The Department of Justice (DOJ) issued new guidance on corporate compliance programs. Risk managers should use the guidance to tailor and optimize their compliance programs.

• The guidance provides specific questions to ask about your own program.

• DOJ expects companies to police the compliance of third parties.

• The guidance illustrates DOJ’s expectation that effective compliance programs will evolve over time.

The Criminal Division of the U.S. Department of Justice (DOJ) recently released a guidance document for white-collar prosecutors on the evaluation of corporate compliance programs, and it should be a valuable tool for risk managers.

The document, released in April 2019, updates a prior version issued by the division’s Fraud Section in February 2017. DOJ issued a statement saying the new guidance “seeks to better harmonize the guidance with other department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.” (The updated guidance is available online at: https://bit.ly/2lEphmk.)

The guidance signals the DOJ’s commitment to corporate compliance programs, says former assistant U.S. attorney Jason Mehta, JD, now an attorney with the Bradley law firm in Tampa, FL.

“While many would have thought that the government would be more lax in corporate enforcement under the Trump administration, this policy in some ways is more robust and more vibrant than in past administrations,” he says. “Enforcement is here to stay for the long haul, and the more companies recognize that, the more they can see corporate compliance as a chance to improve rather than as yet another hurdle to overcome.”

Any time the government lays out its thinking and its metrics on how it evaluates compliance programs, risk managers should really be paying attention, Mehta says.

“This is the playbook of how the government is going to evaluate corporate compliance programs, the roadmap, and the things it cares about. Healthcare companies would be well-served by scrutinizing this guidance and making sure their own programs comport with it,” he adds.

The guidance explains that companies need to tailor their corporate compliance programs to the risks facing the organization, Mehta says. Companies should identify their areas of high risk and low risk, apportioning their resources and efforts accordingly.

“Understanding that baseline expectation is really critical. It should force healthcare companies to think critically about their own companies, where they have vulnerabilities, and devote the corresponding resources there,” Mehta says.

The guidance also makes clear that DOJ expects companies to police third parties they work with. “This really puts a burden on companies to understand who their partners, agents, and consultants are, and then to think about whether they are doing enough due diligence on these parties,” he says. “That means understanding things like who the top referrers are, the top prescribers, and making sure that not just your own company is compliant but those third parties are, too.”

The government also is focusing on how a compliance program is implemented and maintained — not just how it is initially formed, Mehta notes. Risk managers should make sure that executives in the company are demonstrating leadership with the compliance program, modeling proper behavior, and not tolerating compliance risks. Companies also must ensure that all employees are educated on the compliance program.

Plenty of Advice From DOJ

This recent guidance from the DOJ is another welcome prosecutorial focus on the importance of compliance programs, says Gary Giampetruzzi, JD, partner at the Paul Hastings law firm in New York City and vice chair of the firm’s Life Sciences practice.

“It breaks the subject of programs down nicely from the design with the expected subcategories of coverage, to the effort at the implementation, and then the question of whether the program was effective in operation — the latter two core categories also including subcategories of coverage,” Giampetruzzi says.

“While a document 19 pages or so in length cannot spell out all that could be spelled out on the broad topic of compliance programs, this one does offer enough to enable internal and external practitioners alike to confirm what might have been existing thinking — or, in some cases, redraw focus on topics that tend to fall out of focus for too many at times, like the subject of threshold risk assessments — which receives a fair amount of real estate — and relatively thorough treatment for what could be otherwise considered such an established topic.”

There also are elements of the document that suggest a keener understanding today regarding the actual complexities associated with operationalizing compliance programs, which the document specifically calls out, Giampetruzzi says. The role of controls gatekeepers also receives what he calls an interesting and justifiable focus.

“The importance of the close cousin to the compliance control — the financial control — is very much present for those looking for it, and really needs to be considered by the compliance professionals more routinely focused on compliance policies and procedures,” he says.

Giampetruzzi notes that there is even a good question nestled in the guidance regarding compliance resources: “Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?”

“The operationalization of that Q&A itself should prove interesting within some companies,” he says. “All in all, a pretty good effort by the DOJ on the subject of compliance.”

More Detail Than Previous Guidance

Much of what is new in the guidance is the level of detail rather than a major shift in policy, says Jason de Bretteville, JD, shareholder and chair of the litigation department with the Stradling law firm in Newport Beach, CA. It addresses familiar topics including the role of the compliance function within the organization, the need for skilled internal investigators, the limits of outsourcing compliance functions, the relationship between risk assessment and program design, and the role of compliance in mergers and acquisitions transactions, all with a greater level of detail than the prior guidance provided, he says.

It should be used to educate and secure support for the compliance function from directors and senior executives, and as a resource in assessing the adequacy of existing compliance efforts, de Bretteville says.

“The most fundamental aspect of the guidance is its focus on the need to perform and document a meaningful risk assessment as a predicate to designing a tailored ‘fit for purpose’ compliance program,” de Bretteville says.

He cites these key points of emphasis in the guidance: the need to establish an autonomous and robust compliance function on par with other key business units; involve business stakeholders in designing a risk-based program; achieve demonstrable buy-in from middle and lower management; provide training that is tailored to each audience and includes real-world examples; incorporate both incentives for good behavior and consequences for breaches; conduct meaningful testing; and perform a root cause analysis in response to any breach and implement changes that address that root cause as part of remediation.

“For larger enterprises with mature compliance programs, the guidance provides a basis on which compliance officers can drive the organization to improve program design by undertaking meaningful assessment of the unique risks faced by healthcare organizations on a reiterative basis, and devote adequate resources to that program,” de Bretteville says. “For smaller companies, the emphasis on risk assessment will help compliance officers advocate for and defend more focused and efficient compliance programs that target the greatest sources of risk to the specific organization.”

Begin With Formal Risk Assessment

When evaluating whether a compliance program is well-designed, a critical step is to begin with a formal risk assessment, says Anthony J. Phillips, JD, principal with the McKool Smith law firm in Houston.

The risk assessment should focus on the risks and types of misconduct most likely to occur in the organization’s line of service, particularly the most relevant regulatory structures and requirements. Compliance professionals should use the results of this risk assessment to guide the drafting of policies and procedures that appropriately address risk areas, and training programs for employees and important third parties such as agents, affiliates, and acquisition targets, he says. The assessment also should guide a communication plan to ensure the program’s messaging is broadly delivered.

“It is best to benchmark one’s program against peer organizations — both by lines of service and institutional size — and to update the risk assessment periodically, ensuring that one’s program is keeping up with changing risks and compliance industry norms,” Phillips says.

Once confident in the compliance program design, it is important to ensure that the program is implemented effectively, he says. Leadership must set the correct tone from the top of the organizational structure, and a culture of compliance must be integrated throughout the organization.

“These goals can be achieved by ensuring that the organization’s compliance function is well-resourced and has sufficient autonomy to review, investigate, and remediate potentially noncompliant processes by supporting regular audits of high-risk areas, and by ensuring effective discipline in the event that actual misconduct is discovered,” Phillips says. “In fact, organizations should proactively encourage inquiries to the compliance office and reporting of potential misconduct. It is equally important to guarantee freedom from retaliation and protection for good-faith reporters and witnesses cooperating with an investigation.”

The effective compliance program will incorporate real-world compliance issues faced by the organization into employee and third-party training and certification programs, Phillips says.

An organization also has to ensure that the compliance program is working, Phillips says. Of significant importance is broad dissemination of compliance program results in an effort to ensure a thorough understanding of the role of compliance in the organization, he says. An effective compliance program might include regular messaging from senior management of compliance “saves” as well as anonymized discipline for policy violations.

“It is also important to ensure that compliance reports are promptly and effectively investigated, including root cause analysis, any necessary training or certification of actors involved, and documented accountability for mistakes or misconduct, up to and including termination, where appropriate,” he says. “A compliance program that is working properly will learn from trends in compliance reporting, the findings of investigations, and any necessary remediation efforts to continuously improve the program.”

Phillips adds another point that is not in the guidance but that is particularly useful for compliance professionals: Proactively involve other administrative functions in your compliance program. The legal department, human resources, internal audit, and corporate security all are natural allies of the compliance department, he says. A compliance professional can create powerful synergies with these allies that strengthen the program’s design, improve implementation, and ensure that the program is actually working, he suggests.

No Rigid Formula for Prosecution

It is not clear how the DOJ will use the 2019 guidance going forward, says Kathy Butler, JD, an officer and leader of the Healthcare Practice Group at Greensfelder, Hemker & Gale in St. Louis. Many of the concepts that are explained in more detail in the 2019 guidance have been used by prosecutors in the past when making enforcement decisions, she notes.

“The 2019 guidance itself notes that there is no rigid formula to assess the effectiveness of a corporate compliance program, and the sample topics and questions are not designed to be a checklist or a formula,” Butler says. “Each organization’s compliance program will be different based on risk profiles and resources, and each will be evaluated by the DOJ in the specific context of a criminal investigation. The 2019 guidance sets forth the common questions prosecutors will take into consideration when evaluating a corporate compliance program during an enforcement action, but it is guidance — not law or regulation — and not all of the guidance will apply to every corporation.”

However, Butler says, publishing the 2019 guidance effectively puts healthcare providers on notice of what prosecutors will be looking at when they evaluate compliance programs, including design and operation with respect to training, investigations, and management. The framework of the guidance gives providers a resource to proactively assess their compliance programs based on relevant portions of the guidance and, if necessary, make changes to improve their policies and processes, she says.

“Providers who use the 2019 guidance as a resource to improve their corporate compliance programs may reduce the risk of compliance failures that may lead to investigation or prosecution. Or, if the provider should become the subject of an investigation, it may demonstrate the provider’s efforts to maintain an effective compliance program,” Butler says. “Healthcare risk managers should read the 2019 compliance guidance carefully, and use the questions in the document that are relevant to that provider to evaluate the current status of the provider’s corporate compliance program.”

The DOJ understands that corporate compliance programs will differ based on the provider’s risk profile and resources, Butler says, but in any enforcement action, DOJ will expect prosecutors to ask the three fundamental questions with respect to program design, implementation, and effectiveness.

“The 2019 compliance guidance focuses on the compliance program from top to bottom, so getting senior and middle managers involved in the compliance process is an important part of the evaluation,” Butler says.

• Jason de Bretteville, JD, Shareholder, Stradling, Newport Beach, CA. Phone: (949) 725-4094. Email: jdebretteville@sycr.com.

• Kathy Butler, JD, Officer, Greensfelder, Hemker & Gale, St. Louis. Phone: (314) 516-2661. Email: khb@greensfelder.com.

• Gary Giampetruzzi, JD, Partner, Paul Hastings, New York City. Phone: (212) 318-6417. Email: garygiampetruzzi@paulhastings.com.

• Jason Mehta, JD, Bradley, Tampa, FL. Phone: (813) 559-5532. Email: jmehta@bradley.com.

• Anthony J. Phillips, JD, Principal, McKool Smith, Houston. Phone: (713) 485-7309. Email: aphillips@mckoolsmith.com.