On March 22, 2007, along with a letter addressed to the state Medicaid directors, the Centers for Medicare and Medicaid Services (“CMS”) issued a document setting forth 71 “frequently asked questions” (“FAQs”) providing additional guidance regarding the requirements of Section 6032 of the Deficit Reduction Act of 2005 (“Section 6032”). Effective January 1, 2007, Section 6032 requires entities that make or receive annual Medicaid payments of $5 million or more in any state, to establish and disseminate certain written policies applicable to their employees, certain contractors and agents (collectively “contractors”) and to include information about the policies in any employee handbooks. The required policies must provide detailed information about applicable state and federal false claims laws and the entities’ policies and procedures for preventing fraud, waste and abuse.
The FAQs address a number of key issues, including but not limited to: which entities and contractors are covered by Section 6032; how the $5 million threshold should be measured; how entities should disseminate the mandated policies; and enforcement by state Medicaid agencies. As with prior guidance for Section 6032 issued by CMS, some of the answers may raise additional questions for providers attempting to meet Section 6032’s often unclear requirements. The following summarizes the highlights of this new guidance.
Definition of “Entity”
Section 6032 applies to “any entity that receives or makes annual payments under the state [Medicaid] plan of at least 5 million dollars” annually. Several of the FAQs address questions relating to what constitutes an “entity” when an organization consists of multiple parts (e.g., a parent corporation with multiple subsidiaries). The FAQs repeatedly indicate that, “[f]or purposes of Section 6032 compliance, the entity is the largest separate organizational unit that furnishes Medicaid health care items or services, and includes all sub-units of that organizational unit that furnish [such] items or services, even if the components are separately incorporated or located in different states.” An entity can potentially include a number of organizations with multiple subsidiaries, locations, tax identifier numbers, and provider numbers.
The FAQs indicate that unless an organizational unit is part of a health system, each organizational unit is viewed separately for purposes of determining whether the $5 million threshold has been met, and whether the other requirements of Section 6032 are applicable. With respect to a heath system, CMS believes that the parent corporation, partnership, government agency or other owner, and its sub-units, are all integrally involved in furnishing Medicaid items or services. Therefore, CMS views the entire health system organization as the entity for purposes of Section 6032 compliance.
The FAQs also address scenarios in which an organization such as a state, municipal government, or a university, have components that furnish Medicaid healthcare items and services, while the rest of the organization performs other (non-healthcare) functions. CMS does not clearly answer this question, but simply reiterates that “the entity is the largest separate organizational unit that furnishes Medicaid healthcare items or services, and includes all sub-units of that organizational unit that furnishes Medicaid healthcare items or services.” This suggests that if the part of the government agency or university which furnishes Medicaid healthcare items or services is a separate “organizational unit,” only that unit would be required to comply with Section 6032. Though CMS provides no additional guidance, presumably a subpart of a government agency or university can constitute a “separate organizational unit” even though it is not separately chartered, incorporated or otherwise formally constituted as a separate legal entity.
Determining whether the $5 Million Threshold is Met
CMS indicates that for purposes of determining whether an entity meets the $5 million threshold for any given year, the relevant time period is the immediately preceding federal fiscal year. For example, in determining whether an entity must comply for calendar year 2007, the organization would determine whether it has received or made payments totaling $5 million during the period October 1, 2005 to September 30, 2006.
Notably, entities which receive payments both from a state Medicaid agency and from Medicaid managed care organizations (“MCOs”) are only required to count the funds received from the Medicaid agency, and need not count amounts received from Medicaid MCOs. Similarly, patient cost sharing amounts need not be included.
When an entity receives payments from multiple states, those payments are not aggregated in determining whether the threshold is met. However, once an organization meeting the definition of an “entity” satisfies the $5 million annual threshold in one state, the entity must comply with Section 6032 with respect to its employees in all the states in which it operates.
When a corporate parent has several components operating in the same state, the amounts received or paid by its various subsidiaries must be aggregated if the parent itself: (1) is either a health system (as noted above); or (2) itself provides Medicaid health care items or services, in which case the parent would constitute the “entity” under the guidelines described above.
Application to Contractors
A number of the FAQs address the applicability of Section 6032 to contractors of entities. CMS has previously indicated that covered contractors include those which, on behalf of the entity, furnish or otherwise authorize the furnishing of Medicaid health care items or services, or are involved in monitoring health care provided by the entity. CMS indicates that this includes supply vendors that provide products used in the furnishing of Medicaid health care services. It also includes contractors such as contract therapists, physicians (including but not limited to, house staff, hospitalists and independent contractors) and pharmacies. Although the FAQs do not address the issue, presumably medical staff members who are not paid by the hospital are generally not deemed to be “contractors.” Contractors not associated with the provision of Medicaid health care items or services, such as copy or shredding services, grounds maintenance or a hospital cafeteria or gift shop services, are also excluded from the definition of “contractor.”
The FAQs address some issues which have caused considerable consternation in connection with an entity’s obligations with respect to its contractors. Providers have previously expressed concern that requiring contractors to adopt the policies of multiple entities would be unworkable and would subject the contractors to a multiplicity of potentially conflicting obligations. The FAQs continue to require that entities disseminate their policies to their contractors and that the contractors adopt them. However, CMS clarifies that a contractor is only required to abide by the policies of each entity in connection with the work the contractor performs for that entity.
CMS further clarifies that parties which contract with multiple entities must abide by each entity’s policies only to the extent that they are relevant to the interaction between each individual entity and the contractor. Adoption by a contractor of an entity’s policies (e.g., requiring internal audits) would not necessarily require the contractor to institute the same practices for its own activities or activities with other entities. For example, to the extent that an entity’s policies provide for reviews or audits of claims for services, the contractor could satisfy Section 6032’s requirements by participating in those reviews or audits to the extent required by the entity. It would not be required to perform audits in connection with its other activities.
Content and Dissemination of Policies
The FAQs indicate that CMS will not provide any model language for policies required under Section 6032, nor will it prescribe the level of detail that such policies must include. However, CMS has obtained from the Department of Justice a summary of the Federal False Claims Act which entities can use in preparing their policies. The summary was disseminated by CMS to the state Medicaid directors along with the FAQs, and is posted on the CMS website.
The FAQs clarify the requirements for entities and their contractors to disseminate the required policies. CMS indicates that policies can either be disseminated in paper or electronic form. If the latter approach is used, the policies can be posted on a website, provided they are readily available on that website to all employees and covered contractors, and that those parties are aware of their existence and location.
After policies are disseminated to an entity’s contractors, the FAQs indicate that the contractor must make them available to those employees who are involved in performing work for the entity. Contractors can comply with this requirement in the manner described above, e.g., by electronic posting on an accessible website that is appropriately publicized to the contractor’s relevant employees. CMS declines to prescribe how often an entity must disseminate its policies to its contractors, leaving this issue up to each state for determination.
One piece of guidance found in the FAQs which appears problematic addresses employee handbooks. CMS indicates that “[i]f there is an employee handbook, policies and procedures required by Section 6032 must be included in the handbook.” Read literally, this suggests that all of an entity’s required policies must be fully set out in any employee handbook. Hopefully, however, CMS means that handbooks can include descriptions of the policies, along with information that advises its employees of the existence and location of the policies. Provided the policies are readily available to all employees at the specified location, this approach would appear to be consistent with guidance found elsewhere in the FAQs.
CMS indicates that enforcement of Section 6032 will be left up to the states, which will be provided with broad discretion on a number of issues. CMS will not prescribe the manner in which the states should enforce Section 6032, but will require each state to include in its state plan amendment a description of the methodology it will use to perform compliance oversight. CMS also reserves the right to independently determine compliance through audits of entities, or other means by which an entity may be required to produce documentation of compliance to CMS or its contractors.
States are mandated to include the requirements of Section 6032 in amendments to their state Medicaid plans, which were required to be completed by March 31, 2007, unless the state has obtained approval for delayed implementation from CMS. However, CMS reiterates that the requirements of Section 6032 are effective January 1, 2007, and states there is no “grace period.” Thus, CMS suggests that an entity could be found noncompliant if it has not taken appropriate steps to comply with Section 6032 on or before that date.
The FAQs, along with a cover letter from CMS to state Medicaid agencies and Department of Justice’s summary of the Federal False Claims Act, can be found on the CMS website at http://www.cms.hhs.gov/SMDL/SMD/. For further information, see Foley’s previous Health Law e-Alerts, Deadline For DRA Compliance Is January 1, 2007: Are You Ready? and DRA Compliance: CMS Issues December 13, 2006 Guidance, and CMS Briefing On DRA Section 6032 Compliance Answers Some Questions, Raises Others.
If you have any questions about the foregoing, or need additional information, please contact any of the attorneys listed below or the lawyer in the firm who generally handles your legal matters.
Janice A. Anderson
Richard L. Prebil
R. Michael Scarano
Robert D. Sevell
Lawrence W. Vernaglia
Cheryl L. Wagonhurst
Judith A. Waltz
J. Mark Waxman