Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG)

By Shawn DeGroot

“As previous OIG compliance guidance(s) are retired to ‘archival’ status, we all should recognize that the original guidance may have been the most important document ever written for healthcare compliance professionals.” — Roy Snell 

In 1998, the Office of Inspector General (OIG) issued its first General Compliance Program Guidance (GCPG). Since then, compliance officers have used it to understand how to develop a compliance program, safeguard their organizations, and ensure they operate according to all laws and regulations. 

This month, OIG published a new, user-friendly, 91-page GCPG. Like the original, it is nonbinding and voluntary – it’s meant to be a helpful reference for all individuals and entities involved in the healthcare industry. Users are encouraged to use the electronic version, which gives access to hyperlinked definitions and resource documents. Previous versions have been archived on the OIG website and will no longer be published in the Federal Register. Industry-segment-specific compliance program guidances (ICPGs) will also be developed for particular sectors of the federal healthcare programs.

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

  • Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether or not an arrangement violates the federal anti-kickback statute. 
  • Exclusions (page 26): OIG recommends that any entity participating in Medicaid should check the state Medicaid program exclusion list for each applicable state. States vary widely in how well-known and how accessible their exclusion databases are, which makes validating Medicaid exclusion status a cumbersome process.
  • HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
  • Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These are the people who should, at a minimum, receive new and/or revised policies and procedures before they are implemented.
  • Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position the compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, Board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.”

  • Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome. The OIG writes:

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

  • Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on members, roles, and direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that Boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
  • Board Responsibilities (page 43): The OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “The Board should also ensure that the compliance officer has direct and uninhibited access to the Board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it’s effective and promotes transparency. 
  • Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and addresses issues identified through auditing and monitoring. The OIG also suggests that training audiences have the ability to ask questions.
  • Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all healthcare compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 
  • Large and Small Entities (page 65): There’s a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

  • The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims.   
  • In absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation.   
  • Regarding exclusions, an excluded individual or entity, or an employee with an invalid license, can have a significant negative impact on a small entity. Small entities should monitor compliance in this area to reduce that risk.

In large entities:   

  • The OIG repeats the need for compliance officers to report directly to the Board, in order to send a message and establish the proper tone for all relevant individuals.  
  • For the first time, the OIG says that very large organizations controlled by an international parent organization need to have sufficient information about applicable law. 
  • Quality and Safety (page 76): In the final section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks are associated with financial incentives and with discrimination against more costly patients, and the OIG says compliance officers should include these areas in risk assessments. A new term introduced on page 78 is “new entrants.” The term refers to technology companies, new investors, and non-traditional service providers in healthcare settings that may not be aware of healthcare industry regulations. To identify and prevent fraud and abuse risks in a complex healthcare environment, compliance officers should simply follow the money.

As the compliance industry evolves, the OIG appears to be right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.  
