The US Department of Health and Human Services Office of Inspector General (OIG) released on November 6 its General Compliance Program Guidance (GCPG), a helpful new resource for the healthcare industry that consolidates available compliance program guidance in a user-friendly format.

OIG’s introduction of the new GCPG marks the first major update to OIG’s compliance program guidance materials in 15 years. This detailed reference guide for the healthcare industry, posted in a user-friendly format on the OIG’s website, provides overviews of the following:

• Key federal laws, including the Anti-Kickback Statute (AKS), Physician Self-Referral Law (Stark Law), False Claims Act, various civil monetary penalty authorities, federal program exclusion authorities, the criminal healthcare fraud statute, and the Health Insurance Portability and Accountability Act (HIPAA)
• The “seven elements” of an effective healthcare compliance program [1]
• Special compliance program considerations for both small and large entities
• Other compliance considerations related to generally applicable risk areas, including (1) quality and patient safety; (2) new entrants to the healthcare industry (such as technology companies, new investors, organizations providing non-traditional services in healthcare settings (e.g., food delivery, social services, care coordination services), and existing healthcare organizations venturing into new sectors; (3) how to “follow the money” to assess if financial incentives may result in potential compliance issues; and (4) financial arrangements tracking
• OIG’s various compliance resources and processes

BACKGROUND ON GCPG

Since 1998, OIG has released or updated various Compliance Program Guidances (CPGs) focused on specific healthcare industry participants, including hospitals, physician practices, home health agencies, hospices, clinical laboratories, pharmaceutical manufacturers, and third-party medical billing companies.

In April 2023, OIG announced an overhaul of its compliance guidance process based on feedback received through the agency’s request for information related to its Modernization Initiative To Improve Its Publicly Available Resources. OIG previewed that these updates would “moderniz[e] the accessibility and usability” of the CPGs, including by

• publishing all new CPGs directly on OIG’s website (rather than in the Federal Register) and alerting the public of this new guidance through its public listserv and other communication platforms; and
• introducing a new bifurcated format for CPGs—the GCPG, which is generally applicable to all healthcare industry participants and addresses fundamental compliance topics, and separate industry-specific CPGs (ICPGs) that focus on specific healthcare industry participants and ancillary industry subsectors.

Notably, the GCPG, like the historical CPGs that came before it, does not constitute a model compliance program and instead offers voluntary compliance guidance that, OIG notes, is not binding on any individual or entity.

KEY TAKEAWAYS FROM GCPG

The GCPG’s compliance program guidance does not contain substantial new compliance program information but instead largely consolidates existing guidance into a centralized resource that healthcare industry participants may utilize in their voluntary compliance program efforts. OIG highlights that its compliance program guidance reflects more than 25 years of industry feedback, experience in monitoring Corporate Integrity Agreements, and other lessons learned from enforcement actions, investigations, and changes in the healthcare industry generally.

Notable takeaways from the GCPG are as follows:

The GCPG is a thorough but user-friendly resource.

OIG has designed the GCPG to be a “one-stop shop” for healthcare compliance guidance. As anyone involved in healthcare compliance can attest to, the available healthcare compliance guidance materials are seemingly endless—statutes and regulations and related preambles, historical CPGs, OIG Advisory Opinions and Special Fraud Alerts, enforcement action summaries, etc.—and not always easy to identify. Accordingly, the GCPG’s greatest feature, perhaps, is that it organizes the wide array of available compliance resources into one user-friendly primer.

Users can directly navigate the GCPG on OIG’s website or download a PDF version of the guide from the website. When used on OIG’s website or viewed on a computer in PDF format, users can easily click on and access additional hyperlinked resources referenced throughout the GCPG.

Linked resources include both OIG-created resources, as well as guidance from other agencies and organizations (e.g., US Department of Justice guidance on corporate compliance programs, the US Sentencing Commission’s Guidelines, and third-party enterprise risk management guidance). Likewise, the GCPG’s various sections are also internally hyperlinked so that users can more efficiently navigate to relevant information within the guide itself.

OIG has also made the lengthy 91-page GCPG more user-friendly by highlighting key information through helpful formatting. First, OIG has highlighted various “Tips” throughout the reference guide, which are marked with a star icon and appear in large blue text. These Tips provide critical takeaways from the GCPG’s various sections—for example:

Likewise, OIG flags “What to Do if You Identify a Problem” with exclamation point icons and provides information on how to remediate identified issues, including through the use of its Health Care Fraud Self-Disclosure Protocol or the Centers for Medicare and Medicaid Services’ Voluntary Self-Referral Disclosure Protocol, in each case providing relevant links.

OIG highlights other key language through user-friendly use of bold text throughout the GCPG.

Additionally, the GCPG also provides a number of useful lists. For example, the AKS subsection includes a detailed checklist of key questions to consider in reviewing potentially problematic arrangements.

Similarly, for the Stark Law, OIG provides a list that breaks down the six elements of analyzing an arrangement under this complex law, along with a list of examples of referrals that are likely to be prohibited.

The GCPG includes other useful lists throughout, including common compliance risk areas, primary responsibilities of the compliance officer and Compliance Committee, suggested compliance program training topics, ideas for how to provide compliance-related education outside of annual trainings, what information should be included in an internal investigation record, and examples of violations that are serious enough to warrant immediate government notification, among others.

OIG reemphasizes that its compliance guidance is not ‘one size fits all.’

OIG notes that the GCPG and forthcoming ICPGs are meant to serve as resources for the healthcare industry, but “are not intended to be one-size-fits-all, completely comprehensive, or all-inclusive of compliance considerations and fraud and abuse risks for every organization.”

Accordingly, while most of the guidance in the GCPG is generally applicable to all healthcare industry participants, OIG highlights areas where organizations will need to fine-tune their own compliance programs. For example, OIG encourages organizations to develop and require trainings and implement auditing and monitoring activities targeted to the specific risks of the organization’s business (including those identified through prior investigations and audits) and role in the healthcare delivery system. OIG also notes that compliance program leaders must “devote time, thought, and creativity to the compliance activities that the entity would like to incentivize.”

Notably, the GCPG includes a dedicated section discussing possible compliance program modifications for small and large entities, respectively. OIG highlights that entities of all sizes “should think about how to right-size their compliance program to meet their entity’s needs.”

OIG recognizes the challenges faced by small and large organizations, respectively—such as financial and staffing constraints for the former, and the complexities of ensuring compliance across a statewide, nationwide, or international enterprise for the latter—in providing this guidance on how to tailor an organization’s compliance program.

The GCPG encourages a strong ‘tone from the top’ and an accessible culture of compliance.

In discussing compliance program best practices in the GCPG, OIG emphasizes the importance of an organization’s leadership, including the Chief Executive Officer (CEO) and board of directors, setting and enforcing strong compliance expectations. In one of its Tips, OIG highlights that “CEOs can demonstrate their embrace of the organization’s commitment to compliance with a signed introduction” in the organization’s code of conduct, and that board members may similarly wish to include a signed endorsement or statement.

OIG also recommends that CEOs and boards “regularly convey the importance of, and their interest in…Compliance Committee responsibilities and participation.” Additionally, OIG encourages each Board of Directors to “take every opportunity to communicate to each of its audiences its commitment to compliance,” including company leaders and personnel, owners and shareholders, customers and patients, government healthcare programs and other payors, and the general public.

The GCPG also emphasizes accessibility and inclusion in developing compliance program materials. OIG notes that Compliance Committees should ensure that compliance training materials are accessible for all users. “For example, if an entity has a culturally diverse staff, training materials may need to be available in several languages.”

Likewise, the GCPG suggests that compliance officers may periodically survey personnel on preferred communication styles “to ensure that diverse personnel (including personnel of different generations and communication preferences) have familiar means of communicating with the compliance officer.”

The GCPG encourages private equity investors to scrutinize financial incentives.

OIG specifically recognizes the growing importance of private equity and other forms of private investment in healthcare, explaining that “entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws and that they are delivering high quality, safe care for patients.” Private equity firms and other investors should interpret this guidance as an opportunity to evaluate healthcare entities’ existing compliance programs during the due diligence process and to continue to monitor the entities’ compliance programs after the initial investment, including attention to fraud and abuse laws.

Investors in the healthcare market must take steps to understand the implications of federal fraud and abuse laws on operations, ownership, and incentive structures that are critical to maintaining ongoing regulatory compliance.

New players in the healthcare industry must also adhere to OIG’s compliance guidance.

As the healthcare system evolves, new players within the industry, “such as technology companies, new investors, organizations providing non-traditional services in healthcare settings (e.g., food delivery, social services, care coordination services), and existing healthcare organizations venturing into new sectors” must pay attention to the need to develop tailored and robust compliance programs.

OIG makes clear in the GCPG that new entrants are not excluded from scrutiny, and new players should consider how they build an appropriate compliance program as a condition to entry into the industry.

After a 15-year pause in OIG’s CPG development, healthcare providers and other industry participants should welcome OIG’s introduction of the thorough, well-organized GCPG. While this new resource generally does not appear to materially change existing compliance guidance, it does repackage available resources into a centralized, easily navigable reference guide. It also provides insight into OIG’s current thinking on more mature and effective compliance program processes.

Accordingly, the GCPG should serve as a streamlined starting point for understanding applicable laws and compliance program best practices for healthcare industry participants.

WHAT’S NEXT FROM OIG?

OIG notes that it anticipates updating the GCPG as warranted by changes in compliance practices or legal requirements. Consistent with its April announcement, OIG reiterated that it expects to release the first ICPGs in 2024.

OIG previously stated that the first ICPGs will focus on Medicare Advantage and nursing facilities. These guidance documents will be more narrowly tailored than the GCPG, providing fraud and abuse law compliance pointers relevant to particular providers, suppliers, and other participants in healthcare or ancillary industry sectors.

Similar to the GCPG, OIG plans to update the ICPGs as needed to address newly identified areas of risk and corresponding compliance considerations.

[1] Each of the seven elements—(1) written policies and procedures; (2) compliance leadership and oversight; (3) training and education; (4) effective lines of communication with the compliance officer and disclosure program; (5) enforcing standards: consequences and incentives; (6) risk assessment, auditing, and monitoring; and (7) responding to detected offenses and developing corrective action initiatives—are addressed in detail in the GCPG.

[View source.]