HHS OIG Unveils First New Compliance Program Guidance for Health Care Stakeholders Since 2008

The Big Picture

Many health care stakeholders have long relied on the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) guidance regarding an effective compliance program when developing their own compliance programs, especially when contracts and less prescriptive federal and state laws mandate that such stakeholders have a compliance program. Even those stakeholders not technically required to have a compliance program often adopt them, as they are seen as a standard and best practice.

On November 6, the OIG released its General Compliance Program Guidance (GCPG), a generally applicable reference guide for health care industry stakeholders to use in building, implementing and evaluating their compliance programs;¹ the GCPG represents the OIG’s first comprehensive update to compliance program guidance documents (CPGs) in over 15 years. These updates are a core part of the OIG’s Modernization Initiative To Improve Its Publicly Available Resources and reflect health care industry trends, input that the OIG has collected regarding its CPGs, and the OIG’s decades of experience initiating investigations and enforcement actions and monitoring corporate integrity agreements.

GCPG Overview and Takeaways

The OIG notes that the GCPG’s contents can apply to all health care industry stakeholders but that the guidance is voluntary, non-binding and not intended to represent a comprehensive, all-inclusive, one-size-fits-all approach to health care compliance. Rather, these resources are intended to provide guidelines and tips to aid stakeholders in identifying and addressing compliance risks when establishing or updating their compliance programs.

The GCPG elaborates on the seven elements of an effective compliance program that have long formed the core of the OIG’s compliance guidelines and recommendations. It also describes deviations from the seven elements that may be appropriate for stakeholders with certain attributes and other new or notable considerations of which compliance professionals should be aware. The GCPG provides compliance program tips, concrete indicators of success and a list of questions to help flag potential compliance issues.

The following are eight key takeaways from the GCPG:

1. Roles of the Compliance Officer vs. the Compliance Committee:Throughout the GCPG, the OIG delineates what it believes to be appropriate roles and responsibilities for a compliance officer, and separately for a compliance committee, as well as describes the relationship between the two. The OIG describes the compliance officer as the leader of the compliance department, who reports directly to the board and is responsible for implementing compliance program initiatives, whereas the compliance committee is framed as more of a behind-the-scenes brain trust that works in collaboration with the compliance officer in identifying compliance priorities and evaluating the effectiveness of the compliance program. Of note, the GCPG provides direction for how compliance officers might structure compliance departments to effectively manage compliance across an organization with multiple service lines and/or several disparate locations.
2. Focus on Risk Assessments: The OIG highlights the importance of conducting risk assessments (at a minimum annually) to ensure that compliance programs are addressing current compliance risks, as well as adjusting to new and emerging compliance risks. The OIG recommends that risk assessments consider information gathered from internal and external sources to form a comprehensive risk profile of the entity, and that, when appropriate, joint risk assessments spanning entity functions (e.g., audit, quality, compliance and risk management) may be appropriate tools to reduce resource costs associated with risk assessments. Notably, the OIG states that the compliance committee (and not the compliance officer) should be charged with performing or coordinating risk assessments.
3. Quality and Patient Safety as Compliance Priorities: The OIG notes that evaluating quality of care and patient safety are integral components of compliance programs and high priorities for both the OIG and the Department of Justice. While both topics have been omitted from many stakeholders’ compliance programs in the past, putting them front and center in the GCPG indicates that the OIG expects them to be included going forward, especially for hospitals, long-term care facilities and other providers operating in residential settings.
4. Board Involvement in Compliance Oversight: The GCPG calls attention to the critical role boards play in overseeing compliance functions, making clear that boards are not merely passive actors in fostering and ensuring organizational compliance. The OIG addresses how board functions might differ between small and large entities, such as large entities having boards with separately chartered committees for auditing and compliance oversight. The OIG also mentions considerations for boards of multinational entities whose board members might be less familiar with U.S. health care law and compliance standards.
5. Incentives as Tools for Fostering Compliance: The GCPG calls for use of both proverbial carrots and sticks to ensure compliance across an organization. While disciplinary action is an expected consequence of noncompliance, the OIG recommends that entities use incentives (financial and other) to drive compliance or reward compliance-enhancing activities. The OIG encourages the compliance officer and the compliance committee to devote time, thought and creativity to the compliance activities and contributions that the entity would like to incentivize.
6. Non-Retaliation Policies as Key Components of Compliance Programs: The OIG recommends throughout the GCPG that entities implement and publicize non-retaliation policies that establish protections from retribution for personnel who in good faith report noncompliance. Previous iterations of CPGs did not give much attention to the importance of non-retaliation policies, which are essential tools for fostering a culture of compliance and, in some cases, are required by federal law to be part of an entity’s compliance program.
7. Compliance Risks and Challenges for Private Equity and “New Entrants”: Until now, the OIG had not provided guidance on compliance risks posed by private equity actors that invest in health care businesses. In the GCPG, the OIG specifically addresses compliance risks inherent in the profit motive of private equity firms and how those motives may be in tension with health care fraud and abuse laws and other patient protections. Relatedly, the boom in digital health (backed in large part by private equity and venture capital funds) and cross-market mergers and acquisitions has prompted numerous new entrants in the health care sector or certain of its subsectors. The GCPG addresses particular challenges that such new entrants might face due to unfamiliarity with health care sector- or subsector-specific laws, regulations and standards. Both are areas ripe for future OIG guidance.
8. Industry Collaboration and New Compliance Domains: The GCPG was released and discussed by OIG attorneys at the Health Care Compliance Association’s health care enforcement compliance conference. Such close coordination with industry stakeholders is emblematic of the OIG’s future direction regarding CPGs—the OIG has the opportunity to advise health care industry participants on subsectors that CPGs have not historically addressed, including health care investors, pharmacies, management services organizations, medical device manufacturers and digital health companies. Incorporating learnings from compliance professionals in those subsectors will be essential to developing effective guidance going forward.

Next Steps

All health care stakeholders should review the GCPG and assess their own compliance program against the GCPG and consider making changes, if necessary, to make their compliance program more effective. It is always a best practice for a stakeholder to have its compliance program assessed for effectiveness by a third party every few years, and the compliance program should evolve to be responsive to emerging risk areas. The GCPG provides stakeholders with one more tool to use when determining how to appropriately tailor their compliance program to effectively prevent, detect and remediate any noncompliant, fraudulent or abusive conduct.

Note: More information is available on Manatt on Health, Manatt’s subscription service that provides in-depth insights and analysis focused on the legal, policy and market developments that matter to you, keeping you ahead of the trends shaping our evolving health ecosystem. Manatt on Health provides a personalized, user-friendly experience that gives you easy access to Manatt Health’s industry- leading thought leadership. For more information, contact Barret Jefferds at bjefferds@manatt.com.

_{¹ The release of the GCPG comes months after the OIG’s April 24, 2023 announcement that the OIG would be updating its various voluntary compliance program guidance documents, including industry segment-specific CPGs for specific categories of providers, suppliers and other health care stakeholders.}