Contributed Commentary by Michael B. Lampert and Richard A. Harris II
May 15, 2019 | Compliance is foundational—it supports the sustainability of a business model and revenue. Noncompliance can yield assessment of penalties, revocation of licenses, distraction of management, reputational harm and loss of employees. It also can yield erosion of revenue, if the business model under it is found to be unstable, and significant value depletion.
Medical technology company Theranos’s $9 billion stock value suddenly collapsed when federal regulators found the company’s laboratory practices to “pose immediate jeopardy to patient safety.” The myriad of the company’s compliance failures resulted in the federal government’s banning the company from using its propriety finger-prick technology, and banning the Theranos CEO from owning or running a medical laboratory for two years, in addition to civil and criminal investigations followed by two class action fraud lawsuits. According to NAVEX Global, Inc. it is not surprising to find that companies with strong compliance programs tend to see greater overall profitability and productivity, fewer material lawsuits, lower litigation settlement costs, and fewer external whistleblower reports.
Healthcare is one of the most heavily regulated industries. Healthcare companies, especially in growth phase, must be able to demonstrate the ability to comply with the laws that control their business and to identify fissures in operations quickly. Entrepreneurs and investors should therefore view compliance as a competitive advantage that puts the company in a favorable position to avoid—and swiftly and effectively to tackle—potential regulatory challenges.
Seven Elements of a Compliance Program
The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services, in addition to other authorities, like the Department of Justice, has developed general expectations of compliance programs that organizations in the healthcare industry should operate. The scope of a company’s compliance program will vary depending on the size of the company and the risks that it faces. Extracted from OIG guidance, the discussion below outlines the seven elements that are expected to be part of an effective compliance program, and how startups may consider addressing them.
1. Policies, Procedures and Standards of Conduct
A foundational element is a written Code of Conduct that guides the company’s operations and articulates a commitment to compliance by all. Models are readily available and can be adapted with ease. Having a Code of Conduct is table stakes that any company can easily meet.
Next up are written policies and procedures. Here, companies should think about where their greatest risks lie in their space in the industry. Having even rudimentary policies appropriate for a startup in the core areas of risk is important, as policies provide an important launching point for basic training and articulation of standards.
2. Compliance Team
Mature companies will have not only a full-time compliance officer but a significant compliance staff. A startup just out of the gate obviously will not be at that stage. But a startup of any size should have a designated individual who is responsible for compliance, and, as the company grows, compliance should become more and more of the person’s role—until there eventually is a freestanding compliance group. While OIG guidance leans against having the compliance officer be, or be subordinate to, a company’s general counsel, for smaller companies the commonalities in expertise often will support a dual legal and compliance role. The individual chiefly responsible for compliance should have access to the CEO and to the board as needed.
3. Training and Education
Companies that fail properly to train and educate their staff obviously risk greater likelihood of liability for violating healthcare laws, and greater penalties. They also deny themselves the opportunity to multiply—through their staff—the number of eyes out to identify areas of potential noncompliance to be addressed. Training should include the company’s Code of Conduct and key policies for the relevant personnel, and as a general matter should recur annually. Companies should keep track of training that they offer, and of individuals’ completion of it.
4. Effective Lines of Communication
Companies should educate their staff—including through the Code of Conduct and training—of the critical value of reporting compliance concerns. Key messaging for a startup can be that unsustainable practices should be nipped in the bud.
An important element of compliance programs for all companies is providing an opportunity for individuals to report their concerns anonymously. That arguably is even more important in a relatively smaller company where smaller staffs preclude natural opportunities for individuals with concerns to report them to someone not in a direct supervisory position. Messaging of the value of reporting therefore should emphasize not only that the company, from day one, has a policy of non-retaliation for good-faith reports of concerns, but also that individuals should make use of anonymous reporting means if they feel it necessary.
5. Well-Publicized Disciplinary Guidelines
As alluded to above, company staff should be educated on the critical importance of compliance and that noncompliance has consequences. At the minimum, the company’s Code of Conduct should set forth general expectations of disciplinary action, including termination for violations of the Code and applicable laws and regulations.
6. Internal Monitoring and Auditing
In a very small company, it is not hard for management to know everything that is happening. However, as companies grow, there comes a point at which it is impossible to know that. CEOs of quickly-developing companies probably will remember the first day when the company hired someone whom they did not know—and that day almost surely occurred long after the CEO no longer had visibility to all employees’ work. Companies in growth stage therefore need to consider what activities are occurring without natural oversight; which of those activities present the most risk; and how they might monitor them on an ongoing basis, and periodically audit them looking back.
Inherent in the process that we describe above is assessing which activities present the most risk. Periodically stepping back to conduct a risk assessment is a crucial element of compliance programs (indeed, OIG guidance suggests that the process be conducted annually). The nature of a risk assessment will change as a company matures, but, for companies of all sizes, the process is an important tool in assessing where to prioritize efforts and to focus resources to get the most bang for the buck. For companies in growth—and fundraising—modes, a risk assessment also presents an opportunity to demonstrate to potential partners and investors that the company has soundly plotted its future.
7. Development of Corrective Actions
Whenever an audit, ongoing monitoring, or a staff member’s concern has identified a problem, a company of course must address it. As a company grows, it should formalize a process to log material corrective actions, in order to demonstrate its responsiveness to concerns when they are raised. That not only establishes discipline to remediate problems, but also establishes a record of attentiveness and development to show prospective partners or investors the company’s stewardship of its business and its establishment of a platform for sustainable growth.
Health entrepreneurs and health-focused investors seeking to scale quickly may be tempted to view compliance programs as a luxury item to address when the business is more mature. But that fails to view compliance in its fullest form—which is ongoing confirmation that a business is sound, on a sound track, and developing a business and revenue model that is reliable. Attention to a compliance program as one of the many pillars that a company will need, and building it while building the other pillars at its side, can help to position a company for sustainable, and hopefully exponential growth.
Michael B. Lampert is a partner in the health care practice with global law firm Ropes & Gray in Boston. He provides clients with strategic, regulatory and transactional advice. He also guides clients in rigorous compliance assessment and development projects as a component of investigations arising from allegations of significant noncompliance. Michael can be reached at Michael.Lampert@ropesgray.com.
Richard A. Harris, II is an associate practicing health law in the corporate practice at Ropes & Gray in New York. He works with health care clients confronting a variety of complex transactional, regulatory and compliance issues including mergers and acquisitions, federal and state fraud and abuse laws, and government enforcement defense. Richard can be reached at Richard.Harris@ropesgray.com.