On November 6, 2023, the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) published the General Compliance Program Guidance (GCPG) as a revised reference guide for the healthcare compliance community and other healthcare stakeholders. As noted in our previous On the Subject, the GCPG is part of the ongoing OIG modernization initiative and, like previous compliance program guidance, is nonbinding, voluntary guidance. Nonetheless, OIG guidance has a significant influence on how compliance programs and efforts are designed and implemented.

Importantly, the GCPG specifically references technology companies as “new entrants to the healthcare sector” and notes “[t]he growing prominence of private equity and other forms of private investment” in the sector. Digital health companies and digital health programs within larger institutions, and investors of all types, should take note—and take action.

IN DEPTH

WHAT IS THE GCPG?

The GCPG is the first of what will be many updated compliance program guidance documents.

Historically, OIG issued various guidance documents to specific industry participants, such as hospitals, nursing homes and drug manufacturers. These documents are now between 15 and 25 years old. Earlier this year, OIG announced a plan to update these documents, with the first being the GCPG.

The GCPG is a general overview of compliance program issues that apply across the healthcare industry spectrum, such as the seven elements of a compliance program as well as a summary of the fraud and abuse laws and OIG resources. In the GCPG, OIG also describes the differences between how large and small organizations may structure their compliance programs and address attendant risks. OIG has said that industry-specific compliance program guidance documents are in the works, with guidance for managed care and nursing homes expected to be published in 2024.

WHAT DOES THE GCPG SAY ABOUT PRIVATE INVESTORS AND DIGITAL HEALTH?

Despite its modest title, the “Other Compliance Considerations” section at the end of the GCPG is where we find the new discussion that applies to the digital health sector and investors. The section covers several “generally applicable risk areas”:

• Quality and Patient Safety
• New Entrants in the Health Care Industry
• Financial Incentives: Ownership and Payment – Follow the Money
• Financial Arrangements Tracking

While quality and patient safety have long been areas of interest to OIG (the cited reference for existing OIG guidance on this subject is nearly 20 years old), the inclusion of these topics in the compliance program is different and discussed in more depth in our On the Subject linked above.

The remaining areas appear not to have warranted independent OIG guidance in the past. None of these three areas is a traditional core subject of a compliance program; rather, they appear to represent conditions that OIG believes could negatively impact compliance, and so, are factors organizations should specifically consider when developing and implementing a compliance program.

OIG’s concern about new entrants in the industry will sound familiar to any healthcare professional:

New entrants are often unfamiliar with the unique regulations and business constraints that apply in the health care industry, as well as the range of Federal and State government agencies that regulate health care and enforce fraud and abuse laws. Simply put, business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability.

Accordingly, OIG urges new entrants to educate themselves about the specific legal and regulatory requirements that pertain to healthcare organizations so that they can fully appreciate the importance of compliance programs and efforts and, of course, develop and implement effective compliance programs.

OIG’s description of new entrants is not entirely surprising, and includes technology companies, new investors, organizations providing nontraditional services (such as social services) and healthcare organizations diversifying into unfamiliar sectors, such as “developing health care technology.” This last category is an important reminder that compliance concerns are not uniform across the healthcare sector and may need fresh eyes to ensure a fulsome analysis.

OIG’s concern about financial incentives and investors raises more questions than it answers. In this section, OIG suggests that the financial incentives built into certain ownership structures could undermine compliance efforts:

The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives (e.g., return on investment) on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with Federal fraud and abuse laws and that they are delivering high quality, safe care for patients. An understanding of the laws applicable to the health care industry and the role of an effective compliance program is particularly important for investors that provide management services or a significant amount of operational oversight for and control in a health care entity. (emphasis added)

OIG’s discussion in the GCPG on ownership incentives and private investment as having “growing prominence” is somewhat curious. Private investment in healthcare is a longstanding feature of our country’s healthcare system. The expectation that there will be a return on investment to the owners of a healthcare organization is perhaps the central feature of private investment.

OIG seems particularly concerned about management companies, which are commonplace where licensure restrictions require professional ownership of the organization providing the clinical delivery of care. While the specific reference to “private equity” implies that OIG is focused on a particular market segment, there is nothing in the language that would exclude venture-backed or other privately sponsored healthcare organizations from the scope of this guidance. Given this, the scope and implications of OIG’s concerns with private investment in healthcare remain amorphous. Are public companies free of additional scrutiny, or could certain incentive-based stock ownership plans of public companies be problematic as well? Does the increased scrutiny apply to operators that are also owners? Are there some forms of private investment that are more concerning to OIG than others? Is simply having an expectation of a return on investment worrisome to OIG, or are other factors needed to pose more risk?

In addition, OIG recommends that private investors should play a role in compliance oversight. This statement also raises questions, such as: Is the scope of involvement limited to the ownership incentives that may implicate compliance concerns, or is the oversight broader? Should different classes of investors be expected to take on more or less responsibility here? Some investors are passive and do not have involvement in the organization or governance rights that permit their involvement—are they excluded? It is possible that OIG is concerned with investors that have specific board representation or that have an active role in management because of the fiduciary duties and direct participation in governance or management that go along with those roles. The language can be read, however, to demonstrate a general expectation of compliance oversight by all investors.

Perhaps reflective of the variety of ways that these areas for consideration could impact compliance efforts, OIG notes that this section of the GCPG will be subject to updates and additions “based on general compliance concerns identified through OIG work, by the enforcement community, as well as feedback received from industry stakeholders.” Accordingly, we may see further guidance in the future.

CONCLUSION AND TAKEAWAYS

While OIG’s discussion of new entrants and private investment is short, the implications could be far-reaching and signal the beginning of increased scrutiny by OIG of the healthcare marketplace and its private ownership foundation. OIG’s high-level view appears to be that there is something about the incentives built within private investment structures that could negatively impact compliance efforts. While this high-level view is useful, many questions remain about the impact of OIG’s view for the healthcare community.

The strategies for healthcare organizations to mitigate their risks are the same now as they were in the past:

• Take steps to ensure that their board members and executives are trained on the healthcare legal and regulatory landscape
• Work to ensure that the organization has an effective compliance program and that the board exercises appropriate oversight of that program
• Monitor further OIG pronouncements for further guidance in this area

Compliance professionals should also look to enforcement actions to see how the enforcement agencies utilize these areas of consideration in their investigations and enforcement efforts. In this regard, we have seen more False Claims Act cases name private equity sponsors as defendants and allege that the sponsor had a role in the alleged misconduct, or that the sponsor knew about the alleged misconduct and permitted it to continue. We expect this trend to continue and perhaps accelerate to include other investors or management entities in response to OIG’s statements in the GCPG.

Similarly, private investors should note that OIG’s statements in the GCPG are consistent with recent action taken by CMS as it pertains to reporting of ownership and control data on the CMS 855A enrollment form, which we discussed in a previous On the Subject. On November 17, 2023, the US Department of Health and Human Services published a final rule requiring nursing facilities participating in Medicaid and skilled nursing facilities participating in Medicare to disclose detailed ownership, managerial, governance and personnel qualifications, with a particular focus on private equity and real estate investment trust (REIT) ownership. In a press release accompanying the final rule, CMS cited research suggesting that private equity ownership is associated with poorer staffing conditions at nursing facilities and resultant decreases in quality of care. CMS subsequently expanded the detailed disclosure requirements to other providers who are required to maintain an 855A enrollment record in order to receive reimbursement from Medicare. The reported data will be made public in an effort to increase transparency and provide consumers with more data to evaluate facilities and make informed choices about where to obtain care. It has yet to be determined whether enrolled providers and suppliers who disclose private equity and/or REIT ownership will be subject to enhanced scrutiny, including increased audit risk.

Finally, organizations (including trade associations) should take advantage of OIG’s invitation to provide feedback to OIG.