Compliance Perspectives

By Adam Turteltaub The 340B Drug Pricing Program was created to protect safety net hospitals from rising drug prices. It allows them to purchase outpatient drugs, and pharma companies to sell those drugs, at a discount. In this podcast, Jason Reddish (LinkedIn), Principal and Mark Ogunsusi (LinkedIn), Associate, at Powers Pyles Sutter & Verville provide an overview of the program and the compliance requirements. They are also two of the authors of the chapter “Pharmacy:  340B Drug Pricing Program” in the Complete Healthcare Compliance Manual. The 340B program helps hospitals that are the last line of defense for underserved communities, including those with a large percentage of Medicaid patients. Often, they are the only hospital around in rural areas. Also helped by the program are federal grantees such as Ryan White clinics and those providing treatment for STDs. The program dictates which entities can buy discounted drugs and have very specific requirements including two very important ones. First, th

By Adam Turteltaub Currently on hold due to pending court challenges, the SEC’s rules to standardize climate-related disclosures created a fire storm of controversy and comments when first proposed. The final rules (assuming the courts sides with the SEC), explains Laura Ann Smith and Judy Mayo of the communications firm Labrador (LinkedIn), reflected strong industry pushback, easing the burden on some 4000 filers. Nonetheless, there are serious demands on industry. To quote from the SEC press release, registrants will be required to disclose: Climate-related risks that have had or are reasonably likely to have a material impact on the registrant’s business strategy, results of operations, or financial condition; The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook; If, as part of its strategy, a registrant has undertaken activities to mitigate or adapt to a material climate-related risk, a quantitative and qualit

By Adam Turteltaub It used to be that tracking email usage was considered tough. These days the workforce is also communicating via text, WeChat, Slack and countless other channels both internally and externally. That can be a total nightmare since prosecutors want access to all those conversations. What makes things harder is that employees may be resistant, feeling that the communications they have on their phone, especially in organizations with a Bring Your Own Device (BYOD) policy, is private. The employee owns the phone, not the company. Eddie Green (LinkedIn), CEO of SnippetSentry advises companies get their heads around this problem. Digital compliance is broadening out from the investment community to pharma and elsewhere. To manage the issue, some companies are now scrapping BYOD policies and making it clear that all work communications need to go on work-owned devices. They are also looking for solutions which enable employees to communicate in familiar ways, but with the tracking that logs all

By Adam Turteltaub In January 2024 the US Attorney’s Office for the Southern District of New York (SDNY) set a shockwave through the business world by announcing a new whistleblower pilot program. To understand what the policy says and what it likely means for compliance programs, we spoke with Todd Haugh (LinkedIn), Associate Professor of Business Law and Ethics, Arthur M. Weimer Faculty Fellow in Business Law at the Kelley School of Business at Indiana University. Under the policy, he explains, individuals who have participated in a fraud may be eligible for a non-prosecution agreement, if the individual meets three key criteria: They provide information that is not previously known to prosecutors and is produced voluntarily, not subsequent, say, to an arrest. The information is full, substantial and truthful. The individual is not otherwise disqualified, such as serving as a government official or the CEO or CFO of the company. Given the incentives already in place for companies to self-report wr

By Adam Turteltaub In late 2023, The Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues

By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things: Adopt a problem-solving approach Tailor your efforts to the most pressing issues Timing: anticipate what the business needs to move forward Listen in to learn more and gain other tips for fully embedding compliance into th

By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches have soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosyste

By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very

By Adam Turteltaub Krista Muszak is organized. More importantly, the longtime compliance professional and Senior Manager, Regional Process & Optimization Lead for Pfizer knows how to keep others organized as well. She will be sharing some of this wisdom in Nashville at the 2024 HCCA Compliance Institute in the session “Muda, Mura, Muri to Veni Vidi Vici: Applying Project Management and Process Improvement to Your Compliance Program.”  She also shares a bit of it here in the latest Compliance Perspectives podcast. First, she explains that the title comes from terms used by Toyota to improve the process flow at their plants and eliminate waste. Muda is about eliminating waste and activities that don’t add value. Mura speaks to addressing variability in operations to increase stability and reduce unnecessary variations. Mudi addresses not overloading people and the business with too many asks, such as releasing a round of training at the same time as year-end activities. Embracing these concepts can incre

By Adam Turteltaub When it comes to compliance technology, there are two challenges. First is finding the right solutions to increase your programs effectiveness. Second is securing the resources to acquire and deploy the technology. Parth Chanda, Founder and CEO of Lextegrity, covers both topics in this podcast. When it comes to tech, he explains, you want tools that give you the confidence that your program is effective in practice and not just on paper. You also need to prioritize based on risk, and your organization’s own experience with technology. If the history is short or non-existent, start with something relatively simple such as training or policy management.  Tools that can make it easier for employees to report wrongdoing are also invaluable. To secure the resources you need, he advises making the business case by focusing on the ROI, for example, by showing that investigations can be completed in less time and with less staff. But, as you look at technology, be realistic and recognize that

By Adam Turteltaub Imagine you are at a large company with thousands of suppliers. As a part of the compliance team you need to understand the risk of working with each and every one of them. To do that you may need to understand the ownership structure, where they source materials, where and how they manufacture, and a host of other data about each and every one of them. That’s a daunting task. It’s also one that Jenna Wells, Chief Customer and Product Officer at Supply Wisdom believes is ideally suited for AI. With human supervision it can help with such a large, seemingly impossible undertaking. AI, she argues, can be an effective tool for enabling compliance programs to better understand the risks they face and then focus on the most important ones. To get there, compliance teams need to get a handle on the data that they have that is normally siloed. Look to external sources for regulatory data and emerging legislation, she suggests. At the same time, though, it’s important to understand the limitat

By Adam Turteltaub Traditionally, explains, Tanya Ganguli (LinkedIn), Principal Associate, Law Offices of Panag & Babu, India’s criminal law framework revolved around the Indian Penal Code, The Code of Criminal Procedure and the Indian Evidence Act, two of which dated back to the 19th century. That changed with the passage of three new laws: the Bharatiya Nyaya (Second) Sanhita, 2023, the Bharatiya Nagarik Suraksha (Second) Sanhita, 2023 and the Bharatiya Sakshya (Second) Bill, 2023. Together they seek to bring criminal law into the 21st century and build off of long-established precedents. They are designed, she reports, to address loopholes, enhance efficiency and ensure justice. The laws are now more victim centric, but may not be too transformative, according to Tanya, for most compliance and ethics programs. Nonetheless, there are changes. New rules for searches and seizures will likely require updated training on dawn raids. Summons can now be delivered electronically. There is much greater need to d

By Adam Turteltaub As of January 2024, there’s a new Code of Conduct of the Volkswagen Group, replacing one developed in 2017. To understand what led to the latest iteration of the code and the vision behind it we spoke with Silke Becker and Sarah Specht (LinkedIn) of Volkswagen Group Integrity & Compliance. They are part of a team lead by Tina Landsmann, Head of Volkswagen Group Center of Competence Integrity & Compliance Awareness & Qualification and Dr. Kurt Michels, Volkswagen Group Chief Integrity & Compliance Officer. The code was updated to reflect changing times, including the draft European Supply Chain Act. This required a change in content, but the team also chose to update the tone and feel. The language of the document now focuses on “we” and “us”, and it is very proactive, making the document less about what the board or management calls for and is instead about what we as a group are committing to. Each section of the code has a headline that reinforces this message: “We take responsibility

By Adam Turteltaub On January 5, 2023 the EU Corporate Sustainability Reporting Directive went into force. The directive broadens the scope of companies report on sustainability issues, adds to the amount of information that needs to be reported, and even requires external assurance, reports Elena Sychenko (LinkedIn), Adjunct Professor at the Department of Management at the University of Bologna and currently a Fulbright Scholar at the Wharton School of Business. The directive now covers all listed companies with the exception of micro enterprises. Also falling under it are non-EU companies that have a significant presence in the EU. The reporting requirements, which are still being fully developed, closely follow the Global Reporting Initiative (GRI) standards and focus on ESG explicitly, with several areas of reporting under E, S, and G. These include: E: climate change, pollution, water, biodiversity S: the organization’s own workforce, the workforce in the value chain, affected communities, consum

By Adam Turteltaub The No Surprises Act is a significant change to how healthcare coverage is handled and billed. In general, it eliminates balance billing in three typical areas: A patient is brought to an emergency room in an out of network hospital A patient is transported by air ambulance A patient is being cared for at an in-network hospital but, unbeknownst to him or her, a physician or service that is out of network provides care. To understand the Act more fully, we spoke with Brian Stimson, Partner, Arnall Golden Gregory, who will be leading the session The All Surprises Act:  Avoiding Compliance Pitfalls and Responding to Administrative Enforcement Actions under the Surprise Billing Laws at the 2024 HCCA Compliance Institute. As he explains, there is a two-tiered enforcement structure to the law, with both individual states and the federal government involved. Compliance teams looking to ensure their organizations are complying need to pay close attention to patient complaints. These can

By Adam Turteltaub When it comes to risk assessments, the word “annual” comes up a lot. But, Kelly Alwin, Regional Compliance Officer North America for SAP America, believes that once a year may be more than a bit too long. To her, a risk assessment is more than a periodic assessment and an annual chore. It is critical to the program’s success and lends credibility and substance to the compliance program. She points out that from the Delaware Chancery Court to the US Department of Justice, the importance of a strong risk assessment is underscored. In this podcast she argues that, for the risk assessment to play the role it should, it can’t afford to sit on the shelf. It needs to be a dynamic document that both informs all the other elements of the program and evolves as risks evolve, whether due to a new go to market strategy, a merger or an entry into a new market. Bottom line: look at your risk assessment, she advises, not as a discrete activity but as a continuous analysis. Incorporate micro assessment

By Adam Turteltaub Behavioral health shares many of the same compliance challenges as the rest of healthcare, but it also has several of its own. To understand the risks, we sat down with Community Counseling Solutions’ Executive Director Kimberly Lindsay and Compliance & Privacy Officer Tim Timmons. They will be leading the session “Developing an Ethics and Compliance Program in Behavioral Health” at the HCCA 28th Annual Compliance Institute, which will be in Nashville, April 14-17 and also offered in a virtual format. In this podcast they identify several typical compliance challenges in the behavioral health setting: Managers and supervisors who are well intentioned but busy, not holding staff accountable and not reporting in a timely manner. Incidents after hours when a patient is in crisis. This is a very difficult situation.  The team is eager to help the patient get better, but with lots of adrenaline flowing in a difficult situation, they may find themselves sharing more information about the

By Adam Turteltaub While Ericsson is best known for its mobile phones, the company’s reach in wireless is far greater. It is the creator of Bluetooth technology, owns patents on much of the critical IP that wireless systems depend on, and is active in more than 180 countries providing much of the hardware, and even cellphone towers, that enables all of us to talk, text, and surf the web wherever we are in the world. Jan Sprafke, Chief Compliance Officer at Ericsson, explains in this podcast that with that global reach – including operations in approximately 100 high risk countries – also comes a large network of suppliers. To manage the potential compliance challenges that go along with it, the company uses a risk-based approach to supplier management They assess the country risk, go to market approach and whether the supplier will be using subcontractors. Then they work closely with sourcing and other assurance functions on an ongoing basis. The company’s supplier code of conduct is shared with their ven

By Adam Turteltaub Julie Janeway (LinkedIn), General Counsel and principal owner, Principled  Healthcare Consulting will be speaking about internal and parallel investigations at the 2024 HCCA Compliance Institute. In this podcast she slices off a bit of that expertise. A thorough investigation is needed, she advises whenever there is an issue that could require arbitration, a court case, administrative hearing, contractual dispute or reputational issues, whether by an employee, contractor or the organization itself. The same is true if there is a policy breach or alleged violation of the code of conduct. So how best to do it? Have both an investigation plan and a preplan which designates who will be responsible for the investigation depending on what the issue is. For example, a privacy officer would likely play the lead role in a HIPAA breach allegation. As for the plan itself, it should be thorough. The team executing it should include individuals with a wide range of skills and, she highly recommends

By Adam Turteltaub In 1984 I went to my friend Chris’s wedding, and one of the other groomsmen, Drew Neisser (LinkedIn), his then boss, talked me into pursuing a career in advertising. Just a few months shy of 40 years later, I caught a video on LinkedIn of him with chief marketing officers discussing the struggles of managing remote workers. It didn’t matter that these were marketing people, the problems sounded just like we in compliance face. So, I asked Drew, who is the founder of CMO Huddles and the author of the book Renegade Marketing:  12 Steps to Building Unbeatable B2B Brands, to sit down and do a podcast on the topic. Drew points out that, despite workers being required to come into the office more often, there is still a cost to remote work. Churn is higher than before. Partners at law firms complain that their associates are years behind in their development, likely due to the inability to learn by osmosis. So what do we do? He recommends that we recognize the present reality and look to hire