On November 6, 2023, for the first time since 2008, the US Department of Health and Human Services (“HHS”) Office of the Inspector General (“OIG”) issued comprehensive “General Compliance Program Guidance” (“GCPG”) for all entities involved in the healthcare industry. The GCPG also serves as a repository and reference guide for other contemporary publications and guidance issued by the OIG and applicable to all healthcare industry stakeholders. The GCPG is the first of a series of compliance guidance anticipated to be issued by the OIG throughout 2024. The new guidance is intended to replace the existing fragmented (and generally out of date) compliance guidance for the industry that began with the 1998 “Compliance Program Guidance for Hospitals.”
The OIG also announced that starting in 2024, it will publish industry segment-specific compliance program guidance (“ICPGs”) for specific types of providers, suppliers, and other participants touching the healthcare industry. ICPGs will be tailored to fraud and abuse risk areas for each industry subsector and are intended to be updated periodically to address newly identified risk areas and compliance measures.
This summary provides an overview of the new GCPG and highlights some enhanced guidance in certain areas. We will continue to supplement this article with an overview of each of the ICPGs as they are released throughout the year in a series of articles intended to keep our healthcare clients and colleagues up to date on any changes or new requirements included in the guidance.
Compliance Program Infrastructure
The GCPG slightly revises the seven elements of an effective compliance program, with the updated seven elements being: (1) written policies and procedures; (2) compliance training and oversight; (3) training and education; (4) effective lines of communication with the compliance officer and disclosure program; (5) enforcing standards: consequences and incentives; (6) risk assessment, auditing and monitoring; and (7) responding to detected offenses and developing corrective action initiatives. While the OIG’s description of these elements is consistent with prior discussion, there are a few noteworthy highlights:
More Defined Duties for the Compliance Officer. Unlike prior guidance from the OIG, the GCPG goes into more detail about the role of a compliance officer and notes that “designating a compliance officer with appropriate authority is essential to the success of the compliance program.” The GCPG also contains prescriptive duties for the compliance officer— the compliance officer should not lead or report to the entity’s legal or financial functions and should not provide the entity with legal or financial advice or supervise anyone who does. In other words, to be effective, the compliance officer should also maintain a degree of separation from the entity’s legal review of and delivery of healthcare items and services and related operations.
More Specialized Compliance Training. With respect to enhancing the effectiveness of compliance training, the OIG recommends developing specialized compliance training that relates to the duties and roles of specific employees, highlighting compliance risks specific to those roles. The OIG also recommends that training be provided in various mediums, including both formal training sessions and more informal methods, such as periodic video blasts, newsletters, and other ad hoc communications based on timely topics.
Multiple and Varied Reporting Mechanisms. The OIG states that healthcare industry participants should facilitate multiple ways to report compliance concerns, not just one way or a “preferred” way. In other words, a compliance plan that promotes a hotline as the only means of reporting should be reevaluated. It also cautions against entities requiring that employees bring compliance concerns to their manager or supervisor before contacting the compliance officer since doing so may deter individuals from coming forward or result in a viable concern being dismissed before it reaches the compliance officer.
Use of Incentives. The GCPG encourages entities to “develop appropriate incentives to encourage participation in the entity’s compliance program” and notes that the compliance officer and the compliance committee should devote time, thought, and creativity to incentivize participation in and contributions to the compliance program. Excellent compliance performance or significant contributions to the compliance program could be the basis for additional compensation, significant recognition, or other smaller forms of encouragement. And although it promotes such incentives, the OIG warns that they should be commensurate with incentives provided for achievements in other areas valued by the entity.
Ongoing Compliance Assessments. In the GCPG, the OIG makes the following observation: “In recent years, the OIG, the compliance community, and other stakeholders have come to recognize and place increasing emphasis upon the importance of a formal compliance risk assessment process as part of the compliance program.” The OIG recommends that risk assessments be done at least annually and that a formal compliance committee should assume responsibility for the risk assessment. The OIG does not encourage the use of external auditors, but it does note that information gathered from both internal and external sources should be considered in the risk assessment. The OIG also includes references to resources addressing the performance of risk assessments.
Small vs. Large Entity Compliance Programs
The GCPC continues to acknowledge the differences in compliance programs based on the size and sophistication of the particular entity.
For example, for small entities, such as smaller physician practices, the OIG suggests that one person should be designated as the entity’s compliance contact, and that person should be responsible for ensuring that the entity’s compliance activities are completed; however, the person serving in such a role should “not have any responsibility for the performance or supervision of legal services to the entity and, whenever possible, should not be involved in the billing, coding, or submission of claims.” If there is not a board, the designated compliance officer should report at least quarterly to the owner or CEO on the status of the entity’s compliance activities. It is important to note that the OIG states that the “owner or CEO is ultimately responsible for the entity’s compliance with Federal healthcare program requirements.”
In contrast, the OIG notes that large organizations need a department of compliance personnel with a variety of skills and expertise to implement and monitor the organization’s compliance program. Specifically, a large organization should hire someone knowledgeable and skilled in compliance matters as its chief compliance officer to oversee and direct the organization’s compliance department. Boards of large organizations should have input on the appointment, performance evaluation, and compensation of the chief compliance officer. Depending on the structure and the nature of the organization, it may be useful to have one or more deputy compliance officers responsible for specific areas (e.g., compliance audits, investigations, training, policies) or components within the organization, including regional compliance officers responsible for various geographic regions the organization serves, facility compliance officers or liaisons responsible for a specific facility or location, or some combination thereof. The chief compliance officer and the board should periodically evaluate the compliance department to determine whether its current composition is effectively meeting the needs of the organization.
Other Compliance Considerations. In Section V of the GCPG, the OIG offers some important compliance considerations related to several generally applicable risk areas:
Quality and Safety as a Part of Compliance. Quality and patient safety are often separate and distinct from compliance, and the compliance program often does not contain quality and patient safety components; however, the OIG encourages entities to incorporate quality and patient safety into the compliance program. In fact, the GCPG notes that any compliance committee should include members responsible for quality assurance and patient safety. Further, the GCPG suggests that compliance updates to the board include quality and patient safety reports as well as other compliance activities.
New Entrants in the Healthcare Industry. The healthcare sector is seeing an increasing number of new entrants, including technology companies (both established and start-up companies), new investors (private equity), and organizations providing non-traditional services that relate to and are a part of healthcare settings (such as social services, food delivery, and care coordination services). Recognizing this trend, the OIG warns that business practices that are common in other industries create compliance risks in healthcare, emphasizing the importance of an effective compliance program in preventing, detecting, and addressing potential violations.
Financial Incentives. The OIG subtly acknowledges the potential for misalignment of financial incentives and the fraud and abuse framework applicable to the healthcare industry. Specifically, the growing prominence of private equity and other forms of private investment in healthcare raises concerns about the impact of ownership incentives (e.g., return on investment) on the delivery of high-quality, efficient healthcare. Further, compliance officers should be attuned to the varying risks associated with the payment methodologies through which healthcare entities are reimbursed for the items and services they provide. For example, when an insurer, including Federal healthcare programs, pays on a volume-sensitive or fee-for-service basis, there may be increased risks of overutilization, inappropriate patient steering, and use of more expensive items or services than needed. When an insurer pays on a capitated basis, heightened risks include stinting on care and discriminating against more costly patients. Payments that take into account quality of care or other performance measures may give rise to the risk of gaming of data to qualify for performance-based payment. When payment incentives and associated risks are fully understood, compliance officers are better positioned to design informed audit plans, conduct effective monitoring, detect problems early, and implement effective preventive strategies.
Tracking of Financial Arrangements. The GCPG urges entities to consider establishing a centralized tracking system to ensure that proper supporting documentation is maintained, regular legal reviews are conducted, and fair market value assessments are performed and updated routinely, as appropriate. These tracking systems are most effective, in the OIG’s opinion, if they include service and activity logs, as well as leases and equipment contracts, to ensure consistency with contract terms. The business need or rationale for arrangements should also be documented. The OIG notes that an effective and robust tracking system may be helpful in mitigating potential liability under Federal fraud and abuse laws.
What’s Next?
As noted above, the GCPG is intended to serve as a general compliance guidance for all of the different types of entities involved in the healthcare industry, which the OIG plans to update on a going-forward basis as new developments occur and new resources become available.
Next, we await the release of the first IGPG, which will be published on the OIG’s website. The OIG also announced that it would no longer publish compliance guidance in the Federal Register but instead would publish and update guidance on the OIG website, which it believes to be more user-friendly.
