Health Care Compliance: New Federal Guidance Seeks a Modernized Approach and Shows OIG’s Specific Interest in Private Equity and Tech Companies

November 10, 2023

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has issued new general compliance program guidance, marking the first time the agency has released this type of “reference guide for the health care compliance community.” It brings together information previously scattered across different sources, including on relevant federal laws, elements of an effective compliance program, OIG resources and other compliance material.

Overall Takeaways

The guidance demonstrates the agency’s effort to make compliance more accessible and its continued, and likely increased, interest in corporate compliance programs. Although much of the substance is not new, by collecting and publicizing it in this form, OIG is putting companies on notice of what it means to address compliance risks. 

As discussed below, OIG specifically flagged its interest in topics such as private equity investment in health care and new entrants to health care, specifically including technology companies, and the potential compliance risks posed. These companies should be aware that, with this guidance, OIG is signaling heightened expectations and a potential increased willingness to evaluate their corporate compliance programs. 


This guidance has been a long time coming. As the agency announced this year, it is pushing to modernize its approach, including the accessibility and usability of its public resources. This includes moving away from relying on the Federal Register, which can be challenging to access, identify and follow, and issuing new compliance tools and material—of which this guidance is the most critical piece to date.

What’s in the Guidance

As noted, the content largely affirms existing guidance and highlights key risk and compliance program issues relevant to the health care industry. Specifically, it covers:

  • Overview of relevant laws and legal frameworks – sets out the primary federal statutes that govern the area and other authorities OIG recommends parties should be aware of, including the Anti-Kickback Statute, Physician Self-Referral (or “Stark”) Law, the False Claims Act and others.
  • The Seven Elements of a Compliance Program – as the agency has previously set forth, the core elements of an effective compliance program are:

    (1) Written policies and procedures

    (2) Compliance leadership and oversight

    (3) Training and education

    (4) Effective lines of communication with the compliance officer and disclosure programs

    (5) Enforcement of standards, including consequences and incentives

    (6) Risk assessment, auditing and monitoring

    (7) Responding to offenses and corrective actions, including investigations and reporting

    OIG makes clear that a company should commit to effectively implementing all seven elements.

  • Compliance Program Adaptation – along with the below, a “newer” aspect of the guidance is OIG recognizing that a company will need to build a compliance program that is appropriately sized and adapted to meet its needs.
  • Other Compliance Considerations – a list of various issues that OIG is highlighting as also relevant. Some of the most interesting are highlighted below.
  • OIG Resources – resources that parties may want to consult.

Key New / Interesting Points:

  • First, OIG specifically addresses private equity and other ownership structures (in the “other compliance considerations” section), explaining that the flow of funds may help identify compliance issues. As the guidance notes, “the growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives (e.g., return on investment) on the delivery of high quality, efficient health care.” While it does not further specify how such ownership changes things, OIG is clearly signaling its continued interest in such entities and investors.
  • Second, OIG includes a section on the “increasing number of new entrants” in health care—specifically mentioning technology companies—that may be unfamiliar with the applicable laws and regulatory regimes. As the guidance explains, “business practices that are common in other sectors create compliance risk in health care.” As a result, new entrants should ensure they know the relevant laws and how an effective compliance program should work in this setting.
  • Third, and in contrast with the above, OIG’s “program adaptation” section suggests that, while OIG is going to expect these companies to have a compliance program, that program should be reasonably tailored to the specific entity. In combination with the expanded discussion of compliance risk assessments (compliance program “element 6”), the agency seems to recognize that tailoring needs to respond to the actual risks identified by the company, and that building an effective program does not always mean that more is more.