Call for a Consultation: 855-571-4151


For many, many years, the general attitude of property and casualty insurance companies toward Medicare compliance has been some version of this:

I think we take Medicare compliance seriously enough. And if we make any mistakes along the way, it’s really not a big deal. The odds of CMS “penalizing” us for it (beyond the occasional letter from the Department of the Treasury) are slim to none.

The result of this approach is that compliance efforts at most P&C insurers have never aimed at achieving “total compliance.” Being “mostly compliant” (as far as it could be known) was good enough, because there was no perceived need to close that final – very difficult – gap.

The Case for Why It’s Different This Time

Medicare compliance vendors like CP Resolutions have been beating the compliance drum for a long time now. I’m sure that to insurance companies we come across as “the boy who cried wolf.” To a certain degree, this characterization has perhaps been true.

Allow me to make the case why … this time … it’s different. The wolf is actually at the gate.

The Significance of CMS Releasing a Final Rule to OIRA about Penalties

When I worked as a regulatory attorney for a state department of insurance, it wasn’t enough for me to write statutorily appropriate rules that had associated penalties. The rules needed to be (a) reasonably followable by the companies; (b) detectible and quantifiable by the regulating agency; and (c) collectible by the agency. This, given an agency’s limited resources, can be very difficult.

I believe that it has taken CMS literally decades to get to the point where they feel confident enough to release a final rule that checks all the boxes.

CMS released its final rule to the Office of Information & Regulatory Affairs (“OIRA”) on March 1, 2022. OIRA has 90 days to review and approve/release the rule or send it back to CMS with instructions for amending.

We will know the fate of the final rule sometime before June 1, 2022.

Enforcement Will Be Feasible … and Mostly Automated

I personally believe that “feasibility of enforcement” has been the hardest nut for CMS to crack. It seems like they believe they have cracked it.

The proposed rules laid out how CMS will detect most infractions automatically – using software – from the data submitted (or not submitted) by Responsible Reporting Entities (or by their vendors).

Only one type of infraction – failure to properly document efforts to obtain all claimant information required to query to discover which claimants are Medicare beneficiaries – seems to require human intervention (i.e. audits).

The Proposed Penalties Are Significant

Per statute, penalties are calculated at a rate of $1,000 (adjusted for inflation) per claimant, per day of non-compliance. In the proposed rules, most infractions carry with them a 90-day minimum penalty, because the infractions would be detected in a quarterly report and could not be made right until the following quarterly report. Some of those penalties were reduced to 25% of the total, increasing each quarter.

Regardless, the penalty for each infraction is certainly non-trivial. Then, when you compare that amount with the number of potential penalizable offenses, you can see where the numbers could get very large, very fast.

Getting to Total Compliance

Becoming “mostly compliant” is achievable by insurance carriers with moderate effort. Unfortunately, it appears that, under the final rules, being mostly compliant could turn out to be quite expensive.

From our experience, achieving “total compliance” requires a whole different level of effort.

And, importantly, getting from mostly compliant to totally compliant takes time. It’s not a 30, 60, 90-day “project” … even if the company hires a vendor to take them step-by-step to where they need to be.

Like all things that an insurance company wants to get exactly right, it takes process, systems, training, and reporting. It almost surely requires changes to a carrier’s claim management system. Depending on the size of the company, it may also take dedicated personnel who do nothing but own Medicare compliance.

In all seriousness, in your experience, how fast do you think your company can make something like that happen?

This is why, in our opinion, the time to act is now, NOT after the final rules are released – after which there will be some delay until the effective date.

I strongly believe that we know enough from the proposed rules to prepare.

There was some good news in the proposed rules. CMS specifically emphasized that they intend to make the rules apply prospectively rather than retrospectively. This means that, even if you know that your Medicare compliance efforts aren’t anywhere close to where they need to be, there is some grace. It appears that any past sins will not be held against you.

Assess Yourself

Here are some questions to consider:

  • Do you know how you are doing with Medicare compliance? Can you quantify what your going-forward exposure would be?
  • Related: Do you track Medicare compliance with management level reports that measure compliance across all relevant KPIs?
  • Do you have processes, systems, and relevant training in place for new and continuing employees?

In the weeks since the March 1st announcement of the imminent release of the final rules, we’ve spoken with several companies that have performed self-assessments of their exposure based on the proposed rules. For some of them, the results were startling – even, in some cases, rising to the level of issues that needed to be presented by the company’s leadership team to its Board of Directors.

That’s the bad news for them. The good news is that, because they did the assessment, they are now acting with earnestness and due haste.

I would suggest that you also do a self-assessment or invite an outside company (like CP Resolutions) to do a friendly third-party assessment.

Join us on May 18th for a free webinar on this topic, where we will dive deeper into the specifics of how to prepare for the final civil monetary penalty rules.

 Receive a free Readiness Checklist after you register for the webinar.

 Register HERE