On February 8, 2017, the Fraud Section of the U.S. Department of Justice (DOJ) published new guidance titled “Evaluation of Corporate Compliance Programs” (Compliance Guidance), which can be found at https://www.justice.gov/criminal-fraud/page/file/937501/download. In determining whether to bring charges against or negotiate plea agreements with hospitals or other organizations, federal prosecutors are required to consider “the existence and effectiveness of the corporation’s preexisting compliance program” as well as the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The new Compliance Guidance provides “important topics and sample questions” that prosecutors may use in evaluating a hospital’s compliance program in the context of a criminal investigation. While not a departure from past advice, the guidance is a useful distillation of principles from a number of sources and underscores the fact that a hospital must go beyond remediation of the particular issue and evaluate its implications for the compliance program on an organization-wide basis.
Although the DOJ’s fraud investigations are not limited to health care fraud, the health care industry continues to be a major target. Of the more than $4.7 billion obtained by the DOJ for the federal government in settlements and judgments from civil cases involving fraud and false claims in the fiscal year ending September 30, 2016, $2.5 billion came from the health care industry, including drug companies, medical device companies, hospitals, nursing homes, laboratories, and physicians.
The Compliance Guidance acknowledges that the DOJ’s evaluation of the effectiveness of a compliance program is an individualized determination based on the facts of each case. However, the guidance provides topics and sample questions that the Fraud Section has “frequently found relevant” in evaluating compliance programs. The sample questions are organized under eleven broad topics that make it clear the evaluation of compliance programs will examine the effectiveness of the program throughout all aspects of the organization. The topics and highlights of the questions identified are as follows:
- Hospital’s Analysis and Remediation of Underlying Misconduct. What is the hospital’s analysis of the root cause of the misconduct? Did the hospital miss prior opportunities to detect the misconduct? What specific remediation has been taken to address the root cause and missed opportunities identified?
- Leadership by Senior and Middle Management. Have senior leaders demonstrated leadership in the hospital’s compliance and remediation efforts? What actions have they taken to discourage the type of misconduct committed and demonstrate their commitment to compliance and remediation efforts? Has the board of directors held executive sessions on compliance functions and examined relevant information in exercising its oversight of the area in which the misconduct occurred?
- Autonomy and Resources of Compliance Team. Was the hospital’s compliance team involved in the decisions relevant to the misconduct? Is the compliance team sufficiently independent, qualified, well compensated, and given access to key decision-makers (including the board of directors) to be effective?
- Compliance Policies and Procedures. What has been the company’s process for designing and implementing new compliance policies and procedures? Has the hospital provided clear guidance and training to key gatekeepers in the areas relevant to the misconduct? Who has been responsible for integrating compliance policies and procedures into the hospital’s operational framework? What controls failed or were absent that would have detected or prevented the misconduct?
- Risk Assessment. What are the hospital’s procedures to regularly identify, analyze, and effectively address particular risks through its compliance program, including the specific risks involved in this misconduct?
- Employee Training and Communications. What training does the hospital provide to its employees who serve in relevant control functions, and is it sufficiently customized for high-risk and control employees to effectively address the area in which the misconduct occurred? How has senior management informed employees about the hospital’s position on the misconduct? Are sufficient resources available to employees to provide guidance relating to compliance policies?
- Confidential Reporting and Investigation. Has the hospital properly collected, analyzed, and used information from its reporting mechanisms, and has it assessed the seriousness of the allegations? How has the hospital ensured that the investigations into the misconduct are properly scoped, independent and objective, and appropriately conducted and documented? Has the hospital used the investigation to identify root causes, system vulnerabilities, and accountability lapses among managers, and to properly respond to the findings?
- Employee Incentives and Disciplinary Measures. How has the hospital incentivized compliance and ethical behavior, and have disciplinary actions and employee incentives been fairly and consistently applied? Did the hospital take appropriate disciplinary action in response to the misconduct, holding managers accountable for misconduct under their supervision where appropriate?
- Continuous Improvement, Periodic Testing, and Review. Does the hospital conduct routine internal audits, testing, and monitoring relevant to the misconduct, and what were the findings? How did management and the board follow up on these findings? How often has the hospital updated its risk assessments and reviewed its compliance policies, procedures, and practices?
- Management of Third-Party Contractors. What mechanisms are used to ensure that specific contract terms are performed by third-party contractors, payment terms are appropriate, and compensation is commensurate with the services rendered? Has the hospital monitored third-party contractors and analyzed the third party’s incentive model against compliance risks? Has the hospital trained the appropriate relationship managers about the compliance risks and how to manage them?
- Mergers and Acquisitions. Has the compliance function been integrated into the hospital’s merger, acquisition, and integration process? What is the hospital’s procedure for tracking and remediating misconduct risks identified during the due diligence process?
In today’s climate of heightened federal scrutiny, every hospital is required to establish and maintain an effective compliance program. Among the many other governmental resources available on this subject, the recent Compliance Guidance is probably the clearest statement to date of the DOJ’s primary focus areas in evaluating the effectiveness of a corporate compliance program. In this document, the DOJ provides details about the type of misconduct remediation it is looking for and the need for the hospital to identify, if possible, the systemic issues that allowed the misconduct to occur. The Compliance Guidance also reflects the increased attention given by the DOJ to actions of senior management and the board of directors and their demonstrated commitment to compliance efforts. Hospitals would be well advised to review this document carefully in evaluating their present compliance programs.