Compliance Perspectives

Author: SCCE


Description

Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org
546 Episodes
By Adam Turteltaub In January 2024 the US Attorney’s Office for the Southern District of New York (SDNY) sent a shockwave through the business world by announcing a new whistleblower pilot program. To understand what the policy says and what it likely means for compliance programs, we spoke with Todd Haugh (LinkedIn), Associate Professor of Business Law and Ethics, Arthur M. Weimer Faculty Fellow in Business Law at the Kelley School of Business at Indiana University. Under the policy, he explains, individuals who have participated in a fraud may be eligible for a non-prosecution agreement, if the individual meets three key criteria: They provide information that is not previously known to prosecutors and is produced voluntarily, not subsequent, say, to an arrest. The information is full, substantial and truthful. The individual is not otherwise disqualified, such as serving as a government official or the CEO or CFO of the company. Given the incentives already in place for companies to self-report wrongdoing, this is in many ways an extension of what already exists. However, its impact should not be underplayed. The SDNY is a leader in white collar prosecutions and other US Attorney’s offices are likely to follow suit. At least one already has. Second, while the SEC has encouraged whistleblowing at publicly traded companies, the SDNY policy is open to public, private and even non-profit organizations. The new policy also may create situations in which employees and their employers find themselves in a race to disclose first. This, in turn, means that organizations need to significantly increase their efforts to create a culture that encourages internal whistleblowing. That includes creating easy paths to follow for potential whistleblowers and prompt investigations. Listen in to learn more about the policy and how your compliance program may need to evolve as a result of it.
By Adam Turteltaub In late 2023, The Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman, explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues in healthcare and patient safety. It also reflects the OIG’s efforts to ensure effective compliance programs in new entrants into healthcare, such as private equity and technology firms. Both may well discover that practices that are permissible elsewhere are not in healthcare. The guidance also encourages incentivizing compliance. Another gem in the guidance is the clear message to carefully scrutinize arrangements with third parties. Due diligence at the outset is important, but it is also necessary on an ongoing basis to determine if the relationship is necessary and the price tag is fair market value. Listen in to learn more, and be sure to check out the General Compliance Program Guidance.
By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things: (1) adopt a problem-solving approach; (2) tailor your efforts to the most pressing issues; and (3) timing: anticipate what the business needs to move forward. Listen in to learn more and gain other tips for fully embedding compliance into the business process.
By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches has soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosystem is sustained with active partnership and representation between critical and significant technology partners and suppliers, including non-traditional health and life science entities.” It sets four objectives under that goal: (1) Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data; (2) Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies; (3) Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations; (4) Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks. Listen in to learn more about the document, the council and how the healthcare sector is working together to stem cyberthreats.
By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline-grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very bad idea. Another bad idea: assuming your people are not a risk area. They are. Be sure to be sensitive to internal risks. Train the workforce and work with the finance team to help them serve as an extra set of eyes when it comes to spotting misconduct. Above all, stay alert and be prepared to investigate possible incidents. Prosecutors still expect companies to bear the brunt of the investigative burden.
By Adam Turteltaub Krista Muszak is organized. More importantly, the longtime compliance professional and Senior Manager, Regional Process & Optimization Lead for Pfizer knows how to keep others organized as well. She will be sharing some of this wisdom in Nashville at the 2024 HCCA Compliance Institute in the session “Muda, Mura, Muri to Veni Vidi Vici: Applying Project Management and Process Improvement to Your Compliance Program.” She also shares a bit of it here in the latest Compliance Perspectives podcast. First, she explains that the title comes from terms used by Toyota to improve the process flow at their plants and eliminate waste. Muda is about eliminating waste and activities that don’t add value. Mura speaks to addressing variability in operations to increase stability and reduce unnecessary variations. Muri addresses not overloading people and the business with too many asks, such as releasing a round of training at the same time as year-end activities. Embracing these concepts can increase efficiency and effectiveness. At the same time adopting a project management approach helps build guardrails around your efforts. Use it to identify who is responsible, who is accountable, who needs to be informed and who needs to be consulted. This brings clarity into who the key players are and their responsibilities. With the right people on board, a project charter can be extremely effective, identifying what the project goals are, and what they aren’t. From there it is time, she explains, to move on to measure, analyze, improve and establish controls for your initiative. Listen in to learn more about how to bring greater effectiveness and efficiency for your compliance efforts.
By Adam Turteltaub When it comes to compliance technology, there are two challenges. First is finding the right solutions to increase your program’s effectiveness. Second is securing the resources to acquire and deploy the technology. Parth Chanda, Founder and CEO of Lextegrity, covers both topics in this podcast. When it comes to tech, he explains, you want tools that give you the confidence that your program is effective in practice and not just on paper. You also need to prioritize based on risk, and your organization’s own experience with technology. If the history is short or non-existent, start with something relatively simple such as training or policy management. Tools that can make it easier for employees to report wrongdoing are also invaluable. To secure the resources you need, he advises making the business case by focusing on the ROI, for example, by showing that investigations can be completed in less time and with less staff. But, as you look at technology, be realistic and recognize that technology will not remove human judgement. It can expose gaps and gray areas, but then the compliance team will need to step in to understand the nuances and the appropriate solution.
By Adam Turteltaub Imagine you are at a large company with thousands of suppliers. As a part of the compliance team you need to understand the risk of working with each and every one of them. To do that you may need to understand the ownership structure, where they source materials, where and how they manufacture, and a host of other data about each and every one of them. That’s a daunting task. It’s also one that Jenna Wells, Chief Customer and Product Officer at Supply Wisdom, believes is ideally suited for AI. With human supervision it can help with such a large, seemingly impossible undertaking. AI, she argues, can be an effective tool for enabling compliance programs to better understand the risks they face and then focus on the most important ones. To get there, compliance teams need to get a handle on the data that they have that is normally siloed. Look to external sources for regulatory data and emerging legislation, she suggests. At the same time, though, it’s important to understand the limitations of AI. While it can handle the brute force exercises, such as combing through all the data on all those vendors, there is still a need for the human element. Listen in to learn more about putting the power of AI to work for your compliance efforts.
By Adam Turteltaub Traditionally, explains Tanya Ganguli (LinkedIn), Principal Associate, Law Offices of Panag & Babu, India’s criminal law framework revolved around the Indian Penal Code, The Code of Criminal Procedure and the Indian Evidence Act, two of which dated back to the 19th century. That changed with the passage of three new laws: the Bharatiya Nyaya (Second) Sanhita, 2023, the Bharatiya Nagarik Suraksha (Second) Sanhita, 2023 and the Bharatiya Sakshya (Second) Bill, 2023. Together they seek to bring criminal law into the 21st century and build off of long-established precedents. They are designed, she reports, to address loopholes, enhance efficiency and ensure justice. The laws are now more victim-centric, but may not be too transformative, according to Tanya, for most compliance and ethics programs. Nonetheless, there are changes. New rules for searches and seizures will likely require updated training on dawn raids. Summons can now be delivered electronically. There is much greater need to digitize and consolidate records. Having the right tone at the top will be more important than ever. However, the change is likely to come relatively slowly with many aspects of the law expected to be implemented in stages. So keep your eye on the horizon in India, and be sure to listen to this discussion. Also, don’t miss the first ever SCCE Basic Compliance & Ethics Academy in India.
By Adam Turteltaub As of January 2024, there’s a new Code of Conduct of the Volkswagen Group, replacing one developed in 2017. To understand what led to the latest iteration of the code and the vision behind it we spoke with Silke Becker and Sarah Specht (LinkedIn) of Volkswagen Group Integrity & Compliance. They are part of a team led by Tina Landsmann, Head of Volkswagen Group Center of Competence Integrity & Compliance Awareness & Qualification and Dr. Kurt Michels, Volkswagen Group Chief Integrity & Compliance Officer. The code was updated to reflect changing times, including the draft European Supply Chain Act. This required a change in content, but the team also chose to update the tone and feel. The language of the document now focuses on “we” and “us”, and it is very proactive, making the document less about what the board or management calls for and is instead about what we as a group are committing to. Each section of the code has a headline that reinforces this message: “We take responsibility for human rights,” “We lead based on our values,” “We like diversity.” The document embraces a magazine style to increase readability, and there is the opportunity to digitally drill down on individual topics, making it a one-stop shop for employees. As the team developed the document, in partnership with individuals around the company from multiple departments, they had several goals in mind. First, it had to be relevant for everyone, whether working in conventional auto manufacturing or battery development. Second, it had to work all around the globe given Volkswagen’s global footprint. It also had to be more human. Take some time to see all of these elements and more when you explore the code. Then listen to the podcast to hear the story behind it and, maybe, get some ideas for updating your code of conduct.
By Adam Turteltaub On January 5, 2023 the EU Corporate Sustainability Reporting Directive went into force. The directive broadens the scope of companies that report on sustainability issues, adds to the amount of information that needs to be reported, and even requires external assurance, reports Elena Sychenko (LinkedIn), Adjunct Professor at the Department of Management at the University of Bologna and currently a Fulbright Scholar at the Wharton School of Business. The directive now covers all listed companies with the exception of micro enterprises. Also falling under it are non-EU companies that have a significant presence in the EU. The reporting requirements, which are still being fully developed, closely follow the Global Reporting Initiative (GRI) standards and focus on ESG explicitly, with several areas of reporting under E, S, and G. These include: E: climate change, pollution, water, biodiversity; S: the organization’s own workforce, the workforce in the value chain, affected communities, consumers and end users; G: business conduct in general. Compliance teams will need to ensure that the reporting is accurate. One area to watch out for, she notes, is vagueness. A company may choose to provide overly vague information that could be misleading. Listen in to learn more about the directive and the risks involved.
By Adam Turteltaub The No Surprises Act is a significant change to how healthcare coverage is handled and billed. In general, it eliminates balance billing in three typical areas: (1) a patient is brought to an emergency room in an out-of-network hospital; (2) a patient is transported by air ambulance; (3) a patient is being cared for at an in-network hospital but, unbeknownst to him or her, a physician or service that is out of network provides care. To understand the Act more fully, we spoke with Brian Stimson, Partner, Arnall Golden Gregory, who will be leading the session “The All Surprises Act: Avoiding Compliance Pitfalls and Responding to Administrative Enforcement Actions under the Surprise Billing Laws” at the 2024 HCCA Compliance Institute. As he explains, there is a two-tiered enforcement structure to the law, with both individual states and the federal government involved. Compliance teams looking to ensure their organizations are complying need to pay close attention to patient complaints. These can be a tip-off to improper balance billing and a red flag of systemic issues. Be extra alert if a patient comes to them, and it can even be good to check social media for reports of wrongful billing. Listen in to learn more, and then join us in Nashville, April 14-17, for the HCCA Compliance Institute.
By Adam Turteltaub When it comes to risk assessments, the word “annual” comes up a lot. But, Kelly Alwin, Regional Compliance Officer North America for SAP America, believes that once a year may be more than a bit too long. To her, a risk assessment is more than a periodic assessment and an annual chore. It is critical to the program’s success and lends credibility and substance to the compliance program. She points out that from the Delaware Chancery Court to the US Department of Justice, the importance of a strong risk assessment is underscored. In this podcast she argues that, for the risk assessment to play the role it should, it can’t afford to sit on the shelf. It needs to be a dynamic document that both informs all the other elements of the program and evolves as risks evolve, whether due to a new go to market strategy, a merger or an entry into a new market. Bottom line: look at your risk assessment, she advises, not as a discrete activity but as a continuous analysis. Incorporate micro assessments, embrace continuous improvement, and, hopefully, enjoy a more effective compliance and ethics program as a result.
By Adam Turteltaub Behavioral health shares many of the same compliance challenges as the rest of healthcare, but it also has several of its own. To understand the risks, we sat down with Community Counseling Solutions’ Executive Director Kimberly Lindsay and Compliance & Privacy Officer Tim Timmons. They will be leading the session “Developing an Ethics and Compliance Program in Behavioral Health” at the HCCA 28th Annual Compliance Institute, which will be in Nashville, April 14-17 and also offered in a virtual format. In this podcast they identify several typical compliance challenges in the behavioral health setting: (1) Managers and supervisors who are well intentioned but busy, not holding staff accountable and not reporting in a timely manner. (2) Incidents after hours when a patient is in crisis. This is a very difficult situation. The team is eager to help the patient get better, but with lots of adrenaline flowing in a difficult situation, they may find themselves sharing more information about the patient than they should. (3) Sharing PHI improperly when working with community partners. (4) Mishandling of subpoenas and court-ordered requests for records which may not comport with 42 CFR. (5) Coding and dual diagnosis treatment. (6) Treatment plans that are not updated before providing services. (7) Overly verbose documentation. Listen in as they outline these issues and ways to address them. Then, plan on joining us in Nashville for the 28th Annual Compliance Institute.
By Adam Turteltaub While Ericsson is best known for its mobile phones, the company’s reach in wireless is far greater. It is the creator of Bluetooth technology, owns patents on much of the critical IP that wireless systems depend on, and is active in more than 180 countries providing much of the hardware, and even cellphone towers, that enables all of us to talk, text, and surf the web wherever we are in the world. Jan Sprafke, Chief Compliance Officer at Ericsson, explains in this podcast that with that global reach – including operations in approximately 100 high risk countries – also comes a large network of suppliers. To manage the potential compliance challenges that go along with it, the company uses a risk-based approach to supplier management. They assess the country risk, go-to-market approach and whether the supplier will be using subcontractors. Then they work closely with sourcing and other assurance functions on an ongoing basis. The company’s supplier code of conduct is shared with their vendors. But, it is just the start. There is also training provided, supplier days, meetings with them to discuss FCPA, AML, health and safety and other topics. All of these efforts and more help suppliers understand what Ericsson’s expectations are, not just in principle but also in practice. They even work with many of their contractors as they select their subcontractors. The goal is to create an end-to-end framework for managing third party compliance risk. Download the podcast (maybe even on your mobile device) to learn more.
By Adam Turteltaub Julie Janeway (LinkedIn), General Counsel and principal owner, Principled Healthcare Consulting will be speaking about internal and parallel investigations at the 2024 HCCA Compliance Institute. In this podcast she slices off a bit of that expertise. A thorough investigation is needed, she advises, whenever there is an issue that could require arbitration, a court case, administrative hearing, contractual dispute or reputational issues, whether by an employee, contractor or the organization itself. The same is true if there is a policy breach or alleged violation of the code of conduct. So how best to do it? Have both an investigation plan and a preplan which designates who will be responsible for the investigation depending on what the issue is. For example, a privacy officer would likely play the lead role in a HIPAA breach allegation. As for the plan itself, it should be thorough. The team executing it should include individuals with a wide range of skills and, she highly recommends, it should include an experienced investigations attorney. What should you avoid? Several things, she cites, including retaliation, making the plan as you go along, letting supervisors or managers interview subordinates and not having insurance for when investigations happen. The rules are largely the same with parallel investigations, which are required pursuant to statutes that call for entities notified of an investigation by a governmental agency to conduct their own investigation. These absolutely must be done, or the organization may face sanctions. She highly recommends doing these investigations under attorney-client privilege. Listen in to learn more about what to do and what not to do in an investigation. Then, don’t miss her session at the 2024 Compliance Institute, March 18-20 in Nashville.
By Adam Turteltaub In 1984 I went to my friend Chris’s wedding, and one of the other groomsmen, Drew Neisser (LinkedIn), his then boss, talked me into pursuing a career in advertising. Just a few months shy of 40 years later, I caught a video on LinkedIn of him with chief marketing officers discussing the struggles of managing remote workers. It didn’t matter that these were marketing people, the problems sounded just like those we in compliance face. So, I asked Drew, who is the founder of CMO Huddles and the author of the book Renegade Marketing: 12 Steps to Building Unbeatable B2B Brands, to sit down and do a podcast on the topic. Drew points out that, despite workers being required to come into the office more often, there is still a cost to remote work. Churn is higher than before. Partners at law firms complain that their associates are years behind in their development, likely due to the inability to learn by osmosis. So what do we do? He recommends that we recognize the present reality and look to hire self-starters. People who need a great deal of hand holding will not work out in a world where their managers are miles, if not hundreds of miles, away. Second, make sure the team understands what the organization’s business is. Then, help them connect, intellectually and emotionally, with it. If they don’t, then it’s just another job to them. Incorporate virtual bonding activities, but also try to get the team together in person. That effort creates culture and connection. Looking outside your team, he recommends four tactics: Meet, ideally in person. Get to know your colleagues, and understand their business priorities. Focus on helping them solve their problems. Track all the people you want to meet and influence. Then, take active steps to connect with them and get to know them. Share something about yourself and encourage them to do the same. Get to know the person and stay in touch. For example, send them over articles you think they would find of interest based on what you learned about them. Join formal and informal work groups. If there is a team forming to tackle a problem, be a part of it. But also look to book groups and other less structured ways to connect. Throughout, he advises thinking of yourself as an impact player and a business leader. Finally, he advises understanding how people want to communicate these days, and meet them there. The era of relying solely on email is done, especially for the younger generation. Listen in for some very good insights for compliance officers from a career marketer.
By Adam Turteltaub Some people have a gift for invisibly attending a conference, and no one knows that they were even there. That’s great for a conference of spies, but most people at compliance conferences like to meet at least some of the other attendees. For many, though, connecting with strangers is difficult, whether they know no one or they are shy about going beyond their usual circle of contacts. So what do you do if you are one of them? To find out we spoke with Richard Bistrong (LinkedIn), newsletter author and CEO of Frontline Antibribery, who will be moderating a general session at the 2024 SCCE European Compliance & Ethics Institute in Amsterdam. If you spot someone standing alone and looking a bit lost, he recommends you think like a host and invite them to join you. Even if you’re already talking with friends, he advises being a croissant and not a bagel: be sure there is an opening for others. Make the effort to catch them up with the conversation – “we were just discussing helplines” – and ask them to share their thoughts. If you hesitate to join conversations because you don’t feel you are good at small talk, think of a few questions in advance to use as ice breakers. They don’t have to be traditional compliance-related questions. You could ask people about what excited them the most in the last year. Richard often uses Vertellis cards to start or help conversations. For those at the conference with a friend or colleague, use the other person as your wingman or wingwoman. Tell them who you are interested in meeting and have them serve as a second set of eyes and ears. Also, don’t forget about the SCCE & HCCA staff as a source of connection. See if they know someone it would be good for you to talk with. Listen in to learn more, including how to follow up properly after the conference is over. Then, be sure to say hello to Richard (and offer him a croissant) in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute, March 18-20.
By Adam Turteltaub Compliance programs have come far over the last few decades, but there is still more that they could do to elevate their performance. In this podcast, Alison Taylor, Clinical Associate Professor at NYU Stern School of Business and author of the book Higher Ground, shares some intriguing and provocative ideas for improvement. She is a strong believer in what she calls “firm foundations”. These foundations avoid having too many rules which can, inadvertently, have a negative impact, causing employees to abdicate responsibility for their actions and grow overly reliant on following rules. Instead, she argues for simplifying and being attuned to human behavior and the role of incentives. Be wary too, she advises, of mixed messages and potentially pernicious effects when it appears, whether true or not, that the rules for the rank and file do not apply to leadership. It degrades trust and the culture. To get more employees to speak up when they see wrongdoing, she advises investing the time in understanding why they don’t raise their hands more. When it comes to measuring the impact of the compliance program, she is a strong proponent of measuring the ethical culture. Do employees feel safe speaking up? Whom do they speak to when there is a problem? Do they believe the whistleblower line is truly anonymous? Is leadership looking out for them? The answers to these questions, and how they change over time, can illuminate how well the program is working. Listen in to gain more insights, including how to build a common ethical foundation and the importance of adequate authority for the compliance and ethics program.
By Adam Turteltaub Clara Becerra Campos, Senior Compliance Analyst-Europe for TD SYNNEX, and Dr. Tobias Kruis, Head of Corporate Compliance, Giesecke+Devrient, will be addressing the new EU whistleblowing requirements at the 2024 SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 18-20. In this podcast, they delve into the challenges posed by the directive, which significantly expands the number of EU-based and non-EU-based companies that must comply. The directive not only provides protections for whistleblowers, they explain. It also establishes procedures and deadlines for handling reports. As significantly, it leaves the door open to variations among EU member states, which complicates the picture considerably. So what should you do? If your organization does not have a whistleblower line already in place they recommend you: (1) implement an internal reporting channel; (2) be sure it’s aligned with legal and data privacy; (3) consider who will manage the system and conduct the investigations; (4) ensure confidentiality; and (5) communicate with your workforce. For those with a helpline already they recommend starting with a gap analysis to determine if your existing efforts are meeting the new requirements. Listen in to learn more, then join them in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute.