Health Law Blog

Important Updates to Medicaid Provider Compliance Requirements

The New York State Legislature recently enacted major pieces of legislation as part of the budget for the 2020-2021 state fiscal year.  See Senate Bill S7506B.  Part of this legislation included several significant updates to Social Services Law (“SOS”) § 363-d, which refers to Medicaid provider compliance programs.  These amendments were effective April 1, 2020 so it is important for providers to be aware of these changes so they can adjust their compliance plans accordingly.  Failure to do so could result in penalties (mentioned below).  Moreover, complying with such requirements is a condition of payment from the MA program.  See SOS § 363-d(2).

Which Providers are Impacted?

Under this amendment, it is up to the providers to determine whether they are required to adopt and implement a compliance program.  See SOS § 363-d(4).  Pursuant to SOS § 363-d,  providers subject to the compliance requirements, include, but are not limited to, the following:

  • Those subject to the provisions of Article 28 and Article 36 of the Public Health Law;
  • Those subject to the provisions of Articles 16 and Article 31 of the Mental Hygiene Law;
  • Managed care providers (including managed long-term care plans); and
  • Other providers for which the MA program is a “substantial portion of their business operations as defined in 18 NYCRR Part 521.2(b)).

Provider Compliance Program Requirements

All providers subject to SOS § 363-d(4) must adopt and implement a compliance program that includes eight elements.  Pursuant to SOS § 363-d(2)(a)(1)-(8), the compliance program must contain written policies, procedures, and standards of conduct that:

  • Articulate the organization’s commitment to comply with federal and state standards;
  • Describe compliance expectations as embodied in the standards of conduct;
  • Implement the operation of the compliance program;
  • Provide guidance to employees and other individuals on how to deal with potential compliance issues;
  • Identify how to communicate compliance issues to appropriate compliance personnel;
  • Describe how potential compliance issues are investigated and resolved by the organization;
  • Include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including, but not limited to, reporting potential issues, investigating issues, conducting self-evaluations, audits, remedial actions, and reporting to appropriate officials; and
  • Include all requirements listed under 42 U.S.C. 1396a(a)(68) (also known as the Deficit Reduction Act of 2005).

Compliance Officer and Compliance Committee

Previously, any employee could be designated as the responsible party for the provider’s compliance program – even one that had other responsibilities so long as the employee could effectively carry out compliance duties.  Under the amended SOS § 363-d(2)(b), this is no longer the case.  Now, there is a requirement to designate an official “compliance officer and a “compliance committee who will report directly and are accountable to the organization’s chief executive or other senior management.  See SOS § 363-d(2)(b).

Formal Self-Disclosure Program

SOS § 363-d(7) establishes a voluntary self-disclosure program for any persons owing any overpayment to the MA program.  Eligibility requirements under the self-disclosure program pursuant to SOS § 363-d(7)(c)(1)-(4) include the following:

  • The person is not currently under audit, investigation, or review by the Office of the Medicaid Inspector General (“OMIG), unless the overpayment and related conduct that is being disclosed does not relate to the OMIG’s audit, investigation, or review.  (Note: this conduct has always been discouraged, however, now it is written into law);
  • The person is disclosing an overpayment and related conduct that the OMIG has not determined, calculated, researched, or identified at the time of the disclosure;
  • The overpayment and related conduct is reported by the deadline under SOS § 363-d(6); and
  • The person is not currently under criminal investigation by the Deputy Attorney General for the Medicaid fraud control unit, an agency of the U.S. government, or any other political subdivision.

An eligible person who wishes to participate in the self-disclosure program must apply by submitting a self-disclosure statement in a manner to be specified by the OMIG and that the statement must contain all relevant information required by the OMIG to effectively administer the self-disclosure program.  See SOS § 363-d(7)(f). 

The OMIG may also choose to waive interest on any overpayment.  Moreover, a person’s good faith participation in the self-disclosure program may be considered as a mitigating factor when determining administrative enforcement action.  See SOS § 363-d(7)(e).

Monetary Penalties

Failure to adopt and implement a compliance program that adheres to the requirements set out in SOS § 363-d may result in a monetary penalty up to $5,000 per month, for a maximum of 12 months.  See SOS § 363-d(3)(d)(1).  Additionally, providers (including Medicaid managed care providers) who have not adopted and implemented a compliance program pursuant to this law and who have previously received a penalty within the previous five years, could receive a monetary penalty up to $10,000 per month, for a maximum of 12 months.  See SOS § 363-d(3)(d)(2).

Jessica N. Haller, Law Clerk, contributed to this article.  If you have any questions about this article or about compliance program requirements, please contact David R. Ross, Esq., Senior Shareholder, via e-mail at

Back to Top