In late April this year, the Office of Inspector General, Department of Health and Human Services (OIG) announced that it would make changes to its existing body of healthcare compliance program guidance (CPGs) as part of its current Modernization Initiative.[1] These CPGs were directed at various segments of the health care industry and provided specific guidance on risks posed by industry practices. To kick off the initiative, OIG indicated that it would first issue a new general compliance program guidance (GCPG) by year end applicable to individuals and entities in all segments of the health care industry that would address overarching compliance elements regarding federal fraud and abuse laws, compliance program basics, compliance program effectiveness and general process and procedures. Thereafter, OIG said it planned to update existing industry-specific compliance program guidance (ICPG), which would include tailoring each to address fraud and abuse risk areas specific to a particular industry and describing the compliance measures that industry could take to reduce these risks[2].
On November 6, 2023, OIG finally published the GCPG on its website[3]. The GCPG provides information about relevant federal laws, compliance program infrastructure, OIG resources and other general information useful to the health care compliance community. The GCPG is presented in a new format that is easy to read and includes links to OIG documents, reference citations and other helpful resources. The document is divided into the following six sections: Introduction, Health Care Enforcement and Other Standards: Overview of Certain Federal Laws, Compliance Program Infrastructure: The Seven Elements, Compliance Program Adaptations for Small and Large Entities, Other Compliance Considerations, and OIG Resources and Processes.
As illustrated in this blog post, GCPG is a valuable resource for both new and experienced professionals working both within and in support of organizations in the health care industry. It represents a compilation of OIG’s past guidance regarding basic compliance practices across a wide spectrum of industries and includes new guidance based upon lessons learned from negotiating and monitoring corporate integrity agreements and from enforcement actions and investigations. Moreover, the GCPG includes tips, best practices and links to a variety of resources, including advisory opinions, special fraud alerts, bulletins and reports, compliance toolkits and corporate integrity agreements. Bottom line—the GCPG should be required reading for legal and compliance professionals working within and alongside industries impacted by the GCPG.
I. Introduction
As set out by OIG in the Introduction section of the GCPG, its decision to update existing CPGs was based upon a recognition that the health care industry regards CPGs to be an important resource. As a result, OIG decided to improve and update the CPGs to reflect its current thinking and approach to preventing fraud and abuse in the health care industry.
All of the new ICPGs will be more user-friendly, be posted on the OIG website to allow for greater flexibility for more frequent revisions, and include interactive links to resources. OIG has established an email inbox at Compliance@oig.hhs.gov where industry feedback can be submitted; an email inbox at exclusions@oig.hhs.gov for questions regarding exclusions, and an email inbox at Public.Affairs@oig.hhs.gov for questions of a general nature.
Of course, OIG emphasizes that existing CPGs, as well as the GCPG and the upcoming ICPGs continue to be voluntary in nature and are meant to be used as a guide by organizations in the healthcare industry as they develop and implement compliance programs. But this does underscore OIG’s dedicating an entire section of the GCPG to compliance program adaptations for small and large entities, and that truly, there is no “one size fits all” measuring stick.
II. Health Care Fraud Enforcement and Other Standards: Overview of Certain Federal Laws
This section includes summaries of key federal health care laws that may apply to individuals and organizations involved in the provision of health care, including the i) Federal Anti-Kickback Statute, ii) Physician Self-Referral Law, iii) False Claims Act, iv) Civil Monetary Penalty Authorities, v) Exclusion Authorities, vi) Criminal Health Care Fraud Statute and vii) HIPAA Privacy and Security Rules. OIG emphasizes that the summaries are not meant to establish or interpret any program rules or regulations, but rather to create awareness and provide tools and resources to aid compliance efforts.
In discussions of certain laws, OIG also provides i) examples of possible prohibited conduct, ii) Key Questions to ask when assessing whether proposed business arrangement raise issues, iii) references to resources such as the Health Care Fraud Self-Disclosure Protocol to consult when problems have been identified, and iv) tips for assessing activities that may implicate more than one law.
III. Compliance Program Infrastructure: The Seven Elements
The largest section of the GCPG on Compliance Program Infrastructure reinforces and provides explanatory narrative around the seven elements of an effective compliance program, including i) written policies and procedures, ii) compliance leadership and oversight, iii) effective lines of communication with the Compliance Officer and Disclosure Program, iv) enforcement of standards and consequences and incentives, v) risk assessment, auditing and monitoring, and vii) responding to non-compliance and developing corrective actions.
Of particular significance is the guidance pertaining to the role of a Compliance Officer. OIG confirms that the Compliance Officer should i) report either to the chief executive officer (CEO) of the organization with direct access to the board or directly to the board, ii) have equal stature to other senior leaders, and iii) be an advisor to the CEO, the board and senior leaders on compliance risks facing the company. To ensure the independence of a Compliance Officer, the CPGC specifically states that the Compliance Officer should not “lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does.” [4] This ensures the independence of the Compliance Officer to identify and advise on how to mitigate risks.
Other important points to note include the following guidance, some of which derives from corporate integrity agreements negotiated over the years:
- A compliance committee member’s attendance, participation and contributions should be included in the member’s performance evaluation.
- Companies should identify the compliance activities they want to incentivize and incorporate incentives such as additional compensation, recognition or other forms of encouragement into the company’s compliance program.
- Formal risk assessments should be conducted at least annually and incorporate the use of data analytics to identify compliance risk areas, where possible.
- A company should promptly notify the appropriate agency if it discovers credible evidence of misconduct that may violate criminal, civil, or administrative law.
This section also includes examples, tips and links to supporting resources interspersed throughout each section and description of the seven elements.
IV. Compliance Program Adaptations for Small and Large Entities
As noted above, recognizing that one size of a compliance program may not fit all companies, OIG includes guidance on how smaller organizations, with limited resources, can implement a compliance program that meets the seven elements of a compliance program. The GCPG endorses the concept of flexibility for small company compliance programs that may include use of a compliance contact position rather than a full or part-time compliance officer, reliance on templates for policy and procedure development and consultants or professional organizations for training activities.
For larger organizations, compliance officers most likely will require support from personnel with a variety of skills and knowledge in order to oversee and direct the compliance program. The compliance officer should meet periodically with the company’s board of directors to evaluate whether the current composition of the compliance department and associated compliance personnel is adequate to meet the needs of the organization. For large organizations that operate in the United States but are owned or controlled by a non-U.S. parent, the board of the U.S. organization should ensure that the parent board is provided with sufficient information about the applicable U.S. laws, Federal health care program requirements, and the compliance risks presented by the operation of the U.S. organization.
V. Other Compliance Consideration
OIG identifies several risk areas that may not fall within a company’s health care compliance program and lays out some important compliance considerations. For instance, OIG recommends that oversight of quality and patient safety activities be incorporated into a company’s compliance programs and that an organization’s board should require regular reports on compliance in these areas from the responsible senior leadership. OIG also recommends that organizations evaluate financial arrangements (such as ownership interests, incentive structures, and transactional agreements between referral sources and referral recipients) that may create compliance risks to ensure compliance with Federal fraud and abuse laws and to ensure that appropriate auditing and monitoring of these activities are implemented to identify and mitigate risks.
VI. OIG Resources and Processes
This section includes links to all of the resources available on the OIG website, including CPGs, advisory opinions, special fraud alerts, safe harbor regulations, compliance toolkits, OIG reports and publications, corporate integrity agreements, self-disclosure information and access to OIG’s hotline. Further, OIG has implemented an FAQ process to provide informal feedback to the health care community on various topics.
FOOTNOTES
[1] 88 Fed. Reg. 25000 (April 25, 2023).
[2] Id. Individual GCPs were developed for i) hospitals, ii) home health agencies, iii) clinical laboratories ; iv) third-party medical billing companies; v) the durable medical equipment, prosthetics, orthotics, and supply industry; vi) hospices; vii) Medicare Advantage (formerly known as Medicare+Choice) organizations; viii) nursing facilities; ix) physicians; x) ambulance suppliers; and xi) pharmaceutical manufacturers. OIG anticipates publishing the first ICPGs to address Medicare Advantage and nursing facilities in 2024.
[3] U.S. Department of Health and Human Services, Office of Inspector General, General Compliance Program Guidance, November 2023, https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.
[4] Id. at 39.