In November 2023, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released the General Compliance Program Guidance (GCPG). The GCPG is described as a “reference guide for the health care compliance community and other health care stakeholders.”[1] OIG specifically states the Guidance is not meant to “constitute a model compliance program” or be “one-size-fits-all,” but rather it is intended to set forth voluntary guidelines and compliance tips for all individuals and entities that play a role in the healthcare industry.[2]
The GCPG, however, is not a new concept. Since 1998, OIG has been publishing compliance program guidance documents (CPGs), which are described as “voluntary, nonbinding guidance documents to support health care industry stakeholders in their efforts to self-monitor compliance with applicable laws and program requirements.”[3] These CPGs include guidance aimed at specific stakeholders, such as hospitals, home health agencies, Medicare Advantage organizations, nursing facilities, and pharmaceutical manufacturers.
In response to stakeholder feedback, and as a part of OIG’s modernization efforts, OIG published the GCPG, which addresses all of the following topics: (1) key federal authorities for entities engaged in healthcare business; (2) the seven elements of a compliance program; (3) adaptations for small and large entities; (4) other compliance considerations; and (5) OIG processes and resources.[4] In addition, OIG stated that it will no longer publish updated or new CPGs in the Federal Register, but rather will make all current, updated, and new CPGs available on its website in a more user-friendly and accessible format and with interactive links to relevant resources.[5] Further announced efforts include the publication of industry segment-specific CPGs (ICPGs), which will be tailored to fraud and abuse risk areas, for different participants involved in healthcare industry subsectors or ancillary industry sectors relating to federal healthcare programs.[6] OIG plans to release the ICPGs starting in 2024, and will update them periodically in order to address new areas of risk and provide meaningful guidance.[7]
As explained further below, while the GCPG is voluntary and is not binding on any individual or entity, OIG makes clear that its topics and compliance resources apply to all individuals and entities engaged in the healthcare industry.[8] OIG specifically notes the application of the GCPG, its CPGs, and the forthcoming ICPGs to “new entrants” in the healthcare industry and existing healthcare organizations entering new arenas.[9]
New entrants in the healthcare industry
Technology companies, organizations providing non-traditional services
With the sudden urgency for increased reliance on telemedicine and remote workforces, the COVID-19 pandemic amplified the need for new technology to enter the healthcare arena. Even after the public health emergency ended, it was clear that these new technologies were valuable to providers and patients alike, and the industry landscape was forever changed. In a post-COVID world, we continue to watch as emerging technologies are introduced to optimize healthcare delivery and streamline processes. From the use of smart wireless and wearable devices to the integration of artificial intelligence (AI)-based technologies in the healthcare sector, the present-day intricate technology landscape raises several regulatory concerns, including cybersecurity, privacy, information blocking, and transparency issues.
In addition, organizations have recently expanded to provide non-traditional services in healthcare settings. As healthcare providers increasingly focus on developing patient-centered care models, they continue to rely upon several types of “non-traditional services,” including social services, care coordination services, and food delivery services.
OIG clarifies that technology companies—both established and start-up companies and organizations providing non-traditional services in healthcare settings—are subject to the same regulations and penalties applicable to healthcare entities. The GCPG warns, “[s]imply put, business practices that are common in other sectors create compliance risk in healthcare, including potential criminal, civil, and administrative liability.”[10] In other words, OIG cautions that ignorance of the healthcare legal framework is not a defense for these entities who are historically not well versed in the industry laws and regulations.
New investors
The healthcare sector is also attractive to private equity funds and other associated financial investors. Over the past decade, private equity investment in the healthcare industry has increased exponentially. Private equity firms reportedly invested more than $750 billion to buy healthcare-related operations in the United States between 2010 and 2019.[11] In 2022, private equity firms closed an estimated 863 healthcare-related service deals after peaking at 1,013 transactions in 2021, and this growth is expected to continue.[12]
In the GCPG, OIG cautions that healthcare entities’ investors are not immune from scrutiny relating to compliance with federal fraud and abuse laws. OIG explains that “understanding how funds flow through business arrangements and the varying incentives created by different types of funding structures is key to unearthing potential compliance issues, implementing effective monitoring, and identifying preventive strategies.”[13] As a result of private equity investors’ growing influence in the healthcare sector, OIG further cautions that federal regulators expect investors in healthcare operations—particularly those investors that provide management services for or have considerable operational oversight and control over a healthcare entity—to have an “understanding of the laws applicable to the healthcare industry and the role of an effective compliance program.”[14] Although private equity deals have often proved to be a valuable resource in the industry—saving hospitals and other healthcare providers from dire financial situations—OIG warns that these deals carry varying risks depending on the payment methodologies through which the healthcare entities are reimbursed for services provided; compliance officers must be aware of such risks and be positioned to conduct effective audits and implement effective preventive strategies.[15]
Existing healthcare organizations entering new arenas
Not only are there various new entrants to the healthcare arena, but many existing healthcare organizations are choosing to develop in new areas to progress in the ever-evolving healthcare landscape. For example, many providers are choosing to develop their own AI-enabled tools to become more efficient and improve patient outcomes; increasingly, more healthcare providers are now offering managed care plans.
In the GCPG, OIG warns that these healthcare organizations should not take comfort in the fact that they are familiar with the compliance risks applicable to their existing business practices. As business models evolve, so do the applicable compliance risks; therefore, entities considering developing in new areas must evaluate how such growth will impact their compliance programs.
Compliance risks for new entrants in the healthcare industry
As new entrants join the healthcare industry, they must familiarize themselves with the complex range of laws and regulations that govern the healthcare industry, as well as the state and federal agencies that enforce these laws.[16] As previously stated, the GCPG encourages new entrants in the industry to be circumspect in their approach as practices typical in other industries could lead to government-imposed penalties and criminal liability.[17] Similarly, exposure exists even with existing healthcare organizations that enter new arenas as they may not appreciate the differences between their current businesses and the prospective business and may further fail to fully comprehend the compliance risks associated with their new lines of business.[18] The GCPG provides tools—and a valuable resource—to new entrants in the healthcare industry as they navigate these risks.
Examples of compliance risks: Technology and private equity
While technology has undoubtedly revolutionized various industries throughout the past decades, the role of technology in healthcare is on a trajectory all on its own. Major trends in healthcare technology in 2024 include the use of AI in both the clinical and the business side of healthcare, increased use and availability of telehealth services, and the incorporation of virtual or augmented reality by surgeons and in the long-term management of chronic pain.[19] As new businesses enter the healthcare technology space, they must understand its unique compliance risks.
Healthcare technology companies should be aware of specific laws with which they must comply. The HIPAA Privacy, Security, and Breach Notification rules govern the use and disclosure of individuals’ identifiable information by health plans, healthcare clearinghouses, and certain healthcare providers that conduct electronic healthcare transactions.[20] Thus, technology companies that transmit healthcare information should understand HIPAA and how it may apply to their businesses. Healthcare technology companies may also be subject to the federal rules prohibiting “information blocking,” which is the practice by a provider or certain health IT developers that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information.[21] The 21st Century Cures Act confers authority upon the OIG to investigate conduct that could constitute information blocking.[22] The GCPG outlines HIPAA, the prohibition against information blocking, and other issues facing healthcare technology companies.
The recent dramatic increase in private equity investment in the healthcare industry has led to heightened government scrutiny of private-equity-backed healthcare.[23] As stated in the GCPG, private equity and private investment in healthcare generally create ownership incentives that raise concerns related to fraud and abuse.[24] Issues of particular concern include billing compliance and illegal referrals or kickbacks in connection to services reimbursable through government programs including Medicare and Medicaid.[25] While investments in healthcare entities can provide high returns for private equity companies, such investments also come with a high degree of risk, as the penalties for violating healthcare laws can be significant. In 2019, for example, the U.S. Department of Justice (DOJ) entered into a $21 million settlement with multiple defendants in a case against a compounding pharmacy controlled by a private equity firm accused of paying illegal kickbacks for prescriptions reimbursable by a federal government program.[26] In 2021, a private equity firm that owned an interest in a mental health service entered into a $25 million settlement with DOJ after failing to act upon the knowledge that the mental health services were being provided by unqualified and improperly supervised staff.[27] Private equity investors in the healthcare industry should be aware of the potential risks of noncompliance with healthcare laws.
The GCPG can serve as a valuable tool for private equity investors in healthcare. In particular, it offers overviews of certain federal laws that impact private equity-backed healthcare organizations, including the federal Anti-Kickback Statute, which prohibits the payment of remuneration in exchange for referrals for services reimbursable by federal healthcare programs; the Physician Self-Referral Law or the Stark Law, which prohibits physicians from making referrals for certain “designated health services” to entities with which the physician or an immediate family member has a financial relationship; and the False Claims Act, which prohibits false or fraudulent claims to the federal government, including for claims for healthcare services.[28] The GCPG provides overviews of these laws only; it does not address particular regulatory concerns for healthcare entities, including state healthcare laws. Nevertheless, the GCPG provides a resource to create awareness that can be used by new entrants in the healthcare industry to prevent future violations of federal healthcare laws, identify existing red flags, and avoid penalties, including repayments to government programs, fines, and even criminal penalties, in some cases.
Compliance advice for new entrants in the healthcare space
As new companies enter the healthcare market or existing healthcare organizations expand into new lines of business, the GCPG can serve as an excellent resource. Although the GCPG does not provide complete summaries of all potential illegal activities of healthcare entities, it provides useful overviews of critical legal issues such organizations face. Importantly, new entrants in the healthcare space can refer to the GCPG for overviews of federal laws that impact the healthcare industry, as well as information regarding healthcare fraud enforcement and other standards.[29]
A necessary element to any successful healthcare business is a compliance program, and the GCPG summarizes OIG’s recommendations for the seven elements that should make up such a program:
- “Written Policies and Procedures
- “Compliance Leadership and Oversight
- “Training and Education
- “Effective Lines of Communication with the Compliance Officer and Disclosure Program
- “Enforcing Standards: Consequences and Incentives
- “Risk Assessment, Auditing, and Monitoring
- “Responding to Detected Offenses and Developing Corrective Action Initiatives”[30]
These elements are detailed in the GCPG but reflect prior guidance from OIG and are based upon prior corporate integrity agreements, feedback from industry stakeholders, enforcement actions and investigations, and the changing landscape of the healthcare industry.[31] In order to implement a successful compliance program, OIG instructs entity leadership to include all seven elements.
New entrants in the healthcare industry face particular compliance challenges unique to the healthcare industry. The GCPG can serve as a valuable resource to such companies, providing general background information on certain federal healthcare laws and laying out a structure for successful compliance programs. As the GCPG notes, an effective compliance program is critical to meeting the goals of a healthcare organization and in preventing fraud and abuse in the healthcare system.[32] The GCPG is voluntary, but industry stakeholders are encouraged to use it as a general compliance resource, to be aware that the GCPG will be updated as new resources become available, and to submit feedback regarding general compliance and areas of risk.[33]
Takeaways
- The healthcare industry is experiencing significant growth, including in healthcare technology, private equity investment in healthcare, and non-traditional services in health settings.
- Given the complex laws and regulations governing the healthcare industry, new entrants must be mindful of potential compliance risks.
- The U.S. Department of Health and Human Services Office of Inspector General’s General Compliance Program Guidance (GCPG) issued in November 2023 is a valuable tool for new healthcare entities.
- The GCPG is a voluntary resource that provides overviews of key legal issues healthcare organizations face.
- A necessary element of any successful healthcare business is a compliance program, and the GCPG summarizes the seven elements of such a program.