In 1998, HHS-OIG began publishing compliance program guidance for hospitals, home health agencies, clinical laboratories, and other types of health care organizations[1]. Over the past 25 years, this guidance, while voluntary and nonbinding, has served as a roadmap for developing and evaluating the effectiveness of compliance programs in the health care industry. Until this past November, however, HHS-OIG had not issued any updates to its compliance program guidance since 2008.
On November 6, 2023, HHS-OIG issued new General Compliance Program Guidance (GCPG) aimed broadly at all individuals and entities involved in the health care industry. According to the agency, the GCPG is intended to “update and consolidate compliance tools and resources consistent with contemporary industry practices and current law.” Beginning in 2024, HHS-OIG will issue guidance tailored to the fraud and abuse risk areas for different industry segments.
While much of the GCPG represents a compilation and distillation of HHS-OIG’s prior guidance, the GCPG does include several notable observations, updates, and clarifications, including these:
- New Entrants in the Health Care Industry. HHS-OIG notes that “the health care sector is seeing an increasing number of new entrants,” including technology companies, new investors, and organizations providing non-traditional services (e.g., social services, food delivery, and care coordination services) in health care settings. The agency emphasizes that these organizations need to have a solid understanding of fraud and abuse (and other applicable) laws, and recommends new entrants study the GCPG when developing and implementing their compliance programs.
- Emphasis on Formal Risk Assessment Process. HHS-OIG has updated one of the seven elements of an effective compliance program (pertaining to auditing and monitoring) to specifically reference risk assessments. While HHS-OIG has long recommended that organizations perform periodic compliance risk assessments, the GCPG places a greater emphasis on having a “formal” risk assessment process. To that end, the GCPG (i) recommends that compliance committees “educate themselves on risk assessment methods when creating their own compliance risk assessment process,” and (ii) provides links to what HHS-OIG considers to be “standard resources” for risk assessments.
- Identifying Financial Incentives. The GCPG emphasizes that “one of the best ways to identify fraud and abuse risks is to ‘follow the money.’” HHS-OIG highlights in particular the “growing prominence of private equity and other forms of private investment in health care,” and raises concerns about how ownership incentives (e.g., returns on investment) may impact the delivery of high-quality, efficient health care. HHS-OIG also emphasizes that different payment methodologies carry different risks because of the financial incentives at play (e.g., fee-for-service reimbursement creates a risk of overutilization, whereas managed care creates a risk of patient stinting), and that these differing incentives should be taken into account when developing auditing and monitoring plans.
- Tracking Financial Arrangements. Relatedly, HHS-OIG observes that a centralized tracking system of financial arrangements between referral sources and referral recipients is a compliance measure that should mitigate potential liability under fraud and abuse laws, as such a system would enable health care organizations to better ensure ongoing compliance with contractual terms and conditions and that proper supporting documentation (e.g., legal analyses, FMV assessments) is maintained. This observation provides a concrete example of what the agency may be looking at when it asks whether a compliance program has adequate resources.
- Authority/Stature of Compliance Officer. The GCPG includes a multi-page discussion of the role of the compliance officer. This discussion includes a detailed list of the compliance officer’s responsibilities and an explanation of how HHS-OIG expects the role to be structured. The discussion also emphasizes that the compliance officer must have sufficient “authority”/“stature” within the organization to be effective.
- Rightsizing a Compliance Program. The GCPG provides the most detailed, concrete guidance to date on how the seven elements can be applied to both small and large organizations.
  - For example, while a small entity may be unable to support a compliance officer on a full- or even part-time basis, the GCPG recommends the entity assign a single person responsibility for the entity’s compliance functions, and ensure that person’s responsibilities outside of compliance do not include “the performance or supervision of legal services to the entity.”
  - On the other end of the spectrum, HHS-OIG notes that in addition to a full-time compliance officer, a large organization is likely to “need a department of compliance personnel with a variety of skills and expertise to implement the organization’s compliance program and address its manifold compliance needs.” The agency also notes that in the case of international organizations headquartered overseas, the parent board should “receive regular reports from and have the opportunity to engage in discussions with the chief compliance officer of the U.S. organization and counsel knowledgeable in the laws applicable to the U.S. organization.”
- Quality & Patient Safety. The GCPG expresses concern that “quality and patient safety are often treated as wholly separate and distinct from compliance” and recommends that compliance programs should include oversight of “medical necessity, patient safety, and other quality compliance issues” in order to mitigate the risk of patient harm and overpayments arising from the furnishing of medically unnecessary services.
- HIPAA Compliance. HHS-OIG also emphasizes that “with the increasing number of cybersecurity attacks aimed at HIPAA-regulated entities of all sizes,” compliance with HIPAA’s Privacy, Security, and Breach Notification Rule requirements should “be a top compliance priority and included in all risk assessments.”
[1] See HHS-OIG, Compliance Guidance, https://oig.hhs.gov/compliance/compliance-guidance/. HHS-OIG has issued CPGs for hospitals, home health agencies, clinical laboratories, third-party medical billing companies, DMEPOS suppliers, hospices, Medicare Advantage organizations, nursing facilities, individual and small group physician practices, ambulance suppliers, pharmaceutical manufacturers, and recipients of PHS research awards.