The Fraud Section of the U.S. Department of Justice’s (“DOJ”) Criminal Division recently released new compliance policy guidance that its attorneys and investigators are instructed to consider when “conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements.” The Evaluation of Corporate Compliance Programs (“Compliance Guidance”) provides additional substance to the factors commonly known as the Filip Factors, which guide federal investigations of business organizations. While the Compliance Guidance purports to be “neither a checklist nor a formula” for compliance efforts, for health care providers developing or evaluating their own compliance programs, it can serve as an informative rubric against which they may judge their own policies and practices to help minimize risk to the organization. The Compliance Guidance can also provide health care providers who become the subject of federal enforcement activity with a roadmap to the critical questions that should be addressed internally in order to successfully defend themselves.
Content of the Guidance
Continuing a trend evidenced by memoranda issued by past Deputy Attorneys General including, most recently, Sally Q. Yates, the Compliance Guidance recognizes that each organization has unique needs when it comes to compliance with federal laws and regulations. As such, the Compliance Guidance directs federal attorneys and investigators to ask pointed questions regarding how the organization prepared for, investigated and responded to the noncompliant practices in light of its unique circumstances. The Compliance Guidance’s questions prompt investigators to consider the following aspects of a compliance program.
- Analysis and Remediation of Underlying Misconduct. Questions under this topic focus on the organization’s specific response to the identified issue, including whether the organization had earlier opportunities to mitigate the issue, the root cause it identified in relation to the issue and what changes it made in response to its analysis.
- Senior and Middle Management. The questions focus on how senior and middle management, including the Board of Directors, demonstrate a culture of compliance within the organization. This includes how senior leaders’ compliance efforts are monitored and the extent to which compliance resources are available to the Board of Directors.
- Autonomy and Resources. The questions focusing on autonomy and resources ask generally whether the organization’s compliance program was involved in decisions after the issue was identified, whether the compliance program is empowered to address concerns independently, whether it has sufficient resources to achieve its mission and, importantly, whether previous similar concerns have been reported and dealt with appropriately. Additionally, the Compliance Guidance is clear that the compliance program should have direct access to the Board of Directors and other senior leadership.
- Policies and Procedures. With regard to policies and procedures, the Compliance Guidance asks whether the organization had adopted policies applicable to the conduct at issue, whether appropriate business units were involved in the design of those policies and whether the policies are accessible to impacted personnel. Additionally, the Compliance Guidance asks how those policies were incorporated into the organization and whether additional controls could have prevented the conduct at issue.
- Risk Assessment. Questions under this topic ask how the organization assessed its risk profile, what metrics it collected to assess the conduct in question and how the organization’s assessment process accounted for manifested risks.
- Training and Communications. These questions focus on whether the organization’s training program targets high-risk areas and whether the training is delivered in an appropriate format – for instance, whether explanations are delivered at an appropriate level and in a language understood by impacted employees. Additionally, the Compliance Guidance asks whether senior management has communicated with employees regarding the specific compliance concern at issue.
- Confidential Reporting and Investigation. These questions ask whether the organization’s reporting mechanisms were effective, including whether reports are properly investigated by appropriate personnel and whether the organization adapts its practices in response to those investigations.
- Incentives and Disciplinary Measures. These questions focus on both positive and negative incentives within the organization. In particular, they ask whether the organization undertook appropriate disciplinary actions in response to the identified issue and whether the organization’s incentive structure makes compliance a key concern for impacted employees.
- Continuous Improvement, Periodic Testing and Review. Questions in this area focus on whether the organization engages in regular audits (both internal and external), whether it evaluates the effectiveness of its internal controls and how it responds to information learned through these tests.
- Third-Party Management. The Compliance Guidance prompts organizations to expand their focus on compliance to include the third-party service providers with whom they contract. These questions ask the organization to identify the reasons for which it contracted with any third-party providers impacted by the identified issue, whether appropriate controls were in place to mitigate risks associated with engaging third-party vendors and whether the third-party vendors’ payment structures created incentives for noncompliance.
- Mergers and Acquisitions. With regard to mergers and acquisitions, the Compliance Guidance prompts organizations to ensure that compliance functions are appropriately integrated into the merger and acquisition process, asks whether compliance concerns are appropriately identified during due diligence and further questions whether issues identified through due diligence are remediated upon closing of the deal.
The Compliance Guidance highlights the government’s expectation that businesses, including health care providers, must have an effective compliance program, particularly one in which there is clear accountability and support by senior leaders for the compliance function. As demonstrated by the Compliance Guidance’s questions focusing on senior and middle management, hospital leaders are encouraged to ensure that they establish a culture of compliance within their organizations and model behavior that reflects a true commitment to compliance. In that regard, savvy health care providers will provide their Boards of Directors with access to experts to guide them through difficult compliance concerns.
The Compliance Guidance’s focus on the compliance program’s autonomy and resources shows that a capable, autonomous compliance program whose resources are appropriate in light of the organization’s size and scope can be a bulwark against harsh punishments. Additionally, the broad focus of the questions – from Board preparedness to analysis of third-party payment incentives – shows that the DOJ considers compliance to be a key concern at all levels of an organization. As such, leaders should seek to create nimble structures that are able to detect and respond to potential compliance concerns in a timely, appropriate manner, no matter where or at what level within the organization the concern arose.
The publication of the Compliance Guidance is a prime opportunity for health care providers to reevaluate the effectiveness of their existing compliance programs. Compliance-focused organizations should use the Compliance Guidance as an additional benchmark to assess their own compliance programs and ensure that they are appropriately structured to minimize the risks inherent in participating in federal health care programs. Further, entities with pending compliance concerns can use the Compliance Guidance as a roadmap for responding to those concerns in a way that will maximize the likelihood that they will receive cooperation credit during any federal investigation.