Client Overview

Organization Type: [ORGANIZATION TYPE — e.g., Digital health startup (telehealth platform) / PE-backed specialty pharmacy acquisition / Medicaid managed care organization expanding into new state]
Location: [STATE/REGION]
Revenue Model: [e.g., B2B SaaS platform with per-member-per-month contracts with health plans / Direct-to-consumer telehealth with Medicare Advantage billing / Specialty pharmacy with PBM contracts]
Compliance Program Status at Engagement: [e.g., No formal compliance program — HIPAA Notice of Privacy Practices existed but no Code of Conduct, no Compliance Officer, no risk assessment, no reporting mechanism]
Trigger for Engagement: [e.g., Series B term sheet conditioned on documented OIG-aligned compliance program / PE acquisition 100-day integration requirement / State Medicaid managed care contract compliance attestation requirement]
Engagement Duration: [DAYS] days — [START MONTH/YEAR] to [END MONTH/YEAR]
Outcome: [e.g., Complete 7-element compliance program delivered and documented within 90 days / VC funding condition satisfied / State contract compliance attestation executed]

The Challenge

[ORGANIZATION] came to IHS with a specific external deadline: [TRIGGER DESCRIPTION — e.g., their Series B lead investor had included a compliance program condition in the term sheet, with a 90-day post-close deadline. The compliance program had to be documented, operational, and satisfying OIG 7-element standards before the final investment tranche was released.]

The organization's existing compliance posture:

  • [STATUS 1 — e.g., A HIPAA Notice of Privacy Practices existed — drafted by outside counsel at founding — but had never been reviewed against the organization's actual data practices.]
  • [STATUS 2 — e.g., No Code of Conduct. No Compliance Officer designation. No compliance committee. No risk assessment.]
  • [STATUS 3 — e.g., The organization had been operating for [NUMBER] months with a [DESCRIPTION OF HIGH-RISK ELEMENT — e.g., patient referral incentive program that had never been analyzed under the Anti-Kickback Statute].]
  • [STATUS 4 — e.g., No OIG exclusion screening process. Two of the organization's [NUMBER] employees had not been screened against the LEIE at hire.]
  • [STATUS 5 — e.g., No anonymous reporting mechanism. Employees had been informally encouraged to "raise concerns directly with the CEO" — a structure the OIG specifically identifies as inadequate because it chills reporting of concerns involving leadership.]

The 90-day timeline was not negotiable. IHS structured the engagement as a parallel-track build — multiple workstreams running simultaneously rather than sequentially — to meet the deadline without sacrificing compliance quality for speed.

Phase 1: Gap Assessment and Risk Prioritization (Days 1–14)

IHS conducted an accelerated gap assessment covering all seven OIG GCPG elements and the organization's specific regulatory exposure. The assessment identified [NUMBER] gap areas, which were prioritized into three tiers:

Tier 1: Immediate Legal Exposure (address within 30 days)

  • [TIER 1 ISSUE 1 — e.g., Anti-Kickback Statute analysis of the patient referral incentive program.] The organization was offering [DESCRIPTION — e.g., $50 Amazon gift cards to patients who referred a friend to the platform, with a referring provider also receiving [DESCRIPTION]. This structure required immediate AKS analysis — the patient incentive may qualify under the AKS beneficiary inducements exception, but the referring provider compensation required a different analysis. No opinion of counsel had been obtained before the program launched.]
  • [TIER 1 ISSUE 2 — e.g., OIG exclusion database screening for all existing employees and contractors.] The organization had never screened against the LEIE. IHS conducted an immediate batch screen — [RESULT — e.g., no excluded individuals identified, but the organization now had documented evidence of the screening for the VC investor's due diligence file].
  • [TIER 1 ISSUE 3 — e.g., Business Associate Agreement gap analysis.] [NUMBER] vendors with access to PHI had not executed BAAs — including [DESCRIPTION — e.g., the organization's CRM platform, which stored patient intake forms]. BAA execution was initiated for all identified vendors within 14 days.

Tier 2: Compliance Infrastructure Gaps (address within 60 days)

  • Code of Conduct development
  • Compliance Officer designation and role framework
  • Anonymous reporting mechanism selection and implementation
  • Core policy development: billing compliance, AKS compliance, telehealth documentation, incident response

Tier 3: Program Operationalization (address within 90 days)

  • Compliance training rollout for all employees
  • Board compliance education session
  • Annual risk assessment completion and documentation
  • Auditing and monitoring program design

Phase 2: Anti-Kickback Statute Analysis and Program Restructuring

The AKS analysis of the patient referral incentive program was the most substantively complex workstream. IHS's analysis concluded:

  • [PATIENT INCENTIVE ELEMENT]: [ANALYSIS — e.g., The $50 gift card to referring patients likely qualifies under the AKS beneficiary inducements exception (42 U.S.C. § 1320a-7a(i)(6)) because the value is under $15 per item and $75 annually, the items are not cash or cash equivalents, and the promotion does not target high-utilizers. However, the exception requires that the items not be tied to the volume or value of referrals — the program's current structure, which increased the incentive for patients who referred multiple friends, did not qualify for the exception as written.]
  • [PROVIDER INCENTIVE ELEMENT]: [ANALYSIS — e.g., The referring provider compensation required analysis under the personal services arrangement safe harbor. The current structure did not meet safe harbor requirements because compensation was not set in advance at fair market value — it was variable based on referral volume. IHS recommended restructuring to a fixed per-referral fee set at FMV with appropriate documentation.]

IHS developed restructuring recommendations that preserved the business objective of the incentive program while achieving safe harbor protection. The restructured program was documented with a compliance rationale memo — the type of documentation that demonstrates good-faith compliance analysis if the program is later scrutinized.

Phase 3: Core Policy and Infrastructure Development (Days 15–60)

Code of Conduct

IHS developed a Code of Conduct that reflected the organization's specific business model, regulatory environment, and culture — not a generic healthcare Code of Conduct template. Key elements: organizational compliance commitment, employee obligations, specific guidance on AKS and Stark Law red flags in the context of the organization's referral model, HIPAA obligations, fraud reporting requirements, and non-retaliation policy.

Compliance Officer Designation

IHS worked with the organization's leadership to designate [TITLE — e.g., the General Counsel / an existing senior operations leader] as Compliance Officer and developed: position description, scope of authority documentation, reporting structure to ensure independence from operational leadership, and a compliance committee charter with cross-functional membership.

Anonymous Reporting Mechanism

IHS evaluated and recommended [MECHANISM — e.g., a web-based anonymous reporting platform appropriate for the organization's size and employee distribution]. The platform was configured, the non-retaliation policy was finalized, and the reporting intake and investigation workflow was documented. All employees were notified of the mechanism's existence and given instructions for use as part of the compliance training rollout.

Core Policy Suite

IHS developed [NUMBER] core compliance policies including:

  • Billing and coding compliance policy — specific to the organization's payer mix and billing codes
  • Anti-Kickback Statute compliance policy — including documented analysis of each active referral arrangement
  • Telehealth documentation and compliance policy — addressing cross-state practice requirements, reimbursement documentation, and supervision requirements
  • HIPAA privacy and security policy suite — updated to reflect the organization's actual data practices
  • Vendor due diligence and BAA management policy
  • Incident response and breach notification policy
  • OIG exclusion screening policy — monthly screening for all employees and contractors

Phase 4: Risk Assessment, Training, and Board Education (Days 60–90)

Annual Risk Assessment

IHS conducted and documented the organization's inaugural annual compliance risk assessment — tailored to the specific regulatory exposure of the organization's revenue model, not a generic healthcare risk template. The assessment identified [NUMBER] risk areas, ranked by probability and impact, with assigned risk owners and mitigation timelines. The risk assessment documentation satisfied the VC investor's compliance due diligence requirement for evidence of an OIG-methodology risk assessment.

Compliance Training Rollout

IHS developed and delivered role-specific compliance training covering:

  • All-employee training: Code of Conduct, reporting obligations, non-retaliation policy, AKS red flags for all staff
  • Clinical staff training: telehealth documentation requirements, HIPAA obligations in the telemedicine context
  • Operations staff training: billing compliance, OIG exclusion screening procedures
  • Leadership training: FCA liability for executives, AKS management obligations, compliance oversight responsibilities

All training sessions were documented with attendance records and completion certifications maintained for investor due diligence and future OIG review.

Board Compliance Education

IHS conducted a board compliance education session — structured to satisfy the 2023 OIG GCPG's specific expectations for board engagement. Topics: board compliance oversight responsibilities under the GCPG, the organization's specific regulatory risk profile, compliance program structure, and the board's role in ensuring adequate compliance resources. Board meeting minutes documenting the session were prepared as part of the deliverable package.

Results

  • VC funding condition: [e.g., All 7-element compliance program requirements satisfied within 90-day window. Final investment tranche released on schedule.]
  • AKS restructuring: [e.g., Patient referral incentive program restructured to qualify for AKS safe harbor protection. Documented compliance rationale memo completed. Program continues operating under restructured terms.]
  • Legal exposure remediated: [e.g., All [NUMBER] BAA gaps closed within 14 days of identification. OIG exclusion screening conducted for all employees and contractors with no exclusions identified. Monthly screening process operational.]
  • Compliance infrastructure: [e.g., Code of Conduct, Compliance Officer, compliance committee, anonymous reporting mechanism, [NUMBER] core policies, annual risk assessment, training documentation — all in place within 90 days.]
  • Ongoing program: [e.g., IHS established a quarterly compliance review retainer to maintain program currency and conduct annual risk assessments as the organization scales.]

Key Lessons for Organizations Building Compliance Programs Under Time Pressure

  1. AKS analysis cannot be deferred. The most common mistake digital health startups make is building their revenue model first and conducting AKS analysis later — or not at all. AKS restructuring after a program has been operating for months requires documenting the period of non-compliant operation. Building compliant structures before launch avoids the retroactive exposure entirely.
  2. Parallel-track build is the only way to meet 90-day deadlines without sacrificing quality. Sequential compliance program builds — policies first, then training, then risk assessment — take 6–9 months. A parallel-track approach with multiple workstreams running simultaneously can deliver a complete 7-element program in 90 days. It requires an experienced lead who can manage all tracks simultaneously without creating interdependency bottlenecks.
  3. Documentation of the build is as important as the build itself. The compliance program documentation — training attendance records, risk assessment, board minutes, policy version history — is what satisfies investor due diligence, OIG review, and DOJ evaluation. A well-built program with poor documentation is indistinguishable from no program in an enforcement context. IHS delivers documentation packages, not just program deliverables.
  4. Anonymous reporting mechanisms that employees don't trust are not compliant. An organization where employees are "encouraged to raise concerns with the CEO directly" does not have an effective line of communication under Element 4. The 2023 GCPG specifically notes that the test is whether employees actually use the mechanism — which requires that they believe it is genuinely anonymous and that their reports will be investigated without retaliation. Building this trust requires more than standing up a hotline.

Work With IHS on Your Healthcare Compliance Program

IHS builds healthcare compliance programs for digital health startups, PE-backed acquisitions, and established providers. Our engagements begin with the gap assessment described above — identifying your specific legal exposures and compliance infrastructure gaps before determining scope and timeline.

Schedule a Compliance Program Assessment with Dr. Goddard