Feds Want to See Compliance Plans in Action
Is your healthcare organization ready for added scrutiny?
In June of this year, an updated Evaluation of Corporate Compliance Programs was issued by the Department of Justice (DOJ). It’s not often that we get updates on compliance programs. In past years, the focus was on making sure we actually enacted compliance programs; now the federal agency is homing in on that guidance, making it clear that simply having the proper documents is not enough.
The adequacy and effectiveness of your compliance program at the time of an offense, as well as the timing of a charging decision and your remedial efforts to implement a compliance plan or improve an existing one, are crucial in mitigating and defending if/when an issue occurs. We need to continually ask ourselves how effective our compliance program is.
How Effective Is Your Compliance Plan?
According to the DOJ, prosecutors are to consider where the corporation has made significant investments in, improvements to, and internal controls for its compliance programs. These actions will be taken into account when penalties are assessed. This is also going to hold true for mergers and acquisitions.
Prosecutors are encouraged to ask fundamental questions, including:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
As in previous guidance, there is no one-size-fits-all compliance program. You must tailor your program to your unique risk profile and not just enact cookie-cutter policies and procedures. This requires a plan, a budget, and remediation.
Is Your Compliance Program Well Designed?
Tips for a well-designed compliance program:
1. Understand that using a vendor or buying policies is acceptable, but you must evaluate each one and tailor it to your individuality:
a. Don’t overburden yourself with too many policies or policies that don’t apply to you.
b. Be sure to hit your riskiest areas, which may be unknown by outside vendors.
2. Perform a comprehensive risk assessment; look at all business areas:
a. Look for areas that may have been previously missed such as business partners, gifts, travel, entertainment, political donations, and regulatory landscapes.
b. Tailor your program to hit your high-risk transactions.
3. Review (and remediate) your program on an ongoing basis (not just annually):
a. Review policies and procedures on an annual basis but perform ongoing review in your riskiest areas.
b. Trend your complaints for ongoing improvements and risk areas.
4. Include a thorough review for potential compliance issues when adding new lines of business:
a. If a new business sounds too good to be true, it is.
b. Don’t have blind trust in vendors; do your own validation of product lines and services.
5. Delegate the appropriate resources to your higher-risk areas:
a. Designate an official compliance officer who is dedicated to compliance and not doing it as an afterthought.
b. Create a comprehensive budget.
6. Document your efforts:
a. Plan, study, act.
b. Keep a well-documented journey; this will include both successes and failures.
Is the Program Being Applied Earnestly and in Good Faith?
Tips for effective policy and procedure:
1. Include key members from all areas when developing policy and procedure:
a. Each business unit should be represented; they know themselves the best.
b. Collaboration is always key.
2. Keep your policies on a shared drive, intranet, or other easily accessible formats:
a. Most systems will also log employee engagement for documentation of training.
b. Transparency should be a core value.
3. Review all business areas to implement comprehensive policy and procedure:
a. Include your high-transaction areas.
4. Provide guidance and training for those enforcing or involved in the control process:
a. You should not have a policy that staff is not trained on; each policy should have a training plan for those it applies to.
b. Allow for employees to question policy and training for improvements or insight to additional risk factors.
Does the Compliance Program Work in Practice?
Tips for creating a culture of compliance through training and communication:
1. Integrate your policy and procedure through training:
a. Determine the best venue for your training, or get the best training by using multiple media.
2. Make sure all employees receive training that is appropriate for their responsibilities:
a. If they will be performing a task or interacting where a policy is in play, be sure they are trained appropriately.
b. Keep training logs.
c. Physicians are never exempt from training.
3. Make sure the training and policies are written in a format that is understandable by all:
a. Keep things simple.
b. Test for retention.
4. Make sure that your employees know who to go to for guidance and questions:
a. Make your compliance officer visible.
b. Make sure everyone knows who they can go to, whether it be internally or externally.
Tips for navigating confidential reporting and investigations:
1. Make sure that your employees know how to anonymously, or confidentially, report any suspected breaches, misconduct, or concerns:
a. Have a hotline, if possible.
b. Honor confidential requests.
c. Enforce a no-retaliation culture.
2. Have any complaints researched by qualified personnel:
a. Take all complaints seriously.
b. Communicate with the complainant on findings when appropriate.
3. Conduct timely investigations:
a. Document investigations and don’t allow them to escalate by being late on investigating.
4. Review investigational information for patterns of improvement or weakness:
a. Trends can help you find a root cause and determine the best course of action.
Don’t Forget Business Associates
Tips for compliant third-party management practices:
1. Vet your vendors just like you do for internal processes:
a. It’s your responsibility to validate vendor information. What is their track record and history?
2. Make sure the company has an appropriate rationale for using the third party:
a. What is the motive for use of the third party?
b. It is your responsibility to validate the third party.
3. Be cognizant that the third party mirrors your internal culture of compliance:
a. Don’t hire a third party that is not ethical or does not match your culture of compliance.
4. Vet third-party internal mechanisms for breaches:
a. It’s your responsibility to make sure they are what they say they are.
Mergers and Acquisitions Require Reassessments
In the past several years there has been significant activity on mergers and acquisitions of medical practices. The updated guidance includes thoughtful information on what should be reviewed during the due diligence process. You will want to make sure to do a thorough capture of all information and integrate those practices carefully into your own systems. Don’t take past indiscretions lightly and be sure to negotiate for the costs of any corruption or misconduct not captured in your pre- or post-due diligence vetting and integration, as you will be responsible for any flaws.
Tips for mergers and acquisitions:
1. Conduct a complete risk review:
a. It’s not just a checkbox procedure.
b. Don’t just ask the questions; validate the responses, as well.
c. Inquire about how they have handled past complaints, breaches, risks, etc.
2. Complete integration in a timely manner:
a. Compliance should be the first thing integrated and should happen during the closing process.
b. Risk areas identified through the due diligence should be addressed, trained on, and monitored immediately.
c. Key employees at both entities should be involved.
3. Document thoroughly for each step:
a. Keep a log of improvements, training, and integration efforts.
b. You will always find items you missed; address them in a timely fashion and effectively remediate.
4. Fund your compliance activity and monitor your results.
Set a Good Example
As always, your compliance commitment should come from the top. Be sure your senior leadership encourages and emulates the compliance culture. Demonstrate commitment to your compliance program with all key stakeholders with a solid remediation program, regardless of competing business objectives. Bring in outside expertise or legal help whenever necessary. Also, be sure that your compliance department works independently with the support of a board or CEO, and that they have the time and resources to accomplish an effective program that’s based on your needs.
A compliant organization is one that’s continuously improving through monitoring and testing. As American poet Maya Angelou said, “Do the best you can until you know better. Then when you know better, do better.”
Evaluation of Corporate Compliance Programs: