1. OIG highlights the importance of healthcare regulatory compliance knowledge and familiarity for “new entrants” and entities tangential to the traditional healthcare industry, such as private equity funds and investors, social services organizations and technology companies. In particular, OIG highlighted two areas to consider in efforts to ensure compliance: (1) the need for new entrants in the healthcare industry (e.g., technology companies) to ensure that all business partners understand the impact of fraud and abuse laws on their specific businesses and the need for a strong compliance program; and (2) the need to understand financial incentives and the flow of funds though varying business arrangements and the incentives created by different types of funding structures (e.g., private equity and other types of private investors, including foreign companies). As a result, individuals and entities who are not healthcare providers, but who interact with the healthcare industry through investment or other means, should be familiar with OIG’s compliance guidance and recognize the GCPG as an industry standard for compliance programs.
Building on this standard, the GCPG also ties its compliance activities to other regulatory bodies’ guidance, such as the Centers for Medicare & Medicaid Services (CMS) guidance for entities enrolled in Medicare to implement an effective compliance program. CMS has suggested in the past that OIG’s seven elements serve as an adequate basis for a compliance plan. The U.S. Food and Drug Administration also has compliance guidance for biologics, devices and drugs (among others), as well as a guide for small entity adaptations. For entities that may be unable to apply the GCPG directly because of industry-specific considerations and difficulties, OIG’s forthcoming industry segment-specific compliance program guidance (ICPG) documents will address concerns for different providers, suppliers and other entities in greater detail. That said, the GCPG’s framework and key themes likely will carry over.
2. OIG structures the GCPG as a broad resource for compliance for healthcare industry stakeholders and entities. To that end, the GCPG serves as a centralized hub for compliance guidance and other OIG resources, providing useful and informative resources in a timely manner to help advance the healthcare industry’s voluntary compliance efforts in preventing fraud, waste and abuse. It includes multiple compliance and legal resources, such as its toolkits, OIG reports and publications, advisory opinions, special fraud alerts, bulletins, answers to frequently asked questions (FAQs), CIAs, enforcement action summaries, information on OIG’s self-disclosure processes, the OIG hotline and various other reports and publications.
The GCPG sets out a format for future guidance as part of its efforts to produce user-friendly and accessible information and to promote an easier avenue to update compliance program guidance (CPGs) as new risk areas emerge. OIG will no longer publish updated or new CPGs in the Federal Register. Rather, all current, updated and new CPGs will be readily available on OIG’s website with interactive links to relevant resources. Essentially, the GCPG centralizes OIG resources for stakeholders, with links to guidance, self-reporting and other educational materials. Readers of the electronic version of the GCPG also may access direct links to definitions and text found in the applicable statutes and regulations and may access links to corporate integrity agreements, advisories, FAQs, toolkits, the OIG hotline and the self-disclosure online submission form.
OIG anticipates making updates to the GCPG based on changes in compliance practices or legal requirements that may warrant revision in the future and emphasizes a desire to collaborate with industry stakeholders to provide the most effective guidance. Accordingly, OIG maintains that it will continue to seek input and feedback from industry participants both in the process of developing the GCPG and while preparing future guidance documents. Stakeholders can submit feedback about general compliance considerations and risk areas to [email protected].
3. OIG uses the GCPG to stress flexibility and adaptability for compliance programs depending on entity size and organizational needs. OIG highlights that the GCPG is nonbinding and voluntary, does not create any new law or legal obligations, and is intended to identify risk areas and to raise considerations for those involved with the development and implementation of compliance programs. Despite the voluntary nature of the guidance, government agencies and healthcare industry participants generally have utilized previously published CPGs to implement (and evaluate the effectiveness of) a compliance program.
Indeed, one of the key concepts of the GCPG is its adaptability to fit organizational needs. For example, OIG differentiates between small and large entities. Since small entities may face financial and staffing constraints that limit their ability to establish a compliance program as robust as larger entities, OIG offers several modifications in the GCPG to allow smaller entities to benefit from a compliance program. One suggestion for smaller entities that cannot afford a full-time compliance officer is to designate a compliance contact. OIG also points to free resources that small entities may use to model compliance policies, procedures, trainings, risk assessments and auditing. The GCPG includes user-friendly methods of open communication for small entities where a formal disclosure program may not be applicable. OIG also provides recommendations for small entities with respect to enforcing their compliance programs and responding to offenses if/when they occur.
For large, sophisticated entities, OIG’s guidance sets an expectation that a comprehensive compliance program is the standard. The GCPG includes additional recommendations for large entities. Instead of a single compliance officer, OIG recommends that larger entities have an entire department of compliance personnel. Similarly, OIG suggests that both compliance and non-compliance personnel should serve on a compliance committee. For large entities, OIG also suggests that the board of directors involve itself in the organization’s compliance program by forming a dedicated board compliance committee.
Moreover, OIG recommends that all entities, regardless of size and financial resources, have a compliance program. The tenets within the GCPG may be voluntary, but OIG takes fraud, waste and abuse seriously. OIG has levied significant fines against organizations that — either through willful commission or through lack of an adequate compliance program — have violated federal fraud and abuse laws.
4. OIG plans to introduce industry-specific guidance in the future to focus on specific sectors, which also highlights the OIG’s emphasis on flexible, adaptable compliance programs depending on an entity’s characteristics and needs. The current GCPG is a general document applicable to all healthcare industry participants, but OIG also will issue a number of ICPGs. ICPGs are expected to be released starting in 2024 and will focus on fraud and abuse issues relevant to specific sectors or types of healthcare providers. However, neither the GCPG nor ICPGs will comprehensively address risks or act as a one-size-fits-all solution for every organization. Instead, healthcare stakeholders should view them as a resource for certain fraud and abuse considerations. The goal of the upcoming ICPGs will echo that of the GCPG: to provide voluntary compliance guidelines and to identify salient risk areas.
The currently existing CPGs will remain effective until the relevantly issued ICPGs replace them. Once replaced, OIG will archive the CPGs, which will remain available for use on OIG’s website as an additional resource to help identify risk areas in a particular industry, while OIG continues to develop all applicable ICPGs. As noted above with respect to action items, McGuireWoods recommends that healthcare providers utilize these tools to identify their most significant compliance needs and then develop plans to address them proactively.
5. OIG reiterates its seven fundamental elements of an effective compliance program — with some updates to focus on governance, quality and integration. OIG revised its seven elements (redline showing changes below).
- Written policies and procedures
Designate a compliance officer Compliance leadership and compliance committee oversight
- Training and education
- Effective lines of communication with the compliance officer and disclosure program
- Enforcing standards:
through well-publicized disciplinary guidelines consequences and incentives
Conduct Risk assessment, internal auditing, and monitoring
- Responding
promptly to detected deficiencies offenses and undertake developing corrective action initiatives
Key changes consist of the inclusion of enforcement through both consequences and positive reinforcement, rather than the creation of disciplinary guidelines alone, and the emphasis on monitoring and auditing performed both internally and externally.
The OIG’s changes also stress the importance of compliance as a part of overall governance. For instance, whereas previous OIG guidance recommended the use of a compliance officer and compliance committee, the GCPG takes a much broader perspective toward compliance governance. Of course, OIG maintains that organizations should have a compliance officer — specifically, one who does not answer to the legal or financial functions of the organization. The compliance officer should manage the compliance program and advise the CEO and board on compliance issues and strategy. The compliance officer also should serve as the chairperson of the compliance committee and act as a liaison between organizational stakeholders to implement the compliance program. The compliance committee should be an interdisciplinary body comprising leaders from operational and supporting departments such as billing, clinical, finance, human resources, legal, information technology, sales and operations. The committee’s main duties should be to assess and monitor the organization’s compliance program, as well as to set organizational objectives and evaluate the effectiveness of the program. Additionally, the GCPG highlights board oversight of healthcare compliance and the need to ensure that committees have the expertise necessary to exercise such oversight.
6. OIG directly links compliance to quality and patient safety. OIG acknowledges in the GCPG that some stakeholders may have treated quality and patient safety as separate and distinct from compliance. In truth, OIG and the U.S. Department of Justice have long emphasized the importance of quality and patient safety. The GCPG recommends that entities incorporate quality and patient safety into compliance processes, including a process for alerting the organization to patient safety and quality issues. The board also should require regular reports on quality and safety from leadership. Both the compliance officer and compliance committee should monitor quality and patient safety as part of their broader responsibilities. It is important to note that OIG does not constrain its definition of quality to the provision of health services, but also includes the manufacture and supply of drugs and devices.