OIG Issues General Compliance Program Guidance Updates - McDermott Will & Emery


On November 6, 2023, the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) published the General Compliance Program Guidance (GCPG) as a revised reference guide for the healthcare compliance community and other healthcare stakeholders. The GCPG is part of the ongoing OIG modernization initiative announced on April 24, 2023, and summarizes the federal laws, OIG resources and compliance program infrastructure. The GCPG is provided as a nonbinding, voluntary guidance document for the healthcare community.

In Depth


From 1998 to 2008, OIG developed a series of voluntary compliance program guidance documents (CPGs) directed at various centers of the healthcare industry. On April 24, 2023, OIG announced plans to improve and update existing CPGs and deliver new CPGs specific to new segments of the healthcare industry through the OIG’s modernization initiative. On November 6, 2023, OIG released the first new CPG since September 2008: the GCPG. Given the GCPG’s 91-page length, we identify the highlights here and do not cover every issue or suggestion OIG discusses.

OIG clarified that it will no longer publish updated or new CPGs in the Federal Register and will instead post them directly on the OIG website. The GCPG is applicable to all individuals and entities in the healthcare industry. Starting in 2024, OIG will publish industry-specific CPGs (ICPGs) for different types of providers, suppliers and other participants. When OIG lawyers announced the GCPG at the Health Care Compliance Association’s Enforcement Compliance Conference, they stated that managed care and nursing homes will be the first ICPGs published. The existing CPGs will remain effective until replaced and then most likely will be archived on OIG’s website.

While the GCPG is voluntary guidance, and OIG has repeatedly emphasized the voluntary and nonbinding nature of the guidance, OIG and other government agencies, as well as the healthcare community, have often used past OIG CPGs as the basis for structuring compliance programs and evaluating compliance program effectiveness.


The GCPG (a) summarizes key federal authorities for entities engaged in healthcare business; (b) provides a revised version of the seven elements of a compliance program; (c) lists adaptations for small and large entities; (d) identifies other compliance considerations; and (e) lists OIG processes and resources.

Key Federal Authorities

The GCPG summarizes federal laws related to healthcare fraud enforcement and other standards. These key authorities include the federal Anti-Kickback Statute (AKS), the physician self-referral law (known as the Stark Law), the False Claims Act, civil monetary penalty authorities, exclusion authorities, the criminal Health Care Fraud Statute, and Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. The GCPG includes examples of problematic conduct, key questions that entities can ask to evaluate AKS risk in an arrangement, and tips on what to do if a problem is identified. OIG notes that because of increasing cybersecurity attacks, compliance with privacy, security and breach notification rule requirements should be a top compliance priority for HIPAA-regulated entities of all sizes.

Compliance Program Infrastructure: The Seven Elements

The GCPG largely maintains the historic seven elements of a compliance program from prior CPGs, but it provides a more in-depth discussion of each element while being agnostic to the specific facility type. The revised guidance integrates feedback from industry stakeholders and “lessons learned” from enforcement actions, 25 years of Corporate Integrity Agreement monitoring, investigations and evolving technologies used to support the healthcare delivery system.


Prior Seven Elements | New Seven Elements
Written Policies and Procedures | Written Policies and Procedures
Designated Compliance Officer and Compliance Committee | Compliance Leadership and Oversight
Training and Education | Training and Education
Effective Lines of Communication | Effective Lines of Communication with the Compliance Officer and Disclosure Program
Enforcing Standards Through Well-Publicized Disciplinary Guidelines | Enforcing Standards: Consequences and Incentives
Internal Monitoring and Auditing | Risk Assessment, Auditing and Monitoring
Responding Promptly to Detected Deficiencies and Undertaking Corrective Action | Responding to Detected Offenses and Developing Corrective Action Initiatives

Some themes that OIG identifies include:

  • Tone from the Top: OIG states that boards should take every opportunity to communicate to each of its audiences its commitment to compliance. To demonstrate such commitment, the board and chief executive officer (CEO) may wish to include a signed endorsement or similar written statement with their code of conduct, which should be updated after leadership changes to reflect the ongoing commitment to compliance.
  • Chief Compliance Officer (CCO) Has a Senior Role: OIG spends a considerable amount of time discussing the CCO’s role as a senior leader in the organization who has the authority, stature, access and resources necessary to lead an effective and successful compliance program.
    • OIG notes that the CCO’s primary responsibilities should include advising the CEO, board and other senior leaders on compliance risks and business strategy.
    • OIG maintains its long-held position that the CCO should not lead or report to the entity’s legal or financial functions, and the CCO should maintain a degree of separation from the entity’s delivery of healthcare items and services, including billing, coding and claim submission. This is true even for small entities that may have a compliance contact rather than a CCO.
  • Well-Functioning Executive Compliance Committee: The executive compliance committee should be chaired by the CCO and composed of various leaders across the organization. In addition to the usual suspects, such as legal, audit and human resources, OIG includes clinical and quality as recommended compliance committee members.
    • OIG suggests including “attendance, active participation and contributions” as part of the members’ performance plan and compensation evaluation, and suggests that the CCO report on member attendance to the board compliance committee.
    • OIG lists indicators of a well-functioning committee, such as a robust and detailed work plan, follow-through on committee recommendations and active engagement of committee members.
    • OIG describes in some detail how to conduct the risk assessment process and auditing and monitoring activities.
  • Engaged Board Compliance Committee: OIG suggests that the board compliance committee actively oversee the compliance program function and evaluate the risk assessment process. OIG states that the board compliance committee should reserve time at each meeting to discuss the compliance program, activities and risk updates with the CCO.
  • Targeted Training and Multiple Forms: OIG recommends developing targeted compliance training for different types of employees to address compliance risks specific to those roles. Board members should also receive compliance training. OIG also suggests that training occur in multiple forms, including both formal training sessions and more informal methods, such as periodic videos, newsletters, standing agenda items in staff meetings and other ad hoc communications.
  • Multiple Reporting Pathways: Entities should facilitate multiple independent reporting pathways to report compliance concerns, not just one way or a “preferred” pathway. Entities should avoid requesting or requiring that personnel bring such concerns to their manager or supervisor before contacting the compliance officer. Such a request may deter individuals from coming forward or increase potential for reports to be diverted by supervisors or other personnel.
  • Incentives for Compliant Behavior: Entities should consider encouraging participation in the compliance program through incentives, such as sharing stories of compliance success or how issues were resolved, or recognizing an individual (even anonymously) whose actions resulted in mitigation of harm or risk through performance reviews.

The US Department of Justice (DOJ) has also compiled a set of questions for entities to consider in setting up and reviewing their system of policies and procedures.

Compliance Program Adaptations for Small and Large Entities

While the GCPG is applicable to all entities, OIG provides guidance on how small and large organizations can “right-size” their compliance programs to meet their own needs.

For small organizations with more limited resources, OIG recognizes, in keeping with its prior guidance, that such entities may face financial and staffing constraints that are not as material for larger entities. OIG’s suggestions for small organizations on how to implement the seven elements include designating a compliance contact if a compliance officer cannot be hired; making clear that, even if the anonymity of an employee’s identity cannot be guaranteed, there are protections in place for individuals reporting concerns; and identifying risk indicators particularly relevant to the business.

For large entities, OIG recommends that board members consider the size and complexity of the organization in reviewing the scope and adequacy of the compliance program. Because large entities may have greater resources, larger staffs and multiple locations, compliance subcommittees may be needed. If the entity has a global parent or board, the US-based compliance officer and committee should regularly engage with the global board, and the entity may wish to consider engaging counsel knowledgeable in the laws applicable to the US organization. OIG further suggests that large organizations consider having separate board healthcare compliance and audit committees.

Other Compliance Considerations

Adding Quality: While quality and patient safety often are treated separately from compliance, the GCPG states that these issues are high priorities for HHS and DOJ and should be incorporated into compliance programs. The compliance committee should include members responsible for quality assurance and patient safety, and should receive regular reports from senior leadership on those topics.

New Entrants: OIG notes that it is “seeing an increasing number of new entrants” in the healthcare sector, such as technology companies, social services organizations and private equity investors. OIG recommends that new entrants take steps to ensure they are familiar with the healthcare regulatory landscape, as “business practices that are common in other sectors create compliance risk in health care.” OIG expresses concerns about the impact of ownership incentives of private equity and other forms of investment on the delivery of high-quality and efficient healthcare. OIG advises entities with private investments to carefully scrutinize their operations and incentive structures—“follow the money”—to ensure that there are checks and tracking systems in place to prevent prioritizing financial gain over patient care.

Financial Arrangement Monitoring: OIG incorporated elements from Corporate Integrity Agreements that address AKS issues to suggest that entities not only have a process for entering into financial arrangements with referral sources but also have a process to monitor compliance with those arrangements. Entities should consider establishing a centralized arrangements tracking system and processes to ensure that proper supporting documentation is maintained, regular legal reviews are conducted, and fair market value assessments are performed and updated routinely as appropriate.

OIG Resources and Processes

The GCPG’s final section provides several compliance and legal resources, including compliance toolkits, trainings, software recommendations, advisory opinions, special fraud alerts, FAQs, and other reports and publications.

Compliance is a dynamic process, and an effective compliance program is critical to operational success and prevention of fraud, waste and abuse. The GCPG should assist healthcare entities and those playing a role in healthcare delivery today in evaluating and structuring compliance programs. Many of OIG’s suggestions are consistent with prior compliance program guidance or reflect recent Corporate Integrity Agreements and other common industry practices.

At the same time, the GCPG goes farther in certain areas than OIG has in the past, particularly on governance issues relating to the CCO’s role and placement in the organization, and the executive compliance committee’s activities and scope, including making quality part of the compliance committee’s work. OIG defines “quality” in the context of both manufacturing and supplying drugs, devices and other items, as well as the provision of items and services by healthcare providers. In many healthcare organizations, clinical quality and patient/product safety are overseen by specific board-level quality committees working in concert with departmental operations that involve clinicians and others who have specialized clinical and quality program knowledge. This collaborative approach creates a typical healthcare quality infrastructure, which is designed in part to meet other regulatory requirements. For hospitals, these requirements include CMS’ Conditions of Participation for Hospitals, accrediting organization standards, and related requirements around quality assurance and performance improvement programs. For life sciences companies, these requirements include FDA’s Current Good Manufacturing Practices regulations (as well as other countries’ manufacturing standards). Including the CCO and compliance committee in an organization’s existing quality committee and departmental structure without careful planning risks inefficiency, redundancy and role confusion. The ICPGs will hopefully provide further recommendations on the interplay between the compliance and quality functions for various types of healthcare businesses, to assist healthcare organizations in evaluating their structures and operations.

The GCPG’s express discussion of new entrants such as technology companies (both large and start-up) and private equity provides further confirmation that OIG is increasing its scrutiny of those new entrants and their activities as federal healthcare program participants.

As always, your McDermott lawyers are available to discuss the GCPG and its application to your organization.