The proposed regulations would significantly revise the compliance program obligations of New York Medicaid enrolled providers and Medicaid managed care organizations (MMCOs). The rules incorporate some of OMIG’s guidance issued to providers on compliance program best practices and expectations, which was available on OMIG’s website several years ago but has not been posted for some time now. The proposed rules also expand the requirement for MMCOs to have a Special Investigations Unit (SIU); build upon existing requirements related to plans’ fraud, waste and abuse prevention programs; and codify OMIG’s self-disclosure protocols for providers and MMCOs, with a few changes. If adopted, the rules would require providers and plans to review and revise the compliance program governing documents and to dedicate additional resources, and likely additional staff, to ensuring their compliance programs meet the new requirements.
Below we have listed several key changes set forth in the proposed regulations.
Proposed Revisions to Compliance Program Regulations
- Applicability. The proposed regulations would increase, from $500,000 to $1,000,000, the threshold of Medicaid revenue that is received (or reasonably expected to be received) by a provider that would mandate the adoption of a compliance program under this regulation. The proposed regulations also make the compliance program requirements expressly applicable to managed care providers and managed long-term care plans (MMCOs).
- Definitions. The proposed regulations add a definition of, among other terms, “Affected Individuals” who must be subject to and covered by a provider’s or an MMCO’s compliance program. Affected Individuals are defined as “all persons who are affected by the required provider’s risk areas including the required provider’s employees, the chief executive and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, and governing body and corporate officers” (emphasis added). Another notable term used throughout the proposed rule is “organizational experience,” which essentially refers to a provider’s experience in operating its compliance program and its understanding of the risks faced by the organization, given the services it delivers.3
- Condition of Payment. The proposed regulations make clear that the adoption, implementation and maintenance of an effective compliance program is a condition of payment, meaning that failure to adopt, implement or maintain a compliance program could result in a recoupment of Medicaid payments by OMIG.
- Contractors. The proposed regulations would require that all contracts with contractors, agents, subcontractors and independent contractors contain a provision that requires such parties to comply with the compliance program if those parties are Affected Individuals. The regulations also would permit the provider or MMCO to terminate the contract for a party’s failure to comply with the compliance program. If adopted, the rules will require providers and MMCOs to review their contracts with such Affected Individuals to ensure such a provision is included. In addition, the proposed regulations also identify and revise provider and MMCO risk areas and expressly include contractor oversight.
- MMCO Risk Areas. The proposed rules identify ten risk areas that an MMCO’s compliance program must address: cost reporting, encounter data submission, contractual compliance, network adequacy, provider and contractor oversight, underutilization, marketing, provision of medically unnecessary services, payments and claims processing, and statistically valid service verification.
- Annual Certification. The proposed rules would codify a long-standing OMIG requirement for providers (and make a new requirement for MMCOs) to certify at enrollment and annually thereafter that the organization has a compliance program with regard to the regulations, and to furnish a copy of the certification to each MMCO. Under the proposed rule, MMCOs must have a straightforward method for enabling providers to submit the certification on the MMCO’s website, which may include providing a dedicated email address to receive such submissions.
- Additional Requirements for an Effective Compliance Program Most compliance program documents will need to be updated to expressly incorporate and ensure implementation of the following proposed requirements for providers and MMCOs:
- Have a documented and established process for drafting, revising, and approving the required compliance program written policies and procedures.
- Include specific statements related to disciplinary action for failure to comply with the compliance policies and procedures and with applicable law.
- Perform a compliance program effectiveness review annually. This review should include on-site visits; interviews with Affected Individuals; and a review of records, surveys and other methods. The process for and the results of the review should be documented and shared with the chief executive, senior management, the compliance committee and the governing body.
- Require the compliance officer to:
- Draft, implement and update a compliance workplan annually.
- Report on the compliance program at least quarterly to the governing body, chief executive and compliance committee.
- Assist the provider in establishing methods to improve efficiency and quality of services, and in reducing the provider’s vulnerability to fraud, waste and abuse.
- Establish a compliance committee, setting forth its composition, responsibilities and meeting frequency in a dedicated charter.
- Ensure that compliance training and education programs address specific risk areas, organizational experience and other topics. Providers and MMCOs would likely need to create supplemental training if they have purchased off-the-shelf, generic compliance training or fraud, waste and abuse training modules.
- Post information on the compliance program, including the standards of conduct, on the provider’s or MMCO’s website.
- Formalize the audit program, and ensure documentation of the design, implementation, and results of internal and external audits as well as the sharing of results with the compliance committee and governing body.
- Ensure that compliance investigations are documented and include “any alleged violations, a description of the investigative process, copies of interview notes and other documents essential for demonstrating that the required provider completed a thorough investigation of the issue.”
- OMIG Compliance Program Reviews. The proposed regulations set forth the procedures pursuant to which OMIG may conduct, and the provider and MMCO shall respond to, a compliance program review. The regulations reserve OMIG’s right to separately review an MMCO’s compliance program as part of a Medicaid program integrity review. OMIG may impose monetary penalties and terminate a provider’s or MMCO’s participation in the Medicaid program based on its findings in the review.
Proposed Revisions to MMCO Fraud, Waste and Abuse Prevention Programs
The proposed regulations are in addition to the regulations imposed on plans subject to 10 NYCRR 98-1.21 and 11 NYCRR 86.6. However, to the extent that the proposed regulations conflict with those existing regulations, the proposed regulations will apply to MMCOs in regard to their participation in Medicaid. An MMCO’s fraud, waste and abuse prevention program should be incorporated into its compliance program. The most notable proposed regulations are as follows:
- An MMCO that has 1,000 or more members must have a full-time SIU that is separate and distinct from other units or functions of the SIU. Under the existing regulations indicated above, plans licensed under Article 44 of the Public Health Law are required to have an SIU only if they had 10,000 or more enrolled members.
- An MMCO must employ at least one full-time lead investigator and one SIU director. Unless alternative staffing levels are approved by OMIG, additional full-time investigators must be employed for each 60,000 enrollees for most MMCOs but 6,000 enrollees for managed long-term care plans. An MMCO shall employ investigators dedicated to servicing a particular county when that county on its own meets the designated, required investigator-to-enrollee ratio.
- In addition to investigators, the MMCO shall also employ or use existing employees who are certified coders, clinicians, data analysts or pharmacists to support the work of the SIU.
- The SIU investigator qualifications are similar to those set forth in the existing regulations.
- The proposed regulations set forth certain responsibilities that must be included in the SIU contract if the plan delegates the SIU functions (these requirements are in addition to those provisions that must be included given that this would be a delegation of management authority under 10 NYCRR 98-1.1).
- The SIU audits, investigations and reviews must involve at least one percent (1%) of the aggregated Medicare program claims it pays to providers and subcontractors, based on the total prior year’s claims paid by the MMCO. This is actually a smaller percentage than currently is imposed on managed long-term care plans that are required to have SIUs under the current Model Contract.4 Audits, investigations, and reviews must be of clinical and billing records to verify that no duplicate payments were made, appropriate services were rendered and billed, appropriate procedure codes were used, and accurate encounter data was reported to the department.
- The MMCO must post on its website information on how and where to report, return, and explain overpayments to the MMCO.
- The MMCO’s fraud, waste and abuse prevention plan must be submitted to OMIG within 90 calendar days of the effective date of these proposed regulations and upon signing a new contract with the New York State Department of Health. The plan must include, among other things, allocation of an SIU investigator’s efforts devoted to New York cases if the investigator is working across multiple states.
- The proposed regulations contain specific requirements regarding what must be addressed in the annual report on fraud, waste and abuse prevention activities.
Proposed Self-Disclosure Program Regulations
The proposed regulations restate much of the language set forth in subsection 7 of Section 363-d of the Social Services Law, which became effective on April 1, 2020. Stated in the proposed regulations are most of the requirements previously included in prior guidance issued by OMIG and mirrors most of the federal guidance issued on returning overpayments. The proposed regulations state that a “person has identified an overpayment when that person has or should have through the exercise of reasonable diligence, determined that they have received an overpayment and quantified the amount of the overpayment,” and that such overpayment must be returned within 60 days from the date it was identified or the date any corresponding cost report is due.
The proposed regulations also state that a person who reports, returns and explains an overpayment to an MMCO is considered to have met the requirements of the proposed regulations.
The proposed regulations also contain the following notable provisions:
- The Self-Disclosure Statement must be signed by the submitter’s compliance officer, or if a compliance officer is not required under regulation, then by the submitter’s chief executive officer, chief operating officer, senior manager or solo practitioner. OMIG must acknowledge receipt and review the Self-Disclosure Statement within 20 days of the submission. Upon completion of its preliminary review, OMIG must notify the submitter that OMIG either accepts the submission or returns the submission as incomplete (identifying the information and data needed to complete the submission).
- If OMIG requests additional information or data related to the self-disclosure, the submitter must respond with such information or data within 15 days of the request unless there is good cause and OMIG grants an extension based on the showing of such good cause. Failure by a submitter to respond within the required time frame will result in the submission being returned as complete and the tolling of the deadline to report an overpayment.
- Once OMIG has sent the submitter the Self-Disclosure and Compliance Agreement, it must be executed and returned to OMIG within 15 days unless another time frame is authorized by OMIG.
Comments on the proposed regulations will be accepted until Sunday, September 11, 2022 and should be sent to firstname.lastname@example.org.
1 Vol. XLIV, Issue 28 (July 13, 2022), pgs. 14-19, available at https://dos.ny.gov/system/files/documents/2022/07/071322.pdf.
2 Chapter 56 of the Laws of 2020, Part QQ.
3 The full proposed definition of “organizational experience” is the required provider’s “(i) knowledge, skill, practice and understanding in operating its compliance program; (ii) identification of any issues or risk areas in the course of its internal monitoring and auditing activities; (iii) experience, knowledge, skill, practice, and understanding of its participation in the MA program and the results of any audits, investigations or reviews it has been the subject of; or (iv) awareness of any issues it should have reasonably become aware of for its category or categories of service.”
4 See Section Y(4) of Article V of the Managed Long Term Care Partial Capitation Contract.