Health Care Industry Should Prepare for Growing Federal Compliance Focus

Businesses involved in the health care industry should review their compliance programs. Both the Department of Justice (DOJ) and Office of the Inspector General (OIG) recently signaled a renewed focus on enforcing compliance sanctions, and the effectiveness of a company’s compliance program could make a major difference during investigations.

Previous Federal Focus on Compliance Programs

During the 1990s, as Medicare program costs increased—and along with them a government focus on health care fraud and abuse—the OIG of HHS began to encourage voluntary compliance programs. The programs aimed to engage the private health care sector in preventing inappropriate conduct in federal health care programs. OIG issued a series of compliance program guidance for 11 types of health care providers, including hospitals, nursing homes, hospice providers, medical suppliers, physician groups and others. These were not model compliance programs, but suggested components needed for a compliance program to be considered “effective.” 

This terminology, and determination of “effectiveness,” was based in large part on elements of the Federal Sentencing Guidelines enacted in 1991, which in Chapter 8 included guidelines applicable to entities. In general, sentencing enhancement or reduction for entity defendants was affected by the conduct of the defendant entity and what efforts it made to prevent or mitigate the conduct which created the criminal violation. In addition to supporting civil claims for violation of the False Claims Act, whether brought by private claimants or the DOJ itself, the Anti-Kickback Statute is a criminal statute, so many aspects of OIG compliance guidance flow from the Sentencing Guidelines.

The original HHS OIG compliance program guidance suggested that health care entities  establish a compliance program, and that, for the program to be effective, it should:

1. Include a number of enumerated attributes, including a formal code of conduct and a formally designated compliance officer and compliance committee, which have a clear, well-crafted mission and sufficient resources.
2. Have separation between compliance function and function of the entity's general counsel.
3. Complete a yearly review, including an assessment of whether:
   • The committee was active.
   • The compliance officer had significant authority, such as direct access to the board and senior management. Direct contact to the board was significant as it recognized that sometimes impropriety occurs at senior management level, such that the program could be circumvented if the compliance officer was required to report to such management.
   • The compliance officer was independent and had independent authority to retain outside legal counsel.
   • The compliance officer made regular reports to the board.
4. Develop compliance policies and procedures.
5. Provide compliance training and education.
6. Conduct internal monitoring and auditing.
7. Identify and respond to deficiencies.

An important overall consideration was whether the entity conducted thorough and prompt compliance investigations and self-reported them if detected. Thus, evidence of “effectiveness” was measured in part based on there being active inquiries, investigations and results, and not simply a compliance program on paper.

The elements set forth in this early guidance also tended to be considerations in FCA actions brought by the DOJ. They also had some bearing on whether settlements and other regulatory sanctions would require Corporate Integrity Agreements—which were essentially a form of supervised probation for the entity—and the terms of such agreements.

Compliance remained a hot topic in health care through around 2007 or 2008, as entities devoted significant attention to establishing compliance programs. However, over time, and perhaps due to the housing bubble burst in 2008, the financial crisis which followed, presidential administration turnover, and the COVID-19 pandemic, compliance program structure and operation seemed to wane as a government focus. During this period, some entities’ compliance programs may have moved toward more paper and less substance. However, it appears that government focus is about to change.

What’s on the Horizon for Compliance Enforcement?

Earlier this year, both the OIG and the DOJ made announcements which indicate that compliance is making a comeback, and perhaps with a vengeance.

On April 24, the OIG announced that it was modifying its process for issuing compliance program guidance. OIG will not withdraw the compliance guidance it issued between 1998 and 2005 as described above. Instead, it will transition to a new general compliance program guidance by the end of 2023 that will apply to all individuals and entities involved in the health care industry. This will broaden guidance to include facilities, entities, vendors and individuals not mentioned in the original 11 guidances.

Further, beginning in 2024, OIG will publish “industry-specific” guidance for different types of providers, suppliers and other participants in health care industry subsectors and ancillary industry sectors involved with federal health care programs. These will be tailored to fraud and abuse risk areas OIG identifies for each industry subsector. They will also identify compliance measures that participants can take to reduce those risks. OIG expressed that the first two sectors to receive new guidance would be Medicare Advantage plans and nursing homes. These industry specific pronouncements will likely extend beyond traditional Stark Law and Anti-Kickback Statute issues and address matters such as staffing requirements, data security and other current concerns.

While the OIG spoke to guidance, the DOJ weighed in on a somewhat more ominous note. Its pronouncement included a 20-page description of areas which should be examined by DOJ staff, including federal prosecutors, when evaluating whether an entity’s compliance program was “effective.” It seems clear from this announcement that  superficial, underfunded and ineffective compliance programs are not acceptable.

An additional sobering pronouncement came from DOJ on March 3 that it was enacting a three-year “Pilot Program Regarding Compensation Incentives and Clawbacks.” As a part of compliance enforcement, the program proposes to claw back compensation paid to certain corporate officers and employees and other individuals involved with entities which become subject to these sanctions due to compliance violations.

The DOJ noted that it will “continue to investigate and prosecute companies (and responsible individuals) who engage in such misconduct. But the department’s ultimate goal is to prevent corporate crime before it occurs. Through its policies and enforcement actions, the department strives to deter criminal conduct, incentivize the development and implementation of effective compliance programs, and promote ethical corporate cultures.” Initiatives such as the Pilot Program should be considered in the context of  indicia of “effectiveness” of a compliance program contained in the original guidance as described at the outset, a significant element of which was there being evidence of inquiries, investigation and activity by the compliance officer and committee.

The release proceeded to state that the DOJ “has considered how to reward corporations that develop solutions to incentivize better compliance through their compensation systems, including the use of clawback policies” relating to their compensation. The DOJ offered examples of these solutions, including:

• Adding incentives for employees who show full commitment to compliance processes.
• Banning bonuses for employees who do not meet compliance performance requirements.
• Disciplining employees who violate applicable law and others who both:
  • Had supervisory authority over the employees or business area engaged in misconduct
  • Knew of, or were willfully blind to, the misconduct

Management and executive staff should understand that under the Pilot Program, they could under appropriate regulatory circumstances suffer personal compensation clawbacks based on the conduct of their companies in areas subject to their supervision. While this initiative appears to apply to all entities involved in federal programs, health care is heavily involved due to the Medicare program. Those managing health care providers participating in Medicare should be aware of the new program’s impact.

It seems clear that a new era of focus on regulatory compliance is arriving. Health care providers should conduct a thorough review of the structure and operations of their compliance programs and prepare now for these new initiatives rather than learn about them after the fact. This includes working with their compliance counsel to:

• Examine the structure of the compliance program and the composition of the compliance committee and compliance officer.
• Review the sufficiency of compliance policies and procedures, being sure a team is designated and in place to conduct future compliance investigations should the need arise.
• Consider the sufficiency of existing compliance education and training.
• Consider conducting at least a limited audit of recent compliance activities.

Please contact Tom Sullivan, Walt Green or any member of Phelps’ Health Care or White Collar Defense and Investigations teams if you have questions or for advice and guidance.