New York Medicaid · 18 NYCRR Subpart 521-1

New York Medicaid compliance, actually operated.

part521 helps Medicaid providers build, run, and document the compliance program required under Subpart 521-1 — without hiring a full-time compliance department.

If you receive $1M+ from New York Medicaid, directly or indirectly, your organization is required to maintain an effective compliance program. part521 gives you the software and workflows — exclusion screening, training, bring-your-own hotline setup, committee cadence, reminders, and audit-ready evidence capture — so you can build, run, and document that program yourself.

See what part521 does
Built for NY Medicaid providers Monthly exclusion screening Bring-your-own hotline setup Audit-ready records
Required threshold
$1M+ Medicaid
Direct or indirect, in any consecutive 12-month period
Penalty for failure to adopt
$5K/month
Plus recoupment, enrollment risk, and termination exposure
Required program elements
7 elements
All seven Subpart 521-1 elements — generated, operated, and documented
Are you required?

If Medicaid is more than a sliver of your revenue, the rule probably applies.

OMIG has been actively enforcing Subpart 521-1 since March 2023. The threshold is broader than most operators realize.

Subpart 521-1 applies to any provider that claims, orders, refers, attests, or receives $1,000,000 or more in any consecutive 12-month period from the New York Medicaid program — directly or indirectly.

"Indirectly" is the part most operators miss. If you contract with a Medicaid Managed Care Organization, an MCO, or another Medicaid-funded entity, those payments count toward your threshold. So do payments routed through brokers like MAS or ModivCare for NEMT.

If you cross that threshold, you're a "Required Provider" and your organization must adopt, implement, and maintain an effective compliance program — and review it annually.

Three quick tests

Are you in scope?

Test 1

Revenue threshold

You received $1M+ from Medicaid in any rolling 12 months — direct, indirect, or via MCO/broker.

Test 2

Provider type

You are a Medicaid-enrolled provider or you serve Medicaid beneficiaries through a Medicaid-funded contract.

Test 3

Activity

You claim, order, refer, attest, or are paid for services that touch the Medicaid program.

Not sure if you're in scope? Take the 60-second eligibility check. We'll tell you whether Subpart 521-1 likely applies and what to do next.
The real problem

A compliance program is not a binder on a shelf. It's an operating requirement.

Adopting a written program is the easy part. Keeping it actually running every month — and being able to prove it — is where most providers come up short.

Subpart 521-1 doesn't just require you to have a program. It requires you to adopt, implement, and maintain one — and to review its effectiveness annually.

That means the program has to be active. Someone has to screen employees and contractors against the federal and state exclusion lists every month. Someone has to assign training and track who completed it. Someone has to maintain a reporting hotline. Someone has to hold compliance committee meetings, document issues raised, follow up on them, and keep the records together for the next audit.

Most small and mid-sized providers don't have that person.

So the job falls to the owner, the administrator, the biller, the dispatcher, or whoever has the least-full plate that week. Which means the program either doesn't get built, doesn't get updated, or — when OMIG asks — can't be proven.

  • Monthly LEIE / SAM / OMIG exclusion screening
  • Training assignment and completion tracking
  • Anonymous reporting and intake
  • Compliance committee meetings and minutes
  • Issue tracking and follow-up
  • Annual effectiveness review and documentation
  • Policy and Code of Conduct updates
  • Audit-ready evidence storage
What part521 does

part521 turns compliance from a scramble into a monthly operating system.

One platform that helps you build the program, keep it running, and add independence — purpose-built for the way Subpart 521-1 actually works.

Build

We help you build the program.

Written compliance program, Code of Conduct, policies, risk areas, committee structure, and adoption documents — generated and tailored to your provider type. You go from zero to a defensible program in days, not months.

Run

We help you keep it running every month.

Monthly exclusion screening, bring-your-own hotline setup, training assignment, meeting agendas and minutes, reminders, follow-ups, and a guided annual effectiveness review. The work happens on a calendar, not on a panic.

Independence

We help you add independence.

Subpart 521-1 expects an independent outside member on your compliance committee. Bring your own — your healthcare attorney or compliance advisor — or ask part521 to surface a suggested contact you can reach out to. You engage them directly; part521 is software, not a broker.

What you get

Concrete deliverables. Audit-ready records.

Everything you need to demonstrate that your compliance program is real, active, and documented — in one place.

1

A generated compliance program

Written program, Code of Conduct, policies, risk areas, and adoption documents tailored to your provider type and operations.

2

A live compliance calendar

Monthly, quarterly, and annual tasks queued and tracked — so nothing depends on memory or someone else's calendar.

3

Monthly exclusion screening

LEIE, SAM, and New York exclusion list checks for every employee, contractor, and vendor — with timestamped evidence saved.

4

Training and tracking

Assign required compliance training, track completion across staff, and keep dated records of who took what and when.

5

Anonymous reporting hotline setup

Subpart 521-1 requires an anonymous reporting channel. You bring your own hotline vendor — part521 records the phone number, web URL, optional intake email, and any company or access code, then surfaces it across your program documents, poster, and compliance page so it stays consistent.

6

Committee meeting workflow

Agendas, minutes, attendance, issues raised, follow-up items, and supporting evidence — stored together by meeting.

7

Guided annual effectiveness review

A structured walk-through that produces the documentation package required for your annual program review.

8

Audit-ready records

Every screening result, training record, meeting minute, hotline log, and policy version stored in one place — ready when OMIG asks.

Who we built this for

Built for Medicaid providers without compliance departments.

part521 is designed for owner-operated and mid-sized New York Medicaid providers who cross the $1M threshold but don't have, and shouldn't need to hire, a full-time compliance department.

NEMT & ambulette Home care (LHCSA / CHHA) Pharmacies DME suppliers Dental practices Behavioral health PT / OT / SLP Article 16 / 28 / 31 Specialty clinics

If Medicaid is a major part of your revenue, the question isn't whether compliance matters. The question is whether you can prove your program is actually operating.

How it works

Four steps from "we should probably do this" to running.

Step 01

Intake

Tell us your provider type, services, and program status. We tailor what comes next.

Step 02

Program generated

Your written program, Code of Conduct, policies, and committee structure — drafted and ready to adopt.

Step 03

Monthly operation

Screening, training, hotline, meetings, and reminders run on the calendar. Records save automatically.

Step 04

Annual review

Guided effectiveness review and documentation package — assembled, not improvised, when OMIG comes calling.

Pricing

Pricing built around what your operation actually needs.

Software only. You pay part521 for the software, onboarding, and support — nothing else. Your hotline vendor and your independent outside member are bring-your-own, and you contract with them directly. Final pricing is set during onboarding — join the waitlist for founding-customer rates.

Starter
Contact us for pricing
Software, workflows, and the records you need to show your program is running.
  • Generated written compliance program
  • Monthly exclusion screening (LEIE, SAM, NY)
  • Bring-your-own hotline setup
  • Committee meeting workflow
  • Training assignment and tracking
  • Audit-ready records
Start now
Operating
Contact us for pricing
Everything in Starter plus a guided annual review and direct support when issues come up.
  • Everything in Starter
  • Guided annual effectiveness review
  • Issue triage and escalation support
  • Policy update library
  • Quarterly compliance check-ins
  • Direct support channel
Start now
Multi-Site
Custom pricing
Everything in Operating, scaled for operators running compliance across multiple locations or entities.
  • Everything in Operating
  • Multiple locations and entities
  • Custom content overlays for your verticals
  • Consolidated reporting across sites
  • Named customer success contact
  • Outside-member setup + suggested contacts
Talk to us
FAQ

Common questions, answered straight.

Does Subpart 521-1 actually apply to my company?

If your organization claims, orders, refers, attests, or receives $1,000,000 or more from the New York Medicaid program in any 12-month period — directly or indirectly through MCOs or other Medicaid-funded entities — yes. The 60-second eligibility check at the top of this page will give you a clearer answer in under a minute.

What counts as "Medicaid revenue"?

Direct fee-for-service Medicaid payments, payments from Medicaid Managed Care Organizations (MCOs), payments routed through Medicaid-funded brokers (such as MAS or ModivCare for NEMT), and payments for services attested or referred under Medicaid all count toward the threshold. The rule defines this broadly on purpose.

What happens if we don't have a compliance program?

OMIG can impose a sanction of up to $5,000 per month for the first violation, with higher sanctions for repeat violations. Beyond direct sanctions, providers face recoupment of Medicaid payments, enrollment risk, and in serious cases, termination from the Medicaid program.

How is part521 different from a generic compliance SaaS?

Generic compliance platforms cover broad regulatory frameworks. part521 is purpose-built around 18 NYCRR Subpart 521-1 — the specific elements OMIG looks for, the specific records they expect, and the operational rhythm New York Medicaid providers need. We help operate the program, not just store policies in a folder.

How does the hotline work?

Subpart 521-1 requires an anonymous reporting channel, and you bring your own hotline vendor — many providers already have one, and any qualifying vendor works. part521 records the phone number, web URL, optional intake email, and any company or access code, then keeps that information consistent across your program documents, poster, and public compliance page. You contract with the hotline vendor directly; part521 is not a party to that contract and earns no fee from it.

Who handles the monthly exclusion screening?

part521 runs automated monthly exclusion screening against the federal LEIE, SAM, and the New York State exclusion lists for every employee, contractor, and vendor on your roster. Results and timestamps are saved to your records automatically.

Does part521 replace our healthcare attorney?

No. part521 is a compliance operating system, not a law firm. We help you run the program day-to-day. For legal advice, OMIG matters, contracts, and litigation, you still need counsel. If you don't have a healthcare attorney or compliance advisor, part521 can surface a suggested contact for you to reach out to — you engage them directly.

How fast can we be up and running?

Most providers go from intake to an adopted, running program in under two weeks. The program-generation step is days, not months — adoption and rollout are the parts that depend on your team.

Disclosures

How we make money.

part521 charges customers directly for software, onboarding, and support. That is the whole model. We do not take referral fees, placement fees, or any cut of payments to third parties.

Your anonymous reporting hotline and your independent outside committee member are bring-your-own. You choose the hotline vendor and the advisor, and you contract with each of them directly — part521 is not a party to those contracts and earns nothing from them. If you ask part521 to surface a suggested contact for an outside member, that is an introduction only: no engagement, no contract, and no fee is managed or brokered by part521.

If you have questions about how any of this works, write to info@part521.com and we'll walk you through it before you sign anything.

Get early access

Get on the list. Get ahead of the audit.

Prefer to talk first? Join the waitlist below for a direct email from the founder, founding-customer pricing locked in through year one, and a real conversation before you commit to anything.

We respond to every signup. If you're in an active OMIG matter or facing a specific compliance question right now, tell us in the notes — we'll make sure the right person reaches out.

  • Direct conversation with the founder, not a sales rep
  • Founding-customer pricing held through year one
  • Help mapping your specific 521-1 obligations
  • No obligation — it's a list, not a contract

Join the waitlist

Takes about a minute. We read every one.