OIG Publishes General Compliance Program Guidance for the Health Care Industry
On November 6, the Department of Health and Human Services Office of Inspector General (OIG) released a “General Compliance Program Guidance” (GCPG). This GCPG draws from numerous existing sources of OIG guidance and reiterates key OIG positions found in the 2003 Compliance Program Guidance for Pharmaceutical Manufacturers, the original four 1998 Compliance Program Guidelines (CPGs),1 various special fraud alerts, and other guidance documents. The publication follows OIG’s April 2023 announcement for plans to improve and update compliance program guidance more generally.2 As with other OIG guidance documents, while the recommendations in the GCPG are a valuable source of insight into the agency’s current enforcement approach, they are not legally binding on the various industries within the scope of OIG’s jurisdiction. Much of the content is not new, but there are a few areas worth noting for legal and compliance professionals in the health care and life sciences industries. We have outlined these below. Otherwise, OIG’s guidance continues to parallel — and emphasize the importance of — the seven elements of an effective compliance program,3 as outlined in the Federal Sentencing Guidelines.
The GCPG reiterates the importance of written policies and procedures, including a code of conduct (with a signed Chief Executive Officer (CEO) or board endorsement), to provide a roadmap for relevant individuals outlining their duties, workflow management, documentation requirements, individual and organization oversight, and risk mitigation. OIG suggests that written standards be reviewed on an annual basis, including to account for changes in applicable laws. OIG promotes existing sector-specific compliance policy guidance as a source of reference material when developing written standards. OIG also provides for the possibility of interim policies or communications to effectuate “rapid implementation of a needed process change” when “the procedure for policy revision and approval impedes rapid implementation.”
Chief Compliance Officer Role and Compliance Program Governance
The GCPG helpfully collates OIG’s recommendations with regard to the Chief Compliance Officer (CCO) role in the new GCPG into a single document. In this new guidance, the agency makes some of its strongest pronouncements with regard to CCO independence. For example, OIG reiterates its longstanding position that in order to facilitate independence, compliance officers should report directly to the CEO or the board. The CCO should not lead or report to the entity’s legal or financial functions, provide legal or financial advice, or supervise anyone who does — including general counsel or a Chief Financial Officer. Further, OIG notes that if a CCO is also a Chief Privacy Officer, the role should be adequately resourced to perform both functions. Interestingly, OIG lists traits that a compliance officer should possess and focuses on the importance of an independent, well-resourced compliance function.4
Consistent with past guidance, OIG recommends that CCOs coordinate with other relevant components (e.g., Internal Audit, Risk, Quality, IT) to develop work plans for reviewing, monitoring, and auditing compliance risks through a Compliance Committee and through other activities. Importantly, OIG sets forth a list of minimum criteria the agency expects Compliance Committee charters to follow to ensure that such bodies are effective in supporting the CCO and the overall goals of the corporate compliance program.5
In order to ensure meaningful participation by committee members, the GCPG recommends that member attendance, active participation and substantive discussions, and contributions factor into each board member’s employment performance plan and compensation evaluation. Indication of the committee’s success can be measured, according to the GCPG, by factors such as the establishment of a robust, detailed work plan, demonstrated authority and autonomy (e.g., within the scope of the committee’s charter), and examples of successful mitigation of compliance risks.
Interplay With Quality and Safety Functions
Quality and Safety have often been treated as wholly separate from Compliance. For perhaps the first time in a formal document, OIG clearly states its view that regulated companies should ensure integration of quality (including manufacturing and supply) and patient safety oversight functions into the compliance program, particularly in the case of health care providers. This includes ensuring the CCO:
- Develops a productive working relationship with clinical and quality leadership, sharing information and work advising on compliance matters
- Is informed about internal quality compliance audits and incident reviews
- Has the resources to conduct quality compliance audits (particularly in the context of provider quality, as opposed to manufacturing quality) individually or in collaboration with internal audit or outside resources
While we do not read this to mean that, for example, pharmaceutical quality operations now need to sit under the CCO, OIG appears to be signaling that the quality and safety of medical services and products continues to matter in OIG’s approach to enforcement discretion.
Training and Communication
Although OIG suggests that board members, officers, employees, contractors, and medical staff should receive training at least annually, training should be mandatory for employment and conducted periodically — not limited to just once per year. Employee and consultant training is a vital component of an effective compliance program and the CCO and Compliance Committee are expected to help guide the training program within an organization.
Training should be developed and assigned “based on individuals’ roles and responsibilities” and compliance risks related to those roles, and should include effective internal communication. OIG reminds industry of the need for core training materials to be accessible, translated into multiple languages (if an entity has a multilingual staff), and in a format that ensures that participants can ask questions of the compliance officer live or via email or other means. Participation in “required” compliance training programs should be made a condition of employment or engagement. Practically, open lines of communication and effective internal communication include: (1) polling employees and periodically sourcing feedback on areas for “FAQs”; (2) training effectiveness; and (3) other topics to ensure compliance communications are understood and effective.
OIG provides general guidelines related to the self-reporting of misconduct by entities to government authorities that is not already addressed by reporting requirements mandated by specific laws. The GCPG lists the types of issues it expects to be reported to the government, as well as the level of detail it expects in those reports. These suggestions should be considered carefully with counsel given other standards from criminal authorities, including in light of the recent clarifications by the Department of Justice (DOJ) around the self-disclosure policy. OIG notes that it considers prompt reporting of credible evidence of misconduct to be “not more than 60 days after the determination that credible evidence of a violation exists.”6
Consequences and Incentives
Entities should develop consequences and incentives to encourage participation in the entity’s compliance program. The GCPG provides detail on the types of consequences (e.g., educational, remedial, non-punitive) for noncompliant actions or incentives for compliance. For example, the behaviors entities may want to incentivize include achieving compliance goals within an employee’s job description, working with the entity to set and achieve compliance goals for risk reduction, and performance of compliance activities outside of the individual’s job description.
Risk assessment, auditing, and monitoring, play important roles in identifying and quantifying compliance risk as part of an entity’s compliance program. Unsurprisingly, OIG focuses on risk assessment and outcomes of risk assessment — which could include repayment of overpayments to federal health care programs, changing of entity processes, education of personnel, and success of monitoring programs (including those testing whether contractual clauses in highly-regulated areas, such as healthcare personnel payment transparency, are being followed).
Previously, OIG has issued board guidance instructing health care board members to evaluate the size and complexity of their organization when reviewing the adequacy of the entity’s compliance program. The GCPG includes suggested adaptations of compliance programs for small companies across the seven compliance elements. In a manner consistent with the U.S. Sentencing Commission Guidelines, DOJ corporate prosecution principles, and other OIG guidance documents, OIG recognizes that small entities may have less formal documentation or processes, but are still expected to have an effective compliance program. This is a point that DOJ has reiterated recently.7
Small companies that cannot maintain a full-time compliance officer may consider designating a “compliance contact” who can ensure the completion of compliance activities. OIG, however, disfavors company structures in which the CCO is involved in the performance or supervision of legal services, or has a role in billing, coding, or claim submission.
Commentary Directed at Investors and Industry Newcomers
OIG flags other areas of concern outside of the seven compliance elements. OIG specifically cites the growing importance of private equity and other forms of private investment in health care that give rise to ownership incentives that impact the delivery of quality and efficient health care — and that may not be fully aware of the regulations and business constraints that apply to the health care industry. Accordingly, the GCPG flags that new entrants into health care should be cognizant of their heightened compliance responsibilities. Specifically, the GCPG calls for private equity owners to scrutinize their operations and ensure compliance, as is their responsibility like any other health care company owner. New entrants can consult existing guidance, as well as forthcoming ICPGs specific to their sub-sectors.
OIG requests feedback from stakeholders in connection with the new GCPG, submittable to Compliance@oig.hhs.gov. Should you have any questions about the GCPG, reach out to any of the authors of this Advisory or your normal Arnold & Porter contact.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
In 1998, OIG issued CPGs for Hospitals, Home Health Agencies, Clinical Laboratories, and Third-Party Medical Billing Companies. See Compliance Guidance, U.S. Dep’t Health & Human Servs. (last visited Nov. 10, 2023).
Consistent with OIG’s April 2023 announcement, OIG no longer plans to publish or update new, individual CPGs in the Federal Register. In place of CPGs, OIG plans to use the following format to make its guidance more accessible: (1) the GCPG will apply to all individuals and entities in the health care industry and will address: federal authorities, the seven elements of a compliance program, adaptations for small and large entities, other compliance issues, and OIG processes and resources and (2) beginning in 2024, OIG will publish industry-specific CPGs (ICPGs) for various types of health care industry stakeholders tailored to fraud and abuse risk areas for each discrete subsector. OIG is soliciting feedback on the GCPG, which it says it will consider in updating the document going forward.
We recommend reviewing this new GCPG along with DOJ’s 2023 updates to its Compliance Program Effectiveness Guidance.
The GCPG outlines specific traits that a compliance officer should possess: demonstrates unimpeachable integrity; good judgement; assertiveness; approachable demeanor; and ability to elicit respect and trust.
These include: analyzing the legal and regulatory requirements applicable to the entity; assessing, developing, and regularly reviewing policies and procedures; monitoring and recommending internal systems and controls; assessing education and training needs and effectiveness, and regularly reviewing required training; developing a disclosure program and promoting compliance reporting; assessing effectiveness of the disclosure program and other reporting mechanisms; conducting annual risk assessments; developing the compliance workplan; evaluating the effectiveness of the compliance workplan and any action plans for risk remediation; and evaluating the effectiveness of the compliance program.
See Press Release, U.S. Dep’t Justice, Neuroscience Company and Co-Founder/CEO Pay $445,000 to Resolve False Claims Act Allegations Related to Promotion of False Billing Codes (Aug. 7, 2023) (“There is no ‘startup’ exception under the False Claims Act,” said U.S. Attorney Romero.).