DOJ’s corporate compliance program evaluation gets a facelift

Nearly a year ago, HHS-OIG published is revised Guidance and emphasized the statutory “7 Elements of a Successful Compliance Program.” These include the following:

1. Written policies and procedures
2. Compliance leadership and oversight
3. Training and education
4. Effective lines of communication with the compliance officer and disclosure program
5. Enforcing standards: consequences and incentives
6. Risk assessment, auditing, and monitoring
7. Responding to detected offenses and developing corrective action initiatives

As any white-collar defense counsel knows, an effective compliance program can and does mitigate liability – both with voluntary disclosures and False Claims Act (FCA) liability.

In September 2024, the U.S. Department of Justice (DOJ) published a revised version of its “Evaluation of a Corporate Compliance Program” which is utilized in criminal and civil matters, including FCA cases. The document describes factors that federal prosecutors should take into account when determining cooperation credit – both for companies and individuals. Specifically, to determine the “appropriate (1) form of any resolution or prosecution; (2) monetary penalties; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).” To ascertain answers, prosecutors ask fundamental questions including is the compliance program well designed and implemented in good faith? Other factors taken into account are what HHS-OIG also stated above.

A couple of notable additions stood out, which begin at the bottom of page 3 – Management of Emerging Risks to Ensure Compliance with Applicable Law. Here is a sample of the questions posed:

• Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies?
• How does the company assess the potential impact of new technologies, such as artificial intelligence (AI), on its ability to comply with criminal laws?
• Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies?

Prudent questions to ask within a compliance department regarding HIPAA, HITECH and other related cyber compliance requirements. In sum, both documents provide an excellent roadmap and refer to other sources, including laws and regulations. By reviewing and incorporating these items in a comprehensive and good faith way, companies are better positioned in the long-run to avoid liability.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.