On November 6, 2023, for the first time in 15 years, HHS OIG issued a new reference guide for the health care compliance community – the General Compliance Program Guidance, or GCPG. While the GCPG does not set new legal standards and largely reinforces existing guidance, it is a tremendous tool to help health care and life sciences companies advance their compliance efforts. Indeed, within its 91 pages, the GCPG provides the most comprehensive and user-friendly trove of health care compliance insights, tips, and guidance ever provided by the federal government.
The GCPG is a voluntary guidance document that includes not only detailed information about the traditional “seven elements” of an effective compliance program but also serves as a resource guide for the application of various health care fraud and abuse laws (the Anti-Kickback Statute (AKS), the False Claims Act (FCA), the Physician Self-Referral Law (PSL or Stark Law), the various civil monetary penalty (CMP) authorities, etc.) and offers insights about the evolving status of compliance in the health care industry. The GCPG provides meaningful insights into OIG’s expectations for both small and large entities, its views on the interaction of compliance and oversight of quality and safety, what new entrants into health care should know about compliance, and the importance of examining financial incentives. Notably, the GCPG section on financial incentives states that private equity investors should focus on ensuring strong regulatory compliance and high quality care. OIG expects private equity investors, especially those who actively manage or oversee their portfolio companies, to understand healthcare laws and regulations and the role of an effective compliance program.
Below is a list of our top observations from the new GCPG – and what it means for health care and life sciences companies:
 OIG uses the term “health care” broadly to encompass life sciences as well as service providers, suppliers, and anyone else subject to the health care fraud and abuse laws.
- OIG had previously announced that in response to public input on its guidance modernization efforts, it would issue this GCPG and supplement it with industry segment-specific CPGs (ICPGs).
- The new GCPG will serve as an umbrella, pan-industry guidance document that is intended to broadly address compliance in the health care industry.
- The OIG’s longstanding Compliance Program Guidance for various industry sectors (for example, the Compliance Program Guidance for Pharmaceutical Manufacturers) will be updated and recontextualized as ICPGs to address risk areas for each industry sector.
- Starting in 2024, OIG will publish new or updated ICPGs tailored to the fraud and abuse risks in each sector. The ICPGs will no longer be published in the Federal Register.
- OIG has stated that its top priorities for ICPGs are managed care and nursing homes.
- As with past CPGs, neither the GCPG nor the upcoming ICPGs are a “model compliance program” or one-size-fits-all approach but rather a resource with voluntary guidelines and tips about risk areas and compliance approaches.
[See GCPG, pages 6-8]
- The GCPG provides details on analyzing and applying various federal healthcare laws, including the Anti-Kickback Statute, the Physician Self-Referral Law, the False Claims Act, the Civil Monetary Penalty authorities, the exclusion authorities, and HIPAA.
- This provides anyone with an interest in compliance under these laws a user-friendly, plain language explanation of these statutes that have such broad reach in our health care system.
- The CPGC also includes new practical tools like a list of questions to ask to identify and assess arrangements that may raise risks under the AKS.
- OIG includes links to its compliance toolkits, its previous reports on healthcare compliance governance, compliance training, OIG reports, advisory opinions and special fraud alerts and bulletins, and more. These OIG resources are much more readily available through the GCPG than through otherwise searching the OIG website.
[See GCPG, pages 9-30; 82-91]
- Element 1 – Written Policies & Procedures [see GCPG, pages 32-37]
- OIG emphasizes that CEOs can demonstrate their support for an organization’s commitment to compliance by signing the introduction to, or including a signed endorsement or similar statement in connection with, the organization’s Code of Conduct.
- OIG suggests that entities review all applicable handbooks and codes of conduct whenever a new CEO is hired to ensure that quotes, endorsements, and the like are updated and reflect the entity leadership’s current commitment to compliance.
- OIG emphasizes the need for all organizations to have a policy & procedure on screening employees, contractors, and other individuals against the OIG’s list of excluded individuals and entities and relevant state Medicaid program exclusion lists.
- If an entity uses a third-party to conduct its screening, OIG recommends validating that the third party is doing it the right way.
- OIG explains the entity should make its compliance code, policies, and procedures easily accessible to, and understandable by, all employees and other individuals to whom they apply.
- OIG cites to DOJ’s Evaluation of Corporate Compliance Programs as a “useful set of questions for entities to consider in setting up and reviewing their system of policies and procedures.” OIG also recommends setting up a regular schedule for reviewing and revising policies, recommending at least an annual review.
- OIG encourages companies to use a means of communicating and documenting interim policies and procedures if the procedure for policy revisions impedes the rapid implementation of a required change.
- Element 2 – Compliance Leadership & Oversight [see GCPG, pages 37-46]
- Compliance Officer
- OIG emphasizes the Compliance Officer’s primary responsibilities include advising the CEO/Board/senior leaders, chairing the Compliance Committee, reporting to the Board, revising the compliance program (as needed), coordinating with HR on exclusion & debarment reviews, coordinating with other functions (for example, Internal Audit, Quality, and IT) to develop monitoring and auditing plans, independently investigating allegations of wrongdoing, and developing policies.
- OIG emphasizes the Compliance Officer should not lead or report to Legal or Finance and should report to the CEO (with independent access to the Board) or directly to the Board.
- OIG expects the entity to empower the Compliance Officer through stature in the organization (as a peer of other senior leaders), with funding and resources necessary to operate the compliance program, and authority to access all information relevant to compliance.
- For compliance officers with a dual role of privacy officer, OIG recommends that the entity ensure that the Compliance Officer has sufficient staff and resources to perform both roles.
- Compliance Committee
- OIG emphasizes that the Compliance Committee’s primary duties include analyzing legal and regulatory requirements applicable to the organization; assessing and reviewing policies and procedures; monitoring and recommending internal controls and systems; assessing education and training needs and effectiveness; developing a disclosure and reporting program; conducting annual risk assessments; developing a compliance workplan, and evaluating the effectiveness of the compliance program.
- OIG identifies the relevant leaders of functional areas that should be on the Compliance Committee and recommends that new members receive training on duties & responsibilities and the organization’s expectations.
- OIG emphasizes the importance of CEO and Board engagement in setting an expectation of regular, active, and engaged participation by all members in the Compliance Committee, and reinforcement of these expectations through the members’ performance and compensation evaluations.
- OIG recommends circulating an agenda before the meeting to inform members of the meeting topics and to give them an opportunity to prepare – in addition to keeping minutes of the meeting to provide a documentary record of the Committee’s activities and accomplishments.
- OIG recommends the Compliance Officer periodically evaluate the Compliance Committee and provide a report on its effectiveness to the Board.
- Board Compliance Oversight
- OIG notes that Boards should know about the content and operation of the compliance program and exercise reasonable oversight with respect to its implementation. This includes overseeing the Compliance Officer and compliance program and making sure they have “sufficient power, independence, and resources” given the entity’s size, complexity, and federal program interactions.
- The Board should meet with the Compliance Officer on a regular basis, at least quarterly, and should also receive regular reports from the Compliance Committee on members’ role and performance. The Board should ensure the Compliance Officer has direct and uninhibited access to the Board. The Board should also receive at least an annual report on the entity’s effectiveness in addressing and resolving Compliance Committee-identified risks.
- The Board should oversee the Compliance Committee and ensure its members understand and exercise their role of supporting and operationalizing compliance.
- The Board should encourage the Compliance Officer and senior leaders to report on how Committee decisions are implemented.
- The Board should periodically evaluate the Compliance Committee’s risk assessment process.
- OIG emphasizes the importance of the Board consistently communicating to multiple audiences its commitment to compliance.
- Element 3 – Training & Education [see GCPG, pages 46-49]
- Appropriate, risk-based education and training is vital to an effective compliance program and OIG provides greater specificity as to the appropriate content and audiences for training, including the need to train all Board members, officers, contractors, and medical staff (if applicable) on at least an annual basis.
- OIG recommends the Compliance Committee review the training plan on an annual basis to ensure that the training topics address the entity’s current needs and risks, including any issues identified through monitoring or auditing, investigations, and changes to Federal and State health care requirements.
- Trainings should describe the entity’s commitment to complying with Federal and State fraud and abuse laws, as well as explain the elements of the entity’s compliance program, how to raise compliance questions and concerns, and how the entity enforces its written policies and procedures.
- In addition, targeted training sessions should be developed and assigned based on individuals’ roles and responsibility, and any compliance risks specific to those roles and responsibilities, including, for example, billing, coding, documentation, medical necessity, beneficiary inducements, gifts, interactions with physicians and other sources or recipients of referrals of Federal health care program business, and sales and marketing practices.
- Targeted training should also be developed for board members, and new board members should receive training on their governance and compliance oversight roles promptly after joining the board. Initial board training should also address the specific responsibilities of health care board members, including the risks, oversight areas, and approaches to conducting effective oversight of a health care entity.
- Training materials should be accessible to all members of a designated audience. This means, for example, that if an entity has a culturally diverse staff, training materials should be available in the relevant languages.
- OIG emphasized that the entity should provide a mechanism for, and encourage, questions from participants about the content.
- Beyond annual training, OIG recommends that compliance officers seek and develop opportunities to provide education on compliance topics and risks throughout the year, including having a standing compliance item on the agenda for regularly scheduled meetings, writing regular columns in entity newsletters, and having compliance committee members deliver compliance messaging and training in various meetings and settings to normalize compliance as an integral part of the entity’s culture.
- Finally, OIG expressed its view that participation in required compliance training should be a condition of continued employment, and the failure to comply with training requirements should result in consequences up to and including termination (when warranted by the circumstances).
- Element 4 – Effective Lines of Communication with the Compliance Officer and Disclosure Programs [see GCPG, pages 50-52]
- Here, OIG emphasizes the importance of the Compliance Committee developing multiple reporting paths for an employee to directly report compliance concerns. This includes open lines of communications that allow for employees to report wrongdoing directly to the Compliance Officer or via a hotline, website, or email address.
- OIG emphasizes the importance of confidentiality and non-retaliation, as well as the importance of maintaining a disclosure log that includes relevant information about each disclosure made (including how the disclosure was investigated, corrective action taken, policy changes made, or whether a referral or disclosure to government authorities was made).
- OIG also highlights that the Compliance Officer should be remain involved in all health care compliance investigations in which counsel takes the lead on investigating, acknowledging that some concerns may be referred to others (for example, HR) to lead.
- Element 5 – Enforcing Standards: Consequences & Incentives [see GCPG, pages 53-55]
- An effective compliance program should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance.
- Consequences for noncompliant actions may be educational or remedial and non-punitive, punitive, or both. OIG recognizes the range of levels of culpability and states that intentional or reckless noncompliance should result in significant sanctions.
- OIG recommends that policies and procedures identify the consequences the entity may impose under specific circumstances involving noncompliance and the management and HR functions that will be involved in making decisions regarding appropriate consequences.
- Disciplinary actions and other remedial consequences should be imposed on a fair and equitable basis. OIG expects the Compliance Officer to monitor investigations and resulting discipline to ensure consistency.
- OIG believes that all levels of employees should be subject to the same consequences for the commission of similar offenses and leaders should be held accountable for their own failures and the foreseeable failures of their subordinates.
- OIG believes entity leadership should consider compliant behavior or actions that they would like to incentivize, both across the entity and within specific departments or positions. Excellent compliance performance or significant contributions to compliance could be the basis for additional compensation, significant recognition, or other forms of encouragement.
- OIG points to examples of behavior an entity may want to incentivize, such as achieving compliance goals specific to a department or position, reducing compliance risk or enhancing compliant conduct, and compliance activities that go beyond an individual’s job description.
- To the extent an entity is not able to publicly recognize an individual who raises substantiated concerns that result in the mitigation of risk or harm, OIG recommends the entity recognize this in its reviews of the individual.
- OIG challenges entity leaders, including the compliance committee, to consider whether the entity’s other incentive plans can be achieved while operating in an ethical and compliant manner. For example, do sales or admission goals inadvertently encourage noncompliant behavior? Are there performance goals that may have unintended consequences, such as falsifying documents or covering up incidents that would detract from goal achievement?
- Element 6 – Risk Assessment, Auditing, and Monitoring [see GCPG, pages 55-59]
- OIG recognizes the increased importance of risk assessment, auditing, and monitoring in identifying and quantifying compliance risk and provides guidance and recommendations on how to conduct these activities.
- Risk Assessment:
- A formal risk assessment should pull information about risks from a variety of external and internal sources, evaluate and prioritize them, and then decide which risks to address and how to address them. The risk assessment should form the basis of the compliance work plan, including audits and monitoring of identified risks based on priority.
- Entities should consider using data analytics (analyzing its own data) to identify compliance risk areas. Additionally, all entities should be able to compare standard metrics of their health care operations internally to determine if there are outliers in any areas of focus.
- Between risk assessments, the Compliance Officer should scan for unidentified or new risks. Unidentified or new risks may result from legal or regulatory changes, enforcement actions, changes in OIG work plans, and new entity acquisitions, strategies, or initiatives, and evaluating audits and investigations.
- Auditing and Monitoring:
- The compliance work plan should include routine monitoring of compliance risks (as identified by the annual risk assessment), as well as monitoring of the effectiveness of controls and risk remediation efforts.
- The Compliance Officer should also have the resources to perform or oversee additional audits based on risks identified throughout the year (for example, based on the result of an investigation).
- Entities should also audit the effectiveness of their own compliance program. The Board should direct the effectiveness review and have the results reported directly to the Board.
- Element 7 – Responding to Detected Offenses & Developing Corrective Action Initiatives [see GCPG, pages 59-63]
- In perhaps the most important stand-alone sentence in the GCPG, OIG explains that:
- "How an entity responds when it finds a violation resulting in a substantial overpayment or serious misconduct sets apart those that have a strong compliance program from those with a compliance program that is more form than substance."
- Consistent with that view, OIG expects entities to thoroughly investigate compliance concerns, using appropriate internal and external resources, and compile a contemporaneous record of the investigation and related corrective actions.
- OIG explains its expectations about timely voluntary self-disclosure of misconduct that may violate the law and points to various entities that can receive such disclosures, including OIG’s own longstanding and successful self-disclosure program.
- OIG recommends that the Compliance Officer gather information throughout this process to inform a root cause analysis and any appropriate changes to policies and operations.
One of the most helpful and pragmatic pieces of the GCPG discusses special considerations for small entities seeking to build compliance programs. Among our observations are the following:
- Consistent with its past statements, and much like DOJ in its own compliance program guidance, OIG acknowledges that small entities face financial and staffing constraints that inform the government’s compliance program infrastructure expectations.
- If there is no Compliance Officer, OIG recommends that companies designate a compliance contact with no supervision of legal services and no involvement in billing or claims, reporting quarterly to the company’s owner or CEO (if no Board).
- OIG recommends sources (including OIG itself) of compliance resources that small entities can leverage to establish and update compliance-related policies, procedures, and training without requiring the resources that a larger entity may have for these purposes.
- Having open lines of communication may not require a formal disclosure program, but does depend on the entity clearly communicating and embodying a commitment to compliance and non-retaliation. This includes user-friendly communication methods appropriate to size (for example, an open-door policy and notices in physical / virtual common areas); policies requiring reporting of compliance issues; and a process for investigation and resolution of reported issues or concerns that prohibits retaliation.
- OIG suggests that small entities engage in risk assessment, auditing, and monitoring, including assessing the company’s risk profile at least once per year, leveraging the COSO Enterprise Risk Management Framework and OIG Work Plan, developing a list of key risk indicators, and conducting at least one annual audit on compliance.
- Notably, as is the case elsewhere in the GCPG, OIG’s guidance on responding to detected offenses and developing corrective action includes a recommendation for small companies to consider reporting to the government as part of its compliance program. Unlike other aspects of a compliance program, the size of an entity should not affect its ability to decide to self-disclose misconduct to the government.
[see GCPG, pages 65-70]
OIG reiterates its expectation that large organizations will need significant compliance resources and expertise to develop and monitor a compliance program that can address the breadth and complexity of compliance issues that large organizations face.
- Compliance Officer: a large organization will likely need a department of compliance personnel with a variety of skills and expertise to implement and monitor the organization’s compliance program. The Board should have input on the hiring, evaluation, and compensation of the chief compliance officer, and should consider requiring the chief compliance officer to report directly to the Board. In addition to a chief compliance officer, large organizations may need multiple deputy compliance officers, as well as personnel with expertise in various functions, including auditors, investigators, clinicians, and data experts.
- Compliance Committee: The Compliance Committee at a large entity should reflect various operational components and could even include sub-committees with a mix of subject matter experts as well as temporary work groups to focus on key initiatives and time-limited projects.
- Board Compliance Oversight: OIG suggests that large entity Boards consider creating a Board Compliance Committee with a charter to oversee health care compliance – separate from audit, finance, or similar committees. Further, OIG notes that Boards of large organizations operating in the United States but under an international corporate umbrella should ensure that the parent board is provided with sufficient information about U.S. health care compliance risks and relevant laws.
[see GCPG, pages 71-74]
- Quality & Patient Safety. In what could reflect a significant departure from how many organizations set up their compliance programs, OIG indicates that quality & patient safety oversight should be incorporated into the compliance program. In part, this means that the compliance committee should include members responsible for patient safety and quality assurance and should receive regular reports from senior leaders on quality & patient safety. It also means that the compliance program should audit quality and patient safety incidents and conduct root cause analyses.
- New Entrants to Health Care. Also of note is that OIG addresses technology companies, new investors, and organizations providing non-traditional services (like social services, food delivery, and care coordination), reminding these entities that “business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability,” and recommending that these groups get a “solid understanding” of the healthcare laws and the role that a compliance program plays.
- Financial Incentives: Ownership & Payment. OIG captions this section of its guidance as “Follow the Money.” Here, OIG notably acknowledges the role that private equity is playing in health care and states:
- The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives (e.g., return on investment) on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws and that they are delivering high quality, safe care for patients. An understanding of the laws applicable to the health care industry and the role of an effective compliance program is particularly important for investors that provide management services or a significant amount of operational oversight for and control in a health care entity.
- Payment Incentives. OIG also highlights that compliance officers should be focused on the risks associated with different payment methodologies – for example, volume-based and fee-for-service payments may increase risks of overutilization, inappropriately steer patients, and use of more expensive items than needed. In contrast, paying on a capitated basis may increase risks of stinting on care or discriminating against more costly patients. Payments based on quality of care, OIG highlights, may give risk to the risk of gaming data to qualify for performance-based payment.
- Financial Arrangements Tracking. Here, OIG emphasizes the importance of tracking and monitoring payments made to referral sources.
[see GCPG, pages 76-80]
The GCPG is transformative in that it creates a true foundational document for the building blocks of an effective health care compliance program. When read and used in connection with DOJ’s evolving guidance on the effectiveness of compliance programs, most recently updated in March 2023, the GCPG provides support for all companies seeking to create and sustain a healthcare compliance program, including both organizations with minimal resources as well as large, well-staffed and well-funded entities. We will continue to monitor and report on developments in the government’s thought leadership on compliance programs.
Our Goodwin Compliance Practice offers a unique, 360-degree perspective for healthcare and life sciences companies seeking to build and sustain their compliance programs. Our practice is led by experienced practitioners with deep government and in-house expertise in healthcare compliance, including former HHS OIG Chief Counsel (Greg Demske), former healthcare Chief Compliance Officer (Matt Wetzel), and former AUSAs (Miranda Hooker and Ilene Albala) who offer a unique combination of backgrounds and perspectives on how compliance programs are effectively built and operated, the healthcare risks they are designed to address, and how they are tested in government enforcement actions.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.