Evaluating Corporate Compliance Programs

The Department of Justice’s (DOJ) Criminal Division recently released a guidance document titled “The Evaluation of Corporate Compliance Programs” for use by federal prosecutors when investigating corporations for criminal misconduct. This new document updates the 2017 version in order to align with internal processes while providing additional context to the government’s analysis of a company’s compliance program. Healthcare organizations should take heed and use this guidance to improve their healthcare compliance initiatives. Here we highlight some of the main topics and questions prosecutors will consider in their investigation. This is also relevant when evaluating corporate compliance programs for your healthcare organization.

The DOJ’s guidance document sets forth topics and questions organized around three fundamental questions that prosecutors ask when evaluating compliance programs to guide their investigation:

One – Is the compliance program well-designed? 

In determining whether the program is adequately designed, the DOJ will look at the organization’s risk assessment and whether it addresses risks presented by factors such as its location, industry, the competitiveness of the market, the regulatory landscape, potential clients/business partners, transactions with foreign governments and payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations. Some of the questions prosecutors may consider in this area include:

  • What methodology was used to identify, analyze, and address the particular risks the organization faces?
  • What information/metrics were used to help detect the type of misconduct in question? How has this informed the organization’s compliance program?
  • Does the company give greater scrutiny to high-risk transactions than more modest and routine transactions?
  • Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned?

Assessing the compliance program will include an evaluation of the organization’s policies and procedures, including the code of conduct. DOJ will consider the organization’s process for designing and implementing new policies and procedures, the individual(s) responsible for the process and whether policies reflect the organization’s risk. Policies should be understandable and communicated to employees and reinforced through the organization’s internal control systems.

Training and communications regarding the compliance program must be appropriately tailored to the audience’s size, sophistication, or subject matter expertise. As examples of this, the DOJ noted organizations that give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis. In determining the effectiveness of an organization’s training curriculum, prosecutors will look at risk-based training (whether high-risk employees received tailored training), the form/content/effectiveness of training, how misconduct is communicated to employees, and the availability of guidance resources relating to policies and procedures.

The organization’s confidential reporting structure and investigation process will also be assessed. The DOJ will look to the effectiveness of the reporting mechanism, how it is publicized to employees, and how reported allegations are assessed. Organizations must have a process for determining which allegations are investigated. These investigations must be independent, objective, appropriately conducted, and properly documented. The investigation response process and tracking of results are also areas DOJ will evaluate.

Further, organizations will be evaluated on their management of third parties and due diligence efforts for merger and acquisition targets.

Two – Is the compliance program effectively implemented?  

The compliance program cannot be a “paper program.” Senior and middle management must be committed to ethics and compliance for effective implementation of a compliance program. The DOJ will examine the actions of senior management and whether they have clearly articulated the organization’s ethical standards. Middle management is expected to reinforce these standards to employees. Specifically, the DOJ will assess how top executives have modelled proper behavior and whether managers allowed compliance risks in pursuit of new business or greater revenues.

The DOJ is also interested in the compliance expertise available to the board of directors and how the board has exercised oversight over compliance functions. Personnel in charge of compliance functions will also be evaluated on whether they have: i) sufficient seniority within the organization; ii) sufficient resources for auditing, documentation, and analysis; and iii) sufficient autonomy from management (direct access to the board of directors or the board’s audit committee). Prosecutors will be responsible for inquiring into the compliance function’s structure, autonomy, seniority and stature, and whether any functions have been outsourced. In addition, the experience, qualifications, and resources of compliance personnel will be evaluated.

In assessing the implementation of the program, DOJ will determine if incentives for compliance and disincentives for non-compliance have been established. The DOJ noted that positive incentives drive compliance, such as personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership.

Prosecutors will review the organization’s disciplinary procedures and whether they are consistently and fairly enforced and commensurate with the violations. Questions for evaluating this area include:

  • Who participates in making disciplinary decisions?
  • Is the same process followed for each instance of misconduct, and if not, why?
  • Are the actual reasons for discipline communicated to employees? If not, why not?
  • Have disciplinary actions and incentives been fairly and consistently applied across the organization? Are there similar instances of misconduct that were treated disparately?
  • How does the company incentivize compliance and ethical behavior?
  • Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

Three – Does the compliance program actually work in practice? 

The fact that misconduct occurred does not by itself indicate that the organization’s compliance program was ineffective. There are a number of items that factor into the DOJ’s assessment here—if and how the misconduct was detected, the resources available to investigate suspected misconduct, whether a root cause analysis was conducted, the remedial efforts taken, whether the program has evolved to account for compliance risks, and whether changes to the program have been tested to ensure similar misconduct will be prevented/detected in the future.
