Compliance Perspectives

By Adam Turteltaub In late 2023, The Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues

By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things: Adopt a problem-solving approach Tailor your efforts to the most pressing issues Timing: anticipate what the business needs to move forward Listen in to learn more and gain other tips for fully embedding compliance into th

By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches have soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosyste

By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very

By Adam Turteltaub Krista Muszak is organized. More importantly, the longtime compliance professional and Senior Manager, Regional Process & Optimization Lead for Pfizer knows how to keep others organized as well. She will be sharing some of this wisdom in Nashville at the 2024 HCCA Compliance Institute in the session “Muda, Mura, Muri to Veni Vidi Vici: Applying Project Management and Process Improvement to Your Compliance Program.”  She also shares a bit of it here in the latest Compliance Perspectives podcast. First, she explains that the title comes from terms used by Toyota to improve the process flow at their plants and eliminate waste. Muda is about eliminating waste and activities that don’t add value. Mura speaks to addressing variability in operations to increase stability and reduce unnecessary variations. Mudi addresses not overloading people and the business with too many asks, such as releasing a round of training at the same time as year-end activities. Embracing these concepts can incre

By Adam Turteltaub When it comes to compliance technology, there are two challenges. First is finding the right solutions to increase your programs effectiveness. Second is securing the resources to acquire and deploy the technology. Parth Chanda, Founder and CEO of Lextegrity, covers both topics in this podcast. When it comes to tech, he explains, you want tools that give you the confidence that your program is effective in practice and not just on paper. You also need to prioritize based on risk, and your organization’s own experience with technology. If the history is short or non-existent, start with something relatively simple such as training or policy management.  Tools that can make it easier for employees to report wrongdoing are also invaluable. To secure the resources you need, he advises making the business case by focusing on the ROI, for example, by showing that investigations can be completed in less time and with less staff. But, as you look at technology, be realistic and recognize that

By Adam Turteltaub Imagine you are at a large company with thousands of suppliers. As a part of the compliance team you need to understand the risk of working with each and every one of them. To do that you may need to understand the ownership structure, where they source materials, where and how they manufacture, and a host of other data about each and every one of them. That’s a daunting task. It’s also one that Jenna Wells, Chief Customer and Product Officer at Supply Wisdom believes is ideally suited for AI. With human supervision it can help with such a large, seemingly impossible undertaking. AI, she argues, can be an effective tool for enabling compliance programs to better understand the risks they face and then focus on the most important ones. To get there, compliance teams need to get a handle on the data that they have that is normally siloed. Look to external sources for regulatory data and emerging legislation, she suggests. At the same time, though, it’s important to understand the limitat

By Adam Turteltaub Traditionally, explains, Tanya Ganguli (LinkedIn), Principal Associate, Law Offices of Panag & Babu, India’s criminal law framework revolved around the Indian Penal Code, The Code of Criminal Procedure and the Indian Evidence Act, two of which dated back to the 19th century. That changed with the passage of three new laws: the Bharatiya Nyaya (Second) Sanhita, 2023, the Bharatiya Nagarik Suraksha (Second) Sanhita, 2023 and the Bharatiya Sakshya (Second) Bill, 2023. Together they seek to bring criminal law into the 21st century and build off of long-established precedents. They are designed, she reports, to address loopholes, enhance efficiency and ensure justice. The laws are now more victim centric, but may not be too transformative, according to Tanya, for most compliance and ethics programs. Nonetheless, there are changes. New rules for searches and seizures will likely require updated training on dawn raids. Summons can now be delivered electronically. There is much greater need to d

By Adam Turteltaub As of January 2024, there’s a new Code of Conduct of the Volkswagen Group, replacing one developed in 2017. To understand what led to the latest iteration of the code and the vision behind it we spoke with Silke Becker and Sarah Specht (LinkedIn) of Volkswagen Group Integrity & Compliance. They are part of a team lead by Tina Landsmann, Head of Volkswagen Group Center of Competence Integrity & Compliance Awareness & Qualification and Dr. Kurt Michels, Volkswagen Group Chief Integrity & Compliance Officer. The code was updated to reflect changing times, including the draft European Supply Chain Act. This required a change in content, but the team also chose to update the tone and feel. The language of the document now focuses on “we” and “us”, and it is very proactive, making the document less about what the board or management calls for and is instead about what we as a group are committing to. Each section of the code has a headline that reinforces this message: “We take responsibility

By Adam Turteltaub On January 5, 2023 the EU Corporate Sustainability Reporting Directive went into force. The directive broadens the scope of companies report on sustainability issues, adds to the amount of information that needs to be reported, and even requires external assurance, reports Elena Sychenko (LinkedIn), Adjunct Professor at the Department of Management at the University of Bologna and currently a Fulbright Scholar at the Wharton School of Business. The directive now covers all listed companies with the exception of micro enterprises. Also falling under it are non-EU companies that have a significant presence in the EU. The reporting requirements, which are still being fully developed, closely follow the Global Reporting Initiative (GRI) standards and focus on ESG explicitly, with several areas of reporting under E, S, and G. These include: E: climate change, pollution, water, biodiversity S: the organization’s own workforce, the workforce in the value chain, affected communities, consum

By Adam Turteltaub The No Surprises Act is a significant change to how healthcare coverage is handled and billed. In general, it eliminates balance billing in three typical areas: A patient is brought to an emergency room in an out of network hospital A patient is transported by air ambulance A patient is being cared for at an in-network hospital but, unbeknownst to him or her, a physician or service that is out of network provides care. To understand the Act more fully, we spoke with Brian Stimson, Partner, Arnall Golden Gregory, who will be leading the session The All Surprises Act:  Avoiding Compliance Pitfalls and Responding to Administrative Enforcement Actions under the Surprise Billing Laws at the 2024 HCCA Compliance Institute. As he explains, there is a two-tiered enforcement structure to the law, with both individual states and the federal government involved. Compliance teams looking to ensure their organizations are complying need to pay close attention to patient complaints. These can

By Adam Turteltaub When it comes to risk assessments, the word “annual” comes up a lot. But, Kelly Alwin, Regional Compliance Officer North America for SAP America, believes that once a year may be more than a bit too long. To her, a risk assessment is more than a periodic assessment and an annual chore. It is critical to the program’s success and lends credibility and substance to the compliance program. She points out that from the Delaware Chancery Court to the US Department of Justice, the importance of a strong risk assessment is underscored. In this podcast she argues that, for the risk assessment to play the role it should, it can’t afford to sit on the shelf. It needs to be a dynamic document that both informs all the other elements of the program and evolves as risks evolve, whether due to a new go to market strategy, a merger or an entry into a new market. Bottom line: look at your risk assessment, she advises, not as a discrete activity but as a continuous analysis. Incorporate micro assessment

By Adam Turteltaub Behavioral health shares many of the same compliance challenges as the rest of healthcare, but it also has several of its own. To understand the risks, we sat down with Community Counseling Solutions’ Executive Director Kimberly Lindsay and Compliance & Privacy Officer Tim Timmons. They will be leading the session “Developing an Ethics and Compliance Program in Behavioral Health” at the HCCA 28th Annual Compliance Institute, which will be in Nashville, April 14-17 and also offered in a virtual format. In this podcast they identify several typical compliance challenges in the behavioral health setting: Managers and supervisors who are well intentioned but busy, not holding staff accountable and not reporting in a timely manner. Incidents after hours when a patient is in crisis. This is a very difficult situation.  The team is eager to help the patient get better, but with lots of adrenaline flowing in a difficult situation, they may find themselves sharing more information about the

By Adam Turteltaub While Ericsson is best known for its mobile phones, the company’s reach in wireless is far greater. It is the creator of Bluetooth technology, owns patents on much of the critical IP that wireless systems depend on, and is active in more than 180 countries providing much of the hardware, and even cellphone towers, that enables all of us to talk, text, and surf the web wherever we are in the world. Jan Sprafke, Chief Compliance Officer at Ericsson, explains in this podcast that with that global reach – including operations in approximately 100 high risk countries – also comes a large network of suppliers. To manage the potential compliance challenges that go along with it, the company uses a risk-based approach to supplier management They assess the country risk, go to market approach and whether the supplier will be using subcontractors. Then they work closely with sourcing and other assurance functions on an ongoing basis. The company’s supplier code of conduct is shared with their ven

By Adam Turteltaub Julie Janeway (LinkedIn), General Counsel and principal owner, Principled  Healthcare Consulting will be speaking about internal and parallel investigations at the 2024 HCCA Compliance Institute. In this podcast she slices off a bit of that expertise. A thorough investigation is needed, she advises whenever there is an issue that could require arbitration, a court case, administrative hearing, contractual dispute or reputational issues, whether by an employee, contractor or the organization itself. The same is true if there is a policy breach or alleged violation of the code of conduct. So how best to do it? Have both an investigation plan and a preplan which designates who will be responsible for the investigation depending on what the issue is. For example, a privacy officer would likely play the lead role in a HIPAA breach allegation. As for the plan itself, it should be thorough. The team executing it should include individuals with a wide range of skills and, she highly recommends

By Adam Turteltaub In 1984 I went to my friend Chris’s wedding, and one of the other groomsmen, Drew Neisser (LinkedIn), his then boss, talked me into pursuing a career in advertising. Just a few months shy of 40 years later, I caught a video on LinkedIn of him with chief marketing officers discussing the struggles of managing remote workers. It didn’t matter that these were marketing people, the problems sounded just like we in compliance face. So, I asked Drew, who is the founder of CMO Huddles and the author of the book Renegade Marketing:  12 Steps to Building Unbeatable B2B Brands, to sit down and do a podcast on the topic. Drew points out that, despite workers being required to come into the office more often, there is still a cost to remote work. Churn is higher than before. Partners at law firms complain that their associates are years behind in their development, likely due to the inability to learn by osmosis. So what do we do? He recommends that we recognize the present reality and look to hire

By Adam Turteltaub Some people have a gift for invisibly attending a conference, and no one knows that they were even there. That’s great for a conference of spies, but most people at compliance conferences like to meet at least some of the other attendees. For many, though, connecting with strangers is difficult, whether they know no one or they are shy about going beyond their usual circle of contacts. So what do you do if you are one of them? To find out we spoke with Richard Bistrong (LinkedIn), newsletter author and CEO Of Frontline Antibribery, who will be moderating a general session at the 2024 SCCE European Compliance & Ethics Institute in Amsterdam. If you spot someone standing alone and looking a bit lost, he recommends you think like a host and invite them to join you. Even if you’re already talking with friends, he advises being a croissant and not a bagel: be sure there is an opening for others. Make the effort to catch them up with the conversation – “we were just discussing helplines”—and

By Adam Turteltaub Compliance programs have come far over the last few decades, but there is still more that they could do to elevate their performance. In this podcast, Alison Taylor, Clinical Associate Professor at NYU Stern School of Business and author of the book Higher Ground shares some intriguing and provocative ideas for improvement. She is a strong believer in what she calls “firm foundations”. These foundations avoid having too many rules which can, inadvertently, have a negative impact, causing employees to abdicate responsibility for their action and grow overly reliant on following rules. Instead, she argues for simplifying and being attuned to human behavior and the role of incentives. Be wary too, she advises, of mixed messages and potentially pernicious effects when it appears, whether true or not, that the rules for the rank and file do not apply to leadership. It degrades trust and the culture. To get more employees to speak up when they see wrongdoing, she advises investing the time in

By Adam Turteltaub Clara Becerra Campos, Senior Compliance Analyst-Europe for TD SYNNEX, and Dr. Tobias Kruis, Head of Corporate Compliance, Giesecke+Devrient, will be addressing the new EU whistleblowing requirements at the 2024 SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 18-20. In this podcast, they delve into the challenges posed by the directive, which significantly expands the number of EU-based and non-EU-based companies that must comply. The directive not only provides protections for whistleblowers, they explain. It also establishes procedures and deadlines for handling reports. As significantly, it leaves the door open to variations among EU member states, which complicates the picture considerably. So what should you do? If your organization does not have a whistleblower line already in place they recommend you: Implement an internal reporting channel Be sure it’s aligned with legal and data privacy Consider who will manage the system and conduct the

By Adam Turteltaub At the 2024 SCCE European Compliance & Ethics Institute, Segev Shani, Chief Compliance & Regulatory Officer at Neopharm Group will be leading the session “Corporate Use of Third-Party Artificial Intelligence (AI) Tools.” In this podcast he shares that a great deal of risk comes from the headlong pursuit of AI technology. Businesses believe that if they are not using Ai that they will be left behind, but the adoption rate is not being matched with a complete understanding of what AI is. To manage this issue, he recommends creating an AI governance model that balances the risks and rewards. It can help employees and managers understand the risks, including inaccuracy, bias and both misuse and improper use of intellectual property. And, of course, there can be substantial privacy risks as well. Listen in as he discusses proper governance, the need for training and the importance of integrating AI governance into business processes. Then plan on joining us in Amsterdam, 18-20 March, at the