On November 6, 2023, U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a General Compliance Program Guidance (GCPG) as part of its plan to renovate its library of compliance program guidance documents (CPGs). As we previously reported, the OIG announced in April its plans to issue the GCPG, and to deliver new “industry-specific” (ICPGs) that—like the older CPGs—will each address a different subsector of the healthcare industry or ancillary related fields. The OIG stated that the ICPGs—which the OIG expects to begin publishing in 2024—will address subsectors that have emerged in recent years; the OIG announced that new guidance would first issue for Medicare Advantage organizations and nursing facilities. The OIG stated that it intends to update its CPG library periodically, integrating new risk areas and compliance measures.

As background, starting in 1993, the OIG issued CPGs—reference guides for compliance risks and voluntary compliance programs—addressed at discrete healthcare industry subsectors, e.g., hospitals and home health agencies. The new GCPG stands apart from its predecessors for its length (91 pages), comprehensive breadth, and the fact that it is drafted as a general reference for all healthcare industry stakeholders. That said, the GCPG mainly reprises familiar themes and recommendations from past agency guidance such as OIG’s Seven Elements of Compliance. This alert spotlights novel and notable guidance in the GCPG that a reader might otherwise miss and more broadly discusses the significance of the GCPG.

What’s New in the GCPG

It is important to acknowledge what is the novel about the GPCG as a whole: OIG has rarely issued guidance that is not tailored for a narrow audience (e.g., older CPGs), a discrete concern (e.g., Special Fraud Alerts and Bulletins) or specific factual circumstances (e.g., advisory opinions). By contrast, the GCPG explicitly addresses all stakeholders across the healthcare industry—as well as service operations, tech companies, investors, and other outside players—whose activities ancillary to healthcare implicate the OIG’s fraud and abuse authorities. The GCPG offers a singularly broad overview of those authorities, associated regulatory risk areas, advice for effective compliance programs, and introduces important agency processes such the advisory opinion process and self-disclosure protocols. It contains an apparently unprecedented collection of useful links to resources at OIG and elsewhere. As noted, however, the GCPG mainly appears to recap guidance aggregated from elsewhere in OIG publications.

Below is a selected listing of points where the GCPG offers novel guidance from OIG:

1. Stark Law Analysis (pg. 15)
   The GCPG offers further detail from OIG’s perspective about the federal physician self-referral law (e.g., the “Stark Law”) which, although closely related to the AKS and other OIG authorities, is administered by the Centers for Medicare and Medicaid Services. Included are three vignettes of arrangements problematic under the Stark Law and advice on how to navigate potential analytical overlap between Stark Law and AKS problems.
2. Information Blocking Rule (pg. 22)
   In June 2023, OIG published its Final Rule detailing its authority to investigate information blocking violations under the 21st Century Cures Act and under establishing CMPs of up to $1 million per violation. Broadly, information blocking is defined as knowing and impermissible interference with the access, exchange, or use of electronic health information by health information technology developers, exchanges and networks, or care providers. This subsection provides useful helpful background on the law, but it may chiefly be intended to signal that it expects applicable entities to integrate information blocking concerns into their training and other compliance infrastructure.
3. Compliance Incentives (pg. 54)
   The GCPG endorses a tool that we do not recall OIG mentioning elsewhere: employee and management incentives for active contributions toward compliance culture. It encourages development and implementing of formal incentives for behavior like achieving department or position-specific compliance goals, reducing compliance risk through innovation, or engaging in constructive activities beyond job descriptions (such as compliance mentoring). This treatment appears related to, or possibly inspired by, the “carrots and sticks” approach to corporate compliance and enforcement promoted recently by the U.S. Department of Justice’s Criminal Division.
4. Right-Sizing Small Entity Compliance (pg. 65)
   The GCPG offers new advice about how small entities, such as small physician groups and tech start-ups, can leverage limited resources toward achieving the OIG’s Seven Elements of Compliance. The OIG acknowledges the need for trade-offs when implementing an effective compliance program within tight financial and staffing constraints. If hiring a dedicated compliance officer is impractical, for instance, the OIG suggests designating an existing employee, preferably one without responsibilities for legal services or involvement in billing, coding, or claims submission. OIG advises that small entities undertake compliance risk assessments at least annually using reputable, free web-based materials such as Compliance Risk Management: Applying the COSO ERM Framework and OIG online resources.
5. “New Entrants” and Nontraditional Ventures (pg. 78)
   The GCPG points to the increasing presence of new entrants in the healthcare industry, including technology companies, investors, and organizations offering nontraditional support services (citing social services, food delivery, and care coordination as examples). It also states that established healthcare organizations are increasingly expanding into nontraditional ventures—such as providers offering managed care plans and developing healthcare technology. GCPG’s recommendations for these entities are themselves unsurprising (e.g., learn relevant federal law, appreciate unfamiliar regulatory risks, acknowledge the critical role of compliance programs). That OIG chose to address these entities suggests that ongoing changes among the players in the healthcare industry have prompted a broader approach by the agency to policing government healthcare programs.
6. Private Equity and Investors (pg. 79)
   After discussing new entrants, the GCPG specifically comments on the growing prominence of, and public concern about, private equity and other private investors in healthcare. It states that an understanding of healthcare law and role of an effective compliance program is particularly important for investors that who provide management services or a conduct significant operational oversight for and control in a healthcare entity.
7. Financial Arrangements Tracking (pg. 80)
   The GCPG emphasizes the importance of establishing centralized tracking systems for ongoing compliance monitoring of financial arrangements and transactional agreements that potentially implicate healthcare fraud and abuse authorities. OIG recommends that, where appropriate, such systems should store documentation, including logs for exchanges involving services, as well as the use of leased space and equipment; they should ensure compliance with contract terms and document business rationale; and should facilitate periodic legal reviews and fair market value assessments relating to ongoing arrangements. OIG appears to signal that it expects that companies should more thoroughly integrate compliance operations and legal oversight functions into their business process management tools.

Conclusion

The OIG offers novel guidance in the subsections of the GCPG listed above, among others. The introduction of the information blocking rule, discussion right-sizing small entity compliance, and references to new entrants and nontraditional ventures and private equity and investors merit consideration in light of the OIG’s decision to break with past practice by issuing a general-purpose compliance program guidance. OIG apparently seeks to convey the message of the GCPG as broadly as possible. OIG is putting on notice the gamut of healthcare entities, even in the context of nontraditional ventures, and outside actors in roles ancillary to healthcare operations—including service operations, tech companies, and investors: anyone whose activities implicate OIG fraud and abuse authorities will be expected to be avoid regulatory risk and operate under situation-appropriate and effective compliance oversight.

The OIG said that it welcomes feedback from the healthcare community and other stakeholders in connection with the GCPG and forthcoming ICPGs; feedback can be sent to compliance@oig.hhs.gov.