Alert

Provider-Based Attestation: A Compliance Requirement Hospitals Can’t Ignore

Marisol Cooke, Director, Health Care Consulting Practice
Brian Restivo, Partner, Health Care

February 25, 2026
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button

Provider-based attestation compliance for off-campus hospital outpatient departments (HOPD) remains a high-risk Medicare issue for hospitals, particularly for off-campus clinics and recently acquired physician practices.

Provider-based status allows hospitals to bill under the Hospital Outpatient Prospective Payment System (OPPS) at more favorable rates designed to cover higher hospital overhead, and allow the ability to utilize the 340B drug program at these locations. The Consolidated Appropriations Act of 2026 formally requires attestation of compliance with complex regulations and significantly penalizes noncompliance.

Hospitals need to start preparing a compliance framework to review their provider-based compliance and to outline how it will meet the new attestation requirements. The underlying regulations that need to be reviewed under 42 CFR § 413.65 are not changing, so hospitals shouldn’t wait until Centers for Medicare & Medicaid Services (CMS) issues new implementation instructions to start their review.

CMS hasn’t required hospitals to submit attestations to confirm compliance with the regulations under 42 CFR § 413.65 for over 20 years. Attestations were voluntary yet beneficial in reducing financial risk of being out of compliance. Other than the voluntary attestation process, hospitals needed to act in good faith that the regulations were being followed.

With the passage of The Consolidated Appropriations Act on February 3, 2026, hospitals must be aware of the new requirements on the attestation process for HOPDs and act accordingly or lose the status.

The Consolidated Appropriations Act of 2026 Key Takeaways

Here’s what you need to know about the Consolidated Appropriations Act of 2026 as it relates to provider-based attestation compliance.

  • For hospitals to maintain provider-based status and the associated benefits, hospitals must submit an initial attestation between January 1, 2026, and December 31, 2027. Any location that fails to submit will have its provider-based status automatically revoked.
  • CMS must still go through the proposed rulemaking and comment process to finalize any new attestation processes that hospitals are to follow—if any; establish a review process including but not limited to on-site visits; and establish a schedule in which hospitals will have to submit an additional attestation.
  • Hospitals can follow the current voluntary attestation process under 42 CFR § 413.65(b)(3) prior to the issuance of a new process.
  • Hospitals are required to obtain a separate NPI for each off-campus provider-based department.
  • Each location will need its own attestation.
  • Losing status means losing the added reimbursement and likely access to 340B pricing related to services in those locations.

What Is Provider-Based Attestation?

Provider-based attestation is the hospital’s formal representation to CMS that a clinic, department, or facility qualifies as a department of the hospital, rather than a freestanding entity. When a location meets provider-based requirements, the hospital may bill Medicare under the OPPS, including a facility fee.

Through the attestation process, hospitals must maintain documentation of the basis for its attestations and make that documentation available to CMS and to CMS contractors upon request. 

The attestation process will extend to all hospitals that operate an off-campus provider-based department located more than 250 yards from the hospital. While not specified, Critical Access Hospitals (CAH) should be ready to follow the same process. While CAH are not reimbursed under OPPS, their ability to bill as part of the hospital and receive cost-based reimbursement is subject to the same regulations under 42 CFR § 413.65.

Compliance Perspective on Provider-Based Attestation

From a compliance perspective, the greatest risk is misalignment between the attestation and actual operations. CMS is expected to focus on ownership and control, clinical and financial integration, public awareness, and Emergency Medical Treatment and Labor Act (EMTALA) compliance when applicable. Changes in staffing models, management agreements, branding, billing, workflows, or cost reporting can quietly undermine provider-based status over time.

Potential noncompliance of all provider-based regulations can lead to overpayment issues and fraud, waste and abuse issues, and the ability to enroll a location into the 340B program.

Common Audit Findings

CMS audits typically relate to one or more of these items.

  • Clinics operating with independent clinical or operational control
  • Expenses and revenues aren’t clearly included in the hospital cost report
  • Public-facing materials that resemble freestanding practices
  • Staff unfamiliar with their status as a hospital department
  • Beneficiary disclosures
  • Off-campus locations not enrolled on the hospital’s 855A
  • Co-location or shared space compliance
  • Improper billing, such as modifier usage and place of service codes

CMS audits often rely heavily on staff interviews and operational validation. When operational reality contradicts the attestation, hospitals may face retroactive repayment of facility fees, reclassification of the site, and corrective action requirements.

Net revenue will be reduced to site-neutrality levels. Reductions can be significant given that HOPD reimbursement can be 1.5–3x higher than standard non-hospital outpatient reimbursement.

Our Recommendation

Hospitals should treat provider-based status as a living compliance obligation, not a one-time designation. Periodic assessments, alignment between operations and billing, and leadership-level risk review are essential to mitigating audit exposure and start now because mitigation efforts can take time.

Provider-based attestation is not about checking a box for reimbursement. It’s about demonstrating, every day, that a location truly functions as part of the hospital.

If CMS audited tomorrow, your operations—not your paperwork—would decide the outcome. That’s the standard hospitals should be prepared to meet.

The provider-based attestation process is time-consuming and complex to navigate. To learn more about provider-based attestation and how it can help your organization in meeting these requirements, contact your firm professional.

Additional Resources

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Article
Site Neutrality and What’s Next for Hospitals
Site-neutral outpatient payment reform could be implemented as soon as 2027. See how hospitals can prepare for this change.
Article
Article
Uncompensated Care Trends in 2026
See how hospitals can manage the proposed 2026 IPPS changes to UCC payments, Medicaid redetermination, and 340B eligibility.
Article
Article
Prepare for TEAM Model Mandatory Payments
Learn about the benefits and requirements of the TEAM Model, as well as how selected hospitals can begin preparing now.
Article
Article
Why the Wage Index Matters to Hospitals
Even small changes in the wage index, a factor that directly influences Medicare reimbursement, can have substantial financial impacts on hospitals.
Article
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Baker Tilly Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.