Today, a final rule issued by the Centers for Medicare & Medicaid Services (CMS) establishing new enforcement initiatives aimed at removing and excluding previously sanctioned entities from Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP) goes into effect.[1] Published September 10 with a comment period that also closed today, the new rule expands CMS’s “program integrity enhancement” capabilities by introducing new revocation and denial authorities and increasing reapplication and enrollment bars as part of the Trump Administration’s efforts to reduce spending. While CMS suggests that only “bad actors” will face additional burdens from the regulation, the new policies will have significant impacts on all providers and suppliers participating in Medicare, Medicaid, and CHIP.[2]


The New “Affiliations” Revocation Authority

The new “affiliations” enforcement framework—the regulation’s most significant expansion of CMS’s revocation authority—permits CMS to revoke or deny a provider’s or supplier’s enrollment in Medicare if CMS determines an “affiliation” with a problematic entity presents undue risk of fraud, waste, or abuse. Generally to bill Medicare, providers and suppliers not only must submit an enrollment application to CMS for initial enrollment, but also must recertify enrollment, reactivate enrollment, change ownership, and to change certain information.[3] In the rule’s current form, providers or suppliers submitting an enrollment application or recertification to CMS (“applicants”) will be required to submit affiliation disclosures upon CMS’s request if the agency determines the entity likely has an affiliation with a problematic entity as described below.[4] CMS will base its request on a review of various data, including Medicare Provider Enrollment, Chain, and Ownership System data and other CMS and external databases that might indicate problematic behavior, such as patterns of improper billing.[5] Upon CMS’s request, applicants identified as having at least one affiliation with a problematic entity would be required to report any current or previous direct or indirect “affiliations” to CMS.[6]

The Affiliation Determination Process

Once the applicant provides the disclosure information, CMS’s assessment of the application includes (1) determining whether an “affiliation” exists, (2) identifying whether the other affiliated entity experienced a relevant “disclosable event” of misconduct, and (3) assessing whether the affiliation presents an undue risk of fraud, waste, or abuse.

(1)    Determining the Existence of an “Affiliation”

CMS defines an “affiliation” between an applicant and another entity as being formed when the applicant’s current owner or managing employee currently or within the past five years had ownership or managerial control over another provider or supplier organization in the following circumstances:

  • a 5 percent or greater direct or indirect ownership interest,
  • a general or limited partnership interest,
  • an interest in which the individual exercised operational or managerial control or directly or indirectly conducted day-to-day operations,
  •  an interest in which an individual acted as an officer or director, or
  • any reassignment relationship under 42 C.F.R. § 424.80.[7]

Once the relationship meets the definition of “affiliation,” both parties are deemed to have an affiliation going forward.[8] Notably, CMS emphasized it would still consider affiliations that occurred even before the applicant enrolled in Medicare, Medicaid, or CHIP if the affiliation occurred within the five-year look-back period.[9] Once CMS determines one affiliation exists, the agency might seek additional information about disclosures.[10]

(2)   Identifying a “Disclosable Event”

CMS will then decide whether the other party identified (“the disclosing party”) experienced a “disclosable event” that might result in the affiliation creating an undue risk of fraud, waste, or abuse based on whether the disclosing party has experienced any of the following:

  • uncollected debt, including overpayments from Medicare, Medicaid, or CHIP, and civil money penalties; [11]
  • current or previous payment suspension under a federal health care program;[12]
  • previous exclusion from Medicare, Medicaid, or CHIP by the U.S. Department of Health and Services’ Office of Inspector General; [13] and/or
  • denials, revocations, or terminations of Medicare, Medicaid, or CHIP billing privileges, regardless of reason. [14]

CMS’s considerations for disclosable events cover a broad scope of behavior. Significantly, unlike the five-year look-back period CMS established for determining an affiliation, the agency specifically declined to set a look-back period for disclosable events (except for debts), so CMS will not limit its analysis to the time period of the affiliation but will instead consider disclosable events that occurred any time in the past, including before the affiliation began or after it ended.[15] CMS will also consider an event to be disclosable even if it is under appeal at the time of the application assessment.[16]

(3)   Analyzing “Undue Risk”

After identifying an affiliation and a disclosable event, CMS would determine whether it should deny the applicant’s enrollment if the affiliation poses an undue risk of fraud, waste, or abuse, particularly focusing on the following:

  • The length and period of the affiliation. CMS will consider the duration of the affiliation, whether the affiliation still exists, and time elapsed since the affiliation ended.
  • The nature and extent of the affiliation. CMS will consider the degree of the affiliation, such as ownership percentage and the reason for terminating the affiliation.
  • The type of disclosable event and when it occurred. CMS will consider whether the affiliation existed when the action occurred, the amount or repayment owed for uncollected debts, and the reason for any denials, revocations, terminations, exclusions, or payment suspensions from federal health programs.[17]

Under the “undue risk” analysis, CMS would make a case-by-case determination based on evidence of whether the “provider or supplier knew or should have [reasonably] known” of instances when—among other circumstances—the disclosing party did not comply with Medicare, had its enrollment revoked, or attempted to circumvent revocation.[18] CMS plans to issue guidance on the vague “should reasonably have known” and “undue risk” standard it will use to deny or revoke Medicare participation.[19]

If CMS determines the affiliation poses an undue risk of fraud, waste, or abuse, the agency would deny the initial enrollment application, preventing admittance into the program, or revoke the provider’s or supplier’s Medicare enrollment, effective 30 days after CMS sends notice of its determination that enrollment will be terminated.[20] Providers or suppliers may appeal a denial or revocation under 42 CFR Part 498.[21]

Transitioning from the Phase-In Approach to Impact All Providers and Suppliers

CMS estimates the targeted approach of selecting the applicants required to make disclosures will affect between 2,500 to 4,000 providers and suppliers per year.[22] However, CMS plans to ultimately require all Medicare providers and supplier enrollment applicants to disclose any current or previous direct or indirect affiliations when submitting an enrollment application.[23] When comments to the proposed rule raised concerns about the increased regulatory burden involved in research, tracking, and reporting to comply with the rule, CMS limited the disclosure requirements to the current scope of applicants identified by CMS as potentially having at least one affiliation involving a disclosable event.[24] CMS released the rule with a comment period seeking public feedback on the timing, mechanism, and priority of phasing in the disclosure requirement and whether to start with considerations of risk of fraud, waste, and abuse; provider type; size; initial enrollment applications versus revalidations; or other criteria such as location.[25] The comment period also closed today, and CMS plans to issue a notice of proposed rulemaking addressing the issue in the future.[26]

Other New Revocation Authorities

CMS introduced three other revocation and denial authorities that may similarly threaten providers’ and suppliers’ Medicare enrollment. Significantly, the following revocation authorities only apply to the Medicare program.[27]

  • CMS may deny or revoke Medicare enrollment of a provider or supplier currently revoked under a different name, numerical identifier, or business identity.[28] CMS will identify the provider or supplier by investigating the “degree of commonality” with the barred entity by examining the owning and managing employees and organizations, geographic locations, provider or supplier type, business structure, or any evidence indicating the parties are similar or identical or that the party is attempting to circumvent revocation or reenrollment bars.[29]
  • CMS may revoke Medicare enrollment at all of the provider’s or supplier’s practice locations if the entity billed for services or furnished items from a location it “knew or should reasonably have known did not comply” with enrollment requirements. [30] For example, CMS might bar a provider or supplier that continues performing or providing services at locations while knowing the site does not comply with Medicare requirements, such as when a site of a multi-practice location is non-operational, the site fails to comply with durable medical equipment, prosthetics, orthotics, and supplies (or “DMEPOS”) or independent diagnostic testing facility standards, or the site is otherwise noncompliant.[31] CMS might revoke enrollment of any other site effectively controlled by that provider or supplier even if the site has a different numerical identifier or business name.[32] CMS will consider factors such as the reason for the location’s non-compliance, the number of locations involved, the provider’s or supplier’s history, the degree of risk imposed, the length of noncompliance, and the amount billed to Medicare during the period of noncompliance.[33]
  • CMS may revoke Medicare enrollment of physicians or eligible professionals identified as having a “pattern or practice of ordering, certifying, referring, or prescribing Medicare Part A or B services, items, or drugs that is abusive, represents a threat to the health and safety of Medicare beneficiaries, or otherwise fails to meet Medicare requirements.”[34] CMS would consider patterns of submitting noncompliant claims, such as claims that fail to meet Medicare’s “reasonable and necessary” requirement or misrepresenting diagnoses to justify services or tests.[35] To identify patterns, CMS will assess factors including the number and type of disciplinary actions taken against the provider or professional, the history of adverse actions, the length of time of the pattern, malpractice suits, or previous restrictions on practice ability.[36]

Re-enrollment Bar Changes

In addition to the revocation authorities, the regulation bolsters CMS’s enforcement capabilities through the enhancement of reapplication and enrollment bars.

  •  The regulation increases the maximum Medicare enrollment bar following a revocation to 10 years, a significant increase from the prior three-year maximum, depending on the “facts, circumstances, and scope of the provider's or supplier's conduct.” [37] CMS may also bar a revoked entity from reenrollment for up to 20 years upon facing revocation for a second time.[38] CMS’s considerations will include the reason for the revocation, the length of time between revocations, and other history of final adverse actions or payment suspensions.[39] To maintain flexibility when exercising its discretion, CMS declined to specify exact reenrollment bar lengths for particular acts but emphasized that the 10-year time frame would generally be restricted to serious behavior considering the facts, circumstances, and scope of the provider’s or supplier’s conduct.[40] CMS similarly stated it would use its discretion to establish reenrollment bars specifically for Medicare and that longer enrollment bars would not be restricted to felony convictions related to the conduct.[41]
  • CMS may add up to an additional three years to an enrollment bar if a revoked entity attempts to circumvent the enrollment bar by submitting an application with false, misleading, or omitted information.[42] CMS will consider materiality of the information, evidence the information was deliberately furnished or omitted, history of adverse actions or payment suspensions, and other relevant information.[43] The additional years would be added to original enrollment bars.[44] The provider or supplier could appeal the additional years to the existing enrollment bar using procedures in 42 CFR part 498 but may not appeal the original reenrollment bar.[45]
  • CMS may revoke a provider’s or supplier’s Medicare enrollment if the entity has an existing overpayment or debt that has been referred to the U.S. Department of the Treasury. [46] CMS will consider the reason the entity failed to repay, attempts to repay, responses to requests, the amount of debt, history of final adverse actions or payment suspensions, and other information.[47]

The regulation also permits CMS to deny a provider’s or supplier’s enrollment application if the provider or supplier is currently terminated or suspended in a state Medicaid program or any other federal health program or if the provider’s or supplier’s license is revoked in a state other than where the provider or supplier is enrolling.[48] The rule additionally includes revocation provisions for physicians, practitioners, and suppliers failing to report change of ownership, final adverse actions, or practice location changes as required.[49] CMS may also deny Medicare enrollment applications of owners, physicians, or non-physician practitioners under Medicare payment suspension.[50] If CMS determines a provider or supplier previously voluntarily terminated to avoid a revocation, CMS may revoke Medicare enrollment.[51]


Despite CMS’s assertion that the new regulatory scheme targets “fraudsters” and “unscrupulous providers,” providers and suppliers acting in compliance with the rules and regulations still face dramatic consequences.[52] An unintentional or unknowing association with a purported bad actor creates a real risk of the destruction of a provider’s or supplier’s business. Moreover, actions that may previously have been considered simple noncompliance—possibly correctable through education or monetary penalties—might now result in complete business cessation. CMS approximates that the revocation authorities, in their current targeted form, will result in 2,600 revocations per year, while CMS projects that the re-enrollment and reapplication bar provisions will apply to 400 revocations per year.[53] CMS estimates that the other provisions might similarly lead to a significant increase in denials and revocations each year, including 8,000 for different names or numerical identifiers; 4,000 for abusive ordering; 2,000 for debt referred to the U.S. Department of the Treasury; 10,000 for failing to meet reporting requirements; 1,000 for payment suspensions; and 2,500 for denials and revocations for other federal program terminations or suspensions.[54]

Significantly, meeting disclosure requirements to ensure continuation of Medicare enrollment will likely impose significant administrative cost burdens. Using average administrative staff wage data, CMS projects providers’ and suppliers’ total annual cost burden for information collection to be $937,500 for each of the first three years of the program under the assumption CMS would make 2,500 requests for information per year.[55] The purported estimate assumes providers and suppliers would only require an average of 10 hours to obtain and furnish data for all current and prior affiliations despite the five-year affiliations look-back period and the undefined disclosableevent period. When responding to comments, CMS acknowledged that large providers and suppliers would likely require a higher time expenditure than the predicted 10 hours but opted to preserve the 10-hour estimate to take into account smaller providers who might require less time.[56]

CMS responded to comments discussing the potential difficulty in obtaining data of disclosable events from past affiliates, particularly for disclosable events occurring outside the affiliation period, but chose not to further limit the scope of disclosure required and emphasized it would release additional sub-regulatory guidance to clarify expectations “regarding the level of effort that is required in securing the relevant affiliation information.” [57]


Providers and suppliers must proactively address the regulatory changes and identify potential issues CMS might consider as raising risks of fraud, abuse, and waste, particularly given the broadly defined criteria CMS plans to use in its determinations. While the affiliation provision is currently limited to providers identified by CMS—who should immediately be concerned with whether an affiliation with another entity might endanger the applicant’s enrollment status and lead to a revocation or denial—all providers and suppliers should similarly prepare given CMS’s intention to ultimately expand the disclosure requirement to all participating entities.

Providers and suppliers must closely examine both their affiliates and current and prior activities of their affiliates to identify any flags that might merit reporting. In light of the new rule, providers and suppliers considering actions that might form an affiliation—such as hiring a managing employee or adding new ownership connected to another provider or supplier—should increase the scope of “due diligence” to avoid actions that might later jeopardize Medicare enrollment. Any provider or supplier preparing for an initial enrollment or a reenrollment should carefully review each and every affiliation that they have had over the past five years that CMS considers in its review and also identify any possible disclosable events of affiliated entities from any time period.

Finally, it is important to note that the affiliations provision and most of the regulatory changes will also apply to Medicaid and CHIP provider and suppliers. The rule permits states to select one of two options to implement the affiliation disclosure requirement to either require all providers not enrolled in Medicare but newly applying for or revalidating Medicaid enrollment to disclose or require submission of disclosures upon request of the state, both in consultation with CMS.[58] During a September 18 Home Health, Hospice & Durable Medical Equipment Open Door Forum call, CMS said it expected that state Medicaid agencies would provide additional guidance sometime after the regulation’s effective date before operationalizing the regulation within states, so Medicaid-participating providers should similarly also maintain awareness of state-based policy changes.[59]



[1] Press Release,, CMS Announces New Enforcement Authorities to Reduce Criminal Behavior in Medicare, Medicaid, and CHIP (Sep. 05, 2019) (on file at (hereinafter, “CMS Press Release”); Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process, 82 Fed. Reg. 47794-47857 (Sept. 10, 2019),
[2] CMS Press Release.
[3] 82 Fed. Reg. 47794, 47796.
[4] Id. at 47803, 47804.
[5] Id. at 47804.
[6] Id.
[7] Id. at 47852.
[8] Id. at 47803.
[9] Id. at 47802.
[10] Id. at 47820.
[11] Id. at 47804.
[12] Id. at 47802.
[13] Id.
[14] Id.
[15] Id.
[16] Id.
[17] Id. at 47812.
[18] Id. at 47810.
[19] Id. at 47809, 47811, 47813.
[20] Id. at 47812; 42 C.F.R. § 424.535 (2019).
[21] 82 Fed. Reg. 47794, 47811.
[22] Id. at 47804.
[23] Id.
[24] Id. at 47803.
[25] Id.
[26] Id. at 47804.
[27] Id. at 4782.
[28] Id. at 47795.
[29] Id. at 47823.
[30] Id.
[31] Id.
[32] Id.
[33] Id. at 47855.
[34] Id. at 47825.
[35] Id. at 47822.
[36] Id. at 47825.
[37] Id. at 47827.
[38] Id. at 47855.
[39] Id. at 47826.
[40] Id. at 47827-47828.
[41] Id. at 47827.
[42] Id. at 47854.
[43] Id. at 47827.
[44] Id. at 47828.
[45] Id. at 47826.
[46] Id.
[47] Id. at 47828.
[48] Id. at 47795.
[49] Id. at 47828.
[50] Id. at 47830.
[51]Id. at 47833.
[52] CMS Press Release.
[53] 82 Fed. Reg. 47794, 47795.
[54] Id. at 47849.
[55] Id. at 47795.
[56] Id.
[57] Id. at 47809, 47811, 47813.
[58] Id. at 47816.
[59] Remarks at Home Health, Hospice & Durable Medical Equipment Open Door Forum, CMS (Sept. 18, 2019) (

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.