On September 28, 2022, the Assistant Attorney General for the Criminal Division of the United States Department of Justice (DOJ) joined the Inspector General for the United States Department of Health and Human Services (HHS-OIG) to offer some stern advice for corporate leaders and compliance officers. In his remarks, Polite made clear that corporate leaders should not only invest in sophisticated data analysis, but also be prepared to show how they use data analysis to improve and enhance compliance. Speaking at a joint appearance at the American Health Law Association conference in Baltimore, Assistant Attorney General Kenneth Polite, Jr. – a former Chief Compliance Officer – succinctly cautioned: “Invest in compliance early and often. Corporate leaders who fail to do so? They do so at their own risk.”

Polite’s warnings come less than a week after Deputy Attorney General Lisa Monaco announced a renewed focus on individual accountability in corporate criminal enforcement. This consistent narrative highlights the Department’s enhanced scrutiny on the actions of individual bad actors in corporate prosecutions, coupled with the Department’s reaffirmed expectation that companies proactively implement and maintain robust compliance controls. Simply put, individuals will be held accountable their misconduct, as will their employers if they lack sufficient and appropriate compliance monitoring and controls.

To further amplify the point, HHS Inspector General Christi Grimm added that corporate leaders should understand that OIG investigators and prosecutors increasingly use data analysis to focus their investigations on outliers and data trends that signal potential corporate and individual misconduct. Grimm made clear that corporate compliance functions should analyze company data in the same way investigators do in order to detect problematic conduct quickly. Grimm explained that data analysis allows the government to “fight fire with fire,” so corporate leaders should “make sure [to] have accurate and timely data” within their own compliance programs. Specifically, corporations need to invest in data collection systems and apply forensic expertise to review and understand the compliance implications of their business operations—because that is exactly what investigators and enforcers have been and are doing when they decide where to direct their investigative attention.

AAG Polite echoed Grimm’s comments, emphasizing the “importance of data in the compliance function.” For example, as he has recently asserted in other public statements, Polite said that Corporate Compliance Officers need to have ample resources and comprehensive administrative access to be effective. This capability is necessary to identify problematic patterns in business activity, and it will also demonstrate to enforcers that the corporation responds appropriately to troubling patterns and markers of misconduct. Of course, Polite added, DOJ also expects companies to be able to provide tangible evidence of how they use data analytics to develop and enhance compliance.

Adding a finer point, Polite said that DOJ prosecutors will consider the extent of a company’s use of data to inform its compliance function when determining how to resolve an investigation. This will be folded into DOJ’s determination of whether a company’s compliance function was sufficiently resourced, and whether the company adequately responded when misconduct was discovered. As a former Chief Compliance Officer, Police candidly told the audience that he knows from experience that the compliance department is often siloed and without a voice in the corporation. The CCO must have “a seat at the table” and “this is an expectation of DOJ.” It is worth noting that former Chief Compliance Officers are getting a seat at the able at DOJ, too – both former Hewlett Packard Chief Compliance Office Glenn Leon and former Anheuser-Busch InBev’s Global Compliance Chief (and data analysis expert) Matt Galvin have joined the Fraud Section of DOJ’s Criminal Division this year.

AAG Polite lamented that the biggest challenge that prosecutors face is trying to keep up with the ever-evolving schemes perpetrated by bad actors. Given this reality, Polite again echoed Grimm’s emphasis on data-driven investigative activity, explaining that it is necessary to effectively monitor the enormous healthcare industry. Similarly, Grimm noted that her office’s biggest challenge is limited resources, closely followed by the increasing complexity of the industry and the schemes used by fraudsters.

Further, Grimm, as well as Polite, pointed to telemedicine as a new frontier for bad actors to easily scale what used to be regional into nationwide schemes generating massive corrupt revenue. They agreed that telemedicine is here to stay, however, and for good and important reasons. As such, both DOJ and HHS-OIG are working on rules to catch up to this fast-developing field. Telemedicine companies should therefore prioritize comprehensive compliance programs that focus on data collection, analytics, and expertise to prepare for the inevitable investigative knock-on-the-door.

Officials at DOJ and HHS-OIG will continue to elaborate on the changes in DOJ enforcement policy announced by Deputy Attorney General Monaco last month, and these early comments by Polite and Grimm provide an important data point. The fact that their advice focused on the role of data analysis in a compliance program is significant because DOJ has made clear that a well-resourced and well-run compliance program will be an important factor in determining how to resolve cases and in deciding whether a corporate monitor should be imposed. With this in mind, companies should ensure that their compliance programs use data analysis in at least three ways:

  • to identify and detect trends in their own data that might suggest misconduct,
  • to investigate problematic data trends quickly, and
  • to modify and improve their compliance programs based on lessons learned from data analysis.

Using data analysis in these ways requires expertise and investment, a reality which recalls Polite’s advice to invest in compliance “early and often.” Companies that follow this guidance will improve their compliance programs and put themselves in the best possible position should misconduct occur and enforcers come knocking.