OMIG Regulations Expand Compliance Program, Overpayment, and Managed Care Plan Requirements
The New York State Office of the Medicaid Inspector General (OMIG) has adopted new regulations expanding requirements governing compliance programs; strengthening Medicaid managed care plan fraud, waste, and abuse prevention programs; and codifying OMIG’s self-disclosure program for Medicaid overpayments. These amendments were recommended as part of the 2020 Medicaid Redesign Team (MRT) II process and are derived from statutory changes enacted in 2020. The regulations took effect on Dec. 28, 2022. However, two of the three subparts – the Compliance Program and Medicaid Managed Care Fraud, Waste, and Abuse Prevention Programs subparts – will not be enforced for 90 days from the effective date (i.e., March 28, 2023). It appears that enforcement of the Self-Disclosure Program subpart will not be delayed.
LeadingAge NY submitted comments on the proposed regulations, seeking a delay in the effective date, the elimination of duplicative and overlapping requirements applicable to “Affected Individuals” who are also “Required Providers and/or that contract with multiple Required Providers,” and an exemption of Programs of All-Inclusive Care for the Elderly (PACE programs) from managed care requirements. Although OMIG made technical changes in the regulations in response to some of our comments and offered clarifications in its assessment of public comment, it did not make substantive changes in the proposed regulations. Our outside counsel at Hinman Straub has prepared a memo on the adopted regulations. The following is a brief summary; however, members are encouraged to review the regulations in their entirety:
Compliance Programs (Subpart 521-1)
The Compliance Program subpart clarifies and expands upon existing requirements for Medicaid providers and managed care plans. It is intended to better align New York State’s mandatory compliance program with the elements found in federal regulations and guidance, as well as align with the state law changes enacted in 2020. It applies to “required providers,” defined as:
- any person subject to the provisions of Articles 28 or 36 of the Public Health Law;
- any person subject to the provisions of Articles 16 and 31 of the Mental Hygiene Law;
- any managed care provider or managed long term care plan, which shall hereinafter be collectively, unless otherwise noted, referred to as “Medicaid managed care organization” or “MMCO;” and
- any other person for whom the Medicaid (MA) program is, or is reasonably expected by the person to be, a substantial portion of their business operations.
Under the regulations, a “substantial portion of business operations” means claiming, receiving, or expecting to claim or receive at least $1 million in a 12-month period from the Medicaid program. Under the prior regulation, Medicaid revenue or claims of $500,000 triggered the compliance program requirement.
The regulation sets forth risk areas that must be addressed by each Required Provider’s compliance program, including 10 additional risk areas specific to Medicaid managed care plans. Each Required Provider’s compliance program, and its policies and procedures, must be applicable to all “Affected Individuals,” defined as all persons or entities affected by the provider's risk areas, including its employees, governing body, and contractors.
The subpart also includes detailed provisions governing compliance program elements, policies and procedures, guidance for Affected Individuals, the role of the compliance officer and compliance committee, training and education for the compliance officer and Affected Individuals, lines of communication and accountability, auditing and monitoring, annual compliance reviews to determine the effectiveness of the compliance program, procedures for responding to compliance issues, and reporting of violations of law to governmental authorities. In addition, the subpart sets forth the elements of OMIG reviews of compliance programs and the process for notifying providers of its findings.
LeadingAge NY, in its comments on the regulation, raised concerns about the broad definition of Affected Individuals and the extensive responsibilities imposed on Affected Individuals (and Required Providers in relation to Affected Individuals) for training, communication, and compliance program activities. We pointed out that many, if not most, Affected Individuals will be subject to the compliance programs of multiple Required Providers and are often Required Providers themselves. For example, most providers will be Affected Individuals of multiple managed care plans, which are considered Required Providers under the regulations. As a result, the Affected Individuals will be required to comply with the provisions of their own compliance programs, as well as those of each managed care plan with which they contract.
OMIG made some technical changes to the regulation in response to these comments. In its review of public comments, OMIG stated that Affected Individuals who are contractors are only subject to the Required Provider’s compliance program to the extent it is related to their contracted role and responsibilities within the provider’s identified risk area. Supplemental guidance will be issued about how OMIG intends to interpret the responsibilities of Required Providers and their contractors, in the context of when contractors are subject to both their own compliance program and the compliance program of the Required Provider. OMIG also stated that it will explore with the Department of Health (DOH) amending the standard clauses for MMCO network providers to incorporate the requirements of this subpart.
OMIG also noted that Required Providers may need to modify the existing contracts they have with contractors. To assist Required Providers in meeting these requirements, OMIG will only enforce the requirements of Section 521-1.3(c) for contracts executed or renewed starting 90 days and no later than two years from the effective date of subpart 521-1. This will be confirmed in guidance.
Medicaid Managed Care Fraud, Waste, and Abuse Prevention (Subpart 521-2)
This subpart applies to MMCOs and explicitly applies to “managed long term care plans,” which are defined in subpart 521-1 as “an entity that has received a certificate of authority pursuant to section 4403-f of the Public Health Law to provide or arrange for health and long term care services on a capitated basis for a population which the plan is authorized to enroll.”
The new subpart adds to managed care regulations set forth at 10 NYCRR 98-1.21 and 11 NYCRR 86.6. However, to the extent that the OMIG regulations conflict with or expand upon those pre-existing regulations, the OMIG regulations will govern the managed care plans in their participation in Medicaid. A plan’s fraud, waste, and abuse prevention program must be incorporated into its compliance program.
This subpart includes detailed provisions governing MMCO fraud, waste, and abuse prevention programs, including provisions that expand the requirement to have a Special Investigation Unit (SIU) and specify its composition. Specifically, the regulations include the following, among other provisions:
- An MMCO that has 1,000 or more members in a year must have a full-time SIU that is separate and distinct from other units or functions.
- An MMCO must employ at least one full-time lead investigator and one SIU director. Unless alternative staffing levels are approved by OMIG, at least one full-time investigator must be employed per 6,000 enrollees for managed long term care (MLTC) plans. At least one full-time investigator must be employed per 60,000 enrollees in other types of plans. An MMCO must employ investigators dedicated to servicing a particular county when that county on its own meets the designated, required investigator-to-enrollee ratio.
- An MMCO may apply to OMIG for alternative minimum staffing levels.
- In addition to investigators, the MMCO shall also employ or use existing employees who are certified coders, clinicians, data analysts, or pharmacists to support the work of the SIU.
- The SIU investigator must have a minimum of five years of experience in the health care field working in fraud, waste, and abuse investigations or insurance claims investigation experience, or certain other specified types of education or experience.
- The functions of the SIU may be delegated; however, the contract for SIU function must meet certain requirements.
- The SIU audits, investigations, and reviews must involve at least 1 percent of the aggregate MA program claims it pays to providers and subcontractors, based on the total prior year’s claims paid.
- The MMCO and its subcontractors must report all cases of potential fraud, waste, and abuse to OMIG and immediately refer reasonably suspected criminal activity to OMIG and the Medicaid Fraud Control Unit (MFCU), in accordance with the MMCO’s contract with DOH.
- The MMCO must develop a fraud, waste, and abuse public awareness program and make it available on its website.
- The MMCO’s fraud, waste, and abuse prevention plan must be submitted to OMIG within 90 calendar days of the effective date of these proposed regulations and upon signing a new contract with DOH.
- An annual report on fraud, waste, and abuse prevention activities must be submitted on or before a date specified by OMIG, which can be no sooner than Jan. 31st.
LeadingAge NY, in its comments on the proposed regulations, noted the staffing challenges that many plans and providers are facing and sought a delay in the implementation of the regulations. OMIG did not choose to delay the enforcement of the regulation beyond 90 days. However, it stated in response to comments: “The proposed regulations allow for plan flexibility through the option of proposing alternative staffing arrangements. In enforcing the requirements of SubPart 521-2, OMIG will, however, take into consideration a provider’s and MMCO’s documented good faith efforts to hire and retain staff in any review or enforcement action."
LeadingAge NY also questioned the imposition of more rigorous SIU staffing ratios for MLTC plans than for mainstream plans. OMIG responded:
We disagree that the staffing ratios for SIUs are more rigorous for MLTCs than for other Plan types. In developing the lower staffing ratio (6,000 enrollees) OMIG considered not only enrollment thresholds but payments to plans, with the rate of per member reimbursement for MLTCs is higher than other plan types. Taking these factors into consideration, OMIG developed a standard for MLTCs consistent with the requirements for MCOs, who have higher enrollment, but lower reimbursement per member, without overburdening the MLTCs.
LeadingAge NY also sought an exemption of PACE programs from the managed care subpart, given their size and hybrid nature as both providers and managed care entities. OMIG responded:
OMIG agrees with the commenter to the extent that OMIG will review and assess a required provider’s obligation to adopt and implement an effective compliance program at an organizational level. While each individual provider may meet the definition of a “required provider”, OMIG expects that such providers would operate one, cohesive compliance program. However, we do not feel a revision to the regulation is required to effectuate this interpretation.
Self-Disclosure Program (Subpart 521-3)
The Self-Disclosure Program subpart reiterates statutory requirements Section 363-d of the Social Services Law, and many of the requirements included in prior guidance issued by OMIG. The regulation requires “[a]ny person who has received an overpayment under the MA program, directly or indirectly [to] . . . report, return and explain the overpayment by submission of a Self-Disclosure Statement to OMIG’s Self-Disclosure Program pursuant to section 521-3.4 of this SubPart.” A person has identified an overpayment “when that person has or should have through the exercise of reasonable diligence, determined that they have received an overpayment and quantified the amount of the overpayment.” When a person fails to exercise reasonable diligence, and receives an overpayment, they are subject to an enforcement action.
This subpart sets forth the required contents of self-disclosures. It also includes deadlines for reporting, returning, and explaining overpayments; for OMIG review of self-disclosures and notification of the outcome of the review; and for responses to OMIG requests for additional information. It includes the terms of self-disclosure and compliance agreements and provides for termination of participation in the Self-Disclosure Program if the disclosing person submits false information, omits material information, attempts to evade an overpayment due, or fails to execute and return the self-disclosure and compliance agreement. The regulations also include provisions for re-paying overpayments, including provisions governing timelines and interest. Persons who fail to report, return, and explain an overpayment may be subject to monetary penalties and other sanctions.
LeadingAge NY will provide members with updates as supplemental guidance becomes available.
Contact: Karen Lipson, firstname.lastname@example.org