The Department of Justice (DOJ) and qui tam plaintiffs are pressing on with their pursuit of healthcare entities for False Claims Act cases and other enforcement actions. Having a compliance program that is effective in practice, not simply on paper, is as important as ever. Here are questions you can ask to assess if your program is living up to DOJ expectations.

Is upper management bought in and modeling the correct behavior?

Compliance starts at the top. Cultivating a culture of compliance requires senior leaders to commit to compliance and communicate the duty to report, sending a clear message that compliance matters. The DOJ will want evidence that executive compensation is tied to compliance so that profits don't take precedence over compliance.

Is the compliance program tailored to your business?

Compliance programs are not one-size-fits-all. You should tailor your compliance program and metrics to align with your unique risk profile. For example, the DOJ doesn't expect a small company to have the same compliance program as a large company. The specific risks faced by your business and your company's size and resources should determine the contours of your program.

Is the program regularly reviewed and updated?

Not only does your business change, but so do the DOJ's enforcement priorities. Compliance programs that walk their talk also live and breathe rather than collect dust on a shelf. Each year's risk assessment processes and mitigation plan should reflect what you learned the prior year.

Do policies and procedures extend to ancillary businesses and third parties?

Most health care companies have a good set of policies and processes for their core business, but processes often aren't nearly as developed for ancillary service lines. The specific risks faced by your business and your company's size and resources should determine the contours of your program and add-on businesses. The fact that a violation happened before you bought the company won't protect you. Make sure that ancillary service lines and new businesses are part of your risk assessment and that you address any compliance gaps as part of your work plan.

Are employees using the program?

If people don't know how to access compliance procedures, they might as well not exist. Encourage employee understanding through education, i.e., email blasts, newsletters and webinars. Remember that some employees are in higher-risk areas and need special training. Evidence shows that scenario-based trainings are optimal. You can assess what employees need by what they are searching for on the website. Know the gaps in understanding, provide employees with anonymous options for reporting and document your training. No one calling the hotline should indicate that employees don't know how to use the system, fear retaliation for doing so or believe no one will be held accountable even if they report, so what's the point? Employees need to be informed, empowered and protected.

Do events trigger investigations?

Establish investigation protocols to determine when a report of suspected non-compliance warrants investigation. Have a properly resourced and funded investigation function and triage process for when you need to bring in counsel and conduct the investigation under privilege. Investigate the root cause of violations and use this information to beef-up internal controls and prevent future violations.

Is your program adequately resourced so that it functions correctly?

The largest health systems and life science companies need sufficient staff in terms of numbers and skill sets. Make sure people aren't stretched too thin and that experienced compliance officers are positioned in senior roles.

Does the board understand its role?

Too often board members rarely have a background in compliance or expertise in this area. We anticipate this changing in the near future. In the meantime, the board must participate in training and thoroughly understand its compliance oversight role. It's critical that compliance have direct reporting lines to the board of directors and/or audit committee and that this body exercise "critical eye review" by asking the right questions of the compliance function.

Why these questions matter

The DOJ issued guidance on the "Evaluation of Corporate Compliance Programs" to assist prosecutors in making informed decisions as to whether and to what extent a corporate compliance program was effective at the time of an offense and is effective at the time of a charging decision or resolution for purposes of determining the appropriate: 1) form of any resolution or prosecution; 2) monetary penalty if any; and 3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

The DOJ considers a program effective when it delivers results. Use these questions to evaluate the factors of effectiveness highlighted in the DOJ guidance and, if necessary, implement improvements to minimize institutional compliance risk.