In the CY 2027 Hospital Outpatient Prospective Payment System (OPPS) Proposed Rule, the Centers for Medicare and Medicaid Services (CMS) made proposals to implement new requirements for provider-based departments (PBDs) established by statutory provisions in Section 6225 of the Consolidated Appropriations Act, 2026 (CAA of 2026). CMS's proposals provide further detail on the form, timing, and verification process it will use to review newly mandatory provider-based attestations (PBAs).
As background, Section 6225 of the CAA of 2026 requires that, starting January 1, 2028, Medicare will no longer make payments under the OPPS for services billed by off-campus outpatient departments unless two conditions are satisfied: (1) the department bills under its own separate National Provider Identifier (NPI), and (2) the main provider has submitted an attestation (within the preceding two years) confirming the department meets the provider-based requirements at 42 C.F.R. § 413.65.
Providers preparing for these new requirements should understand the serious consequences of noncompliance. Failure to satisfy the provider-based rules – or to obtain the NPIs and PBAs mandated by the new regulations implementing Section 6225 – could trigger overpayment refunds to Medicare, civil monetary penalties for "false" provider-based claims, administrative remedies such as a Corporate Integrity Agreement, or treble damages under the federal False Claims Act. Because compliance with these requirements will be a prerequisite for Medicare payments to provider-based departments beginning January 1, 2028, providers should submit comments on the feasibility of these proposals and begin taking steps toward compliance now.
CMS's Proposals to Codify Section 6225 of the CAA of 2026
Initial PBAs
CMS proposes that the new Section 6225 requirements would apply to off-campus PBDs, defined as departments of a provider that are not located on the main campus of the main provider nor within 250 yards of a remote location of a hospital.
To receive Medicare reimbursement for services furnished on and after January 1, 2028, CMS proposes that off-campus PBDs must satisfy the following requirements.
- Apply for and begin billing under a PBD-specific NPI. CMS proposes that, prior to submitting a PBA, main providers must obtain a separate NPI for each off-campus PBD and update the Provider Enrollment, Chain, and Ownership System (PECOS) to reflect the new NPI. Each off-campus PBD must obtain its own NPI before January 1, 2028, and all items and services furnished by that department under the OPPS must be billed under the PBD-specific NPI rather than the NPI of the main provider.
- Submit an initial PBA for each off-campus PBD on behalf of the main provider. CMS proposes to establish a standardized attestation form that would replace current Medicare Administrative Contractor-(MAC) specific templates. A draft is located for comment here. The attestation would include identifying information for the main provider and the PBD (such as name, address, and NPI), along with a list of the requirements at § 413.65(d), (e), (g), and (h) that must be individually affirmed by checkbox, and a certifying statement affirming compliance, signed by an authorized official of the main provider as identified in PECOS.
CMS proposes that main providers would submit the attestation through a centralized electronic system. Until the standardized form and centralized electronic system are finalized, providers may continue to submit attestations in accordance with existing § 413.65(b)(3)(ii) to their servicing MAC.
Upon submission, CMS or its agents will send written acknowledgment of receipt, review the attestation for completeness and consistency, and make a determination as to whether the department is provider-based. Likely in an effort to streamline the process, CMS is proposing to modify the attestation review process so that CMS's contractors, including MACs, conduct standardized review and validation activities in support of initial determination regarding compliance with 413.65, rather than requiring separate CMS review of each attestation recommendation. For providers that submit attestations for more than one off-campus outpatient department, CMS is considering streamlined supporting documentation requirements, and is seeking comments on how to minimize burden.
CMS proposes to employ automated validation, risk-based screening, and targeted documentation review to identify attestations requiring additional review. Providers selected for additional review would generally be given up to 60 days to furnish any requested supporting documentation. If the attestation demonstrates compliance, an approval notice would be issued; if it fails to demonstrate compliance, a denial would be issued with applicable appeal rights.
Off-campus provider-based departments that begin providing services after January 1, 2028, would be required to submit an attestation within two years prior to when the billed services are delivered. In addition, providers who submit initial attestations within the two-year period prior to January 1, 2028, would meet the attestation requirements of Section 6225 even if they have not received a provider-based status determination from CMS by January 1, 2028.
CMS is seeking comments on the initial mandatory attestation process for provider departments that received a determination of provider-based status before January 1, 2026, and remain in compliance with provider-based regulations. CMS is considering allowing an authorized official to attest with a letter to CMS, with evidence of the CMS determination attached, affirming continued compliance with § 413.65.
Subsequent PBAs
CMS has proposed a maximum five-year interval for subsequent attestations but has indicated it anticipates addressing the specific schedule for subsequent attestations in the 2028 rulemaking cycle. CMS has invited comments on the subsequent attestation requirement at this time.
Documentation Requirements and CMS Program Integrity Mechanisms
CMS proposals include specific documentation that will be required to demonstrate compliance with applicable provisions of § 413.65 related to location, licensure, clinical services integration, financial integration, public awareness, hospital outpatient department obligations, and main provider ownership, control, administration, and supervision of off-campus departments. CMS does not anticipate requiring all of this documentation at the time of the initial attestation; instead, CMS contractors will employ risk-based screening and targeted documentation review to identify attestations for which additional documentation is warranted.
Attestations that pass automated validation would be processed for initial determination.
Attestations that present indicators of incompleteness, inconsistency, or elevated compliance risk would be flagged for targeted documentation review, during which CMS or its contractors may request that the provider furnish supporting documentation from any or all of the categories described.
At the extended review stage, CMS and its contractors, including program integrity contractors, would employ risk-based methodologies to select a subset of attestations for more extensive compliance review. Such methodologies may include remote audits of provider records and documentation, site visits conducted by CMS or contractors to verify that the attested department meets the physical, financial, clinical, and administrative integration requirements of § 413.65, or investigations of potential non-compliance identified through data analysis, referral, or other sources.
Takeaways
Providers should be aware that CMS is proposing to use program integrity mechanisms available to CMS (now or in the future) to evaluate compliance with provider-based requirements and identify attestations requiring additional oversight. Failure to submit requested documentation within the timeframe specified by CMS may result in a determination of noncompliance and recovery of payments.
CMS is seeking public comment on its proposed policies and processes to implement Section 6225 of the CAA, 2026. Specifically, CMS is seeking feedback from stakeholders regarding feasibility, operational impact, implementation considerations, potential burden, and any unintended consequences associated with these proposals. Comments must be received by CMS by August 31, 2026.
For more information about the updated requirements for provider-based attestations, further analysis regarding these issues, or legal guidance regarding compliance with provider-based regulations, please contact Allison M. Cohen, Alissa D. Fleming, Katie Salsbury, Samuel Cottle, or any other member of Baker Donelson's Health Law Group.