A new Part 521, entitled “Provider Compliance Programs,” is added to Title 18 of the Codes, Rules and Regulations of the State of New York to read as follows:

PART 521
PROVIDER COMPLIANCE PROGRAMS

§521.1 General requirements and scope. To be eligible to receive medical assistance payments for care, services, or supplies, or to be eligible to submit claims for care, services, or supplies for or on behalf of another person, the following persons shall adopt and implement effective compliance programs: (a) persons subject to the provisions of articles twenty-eight or thirty-six of the public health law; (b) persons subject to the provisions of articles sixteen or thirty-one of the mental hygiene law; or (c) other persons, providers or affiliates who provide care, services or supplies under the medical assistance program or persons who submit claims for care, services, or supplies for or on behalf of another person for which the medical assistance program is or should be reasonably expected by a provider to be a substantial portion of their business operations.

§521.2 Definitions. For purposes of this Part, the definitions contained in Parts 504 and 515 of this Title shall apply. In addition, the following terms, as used in this Part, shall have the following meanings:
(a) “Required provider” means a provider meeting any of the criteria listed in subpart
521.1 of this Part. (b) “Substantial portion” of business operations means any of the following:
(1) when a person, provider or affiliate claims or orders, or has claimed or has ordered, or should be reasonably expected to claim or order at least five hundred thousand dollars ($500,000) in any consecutive twelve-month period from the medical assistance program;
(2) when a person, provider or affiliate receives or has received, or should be reasonably expected to receive at least five hundred thousand dollars ($500,000) in any consecutive twelve-month period directly or indirectly from the medical assistance program; or
(3) when a person, provider or affiliate who submits or has submitted claims for care, services, or supplies to the medical assistance program on behalf of another person or persons in the aggregate of at least five hundred thousand dollars ($500,000) in any consecutive twelve-month period.

§521.3 Compliance Program Required Provider Duties.
(a) Every required provider shall adopt and implement an effective compliance program. The compliance program may be a component of more comprehensive compliance activities by the required provider so long as the requirements of this Part are met. Required providers’ compliance programs shall be applicable to: (1) billings;
(2) payments; (3) medical necessity and quality of care; (4) governance; (5) mandatory reporting; (6) credentialing; and
(7) other risk areas that are or should with due diligence be identified by the provider.
(b) Upon applying for enrollment in the medical assistance program, and during the month of December each year thereafter, a required provider shall certify to the department, using a form provided by the Office of the Medicaid Inspector General on its website, that a compliance program meeting the requirements of this Part is in place. The Office of the Medicaid Inspector General will make available on its website compliance program guidelines for certain types of required providers.
(c) A required provider’s compliance program shall include the following elements:
(1) written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on dealing with potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel and describe how potential compliance problems are investigated and resolved;
(2) designate an employee vested with responsibility for the day-to-day operation of the compliance program; such employee's duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; such employee shall report directly to the entity's chief executive or other senior administrator designated by the chief executive and shall periodically report directly to the governing body on the activities of the compliance program;
(3) training and education of all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations and the compliance program operation; such training shall occur periodically and shall be made a part of the orientation for a new employee, appointee or associate, executive and governing body member;
(4) communication lines to the responsible compliance position, as described in paragraph (2) of this subdivision, that are accessible to all employees, persons associated with the provider, executives and governing body members, to allow compliance issues to be reported; such communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified;
(5) disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assist in their resolution and outline sanctions for:
(i) failing to report suspected problems;
(ii) participating in non-compliant behavior; or
(iii) encouraging, directing, facilitating or permitting either actively or passively non-compliant behavior;
such disciplinary policies shall be fairly and firmly enforced;
(6) a system for routine identification of compliance risk areas specific to the provider type, for self-evaluation of such risk areas, including but not limited to internal audits and as appropriate external audits, and for evaluation of potential or actual non-compliance as a result of such self-evaluations and audits, credentialing of providers and persons associated with providers, mandatory reporting, governance, and quality of care of medical assistance program beneficiaries;
(7) a system for responding to compliance issues as they are raised; for investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting such problems promptly and thoroughly and implementing procedures, policies and systems as necessary to reduce the potential for recurrence; identifying and reporting compliance issues to the department or the office of Medicaid inspector general; and refunding overpayments;
(8) a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections seven hundred forty and seven hundred forty-one of the labor law.

521.4 Determination of Adequacy of Compliance Program.
(a) The commissioner of health and the Medicaid inspector general shall have the authority to determine at any time if a provider has a compliance program that is effective and appropriate to its characteristics and satisfactorily meets the requirements of this Part.
(b) A provider whose compliance program that is accepted by the federal department of health and human services office of inspector general and remains in compliance with the standards promulgated by such office shall be deemed in compliance with the provisions of this Part, so long as such plans adequately address medical assistance program risk areas and compliance issues.
(c) In the event that the commissioner of health or the Medicaid inspector general finds that the required provider does not have a satisfactory program, the provider may be subject to any sanctions or penalties permitted by federal or state laws and regulations, including revocation of the provider's agreement to participate in the medical assistance program.