The U.S Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued the General Compliance Program Guidance (GCPG) on November 6th – 2023, for life sciences companies and other industry verticals.
The GCPG follows an earlier announcement by the OIG, which was associated with modernizing compliance programs. It also contains a few major updates to OIG’s past guidance, “7 Elements of An Effective Compliance Program,” issued between 1998 and 2008.
A considerable part of the guidance is not new. Still, it reinforces past statements and shares insights learned from past regulatory enforcements and corporate integrity agreements (CIAs), becoming a useful primer for compliance officers and life sciences companies.
While GCPG is non-binding and voluntary, we strongly recommend compliance officers and life sciences companies take the GCPG seriously and use it to adapt their compliance programs to their unique risk profiles, and compliance demands effectively.
This article will walk you through the OIG’s GCPG, helping you adapt it to your life sciences company’s needs.
The article highlights the following:
- What Motivated OIG To This Change?
- Compliance Program Infrastructure: The Seven Elements
- Significant Changes Made to the Role of Compliance Officers
- 9 Action Items to Consider Addressing In 2024 As Per OIG’s GCPG
- Takeaways For Life Sciences Companies
What Motivated OIG To This Change?
On April 25th – 2023, OIG published a notice in the Federal Register titled “Modernization of Compliance Program Guidance Documents.”
OIG set forth the procedure and process for issuing/publishing compliance program guidance documents through the Federal Register notice.
Compliance Program Infrastructure: The Seven Elements Updated
The GCPG published in 2023 gets most of the information from the previously released CPGs, but in some areas, it provides more in-depth information on each compliance program element.
The minor changes to the GCPG are because the revised guidance encompasses feedback from industry stakeholders, the “lessons learned” from the past regulatory enforcement, and 25 years of monitoring, auditing, and investigating Corporate Integrity Agreements (CIAs).
Here are a few changes made to the seven elements of a compliance program in the fewest possible words:
| Seven Elements | Updated Seven Elements |
| Written Policies and Procedures | Written Policies and Procedures |
| Designated Compliance Officer and Compliance Committee | Compliance Leadership and Oversight |
| Training and Education | Training and Education |
| Effective Lines of Communication | Effective Lines of Communication with the Compliance Officer and Disclosure Program |
| Enforcing Standards Through Well-Publicized Disciplinary Guidelines | Enforcing Standards: Consequences and Incentives |
| Internal Monitoring and Auditing | Risk Assessment, Auditing, and Monitoring |
| Responding Promptly to Detected Deficiencies and Undertaking Corrective Action | Responding to Detected Offenses and Developing Corrective Action Initiatives |
Effectively manage your compliance program using ​a Data-driven Compliance Platform​ and utilize data to assure compliance.
Significant Changes Made To The Role Of Chief Compliance Officers
The latest guidance from the General Compliance Program Guidance consolidates the Office of Inspector General (OIG) recommendations regarding the Chief Compliance Officer (CCO) role.
It emphasizes the importance of CCO independence, stating that they should report directly to the CEO or the board. The CCO should not have ties to legal or financial functions, provide advice in these areas, or supervise those who do.
If the CCO also serves as Chief Privacy Officer, they should be sufficiently supported to fulfill both roles, ensuring that they do not deviate from their core responsibilities as per the OIG’s GCPG (which are highlighted below).
OIG basically outlines the essential traits of a compliance officer and stresses the need for an independent, well-supported compliance function.
According to the OIG, the compliance officer should:Â
- Report either to the CEO with direct and independent access to the board or the board directly
- Not lead or report to the entity’s legal or financial function, provide legal or financial advice or supervise anyone who does.
- Have sufficient stature within the entity to interact as an equal to other senior leaders of the entity.
- Demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees.
- Have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks.
Additionally, OIG suggests that CCOs collaborate with other relevant components (such as Internal Audit, Risk, Quality, and IT) to develop work plans for assessing compliance risks.
Compliance Committees should adhere to the minimum criteria outlined by OIG to support the CCO and the overall compliance program effectively.
The GCPG recommends that committee member participation be evaluated based on attendance, active involvement, and substantive contributions, with success measured by factors like the establishment of comprehensive work plans and successful risk mitigation efforts.
Primary Responsibilities of a Compliance Officer
The OIG states, “The primary responsibility of a Compliance Officer should include advising the CEO, board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.”
These responsibilities further include:
- Oversee and monitor compliance program implementation
- Advise CEO, board, and senior leaders on:
 – The totality of risks the entity faces
 – Risks related to the strategic and operational decisions of the entity
 – The operation of the entity’s compliance program
- Chairing the Compliance Committee
- Report to the board on:
 – Implementation, operation & requirements of the compliance program
 – The compliance risks the entity faces
 – How the entity can mitigate compliance risks
- Revise compliance program periodically based on organizational needs, regulatory changes
- Coordinate with HR to screen individuals against the LEIE and any applicable State Medicaid program exclusion lists
- Collaborate with relevant entity components to develop compliance risk work plans
- Independently investigate compliance matters and recommend policy changes and corrective actions.
- Develop policies and programs encouraging personnel to report fraud without fear of retaliation.
9 Action Items to Consider In 2024 As Per OIG’s Updated GCPG
1. Establish Independent & Authoritative Compliance Leadership
Appoint a compliance officer with the independence, authority, and resources to lead compliance initiatives.
The officer should not have conflicting duties, such as clinical, financial, or legal tasks. They should report directly to the CEO or board, avoiding reporting to legal or finance departments.
Many smaller organizations may require individuals to serve in multiple roles alongside compliance responsibilities.
2. Demonstrate Commitment to Compliance
Adopt a code of conduct outlining the entity’s objectives, values, and ethical standards.
Even if comprehensive policies and procedures are absent, including a code of conduct in the employee handbook should demonstrate the entity’s dedication to compliance.
3. Leverage a Top-Down Approach to Compliance
OIG recommends a top-down approach to compliance within the organization, ensuring that leadership is well-informed about the seven key elements of an effective compliance program.
Furthermore, OIG emphasizes the importance of board understanding and oversight of compliance operations.
This includes providing basic compliance education to new participants, such as private equity investors in healthcare entities, so that they can exercise reasonable oversight.
Life Sciences companies should incorporate a session on the General Compliance Program Guidance (GCPG) in an upcoming meeting to explain implementation strategies.
4. Implement Audit and Monitoring in Compliance Functions
Ensure that compliance functions include an audit and monitoring component.
Conduct regular assessments to identify and address risks effectively.
Perform routine exclusion searches of employees, contractors, and vendors against OIG’s List of Excluded Individuals/Entities and state Medicaid exclusion lists.
According to research:
- 33% are prioritizing to automate monitoring and testing in 2 years
- 39% are prioritizing to automate risk assessments
Identify your risks and do​ something about them effectively with our Global Compliance Monitoring Solution​
5. Incentivize Reporting Non-Compliance
Incentivize the individuals who raise substantiated compliance issues and acknowledge achievements related to compliance efforts.
Consider establishing an annual award program for the top reporters of non-compliance to demonstrate organizational commitment to encouraging the reporting of concerns to all stakeholders.
6. Tailor Compliance Programs As Per Your Organizational Demands
Tailor compliance programs and activities, including staffing levels and corrective actions, to align with the organization’s compliance demands.
CCOs should, however, periodically adjust resources and staff for expanding organizations to facilitate compliance business growth effectively.
7. Provide Comprehensive Compliance Training
Assess the training needs and effectiveness of employees regarding compliance. You need to ensure that all employees know the totality of risks that non-compliance poses for organizations.
The best way to do this is by reviewing training requirements and providing targeted training appropriate for an individual’s duties and roles.
Consider adding annual training in 2024 using government-produced or other reliable third-party tools if your organization does not have training and education in place already.
According to research:
- 53% of respondents expect an increase in online training over the next three years
- 52% of compliance leaders intend to increase dynamic training triggered by compliance monitoring practices
8. Build Effective Communication Channels for Compliance
While anonymous hotlines and suggestion boxes are encouraged by OIG, consider alternative channels such as Skype, Slack, web forms, and annual questionnaires to get insights into your organization’s compliance stature.
Address reports promptly and share them with leadership. If no reports were received in 2023, consider implementing a new reporting tool in 2024 to encourage further communication.
9. Integrate Patient Safety & Quality to the Entity’s Compliance Program
Integrate quality control and patient safety oversight into the entity’s compliance programs.
Ensure regular reporting to the board on quality control and patient safety to the board.
Despite potential oversight during legal matters, emphasize the importance of quality and safety for patients as highlighted by OIG throughout the GCPG.
Takeaways for Life Sciences Companies
The U.S Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued the General Compliance Program Guidance (GCPG) in 2023, providing updated recommendations for compliance for the life sciences companies and other industries.
The GCPG builds upon past guidance and incorporates regulatory enforcement and Corporate Integrity Agreements (CIAs) insights to strengthen compliance programs.
It provides key insights and recommendations to compliance officers and life sciences companies on the following aspects:
- Understanding OIG’s Motivation: Outlines the rationale behind the OIG’s updates to compliance program guidance, emphasizing the importance of modernizing compliance initiatives and incorporating lessons learned from past regulatory actions.
- Updated Compliance Program Infrastructure: The article highlights changes to the seven elements of an effective compliance program, offering insights into how compliance officers can adapt their existing programs to meet updated guidelines.
- Role of Compliance Officers: It delves into the significant changes made to the role of compliance officers, stressing the importance of independence, authority, and direct reporting lines to senior leadership or the board.
- Action Items for 2024: The article outlines nine specific action items for compliance officers to consider implementing in 2024 based on the updated GCPG. These items range from establishing independent compliance leadership to integrating patient safety and quality into compliance programs.
Our Data-Driven Compliance Platform improves your compliance program’s effectiveness, proactively identifies and mitigates risks, and enhances the HCP Engagement process.
