Skip to Main Content
Services Talent Knowledge
Site Search


Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

December 15, 2014

Office of the Medicaid Inspector General Publishes New Compliance Guidelines/Annual Certification Reminder

New Compliance Guidelines

On October 7, 2014, the New York State Office of the Medicaid Inspector General's ("OMIG") Bureau of Compliance published three Compliance Guidelines pertaining to adult rehabilitative mental health providers, transportation providers, and providers of comprehensive psychiatric emergency services. The Compliance Guidelines provide general guidance to assist those subject to the mandatory compliance program obligations in New York State Social Services Law § 363-d and 18 NYCRR Part 521. The Compliance Guidelines contain examples for providers to consider when assessing compliance risk areas during self-evaluations or audits to determine where compliance management or staff resources should be deployed to reduce, minimize, or eliminate compliance-related failures. Below are summaries of the Compliance Guidelines and examples contained therein. We recommend that applicable providers include the specific risk areas outlined in their compliance reviews.

1. Compliance Guideline 2014-05, Common Risk Areas for Mental Health Providers – Comprehensive Psychiatric Emergency Programs

When considering documentation risk areas, providers should consider whether a patient's medical record appropriately documents the Comprehensive Psychiatric Emergency Program ("CPEP") services provided; whether all brief emergency CPEP visits include a face-to-face interaction between the patient and staff physician; whether all full emergency CPEP visits include a face-to-face interaction between the patient and psychiatrist and other clinical staff as necessary; and whether the written records of a reimbursed unit of service include complete case records, discharge plans, and summaries, and conform to the requirements of 14 NYCRR Part 590.

When considering quality of care risk areas, providers should consider whether all full emergency CPEP visits include a psychiatric or mental health diagnostic examination, psychosocial assessment, and medical examination; whether required physician examinations are initiated within six hours of admission to CPEP; whether services are performed beyond 24 hours in the CPEP without admission to an extended observation bed or psychiatric in-patient bed; and whether patients are in extended observation beds for less than 72 hours from the time a patient was received into the emergency room.

When considering billing and payment risk areas, providers should consider whether multiple visits are billed for emergency or crisis CPEP services for the same calendar day; whether billed interim crisis CPEP services are performed more than 5 days after discharge from CPEP; and whether there is a system in place to ensure that brief emergency CPEP visits are not billed as full emergency CPEP visits.

When considering credentialing and workforce risk areas, providers should consider whether psychiatrists or staff physicians providing services in the CPEP are properly licensed by New York State.

2. Compliance Guideline 2014-06, Common Risk Areas for Mental Health Providers – Rehabilitation Adult Services

When considering documentation risk areas, providers should consider whether the dates and duration of each rehabilitative service performed are documented in the case record; whether each rehabilitative service billed to Medicaid is of at least 15 minutes in duration; whether case records include appropriate service plans; and whether all provided services are identified in the recipient's current service plan.

When considering quality of care risk areas, providers should consider whether all initial service plans are developed within four weeks of admission to the program; whether each service plan is reviewed at least every three months; whether service plans are reviewed and signed by Qualified Mental Health Staff Persons; and whether all billed Medicaid services are covered by a physician's authorization or reauthorization.

When considering billing and payment risk areas, providers should consider whether there is a system in place to ensure billing does not occur for a month of rehabilitative services when a resident is not in residence for at least 21 days in a month or a half month of rehabilitative services when a resident is not in residence for at least 11 days in a month.

When considering credentialing and workforce risk areas, providers should consider whether the persons providing the service are being billed properly and are properly licensed or credentialed to provide the service; and whether the names of those providing the services are properly documented in the record.

3. Compliance Guideline 2014-07, Common Risk Areas for Transportation Providers

When considering documentation risk areas, providers should consider whether the transportation records contain all required information for each leg of the trip; whether electronic transportation records are time-stamped or whether another method is utilized to show that the records are contemporaneous with the services provided as required; and whether transportation services are provided to or from a location where Medicaid-covered services are provided.

When considering quality of care risk areas, providers should consider whether the vehicles used to provide transportation services are properly maintained, registered, licensed, inspected, and insured; whether personal assistance is provided by the driver to the enrollee when necessary as required; and whether the mode of transportation provided is designed and equipped to provide the non-emergency transport with the appropriate capacities, i.e., wheelchair-carrying capacity, stretcher-carrying capacity, or the ability to carry individuals with disabilities.

When considering billing and payment risk areas, providers should consider whether prior authorization was obtained for all non-emergency transportation services; whether there is a process in place to determine if enrollees are covered by a managed care or managed long-term care plan that includes transportation; whether the correct driver license number of the driver and vehicle registration number of the vehicle used to provide the transportation service is indicated on claims; for group rides, whether claimed mileage and tolls are allowed under Medicaid rules; whether the required claim fields are completed; and whether claims are submitted in connection to actual services provided and not based on transportation rosters.

When considering credentialing and workforce risk areas, providers should consider whether all drivers who provide Medicaid transportation services have a valid driver's license in the appropriate license class; whether all ambulette drivers maintain appropriate driver license endorsements and 19A certification; and whether providers and drivers are appropriately licensed by local taxi and limousine commissions.

Providers should keep in mind that the Compliance Guidelines do not set out all points that OMIG will consider or use when assessing if compliance programs meet statutory and regulatory requirements. These new guidelines, however, do set forth specific areas that should be included in a provider's identified risk areas and as topics for internal auditing practices, along with any other risk areas that have been identified by the provider.

Compliance Certification

It is December and that means it is time to certify as to the effectiveness of your compliance plans. The process is generally the same as it has been in prior years but the forms have been updated as of December 1, 2014. OMIG reminds providers that they only need to submit the certification forms; they do not need to forward their plans or their assessment forms unless they are requested by OMIG at a later time.

Medicaid providers are subject to two sets of certification requirements, a federal requirement under the Deficit Reduction Act of 2005 ("DRA") and a New York State requirement under Social Services Law § 363-d(3). Under both laws, providers must certify compliance for the year 2014 by December 31, 2014, which is accomplished by completing the forms located on OMIG's website. OMIG is tasked with administering both the federal and state certification process in New York. New York State requires completion of the forms in December of each year.

The DRA requires health care entities that receive or make $5 million or more in Medicaid payments during the federal fiscal year (October 1 to September 30) to certify annually that they are in compliance with the federal DRA. The DRA requires providers to establish written policies and procedures designed to inform employees, contractors, and agents about the federal and state false claims acts and whistleblower protections. Each year, the provider must certify that it maintains written policies, that its employee handbook includes the materials required by the DRA, that the materials have been properly adopted by the entity, and that the materials have been disseminated to employees, contractors, and agents. We note that OMIG has started to separately assess compliance plans for these requirements. The link to the DRA certification is

NYS Social Services Law § 363-d(3) requires the following providers to certify that they have an effective compliance plan:

  • Those providers subject to Article 28 and Article 36 of the Public Health Law (e.g., hospitals, clinics);
  • Those providers subject to Articles 16 and 31 of the Mental Hygiene Law (e.g., OMH and OPWDD providers); and
  • Those providers for which Medicaid is a "substantial portion of business operations." That has been interpreted to mean those that claim, order or receive payment for services or supplies directly or indirectly, or submit claims totaling at least $500,000 a year.

The link to the SSL certification can be found at

The eight elements of an effective compliance plan are set forth in Social Services Law § 363-d(2): 1) written compliance policies and procedures; 2) designation of an employee to be its compliance officer; 3) training for all employees, executives, and board members regarding its compliance program; 4) available communication lines to the compliance officer; 5) disciplinary procedures to encourage good faith participation; 6) identification of compliance risk areas; 7) institution of a system for responding to and investigating reports of non-compliance; and 8) a policy of non-intimidation and non-retaliation for good faith participation in the compliance program. Having an effective compliance program is extremely important. OMIG has been reviewing the effectiveness of provider plans and will continue to do so in the coming year. OMIG has posted its Assessment of results as of March 31, 2014, which includes Best Practices, Opportunities for Enhancement, and Identified Insufficiencies with respect to compliance plan effectiveness reviews. These documents, which can be found at, detail each specific element and how providers have met or not met those elements.

Failure to certify is a violation of statutory and regulatory requirements. Providers' certification history is reviewed and OMIG has stated that certification history is the first metric it will use to identify providers who will become the subject of a compliance program effectiveness review. New Medicaid providers will not be able to complete the enrollment process without certifying. The certification is an official document. Therefore, you must ensure a reasonable level of diligence is taken to ensure that no false or incorrect statements are being made.

Should you need assistance with the certification process or a review of the effectiveness of any current plan, contact Margaret Surowka Rossi, Melissa M. Zambri or any member of our Firm's Health Care and Human Services Practice Area.


Click here to sign up for alerts, blog posts, and firm news.

Featured Media


Connecticut Joins the Ranks of States Proposing Landmark AI Legislation


NYS PSC Modifies Pole Attachment Rules to Accelerate Broadband and Cellular Service Deployment


NYS Department of Health Publishes Amended Proposed Cybersecurity Regulations for Hospitals


FTC Noncompete Rule Survives—For Now


New York Trial Court Finds Uber Is Not Vicariously Liable for Driver's Negligence


ERISA Forfeiture Lawsuits: Navigating the Emerging Legal Landscape

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out