Updated OIG Guidance: No Credit for a Compliance Program that’s Collecting Dust on the Shelf

May 2016

When misconduct is alleged, a health care provider's ability to participate in government health care programs like Medicare and Medicaid can be restricted by the Office of Inspector General of the U.S. Department of Health and Human Services (the "OIG"). The OIG has recently published updated guidance on its authority to exclude health care providers from participating in federal health care programs. This new guidance requires providers not only to adopt compliance programs, but to operate them effectively.

Exclusion from Federal Health Care Programs

The OIG has the authority to exclude health care providers from participating in federal health care programs such as Medicare and Medicaid for, among other things, filing false or fraudulent claims or violating the Anti-Kickback Statute or the Stark Law. The effect of exclusion is that no payments may be made by a federal health care program to an excluded person, and others who employ or enter into contracts with an excluded person can be subject to penalties.

Exclusion Criteria under Previous Guidance

In 1997, the OIG issued guidance that explained the criteria it used to make exclusion decisions. One aim of that guidance was to encourage the widespread adoption of compliance programs. It did this by giving defendants settling False Claims Act cases credit for having adopted compliance programs that met the seven elements of the U.S. Sentencing Guidelines.[1] Now, nearly 20 years later, the OIG has explained through the updated guidance that, in making its exclusion decisions, it will expect not only that a health care provider has adopted a compliance program, but that the provider has implemented the program effectively.

New Risk Spectrum

According to the updated guidance, the OIG will evaluate cases along a continuum, from highest to lowest risk. The penalties that the OIG might impose, corresponding to this "risk spectrum," are: exclusion; at the next level of risk, "heightened scrutiny" such as unilateral monitoring; a corporate integrity agreement; reservation of the exclusion authority with no further action; or, for the lowest-risk cases when the health care provider self-disclosed the violation, release of the exclusion authority.

Factors Used in Assessing Risk

The OIG has introduced in the updated guidance four new factors it will consider in making the risk assessment:

  • Nature and Circumstances of the Conduct. The provider's conduct will be assessed based on adverse impacts on individuals, financial losses, the circumstances of the alleged conduct (such as the length of time or existence of a pattern), the leadership roles of individual defendants or executives in the alleged conduct, and any history of prior fraudulent conduct.
  • Conduct During the Investigation. Credit will be given for cooperating with the government. This can involve undertaking an internal investigation, identifying who was responsible, and sharing that information with the government. Doing so would align with the Department of Justice's "Yates Memorandum" of 2015, which defined cooperation as identifying the responsible person. Self-disclosure of the problem before becoming aware of the government's investigation will be viewed favorably. However, no credit will be given for prompt responses to subpoenas, which contrasts with the 1997 guidance.
  • Significant Ameliorative Efforts. The provider's violation might be mitigated if the person responsible for the conduct was disciplined or if the entity has significantly increased compliance resources before or during the investigation.
  • History of Compliance. Having a history of self-disclosing violations will be taken as indicating a lower risk.


If a health care provider does not have a compliance program that meets the seven elements of the U.S. Sentencing Guidelines, it should develop one and adopt it as soon as possible. The OIG has made clear that it expects health care providers to have one in place; although having a compliance program will not reduce the risk assessment, not having one could lead the OIG to place a case higher on the risk spectrum, possibly leading to more severe penalties.

Finally and perhaps most important, under the updated guidance, having a compliance program is meaningful only to the extent that it can prevent or identify future issues and then correct or report them. Therefore, health care providers should (1) identify ways to measure their compliance programs' ability to do these things, and (2) modify those programs as necessary to meet the OIG's higher expectations. Although this could involve some cost and might increase administrative burdens, it must be recognized that under the OIG's new guidance, a compliance program matters only if it is truly effective.

[1] The seven elements are: (1) establishing policies, procedures and controls; (2) exercising effective compliance and ethics oversight; (3) exercising due diligence to avoid delegation of authority to unethical individuals; (4) communicating and educating employees on compliance and ethics programs; (5) monitoring and auditing compliance and ethics programs for effectiveness; (6) ensuring consistent enforcement and discipline of violations; and (7) responding appropriately to incidents and taking steps to prevent future incidents.