A Lesson From HIPAA: Adequate Policies and Procedures are Equally as Important for Foreign Corrupt Practices Act Compliance

Abstract

The U.S. Department of Health and Human Services has cited and fined more than one company for not having adequate policies and procedures in place relating to the Health Insurance Portability and Accountability Act (HIPAA), as required under 45 CFR §164.316. Just as covered entities, business associates, and subcontractors are required to conduct a risk analysis to determine compliance with the standards related to HIPAA, so are entities doing business internationally required to show that a compliance program, which includes a risk assessment that has adequate policies and procedures, anti-bribery provisions, and adequate internal controls for accounting books and records to be compliant with the U.S. Foreign Corrupt Practices Act (FCPA). This article will highlight the FCPA, provide an example of a recent case where inadequate policies and procedures led to a significant fine, and provide a list of items that both internal and external auditors may include in their own compliance evaluations.

Notes

i. American Bar Association, The International Lawyer Vol. 45, No. 4 (Winter 2011). http://www.americanbar.org/content/dam/aba/publications/international_law_news/inl45_4_issue_blurb.authcheckdam.pdf (accessed February 28, 2015)

ii. U.S. Securities and Exchange Commission, Spotlight on Foreign Corrupt Practices Act, https://www.sec.gov/spotlight/fcpa.shtml (accessed February 28, 2015) (indicating that the SEC has a specialized unit within its Enforcement Division dedicated to FCPA enforcement).

iii. The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§78dd-1, et seq.

iv. 15 U.S.C. § 78m.

v. U.S. Department of Justice—Criminal Division, Foreign Corrupt Practices Act, https://www.us.doj.gov (accessed February 28, 2015).

vi. See, http://www.justice.gov/opa/pr/ralph-lauren-corporation-resolves-foreign-corrupt-practices-act-investigation-and-agrees-pay (accessed February 28, 2015).

vii. See, http://www.sec.gov/news/press/2008/2008-294.htm (accessed February 28, 2015).

viii. U.S. Department of Justice—Office of Public Affairs, Ralph Lauren Corporation Resolves Foreign Corrupt Practices Act Investigation and Agrees to Pay $882,000 Monetary Penalty, http://www.justice.gov/opa/pr/ralph-lauren-corporation-resolves-foreign-corrupt-practices-act-investigation-and-agrees-pay (accessed February 28, 2015).

ix. See, http://www.justice.gov/criminal/fraud/fcpa/cases/ralph-lauren.html (accessed February 28, 2015).

x. Anja Manuel, Creating an Effective FCPA Compliance Program: A Comprehensive Checklist (August 2011), www.eca.lrn.com

xi. Ibid. at 1.

xii. Ibid.

xiii. Ibid. at 2–3.

Additional information

Notes on contributors

Rachel V. Rose

Rachel V. Rose, JD, MBA is a Principal with Rachel V. Rose—Attorney at Law, P.L.L.C. located in Houston, TX. Ms. Rose holds an MBA with minors in healthcare and entrepreneurship from Vanderbilt University, and a law degree from Stetson University College of Law, where she graduated with various honors, including the National Scribes Award and The William F. Blews Pro Bono Service Award. Ms. Rose is licensed in Texas. Currently, she is chair of the Federal Bar Association’s Corporations and Associations Counsel Division, the co-editor of the American Health Lawyers Association’s Enterprise Risk Management Handbook for Healthcare Entities (2nd edition) and Vice-chair of the Distance Learning Committee for the Health Law Section of the American Bar Association and co-author of the ABA’s publications, What Are International HIPAA Considerations? and The ABCs of ACOs. Ms. Rose is an Affiliated Member with the Baylor College of Medicine’s Center for Medical Ethics and Health Policy. She can be reached at [email protected].