A New Role for Compliance Programs in HHS-OIG Resolutions of Non-compliant Conduct

Ryan Meade
Director of Regulatory Compliance Studies at Loyola University Chicago School of Law


A recent commentary from the U.S. Department of Health & Human Services’ Office of Inspector General (HHS-OIG) indicates it will not consider the existence of an effective compliance program as a positive factor in resolving civil non-compliance but it will count the absence of an effective compliance program as a negative factor in the resolution.  http://www.oig.hhs.gov/exclusions/files/1128b7exclusion-criteria.pdf  HHS-OIG has gone beyond making compliance programs mandatory through its settlement power.  It has sent a clear signal to the health care industry that compliance programs are expected to be as much a part of day to day business as treating employees fairly or making sure elevators work.  This is a subtle but important new twist on HHS-OIG’s position on compliance programs and surprisingly pivots away from the incentives offered under the Federal Sentencing Guidelines for having effective compliance programs.  Under the Federal Sentencing Guidelines (Chapter 8), having an effective compliance program lowers a convicted organization’s culpability score, thereby decreasing criminal penalties.  HHS-OIG appears no longer willing to parallel these incentives in their resolutions.

HHS-OIG has long used its authority to exclude individuals and entities from participation in federal health care programs as leverage to get organizations to adopt compliance programs even when the law does not require them.  HHS-OIG’s most frequent approach in resolving serious instances of non-compliance is to ask the organization to adopt a “Corporate Integrity Agreement” (CIA) in exchange for HHS-OIG foregoing the option of excluding the organization from participation in the Medicare and Medicaid programs.   CIAs usually require re-designs in the organization’s compliance programs (or adoption of a compliance program if there isn’t one), stepped up education and auditing, and mandatory outside reviews and monitoring.  Since exclusion from federal health care programs effectively closes down a health care provider, HHS-OIG has been hugely successful in getting health care organizations to adopt compliance programs proactively, if for no other reason than to avoid CIAs if there is need to resolve serious non-compliance.

Not everyone resolving a regulatory matter with HHS-OIG received an offer that allowed them to escape exclusion.  Several thousand individuals and organizations have been excluded from participation in federal health care programs since the mid-90s in instances when HHS-OIG thought that their continued participation in federal health care programs posed a high risk to federal funds or federal beneficiaries.  Although it has been mostly a guessing game as to whether HHS-OIG would require a CIA, exclude the individual or entity, or give a release with no CIA, clear trends emerged over the years and there were helpful (but non-binding) criteria published in 1997 (See, 62 Fed. Reg. 67,392 (December 24, 1997)) along with a variety of Open Letters from the Inspector General.  One trend which seemed to hold was that organizations that demonstrated a strong and effective compliance program were given valuable resolution credit for their efforts at being good corporate citizens.  (See for example, HHS-OIG “An Open Letter to Health Care Providers,” March 9, 2000: “When False Claims Act liability results from such a disclosure, the OIG can be more flexible in considering the terms of a CIA in light of the demonstrated effectiveness of the provider’s compliance program.”)

On April 18, 2016, HHS-OIG rescinded and replaced its 1997 non-binding criteria with a new set of criteria, aptly and plainly named, “Criteria for implementing section 1128(b)(7) exclusion authority.”  The statutory reference is to Section 1128 of the Social Security Act (42 U.S.C. 1320a–7), which grants the Secretary of HHS permissive authority to exclude individuals and entities for a laundry list of non-compliant conduct.  The 2016 criteria set out considerations for how HHS-OIG will assess the level of risk the organization poses to federal health care programs.  The level of risk impacts the severity of the resolution.  There are four categories of considerations: (1) nature and circumstances of the conduct; (2) conduct during the government’s investigation; (3) significant ameliorative effects; and, (4) history of compliance.  It’s the last category’s commentary on compliance programs that has left some people in the compliance industry wondering if this is a turning point moment in health care compliance and the law.

Important to this discussion is that the 2016 criteria generally identify three ways the various considerations will be used in the government’s risk assessment: (1) indicating less risk to federal health care programs; (2) indicating higher risk to federal health care programs; or, (3) not factoring into the risk assessment.  The last category is on the order of “it doesn’t help you or hurt you,” in that even good facts under that consideration are not going to help an organization get a better resolution.  Although some considerations in the various criteria are silent as to which of the three impacts the factor will have on the government’s risk assessment of the organization, most of the considerations are grouped into one of these three.

In the context of the government’s risk calculation, the 2016 criteria address compliance programs under the “history of compliance” category.  HHS-OIG sets out two distinct bullet points about compliance programs on the very last page of the document:

  1. “The existence of a compliance program that incorporates the U.S. Sentencing Commission Guidelines Manual’s seven elements of an effective compliance program does not affect the risk assessment.” (emphasis added)
  2. “The absence of a compliance program that incorporates the U.S. Sentencing Commission Guidelines Manual’s seven elements of an effective compliance program indicates higher risk.” (emphasis added)

These two bullets need to be read together.  Having an effective compliance program will no longer get a health care provider credit or a lighter resolution (“the existence…does not affect the risk assessment”), but not having an effective compliance program will count against an organization and suggest a tougher resolution (“the absence…indicates higher risk”).  What HHS-OIG appears to be saying is that compliance programs are now of such a high degree of expectation from the government that having one doesn’t help an organization in negotiating fines, penalties, and releases.  In other words, you will not get credit for something you are already expected to be doing.  This is not only reinforcing compliance programs as mandatory in the sense of “it must be done,” but also emphasizing that compliance programs are expected to be so common place that having a robust compliance program is not something the government sees as being extraordinary.  This is perhaps not an unexpected move in that it is matching industry expectations for compliance programs as being a permanent part of administration, but it is an important shift in thinking from HHS-OIG’s previous view on giving credit for an effective compliance program.