The Department of Justice Issues New Guidance for Evaluating Compliance Programs, including Mergers and Acquisitions
By Susan Walberg, JD MPA CHC
As Private Equity companies and healthcare organizations move to grow or consolidate practices and organizations, one area of due diligence that is often overlooked is the evaluation of the compliance program and the compliance risks that are the natural result of a deficient program.
In June of this year, 2020, the Department of Justice (DOJ) has issued an updated ‘Evaluation of Corporate Compliance Programs’ document which outlines how the government prosecutors should determine the effectiveness of a compliance program. This evaluation is part of a government’s sentencing decision-making, in the event of an offense by a healthcare organization. This determination serves to impact the potential resolution of a prosecution, fines and penalties, or other consequences. In other words, organizations that adequately address these issues are less likely to find themselves penalized in the event of a compliance ‘incident’.
Department of Justice guidance is a useful roadmap for compliance professionals, leaders, and investors who are committed to reducing the risk in their organization. The recent guidance includes a number of focus areas, some new:
1. Is the corporation’s compliance program well designed?
In addition to the traditional expectation of policies and procedures, the updated guidance discusses at length the Risk Assessment process. The Risk Assessment, according to the DOJ, should guide the compliance program and be tailored to address and assess the ‘risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement (of the compliance program) to reduce the risk of criminal conduct.’
Factors to consider in the evaluation of the Risk Management process include:
Methodology used to identify risks, including metrics and reporting, and how are those used?
Resource Allocation should be appropriate to higher risk areas and issues, such as high-risk transactions, as opposed to focusing on lower risk areas
Frequency of updates and modifications are also important. Is the Risk Assessment ongoing, and does it result in adjustments to policies, training, and processes? Or is it just a snapshot?
Are the company’s ‘lessons learned’ incorporated into the Risk Assessment process? Does the Risk Assessment also include lessons from other organizations in the industry?
Basically, what the DOJ is looking for here is an ongoing and responsive Risk Assessment process that incorporates incidents, reports, and other factors in an ongoing basis and evaluating the organization as a routine matter of course. The other half of this process is to use the results in a prioritized fashion to ensure higher risk issues that are likely to affect the organization are given attention and resources.
2. Policies
The section on policies provides guidance that appears consistent with other government guidance, such as the Office of the Inspector General’s compliance guidance. The government expects to see a Code of Conduct and specific compliance policies. Key points in this new guidance include:
Policy development process-Who designs and implements policies?
How are policy needs identified to ensure relevant areas of legal and regulatory risk are being addressed adequately?
Are policies easily accessible to all employees and those who need to be able to access them? Do people know how to access them?
Operational Integration-Who is responsible for rolling out policies? How are they reinforced?
Education for leaders. Do those responsible for certifying compliance understand the requirements? Do they fully understand what misconduct to look for? Do they understand the reporting and escalating process?
3. Training
Training and education are another staple of compliance programs, also outlined in OIG guidance documents. A few points to consider, according to the DOJ, are:
Risk-based training. Just like it sounds, the government wants to verify that key risk areas and employees with responsibilities in those areas are trained on the specific risks.
Form and content. Education needs to be in appropriate language and content for the audience. Is there a way to allow questions? Can training effectiveness be measured?
Communications about misconduct. Are employees informed about the organization’s response to misconduct? If an employee is terminated, for instance, or disciplined, are employees aware of the types of misconduct that leads to discipline? In other words, employees and leaders should understand the consequences of misconduct.
Guidance. Are there resources available to employees to help understand compliance policies? Do employees know how to seek advice?
4. Investigations and Reporting
This section represents another topic in this guidance with few surprises or changes from other, existing guidance. There is an expectation that organizations maintain an anonymous reporting mechanism, and that it is adequately publicized. Complaints need to be assessed and investigated by qualified personnel, specifically someone independent and adequately trained to ensure proper process and documentation. Investigations need to be adequately tracked and results should be addressed. The company should adequately fund these efforts and should periodically monitor the reports to identify patterns or issues that haven’t been resolved.
5. Third party Management
Take note of this section, because it is not a typical ‘element’ of a compliance program and is likely included due to incidents arising out of third-party relationships. How does the company determine the need for a third party? What are the contract terms, and are they actually performing the work? Is the compensation appropriate? Is the company doing any ongoing monitoring of the third party’s performance? Is there annual compliance training, and/or certifications for those vendors? These are the questions raised in the discussion on third parties, in addition to specific topics the DOJ has identified:
Risk-Based and Integrated Processes. In other words, what is the company’s process for managing third-parties, and how does that integrate with other vendor management processes?
Appropriate Controls. This is a big area of challenge. How does the company ensure that the relationship is necessary? How does the company ensure the contract terms adequately describe the services to be performed, that payment is appropriate, and that services are actually performed in accordance with the company’s expectations and contract?
Management of Third Parties. Have the compensation arrangements been evaluated for compliance risks? Does the company have the right to audit the third party? How does the company promote compliance with the third party? Is there ongoing risk management of the third party, or is it only during due diligence, once?
Real Actions and Consequences. Does the company respond to any red flags or compliance issues that arise with a third party? How does the company make sure there are no repeats of that issue and that third parties with such issues are not later rehired?
Managing third parties is a challenge because it can be resource intensive for a compliance officer, especially if that individual wears multiple hats, such as in a practice group. The most common risky areas to watch are billing companies, any vendor who has access to a company’s electronic health or other confidential date, and, of course, physician and referral arrangements. These types of arrangements, if not adequately structured and monitored, can create significant risks. Keep in mind this is not only fraud and abuse, but also HIPAA, that can create a compliance nightmare if there is an incident.
The fact that this is now DOJ guidance for compliance programs raises the visibility of this risk area, and should be reviewed accordingly.
6. Mergers and Acquisitions (M & A)
This is another new focus area for compliance programs, and should be of interest to Private Equity firms, healthcare attorneys who handle transactions, and, of course, healthcare leaders who are involved in buying, selling, or merging practices.
In this section, the DOJ discusses not only comprehensive due diligence of acquisition targets, but also a plan for integrating compliance program structures and controls. The valuation process is also mentioned, as a target presenting compliance risks can impact the value in addition to the risk profile generally. Specifically, the DOJ states that “Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
The DOJ highlights three specific topics in this section:
Due Diligence Process. Was due diligence conducted pre-acquisition? Was any misconduct identified? Who conducted the risk review and how was it performed?
Integration in the M & A Process. How has the compliance function been integrated into the merger, acquisition, and integration process?
Process Connecting Due Diligence to Implementation. How was misconduct tracking and remediated during due diligence? What are the processes for implementing policies, procedures, and conducting post-acquisition audits at the target entity?
Again, this is a new area of focus included with the ‘usual’ compliance program expectations, so this is definitely a topic to take seriously.
7. Compliance Resources.
Compliance professionals are not surprised to see that the government has identified concerns related to a lack of resources. The government has now called out the need to have an ‘effective’ program versus a ‘paper’ program. This includes adequate staffing, a budget to conduct audits, and funding to ensure that adequate training of employees has occurred.
Specific risks were also discussed at length, briefly summarized here:
Commitment by Senior and Middle Management. This issue addresses the culture of an organization and the values demonstrated by leaders. Specifically, the DOJ references:
Conduct at the top. Not just words, but deeds. Have leaders modelled proper behavior? Have they tolerated or encouraged compliance risks in order to gain business or revenues?
Shared Commitment. What actions have leaders taken to demonstrate a commitment to compliance?
Oversight. What compliance expertise has been available to the Board of Directors? Does the Board hold executive sessions with audit and compliance functions?
Autonomy and Resources. Prosecutors will evaluate the adequacy of staff, both in terms of quality and quantity. Compliance Officers must be empowered, also, within the company and should have access to the Board.
Structure. Where is the compliance function located within the organization? Who does it report to? Does the compliance officer have other responsibilities?
Seniority. How does the compliance function compare with other functions, in terms of rank, title, authority? Is compliance involved in strategic planning, transactions, etc?
Qualifications. What training and experience do the compliance personnel possess? Do they receive ongoing training in their field?
Funding/Resources. Are there adequate resources to allow for effective audits, risk assessments, and other program requirements?
Data Resources and Access. Do compliance staff have access to data they need to conduct audits and test policies? Are there any barriers?
Autonomy. Does compliance (and related audit/control functions) have direct reporting to the Board or Board Committee? How does the company ensure the independence of these functions?
Is the Compliance Program Effective?
This is a key question for prosecutors as well as compliance officers, leaders, and investors. Implementation of the above points, of course, are all part of this assessment. Here are some additional key points, summarized:
Continuous Review and Improvement of the Compliance Program. Business and laws change over time. Is there an assessment and adjustment of the program? How are audits determined? How are controls tested? How are Risk Assessments updates, and how does the company assess its culture of compliance? These are all factors to consider. Existing guidance from the OIG recommends annual ‘kicking the tires’ reviews of compliance programs.
Remediation of Misconduct. Does the company conduct a root cause analysis of identified misconduct, and then, once it does, is there appropriate and consistent remediation? The company needs to not only conduct a root cause analysis, but also address what controls or policies, training, etc., failed. Once the cause is identified, what steps were taken to mitigate? Are management members held accountable for failures under their supervision? Is discipline consistent?
Note that much of this is reinforcing existing guidance issued by the Health and Human Services Office of the inspector General. For those already familiar with compliance program guidance, the key points that are new relate to compliance relating to third party and mergers/acquisitions. Those sections warrant special attention.