2023 was a busy year across several federal agencies in terms of issuing compliance guidance for corporations, including health care companies. For example, the Department of Justice (DOJ) issued significant compliance program guidance in various areas. Consistent with DOJ’s other corporate enforcement policies incentivizing voluntary self-disclosure, cooperation, and remediation, each compliance-focused guidance document furthers the government’s stated goal of offering increased incentives and transparency to companies that are seeking to bolster their compliance function.[1]

The Office of Inspector General for the Department of Health and Human Services (OIG) likewise followed through on its mid-2023 promise to issue modernized compliance program guidance for the health care sector. In November, the OIG issued an updated General Compliance Program Guidance document, which compiles existing compliance program guidance into a centralized resource and offers recommendations for developing a robust compliance program. The agency has promised to follow the issuance of this General Compliance Program Guidance with updated industry-specific compliance program guidance documents in 2024.

DOJ Guidance

DOJ guidance issued in 2023 repeatedly emphasized the importance of an effective compliance program. Two noteworthy updates were announced in March at the American Bar Association’s 38th Annual National Institute on White Collar Crime: the DOJ Criminal Division’s revised guidance regarding the Evaluation of Corporate Compliance Programs (the ECCP) and Pilot Program Regarding Compensation Incentives and Clawbacks (the “Pilot Program”). Our more detailed analysis of the ECCP and Pilot Program can be found here. In this piece, we focus on how the ECCP has changed and what these revisions, alongside the new Pilot Program, reveal about DOJ’s compliance-related priorities in criminal matters.

While these guidance documents are applicable only in the context of corporate criminal resolutions, they are worthy of consideration for all companies. The guidance provides insight into DOJ’s recent determinations regarding the hallmarks of an effective compliance program. Even in the civil context, a company’s ability to show that its compliance program is robust, modernized, and effective in accordance with DOJ standards will prove helpful when negotiating a potential resolution.

Evaluation of Corporate Compliance Programs

The ECCP is meant to assist prosecutors in making informed decisions as to whether and to what extent a corporation’s compliance program (1) was effective at the time of an offense, and (2) is effective at the time of a charging decision or resolution. The ECCP thus aids prosecutors in determining the appropriate (i) form of resolution or prosecution, (ii) monetary penalty, if necessary, and (iii) compliance obligations that should be contained in a corporate criminal resolution, such as monitorships and reporting obligations.[2]

While companies assessing the effectiveness of their compliance systems should consider the entirety of the ECCP, the revised 2023 version contains two primary changes: (i) a direct focus on the use of evolving technologies in an increasingly remote workplace, and (ii) increased efforts to incentivize compliance through compensation systems.

First, the ECCP now directs prosecutors to consider a company’s policies and procedures governing personal devices, communication platforms, and messaging applications (including ephemeral messaging applications). Those policies should take into account the company’s risk profile and specific business needs and ensure “to the greatest extent possible” that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Prosecutors will also consider how data preservation and review policies have been communicated to employees and whether such policies are enforced “on a regular and consistent basis in practice.”

The ECCP lists three primary factors that prosecutors will evaluate in this area:

• Communication Channels: This factor includes what electronic communication channels are used by the company and its employees to conduct business. Prosecutors will consider the mechanisms put in place to manage and preserve information contained within these channels, including the rationale for preservation and deletion settings that are available to each employee and why certain communication channels and settings are permitted.
• Policy Environment: This factor includes the policies and procedures a company has implemented to govern data preservation related to devices that are replaced, the organization’s ability to monitor and/or access business-related communications, the rationale behind “bring your own device” programs such as policies related to accessing corporate data stored on personal devices (including messaging platforms on the devices), and how data retention and business conduct policies have been enforced with respect to personal devices, among other considerations.
• Risk Management: This factor considers whether a company imposes appropriate consequences for employees who refuse to allow the company access to company communications; whether the company has disciplined employees who fail to comply with its policies; whether the use of personal devices and messaging applications used by the company has ever impaired the organization’s ability to follow its compliance program, conduct investigations, or respond to government requests; and whether the company’s device and messaging-related decisions are reasonable in light of the company’s risk profile.

In practice, there is tension between the standards DOJ is seeking to establish and many companies’ data retention and information management practices. For example, abbreviated retention windows aimed at minimizing a company’s data and document storage expenses, or even preservation policies that do not extend to data of potential interest stored exclusively on personal devices, may be met with scrutiny if the company is rendered unable to access records of interest in a future DOJ investigation. DOJ is expected to adopt a pragmatic approach that does not impose the most stringent preservation standards on companies that are perceived as lower risk, but resolutions with DOJ in 2024 may shed additional light on how rigorously the government will apply ECCP principles. In the interim, companies are incentivized to consider whether they are capable of accessing communications across different channels utilized by their employees that may unveil evidence of misconduct.

In addition to information management, the revised ECCP also addresses compliance considerations tied to compensation in greater depth. It now notes that prosecutors may consider a company’s provision for recoupment of previously awarded compensation to individuals responsible for corporate wrongdoing or the reduction of compensation due to compliance violations or other forms of misconduct. Targeting compensation as a means of fostering compliance furthers DOJ’s goals related to individual accountability.

Pilot Program Regarding Compensation and Clawbacks

The new Pilot Program, effective March 15, 2023, applies to all corporate matters handled by DOJ’s Criminal Division for a period of three years. At the end of this period, the Criminal Division will evaluate whether the Pilot Program should be modified or extended. Consistent with the compensation-focused changes to the ECCP, the Pilot Program emphasizes DOJ’s focus on driving compliance through the use of financial incentives.

During the Pilot Program, all corporate resolutions with the Criminal Division will require companies to implement compliance-related criteria in their compensation and bonus systems. Examples of criteria companies may include are as follows:

• a bonus prohibition for employees who fail to satisfy compliance performance requirements;
• disciplinary measures aimed at employees who violate the law in addition to those with supervisory authority over the employees or business units engaging in misconduct and who knew of or were willfully blind to it; and
• incentives for employees exhibiting a demonstrated commitment to compliance.

In cases where a criminal resolution is warranted, the Pilot Program sets forth that fine reductions may be available for companies that fully cooperate, timely and appropriately remediate, demonstrate they have implemented a program to recoup compensation from applicable bad actors and supervisors, and have in good faith started the process to recoup such compensation before a resolution is entered.

When these criteria are satisfied, in addition to any other applicable fine reductions, Criminal Division prosecutors will reduce the fine in the amount of 100 percent of any compensation that is recouped during the resolution period. Accordingly, at the time a resolution is entered, the company will be required to pay the full fine amount, less 100 percent of any compensation it is attempting to claw back. Then, at the end of the resolution term, the company will be required to pay the amount it attempted to claw back minus 100 percent of the compensation it actually recovered.

To incentivize implementation of this potentially complicated initiative, the Pilot Program states that if a good faith attempt to recoup compensation fails, Criminal Division prosecutors may nevertheless exercise their discretion to apply a reduction of up to 25 percent of the amount of compensation the company attempted to claw back. The Pilot Program represents another concrete benefit offered by DOJ for companies that are willing to prioritize individual accountability.

OIG Guidance

In addition to DOJ’s efforts to amplify compliance-related incentives for companies under criminal investigation (including health care companies), the OIG has substantially revised and modernized previously issued compliance guidance and resources applicable to health care companies and providers. The agency has also committed to revising and modernizing all of its compliance program guidance documents in 2024. Like DOJ’s 2023 compliance-related guidance, the OIG’s revisions underscore the agency’s commitment to encouraging companies to engage in robust, tailored compliance efforts that match agency priorities.

The OIG issued revised compliance guidance as part of a 2021 modernization initiative, in which the agency announced its intention to enhance the utility, timeliness, accessibility, and usability of its compliance-related resources and sought public input into how best to achieve this goal. Before this modernization effort, the last time the OIG had published any compliance program guidance was in 2008. Through this modernization process, the OIG committed to (i) updating and reissuing its general compliance program guidance (applicable to all individuals and entities involved in the health care industry) by the end of 2023, and (ii) revising and reissuing its industry-specific compliance program guidance documents in 2024. We previously reported on the OIG’s Modernization Initiative here.

In November 2023, OIG upheld its commitment to publish a modernized version of its general compliance program guidance (“GCPG”). We previously published a detailed analysis of this publication here. In short, the 2023 GCPG improved upon its predecessor program guidance in a few simple but effective ways.

First, the OIG consolidated into one document the entire life cycle of compliance-related resources: (i) the OIG’s recommendations regarding the essential elements of effective compliance programs, (ii) the agency’s views and tips as to how those elements can be implemented in companies of varying sizes and resources, (iii) the statutes with which the GCPG (and compliance programs, generally) are intended to ensure compliance, (iv) advisories and guidance offered by the OIG to entities seeking to understand the agency’s interpretation of those statutes, (v) resources available to entities that wish to self-disclose potential non-compliance with those statutes, and (vi) the authorities that the OIG uses to enforce violations of legal and/or program requirements. By consolidating these resources, the agency has added clarity around the arrangements, conduct, topic areas, and compliance-related activities that it believes should be covered in an effective compliance program and function.

Second, the OIG recognized that an effective compliance program is not a one-size-fits-all endeavor and that not all health care companies have the same financial and personnel resources to dedicate to compliance. The agency thus adjusted its recommendations accordingly and made suggestions for companies both big and small, as well as companies that do not have the resources to hire dedicated compliance officers and personnel.

Third, the OIG adopted a conversational, example-based approach to explaining the relevant statutes and how to assess potential violations thereof, as well as the agency’s recommendations regarding implementation of each compliance program element, among other areas. These recommendations are based on lessons the agency has learned from decades of enforcement experience. For example, the GCPG emphasizes the importance of board involvement in compliance, as well as engagement in and endorsement of compliance by company leadership, among many other tips and observations. This approach arguably increases the likelihood that compliance professionals — or employees for whom compliance is one of many job responsibilities — attempting to understand and implement the GCPG will be able to do so successfully and in alignment with OIG priorities.

Finally, like DOJ, the OIG recommended that companies consider tying compensation and incentives to employees’ compliance-related engagement. For example, the agency suggests that compliance officers, compliance committees, and other leaders consider the compliance performance or activities they would like to incentivize and then reward excellent compliance performance and contributions (e.g., through compensation, recognition, or other forms of encouragement).

Both DOJ’s and OIG’s compliance-related updates this past year underscore the importance that robust compliance functions have to the successful operation and survival of a company, and also that appropriate compliance, like the delivery of health care and the industries it touches, is ever-evolving and is most effective if it is tailored to the business and the employees it serves.