
January/February 2024, Volume 5, Issue 1
Health Law Connections

Managing Fraud and Abuse Risks Through Effective Compliance Programs

This Feature Article is brought to you by AHLA's Hospitals and Health Systems Practice Group.
  • January 01, 2024
  • Justin K. Brown, Bass Berry & Sims PLC
  • Dee D. Harleston, Bass Berry & Sims PLC
  • Brianna R. Powell, Bass Berry & Sims PLC
  • Morgan H. Tandy, Bass Berry & Sims PLC

Health care organizations operate in a challenging regulatory environment. A labyrinth of statutes, regulations, and sub-regulatory guidance, as numerous as they are complex, creates an environment full of risks. Chief among these are the risks arising from fraud and abuse laws. Violations of these laws—the federal Anti-Kickback Statute (AKS),1 Physician Self-Referral Law (PSL or Stark Law),2 Civil Monetary Penalties Law (CMPL),3 and False Claims Act (FCA),4 to name a few—can result in substantial financial penalties, exclusion from participating in federal health care programs, and other penalties, both civil and criminal.

Thirty years ago, the U.S. Attorney General declared health care fraud and abuse the “number two new initiative” of the U.S. Department of Justice (DOJ), behind only “violent crime.”5 Since then, the government has not wavered. Nor have the relators who bring cases in the name of the government under the qui tam provisions of the FCA. Health care fraud cases remain a perennial leader in recoveries under the FCA. From 1994 to 2022, health care accounted for over $50 billion of the $71 billion in total FCA settlements and judgments.6

To manage fraud and abuse risks, many organizations voluntarily operate corporate compliance programs, a practice the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) encourages. It is also a practice that is required for certain organizations.7 Effective compliance programs can reduce both the risk of misconduct and the cost of noncompliance if it occurs. This article briefly traces compliance program guidance from the United States Sentencing Guidelines (USSG) to OIG’s recently published General Compliance Program Guidance (GCPG), provides an overview of the GCPG, and offers suggestions on designing and operating compliance programs.

The Road to OIG’s Revamped Compliance Program Guidance

For over 30 years, organizations and governmental agencies have looked to the USSG for compliance program guidance. Initially designed to standardize mitigating factors for organizations convicted of crimes, the USSG were one of the first systemic attempts to identify common features of effective compliance programs. From these efforts grew the now-familiar seven elements of effective compliance programs.

Since then, the USSG have played an outsized role in compliance program development. As an ad hoc committee of the United States Sentencing Commission (USSC) observed, “there is abundant evidence that the organizational guidelines have, directly and indirectly, galvanized organizations to focus on their responsibility to detect and prevent violations of law and to institute compliance programs towards this goal.”8

Soon after the USSC promulgated the organizational guidelines, OIG began publishing compliance program guidance. From 1997 through 2008, OIG published a series of industry-specific compliance program guidance intended for various industry participants.9 Each of these generally highlights the benefits of operating effective compliance programs, explains the overarching seven-element compliance program infrastructure (largely mirroring the USSG), and provides industry-specific context (e.g., reimbursement schemes, referral pathways) and detailed guidance on key risk areas. More recently, as part of its broader initiative to modernize the accessibility and usability of its publicly available resources,10 OIG announced the revamping of its compliance program guidance, as discussed in the following section.11

Meanwhile, DOJ has long directed federal prosecutors to evaluate corporate compliance programs when conducting investigations, deciding whether to bring criminal charges, and recommending resolutions against organizations.12 This guidance comes in many forms, including manuals, policy memoranda, and public statements from high-ranking officials. DOJ has largely embraced the USSC’s organizational guidelines and focused its guidance on evaluating the effectiveness of compliance programs.

An early version of this guidance came in 1999 in the form of a memorandum from then-Deputy Attorney General Eric Holder. The memorandum set forth factors prosecutors should consider when deciding whether to bring charges against a corporation.13 A series of subsequent similar memoranda followed, culminating with the codification of the Principles of Federal Prosecution of Business Organizations in the Justice Manual in 2008.14 Additional compliance program-specific guidance came in 2017 with DOJ’s Evaluation of Corporate Compliance Programs (ECCP), which it updated in 2019 and again in 2020 and 2023.15

When evaluating the effectiveness of a compliance program, this body of guidance instructs, prosecutors “should . . . attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, resourced, reviewed, and revised, as appropriate, in an effective manner.”16 DOJ instructs prosecutors to ask three fundamental questions to evaluate compliance programs:

  • Is the corporation’s compliance program well-designed?
  • Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  • Does the corporation’s compliance program work in practice?

Through these questions and the factors discussed in the Justice Manual, the prosecutor can make “an informed decision as to whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation’s employees and agents or to mitigate charges or sanctions against the corporation.”17

OIG’s General Compliance Program Guidance

On November 6, 2023, OIG published the GCPG, which summarizes key federal health care laws, describes the seven-element compliance program infrastructure (including adaptations for small and large entities), offers other compliance considerations, and catalogs OIG compliance and legal resources. Along the way, the GCPG offers practical tips and valuable insights. Although voluntary, nonbinding guidance that is largely consistent with previous guidance, several aspects of the amalgamated GCPG are noteworthy:

  • Broadly Applicable, Foundational Guidance. The new GCPG is a user-friendly, broad-based reference guide that is accessible and applicable to all participants in the health care industry. It is also the foundation upon which subsequent guidance—including the forthcoming industry-segment-specific compliance program guidance (ICPG), the first of which will be published in 2024—will be built. Augmenting the GCPG, the ICPGs will be tailored to fraud and abuse risks and will address compliance measures for particular participants in the health care industry or ancillary industries. OIG expects to update the GCPG as changes in compliance practices or legal requirements may warrant, and to periodically update the ICPGs to address newly identified risk areas and compliance measures. To facilitate more frequent updates, OIG will publish compliance program guidance only on OIG’s website rather than in the Federal Register.
  • Federal Health Care Authorities. The GCPG provides an overview of key federal health care fraud and abuse authorities, including the AKS, PSL, FCA, CMPL, exclusion authorities, and criminal health care fraud statute, along with an overview of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules. It features vignettes and offers practical suggestions on analyzing arrangements, identifying problematic conduct, and addressing potential violations, including through self-disclosure.
  • Core Elements and Adaptations for Small and Large Entities. Although largely mirroring earlier guidance, OIG walks through each of the seven elements of an effective compliance program in the same user-friendly manner, incorporating practical tips throughout. Acknowledging that compliance programs should be shaped by entities’ size and resources, the GCPG also provides suggestions for right-sizing compliance programs for both small and large organizations. For instance, a small organization that cannot support a full-time compliance officer may instead designate a “compliance contact” (who, OIG recommends, should not have legal or financial functions), while large organizations “will generally need significant compliance resources and expertise” to operate compliance programs capable of addressing the breadth and complexity of issues large organizations face.
  • Financial Incentives and New Entrants. Consistent with DOJ’s increased emphasis on financial incentives, the GCPG addresses how ownership and payment incentives can affect compliance. OIG observes that the “growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership structures . . . on the delivery of high quality, efficient health care.”18 The GCPG calls for these investors to “carefully scrutinize” their operations and incentive structures and to understand and ensure compliance with fraud and abuse laws. Likewise, new entrants in the industry (e.g., technology companies, new investors, non-traditional service providers), and traditional participants entering new arenas (e.g., health care technology) are encouraged to familiarize themselves with regulatory regimes with which they might otherwise be unfamiliar. The focus on new entrants foreshadows ICPGs beyond the archetypal health care industry participants.
  • Making Quality and Patient Safety Part of Compliance. Although quality and patient safety are often treated separately from compliance, OIG stresses that organizations should incorporate quality and patient safety oversight into their compliance programs. It suggests that governing bodies require reports from senior leadership on internal quality controls, quality assurance monitoring, patient safety, and patient care. Emphasizing that “quality and patient safety are high priorities of HHS and DOJ,” the GCPG points to the corporate integrity agreements that OIG has entered that focus on quality of care and patient safety and offers quality-related resources.19
  • Self-Disclosures. Throughout the GCPG, OIG emphasizes the benefits of various self-disclosure protocols, including the CMS Voluntary Self-Referral Disclosure Protocol (SRDP) and the OIG Health Care Fraud Self-Disclosure Protocol (SDP). This is a cross-agency theme, as illustrated by DOJ’s self-disclosure policies, including its recently announced safe harbor policy for voluntary self-disclosures made in the context of mergers and acquisitions.20
  • Tracking Arrangements. Compliance is an ongoing process. The GCPG reminds participants that even though legal counsel may be involved at the outset of structuring and documenting an arrangement, there should be ongoing monitoring of compliance with the terms and conditions of the arrangement. This, for instance, can be particularly important for entities that furnish “designated health services” within the meaning of the PSL, given the strict liability nature of the law and the ability of parties to reconcile payment discrepancies in certain circumstances.21
  • Compliance Resources. The GCPG concludes with a compendium of tools and resources, along with processes to seek guidance from OIG.

Although voluntary, nonbinding guidance—as OIG reiterates throughout the document—the GCPG provides valuable insights into OIG’s expectations for compliance programs and, like past guidance, it is expected to shape industry compliance practices.


GCPG

• Broadly applies to all participants in the health care industry.

• Summarizes key federal health care laws.

• Describes seven elements of an effective compliance program, with adaptations for small and large entities.

• Offers other compliance considerations (e.g., quality and patient safety, new entrants, financial incentives, financial arrangements tracking).

• Compiles OIG processes and resources.

• Will be updated as changes in compliance practices or legal requirements warrant.


ICPGs

• Will apply to particular types of providers, suppliers, and other participants in subsectors of the health care industry or ancillary industry sectors.

• Will be tailored to fraud and abuse risk areas for each sector.

• Will contain compliance measures to reduce risks.

• Will be updated periodically to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance.


Designing and Operating Effective Compliance Programs

Overarching Principles

At the outset, several overarching principles are worth mentioning.

First, the foundation of an effective compliance program is a commitment to compliance throughout all facets of the organization. This typically begins with the governing body’s commitment to an ethical, law-abiding culture. Prohibiting unlawful conduct is not enough. Rather, the organization should build a culture—a set of norms and beliefs that guide individual and organizational behavior—in which compliance with the law is the expected behavior and one that “includes positive actions which demonstrate that law compliance is a key value within the organization.”22 Building this culture requires more than just a “tone at the top.” OIG observes in earlier guidance: “[L]eadership should foster an organizational culture that values, and even rewards, the prevention, detection, and resolution of problems,” one “that values compliance from the top down and fosters compliance from the bottom up,” which “is the foundation of an effective compliance program.”23

Organizations can foster this culture by establishing a clear code of conduct that sets forth the organization’s core values, allocating adequate resources to the compliance function, properly responding to compliance failures, and reinforcing the organization’s commitment through training and education. Another way—one that agencies have increasingly emphasized—is connecting compensation to ethical behavior, which OIG points out in the GCPG (and earlier guidance),24 as does DOJ.25

Second, the program should be fundamentally risk-based. Early DOJ guidance advised tailoring compliance programs “to detect and prevent the particular types of misconduct most likely to occur in a particular [organization]’s line of business.”26 Miscalibrated priorities may indicate that the program is ineffective.27 And as the new GCPG emphasizes, periodic risk assessments are key to properly identifying, analyzing, and responding to risk. The GCPG offers several standard resources, including those from the enterprise risk management field, to assist with risk assessment.28 As risks evolve over time, so should the compliance program in response to internal factors (e.g., changes in operations, lessons learned) and external factors (e.g., changes in regulatory requirements, enforcement actions).

Third, the program should generally be built on the seven elements of an effective compliance program. These elements—set forth in the USSG and reinforced in the new GCPG—have become recognized as the foundation of an effective compliance program.

Elements of Effective Compliance Programs

1. Written Policies and Procedures

Organizations should develop and distribute written standards of conduct, policies, and procedures designed to prevent, detect, and remedy misconduct. They should be communicated throughout the organization, including through its training and education programs and other means, such as internal newsletters.

Typically, ethical standards come in the form of an overarching code of conduct, and more granular policies and procedures guide daily operations. A code of conduct should function “as a document that details the fundamental principles, values, and framework for action within an organization.”29 In this respect, codes of conduct can serve as the organization’s ethical touchstone that fill inevitable gaps in policies and procedures:

Organizations with the most comprehensive compliance programs and policies and procedures will inevitably encounter circumstances not contemplated by their policies and procedures. In those situations, what drives how people will act? The law and regulations? What if those also do not contemplate the situation? Or, more significantly, what if the law permits a range of actions with some that, while legal, can cause significant harm? In these circumstances, those on the front lines, those making decisions, need a touchstone.30

The most effective codes of conduct are those that are “clear, concise, and accessible to all employees and to those conducting business on the [organization]’s behalf.”31 They often begin with a brief statement from a senior executive (frequently styled as a letter to stakeholders) that underscores the importance of the organization’s compliance program. An introductory section may set forth the purpose and goals of the code, introduce the compliance program, and clearly express the organization’s commitment to a law-abiding, ethical culture. The code should then memorialize the organization’s core values, providing context for the code and the organization’s compliance program. Internal reporting mechanisms—such as using the hotline and reporting to compliance personnel—should be featured prominently in the code. So should the ability to anonymously report matters and the organization’s non-retaliation policy. Encouraging (or even requiring) personnel to report compliance concerns is in the best interest of the organization.32 Likewise, given the importance of appropriate disciplinary action, codes often include a commitment to imposing appropriate discipline in response to misconduct.

Compliance policies and procedures should cover the implementation and operation of the organization’s compliance program. In essence, policies and procedures fill in the broad statement of values and framework erected by the code of conduct, and they inform personnel how to act on a daily basis. Policies and procedures should address specific risk areas, particularly the high-risk areas identified in the organization’s risk assessment. Common policies, depending on the type of health care organization, include those covering a variety of topics such as billing and coding, sales and marketing, quality of care, patient incentives, referral source arrangements, privacy and security, practitioner credentialing, background and exclusion screening, interactions with third parties, non-retaliation, and conflicts of interest.

An organization’s code of conduct, policies, and procedures should be readily accessible and understandable to all in the organization. All standards should be written in plain language that is easily understood and translated into other languages where appropriate. Ideally, the organization solicits input from not just the governing body and senior management but also all key employees across its operations. Not only does this result in a better policy, but it also garners buy-in from all aspects of operations.33

Policies should be comprehensive but not overly complicated. Clear direction should be given on what is expected, what is prohibited, and whom to ask if there are questions. Ensuring personnel are comfortable asking questions is important. Not every scenario can be covered by a decision tree or algorithm. Not only does trying to account for every scenario lead to unwieldy policies, but it can also lead personnel astray in complex or high-risk situations. Personnel should feel comfortable asking questions and knowing they will be answered.

Where feasible, consider operationalizing policies and procedures through internal controls. While policies and procedures articulate how the organization intends to comply with the law, controls help bring those intentions to bear. These may include review and approval processes for arrangements that pose higher risk, such as arrangements with referral sources and those for marketing services.

To ensure they remain current, the code of conduct, policies, and procedures should be periodically reviewed, at least annually, OIG suggests. Consider establishing a recurring review cycle, staggering the topics to keep the project manageable while still ensuring that every policy is reviewed at designated intervals. In addition to periodic, scheduled reviews, standards should be updated in response to changes in the legal or regulatory environment, the industry, or the organization’s operations or policy considerations. Stale and inaccurate policies can undermine the effectiveness of the compliance program and its credibility inside and outside the organization. Updating policies, on the other hand, demonstrates the importance of the program and puts the organization in a better position to ward off misconduct. Whenever rolling out new or updated policies, organizations should ensure they effectively communicate, and can implement, any required changes in a timely manner.

2. Compliance Leadership and Oversight

The organization’s governing body should designate a compliance officer to oversee the implementation and operation of the compliance program. For the compliance officer role, the GCPG offers a detailed list of primary responsibilities.34 OIG recommends that the compliance officer should have sufficient authority, stature, access, and resources to lead an effective compliance program and either report directly to the governing body or at least have direct, uninhibited access to the governing body.

Consistent with OIG’s longstanding view,35 the GCPG recommends that the compliance officer not lead or report to the organization’s legal or financial functions or provide the organization legal or financial advice or supervise anyone who does. In discussing adaptations for small entities, OIG repeats this position, suggesting that, even if the small organization does not have a full-time compliance officer, it should have a “compliance contact” who “should not have any responsibility for the performance or supervision of legal services to the entity and, whenever possible, should not be involved in the billing, coding, or submission of claims.” Still, many organizations—particularly smaller ones—consolidate their compliance and legal roles. Although earlier joint publications from the American Health Law Association and OIG maintain that separation is ideal, they also acknowledge the prevalence of this practice and offer suggestions for creating a system of checks and balances (such as recusal, third-party audits, and use of outside counsel and consultants).36

Organizations should also consider establishing a compliance committee to assist the compliance officer in implementing, operating, and monitoring the compliance program. OIG recommends the compliance committee include leaders from various departments of the organization and meet at least quarterly. Attendance at compliance committee meetings, active participation in the compliance program, and contributions to compliance should be part of the performance and compensation evaluation for the compliance officer and compliance committee members.

The organization’s governing body is ultimately responsible for compliance, and OIG expects boards “to put forth a meaningful effort to review the adequacy of existing compliance systems and functions.”37 Boards “should receive compliance and risk-related information in a format sufficient to satisfy the interests or concerns of [board] members and to fit their capacity to review that information.”38 One mechanism OIG suggests is to establish “a risk-based reporting system, in which those responsible for the compliance function provide reports to the [board members] when certain risk-based criteria are met.”39 Just as they do with financial, operational, clinical, and other metrics, boards can regularly review an organization’s progress toward its compliance benchmarks and measures. Along these lines, early compliance program guidance from OIG observes that “[t]he existence of benchmarks that demonstrate implementation and achievements are essential to any effective compliance program.”40 OIG also recommends holding executive sessions with the compliance officer for candid discussions of compliance risks and concerns.41 A “critical element of effective oversight is the process of asking the right questions of management to determine the adequacy and effectiveness of the organization’s compliance program, as well as the performance of those who develop and execute that program, and to make compliance a responsibility for all levels of management.”42 Annual reports on the effectiveness of the compliance program (including, as the GCPG points out, quality and patient safety matters) and periodic evaluations of the effectiveness of the risk assessment process and overall program are key.

3. Training and Education

At least annually, organizations should train and educate their employees, contractors, medical staff, board, and officers on the compliance program. While all personnel may benefit from the same generalized training in some areas (e.g., the code of conduct, regulatory requirements), organizations should also incorporate role-specific training (e.g., billing and coding, documentation, medical necessity, beneficiary inducement, sales and marketing, referral source arrangements) to ensure all personnel can perform their duties in a compliant manner.43 Training should be interactive, and attendees should be encouraged to ask questions.

Focus training on key risk areas, material changes to the organization and its regulatory environment, lessons learned from the program’s auditing and monitoring functions, and the compliance program itself.44 The goal is to train the relevant stakeholders so that they can do their jobs in an ethical, law-abiding manner and are motivated to do so.

Compliance training should be a condition of continued employment and should be part of employees’ annual evaluations. While formal training is essential, informal education during meetings, newsletters, and the like will help normalize compliance within the organization.

4. Effective Lines of Communication and Disclosure Programs

An effective compliance program requires effective lines of communication between the compliance leads and all personnel to ensure personnel have the means to ask questions and raise concerns and are comfortable doing so. Effective lines of communication increase the likelihood that the organization detects and responds to potential fraud and compliance problems.

Personnel should be able to report potential noncompliance anonymously and confidentially through multiple avenues (e.g., reporting to supervisors, compliance officers, hotline), at least one of which is outside of business and operational functions. The presence of reported concerns can indicate a well-functioning disclosure program, while the lack of reports may indicate the need to review the disclosure mechanism to ensure it is working.

The organization should implement written confidentiality and non-retaliation policies that protect “whistleblowers” against retaliation. The compliance officer should maintain a log of compliance complaints (including date received, individual responsible for review, description of the investigation’s findings, date resolved, and any corrective action) and should periodically report concerns and investigations to the compliance committee and governing body.

5. Enforcing Standards Through Consequences and Incentives

Organizations demonstrate their commitment to compliance, and convincingly so, when they incentivize ethical, law-abiding behavior and impose appropriate consequences for misconduct. While the latter has long been an obvious requirement, the former has gained increasing importance over the past several years. The latest revisions to DOJ’s ECCP, for instance, stress the need for appropriate compensation structures and consequence management, as does the GCPG.45 Likewise, the GCPG encourages organizations to “devote time, thought, and creativity” to the compliance contributions they want to incentivize and to ensure compliance achievements are treated in line with other achievements the organization values.46

Compliance programs should specify the consequences of misconduct or failure to detect a compliance violation, including the degrees of potential disciplinary actions (ranging from formal or informal warnings to remedial training, suspensions, loss of or decreased incentive compensation, or termination) and the processes for handling disciplinary actions.47 Whatever the outcome, disciplinary action should be fair, equitable, and consistently applied across all levels of the organization.

Performance evaluations should evaluate adherence to the organization’s code, policies, and procedures.48 If an organization rewards ethical behavior and punishes misconduct, it should treat this measure as it does others when making decisions about compensation, promotions, and discipline. Annual performance evaluations are also a good time to remind personnel of the organization’s code, policies, and procedures and address any compliance-related questions or concerns and any alleged misconduct involving the personnel being evaluated.

6. Risk Assessment, Auditing, and Monitoring

Compliance programs work best when they have ongoing evaluation processes that not only monitor and audit risk areas but also evaluate the effectiveness of the program itself.

The GCPG highlights the importance of risk assessments and recommends performing them at least annually. While recognizing that historically many organizations may not have conducted formal risk assessments, the GCPG observes that “in recent years OIG, the compliance community, and other stakeholders have come to recognize and place increasing emphasis upon the importance of a formal compliance risk assessment as part of the compliance program.”49 The GCPG includes several resources and tools for conducting risk assessments. It recommends that organizations supplement this process, for example, by staying abreast of legal and regulatory changes, monitoring government enforcement actions and OIG work plan developments, and evaluating results of audits and investigations.

As with other aspects of compliance programs, monitoring and auditing should be tailored to the organization’s risk profile and informed by its risk assessment. OIG suggests performing annual compliance audits on particular focus areas and monitoring key risk areas. One technique is to identify baselines for these risk areas and, over time, measure variations from the established baselines.50 When there is a significant variation, conduct a reasonable inquiry to determine the cause. If the variation was due to legitimate, explainable reasons, there may be no need to investigate further, and it may suffice to update the baseline. If, on the other hand, the organization cannot trace the variation to a legitimate cause, the compliance function should investigate further until it can, or until it identifies the misconduct, improper application of policies, or other deviation from expected norms that produced the variation. It should then take prompt and appropriate corrective action, including modifying the program as appropriate.
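The baseline-and-variation technique described above can be operationalized as a small monitoring routine. The following is an added example written for this article, not code from the authors, OIG, or the GCPG; it assumes the organization already tracks one audit metric per provider per month (here, the share of claims billed at the highest-level code, a constructed metric), establishes a baseline from prior months, flags the current month for inquiry when it departs from the baseline by more than a chosen number of standard deviations, and folds the observation into the baseline only after the inquiry finds a legitimate cause. The threshold, the floor on the standard deviation, and all figures are assumptions for illustration.

```python
"""Baseline-variance monitoring for a compliance audit metric.

Added example (not from the article or OIG). Assumes a monthly series of
one monitored metric per provider; the sample data below is constructed.
"""
from statistics import mean, pstdev

# Constructed sample: monthly share (0..1) of claims billed at the
# highest-level code, per provider, for the six prior months.
HISTORY = {
    "provider-A": [0.20, 0.22, 0.19, 0.21, 0.20, 0.23],
    "provider-B": [0.31, 0.30, 0.29, 0.32, 0.30, 0.31],
}
# Constructed current-month observations to screen against the baselines.
CURRENT_MONTH = {"provider-A": 0.21, "provider-B": 0.47}


def build_baseline(series, min_points=3):
    """Baseline = mean and population std dev of the prior observations.
    Refuse to build one from too little history (assumed minimum)."""
    if len(series) < min_points:
        raise ValueError("not enough history to establish a baseline")
    return {"mean": mean(series), "sd": pstdev(series), "n": len(series)}


def assess(value, baseline, z_threshold=3.0, floor=0.02):
    """Return (flag, z). A variation is 'significant' when |z| reaches the
    threshold. `floor` keeps an almost flat history from flagging trivial
    moves; both numbers are assumed tuning choices, not OIG figures."""
    sd = max(baseline["sd"], floor)
    z = (value - baseline["mean"]) / sd
    return abs(z) >= z_threshold, round(z, 2)


def review_month(history, current, z_threshold=3.0):
    """Produce the month's inquiry list: provider -> value, z, inquiry flag."""
    findings = {}
    for provider, value in current.items():
        baseline = build_baseline(history[provider])
        flagged, z = assess(value, baseline, z_threshold)
        findings[provider] = {"value": value, "z": z, "inquiry": flagged}
    return findings


def close_inquiry(history, provider, value, legitimate):
    """After the reasonable inquiry: a legitimately explained variation is
    folded into the baseline (the 'update the baseline' branch); otherwise
    the history is left unchanged pending investigation and corrective
    action. Returns the provider's (possibly updated) history."""
    if legitimate:
        history[provider].append(value)
    return history[provider]


if __name__ == "__main__":
    for provider, finding in review_month(HISTORY, CURRENT_MONTH).items():
        status = "INQUIRY" if finding["inquiry"] else "ok"
        print(f"{provider}: value={finding['value']} z={finding['z']} {status}")
```

Provider B's jump from roughly 30% to 47% lands well beyond the threshold and goes on the inquiry list, while provider A's month is within its normal range. Whether the flagged variation reflects a legitimate change (a new service line, a documentation improvement) or a billing problem is for the inquiry to decide; the script only decides what gets looked at.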

Routine monitoring includes periodically screening personnel against the List of Excluded Individuals/Entities (LEIE),51 state Medicaid exclusion lists, and state licensure and certification databases. OIG recommends monthly monitoring for exclusions because it updates the LEIE each month. Hiring or contracting with an excluded person or entity may subject the organization to civil monetary penalties and liability under the FCA.

The GCPG also highlights the importance of evaluating the effectiveness of the compliance program itself. DOJ’s ECCP and an OIG toolkit are useful resources.52 The ECCP, which begins with three fundamental questions, divides these questions into 12 factors, which are further divided into over 50 subcomponents, culminating in over 200 questions to evaluate the effectiveness of the program. The toolkit offers a comprehensive list of ideas—organized around the seven elements, each of which is divided into a dozen or so sub-elements, which are further divided into a list of nearly 400 measures—from which organizations can select evaluative tools that best serve their needs. Although OIG observes that this resource is “not intended to be a checklist to assess the entire compliance program” because using “all the tools or many of them is impractical and not recommended,” the toolkit can facilitate a compliance program effectiveness review. Depending on the organization’s resources and history (e.g., a large compliance failure, a series of compliance events the program and risk assessment did not identify as risks), it may want to consider retaining an outside expert to conduct the review.

7. Responding to Detected Offenses and Corrective Actions

OIG and DOJ recognize that no compliance program can ever prevent all misconduct.53 When there is a potential compliance failure, organizations should promptly investigate and, where appropriate, take corrective actions. These actions may include voluntarily refunding overpayments or otherwise self-disclosing potential noncompliance (e.g., through the SRDP or SDP), enforcing disciplinary policies and procedures, and conducting root cause analyses that could result in modifying the compliance program based on the lessons learned.

The compliance officer should maintain an ongoing log of reports and document the investigation of each report and the corrective actions taken. Organizations may also need to modify the compliance program based on lessons learned from investigations, to minimize the risk of future misconduct and strengthen any vulnerable areas within the organization.

Conclusion

Compliance programs play a vital role in managing fraud and abuse risks. If appropriately designed and implemented, they can reduce both the likelihood of noncompliance and the costs of noncompliance should it occur. Participants in the health care industry now have not only several decades of compliance program guidance from government agencies but also OIG’s GCPG, and will soon have ICPGs as well; collectively, these offer a wealth of compliance program guidance.

*This article is adapted from a chapter of the forthcoming Enterprise Risk Management for Health Care, Fourth Edition.


Justin K. Brown is a member at Bass Berry & Sims PLC, where he regularly advises on complex health care regulatory issues, particularly those involving the federal physician self-referral law (Stark Law), Anti-Kickback Statute, and state analogs. A substantial portion of his practice involves providing front-end compliance and fraud and abuse counseling for hospitals and health systems, post-acute providers, ambulatory surgery centers, physician practices, and other health care industry participants.

Dee D. Harleston is an associate at Bass Berry & Sims PLC. He focuses his practice on health care regulatory and fraud and abuse matters, including the Federal Anti-Kickback Statute, the physician self-referral law (Stark Law), the Civil Monetary Penalties Law, and other health care compliance matters. He also advises clients on a range of operational and transactional matters, including issues related to value-based care models and Medicare Advantage.

Brianna R. Powell is an associate at Bass Berry & Sims PLC, where she provides health care compliance and fraud and abuse counsel on regulatory, operational, and transactional matters, including counsel on compliance with state and federal health care statutes and regulations such as the Stark Law, Anti-Kickback Statute, False Claims Act, and Emergency Medical Treatment and Labor Act. Additionally, Brianna assists clients in conducting internal investigations and responding to and appealing payor audits.

Morgan H. Tandy is an associate at Bass Berry & Sims PLC in its Nashville office. Morgan provides health care regulatory and transactional counsel as it relates to mergers, acquisitions, compliance, and operational matters.


This Feature Article is brought to you by AHLA’s Hospitals and Health Systems Practice Group: Julia Tamulis, Bass Berry & Sims PLC (Chair); David Crapo, Gibbons PC (Vice Chair—Education); Alison Hollender, Husch Blackwell LLP (Vice Chair—Member Engagement); Faisal Khan, Modivcare (Vice Chair—Education); Bartt Warner, VMG Health (Vice Chair—Education); and Jamie Whitney, Adelanto HealthCare Ventures, LLC (Vice Chair—Education).


1 42 U.S.C. § 1320a-7b(b).

2 42 U.S.C. § 1395nn; 42 C.F.R. pt. 411, subpt. J.

3 42 U.S.C. § 1320a-7a; 42 C.F.R. §§ 1003.200, 1003.300.

4 42 U.S.C. §§ 3729–3733.

5 U.S. Dep’t of Justice (DOJ), 1994 Annual Report of the Attorney General of the United States, https://www.justice.gov/archive/ag/annualreports/ar94/finalag.txt (last visited Aug. 30, 2023).

6 See DOJ, Press Release, False Claims Act Settlements and Judgments Exceed $2 Billion in Fiscal Year 2022 (Feb. 7, 2023), https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-2-billion-fiscal-year-2022.

7 See, e.g., 42 C.F.R. § 422.503(b)(4)(vi) (Medicare Advantage organizations); 42 C.F.R. § 423.504(b)(4)(vi) (Medicare Part D prescription drug plans); 42 C.F.R. § 483.85 (nursing facilities); see also Dep’t of Health and Human Servs. (HHS) Office of Inspector Gen. (OIG), Corporate Integrity Agreement Documents (last visited Nov. 29, 2023), https://oig.hhs.gov/compliance/corporate-integrity-agreements/cia-documents.asp (cataloging corporate integrity agreements (CIAs), which generally require compliance programs).

8 See R. Bednar et al., Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines (Oct. 7, 2003), p. 34.

9 See HHS OIG, Compliance Program Guidance, https://oig.hhs.gov/compliance/compliance-guidance/; HHS OIG, Model Compliance Plan for Clinical Laboratories, 62 Fed. Reg. 9435 (Mar. 3, 1997).

10 See HHS OIG, OIG Modernization Initiative To Improve Its Publicly Available Resources—Request for Information, 86 Fed. Reg. 53072 (Sept. 24, 2021).

11 See HHS OIG, Modernization of Compliance Program Guidance Documents, 88 Fed. Reg. 25000 (Apr. 25, 2023).

12 See, e.g., DOJ, Justice Manual 9-28-300, Principles of Federal Prosecution of Business Organizations—Factors to Be Considered (updated Apr. 2023).

13 Eric Holder, U.S. Deputy Attorney General, Bringing Criminal Charges Against Corporations (June 16, 1999).

14 See Larry Thompson, U.S. Deputy Attorney General, Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003); Paul McNulty, U.S. Deputy Attorney General, Principles of Federal Prosecution of Business Organizations (Dec. 12, 2006); Mark Filip, U.S. Deputy Attorney General, Principles of Federal Prosecution of Business Organizations (Aug. 28, 2008); Justice Manual, § 9-28.000, Principles of Federal Prosecution of Business Organizations.

15 DOJ, Evaluation of Corporate Compliance Programs (Mar. 2023).

16 Id.

17 Id.

18 GCPG at 79.

19 See GCPG at 76–77 (citing OIG and Am. Health Law Ass’n (AHLA), Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors (2004)).

20 See Lisa Monaco, Deputy Attorney General, DOJ, Speech, Policy Designed to Encourage Disclosure of Misconduct and Hold Individual Wrongdoers Accountable (Oct. 4, 2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self (announcing “a Department-wide Safe Harbor Policy for voluntary self-disclosures made in the context of the mergers and acquisition process” providing that “acquiring companies that promptly and voluntarily disclose criminal misconduct within [six months from the date of closing], and that cooperate with the ensuing investigation, and engage in requisite, timely and appropriate remediation, restitution, and disgorgement . . . will receive the presumption of a declination”).

21 See 42 C.F.R. § 411.353(h); CMS, Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77492, 77580–87 (Dec. 2, 2020). Entities that fail to monitor ongoing arrangements risk learning too late that they failed to implement an arrangement as intended, which can lead to substantial liability under the PSL.

22 Bednar, supra note 8, at 51.

23 OIG, Supplemental Compliance Program Guidance for Hospitals (hereinafter Hospital Supplemental CPG), 70 Fed. Reg. 4858, 4874 (Jan. 31, 2005).

24 GCPG at 42, 53–55, 79; Hospital Supplemental CPG at 4874.

25 ECCP at 12.

26 ECCP at 2.

27 See DOJ, Criminal Division, & Securities and Exchange Commission (SEC), Enforcement Division, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2d ed. 2020), p. 60 (“One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas. Devoting a disproportionate amount of time policing [lower risk arrangements] instead of focusing on [higher risk arrangements] may indicate that a company’s compliance program is ineffective.”).

28 GCPG at 56 (citing Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management: Integrating with Strategy and Performance (June 2017); Society of Corporate Compliance and Ethics (SCCE) and Health Care Compliance Association (HCCA), Compliance Risk Management: Applying the COSO ERM Framework (Nov. 2020); Chief Financial Officers Council & Performance Improvement Council, Playbook: Enterprise Risk Management for the U.S. Federal Government (Fall 2022)).

29 OIG, Compliance Program Guidance for Pharmaceutical Manufacturers (hereinafter, Pharmaceutical Manufacturer CPG), 68 Fed. Reg. 23731, 23733 (May 5, 2003).

30 Jay Clayton, Chairman, SEC, Speech, Observations on Culture at Financial Institutions and the SEC (June 18, 2018), https://www.sec.gov/news/speech/speech-clayton-061818.

31 DOJ, Criminal Division, & SEC, Enforcement Division, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2d ed. 2020), p. 59.

32 See OIG, Supplemental Compliance Program Guidance for Nursing Facilities (hereinafter, Nursing Facility Supplemental CPG), 73 Fed. Reg. 56832, 56834 (Sept. 30, 2008) (explaining that benefits of a compliance program include, among other things, “[e]ncouraging employees and others to report potential problems, which permits appropriate internal inquiry and corrective action and reduces the risk of False Claims Act lawsuits, and administrative sanctions (e.g., penalties, assessments, and exclusion), as well as . . . actions [under state law]”).

33 See Pharmaceutical Manufacturer CPG at 23733.

34 GCPG at 38–39.

35 See, e.g., Hospital CPG at 8993, n. 35 (“OIG believes that there is some risk to establishing an independent compliance function if that function is subordinan[t]e to the hospital’s general counsel, or comptroller or similar hospital financial officer. Free standing compliance functions help to ensure independent and objective legal reviews and financial analyses of the institution’s compliance efforts and activities. By separating the compliance function from the key management positions of general counsel or chief hospital financial officer (where the size and structure of the hospital make this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.”).

36 See AHLA and OIG, The Health Care Director’s Compliance Duties: A Continued Focus of Attention and Enforcement (Aug. 2011); AHLA and OIG, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors (July 2004). But see OIG, Association of Healthcare Internal Auditors (AHIA), AHLA & HCCA, Practical Guidance for Health Care Governing Boards on Compliance Oversight, pp. 7–8 (Apr. 20, 2015) (hereinafter Practical Guidance).

37 Practical Guidance at 3. See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996).

38 Practical Guidance at 10.

39 Id.

40 OIG, Publication of the OIG Compliance Program Guidance for Hospitals (hereinafter Hospital CPG), 63 Fed. Reg. 8987, 8988 (Feb. 23, 1998).

41 GCPG at 44.

42 Practical Guidance at 1. See GCPG at 43–46.

43 See, e.g., Hospital CPG at 8994.

44 See Hospital Supplemental CPG at 4875.

45 GCPG at 53–55.

46 GCPG at 54.

47 See Hospital CPG at 8995–96.

48 See Pharmaceutical Manufacturer CPG at 23741.

49 GCPG at 55.

50 Hospital CPG at 8996.

51 See generally OIG, Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs (May 8, 2013).

52 See HCCA and OIG, Measuring Compliance Program Effectiveness: A Resource Guide (Jan. 17, 2017).

53 Nursing Facility Supplemental CPG at 56834; Justice Manual, § 9-28.800, Cmt.