How does one measure compliance program effectiveness? This is a question that bedevils organization executives and boards of directors. Management and directors alike want to know that the significant time and treasure necessary to create and operate the compliance program is actually a good investment. Earlier this year, the two main law enforcement agencies for the health care industry, the US Department of Justice (DOJ) and the US Department of Health and Human Services Office of Inspector General (OIG), each independently issued guidance focused on evaluating compliance program effectiveness. At first glance, the DOJ and OIG Guides seem to approach evaluating compliance programs differently, but they cover overlapping themes and work well in tandem. The reference tools in this article will assist executives and directors in using both guides to evaluate aspects of their compliance programs for effectiveness. Using the Guides Together Although the guides cover the same subjects, they approach them from different perspectives. The DOJ Guidei contains 11 topics and corresponding sample questions that federal prosecutors frequently find relevant in evaluating corporate compliance programs. The DOJ Guide’s questions are investigative and framed around reviewing specific misconduct allegations. Although not specific to the health industry, the DOJ Guide provides benchmarks that organizations may consider when reviewing their compliance programs’ effectiveness. The OIG Guideii contains recommendations from a roundtable discussion held by OIG staff and compliance professionals in January 2017. The recommendations are divided into “what to measure” and “how to measure,” and sorted into the seven elements of compliance programs discussed in the OIG Compliance Program Guidance documents and the US Federal Sentencing Guidelines. Unlike the DOJ Guide, the OIG Guide provides recommendations from a preinvestigative standpoint on measuring and testing whether the compliance program is achieving the intended objectives. Thus, the OIG Guide’s suggestions are preemptive and more expansive. The DOJ Guide’s questions can help organizations test their compliance programs’ strength, while the OIG Guide’s measurement suggestions can help test the programs’ operation. Accordingly, compliance officers and general counsel may wish to start with the DOJ Guide’s questions for guidance before turning to the OIG Guide for measurement ideas. For example, an organization assessing its incentive system might start with the relevant DOJ Guide questions: How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken as a result of compliance and ethics considerations?iii From there, the organization would turn to the corresponding section in the OIG Guide for ideas on how to answer these questions. To test that same incentive system, the OIG Guide suggests auditing performance appraisals for acknowledgment of compliance education completion, monitoring whether promotion of compliance is tied to merit increases, and ensuring that compliance is part of annual performance evaluations.iv Both guides stress that their topics and recommendations are neither formulas nor checklists. The DOJ Guide warns that only some topics may be relevant to individual organizations, v and the OIG Guide states that implementing a large number of its suggestions is “impractical and not recommended.”vi Compliance and legal professionals using the two documents should therefore only consider the suggestions that apply to their organizations’ individual needs and not attempt to implement every suggestion. The following chart contains a summary analytical matrix that identifies common themes from both documents. Breaking Down the 2017 DOJ and OIG Compliance Guides 3 SPECIAL REPORT Breaking Down the 2017 DOJ and OIG Complaince Guides 1. Accessible and effective compliance policies and procedures DOJ Guidevii OIG Guideviii • How are policies and procedures (P&Ps) developed and communicated to employees? • Do P&Ps use appropriate language levels for their intended audience? • How are P&Ps evaluated for usefulness, coverage of risk areas and changes in legal requirements and billing rules? • Surveying employees about how they access P&Ps • Assessing the policies’ language using the Flesch-Kincaid measuring standard • Testing staff and creating focus groups to determine whether employees understand P&Ps • Reviewing P&Ps creation and update process, and designating accountable individuals for each topic 2. Effective compliance training DOJ Guideix OIG Guidex • What is the training of high-risk and control function employees? • What is the rationale for training certain employees in certain subjects? • What efforts are made to make the training accessible? • What is the method for determining the training’s effectiveness? • Reviewing the training plan for requirements, expected audience, topics covered and method of deployment • Auditing training requirements for high-risk positions • Reviewing training materials to ensure they cover the organization’s risks and are understandable/accessible to all employees, including those with disabilities • Auditing incident logs and hotline reports to evaluate the training’s effects on behavior • Incorporating compliance topics in each training program and department meeting 3. Adherence of third parties to compliance policies DOJ Guidexi OIG Guidexii • What is the selection and vetting process for third-party vendors? • How is third-party performance monitored for adherence to compliance P&Ps and contract requirements and representations? • How is compliant performance incentivized? • Evaluating third-party candidates using criminal, financial or other background checks • Auditing third parties for compliance training and compliance certification completion • Auditing contracts for compliance representations • Assigning responsible individuals to manage performance, and auditing such individuals’ oversight 4 Breaking Down the 2017 DOJ and OIG Compliance Guides SPECIAL REPORT 4. Promotion of compliance goals by leadership DOJ Guidexiii OIG Guidexiv • What are concrete examples of demonstrated commitment by leadership to compliance and remediation efforts, and how is this information shared throughout the company? • What compliance expertise is on the board of directors? • How does the board of directors exercise oversight responsibility of the compliance program? • Is the compliance function right-sized and resourced? • How is the compliance function structured and staffed to ensure appropriate independence and expertise? • Reviewing documentation to ensure staff, board and management are actively involved in the compliance program • Promoting compliance through town hall meetings or newsletters • Reviewing minutes of board/audit committee meetings and the board compliance education program • Reviewing compliance program budget and staffing, and compliance officer function, structure and experience/qualifications/training • Surveying employees • Mapping management responsibilities to key compliance areas 5. Alignment of incentives and discipline with compliance goals DOJ Guidexv OIG Guidexvi • Is there fair and consistent application of disciplinary actions and incentives across the organization? • What are the methods for incentivizing compliance and ethical behavior? • What are specific examples of actions taken as a result of compliance and ethics considerations? • Reviewing disciplinary decisions for fairness and consistency • Auditing for use of compliance considerations in performance review, compensation and promotion criteria • Auditing whether lessons learned from disciplinary actions are used to educate the organization 6. Effective reporting and auditing mechanisms DOJ Guidexvii OIG Guidexviii • How is information from reporting mechanisms collected, analyzed and used in the risk assessment and audit workplan? • How often are risk assessments updated and audits performed? • How is the risk assessment process conducted, and who participates? • How is the internal audit function structured, staffed and resourced? • What is the completion rate for audits in the workplan? • Reviewing external benchmarking reports (such as the number of hotline calls or time it takes to close cases) • Creating a process map of the risk assessment process • Auditing the scope, coverage and tools used for the risk assessment process • Reviewing the internal audit department’s audit process and information flow to the compliance department 7. Successful investigations and corrections of misconduct DOJ Guidexix OIG Guidexx • Was an investigation conducted objectively and within a proper scope? • What documentation is kept for investigations? • What is the root cause analysis process? • What is the response/corrective action process for investigative findings? • Reviewing investigation files for issue summaries, root cause analysis and corrective action • Publishing high-level results from disciplinary actions to ensure transparency • Conducting validation reviews of corrective action plans Breaking Down the 2017 DOJ and OIG Compliance Guides 5 SPECIAL REPORT Conclusion Although the guides cover mostly the same subjects, there are differences that stem from the guides’ opposing perspectives: the DOJ Guide’s questions are investigative and framed around specific misconduct, while the OIG Guide’s suggestions are preemptive and thus more expansive. The guides are useful individually and can be even more helpful together. The analysis method described here should provide a practical starting point for organizations to use these documents in evaluating their compliance programs. Since neither document is all-encompassing, however, organizations should not rely solely on the guides. Instead, compliance and legal professionals should use the guides with other tools to ensure that their organizations’ compliance programs evolve to reflect regulatory and operational changes. Over the years, OIG has created a valuable library of compliance guidance tailored to specific health care industry segments and boards of directors, as well as various special fraud alerts, bulletins, advisory opinions, workplans and other documents to assist the industry in its compliance efforts.xxi OIG Guide Chapters 1. Standards, Policies, and Procedures 2. Compliance Program Administration 3. Screening and Evaluation of Employees, Physicians, Vendors, and other Agents 4. Communication, Education, and Training on Compliance Issues 5. Monitoring, Auditing, and Internal Reporting Systems 6. Discipline for Non-Compliance 7. Investigations and Remedial Measures DOJ Guide Chapters 1. Analysis and Remediation of Underlying Misconduct 2. Senior and Middle Management 3. Autonomy and Resources 4. Policies and Procedures 5. Risk Assessment 6. Training and Communications 7. Confidential Reporting and Investigation 8. Incentives and Disciplinary Measures 9. Continuous Improvement, Periodic Testing and Review 10. Third Party Management 11. Mergers and Acquisitions Side-by-Side DOJ & OIG Chapter Breakdown 6 Breaking Down the 2017 DOJ and OIG Compliance Guides SPECIAL REPORT The material in this publication may not be reproduced, in whole or part without acknowledgement of its source and copyright. Breaking Down the 2017 DOJ and OIG Compliance Guides is intended to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with their McDermott Will & Emery lawyer or other professional counsel before acting on the information contained in this publication. ©2017 McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. McDermott has a strategic alliance with MWE China Law Offices, a separate law firm. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome. i US Department of Justice, Criminal Division, Fraud Section, The Evaluation of Corporate Compliance Programs (DOJ Guide) (Feb. 8, 2017), available at https://www.justice.gov/criminalfraud/page/file/937501/download. For more information about the DOJ Guide, see Michael W. Peregrine, DOJ Releases Important New Compliance Program Guidance, AHLA WEEKLY, Feb. 24, 2017. ii US Department of Health and Human Services, Office of Inspector General and the Health Care Compliance Association (HCCA), Measuring Compliance Program Effectiveness: A Resource Guide (OIG Guide) (Mar. 27, 2017), available at https://oig.hhs.gov/compliance/101/files/HCCAOIG-Resource-Guide.pdf. For more information about the OIG Guide, see Michael W. Peregrine, Tony Maida and Joshua T. Buchman, Interpreting and Applying the New HCCA-OIG Compliance Resource Guide, AHLA WEEKLY, Apr. 7, 2017. iii DOJ Guide, § 8. iv OIG Guide, Element 2. v DOJ Guide, at 1. vi OIG Guide, at 1. vii DOJ Guide, § 4. viii OIG Guide, Element 1. ix DOJ Guide, § 6. x OIG Guide, Element 4. xi DOJ Guide, § 10. xii OIG Guide, Element 3. xiii DOJ Guide, §§ 2 and 3. xiv OIG Guide, Element 2. xv DOJ Guide, § 8. xvi OIG Guide, Element 6. xvii DOJ Guide, §§ 5, 7 and 9. xviii OIG Guide, Element 5. xix DOJ Guide, §§ 1 and 7. xx OIG Guide, Elements 5 and 7. xxi See https://oig.hhs.gov/compliance/. The author would like to acknowledge the valuable work of Emily Le, Michael Peregrine and Monica Wallace in preparing this article. For more information, please contact your regular McDermott lawyer, or: Tony Maida +1 212 547 5492 email@example.com For more information about McDermott Will & Emery visit www.mwe.com McDermott Health McDermott Will & Emery's market-leading Health Care Practice Group team brings together dynamic regulatory, transactional and litigation lawyers to offer seamless service to clients across the health care industry. The team has been recognized in the top tier nationally by all major rankings directories, including eight consecutive years as the sole Tier 1 firm nationally for Healthcare Law in Chambers USA. We serve as outside general counsel, trusted strategic partners and dedicated problem solvers to leading health care providers, payors, private equity investors, management companies, technology developers and researchers across all industry subsectors. Many members of our team combine their legal experience with years as government regulators or medical practitioners, offering multifaceted perspectives on each engagement. Our team of over 100 dedicated health lawyers also draws on the resources and knowledge of our global firm, including 19 offices across the United States, Europe and Asia, and strategic relationships around the world. As health care technology and increased access to care blurs national borders, we advise on health-related matters on a truly global scale to ensure multinational compliance and to promote successful business outcomes that ultimately move the health care industry forward. McDermott Health provides innovative, solution-oriented service at the cutting edge of the health care industry. About McDermott Will & Emery McDermott Will & Emery is a premier international law firm with a diversified business practice. Numbering approximately 1,100 lawyers, we have offices in Boston, Brussels, Chicago, Dallas, Düsseldorf, Frankfurt, Houston, London, Los Angeles, Miami, Milan, Munich, New York, Orange County, Paris, Rome, Seoul, Silicon Valley and Washington, DC. Extending our reach to Asia, we have a strategic alliance with MWE China Law Offices in Shanghai. McDermott’s pro bono program seeks to bridge the justice gap for low-income individuals by providing critical legal services in the areas of family law, housing, benefits, special education, adoption and guardianship, elder abuse, asylum and immigration, and civil and human rights. McDermott also provides much-needed legal assistance to nonprofits and small businesses whose focus is to develop and revitalize low-income communities, and to environmental organizations to help ensure a clean, safe and healthy environment for all.