The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) is continuing its long-laid plans to update its existing compliance program guidance documents (CPGs). On April 24, 2023, OIG announced its plans to not only improve existing CPGs but also to deliver new CPGs specific to segments of the health care industry that have emerged in recent years. In modernizing OIG’s CPGs, OIG stated that its goal is “to produce useful, informative resources—as timely as possible—to help advance the industry’s voluntary compliance efforts in preventing fraud, waste, and abuse in the health care system.” OIG is the federal agency primarily responsible for policing and promoting efficiency in Medicare, Medicaid, and many other federal health insurance programs.

Over the past several decades, OIG has developed a robust series of voluntary CPGs directed at various segments of the health care industry, including hospitals, home health agencies, durable medical equipment suppliers, and clinical laboratories. These CPGs promote the establishment and utilization of internal controls to ensure compliance with relevant statutes, regulations, and program requirements. The OIG encourages health care entities and professionals to implement effective compliance programs through the use of these voluntary guidelines, which can assist in preventing fraud, waste, and abuse in the health care industry. OIG’s first CPG, for hospitals, was published in 1998. OIG later elaborated and updated its guidance for hospitals in a “supplemental CPG” published in 2005. In 2008, OIG published its most recent such guidance: a supplemental CPG for nursing facilities elaborating on and updating a publication from 2000.

Through the April 24 notice, OIG announced several changes to its CPG process. First, OIG will no longer publish updated or new CPGs in the Federal Register. Instead, all updated or new CPGs will be available on the OIG website (the current CPGs will remain available on the OIG website). OIG will notify the public of new or updated guidance using its public listserv and communications platforms.

Second, OIG will no longer issue CPGs as before, but rather, will issue a General CPG (GCPG) and industry-specific CPGs (ICPGs), both of which will be continuously updated as necessary in light of changes in compliance practices or legal requirements. The GCPG will address topics spanning the health care industry (including federal fraud and abuse laws, compliance program basics, operating effective compliance programs, and OIG processes and resources), and will thus apply to all individuals and entities involved in the health care industry. OIG said it expects to publish the GCPG by the end of 2023.

ICPGs will be issued for different types of providers, suppliers, and other participants in subsectors of the health care industry or ancillary industry sectors relating to federal health care programs. ICPGs will be tailored to fraud and abuse risk areas for each industry subsector and will address compliance measures that the industry subsector participants can take to reduce these risks. OIG noted that ICPGs are intended to be updated periodically in order to address any newly identified risk areas and compliance measures. OIG said that the periodic updates will ensure timely and meaningful guidance from OIG. OIG expects to begin publishing ICPGs in 2024 and expects the first two ICPGs will address Medicare Advantage and nursing facilities. HHS Inspector General Christi Grimm stated last year that her “top priority is propelling meaningful improvement in the quality and safety of care in the more than 15,000 Medicare- and Medicaid-certified nursing homes nationwide.”

OIG noted that, as with the existing CPGs, the new GCPG or ICPGs do not constitute a model compliance program. Rather, OIG has stated that the primary aim of all OIG compliance guidance documents is to establish a discretionary framework of guidelines and identified risk factors, which the OIG recommends health care entities and professionals in the industry should take into consideration while devising or evaluating a compliance program. In the interim, entities involved in the health care industry should continue to use OIG’s existing CPGs and supplemental CPGs, which will remain available for use on the OIG website as OIG develops and publishes its new guidance.

This announcement comes on the tails of the U.S. Department of Justice’s (DOJ’s) updated compliance guidance. Although the DOJ guidance applies to health care companies, we should note that it also extends over enterprises in all sectors of the economy. In September 2022, as Wilson Sonsini previously reported, Deputy Attorney General (AG) Lisa Monaco introduced major updates to the DOJ’s corporate criminal enforcement policies. Among other things, she stressed that the DOJ would favor companies that have cultivated the “right” culture of compliance through effective compliance programs. Last month, the DOJ’s Criminal Division announced updated guidance for evaluating two particular aspects of a corporate compliance program: how a company deals with business communications on personal devices and alternative messaging platforms, and how a company uses its compensation structure to promote compliance. Deputy AG Monaco and Criminal Division Assistant Attorney General Kenneth A. Polite Jr. also announced revisions to the Evaluation of Corporate Compliance Programs, the DOJ’s published criteria for evaluating compliance programs.