
Your condensed version of the OIG’s compliance guidance

If you’re looking for materials where the government tells you exactly what to do for your compliance program, there isn’t all that much to find. Unless, that is, you shift your gaze to the Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS). In fact, the OIG dropped an early holiday present for compliance folks back in November: OIG’s General Compliance Program Guidance (GCPG). So sweet of them! Of course, unless you’ve got nothing better to do—like, say, actually running your program—it might take a hot minute to get through all 91 PAGES! 🤯

Do I think you should read it all? Yes.

Ted Lasso pointing and saying, "Yes!"

Delegating doesn't count! | Source: Apple TV’s Ted Lasso via giphy

You know your program better than anyone, so reading it will resonate in a unique way for you. But I also know finding the time to do that will be tough. So, here are my thoughts after reading it—yes, all of it—for any compliance pro in any industry looking to benchmark. But first, a couple housekeeping notes:

  • Don’t get distracted by the healthcare aspect. There’s a lot of translatable info to glean!
  • It’s “guidance.” That means it's not mandatory, doesn’t equate to a model program, and isn’t the only way to build or manage a compliance program. That being said, it is from a regulatory agency so impart whatever level of gravitas you feel is reasonable.
  • There's a big section on healthcare industry-specific laws which I’m going to skip in this blog post. The lesson here is not to rely solely on the condensed version. Know the rules that apply to you and your organization!

Ready to get started? Here are the excerpts that stood out to me.


“…tailored to fraud and abuse risk areas for each industry subsector...”


Bespoke is always in fashion! For many years, OIG has issued GCPG documents to help program administrators prevent, detect and reduce fraud, waste, and abuse. This year, they will start issuing Industry Segment-Specific CPGs (ICPGs) tailored to different types of healthcare providers, suppliers, and others in the industry. As any astute reader of the tea leaves has seen in recent years, the mantra coming from many U.S. regulatory agencies has been “be specific” with your messaging, training, and communications. 

What exactly does it mean to “be specific”? 🔍 I’ll elaborate more throughout this article, but in short, it’s about making sure your messaging is being delivered to the right audience at the right time. This addition of ICPGs is the regulators signaling that this is an important takeaway. General themes are still fine when you’re speaking foundationally or when you need to provide a quick, broad sweep of a particular topic. However, getting specific about who you’re talking to, what you’re telling them, when you’re providing it, and how you’re doing it is a smart move. 


“…an entity’s leadership should commit to implementing all seven elements to achieve a successful compliance program.”


No matter your industry, company, or program size, the OIG’s Seven Elements of an Effective Compliance Program are generally applicable. Let’s dive into what the OIG has to say about them and some insights on how we can do better.


Element 1: “…provide a roadmap for relevant individuals…”


How will anyone know what to do if you don’t write it down (in a language and at a level they understand!) and put it somewhere they can find it? Build that map by establishing WRITTEN, published, accessible, and current policies and procedures. Make sure they know where to go by communicating clearly and regularly so your colleagues don’t fall prey to the forgetting curve. 💭

Also, take note of the term “relevant individuals.” Here we go again—but in a good way—be specific! Get the audience right. Not everything applies equally to everyone. If you don’t feel like you know what the audience should be, it’s on you to find out. 

Midge Maisel talking on the phone and exclaiming, "Who are you people?"

That’s one way to figure it out. | Source: Amazon Studios The Marvelous Mrs. Maisel via giphy

Codes of Conduct are important, too. Whether you think of them as a foundation or an umbrella, they set forth the ethical culture to achieve your organization’s mission and goals. A Code has a longer lifespan than other policy documents and probably doesn’t need to be reviewed as regularly, but it’s something you definitely don’t want to put on a shelf. Also, don’t forget to ensure your senior leadership openly and actively acknowledges and embraces your Code! Which is a great segue to…


Element 2: “To be effective, a compliance program should have a board and senior leadership that understand its value and are committed to its success.”


Of course, that starts with you, dear compliance reader. The CCO (and by extension the compliance program) needs to have independent access and the ability to make reports directly to the highest governing authority (e.g., board), without a buffer or by proxy. If compliance is buried down the org chart, effectiveness is highly diminished. Your board needs to learn from and be informed by you on risks as well as provide you with feedback and oversight to ensure your program does not stagnate. Think of it as a push and pull.

I’m just going to let this quote stand for itself because it’s perfect: “Thus, the compliance officer should not lead or report to the entity’s legal or financial functions and should not provide the entity with legal or financial advice or supervise anyone who does.” (More on this in Element 7.) Remember, compliance isn’t the operational arm of the organization. And, another perfect quote: “Whenever possible, the compliance officer’s sole responsibility should be compliance.” Mic drop. 🎤

But you simply cannot do it alone. Having a strong and active compliance committee made up of operational leaders is essential. They’ll help you keep a pulse on the organization—both culturally as well as identifying emerging risk areas.

Pro tip: Want a good way to really demonstrate tone-at-the-top? Active participation by senior leaders on the compliance committee is a great indicator!


Element 3: “…develop and coordinate a multifaceted education and training program specific to the needs of and risks presented by the entity…” (emphasis added)


You could have the most amazing program in the world, but if you don’t tell anyone about it, what good is it? Communication is key! And here’s my hot take: Your LMS is terrible at communicating. 🔥 Training and communications programs need to be robust (read: multifaceted) and contain education and support directly related (read: specific) to the risks you are working to address and mitigate. 

You cannot just throw this together. Develop, with the help of your team and reviewed by your compliance committee, a thorough communications and training plan to cover your identified risk areas with a mixture of messages delivered over time to the right audiences to help ensure adoption, retention, and application. 

Also, don’t forget to let people know how and where to go for help! (Speaking of, need some help with this? We got you!)


Element 4: “…encourage communication with the compliance officer and the reporting of incidents of potential fraud and other compliance concerns.”


Did anyone ever tell you to “shut your mouth and open your ears”? Open communication requires great listening skills! People need to know that you’re available to hear them: They need to be reassured that it’s OK to speak up and encouraged to do so. They also need to be reassured that they won’t experience retaliation. 

Furthermore, you never know when someone might need you, so make sure that there are lots of ways for you to listen (open door, feedback loops, surveys, hotlines, anonymous options, etc.).

Dolly Parton winking and pouring tea into a tea cup.

Compliance is always ready for a chat! | Source: Savoy Theatre 9 to 5: The Musical via giphy

Once you’ve listened, make sure you’re also learning by keeping track of the issues being raised (including issues that are disguised as inquiries). Sometimes the picture takes a while to come into focus and a good recordkeeping strategy to log and review reported concerns is essential. 


Element 5: “Both incentives and consequences are important to enforcing compliance.”


Granted, it isn’t always the fun part of the job, but enforcing standards is a critical one. If someone makes a mistake, it must be addressed. Your culture depends on it. Ignoring or sweeping something under the rug breaks down trust and sets you up for failure (like lawsuits or regulatory actions). Enforcement isn’t just on you, but compliance plays an important role in the identification and remediation of identified issues. One thing to note: Consistent application of enforcement actions is key and outcomes should match. 🔑

Incentivizing compliant behavior is also something to think about—carefully. You don’t want to send the wrong message by having them look like kickbacks. Think critically about ways to encourage behaviors that support your ethical culture and highlight risk-reducing activities (like celebrating improved processes or great catches).


Element 6: “…include in the compliance work plan a schedule of audits [and monitoring] to be conducted based on risks identified by the annual risk assessment.”


You’ve got your compliance committee and your feedback loops to help you, but you also need to audit and monitor for risks throughout the year. And how do you know what risks to look at? You do a risk assessment! It’s a big process, but one that needs to be prioritized. 

If you’re crunched for time, think about ways to fit the assessment into your organization’s current operational activities (e.g., standing meetings, leadership retreats, committee reports). There is no rule that says it must be done at a certain time or in a certain way. It just needs to be done, and done regularly. Furthermore, you need to make sure the data is good. 

Oscar the Grouch yelling, "That's annoying, and grouches love being annoyed."

Otherwise junk in, junk out. | Source: Comedy Central’s The Colbert Report via giphy

Once you know what risks you’re focusing on, keep track of them. Clearly, there should be an educational element (see comms section above) but building a robust audit and monitoring infrastructure gives you an additional layer to see what’s really happening in the field. Some things make sense to monitor (i.e., regular, routine checks) and other things are better as audits (i.e., retrospective looks back in time). And don’t forget to include yourself, too! Having a mirror on your program provides solid feedback and identifies opportunities to improve.


Element 7: “…it is inevitable that a compliance officer will receive audit or monitoring results that raise concerns or receive a report through the disclosure program that requires investigating.”


We’re human and humans are prone to making mistakes from time to time. The key is admitting and fixing them! Find ways to improve your own investigation skills and internal processes (including documentation and recordkeeping) so you can feel confident that any review of an identified issue gives you the information you need to fix it and prevent it from happening again. 

As part of your investigations process, know when to ask for help. If something looks like it’s illegal or going to require regulatory reporting, reach out to legal counsel and any others you’ll need to address it. (Pro tip: this is another good reason why compliance and legal should be separate functions—you play different roles!)

Then—to state the obvious—actually fix the problem you found. 

Severus Snape saying, "Obviously."

Source: Warner Bros. Harry Potter and the Order of the Phoenix via giphy


A few final pearls...

If you find yourself thinking, “Well, Jennifer, that’s all great, but there is no way our little company can afford all this!” I hear you! And so does the OIG. But just because your company may be small doesn’t mean the law doesn’t apply. You’ll need to find some way to have at least a minimal compliance program to meet those obligations, so you may need to get creative.  

Here are some ideas:

  1. Identify a dedicated compliance contact, full- or part-time. 
  2. Outsource certain aspects, like training and comms creation.
  3. Leverage free resources, like all the stuff OIG has created. (You don’t have to be in healthcare to access or use it.)
  4. Ask to be part of already-established internal resources, like newsletters or standing meetings.
  5. Distribute compliance messages through supervisors and managers, and encourage them to receive and share feedback with you.
  6. Block calendars ahead of time to conduct risk assessments and audits. 
  7. Ask IT to help you automate monitoring activities into regular reports. 
  8. Always have a bit of unassigned time available in case a new investigation or issue pops up (because it will).

For you big companies … If you don’t currently have everything that’s already been mentioned, what’s your excuse? 🤨 Seriously, you need to answer this question because I can guarantee you that a regulatory investigator will ask it. The expectation is “consider the size and complexity of [the] organization in reviewing the scope and adequacy of the entity’s compliance program,” and “… large organizations will generally need significant compliance resources and expertise to develop and monitor a compliance program capable of addressing the breadth and complexity of compliance issues that a large organization faces.”


What’s next?

You can do this. Lack of time/budget/resources? Those are all just excuses. I’m not saying they are not valid ones, but in the end, they are excuses for not taking the steps necessary to establish a compliance program.

I know I’m mostly preaching to the choir here, so hopefully you’re nodding your head in agreement.* Hopefully this GCPG can help you continue to make the case for your program and motivate you to keep fighting the good fight! 

*If not, let’s chat! I’m always open to hearing your thoughts and learning new ways to think about these issues!