Over the last three decades, the OIG has developed a series of voluntary compliance program guidance documents (“CPGs”) directed at various segments of the healthcare industry, such as hospitals, nursing homes, and hospices. The CPGs seek to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. Although voluntary and nonbinding, providers that use the CPGs can help show their commitment to compliance, which is helpful when faced with an investigation or similar regulatory scrutiny. At the same time, the OIG hedges by disclaiming that CPGs constitute “model compliance programs,” so their use does not mean that providers are insulated from adverse findings. Instead, the OIG views the tools as establishing a voluntary set of guidelines and identified risk areas that providers should consider when developing and implementing a new compliance program or evaluating an existing one.
In 1999, the OIG released its Compliance Program Guidance for Hospices. See 64 Fed. Reg. 54031 (Oct. 5, 1999). As with all provider types, the OIG stressed that hospices must comply with what, at the time, were the widely recognized “seven basic elements” of an effective compliance program (an eighth was added in 2005). In addition to the seven basic elements, the OIG offered specific compliance measures for hospices to help curtail or eliminate fraud and abuse. It also identified a list of approximately 30 risk areas, including the following examples:
- admitting patients to hospice care who are not terminally ill;
- arranging with another healthcare provider who a hospice knows is submitting claims for services already covered by the hospice benefit;
- knowingly reducing services to patients to keep costs low;
- using untimely and/or forged physician certifications on plans of care;
- overlapping the services that a nursing home provides, resulting in insufficient care provided by a hospice to a nursing home resident;
- improperly relinquishing core services and professional management responsibilities to nursing homes, volunteers, and private-pay workers;
- providing hospice services in a nursing home before a written agreement has been finalized, if required;
- billing for a higher level of care than was necessary;
- pressuring patients to revoke hospice when the patient is still eligible for and desires care, but the care has become too expensive for the hospice to deliver;
- using high-pressure marketing of hospice care to ineligible beneficiaries;
- paying sales commissions based upon length of stay in hospice; and
- failing to comply with applicable requirements for verbal orders for hospice services.
On April 24, 2023, the OIG announced plans to improve and update existing CPGs and deliver new CPGs specific to segments of the healthcare industry, as well as entities involved in the healthcare industry that have emerged in recent years. In modernizing the CPGs, the OIG expressed its goal of producing useful, informative, and timely resources to help advance the healthcare industry’s voluntary compliance efforts in preventing fraud, waste, and abuse.
As part of the effort to improve the timeliness of and access to CPGs, the OIG announced that it will no longer publish CPGs in the Federal Register, which entails a more laborious review and publication process. Instead, all current, updated, and new CPGs will be available on the OIG’s website. In addition, the OIG announced that it has developed a new format for CPGs, consisting of two parts:
- The OIG will publish a General CPG (“GCPG”) that applies to all individuals and entities involved in the healthcare industry. Think of this as the aforementioned “basic elements.” The GCPG will address topics such as federal fraud and abuse laws, compliance program basics, operating effective compliance programs, and OIG processes and resources. The OIG anticipates updating the GCPG as changes in compliance practices or legal requirements warrant, with the first published GCPG expected by the end of calendar year 2023.
- Next, the OIG will publish industry-specific CPGs (“ICPGs”) for different types of providers, suppliers, and other participants in healthcare industry subsectors or ancillary industry sectors relating to federal healthcare programs. ICPGs will be tailored to fraud and abuse risk areas for each industry subsector and will address compliance measures that the industry subsector participants can take to reduce these risks. ICPGs are intended to be updated periodically to address newly identified risk areas and compliance measures and ensure timely and meaningful guidance from the OIG. The OIG expects to begin publishing ICPGs in calendar year 2024, with the first two addressing Medicare Advantage and nursing facilities.
For our part, we anticipate that the OIG’s restructuring will have a more substantive effect than a mere repackaging and relocation of existing guidance. The OIG’s introduction of a general guidance document indicates an intent to provide compliance insights to the healthcare industry globally. Prior publications focused on a few particular entity types (e.g., hospitals, nursing facilities, and pharmaceutical manufacturers), leaving swaths of the healthcare industry without the valuable direction provided to those chosen few. Those entity types not selected for specific guidance may have struggled to cobble together a compliance program based on existing guidance that did not quite fit their needs. The addition of a general guidance document hopefully will provide valuable advice for entities that do not fit cleanly into one of the entity types targeted by the current set of guidance documents.
The OIG has not provided much detail about what the new guidance documents will cover. Nevertheless, given that the existing documents have not been updated in over 20 years, we anticipate that the new guidance will address newly identified risk areas. Take telehealth and cybersecurity as examples. These areas were nascent when the OIG released its existing guidance. Moreover, best practices for compliance have evolved and continue to evolve. Transitioning to a website-based format will allow the OIG to update its guidance more nimbly and in a more timely manner. This is also an opportunity for the OIG to provide guidance specific to healthcare industry segments that have emerged in the intervening decades, as well as healthcare industry participants that were left out of the original round of guidance.
The CPGs, while voluntary, help establish industry standards. Implementing compliance programs aligned with them is useful for detecting or preventing non-compliance. But creating simple, static compliance programs is insufficient. Compliance programs must evolve to meet changing regulatory requirements and organizational needs. Keeping track of the numerous applicable requirements and regulations is a big challenge for any healthcare organization. The OIG’s updated guidance will likely offer current, salient insights on strategies to build successful, effective compliance programs.