Many healthcare organizations and their boards struggle to know whether their compliance programs are meeting baseline effectiveness expectations. One way to judge a compliance program is to look at various mandatory program requirements imposed by state or federal governments. New York (NY) offers one such guidepost. Significant changes to mandatory compliance program requirements for NY healthcare providers and health plans are now in effect. On December 28, 2022, the NY State (NYS) Office of the Medicaid Inspector General (OMIG) adopted 18 NY Codes, Rules and Regulations (NYCRR) Part 521-1 (Part 521-1), which repealed the former regulations governing compliance programs for providers to detect and prevent fraud, waste, and abuse in the Medicaid program.[1] Noncompliance may result in exclusion and removal from the Medicaid program along with other monetary penalties and sanctions. While the requirements are only applicable to entities doing business in NY, out-of-state providers should pay close attention to OMIG’s mandates and potentially consider incorporating some of the changes into their own compliance programs on a voluntary basis.
NY providers must ensure they have implemented the proper changes into their compliance programs. As of March 28, 2023, OMIG stated it would begin enforcing the requirements of Part 521-1, and as of July 3, 2023, OMIG indicated that it will begin initiating compliance program reviews with a review period beginning on April 1, 2023 (a look back period). Observers are taking particular note of the amendments made to Part 521-1 as OMIG has long stated that eligibility to receive Medicaid payments required compliance with these regulations. This principle is codified in statute as a “condition of payment” for Medicaid claims.[2] Noncompliance may result in exclusion, removal from the Medicaid program, and other monetary penalties and sanctions. Monetary penalties against providers may begin at $5,000 per calendar month for a maximum of 12 calendar months. If a monetary penalty was previously imposed on a provider within five years, an additional penalty of up to $10,000 per calendar month for a maximum of 12 calendar months may be imposed. The requirements of Part 521-1 now apply to managed care providers or managed long-term care plans (collectively referred to as MMCOs), and there are new sections applicable solely to MMCOs.
Compared with the previous version of Part 521-1, the new amendments are substantially more detailed and designed to compel providers to focus on ensuring that their compliance programs are tailored to address their particular areas of potential risk (as subsequently described in more detail) and continually optimize and grow their programs to prevent recurring issues. Many of the mandatory compliance program requirements are consistent with current voluntary standards recommended by the U.S. Department of Health and Human Services Office of the Inspector General and Federal Sentencing Guidelines.[3] But there are areas where OMIG regulations go beyond what some currently, well-designed compliance programs may have in place. Consequently, providers and health plans operating in NY and doing business with the state Medicaid program should assess whether any changes to their programs are required. Additionally, the revised Part 521-1 includes some thoughtful commentary that entities not subject to the mandatory provisions could consider in terms of voluntary compliance.
Providers must certify to the OMIG annually that their compliance program meets these requirements.
In addition to the mandatory compliance program changes, as of August 21, 2023, OMIG has updated and introduced a new process for Medicaid providers to report, return, and explain overpaid Medicaid funds. NY Medicaid providers should be aware that they are required to report any overpayments involving possible fraud, waste, abuse, or inappropriate payment of funds to OMIG “within 60 days of identification, or by the date any corresponding cost report was due, whichever is later.”[4] Providers who discover overpayments through self-review, compliance programs, or internal control should be cognizant that there is no dollar threshold for reporting, and all self-identified inappropriate Medicaid payments received should be disclosed in the manner set forth below.
Certain key amendments to Part 521-1 and to the self-disclosure program that providers should be aware of are summarized as follows:
Part 521-1: Notable definition changes
Effective compliance program
As mentioned previously mentioned, having an “effective compliance program” is now a condition of receiving payment under the Medicaid program. While always a highly subjective standard and one that many organizations internally assess, under Part 521-1, an effective compliance program means a compliance program adopted and implemented by the required provider that, at a minimum, satisfies the requirements of Subpart 521-1. The program must be supported by the highest levels of the organization, including the chief executive, senior management, and the governing body. Additionally, the program must be well-integrated into the company’s operations, promote adherence to legal and ethical obligations, and be reasonably designed and implemented to prevent, detect, and correct noncompliance with Medicaid program requirements.
Required providers
Those required to have effective compliance programs include:
-
Any person or entity subject to the provision of Articles 28 or 36 of the Public Health Law;[5]
-
Any person or entity subject to the provisions of Articles 16 and 31 of the Mental Hygiene Law;[6]
-
Managed care providers, including managed long-term care plans, which is an expansion of the prior regulations;
-
Any other person or entity for whom the Medicaid program is, or is reasonably expected by the person to be, a substantial portion of their business operations;
-
Substantial portion of business operations is now defined as when a person claims or has claimed or receives or has received at least $1 million in the aggregate in any consecutive 12-month period, directly or indirectly, from the Medicaid program. (Note that this reflects an increase from the prior threshold of $500,000 per year, which should allow many smaller medical practices and other providers to avoid the mandatory compliance requirements. And it should be remembered that the $1 million is not revenue from all sources. It only counts revenue that comes, directly or indirectly, from the Medicaid program.)
-
Affected individuals (new)
The compliance program must apply to the following “affected individuals”: All persons impacted by the provider’s risk areas (subsequently defined in more detail), including employees, the chief executive, and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, the governing body, and corporate officers.
Going forward, providers must scrutinize their relationships with independent contractors (1099s) and services organizations to determine if they meet the definition of an affected individual and are performing services associated with the provider’s identified “risk areas.” If so, the provider must require the affected individuals to comply with the compliance program and related policies and procedures. However, in light of the breadth of “risk areas”—particularly as expanded by the revised Part 521-1 rules—it would appear that a large number of contractors could potentially fall within the scope of the compliance program obligations. This application will be among the most challenging aspects of the new Part 521-1 rules, so providers should consider this a priority change to their compliance programs if it does not already exist. For example, template contract terms should be created for consideration in all agreements with third parties.
Risk areas
OMIG has expanded (see subsequent words in italics) the “risk areas,” defined as “those areas of operation affected by the compliance program,” to which compliance programs must apply. In addition to what previously existed in the original Part 521-1 (which includes billing, payment, medical necessity, governance, mandatory reporting, credentialing, and a “catch-all” of other risk areas that are or should reasonably be identified by the provider through its “organizational experience”); the expanded risk areas now include the following:
-
Billings;
-
Payments;
-
Ordered services;
-
Medical necessity;
-
Quality of care;
-
Governance;
-
Mandatory reporting;
-
Credentialing;
-
Contractor, subcontractor, agent, or independent contract oversight, which remains a challenging risk area to maintain best practice compliance for many organizations;
-
Other risk areas that are or should reasonably be identified by the provider through its organizational experience; and
-
A detailed set of additional risk areas for MMCOs.
Organizational experience (new)
“Organizational experience” is a newly defined term that provides valuable insight into how OMIG expects providers to conduct their compliance programs. Specifically, organizational experience means the required providers’:
-
Knowledge, skill, practice, and understanding in operating its compliance program;
-
Identification of any issues or risk areas in the course of its internal monitoring and auditing activities;
-
Experience, knowledge, skill, practice, and understanding of its participation in the Medicaid program and the results of any audits, investigations, or reviews it has been the subject of; or
-
Awareness of any issues it should have reasonably become aware of for its service categories.
OMIG expects that providers will learn from their previously made errors and incorporate new solutions as they improve their compliance programs.
Compliance program elements
OMIG has identified the industry-standard and well-known seven elements of an effective compliance program, offering additional gloss on the state’s expectations regarding each.
-
Providers should incorporate legal and ethical obligations related to compliance program requirements into their written policies, procedures, and standards of conduct (Policies). The Policies should also document the implementation of the seven elements and outline the operation of the compliance program. Providers must review Policies annually to determine whether the Policies have been implemented, whether all Affected Individuals are following the Policies, and whether the Policies are effective.
-
Designate a compliance officer responsible for operating the compliance program. The officer is required to develop an annual compliance work plan outlining a strategy for ensuring the company complies with the program requirements. The compliance officer is required to report regularly (at least quarterly) to the governing body on the progress of adopting, implementing, and maintaining the compliance program. In recognition of common practice—particularly with smaller and rural providers—Part 521-1 no longer requires the compliance officer to be an employee of the provider.
A new provision of Part 521-1 that many compliance officers will welcome is that the program now requires the compliance officer to be “allocated sufficient staff and resources to satisfactorily perform their responsibilities for the day-to-day operation of the compliance program.”
Also, the entity must now designate a senior management-level compliance committee that must coordinate with the compliance officer. The compliance committee charter must outline the duties, membership, process for selecting a chairperson, and frequency of committee meetings. The committee must meet at least quarterly and report directly to the required provider’s chief executive and governing body.
-
Develop a training plan to be attended by Affected Individuals outlining the required subjects and the timing and frequency of training. The training plan must be part of orientation and occur “promptly upon hiring” and at least annually. (Pursuant to FAQs, NYS OMIG made clear that training and education may be accomplished “by annually distributing a copy of their compliance manual or all compliance program written Policies that are applicable to such Contractors, along with a letter or memo including [a variety of key information].”)
-
Establish a line of communication between the compliance officer, affected Individuals, and Medicaid recipients to report compliance issues. Anonymous reporting methods must be provided and confidentiality maintained.
-
Establish disciplinary standards addressing compliance violations that are written and shared with affected Individuals. These disciplinary standards must be uniformly applied to all affected Individuals and senior management. Providers may not apply different standards for different levels of individuals.
-
Providers must create systems for the following:
-
Identifying compliance risk areas;
-
Routine auditing and monitoring;
-
Annual compliance program review; and
-
Checking monthly for excluded providers.
-
-
Establish systems for investigating and responding to compliance issues.
Contracting requirements (new)
In addition to providing training plans to Affected Individuals, providers must ensure that their contracts with contractors, agents, subcontractors, and independent contractors (meeting the definition of Affected Individuals) clearly state that those persons/entities are subject to the compliance program.
OMIG indicated that contractors are only subject to the providers’ compliance programs to the extent that the contractors’ services are related to their contracted role and responsibilities within the providers’ identified risk area. For example, OMIG offers an entity contracted to provide “credentialing services.” Such a contractor would be required to comply with the entity’s compliance program related to the provision of “credentialing services.” These contracts must also include termination provisions for failure to adhere to the compliance program. There are many potential issues that may arise here; for example, how should a provider proceed when a party necessary for treatment refuses to sign these contracts? OMIG has provided an additional two years of delayed enforcement for existing contractors. However, the compliance program applicability will be attached for contractors entering new or renewed arrangements as of March 28, 2023. Meeting this requirement does not necessarily mean reopening heavily negotiated agreements. A simple letter agreement signed by the provider and the vendor acknowledging the application of the provider’s compliance policies to their workforce, as a term of the overall relationship, should be sufficient. And going forward, providers should prepare an “NYS Compliance Plan Addendum” to attach to future vendor agreements.
Self-disclosure program
As part of the addition of new processes, OMIG has revised the self-disclosure program to include an abbreviated self-disclosure process—in addition to the full self-disclosure process—that Medicaid entities may utilize to report and explain overpayments. It is important to note that OMIG appears to take a much more expansive view of self-disclosure than many in the industry, including many of the routine transaction-level financial adjustments that happen thousands of times a day.
The distinction between the full self-disclosure process and the abbreviated self-disclosure process is as follows:
Full process
Within 60 days of the overpayment identification, the provider will submit a completed full self-disclosure statement, certification form, and claim data form or mixed payer calculation form for excluded disclosures, if applicable. Confirmation of receipt is sent to the provider via email, confirming that the 60-day time frame has been tolled. The self-disclosure unit will then review the submission and determine if the overpayment is verified or if additional information is necessary. If additional information is needed upon request, the provider will have 15 days to supply any additional information. Following completion of the review, a determination notice will be issued to the provider confirming the total overpayment amount for the overpayment reason(s) disclosed, confirming any amounts already repaid and any balance still due.
Examples of overpayments appropriate for the full self-disclosure process include, but are not limited to, the following:
-
Any error that requires a Medicaid entity/provider to create and implement a formal corrective action plan;
-
Actual, potential, or credible allegations of fraudulent behavior by employees or others;
-
Discovery of an employee on the excluded provider list;
-
Documentation errors that resulted in overpayments;
-
Overpayments that resulted from software or billing systems updates;
-
Systemic billing or claiming issues;
-
Overpayments that involved more than one Medicaid entity/provider (e.g., health homes and care management agencies);
-
Non-claim-based Medicaid overpayments;
-
Any error with substantial monetary or program impacts; and
-
Any instance upon direction by OMIG.
Abbreviated process
The abbreviated process may be utilized to report and explain identified overpayments resulting from routine and transactional errors or meet other defined characteristics that have already been voided or adjusted. Overpaid claims are voided and adjusted by the provider within 60 days of identification and are added to the self-disclosure abbreviated statement form. Providers may aggregate their submissions in a monthly report, which will be submitted by the fifth of the month following the month the claims were voided or adjusted. Confirmation of receipt is sent to the provider by email. If additional information is required upon request, the provider will have 15 calendar days to supply any additional requested information. No determination notice will be issued because overpaid claims reported and explained through the abbreviated process are already repaid by void or adjustment.
This is perhaps the most dramatic change to the customary practices of healthcare providers and a departure from the Centers for Medicare & Medicaid Services (CMS) voluntary refund instructions. Consequently, providers and others doing business with NY Medicaid may need to modify their usual procedures to accommodate OMIG’s instructions.
Examples of overpayments appropriate for the abbreviated self-disclosure process include, but are not limited to, the following:
-
Routine credit balance/coordination of benefits overpayments;
-
Typographical, human errors;
-
Routine net available monthly income adjustments;
-
Instance of missing or faulty authorization for services due to human error;
-
Instance of missing or insufficient support documentation due to human error;
-
Inappropriate rate, procedure, or fee code used due to typographical or human error;
-
Routine recipient enrollment issue.
These new changes to the self-disclosure program provide a notable administrative burden on Medicaid providers, who are now required to report every instance of a payment that was voided or adjusted without a threshold for materiality.
National applications
As previously mentioned, OMIG’s requirements and the self-disclosure program updates are only applicable to and enforceable against providers doing business in NY; however, it is foreseeable that other states that are likely monitoring the updates in NY may implement their own compliance program and self-disclosure program requirements similar to OMIG’s. For this reason, providers should be proactive and closely scrutinize their internal compliance programs regardless of location. Even if there is no indication that rigorous legislation will be passed in a provider’s home state, it is still recommended that providers consider at least some of the elements provided in Sections B and D. A strong compliance program is essential to identify and reduce risks and establish best practices in operating an ethical and compliant healthcare organization. Additionally, added attention to the administration of the compliance program will likely assist providers in monitoring and recognizing potential overpayments for disclosure.
Conclusion
Providers should be fastidious about implementing a compliance program compliant with the Part 521-1 regulations. Providers should be careful not to omit any mandatory elements since OMIG has stated that it intends to strictly enforce these requirements. Providers and plans are advised to undertake a self-assessment of the completeness of their compliance programs at this time.
As previously mentioned, the penalties and sanctions in place are particularly harsh and can even result in non-payment of Medicaid claims and removal from the Medicaid program. Monthly monetary penalties may potentially range from $5,000 to $10,000 for certain repeat offenders. Despite the OMIG’s statement that satisfaction of the Part 521-1 compliance program requirements is a “condition of payment,” we note the Supreme Court’s recent clarification that:
. . . False Claims Act liability for failing to disclose violations of legal requirements does not turn upon whether those requirements were expressly designated as conditions of payment. Defendants can be liable for violating requirements even if they were not expressly designated as conditions of payment. Conversely, even when a requirement is expressly designated a condition of payment, not every violation of such a requirement gives rise to liability. What matters is not the label the Government attaches to a requirement, but whether the defendant knowingly violated a requirement that the defendant knows is material to the Government’s payment decision.[7]
Additionally, providers should implement new policies and processes to educate staff regarding the self-disclosure program requirements and how to utilize both the full and abbreviated self-disclosure processes.
Providers should monitor this matter and OMIG’s continued enforcement going forward.
Takeaway
-
New York State (NYS) Office of the Medicaid Inspector General (OMIG) amended compliance program regulations. Noncompliance may result in severe penalties for NYS providers, including exclusion and removal from the Medicaid program, along with monetary penalties and sanctions. These regulations apply not only to New York providers, but also to those that receive NY Medicaid payments, either directly or indirectly, of at least $1,000,000 in any consecutive 12-month period.
-
As the NYS OMIG Compliance Program Guidance is the most recent governmental statement about how to evaluate whether a provider is operating an “effective compliance program,” it provides a useful reference for organizations that may not be subject to state law.
-
OMIG revised the self-disclosure program to include an abbreviated self-disclosure process, in addition to the full self-disclosure process, that Medicaid entities may utilize to report and explain overpayments that are corrected through amended claims submissions.
-
Monetary penalties begin at $5,000 per calendar month for a maximum of 12 months. If monetary penalties were previously imposed within five years, an additional penalty of up to $10,000 per month (maximum of 12 months) may be imposed.
-
New York providers should be fastidious about implementing a compliance program that complies with the Part 521-1 regulations and be careful not to omit any mandatory elements to avoid potential penalties.