Epstein Becker Green Health Care and Life Sciences Client Alert

In the 1990s, as part of the Federal Sentencing Guidelines, the U.S. Sentencing Commission developed, for the first time, the criteria under which it would view an organization’s compliance program as “effective.” In October 2016, the New York State Office of the Medicaid Inspector General (“OMIG”) released a guidance document titled “Compliance Program Review Guidance” (“Guidance”)[1] describing what considerations the OMIG will take into account when it assesses Medicaid-enrolled provider compliance programs established pursuant to New York State Social Services Law § 363-d and 18 NYCRR Part 521. Failure to implement a satisfactory compliance program may result in sanctions or penalties, including revocation of the Medicaid-enrolled provider’s agreement to participate in the Medicaid program.[2]

The Guidance provides important insight into the OMIG’s eight elements of what it considers to be an effective compliance program and addresses the seven areas of risk (“Seven Areas”) that providers must consider when developing their compliance programs.[3] While the Guidance is neither law nor rulemaking, and does not touch on all of the statutory requirements for Medicaid compliance programs, it does provide a glimpse into the OMIG’s compliance priorities and should be used by providers to assess whether their compliance programs meet the OMIG’s expectations.

Elements of a Sufficient Compliance Program

Consistent with the Federal Sentencing Guidelines, the Guidance provides direction regarding how a provider may satisfy each of the elements of an acceptable compliance program.[4]

Written Policies and Procedures

A compliance program must, at a minimum, put all of its policies and procedures in writing. This can be demonstrated by the adoption or ratification of the compliance program and related policies and procedures by the governing body of the organization. In addition, the Guidance stresses that all “Affected Individuals”[5] should have awareness of the program.

More specifically, the OMIG Bureau of Compliance (“BOC”) will look for evidence that:

  1. a code of conduct or code of ethics is in writing,
  2. policies and procedures are applicable to all categories of Affected Individuals,
  3. the written policies and procedures identify the appropriate compliance personnel to whom all communications regarding compliance concerns should be directed, and
  4. how each category of Affected Individuals communicates to appropriate compliance personnel.[6]

The provider must also maintain evidence that demonstrates that compliance activities are carried out in a satisfactory manner. Such evidence may include the following: evidence of a compliance work plan and resulting logs, reports, and risk analyses; annual self-assessments of the compliance program and risk analyses; and evidence of the completion of investigations, including implementation and monitoring of plans of correction for compliance issues.[7]

Designation of an Employee Vested with Responsibility

As is to be expected, the Guidance stresses that the organization must appoint an employee to serve as the Compliance Officer. To eliminate the potential for conflict of interest, the Compliance Officer should not be the general counsel, or associated with the financial department of the organization.[8] Similarly, if the Compliance Officer serves in another capacity within the organization, BOC will review the Compliance Officer’s compliance duties and noncompliance-related duties to ensure that potential conflicts of interest are minimized or eliminated. The Compliance Officer must have direct reporting access to the governing body, with which the Compliance Officer should meet “periodically” (defined as “a regular interval which is no less frequently than annually, but the context may require a more frequent interval”).[9]

Training and Education

The third element of a sufficient compliance program is training Affected Individuals on compliance issues, expectations, and compliance program operations. This training may take place at the same time as other mandatory trainings, such as at new hire orientation, and should be provided periodically. The training should be customized for different categories of Affected Individuals to ensure that training is as relevant and beneficial as possible. Training and education materials must address how to deal with compliance issues, how to report compliance issues that may arise, and how potential problems are investigated and resolved.[10] Compliance training may also focus on previous issues experienced by the organization and frequent issues that arise in other health care organizations.[11]

Open Lines of Communication to the Responsible Compliance Position

The compliance program must establish at least one method of communication (telephone, email, website-based correspondence, regular mail, etc.) available to each category of Affected Individuals to report a compliance issue to a supervisor or manager, and to the Compliance Officer. At least one method of communication must be anonymous, and at least one method of communication must be confidential (though one method may accomplish both purposes).[12] The Guidance advises that Affected Individuals may report directly to supervisors and management as long as such supervisors and management are required to report those issues, in turn, to the Compliance Officer.

Disciplinary Policies to Encourage Good-Faith Participation

The compliance program must contemplate the utilization of written disciplinary policies and procedures that set out expectations for reporting compliance issues and assisting in the resolution of compliance issues, disciplinary action for failing to report compliance issues, and sanctions for participating in non-compliant behavior. BOC will look for consistency in these documents, whether there has been enforcement of compliance-related disciplinary policies, and whether those policies are enforced fairly and firmly.[13]

A System for the Routine Identification of Compliance Risk Areas

A compliance program must have a procedure to identify compliance risk areas specific to the provider. This is demonstrated by a systematic process that allows for the ongoing identification of compliance risk areas particular to a provider, including the Seven Areas, followed by a work plan that addresses the identified risk areas.[14]

A System for Responding to Compliance Issues

An adequate response system is imperative to the success of a compliance program. The compliance program must provide a sufficient description of the response system and evidence of the outcome of the system’s operation, such as logs that track activity, work plans, reports of audits and/or investigations, and plans of correction.[15] Organizations should identify who will investigate a compliance breach, how the investigation will be conducted, how plans of correction will be implemented, and what steps will be taken to continually monitor the compliance program’s effectiveness.[16]

In addition to assessing whether compliance issues are promptly and thoroughly addressed, BOC will consider whether the provider is properly disclosing compliance breaches to regulatory authorities.[17] For example, an expectation must be reflected in the compliance program regarding the refunding of Medicaid overpayments, as appropriate, and BOC will look for evidence of this practice.

A Policy of Non-Intimidation and Non-Retaliation

The final element that BOC will look for is the existence of a policy on non-intimidation and non-retaliation to ensure that Affected Individuals are able to report issues of concern without fear of negative consequences. These provisions must reference New York State Labor Law §§ 740 and 741, which reflect New York State’s “whistleblower” protections. BOC will look for evidence of discipline in response to allegations of intimidation or retaliation and for any complaints of such practices in previous years.[18]


New York statutory and regulatory requirements for Medicaid compliance programs for Medicaid-enrolled providers have been in place for quite some time. The new OMIG Guidance provides Medicaid-enrolled providers a roadmap for complying with those requirements. OMIG’s identification of the Seven Areas should help providers satisfy the compliance program requirements and avoid violations that could result in regulatory penalties up to and including revocation of the right to participate in the Medicaid program.

*   *   *

This Client Alert was authored by Arthur J. Fried and Leonard Lipsky. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.

*Elena M. Quattrone, a Law Clerk – Admission Pending (not admitted to the practice of law) in the Health Care and Life Sciences practice, in the firm’s New York office, contributed to the preparation of this Client Alert.


[1] N.Y.S. Office of the Medicaid Inspector Gen., Compliance Program Review Guidance (Oct. 26, 2016), available at https://omig.ny.gov/images/stories/compliance/compliance_program_review_guidance.pdf.

[2] 18 NYCRR § 521.4(c).

[3] N.Y.S. Office of the Medicaid Inspector Gen., Compliance Program Review Guidance, 31 (Oct. 26, 2016) (The Seven Areas that a compliance program must address are (1) billing, (2) payment, (3) medical necessity and quality of care, (4) governance, (5) mandatory reporting, (6) credentialing, and (7) other risk areas identified by the provider’s risk assessment process).

[4] 18 NYCRR § 521.3.

[5] N.Y.S. Office of the Medicaid Inspector Gen., Compliance Program Review Guidance, 3,4 (Oct. 26, 2016) (The BOC defines “Affected Individuals” as all employees, appointees, executives, and governing body members who contribute to the provider’s entitlement to payment under the Medicaid program in New York State. “All of the requirements under each of the Eight Elements for mandatory compliance programs must apply to all Affected Individuals,” and BOC will consider how applicable each requirement is to all the Affected Individuals of a provider).

[6] Id. at 7. 

[7] Id. at 11. 

[8] Id. at 10.

[9] Id. at 4.

[10] Id. at 15.

[11] Id. at 16.

[12] Id. at 19.

[13] Id. at 22.

[14] Id. at 24.

[15] Id. at 26. 

[16] Id. at 8. 

[17] Id. at 28.

[18] Id. at 30.

