Affidavit: Healthcare and the Law - DOJ Updates Guidance on Corporate Compliance Programs

Contributors: Kristine Murphy Gallagher and Lisa Clark JD’89


Like all corporate entities, healthcare entities rely on rigorous compliance programs to ensure they are operating within the bounds of a complex regulatory environment.  On April 30, 2019, the United States Department of Justice (DOJ) Criminal Division released updated guidance on corporate compliance programs.  The new guidance document,1 which updates a previous version issued by the Division’s Fraud Section in 2017, is designed to assist prosecutors in evaluating whether a corporate entity’s compliance program was effective at the time criminal conduct occurred.  In its announcement of the updated guidance,2 the DOJ indicated the document was prepared with input from across the Division, including the Office of the Assistant Attorney General, the Fraud Section, and the Money Laundering and Asset Recovery Section.

In updating its guidance, the DOJ sought to “better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.”  Acknowledging that each compliance program must be evaluated in its specific context, the guidance is centered around three “fundamental questions” that prosecutors should ask:  

  1. Is the corporation’s compliance program well-designed?
  2. Is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

Although the guidance applies broadly to corporate entities, healthcare entities should take particular note of the DOJ’s focus on effective design, implementation, and continuing operation of compliance programs.  Healthcare entities should look to the DOJ’s updated guidance when assessing and updating their compliance programs to ensure they are able to prevent misconduct and appropriately respond when misconduct does occur.

Is the corporation’s compliance program well-designed?
The updated guidance emphasizes the DOJ’s expectation that, for maximum effectiveness, compliance programs should be tailored to address an entity’s unique risk profile.  The guidance cites a number of factors that should be considered in determining whether a program is well-designed.  These factors include risk assessments, by which corporate entities can identify the particular risks they face, determine how resources should be allocated, and update existing aspects of their compliance programs.  The DOJ also cites policies and procedures, including a code of conduct, which help to establish a culture of compliance.  Like previous guidance, the April update emphasizes the importance of periodic training and effective communication that provides guidance to employees.  Additionally, the DOJ points to a confidential reporting structure and investigation response as a “hallmark of a well-designed compliance program.”  

The DOJ’s guidance also indicates compliance programs should be designed to allow corporate entities to assess their third-party relationships.  Companies should fully understand the potential risks in associating with parties such as consultants and distributors and should monitor those relationships on an ongoing basis.  Similarly, a well-designed compliance program will allow corporate entities to conduct comprehensive due diligence of any targets for mergers or acquisitions.  

As companies operating in the healthcare industry consider the design of their compliance programs, the DOJ’s guidance provides helpful tips.  Conducting risk assessments is a crucial aspect of operating a compliant company in a highly regulated industry, and regularly updating those assessments allows healthcare entities to stay on top of the ever-changing regulatory framework.  Additionally, the DOJ’s guidance on designing an effective compliance program overlaps in several key areas with guidance from the United States Department of Health and Human Services Office of Inspector General, which has also emphasized the importance of documented policies and procedures, training, and confidential reporting mechanisms.  Further, as merger and acquisition activity in the healthcare industry continues to grow, healthcare entities should be mindful of the ways in which a well-designed compliance program may protect them from taking on financial and reputational risk associated with misconduct at a target entity.

Is the program being implemented effectively?
Like its previous guidance, the DOJ’s April update emphasizes that even a well-designed compliance program must be more than just a “paper program.”  Companies must be committed to appropriately implementing their programs in order to effectively prevent misconduct.  Specifically, the DOJ indicates that a culture of compliance starts at the top.  Senior management must display a commitment to implementation of the compliance program and must lead by example in adhering to the requirements.  Such commitment should be shared by middle management, who encourage compliance among the employees they oversee.  Additionally, the DOJ emphasized that a compliance program cannot succeed without appropriate autonomy and resources. A compliance program should be structured to permit experienced personnel with appropriate levels of seniority and autonomy to effectively implement the compliance function.  Furthermore, the DOJ indicated companies should have clear incentives for compliance, with appropriate disciplinary measures to address violations.  

In implementing their compliance programs, healthcare entities must ensure their organization as a whole is committed to the program.  Leadership must not only set an example, but also play a crucial role in exercising their decision-making influence to direct appropriate and adequate resources to the compliance function.  Healthcare companies should consider whether the personnel involved in their compliance program are educated on the particular risks their corporate entities face, especially in highly specialized industries like pharmaceuticals, medical devices, and the provision of healthcare services.  Furthermore, all members of an organization should be aware of the potential consequences of violating the compliance program’s requirements. 

Does the corporation’s compliance program work in practice?
Finally, the DOJ’s updated guidance notes that a key question in evaluating a compliance program is whether the program was operating effectively at the time of an incident of misconduct.  The DOJ noted that the fact that misconduct occurred “does not, by itself, mean that a compliance program did not work or was ineffective,” and that no compliance program can prevent all misconduct.  Corporate entities should, however, consider whether and how any misconduct was detected and the thoroughness of their response.  Effective compliance programs must demonstrate the capacity to evolve, and companies must make proactive efforts through practices such as internal audits to ensure their compliance program adapts with the business.  Responding to reports or allegations of misconduct is a key function of a compliance program, and the DOJ’s guidance emphasizes that investigative functions must be “well-functioning and appropriately funded.” Furthermore, a company must take active steps to remediate misconduct, by determining the root cause, identifying areas of weakness that may have allowed misconduct to occur and persist, and taking appropriate disciplinary actions to prevent future occurrences.

When misconduct does occur, it’s crucial for healthcare entities to look inward for any failures that may have allowed inappropriate behavior to go unnoticed.  Such incidents can serve as key learning opportunities and allow a company to adapt to ensure similar issues will not arise in the future.  In an industry that is continuously shifting, healthcare companies must evolve to ensure they continue to operate ethically and in compliance with the law.

The DOJ’s updated guidance is instructive to corporate entities in all areas of the healthcare industry and provides valuable insight on designing, implementing, and maintaining effective compliance programs.  Healthcare entities should take the DOJ’s cue to assess their own compliance programs and ensure they identify and address any gaps that could lead to liability for compliance failures.





  1. Available at: 
  2. See