Subpart 521-1 is added to replace what was formerly Part 521, Provider Compliance Programs, to conform to changes made to Social Services Law (SOS) § 363-d to align State and Federal provisions related to compliance programs.

Section 521-1.1 is added to establish the scope of the regulation setting forth the requirements for the adoption and implementation of effective compliance programs. Consistent with statutory requirements, the regulation applies to any person (referred to as a “Required Provider”) subject to Articles 28 or 36 of the Public Health Law, Articles 16 or 31 of the Mental Hygiene Law, Medicaid managed care organizations, including managed long term care plans, referred to collectively as “MMCO,” and any other person for whom the Medicaid program is a substantial portion of their business operations.

Section 521-1.2 is added to define certain terms.

Section 521-1.3 is added to specify the duties of a Required Provider.

Section 521-1.3(a) sets forth the general obligation of Required Providers to adopt, implement and maintain an effective compliance program.

Section 521-1.3(b) is added to establish the obligation of Required Providers to retain records relevant to their adoption, implementation and maintenance of a compliance program under the regulation, and to make such records available to OMIG, DOH or the New York State Medicaid Fraud Control Unit (MFCU). It also establishes the record retention period which is consistent with the requirements of 18 NYCRR § 504.3(a) and § 517.3, except that MMCOs shall retain records for a period of 10 years, consistent with the terms of the contracts between the MMCOs and DOH.

Section 521-1.3(c) is added to specify compliance program requirements relevant to any Required Provider’s contractor, agent, subcontractor or independent contractor.

Section 521-1.3(d) is added to specify the “Risk Areas” that shall be applicable to the Required Provider and specify additional risk areas applicable to MMCOs.

Section 521-1.3(e) is added to require that Required Providers comply with the directives of DOH and OMIG with respect to compliance programs required by the regulation.

Section 521-1.3(f) is added to specify, consistent with statutory requirements, that Required Providers certify to DOH that they have adopted and implemented an effective compliance program upon enrollment and annually thereafter, and to clarify certification requirements for MMCO Participating Providers.

Section 521-1.3(g) is added to specify that Required Providers must comply with Subpart 521-3 of this Part to report, return and explain overpayments.

Section 521-1.4 is added to clarify, consistent with statutory requirements, the seven (7) elements of an effective compliance program, and to provide direction to Required Providers in the adoption and implementation of such programs.

Section 521-1.4(a) is added to clarify the requirements for the development of written policies and procedures, and the types of written policies and procedures that the Required Provider is required to develop and maintain.

Section 521-1.4(b) is added to clarify the requirements for the designation of a compliance officer, their primary responsibilities, the reporting structure, and other provisions related to the compliance officer being able to effectively carry out their responsibilities.

Section 521-1.4(c) is added to clarify the requirements for the establishment of a compliance committee, its primary responsibilities, the requirement for a compliance committee charter, and reporting structure.

Section 521-1.4(d) is added to clarify the requirements for establishing and implementing an effective training program for the Required Provider’s compliance officer and all Affected Individuals.

Section 521-1.4(e) is added to clarify the requirements for establishing and implementing effective lines of communication, including accessibility, publication, a method for anonymous reporting, and confidentiality.

Section 521-1.4(f) is added to clarify the requirements for the publication and enforcement of the Required Provider’s disciplinary procedures, and the requirement that such procedures be enforced fairly and consistently.

Section 521-1.4(g) is added to clarify the requirements for the Required Provider’s auditing and monitoring, including the types of audits the Required Provider must undertake, the frequency of such audits, and other requirements related to internal and external auditing. It also includes a requirement that the Required Provider actively monitor its Affected Individuals to identify persons who have been excluded from participation in the Medicaid program.

Section 521-1.4(h) is added to clarify the requirements for responding to compliance issues, including procedures for the detection of compliance issues, documentation of such issues, and reporting of any violations of State or Federal law.

Section 521-1.5 is added to specify the procedures for OMIG compliance program reviews. Sections 521-1.5(a)-(d) outlines the scope of the review, notifications to the Required Provider, and how OMIG or DOH will communicate its determination.

Subpart 521-2 is added to establish the requirements, consistent with SOS § 364-j(39), for Medicaid Managed Care Fraud, Waste and Abuse Prevention Programs.

Section 521-2.1(a)-(c) is added to set forth the scope of the Subpart, that it shall apply to MMCOs, and to acknowledge related regulations in 10 NYCRR § 98-1.21 and 11 NYCRR § 86.6.

Section 521-2.2(a) is added to define certain terms.

Section 521-2.3(a) is added to establish the general requirement that MMCOs adopt and implement policies and procedures designed to detect and prevent fraud, waste and abuse.

Section 521-2.3(b) is added to specify the MMCO’s record retention and cooperation obligations relevant to the adoption and implementation of its fraud, waste and abuse prevention program under this Subpart.

Section 521-2.3(c) is added to specify requirements relative to an MMCO’s contractors, agents, subcontractors, and independent contractors with respect to its fraud, waste and abuse prevention program.

Section 521-2.4(a) is added to specify, consistent with statutory requirements, that MMCOs, as part of their fraud, waste and abuse prevention programs, adopt, implement, and maintain an effective compliance program pursuant to Subpart 521-1, and to specify the requirements for incorporating elements of the prevention program into the compliance program.

Section 521-2.4(b) is added to specify requirements for the establishment of special investigation units (SIU), including staffing requirements, investigator qualifications, lead investigator obligations, the obligation to prepare an SIU work plan, and requirements for delegating the MMCO’s SIU function to a management contractor.

Section 521-2.4(c) is added to specify audit and investigation requirements including the scope of audits to be undertaken and the general requirements for conducting such audits and investigations.

Section 521-2.4(d) is added to require MMCOs to report cases of fraud, waste and abuse to OMIG in accordance with the provisions of the MMCO’s contract with DOH.

Section 521-2.4(e) is added to clarify that MMCOs and their subcontractors shall refer reasonably suspected criminal activity to OMIG and MFCU in accordance with contractual obligations.

Section 521-2.4(f) is added to clarify that MMCOs, consistent with Federal and contractual requirements, shall have policies and procedures for providers to report, return and explain overpayments to the MMCO within sixty (60) days of identification, and that the MMCO shall report such recoveries to OMIG and DOH in accordance with the terms of the MMCO’s contract with the department.

Section 521-2.4(g) is added to require the MMCO to develop a fraud, waste and abuse procedures manual for the use of its employees.

Section 521-2.4(h) is added to specify additional program integrity obligations, including the development and publication of a fraud, waste and abuse public awareness program and the publication of the policies and procedures for providers to report, return and explain overpayments to the MMCO.

Section 521-2.4(i) is added to clarify the MMCO’s obligation to prepare and file with OMIG a fraud, waste and abuse prevention plan. Section 521-2.4(j)(4) specifies that OMIG will accept a fraud and abuse prevention plan that has been prepared in accordance with the provisions of 10 NYCRR § 98-1.21 or 11 NYCRR § 86.6, provided that any additional requirements under Subpart 521-2 are included with the submission.

Section 521-2.4(j) is added to specify the deadline for submitting and the elements to include in the annual report the MMCO is required to submit to OMIG on its performance under the fraud, waste and abuse prevention program.

Section 521-2.4(k) is added to clarify an MMCO’s obligation to report information required by the regulation and contract.

Subpart 521-3 is added to establish the requirements, consistent with the statutory requirements, that persons shall report, return and explain overpayments consistent with SOS § 363-d(6), and to explain the requirements of the self-disclosure program administered by OMIG consistent with SOS § 363-d(7).

Section 521-3.1(a)-(c) is added to set forth the scope and applicability of the Subpart.

Section 521-3.2 is added to define certain terms.

Section 521-3.3(a) is added to clarify the requirements for reporting and returning overpayments received from the Medicaid program.

Section 521-3.3(b) is added to clarify the timeframes for reporting, returning and explaining overpayments received from the Medicaid program.

Section 521-3.4(a) is added to identify OMIG’s Self-Disclosure Program as the mechanism by which a person reports, returns and explains an overpayment received from the Medicaid program.

Section 521-3.4(b) is added to set forth the general requirements for OMIG’s Self-Disclosure Program, including eligibility of a person to participate in the program.

Section 521-3.4(c) is added to specify the information required to be submitted by the person seeking to report, return and explain an overpayment through OMIG’s Self-Disclosure Program.

Section 521-3.4(d) is added to outline OMIG’s process for receiving and reviewing self-disclosure submissions.

Section 521-3.4(e) is added to clarify the requirements for Self-Disclosure and Compliance Agreements and the requirements for executing such agreements.

Section 521-3.4(f) is added to clarify the circumstances under which and the process by which OMIG may terminate a person’s participation in the Self-Disclosure Program.

Section 521-3.5 is added to specify the requirements, following the completion of OMIG’s review of the person’s self-disclosure, for the person to remit the overpayment, including interest, if applicable, to the department.

Section 521-3.6 is added to specify the requirements applicable to all notifications OMIG issues to the person under Subpart 521-3.

Section 521-3.7 is added to clarify how the requirements of Subpart 521-3 will be enforced where a person fails to report, return and explain an overpayment by the deadline specified in law and regulation.

Statutory Authority

The Office of the Medicaid Inspector General (OMIG) is an independent office within the Department of Health (“Department”) responsible for the prevention, detection, and investigation of fraud and abuse in New York State’s Medical Assistance (Medicaid) program pursuant to New York State Public Health Law (“PBH”) § 31. PBH § 32(20) sets forth the functions, duties and responsibilities of OMIG, and specifically authorizes OMIG to “implement and amend, as needed, rules and regulations related to the prevention, detection, investigation and referral of fraud and abuse within the medical assistance program and the recovery of improperly expended medical assistance program funds.” New York State Social Services Law (“SOS”) § 363-d requires that certain Medicaid providers (including managed care plans) adopt and implement a compliance program and establishes the State requirement that persons shall report, return and explain overpayments within sixty (60) days of identification, and codifies the requirements of the self-disclosure program administered by OMIG and authorizes OMIG, in consultation with the Department, to promulgate regulations. SOS § 364-j(39) requires managed care plans, including managed long term care plans (collectively “MMCO”) to adopt and implement policies and procedures designed to detect and prevent fraud, waste and abuse, and authorizes OMIG, in consultation with the department, to promulgate regulations.

Legislative Objectives

The legislative objective is to protect the fiscal integrity of the Medicaid program and promote provider and MMCO compliance with Medicaid program laws, rules and requirements.

Subdivisions 1-7 of SOS § 363-d were amended to better align the elements of New York State’s mandatory compliance program with the elements found in Federal regulations and guidance, to codify the federal requirement that a person report, return and explain Medicaid overpayments in State law, and to codify the requirements of OMIG’s self-disclosure program. In addition, the statute was updated to include a monetary penalty for any provider who fails to adopt and implement an effective compliance program and for any person who fails to report return and explain an identified overpayment received from the Medicaid program. The provisions relating to the monetary penalty were promulgated in OMIG’s October 2020 rulemaking amending 18 NYCRR Part 516.

Subdivision 39 of SOS § 364-j was added to require MMCOs to adopt and implement policies and procedures designed to detect and prevent fraud, waste and abuse under the Medicaid program. These policies and procedures include a compliance program, consistent with the requirements of SOS § 363-d, and the establishment of a special investigation unit (SIU) if the MMCO meets certain enrolled population thresholds.

Needs and Benefits

This rulemaking is necessary for the State to implement provisions of the State Fiscal Year 2020-2021 Enacted Budget (Chapter 56 of the Laws of 2020, Part QQ) and Medicaid program integrity reform initiatives of the MRT II. SOS § 363-d sets forth the general requirements for providers to adopt and implement a compliance program, requires providers to report, return and explain overpayments from the Medicaid program, and codifies OMIG’s self-disclosure program. SOS § 364-j(39) requires MMCOs to adopt and implement fraud, waste and abuse prevention programs. This rulemaking repeals and replaces Part 521 and creates three (3) new Subparts to address these requirements.

Subpart 521-1 further defines and clarifies the standards and requirements for the adoption and implementation of an effective compliance program. The prior version of Part 521 largely mirrored the language in the statute and relied on guidance documents to further define compliance program requirements. This rulemaking will provide clarity and direction to providers and set expectations prior to a compliance program review by OMIG.

Subpart 521-2 establishes the standards and requirements for the adoption and implementation of policies and procedures to detect and prevent fraud, waste and abuse for MMCOs. The statute requires MMCOs with a certain number of enrolled Medicaid recipients to establish an SIU. Existing DOH and DFS regulations require certain health plans to establish an SIU and have a fraud and abuse prevention plan. This new Subpart creates a standard for the Medicaid program that will be consistent across all plans participating in the Medicaid program.

Subpart 521-3 clarifies the requirement that persons shall report, return and explain overpayments within sixty (60) days of identification and codifies the requirements of the self-disclosure program administered by OMIG.

Costs

Generally, any costs that may be incurred by providers, MMCOs or other persons would be a direct result of the statutory authority and not this rulemaking. Furthermore, most, if not all, of the statutory authority were either modifications of existing statutory obligations, or codification of existing Federal requirements. The requirement that certain Medicaid providers adopt and implement a compliance program was established in SOS § 363-d in 2006. The current amendments did not change the pre-existing obligation to adopt and implement an effective compliance program or the scope of who was required to do so, nor the requirement to report, return and explain identified overpayments received from the Medicaid program. Rather, it aligned the State compliance program requirement more closely with the standard used at the Federal level and codified the Federal requirement that a person who has received and identified an overpayment from the Medicaid program, report, return and explain the overpayment to the Medicaid program. Likewise, many MMCOs are required to have a fraud and abuse prevention plan pursuant to existing DOH or DFS regulation. This rule will expand the requirement to establish an SIU to additional MMCOs. It is anticipated that this rulemaking will achieve savings for both providers and taxpayers as it provides direction and clarification of the statutory requirements, which will be subject to review by OMIG, and could result in the recovery of overpayments and/or the imposition of monetary penalties.

Costs to Regulated Parties

As a result of this rulemaking, regulated parties are not expected to incur additional costs for continuing compliance with SOS § 363-d. Under the statute, specific categories of providers are required to adopt, and implement effective compliance programs as well as the obligation to report, return and explain overpayments. Furthermore, this rulemaking amends the existing definition of “substantial portion of business operations,” to increase the value of claims submitted to the Medicaid program or payments received from the Medicaid program, from $500,000 to $1,000,000, and eliminates the category of “ordering.” The result is that fewer providers will be subject to the provisions of Subpart 521-1. Aligning the Federal and State standards for compliance programs should also reduce costs to Medicaid providers, such as MMCOs, who participate in other government programs with similar requirements.

Many MMCOs participating in the Medicaid program are currently required to have a fraud and abuse prevention plan and establish an SIU. The requirement that an MMCO with a certain enrolled Medicaid population must establish an SIU is set forth in statute, and therefore any costs associated with that requirement are the result of the statute, not this rulemaking. This rulemaking seeks to provide clarity and consistency in MMCO requirements within the Medicaid program. It is expected that MMCOs will incur additional costs associated with the staffing requirements for SIUs, particularly where an MMCO does not have an existing SIU. However, the rulemaking provides flexibility with regard to staffing and other provisions to allow for innovation on the part of MMCOs in meeting the SIU staffing requirement of Subpart 521-2.

Costs to State Government and the State Agency

State government and the Medicaid Inspector General are not expected to incur any additional costs as a result of this rulemaking. Agency personnel will continue to conduct compliance program reviews, audits, investigations, and reviews of individuals and entities participating in the Medicaid program.

Costs to Local Government

There will be no additional costs to local government as a result of this rulemaking.

Local Government Mandates

The proposed rulemaking does not impose any new program, services, duties, or responsibilities upon any county, city, town, village, school district, fire district, or other special district.

Paperwork

No additional paperwork requirements will be imposed upon regulated parties under the proposed regulation. Medicaid providers and MMCOs who are subject to the proposed regulations are already required to maintain documents associated with their compliance programs.

Duplication

The statute incorporates requirements under 42 U.S.C.1396-a(a)(68), which requires providers who makes or receives payments from government programs (i.e., Medicaid) of more than $5,000,000, to have policies, procedures, and education regarding Federal and State False Claims Act provisions and related Federal or State laws. Providers who are subject to this Federal statute are also required to adopt and implement an effective compliance program under SOS § 363-d. Its inclusion in the statute, and this rulemaking, does not create any overlapping or conflicting requirements. Rather it will ensure that OMIG reviews of compliance with the Federal requirement will be conducted in conjunction with its review of a provider’s compliance program, which is more efficient for both the provider and the State.

The department is required, pursuant to 42 C.F.R. § 438.608, to require MMCOs, through the MMCO’s contract with the department, to adopt and implement an effective compliance program. The amendments made to SOS § 363-d and this rulemaking align with the requirements of the Federal regulation and the MMCO’s contract with the department and provides clarification on the general requirements outlined in the contract.

The statute also includes a provision that a provider whose compliance program is accepted by the Federal Office of Inspector General for the Department of Health and Human Services, or for MMCOs whose compliance program satisfies the requirements of the MMCO’s contract with the department, that such programs may satisfy the requirements of the statute if it adequately addresses "medical assistance risk areas and compliance issues."

MMCO’s subject to this rulemaking may already be required to adopt and implement policies and procedures designed to detect and prevent fraud and abuse pursuant to 10 NYCRR § 98-1.21 or 11 NYCRR § 86.6. To the extent it is appropriate for the Medicaid program, the requirements of Subpart 521-2 were drafted to be consistent with existing requirements.

Alternatives

There were no significant alternatives considered as the changes were made to align to the revised statutory obligations.

Federal Standards

There are no mandatory Federal standards or requirements for compliance programs for Medicaid providers. However, as noted previously, 42 U.S.C.1396-a(a)(68), requires providers who make or receive payments, directly or indirectly, from a government program (i.e., Medicaid) of more than $5,000,000, to have policies, procedures and education regarding Federal and State False Claims Act provisions and other similar Federal or State laws. This rulemaking exceeds the Federal requirement by requiring all providers subject to the provisions of SOS § 363-d to have policies and procedures pursuant to 42 U.S.C.1396-a(a)(68), regardless of whether they meet the billing threshold. The rule exceeds this federal requirement because SOS § 363-d broadly requires providers to have written policies and procedures, as well as training programs, which address the provider’s compliance with State and Federal standards. The policies and procedures of 42 U.S.C.1396-a(a)(68) fall within this broad standard, and it is not expected that providers would incur any significant costs incorporating this requirement into their compliance programs. Finally, having policies and procedures, as well as education, regarding the State and Federal false claims act as part of a provider’s compliance program, which includes the rights of employees to be protected as whistleblowers, is an important safeguard in the prevention and detection of fraud and abuse in the Medicaid program.

Further, the amendments to SOS § 363-d and this rulemaking generally align with Federal requirements requiring overpayments from the Medicaid program be reported, returned and explained under 42 U.S.C. 1320-7k(d).

Compliance Schedule

Subparts 521-1,521-2 and 521-3 will take effect upon publication of a Notice of Adoption in the State Register. As noted in SOS § 363-d(3)(c), enforcement of compliance program requirements under Subpart 521-1 will not begin until 90 days after the effective date of the regulation. Similarly, enforcement of the Subpart 521-2 requirements will not begin until 90 days after the effective date of the regulation.

The proposed regulation applies to certain providers (defined by statute) participating in the Medicaid program, including some small businesses; modifies existing requirements for adopting and implementing required compliance programs; imposes an obligation for Medicaid managed care organizations and managed long term care plans (collectively “MMCO”) to establish a fraud, waste and abuse prevention program, and certain MMCOs to establish an SIU; establishes the requirement that persons shall report, return and explain overpayments to the Medicaid program; and codifies the requirements of the self-disclosure program administered by OMIG.

1. Effect of rule:

The proposed regulations require that certain Medicaid providers, including small businesses adopt and implement a compliance program. In addition, all MMCOs participating in the Medicaid program are required to adopt and implement a fraud, waste and abuse prevention program under Subpart 521-2. The proposed regulations relating to compliance programs (Subpart 521-1) will apply to any businesses that fall under one or more of four general categories:

1. providers that are subject to the provisions of Articles 28 or 36 of the public health law;

2. providers that are subject to the provisions of Articles 16 or 31 of the mental hygiene law;

3. managed care providers; and

4. persons who submit Medicaid claims or receive Medicaid payments totaling $1,000,000 or greater in a twelve-month period.

These categories of providers are required by SOS § 363-d to adopt, implement and maintain a compliance program. The proposed regulations are consistent with those statutory requirements. The fourth category of providers previously had a threshold of $500,000 of Medicaid claims within a twelve-month period, and the amendment to this regulation increases the threshold to $1,000,000. This change will enable OMIG to focus on providers with significant potential impact on the Medicaid program, and it may result in cost savings for some small businesses and local governments which will no longer be required to maintain a compliance program which satisfies the requirements of Subpart 521-1. While OMIG is unable to estimate the number of small businesses impacted by this rulemaking, it is anticipated that with the changes fewer small businesses will be subject to and impacted by these requirements.

Small businesses that meet the criteria listed above will continue to be required to have a compliance program. The types of small business providers that may be subject to these regulations include, but are not limited to, MMCOs, pharmacies, physicians, dentists, durable medical equipment businesses, service bureaus, and transportation providers.

It is estimated, based on information available to OMIG, that approximately 276 local government providers, including some school districts, fall under one or more of the categories of providers that are required to establish compliance programs. These entities will be required to comply with the existing statute and proposed regulations. As with small businesses, with these changes OMIG estimates that at least 55 local government providers who were subject to the prior version of Part 521 will not be subject to this rulemaking.

The proposed regulation also requires MMCOs to establish a fraud, waste and abuse prevention program (Subpart 521-2). MMCOs subject to this Subpart include Medicaid managed care organization and managed long term care plans. Such plans vary in the size and complexity of operations, but in general, this Subpart should not adversely affect small business and local governments.

The proposed regulation also clarifies a person’s obligation to report, return, and explain identified overpayments received from the MA program, consistent with statutory requirements.

2. Compliance requirements:

Any small business or local government that is subject to the proposed regulations will be required to adopt and implement a compliance program and to report, return and explain overpayments received from the MA program in accordance with the requirements contained in SOS § 363-d and as further defined in the proposed regulations.

Many providers are already required to adopt and implement a compliance program under existing law, but depending on what policies, procedures and controls a provider has already instituted, additional action may be necessary. No additional affirmative acts will likely be required for a provider if that provider already has an effective compliance program that satisfies the elements contained in law and further defined in the proposed regulations.

3. Professional services:

Many providers are already required to adopt and implement a compliance program; however, they may require or continue to utilize the services of certain professionals, including medical professionals, auditors, attorneys, and compliance professionals, in order to update their policies, procedures, and controls in order to maintain an effective compliance program.

4. Compliance costs:

The requirement that certain Medicaid providers adopt and implement compliance programs is already a statutory requirement in SOS § 363-d. Providers and MMCOs may incur additional costs to comply with this rulemaking. These costs may result from additional reporting, recordkeeping and compliance costs. However, the costs incurred by these providers are a direct result of that statute and not this rulemaking. This rulemaking clarifies the types of providers that are subject to the compliance program requirement and must therefore incur costs, if any, associated with such a program.

The costs incurred by regulated parties in order to comply with the proposed rulemaking will vary depending upon existing control measures the provider has in place at the time the regulation takes effect. For those providers who already have an operating compliance program, potentially little or no costs may be incurred in order to modify a compliance program that satisfies the required elements in law and further defined in the proposed regulations. The extent of those costs will depend on the level of effort that is necessary for the provider to establish a compliance program that satisfies each of the mandatory elements.

The costs will also vary depending upon the size and other specific attributes of the provider. SOS § 363-d states that a provider's compliance plan should reflect the provider's size, complexity, resources, and culture. Thus, a large, complex provider may incur more costs in establishing a compliance program than a smaller provider might incur.

The proposed rulemaking will not impose costs on local governments in general, but local government entities that fall within the definition of a "required provider,” including school districts, will be required to implement a compliance program. The cost analysis would be the same as other similarly situated providers covered by the statute.

It is estimated that increasing the threshold to $1,000,000 in Medicaid claims for the definition of “substantial portion of business operations” will reduce the number of providers subject to Subpart 521-1 by approximately 2,300, which may result in cost savings to small businesses and local governments no longer subject to the specific requirements of this regulation. In assessing the costs that may be incurred by a provider when it maintains a compliance program, pursuant to SOS § 363-d and the proposed regulations, OMIG also considered the cost savings that could result from the implementation of an effective compliance program due to risk mitigation and other factors. These cost savings should diminish, if not completely offset, any costs incurred by providers in the implementation and maintenance of an effective compliance program, or in the case of an MMCO, a fraud, waste and abuse prevention program.

5. Economic and technological feasibility:

Although there may be some costs involved for some providers in modifying existing compliance programs to comply with the proposed regulations, OMIG anticipates those costs will be lessened or offset entirely by the cost savings that Medicaid providers could realize once the program is implemented.

There are no new technologically challenging aspects to the requirements of the proposed rulemaking that do not already exist as requirements in current statutes, such as HIPAA, as a compliance program would establish measures to ensure compliance with laws relevant to the Medicaid program.

For these reasons, OMIG concludes that the proposed regulations will be economically and technically feasible for any affected small businesses and local governments.

6. Minimizing adverse impact:

SOS § 363-d states in part: "The legislature. . . recognizes the wide variety of provider types in the medical assistance program and the need for compliance programs that reflect a provider's size, complexity, resources, and culture. For a compliance program to be effective, it must be designed to be compatible with the provider's characteristics."

While each required provider will need to develop a compliance program that adequately addresses each of the elements listed in SOS § 363-d and further defined in the proposed regulations, OMIG will give due consideration and attention to the concerns noted by the legislature and review compliance programs for appropriateness consistent with the provider's specific characteristics.

The benefits associated with implementation of a compliance program, and for MMCOs, a fraud, waste and abuse prevention program, far outweigh any adverse economic impact. An effective compliance program will assist providers in preventing inappropriate payments and avoiding costs, such as reimbursements, penalties, and other adverse consequences, that might otherwise be incurred due to violations. The compliance program requirement will also help to ensure that: Medicaid funds are used properly and that payments are made only for legitimate claims; providers systematically identify, report, and return overpayments; medical care, services, and supplies provided meet required standards of care; individuals can report unacceptable practices, such as fraud, directly and safely; and that providers establish accountability in governance structures.

Although there are no mandatory federal standards or requirements for compliance programs for Medicaid providers, the federal government has issued guidance for many types of providers interested in voluntary compliance programs. OMIG has issued guidance on compliance programs, and DOH also issues advisory opinions on appropriate standards of compliance. Local government entities required to comply with this regulation can utilize those no cost guidelines and advisory opinions when developing an effective compliance program pursuant to this regulation.

7. Small business and local government participation:

These proposed regulations arise from a change in State law pursuant to Chapter 56 of the Laws of 2020, Part QQ. The initiatives were recommended by the MRT II following a series of public meetings where stakeholders had the opportunity to comment and collaborate on ideas to aid in the development of these program integrity initiatives. In addition, the MRT II was comprised of representatives of providers and MMCOs, amongst others. OMIG will comply with SAPA section 202-b(6) by providing MMCO associations, provider associations, many of whom represent small businesses, and NY county and local government organizations and associations with a summary of the rule prior to the public comment period, publishing the proposed amendment in the State Register and posting the proposed amendment on its website. OMIG welcomes comments on the proposed regulations from local governments and businesses, and any other program stakeholders.

1. Types and estimated numbers of rural areas:

This rulemaking implements Social Services Law (SOS) § 363-d which requires certain Medicaid providers to adopt and implement required compliance programs and to report, return and explain overpayments received from the Medicaid program. In addition, it implements SOS § 364-j(39) which requires Medicaid managed care organizations and managed long term care plans (collectively “MMCO”) to adopt and implement procedures to detect and prevent fraud, waste and abuse in the Medicaid program. SOS §§ 363-d and 364-j(39), and these proposed regulations apply uniformly to Medicaid providers and MMCOs throughout all 62 counties of the State, including those operating in rural areas of the State.

2. Reporting, recordkeeping and other compliance requirements; and professional services:

Medicaid providers and MMCOs in rural areas may be subject to additional reporting, recordkeeping, or other compliance requirements as the implementation of a compliance program, or in the case of an MMCO, a fraud, waste and abuse prevention, program requires maintenance of records to demonstrate the adoption and implementation of such programs. These additional compliance requirements are expected to be minimal. All Medicaid providers, including MMCOs, are already subject to existing statutory and regulatory requirements for adopting and implementing compliance programs. Depending on what control measures a provider has already instituted, additional action may be necessary for a provider to meet the updated requirements of a Medicaid provider compliance program. Moreover, pursuant to SOS § 363-d the adoption and implementation of an effective compliance program is a condition, for those providers subject to the requirement, of being eligible to receive reimbursement under the Medicaid program, and Medicaid providers have existing requirements to maintain records demonstrating their right to receive payment. Furthermore, MMCOs have existing requirements in state and federal law and contract to maintain records and provide reporting to the state related to fraud, waste and abuse.

Many providers and MMCOs are already required to adopt and implement a compliance program or a fraud and abuse prevention plan; however, they may require or continue to utilize the services of certain professionals, including medical professionals, auditors, attorneys, and compliance professionals, in order to update their policies, procedures, and controls in order to maintain an effective compliance program.

3. Costs:

Providers and MMCOs may incur additional costs to comply with this rulemaking. These costs may result from additional reporting, recordkeeping and compliance costs. In the case of MMCOs, it may result from new requirements relating to the staffing of the MMCO’s special investigation unit (“SIU”). There are also training requirements for the provider’s or MMCO’s “affected individuals.” However, any costs should be minimal as most providers and MMCOs who are subject to this rulemaking, including those in rural areas, were required to have a compliance program under the prior iteration of the rule, and this rulemaking clarifies the types of providers that are subject to the compliance program requirement and likely to incur costs, if any, associated with such a program. It is anticipated that fewer providers will be subject to this regulation than under the prior version. Likewise, many MMCOs already have established fraud and abuse prevention programs, including the establishment of an SIU, and related requirements under contract.

In assessing the costs that may be incurred by a provider when it establishes a compliance program or an MMCO establishing a fraud, waste and abuse prevention program, OMIG also considered the cost savings that could result from the implementation such programs due to risk mitigation and other factors. These cost savings should diminish, if not completely offset, any costs incurred by providers and MMCOs in the development and implementation of the programs required under this regulation.

4. Minimizing adverse impact:

This rulemaking uniformly affects Medicaid providers and MMCOs located in both rural and non-rural areas in New York. It should not have an adverse impact on rural areas.

SOS § 363-d states in part: "The legislature. . . recognizes the wide variety of provider types in the medical assistance program and the need for compliance programs that reflect a provider's size, complexity, resources, and culture. For a compliance program to be effective, it must be designed to be compatible with the provider's characteristics."

While each required provider will need to develop a compliance program that adequately addresses each of the elements listed in SOS § 363-d and further defined in the proposed regulations, OMIG will give due consideration and attention to the concerns noted by the legislature and review compliance programs for appropriateness consistent with the provider's specific characteristics.

The benefits associated with implementation of a compliance program, and for MMCOs, a fraud, waste and abuse prevention program, far outweigh any adverse economic impact. An effective compliance program will assist providers in preventing inappropriate payments and avoiding costs, such as reimbursements, penalties, and other adverse consequences, that might otherwise be incurred due to violations. The compliance program requirement will also help to ensure that: Medicaid funds are used properly and that payments are made only for legitimate claims; providers systematically identify, report, and return overpayments; medical care, services, and supplies provided meet required standards of care; individuals can report unacceptable practices, such as fraud, directly and safely; and that providers establish accountability in governance structures.

Although there are no mandatory federal standards or requirements for compliance programs for Medicaid providers, the federal government has issued guidance for many types of providers interested in voluntary compliance programs. OMIG has also issued guidance on compliance programs. Providers and MMCOs in rural areas required to comply with this regulation can utilize those no cost guidelines when developing an effective compliance program pursuant to this regulation.

5. Rural area participation:

These proposed regulations arise from a change in State law pursuant to Chapter 56 of the Laws of 2020, Part QQ. The initiatives were recommended by the MRT II following a series of public meetings where stakeholders had the opportunity to comment and collaborate on ideas to aid in the development of these program integrity initiatives. In addition, the MRT II was comprised of representatives of providers and MMCOs, amongst others. OMIG will comply with SAPA section 202-bb(7) by providing MMCO associations and provider associations, many of whom represent providers and MMCOs in rural areas, with a summary of the rule prior to the public comment period, publishing the proposed amendment in the State Register and posting the proposed amendment on its website. OMIG welcomes comments on the proposed regulations from providers and MMCOs operating in rural areas.

The legislature has determined that Medicaid providers should be required to adopt and implement a compliance program in order to reduce errors and identify fraud in Medicaid billing and to report, return and explain overpayments. The legislature also determined that managed care plans and managed long term care plan (collectively “MMCO”) shall be required to adopt and implement policies and procedures designed to detect and prevent fraud, waste and abuse in the Medical Assistance (Medicaid) program. This rulemaking is necessary in order to implement the statutory mandate in Social Services Law (SOS) § 363-d and SOS § 364-j(39). This rulemaking will also ensure that the regulated community is given appropriate notice as to which providers must implement a compliance program.

This rulemaking is part of an overall effort by New York State to enhance the integrity of its Medicaid program. The compliance program requirement in existing law helps to ensure that Medicaid funds are used properly and that payments are made only for legitimate claims. Although this rulemaking will require providers that are subject to the statute to implement guidelines further defined in the regulation for employee training and education and designate an employee with the responsibility of overseeing the compliance program, those providers may also realize benefits associated with the implementation of a compliance program. An effective compliance program will assist a provider in preventing inappropriate payments and avoiding costs, reimbursements, penalties, and other adverse consequences that might otherwise be incurred due to violations.

Likewise, Subpart 521-2 of this rulemaking proposes staffing requirements for MMCOs related to the establishment of a special investigation unit. It is expected that MMCOs already have staffing in place that is consistent with the standards established in the regulation due to existing contractual obligations. In addition, the regulation allows the MMCO flexibility to propose alternative staffing levels, provided it can show the effectiveness of its proposal in achieving the objectives of this rulemaking. Finally, it is expected that MMCOs will realize benefits, including increased recoveries or cost avoidance, through stepped up fraud, waste and abuse prevention and detection activities.

The costs incurred by regulated parties in order to comply with the proposed rulemaking will vary depending upon existing control measures the provider has in place at the time the regulation takes effect. Many providers are already required to adopt and implement a compliance program, all must report, return and explain overpayments, and many MMCO’s are already required to have fraud and abuse prevention plans. However, they may require the services of certain professionals, including medical professionals, auditors, attorneys, and compliance professionals, to update their policies, procedures, and controls in order to maintain an effective compliance program. For those providers who already have an operating compliance program, potentially little or no costs may be incurred in order to meet the requirements in statute and in the proposed regulations. However, for those providers who do not have a program in place that meets the requirements set forth in this proposed rulemaking, some costs will be incurred in order to achieve compliance. The extent of those costs will depend on the level of effort that is necessary for the provider to establish a compliance program that satisfies each of the mandatory elements. Those elements are listed and described in both the proposed regulations and SOS § 363-d.

The requirement that certain Medicaid providers implement compliance programs and the requirement that all persons who have identified overpayments must report, return and explain overpayments is established by statute in SOS § 363-d. Likewise, the requirement that MMCOs adopt and implement a fraud, waste and abuse prevention program is established by statute in SOS § 364-j(39). Therefore, any adverse impact on jobs or employment opportunities that may be incurred by these providers would be a direct result of that statute and not this rulemaking. This rulemaking clarifies the types of providers that are subject to the compliance program requirement and must therefore incur costs, if any, associated with such a program.

In assessing the adverse impact on jobs or employment opportunities incurred by a provider when it establishes a compliance program, or the obligation to report, return and explain overpayments pursuant to SOS § 363-d or when an MMCO establishes a fraud, waste and abuse prevention program pursuant to SOS § 364-j(39) and the proposed regulations, due consideration should be given to the cost savings that may result from the implementation of such programs due to risk mitigation and other factors. These cost savings should diminish, if not completely offset, any costs incurred by providers or adverse impacts on jobs or employment opportunities in the implementation these requirements.

It is anticipated that the total impact on jobs and employment opportunities associated with establishing a provider compliance program, the obligation to report, return and explain overpayments, or MMCO fraud, waste and abuse prevention program will be relatively modest, particularly for providers or MMCOs who already have a full or partial program in place. For those providers and MMCOs who do not yet have an established program, the cost savings associated with such a program will help to offset the expense of implementing the program.

Therefore, the statutorily required compliance program for certain Medicaid providers, the obligation to report, return and explain overpayments, and fraud, waste and abuse program for MMCOs, as implemented by this rulemaking, should not have a substantial adverse impact on jobs and employment opportunities.