Recommendations Healthcare Entities Should Consider Following the Release of the OIG’s Newly Issued General Compliance Program Guidance


The Department of Health and Human Services (HHS) Office of Inspector General (OIG) protects the integrity of its programs, including Medicare and Medicaid. Over the years, the OIG has developed various compliance program guidance (CPG) documents to help the healthcare industry comply with program requirements and applicable laws and minimize the risk of fraud, waste, and abuse. Compliance with the CPGs is voluntary.

In November 2023, the OIG published a comprehensive compliance reference guide to modernize the accessibility of its various resources and expand its guidance to include more diverse medical services subject to its programs. The healthcare attorneys of MehaffyWeber offer the following insight into this change.

How to Apply the OIG’s Latest Compliance Guidelines

The General Compliance Program Guidance (GCPG) provides a summary of some applicable federal laws, discusses the elements of an effective compliance program, instructs how to adapt the recommendations based on entity size, and examines other important compliance considerations. The GCPG applies to all participating persons and entities working in the healthcare industry. However, it also stresses that the guidance given is not intended to be the definitive model of conduct that will meet compliance requirements in every situation.

All of the guidance given is intended to create awareness and help identify potential risks that should be considered when putting together a new compliance program or assessing and updating an existing program. The general information may need to be adapted to meet the specific needs of a particular organization.

OIG Enforcement Authority Against Healthcare Entities Engaging in Prohibited Conduct

The OIG has the authority to levy civil monetary penalties against individuals or entities engaging in prohibited conduct and to exclude them from participation in HHS programs. Types of conduct for which the OIG may impose monetary penalties include:

  • False or fraudulent claims
  • Claims for services not provided
  • Claims for services not medically necessary
  • Improper remuneration for inducing referrals
  • Patient dumping

Program exclusion periods vary depending on the nature of the violating conduct. Mandatory exclusion periods apply for some criminal convictions. A conviction of a program-related crime carries a minimum five-year exclusion, as does a felony conviction relating to healthcare fraud. Conviction of three mandatory exclusion offenses results in permanent exclusion.

The OIG has the discretion to impose periods of exclusion for less culpable conduct. In January 2024, OIG enforcement actions included the following exclusion periods:

  • Seven years for prescribing medically unnecessary drugs
  • Seven years for receiving improper remuneration
  • Ten years for receiving improper remuneration
  • Twenty years for employing an excluded individual and paying improper remuneration
  • Five years for submitting false claims
  • Seven years for paying improper remuneration

The 7 Elements of a Successful Compliance Program

Based on years of OIG experience, industry feedback, and the evolving healthcare industry, the GCPG includes a section discussing the component pieces that should be a part of any successful compliance program.

1. Written Policies and Procedures

Written policies and procedures should address employee conduct and how a compliance program will be conducted. Entities should include processes for reducing the risk of non-compliance. Materials should be easy to access and kept up to date.

2. Compliance Leadership and Oversight

A compliance program needs the commitment of senior leadership to ensure its success. The OIG suggests entities designate a compliance officer to monitor and report on the operation of the compliance program. A compliance committee composed of department leaders should assist and support the efforts of the compliance officer.

3. Training and Education

All persons associated with an entity should receive training at least annually on the compliance program, risks to compliance, and the entity’s commitment to a culture of compliance.

4. Effective Lines of Communication with the Compliance Officer and Disclosure Programs

There need to be accessible channels for individuals to report suspected compliance violations and policies that protect confidentiality and prohibit retaliation.

5. Enforcing Standards: Consequences and Incentives

An effective compliance program establishes consequences for noncompliance and incentives to encourage compliance. Consequences should be appropriate for the degree of violation and applied fairly and consistently. Compliance achievement can be incentivized with recognition or compensation.

6. Risk Assessment, Auditing, and Monitoring

At least annually, risks to entity compliance should be identified. Periodic audits should be planned to check compliance where the potential for noncompliance has been recognized. Routine monitoring of ongoing risks helps determine the effectiveness of risk control and remediation efforts.

7. Responding to Detected Offenses and Developing Corrective Action Initiatives

Compliance concerns should be thoroughly investigated, and the findings and outcomes should be documented. If a violation is found, the person discovering the issue should promptly report it to the appropriate government authority for correction.

Adapting Compliance Guidelines to Large and Small Entities

Smaller entities may not have the resources to implement a formal compliance program but can still achieve success by adapting the compliance practices to suit their own needs. OIG training videos and other resources can provide additional guidance for smaller organizations.

Larger entities with multiple locations will need significant resources and expertise to develop, implement, and monitor an effective compliance program. A large organization may need an entire department devoted to compliance with personnel at each location. Compliance committees may be large and operate more efficiently if organized into subcommittees to support various compliance functions.

Other Relevant Compliance Considerations

Beginning in 2024, OIG will publish industry-segment-specific compliance program guidance (ICPG) addressing the compliance risks of various providers, suppliers, and other healthcare industry subsectors.

The GCPG also recommends compliance plans consider and provide for the following general risk areas:

  • Quality of care and patient safety
  • Entry of new or non-traditional providers into the healthcare industry
  • Financial incentives, tracked to see where the money is going

The GCPG Is Designed as the Go-To Document for HHS Program Compliance

The GCPG is intended to be the place to start when looking for compliance information for HHS program participants. It provides links to many other OIG resources, including a hotline for reporting tips and complaints.

The GCPG will be a dynamic document updated as new resources become available and new developments occur. The first two ICPG documents will address Medicare Advantage and nursing facilities and will be released in 2024. OIG expects the next two ICPGs to tackle hospitals and clinical laboratories. Interested industry stakeholders are encouraged to email their feedback to Compliance@oig.hhs.gov.