Compliance Perspectives

By Adam Turteltaub Our colleagues expect to be treated like adults, and that should include the compliance training we assign them. CJ Wolf, a professor at Brigham Young University-Idaho and founder of Codermedschool.com, explains we need to embrace adult learning theory, which recognizes that adults learn differently than children. Making mistakes, for example, is particularly powerful. Good compliance training, consequently, should be less about telling them what they need to know and more about providing them with an opportunity to work through scenarios and make their errors in a safe classroom setting rather than out in the real world. He shares a host of similar good advice in this podcast and in the SCCE Creating Effective Compliance Training Workshop. Click below to hear other do’s and don’ts to make your training more relevant: * Do assess the effectiveness of the training. Be sure to include testing. * Don’t assess the effectiveness just once. See what employees remember several months later. * Don’t overload new employees on the first day. A lot of departments are throwing information at them.  Be judicious in terms of what you expect them to tackle right away, and what can wait until later. * Do have a training plan based on your organization’s risk. * Don’t give everyone the same training. Tailor based on their needs. Want to know more? Think about joining him for the Creating Effective Compliance Training Workshop.

By Adam Turteltaub Contract lifecycle management has grown to be an increasingly critical issue for healthcare providers. Staffing issues, shrinking margins and changing regulatory requirements are all adding to the challenge, report David Paschall, CEO, and Stephanie Haywood, SVP of Sales and Client Engagement at Ntracts. Pursuing a contract lifecycle management strategy, they report, can help alleviate these issues by reducing the number of days a contract spends being reviewed, increase transparency and help the organization adopt standardized language and processes to ensure greater adherence to internal policies. It can also reduce the number of contracts that get auto renewed by mistake, are not renewed when they should be or overlap needlessly with other agreements. Listen in to learn more about how adopting a contract lifecycle management strategy can bring greater efficiency and a host of other benefits to your organization.

By Adam Turteltaub For years Caremark has set the standard for expectations for board members. The notable Delaware case made clear that boards should exercise reasonable care in overseeing an organization. In practice that includes obtaining information about the organization’s compliance efforts and responding when signs of potential violations are found. As Jay Cohen, of counsel at the law firm Giordano, Halleran & Ciesla, PC explains, now a new decision (In re McDonald’s Corporation Stockholder Derivative Litigation) extends that same duty of oversight to corporate officers within their area of expertise. This significantly raises the bar for executives when it comes to ensuring the organization is operating in a compliant manner. Perhaps even more significantly, only two executives at a corporation – the CEO and Chief Compliance Officer – are expected to exercise oversight throughout the entire organization. This, he argues, has the impact of increasing both the scope and importance of the compliance role within the organization. So, what should organizations and their compliance teams do in the wake of this decision?  Jay recommends that organizations raise the stature of the compliance team. Second, look at recruiting individuals for compliance who have a history in leadership to match the role. Third, build the compliance program around impact, not just activity. Listen in to learn more about what the McDonald’s decision says, and what it means for your compliance program.

By Adam Turteltaub You really should listen to this podcast. That’s my advice. If you do you’ll hear Scott Garland, Managing Director, Sanctions, Cyber, Fraud and Ethics Compliance & Monitoring at Affiliated Monitors give better advice on giving advice. He begins by advising a bit of humility: remember that having a quick and ready answer is not always best. You are likely the newest person to learn about the problem and least familiar with it. As a result, you need to take the time to learn and determine not just what the immediate problem is but also what the situation as a whole is. Don’t be afraid to ask others to slow down to ensure you understand things completely. Then, make sure you get the facts and context right. Be sure, too, to identify assumptions being made by the advice seekers to ensure that they are correct. They may not be. Once you have that information and the goal that the advice seekers have in mind, as well as what they see as the ideal outcome, then it is time to give advice. When you do, give them, he advises, a recipe and not a treatise on cooking. They don’t need to know the long history of the rules and the many exceptions. Instead focus on bite-sized information that they can use and share with others. The BLUF approach can be very effective: Bottom Line Up Front. By summarizing the issues succinctly at the top, you are more likely to reach people who are far more focused on the advice than the reason behind it. Listen in to learn more about how to give advice wisely, the importance of documentation and the role of empathy, and if you’re in SCCE member, read two articles on the topic by Scott on COSMOS.  

By Adam Turteltaub Jay Mumford is a long-time compliance veteran and Senior Global Compliance Manager at Bio-Rad Laboratories. There he developed an approach he calls MTR, which stands for Metrics, Targets and Response Plans. It’s an approach, he explains, based on ideas from the quality movement. At its heart, MTR recognizes that whatever the compliance process may be, there is a need to manage at scale. To do so, you need standards and measurements, targets, and response plans in case you miss those targets. An MTR approach, because it is disciplined and focused on goals, helps avoid a whack-a-mole approach to compliance. It enables building your program in repeatable ways, whether that’s training or, as was the case for him with document retention, ensuring that all the documents are both accounted for an not retained unnecessarily. In this podcast he explains how MTR has worked in practice and the technology tools available to compliance teams, typically at no cost, to help them take an MTR approach. These include the Power Platform embedded in Microsoft’s Enterprise platform and Visual Basic for Applications in Excel. Listen in to learn about how you can put MTR to work for your compliance program.

By Adam Turteltaub Over the last decade private equity has discovered healthcare, and with that discovery has come a rush of money and compliance nightmares.  Valerie Rock (LinkedIn), Principal, and Kristen Lilly-Davidson (LinkedIn), Consulting Senior Manager, at PYA explain that there has also come a growing awareness of the importance of compliance due diligence. Five to seven years ago, they explain, private equity (PE) firms were focused on business valuations and financial reviews.  Over the years, though, they have learned to appreciate the importance of compliance and coding reviews, including clinical compliance.  The shift was the result of too many instances of finding significant non-compliance issues post-acquisition.  These, of course, can be very expensive. Firms today need to take the time to do site reviews to examine everything from the culture to the business practices to the condition of the building to the devices used.  Often paperwork doesn’t match what actual practices are, and a dysfunctional culture can’t be identified by looking at a spreadsheet. Risks include the revenue cycle but also operational processes.  If they are poor, the potential for fines and other penalties is substantial. Listen in to learn more about what PE firms are, or should be, doing as they enter the healthcare market.  Plus, pick up some tips that can be useful for non-PE firms that are making acquisitions and conducting their own due diligence.

By Adam Turteltaub Non-compete agreements may soon be going the way of the dodo. The FTC just concluded its public comment period for its plan to eliminate them in most cases, and new rules are expected to be released later this year. Already, though, many states have restricted these agreements. In this podcast, and in his article in Compliance & Ethics Professional, John Gardiner of Bodman explains that the new FTC rule was designed to counter agreements that many felt were overly broad and restricted the ability of employees to find gainful employment elsewhere. The agreements also raised antitrust concerns since they could stifle competition; the FTC saw behavior among employers that appeared to them to keep employees from finding work elsewhere. The new rule could change that, greatly narrowing when a non-compete agreement could be enforced. It also means that non-disparagement and non-disclosure agreements that could have the same chilling effect on employment changes will likely fall on the wrong side of the line. So, assuming the rule goes into effect, what should compliance teams do? First, dust off existing agreements to determine how they measure up against the new rule and existing state laws. Second, be on the lookout for non-solicitation agreements and provisions requiring employees to reimburse their employer for training should they switch jobs. Third, make sure that the businesspeople understand what is and isn’t permissible. Finally, remember that this may be a moving target, especially if the courts start weighing in. Listen in to learn more about the changing and eroding ground under non-compete agreements.

By Adam Turteltaub The U.S. Department of Justice (DOJ) Criminal Division Evaluation of Corporate Compliance Programs document was updated in March 2023. Since then compliance teams and the broader compliance community have examined it closely, searching to better understand the government’s expectations. Gaurav Kapoor, co-CEO and co-founder of MetricStream, sees an overarching key message to the update: The DOJ expects organizations to have a well-designed compliance, ethics and risk program and, with it, the ability to closely evaluate and monitor its effectiveness. The bar has definitely been raised. So what should the compliance team do? First, to his reading, the DOJ is encouraging organizations to follow connected, holistic approaches to compliance programs. Second, how you train and communicate must be well organized and integrated into business processes. Third, third-party risk must be scrutinized and the interconnectedness with the business must be made more visible. As for boards, they need to understand that they must continue to play their role in the business and risk governance. They must also, though, act in overseeing the risk management and compliance programs and ensuring they are successful. To that end, boards need to ensure that these programs are sufficiently funded and led, understand where compliance reports and remove any conflicts of interest. Listen in to learn more about these topics as well as adopting a compliance culture, looking beyond the guidance, and the proliferation of guidance documents that compliance teams need to navigate.

By Adam Turteltaub These days, the term “blockchain” is no longer novel. Yet, many still struggle to understand what exactly it is and what implications, if any, it may have for a compliance program. Segev Shani (LinkedIn), Chief Compliance & Regulatory Officer at Neopharm explains that it is more than the tool underlying cryptocurrency. Blockchain is a technology in which data is stored in blocks, and once that block is full, another one is formed, creating a chain. This data is not held in one place but is distributed on multiple servers, which ensures that it cannot be improperly manipulated. When it comes to privacy, though, there is a privacy-blockchain paradox. While the security of the data is protected via blockchain, the data, itself, cannot be deleted. So, should compliance teams simply say “no” to using blockchain with personal data? According to Segev, not necessarily. A growing number of tools have been developed to manage this issue, including the ability for a data subject to turn their data on or off, making it either public or private as they see fit. It’s an intriguing area, and well worth the time to listen in to learn more.

By Adam Turteltaub Ah, social media. The cause of so much joy and pain, both for individuals and organizations. For compliance teams it can be a breeding ground for breaches, particularly in healthcare where HIPAA violations and social media tend to go hand in hand. Pinnacle Healthcare Consulting’s Sheila Limmorth tackled the issue of social media and compliance in the latest edition of the Complete Healthcare Compliance Manual and does so in this podcast. Some issues, such as a worker posting a photo with a patient, persist. Often innocent, these breaches are nonetheless serious. It’s the reason why ongoing training is necessary. A new worker coming, for example, out of fast food probably is unaware of the restrictions of HIPAA. Even veteran staff may lose track of the rules, and the marketing team may not realize that the testimonial they want to run still requires a signed consent form from the patient. In addition, the rapid turnover in healthcare workers means that if you have training on an annual cycle, it’s highly likely that a significant portion of the workforce has not received the education it needs. To make that training effective, she recommends providing examples of how to use social media  properly, and ways that people may use it very improperly. Unfortunately, it’s not just accidental breaches and a lack of training you need to worry about. The website and the software on it are also important. She points to the Meta Pixel JavaScript Code that many hospitals were using and which allegedly could share the data with Meta, the parent of Facebook. As with other compliance risks, ongoing monitoring is essential for managing social media. Fortunately, there are providers of software that will scour the various platforms to look for posts and even identify material that was likely submitted by an employee. In addition, she advises encouraging employees to be on the lookout for and report material that shouldn’t be on the web. The goal of this vigilance shouldn’t be to catch and punish, but prevent, educate and avoid future social media disasters. Listen in and learn more in the Complete Healthcare Compliance Manual.

By Adam Turteltaub For all the talk of tone at the top, the reality is that few employees report to the top. Virtually all report to a manager somewhere in the middle, and it’s the tone that leader sets that is often most important. Susan Du Becker, Director Risk & Compliance at Microsoft believes that compliance teams need to focus on managing from the middle and getting this important level of the organization on board. So how do you get these managers to work with you? How do you earn their commitment to help, especially in risk areas like privacy and anticorruption? For her, it’s about being inventive and thinking about how you can get them to drive compliance rather than you. To do that, she looks for the key influencers who can serve as champions for the program. They can go upstream or downstream and will help carry the message. Gaining the support of these people requires some effort, she reports. You have to sell them on your vision and let them know that it is to their benefit to further it. If, for example, you can show the sales VP that getting expense reports right reduces the risk of an audit, keeps the salesforce out of trouble and increases the speed with which the team gets reimbursed, you have a supporter. Once you have middle managers on board, make their life as easy as possible. Take away the pain, and give them the tools, templates and PowerPoints they need to put the policy into practice. What should you not do? Become overexuberant. It’s critical to avoid running ahead and instead focus on a stair step approach. Also: remember you have to keep them committed. You can’t take them for granted. Listen in to learn more about how to make the middle of your organization your greatest supporter.

By Adam Turteltaub Most of the time people look at the termination of a problematic employee as solving a problem. Bob Woolverton of Top Tier Leadership Training believes that thinking is a mistake. As he points out in this podcast, it’s not an end point. Instead, it’s the time to start, if you haven’t already, assessing how the organization got to this point. The employee’s supervisor was responsible for ensuring the worker’s success and safeguarding his or her welfare. The termination begs several questions the manager should be asking: * What should or could I have done to prevent this from happening? * What is my culpability? * If it’s a policy violation, am I certain the employee understood the policy, or did we just have him/her sign off? * Did the policy not make sense in this environment? * Was there an opportunity for misapprehension or misapplication? The bottom line it is the time to start a reassessment process. On an ongoing basis he recommends organizations’ managers take a “rudder tap” approach. What this means, in practice, is providing small adjustments to course when things begin to go awry, rather than waiting until things are so far off that a bad outcome is inevitable. Making this method successful requires fostering an environment where people – both employees and managers – understand that corrections can be positive and a part of a healthy corporate culture. Listen in to learn more about how a termination can lead to a process of positive change for the organization.

By Adam Turteltaub With the proliferation of sanctions in the wake of the war in Ukraine and more focus on responsible sourcing, trade compliance has grown exponentially in complexity. It has also become less of a compliance silo and become more integrated with other compliance efforts. To understand the state of trade compliance we sat down with Lindsay Bernsen Wardlaw (LinkedIn), Director, Trade Advisory Services, Amalie Trade Compliance, who outlined the four areas of trade compliance: sanctions, export controls, antiboycott and customs. Each has great complexity, and there’s much more than Russian sanctions to worry about. Restrictions on importing goods manufactured by forced labor have increased dramatically with the passage of the Uyghur Forced Labor Prevention Act that presumes good sourced from the Xinjiang region of China were made with forced labor. The law has real teeth, she explains. Of the approximately 3,000 shipments stopped under the law, none have been released because they were able to prove that the shipments weren’t made with forced labor; some have been released because they were able to prove they weren’t from the restricted region. So what should organizations be doing? First, take the time to understand your risks, including the primary inputs for your products and who your suppliers and customers are, including agents and channel partners. Understand, too, where the goods are being made, sold to and for whom. Have a restricted party screening process in place and an import/export classification strategy. Also, be sure to have a transaction review team in place for any deals that may be sensitive. She also recommends creating a crisis task force for when things go wrong, as they may. It will likely include the trade compliance, supply and procurement teams. Other potential members include IT, engineering, product management, and even communications. Listen in to learn more about what you need to do to ensure compliance in this ever-more complex risk area.

By Adam Turteltaub Compliance teams have long advocated for building more trust in the workplace. That is good idea for the corporate culture, but, counsels Sese Bennett, a virtual CISO for CereCore Advisory Services, going the exact opposite way may be better for your IT security. There he advocates organization never trust and always verify. So, what is a zero trust approach? It assumes that just because someone has logged in to your system doesn’t mean that person is who he says he is or that she can access the entire system. In practice that means carefully controlling access both into the network and within it. It means preventing people from accessing a low value part of the network and giving that person access to higher value servers. It means having a system that knows an individual doesn’t, say, normally login from Pakistan at 4:00 in the morning. It monitors sudden changes of usage. Importantly, he explains, a zero trust approach is not necessarily intrusive. Users won’t be forced to login repeatedly to prove who they are. Instead, it can work behind the scenes and be invisible to the end user. Listen in to learn more, including what teams you will need internally to adopt a zero trust approach and potentially better protect your data from breaches.

By Adam Turteltaub When discussing AI around compliance professionals these days you can instantly feel the tension. AI, for all its promise, has proven to be a bit of a compliance and ethics nightmare. Stories abound of AI embracing redlining and other discriminatory practices. Anthony “Ant” Stevens, CEO and Founder of Melbourne, Australia-based 6Clicks sees opportunities, though, for putting AI to work for your compliance program. It has the potential, he believes, to streamline activities, better tie policies to the underlying legal requirements and enable compliance teams to better understand the overlap of similar laws around the world. In this podcast he explains how the technology can help compliance operations, particularly ChatGPT. He also makes clear that there are limits to AI. A human element remains important for ensuring that what AI says makes sense, both on its face and for your workplace. Listen in to learn more about how AI can stop being the stuff of a compliance professional’s nightmares and start becoming a dream come true.