New DOJ Guidance on Evaluation of Corporate Compliance Programs
In February 2017, the Fraud Section of the United States Department of Justice ("DOJ") released new guidance, entitled Evaluation of Corporate Compliance Programs, on how it evaluates corporate compliance programs in the context of a criminal investigation. For many years, the DOJ, as well as other federal and state agencies, has emphasized the importance of implementing robust compliance programs, especially in heavily regulated industries, such as health care. In fact, for many health care providers, having a compliance program is mandated by law. The new DOJ guidance does not necessarily set forth new concepts; it is more a conglomeration of corporate compliance rubrics found in sources such as the United States Attorney's Manual, the United States Sentencing Guidelines, the Securities and Exchange Commission, and the Organization for Economic Cooperation and Development Council, among others. However, it provides added insight into the elements of compliance programs that are considered the most important by the DOJ and, therefore, health care providers should pay close attention and revise their compliance programs as needed.
The DOJ guidance sets forth eleven topics, along with sample questions, that the DOJ considers in evaluating the efficacy of a particular compliance program. These topics focus on the following:
- Analysis and Remediation of Underlying Misconduct – how the company prevents, analyzes, and responds to discovered misconduct;
- Senior and Middle Management – involvement of the company's senior leaders in the compliance program and how they respond to misconduct;
- Autonomy and Resources – the value of the compliance program within the organization and whether the compliance function is provided sufficient resources to perform adequately;
- Policies and Procedures – the design and accessibility of compliance policies, as well as their integration into the company's operations;
- Risk Assessment – the methodology used to identify risk, collect data, and investigate risks;
- Training and Communications – the extent to which employees receive compliance training and communication from top management to employees regarding compliance;
- Confidential Reporting and Investigation – effectiveness of the company's reporting mechanisms, the scope of internal investigations, and the appropriateness of response to investigations;
- Incentives and Disciplinary Measures – the extent to which individuals are held accountable for misconduct and how compliance and ethical behavior are incentivized;
- Continuous Improvement, Periodic Testing and Review – the company's internal auditing, control testing, and compliance program review;
- Third Party Management – whether the company has implemented adequate control of its vendors; and
- Mergers and Acquisitions – the role of compliance in the due diligence process and corporate transactions.
Although the guidance is couched in terms of DOJ investigation of misconduct, organizations can use DOJ's sample lines of questioning to proactively review their current compliance programs. Of note, the guidance focuses on what specific actions the company took to analyze misconduct, whether the company could have identified the misconduct previously, and what steps the company has taken to remediate the misconduct. The guidance specifically asks whether the company performed a "root cause analysis of the misconduct at issue," highlighting the DOJ's emphasis on finding the impetus of misconduct as a way to prevent future misconduct.
The guidance also sets forth specific topic headings and corresponding questions for compliance inquiries related to third-party vendors and mergers and acquisitions. The sample questions indicate DOJ's desire for compliance programs to include an evaluation of third-party vendors at all stages of the relationship, including due diligence in selecting vendors, subsequent ongoing compliance oversight of such vendors, and remediation of any discovered misconduct by the vendors. The guidance also highlights compliance pitfalls in the context of mergers and acquisitions, focusing on whether compliance risk was reviewed during the due diligence process and whether the compliance function was identified as an integral part of the transaction more generally.
Organizations should review the new DOJ guidance closely and use it as an opportunity to evaluate their current compliance programs and to strengthen areas of potential weakness. Doing so now, and continuing to review and modify compliance programs in light of subsequent guidance and individual compliance experience and challenges, will help organizations more effectively monitor potential fraud and abuse and put them in a better position to respond in the event of any future DOJ investigation.