[co-author: Mariam Ba]

From 1998-2008, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) published compliance program guidelines for various industries in the Federal Register. In April of this year, the OIG announced an initiative to modernize public resource accessibility and usability, including plans to publish all new compliance program guidance on its website, instead of in the Federal Register, to issue general compliance guidance applicable to all participants in the health care industry, and to publish new and updated industry-specific compliance program guidance.

On November 6, 2023, more than 15 years after the last industry compliance guidance was issued, the 91-page General Compliance Program Guidance (GCPG) was released as a “reference guide for the health care compliance community and other health care stakeholders.”[1] The User’s Guide to the GCPG emphasizes that it contains voluntary guidance discussing general compliance risks and programs, and is not binding on any individual or entity. The GCPG is structured to serve as an interactive resource, allowing readers to interact with it through a clickable table of contents and provides direct hyperlinks to areas of the OIG website and other Federal agency and third-party resources at which more in-depth information can be obtained. Thus, the GCPG can be used as the initial resource for compliance guidance and a roadmap for locating more information.

The GCPG addresses key Federal authorities, including civil monetary penalty provisions, exclusion authorities, the False Claims Act, the Criminal Health Care Fraud Statute and HIPAA, as well as providing discussions of the Federal Anti-Kickback Statute and Physician Self-Referral Law. It provides guidance on each of the seven elements of a compliance program, adaptations for small and large entities, other compliance considerations and a description of OIG processes and resources.

While we recommend reviewing the Guidance in its entirety, below are some notable provisions:

1. Guidance on Federal Fraud and Abuse Laws. The GCPG alerts readers to potentially problematic arrangements, provides a general primer on Federal fraud and abuse laws, as well as, offers checklists, key questions, and tips help readers think through these arrangements. For example, the Guidance provides key questions to ask in assessing whether an arrangement is problematic under the Federal Anti-Kickback Statute, and lists the six elements required to implicate the Physician Self-Referral Law, as well as providing examples of prohibited referrals.
2. Compliance Leadership. The GCPG emphasizes the importance for an effective compliance program to have the following:
   1. a compliance officer in a senior leadership position,
   2. a compliance committee that is chaired by the compliance officer and aids him or her in implementing, operating, and monitoring the compliance program
   3. board oversight of the compliance officer and compliance committee.

The Guidance also elaborates on the primary responsibilities of the

4. compliance officer,
5. the compliance committee,
6. the board.

3. Addressing Quality & Safety. The OIG acknowledges the historical separation and absence of quality and patient safety from compliance programs, but notes that the importance of quality and patient safety has long been emphasized by the OIG and the Department of Justice. The GCPG states that entities should incorporate oversight of quality and patient safety into their compliance programs. This includes having members responsible for quality and patient safety on the compliance committee, and implementing a program for performing quality audits and reviews. Senior leadership should provide regular reports to the board on the “system of internal quality controls, quality assurance monitoring, patient safety, and patient care.”[2]
4. Small and Large Entity Adaptations. The GCPG notes that small entities may face financial and staffing constraints that affect how their compliance programs are structured to meet the seven elements of an effective program. For example, rather than a separate compliance officer, a small entity may need to designate a person who has other duties to perform that role. However, the designated person should not have responsibility for provision or oversight of legal services and whenever possible, should not be involved in billing, coding, or claim submission. On the other hand, large entities are likely to need a department of compliance personnel and may need to have a facility compliance officer at each location. If possible, facility compliance officers should not have responsibility for legal, clinical, financial, or operational duties. If such facility compliance officers have other roles at their locations, they should have dotted-line reporting to the compliance officer, and the compliance officer should make sure each facility compliance officer has the skills, knowledge, resources, and time to fulfill his or her compliance duties.
5. Provision of Incentives. The OIG recommends that health care entities utilize incentives to promote participation in compliance programs. Compliance officers, committee members, and other leaders are tasked with assessing which compliance performance or activities to incentivize. The entity should then use compliance performance or significant contribution to the compliance program as the basis for additional compensation, recognition, or other encouragement. While the OIG still emphasizes the use of consequences, such as remediation and sanctions, to address noncompliance, it acknowledges the importance of incorporating incentives as an encouragement mechanism. On the other hand, the OIG recommends reviewing other incentive plans to assure they do not raise compliance risks; for example, setting sales or admission goals that may prompt inappropriate behaviors in seeking to reach those goals.
6. New Entrants. The OIG addresses new entrants into the healthcare industry, highlighting the creation of possible compliance risks from practices that are common in other businesses. New entrants, including technology companies, investors, and those providing non-traditional services in health care settings, should take steps to ensure they have a “solid understanding” of Federal fraud and abuse laws, in addition to other applicable laws, and of the critical role played by compliance programs. Additionally, the OIG recommends that health care entities entering new arenas—such as health care providers developing technology or offering managed care plans—take steps to understand the potential risks associated with those different lines of health care business.
7. Follow the Money. The OIG notes that “[o]ne of the best ways to identify fraud and abuse risks is to follow the money.”[3] The GCPG calls attention to the increasing prominence of private equity and other private investment in the health care industry. Specifically, the OIG warns health care entities (along with their investors and governing bodies) to carefully scrutinize their “operations and incentive structures” to ensure they are complying with Federal fraud and abuse laws. Proficiency with applicable laws is especially necessary for investors providing management services or operational oversight/control for health care entities. The GCPG also notes that compliance officers must be attuned to the varying risks arising from different payment methodologies. For example, fee-for-service payment may raise increased risks of overutilization, but capitated payment heightens risks such as stinting on care. Further, incentive payments may give rise to risks of gaming data. Compliance officers should design strategies to address the associated risks presented by relevant payment methodologies.

Finally, the OIG is in the process of developing Industry Specific Compliance Program Guidances (ICPGs) to be released in 2024. These ICPGs will address health care industry subsectors, and inform those subsectors on measures they can take to reduce risk of violating Federal fraud and abuse laws. The OIG has indicated it anticipates the initial ICPGs to address Medicare Advantage and nursing facilities, so participants in those areas should be on the lookout for further guidance.

[1] U.S. DEP’T. OF HEALTH AND HUMAN SERVICES, OIG, General Compliance Program Guidance (November 2023), https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf

[2] Id. at 77.

[3] Id. at 79.

[View source.]