Kusserow on Compliance: DOJ issues 2020 compliance program guidelines

Provides a more in-depth analysis of compliance programs

The DOJ released the updated Evaluation of Corporate Compliance Programs to assist prosecutors in making an informed analysis of an organization’s compliance program at the time of charging decisions. It has not changed much from the prior releases, which included a list of 119 compliance-related questions. The new guidance continues to focus on three core questions derived from the Justice Manual, namely, whether a compliance program is “well designed,” “being applied earnestly and in good faith,” and “works in practice.” It restates the importance of having a compliance program suitable for the company’s risk profile but adds context and detail to help companies ensure that their compliance priorities are aligned with the DOJ’s expectations.

The added points include: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Attention to these principles helps companies enhance their compliance programs and adhere to best practices that would best position them in the event of an inquiry or enforcement action by a government regulator. The guidance reflects the continued expectation that a compliance program should evolve and improve over time as the business changes and the compliance function matures. Meaningful risk assessments and program evaluations are critical to this end. There is added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and whether “the periodic review led to updates in policies, procedures, and controls.”

The DOJ has continued to move away from the antiquated model of a generic, “off-the-shelf” compliance program and to focus more on how an organization acts in response to risk assessments. Other questions include whether the company has a process for tracking, and incorporating into its periodic risk assessment, lessons learned either from the company’s own prior identified issues or from those of other companies operating in the same industry and/or geographical region. The DOJ asks about effective monitoring of compliance and whether the compliance program has continuous access to operational data and information across functions. The DOJ underscores, once again, the importance of regular reviews of the compliance program, and makes it clear that these should not be “cookie cutter,” “check the box” reviews. Reviews should produce useful findings that result in meaningful changes and improvements. Greater emphasis is also given to the adequacy of compliance resources, the quality of trained staff, and the empowerment of the program. The importance of oversight of any third-party agents that act on the company’s behalf is stressed, including whether the company engages in risk management of third parties throughout the lifespan of the relationship. The questions also cover whether the company completed pre- and post-acquisition due diligence and whether it has a process for timely and orderly integration of an acquired entity into existing compliance program structures and internal controls.

The guidance asks whether the company tracks access to its various policies and procedures to understand which policies are attracting the most attention from relevant employees, and whether the policies have been published in a searchable format for easy access and reference. Employee training receives new attention, with the suggestion that companies make the format of their training more responsive, including by: (1) investing in shorter, more targeted training sessions, and (2) ensuring a process by which employees can ask questions arising out of the training. There is also the question of the extent to which the training has an impact on employee behavior or operations. With regard to hotlines, the guidance adds language on ensuring that the hotline is an accessible, responsive tool: whether the company tests whether employees are aware of the hotline and feel comfortable using it, and whether reports are tracked from inception to finish.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges associated with the 2014 “hacking” theft of the University of Pittsburgh Medical Center (UPMC) human resources database, which included personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud, aggravated identity theft, and selling the information on the dark web to buyers around the world. The buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns, leading to $1.7 million in false tax refunds.

Additionally, the indictment alleges that the hacker, from 2014 through 2017, using the monikers “TDS” or “DS,” regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud. According to the indictment, the hacker sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false Form 1040 tax returns using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars in false tax refunds, which the conspirators converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise that was shipped to Venezuela. The case was investigated by the Secret Service, the IRS, and the Postal Inspection Service. As a side note, six years ago the case resulted in a major legal battle after employees sued UPMC for negligence and breach of contract. The state high court ruled that UPMC may be liable for monetary damages if the plaintiffs can prove the health system acted negligently.


Kusserow on Compliance: Not all data breaches are from accidents or cyber attacks

1,182 Beaumont Health patient records compromised

Employee passed patient information to a personal injury law firm

Undetected for 3 years

Not found by hospital but from an alert by the Attorney Grievance Commission

OCR not notified because it was not a data breach

An employee of Beaumont Health, an eight-hospital health system in Michigan, was caught siphoning sensitive patient information without permission and handing it over to a personal injury attorney. The medical records involved 1,182 individuals. The law firm was not identified, and it is not clear how the law firm used the information. The case is under investigation, and all persons whose records were compromised are being notified.

The Michigan Health & Hospital Association was notified so that it could alert other hospitals about the incident and help them guard against similar insider disclosures. The breach was discovered on December 10, 2019, and resulted in an internal investigation. The matter was not discovered by Beaumont itself but as a result of an alert from the Michigan Attorney Grievance Commission, a watchdog that maintains ethical law practice in the state. How the Commission learned of the issue was not reported.

It was determined that from February 1, 2017, until October 22, 2019, the employee accessed and disclosed protected health information (PHI) without authorization. The information accessed included names, addresses, dates of birth, phone numbers, email addresses, reasons for treatment, insurance information, and Social Security numbers. Notified individuals have been advised on how to further protect their information and monitor financial accounts for fraud. They also were asked to closely review health insurance claim information. Those whose Social Security numbers were exposed have been given information about enrolling in free credit monitoring, Beaumont said. Beaumont reported that it has not experienced or reported a data hack or unauthorized loss of patient data to the Office for Civil Rights (OCR), which tracks and investigates breaches of patient data.



Kusserow on Compliance: Tips for an effective compliance exit interview program

– Useful only if done correctly

Carrie Kusserow has developed and evaluated many compliance-related exit interview programs and has found that one that is properly designed and constructed can give early warning of a potential liability and permit corrective action to prevent escalation of the problem. There is the added benefit that the program may deter departing employees from becoming “whistleblowers” after they have secured new employment and are free of the fear of retribution or retaliation. Affording these employees an opportunity to provide information prior to departure gives the individual a legitimate path for redress of grievances and reduces the likelihood they will turn outside the company to “blow the whistle.”

She found the most cost-effective, efficient, and useful programs are those that keep the compliance exit interview separate from the last-day HR exit process of filling out forms, turning in company property, and receiving COBRA and other required information. On the last day, departing employees are often preoccupied with the mechanics of leaving and may be reluctant to reveal the full and true reasons for their departure. Exit interviews should be conducted as far in advance of the last day as possible. They should be a live exchange rather than a “fill out the form” process, and those conducting the interviews should be properly trained and have the skills to obtain useful information.

If done properly, exit interviews allow departing employees to describe experiences and identify issues for management that could otherwise remain unknown. Most such interviews will take only 15 to 30 minutes. The biggest challenge is defining whom the compliance officer should debrief, since only a limited number of interviews can be done. Generally, the individuals are limited to members of management and those identified as potentially having a grievance against the organization. She offered the following tips for those considering establishing or enhancing an exit interview program.

  1. Create a policy document defining what level of management should be debriefed by the compliance officer. It is important to carefully define covered persons to avoid individuals resisting being interviewed. The interview can then be presented as just another formality that must be completed before exiting the organization.

  2. Schedule interviews as soon as possible after the decision to leave the organization has been made. This permits the organization to take remedial action on any problems raised during the interview before the person leaves.

  3. Conduct the interview away from the person’s office to avoid distractions or interruptions, and in a place where the conversation cannot be overheard.

  4. Use open-ended questions, where the departing employee supplies the answer; these are much more effective than having answers chosen from a predetermined list. Departing employees are typically reluctant to say or do anything that might prejudice their opportunities for future employment. The reliability and usefulness of the results is strongly affected by the skill of the interviewer and whether the employee trusts the interviewer.

  5. Include questions about the departing employee’s experience, especially where it involves compliance matters, discrimination, harassment, etc. The debriefing should include very pointed questions about their workplace experience with regard to compliance.

  6. Ask whether they observed any violations of laws, regulations, the Code of Conduct, policies, etc. If so, the compliance office should be alerted.

  7. Address any management, regulatory, or legal issue raised, if possible, before the employee leaves the control of the organization. Taking corrective action while the person is still an employee may forestall that person from taking the same issues to an attorney, government agency, the media, etc.


For more information or assistance in establishing Compliance Program Exit Interview Programs, contact ckusserow@strategicm.com.

