Compliance Perspectives

By Adam Turteltaub Healthcare is often rife with fraud, and organizations struggle to prevent it. To gain a different perspective on how to prevent wrongdoing, we spoke with Alec Burlakoff, a convicted fraudster from Insys Pharmaceuticals who now leads Limitless! Consulting. To prevent fraud, he recommends seriously looking at the incentives program in your organization, especially if there are individuals whose commissions may make up  more than half of their compensation. Such high rates of reward, he warns, provide serious temptation to skirt, or outright disregard, the rules. Look also at the messages that lucrative incentive programs send to others in the organization. Individuals who are inclined to do the right thing may find themselves envying those they see breaking the rules and getting rewarded. It can cause them to emulate the bad behavior that they see. Better, he advises, is to seek ways to reward people who do things the right way and build sales for the long term. When it comes to discipline, he takes a very hard line. Many companies, he finds, have zero tolerance policies, but they may not apply them. That, he believes, has to stop. The only way to get the attention of the workforce is to swiftly punish, including terminating, employees who break the rules. Finally, he advises compliance teams to understand the thinking of businesspeople. Know what motivates them, understand their thinking, and get inside their heads. Only then will you be able to effectively reach them. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Are your helpline calls being responded to properly? Are the investigations proceeding expeditiously and properly? To find out, it’s good to do an audit periodically. Before you can begin, though, you need to determine if there is enough available data for an audit, cautions Juliette Gust, President of Ethics Suite, and author of the chapter “Auditing the Confidential Reporting Hotline and Case Management Program Effectives” in the new edition of The Complete Compliance and Ethics Manual. Many compliance programs still do not have formal processes in place, and for them, it’s best to start with a gap analysis. If you do have data, look at how you are tracking both the allegations and the work being doing as a result. How quickly are allegations being reviewed? Is someone letting the reporter know that their allegation has been received and is being acted on? How are you safeguarding the data, including being sensitive to the potential need for attorney-client privilege? Spend time, too, on auditing what is being done to encourage whistleblowing. What is the tone at the top? Are managers doing their compliance training and how quickly? How often does the compliance and ethics committee meet? Does it have a charter? Do the meetings have an agenda, and are they being followed? Another area for potential audit is the investigator. Are your investigators properly trained?  Is there enough staff to do the investigation? Is the investigation appropriately scoped? Curious to learn more about how to audit your helpline and responses to allegations? Listen in now and check out The Complete Compliance and Ethics Manual. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Think you don’t have to worry about the SEC because you’re at a private company or a non-profit? Think again says, Kevin Muhlendorf, attorney at Wiley Rein. You may still end up in the Commission’s crosshairs. He warns that the SEC’s power of investigations expands far and wide, and just being a supplier to a publicly-traded company may lead them to focus on your business. If a private company is acquired by a public one or makes even a non-public offering, there is risk of fraud and SEC action. Lie to an accounting firm and the SEC may become involved. And don’t forget about the risk of parallel investigations involving multiple enforcement authorities. Another risk area is shadow trading. Let’s say your hospital is a part of a clinical trial, and an employee sees it is going well. If that employee decides to short the stock of the drug’s competitor, that could be an issue that falls under the SEC. So what should you do? Keep an eye out for these risks and pay attention to recent enforcement activity and dispositions. Oh, and listen to this podcast. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Business transformations can be times both of risk and opportunity for compliance programs. Employees, struggling to understand the changes around them and feeling stressed, may opt to do the wrong or at least ill-advised things. By the same token, transformations provide an opportunity for compliance teams to change their roles within the organization and redefine the value that they bring. Jill Swain, Global Ethics Manager and Dawn Wood, Engagement, Training and Programme Manager at Rolls-Royce went through a major business transformation and will be sharing their insights from that experience in a session at the 2025 SCCE European Compliance & Ethics Institute. In this podcast they share an abbreviated version of the journey and lessons taken from it. Rolls-Royce, as it transformed itself, wanted employees to understand that ethics and compliance are a part of “winning right” and helping the companies achieve its goals. The compliance teams met the challenge by embarking on several initiatives, both broad and narrow. They: Conducted a Win Right Week Identified the need for ensuring that conflicts of interest were reviewed when reporting lines changed Helped employees understand common dilemmas and how to resolve them Became an integral part of the employee hub to make it easier to access information and ask questions Rolled out a new third party risk management platform In sum, it was a transformation both of the organization and the compliance program within it. Listen in to learn more about what they did and learned through a period of corporate transformation.  Then, join them at the 2025 SCCE European Compliance & Ethics Institute. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Oh, Artificial Intelligence. So much promise, and so much risk. What’s a compliance and ethics professional to do? Start by listening to this podcast about the chapter “Managing the Ethics and Compliance Risks of Artificial Intelligence” in the 2025 edition of The Complete Compliance & Ethics Manual. We spoke with the article’s co-authors, Gwen Hassan (chief compliance officer at Unisys), Dr. Anthony J. Rhem (CEO and principal consultant at A.J. Rhem & Associates), and Patrick Henz (special advisor for compliance, Latin America, for Mitsubishi Heavy Industries Americas). They explain that when we speak of AI we aren’t talking about one technology but a wide range of them. Generative Ai may be getting the most attention but there is also natural language processing, neural networks, expert systems, machine learning and many more. As a result, compliance teams need to understand what form of AI is being used at their organization. When it comes to legal and regulatory frameworks to serve as guidance, it is probably best to look to Europe, which has taken a much more active approach than the US. The United States has just a patchwork of state laws. On the federal level, an executive order from the previous administration has been rescinded by the current one, leaving no national guidance. Despite the legal vacuum, there ae still risks such as bias to manage. As a result organizations need to have clear guidance on what AI can and cannot be used for. There should also be a risk assessment framework that includes: Assessing the data risk Understanding the model Assessing cybersecurity and compliance risk Evaluating ethical risk Continuous monitoring and updating Listen in to learn more about how to manage the possibilities and risks of AI. Then be sure to check out the 2025 edition of The Complete Compliance & Ethics Manual. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Sometimes you make a few technical changes to a compliance program  because a law or regulation has changed. Autoliv didn’t want to do that and just meet technical requirement of the EU Whistleblower Directive. They wanted to use it as an opportunity to assess what they were doing to encourage employee reporting, whether it was working, and to improve support for people speaking up. Erica Wikman, Vice President, Corporate Compliance, Autoliv and David Barr (LinkedIn), co-founder of Campbell Barr, tells us in this podcast that they shared a vision of moving away from just whistleblowing. Research showed it can have negative connotations.  In addition, whistleblowing tended to be interpreted narrowly, with tremendous variations by region. They also found a fear of either retaliation or that nothing would be done. So, the Autoliv compliance team began to think more broadly and encourage people not just to speak up when they saw a potential compliance issue but also when they saw something positive in the organization or just wanted to express gratitude. Along with that change of scope, they decided to open the lines of communication and encourage employees to bring their concerns and praise wherever they were most comfortable. To make it work they reached out to HR, manufacturing, quality and the health and safety team. Together these groups identified similar needs and dialogue and a willingness of leadership in those areas to come up with a common, welcoming approach to speaking up. By making speaking up more natural and a part of the business dialogue, they were able to lower the barrier to raising issues and turn perceptions around. A potential negative had become a positive. Listen in to learn more about what they did and how you could change the entire atmosphere around speaking up. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub So the IT folk can’t wait for your business people to delete those old documents, meantime, the business people want to hold onto them because they never know when they might need that info again. Then, all of a sudden there’s a legal issue and a hold is in place. Instantly the game changes. Chris Kruse, Executive Vice President & Advisor at CasePoint explains that when a legal hold is placed several things need to happen: Employees with relevant need to be identified They need to be placed on notice of the obligation to preserve any relevant information. They need to be instructed on how to proceed going forward The custodians of the data need to acknowledge that they have been notified and understand their obligations Individuals with the data need to be reminded that if they create new data it also needs to be retained Securing all the documents and data can be difficult for several reasons. These range from the simple, such as an employee who doesn’t read the email with the instructions to preserve data, to the complex, such as identifying all the different kinds of documents and where they may be stored. Get it wrong, and things can go south pretty quickly. Listen in to learn more about how to ensure that your document hold doesn’t cause more problems than it solves. Listen now

By Adam Turteltaub You do all that work but how do you know you’re being successful? It’s not like people come running in the door and say, “Hey, guess what bad thing I almost did.” The compliance team at the National Security Agency (NSA) had that same challenge. In this podcast, Natalie Knowles, Director of Compliance, and Zack Conyne, Manager, first provide an overview of the NSA. As they explain it has two primary missions:  cybersecurity and signals intelligence. Every employee there annually takes an oath to defend the Constitution, which is, of course, a great reminder of the organization’s values. The compliance team is there to ensure that NSA activities are consistent with the law, including policies and procedures designed to protect privacy and civil liberties. The team measures the success of the program both using quantitative and qualitative metrics. Along the way they have learned a great deal, including the importance of telling a story, managing the complexity of data, and the importance of looking to trends. Listen in to learn more and to benefit from the insights they have gained in measuring the success of their compliance program. Listen now

By Adam Turteltaub When we last spoke with Tyler Shultz back in 2020, he discussed his experience at Theranos as both an employee and a whistleblower. Four years later, the case is in the rearview mirror, the former CEO is in prison, he founded two startups of his own, and he now speaks to corporations about cultivating courageous work cultures With the benefit of some time and distance, he shares in this podcast his experiences and what he has learned, particularly about corporate culture. The behaviors he saw at Theranos provided for him a lesson in what not to do. There, he felt the dysfunctional culture was created intentionally. Management, he believed, wanted employees to fear them and reinforced that through locked doors, barricades and firing people who disagreed with leadership.  here were even NDAs that restricted the ability of employees to speak with each other. To create a good culture, he argues, companies need to do the opposite of what he saw at Theranos. First, start by defining what the core values of the organization are to give employees a common language with which to discuss potential issues. Next, create a culture that reinforces those values.  That includes: Ensuring that the policies match the values Not having overly restrictive NDAs Preventing the formation of silos Encouraging collaboration Watching out for high levels of turnover Being transparent with regulators and investors Listen in to learn more about how to create the right culture and avoid becoming the next Theranos. Listen now

By Adam Turteltaub Few things hold more promise, or cause more stress for compliance professionals, than AI. What is it?  How does it work? And does anyone know how to keep it from showing so much bias? David Silva, Chief Compliance Officer at Collaborative Imaging, will be addressing the topic of “Healthcare, Artificial Intelligence, and Compliance” at the 2025 HCCA Compliance Institute, which will takes place April 28-May 1 in Las Vegas. To get some of his insights now, we sat down  for this podcast. David explains that part of the challenge is that AI is so fast changing that it’s hard to keep up. We don’t yet know what we don’t know about it. At the same time, though, the technology is showing great promise in healthcare in areas such as coding, simple reports and helping with third-party vetting. Compliance teams have an important role to play in the implementation of AI in healthcare, he explains. Ideally, they should be a part of the AI governance team, working with a broad range of departments and helping to ensure that programs are monitored to avoid issues with privacy or the False Claims Act, for example. So how should compliance professionals become a valued and effective part of AI efforts? He advocates for staying engaged and pushing to be invited to meetings. When there, keep your ear to the ground, learn more about operational workflows, and try to make sure that AI does what it is supposed to do, without crossing legal and regulatory lines. Listen in to learn more, then join us for even more at the 2025 HCCA Compliance Institute. Listen now