Seven Elements of an Effective Compliance Program
Organizations act only through their employees, and in every scandal employees engaged in illegal conduct. To avoid or minimize
illegal conduct, organizations should make appropriately diligent efforts to ensure that employees and contractors are aware of their
legal obligations, and that the organization is not endorsing or permitting this illegal conduct.
To that end, both the Federal Sentencing Guidelines and the OIG Compliance Program Guidance for Pharmaceutical
Manufacturers have articulated seven structural elements necessary for an effective compliance program. While the guidance
specifically concerns pharmaceutical companies, the OIG has noted that it may also have application to medical device companies
that receive federal reimbursement, id., n 5, and AdvaMed has also "strongly encouraged [its members] to follow the seven
elements of an effective compliance program, appropriately tailored for each Company." See AdvaMed Code of Ethics on
Interactions with Health Care Professionals.
In providing this guidance, the OIG has noted the benefits of a comprehensive compliance program for manufacturers:
The OIG believes a comprehensive compliance program provides a mechanism that addresses the public and private
sectors’ mutual goals of reducing fraud and abuse; enhancing health care provider operational functions; improving the
quality of health care services; and reducing the cost of health care. Attaining these goals provides positive results to the
pharmaceutical manufacturer, the government, and individual citizens alike. In addition to fulfilling its legal duty to avoid
submitting false or inaccurate pricing or rebate information to any federal health care program or engaging in illegal
marketing activities, a pharmaceutical manufacturer may gain important additional benefits by voluntarily implementing a
compliance program. The benefits may include:
• A concrete demonstration to employees and the community at large of the company’s commitment to honest and
responsible corporate conduct;
• An increased likelihood of preventing, or at least identifying, and correcting unlawful and unethical behavior at an
• A mechanism to encourage employees to report potential problems and allow for appropriate internal inquiry and
corrective action; and
• Through early detection and reporting, minimizing any financial loss to the government and any corresponding
financial loss to the company.
While the OIG recognizes that no compliance program will completely eliminate all illegal actions, it believes that an organization's
commitment, and allocation of sufficient resources and authority, to the following seven elements are to establish a culture of
compliance and minimize wrongdoing:
Written Policies and Procedures
A code of conduct is one of the most fundamental documents. It should be a high level statement of general legal principles and
commitment to ethical conduct. It should be brief, easily understandable, and have general application to all employees. (See, e.g.,
Ethisphere's benchmark of pharmaceutical and biotech codes of conduct; chart is at lower left of link page)
While high-level principles are important, more detailed guidance may also be required. The specific policies should address risk
areas, as identified by the company, based on the laws relating to the company's business, enforcement activities, and the
company's past compliance issues. While the OIG identified three risk areas (data for government reimbursement, kickbacks and
samples), it is important that each company conduct its own periodic risk assessment to ensure that it is addressing evolving risk,
based both on external factors (new laws and enforcement action) and internal issues (new or evolving business methods or
products, investigations and violations).
Compliance Officer/Compliance Committee
According to the OIG, every pharmaceutical manufacturer should designate a compliance officer to serve as the focal point for
compliance activities. Depending on the size and resources of the organization, this individual may be solely dedicated to
compliance activities or may have additional responsibilities. (see Ethics Resource Center, "Leading Corporate Integrity: Defining
the Role of the Chief Ethics and Compliance Officer")
The Compliance Officer's responsibilities should include:
• Overseeing and monitoring implementation of the compliance program, including modifying the program based on
changing needs and laws as well as identified weaknesses or violations;
• Regular reports on compliance matters to senior management and the compliance committee (if applicable) to establish
• Developing targeted and effective educational and training programs;
• Ensuring that relevant independent contractors and agents are aware of the requirements of the company’s compliance
• Coordinating personnel issues with the company’s Human Resources Department to ensure that the List of Excluded
Individuals/Entities has been checked with respect to all employees and independent contractors;
• Assisting the company’s internal auditors in coordinating internal compliance review and monitoring activities;
• Reviewing and, where appropriate, acting in response to reports of noncompliance received through the helpline (or other
reporting mechanisms) or otherwise brought to his or her attention;
• Independently investigating and acting on matters related to compliance;
• Participating with the company’s counsel in reporting, as appropriate, any self-discovered violations of federal health care
program requirements; and
• Continuing the compliance program's momentum after the initial years of implementation.
The OIG also recommends the establishment of a compliance committee, of relevant high level employees, to assist the
Compliance Officer in these functions.
Training and Education
Policies and other compliance requirements may not be effective if no one knows about them. The OIG has therefore stated that
an effective compliance program must include training to affected employees. The training should include high level issues, as well
as more targeted training based on risk areas and employee/contractor functions. While the method, subjects and frequency of
training may vary based on the organization's needs and resources, the OIG recommends that each employee be required to attend
a specific number of hours of training per year, that appropriate disciplinary action be taken for failure to complete training, and
that the compliance officer maintain training logs. Further, employees should be trained on compliance-related issues shortly after
they are hired.
Lines of Communication
After employees have been trained on issues, there should be some mechanisms for them to raise questions or alert the company
of potential violations. While employees frequently ask questions during and immediately following training sessions, this is not
adequate. The OIG has noted that both supervisors and the compliance officer should have open door policies, with confidentiality
and non-retaliation policies.
Employees may also want to remain anonymous. Accordingly, companies should consider adopting a compliance hotline or
helpline, so that employees and others may make complaints anonymously and confidentially. While the OIG recognizes that
anonymity cannot always be guaranteed, given the need to investigate, and the small size of some companies, employees should
still be assured of non-retaliation for complaints raised in good faith. All reported matters should be documented, and promptly and
impartially investigated. The compliance officer should report redacted information regarding investigations. It is also a good idea
to periodically review the investigations for trends or other systemic issues.
Monitoring and Auditing
It is not adequate solely to rely on employees to come forward with suspected violations. A company should engage in reasonable
audit and monitoring activities to find out whether the organization is compliant. The subject, techniques and frequency of
monitoring efforts may vary depending on the size of the organization and its risk areas. The OIG recommends, however, that
companies focus on those departments and activities that have a substantial impact on high risk areas, such as federal healthcare
reimbursement and kickbacks.
Periodic reviews should also be conducted to determine whether the:
(1) company has policies covering the identified risk areas;
(2) policies were implemented and communicated; and
(3) policies were followed.
A compliance program must have teeth. Policies should state that violators will be subject to disciplinary action. And such action
should consistently be taken when violations are uncovered as a deterrent. The OIG recognizes, however, that the type of
discipline may be flexible based on the severity of the violation; simply put, not all violations will, or should, lead to termination.
According to the OIG, management should report any misconduct to the appropriate state or federal authorities promptly,
but in any event, no later than 60 days after it has credible evidence that a violation has occurred.
Copyright 2010, Lurie Law Firm LLC. All rights reserved.