One way to find out whether compliance and integrity have seeped into the bones of an organization is asking people who would know. There may be a compliance program in place with bells and whistles, but whether its systems for detecting and preventing fraud and abuse are functional may require some private conversations with certain managers, including the compliance officer.
“I have found it enormously valuable” to have “targeted, confidential conversations with people in key positions,” says former Deputy Attorney General David Ogden, who serves as an independent corporate monitor for the Department of Justice (DOJ) in the resolution of criminal cases. For example, do compliance professionals have the support of local leadership? Is there fear of retaliation? If so, why? “What is the lived experience? That’s the real question,” Ogden says. “Is good behavior rewarded, or bad behavior? Do people who want to do the right thing feel supported?”
The answers to these questions and others like them help determine the effectiveness of compliance programs, whether organizations evaluate them or the DOJ and the HHS Office of Inspector General (OIG) kick their tires in the context of enforcement actions. Satisfying responses affect an organization’s fate in a corporate fraud case, as DOJ has conveyed in a series of guidance documents, including its Evaluation of Corporate Compliance Programs,[1] which was updated in April 2019,[2] and the 2018 “Selection of Monitors in Criminal Division Matters” memo.[3]
How DOJ’s policies translate on the ground remains to be seen. “What is coming out of DOJ now is an effort to figure out how to incentivize higher-quality compliance” and self-disclosures, says Ogden, with WilmerHale in Washington, D.C. “To some extent, the proof will be in the pudding. It is a question of looking at the inside of companies [to see] how they are proceeding. My bet is you will see greater change if there becomes a story over time based on how they were treated [by DOJ] if they had a good compliance program in place,” he says. How credible is it when inevitably things go wrong at an organization? “It is more than putting policies down. It is about follow-through.”
DOJ Is Skeptical of ‘Checking-the-Box Exercise’
In its updated guidance on the use of independent corporate monitors in criminal matters, DOJ says organizations may be required to hire a monitor in deferred prosecution agreements, non-prosecution agreements and plea agreements, according to the October 2018 memo by Assistant Attorney General Brian Benczkowski. When evaluating whether to require an independent monitor, the memo directs criminal division attorneys to consider factors that speak loudly to compliance programs: “(a) whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance program or internal control systems; (b) whether the misconduct at issue was pervasive across the business organization or approved or facilitated by senior management; (c) whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal control systems; and (d) whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.”
Ogden says DOJ-mandated monitors are “sort of an alternative” to the corporate integrity agreement (CIA) approach. The use of monitors is “less prescriptive” than a CIA. “You get something in the nature of a root-cause analysis after resolution of a legal problem. The monitor helps the company evolve a set of responses in terms of structures that weren’t there before but hopefully will be a new level of resiliency against violations.” Monitors also may be used in False Claims Act[4] resolutions or voluntarily to evaluate an organization’s compliance program.
“The one critical question DOJ is interested in and will be the focus of the monitorship is a sense there has been a real and functioning system and not a checking-the-box exercise,” he says. The Catch-22 is that compliance programs have been built around satisfying seven elements, which tends to be a box-checking experience. Prosecutors will wonder whether the organization has a meaningful system for catching mistakes, he says. Does it operate to surface mistakes for people who will put a stop to them? That requires “constant self-scrutiny by the company that what they are doing is real,” Ogden explains. “The monitor is asking those questions.” Do audits identify consequential problems? Do they prioritize in a sensible way in terms of what needs to be remediated? Is the organization incentivizing compliant behavior, or when something goes wrong, will it be evident in retrospect the wrong behaviors were incentivized? “Consider whether adjustments need to be made,” he says. “It’s key to whether the company is developing the wrong culture.”
Look at What the IRO Reviews
Another way to evaluate the culture of a corporation is to look at the compensation of its executives, says Shannon Sumner, a principal of PYA in Brentwood, Tennessee. Does their compensation include metrics for compliance? “You may say you have a balanced scorecard to incentivize the C-suite. But is it truly balanced, or are you just focused on operational measures, or are there compliance measures?” For example, executive compensation could be linked to compliance audit results or culture surveys, Sumner says.
She encourages organizations to study CIAs to improve their compliance programs. “How can they take advantage of CIAs and drill down to their expectations?” For example, would managers be able to sign management certifications attesting that their departments are in compliance with applicable laws and regulations? “When managers see that, it gives them pause,” Sumner says. They are reliant for compliance on employees in their departments, and some of them only receive “compliance training that’s generally not deep enough for their departments or for high-risk activities,” such as relationships with referral sources. Even without management certifications, the awareness that managers who sign claims and other federal forms are implicitly attesting to compliance with federal program requirements become more sensitive to the implications, Sumner says. “It has given organizations a chance to evaluate their training.”
But the exercise may leave them uneasy about their compliance program’s effectiveness in light of the organization’s size and complexity, she says. “If you have to certify your organization is in compliance with XYZ, we are seeing a push to having liaisons and champions, because we know it takes a lot of individuals to have a compliant company,” Sumner says. There’s always a risk, however, that too much decentralization prevents the sharing of audit results or other problems in a consistent way, Ogden says. Compliance champions are “a way of having eyes and ears in a decentralized environment,” but organizations have to have systems to ensure “they have a sense of what’s going on out there.”
Physicians Are Not Only Referral Sources
Sumner also recommends organizations review the independent review organization’s (IRO) list of expectations at the end of CIAs if they have a specific area they plan to audit, such as real estate or relationships with referral sources. Mock audits for that risk area is an option. How would you fare with an IRO, which is a tough audience? Organizations should be able to show they have a complete inventory of physician relationships, which may not be the case, Sumner says. “A mock audit is an easy way to test the completeness of that process. “But get the OIG monitor’s permission” for a mock audit if you’re already under a CIA.
Keep in mind that physicians are not the only referral sources, Sumner says. “People think of physicians because of the Stark Law,” but referral sources also refer to services purchased on behalf of the organization, such as ambulance transports and home health agency discharge planners. There is the potential to improperly reward other referral sources to attract their business, she says. For example, hospitals may restock ambulances to encourage them to bring patients. Organizations should identify all their referral sources and their physicians’ ownership in other entities, such as ambulatory surgery centers. “It could be a conflict of interest.”
Contact Sumner at ssumner@pyapc.com and Ogden at david.ogden@wilmerhale.com.