On January 31, 2023, the New York State Office of the Medicaid Inspector General (OMIG) issued extensive guidance on how it views and will measure the efficacy of mandatory compliance programs for certain Medicaid-participating providers. This guidance follows OMIG’s December 28, 2022, issuance of final regulations overhauling the requirements for health care provider compliance programs.
One major element of the new regulations is that having an “effective” compliance program has been made a “condition of payment” for Medicaid claims. This means if a provider does not have (or cannot prove that it has) an effective compliance program, payment of its Medicaid claims can be at risk. For this reason, the guidance focuses on how OMIG (and therefore affected providers) will determine whether a compliance program is “effective”.
An “effective compliance program” is defined as one that:
- is well-integrated into the company’s operations and supported by the highest levels of the organization, including the chief executive, senior management, and the governing body;
- promotes adherence to the required provider’s legal and ethical obligations; and
- is reasonably designed and implemented to prevent, detect, and correct non-compliance with [Medicaid] program requirements, including fraud, waste, and abuse most likely to occur for the required provider’s risk areas and organizational experience. 18 NYCRR 521-1.2(b)(3).
The regulations also lay out the following eight required elements of mandated compliance programs:
- written policies and procedures and standards of conduct;
- a designated Compliance Officer;
- a Compliance Committee;
- training and education;
- effective lines of communication;
- disciplinary standards for identified noncompliance;
- auditing and monitoring; and
- systems for responding to compliance issues.
The guidance gives examples of what documentation OMIG believes can serve as objective evidence that each separate element of the mandated compliance program is “effective”. For example, the guidance suggests that evidence of effective lines of communication relative to compliance issues may include documentation identifying how the various lines of communication to the Compliance Officer were publicized, including dated distribution letters to all Medicaid recipients of services and Affected Individuals (e.g., employees, independent contractors, senior executives, Board members, etc.); screenshots of intranet communications on lines of communication with affirmations as to the dates during which such notifications were available on the intranet; and compliance posters identifying how to access lines of communication, along with affirmations as to when and where such posters were placed.
Another significant addition to the new regulations is the requirement that providers annually assess the efficacy of their compliance programs, with the regulations suggesting that external audits are preferred (to avoid conflicts of interest in the assessment). The focus on evidence of “effectiveness” suggests that providers should secure written reviews of their compliance program effectiveness annually and adjust their policies, procedures and/or work plans to address any shortcomings such reviews expose.
The guidance also includes a description of OMIG’s internal review procedures for determining whether a provider’s compliance program satisfies the legal requirements. This description includes several noteworthy points, such as:
- Documentation must be dated to show the documents (or versions of them) were in place throughout the audit period; and
- OMIG will assess provider performance on each required element, assign a PER MONTH score for each element, and calculate an average monthly score for each month during the audit period. An average monthly score of 60% or higher is required to avoid the possible imposition of financial penalties.
The guidance also references an online Review Module that providers undergoing an OMIG review must complete and submit. That module is not currently available on OMIG’s website; once available it will likewise assist providers in understanding exactly what information and supporting documentation OMIG may be looking for. For the time being, the examples in the guidance can help providers collect, maintain, and put in place documentation and other evidence supporting the efficacy of their compliance program.
We will provide updates as more information is available. Any providers with questions about the new regulations and the focus on compliance program effectiveness are encouraged to contact any of the attorneys in our Healthcare Industry Group.
 The guidance notably combines the discussion of the Compliance Officer and the Compliance Committee into one element. Thus, the guidance references only seven elements.