DOJ Revises Corporate Compliance Guidance on Technology Risks and Reporting Mechanisms

On September 23, 2024, the US Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs (ECCP) guidance, aimed at helping prosecutors assess corporate compliance frameworks. The ECCP serves as a tool for prosecutors to determine whether to charge a company and how to resolve cases, while also assisting companies in developing and evaluating their compliance strategies. This year’s revisions highlight the increasing importance of managing risks associated with emerging technologies, particularly artificial intelligence (AI).

The DOJ’s revisions emphasize the following key areas:

Risk Management Related to Technology: The updated ECCP requires companies to integrate technology risk management into their compliance strategies. This includes establishing governance frameworks to identify and address risks stemming from AI use, such as potential misuse by employees or vendors. Prosecutors will evaluate whether companies have proactive processes for identifying technology-related risks, including the potential for intentional misuse, like manipulating records or accessing confidential data.

Confidential Reporting Structures and Whistleblower Protection: The updated guidance highlights the importance of having an efficient and trusted mechanism for employees to anonymously or confidentially report breaches of the company’s code of conduct, policies, or suspected misconduct. Companies should implement proactive measures to foster a workplace atmosphere free from fear of retaliation, including effective processes for submitting complaints and protecting whistleblowers. Prosecutors will scrutinize whether companies actively encourage reporting and whether disciplinary actions are fairly administered.

Dynamic and Well-Resourced Compliance Programs: The revisions highlight the necessity for companies to allocate adequate resources—such as personnel and technology—to their compliance programs. Prosecutors will consider whether compliance efforts are proportionately funded compared to other business areas. Furthermore, companies are encouraged to regularly assess the effectiveness of their compliance programs based on employee engagement and the success of training initiatives.

To effectively mitigate risks, companies need robust controls, monitoring, and employee training. Prosecutors will assess how well risks associated with technology are integrated into the overall risk management framework. This includes ensuring that any technology is used correctly, and that human oversight remains a priority. Companies are encouraged to develop comprehensive policies governing AI use, maintain clear communication with third-party vendors, and create extensive training programs on the responsible use of technology.

The ECCP emphasizes that compliance programs are not static. Companies should incorporate lessons learned from past issues, whether internal or from industry peers, to prevent future occurrences. Regular updates to governance policies and procedures are crucial for adapting to emerging technologies and regulatory changes.

For more information, you can access the guidance here.

Compliance Perspective

Issue

Healthcare organizations are required to have a compliance and ethics program that is effective in preventing and detecting criminal, civil, and administrative violations to reduce the likelihood of fraud, waste, and abuse of government funds. The “Principles of Federal Prosecution of Business Organizations” in the Justice Manual provide guidance for prosecutors on investigating corporations when determining whether to bring charges. Key factors include evaluating the effectiveness of the corporation’s compliance program both at the time of any alleged wrongdoing and during the investigation. Prosecutors will look at any efforts the organization has made to improve its compliance program. Additionally, the United States Sentencing Guidelines suggest that having a strong compliance program can influence the fines a corporation may face if misconduct occurs. Lastly, when deciding whether to appoint a monitor to oversee compliance, prosecutors will consider the investments made in compliance improvements and whether those changes have been tested to ensure they effectively prevent future issues.

Discussion Points

    • Review and update your policies and procedures for operating a compliance and ethics program to ensure they are effective and relevant, particularly in relation to emerging technologies like AI. Policies should be reviewed at least annually, with revisions made promptly to reflect new information or regulatory requirements. Include specific guidelines on the responsible use of AI and clear protocols for reporting concerns, emphasizing protections for whistleblowers.
    • Train all staff on your compliance and ethics policies and procedures upon hire and at least annually. Emphasize that maintaining an effective compliance and ethics program is a shared responsibility. Ensure that employees are aware of anti-retaliation policies that protect those who report concerns. Document all training sessions, and maintain signed records in each employee’s education file.
    • Periodically perform audits to ensure that all staff are familiar with compliance and ethics policies and guidelines and understand their responsibility to report any concerns to their supervisor, the compliance and ethics officer, or via the anonymous hotline. Provide the audit information and any necessary action steps to the compliance and ethics committee and the governing body.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
