The Office of Inspector General (OIG) for the U.S. Department of Health and Human Services has recently released a landmark document for the healthcare industry: the General Compliance Program Guidance (GCPG). Issued on November 6, 2023, this comprehensive guide serves as a crucial reference for the entire health care compliance community. This marks the first time the OIG has provided overarching compliance program guidance applicable to all healthcare stakeholders. This includes everyone from traditional providers and facilities to managed care organizations, pharmaceutical manufacturers, and contracted service providers.
For years, developing effective compliance programs in healthcare has been a complex task. Professionals have had to piece together best practices from various sources, often relying on guidance intended for specific sectors or more general frameworks like the U.S. Sentencing Guidelines. The GCPG represents a significant step forward in the OIG’s initiative, announced earlier in 2023, to modernize and broaden its compliance guidance. Previously, guidance was often sector-specific and, in some cases, hadn’t been updated in decades. While further, more targeted guidance for specific healthcare segments is expected, the GCPG immediately provides a valuable and much-needed resource. It empowers healthcare entities of all sizes and types to build and strengthen their health care program compliance efforts.
This new guidance offers a consolidated and updated perspective on best practices in health care program compliance. To help navigate this important document, we’ve outlined the top 10 key insights and takeaways from the GCPG. These insights highlight what’s new, what’s reinforced, and what it means for your organization’s approach to health care program compliance.
Top Insights from the OIG’s General Compliance Program Guidance
1. The GCPG: Your Central Hub for Compliance Resources
The GCPG is designed to be a comprehensive and user-friendly resource, effectively a “one-stop shop” for legal, regulatory, and compliance professionals. Both the online and PDF versions are rich with hyperlinks, providing direct access to a wealth of related guidance from the OIG and other government and industry bodies. This includes vital resources like the OIG Work Plan, self-disclosure protocols, compliance program effectiveness checklists, and risk assessment frameworks. While these materials were already publicly available, the GCPG adds significant value by providing context. It clarifies when and how to utilize these tools effectively within a broader health care program compliance strategy. This contextualization makes navigating the complex landscape of healthcare compliance significantly easier.
2. Voluntary, Not Mandatory, But Highly Recommended for Best Practices
It’s crucial to understand that the OIG emphasizes the voluntary nature of the GCPG. It is not a set of binding regulations. The OIG explicitly states that the guidance is “not intended to be one-size-fits-all, completely comprehensive, or all-inclusive of compliance considerations and fraud and abuse risks for every organization.” The use of “should” rather than “must” throughout the document underscores this point. This contrasts with the approach of the Centers for Medicare & Medicaid Services (CMS) in their manuals, where “must” often indicates legal or regulatory mandates.
However, despite its voluntary nature, the GCPG is presented as a compilation of best-in-class compliance practices. Healthcare organizations should therefore carefully consider the guidance as a benchmark for effective health care program compliance. Any deviations from the GCPG should be deliberate and justifiable. Organizations should be prepared to explain why a particular recommended practice is not suitable or necessary for their specific context, or how their alternative approach achieves equivalent or superior compliance outcomes. Treat the GCPG as a roadmap to excellence in health care program compliance.
3. Integrating Quality and Patient Safety into Compliance Programs
A significant and progressive aspect of the GCPG is its explicit integration of quality and patient safety into the core of health care program compliance. The OIG recognizes that many organizations have historically treated these areas as separate from compliance functions. Quality and patient safety were often not prioritized within compliance programs. The GCPG directly addresses this gap, asserting that healthcare entities should incorporate oversight of quality and patient safety into their compliance programs. This integration is crucial to proactively identify and mitigate risks of patient harm.
To achieve this, the GCPG recommends that compliance committees include individuals responsible for quality assurance and patient safety. These committees should receive regular reports on quality metrics, patient safety incidents, and the adequacy of patient care. Furthermore, the compliance committee should actively engage in quality audits and reviews, and participate in assessing staffing levels for clinical services. This ensures that quality and patient safety compliance risks are addressed alongside traditional compliance risk areas. This new emphasis necessitates closer collaboration between compliance, clinical, and quality leadership. It may also require adjustments to internal roles and responsibilities to effectively manage clinical performance within the health care program compliance framework.
4. Understanding Fraud, Waste, and Abuse Laws: A Consolidated Resource
The GCPG dedicates a specific section to clearly and concisely explain key healthcare fraud, waste, and abuse laws. While it doesn’t delve into the exhaustive legal intricacies of each law, it provides practical checklists and key questions to help organizations identify potentially problematic arrangements. For example, when evaluating an arrangement under the Anti-Kickback Statute (AKS), the guidance provides a checklist of factors to consider. These include the nature of the relationship, selection processes, remuneration methods, and the value of services exchanged.
This information, while available in various OIG advisory opinions and prior guidance documents, is now conveniently consolidated within the GCPG. This user-friendly format simplifies the process for legal and compliance teams to gather necessary information for thorough legal and compliance reviews. The GCPG also clarifies concepts not previously explicitly addressed in OIG compliance guidance, such as the overlap between the AKS and beneficiary inducement prohibitions under the Civil Monetary Penalties Law. It also includes discussions of newer regulations like the information blocking rules from the 21st Century Cures Act, making it a timely and comprehensive resource for understanding the legal landscape of health care program compliance.
5. Common Compliance Risk Areas: Staying Vigilant
The GCPG highlights common risk areas that healthcare entities frequently encounter. These include long-standing concerns such as billing and coding accuracy, ethical sales and marketing practices, and the quality of patient care provided. It also emphasizes risks related to patient incentives and arrangements with physicians, providers, vendors, and other potential referral sources.
Beyond these established risks, the GCPG stresses the importance of continuous risk assessment. Organizations must actively monitor for emerging and unidentified risks. This involves staying informed about legal and regulatory changes, enforcement actions, OIG Work Plan developments, and audit findings. This vigilance is particularly crucial in light of organizational changes like mergers, acquisitions, new strategic initiatives, and evolving business models.
The guidance also makes a critical point about the definition of violations. The OIG clarifies that material violations of applicable law can occur even without direct financial losses to the government. The existence or magnitude of monetary loss is not the sole determinant of a violation. Even in situations without significant financial impact, corrective action and reporting may be necessary to uphold the integrity of healthcare programs and protect enrollees. This perspective encourages a broader view of risk and compliance beyond just financial considerations within a health care program compliance framework.
6. The Compliance Officer: Central to Effective Compliance
The GCPG reaffirms the critical role of the Compliance Officer and elaborates on the responsibilities and expectations associated with this position. Echoing previous guidance, the OIG emphasizes the need for independence. Specifically, the GCPG states that “the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does.” This separation aims to ensure objectivity and prevent potential conflicts of interest within the health care program compliance structure.
While acknowledging that smaller organizations may not require a full-time dedicated Compliance Officer, the OIG still recommends that the designated compliance contact avoid responsibilities related to legal services, billing, coding, or claims submission. Despite these recommendations, many healthcare organizations still house compliance functions within legal departments. However, the OIG’s continued emphasis on separation, possibly driven by concerns about legal privilege, suggests a best practice. Organizations that cannot fully separate legal and compliance roles should prioritize maintaining open communication lines to senior leadership and the board. They should also implement other safeguards to preserve the integrity and independence of the compliance function as a vital component of their health care program compliance efforts.
7. Incentivizing Compliance: Carrots and Sticks Approach
In a notable shift, the GCPG reframes the traditional approach to compliance program element V, which focuses on disciplinary standards. Instead of solely emphasizing consequences for non-compliance (“sticks”), the OIG now promotes the use of incentives (“carrots”) to encourage participation in the organization’s health care program compliance initiatives. This new perspective advocates for creative strategies to reward compliant behavior. Examples include incentivizing the achievement of compliance goals, actions that demonstrably reduce compliance risks, or contributions to compliance activities beyond regular job duties, such as mentoring colleagues on compliance or serving as departmental compliance representatives. Incentives can range from financial bonuses to public recognition or smaller tokens of appreciation.
However, the OIG cautions that incentive plans must be carefully reviewed to ensure they do not inadvertently promote unethical or non-compliant behavior in pursuit of rewards. The compliance function should assess whether performance targets, such as sales goals or admission quotas, could incentivize risky actions that might increase referrals or utilization improperly. They should also consider potential unintended consequences, like data manipulation or concealment of incidents, to meet targets. This revised approach to Element V, emphasizing both incentives and accountability, represents a more balanced and potentially more effective strategy for fostering a culture of compliance. It remains to be seen if CMS and other agencies will adopt similar incentive-based approaches in their compliance program guidance.
8. Tailoring Compliance for Small Entities: Scalability and Adaptability
The OIG recognizes that health care program compliance programs need to be adaptable and scalable based on the size and complexity of the healthcare organization. The GCPG provides more specific guidance on how smaller entities can “right-size” their compliance programs. While some core elements remain essential, such as routine auditing, monitoring, and exclusion checks against the OIG List of Excluded Individuals and Entities (LEIE), the GCPG acknowledges flexibility in implementation.
For instance, smaller organizations may adapt policy and training program delivery methods. The “gold standard” of a confidential compliance hotline can be replaced with alternative communication channels, such as an “open door” policy, to facilitate reporting and communication. Interestingly, while the GCPG elsewhere emphasizes monthly exclusion checks, the section on small entities only mentions “routine monitoring” of the LEIE, state exclusion lists, and professional licensure status. This subtle shift might acknowledge the practical challenges smaller organizations face in performing frequent, resource-intensive screenings. The GCPG’s focus on adaptable strategies recognizes the diverse needs and resources of healthcare entities of all sizes in establishing effective health care program compliance.
9. Guidance for Nontraditional Service Providers: Expanding the Scope
Historically, OIG compliance guidance for vendors and non-provider entities has been limited, with the 1998 guidance for third-party medical billing companies as a notable exception. Many subcontractors, vendors, and service providers have relied on Medicare Advantage and Part D requirements for “first-tier, downstream, and related entities” and the compliance frameworks of their managed care partners. The GCPG broadens this scope, explicitly including these entities within its guidance.
The OIG acknowledges the increasing presence of new players in the healthcare ecosystem. This includes technology companies (both established and startups), new investors, and non-traditional service providers in areas like social services, care coordination, and even food delivery. Recognizing that these new entrants may lack familiarity with healthcare-specific compliance standards, the GCPG emphasizes its relevance to them. Conduct that is acceptable in other industries may pose significant risks in the regulated healthcare sector. The GCPG serves as a crucial resource for these companies to understand and implement appropriate health care program compliance measures.
10. Addressing New Players and Emerging Trends in Healthcare
The GCPG reflects the evolving landscape of healthcare by addressing contemporary trends and new types of healthcare organizations. Notably, it specifically addresses private equity ownership in healthcare, a topic that would have been less relevant just a few years ago. The guidance emphasizes that healthcare organizations, including their investors and governing bodies, must “carefully scrutinize their operations and incentive structures to ensure compliance” with fraud, waste, and abuse laws, and to safeguard patient quality of care. Investors who provide management services or exert significant operational control must be particularly well-versed in applicable laws and the importance of an effective health care program compliance framework.
The GCPG also addresses healthcare entities expanding into new areas, such as providers offering managed care plans or developing healthcare technology. These organizations must proactively identify and mitigate new risk areas and familiarize themselves with the regulatory requirements of these new ventures. Finally, the guidance acknowledges the shift from fee-for-service to value-based care and capitated payment models. Compliance professionals must understand the unique risks associated with these reimbursement models, including potential for stinting on necessary care, discriminating against high-risk patients, or manipulating data to maximize performance-based payments. All stakeholders, including investors and owners, must fully grasp these payment incentives and related compliance risks within their health care program compliance strategy.
Conclusion: Embracing the GCPG for Enhanced Compliance
The release of the OIG’s General Compliance Program Guidance is a significant development for the healthcare industry. It offers enhanced clarity and direction for healthcare entities to develop and maintain effective health care program compliance frameworks. By providing a consolidated, updated, and comprehensive resource, the GCPG empowers organizations to strengthen their safeguards and foster a culture of compliance. Healthcare organizations are encouraged to thoroughly review the GCPG and integrate its insights into their existing compliance programs. As the healthcare landscape continues to evolve, proactive and robust compliance programs, guided by resources like the GCPG, are more critical than ever to ensuring ethical operations, regulatory adherence, and ultimately, high-quality patient care.
Disclaimer: This information is for educational purposes and should not be considered legal advice. Consult with legal counsel for specific guidance.
