Last November, New York Medicaid Inspector General, James G. Sheehan, participated in a Webinar entitled “Evaluating Effectiveness of Compliance Programs,” in which he described, among other things, OMIG’s role in ensuring a provider’s implementation of an effective compliance program, detailing the steps he and OMIG Compliance staff are taking to evaluate a provider’s implementation of the eight elements of a compliance program prescribed in the regulations.1 OMIG has since provided further guidance with respect to OMIG’s oversight of a provider’s compliance program in its 2011 Medicaid Work Plan, issued on December 6, 2010.


By now every Medicaid provider in New York State probably has experienced some type of encounter with OMIG at various points along the health care delivery continuum. Most common to providers is the audit stage, involving a retrospective review of payments or reimbursements to providers for services rendered or claims submitted years earlier. Some providers have also encountered OMIG at the self-disclosure stage, upon identifying an overpayment, before OMIG has discovered it on audit or otherwise. Now OMIG is assuming a more hands-on role on the “front end” of compliance, to ensure that a provider has in place an effective compliance program that detects and prevents compliance problems before they ripen into a larger or more systemic problem, with potentially significant financial consequences. This memorandum will briefly discuss the regulatory elements of an effective compliance program, and will highlight the tools and techniques that OMIG has recently rolled out to test whether providers have actually put in place an effective compliance program.

Legal Background

The principal sources for OMIG’s authority to oversee a provider’s compliance program are contained in New York Social Services Law Section 363-d2, 18 N.Y.C.R.R. Section 521.33, and in 18 N.Y.C.R.R. Section 521.44. Under this statutory and regulatory scheme, OMIG has been effectively anointed the chief watchdog for compliance in the State’s Medicaid program.

What are the Elements of an Effective Compliance Program?

Briefly, the eight elements to an “effective” compliance program delineated in the regulations (18 N.Y.C.R.R. Section 521.3(c)) include:  

  • Written policies and procedures that must include: (i) a “Code of Conduct”, or “code of ethics”, that describes the provider’s compliance expectations, (ii) procedures for implementing the operation of the compliance program; (iii) guidance for employees/others confronting a potential compliance issue; (iv) a procedure for communicating potential compliance issue within the organization; and (v) a process for investigating and resolving compliance issues.  
  • Compliance officer must be designated who is the employee in charge of “dayto- day operation” of the compliance program and reports directly to the CEO or other senior administrator, and to the provider’s board of directors.  
  • Inservice training and education of employees, executive staff, and board members.  
  • Line of communication to the compliance officer, including an anonymous and confidential method of “good faith” reporting (whistleblower).
  • Disciplinary policies and “firmly enforced sanctions” for (i) failing to report non-compliant behavior, (ii) participating in non-compliant behavior, (iii) or encouraging or actively or even passively allowing non-compliant behavior (i.e., looking the other way is inappropriate and sanctionable).  
  • System for identifying risk areas (i) specific to provider type (through internal and external audits) and in connection with (ii) credentialing, (iii) mandatory reporting compliance, (iv) corporate governance, and (v) quality of care.  
  • System for (i) responding to and investigating potential compliance problems, (ii) correcting, and preventing or reducing the risk of recurrence of, compliance problems, (iii) reporting compliance issues to OMIG, and (iv) refunding overpayments to the State.  
  • Non-intimidation and non-retaliation policies for good faith participation in the compliance program, including any employee reports made to public officials (whistleblower protection).  

Failure to maintain an effective compliance program as determined by OMIG may subject a provider to sanctions, including termination from the Medicaid program.  

OMIG Webinar Guidance

As mandated by statute, providers have been required to adopt and implement an effective compliance plan since at least as early as October 1, 2009. However, OMIG has only recently taken a number of steps to assess providers’ compliance programs. Specifically, OMIG has conducted outreach to determine providers’ understanding of their responsibility under the compliance requirements. These measures have included making unannounced on-site visits at providers’ facilities, random phone calls to providers, public presentations, and direct mailing to providers.5 According to OMIG, through these measures, it has discovered certain discrete areas where providers were deficient with respect to their compliance programs:  

  • Some providers had not adopted any form of compliance program;  
  • Providers were unaware of the compliance plan certification requirement (which in and of itself may demonstrate the lack of an effective compliance program);
  • Providers were confused between the certification requirements under New York regulations (effective compliance program) and the certification requirement under the federal Deficit Reduction Act (employee education);  
  • Providers were not reading the monthly Medicaid Updates available on-line that provide further compliance guidance;  
  • Providers had not provided their current contact information to eMEDNY; and  
  • Providers were unaware of the dollar value of ordered Medicaid services, which trigger certain compliance requirements.  

OMIG also identified several areas of inquiry on which it would focus when assessing the effectiveness of a compliance program:  

  • How the provider defines compliance failures;  
  • How many compliance failures the provider has experienced, and if the same ones recur;  
  • Whether the provider implements a timely, relevant plan of correction;  
  • How compliance failures are monitored;  
  • Whether the provider’s compliance officer is included in relevant meetings and provided with relevant information;  
  • Whether employee surveys and exit interviews are conducted;  
  • Whether the provider has performed an annual self-assessment of the effectiveness of its compliance plans (see OMIG Compliance Alert 2010-02 for its form of self-assessment).6  

OMIG reinforced the point in so many words that simply adopting a compliance program, on paper, is not enough. A provider must actually implement an “effective” program in order to comply with the regulatory requirements.  

OMIG 2011 Work Plan

At the outset, the OMIG 2011 Work Plan states that OMIG’s “most significant executive initiatives relate to implementation and oversight of” a provider’s compliance obligations, suggesting that compliance enforcement will be the top priority for the office in the new year. Consistent with OMIG’s recent guidance, the 2011 Work Plan otherwise details the measures OMIG will take in this area. For starters, the Work Plan cautions that a provider’s continual failure to certify that it has adopted an effective compliance program may result in requiring the provider to enter into a Corporate Integrity Agreement or the imposition of sanctions. The Work Plan also confirms that OMIG staff will be visiting and communicating with health care providers to identify and share best practices, to assess compliance-program implementation, and to identify impediments to successful compliance programs. The Work Plan warns that OMIG maintains careful records of compliance visits and telephone calls, and has been following up to ensure that any compliance failures identified, are remedied by the providers.

The Work Plan identifies several new compliance initiatives that OMIG will be introducing in 2011:

  • OMIG will be conducting investigations of significant compliance failures with respect to corporate governance issues and will be evaluating board responses to identified compliance failures to determine what systems boards had in place to inform themselves of compliance failures and to provide reasonable assurance of compliance. OMIG intends to stress the importance of the role of boards of directors in monitoring the day-to-day operations of the providers whom they govern.  
  • As of January 1, 2011, OMIG will begin enforcing Section 6402 of the Affordable Care Act, which requires repayment of an overpayment within 60 days after identifying the overpayment. Failing to make a timely self-disclosure within 60 days may highlight a provider’s lack of an effective compliance program.  
  • Providers are required to check OMIG’s list of restricted, terminated, or excluded individuals or entities before hiring and to monitor OMIG’s updates at 30-day intervals. OMIG explains that the failure to check for excluded persons, or the failure to report the employment of an excluded person is a violation of each provider’s obligation to have an effective compliance program.  

Cautionary Notes

Knock Knock. That could be OMIG at your door for an unannounced visit -- not to audit your facility or clinic’s claims or cost reports, but to assess your compliance program. OMIG has made such visits to speak with the compliance officer, to review the compliance plans, and to see evidence of the provider’s certification. Accordingly, facilities should be prepared to respond to unannounced visits from OMIG inquiring about the organization’s compliance structure and practices.

Ring Ring. In a proverbial “Gotcha”, OMIG has also made random calls to providers seeking the name of the compliance officer. OMIG has represented that if the employee who answers the call cannot provide the name of the compliance officer, that would be evidence of an ineffective compliance program. Thus, failing a compliance “pop quiz” may well count toward an organization’s final, compliance-program grade. The lesson to be drawn is that providers should continually educate all employees -- even personnel with a seemingly low compliance risk (e.g., no responsibility for billing or caregiving) -- about such basics as compliance personnel and procedures.

From OMIG’s perspective, the anecdote about the apparently clueless receptionist is no trifling matter. The proper “tone from the top” -- making compliance a priority -- must be communicated across and down the organizational chart, such that everyone, including the phone receptionist, should at least know who within the organization is the right employee to report any compliance issues. Put another way, if the policy is that compliance is integral to the organization’s culture, then that message must be loud and clear enough for all employees to hear and absorb -- and by extension for OMIG to observe and confirm when evaluating the effectiveness of a compliance program.