Current through Register Vol. 46, No. 39, September 25, 2024
(a) Written policies and procedures.
(1) General. Required providers shall have
written policies, procedures, and standards of conduct. The required provider
shall establish a process for drafting, revising, and approving the written
policies and procedures required by this subdivision. The written policies and
procedures described in this subdivision must be available, accessible, and
applicable to all affected individuals.
(2) The written policies and procedures
shall:
(i) articulate the required provider's
commitment and obligation to comply with all applicable federal and state
standards. The required provider shall identify governing laws, and regulations
that are applicable to the provider's risk areas, including any MA program
policies and procedures, as specified in subdivision (d) of section
521-1.3 of this SubPart or
category of service.
(ii) describe
compliance expectations as embodied in standards of conduct. The standards of
conduct shall serve as a foundational document which describes the required
provider's fundamental principles and values, and commitment to conduct its
business in an ethical manner.
(iii) document the implementation of each of
the subdivisions under this section and outline the ongoing operation of the
compliance program. Policies and procedures shall describe, at a minimum, the
structure of the compliance program, including the responsibilities of all
affected individuals in carrying out the functions of the compliance
program.
(iv) provide guidance to
affected individuals on dealing with potential compliance issues. Such guidance
shall, at a minimum:
(a) assist affected
individuals in identifying potential compliance issues, questions and concerns,
set forth expectations for reporting compliance issues, and explain how to
report such issues, questions, and concerns to the compliance officer; and
(b) establish the expectation
that all affected individuals will act in accordance with the standards of
conduct, that they must refuse to participate in unethical or illegal conduct,
and that they must report any unethical or illegal conduct to the compliance
officer.
(v) identify
the methods and procedures for communicating compliance issues to the
appropriate compliance personnel.
(vi) describe how potential compliance issues
are investigated and resolved by the required provider and the procedures for
documenting the investigation and the resolution or outcome.
(vii) include a policy of non-intimidation
and non-retaliation for good faith participation in the compliance program,
including, but not limited to:
(a) reporting potential compliance issues to appropriate personnel;
(b) participating in investigation of potential compliance issues;
(c) self-evaluations;
(d) audits;
(e) remedial actions;
(f) reporting instances of intimidation or retaliation; and
(g) reporting potential fraud, waste or abuse to the appropriate State or
Federal entities.
(viii) Disciplinary standards. Include a
written statement setting forth the required provider's policy regarding
affected individuals who fail to comply with the written policies and
procedures, standards of conduct, or State and Federal laws, rules and
regulations.
(a) Such statement shall
establish standards for escalating disciplinary actions that must be taken in
response to non-compliance, with intentional or reckless behavior being subject
to more significant sanctions. Sanctions may include oral or written warnings,
suspension, and/or termination.
(b) The written policies and procedures shall also outline the procedures for
taking disciplinary action and sanctioning individuals. Disciplinary procedures
shall conform with collective bargaining agreements when applicable.
(ix) Additionally, notwithstanding the requirement under 42 U.S.C. 1396a(a)(68),
which applies to entities that receive or make annual payments of at least
$5,000,000 annually, all required providers shall comply with the provisions of
42 U.S.C. 1396a(a)(68) (United States Code, 2006 edition, Title 42, Chapter 7,
SubChapter XIX, Government Printing Office,
https://www.govinfo.gov/content/pkg/USCODE-2006-title42/pdf/USCODE-2006-title42-chap7-subchapXIX-sec1396a.pdf.
A copy of which is available for copying and inspection at the Office of the
Medicaid Inspector General, 800 North Pearl Street, 2nd Floor, Albany, NY 12204).
(x) for MMCOs, describe the MMCO's
implementation, where applicable, of the requirements of SubPart 521-2 of this
Part.
(3) The required
provider shall review the written policies and procedures, and standards of
conduct required by this subdivision at least annually to determine:
(i) if such written policies, procedures, and
standards of conduct have been implemented;
(ii) whether affected individuals are
following the policies, procedures, and standards of conduct;
(iii) whether such policies, procedures, and
standards of conduct are effective; and
(iv) whether any updates are
required.
(b) Compliance officer. The required provider shall designate an individual to
serve as its compliance officer. The compliance officer is the focal point for
the required provider's compliance program and is responsible for the
day-to-day operation of the compliance program. The required provider's
designation of a compliance officer shall meet the following requirements:
(1) The compliance officer's primary
responsibilities shall include:
(i) overseeing
and monitoring the adoption, implementation and maintenance of the compliance
program and evaluating its effectiveness;
(ii) drafting, implementing, and updating no
less frequently than annually or, as otherwise necessary, to conform to changes
to Federal and State laws, rules, regulations, policies and standards, a
compliance work plan which shall outline the required provider's proposed
strategy for meeting the requirements of this section for the coming year, with
a specific emphasis on subdivisions (a), (d), (g), (h) of this section and, if
applicable, SubPart 521-2 of this Part;
(iii) reviewing and revising the compliance
program, and, in accordance with paragraph 3 of subdivision (a) of this
section, the written policies and procedures and standards of conduct, to
incorporate changes based on the required provider's organizational experience
and promptly incorporate changes to Federal and State laws, rules, regulations,
policies and standards;
(iv) reporting directly, on a regular basis, but no less frequently than quarterly,
to the required provider's governing body, chief executive, and compliance
committee on the progress of adopting, implementing, and maintaining the
compliance program;
(v) assisting
the required provider in establishing methods to improve the required
provider's efficiency, quality of services, and reducing the required
provider's vulnerability to fraud, waste and abuse;
(vi) investigating and independently acting
on matters related to the compliance program, including designing and
coordinating internal investigations and documenting, reporting, coordinating,
and pursuing any resulting corrective action with all internal departments,
contractors and the State; and
(vii) the compliance officer shall be
responsible for coordinating the implementation of the fraud, waste, and abuse
prevention program with the director and lead investigator of the MMCO's
special investigation unit pursuant to SubPart 521-2 of this Part, if
applicable.
(2) The
compliance officer shall report directly and be accountable to the required
provider's chief executive or another senior manager whom the chief executive
may designate for reporting purposes provided, however, such designation does
not hinder the compliance officer in carrying out their duties and having
access to the chief executive and governing body.
(3) The responsibilities in paragraph (1) of
this subdivision may be the compliance officer's sole duties or, depending on
the size, complexity, resources, and culture of the required provider and the
complexity of the tasks, the compliance officer may be assigned other duties,
provided that such other duties do not hinder the compliance officer in
carrying out their primary responsibilities under this SubPart.
(4) The required provider shall ensure that
the compliance officer is allocated sufficient staff and resources to
satisfactorily perform their responsibilities for the day-to-day operation of
the compliance program based on the required provider's risk areas and
organizational experience.
(5) The
required provider shall ensure that the compliance officer and appropriate
compliance personnel have access to all records, documents, information,
facilities and affected individuals that are relevant to carrying out their
compliance program responsibilities.
(c) Compliance committee. The required
provider shall designate a compliance committee which shall be responsible for
coordinating with the compliance officer to ensure that the required provider
is conducting its business in an ethical and responsible manner, consistent
with its compliance program. The required provider shall outline the duties and
responsibilities, membership, designation of a chair and frequency of meetings
in a compliance committee charter. The required provider's designation of a
compliance committee shall meet the following requirements:
(1) The compliance committee's
responsibilities shall include:
(i) coordinating with the compliance officer to ensure that the written policies
and procedures, and standards of conduct required by subdivision (a) of this
section are current, accurate and complete, and that the training topics
required by subdivision (d) of this section are timely completed;
(ii) coordinating with the compliance officer
to ensure communication and cooperation by affected individuals on compliance
related issues, internal or external audits, or any other function or activity
required by this SubPart;
(iii) advocating for the allocation of sufficient funding, resources and staff for
the compliance officer to fully perform their responsibilities;
(iv) ensuring that the required provider has
effective systems and processes in place to identify compliance program risks,
overpayments and other issues, and effective policies and procedures for
correcting and reporting such issues; and
(v) advocating for adoption and
implementation of required modifications to the compliance program.
(2) Membership in the committee
shall, at a minimum, be comprised of senior managers. The compliance committee
shall meet no less frequently than quarterly and shall, no less frequently than
annually, review and update the compliance committee charter.
(3) The compliance committee shall report
directly and be accountable to the required provider's chief executive and
governing body.
(d) Training and education. The required provider shall establish and implement an
effective compliance training and education program for its compliance officer
and all affected individuals. The required provider's compliance training and
education program shall meet the following requirements:
(1) The training and education shall include,
at a minimum, the following topics:
(i) the
required provider's risk areas and organizational experience;
(ii) the required provider's written policies
and procedures identified in subdivision (a) of this section;
(iii) the role of the compliance officer and
the compliance committee;
(iv) how
affected individuals can ask questions and report potential compliance-related
issues to the compliance officer and senior management, including the
obligation of affected individuals to report suspected illegal or improper
conduct and the procedures for submitting such reports; and the protection from
intimidation and retaliation for good faith participation in the compliance
program;
(v) disciplinary
standards, with an emphasis on those standards related to the required
provider's compliance program and prevention of fraud, waste and
abuse;
(vi) how the required
provider responds to compliance issues and implements corrective action
plans;
(vii) requirements specific
to the MA program and the required provider's category or categories of
service;
(viii) coding and billing
requirements and best practices, if applicable;
(ix) claim development and the submission
process, if applicable; and
(x) for
MMCOs only, the fraud, waste and abuse prevention program, as specified in
SubPart 521-2 of this Part, and any applicable terms of the MMCO's contract
with the department to participate as an MMCO.
(2) The compliance officer and all affected
individuals shall complete the compliance training program required by this
subdivision no less frequently than annually. The training and education
required by this subdivision shall be made a part of the orientation of new
compliance officers and affected individuals and shall occur promptly upon
hiring.
(3) Training and education
shall be provided in a form and format accessible and understandable to all
affected individuals, consistent with Federal and State language and other
access laws, rules or policies.
(4) The required provider shall develop and maintain a training plan. The training
plan shall, at a minimum, outline the subjects or topics for training and
education, the timing and frequency of the training, which affected individuals
are required to attend, how attendance will be tracked, and how the
effectiveness of the training will be periodically evaluated.
(e) Lines of communication. The
required provider shall establish and implement effective lines of
communication which ensure confidentiality for the required provider's affected
individuals. In designing its lines of communication, the required provider
shall meet the following requirements:
(1) The
lines of communication shall be accessible to all affected individuals and
allow for questions regarding compliance issues to be asked and for compliance
issues to be reported.
(2) The
required provider shall publicize the lines of communication to the compliance
officer and such lines of communication must be made available to all affected
individuals and all MA recipients of service from the required
provider.
(3) The required provider
shall have a method for anonymous reporting of potential fraud, waste and
abuse, and compliance issues directly to the compliance officer.
(4) The required provider must ensure that
the confidentiality of persons reporting compliance issues shall be maintained
unless the matter is subject to a disciplinary proceeding, referred to, or
under investigation by, MFCU, OMIG or law enforcement, or disclosure is
required during a legal proceeding, and such persons shall be protected under
the required provider's policy for non-intimidation and
non-retaliation.
(5) If applicable,
the required provider shall make available on its website, information
concerning its compliance program, including its standards of
conduct.
(f) Disciplinary standards. The required provider shall establish disciplinary
standards and shall implement procedures for the enforcement of such standards
to address potential violations and encourage good faith participation in the
compliance program by all affected individuals. In developing and enforcing its
disciplinary standards, the required provider shall meet the following
requirements:
(1) The written policies and
procedures establishing, pursuant to subdivision (a) of this section, the
required provider's disciplinary standards and the procedures for taking such
actions shall be published and disseminated to all affected individuals and
shall be incorporated into the required provider's training plan as set forth
in subdivision (d) of this section.
(2) The required provider shall enforce its
disciplinary standards fairly and consistently, and the same disciplinary
action should apply to all levels of personnel.
(g) Auditing and monitoring. The required
provider shall establish and implement an effective system for the routine
monitoring and identification of compliance risks. The system should include
internal monitoring and audits and, as appropriate, external audits, to
evaluate the organization's compliance with the requirements of the MA program
and the overall effectiveness of the required provider's compliance program. In
developing its auditing and monitoring program the required provider shall meet
the following requirements:
(1) Auditing.
Required providers shall perform routine audits by internal or external
auditors who have expertise in state and federal MA program requirements and
applicable laws, rules and regulations, or have expertise in the subject area
of the audit. Audits or investigations conducted by state or federal
governmental entities are not considered external audits for purposes of this
paragraph. The audits required by this paragraph shall meet the following
requirements:
(i) Internal and external
compliance audits shall focus on the risk areas identified in section
521-1.3 of this SubPart.
(ii) The results of all internal or external
audits, or audits conducted by the State or Federal government of the required
provider, shall be reviewed for risk areas that can be included in updates to
the required provider's compliance program and compliance work plan.
(iii) The design, implementation, and results
of any internal or external audits shall be documented, and the results shared
with the compliance committee and the governing body.
(iv) Any MA program overpayments identified
shall be reported, returned and explained in accordance with the provisions of
SubPart 521-3 of this Part and the required provider shall promptly take
corrective action to prevent recurrence.
(2) Annual compliance program review. The
required provider shall develop and undertake a process for reviewing, at least
annually, whether the requirements of this SubPart have been met. The purpose
of such reviews shall be to determine the effectiveness of its compliance
program, and whether any revision or corrective action is required.
(i) The reviews may be carried out by the
compliance officer, compliance committee, external auditors, or other staff
designated by the required provider, provided however, that such other staff
have the necessary knowledge and expertise to evaluate the effectiveness of the
components of the compliance program they are reviewing and are independent
from the functions being reviewed.
(ii) The reviews should include on-site
visits, interviews with affected individuals, review of records, surveys, or
any other comparable method the required provider deems appropriate, provided
that such method does not compromise the independence or integrity of the
review.
(iii) The required provider
shall document the design, implementation and results of its effectiveness
review, and any corrective action implemented.
(iv) The results of annual compliance program
reviews shall be shared with the chief executive, senior management, compliance
committee and the governing body.
(3) Excluded providers. In accordance with
the requirements of section
515.5 of this Title, required
providers shall confirm the identity and determine the exclusion status of
affected individuals. In addition, MMCOs shall confirm the identity and
determine the exclusion status of any other persons identified in its contract
with the department to participate as an MMCO, including its participating
providers and its subcontractors.
(i) In
determining the exclusion status of a person required providers shall review
the following State and Federal databases at least every thirty (30) days:
(a) New York State Office of the Medicaid
Inspector General Exclusion List;
(b) Health and Human Services Office of
Inspector General's List of Excluded Individuals and Entities; and
(c) for MMCOs only, any other list or
database required by the contract between the MMCO and the department to
participate as an MMCO.
(ii) Required providers shall require
contractors to comply with the provisions of this paragraph. In addition, MMCOs
shall require their participating providers and subcontractors to comply, where
applicable, with the provisions of this paragraph.
(4) The required provider shall promptly
share the results of the activities required by this subdivision with the
compliance officer and appropriate compliance personnel.
(h) Responding to compliance issues. The
required provider shall establish and implement procedures and systems for
promptly responding to compliance issues as they are raised, investigating
potential compliance problems as identified in the course of the internal
auditing and monitoring conducted pursuant to subdivision (g) of this section,
correcting such problems promptly and thoroughly to reduce the potential for
recurrence, and ensuring ongoing compliance with State and Federal laws, rules
and regulations, and requirements of the MA program. In developing its system
for responding to compliance program issues, the required provider shall meet
the following requirements:
(1) Upon the
detection of potential compliance risks and compliance issues, whether through
reports received, or as a result of the auditing and monitoring conducted
pursuant to subdivision (g) of this section, the required provider shall take
prompt action to investigate the conduct in question and determine what, if
any, corrective action is required, and likewise promptly implement such
corrective action.
(2) The required
provider shall document its investigation of the compliance issue which shall
include any alleged violations, a description of the investigative process,
copies of interview notes and other documents essential for demonstrating that
the required provider completed a thorough investigation of the issue. Where
appropriate, the required provider may retain outside experts, auditors, or
counsel to assist with the investigation.
(3) The required provider shall document any
disciplinary action taken and the corrective action implemented.
(4) If the required provider identifies
credible evidence or credibly believes that a State or Federal law, rule or
regulation has been violated, the required provider shall promptly report such
violation to the appropriate governmental entity, where such reporting is
otherwise required by law, rule or regulation. The compliance officer shall
receive copies of any reports submitted to governmental entities.