The Deficit Reduction Act of 2005 (the "DRA"), signed into law February 8, 2006, contained a number of provisions intended to bolster Medicaid fraud and abuse enforcement. These new provisions mean that there is likely to be an increase in fraud enforcement activities at the state level against those health firms involved directly or indirectly in Medicaid related claims.

First, Congress authorized the establishment of a new Medicaid Integrity Program with specific contractors to monitor fraud and abuse in the various state Medicaid programs. For many years, the vast majority of states have had Medicaid Fraud Control Units (MFCU) to coordinate statewide efforts to uncover and prosecute fraud in the Medicaid context. Although the MFCUs will continue in combatting health care fraud, the DRA—with its development of the Medicaid Integrity Program—significantly expanded the federal government's role by establishing new contractors and funding for additional federal staff to address Medicaid fraud.

Second, Congress adopted a provision that provides states with an incentive to adopt state false claims acts that substantially mirror the requirements of the Federal False Claims Act. States that adopt a state false claims act that satisfies these requirements can increase their share of the amounts recovered against providers for engaging in improper conduct. Specifically, if a state brings an action under its state false claims law against a Medicaid provider, then the state can be entitled to receive 10 percent of the federal government's share of any recovery.1  Congress provided that the Office of Inspector General (OIG) would be responsible for determining whether a state has adopted a false claims act that meets these requirements and the OIG published in the Federal Register guidelines that it will apply in reviewing state false claims acts.2  Based upon publicly available letters from the OIG to the states, it appears that only (10) states have submitted their false claims laws to the OIG for review (California, Florida, Illinois, Indiana, Louisiana, Massachusetts, Michigan, Nevada, Tennessee and Texas) and that of these ten (10) states, only three (3) state false claims laws (Illinois, Massachusetts and Tennessee) were found to satisfy the DRA requirements.3

The third fraud and abuse provision included in the DRA, which has received the greatest amount of attention is that, effective January 1, 2007, state Medicaid plans are required to ensure that any entity that receives or makes payments under the state plan of at least $5 million per year must provide certain information to its employees, contractors and agents concerning federal and state false claims act provisions, penalties and protections. As a result of this provision, entities that are subject to these requirements must review their corporate compliance programs, policies and procedures, and their employee handbooks (if such a handbook does, in fact, exist) to ensure that the requisite information is being provided to employees, contractors and agents. It is this third provision that is the focus of this Special Alert.

 Despite the dissemination of certain information from the Centers for Medicare and Medicaid Services ("CMS") in December 2006 guidance as well as during a teleconference that was held in January 2007, there is still ambiguity and confusion within the health care industry, and even among health lawyers, as to whom the law applies to and what this law requires. To this end, CMS has promised additional guidance "as soon as possible." In the meantime, entities subject to this provision must carefully analyze this provision in order to determine whether any additional action steps must be taken in an attempt to come into compliance. 

In addition to the requirements being imposed on health care entities under the DRA, certain segments of the health care industry are now required to have adopted a corporate compliance program as a result of a contractual obligation, in order to receive accreditation, or because the state has adopted a law or regulation that specifically mandates the creation of such a program. Therefore, the time is ripe for organizations to examine (or re-examine) their compliance programs to ensure that they are, in fact, "effective." To facilitate this process, Epstein Becker & Green has developed a checklist of issues, topics and questions that it believes should be examined as part of an audit of an organization's compliance program. A copy of this checklist is attached to this Special Alert.

Overview of Section 6032 of the DRA

Section 6032 of the DRA requires state Medicaid plans to provide that any entity that receives or makes annual payments under the state plan of at least $5,000,000, as a condition of receiving such payments:

(A) establish written policies for all employees of the entity (including management), and of any contractor or agent of the entity, that provide detailed information about the False Claims Act established under sections 3729 through 3733 of title 31, United States Code, administrative remedies for false claims and statements established under chapter 38 of title 31, United States Code, any state laws pertaining to civil or criminal penalties for false claims and statements, and whistleblower protections under such laws, with respect to the role of such laws in preventing and detecting fraud, waste, and abuse in Federal health care programs (as defined in section 1128B(f));

(B) include as part of such written policies, detailed provisions regarding the entity's policies and procedures for detecting and preventing fraud, waste, and abuse; and

(C) include in any employee handbook for the entity, a specific discussion of the laws described in subparagraph (A), the rights of employees to be protected as whistleblowers, and the entity's policies and procedures for detecting and preventing fraud, waste, and abuse.

Codified at 42 U.S.C. 1396a(a)(68).

On December 13, 2005, CMS issued a guidance letter to the State Medicaid Directors and provided the states with a State Plan Preprint (the "State Guidance Letter") ( The State Guidance Letter provides that CMS is "writing to offer guidance to State Medicaid agencies on the implementation of section 6032 of the Deficit Reduction Act of 2005"(emphasis added). CMS did not state that the "State Guidance Letter" was guidance to members of the health care industry. Instead, CMS said that this was a guidance letter for the State Medicaid Program Directors. This distinction is important because the explicit language of DRA Section 6032, taken in context, applies directly to the states, and, therefore, it is each states' responsibility to then provide that state's guidance on how that state intends to apply and interpret this requirement.

As this provision resulted in a large number of requests for clarification from CMS, CMS organized a teleconference that took place on January 11, 2007 during which time Rob Miller, Acting Director of the CMS Medicaid Integrity Group, addressed an audience of about 900 people/organizations, answered a number of questions, and otherwise stated that other questions would need to be addressed by CMS sometime in the future.

A number of the issues that continue to receive attention are as follows:

What constitutes an "entity" and how is the $5 million threshold calculated?

The State Guidance Letter provides that an "entity" includes: "a governmental agency, organization, unit, corporation, partnership, or other business arrangement (including any Medicaid managed care organization, irrespective of the form of business structure or arrangement by which it exists), whether for-profit or not-for-profit, which receives or makes payments, under a state plan approved under title XIX or under any waiver of such plan, totaling at least $5,000,000 annually." The State Guidance Letter also provides that: "If an entity furnishes items or services at more than a single location or under more than one contractual or other payment arrangement, the provisions of section 1902(a)(68) apply if the aggregate payments to that entity meet the $5,000,000 annual threshold.  This applies whether the entity submits claims for payments using or more provider identification or tax identification numbers."4

During the CMS Teleconference, CMS answered a number of questions related to both the calculation of the $5 million threshold and which entities are considered to fall within the purview of Section 6032. While we believe that a number of the answers provided by CMS during this Teleconference may change when CMS provides additional written guidance, in the meantime, CMS stated as follows:

  • Payments made to health care entities by individual beneficiaries (e.g., Medicaid beneficiary co-payments) are not to be included in the $5 million calculation.
  • The states are to decide whether health care entities should focus on the date of service or date of payment in making the $5 million calculation.
  • The final adjudicated payment from a respective Medicaid program, and not the amount billed to a Medicaid program, is the amount to consider for purposes of the $5 million calculation.
  • The $5 million calculation should be considered on a state-by-state basis, e.g., compliance will only be required if the $5 million threshold is met with respect to any one given state.

 In addition, the CMS representative stated that CMS would be providing additional guidance with respect its position on how a number of corporate structures would be impacted by Section 6032. For example, CMS stated that it would provide its position on whether a corporation which does not have any direct relationships with a state Medicaid plan but owns a number of separate legal entities that individually do not exceed the $5 million threshold will be found to fall within these requirements if all the enrolled entities in that state exceed this threshold in the aggregate.

Are pharmaceutical and device manufacturers "entities" for
purposes of this requirement?

During the teleconference, CMS stated that neither medical device manufacturers nor pharmaceutical manufacturers are "entities" for purposes of this requirement. Nonetheless, there is an argument that could be made by entities responsible for interpreting and enforcing the law, that pharmaceutical manufacturers, by virtue of their Medicaid drug rebate rebate agreements with the state Medicaid programs, may fall within the purview of Section 6032. As the CMS statement is not formal guidance, pharmaceutical and device manufacturers should carefully consider (in consultation with legal counsel) whether the organization could, in fact, be characterized as an "entity" for purposes of this requirement.

What are entities required to do under Section 6032?

An entity that meets the $5 million Medicaid threshold must establish certain written policies and procedures and amend its employee handbook, only if the entity has already created such a handbook. The State Guidance Letter does not provide a great deal of direction on how the states should require their providers to comply with the establishment of written policies pursuant to Section 6032. In fact, CMS explicitly provided during the CMS Teleconference that it did not want to be too prescriptive in this respect. However, on March 2, 2007, CMS circulated an email in which the Department of Justice provided a description of the Federal False Claims Act for states and entities to use "if they so choose." This DOJ developed description includes a recitation of the statute, a summary of the qui tam provisions, and a few examples of how liability can arise under the statute. However, no information has been circulated regarding the level of detail required on describing either the administrative remedies for false claims under Chapter 38 of title 31 or state laws.

Must an entity "train" its "employees, contractors and agents" on these issues?

No. We have found that this is one of the areas of greatest confusion. Although the original Senate bill required states to ensure that affected entities provide "mandatory training" for employees, contractors and agents on the topics covered by the required written policy, the House bill, in contrast, did not include any such language.5  As a result of the conference agreement between the members of the Senate and House of Representatives, the "mandatory training" language in the Senate bill was struck. Although the Conference Report provides no rationale for the elimination of the training requirement, the Conference Report provides that: "The conference agreement follows the Senate bill, but applies only to entities receiving annual Medicaid payments of at least $5 million and does not require the establishment of protocols and procedures for the training of employees (i.e. only written policies are required)." (emphasis added).6

Therefore, even though the heading to Section 6032 of the DRA continues to read "Employee Education about False Claims Recovery" (emphasis added), the statute, as enacted, does not include any language that requires education or training; instead it merely requires that there be written policies and procedures (e.g., that describe the False Claims Act, state laws, whistleblower protections) and that this information be made available to employees, agents and contractors.

During the January 11, 2007 Teleconference, the CMS representative confirmed that CMS takes the position that DRA Section 6032 does not mandate "training." However, there may be situations that employee training may be appropriate within an organization in order to ensure consistency with other aspects of the organization's compliance program.

Who/what constitutes an "agent" or "contractor" under Section 6032?

In the State Guidance Letter, CMS states that a "'contractor' or 'agent' includes any contractor, subcontractor, agent, or other person which or who, on behalf of the entity, furnishes, or otherwise authorizes the furnishing of Medicaid health care items or services, performs billing or coding functions, or is involved in monitoring of health care provided by the entity." During the CMS Teleconference, the CMS representative provided that it wanted to focus contractors or agents to be those involved in health care delivery and did not want "contractors" or "agents" for Section 6032 purposes, to apply to, for example, a health care entity's lawn care or cafeteria service contractors.
Based upon a number of questions during the CMS Teleconference, CMS also stated that CMS needs to examine further how it intends to apply the term "contractors" and "agents" to individuals such as physicians who have staff privileges at a hospital or serve as an attending physician for a patient in a nursing home.

What is an entity required to do with its contractors and agents?

Section 6032 requires the establishment of certain written policies, the DRA does not explicitly require that policies need to be "disseminated" to or "adopted" by "contractors" and "agents." However, in the State Guidance Letter, CMS took the position that it is the responsibility of each entity to "establish" and "disseminate" its written policies "which must also be adopted by its contractors or agents." (emphasis added)

During the CMS Teleconference, a number of questions were raised about how CMS expected entities to ensure that contractors and agents adopted an entity's written policies and to ensure that these contractors and agents received information on state and federal false claims act provisions. Moreover, a number of callers asked whether contractor agreements would need to be amended to include this as a requirement. CMS stated that it did not believe the law required an entity to amend its agreements and that CMS wanted entities to have flexibility in determining how best to comply with the law. The CMS representative also stated that it was necessary that CMS reconsider its position on whether policies must, in fact, be adopted by contractors and agents.

What should health care entities do now?

Entities that are (or may be) subject to these requirements should continue to: (1) review and analyze existing policies and procedures in an effort to directly comply with Section 6032, (2) continue to monitor the development of the implementation of Section 6032 by CMS and the states, and (3) if appropriate, seek additional guidance from CMS and the states.

Moreover, if an organization is not otherwise required by contract, state law or as a condition to receiving accreditation to have adopted a corporate compliance program, then the organization should consider the benefits of adopting such a program. If an organization has adopted a corporate compliance program, then it is necessary that an audit of the compliance program be performed to ensure that the compliance program is "effective" and otherwise has incorporated the DRA requirements. Epstein Becker & Green has worked with clients in all sectors of the health care and life sciences industry in building new corporate compliance programs, assessing the effectiveness of existing corporate compliance programs and developing policies and procedures in an attempt to comply with the requirements of the DRA. Included with this Special Alert is a checklist prepared by Epstein Becker & Green that includes a brief summary of the issues, topics and questions that should be examined when evaluating an organization's compliance program.



[1] Deficit Reduction Act. Pub. L. 109-171, §§ 6031-33 (2006) codified at 42 U.S.C. § 1396h(a).

[2] 71 Fed. Reg. 48552-48554. (Aug. 21, 2006).

[3] Specific State Laws Reviewed by OIG, Office of Inspector General, Department of Health and Human Services (Available at: Notwithstanding the OIG's review of only ten (10) state false claims acts, there are a number of other states that possess false claims acts many of which have been, and continue to be reviewed, by the legal and health care communities.

[4] The State Guidance Letter also provides that: "A governmental component providing Medicaid health care items or services for which Medicaid payments are made would qualify as an entity (e.g., a State mental health facility or school district providing school-based health services). A government agency which merely administers the Medicaid program, in whole or part (e.g., managing the claims processing system or determining beneficiary eligibility), is not, for these purposes, considered to be an entity."

[5] See S. 1932, § 6024(a)(3)(C) and H.R. 4241, 109th Cong. (2005).

[6] H.R. Conf. Rep. 109-362. The Senate passed its version of the DRA on November 3, 2005; the House of Representatives passed its version on November 18, 2005. A conference committee report, No. 109-362, was approved by the House on December 19, 2005, but the Senate defeated this conference report and substituted its own version of the legislation on December 21. This required the House to vote once again on the legislation and the House approved the Senate substitute on February 1, 2006. Although Conference Report No. 109-362 was defeated by the Senate and a new conference report was not issued, 109-362 still remains the most complete explanation of the DRA.



Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.