Corporate Compliance Insights

Internal Controls: Good People and Wishful Thinking Are Not Effective Compliance Strategies

A Guide to Avoiding Compliance “Bear Traps,” Part 2

by Jim Nortz
May 13, 2020
in Compliance, Featured

Jim Nortz continues a six-part series discussing a number of regulatory “bear traps” in the health care industry with a discussion on the importance of effective internal controls in preventing fraud.

Bob was a good guy. He was a trusted friend and colleague earning a healthy salary serving as CFO at a multinational corporation. I worked with Bob on several internal investigations of employee misconduct and on the design and implementation of our company’s Sarbanes-Oxley controls. Bob was also a fraudster who stole millions of dollars from our company over a 10-year period. He did so via a classic asset misappropriation scheme in which he used his access to the company’s check-signing machine and general ledger to pay himself nearly $5,000 per week via a fake vendor account he’d set up.

I had the grim task of reporting my friend’s criminal activities to the FBI, which ultimately led to his imprisonment for five years in a federal penitentiary. This painful experience drove home for me something I already knew: Hiring “good people” and practicing wishful thinking alone do not prevent financial fraud; sound internal controls and continuous vigilance do. The same is true with respect to preventing your firm from being the next one caught and maimed in one or more of the “bear traps.”[1]

Development and implementation of effective internal controls to avoid the bear traps is not a trivial exercise; it is detailed, time-consuming, complex work that necessarily impacts virtually every aspect of the business. The following is a high-level recitation of factors you should consider when constructing your firm’s bear trap avoidance strategy.

Start your work by heeding Deep Throat’s advice to Woodward and Bernstein: “Follow the money.” Specifically, health care product manufacturers must develop controls for every activity in which there is transfer of value to health care providers (HCPs) or institutions. This includes, but is not limited to:

  • Gifts
  • Meals
  • Entertainment
  • Educational grants
  • Research grants
  • Charitable contributions
  • Personal services and management contracts
  • Commercial discounts
  • Royalties
  • Investment interests
  • Product samples
  • Demonstration/loaner equipment

Similarly, HCPs and health care institutions must establish internal controls to monitor and regulate the receipt of such value transfers from manufacturers and distributors. They must also have internal controls to monitor and regulate patient referrals.

To be effective, all such internal controls must:

  • Be consistent with regulatory guidance and applicable industry ethics standards;
  • Provide real-time line of sight to value transfers and/or referrals as they happen;
  • Compel documentation and transparency with the capacity to rapidly flag policy violations;
  • Be overseen on a continuous basis by knowledgeable, independent corporate counsel, accountants and/or compliance professionals who:
    • Do not deliver health care services;
    • Are not part of the sales and marketing team; and
    • Have the authority to halt risky or illegal activities;
  • Be routinely audited; and (perhaps most importantly)
  • Be practical, integrated into routine operations, strongly advocated by company leadership and embraced by company business professionals.

Satisfying all these criteria for any single control system is a tall order. The challenge is compounded by the fact that bear trap avoidance controls are required for many commercial activities that are critical to business success. Detailing the design of each of the controls necessary for all the risk areas listed above is beyond the scope of this essay. However, by way of example, I’ll outline the key features of an internal control system designed to regulate one of the highest-risk activities for manufacturers: personal services and management contracts with HCPs or health care institutions.

As health care sector compliance professionals are well aware, to ensure compliance with the AKS, personal services and management contracts with HCPs or health care institutions must satisfy all seven requirements specified in the AKS Safe Harbor Regulations. The following are some of the critical attributes of the internal controls necessary to ensure consistent compliance with these requirements:

  • Permit only designated authorized individuals to select counterparties and administer such contracts. These individuals should be highly trained and not be front-line sales and marketing personnel.
  • Compel completion of a “Needs Assessment Form” detailing the following information:
    • Name and contact information of the employee recommending the contract.
    • Name and contact information and qualifications of the HCP or health care institution to provide the services.
    • An affirmative acknowledgement that the HCP’s employer has been notified and consented to the HCP providing the desired services.
    • A description of the services to be performed.
    • An explanation of the commercial need for the services.
    • A fair market value analysis documenting that no more than fair market value will be paid for the services.
    • A compliance certification that the services are being sought for legitimate purposes and that the selection of the HCP or health care institution was not made based on the volume or value of referrals or business generated between the parties.
    • Signature of the requestor.
    • Signature of a senior executive.
    • Signature of corporate counsel and/or compliance professional.
  • Compel use of a standardized contract drafted to fully satisfy all relevant AKS Safe Harbor requirements.
  • Mandate collection and retention of documentation that services were performed.
  • Mandate detailed invoices describing the services performed and the associated fees.
  • Record management systems capable of cataloging and reporting payments made and all other associated information necessary to satisfy relevant transparency reporting regulations.
  • Continuous monitoring and periodic auditing by trained accounting and/or compliance professionals.

At first blush, these measures may appear to be a bit overblown. However, if your company does not have tight control over this essential but high-risk activity, you and your colleagues are balancing on the high wire with no net and only a giant bear trap below to break your fall.

Although the most significant risks may be associated with activities such as personal services and management contracts – comprising billions of dollars in value transfers from health care companies to providers per year – you must also pay attention to comparatively trivial value transfers, like business meals. In September 2019, drug maker Mallinckrodt paid more than $15 million to resolve FCA and AKS liability for “wining and dining” doctors as a means of inducing prescriptions of the company’s drugs. The following quote from one of the prosecutors involved in this case provides a window into their mindset regarding the importance of aggressive FCA and AKS enforcement:

“The Department of Justice will hold companies accountable for the payment of illegal kickbacks in any form. Improper inducements have no place in our federal health care system, which depends on physicians making decisions based on the health care needs of their patients and not on or influenced by personal financial considerations.”

As often as not, companies and individuals stumble into one or more bear traps out of ignorance of the rules rather than deliberate malfeasance. Consequently, a critical component of your firm’s compliance and ethics program is detailed sales and marketing codes of conduct that effectively communicate what employees can and cannot do in the jurisdictions in which you do business. Part 3 of this series provides practical tips for drafting and distributing such codes.


[1] As mentioned in part 1, the term “bear traps” as used herein refers to the anti-kickback statute (AKS), the False Claims Act (FCA), the Physician Self-Referral Law (aka the Stark Law), the Civil Monetary Penalties Law (CMP) or the Eliminating Kickbacks in Recovery Act (EKRA). Enforcement actions pursuant to these laws against thousands of individuals and companies in the health care sector have resulted in incarcerations and tens of billions of dollars in fines.


Tags: anti-kickback statute, civil monetary penalty law, eliminating kickbacks recovery act/EKRA, false claims act, internal controls

Jim Nortz

Jim Nortz is Founder & President of Axiom Compliance & Ethics Solutions LLC, a firm dedicated to driving ethical excellence by helping organizations implement effective compliance and ethics programs. Jim is a nationally recognized expert and thought leader in the field of business ethics and compliance with over a decade of experience serving multinational petrochemical, staffing, business process outsourcing, pharmaceutical and medical device corporations. Jim spent the first 17 years of his career as a criminal and civil litigator and Senior Corporate Counsel before becoming Crompton Corporation’s first Vice President, Business Ethics and Compliance in 2003. Since then, Jim has served as a compliance officer at Crompton and for five other multinational corporations, the most recent of which was as Chief Compliance Officer at Carestream Health. Jim has extensive experience in implementing world-class compliance and ethics programs sufficiently robust to withstand U.S. Department of Justice scrutiny. Jim is a frequent guest lecturer at the University of Rochester’s Simon School of Business, RIT’s Saunders School of Business, St. John Fisher College, Nazareth College and other law schools, universities and organizations around the country. Jim writes the monthly business ethics columns for the Association of Corporate Counsel Docket magazine and the Rochester Business Journal. Jim is a National Association of Corporate Directors Fellow, a member of the International Association of Independent Corporate Monitors and serves on the Board of Directors of the Rochester Chapter of Conscious Capitalism as the Board’s Secretary and Chair of the Governance and Nomination Committee. Previously, Jim served on the Board of Directors for the Ethics and Compliance Officers Association and the Board of the Rochester Area Business Ethics Foundation.


© 2021 Corporate Compliance Insights
