If anyone needed a wakeup call as to how critical a functioning compliance system and culture is, look no further than the recent reports in the Austrian media about allegations of fraud launched against a surgeon working at one of Vienna's most renowned public-sector hospitals. Accusations surfaced in July that the surgeon had falsified operating room records: claiming to be in surgery at the respective hospital, while actually performing surgery in another, privately-held hospital.

The allegations were brought to light by a whistleblower and triggered an internal investigation by the hospital operator, for which a special board comprised of external surgeons and other experts was set-up. The surgeon has meanwhile been dismissed by the public-sector employer pursuant to media reports.

Leaving aside the negative publicity this case has triggered, time and effort invested and the costs incurred by the hospital operator have been considerable. Following the allegations in the media, comparable behavior is alleged to be widespread – the case has been described as "the tip of the iceberg".

Non-compliant behavior in healthcare clearly in the spotlight and clearly a material risk

For too long not taking applicable laws and regulations seriously has been considered a trivial offence. In fact, these "trivial offences" have created an iceberg of loss (the result of corruption and fraud) that the European Healthcare Fraud and Corruption Network values at EUR 56 billion. No wonder enforcement efforts have been sharply increased over the last years, focusing on different layers of unlawful behavior:

  • Enforcement authorities are increasingly investigating corruption and fraud in the industry. They are supported by OLAF, the European Anti-Fraud Office, which has developed a system of "red flags" to detect problematic public procurement projects and have identified cross border fraud cases involving the misuse of EU funds. Only recently in Slovakia, a EUR 17.6 million fraud case involving the supply of medical equipment from the Czech Republic to Slovakia, resulted in OLAF recommending the recovery of all the EU funds and the handover of the matter to the Slovak authorities for further investigation. Similar cases have been detected in other CEE jurisdictions.
  • Pharmaceutical companies have faced investigations into bribing officials and practitioners when introducing new drugs.
  • Competition authorities are scrutinising healthcare tenders in the CEE region and have established close contacts with tendering authorities to detect and investigate bid rigging. Only recently, the Hungarian competition authority, for example, settled a case regarding a tender for radiology equipment.

Compliance is core management responsibility

Compliance affects every type of healthcare provider and healthcare organisation, from the individual physician to the large international healthcare group. Traditionally in a strongly regulated industry, setting up a robust compliance framework is of utmost importance in the healthcare industry, particularly nowadays with increased enforcement activity and ever-changing regulations.

It is a core management responsibility to ensure that the conduct of the organisation is in line with applicable rules and regulations. Consequently, the top management body bears the ultimate responsibility for a healthcare organisation's compliance – or lack thereof.

A sound compliance management system (CMS) must meet certain minimum criteria. Over the last few years these minimums have been enshrined in several norms, also to create a standard against which the robustness and effectiveness of a system can be audited. For example, Austrian Standards have published ONR 192050, TÜV Rheinland adopted TR CMS 101:2011, and the International Organisation for Standardisation has published ISO 19600:2014. All norms have the commonality of a functioning CMS consisting of an iterative process of planning, implementing, checking and reacting, involving all relevant hierarchy levels from the top to the bottom of the organisation as well as, where needed, external support.

Most importantly, a functioning compliance framework requires a robust culture. The individuals within an organisation must develop a clear understanding that acting in compliance with applicable rules, regulations, and ethical standards, is not only a core obligation, but is of paramount importance to the reputation, integrity and (market) standing of an organisation – factors which ultimately define its success and continuity.