United States: Providers Should Be Alert To New CMS Provider Enrollment Revalidation Processes

Under new Patient Protection and Affordable Care Act requirements, providers enrolled in Medicare prior to March 25, 2011, must submit complete enrollment revalidation information within 60 days of a CMS request, or risk interruption of Medicare billing privileges.

Medicare Revalidation Requirements

The United States' Patient Protection and Affordable Care Act of 2010 (PPACA) established new enrollment screening criteria, including a requirement that all providers enrolled prior to March 25, 2011, must revalidate their Medicare enrollment information.  However, eligible providers submit a revalidation application only after receiving a revalidation notice from their respective Medicare Administrative Contractor (MAC).  The MAC will send revalidation notices to all providers in an intermittent (though steady) basis from now until March 25, 2015.  A list of providers that have been sent revalidation request letters has been posted on the Centers for Medicare & Medicaid Services' (CMS) Medicare Provider Supplier Enrollment Revalidation page.  Providers can check the list to see if they have been sent a revalidation notice that may have been overlooked.

Upon receipt of the revalidation request, a provider has 60 days from the date of the MAC's letter to submit complete enrollment forms.  Revalidation can be accomplished via the internet-based Provider Enrollment, Chain, and Ownership System (PECOS), or via the CMS-855 paper application form.  Failure to submit the enrollment forms as requested can result in the deactivation of the provider's Medicare billing privileges.  As long as the provider submits the requested information within the original 60-day window, it is not expected that the provider will experience interruption of billing privileges, regardless of how long it takes the MAC to process the revalidation.  If the provider's number is deactivated for failure to meet the 60-day window, the provider's number may be reinstated if the revalidation documents are received by the MAC within 120 days of the postmark of the original revalidation notice.

Revalidation Information

Revalidation processes under the new PPACA requirements not only require that the provider restate and verify existing enrollment information, but also require that the provider is screened under the new program integrity rules that went into effect under the PPACA.  For example, the provider will be required to submit information on the new 2011 enrollment forms (i.e., the 855 forms), which contain certain changes discussed below.  Among other screening requirements, Medicare placed both newly enrolling and existing providers in one of three levels of categorical screening: limited, moderate or high.  The risk levels denote the level of the contractor's screening of the provider when it initially enrolled in Medicare, adds a new practice location or revalidates its enrollment information.  For example, the limited risk category includes hospitals and skilled nursing facilities, which require significant capital investment and compliance with extensive licensure requirements.  Screening of limited risk providers will entail verification that a provider or supplier meets applicable federal and state requirements for its provider type, verification that licensure requirements are met and database checks pre- and post-enrollment to ensure enrollment criteria continue to be met.  CMS has reserved the right to perform off-cycle validations and may follow up with site visits to the providers.

Changes to the CMS-855A Form

Among new data elements in the July 2011 version of the CMS-855A form is a question asking if the provider is a physician-owned hospital; if so, additional information must be completed for ownership and investment interest in the provider.  CMS also now requires more detailed information regarding 5 percent or greater direct and indirect ownership and control interests in a provider, including identifying whether the organization is a medical provider/supplier, a management services company, a medical provider/supplier, a holding company, an investment firm, a bank or other financial institution, or a consulting firm.  The CMS form provides examples of how to calculate 5 percent or greater direct and indirect ownership or control interests through multiple levels of ownership and control, and providers are cautioned to ensure they are using the most recent version of the CMS-855A form.

Disclosure of Ownership and Control Interests for Directors/Officers of a Nonprofit

The CMS-855 form also requires that an entity disclose "full and complete information" as to the identity of each person with an "ownership and control interest" in the entity.  See 42 U.S.C. §1320a-3 (2010).  A person with an "ownership and control interest" is defined to include an officer or a director of an entity if the entity is organized as a corporation—even if the corporation is a nonprofit or charitable entity without any "owners."  "Full and complete information" includes the social security number (SSN) of each of the directors and officers, as well as date and place of birth.

While this is not technically a "new" requirement, CMS has stepped up its enforcement of this requirement and now expects entities to disclose this information.  CMS cites ongoing efforts to combat fraud and abuse as the reason for collecting this information.  The SSN is used as an identifier in federal and state databases that list individuals who are excluded from such programs because of the large number of individuals on these lists whose identity can only be distinguished by use of the SSN.  However, many directors and officers of provider entities, in particular nonprofit board members not used to disclosing this type of information, may be reluctant to do so absent guarantees of the confidentiality and security of their personal information.

CMS is governed by the Privacy Act of 1974, which prohibits the disclosure of an individual's personally identifiable information collected by the government, absent the written consent of the individual, unless that disclosure is pursuant to certain statutory exceptions (including law enforcement requests, court orders and the agency's "need to know").  The Privacy Act contains criminal and civil penalties for violation of the statute.  For more information on the Privacy Act of 1974, see www.justice.gov/opcl/1974privacyact-overview.htm.

Compliance with the Revalidation Process

In light of the 60-day window for submission of the revalidation paperwork to the MAC and the serious consequences that can result from failure to submit the required documentation, providers are cautioned to be on the alert for a revalidation letter from their MAC and geared for compliance with the revalidation process.  MACs have been requested to send revalidation requests to providers in a colored envelope to differentiate the letter from other mail providers receive in the usual course of business, as well as to telephone providers to notify them the notice has been sent.  Providers should also be aware that it may take time and effort to collect this information, in particular the information regarding ownership and control interests (i.e., the SSNs, dates and places of birth for the officers and directors of the entities), which may not be readily available.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.