Seven Steps To Medicaid Compliance Program Readiness

By Maureen Dunn McGlynn

The mission of the New York Office of The Medical Inspector General (OMIG) includes enhancing the integrity of the Medicaid program by preventing and detecting fraudulent, abusive and wasteful practices within the Medicaid program. Pursuant to this mission, New York implemented compliance program requirements in 2009. Recently, amended regulations were adopted governing the implementation and operation of effective compliance programs for certain required Medicaid providers. These revised regulations include significant changes to the original regulations and will require affected Medicaid providers to review and revise their existing compliance programs. So, what steps should Medicaid providers take now to meet these new requirements?

1. Determine whether you are a required provider. As a condition of receiving payment under the Medicaid program, a “required provider” must adopt, implement and maintain an effective compliance program that satisfies the new regulations. “Required providers” include providers subject to Articles 28 or 36 of the Public Health Law, Articles 16 or 31 of the Mental Hygiene Law and managed care providers or managed long term care plans (MMCOs). Also included are providers who provide care services or supplies under the Medicaid program for which the Medicaid program is or should be reasonably expected by a provider to be a “substantial portion” of their business operations. A substantial portion of business operations means the provider claimed or received $1 million in any consecutive 12-month period, directly or indirectly from the Medicaid program.

2. Identify your risk areas. A required provider’s compliance program must apply to the provider’s risk areas. Risk areas are areas of the provider’s operations that are or should with due diligence be identified by the provider through its organizational experience. Areas of operations included in a compliance program must include billings, payments, medical necessity and quality of care, governance, mandatory reporting, credentialing, ordered services and contractor, subcontractor, agent or independent contractor oversight. An effective compliance program should be designed to be compatible with the provider’s characteristics (i.e. size, complexity, resources and culture) and be well-integrated into the provider’s operations.

3. Review and update your written policies and procedures and review them at least annually. Compliance programs must have written policies, procedures and standards of conduct accessible to everyone affected by the provider’s risk areas, including employees, chief executives and other senior administrators, managers, contractors, agents, subcontractors, independent contractors and governing body and corporate officers. The policies and procedures must describe compliance expectations, the provider’s fundamental principles, values and commitment to conduct its business in an ethical manner. In addition, the policies and procedures must include specific guidance on dealing with potential compliance issues, identify methods and procedures for communicating compliance issues to the appropriate compliance personnel and describe how potential compliance problems are investigated and resolved.

4. Appoint a compliance officer and plan compliance training. The compliance officer, who is not required to be an employee, reports directly to the chief executive or other senior administrator and periodically reports directly to the governing body. The compliance officer leads and coordinates the compliance committee, which is required to meet at least quarterly, have its own charter and consist of senior managers. Compliance training must be provided annually and must be part of orientation for new employees and occur promptly upon hiring.

5. Create and maintain effective lines of communication to ensure confidentiality. It is important that lines of communication directly to the compliance officer are publicized and available to all staff and Medicaid recipients of service by the provider, including a method for anonymous reporting of potential fraud, waste, abuse and compliance issues. With certain exceptions, the confidentiality of the reporter must be maintained.

6. Monitor and respond to compliance issues. A key component of an effective compliance program is a system for routine monitoring and identification of compliance risks. Monitoring activity results should be promptly shared with the compliance officer and appropriate compliance personnel. It is crucial that compliance issues are promptly investigated and corrected.

7. Take advantage of available resources. There are several resources available to assist in meeting compliance program obligations on the OMIG website (, including a compliance library, webinar, Compliance Program Review Module and OMIG’s Compliance Program Guidance. 

Maureen Dunn McGlynn is a member at
CCB Law, a boutique law firm focused
on providing counsel to physicians and
healthcare professionals. She can be reached
at 315.477.6276 or

Leave a Reply

Your email address will not be published. Required fields are marked *