VIEWPOINT: The Structural Requirements for an Effective Compliance Program

As a condition of Medicaid payment, New York State requires certain Medicaid providers, including managed care and managed long-term care companies, to develop and implement effective compliance programs to deter fraud and waste and correct non-compliance with Medicaid requirements. 

New York State made amendments in 2020 to the Social Services Law section 363-d (“SSL 363-d”). This established monetary penalties for failure to meet the law’s requirements of up to $5,000 per calendar month (first offense) and $10,000 per calendar month (if a prior penalty was imposed within the previous five years) for a maximum of 12 calendar months in each case. Other changes were made to the compliance requirements, but as of the date of this article, conforming regulations have not been proposed. Operating an effective compliance program will be the best way to avoid those penalties and satisfy the Medicaid condition of payment noted above.

To have an effective compliance program that meets New York’s Medicaid requirements, it is critical to have a structure that meets SSL 363-d’s requirements. The following summarizes the structural requirements in the 2020 amendment to SSL 363-d. 

1. Written policies and procedures

Organizations must create written policies and procedures that articulate the provider’s commitment to comply with all applicable federal and state standards. These must articulate the following: describe compliance expectations as embodied in the standards of conduct; implement the operation of the compliance program; provide guidance to employees and other parties on dealing with potential compliance issues; identify how to communicate compliance issues to appropriate compliance personnel; describe how potential compliance issues are investigated and resolved; include a policy of non-intimidation and non-retaliation for good-faith participation in the compliance program; and, lastly, meet all requirements under 42 U.S.C.1396-a(a)(68).

2. Compliance officer and compliance committee

The amendment removed the employment requirement for the compliance officer and the requirement for a direct reporting line by the compliance officer to the governing body, but the existing regulations still retain those requirements. The compliance officer must now be supported by a compliance committee, both of which report directly to the chief executive or other senior management personnel. 

A good practice is for the compliance officer and compliance committee to serve as the coordinators for the compliance effort, but an effective compliance program is more than just the compliance officer and compliance committee. The compliance effort would likely include efforts to regularly analyze the regulatory environment, review and revise policies and procedures, investigate/document allegations, and implement, review, and revise annual compliance workplans. 

3. Training and education

Implementation of effective training and education of the compliance officer and the provider’s employees, chief executive, and other senior administrators, managers, and governing-body members are required. Training is now required to be performed at least annually and should be made part of orientation for new employees, and the new appointments of a chief executive, manager, or governing body member. 

Although the amendment does not address the specific content of the training and education, it should likely include content within the compliance plan and standards of conduct; an overview of the importance of compliance; department-specific risk areas; summary of fraud and abuse laws; how to report non-compliance; and confidentiality and non-retaliation for reporting, among other topics. 

A good practice is to target the training curriculum to address specific compliance risks based upon job functions/responsibilities. For example, training for governing-body members is likely to be different from the training offered to those in the billing and coding functions. This allows the organization to address specific risk areas that may exist for the varying functions and allows for remedial training for specific groups if a compliance issue is identified in that function. 

4. Effective, confidential communications 

Establishment and implementation of effective lines of communication that ensure confidentiality between the compliance officer, the compliance committee, employees, managers, and governing-body members are required. Communication lines should also include a method for anonymous and confidential good-faith reporting of potential compliance issues as they are identified. 

A properly implemented hotline can serve as a method for meeting the requirement for an anonymous reporting method. 

5. Enforcement of compliance standards 

Once compliance standards are created, they need to be enforced and followed. The amendment reinforced the expectation that disciplinary standards are adopted that encourage good-faith participation in the compliance program by all affected individuals and that those standards must be well-publicized. 

However, programs may still wish to include a non-exclusive list of what could result in discipline. This could include failing to report suspected compliance issues; participating in non-compliant behavior; or encouraging, directing, facilitating, or permitting non-compliant behavior, among others. 

6. Identification of compliance-risk areas 

A system for routine monitoring and identification of compliance risk should be established and implemented. In addition to a system for internal monitoring and auditing and using external audits, evaluation of the provider’s compliance with Medicaid requirements and the overall effectiveness of the compliance program to the list of what should be monitored and audited is now required. 

Establishing a regular internal-audit schedule that is supplemented by external audits creates the most visible output for the operation of an effective compliance program. External audits can include not only any agreed-upon procedures audit, but also the annual financial audit or audits/investigations undertaken by government entities like Office of the Medicaid Inspector General (OMIG). 

7. Response, resolution, and follow-up 

Once a compliance issue is raised, established, and implemented, procedures are expected to support a system for prompt response. This includes investigating potential compliance problems that are identified during self-evaluations and audits; correcting identified problems promptly and thoroughly to reduce the potential for recurrence; and ensuring ongoing compliance with Medicaid’s requirements. 

Although the requirement for refunding overpayments was removed from the compliance-program requirements in SSL 363-d subsection 2, a new subsection 6 was added that establishes a procedure outlining the obligation to report and return overpayments to the OMIG. 

Protect against fraud through effective compliance

Effectiveness is more than having the required compliance structure documented on your bookshelf. To be considered effective, the government expects Medicaid providers to prove their compliance structure is implemented and operating so it is likely to detect fraud, waste, and correct non-compliance with Medicaid requirements. How a compliance program operates and what a provider does with the output of its operation can provide evidence that the compliance program’s structure is implemented, operating, and effective.                      

Matthew Babcock is a principal with The Bonadio Group’s Compliance Solutions Division.

Author’s disclaimer: This article addresses compliance-program requirements for New York State Medicaid providers. Federal requirements are outside the scope of this article. The information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader.