CMS Issues Long Awaited Guidance on False Claims Act and Whistleblower Education Requirements



On December 13, 2006, the Centers for Medicare & Medicaid Services (“CMS”) released guidance to State Medicaid agencies on the implementation of Section 6032 of the Deficit Reduction Act of 2005.  Boult, Cummings, Conners & Berry, PLC has highlighted this requirement in previous client alerts, but at the time CMS had not issued this long awaited guidance.

The Deficit Reduction Act of 2005 (the “DRA”) imposes new compliance program requirements on health care entities that receive $5 million or more in Medicaid funds in a fiscal year.  Effective January 1, 2007, the DRA will require these entities to educate their employees, contractors and agents about federal and state false claims acts and about the whistleblower protections under the acts.  The new CMS State Medicaid Director letter is consistent with the guidance Boult Cummings had previously provided, and now clarifies a number of unknowns in how to implement the DRA’s education program requirements.

Those issues are as follows:

  • What is a Covered Entity?  The State Medicaid Director letter specifically defines an “entity” as the term is used in Section 6032 of the DRA.  If a health care company or provider receives or makes $5 million of aggregate Medicaid payments in a calendar year, it must comply with the training requirement of Section 6032.  CMS’s letter specifically confirms that the threshold will be calculated in the aggregate, regardless of whether a company or provider “furnishes items or services at more than a single location” or “using one or more provider numbers.”  Many institutional health care providers are likely to meet that threshold if they participate in Medicaid.

    For the upcoming 2007 calendar year, an entity meets the $5 million threshold if it made or received payments in that amount during federal fiscal year 2006, which ended on September 30, 2006.  Subsequent years’ cut-offs will be determined by looking at the amount of payments in the prior fiscal year (i.e., fiscal year 2007 for the 2008 calendar year).
  • What is a Contractor or Agent?  Under the DRA provisions, a covered entity must also “establish and disseminate written policies that must be adopted by its contractors and agents.”  The CMS Guidance defines a “contractor or agent” to include any person, company or organization that is involved in providing or otherwise furnishing Medicaid health care items or services of the entity, performs billing or coding functions for the entity, or is involved in monitoring of health care provided by the entity.  At a minimum, CMS’s interpretation of the law will require an entity to send out its policies to its contractors and agents, apprise them of the fraud and abuse provisions of federal and state laws, and ensure that the contractors and agents are knowledgeable about how to report possible fraud or abuse to the entity and governmental agencies.
  • What is the Effective Date?   CMS confirms in its guidance that all state Medicaid agencies must implement the DRA False Claims Act education requirements by January 1, 2007.  Therefore, states are expected to require all providers to be in compliance by that date as well.  CMS expects each state Medicaid program to amend its Medicaid provider contracts to accomplish this.

    CMS expects each state to submit a state plan amendment effective January 1, 2007.  Under CMS rules, a state could submit a state plan amendment as late as March 31, 2007 to be effective retroactively to the first day of the year.  CMS will only allow a state to extend the implementation date if the state can certify to CMS, and CMS agrees, that state legislation is required to implement the provisions.

    CMS also expects state Medicaid agencies to monitor compliance with the new law’s requirements.  In its state plan amendment, a state must include “a description of the methodology of compliance oversight and the frequency with which the State will re-assess compliance on an ongoing basis.”
  • What is required?  The CMS guidance does not change any of the basic requirements to comply with the DRA provisions.  Entities must provide to “all employees, and agents and contractors”:
    • Written policies that include “detailed information” about the federal and state false claim acts, administrative remedies for false claims, whistleblower protections under federal and state laws, and the role of these laws in preventing and detecting fraud, waste, and abuse;
    • Detailed provisions regarding the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse; and
    • Inclusion of that information and those policies within any employee handbook, if the entity has such a handbook.

CMS will allow an entity to provide its DRA policies to employees, contractors or agents in paper or electronic form, so long as they are “readily available.”  Providers wishing to post policies on an internal website may do so.  Email may also be an effective way to disseminate those policies to contractors and agents.

If covered entities have not done so, they need to act now in order to ensure at least minimal compliance by January 1, 2007.  Steps entities can take include the following:

  • Reviewing or revising compliance plans and employee handbooks to ensure that the new information required by the DRA, including summaries of the relevant federal and state laws, is included.
  • Reviewing your fraud and abuse compliance program against the DRA requirements to identify any gaps. If your entity lacks a formal fraud and abuse reporting and compliance mechanism, one should be established as soon as possible.
  • Establishing a formal grievance procedure.  It should be clear that there is no retaliation toward the employee for reporting any billing irregularities or other concerns.