
Medicare Compliance for Medical Practices: CMS Requirements

By GuardWell Compliance Team·January 18, 2026·9 min read

Participation in Medicare comes with a substantial set of compliance obligations that extend well beyond submitting accurate claims. The Centers for Medicare & Medicaid Services (CMS), together with the HHS Office of Inspector General (OIG) and the Department of Justice, actively enforce these requirements through audits, investigations, and enforcement actions. For medical practices, understanding and meeting these obligations is not optional: failure to comply can result in exclusion from Medicare, civil monetary penalties, recoupment of payments, and even criminal prosecution in cases of fraud. This guide covers the key Medicare compliance requirements that every participating practice must address.

PECOS Enrollment and Maintenance

The Provider Enrollment, Chain, and Ownership System (PECOS) is the gateway to Medicare participation. Every provider and practice must maintain current, accurate enrollment information. Under 42 CFR 424.516, changes of ownership, changes in practice location, and adverse legal actions must be reported within 30 days; all other changes to the enrollment record (including changes in managing control and changes to the authorized and delegated officials) must be reported within 90 days. Failure to update enrollment information on time can result in deactivation of your Medicare billing privileges. Enrollment revalidation is required every five years (every three years for DMEPOS suppliers), and CMS may request off-cycle revalidation at any time. Practice managers should track revalidation due dates proactively and ensure that all provider credentials (licenses, DEA registrations, board certifications) referenced in the enrollment are current. A deactivated enrollment means no Medicare payments for dates of service during the deactivation period, a situation that can create immediate financial distress for any practice.

Billing Compliance Fundamentals

Accurate billing is the foundation of Medicare compliance. Practices must ensure that every claim submitted to Medicare accurately reflects the services provided, is supported by adequate documentation, is coded to the correct level of service, and meets medical necessity criteria. Common billing compliance risks for physician practices include upcoding (billing for a higher level of service than documented), unbundling (separately billing components of a procedure that should be billed as a single code), billing for services not rendered, inadequate documentation to support the billed level of service, and modifier misuse. CMS and its contractors use data analytics to identify billing patterns that deviate from peer norms, and practices with outlier billing patterns are prioritized for audits. Implementing internal billing audits — reviewing a sample of claims monthly or quarterly to verify coding accuracy — is one of the most effective compliance measures a practice can take.

Stark Law (Physician Self-Referral)

The Stark Law (42 U.S.C. 1395nn) prohibits a physician from referring Medicare patients for designated health services (DHS) to an entity with which the physician or an immediate family member has a financial relationship, unless a specific exception applies, and prohibits the entity from billing Medicare for DHS furnished under a prohibited referral. Designated health services include clinical laboratory services, physical therapy, radiology and certain other imaging services, DME and supplies, home health services, outpatient prescription drugs, and inpatient and outpatient hospital services, among others. The law is a strict liability statute: there is no intent requirement. If a referral violates Stark and no exception applies, the resulting DHS claims are not payable and are routinely pursued as false claims, regardless of whether the referral was clinically appropriate. Common Stark issues in medical practices include compensation arrangements with referring physicians that do not meet fair market value requirements, office lease arrangements that provide below-market rent to referral sources, and physician ownership interests in entities to which they refer. Every financial relationship between your practice and any referring physician must be evaluated against the applicable Stark exceptions and documented accordingly.

Anti-Kickback Statute

The Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)) makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive anything of value to induce or reward referrals of items or services reimbursable by federal healthcare programs. Unlike Stark, the AKS requires intent, but courts and the OIG apply the "one purpose" test: if one purpose of the arrangement is to induce referrals, it can violate the AKS even if the arrangement also has legitimate purposes. Safe harbors protect certain common arrangements (such as bona fide employment relationships, personal services contracts at fair market value, and certain investment interests), but each safe harbor has specific requirements that must all be met; an arrangement that satisfies most of them receives no protection. Practices should scrutinize any arrangement that involves payment to or from a referral source, including marketing arrangements, medical directorships, consulting agreements, and even gifts, meals, and entertainment provided to referral sources.

Emergency Preparedness

CMS's Emergency Preparedness Rule (codified for hospitals at 42 CFR 482.15, with parallel provisions for the other covered provider and supplier types) requires certain Medicare-participating providers to develop and maintain comprehensive emergency preparedness programs. The rule applies to hospitals, long-term care facilities, ASCs, RHCs/FQHCs, and other facility-based provider types; physician practices are not among the covered types. Even so, physician practices that participate in Medicare should have emergency preparedness plans that address how patient care will continue during emergencies, communication plans for contacting staff, patients, and authorities, policies and procedures for managing medical records and medications during emergencies, and training and testing of the emergency plan at least annually. Where the rule does not directly mandate a practice-level plan, having documented emergency preparedness procedures is still a best practice that protects patients and demonstrates operational maturity during surveys or audits.

Responding to Medicare Audits

Medicare audits can come from multiple entities: Medicare Administrative Contractors (MACs), Recovery Audit Contractors (RACs), Unified Program Integrity Contractors (UPICs, which replaced the former ZPICs), the Supplemental Medical Review Contractor (SMRC), the OIG, and CMS directly. Each has different authority and scope. When you receive an audit request, respond within the timeframe specified; failure to respond can result in an overpayment determination for the full amount of the claims under review. Gather the requested medical records, ensure they are complete and legible, and review them for consistency with the billed codes before submission. If an adverse determination is issued, you have appeal rights through a multi-level process (redetermination by the MAC, reconsideration by a Qualified Independent Contractor, ALJ hearing, Medicare Appeals Council, and federal district court). A meaningful share of appealed determinations are overturned at some level of appeal, so it is worth exercising your appeal rights when you believe the determination is incorrect.

How GuardWell Compliance Helps

GuardWell's CMS compliance module gives medical practices a centralized system for managing Medicare compliance obligations. The platform tracks PECOS enrollment status and revalidation deadlines, provides billing compliance checklists and audit workflows, includes Stark Law and Anti-Kickback Statute self-assessment tools, monitors emergency preparedness plan requirements, and integrates CMS compliance into your practice's overall compliance score. For practices that participate in Medicare, GuardWell ensures that CMS-specific obligations are tracked alongside HIPAA, OSHA, and OIG requirements in a single platform, reducing the risk that any requirement falls through the cracks.

Tags: Medicare compliance, CMS requirements, PECOS enrollment, Stark Law, Anti-Kickback Statute, billing compliance, Medicare audit

Ready to simplify compliance?

GuardWell brings HIPAA, OSHA, OIG, and 7 more compliance modules into one affordable platform built for medical practices.


Join practices using GuardWell Compliance to stay ahead of HIPAA audits, OCR enforcement, and state regulatory inspections — $199/month with annual billing. Try free for 7 days.

No setup fees · No contracts · Cancel anytime
