OIG's New General Compliance Program Guidance (GCPG): Overview and Takeaways for Life Sciences Companies

On November 6, 2023, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released nonbinding General Compliance Program Guidance (GCPG) for all individuals and entities participating in the healthcare industry, including life sciences companies. As its name suggests, the 91-page GCPG broadly provides guidance for healthcare compliance programs. Below is an overview of the GCPG along with considerations for how life sciences companies can use it as a resource as they develop, implement, and evaluate their healthcare compliance programs. Notably, while the OIG’s user-friendly format is new, its guidance is consistent with existing laws and resources.

Background

In April 2023, the OIG published a notice in the Federal Register announcing that it was “modernizing the accessibility and usability of its publicly available resources,” which currently include separate compliance program guidances specific to areas of the healthcare industry, including its 2003 Compliance Program Guidance for Pharmaceutical Manufacturers. The OIG states in the GCPG that it expects to begin publishing industry-specific Compliance Program Guidances (ICPGs) in 2024 that will be tailored to address certain subsector risk areas.

Overview

The OIG refers to the GCPG as a voluntary reference guide that allows the opportunity to provide feedback to the OIG and solicit questions, including suggestions for risk areas to be covered in a particular ICPG. OIG states that it recognizes that the GCPG and forthcoming ICPGs are not intended to be one-size-fits-all or all-inclusive and do not create any new laws or legal obligations.

The GCPG includes a summary of certain laws that may apply to health care entities, including the Federal Anti-Kickback Statute and the False Claims Act and related penalty authorities, and contains illustrative questions and tips to consider when evaluating potentially “problematic arrangements” under the Anti-Kickback Statute. Listed examples of issues to explore include whether an arrangement has the potential to interfere with clinical decision-making, or raises concerns related to steering patients or entities to certain items or services, and ultimately what to do if a problem is identified. The GCPG also contains numerous references reinforcing the importance of OIG’s voluntary self-disclosure protocols to proactively report potential fraud.

The GCPG follows with the seven elements of a successful compliance program, which reflects its prior guidance and incorporates various lessons learned and practical recommendations to consider with each element. Notably, however, as to the second element, “Compliance Leadership and Oversight,” the GCPG states that an entity’s compliance officer should be independent and should not lead or report to the entity’s legal or financial functions. In addition, for the sixth element, “Risk Assessment, Auditing, and Monitoring,” the GCPG states that entities, regardless of size, should consider data analytics as a means to identify compliance risk areas.  

Acknowledging that compliance programs may be different based on the size of an entity, the GCPG includes suggestions for how small and large companies can design a compliance program that is suited to their size and needs. For example, the GCPG recommends that smaller entities that cannot appoint a full-time or part-time compliance officer, should designate a person as a compliance contact. In contrast, the GCPG states that a larger entity will likely need a compliance department comprised of numerous personnel to maintain a successful compliance program. While the structure of a compliance program may vary based on the entity’s size, the objective of meeting the OIG’s seven elements remains the same for entities of all sizes. 

The GCPG contains a discussion of general compliance considerations which includes the recommendation to “follow the money” to identify fraud and abuse risks with, for example, arrangements related to payment incentives. According to OIG, ongoing monitoring of compliance with financial arrangements includes confirming that documentation is maintained, conducting legal reviews, and performing fair market value assessments. 

Finally, the GCPG includes reference to various compliance and legal resources for consultation, such as advisory opinions, special fraud alerts (with specific mention of the special fraud alert related to pharmaceutical and medical device company-sponsored speaker programs), bulletins and safe harbor requirements, along with corporate integrity agreements and enforcement action summaries.

Takeaways for Life Sciences Companies

As the guidance itself notes, the GCPG does not create any new legal obligations and is not intended to address all compliance considerations. Because the 2003 Compliance Program Guidance for Pharmaceutical Manufacturers is 20 years old, a forthcoming ICPG will likely provide additional information about current risks that are more specific to life sciences companies. The GCPG reads much like a “code of conduct” for compliance programs that is helpful, user-friendly, and can be a centralized tool for companies to consult on an ongoing basis. It is also a resource for stakeholders to educate themselves on the basis and necessity for healthcare compliance programs as such companies consider their approach for compliance. 

Porzio’s team of Life Sciences attorneys can assist life sciences companies at all phases and of all sizes with building, maintaining and evaluating their compliance programs, while considering OIG’s guidance and other associated laws and regulations.