By: Jacqueline Bain
In the beginning of June, 2020, the Department of Justice (“DOJ”) revised its Evaluation of Corporate Compliance Programs Guidance Document. The Document is designed to assist prosecutors in making informed decisions as to whether, and to what extent, the company’s compliance program is effective for purposes of determining, when a compliance violation has occurred, the appropriate form of any resolution or prosecution and monetary penalty. It also guides a prosecutor as to the company’s compliance obligations contained in any criminal resolution. The Document has been revised on three occasions since 2017, telegraphing the DOJ’s intent to prosecute those businesses without compliance plans, or without effective compliance plans, more harshly than those taking steps to identify and remedy risks.
A healthcare business’ failure to have in place a compliance program designed to detect and respond to potential fraud and security risks places it at a serious risk of civil and criminal liability. When a compliance issue is investigated, charged and resolved, DOJ prosecutors are instructed to consider whether the business has invested in and improved its corporate compliance program and internal controls systems. They must also determine whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. According to the DOJ, there are three fundamental questions that a prosecutor should ask when determining whether a business’ compliance plan is sound:
- Is the compliance program well designed?
Does the compliance program comprehensively assess the business’ risks and is it integrated throughout the business’ processes? How the company has identified, assessed, and defined its risks? Which risks are given priority and resources, and why? How often are these risks reassessed, and how often does the company evaluate its responses to these risks? How does the company track how often risks materialize into compliance issues and how it responds to those issues? How are employees educated to detect and respond to issues?
- Is the program being applied earnestly and in good faith?
A well-designed corporate compliance program isn’t worth the paper it’s written on if it isn’t implemented into the healthcare business’ everyday work culture. The company should implement a top down adoption of compliance practices in order to ensure that the compliance program is universally adopted among its workforce. Moreover, any effective compliance program will empower its compliance officer or team with adequate power and significance to enforce the program.
- Does the compliance program work?
Prosecutors will consider whether a compliance program evolved over time to address existing and changing compliance risks, and whether the company undertook an adequate and honest root cause analysis to understand both may contribute to the misconduct and the degree of remediation needed to prevent similar events in the future. Moreover, a well-functioning and appropriately funded compliance program allows for timely investigations of any allegations or suspicions of misconduct by the company and its workforce.