New Guidance from HHS-OIG Offers Insights for Health Care Compliance Programs

January 8, 2024

U.S. Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) recently published its General Compliance Program Guidance (the “GCPG”),1 non-binding guidance designed to assist health care industry participants in monitoring compliance with applicable health care statutes, regulations, and program requirements. The GCPG was published to the HHS-OIG website as part of HHS-OIG’s Modernization Initiative,2 and aggregates into a single document the advice of past Compliance Program Guidances (“CPGs”) issued between 1998 and 2008.3

While OIG’s guidance is largely familiar, the GCPG reflects several additions and clarifications, including (i) topics not previously addressed in past CPGs, such as Information Blocking, cybersecurity, and quality and patient safety; (ii) new recommendations on previously covered topics, such as policy accessibility, compliance officer roles, training, claims audits, and financial arrangement tracking; and (iii) considerations for new entrants to the health care space, including technology and social services organizations and private investors.

HHS-OIG plans to publish industry segment-specific CPGs (“ICPGs”) in 2024 for specific types of providers, suppliers, and other participants in the health care industry. According to OIG, the additional guidance will focus on fraud and abuse risk areas specific to each industry subsector.4 Importantly, neither the GCPG nor the ICPGs set forth a one-size-fits-all compliance model, and HHS-OIG emphasizes that strict adherence to the guidelines is not expected.

HHS-OIG Continues to Focus on Traditional Fraud, Waste, and Abuse Compliance Considerations, While Emphasizing New Areas of Focus for Compliance Programs

  • Substantive Health Care Laws Guidance. The GCPG includes substantive summaries of various health care laws, including the Anti-Kickback Statute, Stark Law, and False Claims Act. In addition, the GCPG addresses for the first time the Information Blocking Rule,5 under which HHS-OIG has the authority to investigate claims that certain “actors”—health IT developers of certified health IT, health information exchanges and networks, and health care providers—have engaged in “Information Blocking,”6 and to impose civil monetary penalties7 for noncompliance.
  • HIPAA. Given the increasing number of cybersecurity attacks targeting health care entities,8 HHS-OIG emphasizes in the GCPG that compliance with HIPAA should be a top compliance priority and that such compliance measures should be evaluated through periodic risk assessments.
  • Quality. The GCPG clearly recommends, for the first time, that compliance programs—particularly those of hospitals, long-term care facilities and other entities furnishing residential care services—include meaningful evaluation of quality and patient safety oversight.9 The GCPG suggests an entity’s corporate compliance committee (i) include members responsible for quality assurance and patient safety, (ii) receive regular reports from senior leadership on quality assurance and patient safety practices, and (iii) implement a program for performing quality audits and reviews. Additionally, the GCPG states that compliance officers should (i) develop productive working relationships with clinical and quality leadership, (ii) be informed about any internal quality audits and incident reviews, and (iii) have the resources to conduct the quality compliance audits.

OIG Expands upon Previous Guidance and Issues New Recommendations for Compliance Programs

  • Accessibility. The GCPG advises that an organization’s code, policies, and procedures should be easily accessible and comprehensible by all relevant individuals (e.g., available at appropriate reading levels and translated into other languages). The GCPG links to a DOJ Evaluation of Corporate Compliance Programs questionnaire, which is intended to facilitate the creation and review of applicable compliance policies and procedures.
  • Compliance Officer Roles and Responsibilities. The GCPG expresses HHS-OIG’s view that compliance officers should neither lead nor report to an entity’s legal or financial functions, nor provide an entity with legal or financial advice or supervise anyone who does.10 Instead, HHS-OIG proposes that compliance officers should report directly to an entity’s CEO or board. Separately, the GCPG acknowledges that some compliance officers may also serve as an entity’s privacy officer but suggests the entity should ensure that it furnishes sufficient resources to support that individual’s dual role.
  • Vendor Training. The GCPG suggests that, when contracting with a third party to perform health care-related functions, an entity may grant a training waiver to the contracting entity’s employees if the contracting entity demonstrates that its own compliance training is sufficient. HHS-OIG emphasizes, however, that employees of the contractor should still be informed of the manner in which noncompliance may be reported directly to the entity.
  • Claims Audits and Medical Necessity. The GCPG suggests that all claims audits should incorporate an assessment of medical necessity through clinician review. While medical necessity is commonly assessed in many internal audits, HHS-OIG’s expectation that every internal claims audit involve clinician input on medical necessity may exceed general industry practices, which often entail conducting at least a portion of audits with trained compliance personnel or professional coders, and may not consistently involve assessment of medical necessity by a clinician.
  • Financial Arrangement Tracking. Historically, HHS-OIG has neither formally nor informally directed entities to track their financial arrangements as part of an effective compliance program, except as required as part of corporate integrity agreements (“CIAs”). The GCPG adopts a position reflecting CIA requirements, suggesting that entities implement a centralized tracking system to monitor and track compliance with the terms and conditions set forth in financial arrangements, particularly between referral sources and recipients. HHS-OIG recommends that such tracking systems be regularly audited and, with respect to the financial arrangement, that entities ensure that (i) the entity maintains proper supporting documentation; (ii) legal reviews are regularly conducted; (iii) services, activities, leases, and equipment rentals are consistent with contractual terms; and (iv) fair market value (“FMV”) assessments are routinely performed and updated.

OIG Notes Additional Areas Worthy of Consideration in Compliance Programs

  • New Entrants. The GCPG suggests that new entrants to the health care industry (e.g., technology companies, social services organizations) take steps to ensure that they are educated on the federal fraud and abuse laws (and other applicable laws) and understand the importance of implementing an effective compliance program designed to comply with, prevent, detect, and address any violations of such laws.
  • Investors. The GCPG suggests that an understanding of financial arrangements and incentives is integral to uncovering possible compliance issues. The GCPG indicates that HHS-OIG believes it is important for investors and boards to understand applicable laws, the role of effective compliance programs, as well as to evaluate the entity’s operations and investment structure to ensure compliance with such laws, particularly for those investors with a management services role.
  • Small Versus Large Entities. Recognizing that compliance infrastructures and resources may differ substantially across small and large organizations, the GCPG sets forth specific recommendations for how compliance programs may be adapted for both small and large entities with respect to the designation and roles of compliance officers and committees, the implementation of policies and procedures and provision of training, disclosures of noncompliance, auditing and monitoring, corrective action, and board compliance oversight.

Concluding Thoughts

The GCPG is HHS-OIG’s first single, comprehensive compliance guide that unites much of the guidance it has issued over the last 25 years. While HHS-OIG’s guidance documents are non-binding, they provide important insights into what HHS-OIG and other enforcement agencies may consider in enforcement decisions and are thus helpful to reference when structuring, implementing, and monitoring effective health care compliance programs. Health care entities should take particular note of the new guidance and areas of emphasis, highlighted above, and remain apprised of the upcoming industry-specific CPGs, which will provide additional and more targeted insights.

If you have questions regarding the GCPG or navigating compliance programs, please do not hesitate to contact one of the authors or your Ropes & Gray advisor.

  1. U.S. Dep’t Health & Hum. Servs., Off. of Inspector General, General Compliance Program Guidance (Nov. 6, 2023).
  2. See Modernization of Compliance Program Documents, 88 Fed. Reg. 25000 (Apr. 25, 2023), available at (stating that “HHS-OIG is modernizing the accessibility and usability of [its] publicly available resources, including OIG’s Compliance Program Guidance” and, in accordance with that effort, “OIG will no longer publish updated or new CPGs in the Federal Register,” and will instead be available on the HHS-OIG website).
  3. See U.S. Dep’t Health & Hum. Servs., Off. of Inspector General, Compliance Guidance.
  4. HHS-OIG anticipates that the first two ICPGs published in 2024 will address compliance for Medicare Advantage and nursing facilities.
  5. 45 C.F.R. § 171.103. For more information regarding the Information Blocking Rule, its exceptions and compliance obligations, see Ropes & Gray Alerts: In Coordinated Proposed Rules, ONC and CMS Seek to Tackle Interoperability, Information Blocking, and Patient Access to Health Information; ONC Proposes Significant Changes to Health IT Certification Program and Information Blocking Rule.
  6. An actor engages in Information Blocking when it engages in a practice that (i) except as required by law or covered by an Information Blocking exception, is “likely to interfere with access, exchange, or use of electronic health information” (“EHI”) and (ii) such actor knows that such practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI. 45 C.F.R. § 171.103.
  7. HHS-OIG is authorized to pursue monetary penalties and exclusion through various civil authorities. See Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, OIG Information Blocking Final Rule, 88 Fed. Reg. 42820 (July 3, 2023); 42 C.F.R. § 1003.1400.
  8. See Check Point Software’s Mid-Year Security Report Reveals 42% Global Increase in Cyber Attacks with Ransomware the Number One Threat (Aug. 2, 2022) (noting that there was an overall 42% increase in cybersecurity attacks in the first half of 2022, as compared to 2021, and a 69% increase in cybersecurity attacks targeting the health care sector); see also October 2022 OCR Cybersecurity Newsletter (concluding that reportable breaches of unsecured protected health information under HIPAA affecting 500 or more individuals increased from 662 in 2020 to 714 in 2021, and that, of those reported breaches, 74% involved hacking/IT incidents).
  9. Note that this suggestion addresses increased concerns over nurse staffing shortages, as described further in the following Ropes & Gray Alert: Raising the Floor: CMS Proposes New Nurse Staffing Requirements for Long-Term Care Facilities.
  10. See Publication of the OIG Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8987, 8993, n.35 (Feb. 23, 1998), available at (acknowledging that there is “some risk to establishing an independent compliance function if that function is subordinance [sic] to the hospital’s general counsel, or comptroller or similar hospital financial officer” but stating that “[b]y separating the compliance function from the key management positions of general counsel or chief hospital financial officer (where the size and structure of the hospital make this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.”).