With physicians looking to find ways to increase their revenue streams, some physicians have started working with Medicaid patients. While this may open up an additional revenue stream for them, it may also open up increased risk for unsuspecting practices. With Medicaid billing comes the need for Medicaid compliance. In order to assist physician practices in the process, the Office of the Medicaid Inspector General (“OMIG”) has provided a detailed guide on how to achieve compliance with the complex Medicaid regulations. The way to achieve this is through the OMIG’s mandatory compliance program. The purpose of this program is “to enhance the integrity of the NYS Medicaid program by preventing and detecting fraudulent, abusive, and wasteful practices within the Medicaid program and recovering improperly expended Medicaid funds while promoting high-quality patient care.” It’s the do’s and don’ts that Medicaid providers must pay very close attention to. In essence, the compliance program will aid providers in self-assessment and self-correction. Under NYS Social Services law 363-d, Subsection 1, providers of Medicaid-funded services will be better able to identify and resolve billing discrepancies and detect potential fraud if the required compliance program is adopted. Adoption of the program would require the imposition of systemic checks and balances that would mitigate future reoccurrences of noncompliance.
If you answer “Yes” to any of the questions below, you are required to implement the mandatory program as required under NYS Social Services Law Section 363-d (SSL SS 363-d) and 18 NYCRR Part 521.
Because every physician practice is different by way of operations and organizational structure, a compliance program can only be effective if it is designed and tailored to the specific characteristics of your practice. At the same time, despite the many differences between practices, key components must be included in every compliance program. Without such components, or “elements” as defined by the OMIG, a provider cannot participate in Medicaid programs.
There are eight elements described by OMIG that are required in every compliance program. These are as follows:
Written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics.
While a written code of conduct is ideal, it is not mandatory. Policies and procedures may be sufficient if it is easily determinable that the written policies are truly in effect. Such policies should detail the expectations of conducting business with integrity and the ramifications of violating the program. The policies should clearly define who is expected to follow such rules and that implementation is occurring organization-wide. Such policies should not only provide the necessary guidance in dealing with potential issues of noncompliance but also guidance on communicating such issues to appropriate personnel for resolution.
What does OMIG look for in its assessment of the application of the element? First and foremost, the policies must be in writing and approved by those in leadership. Verbal policies and practices bear no weight in the OMIG’s eyes. Most important of all however, have the policies been implemented? A provider may have the best compliance program, but without actual implementation, it is worthless and possibly worse than NOT having written procedures to begin with.
Designation of an employee vested with the responsibility for the day-to-day operations of the compliance program.
Just as the policies and procedures are integral to the foundation of the compliance program, so is the designation of one individual for oversight of the program. This designated employee, often referred to as the Medicaid Compliance Officer (“MCO”), carries out duties primarily related to compliance (but may have other non-conflicting duties). The MCO should report directly to the entity’s chief executive or someone selected directly by the chief executive. This gives the MCO the desired autonomy necessary to effectively carry out this oversight task. The MCO should relay to the CEO any information as it pertains to compliance (e.g. issues of noncompliance, ineffective policies and procedures, etc.). The MCO is responsible for reviewing the Medicaid policies, reporting, overseeing compliance training, conducting internal audits, and obtaining results. These responsibilities are further explained in the following elements.
Training and education of all affected individuals on compliance issues, expectations and the compliance program.
In order for the Medicaid compliance program to run effectively, all employees and individuals associated with the provider must be trained and educated on potential compliance issues and expectations. This includes the training of management and governing board members as well. Trainings should be conducted periodically, and evidence of the training records should be readily available if proof is requested by the OMIG. Training sessions should be offered in such a way that make-up trainings for absentees are made available and failure to attend trainings should be evidenced with disciplinary action. In addition, new hire orientation should include an abbreviated compliance discussion. Training is not limited to only employees but also includes others associated with the practice including, vendors, consultants, contractors, volunteers, etc. The trainings should be catered to the audience involved with special consideration given to demographics and the audience’s spoken language. Different trainings should be available for the various divisions of the practice’s operations. Not all trainings will be applicable to all staff and associated persons.
Communication lines to the compliance officer that are accessible to all affected individuals to allow compliance issues to be reported.
In the event that issues of noncompliance arise, a direct line of communication to the MCO/ compliance department should be available to all affected people and such communication should be encouraged. To aid in such endeavors, an anonymous/ confidential method of communication must be made available for all the different parties involved. Anonymous avenues must retain anonymity (bear in mind that an anonymous tip cannot be anonymous if the phone retains caller ID, the IP address of the email can be tracked, suggestion boxes can be tampered with by someone other than the compliance officer, etc.). All tips received should be investigated and addressed in a timely fashion, even if, at the investigation’s conclusion, the reporting individual’s suspicions are found incorrect.
Disciplinary policies to encourage good faith participation in the compliance program.
It is possible that communication lines are available for all affected persons but go unused. How will the MCO know what compliance issues are within the operations of the practice if such information is not communicated to him/her? To solve this dilemma, the OMIG has instructed practices to include within their compliance program disciplinary policies to encourage communication and to encourage what they call “good faith participation.” This means the program should have in place repercussions for failure to report suspected noncompliance. Notice that the OMIG does not simply say noncompliance. Rather, there should be a call for action against individuals who even SUSPECT noncompliance but choose not to disclose their doubts. Furthermore, disciplinary policies should be outlined for individuals who not only participate in such noncompliant actions but also those who encourage such behavior. It is crucial to note here that the tone is set at the top. If management casts a blind eye, it is not unusual that employees will follow suit. Such policies should be enforced and communicated to all affected persons.
System for routine identification of compliance risk areas and non-compliance.
In addition to opening communication lines, the MCO should conduct routine checks to ensure that the Medicaid program is operating effectively and in accordance with the Mandatory Compliance Program. The MCO should periodically review the risk areas of the program and how such risks should be addressed and alleviated. This process of self-evaluation of risk areas includes, but is not limited to, the following:
- Internal audits and evaluation of the results – to the extent applicable, external audits can be an additional tool to review risk areas associated with the practice
- Credentialing of providers/persons associated with the practice – For examples, are vendors used included in Medicaid’s exclusion list?
- Evaluation of the reporting systems, management and board activities, and quality of care of Medicaid beneficiaries should be conducted
Upon discovery of noncompliance, there must be documentation to show how the issue was resolved and what actions were taken to ensure that the issue does not present itself in the future. The process of assessing risk, testing to ensure compliance, and monitoring of any corrective action plan, should be well documented to support that the process appropriately occurred.
System for responding to compliance issues when raised, for investigating and correcting problems.
This element delves deeper into the actual system for responding to and investigating noncompliance issues communicated or discovered. OMIG looks to ensure that the system works and is properly outlined in the policies and procedures. The system should be set in such a way that issues are addressed as they are raised and that the time lag between initial discovery and resolution is short. There should be evidence that an investigation took place. To the extent that allegations of noncompliance are proven true, the system should allow for plans of corrections and actions to ensure that such issues do not arise again. Additionally, it is not enough that the matter was investigated and solved. A periodic check in the future should substantiate that the issue was handled effectively and documented that the issue did not happen again. Compliance issues that arise may prompt the MCO to revise the policies at hand or add additional procedures to further mitigate future happenings. To the extent necessary, the system should also outline when self-disclosure to the OMIG is required.
Policy of non-intimidation and non-retaliation for good faith participation in the compliance program.
Just as open communication lines are vital to an effective compliance program, so are policies of both non-intimidation and non-retaliation. There must be evidence that such policies are operating efficiently. Any allegation or complaint of intimidation/retaliation should be considered a risk area in determining risk during Element #6, and should be investigated thoroughly. Lack of tolerance of such behavior should be clearly outlined to all members of management, staff, volunteers, and vendors. Individuals coming forth with concerns of noncompliance should be protected under such policies, as well as, those individuals carrying out the investigation. Labor Law sections 740 and 741 specifically prohibit retaliatory actions by employers against employees if they are reporting issues of non-compliance.
The NYS Mandatory Provider Compliance Program Certification requires NYS Medicaid providers to annually certify that the compliance program “satisfactorily meets the requirements of NYS Social Services Law Section 363-d and 18 NYCRR Part 521.” If the compliance program fails to meet the requirements of the law, the practice should not complete the certification form. Rather, steps should be implemented immediately to bring the practice under compliance. The annual compliance certification is often blindly certified by the practice’s MCO, even though the practice is not compliant with its own compliance program. By falsely certifying, a provider may suffer repercussions from the OMIG as well as possible fines and criminal charges. As part of the Office of Inspector General’s (OIG) routine investigations, the OMIG Bureau of Compliance will conduct focused “Compliance Program Effectiveness Reviews” to test the “effectiveness” of the compliance program and determine to what extent (if any) the program is being followed by the practice. As a result, practices should make sure their compliance program is up to speed.
Kenneth R. Cerini, CPA, CFP, FABFA
Ken is the Managing Partner of Cerini & Associates, LLP and is the executive responsible for the administration of our not-for-profit and educational provider practice groups. In addition to his extensive audit experience, Ken has been directly involved in providing consulting services for nonprofits and educational facilities of all sizes throughout New York State in such areas as cost reporting, financial analysis, Medicaid compliance, government audit representation, rate maximization, board training, budgeting and forecasting, and more.