Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: firstname.lastname@example.org
Posted by Adam Turteltaub
Procter & Gamble (P&G) is one of the best-known companies in the world, boasting top brands such as Tide, Crest and Charmin. The company is also well recognized for its highly strategic marketing and its integrity. In fact, its reputation for principled behavior is what attracts and helps retain top talent at the organization, reports Jay Ernst (LinkedIn), Director – Ethics & Compliance Office, P&G, in this podcast. How strong is the organization’s commitment to ethical behavior? In annual surveys the company's purpose, values and principles are cited most frequently by employees as something that they do not want to change. For its annual Corporate Compliance & Ethics Week celebration, which they have dubbed the “Do The Right Thing Celebration”, the compliance team ties the program and compliance training into one of three commitments – respect, integrity and stewardship – that are part of their refreshed code of conduct. In 2021 the theme was “Leading with Respect”. Activities included marquee events featuring external or high-profile internal speakers. They also had videos highlighting challenges people may face, risk areas and how to deal with them. To make the program relevant to its employees around the world, they enlisted the help of the employee relations group, which helped them identify individuals to lead the local activation of the program. The same people each year now lead the activities in their region. While the local activation follows the common theme, there is opportunity to customize the program to increase the relevance to their communities. Each year there are even global recognition awards for activations that demonstrate creative activity and engagement. The company also has a peer recognition program known as the Power of You, which recognizes excellence across a range of areas, including ethics. Employees can nominate their peers who have gone above and beyond in their work.
It has proven to be an excellent opportunity to recognize ethical actions on a peer-to-peer basis. Listen in to learn more about P&G’s experience and how you may be able to apply it to your own organization.
Posted by Adam Turteltaub
Getting employees to come forward and provide feedback on the corporate compliance and ethics program is often a challenge. Many are hesitant to talk to compliance at all. Still others may fear that their conversation may lead to more scrutiny by the compliance team. Mary Shirley, Head of Culture of Integrity and Compliance Education at Fresenius Medical Care and co-host of the Great Women in Compliance podcast, found an interesting way to change the dynamic. She made feedback an integral part of the organization's annual Corporate Compliance & Ethics Week celebration. The compliance team there recognized that during the week-long celebration people are eager to participate. That means there is a golden opportunity to collect data from them that can provide insights that might not otherwise be captured. This includes both informal conversations and using things like quizzes to determine how much information from earlier training has been retained. Also, games can help. In one fun exercise they had a ring toss in which, to get a ring, the individual had to correctly answer a question related to compliance. The program has yielded remarkable insights. For example, one part of the compliance team was concerned that it was sending too much email. When they used this opportunity to ask employees what they felt, they were surprised to discover that it was actually a preferred means of communication. Listening has one other benefit: it enables the compliance team to demonstrate that it is responsive to employee workplace concerns. Listen in to learn more about how you can turn Corporate Compliance & Ethics Week into a learning experience both for employees and for the compliance team.
Post by Adam Turteltaub
While we have all grown accustomed to seeing access ramps and automated doors in the physical world, it is easy to forget that the Americans with Disabilities Act (ADA) requires digital accessibility as well. In this podcast, Michelle Landis, co-founder of Accessible360, explains that the challenges start with organizations not even realizing that the ADA sets numerous requirements that organizations must comply with. The challenge posed by this knowledge gap has been both exposed and increased by the pandemic, which has accelerated the need for online resources that are available to all. How do you bank, order groceries, and work from home if the websites you need are not accessible to individuals with physical challenges? For organizations looking to catch up with the digital requirements of the ADA, she recommends starting by taking an inventory of your consumer-facing websites and mobile apps. Those are the ones most likely to be subject to litigation. Next, get a live user assessment by individuals trained in this area and from people who are living with disabilities. She advises being cautious around companies promising to provide a quick fix with a simple overlay. Another pitfall, she warns, is underestimating the time it takes to implement suitable changes to your websites and apps that need them. When faced with a demand letter for changes within 21 days, you should engage your legal team to respond in an appropriate way. Finally, she advises that, as with the physical world, it is better to build in accessibility from the start rather than adding it later. That means keeping it front and center when designing and evolving your organization's digital assets.
Posted by Adam Turteltaub
There are a lot of things you can do to make your organization’s celebration of Corporate Compliance & Ethics Week a success. But sometimes, less is more. Adam Balfour, vice president and general counsel for corporate compliance and Latin America, Bridgestone Americas, explains in this podcast that they realized that it would be better to evolve their celebration from a lot of different activities to just a few and to make them bigger. So what are they doing? For the last few years they have bestowed a series of Leading With Integrity awards. These go to managers who have been nominated by employees for their exemplary leadership when it comes to compliance and ethics issues. All 50,000 of the organization's employees can nominate any leader, manager or supervisor that they think deserves the prize. The nominations are evaluated by a cross-functional panel, which is good for bringing in and engaging other leaders in the organization. Then five or six winners are selected each year, and they are announced during a leadership panel with about 1100 employees on the call. For the winners the greatest impact comes from the recognition and knowing that the CEO knows your name and for a very positive reason. This program has also helped the compliance team gain exposure to people they didn't realize were embodying the organization's commitment to compliance. Another event that they do, or more accurately two events, are leadership panels wherein employees are invited to join in and listen as leaders discuss compliance and ethics issues. It sets a clear tone at the top for the organization and illustrates ethical decision making. Each year, for a little bit of fun, the compliance team puts together an event using ethics issues found in popular TV shows and movies. This helps teach compliance in a more relatable way and leverages good adult learning theory. Finally, the compliance organization offers a Compliance Battle Royale every year.
It's a big production with a bracket of 16 teams competing against each other over a period of four days. There is daily elimination, and it gets very competitive. Got any good ideas of your own to share? If so, add them to the comments below. And be sure to listen to this podcast.
Posted by Adam Turteltaub
If you have ever considered joining the Health Care Compliance Association (HCCA) but haven’t, this podcast will give you cause to reconsider. Julie Sheppard, Founder and President of First Healthcare Compliance, joined the association a decade ago when she was looking for a reliable source of information on healthcare compliance issues. She wanted an unbiased, trusted source of information that would keep her updated on the challenges of managing compliance. Through the years she has taken advantage of a wide range of HCCA programs, from an Academy to web conferences to reading the magazine Compliance Today. She also obtained her Certified in Healthcare Compliance (CHC) designation, which she sees as a means to differentiate herself and demonstrate her expertise. Listen in to learn more about her journey with HCCA and how she sees healthcare compliance evolving over the next few years.
Posted by Adam Turteltaub
Conflicts of interest are a particularly challenging issue in healthcare. Medical professionals may moonlight at a rival hospital, have an interest in a medical device or real estate a hospital is thinking of acquiring, and, of course, have family members who might work at a key vendor. Steven Melinosky, Regional Director Compliance/Investigations and Policy at Trinity Health of New England, explains in this podcast that managing conflicts of interest is possible, with the right policies and procedures in place. That begins with recognizing that one policy is likely not enough. The conflicts faced by leadership and the board are likely quite different than those faced by rank-and-file employees. Conflicts for senior leaders and board members likely should be reviewed by the board chair. Those for employees can typically be handled by the compliance team working with frontline managers. Underlying these efforts must be a culture of compliance from the top down and bottom up. The danger of conflicts of interest must be taught from day one, along with encouragement to report and a clear explanation of the disclosure process. Supervisors need to be trained to identify conflicts, and periodic reminders need to be scheduled. One tool that can help make conflict of interest management simpler is something he created and calls a “Conflict of Interest Dictionary.” It is a spreadsheet designed to help respond to common conflicts. It contains several columns:
* What the conflict is
* What else needs to be known about it, such as if the individual affected has purchasing authority, is in management and at what level
* Why this issue poses a conflict
* Standardized action plans that lay out expectations for behavior
Having this dictionary helps to ensure consistency in the process and greatly expedites actions since a starting point (and potentially an ending post) is already in place.
Along with this dictionary it’s important to take the time to assess the risk – both likelihood and potential impact – of a conflict and to ensure that the plans put in place are sufficient to mitigate the risk. He also recommends providing both the affected employee and his or her manager with a written plan which includes the background, the risks and expectations. Listen in to learn more about how to better manage conflicts of interest and whether a Conflict of Interest Dictionary is right for your program.
Posted by Adam Turteltaub
The 340B program was set up to enable providers of care to Medicaid patients to stretch federal dollars. Hospitals and clinics are able to buy covered, outpatient drugs at a discounted price from manufacturers. As usual, though, what sounds like a simple program poses compliance risks for manufacturers and front-line providers, explain Peggy Tighe (LinkedIn) and Mark Ogunsusi (LinkedIn) of the law firm Powers Pyles Sutter & Verville PC. Providers can either pass the discounted price along to patients or dispense the drugs and get reimbursement from a private or federal payer at regular rates, using the difference to support their services. While the 340B program is designed to be flexible, there are several strings attached. Providers need to ensure that the drugs prescribed go to the patient. In addition, the individual has to meet specific guidance as to what constitutes a patient. Simply writing a prescription is not enough. A set of criteria must be met, and those rules are strict enough that an entire category of software providers has emerged to manage this issue. Other risks for providers to consider include virtual inventories and over-purchasing 340B drugs. For drug manufacturers, it’s essential to ensure that price data is accurate, and that prices do not exceed the ceiling price. A mistake could lead to civil monetary penalties and even termination from the program. Duplicate discounts are also prohibited and pose another risk. Listen in to learn more about how to avoid the many compliance challenges of 340B drug pricing programs.
Posted by: Adam Turteltaub
There are lots of ways to make your organization’s Corporate Compliance & Ethics Week a success. For Tiffany Turner Lynch (LinkedIn) and her colleagues at Winston-Salem State University that meant timing it to the launch of their compliance training initiative. They saw the joint effort as an excellent opportunity to demonstrate that supporting a culture of compliance and ethics is the responsibility of everyone and is something that the university values highly. Before beginning the training, she and the chief counsel met with internal audit to discuss policies that are audited the most. They also discussed issues that most frequently led to calls to audit and legal. In addition, they identified issues that are central to compliance in higher education, such as the Family Educational Rights and Privacy Act (FERPA). Throughout the week they reinforced elements of the training. They also developed a five-part podcast series, each one featuring a different “no” department: Internal Audit, Equal Employment Opportunity, Title IX, the police, legal and compliance. The podcasts served to lift the veil on what happens when an investigation is conducted. They demonstrated not just the process, but also that these departments exist to protect the university and its staff. To add some fun to the celebration they conducted a virtual scavenger hunt. Everyone who was able to answer all the questions was entered into a drawing to win one of two $100 cash gifts. As Tiffany reports in this podcast, the results were outstanding. It helped people understand more about the compliance office, built rapport, raised the comfort level with reporting and engagement with the policy portal. Listen in both to learn more and get some inspiration for your own Corporate Compliance & Ethics Week efforts.
Posted by: Adam Turteltaub
Nobody likes delivering bad news, but if you’re in compliance and ethics, you’re going to have to do it sooner or later. When that time comes, it’s essential you do so in the best way possible. In this podcast, Jeff Hahn (LinkedIn), author and the owner and principal of Hahn Marketing & Communications, reveals that one secret for sharing bad news is to provide the right context. Give management the salient facts and avoid burdening them with every detail. Second, he advises following what he has dubbed “The Goldilocks Rule”. Present options that are not hot enough, not cold enough, and just right. In practice this means ranging from doing nothing to doing something extreme. Generally, the “just right” option prevails and enables leadership to feel bought in to the path forward. Once the goals are set and the organization’s response moves into the implementation stage, it’s time to bring in the line managers. That conversation, he relates, needs to be focused on implementation, and the conversation switches from creative to directive. What about the wider workforce? It’s important to remember that they are brand ambassadors. Inform them to the best of your abilities. Be authentic, and remember that they can check up on you from the inside. When it comes to external communications, the compliance team can be invaluable in creating stakeholder talking points, including a timeline of what happened when. Finally, the conversation explores what not to do in a crisis. There are three things to avoid:
* Make an absolute and outright denial, unless the claim is obviously false and ridiculous
* Attack the accusers
* Scapegoat, especially those who are tangential to the core issue
Listen in to learn more about how to break bad news and be an integral, appreciated part of a crisis response.
Posted by: Adam Turteltaub
The war in Ukraine and the pandemic have both dramatically changed the cyberthreat landscape for healthcare entities. There are many more employees working from home, as well as patients communicating with their physicians remotely. At the same time, governments have warned of potential cyberattacks by Russia. Even without these threats, ransomware provides its own challenges. As Blaise Wabo, Healthcare and Financial Services Leader for A-Lign, explains in this podcast, it’s a fast-growing threat. Deloitte research indicates that ransomware attacks increased by 1755% in 2021. So how should healthcare entities respond? Start by focusing on your people, he advises. They tend to be the weakest link in the security chain. Some common challenges:
* A lack of encryption of their home Wi-Fi
* Routers still with the default password
* Connecting from Starbucks, the airport or hotel without using a VPN
* Falling for a phishing attack
To manage the risk, he recommends starting with a risk assessment that includes third-party suppliers and your supply chain. Determine the vulnerabilities and rank the risks. Then begin implementing controls. Encrypt PHI, even in transit. Conduct phishing training for your staff. Hire a third party to do a penetration test and identify gaps in your security. In addition to preventing problems, steps like these can help when one occurs, given the provisions of the HIPAA Safe Harbor Act. Listen in for more advice and learn how to navigate an increasingly challenging cyber landscape.
Posted by: Adam Turteltaub
Hybrid work is likely here to stay, and, as Sheila Limmroth, privacy specialist at DCH Health System and the author of the chapter Hybrid Work Environment in the Complete Healthcare Compliance Manual, observes in this podcast, it’s up to compliance teams to manage the risks, many of which, even at this stage of the current era, aren’t always recognized. For example, we’re all familiar with the need to secure electronic PHI, but if your employees have printers at home, are they permitted to print out any data? If so, do they have shredders or some other way to destroy the document? Are employees even trained to destroy it? One other consideration: is Alexa listening in on what they are saying? These are but two examples that point to the need to think through all the implications of having a hybrid workforce, even after two years of remote working. So, what should compliance teams be doing? Education is essential so that employees understand that certain behaviors are risky:
* Talking on your cell about a patient while sitting in Starbucks is not a good idea.
* Phishing remains a substantial risk in the home office as it is in the workplace.
* The router needs to be secured with a password other than the default one that comes out of the box.
At the same time there’s a need to also recognize the new challenges inside the facility. When it comes to telehealth, not all videoconferencing software is created equal. The platform must be HIPAA compliant. Even for video conference calls it’s probably a good idea to issue PINs to the attendees. The bottom line is it’s time to revisit your organization’s risks and policies to determine what works and what doesn’t as more employees return to the office while many remain at home. Listen in to learn more, and be sure to check out the Complete Healthcare Compliance Manual.
Post by: Adam Turteltaub
Isabella Porter is the director of compliance and privacy officer of District Medical Group and author of the chapter “Patient Privacy and Security: Business Associates” in the Complete Healthcare Compliance Manual. In this podcast she shares the key considerations that covered entities – physicians, hospitals, health plans and others who fall under the requirements of HIPAA – must weigh when working with their various business associates (BA) with whom they share personal health information (PHI). When considering a potential new business associate she recommends ensuring that the vendor understands that it meets the definition of a business associate. Quite often they do and already have on hand a business associate agreement. It’s preferable to ask them to default to your own agreements, but if they do not – for practical reasons business associates with a large number of customers cannot accommodate each customer’s agreement – see if they are willing to amend their own, if necessary. When assessing a BA, also take the time to determine if they are using subcontractors. If they do, they should be referenced in the BA agreement. Also, ask the vendor what kind of checks they are doing on their vendors and their own ongoing monitoring efforts. One important thing to also check: where the data is housed. If the servers are outside of the US, there may be other laws to consider such as the European General Data Protection Regulation (GDPR). Listen in to learn about the requirements of ensuring the safety of your BA agreements, including ten elements that need to be included in each one.
Posted by: Adam Turteltaub
The EU Whistleblower Directive, enacted in 2019, has as its primary goal to protect whistleblowers. As Geert Vermeulen, CEO of The Integrity Coordinator and long-time compliance professional, explains in this podcast, the Directive reflects a significant change in course for the EU where, for a long time, there had been a great hesitancy to trust whistle blowing. The Directive reflects a new approach that embraces the idea that, if whistleblowers are better protected, we can better detect and prevent harm to the public. The directive applies to organizations of 250 or more employees, and from the end of 2023 companies as small as 50 employees. In addition, it applies to all companies in financial services, regardless of size, as well as those subject to AML legislation. These include real estate brokers, law firms and accountancies. Whistleblowers are protected against retaliation, and the burden of proof is shifted to the employer, who must prove that any adverse action taken against a whistleblower was unrelated.
Other provisions of the Directive include:
* Non-disclosure agreements are invalid in the context of whistle blowing
* Reports at subsidiaries may only be reported up to the group level if the whistleblower permits
* There must be a secure and confidential whistle blowing channel for each legal entity
* A neutral party must receive the report and follow up
* The compliance team can be that party but its charter must reflect its independence
* GDPR still applies, but when processing personal data of the accused person, he or she does not need to be immediately notified
* The identity of the reporter must be kept confidential, unless the reporter agrees with making the identity public
* The reporter should be notified of the receipt of the report within seven days and provided substantial feedback on the report within three months
Adding to the complexity is that each country in the EU will need to pass its own laws to implement the directive, leading to subtle, and potentially significant, differences from nation to nation. All in all, it’s a substantial change and worth listening in to learn more about what the EU Whistleblower Directive means for your compliance and ethics program.
By Adam Turteltaub
While the Covid pandemic has grabbed the headlines, opioids have continued to kill Americans in large numbers. As Seth Whitelaw, President and CEO of Whitelaw Compliance Group, explains in this podcast and in the chapter “The Opioid Crisis and the Risk of Diversion” in the Complete Healthcare Compliance Manual, while prescription-related deaths have seen some decline, they remain far too high, largely due to the problem of diversion into illegal forms of distribution. To prevent diversion, healthcare providers and their compliance teams need to pay close attention to the information they are receiving. Distributors, manufacturers, physicians and pharmacists all generate and have access to prescribing data. It’s essential to ask questions such as: Is the patient demonstrating addictive behavior? Is a physician writing prescriptions at a rate suggesting he or she is spending little to no time with patients before prescribing? Did the pharmacy order ten times more opioids than usual because something is awry, or because someone innocently added a zero at the end of the order? All of this means there is a strong human element to controlling diversion. While the automated systems are good at identifying outlying activity, there is still a need for a person to find out what exactly is going on. That can include seeing if there is a line of people waiting outside a physician’s office, or if a pharmacy parking lot is filled with out-of-state license plates. There are not necessarily any bright lines, he explains, which makes it all the more important to pay attention and make the necessary disclosures to the DEA if a good explanation cannot be found. Listen in to learn more, and be sure to check out the Complete Healthcare Compliance Manual.
Post by: Adam Turteltaub
Antitrust is a long-time risk area for compliance teams to manage, but its longevity does not mean it is not evolving. New issues arise as times and Administrations in Washington change. Nathan Mendelsohn, Associate in the Washington, DC office of the law firm Wilson Sonsini Goodrich & Rosati, lays out what is new in antitrust in this podcast and in the chapter “Federal Antitrust Law Risks – 2022” in The Complete Compliance and Ethics Manual. Some areas of antitrust law are well known. Agreements by competitors to rig bids, allocate markets or set prices are generally considered illegal per se and can open up the door to criminal prosecutions of both individuals and organizations. Other kinds of agreements, he explains, are subject to what is known as the “rule of reason”. In a nutshell, it calls for an assessment as to whether the agreement makes sense and was not designed just to protect the parties and unfairly hurt others. As for compliance programs in antitrust, the ground is changing. During the leniency program era, only the first company to self-report anticompetitive behavior received credit. Its co-conspirators, no matter how good the compliance program, received none. Then in 2015 the Department of Justice began giving credit for forward-looking compliance programs: what the company had done since the violation to protect against its reoccurrence by strengthening compliance efforts. Then, beginning in 2019, the Antitrust Division began, at least on paper, giving credit for existing compliance programs. Thus far, though, no organization has qualified for it. At the same time, the focus of attention for the DOJ has continued to evolve, most notably when it comes to the labor market. The division has pursued several cases related to no-poach agreements, in which companies agree not to poach each other’s workers. Many believe that this has kept wages lower than they might be. Non-compete agreements are also under scrutiny.
Another trend to watch out for: transnational prosecutions. Listen in to learn more, and be sure to explore what’s available in The Complete Compliance and Ethics Manual.