CMS Clarifies Certain Compliance Mandates in the Deficit Reduction Act of 2005

On February 8, 2006, President Bush signed the Deficit Reduction Act of 2005 (the “DRA”).  Certain provisions of the DRA are intended to reduce and control federal spending on Medicaid program benefits.  Section 6032 of the DRA sets forth new conditions that will require certain entities participating in Medicaid programs to inform their employees, contractors, and agents about the details of state and federal false claims statutes and whistleblower protections.  Congress established January 1, 2007 as the deadline for compliance with Section 6032.  The penalty for noncompliance may be harsh: Providers can lose all of their Medicaid reimbursement.

Section 6032 of the DRA

DRA Section 6032, entitled “Employee Education About False Claims Recovery,” mandates that each state Medicaid plan require entities receiving or making annual Medicaid payments of at least $5,000,000 to establish certain written policies for all of their employees, contractors, and agents.  Importantly, doing so is a prerequisite to receiving Medicaid reimbursement.

More specifically, as of January 1, 2007, the states must require such entities to:

(1)  Establish written policies for all employees of the entity (including management), and any contractor or agent of the entity, that provide detailed information about:

(a)  the Federal False Claims Act;

(b)  remedies for false claims and statements;

(c)  any state laws pertaining to civil or criminal penalties for false claims and statements;

(d)  the whistleblower protections under the Federal False Claims Act and state laws; and

(e)  the role of such laws in preventing and detecting fraud, waste, and abuse in Federal health care programs.

(2)  Include, as part of their written policies, detailed provisions regarding the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse.  This is essentially the organization’s compliance program.

(3)  Include, in any employee handbook for the entity, a specific discussion of:

(a)  the state and federal laws referenced above;

(b)  the rights of employees to be protected as whistleblowers; and

(c)  the entity’s policies and procedures for detecting fraud, waste, and abuse.

Organizations presented with the task of complying with Section 6032 of the DRA will likely find that certain fundamental questions are unanswered.  Accordingly, despite good-faith and concerted efforts, they will not have confidence that they have complied with the DRA’s mandates.  Neither Section 6032 nor any of the other provisions within the DRA address (i) what or how much information would constitute “detailed information” or (ii) how an entity should inform its employees, contractors, and agents of the necessary false claims law information and written policies (other than inclusion in the employee handbook).  Also missing are definitions of “entity,” “employee,” “contractor,” and “agent,” which are all critical terms in Section 6032.

December 13, 2006:   CMS Issues Guidance on Section 6032

On December 13, 2006, the Centers for Medicare & Medicaid Services (“CMS”) issued a letter to State Medicaid Directors offering “guidance” on how they might implement the requirements of DRA’s Section 6032 into their State Medicaid Plans, which will then become binding on providers (  CMS also provided sample State Plan language for their consideration(  The letter reiterates the elements of Section 6032 and confirms the January 1, 2007 deadline for compliance with them.  In addition, the letter purports to clarify which “entities” will be subject to the requirements of Section 6032 and provides that “[a]n ‘entity’ includes a governmental agency, organization, unit, corporation, partnership, or other business arrangement (including any Medicaid managed care organization, irrespective of the form of business structure or arrangement by which it exists), whether for-profit or not for profit, which receives or makes payments, under a State plan approved under title XIX or under waiver of such plan, totaling at least $5,000,000 annually.”  The letter further provides that the $5,000,000 annual threshold is met if the aggregate reimbursement to an entity reaches $5,000,000.

This definition appears to encompass any type of business arrangement where the aggregate Medicaid payments totaled at least $5,000,000 during the preceding federal fiscal year.  According to CMS, the $5,000,000 threshold may be met even if:  (i) the items or services are provided at more than a single location; (ii) the items or services are under more than one contractual or other payment arrangement; or (iii) the entity submits claims for payments using one or more provider identification or tax identification numbers.  This definition ignores the separateness of legal entities and provider numbers and leaves providers to wonder whether their particular “business arrangements” subject them to the mandates in Section 6032.

CMS has also offered definitions of “employees” (any officer or employee of the entity) and “contractor” or agent” (which encompasses “any contractor, subcontractor, agent, or other person which or who, on behalf of the entity, furnishes or otherwise authorizes the furnishing of Medicaid health care items or services, performs billing or coding functions, or is involved in monitoring of health care provided by the entity”).  This is good news for providers because it limits these otherwise expansive terms to people and entities that actually have something to do with Medicaid billing, coding, or monitoring.

CMS also confirmed that each entity must establish written compliance policies, but the letter goes further and provides that it is also the responsibility of each entity to disseminate such written policies.  While an entity’s written policies may be on paper or in electronic format, they must be readily available to all employees, contractors, or agents.  Even though Section 6032 refers to inclusion of certain information in an employee handbook, providers who do not have such a handbook need not create one.  CMS has also gone a step further than simply clarifying Section 6032 by requiring that the written policies be adopted by an entity’s contractors or agents.  This, of course, creates another challenge:  How will providers ensure that these third parties “adopt” the provider’s policies?

CMS has also provided some guidance on what actions an entity should take to comply with Section 6302.  However, it is still not clear what or how much information a provider would need to communicate to employees, contractors, and agents to satisfy the mandate for “detailed information.”  Further, CMS has indicated that a provider must disseminate its written policies, but it has not clarified the acceptable methods for doing so.  In addition, while Section 6032 is entitled “Employee Education About False Claims Recovery,” there is no explicit requirement in Section 6032 or the CMS guidance that requires providers to “educate” their employees.  The only such requirement is the guidance that providers should “disseminate” certain information.  This is especially confusing because of the title of the Section and the fact that education is a component of every effective compliance program.

Another wrinkle is that the CMS guidance letter suggests that entities must be in compliance with Section 6032 by January 1, 2007, even if states have not yet amended their Medicaid Plans.   If a state determines that it needs legislation to change its Plan, however, it must request through CMS that the Secretary of HHS concur with the determination that legislation is required.  It is therefore not a foregone conclusion that providers will be in violation of Section 6032 for failure to comply with its mandates by January 1, 2007, if their applicable State Plan has not been amended.  Yet, CMS has indicated that it reserves the right to begin auditing providers’ compliance with these standards.  

In summary, it seems that without further guidance, entities that fall within the requirements of Section 6032 will be forced to take an overly broad approach when attempting to comply with its requirements.  They should endeavor to be in compliance by January 1, 2007, notwithstanding the unanswered questions.

Lawyer Contact

For further information, please contact your principal Firm representative or the lawyer listed below. General e-mail messages may be sent using our “Contact Us” form, which can be found at

Frank E. Sheeder III

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our web site at  The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the author and do not necessarily reflect those of the Firm.