Current through Register Vol. 46, No. 45, November 2, 2024
Section 521-1.4 - Compliance program requirements

(a) Written policies and procedures.
(1) General. Required providers shall have written policies, procedures, and standards of conduct. The required provider shall establish a process for drafting, revising, and approving the written policies and procedures required by this subdivision. The written policies and procedures described in this subdivision must be available, accessible, and applicable to all affected individuals.
(2) The written policies and procedures shall:
(i) articulate the required provider's commitment and obligation to comply with all applicable federal and state standards. The required provider shall identify governing laws, and regulations that are applicable to the provider's risk areas, including any MA program policies and procedures, as specified in subdivision (d) of section 521-1.3 of this SubPart or category of service.
(ii) describe compliance expectations as embodied in standards of conduct. The standards of conduct shall serve as a foundational document which describes the required provider's fundamental principles and values, and commitment to conduct its business in an ethical manner.
(iii) document the implementation of each of the subdivisions under this section and outline the ongoing operation of the compliance program. Policies and procedures shall describe, at a minimum, the structure of the compliance program, including the responsibilities of all affected individuals in carrying out the functions of the compliance program.
(iv) provide guidance to affected individuals on dealing with potential compliance issues.
Such guidance shall, at a minimum:
(a) assist affected individuals in identifying potential compliance issues, questions and concerns, set forth expectations for reporting compliance issues, and explain how to report such issues, questions, and concerns to the compliance officer; and
(b) establish the expectation that all affected individuals will act in accordance with the standards of conduct, that they must refuse to participate in unethical or illegal conduct, and that they must report any unethical or illegal conduct to the compliance officer.
(v) identify the methods and procedures for communicating compliance issues to the appropriate compliance personnel.
(vi) describe how potential compliance issues are investigated and resolved by the required provider and the procedures for documenting the investigation and the resolution or outcome.
(vii) include a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including, but not limited to:
(a) reporting potential compliance issues to appropriate personnel;
(b) participating in investigation of potential compliance issues;
(f) reporting instances of intimidation or retaliation; and
(g) reporting potential fraud, waste or abuse to the appropriate State or Federal entities.
(viii) Disciplinary standards. Include a written statement setting forth the required provider's policy regarding affected individuals who fail to comply with the written policies and procedures, standards of conduct, or State and Federal laws, rules and regulations.
(a) Such statement shall establish standards for escalating disciplinary actions that must be taken in response to non-compliance, with intentional or reckless behavior being subject to more significant sanctions. Sanctions may include oral or written warnings, suspension, and/or termination.
(b) The written policies and procedures shall also outline the procedures for taking disciplinary action and sanctioning individuals.
Disciplinary procedures shall conform with collective bargaining agreements when applicable.
(ix) Additionally, notwithstanding the requirement under 42 U.S.C. 1396a(a)(68), which applies to entities that receive or make annual payments of at least $5,000,000 annually, all required providers shall comply with the provisions of 42 U.S.C. 1396a(a)(68) (United States Code, 2006 edition, Title 42, Chapter 7, SubChapter XIX, Government Printing Office, https://www.govinfo.gov/content/pkg/USCODE-2006-title42/pdf/USCODE-2006-title42-chap7-subchapXIX-sec1396a.pdf. A copy of which is available for copying and inspection at the Office of the Medicaid Inspector General, 800 North Pearl Street, 2nd Floor, Albany, NY 12204).
(x) for MMCOs, describe the MMCO's implementation, where applicable, of the requirements of SubPart 521-2 of this Part.
(3) The required provider shall review the written policies and procedures, and standards of conduct required by this subdivision at least annually to determine:
(i) if such written policies, procedures, and standards of conduct have been implemented;
(ii) whether affected individuals are following the policies, procedures, and standards of conduct;
(iii) whether such policies, procedures, and standards of conduct are effective; and
(iv) whether any updates are required.

(b) Compliance officer. The required provider shall designate an individual to serve as its compliance officer. The compliance officer is the focal point for the required provider's compliance program and is responsible for the day-to-day operation of the compliance program.
The required provider's designation of a compliance officer shall meet the following requirements:
(1) The compliance officer's primary responsibilities shall include:
(i) overseeing and monitoring the adoption, implementation and maintenance of the compliance program and evaluating its effectiveness;
(ii) drafting, implementing, and updating no less frequently than annually or, as otherwise necessary, to conform to changes to Federal and State laws, rules, regulations, policies and standards, a compliance work plan which shall outline the required provider's proposed strategy for meeting the requirements of this section for the coming year, with a specific emphasis on subdivisions (a), (d), (g), (h) of this section and, if applicable, SubPart 521-2 of this Part;
(iii) reviewing and revising the compliance program, and, in accordance with paragraph 3 of subdivision (a) of this section, the written policies and procedures and standards of conduct, to incorporate changes based on the required provider's organizational experience and promptly incorporate changes to Federal and State laws, rules, regulations, policies and standards;
(iv) reporting directly, on a regular basis, but no less frequently than quarterly, to the required provider's governing body, chief executive, and compliance committee on the progress of adopting, implementing, and maintaining the compliance program;
(v) assisting the required provider in establishing methods to improve the required provider's efficiency, quality of services, and reducing the required provider's vulnerability to fraud, waste and abuse;
(vi) investigating and independently acting on matters related to the compliance program, including designing and coordinating internal investigations and documenting, reporting, coordinating, and pursuing any resulting corrective action with all internal departments, contractors and the State; and
(vii) the compliance officer shall be responsible for coordinating the implementation of the fraud, waste, and abuse prevention program with the director and lead investigator of the MMCO's special investigation unit pursuant to SubPart 521-2 of this Part, if applicable.
(2) The compliance officer shall report directly and be accountable to the required provider's chief executive or another senior manager whom the chief executive may designate for reporting purposes provided, however, such designation does not hinder the compliance officer in carrying out their duties and having access to the chief executive and governing body.
(3) The responsibilities in paragraph (1) of this subdivision may be the compliance officer's sole duties or, depending on the size, complexity, resources, and culture of the required provider and the complexity of the tasks, the compliance officer may be assigned other duties, provided that such other duties do not hinder the compliance officer in carrying out their primary responsibilities under this SubPart.
(4) The required provider shall ensure that the compliance officer is allocated sufficient staff and resources to satisfactorily perform their responsibilities for the day-to-day operation of the compliance program based on the required provider's risk areas and organizational experience.
(5) The required provider shall ensure that the compliance officer and appropriate compliance personnel have access to all records, documents, information, facilities and affected individuals that are relevant to carrying out their compliance program responsibilities.

(c) Compliance committee. The required provider shall designate a compliance committee which shall be responsible for coordinating with the compliance officer to ensure that the required provider is conducting its business in an ethical and responsible manner, consistent with its compliance program. The required provider shall outline the duties and responsibilities, membership, designation of a chair and frequency of meetings in a compliance committee charter.
The required provider's designation of a compliance committee shall meet the following requirements:
(1) The compliance committee's responsibilities shall include:
(i) coordinating with the compliance officer to ensure that the written policies and procedures, and standards of conduct required by subdivision (a) of this section are current, accurate and complete, and that the training topics required by subdivision (d) of this section are timely completed;
(ii) coordinating with the compliance officer to ensure communication and cooperation by affected individuals on compliance related issues, internal or external audits, or any other function or activity required by this SubPart;
(iii) advocating for the allocation of sufficient funding, resources and staff for the compliance officer to fully perform their responsibilities;
(iv) ensuring that the required provider has effective systems and processes in place to identify compliance program risks, overpayments and other issues, and effective policies and procedures for correcting and reporting such issues; and
(v) advocating for adoption and implementation of required modifications to the compliance program.
(2) Membership in the committee shall, at a minimum, be comprised of senior managers. The compliance committee shall meet no less frequently than quarterly and shall, no less frequently than annually, review and update the compliance committee charter.
(3) The compliance committee shall report directly and be accountable to the required provider's chief executive and governing body.

(d) Training and education. The required provider shall establish and implement an effective compliance training and education program for its compliance officer and all affected individuals.
The required provider's compliance training and education program shall meet the following requirements:
(1) The training and education shall include, at a minimum, the following topics:
(i) the required provider's risk areas and organizational experience;
(ii) the required provider's written policies and procedures identified in subdivision (a) of this section;
(iii) the role of the compliance officer and the compliance committee;
(iv) how affected individuals can ask questions and report potential compliance-related issues to the compliance officer and senior management, including the obligation of affected individuals to report suspected illegal or improper conduct and the procedures for submitting such reports; and the protection from intimidation and retaliation for good faith participation in the compliance program;
(v) disciplinary standards, with an emphasis on those standards related to the required provider's compliance program and prevention of fraud, waste and abuse;
(vi) how the required provider responds to compliance issues and implements corrective action plans;
(vii) requirements specific to the MA program and the required provider's category or categories of service;
(viii) coding and billing requirements and best practices, if applicable;
(ix) claim development and the submission process, if applicable; and
(x) for MMCOs only, the fraud, waste and abuse prevention program, as specified in SubPart 521-2 of this Part, and any applicable terms of the MMCO's contract with the department to participate as an MMCO.
(2) The compliance officer and all affected individuals shall complete the compliance training program required by this subdivision no less frequently than annually.
The training and education required by this subdivision shall be made a part of the orientation of new compliance officers and affected individuals and shall occur promptly upon hiring.
(3) Training and education shall be provided in a form and format accessible and understandable to all affected individuals, consistent with Federal and State language and other access laws, rules or policies.
(4) The required provider shall develop and maintain a training plan. The training plan shall, at a minimum, outline the subjects or topics for training and education, the timing and frequency of the training, which affected individuals are required to attend, how attendance will be tracked, and how the effectiveness of the training will be periodically evaluated.

(e) Lines of communication. The required provider shall establish and implement effective lines of communication which ensure confidentiality for the required provider's affected individuals. In designing its lines of communication, the required provider shall meet the following requirements:
(1) The lines of communication shall be accessible to all affected individuals and allow for questions regarding compliance issues to be asked and for compliance issues to be reported.
(2) The required provider shall publicize the lines of communication to the compliance officer and such lines of communication must be made available to all affected individuals and all MA recipients of service from the required provider.
(3) The required provider shall have a method for anonymous reporting of potential fraud, waste and abuse, and compliance issues directly to the compliance officer.
(4) The required provider must ensure that the confidentiality of persons reporting compliance issues shall be maintained unless the matter is subject to a disciplinary proceeding, referred to, or under investigation by, MFCU, OMIG or law enforcement, or disclosure is required during a legal proceeding, and such persons shall be protected under the required provider's policy for non-intimidation and non-retaliation.
(5) If applicable, the required provider shall make available on its website, information concerning its compliance program, including its standards of conduct.

(f) Disciplinary standards. The required provider shall establish disciplinary standards and shall implement procedures for the enforcement of such standards to address potential violations and encourage good faith participation in the compliance program by all affected individuals. In developing and enforcing its disciplinary standards, the required provider shall meet the following requirements:
(1) The written policies and procedures establishing, pursuant to subdivision (a) of this section, the required provider's disciplinary standards and the procedures for taking such actions shall be published and disseminated to all affected individuals and shall be incorporated into the required provider's training plan as set forth in subdivision (d) of this section.
(2) The required provider shall enforce its disciplinary standards fairly and consistently, and the same disciplinary action should apply to all levels of personnel.

(g) Auditing and monitoring. The required provider shall establish and implement an effective system for the routine monitoring and identification of compliance risks. The system should include internal monitoring and audits and, as appropriate, external audits, to evaluate the organization's compliance with the requirements of the MA program and the overall effectiveness of the required provider's compliance program. In developing its auditing and monitoring program the required provider shall meet the following requirements:
(1) Auditing. Required providers shall perform routine audits by internal or external auditors who have expertise in state and federal MA program requirements and applicable laws, rules and regulations, or have expertise in the subject area of the audit.
Audits or investigations conducted by state or federal governmental entities are not considered external audits for purposes of this paragraph. The audits required by this paragraph shall meet the following requirements:
(i) Internal and external compliance audits shall focus on the risk areas identified in section 521-1.3 of this SubPart.
(ii) The results of all internal or external audits, or audits conducted by the State or Federal government of the required provider, shall be reviewed for risk areas that can be included in updates to the required provider's compliance program and compliance work plan.
(iii) The design, implementation, and results of any internal or external audits shall be documented, and the results shared with the compliance committee and the governing body.
(iv) Any MA program overpayments identified shall be reported, returned and explained in accordance with the provisions of SubPart 521-3 of this Part and the required provider shall promptly take corrective action to prevent recurrence.
(2) Annual compliance program review. The required provider shall develop and undertake a process for reviewing, at least annually, whether the requirements of this SubPart have been met. The purpose of such reviews shall be to determine the effectiveness of its compliance program, and whether any revision or corrective action is required.
(i) The reviews may be carried out by the compliance officer, compliance committee, external auditors, or other staff designated by the required provider, provided however, that such other staff have the necessary knowledge and expertise to evaluate the effectiveness of the components of the compliance program they are reviewing and are independent from the functions being reviewed.
(ii) The reviews should include on-site visits, interviews with affected individuals, review of records, surveys, or any other comparable method the required provider deems appropriate, provided that such method does not compromise the independence or integrity of the review.
(iii) The required provider shall document the design, implementation and results of its effectiveness review, and any corrective action implemented.
(iv) The results of annual compliance program reviews shall be shared with the chief executive, senior management, compliance committee and the governing body.
(3) Excluded providers. In accordance with the requirements of section 515.5 of this Title, required providers shall confirm the identity and determine the exclusion status of affected individuals. In addition, MMCOs shall confirm the identity and determine the exclusion status of any other persons identified in its contract with the department to participate as an MMCO, including its participating providers and its subcontractors.
(i) In determining the exclusion status of a person required providers shall review the following State and Federal databases at least every thirty (30) days:
(a) New York State Office of the Medicaid Inspector General Exclusion List;
(b) Health and Human Services Office of Inspector General's List of Excluded Individuals and Entities; and
(c) for MMCOs only, any other list or database required by the contract between the MMCO and the department to participate as an MMCO.
(ii) Required providers shall require contractors to comply with the provisions of this paragraph.
In addition, MMCOs shall require their participating providers and subcontractors to comply, where applicable, with the provisions of this paragraph.
(4) The required provider shall promptly share the results of the activities required by this subdivision with the compliance officer and appropriate compliance personnel.

(h) Responding to compliance issues. The required provider shall establish and implement procedures and systems for promptly responding to compliance issues as they are raised, investigating potential compliance problems as identified in the course of the internal auditing and monitoring conducted pursuant to subdivision (g) of this section, correcting such problems promptly and thoroughly to reduce the potential for recurrence, and ensuring ongoing compliance with State and Federal laws, rules and regulations, and requirements of the MA program. In developing its system for responding to compliance program issues, the required provider shall meet the following requirements:
(1) Upon the detection of potential compliance risks and compliance issues, whether through reports received, or as a result of the auditing and monitoring conducted pursuant to subdivision (g) of this section, the required provider shall take prompt action to investigate the conduct in question and determine what, if any, corrective action is required, and likewise promptly implement such corrective action.
(2) The required provider shall document its investigation of the compliance issue which shall include any alleged violations, a description of the investigative process, copies of interview notes and other documents essential for demonstrating that the required provider completed a thorough investigation of the issue.
Where appropriate, the required provider may retain outside experts, auditors, or counsel to assist with the investigation.
(3) The required provider shall document any disciplinary action taken and the corrective action implemented.
(4) If the required provider identifies credible evidence or credibly believes that a State or Federal law, rule or regulation has been violated, the required provider shall promptly report such violation to the appropriate governmental entity, where such reporting is otherwise required by law, rule or regulation. The compliance officer shall receive copies of any reports submitted to governmental entities.

N.Y. Comp. Codes R. & Regs. Tit. 18 §§ 521-1.4
Adopted New York State Register December 28, 2022/Volume XLIV, Issue 52, eff. 12/28/2022