
May 12, 2023
Health Law Weekly

Rethinking Compliance: New Requirements for New York Medicaid Providers and Plans

  • Jessica Robinson Hanna, Hogan Lovells US LLP
  • James Huang, Hogan Lovells US LLP
  • Jeffrey Schneider, Hogan Lovells US LLP

New York has recently implemented new and more granular compliance program requirements affecting Medicaid providers and certain Medicaid plans doing business in the state. These changes warrant significant consideration for New York Medicaid enrolled providers and plans and may require re-evaluation of current compliance program operations.

Since 2009, New York has required certain Medicaid providers to implement and maintain an “effective compliance program” under section 363-D of article 5, title 11 of the New York Social Services Law (as amended, collectively with all implementing regulations and guidance, referred to hereinafter as the “Compliance Program Law”).[1] In 2020, the Compliance Program Law was amended by the legislature to significantly enhance the breadth of the law’s requirements. Notably, the 2020 amendment expanded the scope of the compliance program requirements to include Medicaid managed care plans and Medicaid long term care plans (collectively “Medicaid Managed Care Organizations” or MMCOs) and broadened enforcement options available to the New York Office of the Medicaid Inspector General (OMIG). New regulations recently promulgated by OMIG in accordance with the amended statute impose significantly more detailed requirements than previously with respect to compliance program implementation. The new regulations are found at Title 18 of the New York Code of Rules and Regulations, Part 521 (and replace the former Part 521, which contained the more limited requirements).

OMIG’s new regulations implementing the amended Compliance Program Law took effect on March 28, 2023. This means that New York Medicaid enrolled health care providers and plans are now subject to these significant new compliance program requirements. There are three key takeaways for Medicaid enrolled health care providers and plans about the new requirements:

  • First, as noted above, the Compliance Program Law now applies to MMCOs. MMCOs should therefore ensure that any existing compliance program is aligned with the new and detailed requirements imposed under the amended Compliance Program Law (and, if any MMCO does not already have a compliance program in place, it should implement one).
  • Second, while the Compliance Program Law’s new requirements in some ways parallel existing federal guidance from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG), Department of Justice (DOJ), and the United States Sentencing Commission, those federal guidance materials are voluntary. By contrast, the New York requirements are mandatory for individuals and entities subject to the Compliance Program Law (referred to as “Required Providers”).[2] In multiple important areas, the Compliance Program Law requirements are also more detailed than the existing federal guidance, so entities that have designed their compliance program based on the federal guidance may need to implement enhancements to align with the Compliance Program Law.
  • Third, as amended, the Compliance Program Law is also much more detailed than what was previously required under New York state law. So Required Providers with existing compliance programs designed to comply with previous state law obligations are likely to also need to make substantial updates.

The new Compliance Program Law requirements are highly detailed. Selected key provisions of the new Compliance Program Law requirements are summarized below:

  • Required Providers. Historically, hospitals, residential health care facilities, home care services agencies, providers of developmental disability services, providers of mental disability services, and other individuals or entities for whom the Medicaid program is a “substantial portion of their business operations” (i.e., if the individual or entity claimed, ordered, or received or can reasonably be expected to claim, order, or receive in any consecutive 12-month period $500,000 or more directly or indirectly from the Medicaid program[3]) have been subject to the Compliance Program Law.[4]
    • The Compliance Program Law continues to apply to the above entities. However, the threshold for “substantial portion” of business operations has increased to $1 million.
    • As noted, the Compliance Program Law now also applies to MMCOs, which reflects the first time that the requirements have been extended to Medicaid plans.[5]
  • Risk Areas. The amended Compliance Program Law expands the “risk areas” that are required to be addressed as part of Required Providers’ compliance programs.
    • Historically, New York has only mandated that Required Providers address the risk areas of “billings, payments, medical necessity and quality of care, governance, mandatory reporting, and credentialing.”[6]
    • Under the amended Compliance Program Law, the risk areas that a compliance program must address have been expanded to now also include “ordered services and oversight of contractors and agents,”[7] and, for MMCOs (in addition to the foregoing), compliance with terms of the MMCO's contract with the New York Department of Health (DOH), cost reporting, submission of encounter data, network adequacy and contracting, provider and subcontractor oversight, underutilization, marketing, provision of medically necessary services, payments and claims processing, and statistically valid service verification.
    • In addition, Required Providers are expected to identify other risk areas that may be uniquely relevant to them based on their “organizational experience,” meaning their experience in operating the compliance program, any issues identified via internal auditing and monitoring or as a result of third-party audits or investigations, and any issues the Required Provider “should have reasonably become aware of for its category(ies) of service.”[8]
    • These changes reflect a considerable expansion of the breadth of the risk areas that must be addressed in Required Providers’ compliance programs and may require careful evaluation of whether existing oversight and compliance controls remain adequate.
    • The Required Providers must also provide training and education around their relevant risk areas, and conduct auditing and monitoring around these risk areas.[9]
  • Contractors. Required Providers must ensure that contractors involved in the Required Provider’s specific risk areas are subject to its compliance program. Agreements between a Required Provider and its contractors must include the ability for the Required Provider to terminate the contract if the contractor fails to adhere to the Required Provider’s compliance program.
  • Penalties.
    • If OMIG determines that a Required Provider has failed to implement a compliance program that satisfactorily meets the requirements of the Compliance Program Law: (i) for the first violation, OMIG may issue a fine of $5,000 per month for up to 12 months; and (ii) for each subsequent violation within a five-year period, OMIG may issue a fine of up to $10,000 per month for up to 12 months.
    • In addition, OMIG may recoup monies paid by the Medicaid program to the Required Provider during the period of non-compliance, terminate a Required Provider’s enrollment in the Medicaid program, and/or impose certain other sanctions up to and including exclusion from participation in the Medicaid program.[10]
  • Verification of Compliance. Each Required Provider must: (i) annually certify to DOH that it has met the requirements of the Compliance Program Law; and (ii) maintain records demonstrating its adoption and maintenance of a compliance program in accordance with the Compliance Program Law for six years from the date of implementation of the program or the effective date of any amendments thereto.[11] OMIG may audit those records.
  • Compliance Program Elements. The Compliance Program Law imposes detailed requirements in each of the following seven categories. As noted, in many respects, these requirements align to federal compliance program guidance, but in some cases the requirements differ in subtle ways or impose more granular requirements. We have included select examples below for each category to illustrate the breadth and specificity of the new requirements but please note this is not an all-inclusive list:
    • Policies and Procedures (P&Ps)
      • P&Ps must be available, accessible, and applicable to all “persons who are affected by the Required Provider’s risk areas, including employees, the chief executive and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, and governing body and corporate officers” (collectively “affected individuals”).[12]
      • P&Ps must describe, at a minimum, the structure of the compliance program, including the responsibilities of all affected individuals in carrying out the functions of the compliance program.[13]
      • Required Providers must review P&Ps at least annually to determine if the P&Ps have been implemented, if affected individuals are following them, whether they are effective, and if any updates are required.[14]
    • Compliance Officer and Compliance Committee
      • Required Providers must appoint a compliance officer, who must be the focal point for the compliance program and be responsible for the day-to-day operation of the compliance program, including but not limited to, overseeing and monitoring the adoption, implementation, and maintenance of the compliance program and evaluating its effectiveness.
      • The compliance officer must report no less frequently than quarterly to the governing body, chief executive, and compliance committee on the progress of adopting, implementing, and maintaining the compliance program.[15]
      • If the compliance officer is assigned duties in addition to those primary duties outlined in the Compliance Program Law under 18 NYCRR § 521-1.4(b)(1), those other duties may not interfere with or hinder the compliance officer in carrying out their primary duties.[16]
      • Required Providers must designate a compliance committee to be responsible for coordinating with the compliance officer to ensure that the Required Provider is conducting its business in an ethical and responsible manner, consistent with the compliance program. The compliance committee’s duties include, but are not limited to, coordinating with the compliance officer to ensure that P&Ps and standards of conduct are current, accurate, and complete, and that trainings are timely completed, ensuring communication and cooperation by affected individuals on compliance-related issues, and advocating for the allocation of sufficient funding, resources, and staff for the compliance officer to fully perform their responsibilities.
      • The compliance committee must be composed of, at a minimum, senior managers.[17]
      • The compliance committee must meet at least quarterly and review the compliance committee charter at least annually.[18]
    • Training and Education
      • Training and education must address, at a minimum, relevant risk areas and organizational experience, P&Ps, the role of the compliance officer and compliance committee, how affected individuals can ask questions and report compliance issues, disciplinary standards, how the Required Provider responds to compliance issues and implements corrective action plans, requirements specific to the Medicaid program and the Required Provider’s category(ies) of service, and if applicable, coding and billing and best practices.[19]
      • Training must occur at least annually.[20]
    • Lines of Communication
      • Required Providers must establish and implement effective lines of communication that are accessible for all affected individuals, are publicized, anonymous, and ensure confidentiality for affected individuals.[21]
    • Disciplinary Standards
      • Required Providers must enforce disciplinary standards fairly and consistently, and the same disciplinary action should apply to all levels of personnel.[22]
      • Disciplinary procedures shall conform with collective bargaining agreements when applicable.[23]
    • Auditing and Monitoring
      • Required Providers must implement an effective system for routinely auditing and monitoring and identifying compliance risks. Audits must be conducted by internal and/or external auditors with expertise in state and federal Medicaid program requirements and applicable laws, rules, and regulations, or who have expertise in the subject area of the audit.[24]
      • The design, implementation, and results of any audit must be documented, and the results shared with the compliance committee and governing body.
      • Required Providers must annually review whether the auditing and monitoring program is meeting all requirements of the Compliance Program Law, and this review should include on-site visits, interviews with affected individuals, review of records, surveys, or any other comparable methods.[25]
      • Required Providers must screen all affected individuals for exclusion and debarment at least every 30 days and require contractors to do so as well.[26]
    • Responding to Compliance Issues
      • Required Providers must establish and implement a system for promptly responding to, investigating, and thoroughly correcting compliance issues, taking steps to reduce the potential for recurrence and ensuring ongoing compliance with applicable laws, regulations, and Medicaid requirements.[27]
      • Each instance of investigation and remediation of a compliance issue must be documented, including any disciplinary action taken.[28]

OMIG has issued a number of guidance documents to assist Required Providers in connection with the new requirements at: https://omig.ny.gov/compliance/compliance-library.

*         *         *

New York Medicaid providers and plans should carefully evaluate their compliance programs in light of the new Compliance Program Law regulations. The highly detailed and granular nature of the new requirements could require some providers and plans to significantly rethink their approach to compliance operations. This could entail major programmatic changes; new lines of oversight, training, and education; and significant overhauls of existing P&Ps and other operating standards. It also bears monitoring how OMIG will enforce the new requirements: The agency has stated that it intends to conduct ongoing compliance reviews and that, during review periods, Required Providers will be required to complete compliance program Review Modules on a monthly basis. An average score of 60% or higher will be required to achieve a “satisfactory” rating and avoid the potential imposition of penalties.[29]

About the Authors

Jessica Hanna advises health and life sciences industry clients on a wide range of regulatory and transactional matters. Her clients include health care providers, pharmaceutical, biotechnology, and medical device manufacturers, managed care plans, and professional and trade associations. Jessica also leads complex health regulatory transactions, including for large health care plans, pharmacy benefit managers, drug and device manufacturers and health systems.

James Huang supports clients on an array of health care regulatory matters. He counsels managed care plans and pharmaceutical and device manufacturers on Medicare coverage and reimbursement policy, Medicare Advantage and Medicare Part D requirements, and Medicaid regulations and policies. He also advises on a range of provider issues, including price transparency, Medicare and Medicaid telehealth requirements, the provider-based rules, Emergency Medical Treatment and Labor Act (EMTALA), cost reporting, and the Medicare Conditions of Participation.

Jeffrey Schneider's representations span the full spectrum of health care providers, including hospitals, academic medical centers, skilled nursing facilities, home health agencies, hospices, and other institutional health care providers, as well as physician groups, health networks, and managed care organizations. Jeff heads Hogan Lovells’ New York office Health practice. Jeff has represented many of the top academic medical centers both in New York and nationwide. He has been involved in many "bet the company" transactions, often involving the acquisition or sale of an academic medical center's primary teaching hospital. In addition to his transactional work, Jeff routinely counsels clients on compliance, governance, coverage and reimbursement, survey and certification, and faculty practice issues. 

*This article has been shared with the members of AHLA’s Payers, Plans, and Managed Care Practice Group.

 


[1] Social Services Law § 363-d.

[2] 18 NYCRR § 521-1.1(b).

[3] Id. § 521.2(b).

[4] Id. § 521.1.

[5] Id. § 521.1.1(b).

[6] Id. § 521.3(a).

[7] Id. § 521-1.3(d).

[8] Id. § 521.1.2(9).

[9] Id. § 521-1.4(d)(1)(i) and (g)(1)(i).

[10] Social Services Law § 363-d(3)(c); OMIG “Compliance Program Guidance” p.6 (Jan. 2023) https://omig.ny.gov/media/80796/download?attachment.

[11] For MMCOs, the record retention period is specified in the contract with the Department of Health. See 18 NYCRR § 521-1.3(b).

[12] Id. §§ 521-1.2(b)(1), 521-1.4(a)(1).

[13] Id. § 521-1.4(a).

[14] Id. § 521-1.4(a)(3).

[15] Id. § 521-1.4(b)(1).

[16] Id. § 521-1.4(b)(3).

[17] Id. § 521-1.4(c)(2).

[18] Id.

[19] Id. § 521-1.4(d).

[20] Id.

[21] Id. § 521-1.4(e).

[22] Id. § 521-1.4(f).

[23] Id. § 521-1.4(a)(2)(viii)(b).

[24] Id. § 521-1.4(g).

[25] Id.

[26] Id.

[27] Id. § 521-1.4(h).

[28] Id.

[29] OMIG “Compliance Program Guidance” p.7 (Jan. 2023).
