Original written for, and published by, the American Health Lawyers Association, May 10, 2019
[Editor’s Note: With the adoption of the SUPPORT Act of 2018 and its inclusion of the “Eliminating Kickbacks in Recovery Act” which now expands federal jurisdiction in the SUD treatment regulatory space to private-pay providers as well, it is far past time for licensed service providers to begin to take very seriously the development of an effective compliance program, consistent with US Department of Justice Guidelines, in order to both mitigate risk, as well as to be able to identify new risk quickly and effectively when it arises.]
The health care compliance industry recently received a new addition to the compliance program guidance library that continues the discussion of the government’s viewpoint on measuring compliance program effectiveness.
The guidance document, entitled “The Evaluation of Corporate Compliance Programs,” was issued by the Department of Justice (DOJ) Criminal Division on April 30, 2019, updating a prior version issued by the Criminal Division’s Fraud Section in February 2017. The new document is ten pages longer than the 2017 version, and many of the revisions provide additional context on how DOJ expects prosecutors to analyze a company’s compliance program, while also harmonizing the guidance with other Department guidance and standards.
The 2019 version stresses the adequacy—rather than the simple existence—of a corporation’s compliance program. Whether the organization had any compliance program at the time the misconduct occurred, and the quality of the program, affects the resulting (a) form of any resolution or prosecution; (b) monetary penalty, if any; and (c) compliance obligations contained in any corporate criminal resolution. Prosecutors are instructed to consider whether the compliance program has been tested and proven to prevent or detect misconduct, and whether simple changes and improvements could correct the misconduct that gave rise to the legal issue.
The new guidance document discusses in detail the three main thematic questions that prosecutors should use in evaluating corporate compliance programs: (1) whether the program is well-designed; (2) whether the program has been applied earnestly and in good faith (in other words, effectively implemented); and (3) whether the program actually works in practice. DOJ dispensed with the 2017 document’s structure, moving from a series of questions about the characteristics of a compliance program into a discussion of how these three main thematic questions can be used to draw out information to show that the compliance program is adequate and effective.
Part I: Design
DOJ first examines the compliance program’s design as the starting point for an effectiveness review. One hallmark of a well-designed compliance program is whether its risk assessment is designed to detect the particular types of misconduct most likely to occur in the company’s line of business and whether that risk assessment is updated periodically. This approach acknowledges that compliance programs need to prioritize risks so that time and resources are focused on the risks that matter most to the business rather than on other possible, but less likely, risks. Much of DOJ’s further discussion of risk assessment and program design keys off of this concept:
- Policies and procedures—DOJ looks at company policies and procedures for content addressing risks and showing a commitment to a culture of compliance and ethics.
- Training and communications—Here, DOJ examines whether the program is being disseminated to, and understood by, employees in practice in order to decide whether the compliance program is truly effective, including providing appropriate resources for guidance.
- Confidential reporting structure and investigation process—DOJ’s review will examine whether the program provides an efficient and trusted mechanism by which employees can anonymously and confidentially report allegations of a breach of the code of conduct, a company policy, or suspected/actual misconduct, as well as an efficient and effective investigation response.
- Third party management—DOJ will ask whether the program applies risk-based due diligence to vet its third-party relationships, with a focus ranging from specificity of contract terms to the third-party’s reputation.
- M&A—Finally, DOJ reviews whether the program ensures comprehensive due diligence of any acquisition targets.
The main lesson from this discussion is DOJ’s focus on the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment. DOJ expects that an effective compliance program evolves over time as new risks emerge and as the company develops new strategies to address them. The new focus on M&A diligence reflects a pattern that DOJ has seen time and again—those situations where a new owner finds itself saddled with ongoing compliance issues, and the attending liability, when its diligence activities have been insufficient to identify historical non-compliance.
Part II: Implementation
DOJ next moves to discussing the features of effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures. Helpfully, DOJ continues to acknowledge that there is no “one size fits all” for compliance program structure and consequent implementation, but that these decisions depend on the size, structure, and risk profile of the particular company. The implementation discussion includes:
- Commitment by senior and middle management—Consistent with all of DOJ’s statements on individual accountability (e.g., Yates Memo), DOJ unsurprisingly scrutinizes whether the company’s leadership fosters a culture of ethics and compliance with the law and demonstrates a personal, shared commitment to compliance.
- Autonomy and resources—A longstanding issue for the government’s examination of program effectiveness is whether the program gives adequate authority and stature to those charged with day-to-day oversight.
- Incentives and disciplinary measures—Another longstanding government concern is whether the program establishes incentives for compliance and disincentives for non-compliance, including clear disciplinary procedures, with a focus on consistency.
A key takeaway from the implementation discussion is a focus on “tone at the top” and other indications of support for the compliance program from gatekeepers, executive leadership, and the board. DOJ will look not only at what senior management says, but at how senior management treats compliance professionals. A company that gives lip service to compliance, but denies its compliance professionals the title, authority, and resources necessary to effectively implement the program will not be viewed favorably.
Part III: Actual Operation
Finally, DOJ ends its thematic analysis with metrics for asking whether the compliance program is in fact operating effectively. Importantly, DOJ acknowledges that the fact that some misconduct occurred does not necessarily mean that the compliance program is ineffective. However, consistent with long-held views of the Department of Health and Human Services Office of Inspector General, detection, remediation, and resolution of misconduct are described as an important sign that the compliance program is effective.
- Continuous improvement, periodic testing, and review—DOJ’s review concerns whether the program has the capacity to improve and evolve with changes in company business and the environment within which it operates, including whether the company makes meaningful efforts to review its compliance program and ensure it does not lose strength.
- Investigation of misconduct—DOJ articulates a strong focus on whether the program has a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents that includes meaningful documentation.
- Analysis and remediation of any underlying conduct—Another traditional area for government examination is whether the company is able to conduct a root cause analysis of misconduct and timely and appropriately remediate to address the root causes.
DOJ’s main message with this factor is a strong focus on how the company both detects misconduct and responds to situations in which misconduct is detected. Once again, DOJ focuses on the need for a compliance program to adapt to new risks and develop new controls as the business environment changes. And once again there is a strong message from DOJ that a compliance program must be sufficiently resourced so that the company can effectively and rigorously investigate alleged misconduct.
Given all the risks health care companies face in operating in a highly regulated environment, a well-functioning and effective compliance program is a critical component of a company’s risk management strategy. DOJ’s revised guidance shows DOJ has a consistent view of the importance of an effective and highly functioning compliance program. Health system boards, executive teams, and the compliance and other departments would be well served to review and implement the key takeaways and messages from the revised guidance.
Mr. Peregrine and Mr. Maida are partners in the law firm of McDermott Will & Emery, and Ms. Lauer is a partner in the law firm of Latham & Watkins.