CMS Announces Final Rule Risk Category

Published in Government Relations on December 28, 2022

On Nov. 23, 2022, CMS passed a final rule [87 FR 722931] that significantly changed the risk categories for certain providers and suppliers (including DMEPOS) when they initiate enrollment actions. These changes will be effective on Jan. 1, 2023.  

“I will review the provider and supplier types affected (collectively “providers”), the fingerprinting process involved, and the effects these changes will have on these providers as they attempt to enroll new entities or undergo change of ownership (CHOW) applications,” said Mark Higley, VP of Regulatory Affairs, VGM Government Relations. 

As required by the Affordable Care Act, CMS established risk categories identifying what level of scrutiny to apply to new enrollment applications, CHOWs, and revalidations by provider type. The risk categories are “limited,” “moderate,” and “high.” 

Providers in the high-risk categories are subject to additional requirements that include fingerprint-based criminal background checks as part of the enrollment process. A provider type can be in different categories depending on the enrollment action being requested. For example, a provider can be in the high-risk category when attempting to enroll a new entity and in the moderate-risk category when seeking to revalidate that same entity. In addition, providers of any type can be elevated to a high-risk category and subject to fingerprinting-based background checks if certain sanctions have been imposed on the provider, such as a CMS payment suspension or OIG exclusions. 

Provider Types Affected: 

  • Durable Medical Equipment, Prosthetics, and Orthotics (DMEPOS) suppliers 
  • Home Health Agencies (HHAs)  
  • Medicare Diabetes Prevention Program suppliers (MDPP)   
  • Opioid Treatment Program providers (OTP) 

DMEPOS suppliers, HHAs, MDPP suppliers, and OTP providers will be considered high-risk and subject to intense scrutiny when attempting to report a change of ownership with CMS. These providers were previously considered high-risk for a new CMS enrollment, but not for CHOW applications. 

Effective Jan. 1, 2023, DMEPOS suppliers, HHAs, MDPP suppliers, and OTP providers that were certified by the Substance Abuse and Mental Health Services Administration after Oct. 24, 2018, submitting either: (1) a change of ownership application or (2) an application to report any new owner must have the new owner submit to fingerprint-based criminal background check requirements. In either scenario, the new owner must have a 5% or greater interest. 

  • Skilled Nursing Facilities (SNF) 

Since the regulation requires CMS to place providers in categories, skilled nursing facilities (SNFs) were categorized as a limited risk for all enrollment actions. However, with the implementation of this final rule, SNFs will be considered high risk and subject to intense scrutiny when attempting to initially enroll or report a CHOW with CMS. In addition, SNF revalidations will be processed under a moderate level of scrutiny. 

The most burdensome part of this change for SNFs will be the fingerprint-based criminal background check requirements. When a SNF initially enrolls, then anyone who owns 5% or more of the SNF must submit fingerprints and undergo a criminal background check in connection with the enrollment application. Fingerprint-based background checks will also be required if an enrolled SNF reports a change of ownership with a new 5% or more owner. 

Fingerprinting and Background Check Procedures 

CMS has contracted with Accurate Biometrics to conduct a fingerprint-based background check on all individuals with a 5% or greater ownership in a provider or supplier that falls under the high-risk category for purposes of enrollment screening. If a provider is required to process fingerprints through Accurate Biometrics, they will receive a letter from the Medicare Administrative Contractor.  

Click here for more information. 

Then, the provider must print the fingerprint and affidavit forms available on the Accurate Biometrics website and take them to a law enforcement agency or fingerprint vendor to have the fingerprints done. Then, the form and affidavit must be mailed to Accurate Biometrics. There is a link on the website to check the status of the fingerprint and background check processing.  

Effects of These Changes on Providers 

The fingerprinting process will slow down initial enrollment applications and CHOWs when these affected providers are forming a new entity or undergoing a change of ownership transaction. To complicate the process further for DMEPOS suppliers, CMS recently eradicated the National Supplier Clearinghouse for Medicare enrollment applications for DMEPOS suppliers. Effective on Nov. 7, 2022, there is now a National Provider Enrollment East administered by Novitas Solutions and a National Provider Enrollment West administered by Palmetto GBA. DMEPOS suppliers will now process Medicare enrollments through one of these National Provider Enrollment contractors depending on state location. As these contractors transition to their new roles, pending enrollment applications for DMEPOS suppliers are likely to be affected. 

Another interesting aspect of the increased scrutiny will be how CMS will enforce the fingerprinting-based criminal background checks for affected provider types when the owners or new owners with 5% or more interest are corporations or private entity firms. The statute designates that “individuals” who maintain a 5% or greater direct or indirect ownership interest in the provider or supplier are subject to the high screening requirements. As private equity firm’s involvement in the healthcare system continues to increase, CMS will have to determine how to screen owners who are not individuals. 

We will keep you updated when we learn more. 


  1. regulatory
  2. vgm
  3. vgm government

From Our Experts

Audit Climate – Taking The Temperature thumbnail Audit Climate – Taking The Temperature As we near the midpoint of 2024, what are the main billing/reimbursement headaches being faced by providers? [Vlog] Oxygen Policy Update thumbnail [Vlog] Oxygen Policy Update Listen in as Ronda Buhrmester clarifies the language of the oxygen policy around the co-signature that is highly recommended. Elimination of Noncompete Agreements - FTC Final Rule thumbnail Elimination of Noncompete Agreements - FTC Final Rule A 570-page final rule released by the FTC on April 23 will effectively put an end to the use of noncompete agreements between employers and employees. The final rule is scheduled for publication in the Federal Register on May 7, 2024, and will go into effect 120 days from publication (September 4, 2024), barring the results of any legal challenges to the rule. OMEPA Celebrates Another Successful Capitol Rally Day thumbnail OMEPA Celebrates Another Successful Capitol Rally Day On April 23, OMEPA members gathered at the Oklahoma Capitol in support of HB1712. Government Relations: Speak With One Voice thumbnail Government Relations: Speak With One Voice The DMEPOS industry must show a unified front, speak with a unified voice, and together be champions of change. Clarification on Standard Written Orders thumbnail Clarification on Standard Written Orders Recently the DME MACs released a Dear Physician Letter that clarified language on a standard written order (SWO) specifically related to CPAP masks. While the article was great news being welcomed by the industry, it also initiated additional conversation for other PAP supplies such as interfaces and tubing. Ronda Vlog: Further Updates on Refill Requirements and Dear Physician Letter thumbnail Ronda Vlog: Further Updates on Refill Requirements and Dear Physician Letter Be sure to watch this update from Ronda Buhrmester, Sr. Director of Payer Relations and Reimbursement, where she gives updates on the change to the refill requirement, effective Jan. 1, 2024 and the Dear Physician letter released in February. Change Health Resources thumbnail Change Health Resources VGM recognizes that many of our members in the DMEPOS provider community have been negatively impacted by the cyberattack on Change Healthcare that occurred on February 21, 2024. We continue to monitor the situation and promote the creation of resources to help providers navigate through this with as little negative impact to their business as possible.