Page 1 of 73
SUMMARY OF REGULATION
The proposed rulemaking would repeal and add a new 18 NYCRR Part 521 to implement
statutory changes resulting from the recommendations of the Medicaid Redesign Team II as adopted
in the State Fiscal Year 2020-2021 Enacted Budget (Chapter 56 of the Laws of 2020, Part QQ) and to
make other conforming changes related to (1) provider compliance programs, (2) Medicaid managed
care plan fraud, waste and abuse prevention programs under the Medical Assistance (Medicaid)
program, and (3) the obligation to report, return and explain Medicaid overpayments through OMIG’s
Self-Disclosure Program.
SubPart 521-1 is added to replace what was formerly Part 521, Provider Compliance
Programs, to conform to changes made to Social Services Law (SOS) § 363-d to align State and
Federal provisions related to compliance programs.
Section 521-1.1 is added to establish the scope of the regulation setting forth the requirements
for the adoption and implementation of effective compliance programs. Consistent with statutory
requirements, the regulation applies to any person (referred to as a “Required Provider”) subject to
Articles 28 or 36 of the Public Health Law, Articles 16 or 31 of the Mental Hygiene Law, Medicaid
managed care organizations, including managed long term care plans, referred to collectively as
“MMCO,” and any other person for whom the Medicaid program is a substantial portion of their
business operations.
Section 521-1.2 is added to define certain terms.
Section 521-1.3 is added to specify the duties of a Required Provider.
Section 521-1.3(a) sets forth the general obligation of Required Providers to adopt, implement
and maintain an effective compliance program.
Section 521-1.3(b) is added to establish the obligation of Required Providers to retain records
relevant to their adoption, implementation and maintenance of a compliance program under the
regulation, and to make such records available to OMIG, DOH or the New York State Medicaid Fraud
Page 2 of 73
Control Unit (MFCU). It also establishes the record retention period which is consistent with the
requirements of 18 NYCRR § 504.3(a) and § 517.3, except that MMCOs shall retain records for a
period of 10 years, consistent with the terms of the contracts between the MMCOs and DOH.
Section 521-1.3(c) is added to specify compliance program requirements relevant to any
Required Provider’s contractor, agent, subcontractor or independent contractor.
Section 521-1.3(d) is added to specify the “Risk Areas” that shall be applicable to the Required
Provider and specify additional risk areas applicable to MMCOs.
Section 521-1.3(e) is added to require that Required Providers comply with the directives of
DOH and OMIG with respect to compliance programs required by the regulation.
Section 521-1.3(f) is added to specify, consistent with statutory requirements, that Required Providers
certify to DOH that they have adopted and implemented an effective compliance program upon
enrollment and annually thereafter, and to clarify certification requirements for MMCO Participating
Providers.
Section 521-1.3(g) is added to specify that Required Providers must comply with SubPart 521-
3 of this Part to report, return and explain overpayments.
Section 521-1.4 is added to clarify, consistent with statutory requirements, the seven (7)
elements of an effective compliance program, and to provide direction to Required Providers in the
adoption and implementation of such programs.
Section 521-1.4(a) is added to clarify the requirements for the development of written policies
and procedures, and the types of written policies and procedures that the Required Provider is
required to develop and maintain.
Section 521-1.4(b) is added to clarify the requirements for the designation of a compliance
officer, their primary responsibilities, the reporting structure, and other provisions related to the
compliance officer being able to effectively carry out their responsibilities.
Page 3 of 73
Section 521-1.4(c) is added to clarify the requirements for the establishment of a compliance
committee, its primary responsibilities, the requirement for a compliance committee charter, and
reporting structure.
Section 521-1.4(d) is added to clarify the requirements for establishing and implementing an
effective training program for the Required Provider’s compliance officer and all Affected Individuals.
Section 521-1.4(e) is added to clarify the requirements for establishing and implementing
effective lines of communication, including accessibility, publication, a method for anonymous
reporting, and confidentiality.
Section 521-1.4(f) is added to clarify the requirements for the publication and enforcement of
the Required Provider’s disciplinary procedures, and the requirement that such procedures be
enforced fairly and consistently.
Section 521-1.4(g) is added to clarify the requirements for the Required Provider’s auditing and
monitoring, including the types of audits the Required Provider must undertake, the frequency of such
audits, and other requirements related to internal and external auditing. It also includes a
requirement that the Required Provider actively monitor its Affected Individuals to identify persons
who have been excluded from participation in the Medicaid program.
Section 521-1.4(h) is added to clarify the requirements for responding to compliance issues,
including procedures for the detection of compliance issues, documentation of such issues, and
reporting, where such reporting is required, of any violations of State or Federal law.
Section 521-1.5 is added to specify the procedures for OMIG compliance program reviews.
Sections 521-1.5(a)-(d) outlines the scope of the review, notifications to the Required Provider, and
how OMIG or DOH will communicate its determination.
SubPart 521-2 is added to establish the requirements, consistent with SOS § 364-j(39), for
Medicaid Managed Care Fraud, Waste and Abuse Prevention Programs.
Page 4 of 73
Section 521-2.1(a) (c) is added to set forth the scope of the SubPart, that it shall apply to
MMCOs, and to acknowledge related regulations in 10 NYCRR § 98-1.21 and 11 NYCRR § 86.6.
Section 521-2.2(a) is added to define certain terms.
Section 521-2.3(a) is added to establish the general requirement that MMCOs adopt and
implement policies and procedures designed to detect and prevent fraud, waste and abuse.
Section 521-2.3(b) is added to specify the MMCO’s record retention and cooperation obligations
relevant to the adoption and implementation of its fraud, waste and abuse prevention program under
this SubPart.
Section 521-2.3(c) is added to specify requirements relative to an MMCO’s contractors,
agents, subcontractors, and independent contractors with respect to its fraud, waste and abuse
prevention program.
Section 521-2.4(a) is added to specify, consistent with statutory requirements, that MMCOs, as
part of their fraud, waste and abuse prevention programs, adopt, implement, and maintain an
effective compliance program pursuant to SubPart 521-1, and to specify the requirements for
incorporating elements of the prevention program into the compliance program.
Section 521-2.4(b) is added to specify requirements for the establishment of special
investigation units (SIU), including staffing requirements, investigator qualifications, lead investigator
obligations, the obligation to prepare an SIU work plan, and requirements for delegating the MMCO’s
SIU function to a management contractor.
Section 521-2.4(c) is added to specify audit and investigation requirements including the scope
of audits to be undertaken and the general requirements for conducting such audits and
investigations.
Section 521-2.4(d) is added to require MMCOs to report cases of fraud, waste and abuse to
OMIG in accordance with the provisions of the MMCO’s contract with DOH.
Page 5 of 73
Section 521-2.4 (e) is added to clarify that MMCOs and their subcontractors shall refer
reasonably suspected criminal activity to OMIG and MFCU in accordance with contractual
obligations.
Section 521-2.4(f) is added to clarify that MMCOs, consistent with Federal and contractual
requirements, shall have policies and procedures for providers to report, return and explain
overpayments to the MMCO within sixty (60) days of identification, and that the MMCO shall report
such recoveries to OMIG and DOH in accordance with the terms of the MMCO’s contract with the
department.
Section 521-2.4(g) is added to require the MMCO to develop a fraud, waste and abuse
procedures manual for the use of its employees.
Section 521-2.4(h) is added to specify additional program integrity obligations, including the
development and publication of a fraud, waste and abuse public awareness program and the
publication of the policies and procedures for providers to report, return and explain overpayments to
the MMCO.
Section 521-2.4(i) is added to clarify the MMCO’s obligation to prepare and file with OMIG a
fraud, waste and abuse prevention plan. Section 521-2.4(j)(4) specifies that OMIG will accept a fraud
and abuse prevention plan that has been prepared in accordance with the provisions of 10 NYCRR §
98-1.21 or 11 NYCRR § 86.6, provided that any additional requirements under SubPart 521-2 are
included with the submission.
Section 521-2.4(j) is added to specify the deadline for submitting and the elements to include
in the annual report the MMCO is required to submit to OMIG on its performance under the fraud,
waste and abuse prevention program.
Section 521-2.4(k) is added to clarify an MMCO’s obligation to report information required by
the regulation and contract.
Page 6 of 73
SubPart 521-3 is added to establish the requirements, consistent with the statutory
requirements, that persons shall report, return and explain overpayments consistent with SOS § 363-
d (6), and to explain the requirements of the self-disclosure program administered by OMIG
consistent with SOS § 363-d (7).
Section 521-3.1(a) (c) is added to set forth the scope and applicability of the SubPart.
Section 521-3.2 is added to define certain terms.
Section 521-3.3(a) is added to clarify the requirements for reporting and returning
overpayments received from the Medicaid program.
Section 521-3.3(b) is added to clarify the timeframes for reporting, returning and explaining
overpayments received from the Medicaid program.
Section 521-3.4(a) is added to identify OMIG’s Self-Disclosure Program as the mechanism by
which a person reports, returns and explains an overpayment received from the Medicaid program.
Section 521-3.4(b) is added to set forth the general requirements for OMIG’s Self-Disclosure
Program, including eligibility of a person to participate in the program.
Section 521-3.4(c) is added to specify the information required to be submitted by the person
seeking to report, return and explain an overpayment through OMIG’s Self-Disclosure Program.
Section 521-3.4(d) is added to outline OMIG’s process for receiving and reviewing self-
disclosure submissions.
Section 521-3.4(e) is added to clarify the requirements for Self-Disclosure and Compliance
Agreements and the requirements for executing such agreements.
Section 521-3.4(f) is added to clarify the circumstances under which and the process by which
OMIG may terminate a person’s participation in the Self-Disclosure Program.
Section 521-3.5 is added to specify the requirements, following the completion of OMIG’s
review of the person’s self-disclosure, for the person to remit the overpayment, including interest, if
applicable, to the department.
Page 7 of 73
Section 521-3.6 is added to specify the requirements applicable to all notifications OMIG
issues to the person under SubPart 521-3.
Section 521-3.7 is added to clarify how the requirements of SubPart 521-3 will be enforced
where a person fails to report, return and explain an overpayment by the deadline specified in law
and regulation.
Page 8 of 73
18 NYCRR PART 521 FRAUD, WASTE AND ABUSE PREVENTION
Pursuant to the authority vested in the Medicaid Inspector General by Section 32(20) of the Public
Health Law, Part 521 of Title 18 (Social Services) of the Official Compilation of Codes, Rules and
Regulations of the State of New York is repealed and a new Part 521 is added, to be effective upon
publication of a Notice of Adoption in the New York State Register, to read as follows:
Part 521 is repealed and a new Part 521 is adopted to read as follows:
PART 521 FRAUD, WASTE AND ABUSE PREVENTION
SUBPART 521-1 COMPLIANCE PROGRAMS
SUBPART 521-2 MEDICAID MANAGED CARE FRAUD, WASTE AND ABUSE PREVENTION
SUBPART 521-3 SELF-DISCLOSURE PROGRAM
SUBPART 521-1 COMPLIANCE PROGRAMS
521-1.1 Scope and applicability
521-1.2 Definitions
521-1.3 Required provider duties
521-1.4 Compliance program requirements
521-1.5 Compliance program reviews
521-1.1 Scope and applicability.
(a) Scope. Social Services Law requires certain persons participating in the Medical Assistance (MA)
program to adopt and implement programs designed to detect and prevent fraud, waste and abuse in
the MA program. Required providers may be able to detect and correct payment and billing mistakes
and fraud if required to develop and implement a compliance program. This SubPart sets forth the
requirements for establishing and operating effective compliance programs pursuant to section 363-d
of the Social Services Law, the obligation to self-disclose overpayments, and the procedures for
reviewing compliance programs.
Page 9 of 73
(b) Applicability. The following persons shall be subject to the provisions of this SubPart, and shall
hereinafter be referred to as “required providers”:
(1) any person subject to the provisions of articles 28 or 36 of the Public Health Law;
(2) any person subject to the provisions of articles 16 and 31 of the Mental Hygiene Law;
(3) any managed care provider or managed long term care plan, which shall hereinafter be
collectively, unless otherwise noted, referred to asMedicaid managed care organization” or
MMCO;” and
(4) any other person for whom the MA program is, or is reasonably expected by the person to
be, a substantial portion of their business operations.
521-1.2 Definitions.
(a) For purposes of this SubPart, the terms defined in Parts 504 and 515 of this Title, except as
otherwise noted, shall apply.
(b) In addition, for the purposes of this SubPart, the following terms have the following meanings:
(1) “Affected individuals” means all persons who are affected by the required provider’s risk
areas including the required provider’s employees, the chief executive and other senior
administrators, managers, contractors, agents, subcontractors, independent contractors, and
governing body and corporate officers.
(2) “Days” means, unless otherwise noted, calendar days.
(3) “Effective compliance program” means a compliance program adopted and implemented by
the required provider that, at a minimum, satisfies the requirements of this SubPart and that is
designed to be compatible with the provider’s characteristics (i.e., size, complexity, resources,
and culture), which shall mean that it:
(i) is well-integrated into the company’s operations and supported by the highest levels
of the organization, including the chief executive, senior management, and the
governing body;
Page 10 of 73
(ii) promotes adherence to the required provider’s legal and ethical obligations; and
(iii) is reasonably designed and implemented to prevent, detect, and correct non-
compliance with MA program requirements, including fraud, waste, and abuse most
likely to occur for the required provider’s risk areas and organizational experience.
(4) “MA” means medical assistance for needy persons provided under Title 11 of Article 5 of
the Social Services Law.
(5) “Managed care provider” is as defined in subdivision 1 of section 364-j of the Social
Services Law.
(6) “Managed long term care plan” or “MLTCP” means an entity that has received a certificate
of authority pursuant to section 4403-f of the Public Health Law to provide or arrange for health
and long term care services on a capitated basis for a population which the plan is authorized
to enroll.
(7) “Medicaid Fraud Control Unit” or “MFCU” means the Attorney General of the State of New
York operating the program required by 42 C.F.R. Part 1007 and the Social Security Act.
(8) “Office of the Medicaid Inspector General” or “OMIG means the independent office within
the department established pursuant to Title 3 of Article 1 of the New York State Public Health
Law.
(9) “Organizational experience” means the required provider’s:
(i) knowledge, skill, practice and understanding in operating its compliance program;
(ii) identification of any issues or risk areas in the course of its internal monitoring and
auditing activities;
(iii) experience, knowledge, skill, practice and understanding of its participation in the
MA program and the results of any audits, investigations, or reviews it has been the
subject of; or
Page 11 of 73
(iv) awareness of any issues it should have reasonably become aware of for its
category or categories of service.
(10) “Participating provider means a provider of medical care and/or services that has a
provider agreement with an MMCO.
(11) “Substantial portion of business operations” means:
(i) when a person claims or has claimed, or should be reasonably expected to claim, at
least one million dollars ($1,000,000), in the aggregate, in any consecutive twelve-
month period, directly or indirectly, from the MA program; or
(ii) when a person receives or has received, or should be reasonably expected to
receive, at least one million dollars ($1,000,000), in the aggregate, in any consecutive
twelve-month period, directly or indirectly, from the MA program.
521-1.3 Required provider duties.
(a) General. Required providers shall, as a condition of receiving payment under the MA program,
adopt, implement, and maintain an effective compliance program which satisfies the requirements of
this SubPart. The required provider’s compliance program may be a component of more
comprehensive compliance activities by the required provider so long as the requirements of this
SubPart are met. Required providers must implement and maintain a compliance program, adopted
pursuant to this SubPart, for the entire period that the person meets the definition of being a required
provider.
(b) Record retention. A required provider shall retain all records demonstrating that it has adopted,
implemented and operated an effective compliance program and has satisfied the requirements of
this SubPart. The required provider shall make available to the department, OMIG, or MFCU upon
request, copies of such records. Records shall be retained:
(1) by required providers for a period not less than six (6) years from the date such program
was implemented, or any amendments thereto, were made; or
Page 12 of 73
(2) by MMCOs in accordance with the retention periods specified in their contract with the
department to participate as MMCOs.
(c) Contractors, agents, subcontractors, and independent contractors.
(1) Contractors, agents, subcontractors, and independent contractors are hereinafter
referred to collectively, unless otherwise noted, as “contractor” or “contractors”.
(2) The required provider shall ensure that contracts with contractors specify that the
contractors are subject to the required provider’s compliance program, to the extent that
such contractors are affected by the required provider’s risk areas and only within the
scope of the contracted authority and affected risk areas.
(3) The required provider shall ensure that such contracts include termination provisions
for failure to adhere to the required provider’s compliance program requirements.
(4) The required provider is ultimately responsible for the adoption, implementation,
maintenance, enforcement, and effectiveness of its compliance program.
(d) Risk areas. The compliance program shall apply to the required provider’s risk areas, which are
those areas of operation affected by the compliance program and shall apply to:
(1) billings;
(2) payments;
(3) ordered services;
(4) medical necessity;
(5) quality of care;
(6) governance;
(7) mandatory reporting;
(8) credentialing;
(9) contractor, subcontractor, agent or independent contract oversight;
Page 13 of 73
(10) other risk areas that are or should reasonably be identified by the provider through its
organizational experience; and
(11) for MMCOs, in addition to paragraphs (1) (10) of this subdivision, the following risk
areas:
(i) compliance with terms of the MMCO’s contract with the department to participate as
an MMCO;
(ii) cost reporting;
(iii) submission of encounter data to the department;
(iv) network adequacy and contracting;
(v) provider and subcontractor oversight;
(vi) underutilization;
(vii) marketing;
(viii) provision of medically necessary services;
(ix) payments and claims processing; and
(x) statistically valid service verification.
(e) The required provider shall comply with all directives of the department or OMIG with respect to
the adoption, implementation and maintenance of compliance programs required by this SubPart.
(f) Certification.
(1) Required providers shall certify to the department upon enrollment and annually thereafter,
using a form and manner required by OMIG and the department, that the required provider has
met the requirements of section 363-d of the Social Services Law and this SubPart.
(2) Participating providers that are also required providers pursuant to this SubPart shall
provide a copy of the certification, required under the preceding paragraph, to each MMCO for
which they are a participating provider upon signing the provider agreement with the MMCO,
and annually thereafter. MMCOs shall maintain a method for submitting such certification on
Page 14 of 73
the MMCO’s website, which may include a dedicated email address, and shall retain such
certification in accordance with the requirements of subdivision (b) of this section.
(g) Report, return and explain. Required providers shall comply with the requirements of SubPart
521-3 of this Part to report, return and explain overpayments.
521-1.4 Compliance program requirements.
(a) Written policies and procedures.
(1) General. Required providers shall have written policies, procedures, and standards of
conduct. The required provider shall establish a process for drafting, revising, and approving
the written policies and procedures required by this subdivision. The written policies and
procedures described in this subdivision must be available, accessible, and applicable to all
affected individuals.
(2) The written policies and procedures shall:
(i) articulate the required provider’s commitment and obligation to comply with all
applicable federal and state standards. The required provider shall identify governing
laws, and regulations that are applicable to the provider’s risk areas, including any MA
program policies and procedures, as specified in subdivision (d) of section 521-1.3 of
this SubPart or category of service.
(ii) describe compliance expectations as embodied in standards of conduct. The
standards of conduct shall serve as a foundational document which describes the
required provider’s fundamental principles and values, and commitment to conduct its
business in an ethical manner.
(iii) document the implementation of each of the subdivisions under this section and
outline the ongoing operation of the compliance program. Policies and procedures shall
describe, at a minimum, the structure of the compliance program, including the
Page 15 of 73
responsibilities of all affected individuals in carrying out the functions of the compliance
program.
(iv) provide guidance to affected individuals on dealing with potential compliance issues.
Such guidance shall, at a minimum:
(a) assist affected individuals in identifying potential compliance issues,
questions and concerns, set forth expectations for reporting compliance issues,
and explain how to report such issues, questions, and concerns to the
compliance officer; and
(b) establish the expectation that all affected individuals will act in accordance
with the standards of conduct, that they must refuse to participate in unethical or
illegal conduct, and that they must report any unethical or illegal conduct to the
compliance officer.
(v) identify the methods and procedures for communicating compliance issues to the
appropriate compliance personnel.
(vi) describe how potential compliance issues are investigated and resolved by the
required provider and the procedures for documenting the investigation and the
resolution or outcome.
(vii) include a policy of non-intimidation and non-retaliation for good faith participation in
the compliance program, including, but not limited to:
(a) reporting potential compliance issues to appropriate personnel;
(b) participating in investigation of potential compliance issues;
(c) self-evaluations;
(d) audits
(e) remedial actions
(f) reporting instances of intimidation or retaliation; and
Page 16 of 73
(g) reporting potential fraud, waste or abuse to the appropriate State or Federal
entities.
(viii) Disciplinary standards. Include a written statement setting forth the required
provider’s policy regarding affected individuals who fail to comply with the written
policies and procedures, standards of conduct, or State and Federal laws, rules and
regulations.
(a) Such statement shall establish standards for escalating disciplinary actions
that must be taken in response to non-compliance, with intentional or reckless
behavior being subject to more significant sanctions. Sanctions may include oral
or written warnings, suspension, and/or termination.
(b) The written policies and procedures shall also outline the procedures for
taking disciplinary action and sanctioning individuals. Disciplinary procedures
shall conform with collective bargaining agreements when applicable.
(ix) Additionally, notwithstanding the requirement under 42 U.S.C. 1396a(a)(68), which
applies to entities that receive or make annual payments of at least $5,000,000
annually, all required providers shall comply with the provisions of 42 U.S.C.
1396a(a)(68) (United States Code, 2006 edition, Title 42, Chapter 7, SubChapter XIX,
Government Printing Office, https://www.govinfo.gov/content/pkg/USCODE-2006-
title42/pdf/USCODE-2006-title42-chap7-subchapXIX-sec1396a.pdf. A copy of which is
available for copying and inspection at the Office of the Medicaid Inspector General,
800 North Pearl Street, 2
nd
Floor, Albany, NY 12204).
(x) for MMCOs, describe the MMCO’s implementation, where applicable, of the
requirements of SubPart 521-2 of this Part.
(3) The required provider shall review the written policies and procedures, and standards of
conduct required by this subdivision at least annually to determine:
Page 17 of 73
(i) if such written policies, procedures, and standards of conduct have been
implemented;
(ii) whether affected individuals are following the policies, procedures, and standards of
conduct;
(iii) whether such policies, procedures, and standards of conduct are effective; and
(iv) whether any updates are required.
(b) Compliance officer. The required provider shall designate an individual to serve as its compliance
officer. The compliance officer is the focal point for the required provider’s compliance program and
is responsible for the day-to-day operation of the compliance program. The required provider’s
designation of a compliance officer shall meet the following requirements:
(1) The compliance officer’s primary responsibilities shall include:
(i) overseeing and monitoring the adoption, implementation and maintenance of the
compliance program and evaluating its effectiveness;
(ii) drafting, implementing, and updating no less frequently than annually or, as
otherwise necessary, to conform to changes to Federal and State laws, rule,
regulations, policies and standards, a compliance work plan which shall outline the
required provider’s proposed strategy for meeting the requirements of this section for
the coming year, with a specific emphasis on subdivisions (a), (d), (g), (h) of this section
and, if applicable, SubPart 521-2 of this Part;
(iii) reviewing and revising the compliance program, and, in accordance with paragraph
3 of subdivision (a) of this section, the written policies and procedures and standards of
conduct, to incorporate changes based on the required provider’s organizational
experience and promptly incorporate changes to Federal and State laws, rules,
regulations, policies and standards;
Page 18 of 73
(iv) reporting directly, on a regular basis, but no less frequently than quarterly, to the
required provider’s governing body, chief executive, and compliance committee on the
progress of adopting, implementing, and maintaining the compliance program;
(v) assisting the required provider in establishing methods to improve the required
provider’s efficiency, quality of services, and reducing the required provider’s
vulnerability to fraud, waste and abuse;
(vi) investigating and independently acting on matters related to the compliance
program, including designing and coordinating internal investigations and documenting,
reporting, coordinating, and pursuing any resulting corrective action with all internal
departments, contractors and the State; and
(vii) the compliance officer shall be responsible for coordinating the implementation of
the fraud, waste, and abuse prevention program with the director and lead investigator
of the MMCO’s special investigation unit pursuant to SubPart 521-2 of this Part, if
applicable.
(2) The compliance officer shall report directly and be accountable to the required provider’s
chief executive or another senior manager whom the chief executive may designate for
reporting purposes provided, however, such designation does not hinder the compliance
officer in carrying out their duties and having access to the chief executive and governing
body.
(3) The responsibilities in paragraph (1) of this subdivision may be the compliance officer’s
sole duties or, depending on the size, complexity, resources, and culture of the required
provider and the complexity of the tasks, the compliance officer may be assigned other duties,
provided that such other duties do not hinder the compliance officer in carrying out their
primary responsibilities under this SubPart.
Page 19 of 73
(4) The required provider shall ensure that the compliance officer is allocated sufficient staff
and resources to satisfactorily perform their responsibilities for the day-to-day operation of the
compliance program based on the required provider’s risk areas and organizational
experience.
(5) The required provider shall ensure that the compliance officer and appropriate compliance
personnel have access to all records, documents, information, facilities and affected
individuals that are relevant to carrying out their compliance program responsibilities.
(c) Compliance committee. The required provider shall designate a compliance committee which
shall be responsible for coordinating with the compliance officer to ensure that the required provider is
conducting its business in an ethical and responsible manner, consistent with its compliance program.
The required provider shall outline the duties and responsibilities, membership, designation of a chair
and frequency of meetings in a compliance committee charter. The required provider’s designation of
a compliance committee shall meet the following requirements:
(1) The compliance committee’s responsibilities shall include:
(i) coordinating with the compliance officer to ensure that the written policies and
procedures, and standards of conduct required by subdivision (a) of this section are
current, accurate and complete, and that the training topics required by subdivision (d)
of this section are timely completed;
(ii) coordinating with the compliance officer to ensure communication and cooperation
by affected individuals on compliance related issues, internal or external audits, or any
other function or activity required by this SubPart;
(iii) advocating for the allocation of sufficient funding, resources and staff for the
compliance officer to fully perform their responsibilities;
Page 20 of 73
(iv) ensuring that the required provider has effective systems and processes in place to
identify compliance program risks, overpayments and other issues, and effective
policies and procedures for correcting and reporting such issues; and
(v) advocating for adoption and implementation of required modifications to the
compliance program.
(2) Membership in the committee shall, at a minimum, be comprised of senior managers. The
compliance committee shall meet no less frequently than quarterly and shall, no less frequently
than annually, review and update the compliance committee charter.
(3) The compliance committee shall report directly and be accountable to the required
provider’s chief executive and governing body.
(d) Training and education. The required provider shall establish and implement an effective
compliance training and education program for its compliance officer and all affected individuals. The
required provider’s compliance training and education program shall meet the following requirements:
(1) The training and education shall include, at a minimum, the following topics:
(i) the required provider’s risk areas and organizational experience;
(ii) the required provider’s written policies and procedures identified in subdivision (a) of
this section;
(iii) the role of the compliance officer and the compliance committee;
(iv) how affected individuals can ask questions and report potential compliance-related
issues to the compliance officer and senior management, including the obligation of
affected individuals to report suspected illegal or improper conduct and the procedures
for submitting such reports; and the protection from intimidation and retaliation for good
faith participation in the compliance program;
(v) disciplinary standards, with an emphasis on those standards related to the required
provider’s compliance program and prevention of fraud, waste and abuse;
Page 21 of 73
(vi) how the required provider responds to compliance issues and implements corrective
action plans;
(vii) requirements specific to the MA program and the required provider’s category or
categories of service;
(viii) coding and billing requirements and best practices, if applicable;
(ix) claim development and the submission process, if applicable; and
(x) for MMCOs only, the fraud, waste and abuse prevention program, as specified in
SubPart 521-2 of this Part, and any applicable terms of the MMCO’s contract with the
department to participate as an MMCO.
(2) The compliance officer and all affected individuals shall complete the compliance training
program required by this subdivision no less frequently than annually. The training and
education required by this subdivision shall be made a part of the orientation of new
compliance officers and affected individuals and shall occur promptly upon hiring.
(3) Training and education shall be provided in a form and format accessible and
understandable to all affected individuals, consistent with Federal and State language and
other access laws, rules or policies.
(4) The required provider shall develop and maintain a training plan. The training plan shall, at
a minimum, outline the subjects or topics for training and education, the timing and frequency
of the training, which affected individuals are required to attend, how attendance will be
tracked, and how the effectiveness of the training will be periodically evaluated.
(e) Lines of communication. The required provider shall establish and implement effective lines of
communication which ensure confidentiality for the required provider’s affected individuals. In
designing its lines of communication, the required provider shall meet the following requirements:
(1) The lines of communication shall be accessible to all affected individuals and allow for
questions regarding compliance issues to be asked and for compliance issues to be reported.
Page 22 of 73
(2) The required provider shall publicize the lines of communication to the compliance officer
and such lines of communication must be made available to all affected individuals and all MA
recipients of service from the required provider.
(3) The required provider shall have a method for anonymous reporting of potential fraud,
waste and abuse, and compliance issues directly to the compliance officer.
(4) The required provider must ensure that the confidentiality of persons reporting compliance
issues shall be maintained unless the matter is subject to a disciplinary proceeding, referred to,
or under investigation by, MFCU, OMIG or law enforcement, or disclosure is required during a
legal proceeding, and such persons shall be protected under the required provider’s policy for
non-intimidation and non-retaliation.
(5) If applicable, the required provider shall make available on its website, information
concerning its compliance program, including its standards of conduct.
(f) Disciplinary standards. The required provider shall establish disciplinary standards and shall
implement procedures for the enforcement of such standards to address potential violations and
encourage good faith participation in the compliance program by all affected individuals. In
developing and enforcing its disciplinary standards, the required provider shall meet the following
requirements:
(1) The written policies and procedures establishing, pursuant to subdivision (a) of this section,
the required provider’s disciplinary standards and the procedures for taking such actions shall
be published and disseminated to all affected individuals and shall be incorporated into the
required provider’s training plan as set forth in subdivision (d) of this section.
(2) The required provider shall enforce its disciplinary standards fairly and consistently, and the
same disciplinary action should apply to all levels of personnel.
(g) Auditing and monitoring. The required provider shall establish and implement an effective system
for the routine monitoring and identification of compliance risks. The system should include internal
Page 23 of 73
monitoring and audits and, as appropriate, external audits, to evaluate the organization’s compliance
with the requirements of the MA program and the overall effectiveness of the required provider’s
compliance program. In developing its auditing and monitoring program the required provider shall
meet the following requirements:
(1) Auditing. Required providers shall perform routine audits by internal or external auditors
who have expertise in state and federal MA program requirements and applicable laws, rules
and regulations, or have expertise in the subject area of the audit. Audits or investigations
conducted by state or federal governmental entities are not considered external audits for
purposes of this paragraph. The audits required by this paragraph shall meet the following
requirements:
(i) Internal and external compliance audits shall focus on the risk areas identified in
section 521-1.3 of this SubPart.
(ii) The results of all internal or external audits, or audits conducted by the State or
Federal government of the required provider, shall be reviewed for risk areas that can
be included in updates to the required provider’s compliance program and compliance
work plan.
(iii) The design, implementation, and results of any internal or external audits shall be
documented, and the results shared with the compliance committee and the governing
body.
(iv) Any MA program overpayments identified shall be reported, returned and explained
in accordance with the provisions of SubPart 521-3 of this Part and the required
provider shall promptly take corrective action to prevent recurrence.
(2) Annual compliance program review. The required provider shall develop and undertake a
process for reviewing, at least annually, whether the requirements of this SubPart have been
Page 24 of 73
met. The purpose of such reviews shall be to determine the effectiveness of its compliance
program, and whether any revision or corrective action is required.
(i) The reviews may be carried out by the compliance officer, compliance committee,
external auditors, or other staff designated by the required provider, provided however,
that such other staff have the necessary knowledge and expertise to evaluate the
effectiveness of the components of the compliance program they are reviewing and are
independent from the functions being reviewed.
(ii) The reviews should include on-site visits, interviews with affected individuals, review
of records, surveys, or any other comparable method the required provider deems
appropriate, provided that such method does not compromise the independence or
integrity of the review.
(iii) The required provider shall document the design, implementation and results of its
effectiveness review, and any corrective action implemented.
(iv) The results of annual compliance program reviews shall be shared with the chief
executive, senior management, compliance committee and the governing body.
(3) Excluded providers. In accordance with the requirements of section 515.5 of this Title,
required providers shall confirm the identity and determine the exclusion status of affected
individuals. In addition, MMCOs shall confirm the identity and determine the exclusion status
of any other persons identified in its contract with the department to participate as an MMCO,
including its participating providers and its subcontractors.
(i) In determining the exclusion status of a person required providers shall review the
following State and Federal databases at least every thirty (30) days:
(a) New York State Office of the Medicaid Inspector General Exclusion List;
(b) Health and Human Services Office of Inspector General’s List of Excluded
Individuals and Entities; and
Page 25 of 73
(c) for MMCOs only, any other list or database required by the contract between
the MMCO and the department to participate as an MMCO.
(ii) Required providers shall require contractors to comply with the provisions of this
paragraph. In addition, MMCOs shall require their participating providers and
subcontractors to comply, where applicable, with the provisions of this paragraph.
(4) The required provider shall promptly share the results of the activities required by this
subdivision with the compliance officer and appropriate compliance personnel.
(h) Responding to compliance issues. The required provider shall establish and implement
procedures and systems for promptly responding to compliance issues as they are raised,
investigating potential compliance problems as identified in the course of the internal auditing and
monitoring conducted pursuant to subdivision (g) of this section, correcting such problems promptly
and thoroughly to reduce the potential for recurrence, and ensuring ongoing compliance with State
and Federal laws, rules and regulations, and requirements of the MA program. In developing its
system for responding to compliance program issues, the required provider shall meet the following
requirements:
(1) Upon the detection of potential compliance risks and compliance issues, whether through
reports received, or as a result of the auditing and monitoring conducted pursuant to
subdivision (g) of this section, the required provider shall take prompt action to investigate the
conduct in question and determine what, if any, corrective action is required, and likewise
promptly implement such corrective action.
(2) The required provider shall document its investigation of the compliance issue which shall
include any alleged violations, a description of the investigative process, copies of interview
notes and other documents essential for demonstrating that the required provider completed a
thorough investigation of the issue. Where appropriate, the required provider may retain
outside experts, auditors, or counsel to assist with the investigation.
Page 26 of 73
(3) The required provider shall document any disciplinary action taken and the corrective
action implemented.
(4) If the required provider identifies credible evidence or credibly believes that a State or
Federal law, rule or regulation has been violated, the required provider shall promptly report
such violation to the appropriate governmental entity, where such reporting is otherwise
required by law, rule or regulation. The compliance officer shall receive copies of any reports
submitted to governmental entities.
521-1.5 Compliance program reviews.
(a) Nothing in this SubPart shall preclude or limit the department’s ability to determine if a required
provider has an effective compliance program.
(b) OMIG may, at any time, review to determine if a required provider has adopted, implemented and
maintained a compliance program as required by this SubPart, and to confirm that:
(1) the adopted compliance program satisfies the requirements of this SubPart;
(2) the adopted compliance program has been implemented and that the required provider has
continuously operated such program for the entire period under review;
(3) that the required provider met the criteria requiring the adoption, implementation and
maintenance of such programs; and
(4) the adopted, implemented and maintained compliance program is effective.
(c) Notification.
(1) OMIG shall notify a required provider of its intent to commence a review of its compliance
program by sending the required provider written notification of the review period and
procedures for completing the review. The notification shall be sent to the required provider’s
correspondence or pay-to address on file with the department, or last known address. The
notification shall include the legal authority for the review, outline the process and timeframes
for completing the review, and list any documentation the required provider must provide.
Page 27 of 73
(2) The required provider shall provide its responses in the form and manner prescribed by
OMIG, including any requested records, within thirty (30) days of the date on OMIG’s
notification of its intent to commence a compliance program review. For good cause shown,
OMIG may extend the thirty (30) day period to respond.
(3) The provisions of this section notwithstanding, OMIG may separately review an MMCO’s
compliance program as part of a Medicaid program integrity review pursuant to subdivision 36
of section 364-j of the Social Services Law.
(d) Determination. After completing its review OMIG shall notify the required provider of the results of
its review. The notice shall:
(1) advise the required provider whether its compliance program satisfactorily met the
requirements of this SubPart;
(2) advise the required provider of any recommendations for improving its compliance program
or correcting deficiencies; or
(3) where OMIG has determined that a required provider has not satisfactorily met the
requirements of Social Services Law section 363-d and the requirements of this SubPart,
OMIG will advise the required provider that, in addition to any other action authorized by law, it
may be subject to monetary penalties pursuant to Part 516 of this Title, and that its
participation in the Medicaid program may be revoked (terminated) pursuant to Part 504 of this
Title.
Page 28 of 73
SUBPART 521-2 MEDICAID MANAGED CARE FRAUD, WASTE AND ABUSE PREVENTION
521-2.1 Scope and applicability
521-2.2 Definitions
521-2.3 MMCO duties
521-2.4 Fraud, waste and abuse prevention program requirements
521-2.1 Scope and applicability.
(a) Scope. Social Services Law requires managed care providers, including managed long term care
plans, to adopt and implement programs designed to detect and prevent fraud, waste and abuse in
the MA program. This SubPart sets forth the standards for managed care fraud, waste and abuse
prevention programs pursuant to subdivision 39 of section 364-j of the Social Services Law.
(b) Applicability. This SubPart applies to managed care providers and includes managed care long
term care plans, which shall hereinafter be collectively, unless otherwise noted, referred to as
“Medicaid managed care organizations” or “MMCO.”
(c) Related regulations. Section 98-1.21 of Title 10 and section 86.6 of Title 11 set forth requirements
related to the establishment and operation, for certain managed care plans, of fraud and abuse
prevention plans and programs. MMCOs subject to those sections shall continue to comply with such
requirements, provided that, as it pertains to the MMCO’s participation in the MA program, the
requirements of this SubPart are met. To the extent that any requirements of this SubPart conflict
with or are greater than the requirements of those sections, the requirements of this SubPart shall
apply to the MMCO.
521-2.2 Definitions.
(a) For purposes of this SubPart, the terms defined in Parts 504 and 515 of this Title, and SubPart
521-1 of this Part, unless noted otherwise, shall apply.
(b) In addition, for the purposes of this SubPart, the following terms have the following meanings:
Page 29 of 73
(1) “Abuse” means practices that are inconsistent with sound fiscal, business, medical or
professional practices, and which result in unnecessary costs to the Medicaid program,
payments for services that were not medically necessary, or payments for services which fail
to meet recognized standards for health care. It also includes enrollee practices that result in
unnecessary costs to the Medicaid program.
(2) “Fraud” means an intentional deception or misrepresentation made with the knowledge that
the deception could result in some unauthorized benefit to the provider, Contractor,
Subcontractor, or another person and includes the acts prohibited by section 366-b of the
Social Services Law. It also includes any other act that constitutes fraud under applicable
Federal or State law.
521-2.3 MMCO duties.
(a) General. MMCOs shall adopt and implement policies and procedures designed to detect and
prevent fraud, waste and abuse. Such policies and procedures shall satisfy the requirements of this
SubPart. The MMCO’s fraud, waste, and abuse prevention program may be a component of more
comprehensive fraud, waste and abuse prevention activities by the MMCO, so long as the
requirements of this SubPart are met.
(b) Record retention, access to records and facilities, and cooperation with OMIG, Department and
MFCU requests. In addition to the MMCO’s record retention obligations under the MMCO’s contract
with the department to participate as an MMCO, an MMCO shall retain all records demonstrating that
it has adopted, implemented and operated a fraud, waste and abuse prevention program which has
satisfied the requirements of this SubPart.
(1) The MMCO and its subcontractors shall retain records in accordance with the requirements
of its contract with the department to participate as an MMCO.
(2) The MMCO and its subcontractors shall provide to OMIG, the department or their
authorized representatives, and MFCU, all records and information requested, in the form
Page 30 of 73
requested, and allow access to their facilities at any time. All copies of records must be
provided free of charge. The MMCO and its subcontractors shall comply with any additional
terms regarding access to records in accordance with the terms of its contract with the
department to participate as an MMCO.
(3) The MMCO and its subcontractor shall permit OMIG, the department and MFCU to conduct
private interviews of MMCO personnel, its subcontractors and their personnel, witnesses, and
enrollees. MMCO personnel, and subcontractors and their personnel must cooperate fully in
making MMCO personnel, subcontractors and their personnel available in person for
interviews, consultation, grand jury proceedings, pre-trial conferences, hearings, trial and in
any other process, including investigation, at the MMCO’s and subcontractor’s own expense.
(c) Contractors, agents, subcontractors, and independent contractors. MMCOs shall ensure that
contracts with contractors, agents, subcontractors, independent contractors, and participating
providers specify that the contractors, agents, subcontractors, independent contractors, and
participating providers are subject to audit, investigation, or review under the MMCO’s fraud, waste
and abuse prevention program, to the extent that such contractors, agents, subcontractors,
independent contractors, and participating providers relate to the MMCO’s participation in the MA
program.
521-2.4 Fraud, waste and abuse prevention program requirements.
(a) Compliance program. The MMCO shall adopt, implement and maintain a compliance program
that satisfies the requirements of SubPart 521-1 of this Part. The MMCO shall be responsible for
ensuring that the requirements of its fraud, waste and abuse prevention program are incorporated
into its compliance program. Specifically, the MMCO shall:
(1) incorporate into the written policies and procedures required by subdivision (a) of section
521-1.4 of this Part, the MMCO’s policies and procedures for preventing, detecting and
investigating fraudulent, wasteful or abusive activities by its participating providers, non-
Page 31 of 73
participating providers, contractors, agents, subcontractors, independent contractors, and any
other person the MMCO or its subcontractors pay for ordering, providing, furnishing or
arranging for a service to a MA program recipient. The MMCO shall also incorporate any other
policies and procedures related to its obligations under this SubPart;
(2) require its designated compliance officer, as required by subdivision (b) of section 521-1.4
of this Part, to be responsible, except where noted, for implementing the requirements of this
SubPart, and shall be responsible for coordinating with the MMCO’s SIU director, where
applicable;
(3) include, as part of the training required by subdivision (d) of section 521-1.4 of this Part,
training of all personnel involved in identifying and evaluating instances of potential fraud,
waste and abuse; and
(4) include, as part of its auditing and monitoring activities as required by subdivision (g) of
section 521-1.4 of this Part, the requirements of subdivision (c) of this section.
(b) Special investigation unit (SIU). If the MMCO has an enrolled population of one thousand (1,000)
or more persons in the aggregate in any given year, the MMCO shall establish a full-time SIU to
identify risk and to detect and investigate cases of potential fraud, waste and abuse, report such
cases to OMIG, and electively report potential fraud to MFCU, in accordance with the provisions of
this SubPart and the terms of the MMCO’s contract with the department to participate as an MMCO.
The SIU must be separate and distinct from any other unit or function of the MMCO. In establishing
its SIU, the MMCO shall meet the following requirements:
(1) Staffing requirements. The MMCO shall dedicate sufficient staff and resources to the SIU
to effectively detect and prevent fraud, waste and abuse in the New York State MA program.
(i) The MMCO shall employ at least one full-time lead investigator and one SIU director
who shall be based in the State of New York and be responsible for communicating and
coordinating with OMIG or MFCU with respect to:
Page 32 of 73
(a) conducting fraud, waste and abuse investigations;
(b) making fraud, waste and abuse referrals;
(c) preparing investigatory reports;
(d) investigating and remediating conflicts of interest;
(e) identifying and recovering overpayments;
(f) conducting provider terminations, education or re-education, and other related
actions;
(g) implementing the fraud, waste and abuse prevention program required by this
SubPart;
(h) participating in any meetings required by OMIG; and
(i) participating in any meetings required by MFCU
(ii) The MMCO shall employ at least one (1) full-time investigator per sixty thousand
(60,000) enrollees, except in the case of an MLTCP, which shall employ at least one (1)
full-time investigator per six thousand (6,000) enrollees. The MMCO shall employ
investigators dedicated to servicing a particular county when that county on its own
meets the designated investigator-to-enrollee ratio required by this paragraph. An
MMCO may propose for OMIG’s consideration alternative minimum staffing levels,
provided the MMCO demonstrates to OMIG’s satisfaction that its proposal would be no
less effective than those required by this subparagraph and that the requirements of this
SubPart can be fully met. The MMCO must apply for and receive written approval from
OMIG of any alternative staffing levels prior to the implementation of any alternative
minimum staffing levels. The approval or denial of any alternative staffing level
proposal is at the discretion of the Medicaid Inspector General or their designee, and
such approval may be rescinded by the Medicaid Inspector General or their designee
with ninety 90 days’ notice.
Page 33 of 73
(iii) In addition to investigators, the MMCO shall also employ or utilize existing
employees who are certified coders, clinicians, data analysts, or pharmacists to support
the work of the SIU.
(2) SIU investigator qualifications. Persons employed by the SIU as investigators shall be
qualified by education or experience, which shall include:
(i) a minimum of five years in the healthcare field working in fraud, waste, and abuse
investigations and audits, or five years of insurance claims investigation experience or
professional investigation experience with law enforcement agencies, or seven years of
professional investigation experience involving economic or insurance related matters;
(ii) an associate’s or bachelor’s degree in criminal justice or a related field; or
(iii) employment as an investigator in the MMCO’s SIU on or before the effective date of
this SubPart.
(3) SIU work plan. No less frequently than annually, the SIU shall prepare a work plan
outlining the activities that it plans to complete in the coming year. The SIU shall consider the
MMCO’s risk areas, as specified in SubPart 521-1 of this Part, and organizational experience
in developing the work plan. The SIU work plan may be a standalone document, or a
component of its larger compliance work plan required by SubPart 521-1 of this Part.
(4) Delegation. The MMCO may delegate all or part of the functions of the SIU under this
subdivision, provided, however, that it shall be no defense to enforcement of this SubPart that
a subcontractor failed to provide effective service enabling the MMCO to comply with its
obligations. The MMCO is ultimately responsible for meeting the requirements of this SubPart.
(i) The MMCO shall require that the subcontractor to whom it delegates the SIU function
comply with all the requirements of this subdivision, and any other relevant
requirements under this SubPart. The MMCO shall also require that the subcontractor
cooperate fully with OMIG in any examination of the implementation of the fraud, waste
Page 34 of 73
and abuse prevention program required by this SubPart and provide any and all
assistance requested by OMIG, the department, MFCU and any other law enforcement
agency or any prosecutorial agency in the investigation of fraud, waste and abuse, and
the prosecution of fraud and abuse and related crimes.
(ii) The MMCO shall review any contract for SIU functions to determine if it delegates
any management authority. An MMCO shall not enter into any agreement delegating
management authority except pursuant to a management contract which complies with
the requirements of subdivisions (h) through (s) of section 98-1.11 of Title 10 and
section 98-1.18 of Title 10.
(iii) If the MMCO enters into a management contract for all or part of its SIU function, the
management contract shall be submitted to the department and OMIG, and included as
part of the fraud, waste and abuse prevention plan required by subdivision (i) of this
section.
(c) MMCO audits and investigations. In addition to the auditing and monitoring requirements of
subdivision (g) of section 521-1.4 of this Part, the MMCO shall audit, investigate, or review cases of
fraud, waste or abuse specific to its participation in the MA program, and the MMCO’s risk areas as
specified in SubPart 521-1 of this Part. The MMCO shall conduct such audits, investigations or
reviews in accordance with the following requirements and as specified in the contract between the
MMCO and the department to participate as an MMCO:
(1) The MMCO’s SIU, if applicable, shall be primarily responsible for performing, or
collaborating with and monitoring those individuals performing, such audits, investigations and
reviews, and shall coordinate with the MMCO’s designated compliance officer.
(2) Such audits, investigations and reviews must involve at least one percent (1%) or more of
the aggregate of MA program claims it pays to providers and subcontractors, based on the
total prior year’s claims paid by the MMCO. Such audits, investigations and reviews may
Page 35 of 73
review claims consistent with any lookback period established in the MMCO’s contract with the
Department to participate as an MMCO.
(3) Such audits, investigations and reviews must be of clinical and billing records to verify that
no duplicate payments were made, appropriate services were rendered and billed, appropriate
procedure codes were utilized, and accurate encounter data was reported to the department.
(d) Reporting cases of fraud, waste and abuse. The MMCO and its subcontractors shall report all
cases of potential fraud, waste and abuse to OMIG. The MMCO may also report cases of potential
fraud to the MFCU. In reporting such cases, the MMCO shall comply with the terms of its contract
with the department to participate as an MMCO. The reports shall be reviewed and signed by an
executive officer of the MMCO responsible for the operations of the SIU. In addition, the MMCO shall
include the following information when reporting potential fraud, waste and abuse to OMIG:
(1) Information about the subject of the report, including:
(i) the name of the person or provider;
(ii) the provider’s Medicaid provider ID, if applicable;
(iii) the person’s or provider’s national provider ID, if applicable;
(iv) the person’s or provider’s address;
(v) the type of provider; and
(vi) any other information requested by OMIG.
(2) The source and origin of the allegation;
(3) The date the allegation was first reported to the MMCO, or the MMCO first became aware
of the allegation;
(4) A summary of the investigation, which shall be in a form and format approved by OMIG;
(5) A description of the suspected misconduct, with specific details including:
(i) the category of service;
(ii) a factual explanation of the allegation;
Page 36 of 73
(iii) the specific MA program statutes, rules, regulations, and/or policies violated; and
(iv) the date(s) of the conduct.
(6) The amount the MMCO paid to the person or provider during the past three (3) years or
during the period of the alleged misconduct, whichever is greater;
(7) All communications between the MMCO and the provider or person concerning the conduct
at issue;
(8) The contact information for the MMCO SIU director, lead investigator, investigator(s) and
staff with knowledge of the case;
(9) An estimate of the overpayment, when available; and
(10) Copies of the investigation file and related material.
(e) The MMCO and its subcontractors shall immediately refer reasonably suspected criminal activity
to OMIG and MFCU in accordance with the requirements specified in the MMCO’s contract with the
department to participate as an MMCO.
(f) Report, return and explain. The MMCO shall establish policies and procedures in accordance with
the requirements of section 363-d of the Social Services Law for its participating providers and other
subcontractors to report, return and explain overpayments to the MMCO within sixty (60) days of
identification. The MMCO shall promptly report all recoveries, including recoveries which result from
a provider or subcontractor reporting, returning and explaining an overpayment under this
subdivision:
(1) in its cost reports to the department, and in accordance with the instructions and directives
of the department; and
(2) in a monthly report to OMIG in a form and format to be determined by OMIG, or as
otherwise specified in its contract with the department to participate as an MMCO.
Page 37 of 73
(g) The MMCO shall develop a fraud, waste and abuse detection procedures manual for use by
officers, directors, managers, personnel, and subcontractors performing claims underwriting, member
services, utilization management, complaint, investigative and/or SIU services.
(h) Other program integrity requirements.
(1) The MMCO shall develop a fraud, waste and abuse public awareness program focused on
the cost and frequency of MA program fraud, and the methods by which the MMCO’s
enrollees, providers, and other contractors, agents, subcontractors, or independent contractors
can prevent it. The MMCO shall make information regarding the public awareness program
available on its website.
(2) The MMCO shall make available on its website information on how and where to report,
return and explain overpayments to the MMCO, in accordance with the requirements of
subdivision (f) of this section.
(i) Fraud, waste and abuse prevention plan.
(1) Within ninety (90) calendar days of the effective date of this SubPart or of signing a new
contract with the department to begin participation as an MMCO, the MMCO shall develop a
fraud, waste and abuse prevention plan and shall submit such plan to OMIG.
(2) The MMCO shall review and update such plan no less frequently than annually.
(3) The plan shall include:
(i) a description of the MMCO’s program for preventing and detecting fraud, waste and
abuse;
(ii) a description, if applicable, of the organization of the SIU, including:
(a) titles and job descriptions of the investigators, investigative supervisors and
other staff;
(b) the minimum qualifications for employment in these positions in addition to
those qualifications required by this section;
Page 38 of 73
(c) the geographical location and assigned territory of each investigator and
investigative supervisor;
(d) the support staff and other physical resources, including database access
available to the SIU; and
(e) the supervisory and reporting structure within the SIU and between the SIU
and senior management of the MMCO.
(iii) If investigators employed by the unit will be responsible for investigating cases in
more than one state, the plan must apportion that percentage of the investigators
efforts that will be devoted to New York cases;
(iv) the rationale, if applicable and different from the minimum staffing levels required by
subdivision (b) of this section, for the level of staffing and resources of the SIU which
may include, but is not limited to, objective criteria such as the number of claims
received with respect to the MMCO’s participation in the New York State MA program
on an annual basis, volume of potential fraud, waste and abuse for the MMCO’s New
York MA claims currently being detected, other factors relating to the vulnerability of the
MMCO to fraud, waste and abuse, and an assessment of optimal caseload which can
be handled by an investigator on an annual basis;
(v) a description of the roles, responsibilities and interaction between the MMCO’s:
(a) designated compliance officer responsible for carrying out the provisions of
the fraud, waste and abuse prevention program and the SIU;
(b) SIU and the claims, quality, member services, utilization review, complaint
procedures and underwriting functions of the MMCO for the purpose of
enhancing the ability of the MMCO to detect fraud, waste and abuse and to
increase the likelihood of its successful prosecution, and for the initiation of civil
action when appropriate;
Page 39 of 73
(c) SIU and the MMCO’s legal department; and
(d) SIU and OMIG, the department, MFCU, or other law enforcement agencies
and prosecutors;
(vi) the MMCO’s policies and procedures required by paragraph (1) of subdivision (a) of
this section;
(vii) the criteria the MMCO uses for the internal referral of a case to the SIU for
evaluation, and the criteria the SIU utilizes for reporting cases of potential fraud, waste
and abuse to the department and OMIG in accordance with subdivision (d) of this
section;
(viii) a description of the specific controls in place for the prevention and detection of
potential fraud, waste and abuse, including a list of any automated pre-payment claims
edits and a list of any automated post-payment review of claims;
(ix) a description of the training required by paragraph (3) of subdivision (a) of this
section;
(x) the timetable for the implementation of the fraud, waste and abuse prevention plan,
provided however, that the period preceding implementation shall not exceed one
hundred and eighty (180) calendar days from the date the MMCO executes its contract
with the department to participate as an MMCO and develops its fraud, waste and
abuse prevention plan pursuant to paragraph (1) of this subdivision.
(4) A fraud and abuse prevention plan developed in accordance with the provisions of section
98-1.21 of Title 10 or section 86.6 of Title 11 will satisfy the requirements of this subdivision,
provided that the MMCO includes any additional information required by this subdivision.
(j) Annual report. The MMCO shall on or before a date specified by OMIG, which shall be no sooner
than January 31 of each calendar year, file with OMIG, in a form and format approved by OMIG, an
Page 40 of 73
annual report for the preceding calendar year, demonstrating that it has satisfied the requirements of
this SubPart. Such report shall, at a minimum, include:
(1) a description of the MMCO’s experience, performance and cost effectiveness in
implementing the fraud, waste and abuse prevention program;
(2) the MMCO’s proposals for modifications to its fraud, waste and abuse prevention program
and plan, to amend its operations, to improve performance or to remedy observed deficiencies;
(3) a summary of the MMCO’s SIU staffing;
(4) a summary of the activities of the MMCO’s subcontractors or vendors who perform audit,
investigation or review functions for the MMCO;
(5) the total number of reported cases of potential fraud, waste or abuse identified by the
MMCO, its subcontractor(s) or vendor(s);
(6) the MMCO’s SIU work plan for the next calendar year;
(7) results of service verification reviews as specified in the MMCO’s contract with the
department to participate as an MMCO; and
(8) any other information or data that OMIG may require relevant to the requirements of this
SubPart or related requirements under the MMCO’s contract with the department to participate
as an MMCO.
(k) Notwithstanding any requirement to report using forms or formats approved by OMIG under this
SubPart or under the MMCO’s contract with the department to participate as an MMCO, in the event
that such form or format has not been promulgated, the MMCO shall report the substantive
information required by this SubPart or the contract.
Page 41 of 73
18 NYCRR SUBPART 521-3 SELF-DISCLOSURE PROGRAM
521-3.1 Scope and applicability
521-3.2 Definitions
521-3.3 Reporting and returning overpayments
521-3.4 Self-Disclosure Program
521-3.5 Returning the overpayment
521-3.6 Notification
521-3.7 Enforcement
521-3.1 Scope and applicability.
(a) Scope.
(1) Subdivision 6 of the section 363-d of the Social Services Law requires persons who have
received an overpayment under the MA program to report, return and explain the overpayment
to the department and the Office of Medicaid Inspector General (“OMIG”).
(2) A person satisfies their obligation to report, return and explain by making a disclosure
through OMIG’s Self-Disclosure Program, complying with the requirements as specified in
section 521-3.4 of this SubPart, and returning the overpayment and interest to the department
in accordance with the provisions of section 521-3.5 of this SubPart.
(b) Applicability. This SubPart applies to persons who have received an overpayment under the MA
program.
(c) Related requirements. 42 U.S.C. § 1320a-7k(d) requires persons who have received an
overpayment from the MA program to report, return and explain the overpayment to the Federal
Department of Health and Human Services, the State, or appropriate fiscal intermediary.
521-3.2 Definitions.
(a) For purposes of this SubPart, the terms defined in Parts 504 and 515 of this Title, and SubPart
521-1 of this Part, except as otherwise noted in this SubPart, shall apply.
Page 42 of 73
(b) In addition, for the purposes of this SubPart, the following terms have the following meanings:
(1) “Managed long term care plan” means an entity that has received a certificate of authority
pursuant to section 4403-f of the Public Health Law to provide or arrange for health and long
term care services on a capitated basis for a population which the plan is authorized to enroll.
(2) “MMCO” means:
(i) a managed care provider as defined in in subdivision 1 of section 364-j of the Social
Services Law; and
(ii) a managed long term care plan.
(3) “Overpayment has the same meaning as used in subdivision (c) of section 518.1 of this
Title.
(4) “Person” means:
(i) a provider as defined in section 504.1 of this Title;
(ii) an MMCO, and any subcontractors or network providers of an MMCO; and
(iii) does not include MA program recipients.
(5) “Self-Disclosure and Compliance Agreement” or “SDCA” means the stipulation of
settlement between OMIG and a person who agrees to repay the MA program the amount of
the overpayment and interest in accordance with the provisions of section 518.4 of this Title
through installment payments and/or agrees to implement corrective action to prevent
recurrence of the conduct giving rise to the overpayment.
521-3.3 Reporting and returning overpayments.
(a) General. Any person who has received an overpayment under the MA program, directly or
indirectly, shall report, return and explain the overpayment by submission of a Self-Disclosure
Statement to OMIG’s Self-Disclosure Program pursuant to section 521-3.4 of this SubPart.
(b) Deadline for reporting and returning overpayments.
Page 43 of 73
(1) If a person has received an overpayment under the MA program, the person shall report
and return the overpayment and interest if applicable to the department, and explain the
reasons for the overpayment to OMIG by the later of:
(i) the date which is sixty (60) days after the date on which the overpayment was
identified; or
(ii) the date any corresponding cost report is due, if applicable.
(2) Pursuant to paragraph (b) of subdivision 6 of section 363-d of the Social Services Law, a
person has identified an overpayment when that person has or should have through the
exercise of reasonable diligence, determined that they have received an overpayment and
quantified the amount of the overpayment.
(3) Where a person fails to exercise reasonable diligence, and the person in fact received an
overpayment, they shall be subject to any enforcement action authorized by section 521-3.7 of
this SubPart and any applicable provisions of federal and state law, including but not limited to
Article XIII of the New York State Finance Law.
(4) Pursuant to paragraph (c) of subdivision 6 of section 363-d of the Social Services Law, the
deadline for reporting, returning and explaining an overpayment shall be tolled when OMIG
acknowledges receipt of a submission of a Self-Disclosure Statement to its Self-Disclosure
Program pursuant to section 521-3.4 of this SubPart, and shall remain tolled until such time:
(i) that an SDCA, in accordance with subdivision (e) of section 521-3.4 of this SubPart,
is executed by both the person reporting, returning and explaining the overpayment and
OMIG, if applicable;
(ii) the person withdraws from the Self-Disclosure Program;
(iii) the person repays the full amount of the overpayment along with any interest due,
as determined by OMIG after review of a person’s disclosure, in accordance with the
provisions of section 521-3.5 of this SubPart; or
Page 44 of 73
(iv) OMIG terminates, pursuant to subdivision (f) of section 521-3.4 of this SubPart, the
person’s participation in the Self-Disclosure Program.
(5) For an overpayment made by an MMCO to the person under the MA program. A person
who reports, returns and explains an overpayment to an MMCO, in accordance with the
provisions of subdivision (f) of section 521-2.4 of this Part shall be considered to have satisfied
the requirements of subdivision 6 of section 363-d of the Social Services Law, provided that
the overpayment is reported and returned to the MMCO by the deadline specified in paragraph
(1) of this subdivision.
521-3.4 Self-Disclosure Program.
(a) General. Pursuant to subdivision 7 of section 363-d of the Social Services Law, the OMIG’s Self-
Disclosure Program is the process by which persons who have identified an overpayment under the
MA program report, return and explain overpayments to the MA program. Persons required to report,
return and explain overpayments pursuant to section 521-3.3 of this SubPart shall submit information
regarding the overpayment to OMIG and make repayment in the form and manner set forth in this
section.
(b) Self-Disclosure Program - General Provisions.
(1) Eligibility. A person is eligible to participate in the Self-Disclosure Program if:
(i) the person is not currently under audit, investigation, or review by OMIG. If the
person is under audit, investigation, or review, but the overpayment being disclosed
does not relate to the existing audit, investigation, or review the person shall be eligible
to participate, with respect to the overpayment being disclosed. For purposes of this
paragraph, an audit, investigation, or review includes, but is not limited to, Parts 515,
516, 517, 518 and 521 of this Title;
(ii) the person is disclosing an overpayment and related conduct that OMIG has not
identified at the time of the disclosure;
Page 45 of 73
(iii) the overpayment and related conduct are reported by the deadline specified in
paragraph (1) of subdivision (b) of section 521-3.3 of this SubPart; and
(iv) the person is not currently a party to or the subject of any criminal investigation,
related to their participation in the MA program, being conducted by the MFCU or an
agency of the United States Government or any political subdivision thereof.
(2) For persons eligible to participate in the Self-Disclosure Program, pursuant to paragraph (1)
of this subdivision, OMIG, in its sole discretion, after a written request from an eligible person
participating in the Self-Disclosure Program, may:
(i) waive the imposition of interest on the amount of the overpayment, in whole or in
part;
(ii) permit repayment through installments pursuant to an SDCA;
(iii) in accordance with the provisions of subdivision 18 of section 32 of the Public Health
Law, consider the person’s reporting and returning overpayments as a mitigating factor
in the determination of an administrative enforcement action; and
(iv) for persons subject to the provisions of SubPart 521-1 of this Part and in
accordance with section 363-d of the Social Services Law, consider the person’s
reporting and returning overpayments as a factor in determining whether the person has
adopted and implemented an effective compliance program.
(3) Regardless of eligibility, if the person has determined that they have received an
overpayment pursuant to section 521-3.3 of this SubPart, the person shall submit a Self-
Disclosure Statement pursuant to subdivision (c) of this section.
(4) If OMIG determines that a person is ineligible, it shall notify the person of this determination
in writing, in accordance with the requirements of subdivision (a) of section 521-3.6 of this
SubPart.
(c) Self-Disclosure Statement.
Page 46 of 73
(1) As a condition of participation in the Self-Disclosure Program, the person shall apply by the
submission of a self-disclosure statement, cooperate and furnish any information requested,
including any additional data, documentation, or information requested by the OMIG needed to
confirm the overpayment.
(2) To participate in the Self-Disclosure Program, a person shall submit a statement which
shall contain the following information:
(i) An estimate of the amount of the overpayment. The person shall calculate the
estimated overpayment and provide information to OMIG which supports the calculated
overpayment amount. OMIG has the sole discretion to approve the methodology used
for the calculation and to determine the overpayment amount and interest if applicable;
(ii) A detailed explanation of the reason the person received the overpayment, which
shall, at a minimum include:
(a) a description and explanation of the circumstances that gave rise to the
overpayment;
(b) how the circumstances giving rise to the overpayment were discovered;
(c) the date the overpayment was identified;
(d) how the person calculated the amount of the overpayment;
(e) the date(s) the overpayment(s) were received; and
(f) the action taken to correct the error which caused the overpayment.
(iii) the person’s contact information;
(iv) data file, in the form and format specified by OMIG;
(v) whether the person is requesting to repay through installment payments;
(vi) whether the person is requesting the waiver of any applicable interest;
(vii) the person’s agreement to return the full amount of the overpayment and interest if
applicable, as determined by OMIG; and
Page 47 of 73
(viii) any other data, documentation, or information OMIG shall require through the
issuance of guidance or in response to its review of the submission.
(3) The Self-Disclosure Statement shall be signed by the person’s compliance officer, where
the person is a required provider pursuant to SubPart 521-1 of this Part. Where the person is
not a required provider pursuant to SubPart 521-1 of this Part, the Self-Disclosure Statement
may be signed by one of the following, the person’s chief executive officer, chief operating
officer, a senior manager of the person, or the person, where the person is a sole practitioner.
(4) A person requesting to repay through installment payments may be required to furnish
OMIG with financial records and other documentation in support of the request. OMIG shall
approve or reject a person’s request based on a review of the person’s financial
documentation, participation in the MA program, and any other factors OMIG identifies.
(5) If OMIG determines that no overpayment was made, it shall notify the person in writing of
the determination.
(6) A person who has received and disclosed an overpayment or has received notice of the
overpayment amount due, and interest if applicable, pursuant to section 521-3.5 of this
SubPart is required to return the overpayment and interest if applicable, in accordance with
section 521-3.3 of this SubPart.
(d) Review of Accepted Self-Disclosures.
(1) OMIG shall acknowledge receipt and review the Self-Disclosure Statement and consider
any written requests made pursuant to paragraph (2) of subdivision (b) of this section and shall
complete a preliminary review within twenty (20) days of the submission. The deadline to
report, return and explain shall be tolled, in accordance with the provisions of subdivision (b) of
section 521-3.3 of this SubPart, from the date the submission was acknowledged by OMIG
until completion of OMIG’s preliminary review. Upon completion of its preliminary review,
OMIG shall notify the person, in accordance with the notice provisions of subdivision (a) of
Page 48 of 73
section 521-3.6 of this SubPart, and either accept the submission or return the submission as
incomplete and identify the information and data needed to complete the submission. Only a
submission that is acknowledged and accepted shall continue to toll the deadline to report,
return and explain, in accordance with the provisions of subdivision (b) of section 521-3.3 of
this SubPart, from the date the submission was acknowledged by OMIG. OMIG’s acceptance
of the person’s submission of a Self-Disclosure Statement is conditioned upon the person’s
cooperation with OMIG under the Self-Disclosure Program, including any request for additional
information or data under paragraph (2) of this subdivision.
(2) OMIG may, at any time, request additional information or data from the person who
submitted the Self-Disclosure Statement. Such requests will be made in writing in accordance
with subdivision (a) of section 521-3.6 of this SubPart. The person shall respond with such
information and data within fifteen (15) days of the date of OMIG’s notice.
(i) OMIG may extend the period to respond for good cause. Any request by the person
to extend the period to respond shall be made in writing to OMIG and any approval or
denial of the extension request shall be made by OMIG, in writing, in accordance with
the provisions of subdivision (a) of section 521-3.6 of this SubPart.
(ii) Failure by the person to respond within fifteen (15) days or by any extended deadline
will result in the submission being deemed not accepted and returned to the person as
incomplete, and any tolling of the deadline to report, return and explain shall be
terminated. OMIG will notify the person in writing, in accordance with the provisions of
subdivision (a) of section 521-3.6 of this SubPart, that the submission has not been
accepted, and the notice shall include the date on which the submission was deemed
not accepted and the tolling of the deadline to report, return and explain was terminated.
(3) Once OMIG has accepted the submission of a self-disclosure statement and determined
that the submission is complete, OMIG will review and verify the amount of the overpayment
Page 49 of 73
and issue a notification, in accordance with subdivision (a) of section 521-3.6 of this SubPart,
to the person of the overpayment amount due, including interest if applicable, and instructions
for repayment.
(e) Self-Disclosure and Compliance Agreement.
(1) The SDCA is a binding contract between the person and OMIG. A person may be eligible
for an SDCA based on the conduct being disclosed and/or where the person has requested to
repay the determined overpayment amount through installments. The overpayment amount
shall include interest unless interest is waived, in the sole discretion of OMIG.
(2) The SDCA shall include, at a minimum, the following terms and conditions:
(i) Agreement by the person to repay the amount of the overpayment and interest if
applicable, as determined by OMIG, which is the subject of the disclosure.
(ii) If approved by OMIG for installment payments, agreement to make all installments
payments on time, and in accordance with the repayment schedule.
(iii) Identification of, and agreement by the person to implement any corrective actions
to prevent the issues which caused the person to receive an overpayment from the MA
program from recurring.
(3) The person shall execute and return the SDCA, which must be received by OMIG within
fifteen (15) days of the person receiving said agreement from OMIG, or such other timeframe
as OMIG may permit, provided that such period shall not be less than fifteen (15) days.
(4) If the person fails to execute and return the SDCA to OMIG within the timeframe specified
in paragraph (3) of this subdivision the person’s participation in the Self-Disclosure Program
shall be terminated. Notice of such termination shall be provided in accordance with
paragraph (2) of subdivision (f) of this section.
(5) OMIG shall have the authority to enter into an SDCA with a person making a Self-
Disclosure, in its sole discretion.
Page 50 of 73
(f) Termination of participation.
(1) In accordance with subparagraph (4) of paragraph (f) of subdivision 7 of section 363-d of
the Social Services Law a person’s participation in the Self-Disclosure Program shall be
immediately terminated if:
(i) the person provides false material information or omits material information in their
Self-Disclosure Statement or other communications with OMIG;
(ii) the person attempts to defeat or evade an overpayment due pursuant to the SDCA
or notification of an overpayment due, and interest if applicable, pursuant to section
521-3.5 of this SubPart; or
(iii) the person fails to execute and return the SDCA in accordance with the timeframes
specified in subdivision (e) of this section.
(2) If OMIG terminates a person’s participation in the Self-Disclosure Program it shall issue a
notice to the person within five (5) business days of its determination. The notice shall be
mailed to the person’s designated payment address or correspondence address or address
provided on the Self-Disclosure Statement submitted pursuant to subdivision (c) of this section.
The notice shall contain:
(i) the reason for the termination and the legal authority for the action taken;
(ii) the effective date of the termination;
(iii) the overpayment amount and interest due;
(iv) the due date of the overpayment amount and interest;
(v) the date on which the tolling of the return of the overpayment amount ends;
(vi) notification that the overpayment and interest amount may be recovered in
accordance with Part 518 of this Title; and
(vii) notification that failure to return the overpayment and interest amount by the due
date may result in monetary penalties pursuant to section 145-b(4) of the Social
Page 51 of 73
Services Law and Part 516 of this Title, and any other sanction or penalty authorized by
law.
521-3.5 Returning the overpayment.
(a) Once OMIG has completed its review and verified the amount of the overpayment OMIG shall
notify the person of the amount of the overpayment and interest if applicable, and such notification
shall contain instructions for remitting payment to the department. Interest may be waived in the sole
discretion of OMIG.
(1) The notification will be issued in accordance with the provisions of subdivision (a) of section
521-3.6 of this SubPart.
(2) The person shall remit the full amount of the overpayment and interest within fifteen (15)
days of the date of OMIG’s notification of the determination of the amount of the overpayment,
and interest, unless the person has been approved by OMIG to repay the overpayment
through installments.
(3) Where a person has been approved to repay the overpayment and interest through
installment payments, OMIG’s notification of the amount of the overpayment shall also include
an SDCA which the person shall execute and return to OMIG within the timeframe specified in
paragraph (3) of subdivision (e) of section 521-3.4 of this SubPart.
(i) In order to remain eligible to participate in OMIG’s Self-Disclosure Program the
person must comply with all the terms of the SDCA, including the schedule of
repayments.
(4) Notwithstanding any provision tolling the deadline to report, return and explain, in no event
shall the person be required to repay the full amount of the overpayment and interest prior to
the expiration of the deadline to report, return and explain, as set forth in paragraph (1) of
subdivision (b) of section 521-3.3 of this SubPart.
(b) The full amount of any overpayment shall become immediately due and payable, with interest, if:
Page 52 of 73
(1) the person fails to remit payment, either for the full amount of the overpayment or any
scheduled installment payment pursuant to the terms of an SDCA, or
(2) participation in the Self-Disclosure Program is terminated in accordance with the provisions
of subdivision (f) of section 521-3.4 of this SubPart.
(c) Where the person is required to pay interest, interest shall accrue on the amount of the
overpayment as determined by OMIG, in whole or in part, in accordance with the provisions of section
518.4 of this Title.
(d) OMIG may recover the overpayment in accordance with Part 518 of this Title or by any other
mechanism authorized by law.
521-3.6 Notification.
(a) Any notification issued by OMIG to the person under this SubPart shall meet the following
requirements:
(1) Notification shall be made by sending written notification to the person at:
(i) the person’s designated payment address or correspondence address or address
provided on the Self-Disclosure Statement submitted pursuant to subdivision (c) of
section 521-3.4 of this SubPart; or
(ii) an email address designated on the Self-Disclosure Statement if the person so
designates that email address for receipt of electronic communication. It shall be the
obligation of the person electing to receive notification electronically to provide and
maintain a valid email address with OMIG. Proof of such email, containing a time and
date stamp, shall constitute sufficient notification that the electronic communication was
received by the person making such Self-Disclosure.
(2) Notwithstanding the option of a person making a Self-Disclosure under this SubPart to
select electronic notification, any notice pursuant to paragraph (2) of subdivision (f) of section
521-3.4 of this SubPart shall be mailed to the person’s designated payment address or
Page 53 of 73
correspondence address or address provided on the Self-Disclosure Statement submitted
pursuant to subdivision (c) of section 521-3.4 of this SubPart.
(3) Notification mailed to the person’s designated payment address or correspondence
address or address provided on the Self-Disclosure Statement submitted pursuant to
subdivision (c) of section 521-3.4 of this SubPart shall be assumed to be received five (5)
business days from the date on the notification.
(b) OMIG shall provide the department with information and notices upon request and in periodic
reporting at least monthly concerning providers who have received notification:
(1) that they are ineligible to participate in the Self-Disclosure program pursuant to paragraph
(4) of subdivision (b) of section 521-3.4 of this SubPart;
(2) that their Self-Disclosure is not accepted pursuant to subparagraph (ii) of paragraph (2) of
subdivision (d) of section 521-3.4 of this SubPart; and
(3) of the amount of the overpayment and interest due pursuant to subdivision (a) of section
521-3.5 of this SubPart.
521-3.7 Enforcement.
(a) A person who fails to report, return and explain an overpayment by the deadline specified in
subdivision (b) of section 521-3.3 of this SubPart may be subject to monetary penalties pursuant to
section 145-b(4) of the Social Services Law and Part 516 of this Title, and any other sanction or
penalty authorized by law.
Page 54 of 73
REGULATORY IMPACT STATEMENT
Statutory Authority
The Office of the Medicaid Inspector General (OMIG) is an independent office within the
Department of Health (“Department”) responsible for the prevention, detection, and investigation of
fraud and abuse in New York State’s Medical Assistance (Medicaid) program pursuant to New York
State Public Health Law (“PBH”) § 31. PBH § 32(20) sets forth the functions, duties and
responsibilities of OMIG, and specifically authorizes OMIG to “implement and amend, as needed,
rules and regulations related to the prevention, detection, investigation and referral of fraud and
abuse within the medical assistance program and the recovery of improperly expended medical
assistance program funds.” New York State Social Services Law (“SOS”) § 363-d requires that
certain Medicaid providers (including managed care plans) adopt and implement a compliance
program and establishes the State requirement that persons shall report, return and explain
overpayments within sixty (60) days of identification, and codifies the requirements of the self-
disclosure program administered by OMIG and authorizes OMIG, in consultation with the
Department, to promulgate regulations. SOS § 364-j(39) requires managed care plans, including
managed long term care plans (collectively “MMCO”) to adopt and implement policies and procedures
designed to detect and prevent fraud, waste and abuse, and authorizes OMIG, in consultation with
the department, to promulgate regulations.
Legislative Objectives
The legislative objective is to protect the fiscal integrity of the Medicaid program and promote
provider and MMCO compliance with Medicaid program laws, rules and requirements.
Subdivisions 1 7 of SOS § 363-d were amended to better align the elements of New York State’s
mandatory compliance program with the elements found in Federal regulations and guidance, to
codify the federal requirement that a person report, return and explain Medicaid overpayments in
State law, and to codify the requirements of OMIG’s self-disclosure program. In addition, the statute
Page 55 of 73
was updated to include a monetary penalty for any provider who fails to adopt and implement an
effective compliance program and for any person who fails to report return and explain an identified
overpayment received from the Medicaid program. The provisions relating to the monetary penalty
were promulgated in OMIG’s October 2020 rulemaking amending 18 NYCRR Part 516.
Subdivision 39 of SOS § 364-j was added to require MMCOs to adopt and implement policies and
procedures designed to detect and prevent fraud, waste and abuse under the Medicaid program.
These policies and procedures include a compliance program, consistent with the requirements of
SOS § 363-d, and the establishment of a special investigation unit (SIU) if the MMCO meets certain
enrolled population thresholds.
Needs and Benefits
This rulemaking is necessary for the State to implement provisions of the State Fiscal Year
2020-2021 Enacted Budget (Chapter 56 of the Laws of 2020, Part QQ) and Medicaid program
integrity reform initiatives of the MRT II. SOS § 363-d sets forth the general requirements for
providers to adopt and implement a compliance program, requires providers to report, return and
explain overpayments from the Medicaid program, and codifies OMIG’s self-disclosure program.
SOS § 364-j(39) requires MMCOs to adopt and implement fraud, waste and abuse prevention
programs. This rulemaking repeals and replaces Part 521 and creates three (3) new SubParts to
address these requirements.
SubPart 521-1 further defines and clarifies the standards and requirements for the adoption
and implementation of an effective compliance program. The prior version of Part 521 largely
mirrored the language in the statute and relied on guidance documents to further define compliance
program requirements. This rulemaking will provide clarity and direction to providers and set
expectations prior to a compliance program review by OMIG.
SubPart 521-2 establishes the standards and requirements for the adoption and
implementation of policies and procedures to detect and prevent fraud, waste and abuse for MMCOs.
Page 56 of 73
The statute requires MMCOs with a certain number of enrolled Medicaid recipients to establish an
SIU. Existing DOH and DFS regulations require certain health plans to establish an SIU and have a
fraud and abuse prevention plan. This new SubPart creates a standard for the Medicaid program that
will be consistent across all plans participating in the Medicaid program.
SubPart 521-3 clarifies the requirement that persons shall report, return and explain
overpayments within sixty (60) days of identification and codifies the requirements of the self-
disclosure program administered by OMIG.
Costs
Generally, any costs that may be incurred by providers, MMCOs or other persons would be a
direct result of the statutory authority and not this rulemaking. Furthermore, most, if not all, of the
statutory authority were either modifications of existing statutory obligations, or codification of existing
Federal requirements. The requirement that certain Medicaid providers adopt and implement a
compliance program was established in SOS § 363-d in 2006. The current amendments did not
change the pre-existing obligation to adopt and implement an effective compliance program or the
scope of who was required to do so, nor the requirement to report, return and explain identified
overpayments received from the Medicaid program. Rather, it aligned the State compliance program
requirement more closely with the standard used at the Federal level and codified the Federal
requirement that a person who has received and identified an overpayment from the Medicaid
program, report, return and explain the overpayment to the Medicaid program. Likewise, many
MMCOs are required to have a fraud and abuse prevention plan pursuant to existing DOH or DFS
regulation. This rule will expand the requirement to establish an SIU to additional MMCOs. It is
anticipated that this rulemaking will achieve savings for both providers and taxpayers as it provides
direction and clarification of the statutory requirements, which will be subject to review by OMIG, and
could result in the recovery of overpayments and/or the imposition of monetary penalties.
Page 57 of 73
Costs to Regulated Parties
As a result of this rulemaking, regulated parties are not expected to incur additional costs for
continuing compliance with SOS § 363-d. Under the statute, specific categories of providers are
required to adopt, and implement effective compliance programs as well as the obligation to report,
return and explain overpayments. Furthermore, this rulemaking amends the existing definition of
“substantial portion of business operations,” to increase the value of claims submitted to the Medicaid
program or payments received from the Medicaid program, from $500,000 to $1,000,000, and
eliminates the category of “ordering.” The result is that fewer providers will be subject to the
provisions of SubPart 521-1. Aligning the Federal and State standards for compliance programs
should also reduce costs to Medicaid providers, such as MMCOs, who participate in other
government programs with similar requirements.
Many MMCOs participating in the Medicaid program are currently required to have a fraud and
abuse prevention plan and establish an SIU. The requirement that an MMCO with a certain enrolled
Medicaid population must establish an SIU is set forth in statute, and therefore any costs associated
with that requirement are the result of the statute, not this rulemaking. This rulemaking seeks to
provide clarity and consistency in MMCO requirements within the Medicaid program. It is expected
that MMCOs will incur additional costs associated with the staffing requirements for SIUs, particularly
where an MMCO does not have an existing SIU. However, the rulemaking provides flexibility with
regard to staffing and other provisions to allow for innovation on the part of MMCOs in meeting the
SIU staffing requirement of SubPart 521-2.
Costs to State Government and the State Agency
State government and the Medicaid Inspector General are not expected to incur any additional
costs as a result of this rulemaking. Agency personnel will continue to conduct compliance program
reviews, audits, investigations, and reviews of individuals and entities participating in the Medicaid
program.
Page 58 of 73
Costs to Local Government
There will be no additional costs to local government as a result of this rulemaking.
Local Government Mandates
The proposed rulemaking does not impose any new program, services, duties, or
responsibilities upon any county, city, town, village, school district, fire district, or other special district.
Paperwork
No additional paperwork requirements will be imposed upon regulated parties under the
proposed regulation. Medicaid providers and MMCOs who are subject to the proposed regulations
are already required to maintain documents associated with their compliance programs.
Duplication
The statute incorporates requirements under 42 U.S.C.1396-a(a)(68), which requires providers
who makes or receives payments from government programs (i.e., Medicaid) of more than
$5,000,000, to have policies, procedures, and education regarding Federal and State False Claims
Act provisions and related Federal or State laws. Providers who are subject to this Federal statute
are also required to adopt and implement an effective compliance program under SOS § 363-d. Its
inclusion in the statute, and this rulemaking, does not create any overlapping or conflicting
requirements. Rather it will ensure that OMIG reviews of compliance with the Federal requirement
will be conducted in conjunction with its review of a provider’s compliance program, which is more
efficient for both the provider and the State.
The department is required, pursuant to 42 C.F.R. § 438.608, to require MMCOs, through the
MMCO’s contract with the department, to adopt and implement an effective compliance program.
The amendments made to SOS § 363-d and this rulemaking align with the requirements of the
Federal regulation and the MMCO’s contract with the department and provides clarification on the
general requirements outlined in the contract.
Page 59 of 73
The statute also includes a provision that a provider whose compliance program is accepted
by the Federal Office of Inspector General for the Department of Health and Human Services, or for
MMCOs whose compliance program satisfies the requirements of the MMCO’s contract with the
department, that such programs may satisfy the requirements of the statute if it adequately addresses
"medical assistance risk areas and compliance issues."
MMCO’s subject to this rulemaking may already be required to adopt and implement policies
and procedures designed to detect and prevent fraud and abuse pursuant to 10 NYCRR § 98-1.21 or
11 NYCRR § 86.6. To the extent it is appropriate for the Medicaid program, the requirements of
SubPart 521-2 were drafted to be consistent with existing requirements.
Alternatives
There were no significant alternatives considered as the changes were made to align to the
revised statutory obligations.
Federal Standards
There are no mandatory Federal standards or requirements for compliance programs for
Medicaid providers. However, as noted previously, 42 U.S.C.1396-a(a)(68), requires providers who
make or receive payments, directly or indirectly, from a government program (i.e., Medicaid) of more
than $5,000,000, to have policies, procedures and education regarding Federal and State False
Claims Act provisions and other similar Federal or State laws. This rulemaking exceeds the Federal
requirement by requiring all providers subject to the provisions of SOS § 363-d to have policies and
procedures pursuant to 42 U.S.C.1396-a(a)(68), regardless of whether they meet the billing
threshold. The rule exceeds this federal requirement because SOS § 363-d broadly requires
providers to have written policies and procedures, as well as training programs, which address the
provider’s compliance with State and Federal standards. The policies and procedures of 42
U.S.C.1396-a(a)(68) fall within this broad standard, and it is not expected that providers would incur
any significant costs incorporating this requirement into their compliance programs. Finally, having
Page 60 of 73
policies and procedures, as well as education, regarding the State and Federal false claims act as
part of a provider’s compliance program, which includes the rights of employees to be protected as
whistleblowers, is an important safeguard in the prevention and detection of fraud and abuse in the
Medicaid program.
Further, the amendments to SOS §363-d and this rulemaking generally align with Federal
requirements requiring overpayments from the Medicaid program be reported, returned and explained
under 42 U.S.C. 1320-7k(d).
Compliance Schedule
SubParts 521-1, 521-2 and 521-3 will take effect upon publication of a Notice of Adoption in
the State Register. As noted in SOS § 363-d(3)(c), enforcement of compliance program requirements
under SubPart 521-1 will not begin until 90 days after the effective date of the regulation. Similarly,
enforcement of the SubPart 521-2 requirements will not begin until 90 days after the effective date of
the regulation.
Agency Contact
Michael T. D’Allaird
Office of the Medicaid Inspector General
800 North Pearl Street, 2
nd
Floor
Albany, New York 12204
(518) 408-5803
rulemaking@omig.ny.gov
Page 61 of 73
REGULATORY FLEXIBILITY ANALYSIS FOR SMALL BUSINESSES
AND LOCAL GOVERNMENTS
The proposed regulation applies to certain providers (defined by statute) participating in the
Medicaid program, including some small businesses; modifies existing requirements for adopting and
implementing required compliance programs; imposes an obligation for Medicaid managed care
organizations and managed long term care plans (collectively “MMCO”) to establish a fraud, waste
and abuse prevention program, and certain MMCOs to establish an SIU; establishes the requirement
that persons shall report, return and explain overpayments to the Medicaid program; and codifies the
requirements of the self-disclosure program administered by OMIG.
1. Effect of the rule:
The proposed regulations require that certain Medicaid providers, including small businesses
adopt and implement a compliance program. In addition, all MMCOs participating in the Medicaid
program are required to adopt and implement a fraud, waste and abuse prevention program under
SubPart 521-2. The proposed regulations relating to compliance programs (SubPart 521-1) will apply
to any businesses that fall under one or more of four general categories:
1. providers that are subject to the provisions of Articles 28 or 36 of the public health law;
2. providers that are subject to the provisions of Articles 16 or 31 of the mental hygiene law;
3. managed care providers; and
4. persons who submit Medicaid claims or receive Medicaid payments totaling $1,000,000 or
greater in a twelve-month period.
These categories of providers are required by SOS § 363-d to adopt, implement and maintain
a compliance program. The proposed regulations are consistent with those statutory requirements.
The fourth category of providers previously had a threshold of $500,000 of Medicaid claims within a
twelve-month period, and the amendment to this regulation increases the threshold to $1,000,000.
This change will enable OMIG to focus on providers with significant potential impact on the Medicaid
Page 62 of 73
program, and it may result in cost savings for some small businesses and local governments which
will no longer be required to maintain a compliance program which satisfies the requirements of
SubPart 521-1. While OMIG is unable to estimate the number of small businesses impacted by this
rulemaking, it is anticipated that with the changes fewer small businesses will be subject to and
impacted by these requirements.
Small businesses that meet the criteria listed above will continue to be required to have a
compliance program. The types of small business providers that may be subject to these regulations
include, but are not limited to, MMCOs, pharmacies, physicians, dentists, durable medical equipment
businesses, service bureaus, and transportation providers.
It is estimated, based on information available to OMIG, that approximately 276 local
government providers, including some school districts, fall under one or more of the categories of
providers that are required to establish compliance programs. These entities will be required to
comply with the existing statute and proposed regulations. As with small businesses, with these
changes OMIG estimates that at least 55 local government providers who were subject to the prior
version of Part 521 will not be subject to this rulemaking.
The proposed regulation also requires MMCOs to establish a fraud, waste and abuse
prevention program (SubPart 521-2). MMCOs subject to this SubPart include Medicaid managed
care organization and managed long term care plans. Such plans vary in the size and complexity of
operations, but in general, this SubPart should not adversely affect small business and local
governments.
The proposed regulation also clarifies a person’s obligation to report, return, and explain
identified overpayments received from the MA program, consistent with statutory requirements.
2. Compliance requirements:
Any small business or local government that is subject to the proposed regulations will be
required to adopt and implement a compliance program and to report, return and explain
Page 63 of 73
overpayments received from the MA program in accordance with the requirements contained in SOS
§ 363-d and as further defined in the proposed regulations.
Many providers are already required to adopt and implement a compliance program under
existing law, but depending on what policies, procedures and controls a provider has already
instituted, additional action may be necessary. No additional affirmative acts will likely be required for
a provider if that provider already has an effective compliance program that satisfies the elements
contained in law and further defined in the proposed regulations.
3. Professional services:
Many providers are already required to adopt and implement a compliance program; however,
they may require or continue to utilize the services of certain professionals, including medical
professionals, auditors, attorneys, and compliance professionals, in order to update their policies,
procedures, and controls in order to maintain an effective compliance program.
4. Compliance costs:
The requirement that certain Medicaid providers adopt and implement compliance programs is
already a statutory requirement in SOS § 363-d. Providers and MMCOs may incur additional costs to
comply with this rulemaking. These costs may result from additional reporting, recordkeeping and
compliance costs. However, the costs incurred by these providers are a direct result of that statute
and not this rulemaking. This rulemaking clarifies the types of providers that are subject to the
compliance program requirement and must therefore incur costs, if any, associated with such a
program.
The costs incurred by regulated parties in order to comply with the proposed rulemaking will
vary depending upon existing control measures the provider has in place at the time the regulation
takes effect. For those providers who already have an operating compliance program, potentially little
or no costs may be incurred in order to modify a compliance program that satisfies the required
elements in law and further defined in the proposed regulations. The extent of those costs will
Page 64 of 73
depend on the level of effort that is necessary for the provider to establish a compliance program that
satisfies each of the mandatory elements.
The costs will also vary depending upon the size and other specific attributes of the provider.
SOS § 363-d states that a provider's compliance plan should reflect the provider's size, complexity,
resources, and culture. Thus, a large, complex provider may incur more costs in establishing a
compliance program than a smaller provider might incur.
The proposed rulemaking will not impose costs on local governments in general, but local
government entities that fall within the definition of a "required provider,” including school districts, will
be required to implement a compliance program. The cost analysis would be the same as other
similarly situated providers covered by the statute.
It is estimated that increasing the threshold to $1,000,000 in Medicaid claims for the definition
of “substantial portion of business operations” will reduce the number of providers subject to SubPart
521-1 by approximately 2,300, which may result in cost savings to small businesses and local
governments no longer subject to the specific requirements of this regulation. In assessing the costs
that may be incurred by a provider when it maintains a compliance program, pursuant to SOS § 363-d
and the proposed regulations, OMIG also considered the cost savings that could result from the
implementation of an effective compliance program due to risk mitigation and other factors. These
cost savings should diminish, if not completely offset, any costs incurred by providers in the
implementation and maintenance of an effective compliance program, or in the case of an MMCO, a
fraud, waste and abuse prevention program.
5. Economic and technological feasibility:
Although there may be some costs involved for some providers in modifying existing
compliance programs to comply with the proposed regulations, OMIG anticipates those costs will be
lessened or offset entirely by the cost savings that Medicaid providers could realize once the program
is implemented.
Page 65 of 73
There are no new technologically challenging aspects to the requirements of the proposed
rulemaking that do not already exist as requirements in current statutes, such as HIPAA, as a
compliance program would establish measures to ensure compliance with laws relevant to the
Medicaid program.
For these reasons, OMIG concludes that the proposed regulations will be economically and
technically feasible for any affected small businesses and local governments.
6. Minimizing adverse impact:
SOS § 363-d states in part: "The legislature. . . recognizes the wide variety of provider types in
the medical assistance program and the need for compliance programs that reflect a provider's size,
complexity, resources, and culture. For a compliance program to be effective, it must be designed to
be compatible with the provider's characteristics."
While each required provider will need to develop a compliance program that adequately
addresses each of the elements listed in SOS § 363-d and further defined in the proposed
regulations, OMIG will give due consideration and attention to the concerns noted by the legislature
and review compliance programs for appropriateness consistent with the provider's specific
characteristics.
The benefits associated with implementation of a compliance program, and for MMCOs, a
fraud, waste and abuse prevention program, far outweigh any adverse economic impact. An effective
compliance program will assist providers in preventing inappropriate payments and avoiding costs,
such as reimbursements, penalties, and other adverse consequences, that might otherwise be
incurred due to violations. The compliance program requirement will also help to ensure that:
Medicaid funds are used properly and that payments are made only for legitimate claims; providers
systematically identify, report, and return overpayments; medical care, services, and supplies
provided meet required standards of care; individuals can report unacceptable practices, such as
fraud, directly and safely; and that providers establish accountability in governance structures.
Page 66 of 73
Although there are no mandatory federal standards or requirements for compliance programs
for Medicaid providers, the federal government has issued guidance for many types of providers
interested in voluntary compliance programs. OMIG has issued guidance on compliance programs,
and DOH also issues advisory opinions on appropriate standards of compliance. Local government
entities required to comply with this regulation can utilize those no cost guidelines and advisory
opinions when developing an effective compliance program pursuant to this regulation.
7. Small business and local government participation:
These proposed regulations arise from a change in State law pursuant to Chapter 56 of the
Laws of 2020, Part QQ. The initiatives were recommended by the MRT II following a series of public
meetings where stakeholders had the opportunity to comment and collaborate on ideas to aid in the
development of these program integrity initiatives. In addition, the MRT II was comprised of
representatives of providers and MMCOs, amongst others. OMIG will comply with SAPA section
202-b(6) by providing MMCO associations, provider associations, many of whom represent small
businesses, and NY county and local government organizations and associations with a summary of
the rule prior to the public comment period, publishing the proposed amendment in the State Register
and posting the proposed amendment on its website. OMIG welcomes comments on the proposed
regulations from local governments and businesses, and any other program stakeholders.
Page 67 of 73
RURAL AREA FLEXIBILITY ANALYSIS
1. Types and estimated numbers of rural areas:
This rulemaking implements Social Services Law (SOS) § 363-d which requires certain
Medicaid providers to adopt and implement required compliance programs and to report, return and
explain overpayments received from the Medicaid program. In addition, it implements SOS § 364-
j(39) which requires Medicaid managed care organizations and managed long term care plans
(collectively “MMCO”) to adopt and implement procedures to detect and prevent fraud, waste and
abuse in the Medicaid program. SOS §§ 363-d and 364-j(39), and these proposed regulations apply
uniformly to Medicaid providers and MMCOs throughout all 62 counties of the State, including those
operating in rural areas of the State.
2. Reporting, recordkeeping and other compliance requirements; and professional services:
Medicaid providers and MMCOs in rural areas may be subject to additional reporting,
recordkeeping, or other compliance requirements as the implementation of a compliance program, or
in the case of an MMCO, a fraud, waste and abuse prevention, program requires maintenance of
records to demonstrate the adoption and implementation of such programs. These additional
compliance requirements are expected to be minimal. All Medicaid providers, including MMCOs, are
already subject to existing statutory and regulatory requirements for adopting and implementing
compliance programs. Depending on what control measures a provider has already instituted,
additional action may be necessary for a provider to meet the updated requirements of a Medicaid
provider compliance program. Moreover, pursuant to SOS § 363-d the adoption and implementation
of an effective compliance program is a condition, for those providers subject to the requirement, of
being eligible to receive reimbursement under the Medicaid program, and Medicaid providers have
existing requirements to maintain records demonstrating their right to receive payment. Furthermore,
MMCOs have existing requirements in state and federal law and contract to maintain records and
provide reporting to the state related to fraud, waste and abuse.
Page 68 of 73
Many providers and MMCOs are already required to adopt and implement a compliance
program or a fraud and abuse prevention plan; however, they may require or continue to utilize the
services of certain professionals, including medical professionals, auditors, attorneys, and compliance
professionals, in order to update their policies, procedures, and controls in order to maintain an
effective compliance program.
3. Costs:
Providers and MMCOs may incur additional costs to comply with this rulemaking. These costs
may result from additional reporting, recordkeeping and compliance costs. In the case of MMCOs, it
may result from new requirements relating to the staffing of the MMCO’s special investigation unit
(“SIU”). There are also training requirements for the provider’s or MMCO’s “affected individuals.”
However, any costs should be minimal as most providers and MMCOs who are subject to this
rulemaking, including those in rural areas, were required to have a compliance program under the
prior iteration of the rule, and this rulemaking clarifies the types of providers that are subject to the
compliance program requirement and likely to incur costs, if any, associated with such a program. It
is anticipated that fewer providers will be subject to this regulation than under the prior version.
Likewise, many MMCOs already have established fraud and abuse prevention programs, including
the establishment of an SIU, and related requirements under contract.
In assessing the costs that may be incurred by a provider when it establishes a compliance
program or an MMCO establishing a fraud, waste and abuse prevention program, OMIG also
considered the cost savings that could result from the implementation such programs due to risk
mitigation and other factors. These cost savings should diminish, if not completely offset, any costs
incurred by providers and MMCOs in the development and implementation of the programs required
under this regulation.
Page 69 of 73
4. Minimizing adverse impact:
This rulemaking uniformly affects Medicaid providers and MMCOs located in both rural and
non-rural areas in New York. It should not have an adverse impact on rural areas.
SOS § 363-d states in part: "The legislature. . . recognizes the wide variety of provider types in the
medical assistance program and the need for compliance programs that reflect a provider's size,
complexity, resources, and culture. For a compliance program to be effective, it must be designed to
be compatible with the provider's characteristics."
While each required provider will need to develop a compliance program that adequately
addresses each of the elements listed in SOS § 363-d and further defined in the proposed
regulations, OMIG will give due consideration and attention to the concerns noted by the legislature
and review compliance programs for appropriateness consistent with the provider's specific
characteristics.
The benefits associated with implementation of a compliance program, and for MMCOs, a
fraud, waste and abuse prevention program, far outweigh any adverse economic impact. An effective
compliance program will assist providers in preventing inappropriate payments and avoiding costs,
such as reimbursements, penalties, and other adverse consequences, that might otherwise be
incurred due to violations. The compliance program requirement will also help to ensure that:
Medicaid funds are used properly and that payments are made only for legitimate claims; providers
systematically identify, report, and return overpayments; medical care, services, and supplies
provided meet required standards of care; individuals can report unacceptable practices, such as
fraud, directly and safely; and that providers establish accountability in governance structures.
Although there are no mandatory federal standards or requirements for compliance programs
for Medicaid providers, the federal government has issued guidance for many types of providers
interested in voluntary compliance programs. OMIG has also issued guidance on compliance
programs. Providers and MMCOs in rural areas required to comply with this regulation can utilize
Page 70 of 73
those no cost guidelines when developing an effective compliance program pursuant to this
regulation.
5. Rural area participation:
These proposed regulations arise from a change in State law pursuant to Chapter 56 of the
Laws of 2020, Part QQ. The initiatives were recommended by the MRT II following a series of public
meetings where stakeholders had the opportunity to comment and collaborate on ideas to aid in the
development of these program integrity initiatives. In addition, the MRT II was comprised of
representatives of providers and MMCOs, amongst others. OMIG will comply with SAPA section
202-bb(7) by providing MMCO associations and provider associations, many of whom represent
providers and MMCOs in rural areas, with a summary of the rule prior to the public comment period,
publishing the proposed amendment in the State Register and posting the proposed amendment on
its website. OMIG welcomes comments on the proposed regulations from providers and MMCOs
operating in rural areas.
Page 71 of 73
JOB IMPACT STATEMENT
The legislature has determined that Medicaid providers should be required to adopt and
implement a compliance program in order to reduce errors and identify fraud in Medicaid billing and to
report, return and explain overpayments. The legislature also determined that managed care plans
and managed long term care plan (collectively “MMCO”) shall be required to adopt and implement
policies and procedures designed to detect and prevent fraud, waste and abuse in the Medical
Assistance (Medicaid) program. This rulemaking is necessary in order to implement the statutory
mandate in Social Services Law (SOS) § 363-d and SOS § 364-j(39). This rulemaking will also
ensure that the regulated community is given appropriate notice as to which providers must
implement a compliance program.
This rulemaking is part of an overall effort by New York State to enhance the integrity of its
Medicaid program. The compliance program requirement in existing law helps to ensure that
Medicaid funds are used properly and that payments are made only for legitimate claims. Although
this rulemaking will require providers that are subject to the statute to implement guidelines further
defined in the regulation for employee training and education and designate an employee with the
responsibility of overseeing the compliance program, those providers may also realize benefits
associated with the implementation of a compliance program. An effective compliance program will
assist a provider in preventing inappropriate payments and avoiding costs, reimbursements,
penalties, and other adverse consequences that might otherwise be incurred due to violations.
Likewise, Subpart 521-2 of this rulemaking proposes staffing requirements for MMCOs related
to the establishment of a special investigation unit. It is expected that MMCOs already have staffing
in place that is consistent with the standards established in the regulation due to existing contractual
obligations. In addition, the regulation allows the MMCO flexibility to propose alternative staffing
levels, provided it can show the effectiveness of its proposal in achieving the objectives of this
Page 72 of 73
rulemaking. Finally, it is expected that MMCOs will realize benefits, including increased recoveries or
cost avoidance, through stepped up fraud, waste and abuse prevention and detection activities.
The costs incurred by regulated parties in order to comply with the proposed rulemaking will
vary depending upon existing control measures the provider has in place at the time the regulation
takes effect. Many providers are already required to adopt and implement a compliance program, all
must report, return and explain overpayments, and many MMCO’s are already required to have fraud
and abuse prevention plans. However, they may require the services of certain professionals,
including medical professionals, auditors, attorneys, and compliance professionals, to update their
policies, procedures, and controls in order to maintain an effective compliance program. For those
providers who already have an operating compliance program, potentially little or no costs may be
incurred in order to meet the requirements in statute and in the proposed regulations. However, for
those providers who do not have a program in place that meets the requirements set forth in this
proposed rulemaking, some costs will be incurred in order to achieve compliance. The extent of
those costs will depend on the level of effort that is necessary for the provider to establish a
compliance program that satisfies each of the mandatory elements. Those elements are listed and
described in both the proposed regulations and SOS § 363-d.
The requirement that certain Medicaid providers implement compliance programs and the
requirement that all persons who have identified overpayments must report, return and explain
overpayments is established by statute in SOS § 363-d. Likewise, the requirement that MMCOs adopt
and implement a fraud, waste and abuse prevention program is established by statute in SOS § 364-
j(39). Therefore, any adverse impact on jobs or employment opportunities that may be incurred by
these providers would be a direct result of that statute and not this rulemaking. This rulemaking
clarifies the types of providers that are subject to the compliance program requirement and must
therefore incur costs, if any, associated with such a program.
Page 73 of 73
In assessing the adverse impact on jobs or employment opportunities incurred by a provider
when it establishes a compliance program, or the obligation to report, return and explain
overpayments pursuant to SOS § 363-d or when an MMCO establishes a fraud, waste and abuse
prevention program pursuant to SOS § 364-j(39) and the proposed regulations, due consideration
should be given to the cost savings that may result from the implementation of such programs due to
risk mitigation and other factors. These cost savings should diminish, if not completely offset, any
costs incurred by providers or adverse impacts on jobs or employment opportunities in the
implementation these requirements.
It is anticipated that the total impact on jobs and employment opportunities associated with
establishing a provider compliance program, the obligation to report, return and explain
overpayments, or MMCO fraud, waste and abuse prevention program will be relatively modest,
particularly for providers or MMCOs who already have a full or partial program in place. For those
providers and MMCOs who do not yet have an established program, the cost savings associated with
such a program will help to offset the expense of implementing the program.
Therefore, the statutorily required compliance program for certain Medicaid providers, the obligation
to report, return and explain overpayments, and fraud, waste and abuse program for MMCOs, as
implemented by this rulemaking, should not have a substantial adverse impact on jobs and
employment opportunities.