Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG) 

Last month, the Office of Inspector General (OIG) published a new, user-friendly, 91-page General Compliance Program Guidance (GCPG). It is meant to be a helpful reference for everyone in the health care industry about how to develop a compliance program, safeguard their organizations and ensure they operate according to all laws and regulations. Users are encouraged to use the electronic version, to allow access to hyperlinked definitions and resource documents.  

Previous versions are archived on the OIG website and will no longer be published in the Federal Register. Also, industry segment specific guidance (ICPGs) will be developed for sectors of federal health care programs.  

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

• Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether an arrangement violates the federal anti-kickback statute. 
• Exclusions (page 26): OIG recommends that any entity participating in the federal Medicaid program should check the state Medicaid program exclusion list for each applicable state. Each state has strengths, weaknesses, and a high degree of variation with the knowledge and access of exclusion databases, creating a cumbersome process to validate Medicaid exclusionary status.  
• HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
• Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These people should at least receive new and/or revised policies and procedures before they are implemented. 
• Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.” 

• Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome. The OIG writes:    

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

• Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on the members, roles direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
• Board Responsibilities (page 43): the OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “the board should also ensure that the compliance officer has direct and uninhibited access to the board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it is effective and promotes transparency. 
• Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and contains information on issues identified through auditing and monitoring. The OIG also suggests that organizations’ audiences can ask questions.  
• Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all health care compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 

• Large and Small Entities (page 65): There is a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

• The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims. 
• In the absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation. 
• Regarding exclusions, an individual or entity or an employee with an invalid license can have a significant negative impact on a small entity. Monitoring compliance in this area should be performed to reduce risk for small entities. 

In large entities:   

• The OIG repeats the need for compliance officers to report directly to the board to send a message and establish the proper tone for all relevant individuals.  
• For the first time, the OIG says that exceptionally large organizations controlled by an international parent organization need to have sufficient information about applicable law. 

• Quality and Safety (page 76): In the last section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks exist associated with financial incentives and discrimination against more costly patients. It says that compliance officers should include these areas in risk assessments. A new term introduced is “new entrants,” on page 78. The term references technology companies, new investors, and non-traditional service providers in health care settings that may not be aware of the health care industry regulations. To identify and prevent fraud and abuse risks in a complex health care environment, compliance officers should simply follow the money.   

As the compliance industry evolves, the OIG is right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.   

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.   

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.