verification of provider licenses.
455.414 Revalidation of enrollment.
455.416 Termination or denial of enrollment.
455.420 Reactivation of provider enrollment.
455.422 Appeal rights.
455.432 Site visits.
455.434 Criminal background checks.
455.436 Federal database checks.
455.440 National Provider Identifier.
455.450 Screening levels for Medicaid providers.
455.452 Other State screening methods.
455.460 Application fee.
455.470 Temporary moratoria.

Subpart E--Provider Screening and Enrollment


Sec.  455.400  Purpose.

    This subpart implements sections 1866(j), 1902(a)(39), 1902(a)(77), 
and 1902(a)(78) of the Act. It sets forth State plan requirements 
regarding the following:
    (a) Provider screening and enrollment requirements.
    (b) Fees associated with provider screening.
    (c) Temporary moratoria on enrollment of providers.


Sec.  455.405  State plan requirements.

    A State plan must provide that the requirements of Sec.  455.410 
through Sec.  455.450 and Sec.  455.470 are met.


Sec.  455.410  Enrollment and screening of providers.

    (a) The State Medicaid agency must require all enrolled providers 
to be screened under to this subpart.
    (b) The State Medicaid agency must require all ordering or 
referring physicians or other professionals providing services under 
the State plan or under a waiver of the plan to be enrolled as 
participating providers.
    (c) The State Medicaid agency may rely on the results of the 
provider screening performed by any of the following:
    (1) Medicare contractors.
    (2) Medicaid agencies or Children's Health Insurance Programs of 
other States.


Sec.  455.412  Verification of provider licenses.

    The State Medicaid agency must--
    (a) Have a method for verifying that any provider purporting to be 
licensed in accordance with the laws of any State is licensed by such 
State.
    (b) Confirm that the provider's license has not expired and that 
there are no current limitations on the provider's license.


Sec.  455.414  Revalidation of enrollment.

    The State Medicaid agency must revalidate the enrollment of all 
providers regardless of provider type at least every 5 years.


Sec.  455.416  Termination or denial of enrollment.

    The State Medicaid agency--
    (a) Must terminate the enrollment of any provider where any person 
with a 5 percent or greater direct or indirect ownership interest in 
the provider did not submit timely and accurate information and 
cooperate with any screening methods required under this subpart.
    (b) Must deny enrollment or terminate the enrollment of any 
provider where any person with a 5 percent or greater direct or 
indirect ownership interest in the provider has been convicted of a 
criminal offense related to that person's involvement with the 
Medicare, Medicaid, or title XXI program in the last 10 years, unless 
the State Medicaid agency determines that denial or termination of 
enrollment is not in the best interests of the Medicaid program and the 
State Medicaid agency documents that determination in writing.
    (c) Must deny enrollment or terminate the enrollment of any 
provider that is terminated on or after January 1, 2011, under title 
XVIII of the Act or under the Medicaid program or CHIP of any other 
State.
    (d) Must terminate the provider's enrollment or deny enrollment of 
the provider if the provider or a person with an ownership or control 
interest or who is an agent or managing employee of the provider fails 
to submit timely or accurate information, unless the State Medicaid 
agency determines that termination or denial of enrollment is not in 
the best interests of the Medicaid program and the State Medicaid 
agency documents that determination in writing.
    (e) Must terminate or deny enrollment if the provider, or any 
person with a 5 percent or greater direct or indirect ownership 
interest in the provider, fails to submit sets of fingerprints in a 
form and manner to be determined by the Medicaid agency within 30 days 
of a CMS or a State Medicaid agency request, unless the State Medicaid

[[Page 5969]]

agency determines that termination or denial of enrollment is not in 
the best interests of the Medicaid program and the State Medicaid 
agency documents that determination in writing.
    (f) Must terminate or deny enrollment if the provider fails to 
permit access to provider locations for any site visits under Sec.  
455.432, unless the State Medicaid agency determines that termination 
or denial of enrollment is not in the best interests of the Medicaid 
program and the State Medicaid agency documents that determination in 
writing.
    (g) May terminate or deny the provider's enrollment if CMS or the 
State Medicaid agency--
    (1) Determines that the provider has falsified any information 
provided on the application; or
    (2) Cannot verify the identity of any provider applicant.


Sec.  455.420  Reactivation of provider enrollment.

    After deactivation of a provider enrollment number for any reason, 
before the provider's enrollment may be reactivated, the State Medicaid 
agency must re-screen the provider and require payment of associated 
provider application fees under Sec.  455.460.


Sec.  455.422  Appeal rights.

    The State Medicaid agency must give providers terminated or denied 
under Sec.  455.416 any appeal rights available under procedures 
established by State law or regulations.


Sec.  455.432  Site visits.

    The State Medicaid agency--
    (a) Must conduct pre-enrollment and post-enrollment site visits of 
providers who are designated as ``moderate'' or ``high'' categorical 
risks to the Medicaid program. The purpose of the site visit will be to 
verify that the information submitted to the State Medicaid agency is 
accurate and to determine compliance with Federal and State enrollment 
requirements.
    (b) Must require any enrolled provider to permit CMS, its agents, 
its designated contractors, or the State Medicaid agency to conduct 
unannounced on-site inspections of any and all provider locations.


Sec.  455.434  Criminal background checks.

    The State Medicaid agency--
    (a) As a condition of enrollment, must require providers to consent 
to criminal background checks including fingerprinting when required to 
do so under State law or by the level of screening based on risk of 
fraud, waste or abuse as determined for that category of provider.
    (b) Must establish categorical risk levels for providers and 
provider categories who pose an increased financial risk of fraud, 
waste or abuse to the Medicaid program.
    (1) Upon the State Medicaid agency determining that a provider, or 
a person with a 5 percent or more direct or indirect ownership interest 
in the provider, meets the State Medicaid agency's criteria hereunder 
for criminal background checks as a ``high'' risk to the Medicaid 
program, the State Medicaid agency will require that each such provider 
or person submit fingerprints.
    (2) The State Medicaid agency must require a provider, or any 
person with a 5 percent or more direct or indirect ownership interest 
in the provider, to submit a set of fingerprints, in a form and manner 
to be determined by the State Medicaid agency, within 30 days upon 
request from CMS or the State Medicaid agency.


Sec.  455.436  Federal database checks.

    The State Medicaid agency must do all of the following:
    (a) Confirm the identity and determine the exclusion status of 
providers and any person with an ownership or control interest or who 
is an agent or managing employee of the provider through routine checks 
of Federal databases.
    (b) Check the Social Security Administration's Death Master File, 
the National Plan and Provider Enumeration System (NPPES), the List of 
Excluded Individuals/Entities (LEIE), the Excluded Parties List System 
(EPLS), and any such other databases as the Secretary may prescribe.
    (c)(1) Consult appropriate databases to confirm identity upon 
enrollment and reenrollment; and
    (2) Check the LEIE and EPLS no less frequently than monthly.


Sec.  455.440  National Provider Identifier.

    The State Medicaid agency must require all claims for payment for 
items and services that were ordered or referred to contain the 
National Provider Identifier (NPI) of the physician or other 
professional who ordered or referred such items or services.


Sec.  455.450  Screening levels for Medicaid providers.

    A State Medicaid agency must screen all initial applications, 
including applications for a new practice location, and any 
applications received in response to a re-enrollment or revalidation of 
enrollment request based on a categorical risk level of ``limited,'' 
``moderate,'' or ``high.'' If a provider could fit within more than one 
risk level described in this section, the highest level of screening is 
applicable.
    (a) Screening for providers designated as limited categorical risk. 
When the State Medicaid agency designates a provider as a limited 
categorical risk, the State Medicaid agency must do all of the 
following:
    (1) Verify that a provider meets any applicable Federal 
regulations, or State requirements for the provider type prior to 
making an enrollment determination.
    (2) Conduct license verifications, including State licensure 
verifications in States other than where the provider is enrolling, in 
accordance with Sec.  455.412.
    (3) Conduct database checks on a pre- and post-enrollment basis to 
ensure that providers continue to meet the enrollment criteria for 
their provider type, in accordance with Sec.  455.436.
    (b) Screening for providers designated as moderate categorical 
risk. When the State Medicaid agency designates a provider as a 
``moderate'' categorical risk, a State Medicaid agency must do both of 
the following:
    (1) Perform the ``limited'' screening requirements described in 
paragraph (a) of this section.
    (2) Conduct on-site visits in accordance with Sec.  455.432.
    (c) Screening for providers designated as high categorical risk. 
When the State Medicaid agency designates a provider as a ``high'' 
categorical risk, a State Medicaid agency must do both of the 
following:
    (1) Perform the ``limited'' and ``moderate'' screening requirements 
described in paragraphs (a) and (b) of this section.
    (2)(i) Conduct a criminal background check; and
    (ii) Require the submission of a set of fingerprints in accordance 
with Sec.  455.434.
    (d) Denial or termination of enrollment. A provider, or any person 
with 5 percent or greater direct or indirect ownership in the provider, 
who is required by the State Medicaid agency or CMS to submit a set of 
fingerprints and fails to do so may have its--
    (1) Application denied under Sec.  455.434; or
    (2) Enrollment terminated under Sec.  455.416.
    (e) Adjustment of risk level. The State agency must adjust the 
categorical risk level from ``limited'' or ``moderate'' to ``high'' 
when any of the following occurs:
    (1) The State Medicaid agency imposes a payment suspension on a 
provider based on credible allegation of fraud, waste or abuse, the 
provider has

[[Page 5970]]

an existing Medicaid overpayment, or the provider has been excluded by 
the OIG or another State's Medicaid program within the previous 10 
years.
    (2) The State Medicaid agency or CMS in the previous 6 months 
lifted a temporary moratorium for the particular provider type and a 
provider that was prevented from enrolling based on the moratorium 
applies for enrollment as a provider at any time within 6 months from 
the date the moratorium was lifted.


Sec.  455.452  Other State screening methods.

    Nothing in this subpart must restrict the State Medicaid agency 
from establishing provider screening methods in addition to or more 
stringent than those required by this subpart.


Sec.  455.460  Application fee.

    (a) Beginning on or after March 25, 2011, States must collect the 
applicable application fee prior to executing a provider agreement from 
a prospective or re-enrolling provider other than either of the 
following:
    (1) Individual physicians or nonphysician practitioners.
    (2)(i) Providers who are enrolled in either of the following:
    (A) Title XVIII of the Act.
    (B) Another State's title XIX or XXI plan.
    (ii) Providers that have paid the applicable application fee to--
    (A) A Medicare contractor; or
    (B) Another State.
    (b) If the fees collected by a State agency in accordance with 
paragraph (a) of this section exceed the cost of the screening program, 
the State agency must return that portion of the fees to the Federal 
government.


Sec.  455.470  Temporary moratoria.

    (a)(1) The Secretary consults with any affected State Medicaid 
agency regarding imposition of temporary moratoria on enrollment of new 
providers or provider types prior to imposition of the moratoria, in 
accordance with Sec.  424.570 of this chapter.
    (2) The State Medicaid agency will impose temporary moratoria on 
enrollment of new providers or provider types identified by the 
Secretary as posing an increased risk to the Medicaid program.
    (3)(i) The State Medicaid agency is not required to impose such a 
moratorium if the State Medicaid agency determines that imposition of a 
temporary moratorium would adversely affect beneficiaries' access to 
medical assistance.
    (ii) If a State Medicaid agency makes such a determination, the 
State Medicaid agency must notify the Secretary in writing.
    (b)(1) A State Medicaid agency may impose temporary moratoria on 
enrollment of new providers, or impose numerical caps or other limits 
that the State Medicaid agency identifies as having a significant 
potential for fraud, waste, or abuse and that the Secretary has 
identified as being at high risk for fraud, waste, or abuse.
    (2) Before implementing the moratoria, caps, or other limits, the 
State Medicaid agency must determine that its action would not 
adversely impact beneficiaries' access to medical assistance.
    (3) The State Medicaid agency must notify the Secretary in writing 
in the event the State Medicaid agency seeks to impose such moratoria, 
including all details of the moratoria; and obtain the Secretary's 
concurrence with imposition of the moratoria.
    (c)(1) The State Medicaid agency must impose the moratorium for an 
initial period of 6 months.
    (2) If the State Medicaid agency determines that it is necessary, 
the State Medicaid agency may extend the moratorium in 6-month 
increments.
    (3) Each time, the State Medicaid agency must document in writing 
the necessity for extending the moratorium.

PART 457--ALLOTMENTS AND GRANTS TO STATES

0
27. The authority citation for part 457 continues to read as follows:

    Authority:  Section 1102 of the Social Security Act (42 U.S.C. 
1302).



0
28. Section 457.900 is amended by adding a new paragraph (a)(2)(x) to 
read as follows:


Sec.  457.900  Basis, scope and applicability.

    (a) * * *
    (2) * * *
    (x) Sections 1902(a)(77) and 1902(kk) of the Act relating to 
provider and supplier screening, oversight, and reporting requirements.
* * * * *

0
29. A new Sec.  457.990 is added to subpart I to read as follows:


Sec.  457.990  Provider and supplier screening, oversight, and 
reporting requirements.

    The following provisions and their corresponding regulations apply 
to a State under title XXI of the Act, in the same manner as these 
provisions and regulations apply to a State under title XIX of the Act:
    (a) Part 455, Subpart E, of this chapter.
    (b) Sections 1902(a)(77) and 1902(kk) of the Act pertaining to 
provider and supplier screening, oversight, and reporting requirements.

PART 498--APPEALS PROCEDURES FOR DETERMINATIONS THAT AFFECT 
PARTICIPATION IN THE MEDICARE PROGRAM AND FOR DETERMINATIONS THAT 
AFFECT THE PARTICIPATION OF ICFs/MR AND CERTAIN NFs IN THE MEDICAID 
PROGRAM

0
30. The authority citation for part 498 continues to read as follows:

    Authority:  Secs. 1102 and 1871 of the Social Security Act (42 
U.S.C. 1302 and 1395hh).

0
31. Section 498.5 is amended by adding a new paragraph (l)(4) to read 
as follows:


Sec.  498.5  Appeal rights.

* * * * *
    (l) * * *
    (4) Scope of review. For appeals of denials based on Sec.  
424.530(a)(9) of this chapter related to temporary moratoria, the scope 
of review will be limited to whether the temporary moratorium applies 
to the provider or supplier appealing the denial. The agency's basis 
for imposing a temporary moratorium is not subject to review.

CHAPTER V-OFFICE OF INSPECTOR GENERAL-HEALTH CARE, DEPARTMENT OF HEALTH 
AND HUMAN SERVICES

PART 1007--STATE MEDICAID FRAUD CONTROL UNITS

0
32. The authority citation for part 1007 continues to read as follows:

    Authority: 42 U.S.C. 1320 and 1395hh.


0
33. Section 1007.9 is amended by adding paragraphs (e) through (g) to 
read as follows:


Sec.  1007.9  Relationship to, and agreement with, the Medicaid agency.

* * * * *
    (e)(1) The unit may refer any provider with respect to which there 
is pending an investigation of a credible allegation of fraud under the 
Medicaid program to the State Medicaid agency for payment suspension in 
whole or part under Sec.  455.23 of this title.
    (2) Referrals may be brief, but must be in writing and include 
sufficient information to allow the State Medicaid agency to identify 
the provider and to explain the credible allegations forming the 
grounds for the payment suspension.
    (f) Any request by the unit to the State Medicaid agency to delay 
notification to the provider of a payment suspension under Sec.  455.23 
of this title must be in writing.

[[Page 5971]]

    (g) When the unit accepts or declines a case referred by the State 
Medicaid agency, the unit notifies the State Medicaid agency in writing 
of the acceptance or declination of the case.

Catalog of Federal Domestic Assistance Program No. 93.778, Medical 
Assistance Program) (Catalog of Federal Domestic Assistance Program 
No. 93.773, Medicare--Hospital Insurance; and Program No. 93.774, 
Medicare--Supplementary Medical Insurance Program)


    Dated: January 14, 2011.
Donald Berwick,
Administrator, Centers for Medicare & Medicaid Services.
    Approved: January 21, 2011.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2011-1686 Filed 1-24-11; 12:15 pm]
BILLING CODE 4120-01-P