The OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice)
8 min read · Last reviewed May 23, 2026
The OIG's seven elements of an effective compliance program are the framework HHS Office of Inspector General publishes to describe what a healthcare compliance program should contain. The seven elements — leadership, standards, training, communication, monitoring, enforcement, and response — are voluntary for most physician practices but are the lens DOJ and OIG use during investigations. The current authoritative source is the OIG General Compliance Program Guidance, 2023 update.
What the OIG actually publishes
The OIG's compliance program guidance has been around since the late 1990s. The original physician-practice guidance was published in October 2000. In November 2023 the OIG released a consolidated General Compliance Program Guidance (GCPG) — a single document that supersedes the older industry-specific guidance documents for the foundational principles, with industry-specific compliance program guidances (ICPGs) layered on top. The 2023 GCPG is the document a small practice should anchor on. CMS Program Integrity Manual (Pub. 100-08) is the parallel framework on the CMS side and overlaps heavily on monitoring, audit response, and overpayment handling.
The seven elements are unchanged across all OIG guidances since 1998:
- Written policies, procedures, and standards of conduct
- A designated Compliance Officer and Compliance Committee
- Effective training and education
- Open lines of communication
- Enforcement of standards through well-publicized disciplinary guidelines
- Internal monitoring and auditing
- Response to detected offenses and corrective action
The Department of Justice evaluates effectiveness using the Evaluation of Corporate Compliance Programs (most recent update September 2024), which asks three questions: is the program well-designed, is it adequately resourced and empowered to function effectively, and does it work in practice?
The 7 elements — applied to a small practice
Each element below is the OIG's statement followed by what we recommend a 1-15-clinician practice actually do to satisfy it. The "actually do" column is the version that holds up to a DOJ effectiveness review without overbuilding.
Element 1 — Written policies, procedures, and standards of conduct
The OIG expects a Code of Conduct (sometimes called a Standards of Conduct) signed by every workforce member, plus written policies for the operational areas with the highest fraud-and-abuse risk: coding and documentation, claim submission, refunds and overpayments, exclusion screening, anti-kickback and Stark, gifts and inducements, conflicts of interest, and HIPAA privacy and security.
For a small practice: a single binder with a 2-3 page Code of Conduct at the front, signed annually by every workforce member; followed by section policies for billing, coding, refunds, exclusion screening, anti-kickback, gifts, conflicts of interest, and HIPAA. Each policy 1-3 pages. Citations inline.
Element 2 — Compliance Officer and Compliance Committee
A designated Compliance Officer with authority to act, direct access to leadership and (where applicable) the board, and protection from retaliation. A Compliance Committee in practices large enough to have a leadership team.
For a small practice: a written designation letter naming the Compliance Officer, signed by the practice owner. The Compliance Officer can hold other roles (HIPAA Privacy/Security Officer, office manager) but cannot be the billing manager if billing reports to them as Compliance Officer. The committee can be a quarterly 30-minute meeting between the Compliance Officer, the practice owner, and one clinician — minutes filed in the binder.
Element 3 — Training and education
Initial training at hire, annual training thereafter, and role-specific training for billing/coding staff. Topics: false claims, anti-kickback, Stark, exclusion screening, HIPAA, gifts and inducements, the practice's Code of Conduct, and how to report concerns.
For a small practice: an annual training session (60-90 minutes) covering the topics above, delivered live or through a tracked vendor, with sign-in sheets retained for six years. New hires complete the same training within 30 days of start and re-sign the Code of Conduct. See annual HIPAA training curriculum for the HIPAA portion.
Element 4 — Lines of communication
A documented, well-publicized way for the workforce to report concerns confidentially and without fear of retaliation. Multiple channels (verbal, written, anonymous). A non-retaliation policy that the workforce has been trained on.
For a small practice: a confidential email address that routes to the Compliance Officer; a posted notice in the staff area listing the email, a phone number, and the OIG Hotline (1-800-HHS-TIPS) as an external option; a one-page non-retaliation policy signed by every workforce member; a logged intake of every report regardless of substance.
Element 5 — Well-publicized disciplinary guidelines
A workforce sanction policy that defines what kinds of conduct draw what level of sanction, applied consistently to all workforce members regardless of seniority. The policy must be communicated in writing.
For a small practice: a one-page sanction matrix (verbal warning / written warning / final warning / termination / referral) with examples of triggering conduct, signed at hire and re-signed annually. See the HIPAA workforce sanction policy template for the HIPAA-side mirror.
Element 6 — Internal monitoring and auditing
Risk-based monitoring of the operational areas listed in Element 1, with documented sampling, findings, and corrective action. CMS Pub. 100-08 describes the monitoring expectation in detail for Medicare claims. The OIG's Work Plan tells you which service lines are under elevated scrutiny in the current year.
For a small practice: a quarterly internal audit — typically 10-25 claims sampled per provider, scored against documentation, coding, modifier, and medical-necessity standards. A monthly OIG LEIE + SAM exclusion screening for every workforce member and contractor (vendor evidence retained). A documented monthly review of denials and refunds. A quarterly review of the audit log on the EHR. Findings logged with assigned owner and remediation date.
Element 7 — Response and corrective action
When a problem is found, it gets investigated, root-caused, corrected, and (where required) self-disclosed. Identified overpayments get returned within the timeline at 42 USC § 1320a-7k(d) (60 days). Identified false claims trigger evaluation under the OIG's Self-Disclosure Protocol.
For a small practice: a written investigation template (intake, scope, findings, root cause, corrective action, follow-up); a one-page overpayment workflow with the 60-day clock noted; a relationship with healthcare counsel for self-disclosure judgment calls.
How to deploy in a small practice
The deployment sequence we use with new clients: month one, designate the Compliance Officer in writing and adopt the Code of Conduct; month two, paste in the policy library and run an initial baseline audit against billing and HIPAA; month three, run the first annual training and capture sign-in sheets; month four, stand up the monthly LEIE/SAM screening and the quarterly internal audit cadence. By month six the binder contains every element with at least one cycle of evidence.
The practice owner signs the Code of Conduct first. Everything else follows from that signature.
Common gaps
What we see fail in practice is identical from practice to practice. The five most common gaps:
- A binder full of policies and zero evidence of execution. Policies are necessary but not sufficient. DOJ asks: does it work in practice?
- No exclusion screening evidence. Monthly LEIE + SAM screening is the lowest-cost, highest-leverage program element. Vendors do it for under $20 per workforce member per month and produce dated evidence. Practices that skip this fail Element 6 on the easiest possible audit element.
- Compliance Officer in name only. No designation letter, no authority, no time allocated, no quarterly committee meeting.
- Training that nobody can prove happened. No sign-in sheet, no LMS completion report, no copy of the slide deck in the binder.
- Identified overpayments returned late or not at all. The 60-day clock at 42 USC § 1320a-7k(d) is the single most-litigated False Claims Act trigger for physician practices. Track every overpayment from identification to return with dated evidence.
Maintenance cadence
Annual effectiveness review covering all seven elements, delivered as a written summary to the practice owner. Quarterly compliance committee meeting with minutes. Monthly LEIE + SAM screening with retained vendor reports. Internal audit on the cadence the practice committed to in Element 6. Refresh the policy library when the OIG releases a relevant ICPG or when CMS Pub. 100-08 is updated; subscribe to the Medicare Learning Network (MLN) for change notifications.
A program that has all seven elements with current evidence and a documented annual review is the program the OIG asks about. Practices that can produce it in a single binder finish enforcement actions in months instead of years.
How d3rx fits
The d3rx compliance binder generates the OIG seven-element framework as a single document set: Code of Conduct, Compliance Officer designation, training curriculum and sign-in template, reporting pathway, sanction policy, monitoring cadence, and response workflow — with citations to the 2023 GCPG, CMS Pub. 100-08, and DOJ ECCP inline. The practice's Compliance Officer remains responsible for executing, monitoring, and updating the program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — The OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Is an OIG-style compliance program legally required for a small physician practice?
Not by federal statute alone. The Patient Protection and Affordable Care Act amendments at 42 USC § 1395cc(j)(9) authorize HHS to require compliance programs as a condition of Medicare enrollment, but final rulemaking has not made it mandatory for physician practices outside of certain provider types (nursing facilities, DMEPOS suppliers, MA plans). The OIG's [General Compliance Program Guidance (2023 update)](https://oig.hhs.gov/compliance/general-compliance-program-guidance/) and prior physician-practice guidance are voluntary frameworks — but they are the framework the OIG and DOJ use when evaluating whether a practice acted reasonably.
Can one person be the Compliance Officer at a 5-person practice?
Yes. The OIG guidance is clear that small practices can scale the program. The Compliance Officer can be the same person as the HIPAA Privacy or Security Officer, and can hold the role part-time, as long as the role is designated in writing, the person has authority to act, and they have a direct line to leadership. Avoid having the billing manager serve as Compliance Officer with no separate channel — that creates an obvious conflict on FWA reports.
Do we need a third-party hotline?
Not necessarily. The OIG guidance asks for an effective reporting pathway, not a specific vendor. A small practice can satisfy this with a confidential email address, a sealed drop box, and a phone number that routes to the Compliance Officer's voicemail, as long as the workforce knows about it, can use it anonymously, and the reports are actually logged and investigated. Larger practices typically buy a third-party hotline because it scales better.
How often does the compliance program need to be reviewed?
Annually at minimum, plus after any material event (an OIG/CMS audit, an enforcement action, a major service-line change, a change in ownership). The OIG's [General Compliance Program Guidance (2023)](https://oig.hhs.gov/compliance/general-compliance-program-guidance/) recommends a documented annual effectiveness review covering all seven elements and a written summary delivered to leadership.
How does the OIG evaluate effectiveness during an investigation?
Through the Justice Department's [Evaluation of Corporate Compliance Programs](https://www.justice.gov/criminal/criminal-fraud/page/file/937501/download) framework and the OIG's resolution agreement history. They look at whether the program is well-designed, adequately resourced and empowered, and whether it works in practice — meaning whether the workforce knows about it, whether reports actually surface, and whether findings drive change.
What is the difference between the OIG's compliance program and a HIPAA compliance program?
The OIG program targets fraud, waste, and abuse (FWA) — false claims, anti-kickback, Stark, exclusion screening, billing accuracy. The HIPAA program targets privacy and security of PHI. The seven-element structure is similar, and the documentation overlaps heavily. Most small practices run them as a single binder with separate sections rather than two parallel programs.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- OIG General Compliance Program Guidance, 2023 updatehttps://oig.hhs.gov/compliance/general-compliance-program-guidance/
- Pub. 100-08https://www.cms.gov/regulations-and-guidance/guidance/manuals/internet-only-manuals-ioms-items/cms019033
- Evaluation of Corporate Compliance Programshttps://www.justice.gov/criminal/criminal-fraud/page/file/937501/download
- 1-800-HHS-TIPShttps://oig.hhs.gov/fraud/report-fraud/
- Work Planhttps://oig.hhs.gov/reports-and-publications/workplan/
- Self-Disclosure Protocolhttps://oig.hhs.gov/compliance/self-disclosure-info/
- Medicare Learning Network (MLN)https://www.cms.gov/training-education/medicare-learning-network
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))
8 min readCompliance FoundationsHIPAA Security Officer: Required Duties + Job Description Template
7 min readCompliance FoundationsAnnual HIPAA Training Curriculum (What to Cover + How to Document)
10 min readRelated across the archive
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- ComplianceHIPAA Security Officer: Required Duties + Job Description TemplateRequired duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.
- ComplianceHIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.
- GlossaryOIG Compliance ProgramVoluntary compliance program structure recommended by HHS-OIG for physician practices.
- GlossaryOIG Work PlanThe annual list of new and ongoing HHS-OIG audits, evaluations, and inspections.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.