New Charging Guidelines Underscore the Importance of Cooperation and Evidencing Program Effectiveness

By Cornelia M. Dorfschmid

Periodic, Independent Reviews, as well as Ongoing Auditing and Monitoring, are Essential.

On August 28, 2008, Deputy Attorney General Mark R. Filip announced the Department of Justice’s (DOJ’s) revision to its corporate charging guidelines for federal prosecutors, which apply to all business sectors including health care. The revised Principles of Federal Prosecution of Business Organizations, which govern how federal prosecutors investigate, charge, and prosecute corporate crimes, advance on the Thompson Memorandum (2003) and the McNulty Memorandum (2006). All of these guidance documents are of great interest to the health care industry, where an effective compliance program has become a critical factor in reducing exposure to fraud and abuse, as well as meeting the new challenges from the Centers for Medicare & Medicaid Services’ (CMS’) Medicare Integrity Program and Medicaid Integrity Program.

On Waiver of Attorney-Client Privilege and Work Product Protection

The revised August 2008 guidelines bring significant changes in the DOJ position on attorney-client privilege waivers as well as the key questions that prosecutors ask relating to the effectiveness of compliance programs. The nine Factors to Be Considered by a prosecutor as set forth in the original Thompson Memorandum remain intact. In the subsequent McNulty Memorandum, the DOJ reaffirmed these nine factors but amended the process for requesting waivers of privileges by organizations. In an attempt to address the mounting criticism that the Thompson Memorandum may have contributed too much pressure for organizations to waive privileges to gain credit for cooperation, the McNulty Memorandum describes a test with specific conditions and restrictions for when law enforcement’s needs for seeking a waiver would be appropriate.

The August 2008 revision has eased this position by noting that credit for cooperation will not depend on the organization’s waiver of attorney-client privilege or work product protection but rather on the disclosure of relevant facts. Organizations that disclose relevant facts may receive due credit for cooperation, regardless of whether they waive attorney-client privilege or work product protection in the process.

Corporations that do not disclose relevant facts typically may not receive such credit, like any other defendant. While the prior guidance had allowed federal prosecutors to request, under special conditions, the disclosure of nonfactual attorney-client privileged communications and work product, the new guidance forbids it, with two exceptions well established in existing law.

On Effective Compliance Programs

There are some interesting nuances in the clarification in the Factors to Be Considered and other principles. For example, the fifth factor now looks for “the existence and effectiveness of the corporation’s preexisting compliance program,” where the term “adequacy” used previously has been replaced with “effectiveness.” This terminology is more in line with the Office of Inspector General (OIG) compliance program guidance that underscores the importance of evidencing effectiveness. This modification also suggests raised expectations for such evidencing.

In the principle on Corporate Compliance Programs, the DOJ reemphasizes that it has no formulaic requirements. It provides, however, for three, instead of previously only two, fundamental questions that any prosecutor would ask:

• Is the corporation’s compliance program well designed?
• Is the program being applied earnestly and in good faith? (new)
• Does the corporation’s compliance program work?

Furthermore, prosecutors should attempt to determine whether a compliance program is not merely a “paper program” and whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner. Prosecutors are also expected to determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the organization’s compliance efforts. This added emphasis on compliance program “reviews and revisions” is in line with the OIG compliance program guidance relating to “ongoing auditing and monitoring.” It also supports the health care industry’s experience that even good compliance programs can go bad, in spite of the best intentions.

It is expected that compliance programs undergo change, adaptation, and scrutiny, including regular effectiveness reviews. Periodic external or independent reviews of the compliance program become a very important defense measure. Results of such reviews should be evidenced to senior management and the board.

Prosecutors’ determination of the sufficiency of audit and analysis staff is not a new element of the principles, but is very interesting in the context of the April 2008 OIG Open Letter to Health Care Providers that encourages full self disclosures and describes how entities may avoid a corporate integrity agreement (CIA) or certification of compliance agreement (CCA) by doing so. One of the key steps outlined in the letter is being able to complete an investigation following the self-disclosure protocol (SDP) and determine damage assessments/overpayments within three months of acceptance into the SDP.

This aggressive timeline and requirement may be a good test question for any compliance officer to ask. An answer would go far with respect to assessing how ready his or her team would be, if violations were discovered and had to be disclosed. Could damages be audited and estimated following the aggressive timelines, stringent statistical procedures, and audit requirements?

Finally, since the Thompson Memorandum, prosecutors have been asking whether a corporation’s compliance program is well designed. This remains as a key factor for prosecutors. Most health care entities have had compliance programs in place for up to 10 years. The intended or needed scope and infrastructure, however, may not be responsive to the current regulatory and enforcement environment. The auditing and monitoring needs and required skill sets may have outgrown the resources or stated mission of the compliance office. Furthermore, compliance officers come from very diverse backgrounds and may not always be accustomed to operating program offices with full-fledged project management principles and procedures.

Conducting Annual Effectiveness Reviews

What should health care organizations do in response to this heightened DOJ interest in evidencing an effective compliance program? The answer is engaging in two different types of reviews.

First, a periodic independent audit or evaluation of the compliance program’s effectiveness is critical. This cannot be done credibly by the compliance officer who would be evaluating his or her own performance. Having independent experts with “fresh eyes” will help identify opportunities for compliance program improvement and ensure adaptation to the ever-changing and demanding regulatory and enforcement environment. It also will promote the program’s alignment with other functions such as internal audit, quality and risk management, human resources, and legal and regulatory affairs.

The OIG emphasizes the importance of regular reviews of this type and recommended in the OIG Supplemental Compliance Program Guidance for Hospitals (2005) that effectiveness “reviews should be conducted at least annually and should include an assessment of each of the basic elements individually, as well as the overall success of the program.” As compliance officers prepare their annual work plans and monitoring strategies, they may want to consider these subtle changes in the DOJ guidance for prosecutors and include solid annual effectiveness reviews, including reporting of results to their boards.

Secondly, even more important, is the type of ongoing auditing and monitoring called for by the OIG that relates to the provider’s core business and operations. The OIG has stressed the particular importance of focusing on provider high-risk areas (i.e., billing and coding, the Emergency Medical Treatment and Active Labor Act (EMTALA), conflicts of interest, et cetera). These risk area reviews should involve the compliance office in that it would be reviewing operational risk areas not under its control. The compliance officer should have a work plan that continually audits and monitors risk areas that give rise to legal and regulatory liability and reports results and proposed corrective actions to senior management and the board of directors.

Cornelia M. Dorfschmid, PhD, is executive vice president of Strategic Management, where she provides senior level advisory services in corporate compliance. She has extensive experience in both assisting compliance programs and as compliance officer. For more information, contact her at 703/683-9600, ext. 419 or cdorfschmid@strategicm.com.

References:

1. DOJ August 28, 2008 press release, www.usdoj.gov/opa/pr/2008/August/08-odag-757.html.
2. DOJ August 2008 Corporate Charging Guidelines for Prosecuting Corporate Fraud, www.usdoj.gov/opa/documents/corp-charging-guidelines.pdf.
3. DOJ McNulty Memorandum (2006), www.usdoj.gov/dag/speeches/2006/mcnulty_memo.pdf.
4. DOJ Thompson Memorandum (2003), www.usdoj.gov/dag/cftf/corporate_guidelines.htm.
5. HHS OIG Open Letter to Health Care Providers, April 15 2008, oig.hhs.gov/fraud/docs/openletters/OpenLetter4-15-08.pdf.
6. OIG Compliance Program Guidance for Hospitals (1998), oig.hhs.gov/authorities/docs/cpghosp.pdf.
7. HHS OIG Supplemental Compliance Program Guidance for Hospitals (2005), oig.hhs.gov/fraud/docs/complianceguidance/012705HospSupplementalGuidance.pdf.