Updated Compliance Program Regulations Finalized

By Paul Mayer, on February 16th, 2023

Since April 2020, we have been waiting for the Office of Medicaid Inspector General (OMIG) to update the 18 NYCRR Part 521 regulations in order to meet the amendments of the New York State Social Service Law Section 363-D. As of December 28, 2022, those regulations were made final and effective. This article will be particularly useful if you are one of the “required providers,” mandated to follow the Law and Regulations.

New York Social Service Law Section 363-D outlined expectations for mandatory Compliance Programs in New York State for those organizations that are considered “required providers.” The law included identifying those organizations required to comply, the required components of an effective Compliance Program, and the fines and penalties associated with not having an effective Compliance Program. The 18 NYCRR Part 521 Regulations set the expectations by OMIG. Both law and regulations identify the self-disclosure protocol and set expectations for Medicaid Managed Care Organizations. This article will focus on the 18 NYCRR Part 521-1 component of the regulations which outlines the elements and expectations of an effective Compliance Program.

18 NYCRR Part 521 became effective in 2009, and its requirements remained unchanged since that time. In October 2016, OMIG published a guidance document describing its expectations related to the regulations. Almost two and a half years later, the 2020 Laws of New York amended the 363-D Compliance Program requirements. As previously mentioned, on December 28, 2022, these regulations were finalized and made effective. Enforcement of the updated regulations will not begin until March 28, 2023, 90 days after they became effective.

Some of the key changes in the updated regulations include but are not limited to the following, which we will expand upon in the ensuing paragraphs:

  • Required Providers – Increased Medicaid revenue threshold for “substantial portion of business operations” to $1,000,000 (from $500,000) and defines those who are required regardless of amount of Medicaid dollars
  • Defined “Affected Individuals”
  • Increased Compliance Program applicability to specific risk areas to be addressed
  • Addressed Compliance Officer reporting requirements
  • Requires Compliance Committee and Committee Charter
  • Requires Annual Risk Assessment and Annual Work Plan
  • Training requirements are further defined
  • Added Compliance Program documentation retention period
  • Requires annual effectiveness review of Compliance Program, Policies & Procedures and Standards of Conduct

Required Providers

Per the regulations, Article 16, Article 28, Article 31, and Article 36 Clinics are defined as required providers under the Part 521 Regulations. In addition, under the new regulations, Medicaid Managed Care Organizations and an entity that has $1,000,000+ of Medicaid revenue in a 12-month period are considered required providers. This threshold is an increase from the previous threshold of $500,000+.

Affected Individuals

Affected Individuals are now defined under the regulations. Affected Individuals include employees, Chief Executive, Senior Administrators and Managers, Contractors, Agents, Subcontractors, Independent Contractors, Governing Body, and Corporate Officers. What does this mean for a required provider? This shows that it is critical that the Governing Body is engaged and kept abreast of the required provider’s Compliance Program. Furthermore, the Governing Body is to be involved in the evaluation process of determining that the Compliance Program is effective.

Required Components of an Effective Compliance Program

Regulations now address the development of the required provider’s policy and procedure. The policy must address the process for drafting, revising and approving policies and procedures. Additionally, the policy must establish the expectation that Affected Individuals will act in accordance with the Standards of Conduct, that they must refuse to participate in unethical or illegal conduct, and that they must report any unethical or illegal conduct to the Compliance Officer.

The required provider needs to ensure the Policies and Procedures are available, accessible, and applicable to those who are deemed Affected Individuals. Furthermore, Policies and Procedures and the Standards of Conduct are to be reviewed annually for effectiveness and the need to be revised.

The regulations indicate that Policies and Procedures must not only be available to Affected Individuals and reviewed for effectiveness, but must also address various elements. These elements include, but are not limited to, the structure of the Compliance Program, the responsibilities of all Affected Individuals in carrying out the functions of the Compliance Program, methods and procedures for communicating compliance issues or concerns, compliance investigations, and non-intimidation and non-retaliation for good faith participation. It is key that Policies and Procedures are accessible and support an effective Compliance Program.

Compliance Officer

A Compliance Officer is now defined as an “individual.” This individual is responsible for overseeing the Compliance Program, evaluating the effectiveness of the Compliance Program, drafting and overseeing a Compliance Work Plan at least annually, and reviewing and revising the Compliance Program as needed. The Compliance Officer must also report at least quarterly to the Governing Body, Chief Executive, and Compliance Committee, and must be allocated sufficient staff and resources. This is key to ensuring that the required provider has an effective Compliance Program.

Compliance Committee

The regulations now require a Compliance Committee. The Committee is to be comprised of Senior Management, and reports directly to the Chief Executive and Governing Body. The Committee must have a Charter outlining its duties and responsibilities, membership, designation of a Chair, and meeting frequency. The Committee is required to meet at least quarterly and is to review its Charter on an annual basis, at minimum.

The Compliance Committee will play a key role in supporting the Compliance Officer and ensuring that the required provider’s Compliance Program is effective and successful. The Compliance Committee will be responsible for coordinating with the Compliance Officer to ensure that the Compliance Program is evaluated consistently for effectiveness.

Training and Education

The regulations detail requirements for training and education. It is required that a required provider has an effective Compliance Training Program for both the Compliance Officer as well as all Affected Individuals. Compliance Training must occur no less than annually, and new hires must receive their training promptly upon hire. Trainings need to address risk areas, policies, and procedures such as the Standards of Conduct, reporting, resolution, investigation, non-retaliation, etc., the role of the Compliance Officer and Compliance Committee, methods of reporting Compliance concerns, disciplinary standards, and other applicable laws and regulations (Deficit Reduction Act, False Claims Act, Whistleblower Protections). In addition to specific topics being required, a Training Work Plan must be developed and maintained. This Training Work Plan is to be evaluated regularly to ensure trainings are effective and relevant.

Lines of Communication

Per the regulations, Required Providers must publicize the lines of communication to the Compliance Officer. This information is to be made available to all Affected Individuals, as well as Medicaid recipients of service. Information about the Compliance Program, as well as the Standards of Conduct are to be made available on the required provider’s website.

A written Policy and Procedure addressing disciplinary standards and the procedures for taking such actions must be published and distributed to all Affected Individuals. This Policy and Procedure must also be incorporated into the Training Plan.

Auditing and Monitoring

It should be noted that auditing and monitoring are one of many key components in determining the effectiveness of a Compliance Program. Required Providers must employ a process that routinely monitors and identifies Compliance risks. Part of this process is to include the monitoring of internal and external audits with a focus on the effectiveness of the Compliance Program. The effectiveness of the Compliance Program can be evaluated through audit results and corrective actions. It is important that the required provider focuses on the risk areas identified within the regulations and shares the results of all audits, both internal and external, with the Compliance Committee and governing body. Furthermore, these results and risk areas should be incorporated in the Compliance Program and Annual Work Plan.

Risk Areas

The regulations indicate that a Compliance Program needs to address and monitor the required provider’s risk areas, some of which include billing, payments, ordered services, medical necessity, quality of care, governance, mandatory reporting, credentialing, and contract oversight.

Exclusion Screening

All required providers are to conduct monthly exclusion checks. It should be noted that these checks are to occur “at least every 30 days”. In addition to employees, contractors, agents, subcontractors, and independent contractors should be checked. It should be noted that the regulation states “required providers shall require contractors to comply”.

Record Retention

Required providers must keep their records for at least six years. An organization should retain all records demonstrating that the required provider has adopted, implemented, and maintains an effective compliance program.

Effectiveness of Compliance Program

The regulations indicate that a Compliance Program can be deemed effective when it is fully rooted into all aspects of the organization. An effective Compliance Program must be supported by all staff within an organization, including Senior Management and the governing body. Additionally, an effective Compliance Program will be constructed in a way that helps prevent, detect, and correct any form of noncompliance, including fraud, waste, and abuse.

So how does a required provider determine the effectiveness of their Compliance Program? They must continuously evaluate their program by updating their risk assessment on a periodic basis. They also need to review and update their policies and procedures, survey their culture of compliance, and conduct testing to confirm their established controls are working.

Annual Compliance Program Effectiveness Review

The regulations state that an annual review of the effectiveness of the Compliance Program must occur. This review can be conducted internally by the Compliance Officer or the Compliance Committee, or by an external auditor. It is important to ensure that the reviewing entity, whether internal or external, meets the requisites to conduct the review and is autonomous. The review should include on-site visits, interviews with staff, record reviews, and surveys. A required provider should be sure to document how the review was designed and implemented. All results and corrective actions implemented need to be documented and shared with the Chief Executive, Senior Management, Compliance Committee, and the governing body.

What’s Next?

Now is the time to determine how these changes affect you and your agency. When reviewing the regulations, consider what additional resources, if any, you will need to become compliant and remain compliant. Educate your Senior Leadership and Board on these regulations and how they will be impacted. Be diligent in reviewing your current Compliance Program, compare it to the updated regulations, and develop a plan to make any necessary changes and implement them by March 28, 2023.

If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.

The Bonadio Group’s Compliance Solutions team is a group of experienced, licensed, and credentialed professionals. Our team members have more than 60 years’ combined provider experience in roles of Compliance Officer, Director of Nursing Services, Quality Assurance, and Direct Care prior to joining The Bonadio Group in their current consulting roles. Our team assists providers of all types in developing, implementing, maintaining, and assessing Compliance Programs.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.

Written By

Paul Mayer
Executive Vice President