As New Yorkers are preparing for Thanksgiving and the official start to the holiday season (although some could argue it started a month ago), required Medicaid providers should also be reviewing their Compliance Programs in preparation to submit their Annual Provider Compliance Program Certification to the New York State Office of the Medicaid Inspector General (“OMIG”).  Required providers must submit a certification at the time of their enrollment and each December thereafter.

As defined by Social Services Law Section 363-d (“Section 363-d”) and Part 521 of Title 18 of the New York Code of Rules and Regulations (“Part 521”), required providers are considered any provider that can answer “Yes” to one of the following questions and therefore must implement a comprehensive Compliance Program:

  1. Is the provider organization subject to Article 28 or Article 36 of the NYS Public Health Law?
  2. Is the provider organization subject to Article 16 or Article 31 of the NYS Mental Hygiene Law?
  3. Does the provider organization claim or order, or can be reasonably expected to claim or order, Medicaid services or supplies of at least $500,000 in any consecutive 12-month period?
  4. Does the provider organization receive Medicaid payments, or can be reasonably expected to receive payments, either directly or indirectly, of at least $500,000 in any consecutive 12-month period?
  5. Does the provider organization submit Medicaid claims of at least $500,000 in any consecutive 12-month period on behalf of another person or persons?

There are two important concepts to be aware of when answering these questions.  First, as defined by the OMIG, Indirect Medicaid Reimbursement is any payment that a provider receives for the delivery of Medicaid care, services, or supplies that comes from a source other than the State of New York.  An example of this is when a provider provides covered services to a Medicaid beneficiary who is enrolled in a Medicaid Managed Care Plan, any payment from the Managed Care Organization is considered an indirect payment.

The second important concept is that the OMIG considers any consecutive 12-month period to be exactly that, any twelve consecutive months.  This determination should not be considered solely on a calendar year.  For example, if a provider established her practice on April 1, 2018 and will not reach $500,000 in either claims or payments by December 31, 2018 but can reasonably expect to hit that mark by March 2019, then that provider should have a Compliance Program in place and be prepared to certify to its implementation by December 31, 2018.

To assist providers, the OMIG’s website identifies seven compliance areas that a provider’s Compliance Program must apply to, as well as eight elements that should be included in all Compliance Programs, regardless of provider type.

The Seven Compliance Areas are:

  1. Billings;
  2. Payments;
  3. Medical necessity and quality of care;
  4. Governance;
  5. Mandatory reporting;
  6. Credentialing; and
  7. Other risk areas that are or should with due diligence be identified by the provider.

The Eight Elements required in every Compliance Program are:

Element 1: Establish written policies and procedures that clearly describe and implement compliance expectations, as well as provide guidance to employees and others on dealing with potential compliance issues.  The written policies and procedures must also identify how to communicate compliance issues to appropriate compliance personnel and describe how potential compliance problems are investigated and resolved.

Element 2: Designate a Compliance Officer who is responsible for the day-to-day operation of the Compliance Program.

Element 3: Establish an effective training and education program for all affected employees and persons associated with the provider, including executives and governing body members (“affected persons”).

Element 4: Establish clear lines of communication to the Compliance Officer that allow all affected persons report compliance issues.  Providers must also establish anonymous and confidential reporting systems.

Element 5: Establish disciplinary policies that are fairly and firmly enforced to encourage good faith participation in the Compliance Program by all affected persons.  The policies must include clear expectations for the reporting or and assistance in resolving compliance issues.  The policies must also include defined sanctions for:

  • failing to report suspected problems;
  • participating in non-compliant behavior; or
  • encouraging, directing, facilitating or permitting either actively or passively non-compliant behavior.

Element 6: Conduct routine compliance assessments for those risk areas specific to the individual provider type, including but not limited to self-audits. These self-audits can be conducted internally or a provider may choose to have an external party conduct the audit.

Element 7: Establish a system for responding to and investigating potential compliance problems as the Compliance Officer becomes aware of them, either by a report received from an affected person or as the result of an internal assessment.  Compliance Program must also establish systems for the provider to report compliance issues the OMIG, as well as repay any related overpayments.

Element 8: Establish a policy of non-intimidation and non-retaliation for good faith participation in the Compliance Program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections 740 and 741 of the New York State Labor Law.

As mentioned above, each December, required providers must submit a Provider Compliance Program Certification, attesting that they have a Compliance Plan in place and that Compliance Plan satisfies each of the OMIG’s Eight Elements.  If a provider is unable to unequivocally state that their plan meets these requirements then a certification should not be submitted and immediate steps must be taken to all necessary modifications to establish a satisfactory Compliance Plan.  Any provider who submits a false certification may be subject to sanctions, including monetary fines or provider enrollment termination.

If you are unsure whether your Compliance Plan would satisfy the OMIG’s Eight Elements, or if you are a provider who believes you are required to implement a Compliance Plan and have not done so, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or

New York State Court of Appeals, Albany, New York

Earlier this Summer, the Court of Appeals overturned the Appellate Division Third Department’s (the “Third Department”) unanimous decision in The Matter of Anonymous v. Molik, where it ruled that the New York State Justice Center for the Protection of People with Special Needs (“Justice Center”) exceeded its authority by substantiating a report against a facility or provider agency based upon a “concurrent finding” of neglect.[i]  With its decision, the Court of Appeals has not only clarified the Justice Center’s scope of authority, but also reopened the floodgates to a large number of investigations and appeals that have been existing in a state of limbo since the Third Department’s June 2, 2016 decision.[ii]

Pursuant to Executive Law §§ 551-562 and Social Services Law §§ 488-497, the Justice Center was established in 2013 to protect “vulnerable persons who receive care from New York State’s human services agencies.”[iii] It was created to protect all vulnerable persons, or those “who, due to physical or cognitive disabilities, or the need for services or placement, [are] receiving services from a facility or provider agency.”[iv]

All reportable incidents, including any allegation of neglect,[v] must be reported by a facility to the Statewide Vulnerable Persons’ Central Register (“VPCR”)[vi], whereby the Justice Center is mandated to investigate the allegation(s) and submit its findings to the VPCR.[vii]  The Justice Center’s findings are “based on a preponderance of the evidence and indicate whether the alleged abuse or neglect is substantiated in that it is determined the incident occurred and the subject of the report, facility or provider agency are responsible; or the allegation is found to be unsubstantiated because the event did not occur, or the subject of the report was found not responsible.”[viii] Additionally, the Justice Center may make “a concurrent finding . . . that a systemic problem [at the provider agency or facility] caused or contributed to the occurrence of the incident.”[ix]

In Molik, a male resident engaged in inappropriate sexual conduct with a female resident after two staff members momentarily left a common room at the Petitioner’s facility.[x] This assault was the third incident in a six month period, with the previous two assaults being known to the Petitioner.[xi]  The Justice Center investigated the incident, but did not substantiate a report of neglect against the two individuals because “there were no policies or requirements in place prohibiting staff from leaving the room unattended while residents were gathered there.”[xii] However, since the male resident had previously engaged in similar conduct, the Justice Center substantiated a concurrent finding of neglect against the Petitioner, the operator of the residential facility, “for failing to implement clear staff supervision protocols and for failing to modify [the male resident’s] care plan to increase his level of supervision after the first two attacks.”[xiii]

The Petitioner requested that the Justice Center amend its finding to unsubstantiated, which was denied, leading to the Petitioner’s Article 78 action where it received unanimous support from the Third Department.[xiv]  In its decision, the Third Department overturned the Justice Center’s concurrent finding, stating that it did not have to “defer to the Justice Center’s interpretation of the statutory provisions in question . . . [but rather defer to the] pure statutory interpretation dependent only on accurate apprehension of legislative intent.”[xv] “[T]he only circumstance under which the Justice Center could substantiate a report of neglect against a facility or provider agency is where an incident of neglect has occurred but the subject cannot be identified — a situation that is plainly not present here.”[xvi] The Third Department continued by saying, while the Justice Center does, in fact, have the authority to make a concurrent finding, “the only concurrent finding that may be made is that a systemic problem caused or contributed to the occurrence of the incident.”[xvii] Accordingly, since the controlling statute did not provide the Justice Center with the clear ability to categorize a concurrent finding it necessarily followed that such a finding could not constitute neglect on the part of a provider agency.[xviii]

The Court of Appeals, however, did not share in the Third Department’s view, stating that courts may look beyond the literal text of a statute when “the plain intent and purpose of the statute would otherwise be defeated.”[xix] Consequently, the Court viewed the Petitioner’s, and the Third Department’s, narrow interpretation of the law as “leav[ing] the Justice Center powerless to address many systemic issues, defeating the purpose of the Act and preventing the Justice Center from protecting vulnerable persons where it is most critical to do so.”[xx]  The Court, in light of the particular underlying events in Molik, ruled that to uphold this construction “would perversely allow this dangerous cycle to continue: employee conduct could not be substantiated because it does not violate facility policies, but facility policies would remain ineffective because the Justice Center lacks authority to implement change.”[xxi]

In her dissenting opinion, Judge Rivera stated that she agreed with the majority that “[i]t would lead to absurd results if [N.Y. Soc. Serv. Law § 493(3)(a) were interpreted] to permit a facility or provider agency to be found responsible in those situations where an incident occurs and no subject can be identified, but not where an identified subject is found not responsible for a confirmed incident of abuse or neglect.”[xxii]  However, Judge Rivera points out that a ‘concurrent’ finding should be viewed as an ‘adjunct’, requiring that an initial finding of neglect must be made before a provider agency could be found to have concurrently committed neglect, even if the initial subject is ultimately found not responsible.[xxiii]  In Molik, as reasoned by Judge Rivera, the initial step of establishing a finding of abuse or neglect was never reached because the allegation of neglect against the two identified subjects was declared unsubstantiated; therefore, a ‘concurrent’ finding could not be made.[xxiv]

In a post-Molik world, it is imperative that all provider agencies subject to Justice Center oversight review their internal policies, procedures, and processes, understanding that they too are now clearly within the Justice Center’s reach.  Provider agencies should evaluate previous incidents that occurred within the facility to determine whether the necessary corrective actions have been taken or if further steps are needed.  Furthermore, staff training curriculum should be reevaluated to determine whether opportunities for improvement exist.

If you have any questions or would like additional information regarding the Justice Center, or would be interested in assistance reviewing, developing or revising your policies, processes, and training programs, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or


[i] Anonymous v. Molik, 2018 WL 3147607 (N.Y. Jun. 28, 2018).

[ii] Matter of Anonymous v. Molik, 141 A.D.3d 162, (App. Div. 3 Dep’t, June 2, 2016)

[iii] 14 N.Y.C.R.R. § 700.1(a).

[iv] N.Y. Soc. Servs. Law § 488(14).

[v] 14 N.Y.C.R.R § 624.3(b)(8).

[vi] N.Y. Soc. Serv. Law § 492(1)(a).

[vii] Id. at (3)(c)(i); Id. at (3)(c)(viii); N.Y. Soc. Serv. Law § 493(1).

[viii] N.Y. Soc. Serv. Law § 492(3)(a).

[ix] Id. at (3)(b).

[x] Molik, 2018 WL 3147607 at *1.

[xi] Id.

[xii] Id.

[xiii] Id.

[xiv] Id. at *2.

[xv] Molik, 141 A.D.3d. at 166 (internal citations omitted).

[xvi] Id. at 167 (citing N.Y. Soc. Serv. Law § 492(3)(a)).

[xvii] Id. at 167–168 (internal citations and quotations omitted).

[xviii] Id.

[xix] Id. at *4.

[xx] Molik, 2018 WL 3147607 at *5.

[xxi] Id.

[xxii] Id. at 8

[xxiii] Id. at 9.

[xxiv] Id. at 10.

Earlier this month, a bill to amend the False Claims Act (“FCA”), the “Fairness in Health Care Claims, Guidance and Investigations Act,” was introduced in the House of Representatives.  According to one of the bill’s sponsors, Rep. Howard Coble (R-NC), the bill’s purpose is to ensure that unintentional billing disputes are not penalized as fraud.

Some parts of the bill are unlikely to gain wide support.  First, the bill requires that before the Department of Justice (“DOJ”) requests information from a health care provider as part of an investigation, it would have to certify that the responsible agency had examined all regulations, guidelines and billing instructions, all communications with the alleged perpetrator, and each of the allegedly false claims, and certify that the allegations are viable and that the regulations, guidelines and billing instructions were unambiguous at the time of the violation.  Without such a certification, the Court would be required to dismiss a qui tam complaint based on those allegations.

When DOJ receives a qui tam complaint, however, it is mandated by law to investigate, and the bill would seem to require that the government undertake a full investigation based on its own records alone, and on all of the involved claims, before seeking any information from a provider.  The bill would also apply to federal investigations that do not arise from qui tam complaints.  Legislators are unlikely to so severely restrict the ability of federal agencies to investigate health care fraud in light of the massive resources being poured into enforcement.  Similarly, passage of the provision to raise the FCA standard of proof from “preponderance of the evidence” to “clear and convincing evidence” is a long-shot.

Sections Likely to Gain Support

Nevertheless, some parts of the bill could garner support because they go directly to the concept of “fairness” in the bill’s title, and the widespread concern that billing errors or confusion about compliance are routinely characterized by investigators and qui tam relators as fraud.  The bill provides that an FCA case could not be brought based on a claim submitted in good faith reliance on: (1) erroneous information supplied by an agency; (2) written statements of Federal policy provided by an agency; or (3) an audit or review by the agency of the person submitting the claim where there was no finding that the claim was a violation.  The bill would also bar FCA cases where a claim was submitted in substantial compliance with a model compliance program issued by HHS.  Some form of these provisions would add a measure of fairness for providers who are attempting to comply in good faith but do not succeed in meeting all the requirements of extremely complex regulations, guidelines and billing instructions.  Another bill provision would limit FCA claims to those involving an amount of damages that is material to the government.

Providing a safe harbor for providers attempting good faith compliance would be a very appealing change to the FCA.  While the DOJ certification provision has a limited chance of success, a restriction on excessive or disproportionate use of subpoenas and civil investigative demands may have broader support.  In any event, this bill highlights the problems providers face when billing errors or confusion are treated as fraud, and they are subjected to the staggering costs of responding to a federal investigation and the crippling risks of fighting the treble damages and penalties of an FCA case.

Farrell Fritz health care attorneys know the False Claims Act, and can help health care providers deal with government investigations, audits, and compliance issues.

Just a reminder to New York State Medicaid providers that certifications under the NYS Social Services Law and the Federal Deficit Reduction Act are due no later than December 31.

All New York State Medicaid providers who are required to have a compliance program under Social Services Law Section 363-d must certify that their compliance programs are effective.  The certification must be completed during the month of December each year.  The Social Services Law certification is an online certification that may be accessed through the New York State Office of the Medicaid Inspector General website under the Compliance tab. 

Medicaid providers subject to the Federal Deficit Reduction Act of 2005 (DRA) must also provide a certification that they are meeting the DRA’s requirements.  The certification must be completed each year prior to January 1st.  The DRA certification may also be accessed on OMIG’s website under the Compliance tab.

There can be significant consequences both for failing to certify and for certifying compliance when not in compliance with the regulatory requirements.  Parties who are unsure whether they need to certify their programs, or who may have questions regarding their compliance programs or certifications, are advised to consult with their attorneys to review their options.

In late October the U.S. Attorney’s Office in the Southern District of New York announced the settlement of a False Claims Act case against Westchester Medical Center (“WMC”) for $7 million, for submitting false reimbursement claims to Medicaid from August 2001 through June 2010 involving outpatient behavioral health services.  The settlement is to be paid in equal amounts of $3.5 million to the United States and to New York State.

The government’s complaint alleged that WMC billed for outpatient mental health services without having the core documentation required for billing under Medicaid.  The government’s complaint further alleged that WMC’s outpatient department had “virtually no compliance program prior to mid-2010 to ensure that the services took place or that they were provided in accordance with applicable regulations,” and that management was aware of the problems and took steps to avoid dealing with the problems.  In addition to alleging that WMC had presented false claims, the government’s complaint alleged that under the Patient Protection and Affordable Care Act (“PPACA”), WMC had failed to report and return overpayments of Medicaid funds as required within 60 days after identifying the overpayment.

As previously highlighted in this blog, the SDNY has been  requiring  defendants in False Claims Act settlements to admit to a core set of facts.  In the WMC settlement, WMC admitted that required documentation, including patient progress notes, treatment plans and treatment reviews, were often missing or incomplete; that the behavioral health center outpatient clinic lacked a dedicated compliance program; and that WMC had permitted a nurse practitioner who was not properly credentialed to furnish psychiatric services.

The Westchester Medical Center settlement highlights once again the need for medical providers to have a strong compliance program and to aggressively address any compliance problems and any overpayments from Medicare and Medicaid.  Any hope for WMC to mitigate its record-keeping problems was likely lost due to its failure to monitor compliance and address problems when they were raised.  In addition, this case shows that the government will be vigilant in prosecuting FCA claims under PPACA’s requirement that overpayments be reported and returned within 60 days of identification.

The US Department of Health and Human Services Office of Civil Rights (“OCR”) recently released its HIPAA audit protocol.  Audits of HIPAA compliance were mandated by the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amended many parts of HIPAA and included breach notification requirements.

The OCR conducted a number of pilot audits of compliance with privacy, security and breach notification requirements of HIPAA covered entities beginning in 2011, and will continue the test phase through December 2012 with a total of 115 such audits.

Protocol Modules

The protocol is divided into two modules: (1) Security, and (2) Privacy and Breach Notification.  The Security module contains 77 entries, covering Security Rule requirements for administrative, physical, and technical safeguards.  The Privacy and Breach Notification module contains 88 entries, and covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures, as well as Breach Notification Rule requirements.

Lax Enforcement No More

At a recent OCR/National Institute of Standards and Technology (NIST) HIPAA Security Conference, one OCR official stated that “It is no longer acceptable to be noncompliant.”  Another official noted that OCR was finding significant issues with security of electronic data, and that many covered entities were failing to conduct risk assessments, and failing to adequately address identified risks.

In the past, OCR had been accused of lax or non-existent enforcement of HIPAA and HITECH violations.  However, recent record-breaking fines of over $1M against several providers which had committed HIPAA breaches, combined with the full audit program being implemented along with the audit protocols, suggest that the OCR is ramping up its enforcement efforts in a big way.  Covered entities will need to take strong actions to comply with the numerous requirements of the laws.

Steps to Take to Comply

The first step toward increased compliance is to conduct a self-audit.  The new audit protocols lay out exactly what the OCR will be looking at in an audit, and will help covered entities identify areas of weakness.  This audit can be conducted by the covered entity itself, or with the guidance of legal counsel or consultants familiar with HIPAA and HITECH requirements.  Once areas are identified, the provider should prioritize by levels of importance and risk, and begin to implement new or revised policies and procedures to address the issues.

The New York State Office of the Medicaid Inspector General (“OMIG”) recently released its Compliance Program Guidance for General Hospitals.   While the OMIG had previously released a Compliance Program Assessment Tool, the new Guidance document provides a far greater level of detail as to the expectations of a hospital’s compliance program.

New York State law (Social Services Law Section 363-d and 18 NYCRR Section 521.3) requires that hospitals and most other Medicaid providers adopt and implement “effective compliance programs” in order to participate in New York’s Medicaid program.  If a Medicaid provider fails to implement an effective compliance program, that provider may be ineligible to bill or receive Medicaid payments, and the provider’s participation in the Medicaid program could be revoked.

Eight Elements of an Effective Compliance Program

The compliance program implemented by Medicaid providers must apply to billings, payments, medical necessity and quality of care, governance, mandatory reporting, credentialing and other risk areas that are or should, with due diligence, be identified by the provider.  The Guidance provides OMIG’s views on the eight elements for effective compliance programs.  In brief, the eight elements are as follows:

(1)  Written Policies and Procedures
(2)  Designation of Compliance Officer
(3)  Training and Education
(4)  Communication Lines to the Compliance Officer
(5)  Disciplinary Policies
(6)  Identification of Compliance Risk Areas and Non-Compliance
(7)  Responding to Compliance Issues
(8)  Policy of Non-Intimidation and Non-Retaliation

The Guidance breaks down each element into multiple requirements, and the provides numerous specific recommendations for each requirement.  For example, under Element #2, Requirement #2, these can be as broad as “the compliance officer advises on compliance related contract provisions” and as specific as which committee meetings the Compliance Officer might attend (quality assurance, risk management, billing and coding, and credentialling).

The OMIG continues to conduct compliance program effectiveness reviews, and has stated that adherence to the Guidance document recommendations will be one measure of an effective program.

Not Just for Hospitals

While directly relevant and specific to acute care hospitals in New York, the Guidance is recommended reading for all other Medicaid providers.  Non-acute care providers will gain insight into items OMIG will look for in a compliance program, and may elect to proactively amend their compliance programs.  In addition, providers who service hospitals are likely to find language in their contracts mandating that they abide by the hospitals’ compliance programs.

Health care providers in New York that participate in Medicaid may be included in the latest cycle of the Centers for Medicare and Medicaid Services Payment Error Rate Measurement Program (“PERM”).  PERM was developed in response to the Improper Payment Information Act, which requires that Federal agencies review programs that are prone to erroneous payments on an annual basis. The PERM Program reviews each state once every three years.

The New York State Medicaid Program is included in the current PERM cycle.  As a result, CMS will review a random sample of fee-for-service (FFS) Medicaid payments submitted by providers between  October 1, 2010 and September 30, 2011.

CMS began contacting providers in October 2011 and will continue with such requests until mid-2012. CMS initiates the request by calling the affected service provider, explaining the PERM process and requesting provider records for  review.  The calls are followed up by a written request for specific medical records.

Providers have seventy-five (75) days to respond to CMS’s request for documentation on the targeted FFS.  If a provider does not respond within that time frame, CMS will determine that there is no evidence to adequately establish whether the services were provided, medically necessary or properly coded or paid.  Not responding to a CMS request will likely result in a recoupment request by the NYS Office of the Medicaid Inspector General.

If CMS determines that an erroneous payment was made, the NYS Office of the Medicaid Inspector General may recover those erroneous payments from the health care provider.  Providers will be afforded normal appeal rights with New York State if such an error is determined.

There are certain “best practices” that health care providers should follow when dealing with a PERM Program request, including:

  • being knowledgeable about state Medicaid policies for their provider type and maintaining accurate documentation as required by state policies;
  • designating a point of contact to hand record requests;
  • making the request a priority and reviewing it as soon as it is received;
  • viewing the record for document/image readability quality;
  • understanding that sending billing information is not sufficient proof that services were provided; and
  • maintaining a copy of the documentation sent to CMS in order to be able to reference it upon any follow-up calls by CMS to the service provider.