The Department of Health and Human Services’ Office of Inspector General (OIG) published a General Compliance Program Guidance (GCPG) on November 6, 2023, marking the first update to OIG’s compliance program guidance documents (CPGs) since 2008 and advancing OIG’s Modernization Initiative that was first announced in a September 2021 Request for Information.
OIG Senior Counsel Amanda Copsey and Laura Ellis announced the GCPG at the Health Care Compliance Association conference on November 6. The GCPG should be especially of interest to the many types of health care organizations that do not fit into industry segment(s) with existing industry-specific CPGs.
The GCPG compiles existing compliance program guidance into a centralized resource for health care industry stakeholders to reference voluntarily in their efforts to self-monitor compliance with applicable laws and program requirements. The GCPG is full of practical tips for developing a robust compliance program, including tips on effective and engaged compliance committees, risk assessments for small entities, compliance training as part of regular meetings, and employee incentives to promote compliance program engagement. Below is an overview of our key takeaways from the GCPG, including new considerations for federal Anti-Kickback Statute (AKS) analyses, a focus on financial incentives to identify fraud and abuse risks, compliance program considerations for small entities, and an overview of the information blocking prohibition which is a relatively new health care fraud and abuse law.
AKS Key Considerations
The GCPG includes a description of key health care fraud and abuse laws, including the federal AKS. In numerous advisory opinions and other OIG guidance, the OIG has espoused four key factors to assess whether an arrangement that does not satisfy an AKS safe harbor presents fraud and abuse risk which are whether the arrangement has the potential to: (i) increase costs to federal health care programs, beneficiaries, or enrollees; (ii) increase the risk of overutilization or inappropriate utilization; (iii) result in unfair competition by freezing out competitors unwilling to pay kickbacks; or (iv) interfere with appropriate clinical decision-making. Of note, the OIG expanded on these factors with a list of illustrative key questions to identify problematic arrangements under the AKS:
- The Nature of the Relationship between the Parties. This factor focuses on what degree of influence the parties have, directly or indirectly, on the generation of federal health care program business for each other – a key consideration for any AKS analysis.
- The Manner in which Participants are Selected. The OIG recommends assessing whether parties were selected to participate in an arrangement based on past or anticipated referrals.
- The Manner in which Remuneration is Determined. Another factor that would increase AKS risk is whether the remuneration takes into account, either directly or indirectly, the volume or value of business generated between the parties. For example, percentage-based or per-service fees can increase AKS risk. The OIG also recommends assessing whether the arrangement itself or the remuneration is conditioned on referrals or other business generated between the parties.
- The Value of the Remuneration. The GCPG recommends assessing whether the remuneration is fair market value in an arm’s-length transaction for legitimate, reasonable, and necessary services as opposed to arrangements that offer inflated rates to a potential referral source. Moreover, the OIG recommends that the determination of fair market value be based on a reasonable methodology that is uniformly applied and properly documented.
- The Nature of Items or Services to be Provided. The GCPG recommends assessing whether the items or services are actually needed and rendered, commercially reasonable, and necessary.
- Potential Conflicts of Interest. Similar to the OIG’s longstanding concern about whether arrangements would interfere with clinical decision-making, the OIG recommends assessing more broadly whether the arrangement presents a conflict of interest.
- The Manner in which the Arrangement will be Documented. Emphasizing that arrangements should be properly and fully documented as a best practice, the OIG also reiterated its concern about whether arrangements are actually conducted according to the terms of the written agreements.
Of note, the GCPG includes a specific section emphasizing the importance of financial incentives as the best way to identify fraud and abuse risk. The GCPG encourages the industry to follow the money, understand how funds flow through business arrangements, and understand the varying incentives created by different types of funding structures to best identify and prevent compliance issues and implement effective monitoring. The GCPG also cautions that ownership incentives (e.g., returns on investment) can impact the delivery of high-quality, efficient health care.
The GCPG also recommends that health care entities consider dedicating resources to tracking and managing financial arrangements and transactional agreements, including those between referral sources and recipients. In particular, financial arrangements should be tracked, properly documented to reflect the business need, regularly audited, and regularly updated.
Guidance for Small and Large Entities
Small entities, such as physician practices and start-up health care organizations, should take note of the GCPG’s guidance tailored for small entities, which the OIG acknowledged may have limited resources to dedicate to a compliance program. For example, if a small entity cannot support a full-time compliance officer, it should designate a compliance contact who reports to the owner or CEO, does not have responsibility for performing or supervising legal services to the entity, and is not involved in the billing, coding, or submission of claims. For annual compliance training, the GCPG specifically refers small entities to its series of compliance training videos. Open lines of communication should be maintained for reporting compliance concerns, even if anonymity for the reporting party may not be possible. Recognizing that many small entities do not have the resources to engage in complicated risk assessments, the OIG nevertheless advised that small entities should assess their compliance risks at least once a year and included a handful of resources on implementing risk assessments. One option is to generate risk information in a brainstorming session during a staff or leadership meeting, though small entities should also assess their own data, such as claims denials, challenges to medical necessity, or patient safety data.
Large organizations, conversely, should have a dedicated compliance officer, department of compliance personnel, and compliance committee(s). The chief compliance officer should organize the compliance department’s staff to serve the organization most effectively and, as needed, consider employing deputy, regional, and/or facility compliance officers and using sub-committees of the compliance committee to perform certain tasks, thus freeing up compliance committee meeting time to address strategic and systemic compliance program matters.
The GCPG highlights OIG’s newly granted authority to investigate claims that health information technology developers, exchanges, or networks have engaged in conduct that constitutes “information blocking,” defined as a practice that the developer, exchange, or network knows or should know is likely to interfere with access, exchange, or use of electronic health information , unless the practice is covered by an exception or is otherwise required by law. The Office of the National Coordinator for Health Information Technology has promulgated regulations setting forth definitions and exceptions and has also developed guidance documents defining the conduct that constitutes information blocking. OIG has issued a final rule regarding its investigations and imposition of civil monetary penalties on developers, exchanges, and networks who engage in information blocking.
The OIG’s GCPG is a user-friendly resource with a wealth of information and practical tips for health care organizations to implement robust compliance programs, particularly for organizations that do not fit squarely within one of the health care industry segments with an existing CPG. In addition to the GCPG, the OIG previously announced that updates to its separate CPGs for Medicare Advantage and skilled nursing facilities will be forthcoming. Given that the CPGs for Medicare Advantage and skilled nursing facilities were last updated in 1999 and 2008, respectively, these updates are long overdue and ripe for modernization. We will continue to monitor OIG’s Modernization Initiative developments, including updates to the CPGs.