Compliance Perspectives

By Adam Turteltaub Andrew Walker is the US Tennis Association’s (USTA) director of education and training for officiating and chief umpire at the US Open. He was good enough to join our Sports, Compliance & Ethics Conference, where he revealed something surprising. With the USTA having over 13,000 sanctioned events a year, ranging from adults to juniors, the vast majority of matches are technically unofficiated. Roving umpires are available but move from court to court. They don’t sit in the chair and call each point. Players do and keep the score. That’s often true as well at the college level. It's not too different from how things work in the business world, with compliance officers not there to make every call for the business unit. How does this work? Part of the role of officials at entry level events, especially those with children, he explains, is not to act only as officials, but to act as educators as well. They are there to teach kids to officiate fairly, even if it means making a call against oneself. That’s not easy, human nature being what it is and with, these days, the ultra-competitive environment in youth sports. The officials seek to ingrain sportsmanship, which includes integrity, respect for your opponent and respect for the game. It also includes being a good winner and a good loser. What happens when there is a dispute? First, officials recognize that honest mistakes are possible. A player, especially a young one, running to make a shot may not see things accurately. Even competitive players can lose track of the score. But, when the calls are questionable, they will stay and watch the match for a while. And, if a player is repeatedly overruled in his or her calls, points and games can be taken away. The player may even default. Listen in to get both a new appreciation of the world of tennis and maybe pick up a few ideas about how you could encourage more self-umpiring at your organization.

By Adam Turteltaub Fraud and compliance issues often go hand in hand, which is why it’s important for fraud and compliance teams to work closely together. Christopher Knight (LinkedIn) of Knight Vision Fraud Investigations and Megan Grifa (LinkedIn), Senior Director, Compliance Oversight for Sidecar Health, will be addressing the fraud-compliance relationship at the 2023 HCCA Compliance Institute, taking place in Anaheim April 23-26. In this podcast that point out that communication and follow up are central to building successful connections between fraud and compliance. Each needs to let the other know what it is doing, what has been found and what is coming up next. Also of great value:  setting up mechanisms to force yourselves to connect at a certain cadence to keep the lines of communication open. In addition, they advise taking the time to get to know each other on a personal level. That will help build the trust that is essential when addressing a crisis. Even during more normal times it’s essential to cooperate, aligning program structures and sharing risk assessments. Compliance teams can benefit from data mining and analytics tools that fraud has. Meantime, the fraud team can benefit from the seven elements approach used by compliance. Listen in and then plan on learning more at the 2023 Compliance Institute.

By Adam Turteltaub Ethical leadership is about much more than being both ethical and a leader. It is also about the actions you take to encourage ethical behavior all around you. It’s the subject of this podcast and a talk that will be given in March at the SCCE European Compliance & Ethics Institute by Steven Pegg, Senior Ethics Officer, Europe, Middle East & Africa for Lockheed Martin. Ethical leadership comes with many challenges. Aggressive goals can cause executives to focus just on the task at hand and be tempted to cut corners. Studies have shown that positions of power can have an affect on behavior over time, leading to a loss of empathy, acts of disrespect, feelings of entitlement, selfish behavior and a tendency to think that the rules don’t apply to them. These factors can create a toxic culture not surprisingly. Smaller offices also face the challenge of developing a subculture that can be inimical to ethical conduct. Lacking the controls of larger locations, unethical behavior may be left unchecked. There is one other challenge to ethical leadership: a hesitance to talk about ethics. Some leaders, even virtuous ones, are uncomfortable discussing ethical issues. To overcome these challenges ethical leaders need to develop several skills. These include: * Setting the tone. People model what their leaders do. If a leader is comfortable telling stories and discussing ethical issues, it’s far more likely the rest of the workforce will be as well. * Act as a positive role model. They must be accountable for their actions and both talk the talk and walk the walk. They also must respond fairly to both positive and negative feedback. * Know their limits. When leaders have exhausted their own skill sets, they need to be willing to reach out to others for guidance. How can executives exercise ethical leadership in a hybrid environment? Steven recommends being creative. Use technology when it is helpful, but look also to face-to-face, in-person interactions as well. Setting up regular check-ins with the team can be particularly useful. At those meetings, encourage people to share their ideas on all the issues. It will make them feel more comfortable raising their hand, knowing they are in a safe environment. Also, remember that different cultures around the globe have their own unique ways of seeing things and behaving. Take the time to understand those differences and communicate sensitively. Finally, he discusses what to do when an employee comes forward with a concern. His central advice: listen, listen, listen. Listen in for more and then be sure to join him at the 2023 SCCE European Compliance & Ethics Institute.

By Adam Turteltaub At the 2023 HCCA Compliance Institute, which takes place April 23-26 in Anaheim (and in a virtual format  April 24-26), Niurka Adorno-Davies, AVP Compliance, Molina Healthcare, and Scott Intner, Chief Compliance Officer, GW Medical Faculty Associates, will be leading the session “Swimming with Sharks: A Compliance Officer’s Guide on Working with Legal Counsel.” Their session, and this podcast, will examine some of the friction points in the Compliance-GC relationship and how to make things go smoother. There are a number of causes of stress in the relationship, they explain. A GC controlling access to the board and senior leadership is one of them. Having legal as the gate keeper can be detrimental to the relationship and the effectiveness of the compliance program.  Another cause for stress is overlapping responsibilities. If legal and compliance are unsure where one ends and the other begins, the lack of clarity can lead to turf battles or issues falling between the cracks. To make the relationship a positive one they recommend beginning with respect for each other’s role. Second, compliance should be sure to give legal a seat at the table as soon as a potential issue is identified. Having them as a part of the team early can yield multiple benefits. Also, don’t overstep your role and start giving legal advice. That’s for them to do. To protect privilege, be prudent when confronted an issue that may lead to litigation or a settlement conversation with the government. Bring in the GC’s office, or if your organization doesn’t have one, reach out to outside counsel. Outside counsel may also be helpful if the investigation is likely to involve senior leadership or delves into an area of specialized expertise that in-house counsel lacks. Finally, be sure to share information both ways, understand each other’s roles and embrace a commitment to respect. Listen in, and be sure to check out their session at the Compliance Institute.

By Adam Turteltaub So what do escalators in Japan have to do with compliance and ethics? As Christian Hunt found, quite a lot. In this podcast the author of Humanizing Rules and founder of the consultancy Human Risk shares an interesting tale. A community outside of Tokyo found that the rate of injuries on escalators to and from train platforms had grown alarmingly high. The culprit was a tendency of some people to walk or run on the escalator, rather than just stand there. They ended up jostling other passengers, many of whom were older. This led to several injuries. To combat the problem a campaign was launched requiring people to stand on the escalators. Signs were posted telling people that hurrying up or down the escalator was prohibited. There was no rigid enforcement, just a reliance on people’s goodwill. At first there was near universal compliance. People saw that no one else was running or walking on the escalators, which provided social proof that standing was the only acceptable behavior. Also, with so many people just standing, it was more difficult to get by them all, effectively forcing people to stand where they were. Not surprisingly, injury rates plummeted. Over time, though, compliance rates dropped. For some, resisting the urge to hurry and not be late was just too strong, but, happily, injury rates remained far lower than their peak. As Christian explains, this case of what he calls “compliance in the wild” – something compliance-related we see in everyday life that we can learn from – provided several lessons for compliance teams: * Maintaining 100% compliance is extremely difficult for long periods of time * Even less than 100% compliance can be a big win * Battling human urges (including simply feeling you are late) is extremely challenging He also provides a warning that, when seeking to influence human behavior one must be mindful of not annoying them any more than you need to. If you go too far, it may well provoke bad behavior elsewhere. Listen in, but maybe not while riding an escalator.

By Adam Turteltaub Veronique Roedolf, the Brussels-based Chief Compliance Officer at Solvay, was focused on developing and enhancing the compliance program.  As she shares in this podcast, the company evolved their efforts and developed what they call a “Four Cluster Compliance Program.” The clusters are: Protecting a Culture of Integrity A culture of integrity, as they defined it internally, is about not just following the law but also acting with integrity according to the organization’s values. Building a Strong Speak-Up Culture Here they sought to raise the bar, overcome regional differences and help everyone understand that speaking up is not a negative thing. When done in good faith it enables the culture of integrity. Increasing Third Party Oversight These days every organization is only as strong as its weakest third party. Due diligence was expanded to include human rights and environmental issues. Addressing and Mitigating Risk Compliance and risk management are very much connected. The goal was to detect and address a broader spectrum of risk in an early stage. Overall the focus is on prevention, which goes hand in hand with being more efficient and effective as a compliance program. To achieve their goals they worked to become more embedded in and supportive of the business. They secured management commitment by involving leadership from the start. They also made sure there were opportunities or feedback and to have an impact. To launch and sustain the program the compliance team developed a strategic communication plan with consistent and repeated messaging around two key communication points: * Acting with integrity in everything we do * Thank you for protecting our culture of integrity at Solvay Listen in to learn more about the development and implementation of the Solvay Four Cluster Compliance Program.

By Adam Turteltaub ESG, or Environmental Social and Governance efforts, may not be a mandate quite yet for healthcare providers, but already there are heavy demands for ESG-related information from regulators, the public and bondholders. As organizations pull together the data they need to report, says Rebekuh Eley and Rick Kes of RSM, it’s important to make sure that you have a thoughtful process behind it so that the data is accurate, consistent and complete. The last thing an organization wants is to have faulty data. At the same time, many organizations only scratch the surface of what they can take credit for in terms of increasing health equity for the communities they serve or improving their environmental footprint. That information can be helpful in meeting federal tax compliance requirements. While some may see ESG as something new and different, they note that community health is squarely under the S (Social) aspect of ESG. Keeping a good score on your ESG efforts can help demonstrate that your organization is meeting its obligations to the community and 501(r) requirements. It can also earn you credit for your environmental and governance efforts, including the number of community members who are on your board. Listen in to learn more about ESG and its role in healthcare

By Adam Turteltaub London-based Keith Read (LinkedIn) is a longtime member of the compliance community and author of the book The Unconventional Compliance Officer: Doing Things Differently. He laments the fact that compliance officers spend their time “pushing”, as he describes it: pushing training, reminders, policies and so forth. That, he believes, leads to compliance fatigue and pushback. Instead, he is an advocate for creating pull, where employees don’t see compliance as a chore but as an asset. In this podcast he outlines several intriguing practices he has used throughout the year to stimulate pull: * A compliance passport system to provide a more formal and valuable certification for employees of their achievement in meeting their compliance training requirements * A competition to identify compliance and ethics issues, which exposed some genuinely real issues * Creating “licensed professionals”. For example, by completing compliance training you are then licensed to perform your job. This helped identify gaps and tighten up the procurement process. * Instead of just auditing third parties, providing them with a grade, similar to what is often done for health and safety ratings at restaurants. Vendors came to use good ratings as a badge of pride internally and to help them win additional business Listen in to learn more about these ideas and others that could stimulate new ways to think about your compliance and ethics program.

By Adam Turteltaub Pharmaceutical and medical device companies use a number of methods to market their products. Among them, speaker programs get the most attention, often for all the wrong reasons. As Radha Inguva (LinkedIn), Director of Compliance, The CM Group explains in this podcast, while these programs are designed to educate the medical community they often lead to wrongdoing, with “educational sessions” held at wine tastings, lavish dinners and even Hooters. To avoid problems, she and others are advocates for what is known as the optics test:  basically, asking how a program would look, sound and feel to others. If it doesn’t seem right, it probably isn’t. From a practical perspective, she advises looking at all aspects of the program. Are the menu selections appropriate? Is alcohol served (which it shouldn’t be)? Is there an appropriate amount of educational content? Is the venue consistent with learning? Are there some doctors attending the same program again and again for no apparent reason other than the free lunch? Are the speakers being paid an appropriate honorarium? Then, after a program concludes, spend time making sure that it makes sense from both a business and optics perspective. It isn’t just pharma and medical device companies that need to look at the optics. Health care providers are looking at them, too, with some creating blacklists of restaurants that they will not allow people to visit for presentations. Listen in to learn more about what makes for a speaker program that’s safe to listen to.

By Adam Turteltaub Providence is a US-based healthcare system with over 165 years of history behind it. But, the Providence Global Center in India started just in 2020. It was founded as an engineering and operations hub and has a startup culture. Anitha Vittal, Head, Risk and Compliance, was charged with getting the program off the ground. To get things started she first spent time talking with staff. Happily, she learned that attitudes towards compliance were very positive. While each person may have had a different definition of compliance, there was an eagerness for guidance and, for some, to have others responsible for managing the many legal and regulatory requirements. After considering how to make the program effective and relevant, she ultimately decided to leverage the start-up culture and position compliance differently. Instead of speaking of it as a control, she positioned it as a way to make each endeavor successful. This approach includes three key elements: * Each new hire, as part of their two-day orientation, is given a thirty-minute introduction to the compliance program featuring an engaging story-telling approach * A compliance champions network * Encouraging a speak-up culture In addition, the risk assessment results were characterized in a new way, with each area labeled either “asking for help”, “may need help in the future”, or “no help needed”. Using this nomenclature, she found, was much more successful at providing dimension to risk areas. Looking to the future, 2023 plans include embedding compliance into the organization’s DNA, exploring opportunities for insourcing resources, and leveraging technology to enhance productivity and bring efficiencies. Listen in to learn more about what she and Providence are doing.

By Adam Turteltaub On December 7, 2022 The Speak Out Act became law. Stephen Paskoff, the President and CEO of ELI explains that the law was spurred by the #MeToo movement and the Non-Disclosure Agreements (NDAs) that limited recourse available for victims. It was designed to make it easier for victims to come forward, and for improper behavior to remain hidden. The new law, limits the ability of employers to include NDAs when it comes to sexual assault and harassment. Specifically, it states: With respect to a sexual assault dispute or sexual harassment dispute, no nondisclosure clause or nondisparagement clause agreed to before the dispute arises shall be judicially enforceable in instances in which conduct is alleged to have violated Federal, Tribal, or State law. As a result of the law, compliance teams, no doubt working closely with HR and the general counsel’s office, will need to work to ensure that NDAs for sexual assault and harassment are no longer used internally or even externally with vendors. Existing agreements will need to be reviewed as well. Organizations will also need to recognize that the balance has shifted, making it easier for employees to air grievances publicly. To get ahead of this issue, they will need to take several steps that they likely should have already, including stressing standards and the value of respect. Training to prevent the bad behavior in the first place will be even more important, as will be good controls to catch it quickly when it happens. Listen in to learn more about what The Speak Out Act means for your compliance program.

By Adam Turteltaub Perhaps the biggest non-Covid change in the corporate landscape over the last few years has been the growth of the Environmental Social and Governance (ESG) movement and its call to measure business on more than P&L statements. While some consider it a passing phase, Stuart Pardau, Associate Professor of Business Law, Professional Practice at Miami Herbert Business School at the University of Miami, thinks it is here to stay. As proof he points out that BlackRock, Vanguard and State Street, with a combined $20 trillion in assets, have stated their commitment to making investment decisions informed by ESG considerations. He also notes that the SEC has proposed new rules to standardize climate-related disclosures. On the corporate side, bonuses are increasingly tied to ESG metrics, and annual reports are featuring ever more language on the topic. Organizations are also more willing to take a stand on social issues. With this revolution, though, has come new risks, he notes. Greenwashing – making marginal or fraudulent environmental claims – has grown to be a serious issue with the potential for reputational damage. With this and other risks have come new challenges for compliance programs. Compliance teams need to help in the assessment of which ESG risks are greatest for their organization. In addition, they must keep in mind that not all of these risks come from aspiring to be a better organization. Some, whether around environmental, forced labor, or other issues, already have laws behind them. There is also an internal risk around corporate culture. If there is a gap between the professed values and the everyday actions, the chances of a public and embarrassing failure are great. Listen in to learn more about where ESG is going and the role of compliance along the way.

By Adam Turteltaub The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires offerers of consumer financial products to explain how they share information and protect sensitive data. It’s not, however, only banks that fall under GLBA’s umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid and others a well, explains Kayne McGladrey, Field CISO for Hyperproof. The FTC, has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations: * Have a qualified individual to implement and enforce an information security plan * Conduct a periodic cybersecurity risk assessment * Implement cybersecurity controls to manage those risk * Document who has access to customer data * Assess the risks of applications that can access the data * Securely destroy old data * Periodically test the controls to verify their effectiveness In addition, staff needs to be trained, there must be a written incidence response plan and ongoing testing. It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place. Even so, it’s important to conduct a gap analysis, he advises, to ensure all the requirements are being met. Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.

By Adam Turteltaub Last year was an eventful one for the world and the compliance profession. In this podcast, Matt Kelly, Editor and CEO of Radical Compliance, looks back at what he sees as the biggest events, and looks into the future. The conversation begins with the impact of the war in Ukraine. He observes that the increasing number of sanctions of Russian individuals and entities, as well as the variations from country to country, have forced companies to improve their sanctions compliance efforts. The sanctions have also complicated procurement, forcing organizations to review their suppliers more carefully to avoid sanctions issues. With the war has also come of host of ethical considerations. Organizations have had to decide what to do with their Russian operations and the people that work at them. Also on the international front, 2023 brought increased cooperation among prosecutors, with a rising number of anti-corruption enforcement actions combining the resources of prosecutors in multiple countries. ABB, Glencore and Danske Bank are three notable examples. This activity comes at the same time as Europe continues to lead the world in privacy and data protection requirements. Looking domestically, he points to statements by Lisa Monaco at the Department of Justice and the push to require certification of the effectiveness of the compliance program by the CEO and chief compliance officer. This could be a dramatic shift for compliance programs.  On the one hand, it could create stronger ties between the CEO and compliance, Matt observes. On the other hand, compliance officers would see greater personal risk, especially given the real likelihood that, despite a strong program, wrongdoing may occur. Whether certification truly becomes established practice, though, has yet to be seen. Thus far it has only been imposed in the context of recently signed DPAs. As a result, certification will come in three years, if at all. He notes that a change in Administration could see a reversal of the policy. What does he see in 2023? For one, a need for compliance teams to improve their ability to access and analyze data. The US Department of Justice has made it clear that it expects organizations to have robust compliance data analytics processes. Second, he sees increased data protection enforcement actions, both abroad and in the US. Listen in to learn more about what happened and what to expect for your compliance program in the year to come.

By Adam Turteltaub It’s critical for patients leaving the hospital for a post acute care (PAC) provider that the handoff be conducted well. Some facilities will be better suited to the patients needs than others, which is why the process needs to be handled properly, with discharge planners making recommendations based on patient need, rather than the financial interests of the hospital or PAC. Unfortunately, explains Beth Kastner, Member, and Shannon DeBra, Senior Counsel, at Epstein Becker & Green, that’s not always the case. Patient steering and charting can take place, with bad outcomes for everyone involved. While there is no official definition of patient steering, it has been informally defined as the practice of directing patients and/or their caregivers to PAC providers that do not align with the patient’s goals of care and treatment plan. It can also be defined as inappropriately influencing the patient and/or care giver. Traditionally this occurs when the hospital, or its discharge planner, has been remunerated in some way by the PAC. As recent cases have shown, that could come in the form of gift cards, massages or even a free cruise. It might also be delivered as staffing for the hospital paid for by the PAC. Whatever the form, it’s improper and could lead to a very large settlement and termination of the Medicare provider agreement. Patient charting is a scheme in which a PAC is given access to patient data to identify patients for referral to their facility. It’s a practice that holds multiple risks, including anti-kickback and privacy. So how can a hospital stay ahead of this risk? First, train the staff that remuneration comes in many forms and carries substantial risks. Second, reinforce that discharge planning must be done in the best interest of the patient. Third, watch carefully, including ensuring that all arrangements are in writing and reviewed by legal or compliance before signing. Listen in to learn more about the issue and the do’s and don’ts of preventing patient steering and charting.