HHS-OIG Issues Long-Anticipated General Compliance Program Guidance for All Health Care Stakeholders

In Short 

The Situation: On November 6, 2023, the Office of Inspector General ("OIG") of the U.S. Department of Health and Human Services ("HHS") released its "General Compliance Program Guidance" ("GCPG"). The GCPG provides guidance that is generally applicable to "all individuals and entities" in the health care industry, from providers to manufacturers, suppliers, and investors.  

The Action: While much of the GCPG is a consolidation of familiar guidelines and principles, OIG also recommends adding topics, such as quality and patient safety, to compliance reviews and expressly considers the impact of ownership and payment incentives on patient care. Like all HHS-OIG compliance documents, the GCPG is not binding on any individual or entity. 

Looking Ahead: The GCPG is the first in a series of new compliance program guidance documents that OIG states it will be issuing over the course of the next few years, with more industry-specific guidance beginning in 2024.

In April 2023, HHS-OIG issued a Federal Register notice that it would be issuing a GCPG by the end of 2023, followed by "industry-specific" compliance program guidance, tailored to fraud and abuse risk areas for particular industry subsectors. In this notice, OIG also announced that it would no longer publish compliance guidance in the Federal Register, but instead would publish and update guidance on the OIG website, which it believes to be more user friendly.  

The GCPG, published on the OIG website, is a departure from OIG's prior compliance program documents, which provided compliance guidance to specific subsectors of the health care industry, e.g., Compliance Program Guidance for Hospitals (63 Fed. Reg. 8987; February 23, 1998) and Compliance Program Guidance for Pharmaceutical Manufacturers (68 Fed. Reg. 23731; May 5, 2003). These subsector-specific guidelines have been widely studied and in many cases applied across different health care sectors that were not the subject of the particularized guidance. As a result of feedback received over the years, OIG issued the GCPG as a general reference guide that applies to "all individuals and entities involved in the healthcare industry" and provides guidance on general, as opposed to industry-specific, compliance risks and compliance programs. [FR April 25, 2023.]  


The GCPG is a 91-page document, the bulk of which is a consolidation of OIG's prior guidance on a range of familiar compliance topics (as well as a helpful listing, inclusive of links, of OIG resources and processes). Those familiar compliance topics include: 

  • OIG's perspective on key federal health care laws, including the False Claims Act, Anti-Kickback Statute, Stark Law, Civil Monetary Penalties Authorities, Exclusion Authorities, the Criminal Healthcare Fraud Statute, and HIPAA. 
  • Guidance on the infrastructure of a compliance program, which covers the traditional "seven elements" of an effective compliance program—elements that are based on the U.S. Sentencing Guidelines and that have been part of OIG's compliance program guidance for more than 25 years since it first issued its Compliance Program Guidance for Hospitals.  

Note, however, that GCPG's summary of the Sentencing Guidelines' seven elements also reflects an expansion in certain areas. For example, the GCPG adds risk assessments to element six, now "Risk Assessment, Auditing, and Monitoring," while acknowledging that "conducting formal risk assessments may be new to many compliance programs." Risk assessments have been a standard element of OIG's corporate integrity agreements for several years. 

While the GCPG is a compilation of prior guidance, it does go further in that it also sets forth a set of "Other Compliance Considerations," which may purport to expand the seven elements to eight, by recommending that entities incorporate quality and patient safety concerns into their compliance programs. The GCPG also flags other areas the OIG identifies as areas of risk concern, such as compliance learning curves for "new entrants" into the health care arena, the impact of financial incentives on compliance, and the importance of tracking financial arrangements.  

Among these compliance considerations, we highlight the following: 

Quality and Patient Safety. OIG's recent guidance makes the explicit recommendation that health care entities "should incorporate quality and patient safety oversight into their compliance programs." The GCPG incorporates prior guidance, such as the OIG's guidance "Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors," and also makes specific recommendations for including quality and patient safety personnel on the Compliance Committees and including quality and patient safety into compliance audits and reviews.  

Notably, the GCPG observes the intersection between quality and False Claims Act concerns: "Besides patient harm, quality and patient safety concerns, such as excessive services and medically unnecessary services, can lead to overpayments and may cause False Claims Act liability." 

Financial Incentives. The GCPG gives significant attention to financial arrangements and contends that "understanding how funds flow through business arrangements and the varying incentives created by different types of funding structures is key to unearthing potential compliance issues, implementing effective monitoring, and identifying preventive strategies." OIG notes that "ownership incentives" and "payment incentives" can impact the quality and volume of care and that these incentives should be "fully understood" and incorporated into compliance program design.  

Notably, the GCPG explicitly mentions "private equity" and notes that "[t]he growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives (e.g., return on investment) on the delivery of high quality, efficient health care." The GCPG recommends that health care entities, "including their investors and governing bodies," "scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws and that they are delivering high quality, safe care for patients."  

Tracking Financial Arrangements. OIG observes that health care entities may manage "a significant volume of financial arrangements and transactional agreements, including those between referral sources and referral recipients," which can implicate Federal fraud and abuse laws, including the Anti-Kickback Statute and Stark Law. OIG recommends "ongoing monitoring of compliance with the terms and conditions set forth in the agreements." Among other recommendations, OIG states that "entities should consider what type of centralized arrangements tracking system to establish, depending on the size of their organization, to ensure that proper supporting documentation is maintained, regular legal reviews are conducted, and fair market value assessments are performed and updated routinely as appropriate." 

OIG announced that it anticipates issuing regular updates to the GCPG in response to feedback, as well as issuing further industry-specific compliance program guidance, in calendar year 2024. The industry-specific guidance will be tailored to fraud and abuse risks for specific health care subsectors and should address compliance measures that different providers, suppliers, and other subsector participants can take to reduce these risks.

Three Key Takeaways 

  1. The GCPG is the first in a series of upcoming compliance program guidance documents that OIG reports it will issue to modernize the accessibility and usability of its publicly available resources, including OIG's Compliance Program Guidance documents. OIG advised that it will be issuing additional industry-specific guidance by the end of 2024.
  2. The GCPG consolidates existing guidance on several key federal health care fraud and abuse laws and the traditional seven elements of an effective compliance program. The GCPG also centralizes references to a wide range of other OIG resources and processes. 
  3. This recent guidance provides insight into several areas of OIG focus (including quality and patient safety, and the impact of ownership and payment incentives on health care services), and suggests that these considerations be accounted for in the compliance setting.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.