The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.