Section 6032 of the Deficit Reduction Act of 2005 (DRA) amended the Social Security Act to require health care entities that make or receive more than $5 million annually under the state Medicaid program to establish written policies for their employees, contractors and agents. The policies should include details about federal and state laws on false claims, false statements and whistleblower protections, as well as the entity’s policies and procedures to detect fraud and abuse.

In March 2007, CMS issued its final guidance on Sec. 6032 requirements. The guidance — in the form of a letter to state Medicaid directors — contains “Frequently Asked Questions” (FAQs) that address some key questions, though many others remain unanswered. Let’s look at some of the most critical elements of the guidance.

Defining an entity
For organizations that are made up of multiple subsidiaries, the CMS FAQs note that an “entity” is the largest separate organizational unit that furnishes Medicare health care items or services and includes all organizational subunits that furnish such items and services, even if the subunits are located in different states or are separately incorporated.

In the case of health systems, however, CMS considers the parent corporation and its subunits to be integrally involved in providing Medicare items or services. Therefore, the entire organization is considered an entity subject to the provisions of the DRA. But CMS’s definition of a “health system” remains unclear and may be subject to interpretation by the states.

Calculating the $5 million threshold
Payments received from Medicaid-managed care organizations and patient cost-sharing amounts aren’t considered in the threshold calculation. Payments made by Medicaid for deductibles or coinsurance for dual-eligible individuals or qualified Medicare beneficiaries should be included, however.

The threshold is calculated based on the federal fiscal year, and each state determines whether to use the date of payment or the date of service to calculate the threshold.

Deriving policy content
Don’t look for help from CMS when drafting your policies and procedures, as CMS has not provided model language for policies required under Sec. 6032.

Entities must disseminate their policies in paper or electronic form to all their employees, contractors and agents. Although CMS isn’t requiring entities to amend their contracts with contractors and agents to include Sec. 6032 language, each state has the discretion to determine how it will decide whether an entity is complying with the law.

To determine your state’s requirements for the manner and frequency of contractor and agent notification, review your state’s plan or contact your state Medicaid agency.

Complying is critical
CMS reiterates that entities must comply with Sec. 6032 as of Jan. 1, 2007. However, each state had until March 31, 2007, to amend its state plan to implement DRA requirements.

Even if your state’s Medicaid plan hasn’t been released, you should make a good-faith effort to comply with DRA requirements. Individual states are charged with the responsibility for implementing and enforcing the requirements of the DRA, so providers that qualify as entities should ensure that their policies, procedures and employee handbooks comply with CMS guidance and the applicable state plan.

To view the entire Practical Health Law newsletter, click here!