The awaited final version of the New York State Office of the Medicaid Inspector General’s (OMIG’s) amended compliance program regulations was published in the New York State Register on December 28, 2022. The adopted regulations repealed and replaced the existing regulations governing provider compliance programs in favor of three new subparts addressing compliance programs; Medicaid managed care organization fraud, waste, and abuse prevention; and the OMIG self-disclosure program.
OMIG’s new regulations significantly revise the compliance-related obligations of New York State Medicaid program providers. These changes require providers to review and revise their compliance program–related documents and to dedicate additional resources, potentially including new staff, to ensure compliance with the new requirements by March 28, 2023. The following is a summary of the key changes set out in the new regulations.
Affected Providers
Much like the prior compliance program regulations, only certain Medicaid-enrolled providers must adopt and implement a compliance plan. Along with those provider types specifically set out in the regulations, a person who knows or reasonably expects the Medicaid program to be a “substantial portion of their business operations” is considered a required provider and must adopt and implement a compliance program. The threshold amount of Medicaid claims or receipts needed for a “substantial portion of business operations” is one important area of change under OMIG’s adopted regulations. The regulations increased the threshold amount of Medicaid claims or receipts a provider must have, or is reasonably expected to have, in any consecutive 12-month period from $500,000 to $1 million. The increased threshold amount will relieve many providers of their obligation to adhere to the compliance program requirements based on Medicaid claims or receipts. However, providers who meet the new $1 million threshold or who are one of the provider types set out in the regulations will need to continue to adhere to OMIG’s compliance program requirements.
Contractors
The new OMIG compliance program regulations explicitly include contractors, agents, subcontractors, and independent contractors (collectively referred to as contractors) affected by the required provider’s risk areas in the definition of “affected individuals” to whom a provider’s compliance program must apply. The new regulations also include specific provisions that must be included in agreements between providers and contractors. Providers must now ensure that these contracts include provisions specifying that the contractor is subject to the provider’s compliance program and allowing for termination of the agreement in the event that the contractor fails to adhere to the requirements of the provider’s compliance program. Importantly, however, contractors need only be subject to the provider’s compliance program to the extent that the contractor is affected by the provider’s compliance risk areas and only within the contractor’s contracted authority and the affected risk areas.
Compliance Risk Areas
OMIG’s new regulations set out 10 “risk areas,” or areas of operation affected by the compliance program that the program must apply to. Two of these risk areas—ordered services and contractor oversight—are new to providers familiar with OMIG’s previous compliance program requirements.
Additionally, OMIG’s previous catchall risk area—other risk areas that are or should with due diligence by identified by the provider—now encompasses risk areas that are or should reasonably be identified by the provider through “organizational experience.” The term organizational experience is defined in the new regulations and includes the provider’s knowledge, skill, practice, and understanding in operating its compliance program and its participation in the Medicaid program, including the results of audits, investigations, or reviews. Any issues or risk areas identified in the course of internal monitoring and auditing, as well as a provider’s awareness of any issues it should have reasonably become aware of for the provider’s categories of service, are also included in the definition.
Compliance Officers
In contrast to OMIG’s previous requirement that providers designate an employee that would be responsible for the operation of the provider’s compliance program, the new regulations require providers to designate a compliance officer—who need not be an employee but must be the focal point of the compliance program—to oversee, monitor, review, and be responsible for the day-to-day operation of the compliance program. The new regulations also require the provider to ensure that the compliance officer has sufficient staff and resources to satisfactorily perform their duties. The compliance officer’s responsibilities are described in detail in the new regulations and include drafting, implementing, and updating a compliance work plan for the coming year at least annually or as otherwise needed, among others.
The regulations also require compliance officers to meet reporting obligations, including reporting to the provider’s governing body, chief executive, and compliance committee on the progress of adopting, implementing, and maintaining the compliance program on at least a quarterly basis. Compliance officers are now also explicitly responsible for investigating and independently acting on matters related to the compliance program, including designing, coordinating, and documenting internal investigations and corrective actions.
Compliance Committees
The duties, responsibilities, and composition of providers’ compliance committees are also revised by the new compliance program regulations. These characteristics, as well as the committee’s membership (which consists of, at a minimum, senior managers), the designation of a chair, and frequency of meetings (at least quarterly) must be outlined in a charter, which the committee must review and update at least annually. Among other new responsibilities, compliance committees are obligated to advocate for sufficient funding, resources, and staff to allow the compliance officer to fully perform their duties and for the adoption and implementation of any required modifications to the provider’s compliance program.
Education and Training
The new regulations continue to require a compliance training and education program for the compliance officer and all affected individuals. Notably, this training and education must now occur at least annually (rather than periodically), and the regulations set out the minimum topics to be addressed. For example, compliance training and education must include the provider’s risk areas and organizational experience, reporting obligations, and disciplinary standards related to the compliance program.
Providers are now also required to develop and maintain a training plan. This plan must outline at least the subjects or topics for training and education, the timing and frequency of the training, the affected individuals that are required to attend, the method for tracking attendance, and how the effectiveness of the training provided will be periodically evaluated.
Written Policies and Procedures
According to the new regulations, providers must have written policies, procedures, and standards of conduct (formerly a code of conduct) that govern their compliance program. The written policies and procedures must cover several topics including, for example, dealing with compliance issues; a description of how compliance issues are investigated and resolved; disciplinary action for failure to comply with the policies, procedures, and applicable law; and a nonintimidation and nonretaliation policy for good-faith program participation. These policies and procedures must be reviewed at least annually, and providers must have a documented and established process for drafts, revisions, and approvals.
Compliance Program Effectiveness Reviews
OMIG’s new regulations obligate providers to perform an annual compliance program effectiveness review, which should include on-site visits, interviews with affected individuals, and a review of records and surveys. The process for, and the results of, the review should be documented and shared with the chief executive, senior management, compliance committee, and governing body.
Record Retention and Documentation Requirements
Where OMIG’s previous regulations were silent as to record retention requirements, the new regulations specify that providers must retain all records demonstrating the adoption, implementation, and operation of an effective compliance program and that all regulatory requirements have been met for at least six years from the date the program is implemented or amended.
Specific documentation requirements are also set out in the new regulations. For example, providers must ensure that compliance investigations are documented, including any alleged violations, a description of the investigative process, copies of interview notes, and any other documents that are essential to demonstrate that a thorough investigation of the issue was completed. Moreover, the design, implementation, and results of internal and external audits and the sharing of these results with the compliance committee and governing body must be documented.
Next Steps for Providers
OMIG’s new regulatory obligations essentially require a complete overhaul of any compliance programs that providers may currently have in place. Critically, a provider’s failure to review and revise their compliance program can lead to substantial negative consequences—such as recoupment of Medicaid program payments—as OMIG’s new regulations make clear that the adoption, implementation, and maintenance of an effective compliance program is a condition of Medicaid program payment. Additionally, OMIG may conduct, and the provider must respond to, compliance program reviews. These reviews can result in monetary penalties and even termination of a provider’s participation in the Medicaid program, and providers should expect enhanced scrutiny as a result of this review authority.
Attorneys on Barclay Damon’s Health & Human Services Providers Team are available to assist with reviewing and revising compliance plans and programs and will continue to monitor any developments and best practices.
If you have any questions about the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com, or another member of the firm’s Health & Human Services Providers Team.
iAccording to New York Social Services Law § 363-d(3)(c), enforcement of OMIG’s new compliance program regulations will not begin until 90 days after the regulations’ effective date, December 28, 2022.