NEW GUIDANCE ON CORPORATE COMPLIANCE PROGRAM EVALUATION ISSUED
BY THE U.S. DEPARTMENT OF JUSTICE
By: Lee Lasris, Co-Chair, Health Law Group, Greenspoon Marder
Board Certified Health Lawyer
What role does your corporate compliance plan play in your organization? Are you confident your plan is capable of protecting the organization against improper conduct and government investigation? Many organizations mistakenly assume that merely drafting a corporate compliance plan is sufficient to protect against misconduct. A plan that is actually developed and implemented, however, serves an integral purpose. Not only are Medicare providers required to have one, but it may also help mitigate the severity of sentencing under the Federal Sentencing Guidelines.
A properly prepared and maintained compliance plan can effectively help health care organizations identify potential issues and improper conduct while establishing a culture of compliance respected by both the organization’s workforce and third parties. Every organization should have a compliance plan that is central to the organization’s operations and of equal importance to its standard operating procedures.
How Does the Government View Compliance Plans?
The government places serious value on effective compliance plans. Prosecutors typically review the plan during an investigation of wrongdoing by an organization or its members, or during the sentencing phase of a case. The Fraud Section of the Criminal Division of the United States Department of Justice (“DOJ”) recently issued guidance titled “Evaluation of Corporate Compliance Programs” (the “Guidance”) regarding the evaluation of corporate compliance plans during a fraud investigation. The Guidance provides organizations with a preliminary set of questions that the DOJ will likely consider during an investigation and following a prosecution. These questions may also serve as a framework for building or revising a compliance plan. Note that the DOJ may make sentencing recommendations to the court following a guilty verdict, which increases the importance of a good compliance plan.
The Role of the DOJ Attorney
The Guidance directs DOJ attorneys to consider 11 topics when reviewing an organization’s compliance plan and to ask several questions under each topic in conducting an individualized evaluation. While these topics are geared towards the investigative phase of a matter, they are equally instructive to healthcare providers that wish to review their own policies and procedures, update existing policies, or gauge how the plan would fare in the event of an investigation. In either case, the Guidance provides a window into the thinking of the DOJ that should not go unheeded.
Topics to be Considered
Whether you are updating existing or creating new compliance plans, we suggest addressing the following topics outlined in the Guidance:
Analysis and Remediation of Underlying Misconduct. This topic focuses on identifying the root causes of existing misconduct and on opportunities to detect and correct future misconduct. An organization’s compliance plan should establish a mechanism for analyzing potential problems before they arise and controls to help avoid such problems. That should include undertaking a risk analysis of potential problem areas within the organization and creating systems to minimize those risks.
Senior and Middle Management. The government will review the conduct of senior and middle management, including whether they encourage misconduct or demonstrate to the workforce a commitment to compliance and remediation. The compliance plan, therefore, should firmly establish the organization’s commitment to compliance and to remediation. In order for an organization to receive credit for cooperating with the government in any investigation, it will be required to provide “all relevant facts relating to the individuals responsible for the misconduct.” It is, therefore, important that management make a sincere effort to commit both the organization and its leadership to compliance.
Autonomy and Resources. The organization’s commitment to compliance may be demonstrated through: a) the level of the compliance department’s autonomy; b) the compliance department’s stature within the organization; c) the resources devoted to the compliance department; and d) the role compliance plays in the organization’s strategic and operational decisions. In other words, is the compliance department a significant part of the organization’s structure with direct reporting lines to significant decision-makers and with adequate resources to undertake its function?
Policies and Procedures. A review of policies and procedures may include: a) evaluating the process by which the policies and procedures within the compliance plan were designed; b) determining the accessibility of the compliance plan to employees; and c) analyzing the integration of the compliance plan into the organization’s operations. This topic reflects the organic nature of the document and provides an essential guide to how the compliance plan should be conceived, implemented, and maintained. While this topic mainly focuses on remedial efforts, it suggests a number of policies and procedures that should be included in the plan. If a review of the policies and procedures is conducted during an investigation, the processes in place to prevent improper conduct will be evaluated. Where management did discover the issue, the inquiry will consider what actions were taken to address it. The inquiry will also extend to vendors involved in any misconduct.
Risk Assessment. The government will review any risk assessment undertaken by the organization in developing its policies and in detecting misconduct. The compliance plan should include a commitment to compliant conduct and a periodic review of the risk assessment, which will be used to identify, analyze, and address both potential and actual risks.
Training and Communications. An organization should examine the training, guidance, and resources provided to employees, especially those provided to employees in high-risk areas. The training should be tailored for both high-risk and control areas, specifically areas where misconduct previously occurred. The government looks to the effectiveness and appropriateness of the training and to whether senior management’s position on misconduct was adequately communicated.
Confidential Reporting and Investigation. The compliance plan should include systems for collecting, analyzing, and investigating information regarding allegations of misconduct. Investigations should not only focus on the actual misconduct, but also identify the root causes, system vulnerabilities, and lapses of supervisory accountability that account for the misconduct in question, so that future misconduct can be avoided. The government will look to whether the investigation was objective, properly conducted, and well-documented. The organization should have a process for responding to investigative findings through disciplinary action and training.
Incentives and Disciplinary Measures. The compliance plan should set forth consistent and fair processes for taking disciplinary action against employees and their supervising managers when misconduct occurs. The organization should document all disciplinary actions, including the type of conduct at issue, whether the individual was disciplined in the past for the same or similar conduct, and whether any other person in the organization was previously disciplined or terminated for the same or similar conduct. The organization should regularly review its disciplinary policies, evaluating whether disciplinary action is applied consistently throughout the organization and is effective in deterring the type of misconduct it aims to prevent. The organization should also ensure employees are aware of what actions are considered misconduct, and it should incentivize good behavior while remaining cognizant of any unintended effects of those incentives.
Continuous Improvement, Periodic Testing and Review. The government will also look to whether the organization engaged in internal audits and reported to management or the board of directors any issues discovered. Prompt remedial action should be taken to eliminate issues discovered through the audit. The government will also consider whether the organization audited its compliance policies, procedures, and practices to determine whether they are still relevant to the organizational structure and operations. Problematic or high-risk areas should be audited more frequently than less risky areas.
Third Party Management. Due diligence in vetting third-party risk is important. The mechanisms used to identify risk should vary based on the size and nature of the third party, the type of transaction, and the organization’s historical relationship with the third party. Organizations should continuously monitor third-party relationships and train relationship managers about compliance risks arising from third parties and how to manage them. At a minimum, if the organization is a covered entity under the Health Insurance Portability and Accountability Act, it should execute a business associate agreement with any third party that handles protected health information on its behalf.
Mergers and Acquisitions. Mergers and acquisitions create both risks and opportunities for an organization. To minimize the risk of misconduct, the organization should conduct a thorough due diligence assessment of the entity being acquired or merged. The organization’s compliance plan should be integrated into the merger, acquisition, and post-closing integration process, and the organization should track and remediate any misconduct identified during the due diligence period.
The Guidance notes that the DOJ “does not use any rigid formula to assess the effectiveness of corporate compliance programs,” but rather conducts a “particularized evaluation” and “individualized determination in each case.” Therefore, when an organization is constructing or reevaluating its compliance program, it should pay particular attention to the Guidance alongside maintaining the organization’s individualized needs. The central focus should be whether the corporate compliance program effectively detects and prevents wrongdoing and whether corporate management is enforcing the program.
At a minimum, your corporate compliance program should be well-designed and applied in good faith, taking into consideration, among other things, the degree of criminal misconduct to be avoided, the number of corporate employees within the organization, the gravity and length of the discovered misconduct, and the possible remedial actions to be taken by the corporation. Specifically, compliance officers and decision makers within the organization should consider the following:
Establish a “culture of compliance,” beginning with the board of directors and senior executives setting the appropriate tone for the organization.
Ensure that the code of conduct is clear, concise, and accessible to all employees.
Assign responsibility for oversight and implementation of the compliance program to appropriate decision makers, including the appointment of a compliance officer.
Engage in a risk assessment of the organization and ensure that appropriate policies are adopted to address identified risks.
Ensure that relevant policies and procedures are communicated throughout the organization in a manner appropriate for employees.
Set clear and appropriate disciplinary procedures that are applied consistently, promptly, and fairly.
Develop a confidential mechanism for individuals to report suspected or actual misconduct or violations of company policies.
Test and review policy controls, risks, and weaknesses on a continuous basis.
Incorporate risk-based due diligence practices in line with the corporate compliance program when interacting with third parties.
Ensure due diligence prior to and during a merger or acquisition, taking into account the corporation’s compliance plan.
The DOJ’s “Evaluation of Corporate Compliance Programs” Guidance may be found
For assistance with constructing or reviewing your corporate compliance program, please contact Lee Lasris, Jodi Laurence, or any other member of Greenspoon Marder’s Florida Health Law Center. They may be reached at (954) 491-1120.