In November 2023, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released the General Compliance Program Guidance (GCPG). The GCPG is described as a “reference guide for the health care compliance community and other health care stakeholders.”[1] OIG specifically states the Guidance is not meant to “constitute a model compliance program” or be “one-size-fits-all,” but rather it is intended to set forth voluntary guidelines and compliance tips for all individuals and entities that play a role in the healthcare industry.[2]
The GCPG, however, is not a new concept. Since 1998, OIG has been publishing compliance program guidance documents (CPGs), which are described as “voluntary, nonbinding guidance documents to support health care industry stakeholders in their efforts to self-monitor compliance with applicable laws and program requirements.”[3] These CPGs include guidance aimed at specific stakeholders, such as hospitals, home health agencies, Medicare Advantage organizations, nursing facilities, and pharmaceutical manufacturers.
In response to stakeholder feedback, and as a part of OIG’s modernization efforts, OIG published the GCPG, which addresses all of the following topics: (1) key federal authorities for entities engaged in healthcare business; (2) the seven elements of a compliance program; (3) adaptations for small and large entities; (4) other compliance considerations; and (5) OIG processes and resources.[4] In addition, OIG stated that it will no longer publish updated or new CPGs in the Federal Register, but rather will make all current, updated, and new CPGs available on its website in a more user-friendly and accessible format and with interactive links to relevant resources.[5] Further announced efforts include the publication of industry segment-specific CPGs (ICPGs), which will be tailored to fraud and abuse risk areas, for different participants involved in healthcare industry subsectors or ancillary industry sectors relating to federal healthcare programs.[6] OIG plans to release the ICPGs starting in 2024, and will update them periodically in order to address new areas of risk and provide meaningful guidance.[7]
As further explained subsequently, while the GCPC is voluntary and is not binding on any individual or entity, OIG makes clear that its topics and compliance resources apply to all individuals and entities engaged in the healthcare industry.[8] OIG specifically notes the application of the GCPG, its CPGs, and the forthcoming ICPGs to “new entrants” in the healthcare industry and existing healthcare organizations entering new arenas.[9]
New entrants in the healthcare industry
Technology companies, organizations providing non-traditional services
With the sudden urgency for increased reliability on telemedicine and remote workforces, the COVID-19 pandemic amplified the need for new technology to enter the healthcare arena. Even after the public health emergency ended, it was clear that these new technologies were valuable to providers and patients alike and the industry landscape was forever changed. In a post-COVID world, we continue to watch as emerging technologies are introduced to optimize healthcare delivery and streamline processes. From the use of smart wireless and wearable devices to the integration of artificial intelligence (AI)-based technologies in the healthcare sector, the present-day intricate technology landscape raises several regulatory concerns, including cybersecurity, privacy, information blocking, and transparency issues.
In addition, organizations have recently expanded to provide non-traditional services in healthcare settings. As healthcare providers increasingly focus on developing patient-centered care models, they continue to rely upon several types of “non-traditional services,” including social services, care coordination services, and food delivery services.
OIG clarifies that technology companies—both established and start-up companies and organizations providing non-traditional services in healthcare settings—are subject to the same regulations and penalties applicable to healthcare entities. The GCPG warns, “[s]imply put, business practices that are common in other sectors create compliance risk in healthcare, including potential criminal, civil, and administrative liability.”[10] In other words, OIG cautions that ignorance of the healthcare legal framework is not a defense for these entities who are historically not well versed in the industry laws and regulations.
New investors
The healthcare sector is also attractive to private equity funds and other associated financial investors. Over the past decade, private equity investment in the healthcare industry has increased exponentially. Private equity firms reportedly invested more than $750 billion to buy healthcare-related operations in the United States between 2010 and 2019.[11] In 2022, private equity firms closed an estimated 863 healthcare-related service deals after peaking at 1,013 transactions in 2021, and this growth is expected to continue.[12]
In the GCPG, OIG cautions that healthcare entities’ investors are not immune from scrutiny relating to compliance with federal fraud and abuse laws. OIG explains that “understanding how funds flow through business arrangements and the varying incentives created by different types of funding structures is key to unearthing potential compliance issues, implementing effective monitoring, and identifying preventive strategies.”[13] As a result of private equity investors’ growing influence in the healthcare sector, OIG further cautions that federal regulators expect investors in healthcare operations—particularly those investors that provide management services for or have considerable operational oversight and control over a healthcare entity—to have an “understanding of the laws applicable to the healthcare industry and the role of an effective compliance program.”[14] Although private equity deals have often proved to be a valuable resource in the industry—saving hospitals and other healthcare providers from dire financial situations—OIG warns that these deals carry varying risks depending on the payment methodologies through which the healthcare entities are reimbursed for services provided; compliance officers must be aware of such risks and be positioned to conduct effective audits and implement effective preventive strategies.[15]