Compliance Perspectives

By Adam Turteltaub You do all that work but how do you know you’re being successful? It’s not like people come running in the door and say, “Hey, guess what bad thing I almost did.” The compliance team at the National Security Agency (NSA) had that same challenge. In this podcast, Natalie Knowles, Director of Compliance, and Zack Conyne, Manager, first provide an overview of the NSA. As they explain it has two primary missions:  cybersecurity and signals intelligence. Every employee there annually takes an oath to defend the Constitution, which is, of course, a great reminder of the organization’s values. The compliance team is there to ensure that NSA activities are consistent with the law, including policies and procedures designed to protect privacy and civil liberties. The team measures the success of the program both using quantitative and qualitative metrics. Along the way they have learned a great deal, including the importance of telling a story, managing the complexity of data, and the importance

By Adam Turteltaub When we last spoke with Tyler Shultz back in 2020, he discussed his experience at Theranos as both an employee and a whistleblower. Four years later, the case is in the rearview mirror, the former CEO is in prison, he founded two startups of his own, and he now speaks to corporations about cultivating courageous work cultures With the benefit of some time and distance, he shares in this podcast his experiences and what he has learned, particularly about corporate culture. The behaviors he saw at Theranos provided for him a lesson in what not to do. There, he felt the dysfunctional culture was created intentionally. Management, he believed, wanted employees to fear them and reinforced that through locked doors, barricades and firing people who disagreed with leadership.  here were even NDAs that restricted the ability of employees to speak with each other. To create a good culture, he argues, companies need to do the opposite of what he saw at Theranos. First, start by defining what the

By Adam Turteltaub Few things hold more promise, or cause more stress for compliance professionals, than AI. What is it?  How does it work? And does anyone know how to keep it from showing so much bias? David Silva, Chief Compliance Officer at Collaborative Imaging, will be addressing the topic of “Healthcare, Artificial Intelligence, and Compliance” at the 2025 HCCA Compliance Institute, which will takes place April 28-May 1 in Las Vegas. To get some of his insights now, we sat down  for this podcast. David explains that part of the challenge is that AI is so fast changing that it’s hard to keep up. We don’t yet know what we don’t know about it. At the same time, though, the technology is showing great promise in healthcare in areas such as coding, simple reports and helping with third-party vetting. Compliance teams have an important role to play in the implementation of AI in healthcare, he explains. Ideally, they should be a part of the AI governance team, working with a broad range of departments an

By Adam Turteltaub Chart auditing may not be the sexiest part of healthcare compliance, but it plays an important role in discouraging Medicare fraud and catching problems early. Madhavi Perumpalath, Director-Physician Practice Compliance at Northeast Georgia Health System and Alka Kumar, Compliance Director and Privacy Officer at Resolve Pain Solutions, explain that CMS provides good guidance to healthcare providers, such as diagnosis and procedure codes that are appropriate to bill for. Take advantage of it. Embrace proactive auditing, they advise, to help identify issues and ensure the quality of the claim before it goes out the door.  It can also prevent both over and under billing. How frequently should you audit? It depends on several factors, including the size of your organization, regulatory requirements, resources available and the overall risk environment. And, remember, you can’t audit everything. Instead, they recommend developing an annual audit plan focusing on the high-risk areas, but also

By Adam Turteltaub With value-based care growing, what role does compliance play?  To find out we spoke with Carolyn Barton, Vice President, West Regional Compliance Officer at Kaiser Permanente. She explains that at Kaiser they define value-based care as a healthcare delivery and financing model that improves health outcome and increases access to affordable care in the community through evidence-based care, a commitment to equity and simplicity and aligned incentives. Doctors and health plans, she reports, work in an integrated system focused on the patient and delivering the right care at the right time and place. To make that work their electronic health record (EHR) system is the foundation not just for collecting patient data but also for sharing protocols for treating patients. By implementing systematic, evidence-based approaches through these protocols, they help mitigate racial and ethnic inequities. The results she shares are impressive. Kaiser patients are 20% less likely to die prematurely fr

By Adam Turteltaub No one would dispute that stress and compliance go hand in hand, but Scot Eibel (LinkedIn), a former chief compliance officer and currently leading Eibel Coaching and Compliance Consulting, warns that doesn’t mean it has to get out of control. There are steps we can all take to manage our stress levels. One stressor to watch for is over vigilance.  While we all need to be vigilant, assessing risk and watching out for threats, it needs to be tempered. Resist the temptation, he warns, to engage in worst case scenario thinking, which increases stress and makes it difficult to focus on any positives. Catastrophic thinking isn’t healthy for you or for the organization. Another stressor for compliance professionals can be feelings of isolation. In some ways it is inherent to the job, but that doesn’t mean it needs to be absolute. Look to others in the compliance community for connections and build cohesiveness on your compliance team. Stress is much more manageable when you have support. Whe

By Adam Turteltaub Benjamin Christenson, Trial Attorney and Special Assistant to the Director for Criminal Enforcement at the US Department of Justice Antitrust Division, joins us for this podcast in which he sheds light on the their document, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (ECCP). First issued in 2019, the ECCP was updated in 2024 to reflect changes in business, the law and technology, as well as what the Antitrust Division had learned over the last five years. He shares that there are three significant areas of focus in the ECCP worth particular study: AI and Emerging Technology. As companies deploy AI, it’s essential that compliance teams have visibility into what is being done, understand it and monitor antitrust issues such as using the technology to fix prices. NDAs and Whistleblowers. Like others in enforcement, the DOJ is concerned when a non-disclosure agreement may have a chilling effect on potential whistleblowers who are considering reportin

By Adam Turteltaub Want to improve your code of conduct? Don’t miss the session: Cornering the Code: A Multi-Disciplinary Approach Toward a Better Code of Ethics at the 2025 SCCE European Compliance &  Ethics Institute. In this podcast Matej Drascek, Head of Internal Audit at LON d.d. and Ursula Schmidt of Schmidt Advisory recommend starting with the right language. Research has shown, they explain, that people react more strongly to words like “we” and “our”, which can convey a stronger sense of shared responsibility  than words like “you”, “I” or “it”. Also, words like “must” or “have to” carry more weight than “may” or “should”. Of course, just using “we” and “must” won’t do it all. The code, they tell us, should have a service character that gives guidance to people and gives employees a sense of purpose. It should also be dynamic and work as a bit of a safety valve. It should provide reassurance that it protects them from making mistakes and helps them feel safer when addressing issues. For the code

By Adam Turteltaub I want to write enough about this podcast to get you to listen to it, but not too much because then you might decide that reading this was enough. I’m conflicted, and conflicts of interest are the topic of this podcast with Kasturi Venkatesh, who spoke on the topic “Ethics in Action: A Fun Guide to Tackling Personal Conflicts of Interest” at the 2024 SCCE Compliance & Ethics Institute. When it comes to managing the issue, she explains, the primary goal for compliance teams is to help the workforce identify and bring forward potential conflicts. The challenge is that they often hesitate to bring these issues to management or the compliance team out of fear and a lack of understanding. Training is helpful, but it can’t demonstrate all the potential issues, nor can it always overcome the anxiety. That takes a personal touch of reassurance. In this podcast, Kasturi makes the case for a gentle hand a nuanced eye. The compliance team needs to be aware of the sensitivities of workers and also

By Adam Turteltaub On November 6, 2024, the U.K.'s Home Office issued Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud (the Guidance). It comes out of the  Economic Crime and Corporate Transparency Act (ECCTA), which establishes that a corporation can be held criminally liable for failing to prevent fraud committed by any “associated person” for the benefit of the company. This “associated person” can be an employee or even a third party. There is a defense, explains James Tillen, member at Miller & Chevalier, for organizations that had reasonable prevention procedures at the time of the offence. What constitutes reasonable? There are six principles: Top level commitment A risk assessment Proportionate risk-based prevention procedures Due diligence Communication and training Monitoring and review Sound familiar? It is, since it builds off the guidance for the UK Bribery Act and is very similar to the US approach. It’s not

By Adam Turteltaub Auditing and monitoring of the compliance program is pretty standard these days.  Entain’s Karen Nightingale, Group Director of Ethics & Compliance and Jonathan Fox, Group Head of Ethics & Compliance Programmes, make the case in this podcast for going to the next level and actively testing your program. The two will also be addressing the topic at the 2025 SCCE European Compliance & Ethics Institute, which will take place in Lisbon, 10-12 March. Doing so, they suggest, can turn a reactive compliance program into a proactive one by actively searching for points of weakness, identifying red flags in advance and addressing them early. In practice, testing is more like an audit. It should be done periodically and provide an in-depth look at whether processes and controls are working as intended. By going deeper, it can uncover where there may be a weakness in what may appear to be a strong process as a whole. To determine what controls to test, there are several factors. First is recognizin

By Adam Turteltaub Note:  This podcast was recorded on December 17, 2024.  Any changes made after this date will be addressed at the Compliance Institute. At the 2025 HCCA Compliance Institute in Las Vegas, Adam Greene (LinkedIn), partner at Davis Wright Tremaine LLP will be leading the session “New Developments in Health information Privacy.” In this podcast he provides an overview of what he sees as notable privacy compliance challenges and what compliance teams need to be doing. Starting with the HIPAA Privacy Rule, reproductive information is the top of the list. There was a December 23, 2024 deadline for covered entities and business associates to have implemented a prohibition of using any personal health information (PHI) for the purposes of imposing liability or investigating reproductive health care that is lawful under state or federal law. That information, per the rule, should not even be provided to law enforcement or courts that seek to punish an individual for providing or facilitating tha

By Adam Turteltaub Well, it turns out that you can be in two places at once, if you are a surgeon. Even better, you can bill the government under the Medicare program for being at both of them. It’s not quite as strange as it sounds, explains Sara Brinkmann, Partner, and Lauren Gennett, Counsel, of King & Spalding, and, of course, there are rules. Overlapping surgeries occur when one attending surgeon is responsible for procedures that overlap in time. The attending may perform the critical part of the procedure in both, assuming they are not supposed to happen at the exact same time. Non-critical portions of the procedure, such as closing the patient, are left to a resident. There must also be a backup surgeon in case something goes awry. Payment for both surgeries is possible so long as there are the requisite safeguards in place and the various other CMS rules are followed. There may also be state requirements to be mindful of as well. If those rules aren’t followed, there is substantial risk. As they

By Adam Turteltaub On November 22, 2024, Principal Deputy Assistant Attorney General Nicole Argentieri recapped the changes made during the Biden Administration in enforcement policies and announced a few new ones. To better understand what this all means, we spoke with Daniel Kahn (LinkedIn) , partner at Davis Polk, and himself a veteran of the DOJ. There were a number of meaningful changes during the last few years, he noted. Most notably the voluntary disclosure program was significantly expanded, with companies with aggravating circumstances now able to still have the possibility of a declination. There is a catch, though, the bar for cooperation has been raised. The organization must have disclosed promptly, engaged in extraordinary cooperation and remediation and have had an effective compliance program at the time of the incident. A new change, just announced, is the addition of what we referred to in the podcast as “clawforwards” in addition to clawbacks.  Organizations are expected to not pay bonu

By Adam Turteltaub Once again it is time to sit down with Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance and discuss what happened last year and where the compliance profession is going in the new one. In this podcast we looked back at 2024 and explored five key topics. Changes from the DOJ The DOJ recently issued a recap of its key activities over the last year or so, and Matt notes that a key change has been an increased willingness to give credit to companies that work with the Department of Justice.  In the past, the DOJ had only given full credit to companies that had self-disclosed, but now there is greater leniency for organizations who have demonstrated that they are willing to cooperate with the government and make serious remediation efforts. Lessons from Recent Dispositions Matt pointed to the TD Bank case and noted that, as he saw it, the company laid the seeds for its scandal by having a zero expense growth strategy  across its business.  That led to compliance spending shrinking

By Adam Turteltaub Retaliation is the bane of every compliance program, with the potential of destroying employee confidence in reporting systems, not to mention embarrassing and expensive lawsuits. It is also complex and can be subtle, explains Keith Read, a former chief ethics and compliance officer and author of the book The Unconventional Compliance Officer: Doing Things Differently. There is overt retaliation, such as firing an employee for blowing the whistle. But there is also softer, more subtle retaliation, such as not including the whistleblower in meetings or on projects. He advises compliance teams to be sensitive to all of the many forms of retaliation and to treat it  as a risk area. That means look at where and how retaliation can occur, and then take the time to determine if is occurring. Track how the careers of whistleblowers go and see if the trajectory has changed for the worse. Also, look to patterns in management.  He found that retaliation followed certain managers around the organiz

By Adam Turteltaub How do you know your compliance program is working, both for your peace of mind or if the government comes knocking? It’s a tough question, and many wonder either how to start measuring or if they’re measuring the right thing. Andrew McBride, Founder & Chief Executive Officer at Integrity Bridge, has a great deal of experience in this area from his time serving as Chief Compliance Officer at Albemarle. In the wake of an FCPA scandal, the company had to be able to demonstrate the strength and effectiveness of its efforts. In this podcast he advises you remember three key questions from the US Department of Justice’s compliance program evaluation criteria: Is the program well designed? Is it applied earnestly and in good faith? Is it working? At the same time, though, he cautions not to just seek simple metrics alone. It’s important to also track why you are measuring what you are measuring. Compliance teams need to take the time to build out the supporting narratives that explain why and

By Adam Turteltaub Oh, come on, we all know it: sometimes the business people get tired of all those compliance requirements. That’s okay and to be expected.  But, how do you know when it has progressed beyond the usual (and maybe healthy) resistance to full-blown exhaustion? Cecilia Fellouse, General Manager of Compliance for Good, warns that, ironically, when the business team stops pushing back, it can be a sign of compliance fatigue. They may just be going behind your back to get what they want. Another troubling sign to watch out for is systematic escalation. Instead of addressing issues to you, they’re taking the issue straight to higher-level management. So, what can cause compliance fatigue and these bad behaviors? She cites several factors and ways to avoid them. Saying “no” too often and being perceived as operating from an ivory tower. Constantly denying requests without providing constructive feedback can make the compliance team seem out of touch. Lack of engagement with frontline teams.

By Adam Turteltaub Do you ever ask yourself, “What kind of compliance officer am I?” Netherlands-based  Susan du Becker, Director, Risk & Compliance at Microsoft, thinks we all should. To her experience, there are two answers to that question. One is a regulatory compliance officer: someone who is focused on the requirements of regulators, potential fines and legal consequence. The other is a business compliance officer, who is focused on what the business needs and how to ensure it achieves its goals while staying within the multitude of white lines the laws and regulations have painted. She envisions herself as the latter, balancing business and regulatory requirements. She recognizes that the business unit will test the limits, and that she is there to make sure there are always two feet solidly on the ground. To keep the business team focused on their legal and regulatory obligations, she advocates for making it clear what lines absolutely may not be crossed, taking the time to meet with them regularl

By Adam Turteltaub Rob Tull (LinkedIn), Managing Director at Effective Compliance LLC wants every compliance officer to be both competent and able to demonstrate it. He advocates for the development of four sequential, underlying skills: Communication The ability to be aware of risks Adaptability, and Decision-making/judgement Underlying all of them is knowledge, and together they form a framework for effective compliance programs. The single most important competency area, he argues, is communication. The ability to translate complex laws and regulations into simple language that helps the business make good decisions is paramount. So, too, is the ability to tailor your message to the audience:  management and the board likely need to hear something different than line managers. Listen in to learn more about what makes for competency for compliance professionals. Listen now