Compliance Plan requirements
Part by part breakout of what must be covered by the compliance plan.
This is from the HHS OIG at This is an excellent guide on what a compliance plan is and what is expected. If you simple replace Billing companies with school district you have an excellent guide and template to follow. This guide include the following over view of the required elements.
Elements for an Effective Compliance Program
Through experience, the OIG has identified 7 fundamental elements to an effective compliance program. They are:
• Implementing written policies, procedures and standards of conduct;
• Designating a compliance officer and compliance committee;
• Conducting effective training and education;
• Developing effective lines of communication;
• Enforcing standards through well-publicized disciplinary guidelines;
• Conducting internal monitoring and auditing; and
• Responding promptly to detected offenses and developing corrective action
The guide go into the following detail on the elements and what they should include;
At a minimum, comprehensive compliance programs should include the following seven elements:
(1) The development and distribution of written standards of conduct, as well as written policies and procedures that promote the billing company’s commitment to compliance (e.g., by including adherence to the compliance program as an element in evaluating managers and employees) and that address specific areas of potential fraud, such as the claims submission process, code gaming and financial relationships with its providers;
(2) The designation of a chief compliance officer and other appropriate bodies, e.g., a corporate compliance committee, charged with the responsibility of operating and monitoring the compliance program and who report directly to the CEO and the governing body;
(3) The development and implementation of regular, effective education and training programs for all affected employees;
(4) The creation and maintenance of a process, such as a hotline, to receive complaints and the adoption of procedures to protect the anonymity of complainants and to protect callers from retaliation;
(5) The development of a system to respond to allegations of improper/ illegal activities and the enforcement of appropriate disciplinary action against employees who have violated internal compliance policies, applicable statutes, regulations or Federal, State or private payor health care program requirements;
(6) The use of audits and/or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas;18 and
(7) The investigation and correction of identified systemic problems and the development of policies addressing the non-employment of sanctioned individuals.
The New York State regulations say the following:


State Reg - 521.3 Compliance Program Required Provider Duties. (Excludes first part of regulation.)
          (a)  Every required provider shall adopt and implement an effective compliance program. The compliance program may be a component of more comprehensive compliance activities by the required provider so long as the requirements of this Part are met.   Required providers’ compliance programs shall be applicable to:
          (1) billings; 
          (2) payments;  
          (3) medical necessity and quality of care; 
          (4) governance;
          (5) mandatory reporting;
          (6) credentialing; and
          (7) other risk areas that are or should with due diligence be identified by the provider.
Comment: Plan must cover every facet of what leads to and supports the right to a Medicaid payment.  
(b) Upon applying for enrollment in the medical assistance program, and during the month of December each year thereafter, a required provider shall certify to the department, using a form provided by the Office of the Medicaid Inspector General on its website, that a compliance program meeting the requirements of this Part is in place. The Office of the Medicaid Inspector General will make available on its website compliance program guidelines for certain types of required providers. 
(c) A required provider’s compliance program shall include the following elements:
(1)  written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics, implement the operation of the compliance program, provide guidance to employees and others on   dealing with  potential compliance issues, identify how to communicate compliance issues to appropriate compliance personnel and describe how potential compliance problems are investigated and resolved;

This is a very important part. All employees must be made aware of the school district policy concerning compliance with the Medicaid requirements. Here is what we have in our plan as the policy statement. The Board must adopt a board policy.

Policy: Each employee, contractor, or vendor involved with providing or obtaining reimbursement for medical services, supplies, or equipment from or on behalf of our clients is responsible for submitting honest and accurate bills to Medicaid, Medicare, and other Federal and state health care programs. In addition to complying with Kinney's Standards of Conduct, all employees, contractors, and vendors are expected to comply with Federal and state laws and administrative remedies designed to prevent fraud, abuse, and waste in Federal and state health care programs.
(2)  designate an employee vested with responsibility for the day-to-day operation of the compliance program; such employee's duties may solely relate to compliance or may be combined with other duties so long as compliance responsibilities are satisfactorily carried out; such employee shall report directly to the entity's chief executive or other senior administrator designated by the chief executive and shall periodically report directly to the governing body on the activities of the compliance program;
In the education setting the person designated to be the compliance officer must report directly to the superintendent or their designee and periodically to the board on the ongoing compliance activities. Those reports obviously include any allegations being investigated as well as activities to ensure ongoing compliance with the Medicaid program requirements. It should cover things like training of new employees on their responsibility, periodic training of existing employees, changes in program requirements, etc. 
(3)  training and education of all affected employees and persons associated with the provider, including executives and governing body members, on compliance issues, expectations and the compliance program operation; such training shall occur periodically and shall be made a part of the orientation for a new employee, appointee or associate, executive and governing body member;
The training must cover all involved. It must include who the compliance officer is, how to reach them with concerns, and the assured protection of folks reporting possible wrong doing. The initial training on the states and protection of whistle blower will be covered in the state training.
(4)  communication lines to the responsible compliance position, as described in paragraph (2) of this subdivision, that are accessible to all employees, persons associated with the provider, executives and governing body members, to allow compliance issues to be reported; such communication lines shall include a method for anonymous and confidential good faith reporting of potential compliance issues as they are identified;
This is very clear. The reporting mechanisms must be available to all and must allow for the reporting individual to remain anonymous if they so choose. Here is what our says.

1. Anyone who becomes aware of or in good faith suspects wrongdoing by another employee, a board member, a client, a vendor, a contractor, or any other person should report it to their supervisor as well as Joe (Compliance Officer or Diane Kinney or Sandra Steinhardt.

2. The individual making the report may do so by reporting the concern in writing or by using any anonymous method such as leaving a note on one of the above person desk, etc. Anyone making an anonymous report must realize that the Compliance Officer will not be able to ask additional questions of the person reporting nor advise the person of the outcome.

I really think school district should band together and setup an 800 number for employees to use to report alleged wrong doing. It isn't expensive a very simple to do. That way each district won't have to worry about how to cover the anonymous part.   

(5) disciplinary policies to encourage good faith participation in the compliance program by all affected individuals, including policies that articulate expectations for reporting compliance issues and assist in their resolution and outline sanctions for:
          (i) failing to report suspected problems; 
          (ii) participating in non-compliant behavior; or
          (iii) encouraging, directing, facilitating or permitting either actively or passively non-compliant behavior; such disciplinary policies shall be fairly and firmly enforced;
This will probably require a new board policy specific to Medicaid compliance. Here is what ours says:
  1. Organizational Response.

    Non-Compliance/Suspected Criminal Activity.

  • In the event the investigation identifies employee misconduct or suspected criminal activity, Kinney will undertake the following steps.
  • As quickly as possible, cease the offending practice.
  • If the conduct involves the improper submission of claims for payment, we will immediately cease all billing potentially affected by the offending practice and or client.
  • Consult with legal counsel, if necessary, to determine whether voluntary reporting of the identified misconduct to the appropriate governmental authority is warranted.
  • If applicable, calculate and process adjustments for any improper payments made by a Federal or State government program as a result of the misconduct.
  • Initiate appropriate disciplinary action, which may include, but is not limited to, reprimand, demotion, suspension and/or termination. If the offense involves the action of an employee of a client we will immediately report the instance to the appropriate executive at the client.
  • If the investigation uncovers what appears to be criminal conduct on the part of an employee or client, appropriate disciplinary action against the employee or employees who authorized, engaged in or otherwise participated in the offending practice will include, at a minimum, the removal of the person from any position of oversight and may include, in addition, suspension, demotion, and termination. In the case of possible criminal conduct by an employee of a client, referral to the appropriate government official will be made.
  • Promptly undertake appropriate training and education to prevent a recurrence of the misconduct.
  • Conduct a review of policies and procedures to determine whether revisions or the development of new policies and/or procedures are needed to minimize future risk of noncompliance.

Conduct, as appropriate, follow-up monitoring and auditing to ensure effective resolution of the offending practice.


(6)  a system for routine identification of compliance risk areas specific to the provider type, for self-evaluation of such risk areas, including but not limited to internal audits and as appropriate external audits, and for evaluation of potential or actual non-compliance as a result of such self-evaluations and audits, credentialing of providers and persons associated with providers, mandatory reporting, governance, and quality of care of medical assistance program beneficiaries;
This requires a review of each provider area and a plan to deal with the potential problem area's. Issues like supervision, orders, license and registration, supervisor sign-off, periodic check against state and federal excluded provider list, monitoring of licenses and registration information, systematic confirmation actual meeting dates versus scheduled meeting, etc. All are know problem areas that need to be addressed. 
You should also use audit techniques to assure that what we think is happening is actually taking place.
(7)  a system for responding to compliance issues as they are raised;  for investigating potential compliance problems; responding to compliance problems as identified in the course of self-evaluations and audits; correcting such problems promptly and thoroughly and implementing procedures, policies and systems as necessary to reduce the  potential for recurrence; identifying and reporting compliance issues to the department or the office of                   Medicaid inspector general; and refunding overpayments;
Fairly clear, but complex in a school district setting. The structural setting should not, and can not be allowed to, impeded the necessary actions. When problems are identified the plan need to allow for the early informing of the OIG.  For example, you find out that a physical therapist did not pay their registration fee yet their services were billed for. Immediately void the bills and inform the OIG. Then review how this got through the system and implement corrective action so it won't happen again. Historically this is a problem with LSP as they don't need to be registered to work in a school setting.  
(8) a policy of non-intimidation and non-retaliation for good faith participation in the compliance program, including but not limited to reporting potential  issues, investigating issues, self-evaluations, audits and remedial actions, and reporting to appropriate officials as provided in sections seven hundred forty and seven hundred forty-one of the labor law.
People who make the district aware of valid compliance issues must be protected for any retaliation of any type. This can be a problem as you will have one employee reporting on another. The result could be a negative action against one employee who then will seek to retaliate against the other.
Here is our policy:
6. Retaliation or reprisal in any form against anyone who makes a report of wrongdoing, cooperates in an investigation, or participates in the compliance program is strictly prohibited. If an employee or a contractor believes that an adverse action in the form of reprisal or retaliation has been taken against him or her as the result of making a report or cooperating in an investigation pursuant to this or any other compliance policy, he or she should report it to the Compliance Officer immediately.
521.4 Determination of Adequacy of Compliance Program.
           (a) The commissioner of health and the Medicaid inspector general shall have the authority to determine at any time if a provider has a compliance  program that is effective and appropriate to its characteristics and satisfactorily meets the requirements of this Part.
           (b) A provider whose compliance program that is accepted by the federal department of health and human services office of inspector general and remains in compliance with the standards promulgated by such office shall be deemed in compliance with the provisions of this Part, so long as such plans adequately address medical assistance program risk areas and compliance issues.