Many healthcare organizations and their boards struggle to know whether their compliance programs are meeting baseline effectiveness expectations. One way to judge a compliance program is to look at various mandatory program requirements imposed by state or federal governments. New York (NY) offers one such guidepost. Significant changes to mandatory compliance program requirements for NY healthcare providers and health plans are now in effect. On December 28, 2022, the NY State (NYS) Office of the Medicaid Inspector General (OMIG) adopted 18 NY Codes, Rules and Regulations (NYCRR) Part 521-1 (Part 521-1), which repealed the former regulations governing compliance programs for providers to detect and prevent fraud, waste, and abuse in the Medicaid program.[1] Noncompliance may result in exclusion and removal from the Medicaid program along with other monetary penalties and sanctions. While the requirements are only applicable to entities doing business in NY, out-of-state providers should pay close attention to OMIG’s mandates and potentially consider incorporating some of the changes into their own compliance programs on a voluntary basis.
NY providers must ensure they have implemented the proper changes into their compliance programs. As of March 28, 2023, OMIG stated it would begin enforcing the requirements of Part 521-1, and as of July 3, 2023, OMIG indicated that it will begin initiating compliance program reviews with a review period beginning on April 1, 2023 (a look back period). Observers are taking particular note of the amendments made to Part 521-1 as OMIG has long stated that eligibility to receive Medicaid payments required compliance with these regulations. This principle is codified in statute as a “condition of payment” for Medicaid claims.[2] Noncompliance may result in exclusion, removal from the Medicaid program, and other monetary penalties and sanctions. Monetary penalties against providers may begin at $5,000 per calendar month for a maximum of 12 calendar months. If a monetary penalty was previously imposed on a provider within five years, an additional penalty of up to $10,000 per calendar month for a maximum of 12 calendar months may be imposed. The requirements of Part 521-1 now apply to managed care providers or managed long-term care plans (collectively referred to as MMCOs), and there are new sections applicable solely to MMCOs.
Compared with the previous version of Part 521-1, the new amendments are substantially more detailed and designed to compel providers to focus on ensuring that their compliance programs are tailored to address their particular areas of potential risk (as subsequently described in more detail) and continually optimize and grow their programs to prevent recurring issues. Many of the mandatory compliance program requirements are consistent with current voluntary standards recommended by the U.S. Department of Health and Human Services Office of the Inspector General and Federal Sentencing Guidelines.[3] But there are areas where OMIG regulations go beyond what some current, well-designed compliance programs may have in place. Consequently, providers and health plans operating in NY and doing business with the state Medicaid program should assess whether any changes to their programs are required. Additionally, the revised Part 521-1 includes some thoughtful commentary that entities not subject to the mandatory provisions could consider in terms of voluntary compliance.
Providers must certify to the OMIG annually that their compliance program meets these requirements.
In addition to the mandatory compliance program changes, as of August 21, 2023, OMIG has updated and introduced a new process for Medicaid providers to report, return, and explain overpaid Medicaid funds. NY Medicaid providers should be aware that they are required to report any overpayments involving possible fraud, waste, abuse, or inappropriate payment of funds to OMIG “within 60 days of identification, or by the date any corresponding cost report was due, whichever is later.”[4] Providers who discover overpayments through self-review, compliance programs, or internal control should be cognizant that there is no dollar threshold for reporting, and all self-identified inappropriate Medicaid payments received should be disclosed in the manner set forth below.
Certain key amendments to Part 521-1 and to the self-disclosure program that providers should be aware of are summarized as follows:
Part 521-1: Notable definition changes
Effective compliance program
As previously mentioned, having an “effective compliance program” is now a condition of receiving payment under the Medicaid program. While always a highly subjective standard and one that many organizations internally assess, under Part 521-1, an effective compliance program means a compliance program adopted and implemented by the required provider that, at a minimum, satisfies the requirements of Subpart 521-1. The program must be supported by the highest levels of the organization, including the chief executive, senior management, and the governing body. Additionally, the program must be well-integrated into the company’s operations, promote adherence to legal and ethical obligations, and be reasonably designed and implemented to prevent, detect, and correct noncompliance with Medicaid program requirements.
Required providers
Those required to have effective compliance programs include:
- Any person or entity subject to the provision of Articles 28 or 36 of the Public Health Law;[5]
- Any person or entity subject to the provisions of Articles 16 and 31 of the Mental Hygiene Law;[6]
- Managed care providers, including managed long-term care plans, which is an expansion of the prior regulations;
- Any other person or entity for whom the Medicaid program is, or is reasonably expected by the person to be, a substantial portion of their business operations;
  - Substantial portion of business operations is now defined as when a person claims or has claimed or receives or has received at least $1 million in the aggregate in any consecutive 12-month period, directly or indirectly, from the Medicaid program. (Note that this reflects an increase from the prior threshold of $500,000 per year, which should allow many smaller medical practices and other providers to avoid the mandatory compliance requirements. And it should be remembered that the $1 million is not revenue from all sources. It only counts revenue that comes, directly or indirectly, from the Medicaid program.)
Affected individuals (new)
The compliance program must apply to the following “affected individuals”: All persons impacted by the provider’s risk areas (subsequently defined in more detail), including employees, the chief executive, and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, the governing body, and corporate officers.
Going forward, providers must scrutinize their relationships with independent contractors (1099s) and services organizations to determine if they meet the definition of an affected individual and are performing services associated with the provider’s identified “risk areas.” If so, the provider must require the affected individuals to comply with the compliance program and related policies and procedures. However, in light of the breadth of “risk areas”—particularly as expanded by the revised Part 521-1 rules—it would appear that a large number of contractors could potentially fall within the scope of the compliance program obligations. This application will be among the most challenging aspects of the new Part 521-1 rules, so providers should consider this a priority change to their compliance programs if it does not already exist. For example, template contract terms should be created for consideration in all agreements with third parties.
Risk areas
OMIG has expanded (see subsequent words in italics) the “risk areas,” defined as “those areas of operation affected by the compliance program,” to which compliance programs must apply. In addition to what previously existed in the original Part 521-1 (which includes billing, payment, medical necessity, governance, mandatory reporting, credentialing, and a “catch-all” of other risk areas that are or should reasonably be identified by the provider through its “organizational experience”), the expanded risk areas now include the following:
- Billings;
- Payments;
- Ordered services;
- Medical necessity;
- Quality of care;
- Governance;
- Mandatory reporting;
- Credentialing;
- Contractor, subcontractor, agent, or independent contract oversight, which remains a challenging risk area to maintain best practice compliance for many organizations;
- Other risk areas that are or should reasonably be identified by the provider through its organizational experience; and
- A detailed set of additional risk areas for MMCOs.
Organizational experience (new)
“Organizational experience” is a newly defined term that provides valuable insight into how OMIG expects providers to conduct their compliance programs. Specifically, organizational experience means the required providers’:
- Knowledge, skill, practice, and understanding in operating its compliance program;
- Identification of any issues or risk areas in the course of its internal monitoring and auditing activities;
- Experience, knowledge, skill, practice, and understanding of its participation in the Medicaid program and the results of any audits, investigations, or reviews it has been the subject of; or
- Awareness of any issues it should have reasonably become aware of for its service categories.
OMIG expects that providers will learn from their previously made errors and incorporate new solutions as they improve their compliance programs.