Healthcare Law Alert: Office of Medicaid Inspector General’s Proposed Compliance Program Regulations will require significant updates to Provider Compliance Program and Policies

Following up on changes made in April of 2020 to NY Social Services Law Section 363-d, OMIG published proposed compliance program regulations on July 13, 2022. The full text of the proposed regulations is available from OMIG’s website:

For providers conversant with OMIG’s previously published guidance, the Compliance Program Effectiveness Tool, many of these concepts will be familiar. However, the proposed rules expand on that guidance, making previous “best practices” mandatory requirements under the new regime. While some of these changes were foreshadowed in the April 2020 updates to Section 363-d, the new regulations, if adopted as proposed, will require significant updates to Compliance Program policies and procedures. The changes are also likely to require the dedication of significant additional resources to compliance departments.

If you are feeling overwhelmed, you are in good company. We detail below the significant proposed changes, outlining those areas most likely to need updating should the proposed regulations be finalized in their current form.

  • Required Providers. Medicaid managed care organizations, including managed long term plans, are now included among those providers required to maintain a Compliance Program.
  • Risk Areas and Affected Individuals. Previously, the Compliance Program had to take into consideration six specific risk areas, as well as one “catch-all” category. Two new Risk Areas have now been identified by OMIG: 1) ordered services; and 2) contractor, subcontractor, agent or independent contract oversight. This definition dovetails with the definition of those “Affected Individuals” who must be subject to the Compliance Program, which OMIG defines to include “all persons who are affected by the required provider’s risk areas including the required provider’s employees, the chief executive and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, and governing body and corporate officers.” So any contractor who would be “affected by” the provider’s risk areas must agree to adhere to the Compliance Program. In addition, the provider must have the ability to terminate any contract for failure to adhere to the Compliance Program. Additional Risk Areas apply to Managed Care Organizations.
  • Effective Compliance Program. OMIG includes a specific definition of what it means by “effective”: a program that is “a compliance program adopted and implemented by the required provider that, at a minimum, satisfies the requirements of [Part 521]”; is “well-integrated” into provider operations, including support by the CEO, senior management and governing body; and “promotes adherence” to the provider’s legal and ethical obligations. Recall that the existence of an effective Compliance Program is also a “condition of payment”, meaning that a provider’s receipt of Medicaid reimbursement could be jeopardized for failure to maintain a Compliance Program that satisfies the new requirements.
  • Written Policies. While the need for extensive written policies is not new, OMIG now says these policies must be available, accessible and applicable to all Affected Individuals, suggesting that all written policies should be posted on the provider’s website. A new challenge will be adequately documenting “implementation” of written policies. Policies and procedures must also describe the “structure” of the Compliance Program, including the responsibilities of all Affected Individuals in carrying out the functions of the Compliance Program.
  • Disciplinary Standards. A provider’s written policies must “establish the degrees of disciplinary actions” the provider will take, “with intentional or reckless behavior being subject to more significant sanctions.” Written policies must also “outline the procedures for taking disciplinary action and sanctioning individuals.”
  • Annual Review and Audit of the Compliance Program. Written policies and procedures must be reviewed at least annually to determine if standards have been “implemented”; whether Affected Individuals are following the policies; and whether any updates are required. The effectiveness of the Compliance Program must also be audited on an annual basis, and as described below, there is a strong suggestion that such audits must be completed externally.
  • Compliance Officer. As announced with the statutory changes, this individual no longer needs to be a W-2 employee. OMIG will now make it a regulatory requirement for the Compliance Officer to draft compliance work plans outlining the proposed strategy for meeting OMIG’s compliance program requirements. The work plan should give specific emphasis to written policies; training and education; auditing; and the provider’s response to compliance issues. The Compliance Officer must report directly to the governing body, CEO and compliance committee at least quarterly.
  • Compliance Committee. As announced with the statutory change, providers must have a designated Compliance Committee. This committee must now have a written charter detailing its responsibilities, membership and designation of a chair, and must be reviewed and updated annually. The committee must (i) meet at least quarterly; (ii) include participation by “senior managers”; and (iii) report directly to the CEO and the governing body.
  • Training and Education. Training must include a review of the provider’s Risk Areas and “Organizational Experience” with compliance, which is defined by OMIG as a provider’s: “(i) knowledge, skill, practice and understanding in operating its compliance program; (ii) identification of any issues or risk areas in the course of its internal monitoring and auditing activities; (iii) experience, knowledge, skill, practice and understanding of its participation in the MA program and the results of any audits, investigations, or reviews it has been the subject of; or (iv) awareness of any issues it should have reasonably become aware of for its category or categories of service.” Training should also include a review of the provider’s disciplinary standards, coding and billing practices, claim development and submission (as applicable), and Medicaid requirements specific to the provider’s categories of service. Each provider must also develop a “training plan” outlining the subjects for training; the timing and frequency of training; who will attend; and how attendance will be tracked. The Compliance Officer and all Affected Individuals must receive training annually.
  • Lines of Communication. While providers are certainly familiar with the need to maintain a compliance “hotline”, a new twist is that the lines of communication to the Compliance Officer must also be publicized to Medicaid beneficiaries. In addition, Compliance Program information “shall” be made available on the provider’s website, including the provider’s standards of conduct.
  • Auditing and Monitoring. Providers must perform “ongoing audits by internal or external auditors” with experience in state and federal Medicaid program requirements and applicable law. As noted above, OMIG includes a specific requirement that the Compliance Program must be audited at least annually. Moreover, because this review must be conducted by individuals who are “independent from the functions being reviewed”, there is a strong suggestion that such audits would need to be conducted by an external auditor.
  • Excluded Providers. Though most providers likely conduct exclusion checks on a monthly basis as a best practice, the proposed regulations make the monthly check a regulatory requirement.
  • Responding to Compliance Issues. The proposed regulations include detailed requirements for how compliance investigations are documented, requiring a description of alleged violations; the investigative process; copies of interview notes; and other “documents essential for demonstrating that the required provider completed a thorough investigation of the issue.”
  • Medicaid Overpayments. The proposed regulations further codify changes to Section 363-d regarding reporting and returning Medicaid overpayments and add regulatory formality to OMIG’s Self-Disclosure Program. Reiterating the statutory language, the regulations provide that a person has “identified an overpayment when that person has or should have through the exercise of reasonable diligence, determined that they have received an overpayment and quantified the amount of the overpayment,” and that such overpayment must be returned within 60 days from the date it was identified or the date any corresponding cost report is due.
  • Record Retention. Providers would be required to retain all records demonstrating adoption, implementation and operation of an Effective Compliance Program for six years from the date of implementation or amendment. Managed Care Organizations would be required to maintain such documentation for 10 years.

As noted, these regulations are proposed and will not be binding until finalized. Public comments on the proposed regulations may be submitted to until September 12, 2022.


This communication is for informational purposes and is not intended as legal advice.