Healthcare Compliance Program Frequently Asked Questions
Last updated: April 2026
Answers to the most common questions about healthcare compliance programs — OIG 7 elements, legal requirements, FCA exposure, digital health risks, PE acquisition obligations, and what compliance software platforms can and cannot do.
What is a healthcare compliance program?
A healthcare compliance program is a structured organizational system for detecting and preventing violations of healthcare law — principally the False Claims Act, Anti-Kickback Statute, Stark Law, HIPAA, and applicable state equivalents. The OIG defines the standard in its General Compliance Program Guidance (GCPG), updated November 2023: an effective compliance program has seven elements that together create an operational system — not a policy manual on a shelf.
The 2023 GCPG made this distinction explicit: a compliance program that exists on paper but has not been operationalized is not a mitigating factor in enforcement. It is evidence of neglect. The DOJ evaluates the effectiveness of compliance programs — not their existence — when making prosecution and settlement decisions.
What are the OIG 7 elements of an effective compliance program?
The OIG GCPG (November 6, 2023) defines seven elements:
- Written policies, procedures, and standards of conduct — Code of Conduct plus specific policies for high-risk operational areas: billing and coding, AKS compliance, vendor due diligence, telehealth documentation, incident response.
- Compliance leadership and oversight — designated Compliance Officer with independent authority, active Compliance Committee, board-level oversight with documented board education.
- Training and education — role-specific, culturally accessible, integrated into annual performance evaluations. Not a one-time HIPAA module.
- Effective lines of communication and disclosure programs — anonymous reporting mechanisms that employees actually trust and use, documented whistleblower protections with enforcement history.
- Enforcing standards: consequences and incentives — uniform consequences applied regardless of seniority, plus proactive recognition of compliant behavior.
- Risk assessment, auditing, and monitoring — annual organization-specific risk assessment (not a generic template), audit schedule driven by risk findings, ongoing monitoring systems.
- Responding to detected offenses and corrective action — documented investigation process, self-disclosure protocols, corrective action tracking.
Is a healthcare compliance program legally required?
The OIG GCPG is voluntary — it uses "should" rather than "must" language. However, legal mandates exist in several contexts:
- Federal ACA mandate: Compliance programs are required for providers participating in Medicare, Medicaid, and CHIP — covering 1.5 million+ Medicare-participating providers.
- New York (OMIG 18 NYCRR Part 521): Mandatory for providers receiving $500,000+ in annual Medicaid payments. 2024 amendments added no-threshold overpayment reporting.
- Florida (AHCA): Mandatory compliance parameters for Medicaid providers; managed care contracts require attestations.
- California: Risk-Bearing Organizations must demonstrate compliance oversight to DMHC.
Beyond legal mandates: the DOJ evaluates compliance program existence and effectiveness as a material factor in FCA prosecution decisions. An organization without a compliance program has eliminated the single most significant mitigating factor in federal healthcare enforcement.
What is the OIG General Compliance Program Guidance (GCPG) and what changed in 2023?
The OIG GCPG, issued November 6, 2023, is a 91-page manual representing the first comprehensive update in over two decades. Organizations that built compliance programs before 2023 are operating from an outdated framework.
Key changes from prior OIG guidance:
- Board accountability elevated: Boards must receive compliance training and actively oversee resources — not just receive quarterly reports. The 2023 GCPG specifically names board failure to fund adequate compliance programs as a governance deficiency.
- Risk assessments must be organization-specific: Generic industry risk templates do not satisfy the 2023 standard. Risk assessments must reflect the organization's actual revenue model, operational context, and regulatory exposure.
- PE investor accountability: The 2023 GCPG directly addresses PE-backed healthcare acquisitions, noting DOJ's interest in holding investors accountable for portfolio company compliance failures — not just the operating entity.
- Industry Segment-Specific Compliance Program Guidance (ICPGs): OIG is rolling out ICPGs for specific provider types. Medicare Advantage organizations and nursing facilities have received ICPGs. More segments are planned.
What are the False Claims Act penalties for healthcare?
FCA penalties are $13,946 to $27,894 per false claim (2024, adjusted annually) plus treble damages — three times the actual amount improperly paid. For providers submitting thousands of claims per year, FCA exposure is existential.
The 2025 enforcement environment:
- $6.8 billion in DOJ FCA settlements and judgments — the highest in the statute's history
- 84% of 2025 FCA recoveries came from the healthcare industry
- 1,297 qui tam whistleblower filings in 2025 — also a record
Whistleblowers are typically current or former employees with billing documentation access. An organization with documented compliance infrastructure — genuine anonymous reporting, evidence of investigating internal reports, corrective action records — is in a materially better position in FCA settlement negotiations than one without.
What is a Corporate Integrity Agreement (CIA)?
A CIA is a contract between OIG and a healthcare organization settling a fraud, waste, or abuse case — typically an FCA settlement. CIAs generally run 5 years and impose extensive ongoing compliance obligations:
- Independent Review Organization (IRO) auditing of claims, usually annually
- Mandatory compliance officer and compliance committee requirements
- Board member compliance certifications
- Mandatory compliance training programs with documented completion
- Regular reporting to OIG on compliance activities
Organizations subject to CIAs spend substantially more on compliance annually than they would have spent building a proactive compliance program. The strategic calculus: a proactive program build costs a fraction of a CIA's ongoing compliance costs — and eliminates the reputational and operational disruption of an FCA investigation.
What is the OIG exclusion database?
The OIG List of Excluded Individuals and Entities (LEIE) contains 75,000+ individuals and entities excluded from participation in federal healthcare programs due to fraud convictions, license revocations, or other disqualifying events. Federal law prohibits Medicare and Medicaid reimbursement for any items or services furnished, ordered, or prescribed by an excluded individual — with a $10,000 penalty per item billed.
The risk most organizations underestimate: LEIE exclusions are not automatically communicated to employers. A provider can hire a nurse who was excluded from Medicare three years ago without knowing — unless the organization has a routine screening process. IHS implements exclusion screening programs that check the LEIE at hire and monthly thereafter for all employees, contractors, and vendors who could affect billing.
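A screening routine of the kind described above, as an added example that is not IHS's tooling or any OIG software: it assumes the column names of the LEIE CSV download (verify against the current file) and runs over constructed roster and LEIE rows, matching on NPI, business name, or name plus DOB, and ignoring exclusions already reinstated on the screening date.

```python
import csv
import io
from datetime import date

# Constructed sample rows in the layout of the OIG LEIE download (column names
# assumed; verify against the current file). These are not real excluded parties.
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JANE,,,0000000000,19800101,1128b4,20230115,00000000
ROE,RICHARD,A,,0000000000,19750630,1128a1,20150301,20200301
,,,ACME HOME HEALTH LLC,1987654321,00000000,1128a3,20220901,00000000
"""
ROSTER = [  # constructed HR and vendor-master rows; "dob" uses the LEIE YYYYMMDD form
    {"id": "E100", "last": "Doe", "first": "Jane", "dob": "19800101", "npi": ""},
    {"id": "E101", "last": "Roe", "first": "Richard", "dob": "19750630", "npi": ""},
    {"id": "E102", "last": "Doe", "first": "Jane", "dob": "19900202", "npi": ""},
    {"id": "V200", "business": "Acme Home Health, LLC", "npi": "1987654321"},
]

def _norm(s):  # case- and punctuation-insensitive comparison key
    return "".join(ch for ch in (s or "").upper() if ch.isalnum())

def _ymd(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:]))

def screen(roster, leie_rows, as_of):
    """Map roster id -> list of (match basis, LEIE row) for exclusions active on as_of."""
    cutoff = date.fromisoformat(as_of)
    hits = {}
    for p in roster:
        for rec in leie_rows:
            # A reinstatement on or before the screening date means the exclusion is over.
            if rec["REINDATE"] != "00000000" and _ymd(rec["REINDATE"]) <= cutoff:
                continue
            basis = None
            if p.get("npi") and p["npi"] != "0000000000" and p["npi"] == rec["NPI"]:
                basis = "NPI"
            elif p.get("business") and _norm(p["business"]) == _norm(rec["BUSNAME"]):
                basis = "business name"
            elif p.get("last") and _norm(p["last"]) == _norm(rec["LASTNAME"]) \
                    and _norm(p.get("first")) == _norm(rec["FIRSTNAME"]):
                # Same name is common; DOB agreement separates a confirmed hit from a review item.
                basis = "name+DOB" if p.get("dob") == rec["DOB"] else "name only (manual review)"
            if basis:
                hits.setdefault(p["id"], []).append((basis, rec))
    return hits

def monthly_run(as_of):
    """One screening cycle: run at hire and again each month against a fresh LEIE download."""
    return screen(ROSTER, list(csv.DictReader(io.StringIO(LEIE_CSV))), as_of)
```

Every hit, including "manual review" items, belongs in the compliance file with the reviewer's disposition, since the screening record is what demonstrates the process was actually run.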
What compliance risks are unique to digital health startups?
Digital health startups face compliance risks that established-provider frameworks are not designed to address:
- Anti-Kickback Statute and patient incentive structures: Free devices, cash payments, premium waivers — common digital health business model elements — require careful AKS analysis. The AKS applies to anything of value offered to induce referrals or use of services covered by federal healthcare programs.
- Stark Law with value-based care: Digital health companies building value-based care arrangements with physicians need Stark Law analysis before launching compensation structures.
- Telehealth billing compliance: Cross-state practice, reimbursement eligibility, documentation requirements, and supervision requirements vary significantly by state and payer. CMS telehealth policies continue to evolve post-COVID.
- HIPAA and data monetization: Digital health companies that monetize patient data — even in purportedly de-identified form — face HIPAA analysis requirements and FCA exposure when government payers are involved.
- VC funding conditions: Investors increasingly require documented compliance programs as a funding condition. IHS builds startup compliance programs on the timeline driven by financing rounds.
How does a PE healthcare acquisition affect compliance program requirements?
PE acquisitions create compliance program obligations at multiple transaction stages:
- Due diligence: Compliance program assessment is standard in healthcare M&A. Material compliance deficiencies are disclosable risks and affect valuation.
- 100-day integration: The 2023 OIG GCPG specifically addresses PE-backed acquisitions. The 100-day plan should include compliance program assessment and priority remediation of highest-risk gaps.
- Post-acquisition operations: Each portfolio company must maintain its own operational compliance program. A parent entity program that is not implemented at the portfolio company level does not satisfy OIG expectations.
- Exit preparation: Weak compliance infrastructure degrades exit valuations. Buyers in secondary transactions conduct compliance due diligence — a documented, operational program is a positive valuation factor.
IHS builds PE acquisition compliance programs on 100-day timelines, prioritizing highest-risk areas from due diligence findings and building toward a full 7-element program over the integration period.
What is a fractional Chief Compliance Officer?
A fractional CCO is an experienced compliance officer engaged part-time or on a project basis — providing compliance leadership and expertise without a full-time hire. Appropriate for:
- Organizations building their first compliance program, for the duration of the build phase
- Startups whose program will be internalized once the organization reaches sufficient scale
- PE acquisition targets needing interim compliance leadership during 100-day integration
- Small-to-mid-sized providers whose compliance workload does not warrant a dedicated FTE
The OIG does not require a full-time CCO — it requires that the compliance function have adequate authority and resources. A well-structured fractional arrangement satisfies this standard. IHS provides fractional CCO services during compliance program build engagements and can structure the role for future internalization.
What is the difference between compliance software and a compliance consultant?
Compliance software platforms (Compliancy Group ~$99/month, Healthicity $500+/month) provide administrative tools for managing an existing program: BAA tracking, policy distribution, training logs, exclusion screening, risk assessment templates. They are appropriate once a compliant program has been built.
Software cannot:
- Build policies that reflect your actual clinical workflows and specific billing codes
- Conduct an OIG-methodology risk assessment against your specific revenue model
- Coach your board on compliance oversight responsibilities
- Respond to government investigations or self-disclosure requests
- Represent you in CIA negotiations
The IHS approach: build the 7-element program with consulting expertise; use SaaS platforms for ongoing administration. Organizations that attempt to build a compliance program entirely through software produce checkbox compliance — precisely what the DOJ uses as evidence of inadequate compliance culture in FCA prosecutions.