The Bureau of Compliance (BOC) works to educate, assist, and assess Medicaid program providers in meeting their obligation to establish and operate effective compliance programs by monitoring and enforcing mandatory compliance program and compliance certification requirements.  BOC also coordinates and enforces Corporate Integrity Agreements (CIA).

BOC assesses the compliance programs of Medicaid providers to help ensure they create a control structure to reduce the potential for fraud, waste, and abuse, and have systems in place to identify and self-correct errors before the Medicaid program is billed.

An integral part of BOC’s function is education and outreach to the provider community regarding program integrity compliance.

Who Must Have a Compliance Program?

Persons, providers, or affiliates are required to have a compliance program under New York State Social Services Law (SSL) § 363-d and 18 NYCRR Part 521 if they are a “required provider” as defined in 18 NYCRR § 521.2(a).  

If you answer YES to any of the following questions, you are required to have a compliance program in New York State.

  • Is your organization subject to Article 28 or Article 36 of the NYS Public Health Law? 
  • Is your organization subject to Article 16 or Article 31 of the NYS Mental Hygiene Law?
  • Does your organization claim or order — and/or can be reasonably expected to claim or order —  Medicaid services or supplies of at least $500,000 in any  consecutive 12-month period? 
  • Does your organization receive Medicaid payments — and/or can be reasonably expected to receive payments — either directly or indirectly,  of at least $500,000 in any consecutive 12-month period?

Indirect Medicaid reimbursement is any payment that you receive for the delivery of Medicaid care, services, or supplies that comes from a source other than the State of New York.  For example, if you provide covered services to a Medicaid beneficiary who is enrolled in a Medicaid Managed Care Plan, the payment you receive from the Managed Care Organization is considered an indirect payment.

  • Does your organization submit Medicaid claims of at least $500,000 in any consecutive 12-month period on behalf of another person or persons?
Elements of a Compliance Program

Under New York  Codes, Rules and Regulations (NYCRR) 18 Part 521.3 (c), compliance programs shall include the following elements:

  1.  written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on dealing with potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel and describe how potential compliance problems are investigated and resolved;
  2. designate an employee vested with responsibility for the day-to-day operation of the compliance program; such employee's duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; such employee shall report directly to the entity's chief executive or other senior administrator designated by the chief executive and shall periodically report directly to the governing body on the activities of the compliance program;
  3. training and education of all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations and the compliance program operation; such training shall occur periodically and shall be made a part of the orientation for a new employee, appointee or associate, executive and governing body member;
  4. communication lines to the responsible compliance position, as described in paragraph (2) of this subdivision, that are accessible to all employees, persons associated with the provider, executives and governing body members, to allow compliance issues to be reported; such communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified;
  5. disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assist in their resolution and outline sanctions for:
    1. failing to report suspected problems
    2. participating in non-compliant behavior; or
    3. encouraging, directing, facilitating or permitting either actively or passively non-compliant behavior; such disciplinary policies shall be fairly and firmly enforced; 
  6. a system for routine identification of compliance risk areas specific to the provider type, for self-evaluation of such risk areas, including but not limited to internal audits and as appropriate external audits, and for evaluation of potential or actual non-compliance as a result of such self-evaluations and audits, credentialing of providers and persons associated with providers, mandatory reporting, governance, and quality of care of medical assistance program beneficiaries;
  7. a system for responding to compliance issues as they are raised; for investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting such problems promptly and thoroughly and implementing procedures, policies and systems as necessary to reduce the potential for recurrence; identifying and reporting compliance issues to the department or the Office of Medicaid Inspector General; and refunding overpayments;
  8. a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections 740 and 741 of the Labor Law.

In addition, 18 NYCRR § 521.3 (a) identifies seven areas that all compliance programs must be applicable to:

  1. Billings
  2. Payments
  3. Medical necessity and quality of care
  4. Governance
  5. Mandatory reporting
  6. Credentialing
  7. Other risk areas that are or should with due diligence be identified by the provider 
  8. Please see the Compliance Library for further information on compliance programs.
Contact the Bureau of Compliance

If you have any compliance-related questions, you may call the Bureau of Compliance at 518.408.0401 or email [email protected]