Compliance Perspectives

Post By: Adam Turteltaub It’s been an interesting and challenging times for efforts to encourage employees to speak up, reports Neta Meidav, co-Founder and CEO of reporting tool provider Vault Platform. Despite the increase in employee activism, there has been a decline in year-over-year helpline volume, which she attributes to both the nature of traditional help vehicles and a deficit of trust in the workplace. Other factors having an impact are: a desire of employees to report to external avenues, COVID-related changes in the workplace, and a new focus on ethics and purpose. This last factor goes hand in hand, she argues, with a growing tendency of social issues to become business issues. Regulators have also been stepping in. For some time, of course, the SEC has encouraged reports to its Office of the Whistleblower. The EU Whistleblower Directive has acted as a catalyst across the Continent, with countries in the midst of creating their own laws, with varying protections likely. She expects this to drive increased accountability and transparency. In this podcast she encourages compliance teams to think about the activist sentiment in Europe, what it means and how it differs from the US. And, of course, organizations need to recognize the complications posed by GDPR. She also advocates for a reassessment of how compliance teams encourage employees to report internally. With open door policies no longer relevant in a time of remote working, she believes it’s time to find new tools and increase efforts to promote psychological safety. Listen in to learn more about how to foster a speak-up culture in the current era.

Post By: Adam Turteltaub Codes of conduct are ubiquitous these days, and they are often digital. It’s a way to make them more accessible, and more in line with how people work. But what if you took that virtual approach up a bit? That’s what TAQA and its Head of Ethics & Compliance Abdul Rahman Al-Ja’abari (LinkedIn) did. They created a Code of Ethics & Business Conduct that is experienced as a virtual reality walk through of representations of the some of the company’s facilities, in addition to a more conventional PDF. TAQA had recently undergone a large merger that created one of the largest listed entities by market cap in the United Arab Emirates (UAE). The newly-formed company needed an ethics and compliance program that would both help it meet regulatory requirements and unify the culture. Because the company operates around the globe, the code of conduct had to be put in a format that would be accessible to everyone. But, they also realized there was an opportunity to use it as a unifying tool. So, they created a version of it that employees could literally explore. They navigate room to room, as Abdul Rahman explains, where they see what different locations of the company look like and are able to explore different elements of the code. This creative approach has received very positive feedback.  It was also a way for the compliance team to deliver on the company’s core value of innovation. For anyone inspired by this approach, Abdul Rahman recommends beginning by building alignment with management on the approach, objectives, budgets and resources required. The communications team needs to be brought on board to help ensure you stay in line with their communications plan. Of course, the IT group is also a crucial partner, helping ensure that the solution is compatible with the organizations systems and is readily accessible to the employee base. Finally, be prepared for a positive reaction. People tend to see compliance as a staid, boring group.  Developing something creative, he explains, can help change minds very dramatically and for the better. Listen in to learn more, and then spend some time exploring the TAQA Group Code of Ethics & Business Conduct.

Post By: Adam Turteltaub The calls keep coming in to the helpline, which is great, unless you miss that all important, high risk one amidst all the minor issues. How do you avoid that problem? In this podcast, Mia Reini, Senior Manager-Corporate Compliance and Enterprise Risk Management at The Home Depot and Monica Lopez Reinmiller, Managing Corporate Counsel-Legal Affairs, Compliance at T-Mobile provide some intriguing answers. Mia reveals that Home Depot has made a bot a part of its compliance team. Working with IT they developed software which scans helpline calls in real time, looking for buzzwords that correlate with high-risk incidents. If it finds them, they go straight to corporate compliance for review. Launched in December 2020, the bot averages several cases a day by looking for terms such as SOX, FCPA, DOT, EPA and hazmat. For the compliance team it’s proven invaluable since it is always at work, including on nights and weekends. But, they warn, vigilance is still required. Like all software, sometimes the bot goes down. Of course, not every organization can have a bot, and for those, Mia and Monica advocate a risk-based approach. That includes watching out for terms that a bot might, but also having someone with the requisite skills to triage the calls and flag those needing an escalated response to the board or requiring an attorney to oversee the investigation. Both Mia and Monica also argue for a root cause analysis as part of the investigation. The US Department of Justice has been encouraging them, but that’s not the only reason they are valuable. They can help in fostering a programmatic, preventative approach to compliance that is more disciplined. And speaking of discipline, pushing for organizational justice, they explain, is key. It is all a part of an active approach to managing employee helplines that helps foster a healthy compliance program.

Post By: Adam Turteltaub As if Stark Law and the Anti-Kickback Statute aren’t complicated enough, they can also lead to False Claims Act issues, explains Charles Oppenheim, Partner at the law firm of Hopper, Lundy & Bookman and author of the chapter “The Stark Law and Anti-Kickback Statute as FCA Risks” in the new HCCA book False Claims in Healthcare. In the case of Stark Law, where there is strict liability, something as simple as faulty paperwork can be highly problematic. If the documents don’t match up, no matter how innocent the mistake, an entity is prohibited from billing for services. And, when it comes to the Anti-Kickback Statute, the law is intent-based. So even if the remuneration is fair market value, corrupt intent can have drastic consequences. To prevent issues from occurring, and effectively remediate them should they occur, he offers several recommendations in this podcast. First, have well-designed policies and procedures when it comes to entering into new relationships, including policies for when not to enter into a relationship. Second, document how fair market value is determined, how you entered into the relationship and alternatives considered. Should a potential violation be identified, bring in experts who understand the subtleties of these very complex laws. And, he notes, don’t despair. It is quite possible that the relationship falls into an exception. For example, CMS has proven more flexible of late in its documentation requirements. Should you need to make a disclosure, consider the Self-Referral Disclosure Protocol (SRDP). It can take some time, but the outcomes can be more positive than many think. Finally, he advises healthcare entities to remember that we will one day come to the end of this pandemic emergency. During this crisis CMS issued a narrow waiver on Stark Law that many took advantage of while medical practices were in deep financial troubles. It’s important to document what you did and be prepared for the end of the emergency and, quite possibly, the end of the waivers. To learn more, listen in to this podcast, and check out our new publication False Claims in Healthcare.

Post By: Adam Turteltaub There are a lot of skills that compliance professionals need – communication, persuasion, negotiation, patience, and even legal – and now Lisa Beth Lentini Walker, CEO and Founder of Lumen Worldwide Endeavors and Stef Tschida, Founder, Tschida Communications, are suggesting another: organizational scholarship. The co-authors of the book Raise Your Game, Not Your Voice suggest in this podcast that, to be effective in their roles, compliance professionals need to be skilled at navigating the organization. To do that requires a deep understanding of the organization. They advocate for taking the time to understand the company’s strategy and culture. Consume as much information about the company as possible: the website, publicly filed documents, earnings calls, even what the marketing people are saying on social media. Is the company just sending out messages, or is it engaged in a dialogue? Also, look to what others are saying on sites such as Glassdoor. Are people saying good or bad things? If you are new to the organization, they recommend having a plan for your first quarter there to quickly build your knowledge base. Connect with key people, understand what the key relationships are, and what drives behavior. Then, look beyond the walls of the organization to understand what is going on in the industry as a whole to better understand what are the key forces, what may happen next and how your company compares to its peers. And be sure to set alerts for news about competitors, as well. A crisis in one could provide clues for what to watch out for in your own organization. Finally, take the time to learn how compliance is perceived. You only get permission to speak, they explain, when you first take the time to listen. If the business people know that your ears are open and that you are sensitive to their needs, they are much more likely to pay attention to what you have to say.

Post By: Adam Turteltaub As the compliance profession matures an increasing number of professionals in the industry are thinking about going out on their own and setting up a consulting firm. In this podcast we learn from three people who did just that and are willing to share their wisdom and experience: * Kristy Grant-Hart, Spark Compliance Consulting * Kirsten Liston, Rethink Compliance * Joe Murphy (LinkedIn), Compliance Strategists and one of the founders of Integrity Interactive Recently they wrote the book The Compliance Entrepreneur’s Handbook, and in this podcast they share insight into what they call the four corners approach to determining what the sweet spot is for your business. It’s difficult to be all things to all people, especially when first starting out. By looking at the four corners, they believe, you can narrow your focus to where you bring the most value to the market. The corners are: Function Rather than focusing on all elements of a compliance program, you can narrow your focus to those areas you have the most expertise in. That helps you become known for bringing in certain pieces of the puzzle. Risk Area Privacy, anti-corruption, antitrust, and Stark Law are just a few of the areas that can be ripe for building a business around. Geographic Region Do you want to serve a city, state, region or work globally? Think about where the market is and isn’t saturated. Ask yourself how much you want to travel. An international client base can be very enticing, but it means many days away from home, calls at strange hours of the day and night, and much jetlag. Industry Choosing industries to focus on can be a tug of war. You want to leverage your expertise in a given industry or two, but you don’t want to set your sights so narrow that there are too few opportunities available. In sum, it’s a complex calculus when it comes to going out on your own, but it doesn’t have to be overwhelming. It also takes great persistence and a strong network to get your business off the ground. And one final piece of advice you will hear in this podcast: don’t forget it’s a business, with all the issues that brings. Listen in to learn more and help you decide how to start your own compliance business, or whether you are better off staying right where you are.

Post By: Adam Turteltaub Much has changed in the world of compliance, especially of late, but when it comes to healthcare investigations, not all should, says Pamela Para (LinkedIn) RN, MPH, CPHRM, ARM, DFASHRM, President and Chief Content Officer at CE Companion. According to Pamela the historical approach still works. And, interestingly enough, she notes that it relies heavily on several nursing techniques developed by Florence Nightingale, herself:  assessment, diagnosing, planning, implementing monitoring and evaluation. In the podcast she lays out three P’s for investigation (and a few additional little “p’s” too): Policies: Be sure to match up your policies, procedures and protocols with national standards of practice and regulatory requirements. Then make sure you are doing them in practice. Paper: Documentation is critical.  Document your finding for the record and any corrective actions taken. People: Get the right people involved in the investigation, and be sure to have a methodology for gathering them. Who will be on the team will vary depending o the type of investigation. And don’t forget to go back to the previous “P” and document your selection process. Listen in to learn more about how to improve the effectiveness of your healthcare investigations, including how the investigatory process can and should be a part of the enterprise risk management and strategic plans.

Post By: Adam Turteltaub While organizations have increasingly embraced cloud computing as a solution to their data management and other needs, they do so in an environment of heightened risks. Attacks on cloud providers are increasing, which makes it ever more important to ensure that the rewards outweigh the risks, including from a compliance perspective. Chris Ford, Vice President Product, Threat Stack, advises organizations look to cloud service providers that have taken the step of becoming certified against standards such as ISO 27001 or SOC 2. He also recommends not stopping there and looking to certifications that align with specific risk areas such as IPAA, GDPR, CCPA or PCI. That’s still not enough, though, he cautions in this podcast. Meet with the security team to discuss the organization’s practices and how it manages third party vendor risk. If their practices aren’t secure or the team is unwilling to meet with you that should be a very large red flag. So, too, is the approach to compliance:  stay away from vendors who take a check-the-box approach. Other pieces of advice he offers: * Ask if they scan code in the build pipeline * Determine if they do runtime monitoring of the infrastructure * Find out what tools they use to ensure your date is secure * Make sure they are constantly scanning for vulnerabilities Finally, security is a “team sport” he notes. It’s important to maintain trust on an ongoing basis and look at this as a journey together. Be sure to learn from the failures of others, and, of course, make sure that you are just as vigilant of your internal IT security as you are of your vendor’s.

Post By: Adam Turteltaub With the Theranos trial in the news, we thought we would repost this podcast with former Theranos employee and whistleblower Tyler Shultz. Tyler Shultz, like many others, was entranced by the vision of Theranos and its charismatic founder Elizabeth Holmes. He would not remain so for long, ultimately sharing his concerns with her, his grandfather (a member of the board), and then becoming a source for a Wall Street Journal reporter, and a whistleblower, reporting to New York state’s public-health lab his concerns that the company’s proficiency tests had been manipulated. On March 30, 2020 he will be sharing his experiences and insights at the 2020 Compliance Institute, and he was also kind enough to talk with us for the Compliance Perspectives podcast. In a very frank discussion, he tells us how the culture of Theranos discouraged people from coming forward and raising issues. In fact, there were severe disincentives for doing so ranging from potential loss of a visa to litigation. We also discuss what drew him to the company and why it was so hard to face the dark reality behind the enticing façade. Finally, he addresses signs that compliance professionals should watch out for that could be symptomatic of a very dysfunctional culture, if not outright wrongdoing. Listen in to hear what he has to say and then plan on hearing much more at the 2020 Compliance Institute.

Post By: Adam Turteltaub “Dark data” sounds ominous, and as Peter Bauman (LinkedIn), Founder and CEO of ActiveNav explains in this podcast, it can lead to great risks for organizations. Dard data is essentially data which organizations collect as a part of their business processes but don’t necessarily have a plan to use. It is also data that rarely gets thrown out, instead residing indefinitely on devices and services. It includes weblogs, tracking data, surveillance footage, email correspondence, chatroom conversations, presentations and old spreadsheets. This data is typically unstructured, and often it is very opaque. It also carries significant risks including the need to access it during litigation, and it even may create privacy issues. How can you get a handle on this data? Shine a light on it. Determine where it is in your organization and start building a data inventory that classifies the data. Next determine what is worth keeping and what needs to be destroyed. And, for the data worth keeping, take the trouble to classify it. Most of all, treat this as an ongoing issue to manage. Data tends to collect itself, in many ways, and organizations need to be aware of what it has and what it’s for. That requires the creation of better policies for collecting and managing data. Those policies need to be pragmatic, reflecting both business needs and the inevitable collection of ever more amounts of data. Listen in to learn more about dark data and how you can start bringing it into the light.

Post By: Adam Turteltaub You’re about to begin a complex investigation. What should you be thinking about? What should your first steps be?  And what tricks of the trade are there? To find out we spoke with Tech Data’s Jannica Houben (LinkedIn), Vice President Global Legal Transformation and Katarzyna Golonka (LinkedIn), Vice President Global Compliance. The two of them will be leading the virtual session “Advanced Investigations in Multi-National Companies” at the 2021 SCCE Compliance & Ethics institute, which takes place September 19-22, 2021. A good investigation, they explain, needs to be properly scoped and be staffed with qualified personnel. In thinking who those people would be for your organization, they advise remembering to consider both the obvious and the subtle issues such as the languages you need on the team. And, of course, be sure your interviewers are well trained, not just eager. Other things to think about right at the start: * The legal expertise needed to understand reporting obligations, privacy and labor laws * How enforcement authorities operate * Whether there will be a need for IT and forensic resources * Sector-specific knowledge * Other expertise required such as in finance, sales, operations even SAP One of the biggest decisions to make early is whether this is an investigation that is best handled using an internal or external team. Each has its own plusses and minuses. As they note in the podcast, an external team can bring in skillsets that you don’t have, including the often expensive and complex forensic resources. But, since an external team likely doesn’t know your culture as well as you do, they may miss the small things that an inside team wouldn’t. They also discuss here the report that will come at the conclusion of an investigation. Documenting the steps you have taken is key, so much so that they believe if it isn’t documented it’s as if it never happened. It’s a part of demonstrating that the company took the issue serious and investigated thoroughly. Make sure the report language is as concise and to the point as possible. The findings need to be reported objectively and accurately and, of course, state whether they allegations were substantiated or not. Listen in to learn more and don’t miss their virtual session at the 2021 SCCE Compliance & Ethics institute.

Post By: Adam Turteltaub Social media has now become a permanent fixture of our lives, but that doesn’t mean we’re altogether comfortable with it.  And for compliance professionals, there is  a constant and changing range of risks, reports Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer for Deluxe.  She will be leading the session “Social Media:  Old Platforms, New Risks” at the 2021 SCCE Compliance & Ethics Institute. To understand the risks, in this podcast we take a look at several different types, starting with the organization’s own social media activities.  She advises that, despite the informality of social media, companies need to think through their communications like they would advertising or PR: professionally.  That means using appropriate language, checking the hashtags to make sure that they aren’t being used elsewhere online where the meaning may be inappropriate, and having someone responsible for the activity.  It also means having a defined objective and a method for measuring if the social media is achieving what it is supposed to. Organizations should also engage in what she calls “social listening”:  seeing what others are saying about you online.  Visit sites such as Facebook, Twitter, LinkedIn, Glassdoor, Yelp, Amazon and Google reviews.  Use them to understand how people are interacting with your organization and their experiences. When it comes to looking at what employees are doing online, she cautions that the National Labor Relations Act covers a wide range of employee activities and protects them.  Generally speaking, the National Labor Relations Board has found that employees have the right to complain online about compensation and work conditions. Also, exercise caution when reacting to that bikini-clad photo on Facebook.  There’s probably nothing you can or should do about it. Be cautious, too, about the new platforms that have emerged.  Their data practices may be cause for concern. Finally, she recommends using social media as a means for compliance teams to connect with the business people.  It provides opportunity to engage with them both in a formal professional way, as well as informally. Listen in to learn more, and be sure to catch her session “Social Media:  Old Platforms, New Risks” at the 2021 SCCE Compliance & Ethics Institute.

Post By: Adam Turteltaub While the pandemic put many things on hold, it did not do the same for the False Claims Act (FCA). To find out what is happening in FCA activity we spoke with Patrick Hooper, Jordan Kearney and Alicia Macklin, partners at the law firm Hooper, Lundy & Bookman, PC and authors of the chapter Cutting Edge Topics in the FCA for the new HCCA book False Claims In Healthcare. In this podcast they share that the opioid pandemic will still receive enforcement focus, particularly in areas such as treatment fraud. That’s likely to happen because of the increased number of people receiving medical coverage and the resurgence of the opioid epidemic during the pandemic. They point to recent press releases and public comments by the FDA. The government also signaled it is looking at fraud related to electronic health records, which oven overlaps with opioid-related fraud. We also discuss the now confusing area of subregulatory guidance. With the US Supreme Court decision in Azar v. Allina Health Services requiring more formal processes, and with a subsequent decision regarding local coverage decisions, many are wondering what to do. Listen in to learn what to consider as you navigate these thorny, cutting edge FCA issues. And be sure to check out False Claims in Healthcare.

Post By: Adam Turteltaub Third party anti-corruption due diligence didn’t stop during the pandemic, but it was different.  And, as the world begins to, hopefully, emerge from the pandemic Ashley Coselli, Senior Ethics and Compliance Counsel, Total American Services and Daniel Wendt, Member, Miller & Chevalier suggest in this podcast that companies should now go back to their files and see where there are holes The two of them will be leading the session Managing the Most Difficult and Most Important Anti-Corruption Due Diligence Projects at the 2021 SCCE Compliance & Ethics Institute, which will be taking place September 19-22. As you look through the due diligence files you are likely to find that one of the more important pieces missing is the face-to-face interaction that can be so important when gauging the risks posed by a third party. Once travel becomes safe and practical again, it’s important to get those relationship going, especially with high-risk relationships such as those with sales agents and joint venture partners. Next, determine how effective their compliance programs are, and begin to triage based on the greatest risks. But, they advise, don’t try to do everything all at once. It can just be too much. Also, invest the time to fill in the knowledge gaps about ownership structure to determine if anyone from the government, a former government official, or even a close family member of one has a stake in the organization. As you fill in the blanks, make sure to document what you are doing and have done, including the business justification for using a third party. It can be dreadfully difficult during a government investigation five years from now answering why the company decided it needed a third party, how it made the selection and why there were gaps in the due diligence. But, if you have been documenting your actions all along, the challenge is much less significant. One issue to consider that doesn’t involve the pandemic: Stop periodically to assess your current relationships. Sometimes a third party is brought on to handle one issue, and then over time the relationship expands greatly. Be sure to periodically ask: Is there the necessary due diligence for all the entity is doing, or just what it was initially hired to do? Listen in to learn more about this very thorny risk area, and then join us virtually or in person at the 2021 SCCE Compliance & Ethics Institute.

Post By: Adam Turteltaub When the helpline rings, it’s a make or break opportunity. Get it right, and you could find out about potential wrongdoing and useful details. Get it wrong, and the caller may decide it’s not worth it, give perfunctory information, or, at worst, hang up. Adam Balfour (LinkedIn), Vice President and General Counsel for Corporate Compliance and Latin America at Bridgestone Americas, Inc. strongly advocates in this podcast starting by asking yourself a question: Who is this helpline really meant to help? Is it simply there to collect information about issues or is it there to help employees? If an organization wants a speak-up culture, then the intake process can’t be an unpleasant, rote one. That will discourage employees from calling in. Instead, he argues, it is better to embrace a process in which the organization demonstrates to callers that it hears them. That includes using a more empathetic approach, using language such as, “I’m sorry to hear that and it sounds like it was upsetting to you.” This can help encourage the employee to open up and share more. Leading by addressing emotions can help open up people to sharing more facts, he has found. To guide the conversation, a script is helpful, but it should not get in the way of the conversation. More important is to keep in mind the goal of getting information. So, what do you do when setting up (or revising) the helpline with your vendor? He recommends laying out what processes and experiences you want for your workforce. Then, take a look at how they incentivize employees. If their goals are designed to get callers off the phone as quickly as possible, that could be sending exactly the wrong message. Listen in to learn more about listening up.