Fingerprint-based background checks intended to “detect bad actors” enrolled or attempting to enroll in federal health programs

More than three years after publication of final regulations to implement Affordable Care Act (ACA) provisions that strengthen provider and supplier enrollment screening provisions under federal health care programs, the Centers for Medicare & Medicaid Services (CMS) has selected a Fingerprint-Based Background Check Contractor (FBBC) and intends to phase in fingerprint-based background checks beginning in 2014.

By way of background, CMS published a final rule on February 2, 2011 pursuant to Section 640 of the ACA, which required the Department of Health and Human Services to establish procedures for screening providers and suppliers participating in federal health care programs (specifically, Medicare, Medicaid, and the Children’s Health Insurance Program). Among other things, the final rule applies various screening tools, including unannounced site visits, background checks, and fingerprinting, based on the level of risk associated with different provider and supplier types. CMS established three levels of risk – limited, moderate, and high – and every provider and supplier category is assigned to one of these three levels. Individuals who maintain a 5 percent or greater direct or indirect ownership interest in a provider or supplier in the high risk category — including newly-enrolling home health agencies (HHAs) and newly-enrolling durable medical equipment, orthotics, prosthetics, and supplies (DMEPOS) suppliers — are subject to a fingerprint-based criminal history report check of the Federal Bureau of Investigation’s (FBI) Integrated Automated Fingerprint Identification System.

While the final rule was effective March 25, 2011, as mandated by the ACA, CMS delayed the effective date of the fingerprint-based criminal history record check provision until after additional subregulatory guidance was issued.   CMS awarded a $4.19 million FBBC contract to Accurate Biometrics, Inc. in March 2014, a significant step in the implementation process.  Following this award, CMS issued a provider update announcing that it intends to phase in the fingerprint-based background check implementation beginning in 2014.  Not all providers and suppliers in the “high” level of risk category will initially be a part of the fingerprint-based background check requirement, but eventually the fingerprint-based background check will be completed on all individuals with a 5 percent or greater ownership interest in a provider or supplier that falls under the high-risk category.

Providers and suppliers subject to the fingerprint requirements will receive a notification letter from their Medicare Administrative Contractor (MAC), and applicable individuals will have 30 days from the date of the notification letter to be fingerprinted at one of at least three locations identified by the FBBC (individuals will incur the cost of having their fingerprints taken). After fingerprinting is complete, the fingerprints will be forwarded to the FBI, which will compile the background history and share results with the FBBC within 24 hours of receipt. The FBBC will assess the data and provide a “fitness recommendation” to CMS indicating whether the criminal history record information contains enrollment violations or otherwise fails to meet requirements or guidelines established by CMS for enrollment of a Medicare provider or supplier; CMS will then make the final determination about the provider or supplier. CMS will notify providers and suppliers if the assessment of the fingerprint-based background check results in the denial of an enrollment application or revocation of existing Medicare billing privileges. The CMS guidance also provides information on standards for securing the data under the review process.

This announcement marks the latest steps in seemingly ever-escalating CMS efforts to clamp down on fraud and abuse in the Medicare and Medicaid programs. While the initial targets of the fingerprint-based background requirements are new DMEPOS suppliers and HHAs, the policy also will apply to those who are elevated to the high risk category in accordance with enrollment screening regulations, which could include providers/suppliers coming back into the Medicare fee-for-service program after a moratorium is lifted, or providers which have been subject to a payment suspension, exclusion, or revocation. It is likely that some “owners” of entities, such as principals of investment firms with financial interests in providers and suppliers, will balk at the whole idea of being fingerprinted. Moreover, the pending fingerprint process will doubtless provide even more opportunities for administrative missteps, and erroneous and time-consuming supplier/provider number revocations.