It is axiomatic that New York State requires every Medicaid provider to have an “effective” compliance program. New York Social Services Law § 363-d. In July 2022, the New York State Office of the Medicaid Inspector General (“OMIG”) proposed extensive modifications to the regulatory requirements governing compliance programs for entities receiving “significant” Medicaid revenue (increased by these regulations from a threshold of $500,000 to $1 million). These regulations were proposed to implement portions of the New York State 2020-2021 Budget Bill amending the mandatory compliance program requirements. The regulations were finalized in December 2022, with an effective date of March 28, 2023, and an enforcement moratorium that has just ended. The final regulations, codified at 18 N.Y.C.R.R. Part 521, make several important changes that will affect all Medicaid Providers’ compliance programs throughout New York State. The majority of the changes will have the effect of making mandatory elements of an effective compliance program that were previously “recommended”.
Changes of note include:
- The implementation of an “Effective Compliance Program” is now a condition of receiving payment under the Medicaid program. An Effective Compliance Program is one that:
- Is well integrated into the provider’s operations;
- Is supported at the highest levels, including the Chief Executive, Senior Management, and Governing Body;
- Has a Compliance Officer, who is an “individual” responsible for:
- overseeing and revising the Compliance Program;
- overseeing a Compliance Work Plan that is created at least annually;
- Has a Compliance Committee:
- that is responsible for coordinating with the Compliance Officer to ensure that the required provider is conducting business in an ethical and responsible manner, consistent with its Compliance Program;
- that advocates for the allocation of sufficient funding, resources and staff for the Compliance Officer;
- Promotes adherence to legal and ethical obligations;
- Is reasonably designed and implemented to prevent, detect, and correct non-compliance most likely to occur for the required provider’s risk areas and organizational experience;
- Has established disciplinary standards and implemented procedures for the enforcement of such standards to address potential violations and encourage good-faith participation by all Affected Individuals in the Compliance Program;
- Establishes an effective compliance training and education program for its Compliance Officer and all Affected Individuals;
- Is reviewed annually through on-site visits, interviews with Affected Individuals, review of records, surveys, or any other comparable method the required provider deems appropriate so long as it does not compromise the independence or integrity of the review. The results must be shared with the Chief Executive, Senior Management, Compliance Committee and the Governing Body; and
- Retains all records demonstrating that the Compliance Program has been adopted, implemented, and operated by the organization for at least six (6) years.
- Providers must certify implementation of a Compliance Program satisfying the regulatory requirements upon enrollment and annually thereafter. The new regulations drill deeper into program requirements other than the eight required elements of a compliance program. For example, to be considered an effective Compliance Program, the policies and procedures must:
- Establish an expectation that Affected Individuals (discussed below) will act in accordance with the Medicaid provider’s Standards of Conduct;
- Require Affected Individuals to refuse to participate in unethical or illegal conduct, and report any unethical or illegal conduct to the Compliance Officer;
- Address certain required elements; and
- Be reviewed annually for effectiveness.
- New Self-Disclosure Program rules (amendments to N.Y. Social Services Law § 363-d) codified in New York State law federal requirements and OMIG policies require Medicaid providers who have received an overpayment to report, return, and explain the overpayment by making a disclosure to OMIG within sixty (60) days of identifying the overpayment.
- Monetary penalties are authorized for:
- Not having an Effective Compliance Program;
- Failure to grant timely access to records and facilities;
- Failure to timely report, return, and explain overpayments within sixty (60) days; and
- Employing or contracting with an individual or entity that has been excluded or suspended from the Medicaid program.
- “Affected Individuals” is a newly defined term that specifies which staff associated with a provider are covered by the organization’s Compliance Program requirements, including:
- Employees;
- Chief Executive and other Senior Administrators;
- Managers;
- Contractors, Subcontractors, and Independent Contractors;
- Agents;
- Governing Body; and
- Corporate Officers
- Risk Areas. An organization’s Compliance Program should apply to the Medicaid provider’s risk areas, which are those areas of operation affected by the Compliance Program and applicable to:
- Billings;
- Payments;
- Ordered services;
- Medical necessity;
- Quality of care;
- Governance;
- Mandatory reporting;
- Credentialing;
- Contractor, subcontractor, agent, or independent contract oversight; and
- Other risk areas that are or should reasonably be identified by the provider through its organizational experience.
- “Organizational Experience” is another newly defined term used to help a provider make their Compliance Program specific to the organization, and to the specific issues or risk areas likely to be encountered by the provider.
- Lines of Communication. Lines of communication regarding compliance issues must satisfy specified criteria, including a method for anonymous reporting for potential fraud, waste, and abuse issues directly to the organization’s Compliance Officer.
All covered New York Medicaid providers should ensure that their Chief Compliance Officer and counsel have assessed the organization’s Compliance Program to ensure its compliance with these regulatory changes. No doubt, the existing policies and procedures of many such entities will already adhere to many of the proposed changes, as they are generally considered best practices. However, certain policies and procedures will likely need to be updated, as may vendor contracts and their compliance addenda, in order to ensure full compliance with the new regulations. Additional resources will also likely need to be allocated to Compliance Program activities in many cases.
Please contact Arthur J. Fried at (212) 351-4710 / afried@ebglaw.com and Allison Ness at (212) 351-5516 / aness@ebglaw.com with any questions.
Blog Editors
Authors
- Member of the Firm
- Senior Counsel