United States: Legal Compliance For ACOs Under The Medicare Shared Savings Program

Last Updated: November 18 2015
Article by John D. Shire

Previously published by Arlington Healthcare Group

If you are a hospital or health system that owns and operates an accountable care organization (ACO) participating in the Medicare Shared Savings Program (MSSP), or if you are seeking to participate in the MSSP in the future, then you must be in compliance with a host of state and federal laws and regulations that govern your ACO's legal existence, governance, and operations. Pursuant to the MSSP, healthcare providers and suppliers that participate in ACO arrangements receive Medicare fee-for-service payments under Parts A and B; however, the ACOs that meet specified quality and savings requirements may be eligible to receive a shared savings payment.

Recent developments in rulemaking under the MSSP necessitate that you now understand the legal structural compliance requirements contained in the final MSSP implementation regulations (Final Rule), which will determine several outcomes for your ACO, including: (i) legal entity selection; (ii) governance composition, operations and duties; and (iii) legal contents of contractual agreements between your ACO and its contract parties. These regulations were promulgated by CMS, pursuant to the Final Rule, on June 4, 2015 (and published in the Federal Register on June 9, 2015). 80 Fed. Reg. 32692 (June 9, 2015).1

At the state level, your ACO can only exist pursuant to the legal authority pronounced under your state's law. Specifically, state law will dictate ACO corporate form to ensure compliance with several legal hurdles, including: (i) the corporate practice of medicine doctrine; (ii) licensing and/or certification requirements; (iii) fraud and abuse requirements; (iv) provider referral restrictions; (v) antitrust requirements; (vi) privacy and security law; and (vii) state "Blue Sky" laws.

At the federal level, your ACO must be in compliance with fraud and abuse laws and regulations, including the federal anti-kickback statute, 42 U.S.C. § 1320a-7b(b), the federal physician self-referral prohibition, 42 U.S.C. § 1395nn, and civil monetary penalties law provisions, 42 U.S.C. § 1320a-7a; however, the ACA provided authority to the U.S. Department of Health and Human Services (DHHS) to establish waivers from compliance with the federal fraud and abuse laws as necessary to carry out the mission of the MSSP. In the Fourth Quarter of 2011, the Centers for Medicare & Medicaid Services (CMS) and the DHHS, Office of the Inspector General (OIG) released a joint interim Final Rule, 76 Fed. Reg. 67992 (October 20, 2011) with Comment Period governing the MSSP waiver program; however, these waivers only apply to the federal fraud and abuse laws and do not address existing state laws.

Your ACO must also comply with the federal Health Insurance Portability and Accountability Act of 1996, as amended, and implementing regulations ("HIPAA"). In most instances, the ACO will be a business associate under HIPAA and must enter HIPAA-compliant business associate agreements with participating health care providers. Thus, the ACO must comply with the terms of its Data Use Agreement with CMS, as well as the terms of any business associate agreement it enters with individual providers participating in the ACO.

A detailed discussion of the state laws applicable to ACOs, and the impact of these laws on legal structure, governance and operations will follow in our subsequent ACO Compliance Series for Hospitals and Health Systems. We will also explore the federal law issues applicable to ACOs, including an in-depth look at the fraud and abuse waiver program (and state responses to the waiver program), and a discussion of the tax-exemption compliance issues presented by ACO relationships.

In this issue of ACO Compliance Series for Hospitals and Health Systems, we describe the key legal structural compliance requirements contained in the MSSP Final Rule that will determine the following four outcomes for your ACO.

1. Which of your legal entities serves as the operating ACO?

In general, your ACO must be a legal entity, formed under state, federal or tribal law, which is authorized to conduct business in each state in which it operates for the following four purposes: (i) receiving and distributing shared savings; (ii) repaying shares losses or other monies determined to be owned to CMS; (iii) establishing, reporting and ensuring provider compliance with healthcare quality criteria, including quality performance standards; and (iv) fulfilling all ACO functions required by 42 C.F.R § 425.100 et seq. 42 C.F.R. §425.104(a).

Pursuant to the Final Rule, if your ACO includes two (or more) independent ACO participants, then your ACO must be a separately-formed legal entity that is independent from any of the ACO participants. Id. at §425(b). What this means for you is that if your ACO is comprised of multiple ACO participants (and each belongs to the same health system), then the ACO legal entity must be a separately formed entity that is distinct from any one of the multiple providers or suppliers who participate in the ACO. 80 Fed. Reg. 32692, 32716 (June 9, 2015).

Conversely, the Final Rule adds new text to provide that an ACO formed by a single ACO participant may use its existing legal entity (and governing body) for operations; provided, however, that it satisfies all of the general criteria described above and the governance criteria discussed below in (Question 2). 42 C.F.R. §425.104(c).

Existing legal entities (i.e. those entities not specifically formed to participate in the MSSP program as an ACO), such as independent practice associations (IPAs) or physician-hospital organizations (PHOs)) that are typically engaged in activities unrelated to MSSP may only participate in the MSSP as ACOs if all of the entities' members participate in all line of business performed by such entities. As discussed below, the Final Rule amends previous regulations to impose fiduciary duties (i.e. the duty of loyalty) on the members of the governing body of the ACO. Id. § 425.106(b)(3).

2. What requirements control the composition, operations and duties of your ACO's governing body?

a. Composition.

There are five rules controlling the composition of your ACO's governing body. First, your ACO must provide for meaningful participation in the composition (and control) of your ACO's governing body for ACO participants or their designated representatives. 42 C.F.R. §425.106(c). This provision reflects CMS' preference that an ACO be operated by Medicare-enrolled entities that directly provide healthcare services to beneficiaries, but accommodates smaller groups of providers that lack the resources necessary to form an ACO and administer the program requirements on their own. 80 Fed. Reg. 32692, 32718 (June 9, 2015).

Second, your ACO governing body must include one or more Medicare beneficiary representatives who are served by your ACO. Neither the beneficiary representative(s) (nor an immediate family member of the representative(s)) can have a conflict of interest with your ACO. Third, at least 75 percent of the voting control of your ACO's governing body must be held by ACO participants. Fourth, such governing body members may serve in a similar manner for a participant of your ACO.

Finally, if the composition of your ACO's governing body does not comply with the beneficiary rule and the 75 percent test, then you must describe why your composition deviates from the rule and how your ACO will achieve meaningful representation and participation by ACO participants and Medicare beneficiaries. 42 C.F.R. §425.106(c).

b. Operations and Duties.

The governing body of your ACO has the responsibility for oversight and the strategic direction of your ACO's operations, and must hold management accountable for its activities. 42 C.F.R. §425.106(b). Specifically, the governing process must be transparent. The members of the governing body must have a fiduciary duty to your ACO and act in accordance with that fiduciary duty. Id. § 425.106(b)(1)-(3).

To further these objectives, CMS included in the Final Rule conflict of interest safeguards that apply to your ACO's governing body. Specifically, your ACO must establish and implement a conflict of interest policy that requires each member of the governing body to disclose all relevant financial interests and defines a procedure to determine whether a conflict of interest exists and resolving such conflicts to the extent that they exist. Id. § 425.106(d). Finally, the conflict of interest policy must define remedial actions for governing body members that fail to comply with the policy. Id.

3. What substantive provisions must be included in the contractual agreements between your ACO and the providers and/or suppliers who participate with your ACO?

Contractual arrangements between your ACO (on the one hand) and ACO participants and ACO providers and suppliers (on the other hand) are now governed by new provisions to the Final Rule under 42 C.F.R. § 425.116; however, the provisions governing agreements applicable to ACO participants and those applicable to ACO providers/suppliers are materially identical with few exceptions. Id. § 425.116(a) and (b).

There are nine requirements applicable your ACO's agreements with ACO participants.

  1. The parties to the agreements must include only your ACO and the ACO participant. Id. § 425.116(a)(1). This requirement reflects CMS' position that independent practice association and physician-hospital organization contracts are not appropriate or required for purposes of participation in the MSSP.
  2. The signatories to the agreements must be only individuals who are authorized to bind the ACO and the ACO participant. Id. § 425.116(a)(2).
  3. The agreements must state that the ACO participant agrees to participate in the MSSP and to comply with the requirements of the MSSP as well as all of the laws and regulations applicable to the program. Id. § 425.116(a)(3). Similarly, the ACO participant must agree to ensure that each ACO provider/supplier billing through the TIN of the ACO participant agrees to the same participation and compliance obligations as the ACO participant itself. Id.
  4. The agreements must define the ACO participant's rights and obligations in, and representation by, the ACO. Id. § 425.116(a)(4). These requirements include: (i) quality reporting requirements; (ii) beneficiary notification requirements; and (iii) a description of how participation in the MSSP affects the ability of the ACO participant and its ACO providers/suppliers to participate in other Medicare demonstration projects or programs that include shared savings mechanisms. Id.
  5. Your ACO agreements must identify how the opportunity to obtain shared savings will encourage the ACO participant to adhere to the quality assurance and improvement program and evidence-based medicine guidelines established by the ACO. Id. § 425.116(a)(5).
  6. Your ACO agreements must require the ACO participant to update its enrollment data, including the addition and deletion of ACO professionals and ACO providers/suppliers billing through the TIN of the ACO participant, on a timely basis in accordance with the Medicare program requirements and to notify the ACO of any such changes within 30 days after the change. Id. § 425.116(a)(6).
  7. Your ACO agreements must allow the ACO to take corrective action against the ACO participant, including a corrective action plan, denial of incentive payments, and termination of the ACO participant agreement, to address noncompliance with the MSSP and other program integrity issues. Id. § 425.116(a)(7). Similarly, the agreement must ensure that the ACO participant implements similar measures with its ACO providers/suppliers. Id.
  8. The term of your ACO agreements be for at least one year, and identify the consequences for early termination. Id. § 425.116(a)(8).
  9. Your ACO agreement must include completion of a close-out process upon the termination or expiration of the agreement that requires the ACO participant to provide all data necessary to complete the annual assessment of your ACO's quality of care and other relevant matters. Id. § 425.116(a)(9).

The provisions applicable to direct agreements between your ACO and ACO providers/suppliers include all of the provisions (1) – (7) above, which are applicable to contracts between your ACO and ACO participants. Id. § 425.116(b)(1) – (7).

Given the time required for (and complexity of) implementation of these provisions, CMS has given your ACO until January 1, 2017 to satisfy these contractual compliance requirements. Your ACO must submit executed ACO participant agreements for each ACO participant at the time of its initial application, renewal process, and when adding to its list of ACO participants. Id. § 425.116(c).

Click here to view original article


1 The Final Rule codifies existing CMS guidance and is designed to reduce administrative burden and improve MSSP function and transparency in the following categories: (i) data-sharing requirements; (ii) relationships between ACOs and the providers and suppliers that participate in the ACO arrangement; (iii) clarifications and updates to application requirements; (iv) eligibility requirements governing the number of beneficiaries in the ACO, obligatory processes for coordinating care, legal structure and governance; (v) assignment methodology; (vi) financial performance metrics; and (viii) issues governing program integrity and transparency. 80 Fed. Reg. 32692, 32694 (June 9, 2015). In order to achieve these objectives, CMS, in the Final Rule, adopted the following changes to the MSSP program: (i) – (vii).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.