December 2011 Volume 8 Number 4

Complying with Medicare Enrollment Screening Criteria In a High-Stakes Environment

By Esther R. Scherb, Kathryn M. Almar, Katherine M. Gigliotti, Latham & Watkins LLP, Washington, DC

AuthorAuthorAuthorIn an October 25, 2011 letter to the Secretary of Health and Human Services (“HHS”), top Republicans on the Senate Finance and Judiciary Committees challenged the failure by the Centers for Medicare & Medicaid Services (“CMS”) to fully utilize tools provided by the Patient Protection and Affordable Care Act (“PPACA”)1 to safeguard the Medicare program from waste, fraud, and abuse.2 One such powerful tool — aimed at tightening program integrity oversight on the “front end” through the enrollment process — uses new screening measures.3 Specifically, PPACA directs CMS to create and utilize new risk-based enrollment criteria when screening providers and suppliers (hereinafter collectively “providers”) for participation in the federal healthcare programs.4 The goal of the measures is to prevent unscrupulous or unqualified providers from enrolling in the Medicare program in the first instance, thus helping to move away from the current “pay and chase” approach to program integrity enforcement. With the Office of Inspector General’s (“OIG”) recent findings regarding the ineffectiveness of Zone Program Integrity Contractors (who are responsible for data review and Medicare program audits),5 combined with congressional scrutiny of these measures, increased enforcement activity related to the enrollment process is expected.

This article reviews the new screening procedures that affect all federal healthcare program providers, discusses the consequences of failing to timely and accurately revalidate program enrollment, and offers steps to avoid pitfalls in this area.

I. Enrollment Screening Criteria Used to Reduce Fraud, Waste, and Abuse in Federal Healthcare Programs

When providers seek to initially enroll with the Medicare program or update their existing enrollment files, they are now evaluated under new, enhanced procedures based on three risk categories — limited, moderate, and high. The risk category will determine the level of review undertaken by the Medicare Administrative Contractor (“MAC”).6 The new criteria became effective on March 25, 2011 for new providers and enrolled providers adding locations as of that date. Revalidation of all currently-enrolled providers will proceed on a rolling basis and must be completed by 2015.

To develop the three risk categories, CMS evaluated claims data showing questionable billing practices7 and accounted for factors that may facilitate fraudulent activity by a particular type of business. For businesses with lower entry barriers or less self-regulation, CMS concluded that more rigorous pre-enrollment scrutiny is needed to meet PPACA’s goal of moving away from the “pay and chase” approach to fraud enforcement.8

CMS also identified provider types falling under each risk category. CMS, however, retains discretion to move any individual provider from low or moderate-risk into the high-risk category. This may occur when a provider has a history of payment suspension or exclusion from any federal healthcare program.9

A. Limited-Risk Screening Category

Relying on analysis of historical fraud data trends, CMS determined that providers such as physicians and hospitals pose a low risk for fraud. They undergo the lowest scrutiny level, under which the MAC will (1) verify all applicable federal and state requirements are met; (2) conduct a license verification; and (3) conduct database checks to ensure ongoing compliance with enrollment criteria.10

B. Moderate-Risk Screening Category

CMS determined that providers such as hospice organizations, ambulance suppliers, and revalidating durable medical equipment prosthetics, orthotics, and supplies (“DMEPOS”) suppliers pose a moderate risk of fraud. At this level, the MAC will (1) perform the screening tasks required for the limited risk category and (2) conduct a site visit.11 The timing and scope of the site visit will vary. For example, for revalidating DMEPOS suppliers, the MAC will conduct the site visit prior to a mandatory revalidation. For hospice organizations, the site visit will occur after the CMS regional office issues a tie-in notice for a change of ownership.12

C. High-Risk Screening Category

The high-risk screening category includes newly-enrolling DMEPOS suppliers and newly-enrolling home health agencies (“HHAs”).13 CMS determined that these providers and suppliers necessitate the highest screening level because of the large number currently enrolled in Medicare along with lack of any experience with the newly-enrolling entity.14 The screening will include both the measures for the limited and moderate-risk categories and will require fingerprints from all individuals who maintain a five percent or greater direct or indirect ownership interest in the provider or supplier.15 The fingerprints are to be used to conduct a national background check and criminal history check with the Federal Bureau of Investigation, but this requirement has not yet been implemented, nor has CMS provided an expected date for implementation.

II. Failure to Comply with the Enrollment Process Can Lead to Serious Consequences

Consequences for falling short of enrollment requirements include the following:

  • Rejection of Enrollment: CMS may reject an enrollment application for failure to furnish complete information, required supporting documentation or, in the case of institutional providers, the failure to submit the application fee or a hardship waiver request. No appeal rights attach to the rejection.16
  • Denial of Enrollment: CMS may deny enrollment if at any time a provider is found to be noncompliant with applicable enrollment requirements and has not submitted an acceptable plan of correction. The provider does have appeal rights and, in addition, a provider denied enrollment cannot submit a new application until either (i) the time to appeal has lapsed and the denial is not appealed, or (ii)  the denial is appealed and the determination was upheld.17
  • Revocation of Enrollment and Medicare Billing Privileges: CMS may revoke billing privileges and any corresponding provider agreement for noncompliance with applicable enrollment requirements, or in the enrollment application applicable for its provider type, and has not submitted a corrective action plan. In most instances, providers have an opportunity to correct deficiencies before a final determination is made. When billing privileges are revoked, any provider agreement then in effect is terminated as of the revocation date. The waiting period for re-enrollment is a minimum of one year and may be as great as three years (depending upon the severity of the basis for revocation).18
  • Deactivation of Medicare Billing Privileges: CMS may deactivate Medicare billing privileges for failure to report a change to information supplied on the enrollment application within the designated time. The provider must complete and submit a new enrollment application to reactivate its Medicare billing privileges or, when deemed appropriate, at a minimum, recertify that the enrollment information currently on file with Medicare is correct. Deactivation is considered protection from misuse of a billing number to avoid unnecessary overpayments.19
  • Moratoria on Newly-Enrolling Medicare Providers and Suppliers: CMS may impose a temporary moratorium if there is significant potential for fraud, waste, or abuse regarding a particular provider type or a particular geographic area (e.g., a rapid increase in DMEPOS suppliers in a particular region). A moratorium may be imposed for a period of six months, but can be extended by CMS in six-month increments.20 Some U.S. Senators have recently requested that CMS explain why it has not imposed a single temporary moratorium,21 a pressure that may prompt increased use of this tool.
  • Suspension of Payments: CMS may suspend payment upon a “credible allegation of fraud,” which includes an allegation from any source, including fraud hotline complaints.22
III. Considerations in Light of the New Screening Criteria

Providers should view the current environment as a call to enhance compliance procedures. To avoid possible adverse actions, as well as delays and/or rejections of their enrollment submissions, the following are considerations for providers enrolling for the first time, revalidating current enrollment application, or otherwise supplementing information:

  • Identify an individual with responsibility for ensuring compliance with enrollment procedures, including revalidation. This individual should:
    • Review announcements from CMS and the applicable MAC regarding provider enrollment (particularly for high-risk providers that may soon also be subject to fingerprint screenings);
    • Be alert for the revalidation request from the MAC, which is being issued on a rolling basis;
    • Regularly monitor and review the applicable MAC website, relevant email listservs, and the CMS website at: for information about whether a revalidation request has been sent. CMS will regularly update this site with the list of providers who have been sent a request to revalidate their Medicare enrollment information;
    • Regularly review current enrollment forms and submissions to identify any gaps in information or outdated information, which must timely reported; and
    • Maintain a file documenting all communications with the MAC regarding enrollment and completion of screening measures.
  • Submit the current version of the Medicare enrollment application (CMS-855) and all supporting documentation. Consider providing a cover letter and/or contacting the applicable MAC to further explain supporting documentation if there are any anticipated questions on the information being provided. Lapses in receipt of new certificates of licensure from state regulators or other events impacting the timeliness of submissions to update files are examples of situations that might require such explanations.
  • Respond promptly to any requests from the MAC, but submit a revalidation application only when a revalidation notice is received,23 including the application fee or hardship waiver request.24 The application fee must be paid electronically, whether the provider is submitting the enrollment application electronically or in paper form. With the electronic application, the provider will be prompted when payment is required. When a paper application form is being used, a copy of the receipt of payment must be included with the hard copy of the enrollment application. If fee waivers are applicable, providers should provide sufficient documentation to support the requisite circumstances to show hardship.
  • Ensure electronic capabilities for receipt of subsequent program payments. Providers who are not currently receiving electronic funds transfer (“EFT”) payments will be identified, and required to submit the CMS 588 EFT form with the Provider Enrollment Revalidation application.25
  • When undergoing complex transactions impacting enrollment status, including transactions resulting in a change of ownership, contact the MAC to confirm procedures and avoid processing delays.
  • Consider seeking advice of counsel in responding to any non-routine requests from the MAC.
IV. Conclusion

With the increased government focus on eliminating waste, fraud and abuse in the Medicare and other federal programs, even minor discrepancies in enrollment applications — whether the initial or follow-up submissions — place a provider at risk of delays in obtaining or retaining billing privileges. The stakes are ever-increasing, which translates to a need for heightened vigilance in this area. Providers are well served by ensuring they maintain current and accurate information in their enrollment files and remain up-to-date with any changing enrollment procedures and requirements.


The Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by The Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029 (2010) [hereinafter “PPACA”].

2 See Letter from Senators Orrin Hatch (R-Utah) and Charles Grassley (R-Iowa) to Kathleen Sebelius, Secretary, U.S. Dept. of Health and Human Services (Oct. 25, 2011), available at:

PPACA § 6401(a)(2) & (3), 42 U.S.C.S. § 1395cc(j)(2)(B).


Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862, 5868 (Feb. 2, 2011) [hereinafter “Final Rule”].


Dept. of Health and Human Services, Office of Inspector General, Zone Program Integrity Contractors’ Data Issues Hinder Effective Oversight, Nov. 2011, available at:


Medicare Program Integrity Manual (CMS Pub. 100-08), Chapt. 15, § 19.2.1 (Rev. 380, Aug. 3, 2011), available at [hereinafter “PIM”].


Final Rule, 76 Fed. Reg. at 5867.


Id. at 5869.


42 C.F.R. § 424.518(c)(3); PIM, Chapt. 15, § 19.2.5.


42 C.F.R. §§ 424.518(a)(1) – (2); PIM, Chapt. 15, § 19.2.1.A.


42 C.F.R. §§ 424.518(b) (1) – (2); PIM, Chapt. 15, § 19.2.1.B.


PIM, § 19.2.1.B.


42 C.F.R. § 424.518(c)(1); PIM, Chapt. 15, § 19.2.1.C. CMS guidance indicates that DMEPOS suppliers and HHAs that are adding a new location will also be classified as “high” for screening purposes. See PIM, Chapt. 15, § 19.2.1.C.


Final Rule, 76 Fed. Reg. at 5870.


Id.; see also CMS, Dept. of Health and Human Services, MLN Matters Number: MM7350, Related Change Request (CR) #:7350 (Mar. 25, 2011) available at:


42 C.F.R. 424.525.


Id. at 424.530.


Id. at 424.535.


Id. at 424.540.


42 C.F.R. 424.570.


Supra note 2.


42 C.F.R. 405.371.


Posting of CMS Provider Resource, CMSProviderResouce@CMS.HHS.GOV, to ALL-FFS_PROVIDERS@LIST.NIH.GOV (Aug. 17, 2011).


In mid-September, CMS revised the revalidation letter that contractors sent to providers to clarify who must pay the fee. Posting of CMS Provider Resource, CMSProviderResrouce@CMS.HHS.GOV, to ALL-FFS_PROVIDERS@LIST.NIH.GOV (Nov. 4, 2011)

25 Posting of CMS Provider Resource, CMSProviderResouce@CMS.HHS.GOV, to ALL-FFS_PROVIDERS@LIST.NIH.GOV (Nov. 9, 2011).

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.