The New OIG General Compliance Program Guidance: What to Know, What to Do

December 19, 2023

Most healthcare compliance professionals are well aware of the recently published HHS-OIG General Compliance Program Guidance (GCPG). Released in November 2023, the resource consolidates, modernizes, and updates compliance guidance for the healthcare industry. This Perspectives will provide an overview of the GCPG, discuss observations, and provide recommendations on how compliance professionals should begin to use the guidance.


Healthcare segment-specific compliance program guidance documents, intended to help guide newly forming healthcare compliance programs, were released in the Federal Register from the late 1990s into the early 2000s. They addressed compliance program basics as well as specific risks for industry segments including, but not limited to, hospitals, skilled nursing facilities, clinical laboratories, and small physician practices. Other compliance program guidance documents have been released over the years, including one specific to healthcare governing boards and one regarding measuring program effectiveness, and a variety of other helpful compliance resources have been developed and made available on the OIG website.

For new healthcare providers or for new compliance professionals, the information available likely seemed scattered, as there has been no overarching source for compliance guidance. The new GCPG, written for the healthcare industry as a whole, helps solve this. (Note – ICPGs, or industry-segment specific compliance program guidances, will be published by OIG starting in 2024. Stay tuned!)

One of my favorite features of the GCPG is how the document both consolidates and clarifies information. What was once in multiple separate documents is now largely consolidated into a clear, well-flowing, and pragmatically approached document. It should help newer compliance professionals “connect the dots” and should help our senior leaders and board members see the bigger picture. In addition to clarifying and condensing, the document also provides modernization. The GCPG, as well as the forthcoming ICPGs, will be updated as needed on the OIG’s website and will no longer be published in the Federal Register. The consolidation and modernization should result in clearer communication to the compliance and healthcare communities. This is evidence of the ever-evolving profession we are in! And this is a good evolution.

The GCPG provides a clear explanation of what it is and what it is not, provides a summary of pertinent regulations, presents a refreshed list of the Seven Elements and explains each one, discusses some additional areas of focus, and provides links to and explanations of other compliance resources. Along the way, the guidance provides multiple practical tips and examples. Along with the clear content and format, these user-friendly features of the guidance make it feel fresh, modern, and applicable. I particularly appreciate Section II – the discussion of selected relevant federal laws. To me as a compliance professional who is not a lawyer, the overview, discussion, checklists, and tips provided feel digestible. Compliance professionals may be able to use content from the regulation summaries in their compliance education and communication, as the clear ways they are presented should also better inform operations and finance leaders and other stakeholders about these risk and mitigation approaches.

There is a “new” arrangement of the seven elements; not new elements, but organized in a new way. Those who are more seasoned in compliance know that the way the elements are put together and organized varies slightly between compliance resources. I prefer this arrangement to the “2017 OIG Measuring Compliance Program Guidance: A Resource Guide” arrangement, which included Screening as an element. Screening, which is a control that is used related to the risk of engaging with an excluded party, is not included in the new GCPG list. This arrangement also adds risk assessment as part of the auditing and monitoring element. Some have called risk assessment the “eighth element” because it was essential to the compliance program but never listed as one of the seven elements. I have never viewed it as a separate element, but rather a foundational principle underscoring all of the other elements. Our policies, our auditing, our education and training, and so on, should all be based on our risk assessment, and also evolve as our risk assessment evolves.


There are several topics discussed within the GCPG that seem especially emphasized, and others that may have had less emphasis in the past but seem to be more of an area of focus in this new guidance.

  • Independence and authority

This is not new. The conversation is not new. The recommendation is not new. Yet there are many healthcare provider organizations and individuals with whom I have crossed paths that do not believe OIG has historically been clear on their recommendations regarding the authority, independence, and seating of the compliance officer. If the past guidance or presentations by OIG were not clear enough (which, from my perspective, were pretty clear: “report directly to CEO, board (not CFO or Legal),”[i] “sufficient autonomy from management”[ii], “report directly to the CEO and the governing body”[iii], “OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner”[iv], etc.), OIG reemphasizes and clarifies their view. See page 37, as well as the paragraph with the bold content on page 39.

  • Incentives

The discussion regarding compliance incentives is not new either – it is discussed as part of an effective compliance program in Chapter 8 of the Federal Sentencing Guidelines.[v] Yet many healthcare provider organizations struggle to have meaningful, let alone robust, approaches to compliance incentives. Incentives help us approach compliance proactively. Prioritize development and implementation of a collaborative compliance incentives plan in 2024.

  • Risk assessment and data analytics

In the overview section I shared my perspective on risk assessment as part of the foundation for the seven elements. The GCPG discusses the benefits of a collaborative risk assessment approach, such as an ERM (Enterprise Risk Management) process, encouraging risk assessment collaboration with “audit, quality, and risk management functions.” This is a wise approach to prevent silos, duplication and/or omission, and encourage engagement and partnerships across the various functions that help the organization manage and mitigate risk. It also provides several paragraphs of discussion on the importance of data analytics relative to risk identification. If you do not think in data analytics terms, leverage someone on your team or someone in your organization to thought partner with you on incorporating data analytics into not only your approach to risk assessment, but also across your compliance program. That could be, and maybe will be, an entire future Perspectives topic!

  • Medical necessity in auditing and monitoring

The term “medical necessity” is used ten times in the GCPG. Repetition can indicate priority. The auditing and monitoring section discusses the importance of auditing medical necessity, by an appropriately credentialed clinician, as part of claims reviews/audits. I have long taught on the importance of having a diversity of skill sets in the compliance program. Compliance programs may need to think beyond their usual ways of performing billing and coding audits with billers and coders and include medical necessity auditing by a clinician as part of the audit plan.

  • Effectiveness assessment

Since effectiveness is the goal, organizations should have an intentional approach to assessing the effectiveness of the compliance program. From my professional perspective, this would include both a self-assessment element, for which there are many resources including the OIG resource referenced in the GCPG, Measuring Compliance Program Effectiveness: A Resource Guide,[vi] and an every-few-years external assessment. This blended approach balances time, pragmatism, resource availability, and the importance of both self-reflection and objectivity.

  • Reporting to the government

Like the rest of the document, the reporting to the government discussion provides a high-level but understandable view of self-reporting. Self-reporting can obviously be overwhelming for compliance officers and organizations, and this section is a good place to start navigating reporting to the government. And this is something you will want to work on with counsel.

  • Adaptations for large and small entities

The GCPG includes helpful and pragmatic guidance for both large and small organizations. I think the name of the game here is common sense and creativity.

  • Other compliance considerations: quality and safety

If you thought “medical necessity” was referenced a lot at ten times, the word “quality” appears in the GCPG fifty-eight times! This is certainly an area of increased focus that healthcare compliance programs will need to include going forward.

It was not clear to me when I first entered the healthcare compliance profession pivoting from my nursing career, why quality and safety risk were seemingly absent from the range of risks with which compliance was concerned. I assume it was because it was not viewed as a fraud, waste, or abuse risk. As healthcare compliance has evolved, we have seen more and more references to quality care and its connection to the False Claims Act; not just regarding unnecessary services or excessive services that should not be billed, but also relating to billing of what was determined to be substandard or worthless services. From policies to operations engagement to Compliance Committee to risk assessment, compliance professionals need to widen their purviews to include quality and safety in their compliance program approach if they have not already done so.

Thoughts on how to use the guidance

If you have not yet read it in its entirety, read it and take notes. I first skimmed it to get an overview, then I read and took notes to help me digest. Then I printed it and saved it on my desktop for ready reference. This is a document we will want to keep reviewing.

  • Remember what it is and what it is not

It is voluntary guidance. It is not meant to be a model compliance program. Use it as a guide and remember that your compliance program needs to be tailored for the size and complexity of your organization and based on your risk assessment.

  • Communicate with your leadership

Include the new GCPG in discussions with and in your next presentations to your leadership, Compliance Committee, and Board. Provide both an overview of the what and the why. Provide them with the link and encourage them to review it. Discuss specifics of the guidance relative to your compliance program. How does this change your priorities for 2024? How does it reinforce directions you have been planning?

  • Think and plan

As you review and mull over the GCPG, consider how you can use the guidance as one of the tools for assessing your program’s effectiveness and how some of the tips and ideas within could impact your approaches to some of your program elements. Make these plans with your Compliance staff and/or Compliance Committee. Consider documenting your program improvement plans to be able to track progress.

  • Stay updated

Stay in front. Things are always changing. Find ways to stay informed, communicate new information to stakeholders, and keep your program dynamic and updated. Subscribe to listservs, review enforcement actions, read relevant government agency news, get involved in the compliance community and network. Remember that the ICPGs will be rolling out in 2024 with specifics for your and other industry segments.





[v] 2018 Chapter 8 | United States Sentencing Commission

