Key Takeaways:

• CMS wants to add teeth to its Open Payments audit powers, so it’s proposing a new enforcement mechanism.
• If finalized, failing to respond to an audit request for 30 days would trigger CMPs.
• Comments are due June 15, 2026.

The Centers for Medicare & Medicaid Services (CMS) recently included in its Proposed Rule on Interoperability Standards a proposal to bolster its Open Payments audit authority. CMS previously codified its audit authority under 42 C.F.R. § 403.912(e)(2), which states that “HHS, CMS, OIG or their designees may audit, inspect, investigate and evaluate any books, contracts, records, documents, and other evidence of applicable manufacturers and applicable group purchasing organizations that pertain to their compliance with the requirement to timely, accurately or completely submit information in accordance with the rules established under this subpart.”

Though CMS began exercising its audit authority in 2022 by requiring select reporting entities to provide relevant documentation pertaining to their reported records to verify payments had been reported accurately, CMS found that some entities “thwarted” its audit efforts by refusing to participate. To put a number on it: the Proposed Rule notes that in the 2022 to 2023 cycle, roughly one-quarter of sampled entities failed to comply with audit requests. Presently, CMS has “no way to compel an Open Payment program reporting entity to comply with our audit request.”

To address this, CMS is proposing a formal definition of “failure to report” under 42 C.F.R. § 403.902. Specifically, the proposed definition would include a failure to timely, accurately, and completely provide to the Department of Health & Human Services (HHS), CMS, Office of the Inspector General (OIG), or their designees the records subject to CMS’s audit authority. If finalized, failing to provide all requested documents within 30 days of the audit request would constitute a “failure to report” and would trigger civil monetary penalties (CMPs). These penalties would apply on a per-year, per-record basis—think penalties for each withheld document, such as copies of checks, written agreements, ledgers, and the like. Steeper penalties would apply for a “knowing” failure.

The effort comes while a much larger, coordinated effort is simultaneously underway across the Administration to crack down on fraud, waste, and abuse (FWA) in the health care system. We’ve previously covered DOJ’s efforts to stand up a new National Fraud Enforcement Division, as well as a new anti-fraud initiative pairing False Claims Act cases with data mining. 

Comments to the Proposed Rule are due June 15, 2026.  If you have any questions about this article or need assistance with Open Payments or FWA matters, please reach out to our team members or your Reed Smith contact.