The Consolidated Appropriations Act of 2026, HR 7148 (the Act), just signed into law on February 3, 2026, ended a brief government shutdown and includes multiple provisions with a critical impact on health care organizations. We have previously covered the Act’s renewal and extension through 2027 of COVID-era Medicare telehealth flexibilities and its revisions to pending rate cuts and reporting deadlines for certain clinical laboratories.

Health care organizations should be aware of another section of the Act that newly imposes mandatory attestation and National Provider Identifier (NPI) requirements on off-campus outpatient departments of Medicare-enrolled hospitals (i.e., HOPD(s)) by January 1, 2028. This new requirement is likely to pose a significant compliance burden and may foreshadow additional scrutiny on off-campus hospital sites of outpatient services.

HOPDs: Attestation and NPI Requirements

Subject to specific regulatory conditions, departments of a Medicare-enrolled hospital provider that are “off campus,” i.e., generally more than 250 yards from the provider’s main campus or a remote location, are allowed to bill as provider-based departments of the hospital. For many years, whether a particular off-campus location met all regulatory requirements for provider-based status was the subject of an honor system for Medicare enrollment purposes, with organizations having the option to submit an attestation of provider-based status to the Centers for Medicare and Medicaid Services (CMS) (through the assigned CMS Medicare Administrative Contractor). These submissions were voluntary and offered the advantage of potentially reducing liability for overpayments if a location was determined not to meet the applicable requirements, but not all hospitals elected to submit them for their HOPDs.

Now, § 6225 of the Act removes the previous optionality by imposing two additional requirements for off-campus outpatient departments of a hospital to continue receiving payment from Medicare for services furnished as provider-based on or after January 1, 2028:

  1. Attestation. Under the Act, each off-campus HOPD location must now submit an attestation of compliance with the provider-based regulatory requirements. The provider (i.e., main hospital) of an off-campus department must submit an initial attestation for existing departments before January 1, 2028. Providers must also submit subsequent attestations according to a timeframe and process to be determined by the Secretary of the Department of Health and Human Services (DHHS) through future regulations. Initial attestations will also be subject to the DHHS’ future process, but the statute permits providers to use the current attestation process for the initial attestation until the new process has been established. The uncertain regulatory process and timing for new attestation requirements in advance of the January 1, 2028, deadline creates additional uncertainty for hospitals nationwide.
  2. NPI. Starting January 1, 2028, each off-campus provider-based department must obtain and bill under its own NPI number rather than continue to bill under its provider’s NPI number.

Assessing and Strengthening Departmental and Provider Regulatory Compliance

Providers should assess whether their current off-campus department locations independently meet all applicable CMS regulatory requirements. Of note, certain Medicare Administrative Contractors offer checklists that can be used to compare against current provider-based status requirements, but organizations would also be well-advised to anticipate additional guidance from CMS.

Preparing for Enhanced Government Scrutiny

The Act directs DHHS to engage in rulemaking to determine the methods to review and determine compliance with the NPI and attestation requirements. Although site visits and remote audits are cited as potential methods for verifying compliance, the Act gives DHHS discretion to use other means “as determined appropriate.” This directive, in combination with the upcoming NPI requirement, may indicate a broader trend toward increased scrutiny of providers and more dynamic enforcement in the future. Providers should proactively prepare for potential investigations and ensure their attestations continue to be comprehensive and defensible, minimizing the risk of enforcement actions as the standards continue to evolve.

Photo of Conor Duffy Conor Duffy

Conor Duffy is co-chair of Robinson+Cole’s Health Law Group and a member of the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters…

Conor Duffy is co-chair of Robinson+Cole’s Health Law Group and a member of the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.

Read more about Conor Duffy
Show more Show less
Photo of Josh Yoo Josh Yoo

Chanho (Josh) Yoo focuses his practice on counseling health systems, hospitals, physician groups, community providers, and other health care entities on corporate, transactional, and regulatory health law matters. Read his full rc.com bio here.

Read more about Josh Yoo