- The CRUSH RFI is part of a broader, coordinated anti-fraud crackdown. On February 25, 2026, the administration announced a package of major anti-fraud actions, including a $259.5 million deferral of federal Medicaid funding to Minnesota, a nationwide six-month moratorium on new DMEPOS supplier enrollment in Medicare, and a Request for Information (RFI) soliciting stakeholder feedback on potential regulatory and programmatic changes that could be included in a future proposed rule titled “Comprehensive Regulations to Uncover Suspicious Healthcare,” or the “CRUSH Rule.” Together, these actions signal the administration’s intent to significantly expand CMS’s fraud prevention, detection, and enforcement capabilities across all major federal health care programs.
- The RFI spans a broad range of topics with significant implications for providers, suppliers, Medicare Advantage organizations, DME suppliers, laboratories, Medicaid programs, and exchanges. CMS is seeking input on over a dozen subject areas, including enhanced provider enrollment screening, identity proofing and ownership requirements, preclusion list reforms, laboratory test fraud, DMEPOS supplier oversight, claim filing deadlines, AI-assisted coding, beneficiary solicitation protections, surety bonds, Medicaid and CHIP fraud, and Marketplace program integrity.
- The comment window is short. Stakeholders have only 30 days to respond. Comments must be submitted within 30 days of the RFI’s publication in the Federal Register. Given the breadth and potential impact of the topics covered, health care companies should begin evaluating the RFI immediately and consider submitting comments to shape the forthcoming rulemaking. In the comments, commenters may want to consider identifying CMS’s legal limitations (e.g., key constitutional and statutory limits) raised by the topics CMS identified in the RFI, in addition to providing the specific factual information requested by CMS.
Background
On February 25, 2026, at a White House event with HHS Secretary Robert F. Kennedy, Jr. and CMS Administrator Dr. Oz, the administration announced a coordinated package of anti-fraud enforcement actions. The CRUSH RFI was one of three major actions announced simultaneously, alongside a deferral of $259.5 million in federal Medicaid funding to Minnesota and a nationwide six-month moratorium on new Medicare enrollment for certain DMEPOS suppliers.
These actions build on what CMS described as significant progress in combating fraud in 2025, including suspending $5.7 billion in suspected fraudulent Medicare payments, denying 122,658 Medicare claims for unnecessary items and services, revoking 5,586 providers and suppliers from the Medicare program, sending 372 fraud referrals encompassing $3.7 billion in billing to law enforcement, and initiating a CMS-State Tax Fraud partnership with 28 states and the U.S. Virgin Islands.
As part of this broader initiative, CMS published an RFI related to the “Comprehensive Regulations to Uncover Suspicious Healthcare” initiative, which CMS is referring to as the CRUSH Rule. The RFI follows the June 6, 2025, Presidential Memorandum on Eliminating Waste, Fraud, and Abuse in Medicaid and reflects the administration’s broader commitment to aggressive anti-fraud enforcement in Medicare, Medicaid, CHIP, and the Health Insurance Marketplace.
This RFI is not itself a proposed rule; it is a pre-rulemaking solicitation designed to gather stakeholder input that CMS will actively consider as it develops its future CRUSH regulatory proposals as well as potentially other rulemakings, policy guidance and other enforcement activities. CMS expressly notes that the RFI “does not necessarily solicit comments on the full scope of topics that could be included in a potential, future CRUSH Rule,” suggesting the eventual proposed rule and associated anti-fraud policies may be even broader than the topics outlined here.
Summary of Key Topics in the RFI
A. Modifications to Program Integrity Requirements
CMS is seeking feedback on how to strengthen its existing fraud-fighting tools, including provider enrollment screening, payment suspensions, data analytics, pre-payment claims edits, investigations, audits, revocations, and re-enrollment bans. CMS specifically asks whether existing statutory authorities, regulations, memoranda, administrative orders, and subregulatory guidance documents could be modified to increase CMS’s ability to promote payment accuracy and efficiency and to more expeditiously prevent bad actors from engaging in fraud, waste, and abuse.
Notably, CMS also asks whether it should establish regulatory authority to direct Medicare Advantage (MA) organizations and Part D plan sponsors to suspend payments to providers and suppliers under circumstances similar to the payment suspension authority that exists for Traditional Medicare under 42 CFR 405.371. This would represent a significant expansion of CMS’s enforcement reach into Part C and Part D.
B. Enhanced Identity Proofing and Ownership Requirements
CMS has identified significant concerns that Medicare fraud is increasingly perpetrated through international fraud schemes characterized by opacity of ownership structures, often involving owners who reside outside the United States. CMS is seeking feedback on potential provisions that would require enhanced identity proofing of individuals associated with Medicare-enrolled entities and impose U.S. citizenship or legal permanent residency requirements for all individuals with an ownership or control interest of 5 percent or greater. CMS is also considering whether fingerprinting and criminal background check requirements—currently applicable to owners with a 5 percent or greater interest in “high” risk category organizations—should be expanded to managing employees, smaller-percentage owners, and other affiliated individuals.
Healthcare entities with foreign parent companies, international investors, or cross-border business structures should pay close attention to this section, as CMS has specifically asked about the challenges these requirements could create for such organizations.
C. Preclusion List and Medicare Advantage Enrollment Requirements
CMS has identified gaps in the preclusion list that allow providers and suppliers revoked from Traditional Medicare to shift billing operations to MA plans. Under current policy, providers revoked for reasons not considered “detrimental to the best interests of the Medicare program” are not included on the preclusion list, enabling them to continue receiving payment through MA. CMS is seeking feedback on whether all providers and suppliers should be required to enroll in Traditional Medicare (Fee-for-Service) as a condition of billing MA plans—a requirement that could impose significant new operational, administrative, and financial burdens on providers that currently bill only MA plans.
D. Laboratory Test Fraud
CMS is focused on combating fraud related to clinical diagnostic laboratory tests, particularly genetic tests and molecular diagnostic tests. In 2024, Medicare Part B spending on lab tests totaled $8.4 billion, with genetic tests accounting for 43 percent ($3.6 billion) of that spending despite representing only 5 percent of lab tests paid. CMS highlights the work of its Fraud Defense Operations Center (FDOC), a high-tech unit formed in 2025 that has resulted in $1.8 billion in taxpayer savings, including over $100 million related to suspect laboratories. CMS is asking whether laboratories should be required to register in the Molecular Diagnostic Services Program (MolDX Program) and what new statutory or regulatory authorities would help CMS more effectively address lab test fraud.
E. DMEPOS Supplier Fraud in Medicare Advantage
CMS and the OIG have identified that non-participating DMEPOS suppliers are fraudulently billing MA plans for millions of dollars in services not rendered and not needed. CMS is seeking feedback on whether non-participating DMEPOS suppliers should be required to meet accreditation and enrollment standards similar to those in Traditional Medicare and what data-driven approaches could strengthen MA organizations’ ability to detect and prevent fraudulent activity.
F. Shorter Claim Filing Deadlines
CMS is exploring whether to reduce the current one-calendar-year claim filing deadline for high-risk items and services (including DMEPOS) to as short as 90 to 180 calendar days, consistent with private industry norms. CMS is also asking whether this shorter deadline should apply to all items and services, not just high-risk categories. Providers and suppliers should consider the operational impact of significantly compressed filing timelines and whether existing flexibilities under 42 CFR 424.44 would be sufficient.
G. Artificial Intelligence in Coding Oversight and Hospital Billing
CMS is seeking input on the use of artificial intelligence (AI) to assist with accurately and efficiently abstracting diagnoses from medical record documentation as part of medical records review. CMS’s questions focus on available AI solutions, key features for accuracy and error prevention (including “hallucination” mitigation), compliance risks, pricing structures, and potential applications for both overpayment and underpayment identification as well as hospital billing efficiency.
H. Beneficiary Solicitation Protections
CMS is considering expanding the existing prohibition on unsolicited telephone contact by DMEPOS suppliers (codified at 42 CFR 424.57(c)(11)) to other forms of communication, such as email, text message, and social media, and potentially to other provider and supplier types through legislation. CMS also asks whether DMEPOS suppliers should be explicitly prohibited from collaborating with marketing agencies or other third parties to perform solicitation on their behalf.
I. Beneficiary Contact and Fraud Reporting
CMS is exploring whether additional or alternative communication methods could improve beneficiary awareness of potentially suspicious claims and ease of reporting. This includes the possibility of prepayment verification outreach to beneficiaries, raising questions about privacy, burden, and how to distinguish legitimate CMS communications from potential scams.
J. Surety Bonds
CMS is requesting feedback on strengthening the existing $50,000 surety bond requirement for DMEPOS suppliers, including potentially increasing the bond amount, expanding the types of providers and suppliers that must maintain surety bonds, and strengthening surety bond requirements in Medicaid and CHIP.
K. Medicaid and CHIP Fraud
CMS is seeking broad stakeholder feedback on expanding its regulatory authority to prevent, identify, and address fraud in Medicaid and CHIP. CMS highlights several high-risk service areas including housing stabilization services, behavioral health services, personal care assistant (PCA) services, and nonemergency medical transportation. CMS also asks about more frequent provider revalidation (currently required every 5 years for high-risk providers), enhanced use of technologies including AI, and improved coordination among states, the federal government, and law enforcement.
L. State-Specific Medicaid and CHIP Questions
CMS is soliciting feedback on statutory or regulatory changes needed to strengthen states’ fraud-fighting capabilities, including the use of federal databases like Do Not Pay (DNP), best practices from states with successful anti-fraud programs, and strategies for addressing fraud in supplemental payments, state directed payments, waiver programs under section 1915 of the Social Security Act, and demonstration projects under section 1115 of the Social Security Act.
M. Health Insurance Marketplace Integrity
CMS is seeking input on how to strengthen program integrity and fraud prevention in both the Federally Facilitated Exchange (FFE) and State-Based Exchanges (SBEs). Key areas of focus include oversight of agents, brokers, web-brokers, and direct enrollment entities; prevention of unauthorized enrollment changes; income verification accuracy and fraud prevention; enhanced oversight of enhanced direct enrollment (EDE) partners; and detection of improper dual enrollment in Medicaid/CHIP and subsidized Exchange plans. CMS also asks about leveraging AI and advanced technologies for fraud prevention in Exchange programs.
What Healthcare Companies Should Do Now
The CRUSH RFI represents one of the most comprehensive fraud-prevention information-gathering efforts CMS has undertaken. While the RFI is not itself rulemaking, it provides insights into the administration’s regulatory priorities. The breadth of topics covered—from provider enrollment and identity proofing to AI-assisted coding and Marketplace fraud—signals that the eventual CRUSH Rule could affect virtually every segment of the health care industry.
Healthcare companies should take the following steps:
- Carefully review the specific questions CMS has posed in each section of the RFI that is relevant to their operations.
- Evaluate the potential operational, financial, and compliance impacts of the contemplated changes, particularly around identity proofing requirements, MA enrollment mandates, shortened claim filing deadlines, and expanded solicitation prohibitions.
- Consider submitting comments during the 30-day comment period.
- Develop comments by including supporting facts, research, evidence, and citations to referenced materials. Commenters may also want to consider highlighting CMS’s legal limitations (e.g., statutory and constitutional limits) in the areas identified by the agency.
- Take this opportunity to evaluate current compliance practices and update compliance policies and procedures as necessary.
