Risk Management and Governance Implications Associated with CMS’ Final Rule on Program Integrity Enhancements to the Provider Enrollment Process
This Briefing is brought to you by AHLA’s Enterprise Risk Management Task Force; ACE Affinity Group of the RAP Practice Group; and Governance Affinity Group of the BLG Practice Group.
- October 29, 2019
- Susan N. Goodman , Pivot Health Law LLC
- William W. Horton , Jones Walker LLP
- Colin P. McCarthy , McGuireWoods LLP
Unpacking all the implications of the Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process Final Rule1 (Final Rule) and the risks and challenges arising from its enhanced disclosure requirements is difficult at best. With expansive new definitions of “affiliation” and “disclosable event” in the context of provider/supplier enrollments and revalidations, the Centers for Medicare & Medicaid Services (CMS) has raised the stakes for providers and suppliers in terms of due diligence on those persons and entities with whom they do business. At first blush, compliance/risk/governance professionals may be tempted simply to rely on the fact that CMS decided, in the Final Rule, to phase in the disclosure of affiliation requirements under 42 C.F.R. §424.519(b).2 Essentially, this Final Rule change means that CMS will perform the initial research and analytics behind the scenes through its available information. If CMS uncovers “at least one” disclosable or triggering event, it will then require that the provider or supplier disclose all affiliations under section 424.519(b) during enrollment or revalidation. While a “wait and hope” approach to implementation of this Final Rule requirement is tempting, a delay in tackling the internal processes and system challenges associated with Final Rule implementation will be particularly problematic if CMS comes knocking and asking for a thorough affiliation disclosure based on its analytics. Accordingly, it is important to understand the Final Rule implications and begin strategizing implementation approaches for your organization.
CMS initially proposed changes to 42 C.F.R. part 424, subpart P and other program integrity provisions3 in March 2016,4 with the stated goal of shutting down pathways for serial bad actors to continue to defraud federal programs through ownership, name, or identity changes, or inter-provider relationships intended to make these changes more difficult to connect to fraudulent individuals and entities. As adopted, the Final Rule provides CMS with additional authority to deny or revoke provider enrollment and establishes increased penalty periods for enrollment/reenrollment after a denial or revocation.5
The Final Rule imposes disclosure burdens on all suppliers and providers to identify and disclose all direct and indirect affiliations6 with suppliers and/or providers who have uncollected debt7 and/or those subject to payment suspension, Office of Inspector General (OIG) exclusion, or enrollment denial/revocation.8 The mechanism of disclosure would be associated with forthcoming revised prompts on the Form CMS-855 for use during enrollment and revalidation. The Final Rule sets forth generally similar processes for Medicaid and the Children’s Health Insurance Program.
In addition to denial/revocation authority for affiliations that pose undue risk or for failure to report affiliations, CMS sought to ensure that individuals and entities who pose risk to program integrity were kept out of these programs—from both the reentry and the multiple enrollment perspectives. To that end, denial/revocation enrollment authority has been expanded to attempt to capture all practice locations and businesses of a provider or supplier. Further, CMS lengthened the reenrollment bar time period and added a reapplication bar.
The risk management and governance implications posed by the Final Rule changes are many. Large organizations may have hundreds of providers with reassignment relationships and complex direct and indirect ownership structures with many entities owning 5% or more of the enrolled providers or suppliers within the organization. As a result, organizations need to review current tracking mechanisms to elicit, track, and continually update the various organizational interests of suppliers and providers. While CMS indicated it would not automatically revoke enrollment privileges for problematic affiliations when “the failure to disclose was based on an honest inability to obtain relevant information,”9 suppliers and providers should not assume that existing practices are enough to capture the information that CMS now seeks.
A common challenge for health care systems comes from departmental (and perhaps information system) segmentation in data collection and storage. Various pieces of information are gathered by credentialing, contract management, supply chain, and other departments, yet such information may not roll up to a common data source. As a starting point to comply with Final Rule mandates, the risk management/compliance professional team may want to begin with understanding what affiliation and/or disclosable event data the organization currently collects and how it is stored. From a system perspective, organizations may want to review the capability of contract management software to understand whether an opportunity exists to add fields to capture tracking information that gives rise to an organizational affiliation under the Final Rule. Once a “gap analysis” is completed, the organization can develop process and system improvement strategies designed to meet the demands of the Final Rule.
A starting point for system improvements may be a focus on contract provisions and conflict-of-interest disclosures. Given that a significant organizational risk may arise from incomplete, inadequate, or even intentionally disingenuous conflict-of-interest disclosures by contract counterparties, the organization may need to add additional contract language to support contractual indemnification provisions if non-disclosed (or incompletely disclosed) conflicts lead to enrollment issues. This contract review goes beyond just employment or professional services agreements. The organization will also need to review supply contracts to ensure that these agreements include disclosure expectations. Term and termination provisions as well as indemnification provisions may need updating. It may also be necessary to revise medical staff bylaws and rules and regulations documents/processes to clarify expectations and penalties associated with failure to disclose affiliations and disclosable events as required. The organization should also review associated policies and procedures and/or corporate compliance policies for necessary updating.
While CMS has acknowledged the data challenges associated with uncovering problematic affiliations/disclosable events, prudent organizations should nevertheless begin defining best-practice processes to support the inference of an “honest attempt” to uncover such information. Simply searching the OIG List of Excluded Individuals/Entities will not be enough. Larger organizations may already have a third-party vendor in place to assist with background checks and exclusion screening. Again, reviewing the capabilities and documentation support flowing from these existing relationships is important, as is documenting any information enhancements that are implemented to better comply with the Final Rule.
CMS developed the Final Rule with the stated intent of shutting down pathways for bad actors to exploit government health care programs. As part of this process, CMS wants to also shut down affiliations that pose an undue risk of fraud, abuse, or waste. Accordingly, organizations will need to update risk management and governance practices to demonstrate efforts to appropriately identify affiliations that could be subject to further review.
For an in-depth overview of the Final Rule and how providers and suppliers can begin preparing for its implementation, please join RAP and the ACE Affinity Group’s webinar on November 6, 2019 from 2-3:30 EST, “New CMS Program Integrity Final Rule Is Here-Guideposts for Operationalizing the New Disclosure Requirements,” presented by Ross Sallade (Polsinelli) and Jeanne Vance (Salem & Green). More information and registration at: https://distancelearning.healthlawyers.org/p/W-FRH19.
1 84 Fed. Reg. 47794-47857, Sept. 10, 2019, effective Nov. 4, 2019.
2 Id. at p. 47853.
3 42 C.F.R. parts 405, 455, and 457, as cited 84 Fed. Reg. 47794.
4 81 Fed. Reg. 10720, Mar. 16, 2016. For an excellent discussion of the proposed rule and its implications, seeMedicare Enrollment Revocations and Reenrollment Bans: The Scary New Enrollment Landscape for Providers and Suppliers, Jennifer M Nelson Carney and David M. Johnston, Bricker & Eckler LLP, Columbus, OH, AHLA Connections, Aug. 2017.
5 84 Fed. Reg. at 47795.
6 The Final Rule adopted the proposed definition of “affiliation” to include: 5% or greater direct/indirect ownership; general/limited partnership interest; direct/indirect operational or managerial control; acting as a director; and, any reassignment relationship. Id. at 47798.
7 Defined as “any debt stemming from a Medicare, Medicaid, or CHIP overpayment for which CMS or the state has sent a notice of the debt, such as a demand letter or other formal request for payment, to the affiliated provider or supplier and which has not been fully repaid.” 84 Fed. Reg. at 47806.
8 84 Fed. Reg. at 47794-95.
9 Id. at 47820.