You have a compliance program — but is it effective?

Shannon Cox and Stephen Cummings

Retail pharmacy operations present significant regulatory risks. In particular, most pharmacies are enrolled as Medicare and Medicaid providers and are therefore subject to complex requirements governing the submission of claims to these government health care programs. Failure to comply with these requirements can result in civil monetary penalties and even exclusion from participation in federally funded health care programs. Issues relating to government health care program claims can also result in liability under the False Claims Act (FCA), which provides for potential criminal and civil liability and allows the recovery of damages of up to three times the amount of the claims at issue. The FCA also authorizes private plaintiffs, known as qui tam relators, to pursue claims on behalf of the government and incentivizes them to do so by allowing them to collect a portion of the proceeds.

To reduce these risks, many health care entities historically implemented voluntary compliance programs, and in 2010, the ACA made it mandatory for Medicare and Medicaid providers to have a formal compliance program in place to prevent, detect and correct violations of federal health care laws and regulations. As a result, virtually all providers now have a compliance program in place. However, the critical question is not whether a company has a compliance program, but whether its program is effective.

This is not an analysis that can be reduced to a checklist or a formula. Both the Department of Justice (DOJ) and the Office of the Inspector General (OIG) of the Department of Health and Human Services — which conducts the majority of health care fraud, waste and abuse investigations — have issued guidance regarding what is required for a compliance program to be effective. Here we’ve highlighted several key points from these guidance materials.

  • Your compliance program should be risk-based — An organization’s compliance program should be risk-based, meaning that compliance efforts and resources should be focused on the compliance and regulatory issues that pose the most risk to the organization. A compliance risk assessment is a formalized approach to identifying the potential risks an organization faces based on its operations, including the industry in which the company operates, the geographic scope of its operations and the applicable regulatory requirements. The risk assessment process should guide the development and evolution of the compliance program and its allocation of resources, so that the most significant resources are targeted at the most significant risk areas.

Importantly, what was an effective compliance program a year ago — and even what might be effective today — may not necessarily be an effective program tomorrow. An organization’s risk profile is not static and may change as a result of geographic growth or expansion of products and services. Therefore, an effective compliance program requires constant reevaluation and updating to ensure that it adequately addresses your company’s risks.

  • Policies and procedures can’t be boilerplate — In evaluating the design and implementation of a compliance program, both DOJ and OIG will review compliance policies and procedures to determine whether they are customized and tailored to address the specific risk areas identified by the company during its risk assessment process. Additionally, regulators will look beyond the four corners of the formal policy documents to determine whether the policies have been fully integrated into the ongoing operations of the company through internal control systems, SOPs and other guidance materials.

DOJ and OIG will also assess the steps taken by the company to ensure that the compliance policies and procedures it has established are accessible to and understood by employees.

  • Compliance training is not a one-time event — Many companies view compliance training as a once-a-year obligation that can be satisfied by having all employees complete a single compliance training module. However, particularly in larger, more diversified companies, compliance training should be tailored to the needs of employees in different roles, and supervisors, key control employees and employees in high-risk positions should receive additional training on specific topics.

In addition, annual compliance training should not be the only time that employees hear about the compliance program. Companies should communicate with employees on an ongoing basis to ensure that all employees understand the importance of compliance, receive relevant substantive updates as needed, and know where to direct questions and concerns. High-risk activities or evolving threats may warrant biannual or even quarterly training.

  • Your CCO needs authority, autonomy and resources — Effective implementation of a compliance program requires that the employees charged with its oversight have sufficient authority within the organization, the necessary resources (primarily staffing) and independent access to the board of directors. Each factor is evaluated in the context of the company’s size, overall corporate structure, and type of business operations.

OIG has historically taken the position that the compliance function generally should be separate from and independent of legal counsel. DOJ has indicated more flexibility with regard to how a compliance group is organized, but regardless, a company should be able to articulate the rationale for the way in which its compliance program is organized and should ensure that the compliance group is treated like other key strategic functions.

  • Employees need to trust your reporting and investigation processes — A well-designed and effective compliance program must have a mechanism that allows employees to report allegations of misconduct, including violations of legal requirements, the company’s code of conduct or company policy. The reporting process should be well publicized and accessible to all employees and should include confidential reporting options and protection for employees who submit complaints.

Corporate investigations are a critical component of a robust compliance program. DOJ and OIG will consider the steps the company has taken to ensure that allegations of misconduct are investigated in a manner that is independent, objective and appropriate.

  • Compliance starts at the top — A strong compliance program goes beyond objective factors like structure, policies and procedures. It is of critical importance that a company create a “culture” of ethics and compliance that permeates the organization.

Creating a culture of compliance requires a high-level commitment by senior corporate leadership. DOJ and OIG refer to this commitment as “tone at the top” and, when evaluating a compliance program, will evaluate the extent to which the board of directors and senior corporate executives have clearly articulated the company’s ethical standards; unambiguously conveyed the standards to employees and vendors; and demonstrated rigorous adherence to the standards in their own actions.

The culture also depends on the interactions between middle managers and employees, as middle management helps connect compliance to an employee’s daily responsibilities.

  • It’s not just your own compliance you need to be worried about — Recently, there has been growing scrutiny of a company’s use of vendors, consultants and third-party suppliers, including what diligence was performed before engaging these parties to ensure compliance with the company’s ethical standards. Simply ensuring that a vendor has received a copy of the company’s standards and code of conduct is no longer enough. Today, companies must actively review and supervise their third-party relationships to ensure compliance with all applicable policies, rules and regulations.

  • Incentivize compliance by rewarding it in compensation — Establishing positive incentives and including compliance as a metric for employee evaluation, compensation and promotion can be key drivers of compliance. In evaluating the effectiveness of a compliance program, both DOJ and OIG will look at a company’s compensation structure to determine whether there are incentives for compliance and disincentives for noncompliance.

  • Continuously improve your program through periodic testing and review — Effective compliance programs incorporate regular testing and review. Most often the review is performed by an in-house function such as internal audit, but depending on the severity of the risks, it may be appropriate to engage a third party to conduct periodic audits.

Findings that identify significant gaps in your company’s compliance controls should be addressed immediately, whereas lower-level issues may be addressed in the ordinary course of business. Your company should have a follow-up process to ensure that all audit findings have been appropriately addressed.

  • You need to get to the root of the problem — In evaluating the effectiveness of a compliance program, DOJ will assess whether the company conducts a root cause analysis when misconduct is identified to understand how the misconduct occurred and determine the appropriate response.

A root cause analysis should focus on identifying any systemic issues and evaluate whether existing policies and procedures should have prohibited the misconduct and whether there were prior indications regarding the misconduct in question, such as audit reports identifying relevant control failures or prior allegations, complaints or investigations. If so, the company should try to determine why the policies and procedures were not effective and why opportunities for earlier detection were missed.

A company should also be able to show timely and appropriate remediation to address the identified root causes, ensure that employees are held accountable for their actions and reduce the risk of future occurrences. This should include disciplinary actions where appropriate for those responsible for the misconduct, either through their direct participation or by failing to provide adequate supervision and oversight.

To have an effective compliance program, an organization must invest significant time and resources in designing and implementing a program that is tailored to its specific industry and risk profile and is fully integrated into all aspects of its operations. The program then requires ongoing attention to make sure that it continues to evolve to meet the organization’s needs. Although this requires a significant commitment, only a strong compliance program can protect your company from the complex regulatory risks associated with submitting claims for reimbursement to federal health care programs.

Shannon Cox and Stephen Cummings are attorneys at King & Spalding LLP. They can be contacted at and