The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) is one of the top federal offices tasked with enforcing hospitals’ compliance obligations. As a result, hospitals must develop their compliance policies and procedures with the OIG’s oversight in mind. In order to avoid unwanted scrutiny (and the potential for significant administrative or civil penalties), hospitals must have a comprehensive understanding of what it takes to be compliant, and they must tailor their compliance efforts to the OIG’s expectations. 

“While hospitals are facing unprecedented challenges in 2021, the OIG has made clear that it will not be turning a blind eye to hospitals’ compliance obligations.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C. 

This, as you might imagine, is easier said than done. There are numerous aspects to OIG compliance for hospitals. Not only must hospitals meet their compliance obligations, but they must thoroughly document their compliance efforts as well. Inadequate documentation is among the most-common triggers for enhanced OIG scrutiny; and, even if a hospital is compliant, the inability to demonstrate compliance can still lead adverse outcomes as the result of OIG audits and investigations. 

What Does it Take for Hospitals to Establish (and Maintain) OIG Compliance? 

So, this begs the question: What does it take for hospitals to establish (and maintain) OIG compliance? Here are 10 keys to developing an effective OIG compliance program: 

1. Customized Policies and Procedures 

In order to meet the OIG’s stringent compliance standards, hospitals need to develop customized policies and procedures. They cannot rely on off-the-shelf products, nor can they simply derive their compliance programs from those implemented by other facilities. While most hospitals have the same basic starting point, when it comes to the details, each hospital must ensure that its policies and procedures reflect the unique aspects of its operations. 

While we’re on the subject of policies and procedures, documentation is an extremely important aspect of OIG compliance. This is something we will touch upon again in the discussion that follows. Hospitals need to thoroughly document all compliance-related practices and protocols, they must document their implementation efforts, and they must document their compliance efforts on an ongoing basis.  

2. Designation of a Chief Compliance Officer (or Equivalent)

The OIG expects all health care providers to employ individuals who are tasked specifically with overseeing their compliance efforts. For hospitals, this typically means designating a chief compliance officer (or equivalent). The title of the position is not nearly as important as the substance of the role. 

While a hospital’s chief compliance officer does not necessarily need to devote 100% of his or her time to compliance, hospitals must afford their compliance officers sufficient time and autonomy to oversee their OIG compliance programs effectively. In many circumstances, this will mean making a full-time hire. In any case, the compliance officer should have a well-documented role and responsibilities, and the compliance officer should be able to execute his or her duties without undue oversight or influence. 

3. Standards of Conduct for Internal Personnel 

In addition to adopting compliance policies and procedures, hospitals must also adopt standards of conduct for their internal personnel. In the OIG’s Model Compliance Plan for Clinical Laboratories, the office states: 

“Laboratories should develop standards of conduct for all employees which clearly delineate the policies of the laboratory with regard to fraud, waste and abuse and adherence to all guidelines and regulations governing federally funded health care programs. These standards should be made available to and understandable by all employees (e.g., translated into other languages, if necessary) and regularly updated as the policies and regulations of these programs are modified.”

While the OIG’s Model Compliance Plan is specifically geared toward laboratories, this piece of guidance (among many others in the plan) applies equally to hospitals and other types of providers. In fact, the larger the facility, the more important the adoption and enforcement of standards of conduct becomes. 

4. Compliance Program Implementation and Training

Following the development of customized compliance policies and procedures, hospitals must effectively manage a thorough implementation process, and they must provide adequate training to all employees. What is necessary in terms of training will vary between roles, with physicians and nurses, for example, needing a very different training program from that developed for in-house billing administrators. 

In terms of implementation, the steps involved range from posting signs throughout the facility to hiring a chief compliance officer and clearly defining his or her role. In order to be maximally effective, compliance policies and procedures should be developed with implementation in mind—as this will help ensure that all policies and procedures can be adopted both efficiently and effectively. 

5. Appropriate Contract Terms with Independent Physicians and Other Third Parties 

For hospitals, another key aspect of OIG compliance is effective third-party contract management. This includes both ensuring that contracts contain appropriate terms (while excluding terms that violate the Anti-Kickback Statute or Eliminating Kickbacks in Recovery Act) and monitoring contractual compliance on an ongoing basis. If a physician or other third party violates the terms of a contract with the hospital, and if this violation presents an OIG compliance risk, the hospital must be able to both (i) promptly identify the issue, and (ii) take appropriate responsive action based on the scope and severity of the issue at hand. 

Third-party contractual issues are among the most-commonly overlooked compliance concerns for hospitals and other health care providers. While most providers know to focus on their internal compliance needs, many overlook the risk of third parties’ acts or omissions triggering OIG scrutiny. But, this is a very real concern, and the OIG has made clear that no amount of contractual protections or liability-shifting will obviate a provider’s direct obligation to maintain comprehensive statutory and regulatory compliance.  

6. Due Emphasis on Billing Compliance 

The OIG works alongside the Centers for Medicare and Medicaid Services (CMS), the U.S. Department of Defense (DOD), the U.S. Department of Justice (DOJ), and other agencies to strictly enforce hospitals’ billing compliance obligations under Medicare, Medicaid, Tricare, and other government health care benefit programs. In terms of substantive issues, billing compliance is easily among the OIG’s top enforcement priorities. 

With this in mind, hospitals must undertake extensive and comprehensive efforts to ensure that their billing compliance programs are adequate. Again, developing custom-tailored policies and procedures is extremely important, as is thorough implementation. All internal billing personnel must receive both initial and ongoing training (in addition to receiving constant oversight), and hospitals must thoroughly vet third-party billing service providers prior to entering into carefully-drafted service agreements. 

7. Monitoring of OIG Fraud Alerts 

The OIG regularly issues fraud alerts, and it expects hospitals to monitor these alerts and update their compliance policies and procedures as necessary on an ongoing basis. Failure to undertake adequate efforts to prevent fraud can lead to administrative penalties up to and including health care benefit program exclusion. Facilitating fraud (whether knowingly or unknowingly) can also lead to OIG enforcement action for hospitals; and, depending on the circumstances involved, this can potentially precipitate civil or criminal penalties. 

Some examples of recent OIG compliance fraud alerts that have triggered obligations for hospitals (minimally reviewing the sufficiency of their existing programs, and potentially requiring the adoption of new policies and procedures) include: 

• Fraud schemes related to COVID-19 testing, treatment, and vaccination 

• Genetic testing services fraud 

• Consumer fraud in the HealthCare Marketplace (for “Obamacare” insurance) 

• Fraud targeting patients with diabetes and in other specific populations 

• Medical identity theft 

8. Internal Compliance Auditing 

Internal compliance auditing is another key component of effective OIG compliance for hospitals. After implementing custom-tailored policies and procedures, hospitals must continue to monitor the effectiveness of their compliance programs on an ongoing basis. In other words, simply having a compliance program is not enough. Managing compliance is an ongoing process, and the OIG expects hospitals to both (i) proactively identify compliance risks, and (ii) promptly remedy compliance failures. 

Just like their compliance programs, hospitals must custom-tailor their auditing efforts to the unique size, scope, and nature of their operations. Audits should generally be managed by the facility’s chief compliance officer, with the oversight of the hospital’s outside compliance counsel as warranted. In addition to conducting internal compliance audits on a periodic basis, hospitals should also conduct targeted internal audits whenever actual or potential compliance concerns arise. 

9. Compliance-Based Promotions, Disciplinary Actions, and Terminations   

The OIG has also made clear that it expects health care providers to take compliance into account when making employment-related decisions. For example, in its Model Compliance Plan for Clinical Laboratories, the OIG states, “compliance programs should require that the promotion of and adherence to compliance be an element in evaluating the performance of managers and supervisors.” The OIG goes on to state that, “[a] viable compliance program must include the initiation of corrective and/or disciplinary action against individuals who have failed to comply with the laboratory's compliance policies,” and that, “[c]ompliance programs should prohibit the employment of individuals who have been convicted of a criminal offense related to health care . . . .”

Again, while this language is specifically targeted toward laboratories, the OIG’s guidance is pertinent to all types of healthcare providers. Providers such as hospitals that have large numbers of employees must be especially careful to ensure that their employment practices meet the OIG’s expectations. 

10. Ongoing Documentation of Compliance and Compliance Needs Analysis 

Finally, as discussed above, establishing OIG compliance is not a one-time event. Rather, it is a process that requires both (i) continual assessment of compliance efforts, and (ii) ongoing analysis of compliance needs. Hospitals have an obligation to understand and address their compliance burdens on an ongoing basis, and those that do so can significantly mitigate their risk of facing OIG scrutiny.