What Health Care Organizations Need to Know about Updated DOJ Compliance Guidance

Summary of DOJ Revisions

Revisions in the Guidance Update signal how the DOJ currently views compliance programs in general and which of the several components of an effective compliance program should be given specific attention at this time. The Guidance Update makes it clear that the DOJ is aware of, and appreciates, the unique circumstances of each organization—and the resulting, necessary differences in compliance programs across regions and industries. Nevertheless, the overarching theme in the Guidance Update is that all organizations must ensure that their compliance programs remain vigilant and dynamic. That is, to be effective, a compliance program cannot remain static—it must be continually monitored and tested so that the organization can respond and adapt accordingly. The Guidance Update focuses in large part on steps that an organization should take to ensure compliance risks are identified and misconduct is addressed in a meaningful, efficient and consistent manner.

This means that (1) risk assessments must be built on current, complete and accurate information and data from both internal and external sources; (2) policies and procedures, training and education programs, and systems of reporting misconduct must be monitored, assessed, and updated to ensure that they are accessible and user-friendly; and (3) those responsible for the compliance program must have sufficient, up-to-date, data-driven resources at their disposal and the authority to carry out their functions effectively.

Also noteworthy in the Guidance Update is the attention to due diligence in the context of mergers and acquisitions, and the emphasis it places on post-acquisition due diligence and the integration of newly acquired business. To the extent that an organization may not have been able to complete adequate pre-acquisition due diligence, the DOJ's expectation is that the acquiring entity will, in a timely manner, address any pre-acquisition issues, integrate the new entity into existing compliance program structures, and conduct appropriate monitoring or auditing of the new business.

Finally, the Guidance Update emphasizes the need to pay particular attention to the relationship between organizations and third parties. In essence, the DOJ appears to be flagging its intention to hold organizations responsible for their selection of appropriate third-party business partners, as well as how they manage third parties throughout the relationships. Managing third parties in this context means that the organization "incentivizes compliance and ethical behavior by third parties" and is responsible for the "risk management of third parties throughout the lifespan of the relationship," not just at the onset of the relationship.

Previous Guidance on Compliance Program Effectiveness

The practice of evaluating the effectiveness of a compliance program predates the DOJ Compliance Program Guidance. In fact, the roots of compliance program guidance can be found in the 1991 Federal Sentencing Guidelines for Organizational Crime (Sentencing Guidelines), which made clear that the steps taken by an organization to prevent and detect criminal conduct would be considered in determining appropriate sentences. The Sentencing Guidelines were revised and expanded in 2004, with special attention given to compliance and ethics programs. The 2004 Sentencing Guidelines set forth seven minimum requirements for an effective compliance and ethics program which have evolved to create the basic elements of a corporate compliance program. 

The Department of Health and Human Services (DHHS) Office of Inspector General (OIG) has long engaged with the health care industry in developing and publicizing compliance guidance and promoting what it considers the hallmarks of an effective compliance program. Collectively, the Federal Sentencing Guidelines and the OIG guidance documents provide the framework upon which an organization can build a process that monitors and assesses—on a continual basis—the efficacy of its individual compliance program. Compliance programs vary in size, scope and structure depending on several factors unique to the organization, including the regulatory environment in which the organization operates, the number and type of its lines of businesses, its organizational structure, size, footprint and growth patterns. Regardless of the uniqueness of any organization, however, there are seven elements that have been identified as the hallmarks of an effective compliance program. These elements include:

1. Written Standards of Conduct
2. Corporate Oversight
3. Education and Training
4. System for Communication of Complaints
5. System for Responding to Allegations of Improper/Illegal Activities
6. Auditing and Monitoring Compliance
7. Investigation and Remediation of Identified Systemic Problems

Traditionally, in developing a compliance program, an organization would implement each of the seven elements listed above. In evaluating the effectiveness of a compliance program, however, an organization should consider not only the existence of documents developed or processes put in place with respect to each element, it should also consider whether those documents have been adequately disseminated and whether the processes have been appropriately implemented. That is, the evaluation should consider whether the systems put in place are actually generating the desired outcomes, i.e., avoiding, identifying and correcting misconduct. While the DOJ Compliance Program Guidance considers the seven elements, it actually provides a different outline for exploring the actual functioning of a compliance program so that an organization can determine whether, after a full evaluation of the components, a compliance program is actually working effectively and thereby providing optimal safeguards against compliance risks.

As noted in the Federal Sentencing Guidelines, to be effective, a compliance program must be "reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct." In other words, an organization's compliance program must not only be appropriately structured, it must produce the desired effects, i.e., the identification, prevention and detection of misconduct. Evaluating both design and function is the essence of the DOJ Compliance Program Guidance.

The Compliance Program Guidance is presented, in large part, in the form of questions, which are framed to encompass three areas of focus:

• Compliance Program Design, which focuses on evaluating whether the program is adequately designed to effectively prevent and detect wrongdoing by employees and whether corporate management is enforcing the program. An evaluation of the compliance program design includes reviewing (1) risk assessments, (2) policies and procedures, (3) trainings and communications, (4) confidential reporting structure and investigation process, (5) third party management relationships, and (6) the role of compliance in mergers and acquisitions.
• Compliance Program Implementation, which focuses on the application of the compliance program, specifically, whether it is being implemented, reviewed, and revised as needed or whether it is static, i.e., existing on paper only. An evaluation of the compliance program implementation reviews (1) the commitment of the senior and middle management team to the program, (2) the autonomy of and resources available to the Compliance Officer and the compliance program generally, and (3) whether there are incentives for compliance and disciplinary actions for non-compliance.
• Compliance Program in Practice, which focuses on whether, to the extent misconduct occurs, the compliance program adequately identified the misconduct within a reasonable timeframe, appropriately addressed the misconduct, and took adequate measures to prevent future misconduct. Evaluating a compliance program in practice requires the reviewer to discern whether (1) the compliance program is subject to continuous testing and improvement, (2) compliance investigations are conducted timely and thoroughly, and (3) the organization conducts a thoughtful and thorough root cause analysis to ensure that remediation is appropriate.

What's New

The Guidance Update expands and develops on a number of themes, including how an organization should: (1) develop and update its risk assessment, (2) explore how the compliance "message" is disseminated to employees, (3) monitor, test and update various components of the compliance program, (4) devote adequate resources to, and establish sufficient authority in, the compliance program, (5) integrate acquired entities into the existing compliance program, and (6) manage third party relationships.

Before addressing the six themes listed above, it is worth mentioning that the first obvious addition in the Guidance Update is the acknowledgment that an organization's compliance program varies based on individual circumstances, including size, industry, geographic footprint, regulatory landscape, and other factors both internal and external to the organization's operations. In other words, an organization, in both developing and evaluating its compliance program, should recognize that there is no "one size fits all" compliance program, and that its compliance program will need to be appropriately tailored to the organization's environment, and periodically refined to address evolving circumstances.

Risk Assessments

An important component of a well-designed compliance program is one that identifies, defines and assesses its risk profile. An organization should evaluate how it uses risk assessments, how frequently the risk assessments are conducted, whether government guidance is consulted, whether the identified risk areas are reflective of the organization's operations, and, once risks are identified, whether resources are allocated to prioritize higher risks.  The Guidance Update makes it clear that the risk assessment is a key component of a compliance program and that it must be developed and timely updated so that the organization's response to new and evolving risks is both dynamic and comprehensive. The DOJ focus is on whether the organization is reviewing its risk assessments based on "continuous access to operational data and information across functions," as opposed to "a 'snapshot' in time." Taking the former approach would require the compliance program to keep pace not only with internal changes, but also with developments in the industry and/or geographical region. This would also require special attention to "lessons learned," i.e., making use of the instructive value of both internally and externally identified compliance issues.

The Compliance Message

Both the DOJ and OIG place significant emphasis on an organization's commitment to compliance as one of the most important aspects of an effective compliance program, and one of the chief goals of a corporate compliance program is to promote the education of the work force in an effort to avoid non-compliant activity. This goal is addressed in both formal measures, such as the organization's written policies and procedures and its training programs, as well as in informal communications. The Compliance Program Guidance emphasizes the importance of appropriately tailored training and communications and highlights key factors that distinguish a compliance program as effective, including (1) the integration of policies and procedures into training, (2) presenting information in a manner suited to the target audience, and (3) access to key compliance guidance documents (policies, code of conduct, employee handbooks, etc.). The Guidance Update expands on these points by emphasizing the need to (1) keep policies updated, (2) ensure that policies are accessible, and (3) conduct targeted training.

It is axiomatic that a compliance program must have at its core a set of formal, written policies. The Guidance Update reiterates the importance of the accessibility of policies and procedures by suggesting they be put into a searchable format for easy reference. Training and education are also fundamental to a compliance program. A compliance program with a robust training program ensures that the organization's compliance policies are clearly and continuously communicated and understood. The Guidance Update suggests using shorter, more targeted training sessions that promote opportunities to alert compliance and management to potential issues. Further, employee training should be designed so that employees are able to engage—asking questions both during and after training. Providing a forum for raising questions not only promotes better understanding of compliance guidelines, it affords the opportunity to evaluate the effectiveness of the training as well as the compliance program in general.

Testing and Updating

A compliance program must evolve over time and respond to changes in the environment in which the organization operates, the applicable laws and regulations, the payment systems, industry standards and other identified risks. This will include regular evaluations and changes to the overall compliance program as well as specific policies and procedures.

The Guidance Update is replete with reminders that an effective compliance program should be continually tested and updated. For example, it is not enough to put a confidential reporting process in place if employees are not aware of, or comfortable using, the system. An effective compliance programs tests whether employees and third parties doing business with the organization (1) know how and when to report non-compliance, (2) are not fearful of retaliation for reporting non-compliance, and (3) are confident that reports to compliance are appropriately addressed. The Guidance Update suggests periodic testing of the hotline by tracking a report from start to finish. The Guidance Update also recommends testing whether training is having an impact on employee behavior or operations.

Responding to testing results necessarily means that the compliance program will be updated and refined to address risks and vulnerabilities. As noted above, the Guidance Update emphasizes the need to update its risk assessment, policies, procedures and controls to adapt to both internal and external changes and developments.

Resources and Authority

In order to effectively implement a compliance program, the departments and individuals responsible for oversight and the day-to-day functioning of the compliance program must have the appropriate resources to carry out their mission with sufficient authority and autonomy from management, i.e., the compliance officer should have a direct reporting relationship to the board of directors (or board compliance committee). The Guidance Update refined its previously worded question ("Is the compliance program being implemented to function effectively?") to "Is the compliance program resourced and empowered to function effectively." This revision draws additional attention to (1) the amount and quality of resources dedicated to the compliance function, and (2) the ability of the compliance department to effectively carry out its mission by ensuring management buy-in and a tool chest that allows the compliance program to both incentivize compliance and disincentivize non-compliance. With respect to adequate resources, the Guidance Update asks whether an organization is investing in the development and training of its compliance personnel and whether compliance has enough access to relevant sources of organization data so that it can adequately monitor and/or test policies, controls and transactions. The Guidance Update also added language to highlight the need for demonstrated commitment by management at all levels of the organization, including middle management. The Compliance Program Guidance has always included a recommendation that a compliance program make use of incentives (to promote compliance) and a disciplinary process (to discourage non-compliance). Because consistency in applying these tools is paramount, the Guidance Update suggests that companies should be proactively monitoring its investigations and resulting discipline to ensure that measures taken are consistently applied.

Acquisitions and Compliance Integration

Due diligence in mergers and acquisitions is another emerging area of focus for the government. TheCompliance Program Guidance stresses the importance of conducting adequate due diligence to detect compliance issues pre-acquisition and integrating compliance functions post-acquisition. In addition to focusing on the importance of pre-acquisition due diligence, the Guidance Update makes it clear that the DOJ is equally focused on post-acquisition efforts to integrate the acquired entity into the existing compliance program structures, particularly when pre-acquisition due diligence may have been inadequate. This includes not only implementing compliance policies and procedures at the new entity but also conducting post-acquisition audits.

Third Parties

Ensuring that third parties doing business with the organization are aware of, and required to comply with, an organization's commitment to compliance has become an area of focus for government regulators, and for this reason it has been treated in DOJ guidance as one of the hallmarks of an effective compliance program. The ability to detect misconduct is compromised to the extent an organization does not have a full understanding of its business partners or a mechanism for managing and monitoring its relationships. The Guidance Update highlights the need to manage third parties in the context of risk assessment development, as well as compliance monitoring and auditing. Management of third parties occurs not just during the onboarding process, but throughout the organization's relationship with third parties. Finally, the Guidance Update appears to be signaling that the DOJ intends to expand its focus to third party arrangements by recommending that prosecutors assess the organization's business rationale and underlying need for third party partners.

Takeaways

For the past several years, it has become evident that, to satisfy regulators and law enforcement that an organization takes compliance seriously, it is no longer sufficient to establish a compliance program that simply "checks the box." Evaluating the effectiveness of its compliance program allows an organization to ensure that compliance is appropriately prioritized, well-developed, pervasive, responsive to change, adequately resourced and empowered, and meeting government expectations. The Guidance Update provides further insight regarding government expectations, but it also presents some new, yet practical, questions that organizations, particularly those in the health care industry, should consider when assessing compliance risks and how effective the compliance program will be in avoiding and/or mitigating those risks.