Health System Compliance Program Oversight: Elements of Governance Effectiveness
Attorney Working Version

Prepared by:
Michael W. Peregrine, mperegrine@mwe.com, 312.984.6933
Tony Maida, tmaida@mwe.com, 212.547.5492
Updated: January 2018
© 2018 McDermott Will & Emery LLP

Description of Key Elements

A. Accessible and Effective Policies and Procedures
1. Compliance policies and procedures (P&P) are designed for reasonable effectiveness in preventing and detecting compliance issues and employee wrongdoing.
2. P&P are tailored to address the company's risk assessment and profile.
3. The organization's process for designing and implementing P&P reflects business unit input.
4. P&P have clear ownership assignments and are regularly updated to reflect changes to law and regulation.
5. P&P are designed for the intended audience, provide clear guidance for key gatekeepers, and are accessible to relevant employees and third parties.

B. Role of Organizational Leadership
1. "Tone at the top"; leadership promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
2. The governing board is engaged and informed with respect to the content and operation of the compliance and ethics program.
3. Specific leadership actions are taken to demonstrate their commitment to compliance and remediation efforts.
4. The governing board has access to compliance expertise, and exercises independent review over proposed corporate actions.
5. An information and reporting system provides management and the board with timely and accurate information that supports informed decision making on legal compliance matters.

C. Compliance Program Administration
1. The compliance function has an appropriate, autonomous hierarchical stature within the organization.
2. Compliance personnel have experience and qualifications appropriate for their roles and responsibilities.
3. Senior compliance executives, and the general counsel, have a direct reporting relationship to the board and applicable board committees.
4. Compliance program activities are addressed in the compensation and promotion of company personnel in view of their role, responsibilities and other factors.
5. The compliance function is integrated into the business functions and has appropriate involvement and opportunity to review and advise on proposed transactions for compliance considerations.

D. Compliance Program Resources
1. The compliance function has funding and staffing resources commensurate with the size and risk profile of the organization and is consistent with the funding and staffing of other business units in the corporation.
2. Management works with the board to determine the adequacy of the resources dedicated to implementing and sustaining the compliance program.
3. The compliance function staff have appropriate continuing education and professional development resources and opportunities.
4. Compliance staff is sufficient to audit, document, analyze and utilize the results of the corporation's compliance efforts.
5. Compliance-related responsibilities are assigned across the appropriate levels of the corporation.

E. Oversight, Management of Third Parties
1. There is a specific process by which third party vendors are selected.
2. Third party vendor performance is monitored for adherence with compliance program requirements.
3. Vendor incentive compensation models are analyzed for compliance risks.
4. Third party corporate relationship managers are trained about relevant compliance risks and how to manage them.
5. Appropriate controls are in place to assure compliance with third party contract and payment terms.

F. Training, Education and Communications
1. Training is provided to employees in control functions, with special emphasis on employees in high risk areas.
2. Training is offered in the form and language appropriate for the intended audience, and regularly monitored for effectiveness.
3. Management communicates to employees corporate policy on specific incidents of misconduct, and on disciplinary consequences for failure to comply with compliance policy.
4. Employees are adequately informed about the compliance program and believe the corporation is committed to the program.
5. Appropriate resources are available to employees to provide guidance relating to compliance policies.

G. Monitoring, Auditing and Risk Assessment
1. The company applies a specific methodology to identify, analyze and address risks it faces.
2. The auditing and monitoring plan is informed by information and metrics designed to identify specific types of misconduct.
3. Corporate risk assessment processes account for manifested risks.
4. Risk assessments are updated on a regular basis by qualified personnel and reviewed by a work group that contains nonconflicted personnel.
5. The internal audit function is properly structured, staffed and resourced.

H. Confidential Reporting and Investigation
1. Internal reporting mechanisms are a source for the audit work plan and risk assessment activities.
2. Internal investigations are properly scoped, independent, objective, appropriately conducted and properly documented.
3. Internal investigations extend to the appropriate level of organizational hierarchy.
4. The compliance function has full access to reporting and investigative information.
5. Compliance policies appropriately address the retention of business records, and prohibit the improper destruction or deletion of business records.

I. Analysis and Remediation of Underlying Conduct
1. A root cause analysis is conducted of identified misconduct, that considers system vulnerabilities and accountability lapses.
2. Particular focus is on prior opportunities to have detected the ultimately identified misconduct.
3. Specific remediation efforts are applied to address the concerns identified in the root cause and missed opportunities analysis.
4. High-level results from disciplinary actions are published internally to ensure transparency.
5. The compliance function conducts validation review of corrective action plans.

J. Incentives and Disciplinary Measures
1. A fair and consistent disciplinary process and compliance incentive program exists across the organization.
2. There is a clear record of applying accountability measures by appropriate officers in instances of misconduct.
3. The company incentivizes compliant and ethical behavior, and evaluates the potential negative implications of its incentives and rewards.
4. Accountability is extended to managers where misconduct occurred under their supervision, and to supervisors for failure of oversight.
5. Compliance considerations are applied in employee performance review, compensation and promotion criteria.

K. Continuous Improvement, Periodic Testing and Review
1. Relevant audit findings and remediation progress are reported to management and the board on a regular basis.
2. Elements of the compliance program relating to incidents of specific misconduct are periodically reviewed.
3. Risk assessments and compliance practices are regularly reviewed and updated.
4. Management and the board regularly follow up on audit findings and remediation progress.
5. The compliance function periodically evaluates whether specific policies and protocols make sense for particular business segments or subsidiaries.