Health Care Corporate Governance: Board Oversight of Compliance in Light of DOJ’s New Guidance Artwork

AHLA's Speaking of Health Law

The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.

All Episodes

AHLA's Speaking of Health Law

Health Care Corporate Governance: Board Oversight of Compliance in Light of DOJ’s New Guidance

October 18, 2024 • AHLA Podcasts

Rob Gerberry, Senior Vice President and Chief Legal Officer, Summa Health, speaks with Michael Peregrine, Partner, McDermott Will & Emery, about the Department of Justice’s (DOJ’s) updated compliance program guidance and its implications for Board oversight of compliance. They discuss the DOJ’s updated Evaluation of Corporate Compliance Programs guidance, what Boards need to know, and specific considerations for the health care industry.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1: 0:00

Speaker 2: 0:07

This episode of A HLA speaking of health law is brought to you by A HLA members and donors like you. For more information, visit american health law.org.

Speaker 3: 0:21

Welcome everyone. I'm Rob Berry. I'm the Chief Legal Officer at Summa Health, and a member of the American Health Law Board of Directors. I'd like to welcome you to the latest in our continuing series of key corporate governance issues affecting healthcare organizations. Today's topic is the continuing board obligation around its oversight of compliance and how that's impacted by something new. The release of updated compliance program, guidance from the Department of Justice, something of a fundamental but critical change around the implic implications to corporate officerships. And as always, we're joined by my HLA colleague and friend Michael Peregrine of McDermott. Will Michael is a fellow of the American Health Law Association, and also a fellow of the American College of Governance Council . So, welcome, Michael

Speaker 4: 1:06

Rob , how are you ?

Speaker 3: 1:08

Doing well. So Michael, what are we talking about related to this new Department of Justice development? What would you share with our membership?

Speaker 4: 1:15

Well, you know, Robbie , only a compliance officer or a health lawyer would find this interesting and exciting. Uh, but yeah , that's what we do, I guess, for a living. Uh , and , uh, on September 23rd, on Monday, the Department of Justice, without any fanfare , uh, released the latest version of what they call, it's a mouthful, the Evaluation of Corporate Compliance Programs Guidance. And I think a lot of our listeners know that this is a very valuable resource historically , uh, as a guide to compliance officers and legal counsel and , and structuring the compliance plan. Uh , the DOJ refers to it as the roadmap by which it's criminal division. Prosecutors evaluate the effectiveness of a company's compliance program for purposes of resolving a criminal investigation. So when , when they make changes to it, we pay attention.

Speaker 3: 2:09

That's great. And something interesting maybe to you and I, but I suspect a whole , a lot of other organizations listening today , um, they may not be on the brink of A DOJ investigation. So what's the connection to our governance audience today?

Speaker 4: 2:22

Well , that's a real fair question, Rob, and I think it all goes back to the Board's Care Mart obligation to, to monitor the central compliance risks of the organization, especially , especially its its mission critical risk. Uh , this is the obligation that's consistently interpreted as the fiduciary basis for the board's monitoring the effectiveness of the compliance program. In other words, Caremark tells the boards you all need to have in place as an aspect of your duty of care, some mechanism to monitor the compliance risk of the organization. That is , uh, generally interpreted be the organization's compliance plan and the , uh, uh, ECCP as well as the federal sentencing guidelines are , are the best resources for helping us to determine whether or not those compliance plans are effective. So , uh, there , that's a technical answer your question. The simple answer is the board's got a duty to keep an eye on what the , whether the compliance plan is working, and the ECCP is an , is a great tool to help it in that regard.

Speaker 3: 3:29

So the thinking is the boards can best meet their Caremark obligations by evaluating the new ECCP guidance and the compliance program messaging that it sends.

Speaker 4: 3:38

Yeah, I think that's, if I'm a board member, if I'm an audit and compliance committee member, I'm saying, you know, okay , uh, Rob, you're telling me that I have a fiduciary obligation to monitor the effectiveness of the compliance plan, and I get it, that that's case law. How do I do that? Where are the rules of the road? In our answer would be the federal sentencing guidelines , uh, some material from , uh, the Office of Inspector General and , and the ECCP. That's the , your universe of information. Uh, that helps tell you what, and I should also mention a series of publications going back to when I was a young pup , uh, uh, a HLA, some material monographs prepared by , uh, A HLA . Uh , but it's a small universe of guidelines.

Speaker 3: 4:17

So Michael , in our world, we spend a lot of time providing governance counsel on what's a governance responsibility, what's a management responsibility? Do you see this issue more being one that's an operational issue that management should handle the chief legal officer, the chief compliance officer, they read the changes, they implement the changes and make sure that it gets done? Or how do you see that balance of responsibilities?

Speaker 4: 4:37

Oh, yeah. I, I think , uh, I'd be concerned about a board member who read all 23 pages of the E-C-C-P-I, you know, if they have asked them if they have a , uh, another life there. But so practically speaking to your question, sure. Yeah. Uh , but the board, and I think more directly it's audit compliance Committee needs to have a general feel for what's in this document, what changes it proposes, and the overall implications for compliance oversight. Uh , it's gonna expect us legal and compliance leadership to get into the weeds of the document and brief them on these points. But I think our message to our board clients is that they need to be prepared to take some action with respect to what they hear. In other words, this is what's new. We want you to understand the, we've read it for you, here are our , our highlights, but it's important that you have some kind of reaction to it .

Speaker 3: 5:29

So, Michael, if you were presenting to a board or to a board audit committee, what would you share with them about these new revisions?

Speaker 4: 5:35

Uh, uh, well, I , it depends on how much time I have, but let's just say I have the typical three minutes or four minutes into time and before the board , uh, I think from a 10,000 foot level , uh, I think I'm going to tell them that , uh, this latest version of the , uh, guidelines incorporates what the Department of Justice calls critical additions in three principle categories. Number one, and I think this is super important , uh, uh, they ask , uh, many questions about the risk of misusing disruptive technology like artificial intelligence, that , that , that should get board members' attention. Number two, they add additional questions about the extent to which the company has protection for whistleblowers , uh, along with the promotion of what they call a reporting culture reporting up the ladder. And the third category of critical edition , uh, and this is I think perhaps the most subtle of the changes. They're asking questions about whether a company's compliance program has the appropriately high level of internal resources to access data that would then be helpful in assessing program effectiveness.

Speaker 3: 6:45

So, Michael, shockingly, the board comes back and says, no , we want you to keep going. Give us more in , in depth , uh, commentary on this. What would you share if they give you additional time?

Speaker 4: 6:54

No, I , I'd say I'm busy right now, but can I come back later? No, I , uh, <laugh> , uh, I , I would say let's , all right , let's, let's peel 'em back a bit. Let's take a look at the first change, and I think it should be no news to the Audit Compliance committee , uh, that for about the last six to eight months, the , the Department of Justice has been expressing concern about AI and the extent to which AI could be used in masking criminal activity. So the first principle change I would tell the board relates to the government's concern about that risk misusing disruptive technology. And it's asking the criminal division to make sure when they're looking at compliance plan effectiveness, that they're looking at , uh, whether the program assesses disruptive technology risks, especially ai , uh, uh, and they're going to also want , uh, to ask how companies are monitoring and managing new technology risks, both in their business and their compliance programs. So, takeaway number one is saying , you understand what the government's interest is, AI as a vehicle to conduct illegal activity, and then they're gonna wanna know , uh, what the company is doing in terms of monitoring and managing that risk. I would say that the second big, you know, going into detail on the second change about whistleblower activity is this just goes and kind of underscores that whistleblower stuff. Is the center pre the , really the centerpiece to DOJs approach to corporate compliance and enforcement? You know, we may be , uh, as a board member, we may think that we've got a great , uh, whistleblower protection plan and hotline and all that stuff, but it's , this is gonna be a proven situation because the new version of the ECCP asks questions that are designed to focus on whether the company number one, encourages its employees to report misconduct. Uh, and number two, whether the company takes steps to discourage, or I should say, or whether the company takes steps to discourage that reporting, then if I've got a few more minutes, if I hadn't put 'em totally to sleep, I'm going to get into the issue that's gonna likely to get a lot of people agitated, especially the CFO. And that's whether the compliance program has appropriate high level resources dedicated for accessing data, including that kind of data that's gonna be helpful, engaging program effectiveness. There are a bunch of new questions that zero in on the ability of compliance personnel to access specific data sources as well about the assets and the resources and the tech that are available to compliance and risk management personnel. They're gonna wanna know, are you up to speed? Uh, are you putting in , uh, you know, I , I'll give you a baseball analogy, Rob, you'll appreciate that. You know, my team, the , the Chicago White Sox just finished it had an ignominious world record of losses. And one of the principle factors attributed to their decline was they never embraced analytics. Um , old time baseball is extreme. I think this is the governance of what , uh, the government's way of saying, we expect the healthcare organization to embrace analytics and data review across a broad spectrum to make sure that their compliance program is truly active at an effective level that's gonna cost money, and that's gonna require more personnel.

Speaker 3: 10:15

Michael, my baseball team has embraced analytics and allowed us to win the division, but my football team, who also heavily embraces analytics as in last place as well, so we can sympathize. Oh,

Speaker 4: 10:24

You mean Notre Dame

Speaker 3: 10:26

<laugh>? Um, we'll tackle that one on our next episode. So this all sounds like good generic advice. It applies across all industries, but are there specific healthcare issues that we wanna flag for our membership?

Speaker 4: 10:39

Yeah, I think that's right. And that's a great question. And , and a board member could legitimately ask, how much attention do I have to give? Isn't this going to every, isn't this of interest the same interest to every, every business entity in the United States? Uh, in , in a sense that's true. The ECCP is not industry specific, but I do think that there are some things that the healthcare industry should pay particular attention to. I , I really do.

Speaker 3: 11:02

Are there , uh, certain things, for instance, that you would point out?

Speaker 4: 11:05

Yeah, what jumps out to me is the heavy focus on data and technology, and especially ai because, you know, we, we, we practice in an industry that's diving headfirst into AI application. And, and here you have DOJ indicating a strong desire for compliance programs to do the same thing , zero in on the risks of ai, especially to the extent that they can be used for criminal purposes. Uh, so, and , and it doesn't, I think it's not an effective answer to say, well, we would never use ai , um, uh, to use it for criminal purposes. Of course not. That's not the point. The point is, if for any reason the government or some other party is looking at the effectiveness of the compliance program, and they're gonna say, well, you know , we're gonna look at this , do you have an answer ? If you don't have an answer that's not , that's not helpful , that just means the inquiry will become , uh, more intensive . So I think, again, the , the big focus on ai, it should really , uh, really have be viewed as having a healthcare industry specific impact. I'll also point out that , uh, I think in a lot of our , uh, healthcare organization boards, they're struggling with the role of board oversight , uh, of ai. Uh , and I , you know, we, we , we have now new guidance, extremely important new guidance coming out from the National Association of Corporate Directors, all about board oversight of the company's use of ai. So I think from the AI perspective generally, and from the introduced , uh, induction of these new best practices from NACD about board oversight, that that makes this a particularly time , uh, timely guidance from the government.

Speaker 3: 12:42

So Michael, often , uh, we as chief legal officers or chief compliance officers, you know, get time with our board chairs or committee chairs to give them an update on why they should include these items on their agenda as a COO or CCO. What would you be telling those individuals as far as why this should deserves agenda time ?

Speaker 4: 12:59

Well , I think first I'd break to them the bad news. And I think that , and that's because it's a , it's a money budgetary staffing issue in my mind. The , the government appears to be focusing more on the substance of the compliance program. And by that I mean available resources and the breadth of program coverage rather than the program's form. And by that I mean, you know, we've got a grid here , uh, we're gonna check the box, and that's gonna be our evaluation of if you, if we check all the boxes, we've got an effective compliance plan. Uh, and, and I see the DOJ getting much more sophisticated in here, and I think it's gonna place new pressure on the audit and compliance committee to pursue more of an in-depth evaluation of the substantive elements of the compliance program that's gonna take time and effort and add to the budget at a time when a lot of our a a member organizations don't have the financial resources , uh, to do that. So it's going to be, I think a , a , a difficult discussion between the audit compliance committee and board and executive leadership and say , uh, you know, here's this pressure company , uh, we , we really need to know, you know, how should , are , are we matching? Do we have good answers for these questions? Or, or, or do we have no answers to these questions? Uh, so it's, again, and I'm having this meeting with the compliance , uh, committee chair. I'm gonna say we're, our backs are gonna be up on the wall a little bit on this and unwelcome development from a budgetary perspective to be sure. I think second is something that , uh, has been happening subtly. I think you and I talked in one of our podcasts last year about how DOJ is looking for , uh, organizations to adopt , uh, uh, financial incentives and disincentives that are compliance based into executive compensation. And that has meant that the executive board , the board's executive compensation committee has to be much more focused , uh, on coordination with compliance because the government says , uh, see, the government sees the link between executive compensation and improving compliance programs. And we think we have the same thing happening today with , uh, the board's technology committee. The need for intra board , uh, collaboration between the tech committee or whatever it may well be , uh, and the compliance committee. So bottom line, I guess I would be telling the audit committee chair, we need to have more , uh, horizontal communication between the increasing number of committees that touch corporate compliance, whether it be exec comp, human resources, technology, data, whatever. And that's, that's something that I want my board chair to know as well. Everybody's gotta be talking horizontally a lot more than they have been before. And , and the the third , uh, item is something that , uh, is a message that may be difficult to send given everything else that's on the agenda. But , uh, I , a big takeaway from me for the ECCP is once again, we need a greater board board engagement in compliance program oversight. And , uh, the Delaware courts continue to be , uh, churning out cases that mold and refine their interpretation of caremark's compliance oversight duty. And , and , and there's been a couple of recent cases, you know, it , it , the cases will all the historical cases say the toughest thing in corporate law , uh, to justify is a breach of duty action under Caremark. In other words, it's a hugely difficult standard. It's a bad faith standard. Uh , but if, if boards allow their oversight practices to lapse as the types of fact patterns increase demonstrating where boards have gone wrong on compliance oversight, that's a problem. In other words , uh, i , I think we have to make sure that board oversight of the compliance program is keeping up with changes in the compliance environment and , and, and doesn't take false comfort in the fact that, again, it's very, very difficult to sustain a Caremark allegation. 'cause once it's done, once you're into that mode , um, that kind of takes over your next three or four years of the board's life. And I think the NACD's new recommendations are gonna add to this.

Speaker 3: 17:07

Well, Michael, thank you again for sharing your thoughts with the membership, making sure they're briefed on the latest development center industry. We'll be back next month for review of the , those new National Association of Corporate Director recommendations around board oversight of technology. We'll also do an update on where our sports teams are at with their analytics.

Speaker 4: 17:25

Absolutely. And Rob , my pleasure and Rob, I would end with a note that, you know, so many , uh, executives are justifiably tired of corporate compliance as an agenda item. It's been there since the , uh, out there since the sarbanes days . And I guess , uh, I , I would encourage our compliance officer and chief legal officer , uh, representatives who are listening in on the call to, to take heart that it just, it's a , yeah , it's sometimes like a pushing a rock up a hill. But I do think that the combination of the new Caremark cases, the NACD's new recommendations on AI risk monitoring and the e ccp , that's a lot of new stuff that give you the opportunity to go to the compliance committee chair and say, let's have a talk. And , uh, and hopefully the compliance chair committee chair will be receptive. So until next time, thanks again, Rob.

Speaker 3: 18:16

Great. Thank you, Michael.

Speaker 2: 18:25

Thank you for listening . If you enjoyed this episode, be sure to subscribe to a HLA speaking of health law wherever you get your podcasts. To learn more about a HLA and the educational resources available to the health law community, visit American health law.org.