NYS Office of the Medicaid Inspector General

Mandatory Provider Compliance Programs

Frequently Asked Questions

Mandatory Provider Compliance Programs

(Revised: 12/21/2009)

THE MANDATORY COMPLIANCE LAW

Chapter 442 of the Laws of 2006, which established the New York State Office of the Medicaid Inspector General (OMIG), also created a new Social Services Law § 363-d which requires that Medicaid providers develop, adopt and implement effective compliance programs aimed at detecting fraud, waste, and abuse in the Medicaid program.

WHAT IS THE PURPOSE AND INTENT OF THE MANDATORY COMPLIANCE LAW?

The purpose of directing Medicaid providers to implement a compliance program is to ensure providers establish systemic checks and balances to detect and prevent inaccurate billing and inappropriate practices in the Medicaid program.

ARE THE MANDATORY COMPLIANCE PROVISIONS RELATED TO THE DRA REQUIREMENTS?

While the mandatory compliance requirements contained in Social Services Law § 363-d and 18 NYCRR Part 521, and the Deficit Reduction Act (DRA) obligations found in 42 USC § 1396a (a)(68) address similar areas and each has a certification requirement, there are significant differences in which providers are covered and the scope of provider responsibilities.

Providers required to meet both provisions typically include the DRA requirements in their more comprehensive mandatory compliance programs.

WHO MUST HAVE A COMPLIANCE PROGRAM?

The Mandatory Compliance Law applies to Medicaid providers operating under Articles 28 or 36 of the Public Health Law, Articles 16 or 31 of the Mental Hygiene Law and those providers of care, services and supplies for which the Medicaid program “constitutes a substantial portion of their business operations,” which the Office of the Medicaid Inspector General has defined under 18 NYCRR § 521.2 (b) as ordering, providing, billing or claiming $500,000 or more from Medicaid in a 12-month period. The $500,000 threshold applies if a provider receives the reimbursement directly or indirectly from Medicaid funds. If the provider meets either the statutory provisions or monetary thresholds, there are no exemptions. For example, the law is applicable to early intervention, school supportive, state and county-run providers, etc.

IN MULTIPLE PROVIDER SYSTEMS, WHO IS RESPONSIBLE FOR DEVELOPING PROVIDER COMPLIANCE PROGRAMS?

Each covered provider must develop, adopt and implement an effective compliance program that is appropriate to its characteristics. Affiliated providers may operate under the umbrella compliance program of its parent organization, as long as the compliance program address the core requirements as provided by the regulation and is specific enough to address the structure, operations and risk areas of each affiliate.

*NEW*

IS THERE AN EQUIVALENT “MULTIPLE PROVIDER SYSTEM” APPROACH FOR NON-PUBLIC EI, PRE-SCHOOL AND SCHOOL AGE SPECIAL EDUCATION PROGRAMS?

The OMIG has had several discussions with non-public providers of EI and special education services including §4410 and “853” schools and with county officials and school districts. Given the nature of the referral and billing relationship between/with counties, districts and these types of providers, to avoid unnecessary duplication of effort and costs to contracted providers of services, the OMIG supports an approach where the county/district incorporates (covers) early intervention, pre-school, and school-age special education providers under the county’s or district’s compliance program (including, for example, the sharing of resources - - such as a toll free hot line). In such cases, the OMIG would expect an appropriate written agreement detailing the respective responsibilities of the parties. Such agreements may include, be incorporated in, or be ancillary to, the contract for the provision of such services executed by the county/district and provider which includes provision for Medicaid payments and reimbursement including statements of reassignment, record maintenance, quality assurance review and liability of providers for failure to support the county/district relative to special services and programs paid by or reimbursed through Medicaid.

Notwithstanding the other compliance related functions performed by the County and/or District, the OMIG assumes that early intervention, preschool and school age special education providers will ensure an internal compliance presence by designating an employee who has an understanding of the culture and operations of the provider, to address issues raised by provider staff and to coordinate those compliance initiatives handled by the provider in satisfaction of Part 521 requirements governing compliance officers.

DO ALL PROVIDERS THAT ARE COVERED BY THE LAW, REGARDLESS OF SIZE, HAVE TO MEET THE SAME REQUIREMENTS?

The law contains a set of minimum core requirements that are applicable to all providers, regardless of size. However, the OMIG recognizes that there is no “one size fits all” approach to compliance and an effective compliance program must be tailored to a provider’s size, scope of items or services provided, complexity, resources and culture.

AT A MINIMUM, WHAT MUST A COMPLIANCE PROGRAM CONTAIN?

Provider compliance programs should apply to, at a minimum, billings to and payments from the medical assistance program. The law contains only the minimum requirements, including the following eight core requirements:

→ Write policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on dealing with potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel, and describe how potential compliance problems are investigated and resolved.

→ Designate an employee vested with responsibility for the day-to-day operation of the compliance program; the designated employee's duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; the employee shall report directly to the entity's chief executive or other senior administrator and shall periodically report directly to the governing body on the activities of the compliance program.

→ Train and educate all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations and the compliance program operation. Training shall occur periodically and be made a part of the orientation for a new employee, appointee or associate, executive and governing body member.

→ Establish communication lines to the designated compliance person, accessible to all employees, persons associated with the provider, executives and governing body members, allowing compliance issues to be reported. Communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified.

→ Establish disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assist in their resolution and outline sanctions for:
(1) failing to report suspected problems;
(2) participating in non-compliant behavior; and/or
(3) encouraging, directing, facilitating or permitting non-compliant behavior.

Disciplinary policies shall be fairly and firmly enforced.

→ Create a system for routine identification of compliance risk areas specific to the provider type for self-evaluation, including internal audits, and, when appropriate, external audits for evaluation of potential or identified non-compliance.

→ Establish systems for responding to compliance issues as they are raised; investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting identified problems promptly and thoroughly; implementing policies, procedures and systems to reduce the potential for recurrence; identifying and reporting compliance issues to the OMIG or the DOH; and refunding overpayments.

→ Establish a policy of non-intimidation and non-retaliation for good-faith participation in the compliance program, including but not limited to: reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections seven hundred forty and seven hundred forty-one of the labor law (new whistleblower provisions for health care fraud).

WILL THE OMIG PROVIDE GUIDELINES OR MODEL COMPLIANCE PLANS ON ITS WEBSITE TO ASSIST PROVIDERS?

The OMIG is in the process of drafting industry-specific guidelines that reflect the requirements of the Mandatory Compliance Law and will make them available on its web site. The OMIG does not anticipate issuing model compliance plans or templates.

WILL THE OMIG PROVIDE TECHNICAL ASSISTANCE TO PROVIDERS UPON REQUEST?

The OMIG will offer guidelines on its web site. Additionally, OMIG representatives speak frequently at various provider and representative association events. Providers are encouraged to monitor OMIG Corporate Integrity Agreements (CIAs) for compliance-related provisions. Copies of all executed OMIG CIAs will be published on the OMIG web site.

HOW WILL THE MANDATORY COMPLIANCE LAW IMPACT PROVIDERS?

The OMIG has the authority to determine, at any time, if Medicaid providers covered by the Mandatory Compliance Law have established effective compliance programs. Upon enrollment in the Medicaid program, new providers must satisfactorily meet the requirements of the Mandatory Compliance Law.

WHAT ARE THE POSSIBLE CONSEQUENCES FOR FAILING TO ADOPT AN EFFECTIVE COMPLIANCE PROGRAM?

As of October 1, 2009, the OMIG is authorized to impose sanctions or penalties, including, but not limited to, the revocation of the provider's agreement to participate in the Medicaid program against providers who fail to develop, adopt and implement an effective compliance program.

IS THERE AN EXCEPTION TO THE MANDATORY COMPLIANCE LAW?

The Mandatory Compliance Law provides that “a compliance program that is accepted by the United States Department of Health and Human Services Office of Inspector General and remains in compliance with the standards promulgated by such office shall be deemed in compliance with the provision of this law.” However, the US HHS OIG does not review and “accept” provider compliance plans. A compliance program may be a part of more comprehensive compliance activities so long as the minimum requirements of the law and implementing regulations are met.

WHAT IS THE PROCESS FOR CERTIFICATION UNDER THE MANDATORY COMPLIANCE LAW?

The OMIG has developed an on-line certification form through its web site. Covered providers who apply for enrollment into the MA program will be required to certify upon enrollment and on or before December 31 annually. Participating providers who fall under the requirements of the regulations and who are currently enrolled in the MA program will be required to certify on or before December 31, 2009 and on or before December 31 each year thereafter. The OMIG has modified the Certification form, and the updated version will be posted at www.omig.state.ny.us by Friday, November 20, 2009. Providers who have previously submitted an electronic certification have the option of submitting a new certification form but will not be required to do so.

CAN PROVIDERS SUBMIT PAPER CERTIFICATIONS?

No. Only on-line certifications will be accepted.

WILL PROVIDERS RECEIVE A CONFIRMATION OF RECEIPT?

An electronic confirmation will be generated upon submission of the certification. This electronic confirmation will be in the form of a printable page with a confirmation number on it. The provider should print this confirmation page for their records and retain it as proof of certification. The confirmation page will only be available at the time of the form submission.

NOTE: There will be no confirmation email sent regarding the compliance certification.

WHO SHOULD SIGN THE CERTIFICATION?

The OMIG strongly encourages that someone from senior management (other than the compliance officer) or a member of the governing authority sign the certification as an indication that the provider’s compliance efforts and responsibilities extend beyond the compliance officer.

DOES A PROVIDER HAVE TO SUBMIT A SEPARATE CERTIFICATION FOR EACH LOCATION OR PROVIDER NUMBER?

Providers with multiple locations, affiliates or provider numbers may submit a single certification and list the relevant provider numbers associated with that certification. However, there are separate certification forms for mandatory compliance and DRA requirements.

WHAT IS THE CONSEQUENCE OF A PROVIDER’S FAILURE TO CERTIFY?

The OMIG is authorized to impose administrative sanctions, up to and including exclusion from the program, against providers who fail to certify to the existence of an effective compliance program.

SHOULD PROVIDERS SUBMIT A COPY OF THEIR COMPLIANCE PLAN ALONG WITH THE CERTIFICATION?

No, OMIG will specifically request a copy of a provider’s compliance program when the OMIG is interested in evaluating a particular provider’s compliance with the Mandatory Compliance Law.