1. Introduction

One unavoidable cost of doing business for organizations operating in complex regulatory environments is the establishment and implementation of an effective ethics and compliance program. To ensure that the compliance program is not simply a paper program and, in practice, meets the criteria outlined by Congress and the U.S. Sentencing Commission for an effective compliance program, the organization must also decide whether or not, and to what extent, general counsel should control or supervise compliance and whether or not the organization might instead benefit from the formation of an autonomous compliance function headed by a chief compliance officer.

In an effort to recalibrate its compliance department and ameliorate the organization’s internal controls after its well-documented billion-dollar fall-out, JPMorgan Chase & Co. (“Chase”) recently addressed these questions.1 Chase announced that it was moving compliance out of its general counsel’s office and had opted to hire a new global head of compliance who will report directly to top executives instead of general counsel.2

Chase’s decision to create an autonomous chief compliance officer also invites organizations to consider another relevant question: to what extent will Chase now protect its compliance communications under this new business arrangement excluding in-house counsel?

United States, ex rel. v. Halifax Hospital Medical Center3 recently provided some answers to this exact question when the district court determined which in-house communications may be protected in any subsequent litigation by the attorney-client privilege, and which may not, in the compliance context.

In Halifax, the court held that communications made by Halifax employees to Halifax’s compliance department – which reported to general counsel about the level of litigation risk and operated under the supervision of the in-house legal department – were not protected by the attorney-client privilege. In so holding, the court underscored that communications between the corporate client and outside counsel, are “cloaked with a presumption of privilege” 4 whereas in-house communications are subject to a more rigorous purpose and intent threshold test5 because, “in-house legal counsel participates in and renders decisions about business, technical, scientific, public relations, and advertising issues, as well as purely legal issues.”’6

  1. United States, ex rel. v. Halifax Hospital Medical Center

In Halifax, the Director of Physician Services (the Relator) filed a qui tam action alleging that Halifax violated the False Claims Act (FCA) 7 when it paid kickbacks, profit-sharing incentives and other compensation to physicians in violation of the Stark Amendment to the Medicare Act 8 and the Anti- Kickback Statute.9 To show that Halifax violated the FCA, the Relator moved to compel production of documents listed in Halifax’s privilege log. Among the documents requested and obtained by the Relator, were the compliance log, compliance “advice” communications and internal audits.

  1. Compliance Department Referral Log

The "referral log" documented investigations and any corrective actions taken by the Compliance Department. The General Counsel oversaw the maintenance of the log, and the purpose of the log was “to facilitate [the Director of Compliance’s] discussions with Halifax's General Counsel and the Halifax Legal Department regarding the level of litigation risk and potential exposure stemming from reported incidents.” Each “incident cover sheet” on the log was also addressed to General Counsel and a “Compliance Committee” reviewed the log periodically.

Communications in the log were not protected by the attorney-client privilege because “none of them [the communications] were evidence of legal advice sought or received” and there was no instance during which a “lawyer commented on the information recorded nor has an employee in the Compliance Department indicated that he or she would seek advice of counsel.”10 Email communications listed in the referral log also were not protected because:

  • The communications are between non-lawyers; and
  • The communications do not expressly reflect “information gathered by corporate employees for the transmission to corporate counsel for the rendering of legal advice []”11; and  
  • The communications failed to reflect, “prior legal advice received that is being transmitted to those who have a need to know in the scope of their corporate responsibilities.”12
  1. Communications Related to “Compliance Advice”

Halifax was also required to produce documents requesting “compliance advice” even though Halifax is structured so that “the compliance department operates under the supervision and oversight of [the] legal department.”13

The attorney-client privilege did not apply to these communications because:  

  • The primary purpose of the communication was not to render or receive legal advice; and  
  • The communications were sent to non-attorney Halifax personnel.14

In one instance, the magistrate judge noted that Halifax did not meet its burden of proving "primary purpose and intent," where Halifax's communication was sent to in-house counsel to "facilitate the rendering of compliance advice." 15 Considering how often compliance questions are in fact legal questions, one wonders whether such labeling would have so easily defeated the claim of attorneyclient privilege if outside counsel had been involved.

  1. Halifax Internal Audits and Reviews

In addition, Halifax was ordered to produce documents containing communications from its Case Management, Compliance, and Finance departments in connection with internal audits and reviews performed at Halifax. Those communications were not privileged because:

  • Email communications which are sent to legal and non-legal personnel for simultaneous review are not protected by the attorney client privilege because the primary purpose of the communication is not to obtain purely legal advice16; and
  • Labeling a document as “Confidential – Attorney-Client Privilege” is insufficient to establish the primary purpose of the communication is to offer or obtain legal advice.17
  1. Lessons from Halifax

One lesson from Halifax is that the inherent role of in-house counsel – which is often to play an active role in advising the organization on matters that are not purely legal – has given rise to a heightened standard for showing that the attorney-client privilege attaches to communications made to in-house counsel, including communications about an organization’s compliance missteps. Indeed, according to Halifax, these types of in-house communications may be susceptible to disclosure to an extent that particularized requests to outside counsel may not be. Therefore, in light of these different standards, organizations would be well advised to consider whether or not they might successfully minimize the risk of compelled disclosure by employing outside counsel to help supervise compliance. After all, the disclosure of sensitive, possibly incriminating, communications may subject the organization to an endless array of criminal, civil, or administrative penalties and sanctions.18

However, Halifax leaves several critical questions unanswered. First, Halifax fails to address how, and to what extent, organizations should permit in-house compliance personnel, including in-house counsel, to review or document compliance communications. Communication with non-attorney compliance personnel is an essential component of any organization’s compliance program because of their individualized expertise in specialized, sometimes highly technical, areas – expertise that attorneys lack. Second, Halifax does not suggest any best practices for how in-house compliance personnel should document or transmit compliance questions or complaints without falling into the same trap that Halifax did. Third, Halifax does not discuss the ethical issues that arise when outside counsel represents the organization and outside counsel also regularly communicates with and advises the organization’s compliance personnel. Thus, organizations must implement policies that directly address these questions and, in practice, ensure that sensitive communications are protected by the attorney-client privilege.