The US Department of Justice Criminal Division Fraud Section has issued a new guideline for the Evaluation of Corporate Compliance Programs. The guidance expands the former "Filip Factors" and incorporates subsequent standards that are derived primarily from FCPA and anti-corruption publications from the DOJ and SEC, as well as from various global organizations that collaborated in an attempt to implement the G20 governmental summit Anti-Corruption Action Plan.

Because the US health industry is generally regulated on a national, state or local basis, some health organization compliance programs may not have reviewed these guidance documents or incorporated some of the compliance functions that are emphasized in the global anti-corruption context.

For example, the guidance essentially expands two new lines of inquiry into standalone components of an effective compliance program – third-party management and mergers and acquisitions. These issues have traditionally been incorporated into compliance programs under the rubric of other established elements such as risk assessment or audits and monitoring. Now, these matters are subject to independent, detailed review.

The guidance clearly demonstrates that organizations cannot disavow responsibility for the misconduct of their third-party vendors. Compliance programs are now expressly required to implement an effective process for overseeing third-party relationships. The DOJ will assess the organization's efforts concerning the procurement process, due diligence prior to selecting a vendor, and incentivizing compliance by vendors through contractual provisions.

With respect to mergers and acquisitions, the DOJ will evaluate the pre-acquisition due diligence process by determining who performed the risk review and assessing that entity's diligence methodology. The DOJ will also inquire whether the organization identified any risks of misconduct during diligence. Additionally, organizations may need to demonstrate how they tracked and remediated any identified risks and implemented compliance program improvements after closing.

The guidance also reflects a more detailed inquiry into other compliance program elements. For example, the DOJ will assess the organization's root cause analysis of any misconduct at issue to ensure that the analysis was performed by appropriate personnel and that it properly identified any systemic issues. The DOJ will also determine whether the organization missed any prior opportunities to detect the misconduct and, if so, the reasons for the lapse.

The DOJ will evaluate the role and conduct of senior and middle management, inquiring how senior leaders have modelled proper behavior to subordinates. An organization may be asked to identify specific actions taken by its leaders to demonstrate their commitment to compliance.

In addition, the DOJ will evaluate the training and compliance expertise of board members and compliance professionals. It will review compliance officer compensation levels, reporting lines, performance reviews, and access to senior leaders and board members. It will also evaluate the allocated personnel, resources, and turnover rates of compliance departments. The DOJ will inquire whether compliance professionals had previously raised concerns or objections and how the organization responded to those concerns.

Action steps for healthcare companies

The new guidance expands the types of inquiries that have been typical in assessing health industry compliance programs and demonstrates a concerted effort to look beyond form to substance. The DOJ recognizes that each compliance program must be evaluated through an individualized determination. However, the government will be making these determinations with the benefit of hindsight, and with the healthy skepticism of a Division that has already identified potentially criminal activity.

Thus, it is crucial for each health industry organization to ensure that its boards and senior leaders are demonstrably committed to maintaining an effective compliance culture. The commitment begins with board member and executive engagement with the compliance department and public messaging throughout the organization. Board members and executives can no longer simply delegate compliance messaging to the compliance department.

Senior leaders must also authorize appropriate empowerment of the compliance department by allocating adequate resources, maintaining communication with the department, eliminating perverse incentives elsewhere within the organization, and responding appropriately to concerns raised by compliance professionals. Although a compliance program is evaluated by its collective expertise, health organizations are responsible for ensuring that compliance professionals have the requisite skills to recognize and help remediate major compliance risks.

Corporations must also remain engaged with third-party vendors to ensure that they comply with regulatory requirements. This may require inclusion of outside organizations into existing risk assessments or audit and monitoring plans.

Organizations must ensure that consultants and advisors are qualified to identify ongoing risks as well as specific risks related to mergers and acquisitions. Outside advisors are expected to possess the credentials and skills needed to identify risks, and senior leaders are expected to have the training and experience necessary to appreciate them. Moreover, organizations should develop work plans to confirm that a target's noncompliant practices are corrected and remediated after acquisition. Should an organization use legal counsel to perform a due diligence review, it will be crucial to maintain communication safeguards to preserve appropriate privileges.

Finally, organizations should be able to demonstrate that they have responded to identified risks with appropriate remedial action and performed adequate root cause analyses to prevent recurrence. The government may heighten its scrutiny if an organization has missed previous opportunities to remediate similar conduct or if there is a pattern of high attrition within the compliance department.

Health organizations should consider some making some well-designed modifications to their existing compliance program capabilities now. A few simple, targeted improvements could result in substantial future benefits.