Health Care Companies Can Mitigate Risks by Ensuring Compliance Effectiveness Based on Recent Department of Justice Criminal Enforcement Guidance

Just over a year ago, the DOJ announced its intention to strengthen corporate criminal enforcement policies and practices related to individual accountability, the treatment of prior misconduct, and the use of corporate monitors. It simultaneously established the Corporate Crime Advisory Group (CCAG) for the purpose of evaluating and enhancing DOJ's approach to corporate criminal enforcement. The CCAG's review and input over the last year has resulted in these most recent revisions by the DOJ to its criminal enforcement policies and practices, which in some instances establish department-wide policies for the first time.

Key Revisions

The revised enforcement guidance focuses on the following three (3) key areas: (1) individual accountability for corporate criminal activity; (2) corporate accountability for criminal activity; and (iii) appropriate utilization of oversight monitors related to enforcement actions.

I. Guidance on Individual Accountability

The Monaco Memo reiterates DOJ's prior policy statements that its first priority in corporate criminal matters is to hold the individuals who commit and profit from corporate criminal activity accountable for their actions. In an effort to achieve this enforcement priority, the DOJ's policy has historically only allowed corporations to be eligible for cooperation credit if they disclose all relevant, non-privileged facts about individual misconduct. To strengthen this focus on individual accountability, the Monaco Memo establishes that cooperation credit can only be received if the corporation timely produces all such information – i.e., without "undue or intentional delay." Without providing specific details, the DOJ stated that the production of information about individual misconduct must be produced "such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals."

DOJ prosecutors have now been instructed to specifically assess whether the corporation promptly notified them of relevant information related to individual misconduct and to reduce or eliminate cooperation credit if they did not do so.

II. Guidance on Corporate Accountability

The Monaco Memo provides further clarification and guidance to prosecutors on the factors to be considered in resolving corporate criminal investigations requiring prosecutors to consider a company's history of misconduct, use of opportunity to self-disclose, degree of corporate cooperation, and effectiveness of its compliance program.

A. History of Misconduct

DOJ instructs prosecutors that prior criminal resolutions entered into more than ten (10) years before the conduct under investigation, and civil or regulatory resolutions finalized more than five (5) years before the current investigation, generally should be afforded less weight than more recent enforcement activity. Its rationale for this position is that older misconduct may generally be less indicative of the entity's current compliance culture, compliance programs, and risk tolerance.

In assessing criminal accountability, prosecutors also are instructed to consider the entity's industry and whether any prior misconduct involved common management or compliance programs, which signals a tougher approach by the DOJ against recidivism. In highly regulated industries like heath care, a company's compliance should be compared to other similarly situated companies in the same industry. With regard to investigations of companies with records of prior misconduct that have been acquired or that have new management or compliance resources, less weight should be given to any prior misconduct if prosecutors determine that the acquired entity has been integrated into an effective, well-designed compliance program; the acquiring entity demonstrates it addressed the root cause of the prior misconduct currently being investigated; and the acquiring entity completely and timely remediated the misconduct before the conduct currently under investigation occurred.

In addition, in determining corporate criminal eligibility in light of its history of compliance, prosecutors are to evaluate whether prior misconduct and the current conduct being investigated occurred under the same management or executive team. The DOJ believes that involvement of the same personnel – at any level – in prior misconduct, coupled with a current investigation, may reflect a weak compliance culture and a lack of compliance discipline.

B. Voluntary Self-Disclosure

Health care companies are familiar with voluntary self-disclosure of individual misconduct through the CMS Self-Referral Disclosure Protocol (SRDP) and the Office of the Inspector General's (OIG's) Health Care Fraud Self-Disclosure Protocol. The Monaco Memo provides additional advantages to self-disclosure in the context of criminal investigation by requiring each DOJ component to develop written policies that encourage self-disclosures. Each such policy must expressly state the benefits that corporations can expect to receive if they comply with the voluntary self-disclosure protocol.

While each DOJ component may establish different procedures and benefits, all DOJ component self-disclosure protocols must adhere to these care principles: (i) without aggravating factors, the DOJ will not seek a guilty plea if a corporation voluntarily disclosed criminal misconduct, fully cooperated in the investigation, and timely and appropriately remediated the misconduct; and (ii) the DOJ will typically not require independent compliance monitors for a corporation that voluntarily self-discloses the relevant conduct if, at the time of resolution, such corporation can demonstrate that it has implemented and tested an effective compliance program.

C. Evaluation of Corporate Cooperation

Providing credit for "full and effective" cooperation and using it as a mitigating factor in criminal enforcement activity is embedded in DOJ policy. The level of a corporation's cooperation with an investigation can affect the form of the resolution, applicable fine range, and undertakings involved in the resolution.

A critical element of determining cooperation is an evaluation of whether a corporation timely preserves, collects, and discloses relevant documents to prosecutors. Recognizing that the disclosure of documents may implicate U.S. and foreign privacy laws or other data disclosure restrictions, the Monaco Memo establishes that prosecutors will provide credit to corporations that are able to navigate such privacy disclosure laws effectively. Conversely, corporations that attempt to use these laws to limit or restrict disclosure of information will be subject to an adverse inference if they fail to produce the protected materials. The corporation bears the burden of establishing the existence of a restriction on its ability to disclose information.

D. Evaluation of Compliance Program

The DOJ has always considered presence of an effective compliance program and a corporation's demonstration of a commitment to a strong compliance culture as important factors in resolving criminal investigations. Prior DOJ guidance identified several compliance components to be used for evaluating a corporation's compliance program, including how: (i) corporations measure and identify risk; (ii) they monitor payment and vendor systems for suspicious transactions; (iii) they make disciplinary decisions related to non-compliance; and (iv) senior leaders encouraged or discouraged compliance. The most recent guidance adds two (2) components for prosecutors to evaluate: (i) a corporation's compensation structure; and (ii) a corporation's policy and practices related to the use of personal devices and third-party applications.

The DOJ's position is that corporations can use compensation systems to help deter risky behavior and criminal activity, and to motivate compliant behavior. The Monaco Memo instructs prosecutors to consider how a corporation's compensation system has been used to create a culture of ethical and compliant behavior. To do so, prosecutors should consider whether a compensation system allows for financial penalties against current or former employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal misconduct as part of an overall assessment of a corporation's compliance program. Favorable components of such a compensation system include opportunities for retroactive discipline, such as use of clawback measures or partial escrowing of compensation.

An effective compliance program may also include compensation systems that reward executives and employees who promote compliance. Such programs may include the use of compliance metrics and benchmarks in compensation decisions and the use of performance reviews to measure and reward compliance-promoting behaviors.

In addition, the DOJ directs prosecutors to consider whether a corporation uses non-disclosure or non-disparagement provisions in employment contracts, severance agreements, or other financial arrangements in an effort to restrict the disclosure of criminal misconduct in evaluating the effectiveness of compliance programs.

In evaluating compliance program effectiveness, the DOJ reviews whether corporations implement policies and procedures to ensure that the use of personal devices and third-party messaging platforms preserves business-related data and communications. Components of those policies and procedures may include evidence of employee training on such policies, enforcement activity related to policy violations, and practices that allow for the collection and disclosure of non-privileged responsive documents and communications via text messaging, emails, chats, phones, tablets, or other devices used for business purposes.

III. Use of Independent Monitors

DOJ uses independent compliance monitors to reduce the risk of continued corporate misconduct and ensure that compliance failures are corrected. While prosecutors have discretion to impose monitors on a case-by-case basis, the Monaco Memo provides a list of non-exhaustive factors for consideration in imposing a monitor, including whether:

• The misconduct was self-disclosed;
• The corporation has implemented an effective compliance program at the time of resolution;
• The corporation's compliance program has been adequately tested at the time of resolution;
• The underlying misconduct was long-lasting or pervasive across the organization, or was approved, facilitated, or ignored by senior management, executives, or directors;
• The underlying misconduct involved the exploitation of an inadequate compliance program;
• The underlying misconduct involved active participation of compliance personnel or the failure of compliance personnel to appropriately escalate or respond to red flags;
• The corporation adequately investigated or remediated the misconduct;
• The corporation's risk profile is substantially changed for the likelihood of recurrence to be minimal or non-existent at the time of resolution;
• The corporation faces unique risks or compliance challenges with respect to its business; and
• To what extent the corporation is subject to oversight from industry regulators or monitors imposed by other enforcement authorities.

What Health Care Companies Should Do Now

There appears to be no slowdown of federal enforcement activity in the health care sector in the foreseeable future. Therefore, the DOJ's guidance to prosecutors is especially relevant to this industry and provides useful insights on ways to mitigate risks in the event of criminal enforcement activity.

As a threshold matter, the Monaco Memo reiterates the critical importance of an effective corporate compliance program. Effective compliance programs must be far more than a collection of well-drafted policies and procedures; instead, they must permeate throughout the corporation's business operations and culture. The DOJ clearly states that it will evaluate a corporation's compliance program in resolving criminal investigations, including determining whether or not to impose a monitor. Health care companies are well-advised to routinely evaluate the effectiveness of their compliance programs so that they can identify any areas of weakness and take remedial actions before their programs become subject to scrutiny by the DOJ or any other enforcement authority.

The Monaco Memo also provides useful insights to health care companies on existing policies that should be reviewed, and possibly revised, to better align with this current enforcement guidance. Such policies include a review of compensation systems to promote compliance, use of non-disclosure and non-disparagement agreements that do not restrict disclosures of criminal misconduct, and policies related to personal devices and third-party applications used for business purposes.

Health care companies also should remain fully apprised of best practices for compliance within their industry sector to ensure that their compliance efforts are not deemed to fall short when compared to similarly situated companies in their sector.

Finally, in the event of a criminal investigation, health care companies must be prepared to act quickly and diligently to identify and disclose information about individual misconduct in an effort to cooperate with the DOJ and potentially achieve more favorable resolutions.

While the Monaco Memo is an internal DOJ document intended to provide guidance to DOJ components and prosecutors, it also provides helpful insights to corporations that will help improve the effectiveness of corporate compliance efforts and overall business operations. If you have any questions, please contact one of the authors, or any member of our Health Law department, for assistance.