By J. Mark Farrar, MSJ, CPA, CFE, CFF and Kelsey Mullady, CFE
ESTABLISHING A FOUNDATION OF COMPLIANCE
Many companies start with the adoption of “The Seven Elements of an Effective Compliance Program” under the framework established by the Office of Inspector General (OIG) released in 2003. These principles have become generally accepted and adopted globally to help guide companies in day-to-day operations, while aligning with global laws, regional codes, and industry best practices.
The seven elements comprise:
Keep in mind, all policies and procedures should be written in a common language, not legalese, to make them easy to understand and follow. They also should be written in a digestible, easy-to-reference format to encourage people to read them.
Meanwhile, a compliance committee is ideally composed of cross-functional roles to promote buy-in and organizational alignment. The idea is that these department leaders will set a positive compliance tone at the top and cascade its importance through to their direct and dotted-line reports.
As part of the oversight rigor, a company’s board should regularly ask questions regarding three critical compliance areas: adequacy and effectiveness of the program, performance of the function, and ownership for compliance at all levels of management.
The starting point for a strong compliance program is the adoption of “The Seven Elements of an Effective Compliance Program” under the framework established by the Office of Inspector General (OIG) at Health and Human Services.
Building on these seven elements, the U.S. Department of Justice, Criminal Division, Fraud Section (herein “DOJ”) issued its industry-agnostic “Evaluation of Corporate Compliance Programs” guidance in 2017 and updated that guidance in April 2019. The DOJ guidance describes specific factors that prosecutors should consider when investigating a corporate entity, deciding whether to bring charges, and negotiating plea agreements or other enforcement actions (e.g., an appointed monitor). These factors include whether an organization had an effective compliance program in place and whether the organization took remedial actions to implement an effective compliance program or to improve an existing one. They provide an expanded perspective for companies trying to determine which areas of risk assessment to emphasize.
The updated DOJ guidance organizes its 11 elements around what prosecutors assess to determine the effectiveness of a compliance program and how that translates into penalties and fines. While DOJ’s guidance does not specify any industry, it has been widely accepted in the life sciences. The DOJ guidance and its 11 elements can be easily mapped to the OIG’s seven elements, with some overlap.
As a best practice, compliance officers who historically have been following the OIG’s guidance should review the DOJ’s and determine additional elements to incorporate to further minimize key risks. The DOJ provided many caveats when it released its guidance, but the framework makes sense and builds upon the OIG guidance to be more specific and targeted. Several of the noteworthy DOJ elements are defined expansions of the OIG’s elements. These include:
Because even the most effective compliance program cannot protect a company from all risks, it’s a best practice to conduct a risk assessment at least every other year to identify potential risks and determine the severity and likelihood of occurrence for each. A thorough risk assessment process also evaluates both the level of control that exists over business processes within an organization and the magnitude of impact the organization would face in the event of a compliance violation.
Organizations should gather information from all departments, not solely compliance. The more diverse the sources of information, the more accurate the view will be of the risk potential. Once potential risks are assessed and rated, then appropriate prioritization of remediation activities can take place. Risk assessments also drive the creation of the annual compliance auditing and monitoring plan.
Timeline for Effective Compliance
DOJ Guidance for Effective Compliance
CONSIDERING LEGAL MATTERS
Life sciences companies operating in the United States must comply with several federal and state laws, all of which aim to protect product safety and the integrity of business conducted with federal programs. Several of these federal laws include:
Beyond specific statutes, it’s helpful to evaluate enforcement trends, such as deferred prosecution agreements and corporate integrity agreements, for additional insight into the considerations being assessed as part of current enforcement actions. For example, the OIG increasingly leverages corporate integrity agreements (CIAs) as a mechanism to mandate the creation of effective compliance programs, which has amassed billions of dollars in fines from offending life sciences companies. The first CIA wave focused heavily on government pricing infractions, while the next emphasized off-label sales and marketing. The third wave, now in progress, spotlights patient support programs and third-party charity organizations in violation of the Anti-Kickback Statute.
Evolving Enforcement: The OIG leverages corporate integrity agreements as a mechanism to mandate the creation of effective compliance programs. The following are the three waves of this enforcement tactic.
In the near future, privacy issues will likely come to the forefront as the global landscape of technology continues to change what privacy is and should be to an individual. Last year, the European Union drew global attention when it adopted GDPR. With the EU now setting the global tone for privacy, many countries are looking to adopt their own version of privacy laws.
Meanwhile, in the U.S., the Constitution does not grant any inherent right to privacy, but precedent exists for it in case law, as well as industry-specific statutes, such as healthcare’s HIPAA.
MOVING COMPLIANCE FORWARD
The most effective compliance programs create a culture and understanding that compliance is everybody’s responsibility. While a company’s maturity will in part dictate its compliance needs, a rigorous compliance program should be built into a company’s framework early on and be amenable to shifting with business milestones and legislative requirements. No matter the size or stage of a company, the compliance officer and extended team should be well regarded as trusted business partners.
Keep in mind, building an effective compliance program takes time and should be planned within an appropriate and relevant time frame. Compliance departments need to be “rightsized” for the organization, and determining that size depends on the organization’s risk profile and tolerance. No company can completely eliminate compliance violations, no matter how much it invests. The key is to be smarter with your investment dollars: target risk, utilize data analytics and automation to streamline and optimize the program, and create a culture of compliance.
Different rules and regulations apply at different business stages for the organization. For instance, major milestones, such as NDA submission and FDA approval, trigger new compliance needs. Consider and discuss at the highest levels of the organization how to balance “having everything at once” vs. steadily building an appropriate and effective compliance program over time.
J. MARK FARRAR, MSJ, CPA, CFE, CFF, is a managing director and the global practice leader of the Life Sciences Governance, Risk Management and Compliance practice for Navigant.
KELSEY MULLADY, CFE, is a senior consultant within the Life Sciences Governance, Risk Management and Compliance practice for Navigant.