
DoJ Updates Guidance for the Evaluation of Corporate Compliance Programs

The Department of Justice has updated its guidance for the Evaluation of Corporate Compliance Programs to incorporate directions given by the “Monaco Memo” – e.g. to consider the existence and application of compensation claw back policies and to investigate how organizations monitor the potential misuse of personal mobile devices in the workplace.

The Evaluation of Corporate Compliance Programs is a document produced by the Department of Justice’s Criminal Division to guide federal prosecutors on factors they should evaluate when considering a resolution agreement. Although intended for the Criminal Division, other agencies within the DoJ have been encouraged to refer to the guidance when prosecuting non-criminal cases.

In the context of how the Evaluation of Corporate Compliance Programs might impact healthcare organizations, two of the agencies encouraged to refer to the guidance are the Civil Division – which prosecutes civil cases of fraud against the Government (e.g., Medicare fraud) – and the Civil Rights Division, which enforces laws prohibiting discrimination in federally funded programs (e.g., SAMHSA).

The Background to the Guidance Update

Guidance for the evaluation of corporate compliance programs was first published by the Fraud Section of the DoJ’s Criminal Division in 2017. The original guidance contained 119 sample questions developed from the Principles of Federal Prosecution of Business Organizations that the Fraud Section had found relevant when evaluating corporate compliance programs and their effectiveness.

The guidance was updated in 2019 and again in 2020. In the first update, the structure was changed to focus on three key questions, and the guidance was applied to all Sections of the Criminal Division. The second update expanded the guidance on topics such as using data to shape corporate compliance programs and ensuring organizations adequately resource the compliance function.

The Monaco Memorandum Section D

The latest update is attributable to the content of a memorandum issued by Deputy Attorney General Lisa Monaco (the “Monaco Memo”). Section D Part 1 of the Memo directs prosecutors to consider whether organizations have – and apply – policies to claw back compensation from a current or former executive when the executive is responsible for the criminal conduct being investigated.

Section D Part 2 of the Memo directs the Criminal Division to consider the ability of companies to monitor the use of personal mobile devices for misconduct, and their ability to recover relevant data from the devices during a subsequent investigation. The Memo states corporate compliance programs should include policies on the use of personal mobile devices, organizations should provide training on the policies, and sanctions should be applied when the policies are violated.

How Has the Memo Changed the Guidance?

The directions of the Monaco Memo have been carefully worked into several sections of the revised guidance for the evaluation of corporate compliance programs. For example, Question II Section C (“Compensation Structures and Consequence Management”) includes several references to recouping previously awarded compensation and imposing financial penalties for misconduct.

Similarly, Question III Section B (“Investigation of Misconduct”) has multiple questions relating to BYOD and personal messaging applications. These include whether or not an employee has ever refused to permit access to corporate data maintained on a personal mobile device, what the consequences of such a refusal would be, and whether those consequences have ever been applied.

Why the Update is Relevant to Healthcare Organizations

The update is relevant to healthcare organizations because of the number of workforce members that use personal mobile devices in their daily workplace routines. While it is unlikely that workforce members are stealing or misusing corporate data (though the possibility exists), the potential for Protected Health Information to be used and disclosed impermissibly is high.

Healthcare organizations should review the updated guidance for the evaluation of corporate compliance programs – not only to assess the effectiveness of policies relating to claw backs and mobile devices, but also to identify what else OCR investigators may be looking for in the organization’s HIPAA compliance program in the event of a data breach investigation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
