
OIG General Compliance Program Guidance: What Healthcare Professionals Need to Know

July 7, 2025

When it comes to building a healthcare compliance program, there’s no better place to start than the Office of Inspector General’s General Compliance Program Guidance. 

Creating an effective, successful compliance strategy is a huge undertaking for any healthcare organization. But it’s non-negotiable — fail to stay compliant, and you’ll find your organization facing legal repercussions, expensive fines, and reputational disaster. 

In this first piece in our series on OIG compliance, we start by covering the GCPG, the Office of Inspector General’s “how-to guide” to building an effective compliance program. Learn about the laws governing healthcare organizations, the importance of following them, and the seven elements of a successful compliance strategy below. 

Editor’s note: The information contained in this article is intended for informational purposes only and should not be construed as or considered legal advice in any matter. Please consult an experienced compliance attorney to confirm compliance with relevant federal and state legislation. 

What is the OIG General Compliance Program Guidance? 

The General Compliance Program Guidance (GCPG) is a comprehensive resource guide aimed at consolidating and streamlining current OIG compliance requirements, tips, and guidance into a single location. 

The GCPG offers compliance program guidance for providers, covering: 

  • The federal laws that make compliance programs necessary 
  • A comprehensive guide to compliance program infrastructure 
  • Ways to tailor the guidance offered for both large and small entities 
  • And more 

It’s important to note that the OIG GCPG should be considered a starting point for your compliance program, not a simple checklist. While its recommendations are helpful for understanding compliance best practices, it’s not an all-encompassing document. 

Federal Laws Affecting the OIG GCPG

Before you start building your compliance program, you must first understand the relevant federal legislation that requires these particular standards to be upheld. 

The following laws are outlined in detail within the OIG GCPG, and we recommend reading them in full to garner a complete understanding of their requirements and repercussions. The OIG GCPG does not address state laws or legislation; we recommend seeking counsel from an experienced attorney to ensure your organization stays in compliance with those (and federal) statutes concerning healthcare compliance. 

  1. Federal Anti-Kickback Statute: This legislation prohibits referral fees in the healthcare industry, dictating that both individuals and businesses can face prosecution for engaging in “financial transactions or relationships that involve any form of remuneration offered, solicited, paid, or accepted for” relevant items or services, such as medical equipment or referrals to physicians or facilities. 
  2. Physician Self-Referral Law: Also known as the “Stark law,” this legislation prohibits physicians from referring patients to certain designated health services, payable by Medicare, that the physician or a family member may have a direct financial interest in.  
  3. False Claims Act: This legislation prohibits individuals from knowingly submitting false or fraudulent claims for payment by the government, an act which can result in liability of up to three times the programs’ loss plus an additional penalty per claim filed. 
  4. Civil Monetary Penalties Law: This legislation allows the Office of Inspector General to pursue assessments in lieu of damages, CMPs, and exclusion from participation in federal healthcare programs. While the CMPL mainly addresses fraudulent and abusive conduct, it provides authority for the OIG to pursue penalties and exclusion for a wide range of related activities, covered under the Beneficiary Inducements CMP, 21st Century Cures Act, and other authorizations. 
  5. Exclusions Authority: The Office of Inspector General maintains a list of individuals and facilities excluded from participating in federal healthcare programs, known as the List of Excluded Individuals/Entities. Continuous monitoring of this list is crucial for staying compliant. 
  6. Criminal Health Care Fraud Statute: This legislation makes it a criminal offense to defraud a healthcare benefits program, with penalties of up to $250,000, imprisonment of up to 10 years, or both. 
  7. HIPAA Privacy and Security Rules: As per HIPAA requirements, healthcare organizations must protect the use and disclosure of individuals’ identifiable health information. The related Security Rule specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic personal health information. 

A healthcare organization’s compliance strategy must account for all of these statutes (as well as state-specific legislation) to protect the organization and its stakeholders from liability. Of course, due to the complex nature of these statutes, that is often easier said than done. 

For that reason, the OIG GCPG has also provided a framework for successful compliance programs — seven elements that account for these legislative requirements and assist organizations in building a comprehensive, effective strategy for maintaining compliance. 

The 7 Elements of a Successful Compliance Program

While every healthcare organization can and should personalize their compliance strategy to their unique needs, the OIG General Compliance Program Guidance recommends organizations include seven important elements in their compliance program to protect themselves and their stakeholders from legal repercussions.

1. Written Policies and Procedures

To ensure your compliance program is fully understood and followed by all relevant stakeholders, you first need to create a comprehensive code of conduct that details your policies and procedures. 

This documentation should outline your organization’s compliance strategy and include: 

  • Individuals’ duties and responsibilities 
  • A workflow for identifying and reporting noncompliance issues 
  • Documentation requirements and processes 
  • And more 

This documentation should be regularly reviewed and updated to account for new federal legislation and requirements, as well as any inefficiencies to be solved or improvements to be made to the compliance program over time. It should also be readily available for all stakeholders to access and review when they need it.

2. Compliance Leadership and Oversight

Healthcare leaders have a responsibility to advocate for and implement their organization’s compliance strategy effectively. When senior-level stakeholders lead by example, the uptake of and adherence to an internal compliance program is much more likely. 

The OIG GCPG recommends appointing an internal compliance officer who has the authority, stature, access, and resources necessary to lead a successful compliance program. They should be supported by a compliance committee that meets regularly to analyze and report on the program’s efficiency, as well as aid the compliance officer in implementing, operating, and monitoring the program.

3. Training and Education

Once a compliance program is documented, internal teams must be trained on its processes and expectations. However, compliance education is not a one-and-done initiative; it should be conducted regularly (the OIG GCPG recommends annually) to keep staff up-to-date and account for any changes as time goes on. 

The OIG recommends training and education address: 

  • The elements of the compliance program, including expectations, rules, and workflow processes 
  • The identity and role of the compliance officer and compliance committee 
  • The ways individuals can raise compliance concerns and questions 
  • The means through which the written policies and procedures are enforced 
  • And more 

It’s also recommended that healthcare organizations develop targeted, personalized training sessions for individuals based on their roles and responsibilities in the organization (and their compliance risk level based on those responsibilities). 

Education should be accessible to all stakeholders and available in several formats to ensure the success of the training program.

4. Effective Lines of Communication

Even with the best training processes, questions are bound to arise when a compliance program is first implemented or when new parties become involved in the process. For this reason, there should always be a clear and obvious line of communication between the compliance officer and any relevant personnel. 

Individuals should know how to easily reach the compliance officer (via email, telephone, messaging, etc.), and the compliance officer/board should openly encourage any questions or concerns be brought to them for a transparent conversation. 

Of course, as part of the compliance policies and procedures, individuals should also have a clear communication path to follow when reporting violations or compliance concerns. One of these paths should allow for anonymous reporting and be easily accessible to all individuals in the organization. 

Finally, all compliance concerns and reports should be clearly documented in an organized log for future reference and follow-up needs.

5. Standards Enforcement

Even the best-planned compliance programs will fail to succeed if standards are not enforced. Compliance should be incentivized, and non-compliance should have serious, immediate consequences to deter any actions that (deliberately or accidentally) lead to fraudulent, wasteful, or abusive practices. 

The OIG GCPG offers several suggestions for potential consequences and incentives to incorporate into your organization’s policies and procedures. Whatever those end up being, they must be applied on a fair, equitable, and consistent basis to demonstrate your organization’s commitment to compliance standards.

6. Risk Assessment, Auditing, and Monitoring

A formal compliance risk assessment process — supported by comprehensive auditing and monitoring procedures — is critical to identifying and resolving potential non-compliance issues quickly and efficiently. 

These processes should be deployed regularly and conducted by either internal or external professionals who have expertise in both federal and state healthcare statutes, regulations, and program requirements. 

The OIG GCPG recommends: 

  • Monthly screening of federal and state exclusions lists 
  • Regular screening of state licensure and certification databases 
  • Annual review of your organization’s policies and procedures 

Vālenz Health® can help simplify this monitoring and auditing process with our Provider Staff Sanction Monitoring solution, which tracks and alerts your team of potential compliance risks — allowing you to take action faster than manual, in-house review. 

We take the license and exclusion monitoring burden off your shoulders with an optimized platform and name-matching function that gives you improved search accuracy across hundreds of state-specific and federal databases. And, by following OIG best practices, we ensure your organization is audit-ready at any moment, protecting you from fees, penalties, and other significant dangers of non-compliance. 

Learn more about our Provider Staff Sanction Monitoring solution by contacting a member of our team today.

7. Response and Corrective Action Initiatives

Finally, the OIG General Compliance Program Guidance talks at length about the importance of following through on non-compliance reports and concerns — the process through which the compliance officer should investigate, report on, and resolve any misconduct. 

Regardless of the size or severity of a violation being investigated, the compliance officer and their team should follow detailed protocols to conduct interviews, review relevant documents, document their findings, and, when necessary, engage external support to aid in the investigation. 

If “credible evidence” indicates criminal, civil, or administrative laws have been violated, the investigation and its findings must be reported to the appropriate governmental authorities within 60 days. OIG encourages proactive self-reporting and maintains a voluntary self-disclosure program that can be used to report suspected fraud. 

Of course, after an investigation determines the nature of the misconduct, a healthcare organization should take prompt corrective action, whether that be refunding overpayments, enforcing disciplinary procedures, or updating processes to prevent the misconduct from recurring. 

Due to the complex nature and importance of proper investigation and reporting of misconduct, this process cannot (and should not) be left in inexperienced hands. External support may be necessary to fully comply with federal regulations and prevent even more serious repercussions later on. 

Build Your OIG Compliance Program with Vālenz Health® Today 

The OIG General Compliance Program Guidance is a great resource for designing your compliance program, but it’s not intended to be the end-all, be-all for your strategy. Instead, healthcare organizations are encouraged to use the OIG GCPG as a starting point, from which they can (and should) personalize their program to meet their specific situations and risk levels. 

It can be helpful to partner with an external expert to design and implement the most effective compliance program for your organization, especially if you are new to the process. External support solutions — such as Valenz Provider Staff Sanction Monitoring — can reduce the administrative burden on your team and more efficiently identify and resolve any compliance risks that emerge along the way. 

To learn more about how Valenz can help with our customizable compliance monitoring solution, contact one of our team members today. 
