Compliance Guides · 8 min read · January 6, 2026

How to Build a Pharmacy Compliance Program from Scratch

Step-by-step guide to building a pharmacy compliance program based on the OIG seven elements, with practical timelines and implementation advice.

The OIG's Seven Elements: Your Blueprint

The OIG's compliance program guidance, originally published for various healthcare segments and consolidated in its General Compliance Program Guidance (GCPG) updated in 2023, identifies seven elements that every effective compliance program should include. These elements are not optional for Medicare Part D participants - 42 CFR 423.504(b)(4)(vi) requires Part D sponsors and their downstream entities (including pharmacies) to have compliance programs that incorporate these components.

Element 1 - Written Policies and Procedures

Written policies and procedures are the foundation of your compliance program. They define the standards of conduct for your pharmacy, translate regulatory requirements into actionable daily practices, and provide a reference point for staff when questions arise.

What to Include

Your pharmacy compliance policies should cover, at minimum:

  • Code of conduct - organizational values, ethical standards, and expectations for all staff
  • Billing and claims submission - proper procedures for submitting accurate claims, handling rejections, and avoiding upcoding or unbundling
  • Controlled substance handling - inventory, recordkeeping, corresponding responsibility, and disposal per DEA regulations
  • HIPAA privacy and security - PHI handling, breach notification, minimum necessary standard, and business associate requirements
  • OIG exclusion screening - monthly screening procedures, databases to check, and match response protocols
  • FWA prevention - definitions, examples, reporting mechanisms, and non-retaliation policies
  • Documentation standards - prescription recordkeeping, signature logs, counseling documentation
  • Conflicts of interest - disclosure requirements and prohibited relationships
  • Corrective action procedures - how violations are investigated and resolved

Implementation Tips

Do not try to write every policy from scratch at once. Start with the highest-risk areas (billing, controlled substances, HIPAA) and build out from there over the first six months. Policies should be written in clear, plain language that staff can actually understand and follow. Review and update policies annually or whenever regulations change.

Element 2 - Compliance Officer and Committee

Every compliance program needs a designated compliance officer - a specific person responsible for developing, implementing, and monitoring the program. In a large organization, this is a full-time role. In an independent pharmacy, the compliance officer is typically the pharmacist-in-charge (PIC) or the pharmacy owner.

Compliance Officer Responsibilities

  • Overseeing the development and implementation of compliance policies
  • Coordinating compliance training for all staff
  • Monitoring compliance activities and reviewing audit results
  • Managing the internal reporting process for compliance concerns
  • Reporting compliance status to pharmacy leadership (or the board, if applicable)
  • Staying current on regulatory changes that affect pharmacy operations

Compliance Committee

Even in a small pharmacy, having a compliance "committee" - which may be as simple as the PIC and one or two senior staff members - creates shared accountability and multiple perspectives on compliance issues. The committee should meet at least quarterly to review compliance activities, training status, audit results, and any incidents or concerns.

Element 3 - Training and Education

Training is where your compliance program comes to life. Written policies are meaningless if staff do not understand them. Your training program should include:

  • Initial training for all new hires within 90 days of employment
  • Annual refresher training for all staff covering key compliance topics
  • Role-specific training - pharmacists need different training than technicians or clerks
  • FWA-specific training meeting Medicare Part D requirements (see our FWA training guide)
  • HIPAA training covering privacy, security, and breach notification
  • Controlled substance training for all staff involved in dispensing or handling

Document all training with attendance records, content summaries, and signed attestations. Training records are among the first things auditors and investigators request.

Element 4 - Open Lines of Communication

Staff must have clear, accessible, and confidential channels to report compliance concerns without fear of retaliation. This element is critical because the people most likely to spot violations are frontline staff, and they will only report what they see if they trust the system.

Communication Channels

  • Direct reporting to the compliance officer
  • Anonymous reporting mechanism (even a locked suggestion box meets this requirement for small pharmacies)
  • Open-door policy documented and communicated to all staff
  • Regular compliance discussions during staff meetings

Non-Retaliation Policy

Your compliance program must include a written non-retaliation policy that protects staff who report concerns in good faith. This policy should be communicated during training and posted where staff can see it. Staff must understand that retaliation for good-faith compliance reports is itself a violation of pharmacy policy and potentially of federal law under the False Claims Act's whistleblower protections.

Element 5 - Monitoring and Auditing

A compliance program without monitoring is just a set of aspirational documents. Monitoring and auditing are how you verify that policies are being followed and identify problems before regulators find them.

Internal Monitoring Activities

  • Monthly OIG/SAM exclusion screening for all staff and contractors
  • Quarterly claims audits - randomly sample filled prescriptions to verify billing accuracy
  • Monthly controlled substance inventory reconciliation (perpetual inventory for Schedule II)
  • Annual HIPAA risk assessment - required under the Security Rule
  • Regular review of PDMP usage patterns
  • Signature log audits - verify that signature logs are complete and compliant
  • Documentation audits - review prescription records for completeness

External Audits

Consider engaging an external consultant or compliance firm to conduct an independent audit of your compliance program annually or biennially. An external perspective can identify blind spots that internal monitoring misses. This is especially valuable in the first year of your compliance program.

Element 6 - Enforcement and Discipline

Your compliance program must include consistent enforcement mechanisms for violations. Staff need to understand that compliance is not optional and that violations have real consequences.

Disciplinary Framework

Develop a progressive disciplinary framework that includes:

  • Verbal warning for minor, first-time compliance issues
  • Written warning for repeated minor issues or moderate violations
  • Suspension for serious compliance violations
  • Termination for egregious violations, willful misconduct, or failure to correct repeated issues

The key is consistency. Compliance standards must be applied equally to all staff regardless of position, tenure, or personal relationships. Document all disciplinary actions related to compliance violations and maintain those records as part of your compliance program files.

Incentives

Enforcement is not only about discipline. Consider positive reinforcement for compliance excellence - recognizing staff who identify and report concerns, complete training promptly, or contribute to improving compliance processes. A compliance program built entirely on punishment creates a fear-based culture that discourages reporting.

Element 7 - Response and Corrective Action

When compliance issues are identified - whether through internal monitoring, staff reports, or external audits - your program must include a structured response process.

Response Protocol

  1. Investigate promptly - Acknowledge the report and begin investigation within a defined timeframe (e.g., 48 hours for standard issues, immediately for urgent matters)
  2. Document the investigation - Record who was involved, what was examined, findings, and conclusions
  3. Determine root cause - Understand why the violation occurred, not just what happened
  4. Implement corrective action - Fix the immediate problem and address the root cause to prevent recurrence
  5. Monitor effectiveness - Follow up to ensure corrective actions are working
  6. Report as required - If the issue involves federal program overpayments, report and return them within 60 days per 42 U.S.C. 1320a-7k(d). If it involves a HIPAA breach, follow breach notification requirements. If it involves controlled substance loss, file DEA Form 106.

Self-Disclosure

In some cases, self-disclosure to the OIG, CMS, or state agencies may be appropriate or required. The OIG operates a Self-Disclosure Protocol for healthcare providers who have identified potential fraud. Voluntary self-disclosure is generally viewed favorably and can result in reduced penalties. Consult with legal counsel before making any external disclosures.

Implementation Timeline

Building a compliance program from scratch is a phased effort. Here is a realistic timeline:

Months 1-2: Foundation

  • Appoint compliance officer
  • Draft code of conduct and core policies (billing, HIPAA, controlled substances)
  • Establish reporting mechanisms
  • Begin monthly OIG/SAM exclusion screening

Months 3-4: Training Launch

  • Develop and deliver initial compliance training
  • Complete FWA training for all staff
  • Begin controlled substance inventory reconciliation
  • Establish compliance committee and hold first meeting

Months 5-6: Monitoring Activation

  • Implement claims auditing procedures
  • Conduct first internal compliance audit
  • Develop corrective action procedures
  • Review and refine policies based on initial experience

Months 7-12: Maturation

  • Complete HIPAA risk assessment
  • Expand policy library to cover remaining risk areas
  • Conduct annual compliance training refresh
  • Consider external compliance review
  • Document program effectiveness and areas for improvement

Connecting Your Compliance Program to Daily Operations

A compliance program only works if it is integrated into how your pharmacy operates every day, not treated as a separate administrative burden. Reference compliance policies during staff meetings. Include compliance checkpoints in your standard operating procedures. Make exclusion screening and claims auditing as routine as ordering inventory.

For a comprehensive view of what your compliance program should address, see our Complete Pharmacy Compliance Checklist. The training component of your compliance program should include robust FWA training that meets Medicare Part D requirements and prepares your staff to recognize and prevent violations.
