MED-02-09-00004-A Compliance Programs for Medical Assistance Provider  

PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following action:

Addition of Part 521 to Title 18 NYCRR.

Compliance programs for medical assistance providers.

To set forth regulations governing compliance programs for medical assistance providers.

A new Part 521, entitled "Provider Compliance Programs," is added to Title 18 of the Codes, Rules and Regulations of the State of New York to read as follows:

Nonsubstantive changes were made in sections 521.1, 521.2(b) and 521.3.

Erin C. Morigerato, Esq., Office of the Medicaid Inspector General, 800 N. Pearl Street, Albany, New York 12204, (518) 408-0508, email: ecm03@omig.state.ny.us

Changes made to the last published rule do not necessitate revision to the RIS, RFA, RAFA or JIS because they were non-substantial changes made for the purposes of clarity and consistency of the text of the regulation and do not require any changes to the RIS, RFA, RAFA, or JIS.

The Office of the Medicaid Inspector General (OMIG) received 11 comments from providers, state agencies, health plans, advocacy groups and other individuals in response to the January 14, 2009 proposed rulemaking. While some commenters expressed interest in supporting and working with the OMIG to implement provider compliance requirements pursuant to N.Y. Social Service Law 363-d, generally, other commenters expressed concerns related to various aspects of the proposed regulation for a variety of reasons.

After reviewing the comments received, the OMIG determined that nonsubstantive technical revisions to the text were necessary for purposes of clarity and consistency. Nonsubstantive technical revisions were made in sections 521.1, 521.2 (b), and 521.3. There are no changes to the Regulatory Impact Statement, Regulatory Flexibility Analysis for Small Businesses and Local Governments, Rural Area Flexibility Analysis and Job Impact Statement which were previously submitted. Accordingly, the OMIG concludes that there are no issues which would impede the adoption of the regulation.

The comments have been summarized and the response to each comment appears below.

Comment:

The OMIG received comments suggesting technical changes to the text of the proposed regulation for purposes of clarity and consistency.

Response:

After considering those comments, the OMIG determined that nonsubstantive technical revisions to the text are necessary for purposes of clarity and consistency. Specifically, nonsubstantive technical changes were made in sections 521.1, 521.2 (b), and 521.3.

Comment:

Many commenters requested clarification on the applicability of the proposed regulation (i.e. which providers are required to comply).

Response:

Pursuant to N. Y. Social Services Law (SSL) § 363-d, those providers subject to this proposed regulation are: providers subject to Articles 28 and 36 of the N. Y. Public Health Law; Articles 16 and 31 of the N.Y. Mental Hygiene Law; and providers who provide care, services or supplies under the medical assistance (Medicaid) program for which the Medicaid program is a "substantial portion" of their business operations.

This regulation simply mirrors the statutory language and in addition, defines "substantial portion" by establishing a five hundred thousand dollars ($500,000.00) threshold, calculated over any consecutive twelve month period, for previous, current or reasonably anticipated Medicaid claims or orders, direct or indirect receipts of Medicaid funds, or previous or current submissions of Medicaid claims on behalf of other parties. For purposes of determining whether a provider is subject to this rulemaking under Part 521.2 (b), amounts of Medicaid funds actually claimed, ordered, submitted or received in a fiscal year or reasonably expected to be claimed, ordered, submitted or received in a fiscal year should be counted when calculating the $500,000.00 threshold.

Comment:

One commenter suggested that the proposed regulation does not apply to most Early Intervention service providers because such providers do not meet the requirements set forth in Part 521.1 even though Medicaid pays for a significant portion of the services they provide. The commenter indicated that Early Intervention service providers do not provide "care, services or supplies under the medical assistance program." The commenter further indicated that Early Intervention service providers are not subject to the proposed regulation because the municipality where the child resides is deemed the provider of such services pursuant to Public Health Law s 2559(3)(a). Additionally, the commenter noted that few Early Intervention service providers reach the $500,000.00 threshold established in Part 521.2(b).

Response:

Early Intervention service providers will be subject to the proposed regulation if they meet the requirements set forth in Parts 521.1(c) and 521.2(b). The OMIG disagrees with commenter's suggestion that these providers are exempt from the proposed regulation because they do not provide care, services or supplies to enrollees; while they are not enrolled in Medicaid, they provide services under the Medicaid program.

Comment:

We received comments from a state agency requesting clarification as to whether the proposed regulation applies to providers who do not meet the requirements set forth in Part 521.1(b) but are nonetheless subject to Article 16 of the N. Y. Mental Hygiene Law pursuant to provider agreements.

Response:

SSL 363-d mandates that providers subject to Article 16 of the N. Y. Mental Hygiene Law to implement a compliance program. SSL 363-d does not provide any exceptions to this requirement. The proposed regulation simply mirrors the text of the underlying statute.

Comment:

Some commenters requested clarification on whether the proposed regulation will apply to managed care organizations. One commenter suggested that managed care organizations should be exempt from the proposed regulation because they do not provide care, services or supplies to enrollees.

Response:

Managed care organizations that meet the regulatory requirements set forth in Parts 521.1 and 521.2 will be subject to the proposed regulation. The OMIG disagrees with commenter's suggestion that managed care organizations should be exempt from the proposed regulation. Managed care organizations certified under Article 44 of the New York State Public Health Law (PHL) who provide comprehensive health services under the medical assistance program to enrollees are directly compensated through a monthly capitation payment for each enrollee and provided supplemental capitation payments as described in the NYS Medicaid Managed Care and Family Health Plus Model Contract.

Comment:

Several commenters expressed concern with the inclusion of risk areas in the proposed regulation that traditionally have not been part of a compliance program and requested clarification on why the OMIG chose to incorporate certain risk areas in the proposed language of Parts 521.3(a) and 521.3(c)(6). Another commenter suggested that if an organization has structures in place to address additional risk areas and ensures effective communication between those responsible for the compliance program and the additional risk areas, the organization would "satisfactorily meet the OMIG's requirements and thus, the additional risk areas need not be formally moved into the compliance domain".

Response:

The OMIG has identified special areas of concern or risk areas in addition to billings to and payments from the Medicaid program as required by SSL 363-d. These include, but are not limited to, medical necessity and quality of care, governance, mandatory reporting and credentialing. The OMIG believes that these risk areas should be incorporated into an effective compliance program based upon reviews of audits and investigations. In addition, the OMIG recommends that providers incorporate into their compliance program other risk areas that are or should with due diligence be identified within the provider's organization. The OMIG disagrees with those commenters who asserted that these additional risk areas need not be specifically identified in a compliance program. The Legislature in creating SSL 363-d found that Medicaid providers may be able to detect and correct payment and billing mistakes and fraud if required to develop and implement compliance programs. The Legislature also found that the purpose of a compliance program is to organize provider resources to resolve payment discrepancies and detect inaccurate billings, "among other things", as quickly and efficiently as possible, and to impose systematic checks and balances to prevent future reoccurrences. The statute further provides that a compliance program shall at a minimum be applicable to billings to and payments from the Medicaid program but "need not be confined to such matters."

Comment:

One commenter requested clarification regarding the OMIG's issuance of provider specific compliance guidance. Another commenter seemed to be under the misconception that managed care organizations will be subject to a "separate and distinct" compliance directive from the OMIG.

Response:

SSL 363-d requires the OMIG to create and make available on its website guidelines, which reflect the requirements of the statute. The OMIG will be issuing provider specific compliance program guidance that will include recommendations and guidance on how specific segments of the provider industry can implement compliance programs. This compliance program guidance will be made available on the OMIG's internet website. While this proposed regulation mirrors the statutory requirements in SSL 363-d which requires certain providers to establish a compliance program, the OMIG's compliance program guidance is intended to provide assistance to providers in developing and implementing compliance programs.

Comment:

Specific questions were posed by a number of commenters relating to the eight elements required to be incorporated into a provider's compliance program pursuant to SSL 363-d.

Response:

The OMIG declines to further regulate the eight elements required by SSL 363-d to be included into a provider's compliance program. The text of the proposed regulation mirrors the elements required by SSL 363-d with some additions. Section 521.3(a) and 521.3(c)(6) include language requiring providers to include certain risk areas into their compliance program. Section 521.3(c)(2) adds that the entity's other senior administrator shall be designated by the entity's chief executive for purposes of direct reporting by the designated employee or compliance officer. Finally, Section 521.3(c)(5)(ii) clarifies that sanctions may be imposed for active or passive non-compliant behavior.

We believe the specific questions posed by commenters relating to the eight elements required to be incorporated into a provider's compliance program pursuant to SSL 363-d are more appropriately addressed in the provider specific compliance guidance. The OMIG has been and continues to work closely with specific segments of the provider community to develop industry specific provider compliance guidance to allow flexibility for a provider to develop a program appropriate to its characteristics.

Comment:

Some commenters requested clarification on the annual certification requirement.

Response:

SSL 363-d requires that a provider shall certify that the provider satisfactorily meets the requirements of the statute upon enrollment in the Medicaid program. This language mirrors the statutory requirements and in addition further requires providers to certify that they satisfactorily meet the requirements of the statute on an annual basis every December thereafter. Participating providers currently enrolled in the Medicaid program will be required to certify that they satisfactorily meet the requirements of the statute every December after the effective date of this regulation. Providers who apply for enrollment into the Medicaid program will be required to certify that they satisfactorily meet the requirements of the statute upon enrollment and every December after the effective date of this regulation. The OMIG is currently developing a certification form that will allow providers to certify that they have a compliance program that meets the statutory and regulatory requirements in place. The certification form and accompanying directions will be made available on the OMIG's internet website.

Comment:

One commenter suggested that there may be an administrative burden associated with the annual certification process. The commenter stated that for some health care providers, annual certification may require "extensive legal research and analysis because of the potential for complicated legal implications." The commenter asserts that the burden associated with annual certification is disproportionate to its utility.

Response:

The OMIG does not believe that the annual certification process will require the "extensive, legal research and analysis" as the commenter suggests. Annual certification will enable the OMIG to determine whether existing providers participating in the Medicaid program have met the requirements of the statute and this regulation. The goal of annual certification is to ensure that providers participating in the Medicaid program have effective compliance programs in place that satisfactorily meets the requirements of the underlying statute.

Comment:

Some commenters requested clarification on the OMIG's determination of an "effective" compliance program.

Response:

In creating SSL 363-d, the Legislature recognized that in order for a compliance program to be effective it must be designed to be compatible with the provider's characteristics. SSL 363-d(1) requires providers to adopt effective compliance program elements, and to implement such a program appropriate to its characteristics. In addition, SSL 363-d(3) gives the Commissioner of the Department of Health and the Medicaid Inspector General the authority to determine at any time if a provider has a compliance program that satisfactorily meets the requirements of the statute. SSL 363-d(3)(b) provides that in the event that the Commissioner of Health or the Medicaid Inspector General finds that the provider does not have a satisfactory program within ninety days after the effective date of this regulation, the provider may be subject to any sanctions or penalties permitted by federal or state laws and regulations, including revocation of the provider's agreement to participate in the medical assistance program. The proposed regulation mirrors the language in the underlying statute.

Comment:

Some commenters requested clarification regarding the OMIG's acceptance of a federal compliance program that satisfactorily meets the requirements of SSL 363-d.

Response:

The proposed regulation mirrors the statutory language in SSL 363-d which mandates that if a provider's compliance program is accepted by the Federal Department of Health and Human Services Office of the Inspector General (OIG) and remains in compliance with the standards promulgated by such office, the provider's compliance program shall be deemed in compliance with the provisions of SSL 363-d, so long as such program adequately addresses medical assistance program risk areas and compliance. At the present time the OIG does not "accept" provider compliance programs as a general rule unless the provider has entered into a Corporate Integrity Agreement (CIA) with the OIG. If there is no existing CIA, providers have the option of voluntarily adopting a compliance program and the OIG has issued several industry specific compliance program guidance documents to help providers to establish such programs.

Thus, the OMIG intends to collaborate with the OIG to determine whether a compliance program required by a CIA is in compliance with the provisions of SSL 363-d for the small number of New York providers who are currently subject to a CIA with the OIG. The OMIG also intends to collaborate with the OIG if the possibility of federally accepted compliance programs arise in the future. The OMIG recognizes that a compliance program may be a part of more comprehensive compliance activities so long as the minimum requirements of the statute are met.

Comment:

Some commenters requested clarification on the effective date and time frame for implementation of the proposed regulation. Some commenters suggested that 90 days from the effective date of the proposed regulation as mandated by SSL 363-d is inadequate to make meaningful changes to an effective compliance program.

Response:

SSL 363-d mandates that providers who do not have a satisfactory program within 90 days after the effective date of this regulation may be subject to sanctions or penalties permitted by federal and state laws and regulations, including revocation of the provider's agreement to participate in the medical assistance program. In response to commenters' concerns regarding the time frame for implementing a compliance program, the OMIG will establish an effective date for the proposed regulation as July 1, 2009. Thus, this proposed regulation will be effective on July 1, 2009 and providers subject to the regulation will be required to have a compliance program in place within 90 days of such date.

Comment:

One commenter suggested that upon OMIG's finding that a provider does not have a satisfactory compliance program in place, the OMIG should give the provider a limited period of time to submit a satisfactory compliance program for consideration prior to the imposition of sanctions or penalties.

Response:

We believe that such concerns are matters of OMIG policy and need not be specifically provided for in the text of the proposed regulation. We appreciate commenter's suggestion and will take such suggestion under consideration when developing internal policies and procedures with regard to enforcement of the proposed regulation.

Comment:

A number of commenters raised concerns regarding the fiscal impact on providers required to implement a compliance program.

Response:

The requirement that certain medical assistance providers prepare and adopt compliance programs is established by statute in SSL 363-d (2). Any costs that may be incurred by these providers would be a direct result of that statute and not this rulemaking. In creating SSL 363-d, the Legislature recognized that there are a wide variety of provider types participating in the Medicaid program and for a compliance program to be effective it must be designed to be compatible to reflect a provider's size, complexity, resources and culture. The costs incurred by regulated parties in order to comply with the proposed regulation will vary depending upon any existing compliance measures the provider has in place at the time the regulation takes effect. For those providers who already have an operating compliance program, potentially little or no costs may be incurred in order to establish a compliance program that satisfies the proposed regulation. However, for those providers who do not have a program in place that meets the requirements set forth in this proposed regulation and the underlying governing statute, some costs will be incurred in order to establish a compliance program. The extent of those costs will depend on the size and other attributes of the provider as well as the level of effort that is necessary for the provider to establish a compliance program that satisfies each of the eight mandatory elements.

In assessing the costs that may be incurred by a provider when it establishes a compliance program, pursuant to SSL section 363-d and the proposed regulations, OMIG also considered the cost savings that could result from the implementation of an effective compliance program. OMIG staff reviewed existing literature and studies for information concerning the issue of costs associated with compliance programs. During that research, only one report was identified: Impact of a Compliance Program for Billing on Internal Medicine Faculty's Documentation Practices and Productivity, ACADEMIC SCIENCE (March 2001). The results of this study, which focused on the implementation of a compliance program by the Saint Louis University Medical Group (UMG), suggest that compliance programs may provide certain financial benefits to the provider. For example, in the study of UMG, the gross collection rate for all services increased, staff productivity increased, unbillable services decreased, and the financial risks associated with an adverse audit decreased. These cost savings should diminish, if not completely offset, any costs incurred by providers in the development and implementation of a compliance program.

Thus, the OMIG tried to anticipate and address all circumstances regarding the costs and burdens associated with mandatory compliance programs. We believe we have created a set of requirements that appropriately meets the statutory provisions of SSL 363-d while at the same time provides the flexibility for providers to adopt an effective compliance program appropriate to its characteristics.