It is axiomatic that New York State requires every Medicaid provider to have an “effective” compliance program. New York Social Services Law § 363-d. In July 2022, the New York State Office of the Medicaid Inspector General (“OMIG”) proposed extensive modifications to the regulatory requirements governing compliance programs for entities receiving “significant” Medicaid revenue (increased by these regulations from a threshold of $500,000 to $1 million). These regulations were proposed to implement portions of the New York State 2020-2021 Budget Bill amending the mandatory compliance program requirements. The regulations were finalized in December 2022, with an effective date of March 28, 2023, and an enforcement moratorium that has just ended. The final regulations, codified at 18 N.Y.C.R.R. Part 521, make several important changes that will affect all Medicaid Providers’ compliance programs throughout New York State. The majority of the changes make mandatory those elements of an effective compliance program that were previously “recommended.”

Changes of note include:

  1. The implementation of an “Effective Compliance Program” is now a condition of receiving payment under the Medicaid program.  An Effective Compliance Program is one that:
    • Is well integrated into the provider’s operations;
    • Is supported at the highest levels, including the Chief Executive, Senior Management, and Governing Body;
    • Has a Compliance Officer, who is an “individual” responsible for:
      • overseeing and revising the Compliance Program;
      • overseeing a Compliance Work Plan that is created at least annually;
    • Has a Compliance Committee:
      • that is responsible for coordinating with the Compliance Officer to ensure that the required provider is conducting business in an ethical and responsible manner, consistent with its Compliance Program;
      • that advocates for the allocation of sufficient funding, resources and staff for the Compliance Officer;
    • Promotes adherence to legal and ethical obligations;
    • Is reasonably designed and implemented to prevent, detect, and correct non-compliance most likely to occur for the required provider’s risk areas and organizational experience;
    • Has established disciplinary standards and implemented procedures for the enforcement of such standards to address potential violations and encourage good-faith participation by all Affected Individuals in the Compliance Program;
    • Establishes an effective compliance training and education program for its Compliance Officer and all Affected Individuals;
    • Is reviewed annually through on-site visits, interviews with Affected Individuals, review of records, surveys, or any other comparable method the required provider deems appropriate so long as it does not compromise the independence or integrity of the review.  The results must be shared with the Chief Executive, Senior Management, Compliance Committee and the Governing Body; and
    • Retains all records demonstrating that the Compliance Program has been adopted, implemented, and operated by the organization for at least six (6) years.
  2. Providers must certify implementation of a Compliance Program satisfying the regulatory requirements upon enrollment and annually thereafter.  The new regulations drill deeper into program requirements other than the eight required elements of a compliance program.  For example, to be considered an effective Compliance Program, the policies and procedures must:
    • Establish an expectation that Affected Individuals (discussed below) will act in accordance with the Medicaid provider’s Standards of Conduct;
    • Require Affected Individuals to refuse to participate in unethical or illegal conduct, and report any unethical or illegal conduct to the Compliance Officer;
    • Address certain required elements; and
    • Be reviewed annually for effectiveness. 
  3. New Self-Disclosure Program rules (amendments to N.Y. Social Services Law § 363-d) codify in New York State law the federal requirements and OMIG policies that require Medicaid providers who have received an overpayment to report, return, and explain the overpayment by making a disclosure to OMIG within sixty (60) days of identifying the overpayment.
  4. Monetary penalties are authorized for:
    • Not having an Effective Compliance Program;
    • Failure to grant timely access to records and facilities;
    • Failure to timely report, return, and explain overpayments within sixty (60) days; and
    • Employing or contracting with an individual or entity that has been excluded or suspended from the Medicaid program.
  5. “Affected Individuals” is a newly defined term that specifies which staff associated with a provider are covered by the organization’s Compliance Program requirements, including:
    • Employees;
    • Chief Executive and other Senior Administrators;
    • Managers;
    • Contractors, Subcontractors, and Independent Contractors;
    • Agents;
    • Governing Body; and
    • Corporate Officers.
  6. Risk Areas. An organization’s Compliance Program should apply to the Medicaid provider’s risk areas, which are those areas of operation affected by the Compliance Program and applicable to:
    • Billings;
    • Payments;
    • Ordered services;
    • Medical necessity;
    • Quality of care;
    • Governance;
    • Mandatory reporting;
    • Credentialing;
    • Contractor, subcontractor, agent, or independent contract oversight; and
    • Other risk areas that are or should reasonably be identified by the provider through its organizational experience.
  7. “Organizational Experience” is another newly defined term used to help a provider make their Compliance Program specific to the organization, and to the specific issues or risk areas likely to be encountered by the provider.
  8. Lines of Communication.  Lines of communication regarding compliance issues must satisfy specified criteria, including a method for anonymous reporting for potential fraud, waste, and abuse issues directly to the organization’s Compliance Officer.

All covered New York Medicaid providers should ensure that their Chief Compliance Officer and counsel have assessed the organization’s Compliance Program to ensure its compliance with these regulatory changes.  No doubt, the existing policies and procedures of many such entities will already adhere to many of the proposed changes, as they are generally considered best practices.  However, certain policies and procedures will likely need to be updated, as may vendor contracts and their compliance addenda, in order to ensure full compliance with the new regulations.  Additional resources will also likely need to be allocated to Compliance Program activities in many cases.

Please contact Arthur J. Fried at (212) 351-4710 and Allison Ness at (212) 351-5516 with any questions.
