New Mandatory Compliance Programs for Medicaid Providers
Medicaid providers will need effective compliance programs in place in order to submit claims to Medicaid or receive Medicaid payments under a proposed rule issued January 14, 2009, by the Office of Medicaid Inspector General (OMIG). The rule implements the statutory requirement found in Social Services Law §363-d. Comments on the proposal are being reviewed by OMIG and a final regulation is expected later this year.
The final list of Medicaid providers required to implement compliance plans is broader than originally anticipated. For example, the new category of providers where Medicaid constitutes a “substantial portion” of business operations (defined as $500,000 in a 12-month period) encompasses 10 percent of providers and 95 percent of Medicaid billings in 2006 and 2007. Consequently, many Medicaid providers who might not currently have compliance programs will be required to adopt and implement effective compliance plans within 90 days of the final rule’s effective date.
Under the proposed rule, the following types of Medicaid providers must comply with the mandatory compliance program standards:
- Providers (and affiliates of providers) who provide Medicaid care or submit Medicaid claims totaling a substantial portion of business operations.
All of the following must also comply, regardless of the dollar amount of Medicaid claims or receivables:
- Providers subject to Article 16 of the Mental Hygiene Law (residential facilities and out-patient programs serving persons with mental retardation or developmental disabilities)
- Providers subject to Article 31 of the Mental Hygiene Law (residential facilities and out-patient programs serving persons with a mental disability)
- Providers subject to Article 28 of the Public Health Law (hospitals, nursing homes, public health centers, diagnostic and treatment clinics, dental clinics, rehabilitation centers, and certain laboratories)
- Providers subject to Article 36 of the Public Health Law (home care services)
OMIG explains in the narrative statements accompanying the proposed rule that the $500,000 threshold is reasonable and justified. But inclusion of this new category of smaller providers could easily subject pharmacies, physicians, dentists, durable medical equipment businesses, service bureaus, and transportation providers to the mandatory compliance program standards. The $500,000 threshold also could impact local government providers, including some school districts.
The eight key components OMIG requires in a compliance program are:
- Written policies that set forth compliance expectations; provide guidance; and describe reporting, investigation, and resolution of noncompliance
- Designation of a compliance officer who reports directly to the senior administrator and the governing body
- Effective and regular training of employees, executives, and the governing body
- A reporting process that allows anonymous good-faith reporting
- A policy of non-intimidation and non-retaliation for good faith reporting
- Disciplinary policies that are fairly enforced and punish non-compliant behavior or a failure to report non-compliance
- A method for responding to compliance issues that ensures non-compliance is promptly corrected and recurrence is prevented
- Identification of risks and regular evaluation based on the specific provider type
Preparing and implementing an appropriate, effective compliance program can be time-consuming and frustrating. It also can be enlightening. Many providers who are implementing a compliance program for the first time or updating their existing compliance programs find new risk areas and identify organizational and personnel issues that, if addressed as part of an effective compliance program, may reduce billing errors, encourage employee compliance, and result in net cost savings to the provider.
The OMIG rule authorizes the Commissioner of Health and the Medicaid Inspector General to determine “at any time” whether a provider’s compliance program is “effective and appropriate to its characteristics and satisfactorily meets the requirements.” This broad standard should cause Medicaid providers pause. It may prove to be a major negotiation point as OMIG audits of compliance programs develop.
The rule is expected to become final later this year. The final rule could differ from the proposal, so Medicaid providers are encouraged to carefully review the final regulation when it is issued.
Medicaid providers covered by the rule will need to certify that they are in compliance with the mandatory standards when they enroll as a Medicaid provider and then in December of each year. OMIG will provide the certification form on its Web site.
The certification requirement should not be taken lightly; prosecutors have asserted false certification as a basis for bringing False Claims Act cases, which can result in civil or criminal penalties. Thus, Medicaid providers should invest the time and energy at the outset to prepare an effective compliance program before submitting the certification.
Once final, the OMIG rule will still have many kinks to work through. It is not yet clear how providers’ relationships with affiliates will impact application of the $500,000 threshold for compliance. It is not clear what standards OMIG will use in evaluating the effectiveness of a provider’s compliance program, nor is it clear how the mandatory compliance program standards will interact with the OMIG self-disclosure guidance, also expected later this year.
Rather than waiting to see how these unsettled issues shake out, Medicaid providers are advised to start now to assess the status of their compliance programs and to implement any changes that may be required to satisfy the new compliance program standards.