Editor’s Note: Lee F. Lasris is a Board Certified Health Law attorney and a shareholder at Greenspoon Marder’s Florida Health Law Center. Mr. Lasris has served as counsel to numerous health-care providers, including MSOs and independent practice associations, managed care organizations, value added provider networks, physician practices, diagnostic imaging providers, hospitals, physical therapy providers, home health agencies, management companies and other health-care related entities.
When is the last time you looked at your corporate compliance plan? Does your organization even have one? Many organizations operate under the misguided belief that once they undergo the expensive process of acquiring a compliance plan—and perhaps even arranging for the initial training of staff—that the job is done and a pretty binder containing the compliance plan can just sit on the shelf. We should never lose sight of why we undertook the exercise of creating compliance plans in the first place.
Not only are they a mandatory condition of participation for Medicare providers, but the government and the courts look to whether an entity facing criminal prosecution has a viable compliance plan when determining appropriate sentencing under the Federal Sentencing Guidelines.
A properly prepared and maintained compliance program can be an effective tool to help health care organizations identify and avoid potential compliance problems and improper conduct while establishing a culture of compliance within the organization respected by both the workforce and third parties. While many organizations believe that having a viable compliance plan is optional, the practical approach is that this is no longer the case. Every organization should have a compliance plan that is a central part of the organization’s operations and of no less than equal import to its standard operating procedures.
The government is serious regarding the value it places on effective compliance plans. They typically review them when there is a problem, such as during an investigation of wrongdoing by the organization or one of its members, or during the sentencing phase of a case. The United States Department of Justice (“DOJ”) recently issued guidance to its Criminal Fraud Section titled “Evaluation of Corporate Compliance Programs” (the “Guidance”) regarding evaluation of corporate compliance programs during a fraud investigation.
The Guidance provides organizations with a preliminary set of questions that the DOJ will likely consider during an investigation and after trial in the event of a prosecution. These questions will also serve as a framework upon which to build or revise a corporate compliance program. Keep in mind that the DOJ attorney will likely make sentencing suggestions to the court following a guilty verdict, increasing the value of a good compliance plan.
The Guidance asks DOJ attorneys to look at a number of topics when reviewing an organization’s compliance plan in connection with an investigation, and, in so doing, asks a number of questions within each topic which will help to make an individualized evaluation of a specific compliance program. The Guidance proposes 11 such topics which DOJ attorneys may consider in reviewing the compliance plan of an organization under investigation.
While these topics focus upon the investigative phase of a matter, they are very instructive to healthcare providers who desire to review their own policies and procedures to see how they will stack up in the event of an investigation, or take the opportunity to update existing policies. In either case, the Guidance provides a window into the thinking of the DOJ which should not go unheeded.
When either updating existing or creating new compliance plans we suggest addressing the following topics suggested in the Guidance:
(1) Analysis And Remediation Of Underlying Misconduct. While this topic, like most of those contained in the Guidance, relates to an ongoing investigation, the focus seems to be on identifying the root cause of the misconduct and identifying the existence of opportunities to detect and correct misconduct. In that case, an organization’s compliance plan should establish a mechanism for analyzing potential problems before they arise and establishing controls to help avoid such problems. That would include undertaking a risk analysis of potential problem areas within the organization and the creation of systems to minimize those risks.
(2) Senior and Middle Management. The government will review the conduct of senior and middle management, including whether they encourage, either through words or actions, the misconduct in question or whether such individuals demonstrated to the workforce a commitment to compliance, including remediation efforts. The compliance plan, therefore, should firmly establish the commitment of the organization’s leadership to compliance, including a commitment to remediation efforts within the organization.
Organizations should also be aware of the mandate set out in the now famous memorandum issued by the then Deputy Attorney General Sally Yates requiring that DOJ attorneys investigating corporate wrongdoing “maintain a focus on the responsible individuals” in an organization and hold them to account for any corporate wrongdoing. This is intended to serve as a significant inducement to combat corporate misconduct. In order for an organization to receive credit for cooperating with the government in any investigation, it will be required to provide “all relevant facts relating to the individuals responsible for the misconduct.” It is, therefore, important that management make a sincere effort to commit both the organization and themselves to compliance.
(3) Autonomy and Resources. The organization’s commitment to compliance may be demonstrated through a. the level of autonomy of the compliance department; b. the stature of the compliance department within the organization; c. the resources devoted to that department; and d. the role which compliance plays in the company’s strategic and operational decisions. In other words, is the compliance department a significant part of the organization’s structure with direct reporting lines to significant decision-makers and with adequate resources with which to undertake its function? A compliance department with significant turnover of personnel may be a telling factor.
(4) Policies and Procedures. This review may include a. looking at the process for designing the policies and procedures comprising the compliance program and the accessibility of the program to employees, and b. how the compliance program is integrated into the organization. This topic provides an essential guide into how the compliance program should be conceived, rolled out and maintained as an organic document and valuable resource of the organization. While much of its focus is on remedial efforts, it suggests a number of policies and procedures which should be included in the compliance program intended not only to specify the conduct that is to be prohibited but may also look into such things as workforce training and reporting, accountability for supervisory oversight, and whether the organization has assessed the usefulness and effectiveness of the policies.
Another aspect of this review is to analyze how the policies have been integrated into the organization and the establishment of controls. When this review is conducted in the context of an investigation, an inquiry will be made as to whether there was a process in place that could have prevented improper conduct. If the conduct was actually discovered by management, an inquiry will be made into what remedies were implemented to address or correct the problem. The inquiry will also extend to vendors, if a vendor was involved in any misconduct.
(5) Risk Assessment. Review of any risk assessment undertaken by the organization in the development of policies and in the detection of misconduct. The compliance plan should include an undertaking to conduct and periodically review a risk assessment that will be used to identify, analyze and address potential and actual risks.
(6) Training and Communications. Examination of the training, guidance, and resources provided to employees, especially those employees in areas of identified high-risk. The training should be tailored for high-risk and control areas of the organization, especially in those areas where any misconduct occurred. The government will look to see whether the training was appropriate and effective and whether it adequately set forth senior management’s position on any misconduct.
(7) Confidential Reporting and Investigation. The compliance plan should include systems for collecting and analyzing information regarding allegations of misconduct and investigating such allegations. Investigations should not only focus on the actual misconduct, but also on identifying root causes, system vulnerabilities, and lapses of supervisory accountability which would account for the misconduct in question or avoid future misconduct. The government will look to see whether the investigation was objective and properly conducted and documented. The organization should also have a process for responding to investigative findings through disciplinary action and training.
(8) Incentives and Disciplinary Measures. A single risk assessment may not be sufficient. The organization should consider periodic updating of its risk assessment
(9) Continuous Improvement, Periodic Testing and Review; (10) Third Party Management; and (11) Mergers and Acquisitions.
The Guidance notes that the DOJ “does not use any rigid formula to assess the effectiveness of corporate compliance programs,” but rather conducts a “particularized evaluation” and “individualized determination in each case.” Therefore, when a corporation is constructing or reevaluating its compliance program, it should pay particular attention to the Guidance while maintaining the corporation’s individualized needs. The central focus should be whether the corporate compliance program effectively prevents and detects wrongdoing and whether corporate management is enforcing the program. This will be key to achieving the benefits of an effective program.
At a minimum, your corporate compliance program should be well-designed and applied in good faith, taking into consideration, among other things, the degree of criminal misconduct to be avoided, the number of corporate employees within the organization, the gravity and length of the discovered misconduct, and the possible remedial actions to be taken by the corporation. Specifically, compliance officers and decision makers within the organization should consider the following:
Establish a “culture of compliance,” beginning with the board of directors and senior executives setting the appropriate tone for the organization.
Ensure that the code of conduct is clear, concise, and accessible to all employees.
Assign responsibility of oversight and implementation of the compliance program to appropriate decision makers, including the appointment of a compliance officer.
Engage in a risk assessment of the organization and ensure that appropriate policies are adopted to address identified risks.
Ensure that relevant policies and procedures are communicated throughout the organization in a manner appropriate for employees.
Set clear and appropriate disciplinary procedures that are applied consistently, promptly, and fairly.
Develop a confidential mechanism for individuals to report suspected or actual misconduct or violations of company policies.
Test and review policy controls, risks, and weaknesses on a continuous basis.
Incorporate risk-based due diligence practices in line with the corporate compliance program when interacting with third parties.
Ensure due diligence prior to and during a merger or acquisition by taking into account the corporation’s compliance plan.
All healthcare providers should make compliance plans an immediate priority. Not only are they a regulatory necessity, they are a primary means of protecting your company’s reputation.