What Healthcare Compliance Officers Should Know About the New CMS Rule on “Bad Actors”

In November 2019, the Centers for Medicare and Medicaid Services (CMS) issued a rule on bad actors.” The term refers to providers or suppliers whose histories demonstrate conduct or relationships that pose risks to taxpayers, patients or program beneficiaries. Conduct from bad actors could include fraudulent billing activity, abusive ordering of services or drugs, reinventing themselves and re-entering the system or existing outstanding debts owed to CMS. According to the new ruling, any healthcare providers that are affiliated with these bad actors are at risk of being denied participation in the Medicare and Medicaid programs. 

“The new CMS rule on bad actors changes the presumption of where fault lies in the event that a 'duty of care' is breached by a party,” says David Reischer, CEO and Founder of LegalAdvice.com and Partner at Reischer & Reischer LLP. “It is critical for all healthcare providers to be proactive to avoid administrative consequences or even legal liability.”

Here’s how the new rule affects the healthcare administration and some proactive steps you can take to protect your organization from bad actors.

Understand “Affiliation” with Bad Actors

Even if your healthcare organization is not a bad actor, you can still be affected by the new rule. Organizations that are affiliated with bad actors could be denied enrollment in Medicare and Medicaid programs. “In the past, providers or suppliers that have been found to engage in fraudulent activity and banned from participating in these government programs would simply circumvent program rules by reinventing themselves,” says Larry Davie, partner at Culhane Meadows PLLC. “They would then re-enter or attempt to re-enter the program under different names or in association with other providers that were not banned.” The new rule will be more proactive in preventing these situations from occurring.

CMS defines affiliation broadly, encompassing reassignment relationships and ownership interests of a healthcare organization, Davie says. Organizations that are found to violate the ruling can be blocked from participation for 10 years, or 20 for repeat offenders, Davie continues. “The new rule also provides CMS the authority to deny providers enrollment in the programs for up to three years for submitting fraudulent or misleading information in their initial enrollment applications,” Davie says.

Prepare for Implementation

This new ruling will have a significant impact on healthcare practice and administration. “Healthcare compliance officers need to be vigilant in conducting due diligence when contracting with and onboarding new providers and/or suppliers,” Davie says. “In light of the new ruling, it’s also a good practice for compliance officers to update their diligence and certifications on current providers and suppliers.”

Although the ruling technically went into effect in November, it will be “phased in” on a state-by-state basis, Davie says. For Medicaid, compliance officers will want to stay abreast of their state’s implementation schedule. For Medicare compliance, CMS may ask for additional information from providers that may be affiliated with bad actors, Davie points out. Healthcare compliance officers can get a head start on the final phase of implementation by pulling and preparing information on their affiliations.

Update Exclusion Screening Processes

To protect your organization, the ruling requires a more extensive screening process for providers and suppliers. “One thing that healthcare compliance officers can do immediately is begin to upgrade their due diligence processes with respect to contracting, credentialing, and background checks to avoid affiliating with individuals or entities with prior regulatory or enforcement actions,” Davie says. The Office of the Inspector General provides a List of Excluded Individuals and Entities that compliance officers can refer to prevent contracting with or onboarding individuals or entities that could put the organization at risk.

Furthermore, Davie says, background check questionnaires can be developed or modified to include language that addresses the new rule. Reischer agrees. “Officers should include language in all written contracts that covers 'representations and warranties' that address the rule’s requirements and the expectations of the involved parties,” he says. This adds an additional layer of protection for your organization. “It forces providers and suppliers to represent and warrant that they do not have any disclosable events and are not otherwise in violation of the rule,” Davie says.

This CMS ruling may sound overwhelming, but taking proactive steps as the ruling continues going into effect can help your organization stay compliant. Collecting and compiling information on current affiliated entities and developing a more rigorous screening process will ultimately protect your organization and your patient population from fraudulent activity.