Back to the Basics: Using the OIG Work Plan to Set Next Year’s Compliance Priorities, Deliverables, and Calendar
1. Why It’s Time to Get Back to Basics
Every fall, compliance professionals start sketching out next year’s plans - training cycles, audit schedules, policy reviews, and that all-important budget narrative. But before diving into spreadsheets and PowerPoint decks, it’s worth taking a deep breath and returning to one of the simplest tools available: the Office of Inspector General (OIG) Work Plan.
The OIG Work Plan isn’t glamorous, but it’s one of the most practical roadmaps a compliance program can use. Published by the Department of Health and Human Services (HHS) OIG, it outlines the oversight projects and audits the Inspector General intends to pursue across Medicare, Medicaid, and public-health programs (OIG, 2025). These updates show what risks the federal government considers significant - and therefore what should already be on every compliance officer’s radar.
Getting “back to the basics” means using that public document as a living reference, not a once-a-year curiosity. Whether you’re new to the field or have a decade of audit experience, the OIG Work Plan remains a built-in compass for planning your compliance calendar and shaping next year’s deliverables.
In this article, we’ll revisit what the Work Plan is, why it matters, where to find it, and how to translate its priorities into a concrete set of annual goals. You’ll also find a copy-and-paste OIG Work Plan Review Checklist at the end of the article to help you get started. I’ve placed this checklist in the public domain so it’s freely usable and adaptable by anyone who finds it helpful in strengthening their compliance planning.
By the time you finish reading, you’ll have a refreshed appreciation for this fundamental resource - and perhaps a few ideas for how to make “back to the basics” an annual tradition in your own organization.
2. What Is the OIG Work Plan?
At its core, the Office of Inspector General (OIG) Work Plan is the federal government’s way of saying, “Here’s what we’re watching.” It is published by the Department of Health and Human Services (HHS) Office of Inspector General - an independent oversight body charged with protecting the integrity of federal health programs and the welfare of their beneficiaries (OIG, 2025).
The Work Plan outlines ongoing and planned audits, evaluations, and inspections that the OIG intends to conduct within HHS and across related healthcare sectors. These projects range from traditional Medicare and Medicaid payment reviews to modern priorities like cybersecurity, data interoperability, and telehealth billing integrity. Each entry includes a short summary, the operating division involved, and the objective or risk area being assessed.
Unlike static regulatory documents, the OIG Work Plan is dynamic - updated monthly to reflect new initiatives, completed reviews, or areas of emerging concern (OIG, 2025). That means it’s not just a once-a-year report but a living guide to federal oversight priorities. Compliance officers who make it part of their regular routine gain an early sense of where the government’s attention is heading before enforcement activity ramps up.
The Work Plan doesn’t create new laws or requirements. Instead, it serves as a strategic signal. When the OIG lists a topic for review, such as managed care organization audits or data security risks, it’s an unmistakable message that the issue deserves organizational scrutiny as well. Programs that align their internal audit plans, training topics, and risk assessments with these public signals demonstrate proactive governance and sound risk management (Leib, 2022).
For new compliance professionals, the Work Plan provides a simple way to begin identifying and prioritizing compliance risks. For seasoned leaders, it’s a credible anchor for resource allocation, board reporting, and long-term planning. Either way, it’s one of the most cost-effective tools in the compliance toolkit - available freely and updated year-round.
3. Where to Find the OIG Work Plan and When to Review It
Finding the OIG Work Plan is straightforward - it’s one of the most accessible federal resources available to compliance professionals. The current version and all past archives are published directly on the HHS Office of Inspector General website at https://oig.hhs.gov/reports-and-publications/workplan/ (OIG, 2025).
The Work Plan is updated monthly, typically toward the end of each month, and includes both new items and ongoing reviews. Each entry provides a short description of the focus area, the operating division responsible (for example, CMS or FDA), and the expected objective. The online format allows users to sort by date or agency, making it easy to track developments in the areas most relevant to their organizations.
For maximum effectiveness, reviewing the Work Plan should be a routine habit, not a special event. Many compliance teams make it a standing item on their monthly or quarterly meeting agendas. Others build it into the risk assessment process or assign it as part of their compliance analyst’s recurring monitoring duties.
- Bookmark the OIG Work Plan page in your browser and check it at the start of each month.
- Subscribe to the OIG email list or RSS feed to receive automatic notifications of new updates (OIG, 2025).
- Add a recurring calendar reminder - for example, the first Monday of each month - to review and discuss any new entries.
- Document your review as evidence of proactive oversight. Even a one-page summary noting that “no new relevant items were added this month” demonstrates diligence and accountability.
Taking fifteen minutes once a month to review OIG updates is a simple step that pays long-term dividends. It keeps your program aligned with federal oversight priorities, provides a credible defense in audits or inquiries, and builds a culture of continuous compliance awareness across your organization.
4. Why the OIG Work Plan Matters
In compliance, it’s easy to get buried under competing demands - regulatory updates, internal audits, data security projects, and leadership requests. The OIG Work Plan cuts through that noise. It helps every compliance program, large or small, focus attention where it matters most: on the areas the federal government considers high risk (Leib, 2022).
When the Office of Inspector General selects a topic for review, it signals that the issue is both significant and widespread enough to warrant federal scrutiny. That alone makes it a valuable early warning system for compliance teams. For example, if the OIG announces a review of data governance or managed care oversight, you can be certain that enforcement agencies and payers are watching those same areas closely.
- It reflects current federal priorities. The Work Plan is the most direct insight into what matters to regulators right now - whether that’s cybersecurity safeguards, telehealth documentation, or the integrity of payment systems (OIG, 2025).
- It strengthens risk-based planning. Reviewing Work Plan items alongside your internal risk assessment helps identify emerging vulnerabilities before they become audit findings.
- It supports accountability. Citing the OIG Work Plan in board or committee briefings shows that your compliance program is data-informed and aligned with national oversight trends.
- It’s evidence of diligence. If regulators ever ask how your organization stays current with federal expectations, documented OIG reviews demonstrate a culture of active monitoring and responsiveness.
Put simply, the OIG Work Plan matters because it connects your day-to-day compliance efforts to the broader federal oversight landscape. It bridges the gap between regulation and reality - turning a publicly available document into a strategic advantage.
5. Translating OIG Focus Areas into Organizational Priorities
Knowing what’s in the OIG Work Plan is only half the job. The real value comes from translating those federal priorities into actionable goals inside your own organization. That translation step turns a government audit list into a living roadmap for your compliance operations.
Start by identifying which topics in the OIG Work Plan apply to your organization’s lines of business, patient populations, or operational functions. For instance:
- A hospital might focus on inpatient billing, quality-of-care measures, or cybersecurity of connected medical devices.
- A physician group might look at documentation accuracy, referral integrity, and telehealth compliance.
- A vendor or business associate might zero in on data security, subcontractor oversight, and information handling practices.
Once you’ve identified relevant areas, create a simple crosswalk or table linking each OIG topic to your internal risk domains. Here’s an example of how that might look:
| OIG Topic | Organizational Impact | Planned Action |
|---|---|---|
| Telehealth Billing Accuracy | Expanding telehealth services create coding risk | Conduct focused audit of modifier usage and documentation |
| HIPAA Security Rule Oversight | Sensitive PHI stored in shared systems | Review risk analysis documentation and patch management logs |
| 340B Program Integrity | Covered entity under review | Update policy, conduct annual self-audit, and retrain staff |
| Managed Care Oversight | Contracted with MA and Medicaid plans | Validate encounter data accuracy and reporting controls |
This kind of mapping helps you convert oversight priorities into operational deliverables - the practical outputs of your compliance program. It also provides an easy way to brief management and the board. A concise summary like, “OIG has prioritized data governance; our plan is to strengthen vendor oversight and encryption controls,” shows leadership that your compliance strategy is proactive, not reactive.
Remember, not every Work Plan item will apply to your organization - and that’s fine. The point isn’t to chase every federal project, but to align your risk focus with the issues most likely to affect your operations. The Work Plan gives you a framework; your risk assessment gives it shape. Used together, they form a credible, defensible approach to compliance planning (OIG, 2025).
6. Building Next Year’s Compliance Deliverables
Once you’ve mapped OIG focus areas to your organization’s risk profile, the next step is turning those insights into tangible deliverables - the projects, reports, and documentation that demonstrate your compliance program is working.
Deliverables are what management and regulators can see, measure, and verify. They translate strategy into evidence. Common examples include:
- Updated or newly issued policies and procedures
- Internal audit reports or monitoring results
- Risk assessment summaries
- Annual training plans and completion reports
- Corrective action plans and follow-up documentation
- Quarterly or annual compliance dashboards for leadership
Start by looking at your OIG-to-risk crosswalk and identify what can realistically be produced within the next calendar year. For each OIG-relevant topic, ask:
- What output would show that we’ve addressed this risk?
- Who owns it?
- When can it be delivered?
From there, create a simple Deliverables Register - a living document that aligns each OIG-inspired goal with a deliverable, responsible party, and due date. This not only keeps your team organized but also provides a clear trail of evidence for board reports or external audits.
| Focus Area | Deliverable | Owner | Timeline |
|---|---|---|---|
| OIG emphasis on data privacy and security | Annual HIPAA risk analysis and corrective action tracking | Privacy Officer | Q1 |
| OIG attention to claims accuracy | Pre-billing audit results and staff education summary | Compliance Analyst | Q2 |
| OIG work on managed care integrity | Policy review and vendor audit of MA encounter data | Compliance Manager | Q3 |
| OIG attention to training effectiveness | Evaluation of compliance training outcomes | Director, Compliance | Q4 |
Linking deliverables to OIG priorities also strengthens your annual compliance report. When leadership asks, “How do we know our compliance plan reflects federal expectations?”, you can point to specific projects that respond directly to OIG oversight themes (Leib, 2022).
This structure builds both credibility and efficiency. It ensures your compliance team spends time on what matters most and helps management see the value behind your recommendations and requests for resources.
7. Designing the Compliance Calendar
A compliance calendar is the bridge between intention and execution. Once your deliverables are defined, scheduling them across the year turns strategy into a working plan. The goal isn’t to pack every month with activity but to distribute priorities logically, balancing depth and timing.
A good compliance calendar blends recurring obligations (like training and policy reviews) with strategic initiatives (like OIG-priority audits or risk analyses). Think of it as a visual roadmap showing when each deliverable will be addressed, who’s responsible, and how it connects to your broader compliance goals.
| Quarter | Key Activities | OIG Linkage Example |
|---|---|---|
| Q1: Foundation | Annual risk assessment, Work Plan review, compliance plan update, and policy revisions | Aligning internal risk priorities with new OIG focus areas |
| Q2: Implementation | Targeted audits, data validation, and workforce training refreshers | Conducting reviews tied to OIG oversight categories such as billing accuracy or data security |
| Q3: Monitoring & Feedback | Mid-year progress reports, corrective action tracking, and management briefings | Evaluating progress on OIG-aligned initiatives and preparing board updates |
| Q4: Evaluation & Planning | Year-end effectiveness evaluation, audit of corrective actions, and next year’s plan draft | Using OIG Work Plan updates to inform the next cycle’s priorities |
The key is consistency. Embed a short monthly “OIG Work Plan Check-In” meeting in your schedule, even if it’s just 15 minutes. Review recent updates, confirm whether any new items apply to your organization, and document that review. Over time, this habit turns into a defensible record of ongoing vigilance - an easy win for audit readiness and board confidence (OIG, 2025).
Your calendar should also coordinate with other departments’ cycles. For instance, align compliance audits with internal audit schedules, coordinate privacy and IT reviews, and time board reports to feed into executive planning meetings.
Remember, a well-structured compliance calendar isn’t just an internal tool - it’s an external signal. It shows leadership that compliance is deliberate, strategic, and integrated into the organization’s operations year-round.
8. Communicating the Plan to Leadership
Even the best compliance plan loses its impact if it isn’t clearly communicated. Leadership and the board need to see that your priorities aren’t random - they’re rooted in credible, external standards like the OIG Work Plan. Presenting the plan effectively turns oversight alignment into strategic value.
When you brief leadership, focus on translation rather than transcription. Executives don’t need a rundown of every OIG audit; they need to understand what those priorities mean for the organization. For example:
- “The OIG continues to highlight cybersecurity and data protection. We’re translating that into an enterprise-wide review of access controls and vendor encryption standards.”
- “OIG’s focus on managed care data integrity supports our plan to conduct a claims validation audit before year-end.”
These short, strategic statements connect federal oversight to organizational action - something every board appreciates.
Here are a few best practices for presenting your OIG-aligned plan to leadership:
- Start with the “why.” Briefly summarize the OIG’s role and explain that the Work Plan identifies federal priorities that shape enforcement and funding trends (Leib, 2022).
- Use visuals sparingly but effectively. A one-page table showing OIG focus areas mapped to internal initiatives speaks louder than a long slide deck.
- Show linkage to enterprise risk management. Position your compliance deliverables as controls that mitigate organizational risk categories - financial, operational, reputational, or patient safety.
- Quantify where possible. Example: “Our OIG-linked initiatives represent 60 percent of our audit plan and directly address three of the top five enterprise risks.”
- Keep a summary report ready. A two-page executive summary that references OIG priorities, internal actions, and progress to date becomes a powerful accountability tool.
Most importantly, make the OIG Work Plan a recurring reference point in your conversations with leadership. Over time, the simple phrase “As reflected in the OIG Work Plan…” helps position compliance not as an isolated function, but as an informed and forward-looking partner in governance.
9. Making “Back to Basics” an Annual Tradition
In a field as dynamic as healthcare compliance, it’s easy to get swept up by new regulations, technologies, and enforcement trends. But the strongest programs are often the ones that never stop doing the fundamentals well. Returning to the OIG Work Plan each year - before budgets are finalized and calendars are filled - keeps your compliance program grounded in the basics that matter most.
This isn’t just about efficiency; it’s about discipline and credibility. Reviewing the Work Plan regularly demonstrates that your team is methodical, informed, and aligned with federal oversight. It also reminds leadership that compliance isn’t reactive - it’s predictive. The OIG tells the industry where attention is shifting; smart organizations listen early and prepare accordingly (OIG, 2025).
Making this process a yearly tradition doesn’t have to be complicated. Each fall, take a short, structured approach:
- Review the current OIG Work Plan and flag relevant items.
- Update your compliance risk assessment and deliverables register.
- Build your next-year calendar around those priorities.
- Present your findings and plan to leadership.
- Document the review as part of your compliance file.
You’ll find a simple OIG Work Plan Review Checklist at the end of this article to help guide that process. I’ve placed this checklist in the public domain so that anyone who finds it useful is free to copy, share, or adapt it for their own compliance program.
By embedding this discipline into your yearly routine, you reinforce your program’s foundation - clarity, consistency, and credibility. Those are the traits that make compliance sustainable, even as the regulatory landscape continues to evolve. “Back to the basics” isn’t just a slogan; it’s the steady rhythm that keeps a compliance program healthy year after year.
OIG Work Plan Review Checklist
(Placed in the public domain by the author for free and unrestricted use.)
This simple checklist can be copied, pasted, or adapted into your organization’s own compliance documentation. It’s designed to help healthcare compliance professionals of all experience levels translate the OIG Work Plan into actionable steps for planning, prioritization, and reporting.
Step 1 - Locate and Access
- Visit the official OIG Work Plan page: https://oig.hhs.gov/reports-and-publications/workplan/
- Confirm the publication date of the most recent update.
- Bookmark the page and subscribe to OIG email or RSS alerts.
Step 2 - Review and Identify Relevance
- Read newly added and active projects.
- Note topics related to your organization’s functions (e.g., billing, privacy, data security, quality).
- Exclude items clearly outside your operational scope.
Step 3 - Map to Organizational Risks
- Create a short table linking relevant OIG topics to internal compliance risks.
- Identify which departments, systems, or contracts are affected.
- Flag items requiring follow-up review or validation.
Step 4 - Translate into Actions and Deliverables
- Determine what tangible evidence will show you’ve addressed each relevant topic (policy updates, audits, training, etc.).
- Add these to your compliance deliverables register.
- Assign ownership and completion targets.
Step 5 - Integrate Into the Compliance Calendar
- Schedule each deliverable into the next-year compliance calendar.
- Add a recurring monthly reminder to check for OIG updates.
- Document each review, even when no new items apply.
Step 6 - Communicate and Report
- Summarize key OIG themes for leadership and the board.
- Highlight your organization’s corresponding actions.
- Archive the summary as part of your annual compliance plan or report.
Step 7 - Evaluate and Refresh Annually
- Revisit your OIG review process each fall during annual planning.
- Adjust your risk assessment and deliverables based on OIG trends.
- Retain documentation as evidence of proactive oversight.
When applied consistently, this checklist forms a sustainable cycle of continuous alignment with federal oversight priorities - one that supports audit readiness, transparency, and long-term program maturity.
References
- Leib, M. (2022, October 12). How to use the OIG Work Plan as part of your compliance program. Health Care Compliance Association (HCCA). https://www.hcca-info.org/resources/how-use-oig-work-plan-part-your-compliance-program
- Office of Inspector General (OIG). (2025). Work Plan. U.S. Department of Health and Human Services. https://oig.hhs.gov/reports-and-publications/workplan/