On April 30, 2019, the U.S. Department of Justice (“DOJ”) released an updated version of a guidance document titled “Evaluation of Corporate Compliance Programs.” The original version of this guidance was first released in February 2017. The updated 2019 guidance offers new insight into the factors that the DOJ considers important when evaluating the effectiveness of a healthcare provider’s compliance program.
This guidance retains much of the same substance as the 2017 version, but it includes more detailed explanations of the compliance topics on which DOJ is focused, additional factors and questions DOJ considers in evaluating a compliance program, and a reorganized structure. The 2019 guidance is described as a tool “meant to assist prosecutors in making informed decisions” about the effectiveness of a corporate compliance program for purposes of determining an appropriate resolution.
The 2019 guidance demonstrates DOJ’s increasing focus on corporate compliance and provides an accompanying set of expectations as to what DOJ believes a compliance program should be doing to prevent and detect misconduct. In this guidance, DOJ emphasizes the importance of a risk-based approach to compliance and continuous improvement of corporate compliance programs.
The guidance reformulates the key topics DOJ examines in evaluating a company’s compliance program around three questions:
- Is the compliance program “well designed”?
- Is the program “implemented effectively”?
- Does the compliance program “work in practice”?
With regard to programs being “well designed,” the guidance states that a well-designed compliance program is “adequately designed for maximum effectiveness in preventing and detecting wrongdoing.” The DOJ believes that a well-designed program should accomplish these ends through the communication of a clear message of compliance along with well-integrated policies and procedures. The guidance identifies sample topics DOJ will evaluate to determine whether a compliance program is well designed, including the nature, extent, and effectiveness of a company’s: (a) Risk assessment; (b) Policies and procedures; (c) Training and communications; (d) Confidential reporting structure and investigation process; (e) Risk-based, third-party management process; and (f) Due diligence in mergers and acquisitions.
In assessing whether a program was “implemented effectively,” the DOJ will examine whether the compliance program is “purely a paper program” or is being “implemented effectively.” To answer this question, DOJ will examine the following sample topics: (a) Senior and middle management’s commitment to compliance; (b) The compliance function’s autonomy and resources; and (c) Incentives for compliance and disciplinary measures for noncompliance.
Acknowledging that no compliance program can detect all misconduct, DOJ expects that a program that “works in practice” should be generally effective in preventing and detecting misconduct. The factors that the DOJ will evaluate under this category include:
- Continuous improvement and evolution of the compliance program to address changing compliance risks;
- Periodic testing, auditing, and review of the compliance program, internal controls, and compliance culture to determine their effectiveness;
- Effective detection of, and response to, misconduct;
- Investigations that are appropriately staffed and sufficiently funded to thoroughly investigate and document suspected misconduct;
- The thoughtfulness of the root cause analysis to understand misconduct; and
- Thoroughness and effectiveness of remediation to prevent future misconduct, including examining and improving any identified compliance weaknesses.