As promised back in April in an announcement of its plans to modernize compliance program guidance, the Department of Health and Human Services Office of Inspector General (OIG) issued the first of its new guidance documents for the health care industry on November 6, 2023. The first release is a general compliance program guidance (GCPG) designed to serve as a resource to all segments of the health care industry, regardless of the particular items or services offered.

In its newest release, OIG reiterates its view that the GCPG is by its very nature a voluntary guidebook that can act as a roadmap for a compliance program to follow, but that it is not binding on any individual or entity in the health care industry. This updated GCPG includes the following information for health care compliance programs, which we summarize further below: (1) key Federal authorities for entities engaged in health care business; (2) the seven elements of a compliance program; (3) adaptations for small and large entities; (4) other compliance considerations; and (5) OIG processes and resources.

Additional industry-specific compliance guidance documents will be forthcoming, according to OIG, with its first updated guidance setting the stage for those to follow.

Key Federal Authorities

The GCPG lays out the primary Federal fraud and abuse statutes and authorities that OIG recommends all health care stakeholders understand and be aware of in their operations:

  • Federal Anti-Kickback Statute – which governs referral relationships between health care providers and facilities or the giving of gifts or bonuses in return for referrals
  • Federal Physician Self-Referral Law (often known as the Stark Law) – which prohibits referrals for certain designated health services to an entity with which a physician has a financial interest
  • The False Claims Act – noted by OIG as the primary way the government combats fraud and abuse in the Medicare and Medicaid reimbursement context
  • The Civil Monetary Penalties statutes – including EMTALA, the Beneficiary Inducement CMP, and the Information Blocking provisions of the 21st Century Cures Act, all of which give the government power to levy fines against individuals and entities that violate the statutes
  • Exclusionary Authorities – OIG has the authority to exclude individuals and entities from participation in Federal health care programs. Some of these exclusions are mandatory (i.e., for patient abuse and neglect or felony convictions); some are permissive (misdemeanor fraud convictions, violations of the Anti-Kickback Statute, etc.)
  • Criminal Health Care Fraud Statute – used by OIG and the Department of Justice (DOJ) to combat health care fraud that is knowingly and willfully performed in an effort to defraud a federal health care benefit program.
  • HIPAA Privacy and Security Rules – Rules that provide a series of safeguards and requirements for keeping the protected health information of patients private.

The Seven Elements of a Compliance Program

Following a similar format to its older guidance documents, the OIG lays out the seven elements of a successful compliance program in its updated GCPG. Of note, OIG reiterates its view that an entity’s leadership should commit to implementing all seven elements of a compliance program in order to appropriately manage and mitigate risks inherent in the health care industry.

The seven elements are:

  1. Written Policies and Procedures – Both a code of conduct and a detailed set of policies and responsibilities that reflect the processes to reduce risk of noncompliance with federal law. These policies should be maintained and kept up-to-date with changes in the law or in the compliance risks faced by the entity
  2. Compliance Leadership and Oversight – A compliance officer who has the ear of the board and the entity’s senior leadership is essential to a successful compliance program. The OIG also recommends forming a compliance committee that meets regularly and has substantive discussions of the written policies.
  3. Training and Education – The OIG recommends an annual training program that updates employees on the nature of their compliance requirements, tailored to the business and their role, and addresses any concerns that may have surfaced during internal compliance audits.
  4. Effective Lines of Communication with the Compliance Officer and Disclosure Program – The OIG recommends giving employees ample opportunity to report compliance risks. Employees should have a quick and easy method to contact the compliance officer and there should be encouragement to report any potential compliance risks for investigation.
  5. Enforcing Standards: Consequences and Incentives – As with any system that attempts to direct behavior, OIG thinks that a good compliance program should have both a system of consequences for non-compliance as well as a system of incentives for employees who continue to practice compliance with the law.
  6. Risk Assessment, Auditing and Monitoring – OIG urges compliance programs to have a formal risk assessment process combined with active monitoring and periodic compliance audits as a way to discover and stifle compliance risk threats at an early stage before they can become violations of law.
  7. Responding to Detected Offenses and Developing Corrective Action Initiatives – OIG recommends that a successful compliance program have a mechanism whereby the entity can conduct internal investigations of reported compliance risks, determine what, if any, report needs to be made to the government, and then have an internal method of creating corrective action. Proactive efforts to correct compliance violations will likely go a long way toward mitigating any penalties that the entity might face as a result of a compliance violation.

Adaptations for Small and Large Entities

The OIG recognizes that there is a practical difference in applying these standards between large and small entities, and recommends that entities adapt the requirements of a compliance program to fit the needs of their organization.

As an example, for a small organization, it is less important to have a full-time or even part-time compliance officer. Instead, the organization can assign a compliance contact to act as the compliance officer. However, OIG makes clear that the compliance contact should NOT be within the legal department and also should not be involved in billing or coding for the entity.

For large organizations, on the other hand, OIG recognizes that a single compliance officer may not be sufficient. Instead, the guidance says that a compliance department may be required to meet the varied needs of a large entity. That department should be led by a chief compliance officer who is answerable to the board and is in communication with senior leadership at the entity. This is also a case where a large compliance committee that includes representatives from all of the entity’s operating aspects would be helpful.

As another example, OIG indicates that a small organization can have a less formal reporting process and less frequent compliance audits as long as the entity has in place some method of disclosure and follow through to ensure potential violations are examined and corrective action is taken to the extent a compliance issue is identified.

Other Compliance Considerations

The new GCPG highlights a number of potential compliance risks that participants in the health care industry need to watch out for in constructing and implementing their compliance programs. In particular, the OIG urges entities to keep in mind patient safety and quality care metrics, as failure to meet those requirements could result in severe penalties given the prioritization of such failure by OIG, the DOJ, and various other federal agencies. This guidance should come as no surprise to those who have defended, or assisted clients in defending, agency investigations of medical necessity and quality issues.

The OIG notes that there have been new entrants to health care since the publication of its prior guidance, particularly technology companies, and those new entrants might not be aware of the myriad of different rules and regulations that govern such a highly regulated industry as health care. Having a compliance team in place that is aware of and ready to tackle these regulations is key to success of the program in the OIG’s view, and it constructed the GCPG to help provide practical tools for those new participants to do so.

Finally, OIG warns companies to pay attention to ownership and payment issues, as “[o]ne of the best ways to identify fraud and abuse risks is to follow the money.” Violations of the Self-Referral law or the Anti-Kickback Statute could have serious consequences for participants in the health care ecosystem, and it is important that any such participants evaluate their incentive and other financial structures to avoid running afoul of those often complex rules. Of note, in keeping with the tenor of other agency commentary lately (e.g., the Federal Trade Commission), OIG specifically calls out private equity and other private investment in health care as a potential pain point for these issues.

The guidance document concludes with a comprehensive list of (and links to) the many toolkits, advisory guidance, and documents that are available from the OIG when trying to navigate the compliance landscape and develop an effective compliance program. Among other resources, OIG highlights its collection of Advisory Opinions and Fraud Alerts and Bulletins, in addition to its published practical guidance, toolkits for assessing program risk, and roadmaps for maintaining compliance.

The GCPG document is a good starting point for any person or entity looking to start a compliance program in the health care industry, or to evaluate and update an existing one. It does not cover entity- and industry-specific guidance, however, as OIG has promised that level of detail for specific industry participants and their unique concerns will be forthcoming in later publications.

Reed Smith will continue to track compliance guidance from OIG and will continue to update you on these developments. If you have any questions or would like help in standing up a compliance program within your organization, please reach out to the authors of this post or the health care lawyers at Reed Smith.