What CMS Rule On Affiliations Means For Health Providers

11 September 2019 Health Care Law Today Blog
Author(s): Judith A. Waltz

Note: This blog post originally appeared on Law360 on September 9, 2019.

On Sept. 5, the Centers for Medicare & Medicaid Services of the U.S. Department of Health and Human Services released its final rule with comment period adding program integrity enhancements to the provider enrollment process. The rule was printed in the Federal Register on Sept. 10 and will take effect on Nov. 4 (although CMS will take comments on the new provisions until that date).

The new Medicare rule, which revises several regulations and adds 42 C.F.R. § 424.519 titled “Disclosure of affiliations,” adds several new authorities to revoke or deny enrollment, including authorizing CMS to deny or revoke enrollment based on the disclosure of certain affiliations that CMS determines poses an undue risk of fraud, waste or abuse.[1]

Although the proposed rule’s affiliations disclosure requirements would have applied to all providers and suppliers, the final rule with comment period adopts a “phased-in” approach. For now, the disclosure requirements are applicable to a targeted subset of providers and suppliers that CMS determines have at least one applicable affiliation. The requirements will be expanded following additional rulemaking and assessment of the phased-in approach.

Similar provisions are also added for Medicaid, and require that a state plan must provide that the specified requirements are met.[2]

Denial or Revocation Based on “Affiliations”

The rule’s affiliation disclosure requirement implements an Affordable Care Act provision that is intended to identify individuals and entities that pose a risk to the programs based on their relationships with previously sanctioned entities.

The rule applies to initially enrolling or revalidating providers or suppliers specifically selected by CMS after it has determined that the provider or supplier may have at least one applicable affiliation. Such a provider or supplier “must disclose any and all affiliations that it or any of its owning or managing employees or organizations ... has or, within the previous 5 years, had with a currently or formerly enrolled Medicare, Medicaid, or CHIP provider or supplier that has a disclosable event.”[3]

In other words, it does not matter whether the affiliation has ended or whether the providers or suppliers were enrolled in a federal health care program at the time of the affiliation. Additionally, if CMS determines a provider has one affiliation and requests a disclosure, the provider must conduct additional diligence to determine whether it has any other applicable affiliations.


The newly added definition of “affiliation” is broad and includes not only ownership interests but even reassignment relationships. Affiliation means:

  • 5% or greater direct or indirect ownership interest that an individual or entity has in another organization;
  • A general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization;
  • An interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization (including ... sole proprietorships), either under contract or through some other arrangement, regardless of whether or not the managing individual or entity is a W–2 employee of the organization;
  • An interest in which an individual is acting as an officer or director of a corporation; or
  • Any reassignment relationship under [42 C.F.R. § 424.80].[4]

The rule’s inclusion of indirect ownership interests in the definition of affiliation includes parties with ownership interests through a publicly traded company, mutual fund or other large investment vehicle.

Disclosable Events

An affiliation must be disclosed when it is with a provider or supplier that has one of the following “disclosable events” (also a newly defined term):

  • Currently has uncollected debt to Medicare, Medicaid or CHIP;
  • Has been or is subject to a payment suspension under a federal health care program;
  • Has been or is excluded from Medicare, Medicaid or CHIP; or
  • Has had its Medicare, Medicaid or CHIP billing privileges denied, revoked or terminated.[5] 

Except for a current uncollected debt, the timing of the disclosable event is irrelevant. Thus, if the enrolled or enrolling provider or supplier had an affiliation with a provider/supplier in the past five years, and that provider/supplier at any point — prior to or after the termination of the affiliation — had a payment suspension, exclusion or a denial, revocation or termination of billing privileges, the affiliation must be disclosed.

Currently, information regarding uncollected debt, payment suspensions and enrollment actions are not generally available to enrolling providers and suppliers. Thus, obtaining such information could prove incredibly difficult if not impossible in some situations. CMS recognized this and noted that it had proposed “a knew or should reasonably have known” standard for determining whether to deny or revoke enrollment.[6]

“Reasonableness” Standard and Undue Risk

In determining whether or not to deny or revoke a provider or supplier’s enrollment, CMS proposed, and finalized, a “reasonableness” standard.[7] Under the standard, CMS would require “information to be reported only if the disclosing provider or supplier knew or should reasonably have known of said data.”[8] CMS noted that a provider or supplier may not necessarily know whether a disclosable event occurred after an affiliation ceases.

CMS reiterated that it would review each situation on a case-by-case basis in determining whether the disclosing entity knew or should have known of the information. The agency intends to issue subregulatory guidance clarifying the level of effort that it expects from the provider/supplier for securing relevant affiliation information.

The factors that CMS will consider in determining whether an affiliation poses an undue risk of fraud, waste or abuse “focus largely, though not exclusively, on – (1) the length and period of the affiliation; (2) the nature and extent of the affiliation; and (3) the type of disclosable event and when it occurred.”[9] The closer, longer and more recent an affiliation, and the more serious the disclosable event (e.g., exclusion or a large uncollected debt), the more likely it is that CMS will find that the affiliation presents a greater risk to the programs compared to a brief affiliation that occurred 5 years ago.

When Will the Affiliations Disclosures Affect the Industry?

As noted above, CMS had initially planned to require all Medicare, Medicaid and CHIP providers and suppliers to begin disclosing applicable affiliations where the affiliated provider or supplier had a disclosable event in the past five years. However, in response to comments on the proposed rule, CMS acknowledged the potentially sizable burden on physician and practitioner organizations and decided to implement a “phased in” approach.

For now, CMS will require the disclosures only from providers or suppliers that it determines have one or more affiliations that would trigger a disclosure. CMS will use Provider Enrollment, Chain, and Ownership System, its electronic enrollment system, and other means to identify affiliations.

The requirement, even for the “phased in” period, will not become effective until CMS revises the enrollment forms (Forms CMS-855) to accommodate the required disclosures, which CMS notes will require notice and comment rulemaking. The application of the disclosure requirement to a broader group of providers would also require additional rulemaking.

Other New Enrollment Authorities in the Rule

The rule also gives CMS additional authorities related to a providers or supplier’s own conduct, including:

  • Allowing for denial or revocation of enrollment/billing privileges if CMS determines that the provider or supplier:
    • Bills for services/items from noncompliant locations;
    • Exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services or drugs;
    • Has an outstanding debt to CMS from an overpayment that was referred to the U.S. Department of the Treasury;
    • Is currently revoked under a different name, numerical identifier or business identity, and the applicable reenrollment bar period has not expired; or
    • Bills for services performed at, or items furnished from, a location that it knew or should reasonably have known did not comply with Medicare enrollment requirements (the revocation would apply to all of the provider or supplier’s practice locations, regardless of whether they are part of the same enrollment).
  • Increasing the maximum reenrollment bar from three to 10 years, with certain exceptions.
  • Prohibiting enrollment in the Medicare program for up to three years if a provider or supplier’s enrollment application is denied because of false or misleading information on or with (or omitted information from) the application to obtain Medicare enrollment.

Although these provisions are seemingly straightforward and apply to the provider or supplier’s own conduct, there could still be some difficulty in implementation. For example, although a pattern or practice is required for denials or revocations based on abusive orders or certifications, the term “abusive” is not defined.

What to Know

For now, providers and suppliers will not be required to disclose affiliations unless CMS determines that the provider or supplier has at least one affiliation that includes any of the four disclosable events and specifically requests it to do so.

Providers and suppliers should not, however, expect this rule to disappear. CMS stated its intention to move forward with an expansion of the disclosure requirements in the following the initial phase-in period. Although the disclosure requirements have the potential to snare honest providers, the rule addresses an identified program integrity issue of sanctioned individuals and entities using affiliations, including opening businesses in the names of friends or family members to avoid detection, to bill the programs and to avoid debt repayment.

For now, providers should begin planning how they will determine and track whether their affiliations — including practitioners who reassign benefits using the Form CMS-855R (including physicians), board members, directors and investors — have a disclosable event. Medicare exclusion and background checks will not be sufficient, and there are currently no public databases of Medicare payment suspensions or revocations.


 [1] 42 C.F.R. § 424.519(f) (factors for determining undue risk).

 [2] See 42 C.F.R. §§ 455.104 – 455.107.

 [3] 42 C.F.R. § 424.519(b).

 [4] 42 C.F.R. § 424.502.

 [5] 42 C.F.R. § 424.502.

 [6] See 42 C.F.R. § 424.519(e).

 [7] See 42 C.F.R. § 424.519(e).

 [8] See preamble to Medicare, Medicaid, and Children's Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process, Final rule with comment period, RIN 0938-AS84 (Sept. 10, 2019).

 [9] See preamble; see 42 C.F.R. § 424.519(f) (factors for determining undue risk).

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services