CMS Proposes Stronger Enforcement Tools for Open Payments Audits
June 22, 2026The Physician Payments Sunshine Act, a.k.a., the Open Payments Program, is changing, again. A proposed rule included within the Centers for Medicare and Medicaid Services' (CMS) Interoperability Standards and Prior Authorization for Drugs rulemaking (CMS-2026-1255) would significantly strengthen the agency's ability to compel participation in Open Payments audits. The public comment period closed on June 15, 2026, and medical products companies should evaluate audit readiness now.
Why Is CMS Proposing Stronger Open Payments Audit Penalties?
CMS began auditing select drug and device manufacturers under the Open Payments program in 2022 to verify the accuracy of reported transfers of value to healthcare providers. These audits are ongoing and may be initiated either through random selection or based on specific compliance concerns identified by CMS, as well as law enforcement authorities.
According to CMS, although it already has authority to audit Open Payments submissions, it lacks an effective enforcement mechanism when reporting entities refuse to provide requested records. CMS states that some entities declined to comply with audit requests, preventing CMS from evaluating their reporting compliance. As a result, CMS believes additional enforcement authority is necessary to ensure effective oversight of Open Payments reporting obligations.
Importantly, CMS is not proposing to expand the scope of its existing audit authority. Rather, CMS is proposing to clarify that refusing to provide records requested during an authorized Open Payments audit constitutes a "failure to report" that may give rise to civil monetary penalties.
If finalized, the proposal would effectively convert a reporting entity's refusal to provide requested audit documentation from a procedural obstacle into a standalone basis for civil monetary penalty exposure.
“Not every Open Payments audit is triggered by a suspected problem. CMS conducts both random and targeted audits, which means any company could be selected. If finalized, this proposal would raise the stakes considerably by creating meaningful consequences for companies that are unable or unwilling to provide requested records during an audit, making audit readiness just as important as reporting accuracy.”
Amanda Johnston, Partner
What the Proposed Rule Would Change
1. Redefining "Failure to Report."
CMS proposes adding a definition of "failure to report" to 42 C.F.R. § 403.902. Under the proposal, the failure by an applicable manufacturer or applicable GPO to provide requested documentation timely, accurately, and completely in connection with an Open Payments audit would constitute a "failure to report" and could subject the entity to civil monetary penalties. The proposed definition would expressly apply to information requested by HHS, CMS, OIG, or their designees.
2. A Hard 30-Day Deadline.
CMS proposes requiring applicable manufacturers and GPOs to provide requested books, contracts, records, documents, and other supporting evidence within 30 calendar days of an audit request.
3. Per-Record CMPs.
If an entity fails to provide requested documents within the 30-day period, CMS proposes that each requested document not provided could be treated as a separate "failure to report" for purposes of calculating civil monetary penalties, subject to the applicable statutory caps. CMS specifically notes that it would continue to calculate penalties on a per-record basis and is not proposing to change the existing statutory CMP framework. These amounts, established by Congress, are adjusted annually for inflation under 45 C.F.R. part 102:
- Unintentional failures: Up to $10,000 per record, capped at $150,000 per year
- Knowing failures: Up to $100,000 per record, capped at $1,000,000 per year
For companies with large volumes of reportable transactions, per-record penalties could accumulate rapidly and reach the applicable annual statutory caps. In addition, conduct that CMS views as a "knowing failure to report" may result in substantially higher penalties than an ordinary reporting violation.
4. Existing "Knowing Failure to Report" Standard Remains.
CMS is not proposing to change the existing statutory distinction, set by Congress, between ordinary reporting failures and knowing reporting failures. However, CMS notes that a failure to provide audit documentation may, under existing standards, constitute a "knowing failure to report," potentially exposing the entity to significantly higher penalties.
How to Prepare Now for Open Payments Audits
Although the proposal is not yet final, CMS is already conducting Open Payments audits. Companies can take several practical steps now to improve audit readiness and reduce compliance risk:
- Conduct a mock audit. Test whether your team can locate and compile all supporting documentation (contracts, FMV analyses, invoices, sign-in sheets, meal receipts, payment confirmations) within 30 days. Identify bottlenecks now.
- Centralize your records. If records are scattered across finance, commercial, medical affairs, and legal, consolidate them into a single, searchable repository.
- Reconcile reported data against source documents. Ensure every payment reported in Open Payments ties back to a written agreement, FMV assessment, and proof of services rendered.
- Review document retention policies. Open Payments regulations generally require supporting records to be retained for at least five years, and certain research-related payments may warrant longer retention periods. Confirm that records are not being deleted or archived in a manner that would impair audit readiness.
- Train your teams. The documents your commercial, medical affairs, and finance personnel create and retain are the documents CMS will request. Build audit awareness into your compliance training.
- Designate an audit response team. Identify in advance who will coordinate the response, who owns each category of records, and who has authority to engage outside counsel. A 30-day response period leaves little room to establish roles and responsibilities after an audit request arrives.
- Monitor the final rule. A final rule could take effect as early as late 2026 or early 2027.
How Gardner Law Can Help
If your organization needs assistance assessing audit readiness, strengthening Open Payments compliance, or building a defensible transparency reporting program, Gardner Law can help. We advise companies on Open Payments compliance, including audit preparation, record retention, reconciliation of reported payments against source documents, and response strategy when CMS requests supporting records. We can also help companies respond to CMS audit requests and navigate the associated regulatory and enforcement risks.