Please ensure Javascript is enabled for purposes of website accessibility

What providers need to know about final N.Y.S. healthcare compliance program regulations

What providers need to know about final N.Y.S. healthcare compliance program regulations


Following years of amendments and updates to regulations since April 2020, as of December 28, 2022, the New York State Office of the Medicaid Inspector General (OMIG) has released final 18 NYCRR Part 521 regulations to meet the amendments of the New York State Social Service Law Section 363-D. These new regulations will have significant implications for healthcare providers and affected individuals, including employees, chief executives, senior administrators and managers, contractors, agents, subcontractors, independent contractors, governing body, and corporate officers.

The updates are intended to better help providers detect and prevent fraud, waste, and abuse in the Medicaid program, as well as establish provider compliance and self-disclosure programs. While preventing Medicaid mismanagement is important for the proper and ethical functioning of our healthcare system, the new regulations require providers to establish new functions within their operations in compliance.

As recent indictments of healthcare providers have demonstrated, failure to comply with billing regulations can have costly and severe consequences, such as high settlement payments or even prison time. Therefore, now that these regulations are finalized, here are some of the key areas that organizations need to be prepared for:

Increased compliance thresholds

The threshold dollar amount of Medicaid claims that a provider must have in any consecutive 12-month period to qualify as a “required provider” has been raised from $500,000 to $1,000,000+.  This update reduces the number of providers required to maintain a compliance program, allowing OMIG to focus on providers with significant potential impact on the Medicaid program and resulting in cost savings for some small businesses and local governments.

Establishment of a compliance program

Under the newly final regulations, required providers must adopt, implement, and maintain an effective compliance program.  As part of this plan, providers must designate an individual as the compliance officer.  This officer is responsible for carrying out the day-to-day activities of the provider’s compliance program, drafting a compliance work plan, and reporting at least once quarterly to the provider’s governing body, chief executive, and compliance committee.  The provider must also designate a compliance committee to work alongside the officer and ensure that the provider is conducting business in an ethical and responsible manner, consistent with its compliance program.  Required providers must retain all records demonstrating the adoption, implementation, and operation of an effective compliance program, as well as records demonstrating that the provider has met the regulatory requirements, for six years from the date that the program is implemented.

Policies and procedures

Providers must now have written policies, procedures, and standards of conduct when it comes to filing Medicaid claims.  These policies and procedures are to be reviewed at least once annually to ensure that they are up to date, being abided accordingly by employees, and effective.

Training and education

Training and education are imperative to remain compliant. Providers that qualify must enforce a Compliance Training Program for both the Compliance Officer as well as all Affected Individuals. These trainings must be updated annually and infused into the current onboarding training protocols. Trainings need to address risk areas, policies, and procedures such as the Standards of Conduct, reporting, resolution, investigation, non-retaliation, the role of the Compliance Officer and Compliance Committee, methods of reporting Compliance concerns, disciplinary standards, other applicable laws, and regulations (Deficit Reduction Act, False Claims Act, Whistleblower Protections), and more. That’s not all. A Training Work Plan must be developed, maintained, and evaluated regularly to ensure continued effectiveness and relevance.

Self-disclosure requirements

In accordance with OMIG’s Self-Disclosure Program, the proposed regulations provide detailed requirements for organizations that identify overpayments.

The key updates listed here are far from exhaustive and represent only a small sample of the most recent regulatory changes finalized by OMIG. Organizations must ensure they fully understand the changing requirements and align with a trusted advisor who can offer necessary guidance.

Paul Mayer is a Partner with The Bonadio Group’s Compliance Solutions Division with more than 15 years of experience in not-for-profit settings. He has held positions of Corporate Compliance Officer, Director of Corporate Compliance, Process Integrity Coordinator, and Case Manager for organizations regulated by local state and federal laws. He has conducted compliance trainings and assessed compliance programs for organizations throughout the country and is a great Compliance Program resource for his clients.