This post was originally featured on the Radical Compliance blog.
The Department of Health and Human Services has released long-awaited guidance on compliance programs in the healthcare world, a 91-page booklet that’s meant to be a single source of compliance wisdom for the wide range of individual sectors in the U.S. healthcare industry.
The booklet, blandly titled “General Compliance Program Guidance,” was published on Monday by the Office of the Inspector General (OIG), the office within the Department of Health and Human Services that enforces healthcare compliance. The guidance had been in development since April, and serves as a superstructure to support more than a dozen other sector-specific pieces of guidance that HHS had published as far back as 1998.
For those compliance professionals not in healthcare, this document is roughly analogous to the FCPA Resource Guide published by the Justice Department: a soup-to-nuts compendium of everything you need to know about compliance, except with a healthcare industry twist. For example, the OIG guidance covers:
- The primary anti-fraud statutes governing healthcare;
- Major regulations governing healthcare, such as the HIPAA privacy standard;
- The civil monetary penalties that can arise from healthcare fraud enforcement, as well as other civil enforcement measures like exclusion from the Medicare and Medicaid programs;
- The seven elements of an effective healthcare compliance program, which are just the same seven elements defined by the U.S. Sentencing Guidelines for any organization;
- How a healthcare company can tailor its compliance program depending on its size, industry, and other factors.
The guidance is user-friendly, too. It includes plenty of call-outs dubbed “Tips” that give specific examples to explain practical problems or concepts. Plenty of the material is presented as a series of questions you’d want to ask yourself about your compliance program, to help you better understand how OIG regulators might look at your program during an investigation.
Tailoring the guidance to you
As we mentioned earlier, these compliance program guidelines are meant to be a superstructure of advice for any healthcare business – nursing homes, medical practices, medical equipment manufacturers, drug companies, and plenty of others. You can use the guidelines to get a basic sense of what components your compliance program will need to have, and then cross-reference those components with sector-specific guidance OIG has issued in the past.
For example, the guidelines have a section about compliance policies and procedures, which defines several common compliance risks in the healthcare sector:
- billing and coding;
- sales;
- quality of care;
- patient incentives; and
- arrangements with physicians or other vendors that could pose conflicts of interest.
Those are risks any healthcare business could face, but their exact manifestation will differ greatly from, say, a nursing home to a medical device manufacturer or a physician practice. So the OIG guidelines then direct the reader to go back to those sector-specific pieces of guidance, so that you can get a better sense of what policies in a nursing home might look like versus policies in a physician practice, and so forth.
The guidelines also offer lots of practical tips for how smaller healthcare organizations can tailor the advice down to their size. For example, OIG readily admits that a formal disclosure program might not be necessary for a smaller business. But even in the absence of a formal disclosure program, the guidance says, “small entities should have policies in place that require good faith reporting of compliance issues or potential violations of law.”
In the very next paragraph, the guidance offers some suggestions for what those policies could be, such as:
- The creation of a user-friendly process such as an anonymous drop box to report misconduct conduct;
- A policy indicating that failure to report suspected misconduct is itself a violation of the compliance program;
- If you use a billing company, have regular communications between its compliance officer and yours.
That sort of clear, practical advice is peppered throughout the guidelines’ 91 pages. We’ll take deeper dives into specific sections in due course, but even at first blush it’s clear that this is something worth your time to print out, read, and ponder as you stare out the window.
Using the OIG guidance
The OIG compliance guidelines are similar to the Justice Department guidance on compliance programs in another way, too: they’re voluntary.
That is, no federal law expressly says you must structure your compliance program according to the advice of the OIG or the Justice Department. But since OIG and the Justice Department will use their guidance as the benchmarks to assess your compliance program, concocting some other approach to compliance – an approach you’d need to defend in front of regulators, should you ever have a violation – is a risky gambit. They’re telling us what they want to see for compliance programs. Your best course of action is to listen to them.
Second, keep in mind how regulators will use this guidance. I’ll always remember the podcast I recorded with Hui Chen, author of the Justice Department’s original compliance program guidelines from 2017. Those original guidelines (and even the latest version, published earlier this year), largely exist as a series of questions that regulators could potentially ask you, depending on the exact facts of your violation – but prosecutors wouldn’t necessarily ask you every single question, because not all questions will be relevant.
The compliance officer, on the other hand, has no such luxury. You don’t know what specific facts might arise one day that trigger a compliance violation. So you need to build a robust compliance program that could address any potential violation, and answer any question that OIG, the Justice Department, or some other regulator might ask.
So, take all that guidance and put it to good use.
Ready to learn more about how NAVEX can help keep your organization compliant? Reach out to learn more: