On November 6, 2023, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) issued its anticipated General Compliance Program Guidance (“GCPG”) for the health care industry. The GCPG serves as a reference for the health care compliance community, including the life sciences industry. The GCPG covers the key federal health care fraud and abuse authorities, OIG’s expectations for an effective compliance program, and highlights general agency resources designed to support health care compliance.

The GCPG is OIG’s initial step in revamping its historical guidance around voluntary compliance programs. In 1998, OIG started publishing compliance program guidance documents (“CPGs”) specific to different subsectors of the health care industry, including: pharmaceutical manufacturers; the durable medical equipment, prosthetics, orthotics, and supply industry; and clinical laboratories. In April 2023, OIG announced its plans to improve and modernize the CPGs. As part of its efforts, OIG is revising the structure of its guidance and dividing it into two main parts: general applicable guidance for the entire industry (i.e., the GCPG that was just published); and industry segment-specific guidance that will supplement the umbrella guidance articulated in the GCPG.

Starting in 2024, OIG will be publishing industry segment-specific CPGs (“ICPGs”) for different types of providers, suppliers, and other industry subsectors that will be tailored to fraud and abuse risk areas for each industry subsector and provide compliance measures the subsector can take to reduce these risks. It is anticipated that one or two ICPGs will be published to address pharmaceutical and medical device manufacturers; however, OIG is seeking input on which direction it will go.

ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM

The GCPG recommends that an effective compliance program have the same general infrastructure previously articulated by OIG in past guidance to applicable industry groups, including in the 2003 Compliance Program Guidance for Pharmaceutical Manufacturers. Specifically, GCPG reiterates that an effective compliance program has the following seven elements:

1. Written Policies and Procedures
2. Compliance Leadership and Oversight
3. Training and Education
4. Effective Lines of Communications with the Compliance Officer and Disclosure Program
5. Standards for Enforcing Compliance That Includes Consequences and Incentives
6. Processes for Conducting Risk Assessments and Engaging in Auditing and Monitoring
7. The Ability to Respond to Detected Offenses and to Develop Corrective Actions

While the general elements and infrastructure have not changed, OIG’s expectations for what each of the elements means continue to evolve and become more defined.

Previously, guidance regarding the fifth element focused on having standard disciplinary guidelines for individuals who engage in noncompliant behavior. This element has evolved into requiring a system that both promotes and enforces compliance. Specifically, the GCPG expands who should face consequences for non-compliance and explicitly discusses how companies should develop incentives to encourage participation in their compliance programs. The GCPG recommends that there be consequences for individuals both engaging in non-compliant behavior and failing to detect a violation due to their ignorance, negligence, or reckless conduct (e.g., supervisors), following the general themes that compliance should emanate from the top down and that there needs to be appropriate oversight.

Additionally, the GCPG directs the compliance officer and compliance committees to devote time, thought, and creativity to developing appropriate incentives around compliance activities and contributions, as well as consider how other incentive programs at the company, such as sales and performance goals, can inadvertently disincentivize compliance and encourage noncompliant behaviors.

Reading between the lines, the GCPG challenges companies, in particular compliance officers, to evaluate employee compensation to ensure the methodology does not encourage risky or noncompliant behavior. While not explicitly addressing life sciences companies, the GCPG’s reference to “sales goals” seems, in part, directed at incentive compensation routinely offered by life sciences companies. The GCPG also encourages compliance departments to develop other incentives around the achievement of compliance goals and/or the development of controls for reducing compliance risks. One example provided was developing achievement awards for individuals who perform compliance activities outside their job description.

Additionally, OIG has clearly expanded its expectations around the sixth element, auditing and monitoring. Previously, OIG focused on a company’s ability to internally monitor and audit compliance risks. The GCPG now codifies what was often referred to as the implicit eighth element of an effective compliance program – a process for conducting periodic risk assessments – into the sixth element of an effective compliance program. GCPG now recommends that “periodic compliance risk assessments should be a component of an entity’s compliance program and should be conducted at least annually.” The need to conduct an annual risk assessment, and have dedicated time and resources allocated for the risk assessment, applies to small companies, further demonstrating the importance OIG places on risk assessments.

HOW OIG’S EVOLVING EXPECTATIONS FOR COMPLIANCE PROGRAMS MIGHT IMPACT LIFE SCIENCES COMPANIES

While the overall infrastructure of an effective compliance program may not have materially changed, the GCPG signals OIG’s growing expectations for compliance officers, compliance committees, executive leadership, and boards in implementing, operating and overseeing an effective compliance program. Below are key considerations for compliance officers at life sciences companies:

Continuous improvement of the compliance function on an annual basis.

OIG has always articulated that no compliance program is perfect, and all compliance programs should be continuously growing as companies face new and evolving risks, which is particularly true in the life sciences industry where companies are continuously looking to improve their products and services to meet the needs of customers and patients. However, OIG, through the GCPG, now articulates explicit recommendations designed to ensure that companies’ compliance programs continue to grow with the companies. For instance, the GCPG recommends that companies review policies and procedures annually to ensure that they reflect appliable laws and regulations, as well as the companies’ actual processes, noting inaccurate or unreliable policies and procedures reduce a compliance program’s authority, credibility, and effectiveness, both internally and with Government regulators. Further, the GCPG repeatedly discusses the need to develop robust and detailed work plans, such that the company’s compliance expectations can be measured against actual performance. Such work plans and evaluations should be routinely shared and communicated with senior leadership. Through these and other requirements, such as annual risk assessments, which are largely taken from recent corporate integrity agreements, OIG is pushing companies to continue to demonstrate that their compliance programs are designed to quickly evolve with the company. Life sciences companies should evaluate the way they document compliance objectives and communicate the objectives and achievements to senior leadership, including the board. Compliance departments at life sciences companies should have proactive scopes of work while still retaining flexibility to account for the need to reactively respond to changes in the business.

Elevated role and independence of the Compliance Officer.

OIG has always expressed that the Compliance Officer must have the authority, stature, access, and resources necessary to lead an effective and successful compliance program. OIG is now being more direct in what this means. The GCPG leaves no room for doubt that, in order for a compliance program to be effective, the primary responsibility of the Compliance Officer must be overseeing and monitoring the implementation and operation of the compliance program, including advising the CEO, board, and other senior leaders on compliance risks. The GCPG recommends that the board meet with the Compliance Officer on a regular basis and no less than quarterly. Further, the GCPG emphasizes that the Compliance Officer should report directly to the CEO or the board and should not lead or report to the entity’s legal or financial functions, nor should the Compliance Officer provide the entity with legal or financial advice or supervise anyone who does. This reinforces OIG’s expectation that the Compliance Officer and the compliance department should be separate and distinct from the company’s legal functions.

Smaller life science companies grapple with where compliance should sit within the company, and it is not uncommon for compliance to report up through legal or for the General Counsel of the company to serve as the Compliance Officer. However, in OIG’s opinion, an effective compliance program requires compliance to be independent from the legal and financial roles. While this standard is voluntary, OIG has announced its clear expectation that compliance is an independent function with direct reporting obligations and access to senior management and the board without exception, even for small organizations.¹ OIG indicates that one way to demonstrate the importance of compliance and foster a culture of compliance is to give compliance a “seat at the table” with other executive management of the company. Companies whose compliance functions report through legal should consider the feasibility of altering their reporting structure or at least look to demonstrate compliance independence in other ways. Such companies should also be prepared to justify and defend the deviation from OIG’s expectation.

Compliance should possess a variety of skills, including skills in data analytics.

The GCPG also weighed in on what resources may be necessary to operate an effective compliance program. Specifically, the GCPG states that Compliance Officers at large entities, such as many pharmaceutical and medical device manufacturers that operate both nationally and internationally, likely need to be supported by a department of compliance personnel with a variety of skills and expertise to be successful. The variety of skills the GCPG recommends include auditors, investigators, clinicians, and data experts. The inclusion of data experts is not surprising given the GCPG’s recommendation that compliance departments understand the vast data sets their companies generate and use that same data to identify and detect compliance outliers and risks.

Compliance should have oversight over the quality of the manufacturing of drugs, devices, and other items.

The GCPG significantly focuses on quality and patient safety. Quality is defined as (a) the quality in manufacturing and supplying drugs, devices, and other items, and (b) the quality of care in the provision of items and services. Notably, the GCPG acknowledged that quality and patient safety are often treated as separate and distinct from compliance, and compliance programs often do not contain quality and patient safety components. However, the GCPG seeks to change this, noting that quality and patient safety are integral to OIG’s mission, and quality and patient safety oversight should be incorporated into the compliance processes. In support of this recommendation, the GCPG highlights the fact that OIG and DOJ have investigated and settled cases based on the submission of false claims for care that is materially substandard, resulting in death or severe harm to patients. While not explicitly cited, OIG appears to be referring in part to recent cases where manufacturers failed to comply with the Food, Drug, & Cosmetic Act (“FDCA”), including failure to report adverse events.² The emphasis on quality and patient safety will require enhanced collaboration between a company’s compliance department and regulatory and quality departments.

Good manufacturing practices and the quality system regulations already require pharmaceutical and medical device manufacturers to implement and operate systems to monitor and detect complaints and other quality concerns, as well as develop processes to implement corrective actions and disclose potential quality concerns to the U.S. Food & Drug Administration (“FDA”). Many of these quality principles already contain elements of a compliance program, including the requirements to have written policies and procedures and to regularly perform auditing and monitoring. We do not believe that OIG intends for compliance functions to “take over” these existing quality functions, although the agency is signaling that quality failures could have ramifications for companies with regard to more traditional compliance laws like the False Claims Act. Rather, we understand that OIG’s recommendation for compliance to have some oversight into quality issues comes from OIG’s desire to (a) increase board and senior leadership oversight over quality-related issues and (b) ensure that there are effective and unimpeded lines of communication regarding quality issues throughout the organization. One way OIG believes it can accomplish this goal is by encouraging compliance to have oversight into quality-related issues. As it relates to pharmaceutical and medical device manufacturers, there may be opportunities to encourage OIG to modify this position so that the agency does not expect the compliance department within a life sciences company to oversee quality if the head of the company’s quality functions has similar independence and access/accountability to senior leadership that the Compliance Officer has within the compliance program (i.e., the company has a quality program akin to the company’s compliance program).

Prioritize risks by following the money and monitoring/understanding all financial incentives, including relationships with private equity firms and other investors.

The GCPG directs the Compliance Officer to track financial arrangements and “follow the money” to best identify fraud and abuse risks. In doing so, OIG acknowledges the “growing prominence of private equity and other forms of private investments in health care.” Specifically, OIG raised concerns about the impact of ownership incentives on the delivery of high quality of care, suggesting companies’ compliance function should scrutinize how ownership incentives could influence compliance and quality of care objectives. Conversely, OIG also signaled to investors the importance of the role of an effective compliance program in helping them provide the management services and operational oversight required in the health care industry. As there is no question around the growing importance of private equity within the life sciences industry, life sciences companies should ensure their compliance programs consider and address potential compliance risks associated with private equity and other investment interests.

Express requirements for compliance investigations and emphasis on voluntary self-disclosure.

The Government has spent a good portion of 2023 developing guidance and issuing statements encouraging self-disclosure. As a result, it is not surprising that the GCPG highlights the benefits and procedures for voluntary self-disclosure. Specifically, the GCPG notes some conduct might warrant immediate notification to governmental authorities, including conduct that: (a) is a clear violation of criminal law; (b) has a significant adverse effect on patient safety or quality of care; or (c) indicates evidence of systemic failure to comply with applicable laws or an existing corporate integrity agreement (“CIA”).

Additionally, in accordance with the theme of cooperating with the Government and supporting the Government in its investigations, the GCPG outlines procedures companies should take in developing a contemporaneous record of all investigations into compliance issues, regardless of the size or severity of the investigation. The recommendation includes maintaining copies of interview notes and key documents and detailing the results of the investigation. Life science companies should carefully consider the implications, including potential privilege and resource limitations, around implementing such a detailed, singular approach to compliance investigations.

Potential state law implications for life science companies.

The GCPG is a voluntary guidance; however, life science companies must consider potential state law implications. Certain states, such as California and Connecticut, have adopted laws requiring life science companies to implement effective compliance programs. These state laws require life sciences companies to adhere to OIG’s 2003 Compliance Program Guidance for Pharmaceutical Manufacturers. There is an open question as to whether these state laws will be modified or interpreted to reflect OIG’s updated compliance program guidance, including the GCPG and forthcoming ICPGs. As a result, life sciences companies, unlike other sectors of the health care industry, must be mindful that while the GCPG is technically voluntary, the standards set therein may be codified by state law requirements.

POTENTIAL TO CONTRIBUTE TO THE DEVELOPMENT OF ICPGS AND FUTURE REVISIONS TO THE GCPG

OIG plans on publishing the GCPG and the new ICPGs on its website without publishing them in the Federal Register. Although OIG does not intend to publish the guidance through the Federal Register, OIG welcomes feedback on the GCPG and forthcoming ICPGs. Stakeholders may submit comments by emailing Compliance@oig.hhs.gov. Submissions will generate an automated confirmation of receipt, which will be the only response to a submission unless additional follow up is needed. If OIG requires additional information, the agency may reach out directly to the sender. Through this ongoing email submission process, industry, including the life sciences industry, can help inform and participate in the development of the GCPG and ICPGs. OIG has indicated that it intends to make the GCPG and ICPGs “living documents” that can be updated more quickly as new risk areas emerge.