On November 6, the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) released the most up-to-date, comprehensive, and practical general compliance guidance in decades.  The new General Compliance Program Guidance is a 91-page document that contains valuable summaries of relevant laws, generally applicable compliance program basics, key resources, and practical tips.

It is organized in a way that is both a user-friendly, quick-reference guide and provides a thoughtful commentary on the elements of an effective compliance program, including the increasing importance of risk assessments and current areas of focus in healthcare compliance, such as patient quality and safety considerations, new entrants in the healthcare industry, and financial incentives promoting compliance.

It is well-established that any entity operating in the healthcare space is subject to a multitude of laws and regulations, and, as with any heavily regulated industry, healthcare entities need to ensure that they maintain a sufficiently structured and effectively operating compliance program. In its recently released guidance, the OIG acknowledges that although the design and function of an organization’s compliance program will necessarily vary based on different factors, including the size and type of the organization, there are overarching elements that every healthcare compliance program should include. The new guidance provides insight into how the government may evaluate a healthcare entity’s compliance program in an enforcement action. Healthcare companies should review the recent guidance to assess the structure and effectiveness of their compliance programs.

Since 1998, the OIG has published compliance program guidance documents (CPGs) to promote voluntary compliance efforts for the healthcare industry. Over the past 25 years, OIG has developed CPGs directed at specific segments of the healthcare industry, including, among others, hospitals, nursing facilities, and physician practices.

Other OIG compliance guidance has been available in different formats over the past several decades, including through (among others) advisory opinions, special fraud alerts, compliance toolkits, and various reports and publications. The OIG has also partnered with various healthcare associations to create compliance guidance for healthcare boards. See, for example, Practical Guidance for Health Care Governing Boards on Compliance Oversight; Office of Inspector General, U.S. Department of Health and Human Services, Association of Healthcare Internal Auditors, American Health Lawyers Association, Health Care Compliance Association.

OIG guidance, however, is only one of several sources of compliance program guidance. Most notably, the Department of Justice (DOJ) has issued numerous guidance documents over the past several decades. DOJ guidance, while applicable to most business enterprises and industries—not just the healthcare industry—serves as another significant source for informing healthcare entities regarding what constitutes an effective compliance program. See, for example, Evaluation of Corporate Compliance Programs; U.S. Department of Justice Criminal Division, Guidance Document, originally issued 2017, updated April 2019, June 2020, March 2023.

In a deviation from past practices, OIG explained that CPGs issued will now either be general CPGs (GCPG) or industry segment-specific CPGs (ICPGs), which are tailored to risk areas specific to different types of providers, suppliers, and other participants in healthcare industry subsectors or ancillary industry sectors. Furthermore, OIG will no longer publish updated or new CPGs in the Federal Register. Going forward, the GCPG and ICPGs will be published on the OIG website. While this will promote ease of access to the CPGs, it is not clear whether, as the documents are updated or otherwise changed in the future, the OIG will make archived versions available on its website. Given that the ability to compare older versions to new versions can provide key insights into government focus and priorities, users of the CPGs will likely want to ensure they maintain access to archived materials.

In addition to a fulsome discussion on the basic elements of a compliance program, the new GCPG provides:

1. General background on OIG’s previous and current compliance guidance.
2. A useful summary of applicable laws and regulations for which OIG has agency oversight.
3. Specific tips that serve to remind the industry of OIG’s general views on compliance structure and priorities.
4. Suggestions for adapting compliance programs based on entity size.
5. A discussion of specific considerations regarding compliance that suggest the OIG’s current focus.
6. A list of OIG resources with embedded links. In essence, it works as a practical, quick reference guide for both newcomers to the healthcare compliance world as well as seasoned compliance professionals.

OIG plans to update the CPGs as needed. Beginning in 2024, OIG plans to issue ICPGs, which will be updated periodically as new risk areas emerge. The GCPG and ICPGs will serve as resources for voluntary, nonbinding guidelines and tips to identify some risk areas that OIG believes the healthcare community should consider when developing a compliance program. OIG is seeking feedback and suggestions in connection with the GCPG and forthcoming ICPGs on an ongoing basis at a designated email.

Overview of Applicable Federal Laws

The GCPG contains a section devoted to a discussion of the key federal authorities for entities engaged in healthcare business, including:

• The Federal Anti-Kickback Statute
• Physician Self-Referral Law
• False Claims Act (FCA)
• Civil Monetary Penalty Authorities
• Exclusion Authorities
• HIPAA Privacy and Security Rules

The inclusion of this section in the GCPG is particularly noteworthy given that it provides not only a reminder of those laws and regulations that govern the underlying conduct for which compliance programs are designed to address but also a discussion of the practical implications of those laws and regulations. It includes areas of the law for which the OIG, Department of Justice (DOJ), Center for Medicare & Medicaid Services (CMS), and HHS Office for Civil Rights (OCR) have enforcement responsibilities. While not a treatise on the laws—the OIG describes it as “summaries only” and emphasizes that it is not comprehensive—it does include key terms and definitions, questions for analyzing potential violations, practical examples, guidance for self-disclosures, and links to specific resources, (e.g., self-disclosure protocols, list of Stark designated health services codes, etc.).

Seven Elements of a Compliance Program

In this newly released GCPG, OIG reaffirms the seven elements of an effective compliance program (Seven Elements). The OIG first discussed the “seven elements” in its 1998 OIG Compliance Program Guidance for Hospitals; Office of Inspector General, U.S. Department of Health and Human Services; 63 Fed Reg 8987, February 23, 1998. These elements were based on the seven steps of the Federal Sentencing Guidelines in place in 1998 (See United States Sentencing Commission Guidelines, Guidelines Manual, Chapter 8).

In considering how to approach enforcement for an entity engaged in violations, the government will expect to see that the entity’s compliance program includes all even Elements. In fact, government representatives have repeatedly stated in the past several years that a company’s compliance program must not only include all Seven Elements but must also be able to demonstrate its ongoing efforts to ensure that its compliance program is actually functioning as intended, i.e., it is preventing, detecting, and addressing non-compliant activities in an effective and timely manner.

While other sections of the GCPG are tailored to the needs of certain types and sizes of healthcare entities, the Seven Elements are intended to be broadly applicable to all players across the healthcare industry. The Seven Elements include:

1. Written Policies and Procedures
2. Compliance Leadership and Oversight
3. Training and Education
4. Effective Lines of Communication with the Compliance Officer and Disclosure Programs
5. Enforcing Standards: Consequences and Incentives
6. Risk Assessment, Auditing, and Monitoring
7. Responding to Detected Offenses and Developing Corrective Action Initiatives

The OIG’s inclusion of the Seven Elements is important—not because it represents any major revelation regarding the OIG’s view of the essential components of a compliance program—but because it offers a concise, well-explained summary of compliance program basics. For this reason, we will not summarize those basics here. Rather, we will discuss a few key takeaways from the GCPG.

Role of Compliance Officer

Not surprisingly, the OIG reiterates that every entity should designate a compliance officer who has the authority and resources that are required to lead an effective compliance program. Specifically, an entity should ensure that this individual reports either to the entity’s CEO with direct access to the board or to the board directly; has sufficient stature within the entity’s hierarchy to interact on equal terms with other members of the senior leadership; demonstrates integrity, judgment, approachability, and trustworthiness in the eyes of the entity’s workforce; and has sufficient funding, resources, and staff to operate the compliance program efficiently.

The role of the compliance officer, whether the compliance officer may maintain dual roles, and the compliance officer’s relationship to legal and financial functions has been a matter of some controversy over the years. OIG has consistently posited the compliance officer should not “lead or report to the entity’s legal or financial functions.”  Given it is not uncommon for companies in the healthcare world to combine or overlap with legal or financial functions with compliance, such a restriction can present a challenge, particularly for smaller organizations where the strain on resources may make it difficult to have a separate department. However, as noted by the guidance, the GCPG is not intended as a model compliance program, nor are OIG recommendations requirements. Rather, they are recommendations, and entities should recognize that some flexibility may be required in light of individual circumstances.

To the extent a company adheres to the recommendation to have a separate, independent compliance department, it should bear in mind that there may be significant overlap between compliance and other company functions, particularly legal functions. For this reason, it would be advisable to take steps to ensure the compliance program operates in coordination with other company departments to ensure adequate communication and avoid working at cross purposes.

Regardless of the specifics of the compliance officer’s job description or their reporting structure, the GCPG makes it clear that to be effective, the compliance department must be given sufficient resources and the compliance officer an adequate degree of independence. OIG has long taken the position that the role of compliance officer is critical, and it views a weak compliance officer and an under-staffed, resource-deficient compliance department to be sure signs that an organization does not value or prioritize compliance.

Enforcing Standards: Consequences and Incentives

As has been made clear by the DOJ in its recently released Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions, the government is currently very focused on the role of compensation in compliance. Specifically, both DOJ and OIG guidance strongly suggests that companies adopt compliance-promoting criteria to compensation structure, including rewards for compliance-related activities and disincentives for misconduct (e.g., clawbacks or withholding of incentive compensation). The GCPG includes a discussion on incentives that could be established to encourage ongoing participation in the compliance program as well as accomplishments achieved. For example, certain incentives may be established for the achievement of compliance goals, reduction of identified compliance risks, or performance of compliance activities outside of a particular workforce member’s job description.

Risk Assessments and Data Analytics

The OIG has long recommended that organizations utilize a formal compliance risk assessment process in addition to the prior standard of internal monitoring and auditing. Despite this recommendation, many companies continue to skip this process. The GCPG makes it clear that this is an integral component of an effective program and offers links to resources for compliance committees to consult in structuring and evaluating a risk assessment for their organization. A truly effective risk assessment guides the compliance officer and committee to consider and address risk areas specific to the entity and also provides an indication of how effective the compliance program and prior remedial measures have been.

The GCPG recommends that organizations incorporate data analytics into their compliance activities. Data analytics allow entities to compare standard metrics of their healthcare operations internally to determine whether there are any outliers within a particular area of focus. While larger entities may be more likely to make use of data analyses with higher complexity, smaller entities should consider utilizing all available resources to conduct data analysis to identify risk areas and potential non-compliant conduct.

Responding to Detected Offenses and Developing Corrective Action Initiatives

The GCPG includes a discussion of the role of self-disclosure in responding to detected non-compliance. OIG takes the position that certain violations of federal law require prompt reporting to various governmental entities, such as the HHS OCR, CMS, the OIG, and the DOJ. According to the OIG, this would include “material violations of applicable law where no monetary loss to a Federal health care program of Government entity has occurred.” While returning known overpayments is clearly required, what constitutes a “material violation of applicable law” may not be entirely clear to many entities and therefore requires disclosure. In such instances, organizations may want to consult with counsel to obtain reliable advice on how to proceed.

Compliance Program Adaptations for Small and Large Entities and Other Compliance Considerations

The new GCPG offers additional insights from OIG on a number of relevant topics regarding compliance programs, including the following:

1. A discussion on the distinctions between compliance programs for small and large entities.
2. A list of specific “considerations,” e., generally applicable risk areas that OIG considers to be of particular significance.

Adaptations for Small and Large Entities

In what may be a response to a long-standing critique of previous compliance guidance, OIG included a discussion in the GCPG regarding different approaches to compliance based on an organization’s size. While the GCPG does not specifically define the terms, it characterizes “small entities” as “individual and small-group practices, or other entities with a small number of employees.”  By contrast, it describes “large entities” as “health care system in a large metropolitan area or a chain retail pharmacy or a manufacturer with locations and operations statewide or nationwide.”  It is not clear whether or how entities that fall between these two distinct characterizations in terms of size should consider these adaptations to their compliance programs.  Nevertheless, the GCPG provides useful tips and strategies here—particularly for smaller entities.

Guidance for Small Entities

In an effort to recognize any potential financial and staffing constraints for smaller entities, the GCPG includes suggested modifications to the Seven Elements for small entities. By taking a more flexible and practical approach, these modifications allow smaller entities to stretch and optimize resources to ensure compliance programs’ effectiveness.

In lieu of having a compliance officer, the GCPG suggests that small entities designate one person as the “compliance contact” who would be responsible for monitoring compliance efforts and report to the CEO (in the absence of a board), but with the caveat that this individual should not have responsibility for the performance or supervision of legal services and should not be involved in billing, coding, or submission of claims. Allowing a compliance contact to have dual responsibilities seems eminently reasonable, but excluding the compliance contact completely from legal and billing/coding functions may not be workable for some small entities with limited resources and, in some cases, may limit the ability of the compliance contact to effectively function within the organization. With so many compliance matters relating to legal and billing/coding issues, it may not be practical for a small entity to employ multiple individuals with this technical knowledge at a level to analyze these complex areas.

With respect to written standards and training, OIG suggests small entities avail themselves of policy and procedure templates (available either online or from management companies or consultants), outsource training, and utilize OIG Compliance Training Videos and Presentation Materials. Where a formal disclosure program is not appropriate, the GCPG recommends smaller entities create scaled-down, user-friendly methods of requiring and encouraging good faith reporting of potential non-compliant activities. The GCPG includes several practical suggestions, including using an anonymous drop box or posting notices in physical or virtual common areas.

The GCPG indicates that while small entities must still assess their compliance risks on an annual basis, engage in at least one audit per year, and routinely monitor for noncompliance, it suggests performing these tasks does not need to be “complicated or resource intensive.” Included in the guidance are useful links to online resources, including the OIG Work Plan and the Compliance Risk Management: Applying the COSO ERM Framework (2020), a guide commissioned by the Committee of Sponsoring Organizations (COSO) and authored by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association. These tools are readily available and provide smaller entities the ability to design and implement risk assessments without significant expense or time investment. One of the more useful tips in this section of the GCPG includes the suggestion that small entities monitor compliance by developing a list of risk indicators—“relevant to their business or practice area”—for certain indicators such as “changes in number or type of claims rejections, high-level survey findings, illogical or atypical ordering patterns, and unusual changes in code utilization.”

Regarding responses to detected offenses and implementing corrective actions, the GCPG posits a less structured, more ad-hoc approach by suggesting that small entities designate someone—whether it be the compliance contact, entity leader, or other employee—to carry out the steps necessary to determine whether there has been a violation and what steps should be taken to correct the problem.

Guidance for Large Entities

Probably the most significant takeaway from the GCPG treatment relating to compliance programs for large entities is the emphasis on the need for such organizations to dedicate “significant” resources and expertise to compliance. In practical terms, this means a large organization will likely need a well-resourced and skilled compliance department and compliance committee, as well as a board that is actively engaged and focused on compliance. Among the suggestions and tips included in this section of the GCPG are the following:

• Boards should have input on the appointment, evaluation and compensation of the compliance officer.
• If the board combines compliance with its audit committee, it should consider setting up a separate compliance committee with its own charter and comprised of individuals with appropriate knowledge and expertise (e.g., compliance, regulatory, and clinical expertise).
• For organizations with separate facilities and/or locations, having a dedicated compliance resource (e.g., a facility compliance officer/liaison) at the facility level.

Of particular note, this section of the GCPG discusses organizations with operations within the United States but with ownership or control rooted in boards of an international organization situated in another country. As the healthcare industry expands and diversifies, these types of healthcare entities are more common, and OIG recognizes the inherent compliance risks for companies whose governing bodies may not fully understand or appreciate the U.S. healthcare system or its regulatory landscape. For this reason, the OIG is recommending that the parent boards be provided with sufficient information regarding U.S. laws and regular reports from compliance and are appropriately engaged with its U.S.-based compliance team.

Other Compliance Considerations

In the GCPG, OIG offers insight into several additional compliance considerations generally applicable to organizations of all varieties, including quality of care and patient safety, new entrants into healthcare industry, financial incentives, and financial arrangements tracking.

Quality and Patient Safety

Both OIG and DOJ have consistently emphasized the importance of quality and patient safety and have taken the position that a failure to provide quality care can form the basis of an FCA action. This position has now taken its place in formal compliance guidance, with the GCPG emphasizing the importance of addressing quality and patient safety components in a compliance program. Quality is broadly defined to include both quality in manufacturing and supplying drugs, devices, and other items, as well as quality of care in the provision of items and services, particularly for all entities that provide direct patient care. The GCPG makes the practical suggestion that an organization’s compliance committees include individuals with responsibility for quality assurance and patient safety to help integrate quality and patient oversight.

New Entrants in the Healthcare Industry

With the changing landscape of healthcare, the GCPG acknowledges an increasing number of new entrants, including technology companies, new investors, and organizations providing non-traditional services in healthcare settings that may not be familiar with the regulatory constraints that apply in the healthcare industry. Additionally, healthcare organizations are expanding into different lines of healthcare business, which will present new—and sometimes unforeseen—compliance risks. New entrants should avail themselves of the GCPG in establishing and operating effective compliance programs, along with forthcoming ICPGs as well as OIG’s existing materials, to ensure their compliance programs are up-to-date and operating as effectively as possible.

Financial Incentives: Ownership and Payment

With growing private investment in healthcare, OIG warns of the compliance implications for improper incentives that may violate federal laws or possibly result in substandard care for patients. Certain incentive structures—such as return on investment for owners—if not properly structured can create potential risks. Investors that provide management services or a significant amount of operational oversight for and control in a healthcare entity should pay particular attention to the laws that apply in the healthcare industry. OIG highlights possible risks associated with payment incentives, such as overutilization for services paid on a volume-sensitive or fee-for-service basis. On the other hand, stinting on care and gaming of performance measure data can occur when payments are made on a capitated basis. Understanding payment structures and their related risks will assist in designing effective audits, detecting problems early, and implementing corrective measures.

Financial Arrangements Tracking

For entities involved in federal healthcare program business, financial arrangements, including those with referral sources and referral recipients, are another area of potential concern. While it is common for organizations to have an established system for vetting and structuring these arrangements, it is also common for the same organizations to fail to monitor ongoing compliance with the terms of the arrangements. Developing an effective and robust arrangements tracking system and regularly auditing this information can help prevent violations and mitigate related liability to noncompliance identified.

Next Steps for Healthcare Organizations

In releasing the GCPG, OIG created a helpful reference guide for healthcare organizations at all stages of compliance program development. While the long-established tenets remain the same, with the Seven Elements of an effective compliance serving as a roadmap for a compliance program, the guidance document elaborates on how the government envisions the implementation of these elements. Finally, and perhaps more importantly, the GCPG provides healthcare organizations valuable insight into the government’s enforcement priorities as well as its ever-increasing emphasis on compliance.