Mandatory Provider Compliance Certification Due December 31, 2009 Each YearJanuary 12, 2010 |
The New York State Office of the Medicaid Inspector General (OMIG) requires the filing of a Mandatory Provider Compliance Certification on or before December 31, 2009 of each year. For your reference, we have set forth below the relevant portions from the OMIG website related to the Mandatory Provider Compliance Law.
The Mandatory Compliance Law
Chapter 442 of the Laws of 2006, which established the New York State Office of the Medicaid Inspector General (OMIG), also created a new Social Services Law § 363-d which requires that Medicaid providers develop, adopt and implement effective compliance programs aimed at detecting fraud, waste, and abuse in the Medicaid program. The purpose of directing Medicaid providers to implement a compliance program is to ensure providers establish systemic checks and balances to detect and prevent inaccurate billing and inappropriate practices in the Medicaid program.
Who Must Have A Compliance Program?
The Mandatory Compliance Law applies to Medicaid providers operating under Articles 28 or 36 of the Public Health Law, Articles 16 or 31 of the Mental Hygiene Law and those providers of care, services and supplies for which the Medicaid program “constitutes a substantial portion of their business operations,” which the Office of the Medicaid Inspector General has defined under 18 NYCRR § 521.2 (b) as ordering, providing, billing or claiming $500,000 or more from Medicaid in a 12-month period. The $500,000 threshold applies if a provider receives the reimbursement directly or indirectly from Medicaid funds. If the provider meets either the statutory provisions or monetary thresholds, there are no exemptions. For example, the law is applicable to early intervention, school supportive, state and county-run providers, etc.
At A Minimum, What Must A Compliance Program Contain?
Provider compliance programs should apply to, at a minimum, billings to and payments from the medical assistance program. The law contains only the minimum requirements, including the following eight core requirements:
1. Write policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on dealing with potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel, and describe how potential compliance problems are investigated and resolved.
2. Designate an employee vested with responsibility for the day-to-day operation of the compliance program; the designated employee’s duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; the employee shall report directly to the entity’s chief executive or other senior administrator and shall periodically report directly to the governing body on the activities of the compliance program.
3. Train and educate all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations and the compliance program operation. Training shall occur periodically and be made a part of the orientation for a new employee, appointee or associate, executive and governing body member.
4. Establish communication lines to the designated compliance person, accessible to all employees, persons associated with the provider, executives and governing body members, allowing compliance issues to be reported. Communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified.
5. Establish disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assist in their resolution and outline sanctions for: failing to report suspected problems; participating in non-compliant behavior; and/or encouraging, directing, facilitating or permitting non-compliant behavior. Disciplinary policies shall be fairly and firmly enforced.
6. Create a system for routine identification of compliance risk areas specific to the provider type for self-evaluation, including internal audits, and, when appropriate, external audits for evaluation of potential or identified non-compliance.
7. Establish systems for responding to compliance issues as they are raised; investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting identified problems promptly and thoroughly; implementing policies, procedures and systems to reduce the potential for recurrence; identifying and reporting compliance issues to the OMIG or the DOH; and refunding overpayments.
8. Establish a policy of non-intimidation and non-retaliation for good-faith participation in the compliance program, including but not limited to: reporting potential issues, investigating issues, conducting self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections seven hundred forty and seven hundred forty-one of the labor law (new whistleblower provisions for health care fraud).
What Are The Possible Consequences For Failing To Adopt An Effective Compliance Program?
As of October 1, 2009, the OMIG is authorized to impose sanctions or penalties, including, but not limited to, the revocation of the provider’s agreement to participate in the Medicaid program against providers who fail to develop, adopt and implement an effective compliance program. The Mandatory Compliance Law provides that “a compliance program that is accepted by the United States Department of Health and Human Services Office of Inspector General (US HHS OIG) and remains in compliance with the standards promulgated by such office shall be deemed in compliance with the provision of this law.” However, the US HHS OIG does not review and “accept” provider compliance plans. A compliance program may be a part of more comprehensive compliance activities so long as the minimum requirements of the law and implementing regulations are met.
The OMIG has developed an on-line certification form through its web site. Covered providers who apply for enrollment into the MA program will be required to certify upon enrollment and on or before December 31 annually. Participating providers who fall under the requirements of the regulations and who are currently enrolled in the MA program will be required to certify on or before December 31, 2009 and on or before December 31 each year thereafter. The OMIG strongly encourages that someone from senior management (other than the compliance officer) or a member of the governing authority sign the certification as an indication that the provider’s compliance efforts and responsibilities extend beyond the compliance officer.
Does A Provider Have To Submit A Separate Certification For Each Location Or Provider Number?
Providers with multiple locations, affiliates or provider numbers may submit a single certification and list the relevant provider numbers associated with that certification. However, there are separate certification forms for mandatory compliance and DRA requirements.
What Is The Consequence Of A Provider’s Failure To Certify?
The OMIG is authorized to impose administrative sanctions, up to and including exclusion from the program, against providers who fail to certify to the existence of an effective compliance program.
Should you have any questions regarding whether or not you are required to submit the Mandatory Provider Compliance Certification or about compliance plans in general, please contact us.
Reprinted with permission. All rights reserved.