Health Law Blog

Medicaid Compliance Plans and the OMIG

As you may be aware, the New York State Office of the Medicaid Inspector General (or “OMIG”) has established that certain Medicaid providers (all Public Health Law Article 28 and 36 facilities, and all Mental Hygiene Law Article 16 and 31 facilities) must have Medicaid Compliance Plans. Also covered are providers that derive a “substantial portion” of their business operations from Medicaid. See Social Services Law 363-d and the implementing regulations found at 18 NYCRR Part 521. Under 18 NYCRR 521.2(b), a Medicaid provider is subject to the mandatory compliance program obligation if the Medicaid provider:

  1. is a person, provider, or affiliate that claims, orders or has claimed or has ordered or should be reasonably expected to claim or order at least $500,000 in any consecutive 12-month period from Medicaid;
  2. is a person, provider, or affiliate that receives or has received or should be reasonably expected to receive at least $500,000 in any consecutive 12-month period directly or indirectly from Medicaid; or
  3. is a person, provider, or affiliate that submits or has submitted claims for care, services, or supplies to the Medicaid program on behalf of another person or persons in the aggregate of at least $500,000 in any consecutive 12-month period.

Additionally, the OMIG has required that such providers annually electronically certify via the OMIG website that they have a compliance plan and that their compliance plan is effective.

The OMIG has recently issued regulatory guidance in this area to providers by posting “Frequently Asked Questions” (or FAQs) about the mandatory compliance plan requirements on its website. Some of the key topics addressed there are:

  • The necessity of having a compliance plan: In addition to the fact that such plans are required by law, the OMIG states that “[t]he purpose of directing Medicaid providers to implement a compliance program is to ensure providers implement and maintain appropriate systems and processes to detect and prevent fraud, waste and abuse in the Medicaid program.” The overall goal is to achieve “program integrity in the Medicaid program and saves the Medicaid program dollars by reducing inappropriate payments and maximizing appropriate payments for covered services that are delivered to Medicaid recipients.”
  • The contents of the required compliance program: Social Services Law §363-d subd. 2 and 18 NYCRR §521.3(c) set out the following eight core elements that shall be included in all compliance programs:
    1. written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on dealing with potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel and describe how potential compliance problems are investigated and resolved;
    2. designate an employee vested with responsibility for the day-to-day operation of the compliance program; such employee’s duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; such employee shall report directly to the entity’s chief executive or other senior administrator and shall periodically report directly to the governing body on the activities of the compliance program;
    3. training and education of all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations, and the compliance program operation; such training shall occur periodically and shall be made a part of the orientation for a new employee, appointee or associate, executive, and governing body member;
    4. communication lines to the responsible compliance position (as described in “2,” above) that are accessible to all employees, persons associated with the provider, executives, and governing body members, to allow compliance issues to be reported; such communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified;
    5. disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assisting in their resolution and outline sanctions for: (1) failing to report suspected problems; (2) participating in non-compliant behavior; or (3) encouraging, directing, facilitating, or permitting non-compliant behavior; such disciplinary policies shall be fairly and firmly enforced;
    6. a system for routine identification of compliance risk areas specific to the provider type, for self-evaluation of such risk areas, including internal audits and, as appropriate, external audits, and for evaluation of potential or actual non-compliance as a result of such self-evaluations and audits;
    7. a system for responding to compliance issues as they are raised; for investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting such problems promptly and thoroughly and implementing procedures, policies and systems as necessary to reduce the potential for recurrence; identifying and reporting compliance issues to the department or the office of Medicaid inspector general; and refunding overpayments; and
    8. a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections 740 and 741 of the labor law.
  • A comparison between the OMIG compliance plan requirement and the Deficit Reduction Act (DEFRA) of 2005: The compliance plan required by the OMIG is different than what is required by DEFRA 2005, which requires that providers who bill or receive Medicaid monies in excess of $5 million per federal fiscal year certify that the provider is in compliance with the federal law and shall, among other things, provide education and training about fraud, waste and abuse to its staff and vendors. Certification is done via a different OMIG form found on their website. FAQs specific to the DRA 2005 certification and form can be accessed here. Note that the DEFRA certification must be completed on or before January 1st for each prior federal fiscal year that the Medicaid provider receives or makes $5 million or more in Medicaid payments. The federal fiscal year starts on October 1st and ends on September 30th.


  • Is there one OMIG compliance plan that fits all providers? The law has minimum requirements that apply to all providers that meet the criteria regardless of the size of the provider. The OMIG states that it recognizes that there is no “one size fits all” approach to compliance, and additionally that “an effective compliance program must be tailored to a provider’s size, scope of items or services provided, complexity, resources, and culture.”


  • Will the OMIG issue model compliance plans for use by various types of providers? The OMIG has developed a compliance plan for hospitals and is currently in the process of drafting industry-specific guidelines for other provider types under Medicaid. When these guidelines are developed, they will be available on OMIG’s website. According to their website, the OMIG does not anticipate issuing model compliance plans or templates.


  • Assessment of efficacy of plan and compliance with law: Whether or not the provider’s compliance plan is “effective” is a key question that must be answered by each provider prior to certifying compliance to the OMIG. The determination of whether the Medicaid provider has a compliance program that meets the requirements of Social Services Law §363-d and 18 NYCRR Part 521 is “a decision that is made by the Medicaid provider” and “is an important one that should be made after due deliberation on the facts and circumstances surrounding the implementation and operation of the compliance program.” OMIG recommends that each Medicaid provider should conduct an annual self-assessment of its compliance program to determine if the certification requested can be made. Providers may use a self-assessment tool that is available on the OMIG website.
  • What do providers do if they determine that their compliance program has not been adopted, implemented, or is not effective? The provider should not check the certification box but should instead check the box that indicates the Medicaid provider’s “compliance program is not effective.” In that case, the provider should provide the additional information requested. An attorney should be consulted as well, because the OMIG has sanctions available to it in such cases including but not limited to termination of the enrollment agreement.

Ultimately, the development of a satisfactory compliance plan is an involved process that requires care and attention to detail. Providers should consult an attorney for assistance with this process.

Please contact David R. Ross at for more information.
