In November, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued its General Compliance Program Guidance (GCPG). This guidance serves as an essential resource for professionals and organizational decision-makers. Astute compliance professionals will craft strategies grounded in the GCPG. This involves fully grasping the content and implications of the GCPG, promoting internal dialogue regarding its application, and identifying and implementing practices that leverage its insights for enhancing compliance program effectiveness.
The GCPG—extending over 91 pages—contains a trove of information. Given its extensiveness, this article focuses on some of OIG’s most compelling statements relating to compliance program infrastructure. They are found in Section III of the GCPG, Compliance Program Infrastructure: The Seven Elements.[1]
The entire document is required reading for those aspiring to cultivate best practices in their compliance programs because:
- OIG’s guidance has traditionally become a standard for expected industry practices. The GCPG, as OIG’s most extensive compliance program guidance in 25 years, is poised to reinforce and reset industry standards.
- The GCPG tackles significant challenges faced by compliance professionals and their organizations, including issues related to reporting structures, empowerment, and governance by boards.
OIG’s expectations outlined
The GCPG is a pivotal development in compliance, setting forth extensive standards that will significantly influence industry practices. It applies to all individuals and entities in the healthcare industry. Its depth and breadth underscore the evolving compliance landscape, emphasizing adherence to regulatory requirements and robust, dynamic organizational compliance infrastructures. While it is a voluntary, nonbinding framework that does not introduce new laws or contain exhaustive legal summaries, it sets forth OIG’s expectations for effective compliance programs.
For compliance professionals and their organizations, the GCPG is a guidebook for pursuing best practices. It offers a clear framework for identifying, assessing, and mitigating compliance risks and fostering proactive and preventive compliance program management. To this end, compliance officers should develop practical, actionable, measurable playbooks incorporating the GCPG’s recommendations relevant to their organizations.
Such playbooks should serve as tools that evolve with regulatory changes, organizational shifts, and emerging challenges. They should incorporate strategies for infrastructure, risk assessment, auditing, monitoring, and continuous improvement, ensuring compliance is not just a regulatory obligation but a strategic advantage.
Numerous aspects of the GCPG will directly apply to your compliance program. After discussing the most salient points relating to the seven elements, I have listed potential core playbook items to help operationalize some of OIG guidance’s more compelling aspects. Your playbook should be tailored to your circumstances.
Section III: Compliance program infrastructure
Section III of the GCPG is a blueprint for organizations striving to structure their compliance programs well, and it meticulously discusses the seven elements of an effective compliance program. It is based on insights OIG has gained over a quarter-century of monitoring corporate integrity agreements. It also incorporates feedback from industry participants and knowledge gained from enforcement actions and investigations and adapts to the continuous development of the healthcare delivery system and its supporting technology. The introductory remarks state:
OIG’s longstanding belief is that an entity’s leadership should commit to implementing all seven elements to achieve a successful compliance program. The guidance in this section is intended to help entities fulfill that commitment in a robust and meaningful way.
The following summaries of each element highlight the most notable manifestations of that belief.
Element 1 – Written policies and procedures
- Policies and procedures provide tangible evidence to stakeholders and regulators that an organization is committed to compliance. A comprehensive compliance program is incomplete without a code of conduct and clearly defined compliance policies.
- Embedding a compliance culture into everyday activities is crucial and should be guided by the organization’s policies and procedures.
- The compliance officer and compliance committee should oversee the code of conduct and compliance documents, ensuring they are accessible and understandable.
- Employee and contractor performance evaluations should incorporate adherence to the code of conduct and relevant policies.
- The CEO’s confirmation of the organization’s commitment to compliance can be effectively communicated through a signed introduction in the code of conduct. A signed statement or endorsement from the board can reinforce the organization’s overall commitment to compliance.
- Outdated policy documents undermine their reliability and credibility to users and regulators. Inaccurate or unreliable policies diminish the authority and effectiveness of the compliance program.
Playbook items for Element 1
Considering this guidance, compliance professionals can develop a playbook containing the following key items as relevant to their compliance program and organization:
- Streamlining workflow and documentation: Develop policies that efficiently manage workflows and set clear documentation standards. Focus on defining clear oversight responsibilities and establishing controls to mitigate specific risks.
- Demonstrating commitment to compliance: Use policies and procedures as evidence to showcase the organization’s dedication to compliance with stakeholders and regulators. To reinforce this commitment, incorporate messages from senior leaders and the board of directors.
- Performance evaluations and compliance: Incorporate compliance adherence—particularly to the code of conduct and relevant policies—into the performance reviews of all employees and contractors.
- Relevance and accuracy of policies: Regularly update policies to maintain relevance and credibility, ensuring they remain effective tools for users and credible to regulators.
- Authority and effectiveness of policies: Address inaccuracies in policies promptly to preserve the authority and effectiveness of the compliance program.
Element 2 – Compliance leadership and oversight
- An effective compliance program requires a board and senior leadership that understand its value and are committed to its success, including a designated compliance officer with authority and resources to lead a successful program.
- The compliance officer should be given the authority, stature, access, and resources to lead the compliance program effectively.
- The compliance officer’s role includes:
  - Reporting directly to the CEO or the board, with independent board access
  - Having sufficient stature to interact equally with other senior entity leaders
  - Exhibiting impeccable integrity, sound judgment, assertiveness, an approachable manner, and the ability to gain employees’ respect and trust
  - Accessing adequate funding, resources, and staff to manage a program capable of identifying, preventing, mitigating, and remedying compliance risks
  - Advising the CEO, board, and senior leaders on compliance risks, operational strategies, and the program’s functioning
  - Chairing the compliance committee
  - Reporting to the board on program implementation, operations, needs, and the entity’s compliance risks and risk management strategies
  - Working with other departments like internal audit, risk, quality, and IT for compliance risk reviews, monitoring, and auditing
  - Independently investigating compliance matters, leading internal investigations, recommending policy/process changes, and corrective actions
  - Developing policies and programs encouraging reports of suspected fraud and improprieties without fear of retaliation
- The compliance officer should be empowered and independent, capable of identifying and addressing compliance risks and maintaining federal healthcare program compliance.
- The compliance officer should avoid roles in the entity’s legal or financial functions and report directly to the CEO or the board.
- Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles. (Bold in original document)
- The compliance officer should maintain separation from healthcare delivery and related operations to prevent conflicts of interest, avoiding responsibilities in healthcare delivery, billing and coding, or claim submission.
- Ideally, the compliance officer’s sole responsibility should be compliance, but if they also serve as the privacy officer, they should have adequate staff and resources for both roles.
- The compliance officer should have the authority to review all relevant documents, data, and information for the organization’s compliance activities, including patient and billing records, and the authority to conduct or delegate compliance investigations.
- The compliance committee’s duties include analyzing legal and regulatory requirements, developing and reviewing policies, monitoring internal controls, assessing training needs, developing disclosure programs, conducting risk assessments, and evaluating the effectiveness of the compliance program and work plan. The compliance officer should chair it.
- Organizational leadership, including the board and CEO, should set the tone for the compliance program and compliance committee, emphasizing regular attendance and participation in committee meetings as part of performance evaluations.
- The compliance officer should periodically assess the compliance committee’s performance, comparing expected and actual performance and seeking input from committee members, the CEO, and the board.
- The board’s fiduciary oversight includes overseeing the compliance officer and compliance committee, understanding compliance risks, and ensuring access to necessary knowledge and resources.
- The board’s oversight of the compliance officer includes ensuring their authority, independence, and resources for effectively implementing, maintaining, and monitoring the compliance program.
- The board should ensure the compliance officer’s stature matches their responsibilities, and that the organization’s structure allows for uninhibited communication of compliance risks to the board.
- To maintain the compliance officer’s independence, the board should ensure they are free from conflicting organizational responsibilities.
- The board should regularly review the compliance officer’s and compliance program’s resource adequacy, considering the entity’s size, complexity, and interactions with federal healthcare programs.
- Regular (at least quarterly) meetings between the board and the compliance officer should take place to discuss compliance activities and risks, and there should be executive sessions without non-board members.
Playbook items for Element 2
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Empowerment and independence: Stress that the compliance officer should be empowered and independent, able to identify and address compliance risks and maintain federal healthcare program compliance. They should review all relevant documents, data, and information for the organization’s compliance activities.
- Role limitation: Recommend that the compliance officer avoid roles in legal or financial functions and report directly to the CEO or board. They should be separated from healthcare delivery and related operations to prevent conflicts of interest.
- Dual roles: If the compliance officer also serves as the privacy officer, they should have adequate staff and resources for both roles.
- Compliance committee responsibilities: Develop a charter defining the compliance committee’s duties, including legal and regulatory analysis, policy development, internal control monitoring, training needs assessment, risk assessments, and program effectiveness evaluation.
- Leadership and committee involvement: Encourage organizational leadership, including the board and CEO, to set a positive tone for the compliance program and committee, emphasizing the importance of their regular attendance and participation.
- Performance assessment: Suggest regular performance assessments of the compliance committee by the compliance officer.
- Board’s oversight of the compliance officer: Highlight the need for the board to ensure the compliance officer’s authority, independence, and resource adequacy.
- Regular meetings and reviews: Establish regular—at least quarterly—meetings between the board and the compliance officer to discuss compliance activities and risks and have executive sessions without non-board members.
Element 3 – Training and education
- The compliance officer should create an annual training plan, specifying topics and target audiences and integrating feedback from past audits and investigations. The compliance committee should review this plan annually to ensure it aligns with current needs and regulatory changes in federal and state healthcare laws.
- “All board members, officers, employees, contractors, and medical staff (if applicable) of the entity should receive training at least annually on the entity’s compliance program and potential compliance risks.” (Bold in original document)
- There should be targeted training sessions tailored and assigned according to individual roles, responsibilities, and related compliance risks. These sessions should focus on relevant federal healthcare program rules and address specific compliance risks associated with each role.
- There should be targeted training for new and existing board members. New members should receive prompt training on governance and compliance oversight. It should cover specific healthcare board responsibilities, risks, and effective oversight techniques. The compliance officer should also arrange periodic updates for the board on evolving compliance risks and changes in relevant federal and state healthcare regulations.
- The compliance committee should ensure training materials are accessible to everyone, considering cultural diversity by providing multiple language options. Training can be conducted live, online, or through prerecorded videos. Regardless of the format, there should be a way for participants to ask questions, such as email queries to the compliance officer.
- Mandatory compliance training should be a condition for continued employment or engagement, with noncompliance leading to potential termination. It should also be a key criterion in annual performance evaluations of employees and assessments of contractors. Hospitals and similar entities should collaborate with their chief medical officers and chiefs of staff to ensure all medical staff complete the required training.
Playbook items for Element 3
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Annual training plan: Develop a training plan detailing topics and target audiences, incorporating insights from past audits. Ensure the compliance committee reviews and updates this plan to reflect regulatory changes and current needs.
- Broad participation: Require annual training for all board members, officers, employees, contractors, and medical staff on the entity’s compliance program and associated risks.
- Role-specific training: Develop targeted training sessions based on individual roles and responsibilities. Focus these sessions on pertinent federal healthcare program regulations and role-specific compliance risks.
- Board member training: Provide immediate, comprehensive training for new board members on governance and oversight. Schedule regular updates for all board members about evolving compliance risks and regulatory changes.
- Material accessibility and diversity: Ensure training materials are accessible to a diverse workforce, including multilanguage options. Offer training through various formats and include mechanisms for participant queries and feedback.
- Mandatory training: Make compliance training a prerequisite for continued affiliation with the entity, with noncompliance potentially leading to termination. Integrate training completion into annual performance evaluations for employees and contractor assessments. Encourage collaboration with chief medical officers and hospital staff leaders to guarantee medical staff participation in required training.
Element 4 – Effective lines of communication with the compliance officer and disclosure programs
- Personnel must be aware of how to contact the compliance officer directly (via email, telephone, messaging), with this information prominently displayed in common areas and online platforms.
- The compliance officer should periodically survey personnel to ensure communication methods meet the needs of a diverse workforce.
- OIG believes that whistleblowers should be protected against retaliation, a concept embodied in the provisions of the False Claims Act. In some cases, employees may sue their employers under the False Claims Act’s qui tam provisions out of frustration because of the company’s failure to act when a questionable, fraudulent, or abusive situation was brought to the attention of senior leaders. (Bold in original document)
- The compliance committee should establish multiple direct reporting channels for employees to report violations of federal and state healthcare regulations and entity policies, ensuring these reports bypass potential interference from supervisors or other staff.
Playbook items for Element 4
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Accessibility: Make it a priority for all staff to contact the compliance officer directly via email, telephone, or messaging and display this information in physical and digital common areas.
- Communication diversity: Regularly conduct surveys to ensure the communication methods employed meet the diverse preferences and needs of the workforce.
- Whistleblower protection: Emphasize the importance of protecting whistleblowers from retaliation under the False Claims Act and underscore the need for prompt action on issues raised by employees to prevent potential qui tam lawsuits.
- Independent reporting channels: Establish multiple direct reporting channels for employees to report potential violations of federal and state healthcare regulations and company policies, bypassing possible interference from supervisors or other staff.
Element 5 – Enforcing standards: Consequences and incentives
- Organizations should enforce consequences for noncompliance, such as remediation or sanctions, and offer incentives to promote compliance and innovation. Balancing both is key to ensuring effective compliance programs.
- Organizations should set and communicate procedures for identifying, investigating, and rectifying noncompliant actions, including retraining or disciplining involved individuals. These procedures should outline potential consequences and detail the roles (e.g., managers, HR) responsible for deciding these outcomes.
- The consequences of noncompliance should be consistently applied and enforced. All levels of employees should be subject to the same consequences for the commission of similar offenses. The commitment to compliance applies to all personnel levels within an entity, including contractors and medical staff.
- OIG believes that corporate officers, managers, supervisors, healthcare professionals, and medical staff should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, laws, policies, and procedures.
- Although an entity may not be able to publicly recognize an individual who raises a substantiated concern that results in the mitigation of harm or risk, the entity should find a way to recognize this in the performance reviews of individuals. This, of course, is not possible for people who wish to remain anonymous. Also, this does not apply to individuals who raise compliance or legal violations for which they themselves committed or were responsible. (Bold in original)
- The compliance committee and entity leaders should assess if incentive plans, like sales or admission goals, promote ethical and compliant operations. They should consider if these goals might inadvertently encourage noncompliant behaviors, such as improper inducements to healthcare practitioners or referral practices. The review should also consider any unintended consequences of specific performance targets.
Playbook items for Element 5
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Enforce consequences for noncompliance: Organizations must implement and balance consequences, like remediation or sanctions, with incentives to foster compliance and innovation. This balance is crucial for effective compliance programs.
- Set clear noncompliance procedures: Establish and communicate clear procedures for detecting, investigating, and correcting noncompliant actions, including retraining or discipline. Detail the potential consequences and define the roles responsible (e.g., managers, HR) for these decisions.
- Consistent application of consequences: Apply consequences for noncompliance uniformly across all employee levels, including contractors and medical staff. Ensure that corporate officers, managers, and healthcare professionals are accountable for personal and subordinate noncompliance.
- Recognize compliance efforts in reviews: While public recognition may not be feasible for individuals who report substantiated concerns, performance reviews should acknowledge their contributions. This does not apply to those wishing to remain anonymous or individuals reporting violations they committed.
- Review incentive plans for compliance risks: The compliance committee and leaders should evaluate if incentive plans, such as sales or admission targets, align with ethical and compliant practices. Assess whether these goals could unintentionally promote noncompliant behavior, like improper inducements or referrals, and consider the ramifications of specific performance objectives.
Element 6 – Risk assessment, auditing, and monitoring
- Risk assessment, auditing, and monitoring are vital in pinpointing and measuring compliance risks. Traditionally central to compliance programs, the importance of a formal compliance risk assessment process has recently gained increased recognition and emphasis from OIG, compliance professionals, and other stakeholders.
- Periodic compliance risk assessments should be a component of an entity’s compliance program and conducted at least annually.
- A formal compliance risk assessment should gather and evaluate risks from various sources, both external and internal. It involves prioritizing these risks and deciding on response strategies. The compliance committee—tasked with conducting and implementing this assessment—may benefit from coordinating with compliance, audit, quality, and risk management teams for a joint assessment. This approach optimizes resource use and minimizes redundant evaluations. The findings then guide the compliance committee and the compliance officer in prioritizing resources and formulating the compliance work plan, which includes audits and monitoring based on risk priority.
- Entities should use data analytics to identify compliance risks. Regardless of size, all entities should analyze their data directly or via a third party, like a billing contractor. The complexity of data analytics can vary based on the volume of data and the entity’s analytical capabilities and resources.
- Entities should internally compare standard metrics of their healthcare operations to identify outliers in focus areas.
- The compliance committee should incorporate a schedule of audits in the compliance work plan, aligned with risks identified in the annual risk assessment. Additionally, they should ensure the compliance officer has the capacity to conduct or oversee extra audits as needed, such as during investigations revealing systemic issues.
- Medicare requires, as a condition of payment, that items and services be medically reasonable and necessary. Therefore, entities should ensure that any claims reviews and audits include a review of the medical necessity of the item or service by an appropriately credentialed clinician. Entities that do not include clinical review of medical necessity in their claims audits may fail to identify important compliance concerns relating to medical necessity. (Bold in original document)
- Entities should also periodically assess the compliance program’s effectiveness. The review should determine how effectively each compliance program element functions.
- The board should mandate a review of the compliance program’s effectiveness, with findings and recommendations reported directly to them. Considering the entity’s resources and compliance history, such as significant failures or unaddressed risks, the board may hire an external expert for this review.
Playbook items for Element 6
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Formal compliance risk assessment: A structured compliance risk assessment process should be conducted annually.
- Collaborative risk assessment approach: The compliance committee should collaborate with compliance, audit, quality, and risk management teams for a joint risk assessment. The outcome should inform the prioritization in the compliance work plan.
- Urge the use of data analytics in risk identification: Employ data analytics to pinpoint compliance risks, leveraging data directly or through third parties. Adjust the complexity of data analytics based on your entity’s data volume and analytical resources.
- Internal benchmarking using standard metrics: Compare your healthcare operations against standard metrics to spot outliers or areas of concern.
- Audits and compliance officer capacity: Advise the compliance committee to schedule regular audits based on identified risks and ensure the compliance officer can conduct or oversee additional audits as new risks emerge, especially during investigations.
- Focus on clinical review for medical necessity in claims audits: Include clinical reviews for medical necessity in claims audits.
- Periodic assessment of compliance program effectiveness: Conduct regular assessments of the compliance program’s effectiveness.
- Board-directed reviews of compliance program effectiveness: The board should mandate reviews of the compliance program’s effectiveness, with an option to engage external experts based on the entity’s resources and compliance history.
Element 7 – Responding to detected offenses and developing corrective action initiatives
- Regardless of an entity’s dedication to compliance, the effectiveness of its policies, procedures, training, and risk assessment, a compliance officer will inevitably encounter audit or monitoring results that highlight issues or receive reports through the disclosure program necessitating investigation. “If, over time, a compliance officer does not receive this type of information, the compliance officer should consider conducting a compliance program effectiveness review.” (Bold in original document)
- Compliance programs must have processes and resources to investigate compliance issues effectively, remediate legal or policy breaches, report to applicable agencies when appropriate, and analyze root causes to avoid repeat offenses.
- The effectiveness of a compliance program is evident in how an entity responds to substantial overpayments or severe misconduct, distinguishing robust programs from superficial ones.
- As a general matter, if credible evidence of misconduct from any source is discovered and, after a reasonable inquiry, the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the entity should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate government authority of the misconduct.
- Implementing corrective action initiatives: Once the entity has gathered sufficient credible information to determine the nature of the misconduct, it should take prompt corrective action, including:
  - refunding of overpayments;
  - enforcing disciplinary policies and procedures; and
  - making any policy or procedure changes necessary to prevent a recurrence of the misconduct.
Playbook items for Element 7
Considering this guidance, compliance professionals can develop a playbook containing the following items as relevant to their compliance program and organization:
- Proactive response to compliance issues: Compliance officers must be prepared to address audit or monitoring findings that reveal potential issues, even in highly compliant environments. Over time, the lack of such findings should trigger a review of the program’s effectiveness.
- Effective investigation and remediation processes: Establish clear processes for investigating compliance concerns, remedying legal or policy violations, and, where appropriate, reporting to government bodies. The strength of a compliance program is reflected in its ability to handle significant overpayments or misconduct.
- Timely reporting of misconduct: If credible evidence of misconduct potentially breaching criminal, civil, or administrative law is found, the entity may be able to mitigate exposure by reporting to the relevant government authority promptly—typically within 60 days of recognizing credible evidence.
- Implementation of corrective actions: Upon identifying the nature of misconduct, take appropriate corrective steps, which may include:
  - Refunding overpayments
  - Enforcing disciplinary measures
  - Amending policies and procedures to prevent repeat incidents
Conclusion
Ultimately, the GCPG’s guidance challenges compliance professionals to elevate their roles, transforming compliance from a reactive function to a strategic partner in organizational success. By embracing the GCPG’s principles and integrating them into comprehensive playbooks, organizations commit to a path of ethical integrity, operational excellence, and sustainable compliance, marking a significant stride towards a more transparent, accountable, and ethically sound business environment.
Takeaways
- The U.S. Department of Health and Human Services Office of Inspector General’s (OIG) General Compliance Program Guidance (GCPG) is a landmark document in compliance, reinforcing previous principles and setting new benchmarks for industry practices.
- OIG’s GCPG addresses perennial challenges in compliance, including reporting structures, empowerment, and board governance.
- The guidance is a blueprint for organizations to develop tailored playbooks that operationalize its advice.
- Section III of the GCPG addresses the seven elements of an effective compliance program, drawing from OIG’s extensive experience with corporate integrity agreements and enforcement actions.
- The GCPG underscores the necessity of leadership commitment in implementing all seven elements for a successful compliance program.