On September 10, 2019, CMS issued a final rule with comment period that, among other things, implements a provision of the Social Security Act (the “Act”) requiring Medicare, Medicaid, and Children’s Health Insurance Program (“CHIP”) providers and suppliers to disclose any current and previous affiliations, whether direct or indirect, with any other provider or supplier that:

• Has uncollected debt (i.e., Medicare, Medicaid, or CHIP overpayments for which CMS or a state has sent notice of the debt to the affiliated provider or supplier or civil money penalties or assessments imposed under Title 42 of the Code of Federal Regulations);
• Has been or is subject to a payment suspension under a federal health care program;
• Has been or is excluded by the Office of Inspector General from Medicare, Medicaid, or CHIP;
• Has had its Medicare, Medicaid or CHIP billing privileges denied or revoked.

CMS determined that initially it will only require a provider or supplier to disclose these affiliations if CMS determines through its own research and analysis that a provider or supplier has one or more such affiliations. Upon such a determination, CMS will request the provider or supplier to disclose these affiliations in accordance with 42 C.F.R. § 424.519. CMS will not begin requesting these disclosures until it revises the Form CMS-855 applications to include section(s) to collect information about such affiliations. Providers or suppliers who are not enrolled in Medicare and are only enrolled in Medicaid and/or CHIP will be subject to the affiliation disclosure requirements in 42 C.F.R. § 455.507.

However, CMS noted that it does not have the authority under the Act to limit permanently the disclosure of these affiliations. All providers and suppliers will eventually be required to disclose these affiliations. Therefore, providers and suppliers may benefit from taking a proactive approach and should consider whether they should begin collecting and retaining information about these affiliations.

Pursuant to the Act, the Secretary of the U.S. Department of Health and Human Services (“Secretary”) may, based on the affiliations, deny or revoke a provider’s or supplier’s enrollment if the Secretary determines that the affiliation poses an undue risk of fraud, waste, or abuse. CMS will consider the following factors in determining whether the disclosed affiliations pose an undue risk of fraud, waste, or abuse:

• The duration of the affiliation;
• Whether the affiliation still exists and, if not, how long ago it ended;
• The degree and extent of the affiliation;
• If applicable, the reason for the termination of the affiliation;
• Regarding the affiliated provider’s or supplier’s disclosable event

o The type of disclosable event;
o When the disclosable event occurred or was imposed;
o Whether the affiliation existed when the disclosable event occurred or was imposed;
o If the disclosable event is an uncollected debt: (a) the amount of the debt, (b) whether the affiliated provider or supplier is repaying the debt, and (c) to whom the debt is owed; and
o If a denial, revocation, termination, exclusion, or payment suspension is involved, the reason for the disclosable event; and

• Any other evidence that CMS deems relevant to its determination.

CMS advised that it will only exercise its denial and revocation authority after a careful consideration of the factors and emphasized that the existence or past existence of an affiliation does not automatically mean that an undue risk of fraud, waste, or abuse exists. CMS may also deny or revoke a provider’s or supplier’s enrollment if the provider or supplier knew or should reasonably have known about the affiliation and did not fully and completely disclose the required information about the affiliation.

The final rule will be effective November 4, 2019 and any comments to the final rule must be received by CMS by November 4, 2019. CMS indicated it will issue further rules and sub-regulatory guidance related to affiliation disclosures, including to clarify the level of effort that is required in securing the relevant affiliation information and the process by which undue risk determinations will be made.