The New York State Office of the Medicaid Inspector General (OMIG) considers an “effective compliance program” to be a compliance initiative that is adopted and implemented by the health-care provider that, at a minimum, satisfies compliance program requirements and is designed to be compatible with the provider’s characteristics.
A provider that is not effectively monitoring its compliance with state and federal Medicaid requirements is potentially exposed to increased operational, reputational, service and audit risks, as well as sanctions and the repayment of identified Medicaid overpayments.
One of the most recent statutory requirements that health-care providers need to be aware of in order to maintain an effective compliance program is 18 NYCRR Part 521. Effective on April 1, 2020, the Social Services Law (SOS) 363-D was amended to make changes to the mandatory compliance program requirements and permit the imposition of a monetary penalty for failing to adopt and implement an effective compliance program. Following years of updates, OMIG released the final 18 NYCRR Part 521 regulations to meet the amendments of the Social Services Law Section 363-D on December 28, 2022. Now, as of March 28, 2023, New York State providers are susceptible to compliance-program audits, and to corresponding sanctions or penalties related to these updated guidelines.
To maintain an effective compliance program in accordance with these updated regulations, and avoid non-compliance penalties associated with compliance-program audits, providers must ensure they fully understand these compliance-program updates and implement the appropriate changes within their organization.
OMIG recently released a Compliance Program Guidance document designed to assist providers who must adopt and implement programs designed to detect, prevent, report and correct incidents of fraud, waste, and abuse in the Medicaid program. Addendum A to this guidance document identifies the changes in compliance program requirements between 18 NYCRR Part 521 (effective July 1, 2009) and SubPart 521-1 (effective Dec. 28, 2022). Some of the key updates include the following:
1. Establishment of a Compliance Committee
To demonstrate that their compliance program is well-integrated into the company’s operations, and supported by the highest levels of the organization, providers must appoint a compliance committee. This committee must consist of senior leadership, coordinate with the organization’s designated compliance officer and report directly to the chief executive and governing body. The committee must also meet on a quarterly basis and possess a charter, which is to be reviewed at least once annually.
Examples of documentation that the provider may use to demonstrate it has met the compliance-committee requirements include a committee charter, list of committee members, minutes from quarterly committee meetings, evidence of annual committee charter reviews, organization charts demonstrating the reporting structure of the committee and quarterly reports from the committee to the organization’s chief executive and governing body.
2. Policies and Procedures
Under the new compliance-program regulations, providers must have written policies, procedures and standards of conduct outlining the structure of the compliance program, the responsibilities of all affected individuals in carrying out the functions of the program, and the methods and procedures for communicating compliance issues or concerns, compliance investigations, and non-retaliation for good-faith participation. Once drafted, these written policies and procedures should be distributed to all affected individuals. These policies, procedures, and standards must also be reviewed at least once annually and updated as necessary.
Evidence that can be provided during compliance-program audits to prove written policies and procedures were in effect includes a detailed set of written compliance policies, documentation of annual review of these policies, evidence that the policies were distributed to all affected individuals and demonstration that the policies were operating, such as training conducted, investigations commenced, and corrective actions administered.
3. Assessment of Compliance Program Effectiveness
As part of the recently finalized regulations, New York State providers must also complete an annual compliance program effectiveness review. This review can be conducted internally by the compliance officer of the compliance committee, as well as an external auditor, and should include on-site visits, interviews with staff, record review and surveys. Providers should also review and update their policies and procedures, survey their culture of compliance and conduct testing to confirm their established controls are working. A compliance program can be deemed effective when it is fully rooted in all aspects of an organization.
Providers should be sure to document implementation of the review. All results and corrective actions implemented should also be documented and shared with the compliance committee, chief executive, and governing body.
As previously stated, the compliance-program requirements described above are not an exhaustive list of the new 18 NYCRR Part 521 regulations and represent only a selection of key updates. In order to maintain an effective compliance program in accordance with these new regulations, providers must diligently familiarize themselves with the entirety of the regulatory changes. Organizations may also consider aligning with a trusted advisor who can provide further guidance and ensure their compliance program satisfies the necessary requirements.
Paul Mayer is a partner with The Bonadio Group’s Compliance Solutions Division with more than 15 years of experience in not-for-profit settings. He has held positions of corporate compliance officer, director of corporate compliance, process integrity coordinator, and case manager for organizations regulated by local, state and federal laws.