Written by: Compliance blogger
Originally Posted 6/6/2019
Updated after NEW Justice Manual posted June 2020
Updated October 2023
Why Should Your Organization Always Have a Compliance Program in Place?
Unbeknownst to you, your organization could be under investigation at this moment. Whether you are a small physician or health care provider practice or a large nursing home network or medical center, your organization’s billing or business activities may be monitored prior to any notification given to C-Suite Executives of the company.
The importance of having an effective compliance program in place at your organization cannot be understated. Regarding fraud investigations specifically, the U.S. Department of Justice Criminal Division first published the Guidance for the Evaluation of Corporate Compliance Programs in June 2019. Since then, the guidance has been updated as of June 2020 and again in 2023.
The purpose of this government document, available to the public to download, is to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate:
- form of any resolution or prosecution;
- monetary penalty, if any; and
- compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).
Items that Prosecutors Consider in Their Evaluation
It is important to remember that a failure to prevent or detect misconduct does not mean that a compliance program is not effective. There are 3 fundamental questions a prosecutor should ask, according to the Justice Manual 9-28.800, when evaluating a corporate compliance program include:
- Is the compliance program well designed?
- Is the program applied “earnestly and in good faith?”
- Does the program work?
Let’s review how the prosecutor evaluates if your compliance program is well designed.
Quote (Page 2 of the March 2023 Evaluation of Corporate Compliance Programs Document)
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” JM 9-28.800.
Accordingly, prosecutors should examine “the comprehensiveness of the compliance program,” ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.
Prosecutors are directed to evaluate your compliance program to understand your health care business from a commercial perspective. How have you, as a provider, identified, assessed and defined your risk profile? To what degree does the program devote appropriate scrutiny and resources to the spectrum of risks?
The Office of Inspector General (OIG) and the Risk Spectrum
The OIG dedicates a page on their website www.oig.hhs.gov to the Fraud Risk Indicator and assesses the future trustworthiness of parties involved in a False Claims Act (FCA) case to decide whether to exclude them from the Federal healthcare programs to take other action.
Because OIG's assessment of the risk posed by a FCA defendant may be relevant to various stakeholders, including patients, family members, and healthcare industry professionals, OIG makes public information about where a FCA defendant falls on the risk spectrum. During the investigation the organization is placed in a Risk Category:
Highest Risk- Exclusion
Parties that OIG determines present the highest risk of fraud will be excluded from Federal healthcare programs to protect those programs and their beneficiaries. Excluded individuals and entities are listed in OIG's Exclusions Database.
Parties are in the High-Risk category because they pose a significant risk to Federal healthcare programs and beneficiaries. This is because, although OIG determined that these parties needed additional oversight, they refused to enter CIAs sufficient to protect Federal healthcare programs. Parties in the High-Risk category that reached settlements finalized on October 1, 2018 or later are listed here:
Medium Risk- CIAs (Corporate Integrity Agreements)
Healthcare providers and other entities in the Medium Risk category have signed CIAs with OIG to settle investigations involving Federal healthcare programs. Under these agreements, parties promise to fulfill various obligations in exchange for continuing to participate in the programs. A list of active CIAs is posted on OIG's website.
Lower Risk – No Further Action
OIG sometimes concludes that parties present a relatively low risk to Federal healthcare programs. As a result, OIG is not seeking to exclude them from those programs or require a CIA. OIG's cases against these parties are closed without evaluating the effectiveness of any efforts the parties have made to ensure future compliance with Federal healthcare program requirements.
Low Risk – Self Disclosure
This is when an organization makes the decision to disclose evidence of potential fraud related to Federal healthcare programs to OIG. OIG believes that doing so in good faith and cooperating with OIG's review and resolution process generally demonstrates that the party has an effective compliance program. OIG works to resolve such cases faster, for lower settlement amounts, and with a release from potential exclusion with no CIA or other requirements. More information about OIG's self-disclosure protocol is here:
Prosecutors will evaluate the effectiveness of your Risk Assessment process. Questions will be asked to determine if your program is designed to detect various types of potential misconduct that is likely to occur in your type of health care organization. They review the complexity of your organization, number of locations, the competitiveness of the market as well as your business partners, for example.
Are you devoting the resources needed to monitor risk and periodically assess the risk of criminal conduct? Have you identified high-risk transactions? Below is a list created from the June 2020 publication based on what prosecutors will evaluate:
Risk Management Process
What methodology do you use to identify, analyze, and address the particular risks faced? What information or metrics does your company collect and use to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
Risk-Tailored Resource Allocation
Does your company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does your company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
Updates and Revisions
Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these
updates account for risks discovered through misconduct or other problems with your compliance program?
Does your company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
Policies & Procedures
Documentation of your compliance program is required and should include policies and procedures. The policies and procedures are expected to have both content and effect to ethical norms which aim to reduce risks identified by your company’s risk assessment process.
Prosecutors are likely to assess your company’s code of conduct and commitment to full compliance which is made available to your workforce.
In application, compliance programs should be integrated into the company’s everyday operations through the training and certification of relevant staff members. This training must cover previous compliance incidents that the organization has encountered. There should also be customized training designed for high-risk and control employees. Prosecutors will consider how the company determines what type of training each employee needs and whether that training is appropriate for its audience, per JM 9-28.800 – the following will be reviewed:
- Risk-Based Training
o What training have employees in relevant control functions received?
o Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred?
o Have supervisory employees received different or supplementary training?
o What analysis has the company undertaken to determine who should be trained and on what subjects?
- Form/Content/Effectiveness of Training
o Has the training been offered in the form and language appropriate for the audience?
o Is the training provided online or in-person (or both), and what is the company’s rationale for its choice?
o Has the training addressed lessons learned from prior compliance incidents?
o Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?
o How has the company measured the effectiveness of the training?
o Have employees been tested on what they have learned?
o How has the company addressed employees who fail all or a portion of the testing?
o Has the company evaluated the extent to which the training has an impact on employee behavior or operations?
- Communications about Misconduct
o What has senior management done to let employees know the company’s position concerning misconduct?
o What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
- Availability of Guidance
o What resources have been available to employees to provide guidance relating to compliance policies?
o How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?
Alongside thorough training, it is also important for organizations to have resources available to provide employees with guidance regarding the organization’s compliance policies. During an investigation, prosecutors may examine how the company communicated about compliance policies and procedures with employees. They will also look at whether there is an anonymous or confidential way for employees to report misconduct allegations.
Regarding staff members who work with compliance, there are additional items that prosecutors will include in their investigation. For example, the experience, seniority, and autonomy of compliance staff are all important factors when evaluating a corporate compliance program. Compliance teams within an organization should also have access to the resources necessary to fulfill their job duties, such as funding and adequate staffing.
Response to Incidents
Finally, the DOJ Criminal Division directs prosecutors to consider how the company responded to the compliance incident. They recommend that prosecutors seek to answer a number of questions about the company being investigated, such as:
- Did the company identify the misconduct? If so, how was it detected?
- Were there any previous opportunities to uncover the misconduct? If so, why were these opportunities missed?
- What resources were in place to investigate the misconduct?
- How thorough was the company’s response?
- What changes has the company implemented to reduce the risk of this happening again?
As a compliance professional, you can use this knowledge of what prosecutors will consider when evaluating compliance programs to reflect on the items that your own organization’s compliance program should address.
This article only scratches the surface of this important topic. AIHC actually has an entire online course dedicated for Corporate Compliance Offices and developing an effective Compliance Program! We also offer “How to Train Your Workforce” – a short, low-cost online course.
Gain buy-in from Directors and C-Suite Executives to get the resources needed to properly perform and monitor high-risk areas. Develop an Auditing for Compliance Program. Document your policies, procedures and distribute them appropriately throughout your workforce. Make ethics and compliance part of your corporate culture, even if you are a smaller provider office!
Visit our Certification Store for details about additional training and continuing education courses!