On June 1, 2020, the Department of Justice’s (DOJ) Criminal Division released revisions to its Evaluation of Corporate Compliance Programs guidance for use with federal prosecutors when investigating corporations for criminal misconduct. This guidance updates the 2019 version that was covered in a previous blog post and provides insight into the DOJ’s expectations for corporate compliance programs. This guidance is particularly useful for healthcare providers and their compliance officers and should be used to evaluate and improve current compliance measures and controls. Here we highlight the new areas that DOJ prosecutors will consider when investigating compliance programs and the main takeaways for improving compliance program effectiveness.
1. Compliance Programs Should Be Adequately Resourced and Function Effectively
The DOJ revised one of the three fundamental questions that prosecutors ask when evaluating compliance programs to guide an investigation⎯ is the program being applied earnestly and in good faith? In answering this question, prosecutors are directed to evaluate whether the compliance program is adequately resourced and empowered to function effectively. The guidance states that even a well-designed compliance program may be unsuccessful in practice if it is under-resourced. In addition, the guidance includes the following clarifications for this fundamental question:
- An effective compliance program requires the involvement of senior and middle management. Fostering a culture of ethics and compliance at all levels within an organization is critical and requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.
- Organizations should invest in training and development of personnel charged with a compliance program’s day-to-day oversight. And compliance personnel should have access to relevant sources of data to allow for purposes of effective monitoring and/or testing of policies, controls, and transactions.
- Investigations and resulting discipline should be monitored to ensure they have been fairly and consistently applied across the organization.
2. Compliance Programs Should Evolve Over Time
In order to evaluate whether an organization has a well-designed compliance program, the DOJ guidance directs prosecutors to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time. The guidance highlights the importance of an ongoing risk assessment that is subject to periodic review and directs prosecutors to evaluation whether the periodic review is based upon continuous access to operational data and information across functions rather than limited to a snapshot in time. Additionally, prosecutors will consider whether there is a process to track and incorporate lessons learned into an organization’s risk assessment from its own issues as well as issues within its industry/ geographical region.
3. Maintain a Process for Accessing and Tracking Compliance Policies and Training
The DOJ emphasizes the importance of updating compliance policies and procedures. The guidance instructs prosecutors to evaluate if the organization: 1) publishes its policies and procedures in a searchable format for easy reference; and 2) tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees.
The DOJ guidance highlights the importance of providing effective workforce training. Whether online or in-person trainings, an organization should provide a process by which employees can ask questions arising out of the trainings. And organizations are expected to evaluate the extent to which the training has an impact on employee behavior or operations.
4. Establish an Effective Hotline/Confidential Reporting Mechanism
The DOJ expects organizations to have a hotline/ effective reporting mechanisms that can be used to anonymously or confidentiality report breaches and misconduct. The DOJ guidance includes the following lines of inquiries:
- Is the hotline publicized to both employees and third parties?
- Does the organization take measures to test whether employees are aware of the hotline and feel comfortable using it?
- Does the organization periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?
5. Manage Compliance Risks Posed by Third Party Partners Throughout the Lifespan of the Relationship
Organizations are expected to continuously manage compliance risks presented by third parties. Language added to the guidance asks prosecutors to assess: 1) whether the organization knows the business rationale for needing the third party in the transaction and the risks posed by third-party partners; and 2) whether the organization engages in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.
6. Conduct Comprehensive Compliance Due Diligence of Acquisition Targets and Timely Integrate Compliance Functions
The DOJ guidance focuses on comprehensive compliance due diligence and post-closing integration for mergers and acquisitions. Organizations are expected to have a process that allows for the timely and orderly integration of the acquired entity into the organization’s existing compliance program structures and internal controls. Prosecutors are directed to ask if the organization completed pre-acquisition due diligence and post-acquisition audits at newly acquired entities.
The DOJ guidance serves as an insightful resource for compliance officers. In addition, incorporating appropriate software tools into your compliance strategy will help streamline processes and serve as your first line of defense against these significant risk areas. First Healthcare Compliance’s cloud-based software offers solutions to fit your organization. Contact us today for a quick demonstration of our compliance management software solution.