In its new general compliance program guidance (GCPG), the HHS Office of Inspector General (OIG) said that compliance committees—not compliance officers—should develop risk assessments.[1] The GCPG lists nine “primary responsibilities” of compliance officers, and they don’t include risk assessments or a few other things compliance officers may play a role in.
“We have come to realize the importance of risk assessment in terms of figuring out what the risks are and where to allocate resources and we believe they are best assigned to the compliance committee,” OIG Senior Counsel Laura Ellis said Nov. 6 at HCCA’s Healthcare Enforcement Compliance Conference in Washington, D.C. It’s a “microcosm of the entity.”
Every compliance program will have to be tweaked at a minimum in response to the new guidance, said attorney Judy Waltz, with Foley & Lardner LLP in San Francisco. “Compliance programs are, or should be, living, breathing, fluid enterprises,” she said. All compliance programs are probably missing pieces of the best practices in the GCPG.
The new GCPG was unveiled 25 years after OIG published its first compliance program guidance. This time around, it will only be posted on its website instead of the Federal Register because it’s easier to update that way and because the GCPG is “voluntary, nonbinding guidance,” said OIG Senior Counsel Amanda Copsey. For the first time, the GCPG has tips for addressing compliance concerns and links to other resources. Some of the new material may not come as a surprise because it’s been foreshadowed in OIG conference presentations and changes to corporate integrity agreements over the past three years, Waltz said.