On December 28, 2022, the New York State Office of the Medicaid Inspector General (OMIG) issued new, detailed regulations that require Medicaid-enrolled providers and contractors of providers to maintain provider compliance programs and require Medicaid managed care organizations (MMCOs) to maintain fraud, waste, and abuse prevention programs and codify in regulation obligations to self-disclose Medicaid overpayments. The OMIG’s new regulations entirely replace the former 18 NYCRR Part 521, which was comparatively brief.
Although many parts of the OMIG’s new regulations reflect existing state and federal law and guidance, other requirements are new. Compliance officers are encouraged to review their compliance programs to ensure they remain consistent with the OMIG’s new regulations.
New Provider Compliance Program Requirements
Although providers have long been required to maintain compliance programs, the new standards in 18 NYCRR Subpart 521-1 are significantly more detailed. Additionally, the old regulations included a presumption that a provider’s compliance program was adequate if it complied with industry-specific guidance published by the federal Department of Health and Human Services Office of Inspector General (OIG). The OMIG’s new regulations contain no such presumption; instead, they directly specify the elements that all provider compliance programs must contain.
Highlights from the new Subpart 521-1 include:
- Providers must have a compliance officer responsible for the day-to-day operation of the compliance program—the compliance officer must update the compliance program at least annually
- Providers must designate a compliance committee that coordinates with the compliance officer to ensure that the provider is conducting its operations consistent with the compliance program
- Notably, the compliance committee must be comprised of, at a minimum, “senior managers” who meet at least quarterly—the term “senior manager” is not defined
- Providers must adopt and implement an annual training program that covers nine different topic areas, including, but not limited to, risk areas, policies and procedures, compliance officer and compliance committee roles, internal reporting of potential compliance issues, and claim, coding, and billing requirements
- Compliance programs must address the risk areas identified in the regulation, including, but not limited to, billing, medical necessity, quality of care, mandatory reporting, and other risk areas that “should reasonably be identified” by the provider—those risk areas should come as no surprise, but the regulations now include additional detail
- Significantly, if a provider’s contractor is “affected by” any risk areas, the contract between the parties must specify that the contractor is subject to the provider’s compliance program in those risk areas
- The OMIG’s regulations do not explain how to determine whether a contractor is “affected by” a provider’s risk area
- The OMIG indicated that it would issue guidance for those contractors subject to both the contractor’s own provider compliance program and the compliance programs of other providers
- The OMIG’s pending guidance may also address how to determine whether a contractor is “affected by” a risk area
- In the meantime, providers are encouraged to evaluate their contracted services on a case-by-case basis to determine whether any contract service could be deemed “affected by” a particular risk area
- Additionally, contracts for services that are affected by a risk area must contain a clause that allows the provider to terminate the contract if the contractor fails to adhere to the provider’s compliance program
- In its response to public comments, the OMIG stated that it will only enforce this requirement “for contracts executed or renewed starting 90 days and no later than [two] years from the effective date” of the new regulations—i.e., from March 28, 2023, until December 28, 2024—and that this enforcement policy will be “confirmed in guidance”
- Compliance programs must, among other requirements, include written policies and procedures that describe the provider’s internal compliance expectations “as embodied in standards of conduct,” document the compliance program’s structure and individual roles, explain how compliance issues will be addressed, and establish policies for both employee discipline and non-retaliation
- These requirements are largely consistent with existing state law and federal guidance; however, the regulations establishing these requirements are now substantially more detailed
- Providers must implement systems to receive and address reports, including confidential reports, of compliance issues
- Providers must perform “routine” audits, using internal and/or external auditors, which focus on the required risk areas—government audits do not count
- Providers must also review their compliance programs at least annually and document their findings
- Providers will continue to annually certify that their compliance programs meet the requirements of the OMIG’s regulations
- Additionally, MMCOs will be required to collect these certifications from participating providers via a website or dedicated email address
Significantly, the OMIG’s new regulations apply only to those providers that claim or receive at least $1 million annually from the New York State Medicaid program—an increase from the previous threshold of $500,000 in Medicaid revenue.
The OMIG must notify a provider whenever it intends to review the provider’s compliance program. Providers will have 30 days to respond to such a notice, which the OMIG may extend by an additional 30 days “for good cause shown.”
New Self-Disclosure Regulations
Consistent with the federal Affordable Care Act, providers continue to have an affirmative obligation to report, return, and explain any overpayments from the NYS Medicaid Program to the OMIG. In general, the deadline for returning overpayments to the OMIG is the later of (i) 60 days after the overpayment is identified or (ii) the date any corresponding cost report is due. An overpayment is identified when a person has identified, or “should have” identified, the overpayment “through the exercise of reasonable diligence.” This deadline is tolled when the OMIG’s Self-Disclosure Program acknowledges receipt of a Self-Disclosure Statement.
The OMIG’s new regulations largely codify previous self-disclosure policies. The regulations now specify that a provider’s Self-Disclosure Statement must contain a “detailed explanation” of the circumstances that gave rise to the overpayment, how the overpayment was discovered, and the provider’s corrective actions, among other required elements. Notably, the provider’s compliance officer must sign the Self-Disclosure Statement.
Providers that submit a Self-Disclosure Statement by the regulatory deadline may request a waiver of interest and a repayment plan. (A provider is not eligible to make these requests, however, if the OMIG was already auditing, investigating, or reviewing an overpayment related to the provider’s self-disclosure.) The OMIG’s Self-Disclosure Form and instructions are available online.
If the OMIG agrees to waive interest and allow repayments by installment, the OMIG will memorialize the repayment terms in a Self-Disclosure and Compliance Agreement (SDCA), which the provider must timely execute and return. The new regulations provide that the OMIG will terminate the SDCA if the OMIG determines that the provider gave false information or withheld material information or if the OMIG determines that the provider has “attempt[ed] to defeat or evade” its repayment obligations. If the OMIG terminates the SDCA, the regulations state that the full amount of the overpayment will become due.