New York Office of Medicaid Inspector General Proposes Regulations on Medicaid Provider Compliance Programs

The New York State Office of Medicaid Inspector General (OMIG) published proposed regulations in the July 13, 2022 issue of the New York State Register.  The proposed regulations would repeal the current Part 521 - Provider Compliance Programs of Title 18 of the New York Codes, Rules and Regulations (NYCRR) in its entirety and establish new requirements for providers to detect and prevent fraud, waste and abuse in the Medicaid Program under a new Part 521: Fraud, Waste, and Abuse Prevention (Part 521). Part 521 would implement provisions of the New York State Fiscal Year 2020-2021 Enacted Budget and recommendations from the Department of Health’s Medicaid Redesign Team II. 

If enacted, the proposed rules would implement changes related to Medicaid provider compliance programs, Medicaid managed care organization (MCO) fraud, waste, and abuse prevention, and Medicaid providers’ “obligation to report, return, and explain Medicaid overpayments through OMIG’s Self-Disclosure Program.”  We have highlighted below certain provisions from the first of Part 521’s three subparts, Subpart 521-1, that are relevant to New York Medicaid providers as they structure and update their compliance programs.

Scope and Applicability of Program – Section 521-1.1

These proposed regulations require certain “Required Providers” (defined below) participating in the Medical Assistance program (Medicaid) to adopt a compliance plan to detect and prevent fraud, waste, and abuse in the Medicaid program. The following are deemed Required Providers and are obligated to comply with this proposed regulation:

  • hospitals, nursing homes, residential care facilities, and home care service agencies;
  • family care homes and residential treatment facilities for children and youth;
  • any managed care provider or managed long term care plan; and
  • any other person for whom the Medicaid program is or is reasonably expected to be a “substantial portion of their business operations.”  “Substantial portion of their business operations” includes persons who have claimed or received at least $1,000,000 a year from the Medicaid program. The current statutory definition sets $500,000 as the threshold.

In the current regulations, managed care providers and managed long term plans are not included in the scope of the Required Provider definition. 

Duties of Required Providers – Section 521-1.3(a)

To receive payment through the Medicaid program, Required Providers must maintain a compliance program. The regulations define an “effective compliance program” as a program that:

  • is well-integrated into the company’s operations and supported by the highest levels of the organization;
  • promotes adherence to the Required Provider’s legal and ethical obligations; and
  • is designed and implemented to prevent, detect, and correct non-compliance with Medicaid program requirements, such as fraud, waste, and abuse.

The provider must ensure that contracts with contractors, agents, subcontractors, and independent contractors are subject to their compliance program, and if such individuals meet the definition of an Affected Individual, the contracts must include termination provisions for failure to adhere to the Required Provider’s compliance program requirements. The proposed regulations define Affected Individuals as “persons who are affected by the Required Provider’s risk areas including the Required Provider’s employees, the chief executive and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, and governing body and corporate officers.”

Risk Areas for Providers and Medicaid MCOs – Section 521-1.3(d)

The proposed regulations indicate there are ten risk areas, defined as areas of operation affected by the compliance program, that the compliance program must apply to:

  • billings;
  • payments;
  • ordered services;
  • medical necessity;
  • quality of care;
  • governance;
  • mandatory reporting;
  • credentialing;
  • contractor, subcontractor, agent, or independent contractor oversight; and
  • other risk areas that are or should reasonably be identified by the provider through “organizational experience.” 

The regulations define “organizational experience” to include four components: the Required Provider’s knowledge, skill, practice, and understanding in operating a compliance program; identification of issues or risk areas; experience, knowledge, skill, practice and understanding of its participation in the Medicaid program; and awareness of issues it should reasonably become aware of for its services.

In the current regulations, "ordered services" and "contractor, subcontractor, agent, or independent contractor oversight" are not risk areas that are required to be addressed in a Required Provider's compliance program. The proposed regulations also add ten additional risk areas for Medicaid MCOs, which must also be addressed in their compliance programs.  These additional areas of risk include:

  • Compliance with Medicaid MCO’s contract terms;
  • Cost reporting;
  • Submission of encounter data;
  • Network adequacy and contracting;
  • Provider and subcontractor oversight;
  • Underutilization;
  • Marketing;
  • Provision of medically necessary services;
  • Payments and claims processing; and
  • Statistically valid services verification.

Certification – Section 521-1.3(f)

Required Providers must submit an annual certification to the Department of Social Services that they maintain a compliance program.  Each Required Provider must also submit a copy of such certification to each Medicaid MCO with which it has a provider agreement.

Written Policies of Compliance Program – Section 521-1.4(a)

Required Providers are required to have written policies, procedures, and standards of conduct that govern the compliance program. These policies, procedures, and standards of conduct must cover several topics, including guidance on dealing with compliance issues, descriptions of how compliance issues are investigated and resolved, and a policy of non-intimidation and non-retaliation for good faith participation in the compliance program. The policies and procedures must be reviewed at least annually.

Compliance Officer and Compliance Committee – Section 521-1.4(b)-(c)

Under the current regulations, a Required Provider is responsible for designating one employee who is responsible for the compliance program's operation.  Under the proposed regulations, Required Providers must designate a compliance officer who will oversee, monitor, and review the compliance program, implement compliance work plans, and investigate matters related to the compliance program. The compliance officer will also coordinate with a designated compliance committee. The compliance committee will be responsible for, among other things, collaborating with the compliance officer on written policies and procedures, ensuring that the compliance officer is allotted sufficient resources to perform their job, and enacting required modifications to the compliance program.

Compliance Training and Education – Section 521-1.4(d) 

Required Providers must maintain a compliance training and education program for the compliance officer and all Affected Individuals.  This training must be completed at least annually. The training and education must include, at a minimum, a discussion of the following:

  • risk areas and organizational experience of the Required Provider;
  • written policies, procedures, and standards of conduct related to compliance;
  • the role of the compliance officer and compliance committee;
  • the obligation of Affected Individuals to report compliance concerns, the procedures for reporting concerns, and the non-intimidation and non-retaliation policies of the Required Provider;
  • disciplinary standards related to the compliance program and fraud, waste, and abuse prevention;
  • corrective action plans and response to compliance issues;
  • Medicaid program requirements and the Required Provider’s category of services;
  • coding and billing requirements and best practices;
  • claim development and submission; and
  • for Medicaid MCOs only, the fraud, waste, and abuse prevention program requirements of Subpart 521-2 (which will be further discussed in a future Mintz blog post).

OMIG Compliance Program Reviews – Section 521-1.5 

OMIG may review a Required Provider’s compliance program to determine its compliance with the regulations. OMIG will notify a Required Provider of its intent to commence a review, and such notice will include the review period and procedures that will be undertaken to complete the review.  Once the review is complete, OMIG will advise the Required Provider if it satisfies the requirements of Part 521 and if any deficiencies need to be corrected.


If enacted, Part 521-1 will compel Medicaid providers and Medicaid MCOs to examine and, potentially, restructure their compliance programs. OMIG is accepting public comment on these proposed regulations through September 11, 2022.

Jeannie Mancheno is an Associate at Mintz who focuses her practice on health care transactional, regulatory, and compliance matters. She represents clients across the health care industry, including hospitals, physician organizations, health care systems, and long-term and urgent care providers.

Cody Keetch


Cody Keetch is an Associate at Mintz who focuses his practice on health care transactions and advises health care organizations on regulatory, compliance, and governance matters. He also represents clients in the technology and life sciences industries.