In its General Compliance Program Guidance (GCPG) issued in November 2023, the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) announced its intent to publish industry segment-specific compliance program guidance (ICPGs) for the healthcare industry. (See McGuireWoods’ Jan. 11, 2024, alert.)
On Feb. 21, 2024, OIG announced the first four subsectors for which it will publish ICPGs. OIG intends to publish the first two ICPGs, focusing on Medicare Advantage and nursing facilities, in 2024, and anticipates issuing compliance guidance for hospitals and clinical laboratories in its next two ICPGs.
While the current GCPG applies broadly to healthcare entities, the goal of the ICPGs is to highlight salient risk areas specific to healthcare subsectors. This guidance is not intended to address all compliance risks within an organization. Rather, the ICPGs will suggest compliance measures organizations can take to reduce risk based on fraud and abuse considerations relevant to an organization’s segment of the healthcare industry. Organizations implementing or maintaining compliance programs should apply relevant OIG guidance to fit their unique needs.
This announcement serves as a reminder, not only for the four identified subsectors but for all industry stakeholders, that the OIG remains focused on voluntarily adopted compliance programs and that the implementation of such a program should be a strategic priority for all healthcare organizations. In the January 2024 alert, McGuireWoods recommended that all healthcare providers take the GCPG seriously. Firm lawyers also translated the guidance into 10 action items to consider in 2024 to build a strong compliance culture and six key themes that should guide a healthcare provider’s compliance program efforts.
For healthcare entities that have not yet implemented this guidance, McGuireWoods recommends reviewing the prior alert and using this new OIG announcement as an opportunity to build the framework for future compliance before any relevant ICPGs are issued that may apply to the relevant subsector. The ICPG can then be used to further modify and refine the entity’s efforts.
McGuireWoods continues to track OIG compliance updates. Please do not hesitate to contact a McGuireWoods attorney or one of the authors of this alert for more information on the GCPG or ICPGs, or with other healthcare compliance questions.
OIG’s New Compliance Guidance: 10 Action Items and Six Themes for Providers
January 11, 2024
On Nov. 6, 2023, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued the General Compliance Program Guidance (GCPG) for healthcare providers and other industry stakeholders. The GCPG follows an earlier announcement by OIG regarding a modernization initiative and signifies a major update to OIG’s prior approach for providing guidance on effective compliance programs, which focused on sector-specific compliance program guidance issued between 1998 and 2008. OIG intends for members of the healthcare sector to use the GCPG for purposes of creating and maintaining an appropriate compliance program.
The GCPG continues to demonstrate OIG’s emphasis on the need for compliance as part of each healthcare industry actor’s goals and standard operating practices. Much of OIG’s guidance is not new, but it reinforces past statements and formalizes insights learned from past enforcement and corporate integrity agreements (CIAs). In that context, the GCPG provides a useful primer for healthcare industry leaders. The GCPG also highlights the importance of compliance expertise and considerations for entities that may not be “traditional” healthcare industry players but have an expanding role in the industry, including private equity funds and investors, digital health entities and technology companies.
While this guidance is nonbinding and voluntary, McGuireWoods recommends that all healthcare providers take it seriously. To assist this effort, this alert distills the GCPG into two main categories for healthcare entities and stakeholders: (1) 10 action items to consider addressing in 2024 to build a strong compliance culture; and (2) six key themes from the GCPG that should guide a healthcare provider’s compliance program efforts. This content will help healthcare providers and other industry participants to strengthen their compliance programs and reduce the risk of a government investigation or enforcement action.
10 Action Items. While these are not the only suggestions OIG made in the GCPG, all healthcare providers should consider implementing these 10 action items in 2024:
- Appoint a compliance officer and consider segregating the role with respect to compliance functions. All providers should appoint a compliance officer who has sufficient independence and resources to implement compliance initiatives within an organization. To that end, mirroring past guidance, OIG believes the compliance officer should not have non-compliance-related clinical, financial, legal or operational duties, such as billing and coding responsibilities, that may conflict with his or her independent role. Similarly, OIG believes this individual should report to the CEO or the board and should not report to an entity’s legal or finance departments. OIG acknowledges, however, that many smaller organizations will need to have individuals serve in multiple roles that will be in addition to their compliance work.
- Adopt a code of conduct that sets forth the entity’s goals, mission and ethical and compliance requirements. Even if the entity does not have a comprehensive set of policies and procedures, a code of conduct in an employee handbook should reflect the entity’s commitment to compliance.
- Educate leadership on the seven elements of an effective compliance program. OIG noted that an entity’s board should be knowledgeable about the entity’s compliance operations and provide oversight to its program. OIG further stressed that new participants in this area, such as private equity investors for healthcare entities, also should have basic compliance knowledge and exercise reasonable oversight. Healthcare companies should add at least one session at an upcoming meeting on the GCPG and explain how the entity is implementing its guidance. The OIG highlights the importance of compliance starting from the top of the organization.
- Ensure compliance functions have an audit and monitoring component. Entities should perform regular assessments to identify and respond to risks. At minimum, an entity should perform regular exclusion searches of employees, contractors and vendors against OIG’s List of Excluded Individuals/Entities and state Medicaid exclusion lists. McGuireWoods recommends both internal and external billing and coding audits and periodic compliance program reviews, as well.
- Incentivize raising compliance concerns. To the extent possible, OIG suggests rewarding those who raise substantiated issues and recognizing achievements related to compliance efforts. An annual award for the top report could show all stakeholders how the organization encourages reporting concerns.
- Right-size the GCPG guidance for the organization. As discussed further below, tailor compliance programs and activities, including the number of individuals devoted to compliance functions and corrective actions, to the entity’s size and needs. For growing organizations, this will mean periodically adding resources and staff.
- Address compliance risk areas relevant to the entity’s specific healthcare subindustry. An entity’s compliance activities and initiatives should be tailored based on risk and exposure. McGuireWoods recommends identifying the most significant risks in 2024 within the organization’s subindustry and taking concrete steps to address them. This is discussed further below.
- Train staff on compliance. An entity’s compliance initiatives should include assessing training needs and effectiveness, reviewing training requirements and providing targeted training appropriate for relevant individuals’ duties and roles. McGuireWoods recommends at least annual training, which, if not part of current operations, should be added in 2024 utilizing government-produced or other reliable third-party tools.
- Ensure communication with respect to an entity’s compliance programs. OIG has long encouraged anonymous hotlines and suggestion boxes. These can be helpful, but if an organization is not receiving reports, it should consider whether other channels may be more successful — e.g., Slack, webforms and annual questionnaires. Then, an entity needs to address these reports effectively, including sharing reports with leadership. If there were no reports in 2023, consider a new reporting tool in 2024 and brainstorm ways to encourage further communication.
- Add quality and patient safety goals to an entity’s compliance programs. An entity should integrate oversight for quality, both in manufacturing and quality of care, and patient safety. The entity should report on quality controls and patient safety to the board regularly. While entities sometimes overlook this objective when responding to technical legal issues, OIG stressed throughout the GCPG that the reason for its guidance is quality and safety for patients; therefore, healthcare providers should similarly address this in their programs.
Six Key Themes From the GCPG. OIG further used the GCPG to communicate the themes it believes are critical for compliance programs, both to avoid issues in advance and to explain what OIG wants to see in order to give credit to the entity during an investigation. The six key themes from the GCPG are as follows:
1. OIG highlights the importance of healthcare regulatory compliance knowledge and familiarity for “new entrants” and entities tangential to the traditional healthcare industry, such as private equity funds and investors, social services organizations and technology companies. In particular, OIG highlighted two areas to consider in efforts to ensure compliance: (1) the need for new entrants in the healthcare industry (e.g., technology companies) to ensure that all business partners understand the impact of fraud and abuse laws on their specific businesses and the need for a strong compliance program; and (2) the need to understand financial incentives and the flow of funds though varying business arrangements and the incentives created by different types of funding structures (e.g., private equity and other types of private investors, including foreign companies). As a result, individuals and entities who are not healthcare providers, but who interact with the healthcare industry through investment or other means, should be familiar with OIG’s compliance guidance and recognize the GCPG as an industry standard for compliance programs.
Building on this standard, the GCPG also ties its compliance activities to other regulatory bodies’ guidance, such as the Centers for Medicare & Medicaid Services (CMS) guidance for entities enrolled in Medicare to implement an effective compliance program. CMS has suggested in the past that OIG’s seven elements serve as an adequate basis for a compliance plan. The U.S. Food and Drug Administration also has compliance guidance for biologics, devices and drugs (among others), as well as a guide for small entity adaptations. For entities that may be unable to apply the GCPG directly because of industry-specific considerations and difficulties, OIG’s forthcoming industry segment-specific compliance program guidance (ICPG) documents will address concerns for different providers, suppliers and other entities in greater detail. That said, the GCPG’s framework and key themes likely will carry over.
2. OIG structures the GCPG as a broad resource for compliance for healthcare industry stakeholders and entities. To that end, the GCPG serves as a centralized hub for compliance guidance and other OIG resources, providing useful and informative resources in a timely manner to help advance the healthcare industry’s voluntary compliance efforts in preventing fraud, waste and abuse. It includes multiple compliance and legal resources, such as its toolkits, OIG reports and publications, advisory opinions, special fraud alerts, bulletins, answers to frequently asked questions (FAQs), CIAs, enforcement action summaries, information on OIG’s self-disclosure processes, the OIG hotline and various other reports and publications.
The GCPG sets out a format for future guidance as part of its efforts to produce user-friendly and accessible information and to promote an easier avenue to update compliance program guidance (CPGs) as new risk areas emerge. OIG will no longer publish updated or new CPGs in the Federal Register. Rather, all current, updated and new CPGs will be readily available on OIG’s website with interactive links to relevant resources. Essentially, the GCPG centralizes OIG resources for stakeholders, with links to guidance, self-reporting and other educational materials. Readers of the electronic version of the GCPG also may access direct links to definitions and text found in the applicable statutes and regulations and may access links to corporate integrity agreements, advisories, FAQs, toolkits, the OIG hotline and the self-disclosure online submission form.
OIG anticipates making updates to the GCPG based on changes in compliance practices or legal requirements that may warrant revision in the future and emphasizes a desire to collaborate with industry stakeholders to provide the most effective guidance. Accordingly, OIG maintains that it will continue to seek input and feedback from industry participants both in the process of developing the GCPG and while preparing future guidance documents. Stakeholders can submit feedback about general compliance considerations and risk areas to [email protected].
3. OIG uses the GCPG to stress flexibility and adaptability for compliance programs depending on entity size and organizational needs. OIG highlights that the GCPG is nonbinding and voluntary, does not create any new law or legal obligations, and is intended to identify risk areas and to raise considerations for those involved with the development and implementation of compliance programs. Despite the voluntary nature of the guidance, government agencies and healthcare industry participants generally have utilized previously published CPGs to implement (and evaluate the effectiveness of) a compliance program.
Indeed, one of the key concepts of the GCPG is its adaptability to fit organizational needs. For example, OIG differentiates between small and large entities. Since small entities may face financial and staffing constraints that limit their ability to establish a compliance program as robust as larger entities, OIG offers several modifications in the GCPG to allow smaller entities to benefit from a compliance program. One suggestion for smaller entities that cannot afford a full-time compliance officer is to designate a compliance contact. OIG also points to free resources that small entities may use to model compliance policies, procedures, trainings, risk assessments and auditing. The GCPG includes user-friendly methods of open communication for small entities where a formal disclosure program may not be applicable. OIG also provides recommendations for small entities with respect to enforcing their compliance programs and responding to offenses if/when they occur.
For large, sophisticated entities, OIG’s guidance sets an expectation that a comprehensive compliance program is the standard. The GCPG includes additional recommendations for large entities. Instead of a single compliance officer, OIG recommends that larger entities have an entire department of compliance personnel. Similarly, OIG suggests that both compliance and non-compliance personnel should serve on a compliance committee. For large entities, OIG also suggests that the board of directors involve itself in the organization’s compliance program by forming a dedicated board compliance committee.
Moreover, OIG recommends that all entities, regardless of size and financial resources, have a compliance program. The tenets within the GCPG may be voluntary, but OIG takes fraud, waste and abuse seriously. OIG has levied significant fines against organizations that — either through willful commission or through lack of an adequate compliance program — have violated federal fraud and abuse laws.
4. OIG plans to introduce industry-specific guidance in the future to focus on specific sectors, which also highlights the OIG’s emphasis on flexible, adaptable compliance programs depending on an entity’s characteristics and needs. The current GCPG is a general document applicable to all healthcare industry participants, but OIG also will issue a number of ICPGs. ICPGs are expected to be released starting in 2024 and will focus on fraud and abuse issues relevant to specific sectors or types of healthcare providers. However, neither the GCPG nor ICPGs will comprehensively address risks or act as a one-size-fits-all solution for every organization. Instead, healthcare stakeholders should view them as a resource for certain fraud and abuse considerations. The goal of the upcoming ICPGs will echo that of the GCPG: to provide voluntary compliance guidelines and to identify salient risk areas.
The currently existing CPGs will remain effective until the relevantly issued ICPGs replace them. Once replaced, OIG will archive the CPGs, which will remain available for use on OIG’s website as an additional resource to help identify risk areas in a particular industry, while OIG continues to develop all applicable ICPGs. As noted above with respect to action items, McGuireWoods recommends that healthcare providers utilize these tools to identify their most significant compliance needs and then develop plans to address them proactively.
5. OIG reiterates its seven fundamental elements of an effective compliance program — with some updates to focus on governance, quality and integration. OIG revised its seven elements (redline showing changes below).
- Written policies and procedures
Designate a compliance officerCompliance leadership andcompliance committeeoversight- Training and education
- Effective lines of communication with the compliance officer and disclosure program
- Enforcing standards:
through well-publicized disciplinary guidelinesconsequences and incentives ConductRisk assessment,internalauditing, and monitoring- Responding
promptlyto detecteddeficienciesoffenses andundertakedeveloping corrective action initiatives
Key changes consist of the inclusion of enforcement through both consequences and positive reinforcement, rather than the creation of disciplinary guidelines alone, and the emphasis on monitoring and auditing performed both internally and externally.
The OIG’s changes also stress the importance of compliance as a part of overall governance. For instance, whereas previous OIG guidance recommended the use of a compliance officer and compliance committee, the GCPG takes a much broader perspective toward compliance governance. Of course, OIG maintains that organizations should have a compliance officer — specifically, one who does not answer to the legal or financial functions of the organization. The compliance officer should manage the compliance program and advise the CEO and board on compliance issues and strategy. The compliance officer also should serve as the chairperson of the compliance committee and act as a liaison between organizational stakeholders to implement the compliance program. The compliance committee should be an interdisciplinary body comprising leaders from operational and supporting departments such as billing, clinical, finance, human resources, legal, information technology, sales and operations. The committee’s main duties should be to assess and monitor the organization’s compliance program, as well as to set organizational objectives and evaluate the effectiveness of the program. Additionally, the GCPG highlights board oversight of healthcare compliance and the need to ensure that committees have the expertise necessary to exercise such oversight.
6. OIG directly links compliance to quality and patient safety. OIG acknowledges in the GCPG that some stakeholders may have treated quality and patient safety as separate and distinct from compliance. In truth, OIG and the U.S. Department of Justice have long emphasized the importance of quality and patient safety. The GCPG recommends that entities incorporate quality and patient safety into compliance processes, including a process for alerting the organization to patient safety and quality issues. The board also should require regular reports on quality and safety from leadership. Both the compliance officer and compliance committee should monitor quality and patient safety as part of their broader responsibilities. It is important to note that OIG does not constrain its definition of quality to the provision of health services, but also includes the manufacture and supply of drugs and devices.
Conclusion
OIG maintains its position that an effective compliance program not only detects fraud, waste and abuse, but also is an integral part of reducing errors, improving quality of care and ensuring patient safety. Healthcare entities, no matter their size, should view the GCPG as a foundation and a centralized resource for establishing such a compliance program.
Please do not hesitate to contact a McGuireWoods attorney or one of the authors of this alert for more information on the GCPG; for any questions about healthcare compliance, fraud and abuse; or for assistance in implementing a compliance program in 2024.