The Criminal Fraud Section of the U.S. Department of Justice (DOJ) recently released guidance entitled “Evaluation of Corporate Compliance Programs,” setting forth over 100 questions in 11 categories that the Fraud Section may ask in assessing the “effectiveness” of an entity’s compliance program when determining whether to bring charges or negotiating resolutions of white-collar criminal matters. This guidance is the DOJ’s most comprehensive compilation of such factors to date, and it provides insights into the DOJ’s thought process.

Notably, there is a separate section on “Mergers and Acquisitions”—simply put, there will be ramifications for companies that fail not only to conduct robust due diligence but also to remediate misconduct uncovered during the due diligence process after entities are acquired.

Thus, boards and senior management of any health care company—including private equity funds and other investors with expanding health care company portfolios—must be aware of these principles and fully implement them into their acquisition strategies and processes.

In addition to the above, the top five takeaways from this recent DOJ guidance concern:

  1. Acquisition Due Diligence: The DOJ will consider whether a buyer identified misconduct in its due diligence process, and how compliance issues were remediated. For example: (a) whether the compliance issues were addressed in the deal agreements, (b) whether they were remediated pre- or post-closing, and (c) whether there is ongoing monitoring at a newly acquired entity to ensure that the issues do not recur.
  2. Root Cause Analysis: The DOJ will ask if the company performed a “root cause analysis” of the misconduct and identified any underlying systemic issues, and if any corrective actions taken are closely monitored thereafter.
  3. Board and Senior Management Involvement: The DOJ wants to see that the company’s top management and board are committed to compliance and involved in (a) adequately funding and monitoring the compliance program, (b) remediation of identified noncompliance, (c) direct reporting from the compliance officer, and (d) access to outside auditors and experts.
  4. Dedication to Compliance: The DOJ will explore if the company dedicates enough funds to (a) hire sufficient, qualified compliance staff; (b) train company staff on compliance and job-specific compliance areas; and (c) establish confidential reporting mechanisms.
  5. Robust Auditing: The DOJ wants to know that the company has been conducting robust compliance auditing, on a regular basis, focused on top risk areas pertaining to the company’s particular services and operations to head off new issues and address previously identified issues.