Compliance Perspectives

By Adam Turteltaub Integrity is like peace, love and brotherhood. We’re all for it, but when it comes to practicing it, that’s when the challenges start. Paul Fiorelli hopes to change that. The Director, Cintas Institute for Business Ethics at Xavier University has just written a new book: Establishing Workplace Integrity. In it, Paul addresses six lessons in values-based leadership. To benefit from some of his long-established and well-recognized expertise we asked him to join us for this podcast. He discusses the importance, of values-based leadership. He also cites six factors that lead people into unethical or non-compliant behavior: Pressure to perform Going down a slippery slope Rationalization Groupthink Altruism (violating the law to help the company) Greed One or several of them are at play when wrongdoing occurs. So what makes for success and helps to prevent wrongdoing? He makes an argument for SMART goals: specific, measurable, attainable, relevant and time-based. Listen in to learn more about values-based leadership and promoting a workplace of integrity.

By Adam Turteltaub What makes for an effective compliance program, not just from a legal perspective but from a practical one? Getting that answer, and sharing it is the focus of the LRN 2024 Ethics & Compliance Program Effectiveness Report To learn what it contains we sat down with Meredith Hunt (LinkedIn), Ethics and Compliance Specialist at LRN. In this podcast she shared that more effective programs are focused on values rather than rules, and underscore the importance of ethical culture. They are also taking a risk-based approach. Their research also revealed the importance of adapting to the current business environment. With employees working remotely has come a change in how they gather information. The code of conduct, policies and procedures have to be accessible wherever workers are. Within the compliance program’s internal operations, effective programs, they report, are focusing more on data and metrics, looking for the data that show where the program is and isn’t working, and enabling continuous improvement. Listen in to learn more about how to create a more effective compliance program in your organization.

By Adam Turteltaub The 340B Drug Pricing Program was created to protect safety net hospitals from rising drug prices. It allows them to purchase outpatient drugs, and pharma companies to sell those drugs, at a discount. In this podcast, Jason Reddish (LinkedIn), Principal and Mark Ogunsusi (LinkedIn), Associate, at Powers Pyles Sutter & Verville provide an overview of the program and the compliance requirements. They are also two of the authors of the chapter “Pharmacy: 340B Drug Pricing Program” in the Complete Healthcare Compliance Manual. The 340B program helps hospitals that are the last line of defense for underserved communities, including those with a large percentage of Medicaid patients. Often, they are the only hospital around in rural areas. Also helped by the program are federal grantees such as Ryan White clinics and those providing treatment for STDs. The program dictates which entities can buy discounted drugs and have very specific requirements including two very important ones. First, the drugs cannot be resold or transferred to anyone who is not a patient of the covered entity. Second, double billing of Medicaid is prohibited and must be monitored for. There are a number of typical compliance problem areas, but the good news is that there has been a decline in non-compliance. Listen in to learn more about what covered entities are doing right, and what you should be on the lookout for.

By Adam Turteltaub Currently on hold due to pending court challenges, the SEC’s rules to standardize climate-related disclosures created a fire storm of controversy and comments when first proposed. The final rules (assuming the courts sides with the SEC), explains Laura Ann Smith and Judy Mayo of the communications firm Labrador (LinkedIn), reflected strong industry pushback, easing the burden on some 4000 filers. Nonetheless, there are serious demands on industry. To quote from the SEC press release, registrants will be required to disclose: Climate-related risks that have had or are reasonably likely to have a material impact on the registrant’s business strategy, results of operations, or financial condition; The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook; If, as part of its strategy, a registrant has undertaken activities to mitigate or adapt to a material climate-related risk, a quantitative and qualitative description of material expenditures incurred and material impacts on financial estimates and assumptions that directly result from such mitigation or adaptation activities; Specified disclosures regarding a registrant’s activities, if any, to mitigate or adapt to a material climate-related risk including the use, if any, of transition plans, scenario analysis, or internal carbon prices; Any oversight by the board of directors of climate-related risks and any role by management in assessing and managing the registrant’s material climate-related risks; Any processes the registrant has for identifying, assessing, and managing material climate-related risks and, if the registrant is managing those risks, whether and how any such processes are integrated into the registrant’s overall risk management system or processes; Information about a registrant’s climate-related targets or goals, if any, that have materially affected or are reasonably likely to materially affect the registrant’s business, results of operations, or financial condition. Disclosures would include material expenditures and material impacts on financial estimates and assumptions as a direct result of the target or goal or actions taken to make progress toward meeting such target or goal; For large accelerated filers (LAFs) and accelerated filers (AFs) that are not otherwise exempted, information about material Scope 1 emissions and/or Scope 2 emissions; For those required to disclose Scope 1 and/or Scope 2 emissions, an assurance report at the limited assurance level, which, for an LAF, following an additional transition period, will be at the reasonable assurance level; The capitalized costs, expenditures expensed, charges, and losses incurred as a result of severe weather events and other natural conditions, such as hurricanes, tornadoes, flooding, drought, wildfires, extreme temperatures, and sea level rise, subject to applicable one percent and de minimis disclosure thresholds, disclosed in a note to the financial statements; The capitalized costs, expenditures expensed, and losses related to carbon offsets and renewable energy credits or certificates (RECs) if used as a material component of a registrant’s plans to achieve its disclosed climate-related targets or goals, disclosed in a note to the financial statements; and If the estimates and assumptions a registrant uses to produce the financial statements were materially impacted by risks and uncertainties associated with severe weather events and other natural conditions or any disclosed climate-related targets or transition plans, a qualitative description of how the development of such estimates and assumptions was impacted, disclosed in a note to the financial statements. Even with all these requirements, Smith and Mayo recommend that companies realize that this is just a baseline. For those with operations in Europe there are requirements to meet as...

By Adam Turteltaub It used to be that tracking email usage was considered tough. These days the workforce is also communicating via text, WeChat, Slack and countless other channels both internally and externally. That can be a total nightmare since prosecutors want access to all those conversations. What makes things harder is that employees may be resistant, feeling that the communications they have on their phone, especially in organizations with a Bring Your Own Device (BYOD) policy, is private. The employee owns the phone, not the company. Eddie Green (LinkedIn), CEO of SnippetSentry advises companies get their heads around this problem. Digital compliance is broadening out from the investment community to pharma and elsewhere. To manage the issue, some companies are now scrapping BYOD policies and making it clear that all work communications need to go on work-owned devices. They are also looking for solutions which enable employees to communicate in familiar ways, but with the tracking that logs all those communications. Listen in to understand the challenge and how to approach it more effectively.

By Adam Turteltaub In January 2024 the US Attorney’s Office for the Southern District of New York (SDNY) set a shockwave through the business world by announcing a new whistleblower pilot program. To understand what the policy says and what it likely means for compliance programs, we spoke with Todd Haugh (LinkedIn), Associate Professor of Business Law and Ethics, Arthur M. Weimer Faculty Fellow in Business Law at the Kelley School of Business at Indiana University. Under the policy, he explains, individuals who have participated in a fraud may be eligible for a non-prosecution agreement, if the individual meets three key criteria: They provide information that is not previously known to prosecutors and is produced voluntarily, not subsequent, say, to an arrest. The information is full, substantial and truthful. The individual is not otherwise disqualified, such as serving as a government official or the CEO or CFO of the company. Given the incentives already in place for companies to self-report wrongdoing, this is in many ways an extension of what already exists. However, it’s impact should not be underplayed. The SDNY is a leader in white collar prosecutions and other US Attorney’s offices are likely to follow suit. At least one already has. Second, while the SEC has encouraged whistleblowing at publicly traded policies, the SDNY policy is open to public, private and even non-profit organizations. The new policy also may create situations in which employees and their employers find themselves in a race to disclose first. This, in turn, means that organizations need to significantly increase their efforts to create a culture that encourages internal whistleblowing. That includes creating easy paths to follow for potential whistleblowers and prompt investigations. Listen in to learn more about the policy and how your compliance program may need to evolve as a result of it.

By Adam Turteltaub In late 2023, The Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues in healthcare and patient safety. It also reflects the OIG’s efforts to ensure effective compliance program in new entrants into healthcare, such as private equity and technology firms. Both may well discover that practices that are permissible elsewhere are not in healthcare. The guidance also encourages incentivizing compliance. Another gem in the guidance is the clear message to carefully scrutinize arrangements with third parties. Due diligence at the outset is important, but it is also necessary on an ongoing basis to determine if the relationship is necessary and the price tag is fair market value. Listen in to learn more, and be sure to check out the General Compliance Program Guidance.

By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things: Adopt a problem-solving approach Tailor your efforts to the most pressing issues Timing: anticipate what the business needs to move forward Listen in to learn more and gain other tips for fully embedding compliance into the business process.

By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches have soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosystem is sustained with active partnership and representation between critical and significant technology partners and suppliers, including non-traditional health and life science entities” It sets four objectives under that goal: Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks Listen in to learn more about the document, the council and how the healthcare sector is working together to stem cyberthreats.

By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very bad idea. Another bad idea: assuming your people are not a risk area. They are. Be sure to be sensitive to internal risks. Train the workforce and work with the finance team to help them serve as an extra sets of eyes when it comes to spotting misconduct. Above all, stay alert and be prepared to investigate possible incidents. Prosecutors still expect companies to bear the brunt of the investigative burden.