On February 27, 2026, the Centers for Medicare & Medicaid Services (CMS) published a significant Request for Information (RFI) in the Federal Register titled "Request for Information (RFI) Related to Comprehensive Regulations to Uncover Suspicious Healthcare Transactions" (Federal Register Document No. 2026-03968). This RFI signals a potentially sweeping overhaul of how CMS approaches healthcare fraud detection and enforcement — and every provider, supplier, and healthcare organization billing Medicare or Medicaid needs to pay close attention.
At Certify Consulting, we've guided 200+ clients through regulatory transitions just like this one. In this article, I'll break down what the CRUSH initiative is, what CMS is asking, what may change, and — most importantly — what your organization should be doing right now.
What Is the CMS CRUSH Initiative?
The acronym CRUSH stands for Comprehensive Regulations to Uncover Suspicious Healthcare transactions. According to the February 27, 2026 Federal Register notice, this RFI solicits stakeholder feedback on potential regulatory changes that may be incorporated into a forthcoming CRUSH proposed rule, as well as other programmatic changes that could help CMS become more effective in identifying and stopping fraud against the Medicare and Medicaid programs.
The stated dual mission is clear: protect taxpayer dollars and protect the Americans CMS serves.
This is not a proposed rule yet — it is a Request for Information, which is a formal mechanism CMS uses to gather public input before drafting regulatory language. However, RFIs of this nature are strong leading indicators of regulatory action. Organizations that engage now, during the comment period, have the best opportunity to shape the final rule.
Citation hook: The CMS CRUSH RFI, published February 27, 2026 (Federal Register Doc. 2026-03968), represents CMS's formal solicitation of stakeholder input on a forthcoming proposed rule targeting suspicious healthcare transactions across Medicare and Medicaid programs.
Why This RFI Matters: The Scale of Healthcare Fraud
To understand why CMS is undertaking this initiative, consider the stakes involved:
- Medicare and Medicaid fraud, waste, and abuse (FWA) cost U.S. taxpayers an estimated $100 billion annually, according to the Department of Health and Human Services Office of Inspector General (OIG).
- The HHS OIG reported that in FY 2023, its investigative work resulted in over $4.4 billion in expected recoveries from settlements, judgments, and other actions.
- CMS's Improper Payment Rate for Medicare Fee-for-Service was estimated at 7.66% in 2023, representing approximately $31.2 billion in improper payments.
- The False Claims Act, the primary federal statute used to combat healthcare fraud, generated over $2.9 billion in settlements and judgments in FY 2023 alone.
These numbers illustrate why the federal government is investing significant resources in strengthening its fraud detection and enforcement infrastructure. The CRUSH initiative is the latest — and potentially most comprehensive — step in that effort.
Citation hook: CMS's improper payment rate for Medicare Fee-for-Service reached 7.66% in 2023, representing approximately $31.2 billion in improper payments, underscoring the scale of the problem the CRUSH regulatory initiative is designed to address.
What the CRUSH RFI Is Asking: Key Areas of Inquiry
While CMS has not yet released a proposed rule, the RFI identifies several broad areas where the agency is seeking input. Based on the Federal Register notice and the programmatic direction CMS has signaled, stakeholders should expect questions touching on the following areas:
1. Enhanced Provider Enrollment Scrutiny
CMS is likely examining whether current enrollment standards adequately screen out fraudulent providers before they enter the Medicare/Medicaid billing ecosystem. This could include heightened background checks, expanded use of temporary enrollment moratoria, and more rigorous site visit requirements.
2. Claims Monitoring and Automated Anomaly Detection
The RFI signals interest in leveraging AI and advanced analytics to identify suspicious billing patterns in real time — moving from retrospective audits to prospective detection.
3. Overpayment Identification and Recoupment
Expect questions around tightening the 60-day overpayment self-disclosure rule and potentially expanding the lookback period for certain fraud categories.
4. Transparency and Data Sharing
CMS may be considering expanded data-sharing arrangements between CMS, OIG, DOJ, and state Medicaid Fraud Control Units (MFCUs) to create a more unified enforcement posture.
5. Compliance Program Requirements
Perhaps most significantly for providers, the CRUSH initiative may formalize or expand mandatory compliance program requirements — moving them from voluntary guidelines to regulatory mandates with defined minimum elements.
CRUSH vs. Existing Fraud Prevention Frameworks: How It Compares
| Framework | Scope | Legal Authority | Enforcement Mechanism | Mandatory? |
|---|---|---|---|---|
| False Claims Act (FCA) | Federal programs broadly | 31 U.S.C. § 3729–3733 | Civil & criminal penalties, qui tam suits | N/A (liability-based) |
| Anti-Kickback Statute (AKS) | Medicare/Medicaid referrals | 42 U.S.C. § 1320a-7b(b) | Criminal prosecution, exclusion | Yes (prohibition) |
| Stark Law (PSRR) | Physician self-referral | 42 U.S.C. § 1395nn | Denial of claims, civil money penalties | Yes (prohibition) |
| CMS Program Integrity (PI) Contractors | Claims review | 42 C.F.R. Part 405 | Recoupment, prepayment review | Yes (ongoing) |
| OIG Compliance Guidance | Compliance programs | Advisory (non-binding) | No direct enforcement | Voluntary |
| CRUSH (Proposed Rule — Anticipated) | Suspicious transactions broadly | To be determined | Likely: enrollment denial, enhanced audit triggers | Likely mandatory elements |
The CRUSH initiative is notable because it appears designed to bridge the gap between existing detection mechanisms and proactive, data-driven prevention — potentially with mandatory compliance program elements that currently exist only as voluntary guidance.
Key Dates and Deadlines
This is where urgency matters most. Based on the February 27, 2026 Federal Register publication:
- RFI Publication Date: February 27, 2026
- Comment Period: Typically 60 days from publication for CMS RFIs. Watch for the official comment deadline on the Federal Register notice — this is likely on or around April 28, 2026. Confirm the exact deadline at regulations.gov using Docket ID associated with document 2026-03968.
- Anticipated CRUSH Proposed Rule: No official timeline published, but based on the RFI-to-proposed rule pipeline, a Notice of Proposed Rulemaking (NPRM) could appear as early as Q4 2026 or Q1 2027.
- Final Rule Effective Date: Unknown — but organizations should begin gap assessments now to avoid being caught unprepared.
Citation hook: Healthcare organizations have a narrow window to submit comments on the CMS CRUSH RFI (Federal Register Doc. 2026-03968, published February 27, 2026) before the comment period closes — likely around April 28, 2026 — making immediate internal review of fraud prevention programs a compliance priority.
Action item: Register at regulations.gov and set up notifications for the CRUSH docket to receive automatic updates when the proposed rule is published.
Who Is Affected by the CRUSH Initiative?
The scope of "suspicious healthcare transactions" is deliberately broad. Organizations that should treat this RFI as a direct compliance signal include:
- Hospitals and Health Systems — particularly those with high-volume Medicare/Medicaid billing
- Physician Practices and Group Practices — especially in historically high-risk specialties (home health, DME, behavioral health, oncology)
- Durable Medical Equipment (DME) Suppliers
- Home Health Agencies
- Skilled Nursing Facilities (SNFs)
- Behavioral Health Providers
- Managed Care Organizations (MCOs) and Medicare Advantage plans
- Third-Party Billing Companies — who may face new accountability standards
- Telehealth Providers — given the post-pandemic explosion in telehealth fraud cases
If your organization bills Medicare or Medicaid for any service or product, you are within the scope of what the CRUSH initiative is designed to address.
Practical Compliance Guidance: What To Do Right Now
With over 8 years of FDA and healthcare regulatory consulting experience and a 100% first-time audit pass rate across 200+ client engagements, I've seen what separates organizations that navigate regulatory transitions successfully from those that scramble after a final rule drops. Here's what proactive organizations should be doing today:
Step 1: Conduct a Fraud Risk Assessment
Before you can respond to new requirements, you need to know where your current vulnerabilities lie. Map your billing patterns, referral relationships, and documentation practices against the OIG's existing fraud indicators for your specific provider type.
Step 2: Review and Strengthen Your Compliance Program
If your compliance program still operates on voluntary OIG guidance from the early 2000s, it is almost certainly underbuilt. Ensure your program includes the 7 elements of an effective compliance program as defined by OIG: 1. Written policies and procedures 2. Compliance officer and compliance committee 3. Effective training and education 4. Effective lines of communication 5. Internal monitoring and auditing 6. Enforcement of standards and disciplinary guidelines 7. Prompt response to detected problems
Step 3: Submit a Comment to the RFI
This is a concrete action many organizations overlook. CMS is legally required to consider substantive comments received during the RFI and NPRM comment periods. Your organization's real-world experience with fraud detection, billing complexity, and compliance burden is exactly the kind of input that shapes workable regulations. Don't cede this opportunity to industry groups alone — your direct voice matters.
Step 4: Assess Your Provider Enrollment Status
Given the RFI's likely focus on enrollment integrity, verify that all enrollments are current, accurate, and reflect actual practice locations and ownership. Discrepancies discovered during a CRUSH-triggered audit will be far more costly than proactive corrections now.
Step 5: Engage Legal and Compliance Counsel
An RFI of this scope warrants engagement with specialized regulatory counsel. If your organization lacks in-house expertise, contact Certify Consulting for a compliance readiness assessment tailored to the emerging CRUSH regulatory landscape.
How to Submit Comments on the CRUSH RFI
Submitting comments is straightforward but must be done correctly to be considered:
- Go to: www.regulations.gov
- Search for: Federal Register Document 2026-03968 or search "CRUSH" under CMS dockets
- Format your comment to address specific questions posed in the RFI — vague or general comments receive less weight
- Be specific — quantify burdens, propose alternatives, cite your organization's experience with data
- Submit before the deadline — late comments may not be considered
Organizations with significant Medicare/Medicaid exposure should consider hiring regulatory counsel to draft formal comments, particularly if the anticipated CRUSH rule could materially impact your billing practices or compliance program obligations.
What a CRUSH Final Rule Could Look Like
While CMS has not published proposed regulatory text, the direction of the CRUSH initiative — combined with existing CMS enforcement priorities — suggests the final rule could include:
- Mandatory compliance program requirements codified at 42 C.F.R., moving beyond voluntary guidance for certain provider categories
- Expanded use of AI-driven prepayment review with defined provider appeal rights
- New enrollment documentation requirements for high-risk provider types
- Shortened overpayment self-disclosure timelines or expanded lookback periods
- Interoperability mandates for sharing suspicious activity data across payer types
- Enhanced penalties for failing to maintain an adequate compliance program
Organizations that begin building robust compliance infrastructure now will be positioned to demonstrate good faith compliance when the final rule takes effect — and will face significantly lower remediation costs than those who wait.
The Bottom Line
The CMS CRUSH RFI is not a distant regulatory signal to monitor casually. It is a direct precursor to what is likely to become one of the most consequential healthcare fraud and compliance rulemaking actions in recent years. The comment period window is short, the scope is broad, and the stakes — potentially billions in liability exposure for non-compliant organizations — are high.
At Certify Consulting, we specialize in helping healthcare organizations translate complex regulatory signals into actionable compliance strategies. Whether you need help submitting a substantive RFI comment, conducting a fraud risk assessment, or building a compliance program that will withstand the scrutiny the CRUSH rule is designed to bring — we're here to help.
Frequently Asked Questions About the CMS CRUSH RFI
Q: What is the CMS CRUSH RFI? A: The CMS CRUSH RFI (Federal Register Doc. 2026-03968, published February 27, 2026) is a Request for Information soliciting stakeholder feedback on potential regulatory changes to be included in a forthcoming proposed rule called CRUSH — Comprehensive Regulations to Uncover Suspicious Healthcare transactions — designed to strengthen CMS's ability to detect and prevent Medicare and Medicaid fraud.
Q: When is the comment deadline for the CRUSH RFI? A: The official comment period deadline should be confirmed on regulations.gov using the docket associated with Federal Register document 2026-03968. Based on the February 27, 2026 publication date and CMS's standard 60-day comment periods, comments are likely due on or around April 28, 2026.
Q: Who does the CRUSH initiative affect? A: Any provider, supplier, or organization that bills Medicare or Medicaid is potentially within scope. High-risk categories include home health agencies, DME suppliers, behavioral health providers, telehealth companies, physician practices in high-risk specialties, and third-party billing companies.
Q: Is the CRUSH rule final yet? A: No. As of the February 27, 2026 Federal Register publication, CRUSH is at the RFI (Request for Information) stage — prior to a Notice of Proposed Rulemaking (NPRM). However, RFIs typically precede proposed rules within 6–18 months, making immediate compliance preparation prudent.
Q: How should my organization respond to the CRUSH RFI? A: Organizations should conduct an internal fraud risk assessment, review and strengthen compliance programs against OIG's 7-element framework, verify provider enrollment accuracy, and consider submitting formal comments to the RFI docket on regulations.gov before the deadline. Consulting with a specialized regulatory compliance firm can help ensure your comment and compliance posture are strategically sound.
For more information on healthcare compliance program requirements, see our resources on OIG compliance program elements and Medicare provider enrollment requirements on thefdaexpert.com.
Ready to assess your organization's compliance posture ahead of the CRUSH rule? Visit Certify Consulting to schedule a consultation with Jared Clark and the Certify team.
Last updated: 2026-03-04
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the principal consultant at Certify Consulting, with 8+ years of experience and a 100% first-time audit pass rate across 200+ client engagements in healthcare and FDA-regulated industries.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.