On November 6, 2023, the Office of Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) issued new General Compliance Program Guidance (“GCPG”) for members of the health care compliance community and other health care stakeholders. Since the release of its first compliance program guidance (“CPG”) for hospitals in 1998, OIG has developed a series of voluntary CPGs directed at various subsets of the health care industry, such as hospitals, nursing homes, third-party billing companies, clinical laboratories, among many others. These CPGs were designed to encourage entities to develop and implement internal monitoring controls to assure adherence to applicable statutes, regulations, and compliance program requirements.
The GCPG is the first of many CPGs expected to be released by OIG in the coming years. Beginning in 2024, OIG plans to publish industry segment-specific CPGs (“ICPGs”) for a variety of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to the federal health care programs. These ICPGs will address fraud and abuse risk areas for each specific industry subsector and compliance measures that can be taken to reduce fraud and abuse risks. OIG plans to periodically update these ICPGs to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance. Once issued, the ICPGs will replace OIG’s existing CPGs and supplemental CPGs. However, the existing CPGs will still be archived on OIG’s website.
The GCPG applies to all individuals and entities involved in the health care industry and discusses key aspects of general compliance risks and compliance program infrastructure for health care entities. More specifically, it addresses (i) key federal authorities for entities engaged in health care business; (ii) the seven elements of a compliance program; (iii) adaptations for small and large entities; and (iv) other compliance considerations, OIG processes and resources. OIG reiterates that the GCPG, like its existing CPGs, does not constitute a model compliance program; it is not designed to be one-size-fits-all or all-inclusive of compliance and risk considerations for every health care organization.
Key Highlights of the GCPG
Much of what is covered in the GCPG is not new to the health care compliance industry. Many of the compliance program provisions in the GCPG reinforce best practices and recommendations from previous CPGs, as well as insights learned from Corporate Integrity Agreements (“CIAs”) and various other OIG guidance. Below we provide some of the compliance guidance memorialized in the GCPG:
1. Compliance Officers
A concept largely required in CIAs, OIG is now addressing the reporting relationship of the compliance officer. Specifically, the entity’s compliance officer should not (i) lead or report to the entity’s legal or financial functions, (ii) provide the entity with legal or financial advice, or (iii) supervise any employees who do. This has been a concept long-included in CIAs but often questioned by health care entities not subject to a CIA. The belief was that the CIA requirements were more stringent for an entity that found themselves in violation of the federal health care programs. Now, OIG is providing more direct guidance on the compliance reporting structure for all health care entities—not just those under a CIA. The OIG also reconfirmed that the compliance officer should report either to the CEO with direct and independent access to the organization’s governing board or to such governing board directly, and have sufficient stature within the entity to interact as an equal to other organizational senior leaders.
2. Compliance Committees
OIG has also updated the purpose of the compliance committee by expanding its role from merely “advising” to “aiding and supporting” the compliance officer in implementing, operating, and monitoring the compliance program. OIG’s expectation is that compliance committees are active participants in an organization’s compliance activities rather than mere bystanders. Additionally, OIG suggests that compliance committees of large organizations may benefit from creating subcommittees to provide both support to the compliance officer and oversight of the compliance committee.
3. Risk Assessment
Another concept largely seen in CIAs, OIG more formally recommends health care entities conduct annual compliance risk assessments. As OIG monitors have stressed to entities under CIAs, OIG’s expectation is that the compliance committee is responsible for implementing the risk assessment process. As compliance committees are comprised of a cross-section of the organization, that body is best equipped to represent the organization and evaluate the risk areas.
4. New Terms
OIG has identified “senior leadership” as an additional category of individuals to which the compliance officer shall advise on compliance risks and the operation of a compliance program. OIG defines senior leadership as “the group of leaders who report directly to the executive leading the entity, usually the CEO.”
OIG has also introduced the concept of a “relevant individual” for purposes of explaining to whom compliance processes and procedures apply. OIG defines a relevant individual as “a person whose responsibilities or activities are within the scope of the code, policy, or procedure [and] could include employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, or people in other roles, or a subset of the above.” OIG suggests that each entity determine for itself who their relevant individuals are, as it will vary by organization.
5. Quality and Patient Safety Considerations
OIG highlights the integral role that quality and patient safety play in the work of HHS and other federal agencies and notes that quality and patient safety are often treated as wholly separate and distinct from compliance. To bridge this gap, OIG suggests that health care entities incorporate quality and patient safety oversight into their compliance programs. Thus, OIG is recommending that the organization’s governing board require regular reports from senior leadership and the compliance officer on the (i) system of internal quality controls; (ii) quality assurance monitoring; (iii) patient safety; and (iv) patient care.
6. Adaptations for Small and Large Entities
OIG recommends that small and large entities thoughtfully consider how to size and structure their compliance program to meet their organization’s specific needs.
OIG outlines ways that small entities can implement a compliance program that adheres to the seven elements (even with limited resources). For example, OIG recommends that small entities lacking the financial or administrative ability to support a compliance officer on either a full-time or part-time basis consider appointing one individual as the entity’s compliance contact and have that person be responsible for ensuring all compliance activities are completed.
For large entities, on the other hand, OIG not only expects that they have a compliance officer but that they should create a department of compliance personnel with a variety of skills to contribute to the implementation and monitoring of the compliance program.
7. Accessibility
To make its guidance more “user friendly and accessible,” OIG will no longer publish updated or new CPGs in the Federal Register. All current, updated, and new CPGs will be available on the OIG website with interactive links to resources. The GCPG outlines the various resources that OIG makes available to assist providers and other health care entities in their efforts to develop effective compliance programs and address fraud and abuse risks. Many of the links to resources are tried and true, but OIG has also included some newer additions.
8. New Entrants in the Health Care Industry
OIG acknowledges that the health care industry is witnessing an increased number of “new entrants” (technology companies, new investors, organizations providing non-traditional services in health care settings, etc.) that are often unfamiliar with the complex regulations and constraints that apply within the health care sector. OIG suggests that new entrants take proactive steps to ensure that they, and any business partners, possess a robust understanding of the federal fraud and abuse laws and the essential role an effective and efficient compliance program plays in “preventing, detecting, and addressing potential violations.”
Key Takeaways
OIG has spent a great deal of time and effort creating the GCPG, so it will likely be considered “THE” primary resource and the minimum standard for compliance programs moving forward. We recommend each organization, either with existing compliance programs or those in the developmental stage, comprehensively review the GCPG and reference it when assessing whether your current program conforms with OIG’s expectations. For so long, CIAs have been viewed as the gold standard in setting forth the OIG compliance program expectations. Now that so many of the concepts from CIAs are present in the GCPG, it would behoove any organization to reevaluate their compliance program to ensure it is aligned with the GCPG and any forthcoming recommendations from OIG.
Last, but not least, since OIG intends to keep the GCPG current and reflective of the needs of the industry and welcomes any feedback from industry stakeholders related to general compliance considerations and risk areas, we recommend that health care entities submit questions and comments to the OIG at Compliance@oig.hhs.gov.
For more information on OIG guidance and compliance program matters, please contact:
- Ritu Kaur Cooper at (202) 370-9584 or rcooper@hallrender.com;
- Katherine Kuchan at (414) 721-0479 or kkuchan@hallrender.com;
- Scott Taebel at (414) 721-0445 or staebel@hallrender.com;
- Jemalyn Harvey at (202) 780-2990 or jharvey@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
