Ahmed Salim (firstname.lastname@example.org) is Director of Ethics and Compliance with iRhythm Technologies in Lincolnshire, IL. David M. Rapasadi (email@example.com) is Senior Compliance Specialist at Medline Industries Inc. in Northfield, IL. Palak Desai (firstname.lastname@example.org) is a student at DePaul University College of Law in Chicago, IL.
Investigations are essential to running an effective compliance program. A well-defined investigation sets forth how individuals report potential compliance concerns and mentions any remedial measures once the investigation has concluded. These practices also create a culture of compliance within an organization by assuring employees and surrounding community members. The organization’s commitment to corporate integrity and creating a thorough investigative process can be challenging and exhaust a number of limited resources. In order to create a strong investigative process, an organization should look internally to determine what processes they have in place and whether any new processes should be implemented.
The strength of an effective investigation is determined by breaking the process into two parts: (1) receiving/triaging a concern and conducting the investigation and (2) benchmarking and reporting.
In this two-part article, we will illustrate how to implement a well-defined investigative process. Our mission is to provide compliance departments looking to adopt their own processes with a road map of how to build a strong and reliable investigation system.
Receiving and triaging a concern
A compliance department may initiate an investigation once a concern has been raised. Anyone from within or outside an organization may raise a concern as long as it is presented in good faith. An effective investigative process involves well-defined policies and procedures to address these concerns.
Investigation policy and procedure
It is important for an organization to have a well-publicized and accessible reporting policy regarding potential good-faith compliance concerns. A well-defined policy should include the following:
Types of issues to report,
Where/how to report an issue,
Good faith/nonretaliation, and
Investigation policies should outline rules and regulations (e.g., Health Insurance Portability and Accountability Act, Anti-Kickback Statute, Stark Law) related to potential concerns and provide examples of critical issues.
After identifying the types of issues that should be raised, a comprehensive policy should outline how the issues should be reported. Typically, compliance concerns can be reported through a compliance hotline, directly to compliance (in person or by email or phone call), or through the chain of command (in person or by email or phone call).
It is also important to outline any additional ways the compliance program receives and manages these concerns. This involves publicizing all applicable avenues through which the program is able to receive a concern.
All investigation policies should include how issues are brought in good faith and the organization’s commitment to nonretaliatory behavior—neither the government nor an organization will discipline or retaliate against any individual who raises an issue in good faith. Issues not brought in good faith leave the reporter open to disciplinary actions, which could include suspension and/or termination.
Those who report issues in good faith are protected against potential retaliatory action. It is imperative the investigation policy clearly outlines the reporter’s right to nonretaliation and the importance of reporting any retaliatory behavior.
Aside from outlining the steps on reporting and a reporter’s protections, a well-defined investigation policy will also include the investigative process, as well as any remedial measures taken if the concern is found to be valid. An investigation policy should outline how compliance will conduct the investigation and any follow-up measures once an investigation has been completed. This would likely allow a reporter to feel comfortable with raising a potential compliance issue. The policy should outline how concerns will be handled by the compliance department and the expected amount of time an investigation may take to complete. Additionally, it should direct the reporter on how to provide any additional information they may want to provide during the investigation, or establish guidelines regarding how compliance personnel may connect anonymously with a reporter for additional information.
The investigation policy should also set out the possible remedial measures the compliance department may take after an investigation has been completed, including closure, disciplinary actions, and any applicable reporter follow-up. The investigation policy should also outline an organization’s stance on what information will be conveyed back to a reporter once an investigation has been completed and refer to the organization’s confidentiality policy.
Finally, it is important that the compliance department handling the investigation educate its members. This education can be offered annually or ad hoc, depending on the organization’s calendar. Training should emphasize the importance of reporting all identified compliance concerns, how to report, nonretaliation, the general policy, and any remedial measures that may occur.
Having a clear and organized investigative process is paramount to running an effective compliance program. It is also important to have a process in place to educate members about the types of eligible issues to raise and how to bring them forward.