The Office of Inspector General of the U.S. Department of Health and Human Services (OIG) on Nov. 6, 2023, issued new General Compliance Program Guidance (GCPG) as a reference guide for the healthcare compliance community. This resource is the first-ever comprehensive compliance program guidance that would apply across all healthcare stakeholders, including traditional healthcare providers and facilities, as well as managed care plans, pharmaceutical manufacturers and contracted service providers. For years, the healthcare compliance community needed to piece together applicable requirements and best practices in the development of their compliance programs, relying on guidance that may have been intended for different types of healthcare entities or drawing from more general guidance included, for example, in the U.S. Sentencing Guidelines that apply to any business organization. The GCPG is the first step in OIG's efforts, as announced on April 24, 2023, to improve and update existing compliance guidance that was directed toward only certain sub-industry healthcare sectors and, in some cases, had not been updated in 25 years. It is expected that OIG will issue further compliance guidance targeted toward specific segments of the healthcare industry and healthcare entities that have emerged in recent years. In the meantime, the GCPG is an important and long-awaited resource that enables healthcare entities of all sizes and types to build and promote effective compliance programs.

Top 10 Insights

Below are our top 10 insights and key takeaways from the GCPG, including observations as to how it compares to or differs from other types of compliance program guidance previously issued by OIG and other agencies.

1. A One-Stop Shop. The GCPG is a true user's guide for legal, regulatory and compliance personnel that is worth a detailed read. Both the online and PDF versions of the GCPG include helpful hyperlinks that will allow users to access an assortment of other guidance that OIG and other government agencies and industry organizations have issued, including the OIG work plan, self-disclosure protocols, compliance program effectiveness checklists, compliance risk assessment frameworks and other resources. Though all these materials have been made publicly available for years, the GCPG provides better context for users on when it may be helpful to refer to these resources and how the referenced tools may be deployed.
2. Voluntary Guidance. OIG emphasizes that the GCPG is completely voluntary guidance and is not binding on any individual entity. The resource is "not intended to be one-size-fits-all, completely comprehensive, or all-inclusive of compliance considerations and fraud and abuse risks for every organization." OIG uses the term "should" instead of "must" throughout the guidance, which differs from CMS' approach in its Compliance Program Guidelines of the Medicare Managed Care Manual and Prescription Drug Benefit Manual that delineate where certain actions "must" be taken because they are required by law or regulations, as opposed to recommended best practices that "should" or "may" be implemented with Medicare Advantage and Part D plans. Nevertheless, the GCPG is intended to describe best-in-class compliance processes and procedures, so as healthcare entities evaluate this guidance, they should consider why a specific deviation from the GCPG may be necessary or how to justify that a particular best practice is not well-suited for the organization's business or operations.
3. Inclusion of Quality and Patient Safety. OIG provides additional new insight into how the monitoring of quality and patient safety should be factored into a healthcare entity's compliance program. OIG correctly observes that many organizations treat quality and patient safety as separate and distinct from compliance and that quality and patient safety are not often included as areas of focus in compliance programs. However, OIG now states expressly that healthcare entities should incorporate quality and patient safety oversight into their compliance programs in order to alert the organization of quality and patient safety concerns and enable the organization to mitigate the risk of patient harm. Healthcare entities should ensure their compliance committees include members responsible for quality assurance and patient safety and that they receive regular reports on quality and patient safety, as well as the adequacy of patient care, where applicable. The compliance committee also should establish and implement a program for performing quality audits and reviews and participate in the assessment of staffing for clinical services to ensure quality and patient safety compliance risks are addressed along with any other compliance risk areas. This clinical quality and patient safety focus will require a strong and productive collaboration between compliance and clinical and quality leadership and potential fine-tuning of internal functions and responsibilities in connection with clinical performance.
4. Interpretation of Fraud, Waste and Abuse Laws. The GCPG includes a separate section that summarizes key healthcare fraud, waste and abuse laws in a clear, succinct and accessible way. Though the guidance does not detail all the intricacies involved in a legal analysis of a given arrangement with respect to these laws, OIG includes checklists and key questions to equip organizations in better identifying potentially problematic arrangements. For example, the guidance lists key questions that should be considered when evaluating an arrangement under the federal Anti-Kickback Statute (AKS), such as the nature of the relationship between the parties, how the parties were selected, the determination of remuneration, the nature and value of the services and other considerations. Again, all of these factors can be gleaned from an assortment of OIG advisory opinions and other previously issued OIG guidance, but they are consolidated in a user-friendly checklist that may assist legal and compliance teams in compiling facts and circumstances necessary for a detailed legal and compliance review. Other sections include helpful explanations of concepts that were not specifically addressed before in OIG compliance guidance, such as the overlap between the AKS and the prohibition against beneficiary inducements under the Civil Monetary Penalties Law, as well as new laws such as the information blocking rules under the 21st Century Cures Act.
5. Common Compliance Risk Areas. OIG highlights common risk areas for healthcare entities, including billing and coding, sales and marketing, quality of care, patient incentives, and arrangements with physicians, providers, vendors and other potential sources or recipients of referrals of healthcare business. The GCPG also emphasizes the need to continually scan for unidentified and new risks to an organization by monitoring for legal and regulatory changes, enforcement actions, OIG work plan developments and audit and investigation results in light of new entity acquisitions, strategies and initiatives. OIG also notes that material violations of applicable law may occur even without a monetary loss to the government and that the "existence, or amount, of a monetary loss to a federal health care program is not solely determinative of whether or not a violation has occurred." Healthcare entities often assess financial impacts to their own business and to the government to determine potential risks and liabilities of a given incident, but OIG emphasizes that corrective action and reporting may still be necessary "to protect the integrity of the applicable program and its enrollees."
6. Role of the Compliance Officer. The GCPG reiterates the importance of the role of the compliance officer and details the responsibilities and expectations of this position. Although this has been referenced before in other guidance, OIG notes specifically that "the compliance officer should not lead or report to the entity's legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does." Even where OIG acknowledges that the size of an organization may not merit a full-time or part-time dedicated compliance officer, it still recommends that the compliance contact "not have any responsibility for the performance or supervision of legal services to the entity, and, whenever possible, [ ] not be involved in the billing, coding or submission of claims." Many healthcare organizations allow compliance officers to reside within their legal departments or assign a compliance function to the legal team, but perhaps out of concern of legal privilege issues OIG continues to recommend the separation of these roles. Healthcare entities that may not be able to staff their legal and compliance teams in accordance with OIG's recommendations should still make every effort to ensure direct and open lines of communication with senior leadership and the board and to take other steps to preserve the integrity of the compliance function.
7. Carrots, Not Just Sticks. In a departure from previous guidance and the emphasis on disciplinary standards under Element V of the traditional seven elements of an effective compliance program, OIG has reworked its approach to promote the use of incentives for participation in the organization's compliance program, rather than solely the use of consequences for noncompliance. This new concept advocates for the use of creative ways to incentivize, for example, an achievement of compliance goals or actions that reduce compliance risk, or to reward performance of compliance activities outside of the individual's job function, such as mentoring colleagues on compliant conduct or serving as a compliance representative within their department or team. The incentive can be the basis for additional compensation, significant recognition or other, smaller forms of encouragement. At the same time, OIG warns that incentive plans generally should be reviewed to ensure that they can be achieved while operating in an ethical and compliant manner. For example, the compliance function should assess whether a sales target or admission goal could encourage risky or noncompliant behavior to improperly increase referrals or utilization, or if there could be other unintended consequences such as falsifying documents or covering up incidents that would hinder the achievement of set goals. It remains to be seen if this reworked concept under Element V will be similarly adopted by CMS in its Medicare Advantage and Part D compliance program guidance and by other government agencies.
8. Adaptations for Small Entities. OIG has always acknowledged the ability to "right-size" a compliance program based on the size and type of the healthcare organization. However, the GCPG provides much more specific and detailed guidance on which features could be traded off or not when implementing a customized compliance program. In addition to the compliance officer recommendations discussed above, OIG continues to emphasize the importance of routine auditing and monitoring and the need to perform exclusion and debarment checks, including against the OIG List of Excluded Individuals and Entities (LEIE), even at smaller organizations. OIG does appear to accommodate, though, how policies and training programs can be prepared and deployed within an organization and that a confidential compliance hotline that serves as the gold standard for any compliance reporting mechanism can be replaced with an "open door" policy and other accommodations that would still foster effective lines of communication. Another interesting observation is that though OIG references the importance of monthly exclusion and debarment checks in other sections of the GCPG, here OIG does not specifically mention monthly screenings – a frequent pain point for smaller organizations. Instead, the guidance just references the need for "routine monitoring" of the LEIE, state exclusion lists and provider licensure and certification status.
9. Nontraditional Service Providers. OIG's compliance guidance for vendors and nonprovider entities previously has been limited, save for the compliance program guidance for third-party medical billing companies dated Dec. 18, 1998. Most subcontractors, vendors and service providers have designed their compliance programs based on Medicare Advantage and Part D requirements for first-tier, downstream and related entities and were guided by the compliance efforts of their contracted managed care plans and intermediaries. The GCPG now provides guidance that applies to these entities as well. OIG specifically acknowledges new entrants into the healthcare ecosystem such as technology companies (established and startups), new investors and nontraditional service providers in healthcare settings for social services, care coordination and food delivery. OIG acknowledges that these new entrants may be unfamiliar with healthcare compliance standards and recognizes that what may have been perfectly acceptable conduct in other industries create risks in the healthcare sector. The guidance urges companies to use the GCPG to better familiarize themselves with healthcare compliance standards and best practices.
10. New Players and Trends. The GCPG includes new content that acknowledges the changing players and business models in the healthcare space. OIG specifically addresses private equity ownership, a concept that would not likely have been included even a few years ago. Healthcare organizations, including their investors and governing bodies, should "carefully scrutinize their operations and incentive structures to ensure compliance" with fraud, waste and abuse laws and to ensure patient quality of care. Investors that provide management services or a significant amount of operational oversight over and control in a healthcare entity must be especially familiar with the applicable laws and the role of an effective compliance program. In addition to new participants, OIG references healthcare entities entering into new industry areas, where providers are now offering managed care plans or healthcare technology. These organizations should be aware of new risk areas and familiarize themselves with applicable requirements for any new lines of business. Finally, as payment structures shift from fee-for-service to capitated arrangements and value-based care, compliance personnel must understand any heightened risks associated with these reimbursement models, including the possible stinting on care or discriminating against high-risk and high-cost patients or the gaming of data to qualify for performance-based payments. All such entities, and their investors or owners, should fully understand these payment incentives and related risks.

The release of the GCPG should help provide even better clarity and direction for healthcare entities to ensure that they have effective compliance programs and safeguards in place.