On November 6, 2023, the Office of Inspector General (“OIG”) issued its long-awaited General Compliance Program Guidance (“Guidance”) “to help advance the industry’s voluntary compliance efforts in preventing fraud, waste, and abuse in the health care system.” Although the Guidance is nonbinding, it reflects the OIG’s expectation that compliance programs become increasingly sophisticated in their approach to identifying and managing compliance risks as healthcare delivery and payment models continue to evolve.
In light of the new Guidance, healthcare entities—and nonhealthcare entities that are entering the health space—should ensure that their approach to compliance:
- Is fully embraced by leadership and suffused throughout the organization’s culture.
- Takes a holistic, proactive view of compliance risk.
- Anticipates and responds to new compliance challenges surrounding changes in healthcare delivery, ownership, and payment.
With this integrated approach to risk, the OIG highlights best practices to help healthcare entities fulfill their commitment to compliance with a focus on company-wide involvement driven by leadership. Since their publication by the US Sentencing Commission in 1991, seven elements have become core tenets of healthcare compliance programs not only because of their impact on potential damages, but in helping organizations develop well-rounded compliance programs. With the Guidance, the OIG reinforces the need for organizations to fully embrace the seven elements while also asking organizations to think more critically about how each element can best serve the needs of their organization. Some of the areas highlighted in the Guidance include:
- Revisiting the Code of Conduct with each new CEO – this is an opportunity for leadership to own their commitment to leading through a culture of compliance.
- Building a Compliance Committee that is representative of the organization’s operational and supporting departments to facilitate enterprise-wide involvement in compliance oversight.
- Reviewing the compliance training plan at least annually to incorporate regulatory updates or changing priorities.
- Establishing multiple reporting paths for employees to engage through. If reports are never being made, consider conducting a compliance program effectiveness review.
- Incentivizing compliance such as recognition during performance reviews.
- Scanning for unidentified or new risks, by reviewing legal and regulatory changes, recent enforcement actions, and the OIG’s annual work plan.
Along with its strengthened emphasis on formal risk assessments, the Guidance suggests taking an enterprise risk management approach to compliance risk. But what is enterprise risk management? In short, enterprise risk management is holistic, proactive, and mission-aligned whereby leaders actively engage with and oversee risk and understanding of risk is suffused throughout the organization’s culture. Because enterprise risk management acknowledges the constancy of change, the framework is resilient and evolving.
An enterprise risk management lens facilitates a sophisticated approach to identifying and managing compliance risks, as well as other risks healthcare organizations face. Throughout, the new Guidance reflects these concepts. For example, it emphasizes the need to:
- Ensure leadership commitment.
- Identify and advise leadership on strategy-related compliance risks.
- Work closely across departments and disciplines.
- Use “a variety of external and internal sources” to assess risks.
- Proactively scan for and monitor risks between risk assessments.
- Communicate the organization’s mission and ethical requirements.
- Cultivate an organization-wide culture of compliance.
Reflecting this need to take a holistic, proactive view of risk, the Guidance underscores the importance of proactively assessing for and managing problems with patient safety and quality of care as an indicator of potential compliance problems. Recommended steps include:
- Integrating quality and patient safety oversight into compliance processes, including reporting to and oversight by the board.
- Including patient safety and quality assurance professionals on the compliance committee and otherwise forming strong partnerships with these and other departments.
- Addressing medical necessity, patient safety, and other quality compliance issues when conducting risk assessments.
- Implementing a program for compliance audits and reviews of quality and patient safety incidents.
- Assessing staffing to ensure appropriate staff numbers, quality, and composition.
Creating a risk-aware culture is critical to the reduction of any potential for fraud, waste, and abuse. The OIG suggests that understanding how funds flow through business arrangements and the varying incentives created by different types of funding structures is one of the best ways to identify fraud and abuse risks and is key to unearthing potential compliance issues, implementing effective monitoring, and identifying preventive strategies. Some of the key strategies recommended by the OIG include:
- Evaluating whether an arrangement can be structured or restructured to fit within an Anti-Kickback Statute safe harbor.
- Having a method to keep track of, and review closely, financial relationships with physicians who refer Medicare patients.
- Taking proactive measures to keep billing and coding practices up to date including conducting regular internal billing and coding audits.
- Understanding the law around employing excluded individuals.
- Attuning to the risks associated with payment methodologies through which healthcare entities are reimbursed.
- Ensuring that proper supporting documentation is maintained, and regular legal reviews are conducted.
- Performing and updating fair market value assessments routinely.
Compliance and legal professionals should also pay particular attention to evolving risks that the Guidance highlights. For example, OIG states that new entrants to the healthcare sector must carefully understand regulations and business constraints that apply to healthcare. In addition, existing healthcare organizations that are entering new territory (e.g., managed care, technology) must evaluate compliance risks these ventures may pose.
The OIG highlights ownership and financial arrangements as potential concerns as well. Private investors, governing bodies, and healthcare organizations should “carefully scrutinize their operations and incentive structures” to ensure compliance and high-quality, safe care—especially if the investor provides management services or significant operational oversight and control, the new guidance states. Similarly, compliance officers should understand risks associated with both traditional payment incentives (e.g., overutilization in fee-for-service systems) and newer payment incentives (e.g., stinting on care or discriminating against costly patients in capitated systems, “gaming” quality data in performance-based systems).