On Nov. 6, the Department of Health and Human Services Office of Inspector General (OIG) released a document entitled “General Compliance Program Guidance” (GCPC or the Guidance), the first new compliance guidance the OIG has released in 15 years.
Prior to the release of the Guidance, the OIG promulgated compliance guidance for specific industry sectors (e.g., physician practices, hospitals, etc.) and other organization types (e.g., research grant recipients). In addition, during the intervening years since the OIG’s most recent industry-specific guidance, additional details and information were released via Federal Register issuances, Advisory Opinions, and Special Fraud Alerts, as well as other less formal means. The Guidance is the OIG’s attempt to unify the structure and function of compliance programs across the industry, regardless of sector. While promulgated rules, Advisory Opinions, and Special Fraud alerts identify and discuss specific patterns, arrangements, and situations that are problematic in the OIG’s eyes, the Guidance is different—it is meant primarily as a tool to teach organizations how to build an effective compliance program internally. The OIG cautions that the Guidance should not be treated as a model program. While the OIG identifies it as voluntary guidance, health care organizations should anticipate that the Guidance may be used as a yardstick in the future to measure an organization’s commitment to compliance.
While the Guidance was released recently, many in the industry may already be familiar with much of its substance. First, the GCPG briefly reviews key health care regulations such as the federal anti-kickback statute, the Stark Law, the OIG’s exclusion authority, and the False Claims Act. Second, it discusses the seven elements of an effective compliance program:
1. | Written policies and procedures |
|
2. | Compliance leadership and oversight |
|
3. | Training and education |
|
4. | Effective lines of communication and disclosure programs |
|
5. | Self-enforcement (i.e., the disciplinary process) |
|
6. | Risk assessment, auditing, and monitoring |
|
7. | Investigations and corrective actions (including self-disclosures to the government) |
The OIG released these seven elements in 1998 in its original compliance guidance for hospitals and has consistently reiterated them since then.
Next, recognizing that organizations have different needs and resources, the OIG describes ways that small and large organizations can adapt the Guidance to fulfill their functions.
Finally, the Guidance discusses more general considerations not often covered in OIG guidance (e.g., patient safety and quality of care), as well as other OIG resources that organizations can use in measuring their compliance.
While the Guidance is meant to be applicable to all types of health care organizations, the OIG has announced its intention to continue issuing industry-segment-specific compliance program guidance starting in 2024, and that such guidance will be “updated periodically.”
The Guidance is an opportunity for providers of all sizes, shapes, and types to reevaluate their compliance functions and assess how they measure up to OIG standards. Providers should also anticipate forthcoming industry-specific guidance that may be applicable to both providers themselves and other parties with whom the providers share an arrangement.