There have been several resources for measuring compliance program effectiveness. The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) put out “Measuring Compliance Program Effectiveness: a Resource Guide” in March 2017. The Healthcare Association of New York State put out its “Compliance Program Effectiveness Guide” in June 2017. Now the Criminal Division of the U.S. Department of Justice (DOJ) has issued its “Evaluation of Corporate Compliance Programs”. This document is designed to give federal prosecutors more guidance on evaluating the effectiveness of compliance programs. Prosecutors do this type of evaluation when recommending penalties for organizations convicted of criminal offenses. Prosecutors can also take into account this evaluation when deciding whether to charge criminal conduct at all.
The Guidelines allow for a reduction in fines of up to 90% when the organization can demonstrate it has an effective compliance program.
Guide to Measuring an Effective Corporate Compliance Program
Measuring Compliance Program Effectiveness
The DOJ has long considered how organizations implement effective compliance programs as part of their recommendations for charging in criminal matters. And the U.S. Sentencing Guidelines allow for consideration of the effectiveness of an existing compliance program when prosecutors make sentencing recommendations.
The new Evaluation of Corporate Compliance Program Guidance Document gives prosecutors more guidance on evaluating the effectiveness of the organizations compliance program. These guidelines can also be useful to healthcare organizations who are interested in measuring compliance program effectiveness in their own organization.
3 Critical Questions
The DOJ Guidance Document emphasizes three questions that prosecutors are supposed to ask: (1) Is the organization’s compliance program well-designed? (2) Is the program being applied earnestly and in good faith, e.g. is it being implemented effectively? (3) Does the program work in practice?
In posing these questions, the Guidance Document goes on to suggest many criteria to address in answering them. Of course, since it is guidance on evaluating an organization after a serious offense, the questions and criteria are couched in terms of misconduct. But they work equally well in evaluating a program that also addresses mistakes.
1. Is the Corporate Compliance Program Well Designed?
This portion of the Guidance will be very familiar to organizations that have followed the OIG Guidance for most health care organizations.
- Is there a risk assessment that identifies the areas that put the organization at risk for mistakes or misconduct? For health care organizations, that usually means submitting claims to the Medicare and Medicaid programs.
- Are there policies and procedures to reduce the risk of mistakes or misconduct? These would include things like a code of conduct and policies that address specific risk areas. Are the policies comprehensive and accessible?
- Are employees trained in the policies that apply to them? Do they know the organization’s stand on misconduct? Is the training effective in communicating the organization’s policies and lessons learned?
- Is there a structure for confidential reporting and investigating? Can staff report anonymously, and are investigations conducted by qualified personnel?
2. Is the Corporate Compliance Program Being Implemented Effectively?
Again, there is overlap with the OIG Guidance, but also some important differences.
- Is there commitment to the program by Senior and Middle Management? Staff definitely can tell when a program or initiative is receiving lip service. The conduct at the top matters, as well as support from the middle.
- Is the program properly resourced, and is it autonomous within the organization? Does the compliance program staff have direct access to the Board of Directors? Are there sufficient resources to carry out the education, auditing and monitoring and other activities of the program?
- Has the organization established incentives for compliance and disincentives for non-compliance? Organizations must publicize disciplinary guidelines – and enforce them when confronted with misconduct.
3. Does the Compliance Program work in practice?
This is perhaps the most difficult question for prosecutors to answer. After all, if the compliance program were working, then misconduct would be found out early and mistakes corrected timely.
- Does the organization have a process to improve the compliance program based on internal and external changes? Organizations need a robust internal audit process. They also need to continuously work to strengthen a culture of compliance.
- Is there a proper and adequately funded process for investigating mistakes or misconduct? Can investigations be conducted no matter where they lead?
- Does the organization conduct a root cause analysis when mistakes or misconduct are uncovered? Are process improvements identified and implemented when weaknesses have been identified?
Many organizations rely on a checklist approach when measuring compliance program effectiveness. The DOJ Guidance Document can certainly supplement the checklists based on OIG compliance guidance. And of course, they may save the organization a lot of money if you can avoid being charged or sentenced for actual criminal misconduct.
To learn more about health care compliance programs, visit our website and check it out!