OIG’s first-ever General Compliance Program Guidance covering all health care parties released

In November 2023, OIG released its first ever General Compliance Program Guidance (GCPG). The GCPG is a comprehensive document that applies to all individuals and entities involved in the health care sector.

Historically, OIG has maintained similar industry-specific compliance program guidance documents (ICPGs) applicable to individual industry subsectors, such as hospitals and pharmaceutical manufacturers. However, not every subsector was previously covered by an ICPG. The GCPG changes that framework by addressing key legal authorities, compliance program infrastructure, and compliance considerations for all entities involved in the health care industry.

OIG will also be publishing new ICPGs starting in 2024 for different types of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to Federal health care programs. ICPGs will be tailored to fraud and abuse risk areas for each industry subsector and will address compliance measures that the industry subsector participants can take to reduce those risks.


The GCPG’s content is a high-level amalgamation of OIG’s existing guidance that may be particularly useful for entities and individuals who are less experienced analyzing health care compliance issues. To that end, the GCPG is written in a corporate compliance manual-style format, enriched with graphics and practical tips that make it a helpful guide for standing up a compliance program. For example, the description of the fraud and abuse laws is accompanied by “Key Questions” that OIG recommends for analyzing whether an arrangement presents a risk of fraud and abuse.

The GCPG reviews the statutes that OIG enforces; describes the seven elements of a compliance program; discusses how compliance programs differ for small and large entities; reviews other compliance considerations, such as private equity ownership and payment incentives; and describes OIG resources and processes, such as corporate integrity agreements and advisory opinions.


While much of the information contained in the GCPG is not new, there are several areas where OIG has, for the first time, “said the quiet part out loud” by incorporating suggested best practices typically contained in Corporate Integrity Agreements (“CIAs”) into generally applicable guidance.

Compliance Officer

The GCPG includes strong recommendations about how the Compliance Officer’s role should be structured. More than once, and consistent with the framework adopted in CIAs, the GCPG advocates that the Compliance Officer should not have responsibility for clinical, financial, legal, or operational duties, and should refrain from offering legal or business advice or from supervising others in these areas. The GCPG also suggests that, for large entities, the Compliance Officer should report directly to the CEO or Board, and that the Board should have input into the appointment of the Compliance Officer and directly evaluate their performance and compensation.

Compliance Committee and Board Oversight

The GCPG contains an extensive description of the roles, responsibilities, and duties of the Corporate Compliance Committee. For example, the GCPG recommends that the Corporate Compliance Committee should meet at least quarterly to ensure regular oversight. In addition, the Committee should be chaired by the Compliance Officer and be comprised of the relevant leaders of both operational and supporting departments. OIG acknowledges that committee composition will vary across entities, but provides a robust list of the types of functions that could be included: Billing and Coding, Clinical and Medical, Finance, Internal Audit, Information Technology, Health Information Management, Human Resources, Legal, Quality, Risk Management, and Sales and Marketing. OIG further recommends that “[m]ember attendance, active participation, and contributions should be included in each member’s performance plan and compensation evaluation.”

Consistent with common CIA requirements, the GCPG envisions that the Compliance Officer would report to the Board on the Corporate Compliance Committee’s work and performance and recommends robust Board oversight responsibilities. For example, the GCPG suggests that the Board should be responsible for ensuring that the Compliance Officer “has sufficient power, independence and resources to implement, maintain, and monitor the entity’s compliance program and advise the board about the entity’s compliance operations and risk.” OIG further suggests that the Board have responsibility for overseeing the Compliance Committee, for evaluating the effectiveness of the overall compliance program, and for “tak[ing] every opportunity to communicate to each of its audiences its commitment to compliance.” The GCPG also recommends that the Board appoint a special Board Compliance Committee to oversee compliance, rather than just relying on existing committees (e.g., Audit Committee).

Compliance Program Resources and Infrastructure

The GCPG provides prescriptive guidance on compliance program resources and functions. With respect to resourcing, the GCPG underscores the critical need for adequate funding, resources, and staffing to ensure the effectiveness of a compliance program. With respect to activities, the GCPG suggests specific compliance activities and, in some cases, the appropriate cadence for those activities. For example, the GCPG suggests that:

  • Personnel and Board members should undergo annual and targeted role-specific compliance training covering a wide range of topics, from billing, coding, and documentation to medical necessity, beneficiary inducements, gifts, interactions with health care providers, and sales and marketing practices. Members of the Compliance Committee, the Board, and others with specific compliance roles should also receive training specific to those duties and responsibilities.

  • Policies, procedures, and training materials should be accessible and comprehensible to all within the entity. Training materials should include a mechanism for participants to ask questions about the content.

  • Entities should conduct an annual formal compliance risk assessment to identify and mitigate potential compliance risks effectively and to better design the entity’s auditing and monitoring activities. OIG provides resources for how to do a risk assessment and suggests that even small entities can execute a risk assessment on a smaller scale.

  • The compliance department should use data analytics to drive compliance programs, which starts with ensuring that the department has access to and regularly utilizes business-generated data.

  • U.S. subsidiaries of large international organizations should provide sufficient information to their parent boards about relevant laws, regulations, and compliance risks specific to U.S. operations.

  • Entities should use a centralized tool to monitor financial arrangements that may pose a risk of fraud and abuse.

“Carrots and Sticks”

The GCPG speaks of both “sticks” and “carrots” to encourage compliance. The “sticks” include well-documented disciplinary protocols that are genuinely enforced. As another example, the GCPG recommends that participation in compliance training programs be made a condition of continued employment or engagement by the entity and be a basic requirement of each employee’s annual performance evaluation or the evaluation of contractor performance. The “carrots” align with recent government guidance documents (e.g., DOJ’s 2023 Pilot Program Regarding Compensation Incentives and Clawbacks) by encouraging the integration of compensation with compliance. Specifically, with respect to compensation, the GCPG encourages entities to establish incentive compensation programs to reward ethical behavior. The GCPG also urges organizations to evaluate whether their incentive plans align with ethical and compliant practices, especially considering whether sales or commission goals inadvertently promote risky or noncompliant behavior.

Reporting to the Government

The GCPG provides general guidelines related to reporting misconduct to the government. Notably, the GCPG asserts a 60-day reporting standard: if credible evidence of misconduct is discovered and, after reasonable inquiry, the Compliance Officer or counsel determines that the evidence substantiates a violation of criminal, civil, or administrative law, then the GCPG recommends that the entity notify the appropriate government authority not more than 60 days after that determination has been made. This 60-day window mirrors the statutorily-mandated Medicare overpayment rule and tracks similar language in the 1998 ICPG for hospitals. The inclusion of the 60-day window in the GCPG reiterates OIG’s view that prompt reporting, within 60 days, of any confirmed violations of any health care law is the standard for demonstrating an entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.

Small and Large Entities

The GCPG identifies adaptations for small and large entities. OIG’s guidance for small entities includes common sense modifications to the guidance applicable to large entities. Notably, OIG emphasizes that even for smaller entities, the person designated as a compliance contact “should not have responsibility for the performance or supervision of legal services.”

Integrating Quality Oversight into Compliance

The GCPG contains some interesting statements that may encourage entities to rethink the role of compliance and how OIG’s guidance applies to them. In one notable example, the GCPG emphasizes that “quality and patient safety” oversight should be incorporated into compliance programs. In the GCPG, OIG reiterated its longstanding emphasis on the importance of quality and patient safety, including by citing to CIAs on quality of care and patient safety, as well as several OIG guidance documents on quality of care issues. As the GCPG frames the legal exposure to companies, “besides patient harm, quality and patient safety concerns, such as excessive services and medically unnecessary services, can lead to overpayment and may cause False Claims Act liability.” The GCPG reflects OIG’s views that the separation between the quality and patient safety function and the compliance function can undermine effective compliance oversight. The GCPG recommends (1) the Board receive regular reports from senior leadership responsible for quality and patient safety, (2) the Compliance Committee include members responsible for quality assurance and patient safety, and (3) the compliance auditing and monitoring function include quality audits and reviews.

Addressing Private Equity

The GCPG fires something of a shot across the bow at private equity firms and other investors by emphasizing that they are responsible for “understanding the laws applicable to the health care industry and the role of an effective compliance program,” particularly for those investors “that provide management services or a significant amount of operational oversight for and control in a health care entity.” The GCPG specifically references OIG’s concerns “about the impact of ownership incentives (e.g., return on investment) on the delivery of high quality, efficient health care” and suggests that private equity and other investors may come under scrutiny for how they do or do not incentivize compliance.


Overall, the GCPG aggregates rather than adds to OIG’s existing guidance. For those who are less familiar with health care regulatory issues, it stands out for its breadth and accessibility. For those who are more experienced, it stands out for the fact that it incorporates many of OIG’s suggested best practices, for the first time, into a generally applicable guidance document. As it develops the ICPGs, OIG solicits feedback or suggestions for risk areas specifically related to the different types of providers, suppliers, and other participants in health care industry subsectors that will be covered by ICPGs. Feedback may be submitted to compliance@oig.hhs.gov.

If you have any questions about the GCPG, please contact any of the authors of this alert or the Hogan Lovells attorney with whom you work most closely.


Authored by Ron Wisor, Tom Beimers, Eliza Andonova, Laura Hunter, and Mike Dohmann

