Skip to main content

CMS Issues Extensive New Anti-Fraud Measures

The Centers for Medicare & Medicaid Services (CMS) recently issued a final rule (84 Fed. Reg. 47794) that includes several anti-fraud measures and significantly expands the agency’s authority to exclude new and current providers and suppliers that are identified as posing an undue risk of fraud, waste, or abuse. Importantly, the new measures require providers and suppliers to disclose upon CMS request and upon application for initial enrollment or revalidation, any “affiliations” with parties who have one or more defined “disclosable events.” The final rule goes into effect on Nov. 4, 2019.

Disclosure of Affiliations With Individuals or Entities That Have a Disclosable Event

The new disclosure measure requires all providers to disclose any current or prior affiliations (within the past five years) the provider or any of its owning or managing employees or organizations has or had with a current or former Medicare provider with a “disclosable event.”

A “disclosable event” is broadly defined to include:

  • An uncollected debt to CMS;
  • Current or previous payment suspension from a federal health care program;
  • Current or previous exclusion from a federal health care program; or
  • Previous denial, revocation, or termination of Medicare, Medicaid, or CHIP billing privileges.1

“Affiliation” is also broadly defined to include:

  • A 5% or greater direct or indirect ownership in another organization;
  • A general or limited partnership interest in another organization;
  • An interest in which the entity or individual “exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization”;
  • An interest in which the individual acts as “an officer or director of a corporation”; or
  • Any reassignment relationship under 42 C.F.R. § 424.80.2

If there is a triggering affiliation, the provider must disclose certain information about its affiliate, such as the legal and d/b/a names, tax identification number, National Provider Identifier (NPI), reason for disclosure, length of the relationship, type of relationship, degree of affiliation, and (if applicable) reason for termination.

The risk in having a triggering affiliation is that CMS can deny or revoke enrollment if it determines the affiliation “poses an undue risk of fraud, waste, or abuse.”3 This power extends to reported and unreported affiliations. CMS can also deny enrollment or revoke an existing enrollment if it requests information about the affiliation and the provider fails to “fully and completely disclose” the required information when it “knew or should have known of th[e] information.”4

Naturally, the breadth of this rule generated a significant number of comments. But a common theme that resonated across these comments was a pressing concern over CMS’s wide discretion to determine that an affiliation will result in an undue risk of fraud, waste, or abuse. CMS sought to address this concern with a mere promise that actions against a provider will only be taken “after careful consideration of the facts and circumstances.”

Other Anti-Fraud Measures

In addition to establishing the new disclosure requirement, the rule gives CMS more authority and discretion to revoke or deny Medicare enrollment. For example, CMS will now be able to revoke or deny Medicare enrollment if:

  • The agency determines that a previously excluded provider or supplier is attempting to reenter the program under a different identifier (name, numeral identifier, business identity);
  • A provider or supplier bills for services or items that it knew or should have reasonably known are from non-compliant locations;
  • A physician or eligible professional exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services, or drugs; or
  • A provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the Treasury Department.

Other important changes include CMS’s new authority to prohibit a provider from enrolling in Medicare for up to three years if the basis for its initial enrollment denial was the submission of false or misleading information in its application, and an extension of the reenrollment bar against previously excluded providers from three to up to 10 years. Moreover, providers or suppliers that are revoked from Medicare for a second time may be prohibited from applying to re-enroll in the program for up to 20 years.

GT is actively advising clients on compliance with this new rule. Please let us know if you have concerns about your risk under this new final rule or are interested in promulgating policies to comply with the new final rule.


2 84 Fed. Reg. 47794, 47852 (Sept. 10, 2019).

3Id. at 47853.


* Special thanks to Law Clerk Cynthia Adjain for her valuable assistance in preparing this GT Alert.