Why Healthcare Compliance Programs Cannot Wait

The numbers from 2025 are not abstractions:

  • $6.8 billion in DOJ False Claims Act settlements and judgments — the highest in the statute's history. 84% from the healthcare industry.
  • 1,297 qui tam whistleblower filings in 2025 — the highest ever recorded. Whistleblowers are your employees, your billing staff, your former contractors.
  • $13,946–$27,894 per false claim penalty (2024), plus treble damages. A provider submitting 10,000 claims per year with systemic billing errors is not facing a fine — they are facing an existential exposure.
  • 75,000+ individuals and entities on the OIG exclusion database. Civil monetary penalties of up to $10,000 per item or service (higher after inflation adjustment) apply to claims for anything furnished by an excluded person, and most providers discover the exclusion during an audit, not before hiring. OIG's guidance is to check the LEIE before hiring or contracting and monthly thereafter.
  • 41% of healthcare organizations have only partial or incomplete HIPAA safeguards (2024 study). The HIPAA Security Rule NPRM published in January 2025 proposed making every implementation specification required (dropping the "addressable" category), with explicit encryption of ePHI at rest and in transit, multi-factor authentication, a technology asset inventory and network map, and periodic vulnerability scanning and penetration testing. It is driving compliance program overhauls across the industry.

The OIG's November 2023 General Compliance Program Guidance (GCPG) — the first comprehensive update in over two decades — made one thing explicit: a compliance program that exists on paper but is not operational is not a mitigating factor. It is evidence of neglect.

What Is a Healthcare Compliance Program?

A healthcare compliance program is a structured organizational system for detecting and preventing violations of healthcare law — particularly the False Claims Act, Anti-Kickback Statute, Stark Law, HIPAA, and the state-law equivalents that apply to your specific operations and geography.

A compliance program is not:

  • A policy manual that sits on a shelf
  • Annual HIPAA training that staff click through in 15 minutes
  • A software platform subscription with pre-built templates
  • A checkbox that satisfies the accreditation survey and is otherwise ignored

A compliance program is an operational system — one that identifies risk before it becomes violation, creates accountability at every level of the organization, and demonstrates to regulators that if something goes wrong, the organization had the infrastructure to catch it and respond.

The OIG 7 Elements: What Your Program Must Include

The OIG General Compliance Program Guidance, updated November 6, 2023 — a 91-page manual representing the first comprehensive update in over two decades — defines seven elements of an effective compliance program. The GCPG uses "should" language (it is voluntary), but the 2023 update reflects what the DOJ evaluates when assessing whether an organization had an effective compliance program at the time violations occurred.

  1. Written Policies, Procedures, and Standards of Conduct

    A Code of Conduct that sets organizational expectations, supported by specific policies addressing your highest-risk operational areas: billing and coding, vendor due diligence, Anti-Kickback Statute compliance, patient incentive structures, telehealth documentation, and incident response. Policies must be customized to your actual clinical workflows — not template documents that describe a different organization.

  2. Compliance Leadership and Oversight

    A designated Compliance Officer with appropriate authority, resources, and independence from operational leadership. An active Compliance Committee with cross-functional representation (clinical, legal, finance, operations). Board oversight — the 2023 GCPG made board engagement a specific focus, including board education on compliance risks and the board's responsibility to ensure adequate compliance resources.

  3. Training and Education

    Training that is culturally accessible, available in multiple languages where needed, and integrated into annual performance evaluations — not a one-time event. The 2023 GCPG specifically addressed training for high-risk roles: billing staff, clinicians who document for reimbursement, and executives who sign certifications. Training that all employees receive is not the same as training that is tailored to the compliance risks of specific roles.

  4. Effective Lines of Communication and Disclosure Programs

    An anonymous reporting mechanism (compliance hotline, web portal, or equivalent) with documented whistleblower protections and a non-retaliation policy with teeth. The 2023 GCPG emphasized that a reporting mechanism that employees do not trust or use is not an effective line of communication — it is a legal formality. The test is whether employees actually report concerns through the mechanism, not whether it technically exists.

  5. Enforcing Standards: Consequences and Incentives

    Uniform consequences for compliance violations — applied consistently regardless of the seniority of the violator. Proactive incentives for compliant behavior — the 2023 GCPG specifically noted that compliance programs that only punish violations without recognizing compliant conduct create a culture of fear rather than a culture of compliance.

  6. Risk Assessment, Auditing, and Monitoring

    A proactive annual compliance risk assessment that identifies your organization's specific vulnerabilities, not a generic industry risk list. Internal auditing of the highest-risk areas (billing accuracy, clinical documentation, vendor relationships). Ongoing monitoring systems that detect emerging error patterns before they turn into submitted claims. The 2023 GCPG was explicit: risk assessments must be conducted and documented annually, and auditing must be driven by actual risk findings.

  7. Responding to Detected Offenses and Corrective Action

    A documented process for investigating potential violations, implementing corrective action, and — when required — self-disclosing to OIG or other regulators. The 2023 GCPG addressed self-disclosure directly: organizations that self-disclose are eligible for substantially reduced penalties and Corporate Integrity Agreement terms compared to organizations discovered through external investigation or whistleblower action.

The 2023 OIG GCPG: What Changed After 20 Years

The November 6, 2023 GCPG was the first comprehensive update since the late 1990s/early 2000s. Organizations that built compliance programs based on the prior guidance are operating from an outdated framework. Key changes in the 2023 update:

  • Board accountability elevated: The 2023 GCPG specifically addressed board members as recipients of compliance training and active participants in compliance oversight — not passive recipients of quarterly reports. Boards that approve compliance budgets without understanding compliance risks are specifically called out as a governance failure.
  • Risk assessment specificity: The 2023 update emphasized that risk assessments must be tailored to the organization's specific operational context — not templated from industry-generic risk lists. A hospice agency and a digital health startup have fundamentally different compliance risk profiles that require different risk assessment methodologies.
  • PE investor accountability: The 2023 GCPG directly addressed private equity investors in healthcare — noting DOJ's interest in holding PE owners accountable for compliance failures in portfolio companies. PE-backed healthcare acquisitions that have not completed compliance program assessments as part of the 100-day integration plan are carrying explicit OIG-identified risk.
  • Industry Segment-Specific Guidance (ICPGs): The OIG is rolling out ICPGs for specific provider types — Medicare Advantage organizations and nursing facilities have already received ICPGs. More are planned. Organizations in these segments must align their programs with both the GCPG and their ICPG.

Who Needs a Healthcare Compliance Program Built from Scratch

Digital Health Startups

3,724 US-founded digital health ventures are operating domestically. Startups routinely run afoul of the Anti-Kickback Statute and Stark Law with patient incentive structures, referral arrangements, and telemedicine reimbursement models that were not designed with compliance counsel engaged. VC backers increasingly require documented compliance programs as a condition of funding — not because they care about OIG guidance, but because they have seen portfolio companies destroyed by FCA investigations.

A startup compliance program is not the same as an established provider's program. It must be built to scale, address the specific risk profile of the startup's revenue model (often AKS and Stark Law with value-based care and incentive payment arrangements), and give investors the documentation they need for due diligence.

PE-Backed Healthcare Acquisitions

$140 billion in US healthcare PE deal value in 2025 across 1,153 transactions. Every acquisition requires a compliance program assessment and, where the target company's program is inadequate, a 100-day integration plan that includes compliance program build or remediation. The OIG explicitly addressed PE investors in the 2023 GCPG, DOJ has signaled its interest in PE owners' accountability, and Corporate Integrity Agreements increasingly include provisions directed at PE ownership structures.

IHS builds compliance programs for PE acquisition 100-day integration on compressed timelines — prioritizing the highest-risk areas identified in due diligence and building toward a full 7-element program over the integration period.

Established Providers with Legacy Programs

An organization that last updated its compliance program before the November 2023 GCPG has a program built on outdated OIG guidance. An organization that has never conducted an OIG-methodology risk assessment does not have element 6 of the 7-element program — it has a list of policies and a hotline. IHS conducts compliance program gap assessments against the 2023 GCPG for established providers who want an honest assessment of where their program stands against current OIG expectations.

Compliance Consulting vs. Compliance Software: What You Actually Need

Compliance software platforms — Compliancy Group (~$99/month), Accountable (~$99/month), Healthicity ($500/month and up) — provide value for organizations that have already built a compliant program and need administrative tools to manage it: BAA tracking, policy distribution, training completion tracking, exclusion screening.

Software cannot:

  • Build policies that reflect your actual clinical workflows
  • Conduct a risk assessment tailored to your specific revenue model and regulatory exposure
  • Coach your board on their compliance oversight responsibilities
  • Respond to a government investigation or develop a self-disclosure package
  • Represent you in OIG Corporate Integrity Agreement negotiations

The strategic use of compliance resources is: IHS builds the framework; your team uses SaaS for ongoing administration. Organizations that try to build a compliance program using only software are creating checkbox compliance — the type of program the DOJ specifically uses as evidence of inadequate compliance culture in FCA prosecutions.

State-Specific Compliance Mandates That May Apply to You

Beyond the OIG GCPG, several states have enacted compliance mandates that affect specific provider types:

  • New York (OMIG — 18 NYCRR Part 521): One of the most rigorous state mandates in the country. 2024 amendments require providers to report and return overpayments with no dollar threshold minimum — any overpayment, regardless of amount, must be reported and returned within 60 days of identification.
  • Florida (AHCA): Mandatory compliance program parameters for Medicaid providers. Managed care contracts require compliance attestations.
  • California: Risk-Bearing Organizations (RBOs) must register with DMHC and demonstrate financial health and compliance oversight.
  • New Jersey: Biennial inspections for surgical practices with specific compliance mandates including Safe Haven Act provisions.
  • Pennsylvania HealthChoices: Strict behavioral and physical health documentation requirements including telehealth equipment security and encounter form auditing.

The IHS Compliance Program Development Process

Phase 1: Gap Assessment and Risk Analysis

IHS conducts a comprehensive assessment of your current compliance posture against the 2023 OIG GCPG 7 elements. For organizations building from scratch: the gap assessment establishes the baseline and identifies the highest-risk areas that must be addressed first. For established organizations: the assessment produces an honest gap analysis against current OIG expectations — not a recitation of what your program already includes.

Phase 2: Policy and Procedure Development

IHS develops or revises the core compliance documentation: Code of Conduct, billing and coding compliance policies, vendor due diligence procedures, Anti-Kickback Statute compliance framework, telehealth documentation and security requirements, and incident response procedures. All policies are customized to your specific clinical workflows — not adapted from templates that describe a different organization.

Phase 3: Compliance Officer Appointment and Support

IHS supports the designation or hiring of a Compliance Officer — including position description development, role scope definition, and onboarding. For organizations that cannot yet support a full-time CCO, IHS provides fractional Chief Compliance Officer services during the program build period and structures the role for future internalization.

Phase 4: Training and Education Rollout

IHS develops role-specific training programs — not one-size-fits-all HIPAA modules. Training for billing staff focuses on FCA exposure and documentation accuracy. Training for clinicians focuses on Anti-Kickback Statute red flags, referral documentation, and telehealth compliance. Executive and board training focuses on oversight responsibilities and compliance risk governance.

Phase 5: Reporting Mechanism Implementation

IHS implements anonymous compliance reporting mechanisms appropriate to the organization's size and structure — selecting and configuring hotline or web-based reporting tools, developing non-retaliation policies, and establishing the intake and investigation workflow that ensures reports are acted on.

Phase 6: Auditing and Monitoring Program Design

IHS designs the ongoing auditing and monitoring program: annual risk assessment methodology, billing accuracy audit schedule, clinical documentation monitoring, vendor and BAA review cycle, and OIG exclusion screening integration (at hire and monthly, against the LEIE and the state Medicaid exclusion lists that apply to you). The monitoring program is designed to be administratively sustainable: organizations that cannot maintain a monitoring program after the consultant engagement ends have not built a compliance program.
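The exclusion screening check named above (and the per-item exposure from excluded persons described at the top of the page) is the part of a monitoring program most easily automated, and the part most often done badly by matching on name alone. The script below is an added example written for this page, not IHS tooling or anything the page describes. It assumes the column layout of OIG's downloadable LEIE CSV (LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE, REINDATE), YYYYMMDD dates, and all-zero NPI or DOB values meaning "not on file"; the roster and LEIE rows inside it are constructed sample data, not real people, entities or exclusions. It validates roster NPIs with the NPI check digit, treats an NPI match as confirmed, uses date of birth to confirm or clear a same-name match, flags business-name matches as candidates for manual verification, and honors exclusion and reinstatement dates as of a stated screening date.

```python
"""Roster screening against the OIG LEIE (List of Excluded Individuals/Entities).

Added example for this page; not IHS tooling. Assumptions: LEIE rows use the
column names of the downloadable LEIE CSV (LASTNAME, FIRSTNAME, MIDNAME, BUSNAME,
NPI, DOB, EXCLTYPE, EXCLDATE, REINDATE), dates are YYYYMMDD, and an all-zero NPI
or DOB means "not on file". All rows below are constructed sample data.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed LEIE extract in the downloadable CSV layout (fabricated rows).
SAMPLE_LEIE_CSV = """\
LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JANE,A,,1234567893,19700101,1128a1,20220315,00000000
SMITH,JOHN,,,0000000000,19650605,1128b4,20190801,00000000
ROE,RICHARD,,,0000000000,19550202,1128b4,20150101,20200101
,,,ACME HOME HEALTH LLC,0000000000,00000000,1128a1,20230110,00000000
"""

# Constructed roster of employees, contractors and vendors to screen.
SAMPLE_ROSTER = [
    {"id": "E100", "last": "Doe", "first": "Jane", "npi": "1234567893", "dob": "1970-01-01"},
    {"id": "E101", "last": "Smith", "first": "John", "npi": "", "dob": "1981-12-30"},
    {"id": "E102", "last": "Roe", "first": "Richard", "npi": "", "dob": "1955-02-02"},
    {"id": "E103", "last": "O'Neil", "first": "Sam", "npi": "0000000000", "dob": ""},
    {"id": "V200", "business": "Acme Home Health, LLC"},
]


@dataclass
class Hit:
    roster_id: str
    basis: str        # "NPI", "NAME+DOB", "NAME", "BUSINESS_NAME", "INVALID_NPI"
    confirmed: bool   # True only when an identifier (NPI, or name plus DOB) agrees
    excl_type: str
    excl_date: str


def _norm(s):
    """Uppercase and drop everything but letters/digits: "O'Neil, LLC" -> "ONEILLLC"."""
    return re.sub(r"[^A-Z0-9]", "", (s or "").upper())


def _norm_date(s):
    """Accept YYYYMMDD or YYYY-MM-DD; all-zero or malformed dates become ''."""
    d = re.sub(r"\D", "", s or "")
    return d if len(d) == 8 and set(d) != {"0"} else ""


def _norm_npi(s):
    """Strip non-digits; an all-zero NPI is a placeholder and must never match."""
    n = re.sub(r"\D", "", s or "")
    return n if n and set(n) != {"0"} else ""


def npi_check_digit_ok(npi):
    """Luhn check over the '80840' prefix plus the 10-digit NPI, as the NPI standard specifies."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def load_leie(text):
    return list(csv.DictReader(io.StringIO(text)))


def exclusion_active(row, as_of):
    """In force if the exclusion started on/before as_of and no reinstatement on/before as_of is recorded.
    OIG removes reinstated parties from the published file; checking REINDATE guards cached copies (assumption)."""
    excl, rein = _norm_date(row.get("EXCLDATE")), _norm_date(row.get("REINDATE"))
    return bool(excl) and excl <= as_of and (not rein or rein > as_of)


def screen(roster, leie, as_of):
    """Return one Hit per (roster entry, LEIE row) pair that needs action or verification."""
    hits = []
    active = [r for r in leie if exclusion_active(r, as_of)]
    for p in roster:
        npi = _norm_npi(p.get("npi"))
        if npi and not npi_check_digit_ok(npi):
            hits.append(Hit(p["id"], "INVALID_NPI", False, "", ""))  # data-quality finding
            npi = ""                                                 # fall back to name matching
        last, first = _norm(p.get("last")), _norm(p.get("first"))
        dob, bus = _norm_date(p.get("dob")), _norm(p.get("business"))
        for r in active:
            if npi and npi == _norm_npi(r["NPI"]):
                hits.append(Hit(p["id"], "NPI", True, r["EXCLTYPE"], r["EXCLDATE"]))
            elif bus and bus == _norm(r["BUSNAME"]):
                hits.append(Hit(p["id"], "BUSINESS_NAME", False, r["EXCLTYPE"], r["EXCLDATE"]))
            elif last and (last, first) == (_norm(r["LASTNAME"]), _norm(r["FIRSTNAME"])):
                r_dob = _norm_date(r["DOB"])
                if dob and r_dob and dob != r_dob:
                    continue                       # same name, different DOB: cleared
                basis = "NAME+DOB" if dob and r_dob else "NAME"
                hits.append(Hit(p["id"], basis, basis == "NAME+DOB", r["EXCLTYPE"], r["EXCLDATE"]))
    return hits


if __name__ == "__main__":
    for h in screen(SAMPLE_ROSTER, load_leie(SAMPLE_LEIE_CSV), as_of="20250101"):
        print(h)
```

Run as-is, the sample data yields two findings: an NPI-confirmed individual (E100) and an unconfirmed vendor name match (V200). John Smith is cleared by a conflicting date of birth, Richard Roe's exclusion ended before the screening date, and the placeholder NPI on E103 is ignored rather than matched against every zero-NPI row in the file. For production use, substitute the monthly LEIE download and the HR and vendor roster exports for the constructed constants, keep the screening date and results as the audit record, and treat name-only and business-name hits as leads: verification on OIG's site (by NPI, or by name plus date of birth) is still required before any action, and state Medicaid exclusion lists must be screened separately.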

Phase 7: Board Education and Oversight Framework

IHS provides board-level compliance education — structured to satisfy the 2023 GCPG's specific expectations for board engagement — and develops the governance framework for ongoing board oversight of the compliance program, including reporting templates, escalation protocols, and annual compliance review structure.

The IHS Differentiator: Programs That Survive Scrutiny

IHS is a specialized healthcare compliance consulting firm with 25+ years of experience building programs that are evaluated by regulators, not just by internal assessors. Our clients include organizations that have faced OIG investigations, DOJ civil investigative demands, and state OMIG audits — and whose compliance programs served as evidence of good-faith effort rather than as evidence of neglect.

Most compliance software platforms and many generalist consulting firms build programs that satisfy an OIG self-assessment checklist. IHS builds programs that satisfy the standard the DOJ applies when evaluating whether an organization had an effective compliance program at the time violations occurred. There is a material difference between these two standards.

IHS's specific differentiators:

  • Custom policies, not templates: Policies that describe your actual billing codes, your actual vendor relationships, your actual telehealth platform — not generic language that could describe any healthcare organization.
  • Risk assessment methodology: OIG-methodology risk assessments that identify your specific vulnerabilities, not industry-generic risk inventories downloaded from a software platform.
  • Startup and PE acquisition expertise: IHS has built compliance programs for digital health startups with novel AKS risk profiles and PE acquisition targets requiring 100-day integration — use cases that established-provider-focused consulting firms do not have frameworks for.
  • Coordinated accreditation and compliance programs: Many organizations pursue compliance program development alongside URAC, ACHC, or HITRUST accreditation. IHS coordinates policy development across programs to reduce redundant work and ensure consistency between the compliance program and accreditation documentation.

Work With IHS on Your Healthcare Compliance Program

IHS provides healthcare compliance program development for digital health startups, PE-backed acquisitions, and established providers navigating the 2023 OIG GCPG. Our engagements begin with a gap assessment that gives your organization an honest picture of where your program stands against current OIG expectations — before you commit to the full build.

Schedule a Compliance Program Assessment with Dr. Goddard