In short
The situation: On November 6, 2023, the Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services (“HHS”) released its “General Compliance Program Guidance” (“GCPG”). The GCPG provides guidance generally applicable to “all individuals and entities” in the healthcare industry, from providers and manufacturers to suppliers and investors.
The action: Although much of the GCPG is a consolidation of familiar guidelines and principles, the OIG also recommends adding topics, such as quality and patient safety, to compliance reviews and expressly considers the impact of ownership and financial incentives on patient care. Like all HHS-OIG compliance documents, the GCPG is not binding on any individual or entity.
Looking forward: The GCPG is the first in a series of new compliance program guidance documents that OIG says it will issue over the next few years, with more industry-specific guidance beginning in 2024.
In April 2023, the HHS-OIG issued a Federal Register Notice that it would publish a GCPG by the end of 2023, followed by “sector-specific” compliance program guidance, tailored to areas of fraud and abuse risk for particular industry sub-sectors. In this notice, the OIG also announced that it would no longer publish the compliance guidelines in the Federal Register, but would publish and update the guidelines on the OIG website, which it considers more user-friendly.
THE GCPG, posted on the OIG website, is a departure from previous OIG Compliance Program documents, which provided compliance guidance to specific subsectors of the healthcare industry, e.g., the Compliance Program Guidance for hospitals (63 Fed. Reg. 8987; February 23, 1998). and Compliance Program Guidance for Pharmaceutical Manufacturers (68 Fed. Reg. 23731; May 5, 2003). These subsector-specific guidelines have been widely studied and, in many cases, applied to different health care sectors that were not covered by specific guidelines. Following feedback received over the years, the OIG published the GCPG as a general reference guide that applies to “all persons and entities involved in the healthcare sector” and provides guidance on risks general compliance risks, as opposed to sector-specific risks. programs. (FR April 25, 2023.)
The GCPG
The GCPG is a 91-page document, much of which is a consolidation of previous OIG guidance on a range of familiar compliance topics (along with a helpful list, including links, resources, and OIG processes ). These familiar compliance topics include:
- OIG’s perspective on key federal health care laws, including the False Claims Act, Anti-Kickback Law, Stark Law, civil monetary penalty authorities, exclusion authorities, the Criminal Health Care Fraud Act, and HIPAA.
- Guidance on Compliance Program Infrastructure, which covers the traditional “seven elements” of an effective compliance program – elements that are based on the U.S. Sentencing Guidelines and are part of the guidance of OIG’s compliance program for over 25 years since its inception. has published its Compliance Program Guide for Hospitals.
Note, however, that GCPG’s summary of the seven elements of the Sentencing Guidelines also reflects an expansion in some areas. For example, the GCPG adds risk assessments to element six, now “Risk Assessment, Audit and Monitoring,” while recognizing that “conducting formal risk assessments may be new to many compliance programs.” . Risk assessments have been a standard part of OIG’s corporate integrity agreements for several years.
Although the GCPG is a compilation of previous guidance, it goes further in that it also sets out a set of “other compliance considerations”, which may purport to expand the seven elements to eight, recommending entities to incorporate quality and patient safety concerns. in their compliance programs. The GCPG also flags other areas identified by the OIG as areas of risk, such as compliance learning curves for “new entrants” into healthcare, the impact of financial incentives on compliance and the importance of monitoring financial arrangements.
Among these compliance considerations, we highlight the following:
Quality and patient safety. Recent OIG guidance explicitly recommends that healthcare entities “should integrate quality and patient safety monitoring into their compliance programs.” The GCPG incorporates previous guidance, such as the OIG guidance “Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards,” and also makes specific recommendations to include health care personnel. quality and patient safety on compliance committees and include quality and patient safety staff. security in compliance audits and reviews.
The GCPG particularly observes the intersection between quality and False Claims Act concerns: “In addition to harm to patients, quality and patient safety issues, such as excessive services and medically unnecessary services, can lead to overpayments and result in False Claims Act liability.
Financial motivations. The GCPG pays particular attention to financial agreements and states that “understanding how funds flow through trade agreements and the different incentives created by different types of financing structures is essential for uncovering potential compliance issues, implementing monitoring effective and identify preventive strategies. OIG notes that “ownership incentives” and “payment incentives” can impact the quality and volume of care and that these incentives must be “fully understood” and integrated into the design of the compliance program.
The GCPG notably explicitly mentions “private equity” and notes that “the growing importance of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives (e.g., return on investment) on health care delivery. efficient, high-quality healthcare. The GCPG recommends that health care entities, “including their investors and governing bodies,” “examine their operations and incentive structures to ensure compliance with federal fraud and abuse laws and that they provide safe, high-quality patient care.”
Monitoring of financial arrangements. OIG observes that health care entities may manage “a significant volume of financial arrangements and transactional agreements, including those between referral sources and referral recipients,” which may implicate federal fraud laws and abuses, including the Anti-Kickback Statute and the Stark Law. The OIG recommends “continuous monitoring of compliance with the terms and conditions set forth in the agreements.” Among other recommendations, the OIG states that “entities should consider what type of centralized agreement tracking system to establish, based on the size of their organization, to ensure that appropriate supporting documentation is maintained, that regular legal reviews are carried out and fair market value assessments are carried out. carried out and updated regularly, if necessary.
The OIG announced that it plans to issue regular updates to the GCPG in response to comments, as well as issue additional industry-specific compliance program guidance, during calendar year 2024. The specific guidance to the sector will be adapted to the risks of fraud and abuse for specific healthcare. subsectors and should address the compliance measures that different providers, suppliers and other participants in the subsector can take to reduce these risks.
Three key points to remember
- The GCPG is the first in a series of upcoming compliance program guidance documents that OIG says it will release to modernize the accessibility and usability of its publicly available resources, including compliance documents. guidance on OIG’s compliance program. The OIG has indicated that it will issue additional sector-specific guidance by the end of 2024.
- The GCPG consolidates existing guidance on several key federal health care fraud and abuse laws and the traditional seven elements of an effective compliance program. The GCPG also centralizes references to a wide range of other OIG resources and processes.
- This recent guidance provides insight into several areas of OIG focus (including quality and patient safety, and the impact of ownership and payment incentives on health care services) and suggests that these considerations are taken into account in the context of compliance.