Medicare, Medicaid, and Children's Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 58204-58248 [2010-23579]

Agencies

• Centers for Medicare & Medicaid Services
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 75, Number 184 (Thursday, September 23, 2010)]
[Proposed Rules]
[Pages 58204-58248]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-23579]



[[Page 58203]]

-----------------------------------------------------------------------

Part IV





Department of Health and Human Services





-----------------------------------------------------------------------



Centers for Medicare & Medicaid Services



-----------------------------------------------------------------------



42 CFR Parts 405, 424, 438, et al.



Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers; Proposed Rule

Federal Register / Vol. 75 , No. 184 / Thursday, September 23, 2010 / 
Proposed Rules

[[Page 58204]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Parts 405, 424, 438, 447, 455, 457, 498, and 1007

[CMS-6028-P]
RIN 0938-AQ20


Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would implement provisions of the 
Affordable Care Act that establish: Procedures under which screening is 
conducted for providers of medical or other services and suppliers in 
the Medicare program, providers in the Medicaid program, and providers 
in the Children's Health Insurance Program (CHIP); an application fee 
to be imposed on providers and suppliers; temporary moratoria that may 
be imposed if necessary to prevent or combat fraud, waste, and abuse 
under the Medicare and Medicaid programs, and CHIP; guidance for States 
regarding termination of providers from Medicaid and CHIP if terminated 
by Medicare or another Medicaid State plan or CHIP; guidance regarding 
the termination of providers and suppliers from Medicare if terminated 
by a Medicaid State agency; and requirements for suspension of payments 
pending credible allegations of fraud in the Medicare and Medicaid 
programs. This proposed rule would also present an approach and request 
comments on the provisions of the Affordable Care Act that require 
providers of medical or other items or services or suppliers within a 
particular industry sector or category to establish compliance 
programs.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on November 16, 
2010.

ADDRESSES: In commenting, please refer to file code CMS-6028-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (please choose only one 
of the ways listed):
    1. Electronically. You may submit electronic comments on this 
regulation to https://www.regulations.gov. Follow the ``Submit a 
comment'' instructions.
    2. By regular mail. You may mail written comments to the following 
address only:
    Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Attention: CMS-6028-P, P.O. Box 8020, Baltimore, MD 
21244-8020.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. You may send written comments to 
the following address only:
    Centers for Medicare & Medicaid Services, Department of Health and 
Human Services, Attention: CMS-6028-P, Mail Stop C4-26-05, 7500 
Security Boulevard, Baltimore, MD 21244-1850
    4. By hand or courier. If you prefer, you may deliver (by hand or 
courier) your written comments before the close of the comment period 
to either of the following addresses:
    a. For delivery in Washington, DC--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, Room 445-G, Hubert 
H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 
20201.
    (Because access to the interior of the Hubert H. Humphrey Building 
is not readily available to persons without Federal government 
identification, commenters are encouraged to leave their comments in 
the CMS drop slots located in the main lobby of the building. A stamp-
in clock is available for persons wishing to retain a proof of filing 
by stamping in and retaining an extra copy of the comments being 
filed.)
    b. For delivery in Baltimore, MD--Centers for Medicare & Medicaid 
Services, Department of Health and Human Services, 7500 Security 
Boulevard, Baltimore, MD 21244-1850.
    If you intend to deliver your comments to the Baltimore address, 
please call telephone number (410) 786-9994 in advance to schedule your 
arrival with one of our staff members.
    Comments mailed to the addresses indicated as appropriate for hand 
or courier delivery may be delayed and received after the comment 
period.
    Submission of comments on paperwork requirements. You may submit 
comments on this document's paperwork requirements by following the 
instructions at the end of the ``Collection of Information 
Requirements'' section in this document.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Patricia Peyton (410) 786-1812 for 
Medicare enrollment issues. Claudia Simonson (312) 353-2115 for 
Medicaid and CHIP enrollment and Medicaid payment suspension issues.
    Joseph Strazzire (410) 786-2775 for Medicare payment suspension 
issues.
    Laura Minassian-Kiefel (410) 786-4641 for compliance program 
issues.

SUPPLEMENTARY INFORMATION: Inspection of Public Comments: All comments 
received before the close of the comment period are available for 
viewing by the public, including any personally identifiable or 
confidential business information that is included in a comment. We 
post all comments received before the close of the comment period on 
the following Web site as soon as possible after they have been 
received: https://www.regulations.gov. Follow the search instructions on 
that Web site to view public comments.
    Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at the headquarters of the 
Centers for Medicare & Medicaid Services, 7500 Security Boulevard, 
Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 
a.m. to 4 p.m. To schedule an appointment to view public comments, 
phone 1-800-743-3951.

I. Background

    The Medicare program (title XVIII of the Social Security Act (the 
Act)) is the primary payer of health care for 45 million enrolled 
beneficiaries. Under section 1802 of the Act, a beneficiary may obtain 
health services from an individual or an organization qualified to 
participate in the Medicare program. Qualifications to participate are 
specified in statute and in regulations (see, for example, sections 
1814, 1815, 1819, 1833, 1834, 1842, 1861, 1866, and 1891 of the Act; 
and 42 CFR chapter IV, subchapter G, which concerns standards and 
certification requirements).
    Providers and suppliers furnishing services must comply with the 
Medicare requirements stipulated in the Act and in our regulations. 
These requirements are meant to ensure compliance with applicable 
statutes, as well as to promote the furnishing of high quality care. As 
Medicare program expenditures have grown, we have increased our efforts 
to ensure that only qualified individuals and organizations are

[[Page 58205]]

allowed to enroll or maintain their Medicare billing privileges.
    The Medicaid program (title XIX of the Act) is a joint Federal and 
State health care program for eligible low-income individuals. States 
have considerable flexibility in how they administer their Medicaid 
programs within a broad Federal framework and programs vary from State 
to State.
    The Children's Health Insurance Program (CHIP) (title XXI of the 
Act) is a joint Federal and State health care program that provides 
health care coverage to more than 7.7 million otherwise uninsured 
children.
    Historically, States, in operating Medicaid and CHIP, have 
permitted the enrollment of providers who meet the State requirements 
for program enrollment.
    The Patient Protection and Affordable Care Act (Pub. L. 111-148), 
as amended by the Health Care and Education Reconciliation Act of 2010 
(Pub. L. 111-152) (collectively known as the Affordable Care Act) (the 
ACA) makes a number of changes to the Medicare and Medicaid programs 
and CHIP that enhance the provider and supplier enrollment process to 
improve the integrity of the programs to reduce fraud, waste, and abuse 
in the programs.

A. Statutory Authority

    The following is an overview of some of the statutory authority 
relevant to enrollment in Medicare, Medicaid, and CHIP:
     Sections 1102 and 1871 of the Act provide general 
authority for the Secretary of Health and Human Services (the 
Secretary) to prescribe regulations for the efficient administration of 
the Medicare program. Section 1102 of the Act also provides general 
authority for the Secretary to prescribe regulations for the efficient 
administration of the Medicaid program and CHIP.
     Section 4313 of the Balanced Budget Act of 1997 (BBA) 
(Pub. L. 105-33) amended sections 1124(a)(1) and 1124A of the Act to 
require disclosure of both the Employer Identification Number (EIN) and 
Social Security Number (SSN) of each provider or supplier, each person 
with ownership or control interest in the provider or supplier, any 
subcontractor in which the provider or supplier directly or indirectly 
has a 5 percent or more ownership interest, and any managing employees 
including directors and officers of corporations and non-profit 
organizations and charities. The ``Report to Congress on Steps Taken to 
Assure Confidentiality of Social Security Account Numbers as required 
by the Balanced Budget Act'' was signed by the Secretary and sent to 
the Congress on January 26, 1999. This report outlines the provisions 
of a mandatory collection of SSNs and EINs effective on or after April 
26, 1999.
     Section 936(a)(2) of the Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) 
amended the Act to require the Secretary to establish a process for the 
enrollment of providers of services and suppliers. We are authorized to 
collect information on the Medicare enrollment application (that is, 
the CMS-855, (Office of Management and Budget (OMB) approval number 
0938-0685)) to ensure that correct payments are made to providers and 
suppliers under the Medicare program as established by title XVIII of 
the Act.
     Section 1902(a)(27) of the Act provides general authority 
for the Secretary to require provider agreements under the Medicaid 
State Plans with every person or institution providing services under 
the State plan. Under these agreements, the Secretary may require 
information regarding any payments claimed by such person or 
institution for providing services under the State plan.
     Section 2107(e) of the Act, which provides that certain 
title XIX and title XI provisions apply to States under title XXI, 
including 1902(a)(4)(C) of the Act, relating to conflict of interest 
standards.
     Section 1903(i)(2) of the Act relating to limitations on 
payment.
     Section 1124 of the Act relating to disclosure of 
ownership and related information.
     Sections 6401, 6402, 6501,10603, and 1304 of the ACA 
amended the Act by establishing: (1) Procedures under which screening 
is conducted for providers of medical or other services and suppliers 
in the Medicare program, providers in the Medicaid program, and 
providers in the CHIP; (2) an application fee to be imposed on 
providers and suppliers; (3) temporary moratoria that the Secretary may 
impose if necessary to prevent or combat fraud, waste, and abuse under 
the Medicare and Medicaid programs and CHIP; (4) procedures to 
terminate providers if terminated by Medicare or another State plan; 
(5) requirements for suspensions of payments pending credible 
allegations of fraud in both the Medicare and Medicaid programs.

II. Provisions of the Proposed Regulations

A. Provider Screening Under Medicare, Medicaid, and CHIP

1. Statutory Changes
    Section 6401(a) of the ACA, as amended by section 10603 of the ACA, 
amends section 1866(j) of the Act to add a new paragraph, paragraph 
``(2) Provider Screening.'' Section 1866(j)(2)(A) of the Act requires 
the Secretary, in consultation with the Department of Health of Human 
Services' Office of the Inspector General (HHS OIG), to establish 
procedures under which screening is conducted with respect to providers 
of medical or other items or services and suppliers under Medicare, 
Medicaid, and CHIP. Section 1866(j)(2)(B) of the Act requires the 
Secretary to determine the level of screening to be conducted according 
to the risk of fraud, waste, and abuse with respect to the category of 
provider of medical or other items or services or supplier. The 
provision states that the screening shall include a licensure check, 
which may include such checks across State lines; and the screening 
may, as the Secretary determines appropriate based on the risk of 
fraud, waste, and abuse, include a criminal background check; 
fingerprinting; unscheduled or unannounced site visits, including pre-
enrollment site visits; database checks, including such checks across 
State lines; and such other screening as the Secretary determines 
appropriate. Section 1866(j)(2)(C) of the Act requires the Secretary to 
impose a fee on each institutional provider of medical or other items 
or services or supplier that would be used by the Secretary for program 
integrity efforts including to cover the cost of screening and to carry 
out the provisions of sections 1866(j) and 1128J of the Act. We discuss 
the fee in section II.B. of this proposed rule.
    Section 6401(b) of the ACA amends section 1902 of the Act to add 
new paragraphs (a)(77)(i) and (ii), which require States to comply with 
the process for screening providers and suppliers as established by the 
Secretary under 1866(j)(2) of the Act.\1\
---------------------------------------------------------------------------

    \1\ We believe that the reference to section 1886(j)(2) of the 
Act in section 6401(b)(1) of the Affordable Care Act is a 
scrivener's error. We believe the Congress intended to refer to 
section 1866(j)(2) of the Act, which, as amended by section 6401(a) 
of the Affordable Care Act, requires the Secretary to establish a 
process for screening providers and suppliers. Because the drafting 
error is apparent, and a literal reading of the reference to section 
1886(j)(2) of the Act would produce absurd results, we propose to 
interpret the cross-reference to section 1886(j)(2) in the new 
section 1902(ii) of the Act as if the reference were to section 
1866(j)(2).

---------------------------------------------------------------------------

[[Page 58206]]

    We note that the statute uses the terms ``providers of medical or 
other items or services,'' ``institutional providers,'' and 
``suppliers.'' The Medicare program enrolls a variety of providers and 
suppliers, some of which are referred to as ``providers of services,'' 
``institutional providers,'' ``certified providers,'' ``certified 
suppliers,'' and ``suppliers.'' In Medicare, the term ``providers of 
services'' under section 1861(u) of the Act means health care entities 
that furnish services primarily payable under Part A of Medicare, such 
as hospitals, home health agencies (including home health agencies 
providing services under Part B), hospices, and skilled nursing 
facilities. The term ``suppliers'' defined in section 1861(d) of the 
Act refers to health care entities that furnish services primarily 
payable under Part B of Medicare, such as independent diagnostic 
testing facilities (IDTFs), durable medical equipment prosthetics, 
orthotics, and supplies (DMEPOS) suppliers, and eligible professionals, 
which refers to health care suppliers who are individuals, that is, 
physicians and the other professionals listed in section 1848(k)(3)(B) 
of the Act. For Medicaid and CHIP, we use the terms ``providers'' or 
``Medicaid providers'' or ``CHIP providers'' when referring to all 
Medicaid or CHIP health care providers, including individual 
practitioners, institutional providers, and providers of medical 
equipment or goods related to care. The term ``supplier'' has no 
meaning in the Medicaid program or CHIP.
    Section 424.502 contains additional definitions that apply to these 
and other terms used throughout this proposed rule including the 
following:
     Authorized official means an appointed official (for 
example, chief executive officer, chief financial officer, general 
partner, chairman of the board, or direct owner) to whom the 
organization has granted the legal authority to enroll it in the 
Medicare program, to make changes or updates to the organization's 
status in the Medicare program, and to commit the organization to fully 
abide by the statutes, regulations, and program instructions of the 
Medicare program.
     Delegated official means an individual who is delegated by 
the ``Authorized Official,'' the authority to report changes and 
updates to the enrollment record. The delegated official must be an 
individual with ownership or control interest in, or be a W-2 managing 
employee of the provider or supplier.
     Managing employee means a general manager, business 
manager, administrator, director, or other individual that exercises 
operational or managerial control over, or who directly or indirectly 
conducts, the day-to-day operation of the provider or supplier, either 
under contract or through some other arrangement, whether or not the 
individual is a W-2 employee of the provider or supplier.
     Owner means any individual or entity that has any 
partnership interest in, or that has 5 percent or more direct or 
indirect ownership of the provider or supplier as defined in sections 
1124 and 1124A(A) of the Act.
     Physician or nonphysician practitioner organization means 
any physician or nonphysician practitioner entity that enrolls in the 
Medicare program as a sole proprietorship or organizational entity.
    The new screening procedures implemented pursuant to new section 
1866(j)(2) of the Act would be applicable to newly enrolling providers 
and suppliers, including eligible professionals, beginning on March 23, 
2011. These new procedures would be applicable to currently enrolled 
Medicare, Medicaid, and CHIP providers, suppliers, and eligible 
professionals beginning on March 23, 2012. These new screening 
procedures implemented pursuant to new section 1866(j)(2) of the Act 
would be applicable beginning on March 23, 2011 for those providers and 
suppliers currently enrolled in Medicare, Medicaid, and CHIP who 
revalidate their enrollment information. Within Medicare, the March 23, 
2011 implementation date will impact those current providers and 
suppliers whose 5-year revalidation cycle (or 3-year revalidation cycle 
for DMEPOS suppliers) results in revalidation occurring on or after 
March 23, 2011 and before March 23, 2012.
2. Summary of Existing Screening Measures
    Before we outline the new measures we are proposing under the ACA, 
it may be helpful to provide a summary of some of the screening 
measures already being utilized in Medicare, Medicaid, and CHIP. 
Pursuant to other authority, but with the notable exceptions of 
criminal background checks and fingerprinting, Medicare, generally 
through private contractors, already employs a number of the screening 
practices described in section 1866(j)(2)(B) of the Act to determine if 
a provider or supplier is in compliance with Federal and State 
requirements to enroll or to maintain enrollment in the Medicare 
program.
a. Licensure Requirements--Medicare and Medicaid
    Over the past several years, we have taken a number of steps to 
strengthen our ability to deny or revoke Medicare billing privileges 
when providers or suppliers do not have or do not maintain the 
applicable State licensure requirements for their provider or supplier 
type or profession. We established reporting responsibilities for all 
providers, suppliers, and eligible professionals in earlier regulations 
at Sec.  424.516(b) through (e). Today, to ensure that only qualified 
providers and suppliers remain in the Medicare fee-for-service (FFS) 
program, we require that Medicare contractors review State licensing 
board data on a monthly basis to determine if providers and suppliers 
remain in compliance with State licensure requirements. Medicare 
billing privileges would be revoked for those providers and suppliers 
who do not report a final adverse action (for example, license 
revocation or suspension, felony conviction) within the applicable 
reporting period, as required in Sec.  424.516(b) through (e). Medicare 
suppliers of DMEPOS and IDTFs are already subject to similar provisions 
in Sec.  424.57(c) and Sec.  410.33(g), respectively. DMEPOS suppliers 
are also subject to additional requirements including accreditation and 
surety bonding, pursuant to 42 CFR 424.57(c)(22) through (26) and 42 
CFR 424.57(d).
    Medicare Advantage organizations (MAOs) are required to verify 
licensure of providers and suppliers, including physicians and other 
health care professionals, in accordance with Sec.  422.204.
    For Medicaid and CHIP, most States do some checking of in-State 
provider licenses. For example, in some States, the existence of the 
license may be verified, but little attention might be given to any 
restrictions on the license.
b. Site Visits--Medicare
    Pursuant to Sec.  424.517, Medicare conducts the following site 
visits and takes the following actions, generally through private 
contractors under CMS direction:
     The National Supplier Clearinghouse (NSC) Medicare 
Administrative Contractor (the Medicare contractor that processes 
enrollment applications for suppliers of DMEPOS) conducts pre-
enrollment site visits to DMEPOS suppliers that are not associated with 
a chain supplier of

[[Page 58207]]

DMEPOS (a chain supplier of DMEPOS is a supplier with 25 or more 
distinct practice locations.)
     The NSC also conducts unannounced post-enrollment site 
visits to DMEPOS suppliers for which CMS or the NSC believes there is a 
likelihood of fraudulent or abusive activities to ensure those DMEPOS 
suppliers remain in compliance with the supplier standards found at 
Sec.  424.57(c).
     CMS at times exercises its right to--
     Have the NSC conduct ad hoc pre- and post-enrollment site 
visits to any DMEPOS supplier;
     Have Medicare contractors conduct pre-enrollment site 
visits to all IDTFs; and
     Conduct ad hoc pre-and post enrollment site visits to any 
prospective Medicare provider and supplier or any enrolled Medicare 
provider or supplier.
    In addition, under 42 CFR parts 488 and 489, a State survey agency 
or an approved national accreditation organization with deeming 
authority conducts pre-enrollment surveys for certified providers and 
suppliers to determine whether they meet the applicable Federal 
conditions and requirements for their provider or supplier type before 
they can participate in the Medicare program.
    We believe these efforts need to be expanded to include additional 
site visits and site visits to additional provider and supplier types 
in order to protect the Medicare FFS program from unscrupulous or 
potentially fraudulent providers and suppliers.
    We note that the site visits discussed here and elsewhere within 
this preamble and the proposed regulations are separate and apart from 
the site visits that are conducted pursuant to the Clinical Laboratory 
Improvement Amendments (CLIA). We intend to work with our State survey 
agency partners in coordinating these site visits so as to avoid 
duplication and burden on providers.
c. Database Checks--Medicare
    Today, Medicare contractors employ database checks of eligible 
professionals, owners, authorized officials, delegated officials, 
managing employees, medical directors, and supervising physicians (at 
IDTFs and laboratories) as part of the Medicare provider and supplier 
enrollment process. These include database checks with the Social 
Security Administration (SSA) (to verify an individual's SSN), the 
National Plan and Provider Enumeration System (NPPES) to verify the 
National Provider Identifier (NPI) of an eligible professional, and 
State licensing board checks to determine if an eligible professional 
is appropriately licensed to furnish medical services within a given 
State. These checks also include checking a provider or supplier 
against the HHS OIG's List of Excluded Individuals/Entities (LEIE) and 
the General Service Administration's Excluded Parties List System 
(EPLS). All of the database checks are used to assess the eligibility 
and qualifications of providers and suppliers to enroll in the Medicare 
program, to confirm the identity of an eligible professional to ensure 
that he or she may be considered for enrollment in the Medicare 
program.
    Also, on a monthly basis, CMS' Medicare contractors systematically 
compare enrolled providers, suppliers, and eligible professionals 
against the information in the Medicare Exclusions Database. The 
Medicare Exclusions Database identifies providers, suppliers, and 
eligible professionals who have been excluded from the Medicare and 
Medicaid programs by the HHS OIG. When a match is found, the HHS OIG 
exclusion information is systematically noted in the Medicare 
enrollment record of the provider, supplier, or eligible professional. 
In the Medicare program today, we deny or revoke the billing privileges 
of providers, suppliers, and eligible professionals who have been 
excluded by the HHS OIG. If the HHS OIG lifts the exclusion, the 
provider, supplier or eligible professional must reapply for enrollment 
in the Medicare program. In addition, Medicare contractors also review 
State licensure Web sites on a monthly basis to ensure that eligible 
professionals continue to meet State licensing requirements.
    In addition, since January 2009, we have compared date of death 
information obtained from the Social Security Administration Death 
Master File (SSA DMF) with the information maintained in the National 
Plan and Provider Enumeration System (NPPES), the system that assigns a 
NPI to individual and organizations. Based on this comparison and the 
subsequent verification, we have deactivated the NPIs of more than 
11,500 individuals who were previously assigned a type 1 (individual) 
NPI. We automatically transfer this information from NPPES to the 
Provider Enrollment, Chain, and Ownership System (PECOS), CMS' national 
Medicare enrollment repository to deactivate a deceased individual's 
Medicare billing privileges. In addition, Medicare contractors are 
required to review and act upon monthly files that contain a list of 
nonpractitioner individuals enrolled in the Medicare program who have 
been reported to the SSA as deceased. These individuals include: 
Owners, authorized officials, and delegated officials.
    MAOs, as required by Sec.  422.204, generally use database checks 
to verify licensure and licensure sanctions and limitations with State 
licensing boards and the Federation of State Medical Boards, DEA 
certificates with the National Technical Information Service (NTIS), 
history of adverse professional review actions and malpractice from the 
National Practitioner Data Bank (NPDB), accreditation status of 
institutional providers and suppliers with national accrediting boards, 
such as The Joint Commission (TJC), and search for HHS OIG exclusions 
using the HHS OIG Web site https://www.oig.hhs.gov/fraud/exclusions/list 
of excluded.html.
d. Criminal Background Checks--Medicare
    As described in Sec.  424.530(a) and Sec.  424.535(a), CMS or its 
designated Medicare contractor may deny or revoke the Medicare billing 
privileges of the owner of a provider or supplier, a physician or 
nonphysician practitioner, and terminate any corresponding provider or 
supplier agreement for a number of reasons, including an exclusion from 
the Medicare, Medicaid, and any other Federal health care program, a 
felony within the preceding 10 years that is considered detrimental to 
the Medicare program, and/or submission of false or misleading 
information on the Medicare enrollment application. While we currently 
require our Medicare contractors to verify data submitted on, and as 
part of, the Medicare provider/supplier enrollment application, our 
contractors are not able to verify information that may have been 
purposefully omitted or changed in a manner to obfuscate any previous 
criminal activity. In addition, criminal background checks are not 
routinely used in the FFS Medicare screening process.
e. Medicare MAO Requirements
    As mentioned earlier in this section, MAOs already employ a number 
of screening procedures in accordance with regulations and CMS manual 
instructions. Specifically, under Sec.  422.204(b)(3) in the case of 
providers meeting the definition of ``provider of services'' in section 
1861(u) of the Act, basic benefits may only be provided through 
providers if they have a provider agreement with CMS permitting them to 
furnish services under original Medicare. With respect to other 
entities like suppliers, Sec.  422.204(b)(3) requires that they ``meet 
the applicable requirements of title XVIII and Part A of title XI of 
the Act.''

[[Page 58208]]

Given these requirements we are considering to what extent MAOs should 
be required to apply the identical screening requirements we are 
proposing for the original Medicare program or whether substantively 
similar alternative approaches adopted by MAOs would be acceptable. 
Accordingly, we solicit public comments on whether or to what extent 
MAOs should be required to implement the same enhanced screening 
requirements for providers, suppliers and physicians that we are 
proposing for the original Medicare program.
f. Fingerprinting--Medicare
    We do not currently use fingerprinting in the Medicare screening 
process.
g. Screening--Medicaid and CHIP
    States vary in the degree to which they employ screening methods 
such as unscheduled and unannounced site visits and database checks, 
including such checks across State lines, criminal background checks, 
and fingerprinting. However, there are at least a few States that 
utilize each of those methods.
    States also vary in what they require their managed care entities 
(MCEs) \2\ to do in terms of screening network-level providers that are 
not also enrolled in the Medicaid program as FFS providers. We are 
considering to what extent States must require their MCEs to apply the 
identical screening requirements we are proposing for the States or 
whether substantively similar alternative approaches adopted by MCEs 
would be acceptable. Accordingly, we solicit public comments on whether 
or to what extent MCEs should be required to implement the same 
enhanced screening requirements for Medicaid and CHIP providers that we 
are proposing for State Medicaid and CHIP programs.
---------------------------------------------------------------------------

    \2\ For purposes of this preamble and the proposed regulations, 
``managed care entity'' and ``MCE'' will have the meaning Medicaid 
managed care organization (MCO), primary care case manager (PCCM), 
prepaid inpatient health plan (PIHP), prepaid ambulatory health plan 
(PAHP), and health insuring organization (HIO). This definition 
differs from the meaning in section 1932(a)(1)(B) of the Social 
Security Act, which limits MCEs to Medicaid MCOs and PCCMs. We 
propose a more inclusive definition for the regulation so that all 
those entities in States' managed care programs will provide 
disclosure information.
---------------------------------------------------------------------------

3. Proposed Screening Requirements
a. Medicare
    Section 1866(j)(2)(B) of the Act requires the Secretary to 
determine the level of screening applicable to providers and suppliers 
according to the risk of fraud, waste, and abuse the Secretary 
determines is posed by particular categories of providers and 
suppliers.
    In considering how to establish consistent screening standards, we 
are proposing to designate provider and supplier categories that would 
be subject to certain screening procedures based on CMS' assessment of 
fraud, waste and abuse risk of the provider or supplier category, 
taking into consideration a variety of factors including studies 
conducted by the HHS OIG and the GAO and other sources. We would 
designate categories of providers or suppliers (for example, ``newly 
enrolling DME suppliers'' or ``currently enrolled home health 
agencies'') that would be subject to screening procedures in each 
category based on our assessment of the level of risk presented by the 
category of provider. There will be 3 levels of risk: ``limited,'' 
``moderate'' and ``high,'' and each provider/supplier category will be 
assigned to one of these 3 levels. The screening procedures applicable 
to each risk level will be set by us and are included in this proposed 
rule. The categories described below and associated risk levels 
assigned are designed to identify those categories of providers and 
suppliers that pose a risk of fraud, waste, and abuse.
    Under this proposed approach, the relevant Medicare contractor (for 
example, fiscal intermediary, regional home health intermediary, 
carriers, Part A or Part B Medicare Administrative Contractor (A/B 
MAC), or the NSC Administrative Contractor) would utilize the screening 
tools mandated by us for the risk level assigned to a particular 
provider or supplier category.
    We are soliciting comments on the proposed assignment of specific 
provider and supplier types to established risk levels, including what 
criteria should be considered in making such assignments, whether such 
assignments should be released publicly, whether they should be subject 
to agency review and updated according to an established schedule (that 
is, annually, bi-annually), and the extent to which they should be 
updated according to evolving risks. We are also soliciting comments on 
any additional database checks that we should consider as a type of 
screening.
    Based on the level of risk assigned, we propose that the Medicare 
contractors would establish and conduct the following categorical 
screenings.

      Table 1--Category of Risk and Required Screening for Medicare
    Physicians, Non-Physician Practitioners, Providers, and Suppliers
------------------------------------------------------------------------
  Type of screening required       Limited      Moderate        High
------------------------------------------------------------------------
Verification of any provider/             X             X             X
 supplier-specific
 requirements established by
 Medicare.....................
Conduct license verifications,            X             X             X
 (may include licensure checks
 across States)...............
Database Checks (to verify                X             X             X
 Social Security Number (SSN),
 the National Provider
 Identifier (NPI), the
 National Practitioner Data
 Bank (NPDB) licensure, an OIG
 exclusion, taxpayer
 identification number, tax
 delinquency, death of
 individual practitioner,
 owner, authorized official,
 delegated official, or
 supervising physician).......
Unscheduled or Unannounced      ............            X             X
 Site Visits..................
Criminal Background Check.....  ............  ............            X
Fingerprinting................  ............  ............            X
------------------------------------------------------------------------

    As described above, we already require Medicare contractors to 
ensure that every provider or supplier meets any applicable Federal 
regulations or State requirements, including applicable licensure 
requirements \3\ for the provider or supplier type prior to making an 
enrollment determination. In addition, we also require that Medicare

[[Page 58209]]

contractors conduct monthly reviews of State licensing board actions to 
determine if an individual practitioner, such as a physician or non-
physician practitioner continues to meet State licensing requirements. 
In the case of organizational entities, we also require our Medicare 
contractors to conduct monthly or periodic checks to determine if an 
organizational entity continues to meet the Federal and State 
requirements for its provider or supplier type. Such verifications help 
ensure that a prospective provider or supplier is eligible to 
participate in the Medicare program or that an existing provider or 
supplier is eligible to maintain its Medicare billing privileges.
---------------------------------------------------------------------------

    \3\ We note that under section 408 of the reauthorized Indian 
Health Care Improvement Act, ``[a]ny requirement for participation 
as a provider of health care services under a Federal health care 
program that an entity be licensed or recognized under the State or 
local law where the entity is located to furnish health care 
services shall be deemed to have been met in the case of an entity 
operated by the [Indian Health] Service, an Indian tribe, tribal 
organization, or urban Indian organization if the entity meets all 
the applicable standards for such licensure or recognition, 
regardless of whether the entity obtains a license or other 
documentation under such State or local law.''
---------------------------------------------------------------------------

    Currently in the Medicare program, DMEPOS suppliers are required to 
re-enroll every 3 years, and other providers are required to revalidate 
their enrollment every 5 years. The terms revalidation and re-
enrollment are often used interchangeably, but are actually specific to 
these provider types. To eliminate any confusion about which term 
applies to which provider or supplier, we are proposing language at 42 
CFR 424.57(e) to change all references to re-enroll or re-enrollment to 
revalidate or revalidation. In addition, the ACA requires that no 
provider or supplier shall be allowed to enroll in Medicare or 
revalidate its enrollment in Medicare after March 23, 2013 without 
being screened pursuant to the authorities covered by this proposed 
rule. To assist CMS in assuring that the statutory effective date is 
met, we are proposing at 42 CFR 424.515 to permit CMS to require that a 
provider or supplier revalidate its enrollment at any time. After the 
revalidation, the current cycle for revalidation (3 years for DMEPOS, 
and 5 years for all other providers) would apply.
(1) Limited
    In general, we consider physicians, nonphysician practitioners, and 
medical clinics and group practices to pose limited risk because these 
professionals are State licensed and we are not aware of any recent 
studies or other evidence that indicates that these suppliers, as a 
category, pose an elevated risk to the Medicare program.
    Similarly, we believe that a provider or supplier that is publicly 
traded on the New York Stock Exchange (NYSE) or the National 
Association of Securities Dealers Automated Quotation System (NASDAQ) 
poses a limited risk because of the financial oversight provided by 
investors, corporate boards of directors, and the Security and Exchange 
Commission. Finally, based on our own data analysis including analysis 
of historical trends and CMS's own experience with provider screening 
and enrollment we believe that the following providers and suppliers 
currently pose a limited risk to the Medicare program: Ambulatory 
surgical centers (ASCs); end-stage renal disease (ERSD) facilities; 
Federally qualified health centers (FQHCs); histocompatibility 
laboratories; hospitals, including critical access hospitals (CAHs); 
Indian Health Service (IHS) facilities; mammography screening centers; 
organ procurement organizations (OPOs); mass immunization roster 
billers, portable x-ray suppliers; religious nonmedical health care 
institutions (RNHCIs); rural health clinics (RHCs); radiation therapy 
centers; public or government owned or affiliated ambulance services 
suppliers (defined as an ambulance supplier owned in whole or in part 
by a State or local government), and skilled nursing facilities (SNFs). 
Accordingly, we propose to include the categories of providers and 
suppliers listed above within the ``limited'' level of risk. We think 
the additional government oversight of ``government owned or 
affiliated'' ambulance service providers justifies placing these 
providers in the limited category.
    In Sec.  424.518(a), we propose that the following screening tools 
will apply to providers and suppliers in categories designated as 
``limited'' risk: (1) Verification that a provider or supplier meets 
any applicable Federal regulations, or State requirements for the 
provider or supplier type prior to making an enrollment determination; 
(2) verification that a provider or supplier meets applicable licensure 
requirements; and (3) database checks on a pre- and post-enrollment 
basis to ensure that providers and suppliers continue to meet the 
enrollment criteria for their provider/supplier type.
    To assist readers in understanding the type of providers and 
suppliers that we propose to include in the ``limited'' risk level, we 
are providing the following table.

  Table 2--Medicare Providers and Suppliers Designated as a ``Limited''
                 Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Physician or non-physician practitioners and medical groups or clinics.
Providers or suppliers that are publicly traded on the NYSE or NASDAQ.
Ambulatory surgical centers, end-stage renal disease facilities,
 Federally qualified health centers, histocompatibility laboratories,
 hospitals, including critical access hospitals, Indian Health Service
 facilities, mammography screening centers, organ procurement
 organizations, mass immunization roster billers, portable x-ray
 supplier, religious non-medical health care institutions, rural health
 clinics, radiation therapy centers, public or government owned or
 affiliated ambulance services suppliers, and skilled nursing
 facilities.
------------------------------------------------------------------------

(2) Moderate
    For those provider and supplier categories with a ``moderate'' 
level of risk, we propose that Medicare contractors will conduct 
unannounced pre- and/or post-enrollment site visits in addition to 
those screening tools applicable to the ``limited'' level of risk. 
Based on the success of pre- and/or post-enrollment site visits 
conducted by the NSC during the enrollment process for suppliers of 
DMEPOS and a similar process established by carriers and A/B MACs 
during the enrollment of IDTFs, we believe that unscheduled and 
unannounced pre- and post-enrollment site visits help ensure that 
suppliers are operational and meet applicable supplier standards or 
performance standards. In addition, we believe that unscheduled and 
unannounced pre- and post-enrollment site visits are an essential tool 
in determining whether a provider or supplier is in compliance with its 
reporting responsibilities, including the requirement in Sec.  424.516 
to notify the Medicare contractor of any change of practice location.
    Moreover, Sec.  424.530(a)(5) and Sec.  424.535(a)(5) give CMS and 
its Medicare contractors the authority to deny or revoke Medicare 
billing privileges for providers and suppliers respectively if the 
provider or supplier is not operational or the provider does not 
maintain the established provider or supplier performance standards. 
And while we do not believe that unscheduled or unannounced site visits 
are necessary for all providers and

[[Page 58210]]

suppliers, we do believe that a number of businesses, like the ones 
mentioned below, pose an increased risk to the Medicare program, due at 
least in part to the lack of individual professional licensure.
    Moreover, as discussed below, we have found that certain types of 
providers and suppliers that easily enter a line or business without 
clinical or business experience, for example by leasing minimal office 
space and equipment, present a higher risk of possible fraud to our 
programs. As such, we believe that because these types of providers 
pose an increased risk of fraud they should be subject to substantial 
scrutiny before being permitted to enroll and bill Medicare, Medicaid, 
or CHIP. This type of pre-enrollment scrutiny will help us move away 
from the ``pay and chase'' approach. With the exception of providers 
and suppliers that are publicly traded on the NYSE or NASDAQ and 
therefore considered ``limited'' risk, we propose that the following 
prospective provider and supplier types be considered a ``moderate'' 
risk for the purpose of determining the appropriate level of screening: 
nonpublic, non-government owned or affiliated ambulance service 
suppliers, community mental health centers (CMHCs), comprehensive 
outpatient rehabilitation facilities (CORFs), hospice organizations, 
IDTFs, and independent clinical laboratories.
    Most of these provider and supplier types are generally highly 
dependent on Medicare, Medicaid, or CHIP to pay their salaries and 
other operating expenses and are subject to less additional other 
government or professional oversight than the providers and suppliers 
in the limited risk category. Accordingly, we believe it is appropriate 
and necessary to conduct unscheduled and unannounced pre-enrollment 
site visits to ensure that these prospective providers and suppliers 
meet CMS' enrollment requirements prior to enrolling in the Medicare 
program. Moreover, we believe that post-enrollment site visits are also 
important to ensure that the enrolled provider or supplier remains a 
viable health care provider or supplier in the Medicare program.
    Accordingly, we propose in Sec.  424.518(b)(i) that in addition to 
the categorical screening tools used with respect to limited risk 
providers and suppliers that Medicare contractors shall conduct 
unannounced and unscheduled site visits prior to enrolling the 
following prospective providers and suppliers with the exception of 
providers and suppliers that are publicly traded on the NYSE or NASDAQ 
and therefore considered ``limited'' risk: Nonpublic, nongovernment 
owned or affiliated ambulance services suppliers, CMHCs, CORFs, hospice 
organizations, IDTFs, and independent clinical laboratories. In 
addition, we propose that the following currently enrolled Medicare 
providers should be categorized as ``moderate'': Currently enrolled 
(revalidating) home health agencies or suppliers of DMEPOS. (Except 
that any such provider that is publicly traded on the NYSE or NASDAQ is 
considered ``limited'' risk.)
    We believe that the providers and suppliers described above have 
the similar risk level as suppliers of DMEPOS and IDTFs, for both of 
which we already require a pre-enrollment site visit prior to 
completing the enrollment process.
    We are also proposing in Sec.  424.518(b)(ii) that the Medicare 
contractor shall conduct an unannounced and unscheduled pre-enrollment 
and/or post-enrollment on-site visit for the following providers and 
suppliers that are not publicly traded on the NYSE or NASDAQ during the 
revalidation process: non-public, non-government owned or affiliated 
ambulance services suppliers; CMHCs, CORFs, DMEPOS suppliers, HHAs, 
hospice organizations, IDTFs, and independent clinical laboratories. 
For the same reasons that we believe that a Medicare contractor should 
conduct a pre-enrollment site visit, we believe that Medicare 
contractors should conduct post-enrollment site visits during the 
revalidation process for the provider and supplier types described 
above.
    HHS OIG and GAO have issued studies indicating that several of the 
provider and supplier types cited above have an elevated risk. In an 
October 2007 report titled, ``Growth in Advanced Imaging Paid under the 
Medicare Physician Fee Schedule'' (OEI-01-06-00260), the HHS OIG 
recommended that CMS consider conducting site visits to monitor IDTFs' 
compliance with Medicare requirements.'' In addition, in an April 2007 
report titled, ``Medicare Hospices: Certification and Centers for 
Medicare & Medicaid Services Oversight'' (OEI-06-05-00260), the HHS OIG 
recommended that CMS seek legislation to establish additional 
enforcement remedies for poor hospice performance. In response to this 
recommendation, CMS stated that it was considering whether to pursue 
new enforcement remedies for poor hospice performance. While the 
Medicare enrollment process is not designed to verify the conditions of 
participation, we do believe that more frequent onsite visits may help 
identify those hospice organizations that are no longer operational at 
the practice location identified on the Medicare enrollment 
application.
    In a January 2006 report titled, ``Medicare Payments for Ambulance 
Transports'' (OEI-05-02-000590), the HHS OIG found that ``twenty-five 
percent of ambulance transports did not meet Medicare's program 
requirements, resulting in an estimated $402 million in improper 
payments.''
    In an August 2004 report titled, ``Comprehensive Outpatient 
Rehabilitation Facilities: High Medicare Payments in Florida Raise 
Program Integrity Concerns'' (GAO-04-709), the GAO concluded that, 
``[s]izeable disparities between Medicare therapy payments per patient 
to Florida CORFs and other facility-based outpatient therapy providers 
in 2002--with no clear indication of differences in patient needs--
raise questions about the appropriateness of CORF billing practices. 
After finding high rates of medically unnecessary therapy services to 
CORFs, CMS's claims administration contractor for Florida took steps to 
ensure appropriate claim payments for a small, targeted group of CORF 
patients. Despite its limited success, billing irregularities continued 
among some CORFs and many CORFs continued to receive relatively high 
payments the following year. This suggests that the contractor's 
efforts were too limited in scope to be effective with all CORF 
providers.''
    In addition to GAO and HHS OIG studies and reports, a number of 
Zone Program Integrity Contractors (ZPIC) and Program Safeguard 
Contractors (PSC), organizations used by CMS in helping to fight fraud 
in Medicare, have taken a number of administrative actions including 
payment suspensions and increased medical review, for the provider and 
supplier types shown above. For example, the Zone 7 ZPIC contractor in 
South Florida has conducted onsite reviews at 62 CORFs since January 
2010 and recommended revocation for 51 CORFs, or 82 percent of the 
CORFS in the area. The same contractor has conducted an onsite reviews 
at 38 CMHCs located in Dade, Broward and Palm Beach County since 
January 2010, and recommended that 30 CMHCs be revoked for 
noncompliance (79 percent of the CMHCs in the area). In each instance 
where the ZPIC requested a revocation, the CMHC was also placed on 
prepay review. We have also conducted an analysis of IDTF licensure 
requirements and have found several circumstances that indicate

[[Page 58211]]

irregularity and potential risk of fraud. Although independent clinical 
laboratories are subject to survey against CLIA requirements, there are 
nonetheless a number of potentials for fraud, not the least of which is 
the sheer volume of service and associated billing generated by these 
entities.
    Also, while we believe that prospective suppliers of DMEPOS that 
are not publicly-traded on the NYSE or NASDAQ are a ``high'' 
categorical risk (see discussion below), we believe that there is ample 
evidence to support the use of post-enrollment site visits as a 
reliable and effective tool to ensure that a current supplier of DMEPOS 
remains operational and continues to meet the supplier standards found 
in Sec.  424.57(c). In a March 2007 report titled, ``Medical Equipment 
Suppliers Compliance with Medicare Enrollment Requirements'' (OEI-04-
05-00380), the HHS OIG concluded that, ``By helping to ensure the 
legitimacy of DMEPOS suppliers, out-of cycle site visits may help to 
prevent fraud, waste, and abuse in the Medicare program. CMS may want 
to consider the findings of our study as they determine how and to what 
extent out-of-cycle site visits of DMEPOS suppliers will occur.'' 
Today, the NSC MAC utilizes on post-enrollment site visits as the 
primary screening to determine ongoing compliance with the enrollment 
criteria set forth in Sec.  424.57(c). Therefore, we have included 
currently enrolled DMEPOS suppliers in the ``moderate'' category.
    We also note that, in addition to the new screening measures being 
proposed in this rule, under the existing regulation at Sec.  424.517, 
a Medicare contractor may conduct an unannounced or unscheduled site 
visit at any time for any provider or supplier type prior to enrolling 
a prospective provider or supplier or for any existing provider or 
supplier enrolled in the Medicare program. While the primary purpose of 
an unannounced and unscheduled site visit is to ensure that a provider 
or supplier is operational at the practice location found on the 
Medicare enrollment application, a Medicare contractor may also verify 
established supplier standards or performance standards other than 
conditions of participation (CoP) subject to survey and certification 
by the State Survey agency, where applicable, to ensure that the 
supplier remains in compliance with program requirements.
    To assist readers in understanding the type of providers and 
suppliers that we propose to include in the ``moderate'' risk level, we 
are providing the following table.

 Table 3--Medicare Providers and Suppliers Designated as a ``Moderate''
                 Categorical Risk for Screening Purposes
------------------------------------------------------------------------
                       Provider/supplier category
-------------------------------------------------------------------------
Community mental health centers; Comprehensive outpatient rehabilitation
 facilities; Hospice organizations; Independent diagnostic testing
 facilities; Independent clinical laboratories; and Nonpublic,
 Nongovernment owned or affiliated ambulance services suppliers. (Except
 that any such provider or supplier that is publicly traded on the NYSE
 or NASDAQ is considered ``limited'' risk.)
Currently enrolled (revalidating) home health agencies. (Except that any
 such provider that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
Currently enrolled (re-validating) suppliers of DMEPOS.(Except that any
 such supplier that is publicly traded on the NYSE or NASDAQ is
 considered ``limited'' risk.)
------------------------------------------------------------------------

 (3) High
    For those provider and supplier categories within the ``high'' 
level of risk, we propose that, in addition to the screening tools 
applicable to the ``limited'' and ``moderate'' levels of risk, Medicare 
contractors would use the following screening tools in the enrollment 
process: (1) Criminal background check; and (2) submission of 
fingerprints using the FD-258 standard fingerprint card. (The FD-258 
fingerprint card is recognized nationally and can be found at local, 
county or State law enforcement agencies where, for a fee, agencies 
will supply the card and take the fingerprints.) We propose that these 
tools would be applied to owners, authorized or delegated officials or 
managing employees of any provider or supplier within the ``high'' 
level of risk. We believe that criminal background checks will assist 
CMS in determining if an individual, such as an owner, authorized 
official, or delegated official, or managing employee of a high-risk 
provider or supplier type, submitted a complete and truthful Medicare 
enrollment application and whether an individual is eligible to enroll 
in the Medicare program or maintain Medicare billing privileges. We 
also believe that use of fingerprinting will help in verification of an 
individual's identity and help resolve issues associated with identity 
theft as discussed below. We believe that this position is supported by 
testimony of the GAO before the subcommittees for Health and Oversight 
and Ways and Means within the House of Representatives on June 15, 
2010, stating in part that ``[c]hecking the background of providers at 
the time they apply to become Medicare providers is a crucial step to 
reduce the risk of enrolling providers intent on defrauding or abusing 
the program. In particular, we have recommended stricter scrutiny of 
enrollment processes for two types of providers whose services and 
items CMS has identified as especially vulnerable to improper 
payments--home health agencies (HHAs) and suppliers of durable medical 
equipment, prosthetics, orthotics, and supplies (DMEPOS).''
    In Sec.  424.518(c)(1), we are proposing that, unless they are 
publicly traded on the NYSE or NASDAQ, newly enrolling HHAs and 
suppliers of DMEPOS are within the ``high'' risk level. Based on our 
experience and on work conducted by the HHS OIG and the GAO, and 
because we do not have the monitoring experience with newly enrolling 
DMEPOS suppliers or HHAs that we have with those currently enrolled, we 
have placed these providers and suppliers in the ``high'' risk 
category. We are especially concerned about newly enrolling HHAs and 
suppliers of DMEPOS because of the high number of HHAs and suppliers of 
DMEPOS already enrolled in the Medicare program and program 
vulnerabilities that these entities pose to the Medicare program. Below 
is a list of HHS OIG and GAO reports identifying home health agencies 
and suppliers of DMEPOS as posing an elevated risk to the Medicare 
program.
     In a December 2009 report titled, ``Aberrant Medicare Home 
Health Outlier Payment Patterns in Miami-Dade County and Other 
Geographic Areas in 2008'' (OEI-04-08-00570), the HHS OIG recommended 
that CMS continue with efforts to strengthen enrollment standards for 
home health providers to prevent illegitimate HHAs from obtaining 
billing privileges.

[[Page 58212]]

     In a February 2009 report titled, ``Medicare: Improvements 
Needed to Address Improper Payments in Home Health'' (GAO-09-185), the 
GAO concluded that the Medicare enrollment process does not routinely 
include verification of the criminal history of applicants, and without 
this information individuals and businesses that misrepresent their 
criminal histories or have a history of relevant convictions, such as 
for fraud, could be allowed to enter the Medicare program. In addition, 
the GAO recommended that CMS assess the feasibility of verifying the 
criminal history of all key officials named on the Medicare enrollment 
application.
     In a February 2008 report titled, ``Los Angeles County 
Suppliers' Compliance with Medicare Standards: Results from Unannounced 
Visits'' (OEI-09-07-00550) and in a March 2007 report titled, ``South 
Florida Suppliers' Compliance with Medicare Standards: Results from 
Unannounced Visits (OEI-03-07-00150), the HHS OIG recommended that CMS 
strengthen the Medicare DMEPOS supplier enrollment process and ensure 
that suppliers meet Medicare supplier standards. The HHS OIG provided 
several options to implement this recommendation including: (1) 
Conducting more unannounced site visits to suppliers; (2) performing 
more rigorous background checks on applicants; (3) assessing the fraud 
risk of suppliers; and (4) targeting, monitoring, and enforcement of 
high-risk suppliers.
     In a September 2005 report titled, ``Medicare: More 
Effective Screening and Stronger Enrollment Standards Needed for 
Medical Equipment Suppliers'' (GAO-05-656), the GAO concluded that,

    CMS is responsible for assuring that Medicare beneficiaries have 
access to the equipment, supplies, and services they need, and at 
the same time, for protecting the program from abusive billing and 
fraud. The supplier standards and NSC's gate keeping activities were 
intended to provide assurance that potential suppliers are qualified 
and would comply with Medicare rules. However, there is overwhelming 
evidence--in the form of criminal convictions, revocations, and 
recoveries--that the enrollment processes and the standards are not 
strong enough to thoroughly protect the program from fraudulent 
entities. We believe that CMS must focus on strengthening the 
standards and overseeing the supplier enrollment process. It needs 
to better focus on ways to scrutinize suppliers to ensure that they 
are responsible businesses, analogous to Federal standards for 
evaluating potential contractors.

    We recognize that there may also be circumstances where a 
particular provider or supplier or group of providers and suppliers may 
pose a higher risk of fraud, waste, and abuse than the level identified 
for their category generally. Therefore, in Sec.  424.518(c)(3), we are 
proposing specific criteria that we would use to adjust the 
classification of a provider or supplier into a higher risk level than 
would generally apply to the category of provider or supplier, in order 
to address specific program vulnerabilities. We are soliciting comments 
on specific additional circumstances that might justify shifting a 
provider or supplier into a higher risk level than would generally 
apply to its category. We are also soliciting comment on the criteria 
that we could use to shift the risk level back down.
    In Sec.  424.518(c)(3)(i), we are proposing to adjust a provider or 
supplier from the ``limited'' or ``moderate'' risk level to the 
``high'' risk level when CMS has evidence from or concerning a 
physician or nonphysician practitioner that another individual is using 
their identity within the Medicare program. While our Medicare 
contractors have implemented procedures to reduce the possibility of 
identity theft and use of physician's identity for the purposes of 
enrolling and fraudulently billing the Medicare program, we believe 
that we have a responsibility to all individuals participating in the 
Medicare program to take the necessary steps to investigate and resolve 
any allegations of identity theft. We do not intend to fingerprint the 
individual physician or other eligible professional who has been the 
victim of identity or provider number theft.
    In Sec.  424.518(c)(3), we are proposing to adjust a provider or 
supplier from the ``limited'' or ``moderate'' level of risk to the 
``high'' level of risk based on: the provider or supplier having been 
placed on a previous payment suspension; or the provider or supplier 
has been excluded by the HHS OIG or had its Medicare billing privileges 
denied or revoked by a Medicare contractor within the previous 10 years 
and is attempting to establish additional Medicare billing privileges 
for a new practice location or by enrolling as a new provider or 
supplier. In addition, we believe that providers that have been 
terminated or otherwise precluded from billing Medicaid should be 
adjusted from the ``limited'' or ``moderate'' category to the ``high'' 
category. We believe that such providers or suppliers pose an elevated 
level of risk to the Medicare program.
    In Sec.  424.518(c)(3)(iv), we are proposing to adjust providers or 
suppliers from the ``limited'' or ``moderate'' level of risk to the 
``high'' level of risk for 6 months after CMS lifts a temporary 
moratorium (see section II.C. of this proposed rule) applicable to such 
providers or suppliers. This would include providers and su