CMS’s Latest Fraud Crackdown: A Q&A With Pat Naples

CMS has rolled out a broad new anti‑fraud initiative, including withheld Medicaid funding in Minnesota, a nationwide enrollment moratorium for certain durable medical equipment (DME) suppliers, and a shift toward stopping improper payments before they are made. These efforts signal a more data‑driven, AI‑assisted enforcement environment.

In this Q&A, Pat explains what CMS’s latest actions mean for providers facing heightened scrutiny.

Q: CMS’s recently announced fraud crackdown includes several different actions. Can you walk through the legal basis for each?

They do stem from different places.

Starting with the action to withhold certain Medicaid funding from Minnesota, that is based on the Social Security Act. The Social Security Act allows the withholding of funds where a program has not met the federal government’s integrity requirements, which include things like preventing fraud and taking sufficient steps to prevent fraud. Now, whether in the case of Minnesota there is actually a program integrity issue is a separate question that is currently the subject of ongoing federal litigation. But that is the basis for the deferral of funds to the state of Minnesota.

As far as the moratorium is concerned, that is based on the Affordable Care Act. The Affordable Care Act allows for temporary moratoria to be placed where there is significant potential for fraud to occur. We have seen a number of settlements, judgments and enforcement actions involving durable medical equipment suppliers in the past year or two, so that has been a hotbed of activity. The Affordable Care Act is the basis for that action.

The final initiative, the “CRUSH” initiative, is really just a request for information (RFI). The government has broad authority to do that, not just in health care but across a variety of industries, where they are essentially asking the public for comment on ways they can stop fraud. If you look at this particular request for information, while it is broad, it also has a component particularly targeted at durable medical equipment.

So in some ways, the second and third prongs of this action are really working together. The moratorium places a temporary hold on new enrollment, and then you have the RFI seeking longer-term answers about what the administration and the agency can do with respect to durable medical equipment.

Q: HHS Secretary Robert F. Kennedy Jr. and CMS Administrator Mehmet Oz, M.D., MBA, have talked about replacing “pay and chase” with a real-time “detect-and-deploy” strategy, using advanced AI tools to identify fraud and stop improper payments before they go out. What are the legal guardrails on that approach?

There are two primary guardrails. One is that, under the regulations permitting the withholding or deferral of federal funds, there has to be a credible allegation of fraud. That is a showing the department has to make. Now, it is largely within their discretion whether there has been a credible allegation, so the extent to which that is a guardrail in theory versus in practice is a fair question.

The second is that there are procedural requirements on CMS in terms of notice that have to occur with respect to any withholding of federal funds. Those are the two primary guardrails in place.

Q: If an AI system flags a claim as suspicious, does that alone legally justify withholding payment from a physician or practice? And how much transparency does a provider get about why they were flagged?

I’m going to give the classic law school answer: it depends.

It’s hard to say because it is typically a determination made by the administration, and it is something both this administration and past administrations have been looking at. Given the focus on artificial intelligence in the past couple of years, it may seem like something new, and certainly activity involving data mining has increased in recent years. But actually, back in 2011, claims data mining was added to federal health care regulations as a potential basis for a credible allegation of fraud.

So this is something the DOJ has had in the works for quite some time, building out its own system for detecting anomalies in claims data. Practically speaking, is the DOJ or HHS going to take action because of one anomalous claim? Probably not — though it depends on the claim, the circumstances and, to a certain extent, the provider.

More typically, what we have seen is that they are looking for large outliers in the data set to flag and ask, “What’s happening here?” and “Is there a fraud concern?”

Q: If a physician’s payments are withheld after that kind of flag, what recourse do they have? Is there an appeals path?

The physician can submit a written rebuttal statement in response to the withholding and argue that there is not a credible allegation of fraud. That is certainly something physicians can and should do if they think there has been a mistake.

Unfortunately, if you are a physician in that situation, it’s largely within the agency’s discretion whether to consider or reject that written rebuttal statement. Then, if they reject it, the matter has to go through the ordinary administrative review process and agency appeal. Only after that can there be a process for judicial review. So there is review and it can take place, but it can be time-consuming.

Q: Are there limits on using AI to make those calls before a human has reviewed anything? And if AI makes a mistake and funds are withheld, could that create liability for CMS?

In terms of liability for CMS, I think that is highly unlikely. CMS, and government agencies generally, have sovereign immunity from that sort of suit, and that would almost certainly govern here.

What this does underscore is why it is important for providers to monitor their own claims submissions. Particularly if you are a large practice, large hospital system or medical research center, you can use artificial intelligence tools on your own to spot anomalies, understand them and try to guard against them.

And if those anomalies exist and there is some indicia of fraud, the department’s newer policies are encouraging providers to come forward with things like reduced penalties, reduced deferrals and fewer criminal penalties if there is a voluntary self-disclosure that meets the requirements set forth in the policy.

So I think the lesson for providers is: check your own data, stay on top of it, and be prepared so you can take advantage of self-disclosure if that is needed before DOJ comes knocking on the door.

Q: Minnesota is the first state to have funds withheld. What signal does that send to other states, and what could it mean for physicians practicing there right now?

The federal government’s message is to be vigilant at the state level in guarding against fraud. If the federal government does not feel a state is being sufficiently vigilant, then it may step in and take action, as it did in Minnesota.

What I think that means for providers is that, in some respects, this continues a trend we have already been seeing, which is increasing enforcement activity at the state level. Historically, this has largely been an area of federal enforcement, although certainly state attorneys general have been involved to varying degrees depending on the state.

But the message we are seeing from the federal government, I think, will cause an uptick in state-level activity. Some of the more high-profile examples have been in Texas. Those have not involved medical providers as much, but they have involved life sciences companies. Attorney General Ken Paxton has been pretty aggressive in pursuing pharmaceutical companies that the state believes are engaged in fraudulent activities.

So I would expect continued increased activity at the state level that providers should be aware of.

Q: CMS also announced a nationwide moratorium on Medicare enrollment for certain DME suppliers. For a physician or practice that refers patients to those suppliers but does not bill directly, what does this change? Should they be documenting or handling referrals differently?

Yes. Those dealing with referrals to durable medical equipment suppliers should be scrutinizing those relationships and, to the extent there are referral agreements or referral contracts, making sure those fall within CMS safe harbors and are appropriate.

I also think you are going to see increased activity in the durable medical equipment space. Even though the moratorium is really just on new suppliers seeking Medicare enrollment, the signal being sent, both by that and by the crush initiative, is that this is an area of focus for the administration.

Even if, as a provider, you are doing everything by the book and doing everything correctly, and you are not a target of an investigation, you can still be a witness to an investigation involving a durable medical equipment supplier. And that in itself requires devotion of resources, whether you are responding to a subpoena, producing documents or making employees available for interviews. Those things can be disruptive and are a reason to scrutinize supplier relationships and ensure you are working with suppliers that take compliance seriously.

Q: Beyond this announcement, are there other fraud enforcement developments physicians and practices should be watching right now?

There have been a couple.

One is DOJ’s new corporate enforcement policy, which in some ways continues the policy released last year, but in one significant way is different: it is uniform across the country. So you do see an increasing focus on uniformity across jurisdictions, and that is something providers should pay attention to no matter where they are located.

Another is cross-departmental collaboration. There was a joint task force involving HHS, the Office of Inspector General and DOJ that was announced recently, and I think that is also going to generate increased activity.

And then the final one, which has been somewhat well covered in the mainstream media, is the creation of a National Fraud Division. Of course, there has been a fraud branch of the Civil Division for years, so I think it remains to be seen how this National Fraud Division will differ from that fraud branch. But at a minimum, it signals increased focus, increased attention and increased devotion of resources to combating fraud, waste and abuse.

So insofar as fraud is concerned, those are the primary areas to pay attention to.

Q: For small practices, what compliance problems do you see come up again and again that could put them at risk in a stricter enforcement environment?

The first, and probably the most common, is the classic referral relationship and Anti-Kickback Statute issues. If you have consulting relationships with hospitals, manufacturers or suppliers, those referral relationships are a classic source of enforcement and compliance activity. So even for small practices, to the extent you have those relationships, those are things you want to take a hard look at.

Another thing I would focus on in this environment is documentation around claims and billing. Medical necessity determinations are something the administration is increasingly scrutinizing and ensuring are a focus.

The final thing small practices need to be aware of, and large practices too, is cybersecurity and ensuring adequate devotion of resources to that space. There has been a lot of activity and announcements there by DOJ, but also by CMS. Health Insurance Portability and Accountability Act compliance is, in some ways, more complicated than it has been because there is so much activity in the cybersecurity space. So you want to be sure that even as a small practice, you are devoting sufficient resources to the security of your patient records.

Q: Many smaller practices do not have dedicated compliance staff. How do you advise clients who are trying to get this right without a full compliance team?

There are a couple of steps even small practices can take to address compliance efficiently.

One is issue spotting and risk management. Start there. Look at your high-risk areas and determine what they are. Do you deal a lot in durable medical equipment? If so, under this administration, that is something you should be scrutinizing. If you have a lot of consulting relationships, that is another area where you are going to want to be careful.

The second step is implementing proper training. I think we can sometimes overlook onboarding or the annual PowerPoint on compliance and fraud that employees have to click through, but those things matter. If you get a subpoena from DOJ or a civil investigative demand, being able to say, “We have a robust training program that every employee goes through when they begin, and that happens on an annual basis,” can be a relatively straightforward thing to set up but an important signal that even as a small practice, you are taking compliance seriously.

Third, basic monitoring. It does not have to mean a substantial devotion of resources or scrutinizing every contract. But if you have referral relationships, audit them and make sure they are actually complying with your contracts. If you have billing and coding issues, devote some resources to reviewing those areas and making sure your documentation is where it should be.

The final thing small practices can do is, if you do not have a compliance person on staff, build a relationship with compliance consultants or outside counsel who can advise you, at least periodically, about developments in this space, what you should be concerned about and what gaps you might have in your compliance program. A relatively small devotion of resources at one time can really pay off so you do not end up having to devote substantial resources later because of an enforcement action you did not see coming.

Q: Is there anything else you think physicians and practices should be paying attention to right now?

The only other thing I would point out is that we are seeing a significant uptick in activity with respect to telehealth and telemedicine. There are increasing levels of scrutiny, arising out of the pandemic, on telehealth and telemedicine as they have proliferated. So if you are involved in telehealth or telemedicine, know that this is an area of focus for the administration.

Look, to some extent this can feel like something new and something different, but I would say this is really a continuation of a trend that has been in place for years, and we have seen it across administrations. In many ways, this is a continuation of what the Biden administration was doing and what the first Trump administration did before that. There has been a consistent uptick in health care compliance and fraud enforcement for years now.

So I would not expect a change of administration to mean a change in the way health care fraud and compliance are policed. This is not going away. It is something health care providers need to take note of and take action on, so they can be vigilant on the front end and prepared for whatever action may take place going forward.