The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) published the General Compliance Program Guidance (GCPG) on November 6, 2023. The GCPG provides updated descriptions of the seven elements of an effective compliance program that health care entities have long relied upon. The new guidance also includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board's and executive leadership's oversight of compliance.

Starting in 2024, OIG will publish industry segment-specific compliance program guidance (ICPGs) for different types of providers, suppliers, and other participants in health care industry subsectors. OIG emphasized that the purpose of the GCPG and ICPGs is to set forth voluntary compliance guidelines and tips and not to be one-size-fits-all or binding on organizations. We will discuss the implications of compliance with the GCPG in an upcoming alert.

Health care entities should review this updated guidance and evaluate whether their organization should make changes to their compliance program consistent with the updates. While the guidance does not prescribe mandatory requirements, it helps organizations create effective health care compliance programs. Efforts to comply with this guidance are often viewed favorably by OIG should inadvertent noncompliance occur. Below we provide key summaries and notable takeaways from the GCPG.

Updating the Seven Elements of a Compliance Program

OIG's discussion of the seven elements of an effective compliance program largely tracks prior guidance issued by OIG. However, this updated guidance provides new recommendations and addresses new healthcare business entrants, delivery arrangements, and technologies. OIG's updated take on the seven elements is briefly summarized below.

(1) Written policies and procedures

Written policies and procedures should continue to include a code of conduct. Compliance policies should be developed under the direction and supervision of the compliance officer and compliance committee and should address the implementation and operation of an entity's compliance program and processes. OIG's key new recommendation in the GCPG is that the compliance committee should conduct annual risk assessments to identify and address risk areas, including through policies and procedures.

In the GCPG, OIG outlines the following common risk areas: billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business. OIG highlights that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. OIG also specifically calls out the growing presence of private equity and other forms of private investment in health care and recommends that such investors scrutinize their operations and oversight to ensure compliance with fraud and abuse laws and the delivery of high-quality care for patients.

Policies and procedures should be updated regularly and easily accessible to relevant individuals.

(2) Compliance leadership and oversight

(a) Compliance Officer

OIG reiterates that every entity should designate a compliance officer, who has the authority, stature, access, and resources necessary to lead an effective compliance program. The compliance officer should report directly to the CEO with access to the company's board of directors and must have sufficient funding to properly run a compliance program. The compliance officer's primary responsibilities are to advise the CEO, board, and other senior leaders on the compliance risks facing the entity. The compliance officer must have authority to review any pertinent documents, data and information, and must be able to interview anyone related to the organization with respect to any compliance investigation.

Importantly, OIG also outlines that the compliance officer should not: (i) lead, report to or advise the legal or financial departments; (ii) be responsible (directly or indirectly) for the delivery of health care items and services or billing, coding, or claim submission; or (iii) be involved in functions such as contracting, medical review, or administrative appeals.

Compliance leadership makeup may vary depending on the size of the entity.

(b) Compliance Committee

The compliance officer should be the chair of the compliance committee, which should include relevant leaders from both operational and supporting departments – for example, billing and coding, clinical and medical, finance, internal audit, IT, HIM, human resources, legal, quality, risk management, sales and marketing, and other operational managers.

The main role of the compliance committee is to assist the compliance officer in implementing, operating, and monitoring the compliance program. This includes: (i) analyzing applicable legal and regulatory requirements; (ii) developing and updating policies and procedures; (iii) monitoring and recommending internal systems and controls; (iv) assessing training needs and effectiveness; (v) developing a disclosure program and promoting compliance reporting; (vi) assessing effectiveness of the disclosure program and other reporting mechanisms; (vii) conducting annual risk assessments; (viii) developing a compliance workplan; (ix) evaluating effectiveness of a compliance workplan and any action plans for risk remediation; and (x) evaluating the effectiveness of a compliance program. OIG underscores that compliance committee members sometimes mistakenly view their duties as overseeing the compliance officer and compliance program rather than supporting and working with the compliance officer on the compliance program.

OIG recommends that (i) the compliance committee meet once quarterly with an agenda circulated before each meeting; (ii) minutes of the compliance committee meetings are kept to record the Committee's activities and accomplishments; (iii) individual committee members' attendance and active participation are included in each member's performance plan and compensation evaluation; and (iv) the compliance officer periodically report the committee's performance to the board and examine how the entity implemented committee recommendations.

(c) Board Compliance Oversight

OIG underscores the importance of the board empowering the compliance officer, meeting with the compliance officer at least quarterly, understanding the entity's compliance risks, overseeing and monitoring the compliance operation and its effectiveness, including with respect to the compliance officer and committee, and receiving an annual compliance report. OIG specifically references the United States Sentencing Commission's Guidelines that require that an entity's "governing authority shall be knowledgeable about the content and operation of the compliance and ethics effectiveness of the compliance and ethics program." OIG also points out that corporate boards have a fiduciary duty of care to ensure that "information and reporting systems exist in the organization . . . to allow management and the board, each within its scope, to reach informed judgments concerning... the corporation's compliance with the law...." In re Caremark, 698 A.2d 959, 970 (Del. Ch. 1996).

OIG provides the Practical Guidance for Health Care Boards on Compliance Oversight as a resource for specific suggestions for how boards can effectively exercise their oversight role.

(3) Providing Appropriate Training and Education

The compliance officer and compliance committee should develop (and review at least annually) (i) a training plan that includes the training topics discussed and the audience for each topic, and (ii) education and training materials that cover the entity's compliance program, pertinent Federal and state standards and potential compliance risks, and board governance and oversight of a health care entity, including materials addressing concerns identified in audits and investigations. All board members, officers, employees, contractors and medical staff (if applicable) of the entity should receive training at least annually. An entity may waive training requirements for independent contractors that demonstrate a satisfactory compliance program but the compliance officer must ensure that those independent contractors are aware of how to report compliance concerns to the entity directly.

OIG recommends that an entity also develop targeted training for individuals based on their roles and responsibilities and risks specific to those roles and responsibilities, including board members and their compliance oversight responsibilities.

OIG states that there is no preference to whether the training materials are developed by the entity itself, purchased, or obtained through consultants; but emphasized that training must appropriately address the entity's compliance program and compliance risks. The training must be accessible to all staff, including in several languages if needed due to culturally diverse staff. Finally, OIG recommends that participation in required training should be a condition of employment and a component of an annual performance evaluation.

(4) Maintaining Open and Effective Lines of Communication

OIG recommends that entities inform personnel about the ways they can report any concerns. First, personnel should be able to reach the compliance officer directly (e.g., via email, telephone, messaging) and the entities should explain how on commonly frequented physical and virtual spaces. Second, the compliance committee should develop several independent reporting paths for employees to report their concerns to the committee directly so that reports cannot be diverted by supervisors or other staff.

OIG continues to recommend that the entity have at least one reporting path that allows for anonymous reporting through a channel that is independent of the business and operational functions, such as a hotline, website, email address, or mailbox.

Policies and procedures should include confidentiality and nonretaliation policies. The entity should always strive to maintain the confidentiality of the reporting employee's identity to the extent possible and always explain any limitations to the employee.

Finally, all disclosures of compliance concerns reported should be recorded in a log maintained by the compliance officer or their designee. The disclosure log should include: (i) the date the report was received; (ii) the individual or department responsible for review; (iii) a description of the investigation's findings; (iv) any corrective actions taken; (v) any policy or process changes made as a result of the investigation; (vi) the date resolved; and (vii) any resulting referral or disclosure to Federal or state authorities. The compliance officer should regularly include information about concerns received and investigations conducted in communications with the compliance committee and in reports to the CEO and board.

(5) Establish and Enforce Appropriate Standards, Consequences, and Incentives

The organization should establish and publicize its procedures for identifying, investigating, and remediating noncompliance. OIG believes that corporate officers, managers, supervisors, health care professionals, and medical staff should be held accountable for failing to comply with the applicable standards, laws, policies and procedures, or for the foreseeable violations of subordinates where a responsible individual's failure to detect a violation is attributable to their ignorance, negligence, or reckless conduct. Consequences should be consistently applied and enforced.

OIG also emphasizes the positive role that incentives can encourage participation in an entity's compliance program. The compliance officer and committee should devote time, thought, and creativity to the compliance activities and contributions that the entity would like to incentivize.

(6) Compliance Risk Assessment, Auditing, and Monitoring

(a) Compliance Risk Assessment

OIG emphasizes the importance of at least annual compliance risk assessments. OIG defines compliance risk assessment for entities participating in or affected by government health care programs as a process for identifying, analyzing, and responding to risk stemming from violations of government health care program requirements and other actions (or failures to act) that may adversely affect the entity's ability to comply with those requirements. A formal compliance risk assessment process pulls information about risks from a variety of external and internal sources, evaluates and prioritizes them, and then decides which risks to address and how. For example, OIG recommends that all entities use data analytics to highlight outliers or other data trends indicating potential noncompliance.

The compliance committee should be responsible for conducting and implementing the compliance risk assessment. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks, including based on changing or developing laws and regulations. New entrants to health care business must become familiar with the risks associated with their healthcare business operations while seasoned health care operators must ensure they keep up with risks presented by new and evolving lines of health care business.

(b) Auditing and Monitoring

The compliance work plan should include a schedule of audits to be conducted based on risks identified by the annual risk assessment and address routine monitoring of ongoing and known risks. Examples of routine monitoring to known risks include: (i) monthly screening of the LEIE and State Medicaid exclusion lists; (ii) regular screening of state licensure and certification databases; and (iii) annual review of the entity's policies and procedures.

OIG advises that the compliance committee should ensure that the compliance officer has the capacity to conduct any necessary audits and monitoring, including the capacity to monitor the effectiveness of the monitoring. OIG states that the audits can be done by internal or external auditors, as necessary, and provides the Measuring Compliance Program Effectiveness resource.

Finally, the board should direct the entity to perform the compliance program effectiveness review and have reviewers report findings and recommendations directly to the board. Depending on circumstances, the board may consider outside experts for such a review.

(7) Responding to Detected Offenses and Developing Corrective Action Initiatives

OIG notes that no matter how effective an entity's policies and procedures are, a compliance officer will inevitably receive a report or audit result that raises concerns. (And, in fact, expressly notes that if, over time, a compliance officer does not receive this type of information, the compliance officer should consider conducting a compliance program effectiveness review). The final element of an effective compliance program is ensuring the entity takes the proper steps to respond to concerns, including through investigation to identify the root cause of the conduct, government reporting of any identified misconduct as necessary, and implementing corrective actions to prevent recurrence in the future.

(a) Investigation of Violations

Compliance officers should act promptly to notify appropriate leaders and coordinate with entity counsel as needed upon receipt of reports or reasonable indications of suspected noncompliance to determine whether a material violation of applicable law has occurred that requires corrective action and reporting. Most internal investigations require interviews and review of relevant documents, so the compliance officer or legal counsel should ensure documents and other evidence are not destroyed. OIG recommends that the compliance officer keep a contemporaneous record of the investigation, which should include: (i) documentation of the alleged violation; (ii) a description of the investigative process; (iii) copies of interview notes and key documents; (iv) a log of the witnesses interviewed and the documents reviewed; (v) the results of the investigation; and (vi) any disciplinary action taken or corrective action implemented.

(b) Reporting to the Government

If credible evidence of misconduct from any source is discovered and, after a reasonable inquiry, the compliance officer has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the entity should promptly (not more than 60 days after the determination that credible evidence of a violation exists) self-report and notify the appropriate government authority of the misconduct. Prompt reporting demonstrates an entity's good faith and willingness to work with the government to remedy the problem.

OIG also points out that the following types of violations may be so serious as to warrant immediate reporting to the government, before or simultaneous with an internal investigation: (i) clear violation of criminal law; (ii) has a significant adverse effect on patient safety or quality of care provided; and (iii) indicates evidence of systemic failure to comply with applicable laws, an existing corporate integrity agreement (CIA), or other standards of conduct, regardless of impact on federal health care programs.

(c) Implementing Corrective Action Initiatives

Once an entity determines the nature of the misconduct, it should implement prompt corrective action, including (i) refunding overpayments; (ii) enforcing disciplinary policies and procedures; (iii) making any policy or procedure changes necessary to prevent recurrence of the misconduct; and (iv) determining whether misconduct exposed other systemic weaknesses.

Providing Compliance Program Adaptations for Small and Large Entities

OIG acknowledges how the needs, finances, and other resources of an entity vary significantly. The GCPG provides guidance and tips for how small entities can implement an effective compliance program that meets the seven elements even with limited resources. For large organizations, OIG emphasizes the need for significant compliance resources and expertise to develop and monitor a compliance program capable of addressing the breadth and complexity of compliance issues that a large organization faces.

Quality and Patient Safety

Although quality and patient safety considerations are typically treated as distinct from compliance, the GCPG integrates quality and patient safety oversight into existing compliance processes. OIG explains that implementing quality and safety considerations into a compliance program can help to prevent excessive or medically unnecessary services that can lead to overpayments. The GCPG recommends an entity's compliance committee receive regular reports from senior leadership on quality, patient safety, and adequacy of patient care.

New Entrants in the Health Care Industry

OIG warns that many business practices that are common in other sectors create compliance risk in health care. This is particularly relevant given the increasing number of new entrants in the health care industry, including technology companies, new investors, and organizations providing non-traditional services. The GCPG is equally applicable to new entrants in establishing and operating effective compliance programs for healthcare lines of business.

Resources

Finally, the GCPG references various compliance and legal resources for the health care community to consult for additional assistance, including advisory opinions, compliance toolkits, trainings, and FAQs. Throughout the GCPG manual, OIG provides hyperlinks, practical tips, and helpful examples in easy to digest formats.

Originally Published 18 December 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.