CMS Compliance in 2023: What You Need to Know


Regulations and CMS compliance requirements can change over time, so it’s essential to consult the most recent and authoritative sources for the latest information in 2023.

Here are some general points to consider regarding CMS compliance:

Quality Reporting and Measurement:

Not-for-profit entities and health plans must maintain and report on quality metrics to ensure the accuracy of information reported to CMS and the marketplace.
The programs include several quality reporting programs, including Star Ratings, Value-Based Purchasing, Hospital-Acquired Condition (HAC) reduction goals, Value-Based Payment Modifier (VBP), and the Hospital Readmissions Reduction Program.

Competitive Bidding:

Competitive bidding is required for Medicare and Medicaid Advantage plans, Part D prescription drug plans, the Pharmacy Choice Program for non-Medicare authorized health plan enrollees, third-party administrators, or other vendors providing services to these plan/beneficiary organizations. It also includes a list of required contract provisions when submitting a proposal for competitive bidding.

Health Insurance Exchanges:

CMS has set up health insurance exchanges nationwide to allow citizens to purchase health insurance. These marketplaces operate independently, so check that your information about them is current and accurate.

Anti-kickback Statute:

The Anti-kickback Statute increases the risk of fines and penalties against organizations and individuals who engage in prohibited activities with Medicaid-related payments or reimbursable services. The ACA increased potential penalties for violations.

Electronic Health Records (EHRs):

CMS has begun to enforce a new regulation regarding e-prescribing. It has issued a final rule that provides new requirements for electronic prescribing, including deadlines for adoption and compliance and the penalties for noncompliance.

The final rule also sets new minimum standards for electronic prescribing software (which includes any software that assists physicians and other healthcare professionals in writing prescriptions) and the documentation that must be created when drugs are being electronically transmitted to the pharmacy (including the EHR). It is another emerging area likely to become a significant focus within the next few years.

It aims to transition all healthcare providers to electronic health records by 2023. To qualify for incentive payments from Medicare, providers must report on the use of modern patient-centered tools such as electronic health records.

Providers’ need to maintain information about their patients in electronic health records has become the most significant and prevalent CMS compliance requirement. Providers who fail to comply can face substantial fines and the risk of losing Medicaid certification for their facility.

Security Standards:

With the recent cyber attacks and breaches, security has moved to the top of the CMS compliance priority list. Requirements to secure EHRs, patient data, and other sensitive information have increased significantly over the last several years. Business phone features like call recordings will save the data, which can be retrieved anytime.

Sharing Payment Data:

The requirement for providers to share payment data with third parties is another area where CMS compliance is rising rapidly among healthcare providers.

EHR Interoperability:

The requirements for providers to share patient data and other patient-related information among various healthcare providers and devices have been a growing compliance concern for years, as CMS has directed providers to make patient data available through a web portal. This could significantly increase the risk of pressure by third-party vendors to share data with business partners or competitors.

HIPAA Privacy Controls:

With so much personal information being electronically stored, HIPAA privacy controls are a significant priority for providers to protect all patient data.

Providers are also required to comply with many other regulations and guidelines.

Medicare Solvency:

Insurance companies that have submitted their bids under this program will be subject to a solvency test for 10 years. The test examines actuarial methods used in setting premiums, including using models and techniques like Standard of Medical Care (SMC) and Social Security age as demographic factors. Insurers may apply for an extension but may only request up to three extensions up to 2028 within the first round of testing.

Contingent Staffing:

It is important to note that contingent staffing arrangements between healthcare institutions and staffing agencies (such as temporary staffing companies) are “business associates” of each other under HIPAA rules. As such, they must agree on a Business Associate Agreement that includes provisions for protecting healthcare data before they can work together on a project.

Billing and Coding Accuracy:

CMS relies on accurate billing and coding data from healthcare providers. Providers must adhere to correct billing, coding documentation, and classification protocols or risk sacrificing payment.

Documentation of Patient Care:

CMS requires formal patient care documentation for certain treatment activities, including immunizations, screening mammography, contraception counseling, HIV counseling and testing, tobacco cessation counseling, and behavioral counseling for patients with chronic conditions. Providers not complying with these requirements may be fined or penalized.

Providers Recertification:

To continue receiving federal reimbursement for providing services within a program, providers may need to undergo recertification.

Quality Improvement:

CMS may require a Healthcare Improvement Organization (HIO) to manage quality improvement activities at a healthcare facility. The role of an HIO is to help providers identify and implement process improvement strategies that can lead to improvements in care and cost savings for all stakeholders. In those cases, the HIO will play a significant role in ensuring the healthcare provider or organization meets quality improvement requirements.

Provider Collaboration:

The programs require collaboration between providers on specific projects. For example, a hospital may need to collaborate with other community providers as part of their Hospital ACO (Accountable Care Organization) participation requirement under the Medicare Shared Savings Program (MSSP). Unified communications as a service, like video conferencing, is used for a better experience.

Provider Network Development:

Programs are based on provider networks. Auditors may expect to see networks for a new or existing program that are in place before the provider recertifies for that program.


Some providers must adhere to a cohort validation process to recertify for specific quality improvement programs, including value-based contracting or accountable care models.

Data Integrity and Security:

Data integrity and security are critical requirements that providers must comply with when participating in specific Medicaid programs, including the:

  • Hospital Readmissions Reduction Program
  • Prevention Quality Demonstration Program
  • Value-Based Purchasing Programs
  • Star Ratings Programs

Provider Data Submission:

It is essential to know that there are different types of provider data highlighters for each of the Medicare programs, including the following:

(a) Provider Number identifies providers who sign up for the Medicare Shared Savings Program (MSSP). Each provider signing onto the MSSP must have a Provider ID number and submit data using the appropriate Authorized Healthcare Organization Data Highlighter.
(b) Providers must use the data highlighter to submit their electronic claims following applicable regulations. All electronic claims should be scanned and submitted using a compliant data highlighter or system.
(c) Providers must submit paper claims using the CMS-approved highlighter of their choice. However, CMS does not accept hard copy claims for payment.
(d) Submit Electronic Medicare Claims (EMC 1) only through an authorized data highlighter.
(e) Provider organizations involved in a collaborative management method with CMS must submit data using the organization’s valid data highlighter.


Hospitals with the best small business phone services and Urgent Care Centers are considered Medicare-participating healthcare providers (MPHCPs) for all purposes, including programs such as the Hospital Readmissions Reduction Program. As such, these organizations must meet all program requirements, including placing documentation in the CMS-approved highlighter when submitting claims.

Published: October 5th, 2023