New guidance provides structure for the healthcare compliance community

On Monday November 6, 2023, the US Department of Health and Human Services, Office of Inspector General (OIG) released its new General Compliance Program Guidance (GCPG).[1] The GCPG provides voluntary compliance guidelines and identifies risk areas that OIG believes healthcare industry participants should consider when developing and implementing a new compliance program or evaluating and updating an existing one.

The new Guidance follows OIG’s April 24, 2023 announcement that the Health and Human Services Department would be “modernizing” its publicly available guidance.[2] This represents the first major update to OIG guidance since 2008. Along with this Guidance, OIG announced it will also issue new industry-specific Compliance Program Guidance (ICPGs) applicable to different healthcare providers, suppliers, and industry participants that participate in federal healthcare programs.

In this alert, we analyze the two major facets of the GCPG: (i) key federal laws governing health industry participants and (ii) the “seven elements” of an effective compliance program, as well as what the GCPG means for the healthcare compliance community and the larger healthcare industry.

The Guidance

Relevant federal statutes

The GCPG identifies and outlines the critical statutes health industry participants must consider when crafting compliance programs, and it includes practical guidance on the applicability of these statutes. These include federal fraud and abuse laws as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. These laws include:

• The Anti-Kickback Statute prohibits remuneration in exchange for referrals of federal healthcare program business. Healthcare entities involved in federal healthcare programs should be aware that offering or receiving gifts in exchange for referrals is prohibited by federal law. The GCPC offers key questions to identify business arrangements that violate the Anti-Kickback Statute and to determine whether an arrangement could be structured or restructured to fit within a safe harbor.
  
  
• The Stark Law, also known as the federal physician self-referral law, forbids physicians from making referrals for ten designated health services payable by Medicare to an entity with which the physician, or an immediate family member, has a financial relationship. The GCPG provides the elements for analyzing an arrangement under the Stark Law and gives examples of prohibited arrangements.
  
  
• The False Claims Act (FCA) is a civil statute that provides a vehicle for the government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the government. False claims may result in liability of up to three times the programs’ loss (treble damages) plus an additional penalty per claim filed, including each service billed to Medicare or Medicaid. The criminal FCA statute makes it a criminal offense to defraud a healthcare benefits program and can result in criminal penalties for companies or jailtime for individuals.
  
  
• Other sources of civil liability: The GCPG notes that there are multiples sources of authority to pursue civil penalties but the most notable is the Civil Monetary Penalties Law. Nevertheless, OIG has the authority to impose civil monetary penalties, assessments, and exclusion against individuals or entities that engage in fraudulent or improper conduct related to HHS grants, contracts, and other agreements.
  
  
• HIPAA: The GCPG highlights that the HHS Office of Civil Rights is responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. OIG emphasizes that there are an increasing number of cybersecurity attacks aimed at HIPAA-regulated entities of all sizes; thus, compliance with Privacy, Security, and Breach Notification Rule requirements should be a top compliance priority and included in all risk assessments.

The “seven elements” of an effective compliance program

The GCPG outlines the seven elements of an effective compliance program and specific corporate considerations for each element:

1. Written policies and procedures: Policies should include an employee code of conduct and a more general compliance policy. The policy should encompass both the outline of the compliance program but also important processes to reduce risk. The OIG identifies the following common compliance risk areas: billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other healthcare providers, vendors, and any other potential sources or recipients of referrals.
   
   
2. Compliance leadership and oversight: The GCPG indicates that compliance leadership should include a compliance officer, a compliance committee, and board oversight.
   
   
3. Training and education: The GCPG recommends that all board members, officers, employees, contractors, and staff of a healthcare entity should receive training at least annually on the entity’s compliance program and potential compliance risks.
   
   
4. Effective lines of communication with the compliance officer and disclosure program: The GCPG indicates that compliance officers require access and visibility within the organization and underscores the importance of anonymity for employees and whistleblowers reporting compliance concerns.
   
   
5. Enforcement of standards: The GCPG bifurcates the enforcement process into consequences and incentives for an effective compliance program. Consequences result from noncompliant actions by an individual within a healthcare entity while incentives include the praise in performance review for an individual seeking to reduce compliance risks.
   
   
6. Risk assessment, auditing, and monitoring: The GCPG outlines the need for periodic compliance risk assessments, internal or external audits, and monitoring programs.
   
   
7. Response to detected offenses and corrective action initiatives: The GCPG provides insight into the response when an audit or monitoring program reveals noncompliance or improper conduct. This response includes prompt investigation of violations, timely reports to the government, and corrective action. In this section, the GCPG flags that the aforementioned federal laws may have specific reporting requirements for organizations, such as HIPAA breach notification requirements or requirements related to reporting allegations of abuse and neglect in nursing facilities.

The GCPG also provides compliance program differences and adaptions for small and large entities as well as OIG resources, such as Advisory Opinions and Special Fraud Alerts.

Much of this guidance mirrors the compliance expectations that the Department of Justice (DOJ) has issued in the recent revisions to its Evaluation of Corporate Compliance Programs (ECCP) policies. For example, earlier this year, the DOJ announced changes to the ECCP including directing companies to impose financial penalties for misconduct while providing incentives such as promotions and bonuses for employees committed to compliance. This allows compliance officers to create comprehensive compliance policies that will comport with the expectations of multiple regulators.

What this means

The GCPG is relevant across the healthcare industry; OIG specifically directs this guidance at (1) hospitals; (2) home health agencies; (3) clinical laboratories; (4) third-party medical billing companies; (5) the durable medical equipment, prosthetics, orthotics, and supply industry; (6) hospices; (7) Medicare Advantage organizations; (8) nursing facilities; (9) physicians; (10) ambulance suppliers; and (11) pharmaceutical manufacturers.

While the GCPG is voluntary, nonbinding guidance for healthcare companies, the affected healthcare entities may rely on guidance if noncompliance or misconduct is discovered. For example, the GCPG mentions that a federal court will consider whether an entity’s governing authority is knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program when sentencing a defendant under one of the relevant federal criminal statutes.  Additionally, the GCPG provides a framework which both regulators and companies can use when assessing the compliance programs of acquisition targets, creating greater certainty in the mergers and acquisition (M&A) due diligence process.

Further, the GCPG and other requirements for healthcare entities can be very intertwined. Although the GCPG makes recommendations for healthcare providers, it flags that healthcare providers that receive federal awards must “establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award” under a federal regulation.[3] Thus, following the GCPG not only safeguards a healthcare stakeholder when noncompliance or misconduct occurs but also eases the burden on implementing federal or state requirements.

Last, the issuance of the GCPG provides health industry participants with an opportunity to create, enhance, or update their compliance programs. Entities with existing compliance programs should review the GCPG and implement the recommendations to improve those programs. Entities without a comprehensive compliance program should create one in line with the GCPG’s guidance. Through its issuance of the GCPG, HHS OIG has made its expectations of health industry participants clear, and compliance officers should add this guidance to their compliance toolkit as they continue to grow their companies’ compliance programs.

To learn more about the implications of the GCPG for your business, please contact any of the authors.