This guidance is used in two ways:
- Federal prosecutors conducting criminal investigations (such as into healthcare fraud) use it to evaluate a corporation’s compliance program. This evaluation can impact any financial penalties imposed.
- Corporations, including healthcare providers, use it to evaluate their own compliance programs.
Here are some of the DOJ’s June 2020 changes to its compliance evaluation guidance:
Does your compliance program have adequate resources?
The revised guidance considers whether compliance programs are “adequately resourced and empowered to function effectively….” (emphasis added).
Other updates in this guidance also evaluate the amount of resources behind the compliance program. The DOJ is looking for:
- A culture of compliance at all levels, including the top and the middle.
- Whether companies “invest in further training and development” of compliance personnel.
- Whether compliance personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”
Many compliance programs involve a great deal of effort in the beginning when they are implemented – but then resources drop off. The DOJ guidance makes clear that ongoing resources, such as leadership, training, and data-based auditing and monitoring, are necessary for a compliance program to be effective.
Does your compliance program evolve?
The DOJ’s revisions emphasize the importance of ongoing compliance program reviews and “how the company’s compliance program has evolved over time.” The DOJ is looking for:
- Whether compliance reviews result in updates to policies, procedures, and controls.
- Whether compliance reviews are “limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions.”
- Whether the company incorporates “lessons learned” into its risk assessments. Does the compliance program incorporate lessons from past issues within the organization or from competitors?
In other words, it is not enough to conduct a compliance program review once, and then abandon this effort. Compliance review should be an ongoing process (with scheduled annual reviews). Without ongoing reviews that address evolving risks, compliance quickly becomes outdated.
Does your compliance program sufficiently evaluate third-party risk?
The revised guidance adds increased scrutiny of compliance programs’ review of third parties. The DOJ is looking for:
- Whether a company knows “the business rationale for needing [a] third party in [a] transaction, and the risks posed by third-party partners….”
- Whether third-party risk is managed throughout the relationship (and not just at on-boarding).
Vendor risk is of increasing regulator concern. In the healthcare setting, vendors bring HIPAA risk as well. Your compliance processes should include thorough screening at the outset of a relationship, but also ongoing controls.
How do you measure up?
MPA recommends incorporating the revised DOJ guidance into your own compliance program review. The OIG has long recommended annual compliance program reviews for all providers – and annual reviews are now required for nursing homes. Your review might take longer during the pandemic – but set aside some time to move this process forward.
MPA can help
While most of the DOJ guidance updates are already addressed in MPA’s annual review process, we have used the guidance to make updates to our process. Contact us to talk about MPA reviewing your compliance program.