The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) recently published a new resource titled General Compliance Program Guidance (“GCPG”), which is described as a reference guide for the healthcare compliance community and other stakeholders. The GCPG is part of the OIG’s latest modernization initiative and is designed to update and complement the OIG’s historical compliance program guidance materials, which were published between 1998 and 2008. While much of the GCPG is in keeping with OIG’s past compliance program guidance, there are certain notable takeaways from the 2023 GCPG that may give insight into OIG’s future initiatives and focus areas.

• General vs. Industry-Specific Guidance. OIG’s compliance guidance historically focused on specific entity types (such as ambulance suppliers, clinical laboratories, hospices, hospitals, nursing facilities, pharmaceutical manufacturers, small group physician practices, and third-party medical billing companies). The new GCPG takes a different approach, outlining general compliance principles applicable to all stakeholders in the federal healthcare regulatory arena, independent of provider type. In 2024, the OIG will also publish Industry-Specific Compliance Program Guidance (“ICPGs”) for different types of providers, suppliers, and other participants in healthcare industry subsectors or ancillary industry sectors relating to federal healthcare programs. Each of the forthcoming ICPGs will be tailored to the specific fraud and abuse risks that are most likely to affect the particular provider type or industry. Further, it is anticipated that these ICPGs, like the GCPG, will be issued directly to the public, rather than through Federal Register publication. This may afford greater agility to OIG in revising guidance as new or nuanced risks arise in industry sectors.
• New Entrants, New Focus. The GCPG demonstrates the OIG’s growing awareness of historically less-regulated healthcare industry stakeholders beyond the traditional provider categories. The GCPG includes specific references to new entrants in the healthcare industry and highlights the recent expansion of managed care plans, healthcare technology companies, third-party management companies, and private equity. In a particularly telling section, the GCPG notes one of the best ways to identify fraud and abuse risks is to follow the money. While such industry stakeholders have long been subject to federal fraud and abuse laws, including The Anti-Kickback Statue (“AKS”), the GCPG suggests healthcare technology companies, third-party management companies, and private equity stakeholders, among others, should expect increased scrutiny going forward. In keeping with this theme, OIG has announced that one of the first two ICPGs will address Medicare Advantage (the other will address nursing facilities). These anticipated ICPGs perhaps foreshadow an “in tandem” approach of ICPGs replacing legacy compliance guidances and adding guidance for stakeholders not previously directly addressed.
• Expanded AKS Analysis Factors and FAQ Process. In the overview of certain federal laws, the OIG included a list of key questions, broken into 10 subparts, for providers and stakeholders to use when analyzing whether an arrangement is potentially problematic under the federal AKS. This section provides a more comprehensive understanding of the factors that affect the OIG’s decision-making and risk analysis than most prior guidance. The OIG is also expanding the scope of its frequently asked questions to provide broader guidance and answer inquiries regarding the general application of the federal AKS and beneficiary inducements civil monetary penalty laws. The OIG’s increased resources for compliance education may signal heightened audit and enforcement initiatives in the future.
• A Note on Reporting. When discussing the process for reporting misconduct to the government, the GCPG instructs parties to promptly notify the appropriate authority not more than 60 days after a determination that “credible evidence” of a violation of criminal, civil, or administrative law exists. This language serves as a reminder that certain situations may give rise to reporting requirements regardless of whether the determination of credible evidence of a violation is made prior to, or simultaneous with, commencing an internal investigation, and that such reporting requirements are independent of the 60-day rule standard for reporting and returning an “overpayment.” The GCPG appears to limit its recommendation on this point to certain serious violations, such as clear violations of criminal law, violations that jeopardize patient safety, or a systemic failure to comply with applicable laws or standards of conduct, including Corporate Integrity Agreements. In other sections of the GCPG, the OIG does reaffirm the overpayment standard of reporting/returning within 60 days after “identification,” which includes a process of “determination” and “quantification.” Given the breadth of the GCPG, it stands to reason that there could be fact patterns where the two analyses — i.e., reporting a potential violation of law versus reporting/returning an overpayment — could legitimately be independent. Nonetheless, under many fact patterns, this creates a potential tension around investigation and reporting timing that should be carefully considered with counsel.
• Risk Assessment Expectation. In keeping with the OIG’s previous compliance program guidance, the GCPG also reaffirms the seven elements of a successful compliance program: (1) Written Policies and Procedures; (2) Compliance Leadership and Oversight; (3) Training and Education; (4) Effective Lines of Communication with the Compliance Officer and Disclosure Programs; (5) Enforcing Standards – Consequences and Incentives; (6) Risk Assessment, Auditing, and Monitoring; and (7) Responding to Detected Offenses and Developing Corrective Action Plans. Notably, under the GCPG, OIG emphasizes Risk Assessment as a foundational part of the sixth element. Risk Assessment is a proactive endeavor to identify, analyze, and respond to potential risks to the organization — before any specific incident, report, or finding arises. Risk Assessment has received increased focus from OIG and others in recent years as a formal part of a functioning compliance program. As risks rapidly evolve, so must entities’ endeavors to forestall harmful effects, and the first step is to identify them through a Risk Assessment.

Consistent with the OIG’s prior compliance guidance materials, the GCPG remains non-binding. However, the GCPG provides a good framework for providers and other healthcare stakeholders to develop and structure their compliance programs and/or reassess the effectiveness of their compliance program. The GCPG provides examples of compliance program adaptations designed for small entities, such as individual and small-group physician practices, as well as considerations specific to larger entities, such as healthcare systems or international pharmaceutical manufacturing organizations. With the release of the GCPG, the forthcoming ICPGs, and the new year fast-approaching, providers and other stakeholders in the healthcare industry should consider reviewing their compliance programs and updating their compliance plans to incorporate OIG’s refreshed guidance.