On November 6, 2023, the Office of Inspector General (“OIG”) issued its long-awaited General Compliance Program Guidance (“Guidance”) “to help advance the industry’s voluntary compliance efforts in preventing fraud, waste, and abuse in the health care system.” Although the Guidance is nonbinding, it reflects the OIG’s expectation that compliance programs become increasingly sophisticated in their approach to identifying and managing compliance risks as healthcare delivery and payment models continue to evolve.

In light of the new Guidance, healthcare entities—and nonhealthcare entities that are entering the health space—should ensure that their approach to compliance:

  • Is fully embraced by leadership and suffused throughout the organization’s culture.
  • Takes a holistic, proactive view of compliance risk.
  • Anticipates and responds to new compliance challenges surrounding changes in healthcare delivery, ownership, and payment.

With this integrated approach to risk, the OIG highlights best practices to help healthcare entities fulfill their commitment to compliance, with a focus on company-wide involvement driven by leadership. Since their publication by the US Sentencing Commission in 1991, seven elements have become core tenets of healthcare compliance programs, not only because of their impact on potential damages but also because they help organizations develop well-rounded compliance programs. With the Guidance, the OIG reinforces the need for organizations to fully embrace the seven elements while also asking organizations to think more critically about how each element can best serve the needs of their organization. Some of the areas highlighted in the Guidance include:

  • Revisiting the Code of Conduct with each new CEO – this is an opportunity for leadership to own their commitment to leading through a culture of compliance.
  • Building a Compliance Committee that is representative of the organization’s operational and supporting departments to facilitate enterprise-wide involvement in compliance oversight.
  • Reviewing the compliance training plan at least annually to incorporate regulatory updates or changing priorities.
  • Establishing multiple reporting paths through which employees can raise concerns. If reports are never being made, consider conducting a compliance program effectiveness review.
  • Incentivizing compliance, for example through recognition during performance reviews.
  • Scanning for unidentified or new risks, by reviewing legal and regulatory changes, recent enforcement actions, and the OIG’s annual work plan.

Along with its strengthened emphasis on formal risk assessments, the Guidance suggests taking an enterprise risk management approach to compliance risk. But what is enterprise risk management? In short, enterprise risk management is holistic, proactive, and mission-aligned: leaders actively engage with and oversee risk, and an understanding of risk is suffused throughout the organization’s culture. Because enterprise risk management acknowledges the constancy of change, the framework is resilient and evolving.[1]

An enterprise risk management lens facilitates a sophisticated approach to identifying and managing compliance risks, as well as other risks healthcare organizations face.[2] Throughout, the new Guidance reflects these concepts. For example, it emphasizes the need to:

  • Ensure leadership commitment.
  • Identify and advise leadership on strategy-related compliance risks.
  • Work closely across departments and disciplines.
  • Use “a variety of external and internal sources” to assess risks.
  • Proactively scan for and monitor risks between risk assessments.
  • Communicate the organization’s mission and ethical requirements.
  • Cultivate an organization-wide culture of compliance.

Reflecting this need to take a holistic, proactive view of risk, the Guidance underscores the importance of proactively assessing for and managing problems with patient safety and quality of care as an indicator of potential compliance problems. Recommended steps include:

  • Integrating quality and patient safety oversight into compliance processes, including reporting to and oversight by the board.
  • Including patient safety and quality assurance professionals on the compliance committee and otherwise forming strong partnerships with these and other departments.
  • Addressing medical necessity, patient safety, and other quality compliance issues when conducting risk assessments.
  • Implementing a program for compliance audits and reviews of quality and patient safety incidents.
  • Assessing staffing to ensure appropriate staff numbers, quality, and composition.

Creating a risk-aware culture is critical to the reduction of any potential for fraud, waste, and abuse. The OIG suggests that understanding how funds flow through business arrangements and the varying incentives created by different types of funding structures is one of the best ways to identify fraud and abuse risks and is key to unearthing potential compliance issues, implementing effective monitoring, and identifying preventive strategies. Some of the key strategies recommended by the OIG include:

  • Evaluating whether an arrangement can be structured or restructured to fit within an Anti-Kickback Statute safe harbor.
  • Having a method to keep track of, and review closely, financial relationships with physicians who refer Medicare patients.
  • Taking proactive measures to keep billing and coding practices up to date including conducting regular internal billing and coding audits.
  • Understanding the law around employing excluded individuals.
  • Staying attuned to the risks associated with the payment methodologies through which healthcare entities are reimbursed.
  • Ensuring that proper supporting documentation is maintained and that regular legal reviews are conducted.
  • Performing and updating fair market value assessments routinely.

Compliance and legal professionals should also pay particular attention to evolving risks that the Guidance highlights. For example, OIG states that new entrants to the healthcare sector must carefully understand regulations and business constraints that apply to healthcare. In addition, existing healthcare organizations that are entering new territory (e.g., managed care, technology) must evaluate compliance risks these ventures may pose.

The OIG highlights ownership and financial arrangements as potential concerns as well. Private investors, governing bodies, and healthcare organizations should “carefully scrutinize their operations and incentive structures” to ensure compliance and high-quality, safe care—especially if the investor provides management services or significant operational oversight and control, the new guidance states. Similarly, compliance officers should understand risks associated with both traditional payment incentives (e.g., overutilization in fee-for-service systems) and newer payment incentives (e.g., stinting on care or discriminating against costly patients in capitated systems, “gaming” quality data in performance-based systems).

For help evaluating or implementing a compliance program in the healthcare industry, please contact Josi Wergin, Natasha Sumner, Kasey Ciolfi, or another member of Husch Blackwell’s Healthcare Regulatory team.


[1] See Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Enterprise Risk Management: Integrating with Strategy and Performance: Executive Summary (2017), https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf.

[2] See American Society for Health Care Risk Management, Enterprise Risk Management (2020), https://www.ashrm.org/system/files/media/file/2020/11/ERM-Tool_FINAL.pdf (describing domains of enterprise risk management in healthcare as including operational, clinical and patient safety, strategic, financial, human capital, legal and regulatory, technology, and hazard domains).

Josi Wergin


Josi guides clients through healthcare regulatory and compliance matters. She helps healthcare organizations navigate intricate regulations and statutory schemes, allowing them to concentrate on their primary mission: providing care. Josi came to the practice of law after a 17-year career in healthcare risk management, where she examined and analyzed a broad spectrum of legal, clinical, and operational implications in healthcare topics for various risk management-focused publications. She is a Fellow of the American Society for Health Care Risk Management.

Natasha Sumner


Natasha co-leads the firm’s Psychedelics and Emerging Therapies Practice Group and is also part of the product liability team. She focuses her practice on assisting clients in navigating the regulatory scheme for conducting clinical trials on psychedelics and other controlled substances and litigating product liability claims.

Natasha is well-versed in historical and current psychedelic research, including recent FDA-approved studies on MDMA and psilocybin use for mental health and end-of-life issues, the legalization and decriminalization of psilocybin in numerous cities and states, and biotech and pharmaceutical research. Natasha’s interest in this area keeps her at the forefront of assisting clients in navigating regulatory uncertainty, legislative advocacy, corporate transactions, and litigation in this rapidly evolving complex area. Natasha is also dedicated to ensuring diversity, equity, and inclusion and recognizing and preserving indigenous knowledge.

Academic institutions, product manufacturers and commercial businesses are among the clients relying on Natasha’s broad experience. Natasha has defended clients against claims of mold, asbestos, and benzene exposure, including landlords and housing authorities in disputes regarding habitability. She has represented clients alleging violations under the Food, Drug, and Cosmetic (FD&C) Act, and counseled clients regarding California’s Proposition 65 warning requirements, among other state and federal laws.

While in law school, Natasha interned with the California Attorney General Energy Task Force, working on antitrust issues related to the state’s 2001 energy crisis. Her inside view of regulatory issues is appreciated by clients as she navigates them through complex litigation and compliance matters.

Kasey Ciolfi


Kasey focuses her practice on healthcare regulatory matters, helping clients resolve situations before they become problems. Kasey advises healthcare providers on compliance with state and federal regulatory matters. She also helps them resolve issues with regulatory bodies, including public health departments, state health agencies, the Office of Health and Human Services, the Office of Elder Affairs, and the Centers for Medicare & Medicaid Services. Kasey has developed relationships with many regulatory agencies, allowing her to solve client problems quickly. She frequently works with Medicare regulations and payment issues and is extensively familiar with Medicare Advantage and Programs of All-Inclusive Care for the Elderly (PACE) compliance.