DOJ vs. OIG: Analysis of Recently Issued Federal Compliance Documents
Within just weeks of each other, the U.S. Department of Justice (“DOJ”) and the U.S. Department of Health and Human Services’ Office of Inspector General (“OIG”) issued separate documents that health care organizations may use to design, implement, evaluate and improve their compliance programs. This E-Alert provides a brief overview of each agency’s document in Sections I and II, and thereafter analyzes the documents in Section III by pointing out the important ambiguities that exist in the DOJ’s document and differences between the two agency’s positions that compliance personnel, management, and others should be aware of when utilizing these two separate documents as tools.
I. The DOJ’s “Evaluation Of Corporate Compliance Programs”
On February 8, 2017 the DOJ Fraud Section issued a document (available here) entitled “Evaluation of Corporate Compliance Programs” which included eleven sample topics and related questions federal prosecutors may utilize to assess the effectiveness of corporate compliance programs (herea er, the “DOJ Factors”). Although many of the topics and questions provided in the DOJ Factors also appear in other government resources, including the United States Attorney’s Manual and United States Sentencing Guidelines, the DOJ Factors offer some increased transparency into the factors that the Fraud Section finds relevant in an effective corporate compliance program, and more particularly, how a program will be evaluated when underlying criminal conduct has been identified. This is the most recent document released by the Fraud Section since the Department retained a full-time compliance expert in November 2015.
The DOJ Factors reference the two factors under the United States Attorney’s Manual that federal prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. These factors, commonly known as the “Filip Factors,” include (1) the “existence and effectiveness of the corporation’s pre-existing compliance program” and (2) the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” With these factors in mind, the Fraud Section acknowledged with the DOJ Factors that it does not use any rigid formula to assess the effectiveness of corporate compliance programs because each company’s corporate compliance program is developed using individual risk profiles and mitigation approaches. Instead, the DOJ Factors are intended to provide an illustration of the “common questions” federal prosecutors may ask when evaluating a compliance program.
With the DOJ Factors, the Fraud Section offers the following eleven key subject areas that federal prosecutors may consider when conducting an investigation, each of which may be more or less relevant depending on the particular facts at issue:
Analysis and Remediation of Underlying Conduct;
Senior and Middle Management;
Autonomy of Resources;
Policies and Procedures;
Training and Communications;
Confidential Reporting and Investigation;
Incentives and Disciplinary Measures;
Continuous Improvement, Periodic Testing and Review;
and Mergers and Acquisitions.
Although the DOJ cautions that the topics above are not intended to be used as a checklist or create a formula for government investigations, they are a useful resource for legal counsel and compliance personnel when training employees on compliance issues and designing company compliance programs. Additionally, the topics emphasize that it is not su icient for a company to simply implement a compliance program, but rather, ongoing risk assessment, training, and improvement is required and will be assessed by federal prosecutors should misconduct be identified.
II. The OIG’s “Measuring Compliance Program E ectiveness: A Resource Guide”
On March 27, 2017, just weeks a er the DOJ’s Fraud Section released its document on corporate compliance program factors, the OIG, in conjunction with the Health Care Compliance Association (“HCCA”), issued a document (available here) entitled “Measuring Compliance Program Effectiveness: A Resource Guide” which provides guidance for designing and implementing company compliance programs (herea er, the “OIG/HCCA Guide”). The OIG/ HCCA Guide was produced by the OIG and HCCA following a roundtable meeting attended by OIG staff and other health care compliance professionals in January 2017. A product of the roundtable discussions, the OIG/HCCA Guide contains more than 400 compliance metrics that address the following seven elements of an effective compliance program and lists suggested ways to measure such metrics:
1. Standards, Policies, and Procedures;
2. Compliance Program Administration;
3. Screening and Evaluation of Employees, Physicians, Vendors and other Agents;
4. Communication, Education, and Training on Compliance Issues;
5. Monitoring, Auditing, and Internal Reporting Systems;
6. Discipline for Non-Compliance; and
7. Investigations and Remedial Measures.
The stated purpose of the OIG/HCCA Guide is to give health care organizations a wide range of ideas to consider when developing and reviewing company compliance programs. While the metrics are an important resource in evaluating a compliance program’s effectiveness, the OIG cautions that the OIG/HCCA Guide is not intended as a checklist to be applied wholesale to assess a compliance program. Instead, the OIG recommends that health care organizations review the OIG/HCCA Guide and apply the metrics most relevant to the organization’s risk areas, size, resources, and industry segment, among other factors.
III. The DOJ Factors Vs. The OIG/HCCA Guide
Even though the DOJ Factors and the OIG/HCCA Guide were released within weeks of each other and address the same subject matter, there is no indication that DOJ and OIG coordinated when developing the documents. As a result, health care companies are le with the arduous task of reconciling the two documents when attempting to use them to identify and measure priority compliance metrics. While the agencies include many of the same broad topics, compliance personnel, management, and attorneys operating in the health care industry should be familiar with the di erences between the DOJ Factors and the OIG/HCCA Guide when evaluating company compliance programs. The following is a brief summary of the major di erences between the two documents that warrant particular attention.
• The intended audiences of the DOJ Factors and the OIG/HCCA Guide are not the same. The DOJ drafted its document for internal use when investigating a company’s corporate compliance program. In contrast, the OIG and HCCA developed its guide for external use by the health care industry as a compliance tool.
• The OIG’s guidance offers suggestions for health care organizations. The OIG makes clear that the OIG/ HCCA Guide is a reference document and organizations should not strive to do everything outlined in this lengthy document. The DOJ Factors do not provide similarly explicit application. In developing the OIG/HCCA Guide, it is possible the OIG recognized that, while the guide may be helpful, there is potential for it to be used against an organization in an enforcement matter (e.g., the government taking the position that if a company does not follow the OIG/HCCA Guide completely, it has an ineffective compliance program), and the OIG intended to avoid this outcome.
• The DOJ Factors include a list of potential questions the Fraud Section may ask during an investigation, some of which are open-ended with no indication as to which answer may be the “correct” answer from the DOJ’s perspective. Other factors are compound questions, and the DOJ does not identify which portions are more critical or how the responses may be weighed. For example, in assessing the autonomy and resources of a company’s compliance program, the DOJ Factors indicate that the Fraud Section may ask: “Has the company outsourced all or parts of its compliance functions to an external firm or consultant?” But, it is unclear whether the DOJ perceives outsourcing as negative or positive or what weight the DOJ will place on full versus partial outsourcing. Thus, depending on the circumstances, the DOJ could subjectively use a company’s answer to this question to fit its own preconceived narrative.
• To the extent the DOJ Factors ask a company to answer how it has assessed or implemented a certain topic, the OIG/HCCA Guide may provide specific action items that, if followed, may answer the DOJ’s question. For example, the DOJ Factors indicate the Fraud Section may ask: “Has the company had policies and procedures that prohibited the misconduct?” and “[h]ow has the company assessed whether these policies and procedures have been effectively implemented?” The OIG/HCCA Guide provides several ways to determine if policies have been effectively implemented, one of which is to “audit practices and review committee minutes and other document to determine how new policies are implemented.” Thus, a company that follows the OIG’s suggestions would be able to affirmatively represent to the DOJ that it had a process in place for reviewing policy implementation.
• In terms of specific content, there are several differences between what the OIG recommends when evaluating your compliance program and what the DOJ focuses on when doing the same. Specifically:
Code of Conduct / Compliance Committee. Unlike the OIG/HCCA Guide, the DOJ Factors do not expressly address a company’s code of conduct or compliance committee.
Compliance Incentives. Unlike the DOJ Factors, the OIG/HCCA Guide does not focus on how management’s actions encourage or discourage a particular type of misconduct. Instead, the OIG encourages companies to align their performance evaluations and incentive systems with their ethics and compliance objectives, possibly reflecting the DOJ’s renewed focus on identifying culpable individuals.
Compliance Resources. While the DOJ Factors and OIG/HCCA Guide both focus on sufficient allocation of compliance personnel and resources in light of a company’s risk, the DOJ Factors are further focused on whether requests for resources by compliance have been denied and how such denial decisions were made. The OIG/HCCA Guide is not focused on this operational detail.
Policies and Procedures.
The OIG/HCCA Guide expressly suggests measuring processes related to the review and approval of policies and procedures, whereas the DOJ Factors ambiguously inquire about the “design” of policies and procedures.
Keeping in mind that the DOJ Factors cover situations where the DOJ is retroactively assessing a company’s compliance program a er allegations of non-compliance arose, the DOJ Factors focus on whether a company had policies and procedures in place that prohibited the specific misconduct being investigated only. In contrast, the OIG/HCCA Guide focuses on the assessment of a broader population of policies; namely, whether a company has essential, required, and fundamental policies and procedures in place, as well as policies in procedures in “high risk” areas.
In reviewing the accessibility of policies and procedures, the DOJ Factors focus on how policies and procedures have been communicated to employees and third parties and how the company has evaluated the usefulness of such policies and procedures. The OIG/HCCA Guide expands far beyond communication, focusing on ways to measure actual accessibility to policies and procedures, audit actual access that has occurred, assess communication strategies (including that communication occurs in an accessible language), and determine personnel awareness of the compliance program.
• The OIG/HCCA Guide provides more robust information on policy evaluation, noting several ways to measure the quality, usefulness, and effectiveness of a company’s policies and procedures. Notably, the DOJ Factors make no mention of quality.
Internal Audits, Monitoring, and Investigations. The importance of having internal monitoring and auditing processes, as well as conducting investigations when concerns arise, is clear in both documents. The OIG/HCCA Guide provides more robust and detailed information on these areas than the DOJ Factors. The DOJ Factors retroactive perspective (e.g., questioning whether an audit could have uncovered the misconduct) and the OIG/HCCA Guide’s prospective perspective (e.g., assessing whether audit processes are in place to identify compliance deficiencies) are particularly apparent here.
Reporting Mechanism. While both documents focus on the e ectiveness of the company’s reporting mechanism, unlike the OIG/HCCA Guide the DOJ Factors do not question the accessibility to, awareness of, and trust in the company’s reporting mechanism by employees.
Screening and Disclosures. The OIG/HCCA Guide sets forth several metrics devoted to exclusion screening and disclosure, background checks, licensure screening, and conflicts of interest. The DOJ Factors make no mention of the same.
Vendor and Third Party Management.
The DOJ Factors question the company’s rationale for using third parties and focus on the specifics of certain contractual terms with such parties. The OIG/HCCA Guide places no focus on such items.
To the extent a vendor was involved in any misconduct, the DOJ Factors focus primarily on the company’s processes for selecting that vendor. The OIG/HCCA Guide does not focus on the vendor selection process and instead emphasizes company processes for screening vendors for exclusion, performing background checks (if appropriate), and ensuring vendors disclose any conflicts of interest.
Mergers and Acquisitions. There is an entire section in the DOJ Factors devoted to mergers and acquisitions and the due diligence process. Information on mergers and acquisitions is nonexistent in the OIG/ HCCA Guide.
Training and Communications
The OIG/HCCA Guide identifies some positions within a health care company that are “high risk,” such as individuals conducting coding and billing tasks as well as physicians. The DOJ Factors do not include examples of such high risk positions.
The OIG/HCCA Guide suggests that health care companies conduct audits of the training program to ensure appropriate high risk individuals have been identified and the correct training has been assigned. The DOJ Factors do not address any training-specific audit tasks.
- Discipline for Non-Compliance
The OIG/HCCA Guide specifically addresses the company compliance officer and a compliance officer’s role in disciplinary action. The DOJ Factors do not discuss the role of a compliance officer.
The OIG/HCCA Guide includes the importance of non-retaliation for good faith reporting of non-compliance with company policies and procedures. The DOJ Factors do not discuss non- retaliation.
Given the complexities of health care laws that govern day-to-day operations of health care companies, it is necessary for companies to have corporate compliance programs. Further, the DOJ’s fraud enforcement efforts continue to be aggressive as the government, generally, continues to crack down on alleged violations of the Federal False Claims Act, Federal Anti-Kickback Statute, and analogous state statutes. As a result of the increased pressure brought on by today’s regulatory and enforcement environment, we recommend that health care companies review their compliance programs in light of the above documents.