OMIG Proposes Significant New Compliance Program Regulations

July 26, 2022


On July 13, 2022, the New York State Office of the Medicaid Inspector General (“OMIG”) published a significant set of proposed compliance-related rules.  If finalized, the new rules would repeal the existing regulations governing provider compliance programs (found in 18 NYCRR Part 521), and replace them with three new subparts concerning, respectively:  (i) Compliance Programs (proposed 18 NYCRR Subpart 521-1); (ii) Medicaid Managed Care Organization Fraud, Waste and Abuse Prevention (proposed 18 NYCRR Subpart 521-2); and (iii) OMIG’s Self-Disclosure Program (proposed Subpart 521-3).

This Alert discusses some of the more significant changes found in the newly proposed compliance program regulations.  These include:

  • Changes to the definition of “Substantial Portion of Business Operations”.  New York’s mandatory compliance program requirements apply to certain “required providers,” including any person for whom the Medicaid program is (or is reasonably expected to be) a “substantial portion” of their business operations.  The newly proposed regulations increase from $500,000 to $1,000,000 the threshold amount of Medicaid claims or receipts a provider must have (or should be reasonably expected to have) in any consecutive 12 month period to qualify as a “required provider.”  This change, if enacted as proposed, will reduce the number of providers required to have a compliance program under New York law.
  • Enacts Other Significant New Definitions. The proposed compliance program rules also include other significant new definitions.  For example, the proposed rules define who qualifies as “affected individuals” (that is, those to whom a compliance program applies).  “Affected individuals” under the proposed rules means “all persons who are affected by the required provider’s risk areas including … employees, the chief executive and other senior administrators, managers, contractors, agents, subcontractors, independent contractors, and governing body and corporate officers.”  The proposed rules also lay out detailed definitions of what constitutes an “effective compliance program” and what qualifies as “organizational experience” – one of the new “risk areas” to which the proposed rules make compliance programs applicable.
  • Specifies Record Retention Requirements. While the existing regulations are silent on record retention requirements, the proposed rules specify that providers must retain all records demonstrating their adoption, implementation and operation of an effective compliance program – as well as records demonstrating that the provider has met the regulatory requirements – for not less than six (6) years from the date the program is implemented, or any amendments are made.
  • Contractual Requirements. The newly proposed regulations require providers to ensure that their contracts with contractors, agents, subcontractors and independent contractors specify that they are subject to the provider’s compliance program requirements if they are “affected individuals” and that all contracts must include termination provisions for failure to adhere to the compliance program’s requirements.  If finalized, this rule will likely require most required providers to review and amend many of their existing agreements.
  • Compliance Officer Responsibilities. The newly proposed rules also set out, in detail, the Compliance Officer’s responsibilities.  For example, the Compliance Officer must, among other things, draft, implement and update no less than annually (or as otherwise necessary) a compliance work plan for the coming year, and must report no less than quarterly to the governing body, chief executive and Compliance Committee on the progress of adopting, implementing and maintaining the compliance program.  The new rules also specifically mandate that the Compliance Officer be allocated sufficient staff and resources to satisfactorily perform his or her day-to-day responsibilities based on the required provider’s risk areas and “organizational experience.”
  • Compliance Committee Requirements.  Under the proposed rules, the Compliance Committee must have a charter outlining its duties and responsibilities, its membership, the designation of a chair and the frequency of its meetings.  The charter must be reviewed and updated no less than annually by the Committee.  The Compliance Committee’s membership must include, at minimum, senior managers, and the Committee must meet no less than quarterly. The Compliance Committee also is responsible under the proposed rules for ensuring that the Compliance Officer is allocated sufficient funding, resources and staff to fully perform his or her responsibilities.
  • Time Periods. The proposed regulations also lay out specific time frames in a number of areas.  For instance, the proposed rules specify that the compliance program’s policies and procedures and standards of conducts be reviewed at least annually; that training and education must be part of the orientation of new compliance officers and affected individuals and shall occur “promptly” upon hiring; that the provider must develop and undertake a process for reviewing, at least annually, whether it meets the regulatory requirements of Subpart 521-1 (and whether any revision or corrective action is required); and that exclusion checks of affected individuals occur at least every thirty (30) days on specified databases.

The proposed rules touch on myriad other areas as well – relating, for example, to the risk areas to which a compliance program must apply, certification, written policies and procedures, training and education, lines of communication, disciplinary standards, auditing and monitoring and OMIG reviews of provider compliance programs.

Providers should review their existing compliance program in light of the newly proposed regulations and consider what changes will be necessary to their program once the proposed rules are finalized.

 A copy of the proposed regulations can be found here:

 The comment period for the proposed regulations runs until September 12, 2022.  If finalized, enforcement of the compliance program regulations under Subpart 521-1 will not occur until 90 days after the effective date of the regulations.

Garfunkel Wild is available to review your current compliance program and to assist in making any revisions that may be necessary.  We are also available to help create and implement compliance programs for those who do not currently have one.

Download the Alert »

Should you have any questions regarding the above, please contact the Garfunkel Wild attorney with whom you regularly work, or contact us at