On November 6, 2023, OIG released new General Compliance Program Guidance (General CPG). The General CPG applies to all individuals and entities involved in the healthcare industry. The release of the General CPG was not unexpected, as OIG previously announced its plans in April 2023 to update existing Compliance Program Guidance (CPG) and issue new provider-specific CPGs. As described in more detail below, the General CPG builds on expectations OIG has historically articulated for individuals and organizations but provides additional detail and illustrates OIG’s increased expectations for compliance program development and effectiveness.

Background

OIG previously developed voluntary CPGs to support specific healthcare industry stakeholders, such as guidance directed towards hospitals, home health agencies, clinical laboratories, hospices, and other groups. The first CPG was issued in 1998 for hospitals. Most recently prior to the issuance of the General CPG, OIG had last issued a CPG in 2008. OIG has also provided compliance guidance through other issuances outside of CPGs, including Practical Guidance for Health Care Boards on Compliance Oversight and OIG’s toolkit on Measuring Compliance Program Effectiveness, and has continued to communicate its expectations through updates to its Corporate Integrity Agreement model.

In an effort to improve and update its guidance, OIG released the new General CPG and in 2024 plans to publish industry segment-specific CPGs (ICPGs) for different types of providers, suppliers, and other participants in healthcare industry subsectors or ancillary industry sectors relating to Federal healthcare programs.

Overview of the General CPG

The General CPG is non-binding, voluntary guidance document spanning 91 pages that applies to all entities and individuals involved in the healthcare industry. OIG cautions that the General CPG and forthcoming ICPGs do not constitute a model compliance program, nor are they intended to be comprehensive for every organization. Instead, they are designed to be used as an ongoing resource.

The General CPG addresses the following topics:

• Healthcare Fraud Enforcement and Other Standards: Overview of Certain Federal Laws: The General CPG begins with an overview of certain Federal authorities that may apply to entities in the healthcare industry, including primary Federal fraud and abuse authorities as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Embedded in some sections of the key authority overview are: (1) key questions posed by OIG to help organizations and individuals evaluate compliance risk; (2) guidance if organizations or individuals identify a potential problem; and (3) practical tips.
• Compliance Program Infrastructure: The Seven Elements: In this section, OIG discusses the traditional seven elements of an effective compliance program. This section also includes practical tips and indicators of success. Notably, OIG has expanded its traditional “auditing and monitoring” element of an effective compliance program to now be described as “risk assessment, auditing and monitoring.” This change reflects OIG’s emphasis on risk-based compliance programs in recent years.
• Compliance Program Adaptations for Small and Large Entities: OIG recognizes that compliance programs may be structured differently based on an entity’s size. In this section, OIG offers guidance on how small entities can implement a compliance program that meets the seven elements even with limited resources. For large organizations, OIG discusses key compliance program elements and leadership efforts needed to meet the needs of a larger entity.
• Other Compliance Considerations: In this section, OIG outlines considerations related to several key risk areas: (1) Quality and Patient Safety; (2) New Entrants in the Health Care Industry; (3) Financial Incentives: Ownership and Payment – Follow the Money (this section includes a discussion of private equity); and (4) Financial Arrangements Tracking. These focus areas are important for healthcare organizations and individuals to consider as they reflect topics that the OIG is underscoring as key risk areas, and some of these areas (e.g., new entrants in the healthcare industry) are newer focus areas for OIG.
• OIG Resources and Processes: The final substantive section of the General CPG provides an overview of other OIG resources such as compliance resources, OIG reports, advisory opinions and other guidance, frequently asked questions, Corporate Integrity Agreements, enforcement and self-disclosure information and the OIG hotline.

In sum, OIG’s new General CPG builds on OIG’s historical guidance to reflect OIG’s expanded expectations for individuals and organizations operating in the healthcare space. This document also provides more detailed guidance and practical tips for organizations and individuals to consider. It is also consistent with issuances in recent years from DOJ that emphasize the importance of effective compliance programs. Accordingly, healthcare individuals and organizations may wish to review the General CPG and forthcoming ICPGs as they develop and assess compliance programs across the healthcare industry. OIG states that it expects to update the General CPG in accordance with future changes in legal requirements or compliance practices.

The General CPG is available here.