On December 13, 2006, the Centers for Medicare and Medicaid Services (CMS) released a Letter to State Medicaid Directors (Letter) that provides guidance for implementation of the Medicaid antifraud compliance policy requirements imposed under Section 6032 of the Deficit Reduction Act of 2005 (DRA). CMS also released model language that states could adopt for their state Medicaid plan.
The DRA requires each state to adopt a requirement that any entity that makes or receives payment of $5 million or more under the state Medicaid program must adopt compliance policies that describe federal and state false claims laws and whistleblower protections. States that fail to adopt this requirement before January 1, 2007, risk losing federal matching funds for their state Medicaid program.
CMS’ letter does not offer any information regarding the level of detail about the relevant federal and state statutory provisions expected to be included in an entity’s policies and handbooks, and although the guidance does elaborate on several key points, other questions remain unanswered. The following are some key issues discussed in the letter:
"Entities" Defined: CMS attempts to identify the types of organizations subject to the DRA requirements by defining the term "entity" to include an "organization, unit, corporation, partnership or other business arrangement" (including Medicaid managed care organizations) whether for profit or nonprofit, which receives or makes payments of $5 million under a state Medicaid plan. Several questions remain unresolved, such as whether the DRA requirements apply to all of the subsidiaries of an organization when only a few of the corporate entities pass the $5 million threshold, and whether the requirements apply to manufacturers of medical products that do not receive funds directly from Medicaid.
$5 Million Threshold Applies in the Aggregate: The $5 million threshold applies in the aggregate, meaning that an entity that makes or receives payment of $5 million at multiple locations or that uses several provider numbers will be subject to the DRA requirements if the $5 million threshold is reached.
Dissemination to Contractors and Agents and Others: CMS requires the entity to disseminate its policy describing the relevant anti-fraud laws to any contractor, agent or other person or entity that "furnishes or otherwise authorizes the furnishing of Medicaid health care items or services, performs billing or coding functions, or is involved in monitoring of health care provided by the entity."
Importantly, the Letter states that an entity must "establish and disseminate written policies which must also be adopted by its contractors or agents." This statement potentially imposes two new standards: dissemination to contractors and agents (rather than merely making the policies "available") and adoption of the policies by the contractors and agents. However, in the next sentence, CMS states that written policies may be "on paper or in electronic form, but must be readily available."
Implementation: The Letter obliges states to implement the DRA requirements "no later than January 1, 2007," although a state may request approval for a delayed effective date if state legislation is required. It is not clear that entities must be in compliance prior to the effective date of their states’ provisions, but CMS notes that it may, "at its discretion, independently determine compliance through audits of entities or other means."
The Letter and related "preprint" language are available on CMS’ website.
McDermott Will & Emery has worked with various organizations on the DRA’s compliance obligations and can provide practical advice for the development and implementation of compliance strategies.
McDermott Will & Emery previously published a summary of the DRA's compliance obligations, which is available by clicking here.