HHS OIG: New “General Compliance Program Guidance” Provides Voluntary Steps Towards Increased Effectiveness
In connection with the November 2023 Health Care Compliance Association’s (HCCA) Healthcare Enforcement Compliance Conference, and with acknowledgment by the Chief Counsel to the Inspector General, Rob DeConti, of the long partnership between the Office of Inspector General (OIG) and the HCCA, the OIG issued its new “General Compliance Program Guidance” (GCPG) on November 6, 2023. The ongoing HCCA conference provided an opportunity for discussion of the GCPG’s intent, design and direction at a session led by two attorneys with the Office of Counsel to the Inspector General, Amanda Copsey and Laura Ellis.
The GCPG is the first of a series of compliance guidances anticipated to be issued by the OIG. This first issuance contains 91 pages of general compliance guidance, tools and references addressed to all varieties of federal health care program providers and suppliers. Its issuance will be followed by compliance guidance addressed to multiple health care industry subsectors (i.e., specifically targeted categories of providers/suppliers) that will replace the existing compliance guidances which have been issued over the course of the last three decades, starting with the 1998 Compliance Program Guidance for Hospitals. The older compliance guidances will be archived after they are replaced, but still available for reference. Next up to be issued will be compliance program guidances for managed care plans and for nursing facilities, expected in 2024. In the interim until the specific guidances are issued, OIG recommends that identified risk areas from the existing subsector guidances be referenced and aligned for use with the new GCPG and its focus on risk assessments and risk-based compliance strategies.
The GCPG is seemingly designed to serve many compliance purposes. It includes discussions of the key laws in health care fraud enforcement and includes frameworks and questions for an analysis of situations under those laws. It includes many helpful references (with links) to various resources for compliance professionals. OIG sticks with the seven elements of compliance identified in the U.S. Sentencing Guidelines as the framework for its compliance program recommendations. Many of the compliance program implementation provisions in the GCPG are well established and familiar from prior guidance, CIAs, and various other OIG issuances, albeit now presented in a more focused and accessible one-stop format. For example, OIG underscores its view of the critical role of the Board in overseeing and assuring compliance, a theme previously stated in multiple albeit now somewhat dated guidelines.
We recommend that the GCPG be reviewed in its entirety, but we address some of the key sections below that are “new” for compliance guidance.
- Quality and Compliance
The OIG is now clearly recommending that compliance programs include quality and patient safety within their purviews. This has been a topic of discussion amongst compliance professionals for two decades, but many health care compliance programs still do not include quality and patient safety as a meaningful component of the program. This focus is particularly important, from the OIG’s perspective, for hospitals, long-term care facilities and other entities providing residential care. These entities should also focus on staffing needs for nursing, therapy and other clinical services where there is a potential concern relating to understaffing. Understaffing, of course, is a well-known, industry-wide problem of supply shortages in the workforce, but a challenge for any department to address.
- New Entrants in the Health Care Industry and the Role of Private Equity.
One observation in the GCPG worthy of program consideration is addressing challenges for “new entrants” that may not be familiar with regulatory or business issues in the health care space. The OIG notes that this is not just a concern regarding new players coming into the industry, but also regarding new lines of business at established health care organizations with new service offerings. OIG notes as examples those health care providers offering managed care plans or developing health care technologies. The observation is logical, as a compliance program may be well suited for existing operations but be insufficient for entirely different lines of business that a provider engages in.
Concerns about private equity and other private investors in health care continue to be a growing area of attention from the federal and state enforcement authorities. The GCPG does no more than again flag the issue, in order to keep it on a front-burner for attention. Comments at the HCCA Conference from OIG indicated they anticipate issuing additional guidance in the future directed at the role of private equity in U.S. health care.
- OIG Resources and Processes
In Section VI of the General Compliance Program Guidance, OIG did a thorough job summarizing and including links to the various resources that OIG maintains to assist providers and other entities in (1) developing their compliance programs and (2) otherwise making decisions on compliance issues related to the laws enforced by OIG – i.e., the Federal anti-kickback statute, Civil Monetary Penalties law and OIG’s Exclusion authority. Some are “old favorites” while some are relatively new to OIG’s toolbox.
- Compliance Toolkits; Compliance Resources for Health Care Boards; Provider Compliance Training; A Roadmap for New Physicians; and RAT-STATS Statistical Software;
- Advisory Opinions;
- Special Fraud Alerts, Bulletins, and Other Guidance; and Safe Harbor Regulations;
- Frequently Asked Questions – a relatively new tool for OIG. Beginning in March of this year, OIG expanded the topics that it considers for new FAQs submitted by the health care community. This section of the GCPG includes a particularly good discussion of the differences between the Federal anti-kickback statute and the Beneficiary Inducement Civil Monetary Penalties (CMP).
- Corporate Integrity Agreements (CIAs) – OIG notes that CIAs can serve as a resource when a health care entity reviews its compliance program’s structure and operations – including audits that the entity should consider when developing or expanding the audit function under its compliance program.
- Enforcement Action Summaries – OIG posts information regarding its settlements – criminal and civil, state enforcement agencies, CIA reportable events, CIA stipulated penalties and material breaches, CMPs and affirmative exclusions, self-disclosure settlements and grant fraud self-disclosures.
- OIG Self-Disclosure Information. Note that there are different types of OIG self-disclosures including (1) health care fraud self-disclosures when providers and other entities are subject to CMPs; (2) U.S. Department of Health and Human Services (HHS) Contractor self-disclosures for use by entities that are awarded government contracts or subcontracts to provide services to HHS; or (3) HHS Grant self-disclosures in which HHS grant recipients or sub-recipients must disclose evidence of potential violations of Federal criminal law (e.g., fraud, bribery or gratuity violations) affecting the Federal award or conduct creating liability under the Civil Monetary Penalties Law or that might violate civil or administrative laws that fall within the scope of offenses under 45 C.F.R. § 75.113.
- Compliance Risk Assessments (Compliance Program Effectiveness Element 6—Risk Assessment, Auditing, and Monitoring)
As OIG notes in the GCPG, “in recent years OIG, the compliance community, and other stakeholders have come to recognize and place increasing emphasis upon the importance of a formal compliance risk assessment process as part of the compliance program”. According to OIG,
[the] compliance risk assessment is a risk assessment process that looks at risk to the organization stemming from violations of law, regulations, or other legal requirements. For entities participating in or affected by government health care programs, a compliance risk assessment focuses on risks stemming from violations of government health care program requirements and other actions (or failures to act) that may adversely affect the entity’s ability to comply with those requirements.
In the GCPG, OIG recommends that risk assessments be conducted at least annually. The OIG observes that the Compliance Committee – not the Compliance Officer – should be the entity with responsibility for performing the risk assessment, to reflect that it is the organization, not any individual, that is responsible for it. Note that OIG does not suggest that the risk assessments must be conducted by external auditors, but the GCPG does indicate OIG’s belief that information gathered from both internal and external sources should be considered in the risk assessment. Findings from the risk assessment should be reviewed, prioritized and used by the provider/supplier to develop the annual work plan with auditing and monitoring of prioritized risk areas. OIG includes several links to widely accepted expert resources addressing the performance of risk assessments.
- Small or Large Entity Compliance Programs
Another section of the GCPG addresses how compliance programs may be adapted based on whether the program exists in a small or large entity. More specifically, OIG recommends right-sizing the compliance program to meet the entity’s needs.
In small entities, where budgeting constraints may not even allow for a full-time or part-time compliance individual, the recommendation is, at a minimum, to designate one person as the entity’s compliance contact with at least quarterly reporting to the owner or CEO. The program should be structured around the seven elements of an effective compliance program. OIG’s document hyperlinks to additional resources for these entities and provides some practical tips and expectations on managing compliance within a small entity, which may be resource constrained. Importantly, however, the OIG does note in the GCPG that the designated compliance individual should not have any responsibility for the performance or supervision of legal services to the entity and, whenever possible, should not be involved in the billing, coding, or submission of claims.
In large entities, the GCPG refers to OIG’s prior board guidance, and sets the expectation that boards within large health care organizations should thoughtfully evaluate the resources and expertise they will need in order to accomplish this. According to the GCPG, the expectation outlined is a well-staffed compliance department which may include not only a chief compliance officer, but also deputy compliance officers, auditors, investigators, clinicians and data experts with the chief compliance officer preferably reporting directly to the board of directors. This section also specifies that “to the extent possible, given the facility or location’s staffing constraints, the compliance officer should not have responsibility for clinical, financial, legal, or operational duties.”
Additional areas mentioned in this section include maintaining an effective compliance committee, reporting to the board and a recommendation to consider creating a separate board compliance committee with a charter to oversee health care compliance. A noteworthy remark in this document is that “boards of large organizations operating in the United States but owned or controlled by international organization should ensure that the parent board is provided with sufficient information about the applicable law, Federal health care program requirements, and the compliance risks presented by the operation of the U.S. organization.” From a practical standpoint, this may be achieved through the parent board receiving regular reports from the compliance officer, or U.S.-based entity.
While much of this recent OIG guidance is consistent with its previous documents on managing an effective compliance program, the additional focus on expectations of a compliance program in different size entities may be helpful to the compliance department in obtaining applicable resources and commitments from the board and executive management and is typically consistent with various health care entity settlement agreement expectations.
Key Takeaways
While the OIG notes that its GCPG suggestions are voluntary, and that the “shoulds” used in the document are not “shalls” or otherwise directive, entities with existing compliance programs should review the GCPG and likely implement one or more “tweaks” to those programs. The GCPG pulls together many compliance resources (or links) in a single document and is likely to become a frequently used tool by many compliance officers and their lawyers.
Foley is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, or to our Health Care Practice Group with any questions.