Healthcare professionals involved in compliance programs have new guidance from the Criminal Division of the Department of Justice (DOJ), which recently issued a document that tells white-collar prosecutors how to evaluate compliance programs.
DOJ’s Fraud Section issued similar guidance in February 2017, but this new guidance “seeks to better harmonize the guidance with other department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program,” the department said in a written statement. (The full DOJ statement is available at: . The updated guidance is available at: .)
The 2019 guidance, like the 2017 guidance before it (and guidance from the Office of Inspector General of the Department of Health and Human Services [HHS-OIG] issued that same year), reflects a practical method for assessment of organizations’ compliance programs, says Michael B. Lampert, JD, partner with Ropes & Gray in Boston. The guidance offers specific illustrations of what compliance professionals should focus on.
“For example, the guidance does not ask whether an organization has conducted a risk assessment process, but instead asks what methodology a company’s risk assessment process has followed,” he notes. “Likewise, the guidance asks how companies measure their training effectiveness, not whether there is training, and how a company assesses its employees’ capacity to seek advice [as well as] how and how often a company assesses its culture of compliance.” In brief, the guidance takes a compliance program’s existence as a given and looks more deeply into how a company’s compliance program really works and how it has evolved over time, Lampert explains. Organizations may assess the specific “how” questions that DOJ has asked.
For healthcare organizations that have operated with a view toward the old HHS-OIG compliance program guidance documents, Lampert says a striking part of the guidance may be where it begins: with risk assessments. “While risk-based construction of a compliance program is not a new concept, and has been part of corporate integrity agreements for a few years now, it is not the starting point of old HHS-OIG guidance, the way that it is for the guidance here,” he says. “Articulation of risk assessment as the first stage for a compliance program, at least at the point of measurement, is of significance. For healthcare organizations still basing their programs primarily off the HHS-OIG historic guidance, [the new guidance is] potentially a newly articulated area.”
Compliance officers can use the guidance to assess their own programs, Lampert says. The guidance provides very specific tools for measuring program effectiveness. “Like the 2017 DOJ and HHS-OIG guidance, these may be seen as tools with numerous parts, some of which can be used immediately, and some of which will not be for a particular organization,” Lampert explains.
“But, whatever the point of evolution of a company — and nature of its risks — the guidance provides a menu from which companies’ compliance officers may select. For that matter, it provides a menu from which board members assessing a compliance program’s operations or operators assessing a potential acquisition target may select.”
No Wholesale Change
Lampert notes that while the 2017 DOJ guidance bound only the Fraud Section, the 2019 version binds the full Criminal Division. The 2019 guidance also reflects a reorganization at DOJ.
“But neither of those observations reflects a wholesale change, and that may be the takeaway. The guidance in some ways broadens, and through some new questions sharpens, but it does not radically change the world from the situation that organizations encountered in 2017,” Lampert offers.
DOJ also recently announced a policy change regarding antitrust compliance, saying the agency will now consider a corporation’s compliance efforts when making charging decisions in a criminal antitrust investigation. (See the sidebar at bottom of page for more on that policy change.)
Substance Over Form
An overriding theme of the guidance can be summed up in three words: “Substance over form,” says Geoffrey R. Kaiser, JD, partner in the Compliance, Investigations & White Collar group with Rivkin Radler in Uniondale, NY. “Prosecutors are instructed to ask the hard questions that delve beneath the surface of a company’s compliance program to determine whether the program is truly effective and deserving of consideration in making charging decisions and formulating more lenient dispute resolutions,” Kaiser explains.
The guidance is clear that differences in risk profiles among companies require that DOJ make a “particularized evaluation” and “individualized determination” in assessing such compliance programs, Kaiser notes. However, receiving the benefit of prosecutorial discretion depends on an evaluation of three foundational compliance program areas: program design, program implementation, and program efficacy, he adds.
Key Questions to Consider
The updated DOJ guidance includes detailed questions relating to three broad program areas that healthcare organizations may use to evaluate the status of their own compliance programs and whether improvements are required to meet DOJ’s expectations. Kaiser provides this summary of the recurring themes reflected in these questions:
- Is compliance taken seriously by the organization as reflected in resource allocations, reporting lines, and the conduct of senior leadership?
- Is attention paid, through risk assessments and audits, to the riskiest aspects of the organization’s business operations? Are the criteria for those assessments and audits updated periodically to reflect the current risk environment?
- Are identified compliance issues addressed in good faith, or are they ignored?
- Do employees receive training appropriate to their positions and to the risk environment? Is training efficacy measured?
- Does the organization conduct appropriately scoped investigations in response to allegations of noncompliance? Are the results of those investigations shared appropriately within the organization?
- Does the organization demonstrate a commitment to remediate misconduct by holding individuals accountable and correcting operational deficiencies that may have allowed the misconduct to occur?
- Are the organization’s policies and procedures effectively designed and communicated?
- Are there anonymous compliance reporting systems, are they used, and is information received through those systems appropriately handled and disseminated to those with responsibility to act on the information?