Draft OIG Compliance Program Guidance for Recipients of PHS Research Awards

AGENCY:

Office of Inspector General (OIG), HHS.

ACTION:

Notice and comment period.

SUMMARY:

This Federal Register notice seeks the comments of interested parties on draft compliance guidance developed by the Office of Inspector General (OIG) for recipients of extramural research awards from the National Institutes of Health (NIH) and other agencies of the U.S. Public Health Service (PHS). Through this notice, OIG is setting forth its general views on the value and fundamental principles of compliance programs for colleges and universities and other recipients of PHS awards for biomedical and behavioral research and the specific elements that these award recipients should consider when developing and implementing an effective compliance program.

DATES:

To assure consideration, comments must be delivered to the address provided below by no later than 5 p.m. on December 28, 2005.

ADDRESSES:

Please mail or deliver written comments to the following address: Office of Inspector General, Department of Health and Human Services, Attention: OIG-1026-CPG, Room 5246, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201.

We do not accept comments by facsimile (FAX) transmissions. In commenting, please refer to file code OIG-1026-CPG. Comments received timely will be available for public inspection as they are received, generally beginning approximately 2 weeks after publication of a document, in Room 5527 of the Office of Inspector General at 330 Independence Avenue, SW., Washington, DC 20201 on Monday through Friday of each week from 8 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT:

Richard B. Stern, Office of Counsel to the Inspector General, (202) 619-0335, or Joel Schaer, Office of External Affairs, (202) 619-0089.

SUPPLEMENTARY INFORMATION:

Background

Compliance program guidance (CPG) is a major OIG initiative that was developed to assist the health care community in preventing and reducing fraud and abuse in Federal programs. In the last several years, OIG has developed and issued compliance program guidance directed at the following segments of the health care industry: clinical laboratories; hospitals; home health agencies; third-party medical billing companies; durable medical equipment, prosthetics, orthotics and supply companies; Medicare+Choice organizations offering coordinated care plans; hospices; nursing facilities; individual and small group physician practices; ambulance suppliers; and pharmaceutical manufacturers. Copies of these CPGs can be found on the OIG Web site at http://oig.hhs.gov/fraud/complianceguidance.html.

Under its governing statute, OIG's oversight responsibility extends to all programs and operations of the Department of Health and Human Services (HHS or Department) and, accordingly, OIG promotes compliance efforts by all recipients of Department funds. One community of paramount importance to the Department's public health efforts is that of colleges, universities, and other recipients of public funds that conduct biomedical and behavioral research. These institutions may have organizational differences from the users of past compliance guidances, but we believe they have the same basic need to promote compliance measures. We understand that research institutions have been developing compliance programs in increasing numbers. Moreover, over the last several years slightly more than 50 percent of recipients of NIH research awards have been medical schools, many of which may already have health care compliance programs in their affiliated hospitals.

As with OIG's earlier CPGs, the purpose of this draft guidance is to encourage the use of internal controls to effectively monitor adherence to applicable statutes, regulations, and program requirements. In developing the guidance, we have focused specifically on grant compliance and administration issues, i.e., whether recipients of research awards have misused program funds under the statutes, regulations, and other requirements governing the use of those funds. We believe this focus is consistent with OIG's responsibility for the identification of program overpayments and, in appropriate situations, the investigation of civil or criminal fraud. However, we believe that the principles set forth in the guidance will also assist institutions in developing compliance programs for their other activities wherein issues of program compliance arise.

This draft guidance for recipients of PHS research awards contains seven elements that have been widely recognized as fundamental to an effective compliance program, and an additional element—number 8 below—that we believe is especially important for research institutions. The eight elements include:

1. Implementing written policies and procedures,

2. Designating a compliance officer and compliance committee,

3. Conducting effective training and education,

4. Developing effective lines of communication,

5. Conducting internal monitoring and auditing,

6. Enforcing standards through well-publicized disciplinary guidelines,

7. Responding promptly to detected problems and undertaking corrective action, and

8. Defining roles and responsibilities and assigning oversight responsibility.

As with previously issued guidances, this draft CPG represents OIG's suggestions regarding how institutions can establish internal controls to ensure adherence to applicable rules and program requirements. The contents of the guidance should not be viewed as mandatory or as an exclusive discussion of the advisable elements of a compliance program. Moreover, the guidance does not establish a set of program rules or standards by which to evaluate the compliance of an institution. Rather, it is merely a set of suggestions regarding how institutions may establish internal controls to allow the institution to better comply with rules and standards that apply to PHS extramural research awards.

Developing This Draft Compliance Program Guidance

In developing this draft guidance, we have consulted closely with NIH, which dispenses the majority of biomedical and behavioral research awards within HHS, and have coordinated as well as with other PHS agencies that have compliance responsibilities for biomedical and behavioral research awards. The statutes, regulations, and policies pertaining to NIH and other PHS awards constitute an appropriate focus for award recipients who seek to establish an effective compliance program. We have also consulted with the U.S. Department of Justice and with OIGs of other agencies—such as the National Science Foundation—that fund significant extramural research.

In an effort to receive initial input on this guidance from the research community, we published a Federal Register notice on September 5, 2003, (68 FR 52783), “Solicitation of Information and Recommendations for Developing Compliance Program Guidance for Recipients of NIH Research Grants.” In response to that notice, we received a total of 20 comments from research institutions, associations, and from one individual.

Although the September 5, 2003, solicitation notice requested information and recommendations for developing a CPG for recipients of research awards only from NIH, we have expanded the scope of the guidance to other biomedical and behavioral research awards from the public health agencies of this Department. In part, we made this change based on a comment, received in response to the solicitation, that we avoid inconsistent sets of guidance from various agencies. In addition to NIH, which awards the majority of HHS (and Federal) research awards, other public health agencies that fund biomedical and behavioral research include the Agency for Healthcare Research and Quality, the Agency for Toxic Substances and Disease Registry, the Health Resources and Services Administration, the Indian Health Service, the Centers for Disease Control and Prevention, the Substance Abuse and Mental Health Services Administration, and the Food and Drug Administration.

In an effort to ensure that all parties have an opportunity to provide input into OIG's guidance, we are publishing this guidance in draft form. We welcome any comments regarding this document from interested parties. OIG will consider all comments that are received within the above-cited timeframe, incorporate any specific recommendations as appropriate, and then prepare a final version of the guidance for publication in the Federal Register The final version of the guidance will be available on the OIG Web site at http://oig.hhs.gov.

Draft OIG Compliance Program Guidance for Recipients of PHS Research Awards (November 2005)

I. Introduction

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS or Department) is continuing in its efforts to promote voluntary compliance programs for recipients of Department funding. This is the first guidance that is designed for a segment of the Federal grant community and that is not specifically focused on Medicare and Medicaid issues. However, many recipients of Public Health Service (PHS) research awards are familiar with our previous compliance guidances, in part because among the largest recipients of PHS research funds are academic medical centers, which were the focus of one of our first compliance guidances, to the hospital industry, in February 1998.

As with the earlier guidances, this compliance guidance is intended to assist recipients of PHS biomedical and behavioral research awards in developing and implementing internal controls and procedures that promote adherence to applicable statutes, regulations, and other requirements of PHS programs. This compliance guidance follows closely those earlier guidances in its format and basic elements. At the same time, this guidance departs from those earlier publications in certain areas to accommodate the many differences for recipients of extramural research awards.

As with hospitals and other health care companies, an increasing number of colleges, universities, and other recipients of PHS biomedical and behavioral research funds have developed compliance programs. One purpose of this guidance is to assist these institutions in evaluating and, as necessary, refining existing compliance programs.

This guidance is not a compliance program itself, nor does it establish a set of cost principles or program requirements, which would be beyond the responsibility of OIG. This guidance does not establish criteria by which to conduct an audit or review of regulatory or program compliance. Rather, it is intended to serve as a set of guidelines that recipients of extramural research awards may consider when developing and implementing a compliance program or evaluating an existing one. For those institutions with an existing compliance program, this guidance may serve as a useful comparison against which to measure ongoing efforts.

We recognize that there are recipients of biomedical and behavioral research awards that may be small institutions or businesses, such as those receiving funds under the Small Business Innovation Research (SBIR) program, or that may be larger institutions that receive a relatively small amount of PHS funding. We anticipate that these institutions share with larger entities the same basic concern about establishing effective internal controls to monitor adherence with Federal program requirements. However, some of these institutions may determine that it is not practicable to establish the same type of comprehensive compliance program that may exist, for example, at an academic research institution associated with a medical school. We encourage these institutions to develop a compliance program that relies on the same eight basic elements of the guidance, but that is suited to their own size and needs.

A. Scope of the Compliance Program Guidance

Because the responsibilities of OIG are focused on the effective operation of this Department's programs and the misuse of its funds, the scope of this voluntary guidance concentrates on issues that fall under the rubric of grant compliance and administration. By this, we mean those issues involving the application of statutes, regulations, and other program requirements that affect the “allowability” of costs and whether awardees should be subjected to a disallowance action or, in appropriate circumstances, an investigation for criminal or civil fraud. This guidance is also focused specifically on PHS awards from this Department. We recognize that institutions may have multiple sources of funding and that the term “compliance” is used more broadly by the research community to include areas such as human and animal subject research, conflicts of interest, research misconduct, and intellectual property issues. While this guidance is not focused on these other award sources and these other regulatory areas, the compliance elements presented by this guidance may be useful in connection with other sources of funding and with regard to other regulatory areas. For example, appointing a compliance officer and committee, developing a code of conduct, and instituting a training and education program would contribute to promoting compliance with National Science Foundation award requirements, as well as requirements related to research misconduct and human subject research.

Institutions may currently have, or be considering, separate compliance systems for their various areas of regulated activity. We recognize that each of these areas may involve distinct personnel and present different regulatory frameworks. However, because the basic elements for a compliance program are shared among these systems, institutions may receive management efficiencies by integrating their compliance efforts through the elimination of overlapping systems or by developing a single compliance program covering all compliance areas. Integrating compliance systems may also offer collateral benefits. For example, audits and reviews of one area of compliance may develop information useful to other areas.

OIG also recognizes that a body of literature already exists on research compliance issues, including guidance on establishing a compliance program. Nonetheless, we believe that providing OIG CPG consistent with the other compliance guidances we have published is appropriate. For the convenience of the reader, we have compiled a bibliography of some of these other publications, which is attached to this guidance as Appendix A.

Our experience with compliance programs is that an institution's implementation of a serious, meaningful, and effective compliance program may require a significant commitment of time and resources, especially for those institutions that have not developed a compliance program in the past. We believe, however, that this commitment is justified by the benefits of a compliance program.

B. Benefits of a Compliance Program

While the decision to implement a compliance program is entirely voluntary, OIG believes that an effective compliance program provides numerous advantages that will inure to the benefit of institutions that choose to establish one. An effective compliance program addresses the Government's and research community's mutual goals of ensuring good stewardship of Federal funds by eliminating erroneous or improper expenditure of Federal research funds, improving administration of grants (both from the Federal Government and from private sources), and demonstrating to employees and the community at large the institution's commitment to honest and responsible conduct. These goals may be achieved by:

• Identifying and correcting unlawful and unethical behavior at an early stage;
• Encouraging employees to report potential problems and allowing for appropriate internal inquiry and corrective action;
• Minimizing, through early detection and reporting, any financial loss to the Government and any resulting financial loss to the institution; and
• Reducing the possibility of Government audits or investigations regarding unallowable payments or fraud that could have been prevented at an early stage.

Institutions may also want to note that several of the elements of this compliance guidance are considered “mitigating factors” that must be considered as part of a formal debarment action by the Department.

C. Application of Compliance Program Guidance

There is no single “best” compliance program. Institutions may take differing approaches to how they rely upon internal audits in monitoring compliance issues, how they comprise their compliance committee, and whether they include compliance for research misconduct and human and animal subject protections as part of a single compliance program. Some institutions may already have a compliance program in place; others only now may be initiating such efforts.

Institutions may also have identified, through audits or internal inquiries, particular management concerns or areas of high risk that may call for developing or refining compliance elements to address these areas.

OIG has identified three major potential risk areas for recipients of NIH research awards: (1) Time and effort reporting, (2) properly allocating charges to award projects, and (3) reporting of financial support from other sources. These risk areas, although not exhaustive of all potential risk areas, are discussed in greater detail in section II below.

The compliance measures adopted by an institution should be tailored to fit the unique environment of the institution (including its organizational structure, operations and resources, as well as prior enforcement experience). In short, OIG recommends that each institution should adapt the objectives and principles underlying the measures outlined in this guidance to its own particular circumstances.

II. Risk Areas

As with previous OIG CPGs, in this section we highlight examples of risk areas to assist institutions in developing a compliance program. The identification of risk areas is an important aspect of formulating policies and procedures, developing a training and education program, and conducting internal monitoring and audits. This section addresses a few examples of risk areas for recipients of PHS research awards that have come to OIG's attention: (1) Time and effort reporting, (2) properly allocating charges to award projects, and (3) reporting of financial support from other sources. The areas identified in this section are in no way intended to be exhaustive of all potential risk areas. Institutions may identify other areas based on their own operations and experiences. As an example, subrecipient monitoring may be an important risk area for those institutions that rely heavily on their own grants and contracts to fulfill the purposes of a PHS award.

A. Time and Effort Reporting

One critical compliance issue is the accurate reporting of research time and effort. Because the compensation for the personal services of researchers—both direct salary and fringe benefits—is typically a major cost of a project, it is critical that the portion of the researcher's compensation for particular research projects be accurately reported. One reason that we view time and effort reporting as a critical risk area is that many researchers have multiple responsibilities—sometimes involving teaching, research, and clinical work—that must be accurately measured and monitored. In the course of a researcher's workday, the separation between these areas of activity can sometimes be hard to discern, which heightens the need to have effective timekeeping systems.

For this reason, institutions need to be especially vigilant in accurately reporting the percentage of time devoted to projects. Accurate time and effort reporting systems are essential to ensure that PHS and other funding sources are properly charged for the activities of researchers. The failure to maintain accurate time and effort reporting may result in overcharges to funding sources and, in certain circumstances, could subject an institution to civil or criminal fraud investigations.

We are aware of situations in which researchers falsely report the amount of time they intend to devote to research projects. For example, it would be clearly improper for researchers in award applications to separately report to three awarding agencies that they intend to spend 50 percent of their time on each of the three awards. Some recent cases we have seen involved the “commitment of effort” by researchers wherein the Government believed that the institution failed to account properly for the clinical practice time of researchers, in addition to their academic and research time at the institution. As an example, it would be improper to report to NIH or another awarding agency that 70 percent of a researcher's time would be spent on an award when 50 percent of the researcher's time would be spent on clinical responsibilities.

For colleges and universities, the rules governing compensation for personal services, including payroll distributions, are contained in OMB Circular A-21, Cost Principles for Educational Institutions, section J.10. Under section J.10 of OMB Circular A-21, institutions must establish a system of payroll distribution and must usually maintain “after-the-fact Activity Reports” or employ another method to report accurately the distribution of activity of employees. (See especially, section J.10, paragraphs b.(2)(a)—(c)). The accuracy of these activity reports is critical for the awarding agency to understand the amount of research conducted under the award. More specific guidance is contained in the instructions to PHS Form 398, Application for a Public Health Service Grant, available at www.grants.nih.gov/grants/funding/phs398/phs398.html (“Definitions,” definition of “Institutional Base Salary”), and in the NIH Grants Policy Statement, Part I, Definitions, available at http://grants1.nih.gov/grants/policy/nihgps (“Glossary,” definition of “Institutional Base Salary,” and Selected Items of Cost, “Salaries and Wages” and “Payroll Distribution”).

Another issue in reporting the commitment of effort to research projects is the accurate and consistent treatment of “institutional base salary” (IBS). IBS effectively serves as the denominator in calculating the proportion of an employee's activity that is allocated to particular Federal awards. While IBS typically includes only nonclinical work of employees, certain institutions include clinical work based on a more expansive definition of the “institution” for cost reporting purposes. For those institutions, it is critical that the clinical and nonclinical work activities of researchers are reported so that salary is correctly allocated among Federal and non-Federal sources.

B. Properly Allocating Charges to Award Projects

Research institutions commonly receive multiple awards for a single research area. It is essential that accounting systems properly separate the amount of funding from each funding source. Institutions must also be vigilant about clearly fraudulent practices such as principal investigators on different projects banking or trading award funds among themselves. The failure to account accurately for charges to various award projects can result in significant disallowances or, in certain circumstances, could subject an institution to criminal or civil fraud investigations.

In one recent civil fraud action, an institution settled allegations by the Government that it made end-of-year transfers of direct costs on various Federally funded research awards from overspent accounts to underspent accounts, with the purpose of maximizing its Federal reimbursement and, in some cases, avoiding the refunding of unused grant proceeds.

The general principles governing the allocation of costs are found in the appropriate sets of cost principles, such as OMB Circular A-21 for colleges and universities. Among those principles in Circular A-21 is the rule that a “cost is allocable to a particular cost objective * * * if the goods or services involved are chargeable or assignable to such cost objective in accordance with relative benefits received or other equitable relationship.” Circular, § C.4. Additional guidance on the allocation of costs may be found in the NIH Grants Policy Statement, Part II, Cost Considerations, available at htttp://grants1.nih.gov/grants/policy/nihgps. Also, the Departmental Appeals Board has jurisdiction over cost allocation and rate disputes, as well as more generally over direct, discretionary grants, including biomedical research grants from NIH. (The Board's process is described in 45 CFR part 16.) Several Board decisions address the proper allocation of costs by colleges and universities.

As with other administrative requirements governing Federal awards, the improper allocation of charges to various sources is not a mere “accounting problem,” in the sense that it has no real impact on the conduct of science. On the contrary, the failure to allocate correctly charges—whether because of poor record-keeping or as part of an intent to deceive funding sources—has the effect of drawing away limited Federal research funds from projects for which they were intended and subverting the Government's ability to distribute funds to those projects most in need of support.

C. Reporting Financial Support From Other Sources

As with the proper reporting of time and effort and the allocation of charges, the reporting of financial support from other sources is critical for the awarding agency to understand the commitment of resources by the grantee to a particular project or award. Without complete and accurate information on other funding sources, PHS may be unable to determine whether a particular project should be funded and the amount of such funding. In some cases, failure to identify other support for a research project could cause PHS to provide duplicate funding to the project. At a minimum, information on other support would allow PHS to use its limited resources on other worthy projects that might otherwise be left unfunded.

For PHS awards, the reporting of other financial support is a required element of award applications and the failure to provide this information could, in certain, subject an institution to a criminal or civil fraud investigation. Other funding support is required to be reported as part of the application for funding (PHS Form 398), the instructions for which state that the applicant organization must disclose all compensation and salary support. (See PHS 398 Rev. 9/2004, § III.H (“Other Support”) available at http://www.grants.nih.gov/grants/funding/phs398/PolAssurDef.doc.) Moreover, the face page of the PHS application includes a certification by both the Principal Investigator/Program Director and by the Applicant Organization that all statements in the application are “true, complete, and accurate to the best of my knowledge” and that “false, fictitious, or fraudulent statements or claims could subject me to criminal, civil, or administrative penalties.” (The face page is available at http://www.grants.nih.gov/grants/funding/phs398/fp1.doc.) Additional guidance for NIH grants is found in the NIH Grants Policy Statement, Part II, Just-in-Time Procedures, available at http://grants1.nih.gov/grants/policy/nihgps .

A problem related to the failure to accurately and completely report support from other financial sources is the charging of both award funds and Medicare and other health care insurers for performing the same service. This is clearly improper and has subjected institutions to fraud investigations.

III. Compliance Program Elements

A. The Basic Compliance Elements

At a minimum, a comprehensive compliance program should include the following elements:

(1) The development and distribution of written standards of conduct, as well as written policies and procedures, that reflect the institution's commitment to compliance.

(2) The designation of a compliance officer and a compliance committee charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the head of the organization, such as the president and/or the board of regents in the case of a university.

(3) The development and implementation of regular, effective education and training programs for all affected employees.

(4) The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions that are addressed in a timely and meaningful way, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.

(5) The clear definition of roles and responsibilities within the institution's organization and ensuring the effective assignment of oversight responsibilities.

(6) The use of audits and/or other risk evaluation techniques to monitor compliance and identify problem areas.

(7) The enforcement of appropriate disciplinary action against employees or contractors who have violated institutional policies, procedures, and/or applicable Federal requirements for the use of Federal research dollars, and

(8) The development of policies and procedures for the investigation of identified instances of non-compliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures.

B. Written Policies and Procedures

In developing a compliance program, every institution should develop and distribute written policies and procedures addressing compliance with Federal award requirements. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and relevant institution officials. They should also be reviewed at regular intervals to ensure that they are current and relevant.

At a minimum, the policies and procedures should be provided to all faculty members and other employees who are affected by them, to students who may be conducting research with Federal awards, and to any agents or contractors who may furnish services in connection with Federal research awards. The policies and procedures should be easily found and accessible, such as, for example, on the institution's Internet or intranet site. Since institutions also typically maintain policies and procedures governing other compliance issues, including conflicts of interest, human subject research, and the maintenance and reporting of research data, they may choose to compile these various policies and procedures on a single Internet or intranet site.

In addition to a clear statement of detailed and substantive policies and procedures, OIG recommends that institutions that receive PHS research awards develop a general institutional statement of ethical and compliance principles that will guide the institution's operations. One common expression of this statement of principles is the code of conduct. The code should function in the same fashion as a constitution, i.e., as a document that details the fundamental principles, values, and framework for action within an organization. The code of conduct for research institutions should articulate the institution's expectations of commitment to compliance by management, employees, and agents, and should summarize the broad ethical and legal principles under which the institutions must operate. Unlike the more detailed policies and procedures, the code of conduct should be brief and cover general principles applicable to all employees.

OIG strongly encourages the participation and involvement, as appropriate, of senior management of the institution, such as the board of regents and president, as well as other personnel from various levels of the organizational structure, in the development of all aspects of the compliance program, especially the code of conduct. Management and employee involvement in this process communicates a strong and explicit commitment by management to foster compliance with applicable program requirements. It also communicates the need for all employees to comply with the organization's code of conduct and policies and procedures.

C. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer

Every research institution should designate a compliance officer who will have day-to-day responsibility for overseeing and coordinating the compliance program. For smaller institutions, the compliance officer responsibilities might be added to other management responsibilities, or, for very large institutions, there could be several compliance officers who would have responsibility for different major activities of the institution. However, designating a compliance officer with the appropriate level of authority is critical to the success of the program. Optimally, the officer should report directly to the institution's president and should have direct access to the board of regents or other governing body, senior administration officials, and legal counsel. For very large institutions, if it is not possible to report directly to the president, the officer should report to the provost or official with similar high-level responsibility for the oversight of research administration. The compliance officer should have sufficient funding, resources, and staff to perform his or her responsibilities fully.

The compliance officer's primary responsibilities should include:

• Overseeing and monitoring implementation of the compliance program;
• Reporting on a regular basis to the board of regents, president, and compliance committee (if applicable) on compliance matters and assisting these individuals or groups to establish methods to reduce the institution's vulnerability to fraud and abuse;
• Periodically revising the compliance program, as appropriate, to respond to changes in the institution's needs and applicable program requirements, identified weakness in the compliance program, or identified systemic patterns of noncompliance;
• Developing, coordinating, and participating in a multifaceted educational and training program that focuses on the elements of the compliance program, and seeking to ensure that all affected employees understand and comply with pertinent Federal and State standards;
• Developing policies and procedures;
• Assisting the institution's internal or independent auditors in coordinating compliance reviews and monitoring activities;
• Reviewing and, where appropriate, acting in response to reports of noncompliance received through the hotline (or other established reporting mechanism) or otherwise brought to his or her attention (e.g., as a result of an internal audit or by counsel who may have been notified of a potential instance of noncompliance);
• Independently investigating and acting on matters related to compliance. To that end, the compliance officer should have the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action (e.g., making necessary improvements to policies and practices, and taking appropriate disciplinary action) with particular departments or institution activities;
• Participating with counsel in the appropriate reporting of any self-discovered violations of Federal requirements; and
• Continuing the momentum and, as appropriate, revising or expanding the compliance program after the initial years of implementation.

The compliance officer must have the authority to review all documents and other information relevant to compliance activities. This review authority should enable the compliance officer to determine whether the institution is in compliance with PHS or other Federal program requirements. Where appropriate, the compliance officer should seek the advice of competent legal counsel about these matters.

2. Compliance Committee

OIG recommends that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program. If structured appropriately, the committee can provide the compliance officer with contacts in various parts of the institution and the names of individuals who possess subject matter expertise. If the institution employs individuals who already have responsibility for compliance in various subject areas, for example biosafety or care and use of animals, these individuals would be obvious candidates for the compliance committee.

When developing an appropriate team of people to serve as the compliance committee, the institution should also consider including individuals with a variety of skills and personality traits as team members. The institution should expect its compliance committee members and compliance officer to demonstrate integrity, good judgment, assertiveness, and an approachable demeanor, while eliciting the respect and trust of employees. These interpersonal skills are as important as the professional experience of the compliance officer and each member of the compliance committee. Examples of individuals that the institution might consider as members of the compliance committee include institutional ombudsman staff and alternative dispute resolution staff.

Once an institution chooses the members of the compliance committee, the institution needs to train these individuals on the policies and procedures of the compliance program, as well as how to discharge their duties. In essence, the compliance committee should function as an extension of the compliance officer and provide the organization with increased oversight.

D. Conducting Effective Training

The training of appropriate administrators, both at the institution and department levels, faculty (including principal investigators), other staff, and contractors on award administration and other program requirements is an important element of an effective compliance program. The focus of the training and its level of detail will depend on the particular needs of the institution. In addition to training sessions, the institution may also undertake other educational efforts, such as disseminating publications that explain specific requirements in a practical manner. In developing training programs, it may be helpful to involve faculty, such as principal investigators, who will be receiving the training. This will allow these individuals to offer their insights, encourage more enthusiastic participation in the training sessions, and promote buy-in with the compliance program.

An institution should provide general training sessions that cover such issues as ethical standards and the institution's commitment to compliance issues. All employees, and where feasible and appropriate contractors, should receive the general training. General training should include the contents of the institution's compliance program, such as the role of the compliance officer and committee and the availability of an anonymous complaint mechanism. It should include both a description of the many types of compliance issues that administrators, faculty and other employees may need to address in the course of their careers, and the sources of guidance in resolving those issues.

More specific training programs would be designed for more specialized audiences. For example, administrative personnel who manage award funding should receive detailed training on Federal cost principles and grant administration regulations and policies. Employees who are involved with clinical research should receive training on the protection of human subjects, the Institutional Review Board process, and the responsible conduct of research. Administration officers and other key staff can assist in identifying additional specialized areas for training. Areas of training may also be identified through internal audits and monitoring and from a review of any past compliance problems.

Training instructors may come from outside or inside the organization, but must be qualified to present the subject matter involved and sufficiently experienced in the issues presented to adequately field questions and coordinate discussions among those being trained. Ideally, training instructors should be available for follow-up questions after the formal training session has been conducted.

General and specific training sessions should be provided both upon initial employment with the institution as well as on some periodic schedule, depending on the needs of the audience. Specialized training should be provided on a more frequent basis, perhaps annually or more frequently.

One technique to consider for training is to report actual examples of compliance problems at the institution or at other institutions, typically without any identifying information. This may serve to educate staff on these issues the institution considers important, how the compliance process works, and the actions that can be taken against individuals for more serious problems.

An institution may wish to vary the manner of training, both for general and specific training. In-person training sessions may be more effective than other types of training and are usually important for initial training sessions for new employees or when employees have changed their job responsibilities. However, follow-up training may be provided in other formats, such as through videotaped presentations or web-based training in which participants certify that they have completed the training curriculum. If videos or computer-based programs are used for compliance training, OIG suggests that the institution make a qualified individual available to field questions from trainees.

The compliance officer should maintain records of all formal training undertaken by the institution as part of the compliance program. This should include attendance logs, descriptions of the training sessions, and copies of the material distributed at training sessions. Depending on need, an institution may require that employees receive a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities.

The institution needs to establish a mechanism to ensure that employees receive the training they need. Training could be made a condition of continued employment and failure to comply with training requirements could result in disciplinary action. Adherence to the training requirements as well as other provisions of the compliance program should be a factor in the annual evaluation of each employee.

E. Developing Effective Lines of Communication

1. Access to Supervisors and/or the Compliance Officer

For a compliance program to work, employees must be able to ask questions and report problems. University officials, department chairpersons or other supervisors play a key role in responding to employee concerns and it is appropriate that they serve as a first line of communication. Research institutions should consider the adoption of open-door policies to foster dialogue between management and employees. To encourage communications, confidentiality and nonretaliation policies should also be developed and distributed to all employees.

Open lines of communication between the compliance officer and employees are equally important to the successful implementation of a compliance program. In addition to serving as a contact point for reporting problems and initiating appropriate responsive action, the compliance officer should be viewed as someone to whom personnel can go for clarification on the institution's policies.

2. Hotlines and Other Forms of Communication

OIG encourages the use of hotlines, e-mails, newsletters, suggestion boxes, and other forms of information exchange to maintain open lines of communication. In addition, an effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of the institution's policies and procedures. Institution officials may also identify areas of risk or concern through periodic surveys.

If an institution establishes a hotline or other reporting mechanism, information regarding how to access the reporting mechanism should be made readily available to all employees and contractors by including that information in the code of conduct or by circulating the information (e.g., by publishing the hotline number or e-mail address on wallet cards) or conspicuously posting the information in common work areas. Employees should be permitted to report matters on an anonymous basis.

For the reporting mechanism to maintain credibility, it is important that the institution's review of the allegations be meaningful and that prompt and appropriate followup be conducted. Reported matters that suggest substantial violations of Federal program requirements should be documented and investigated promptly to determine their veracity and the scope and cause of any underlying problem. The compliance officer should maintain a thorough record of such complaints as well as any investigation, its results, and any remedial or disciplinary action taken. The institution may wish to provide such information, redacted of individual identifiers, to the institution's senior management, such as the board of regents and the president, and to the compliance committee.

F. Auditing and Monitoring

Auditing of an institution's operations and activities is a critical internal control mechanism. Under the Single Audit Act of 1984 (Pub. L. 98-502), as amended, all institutions that expend $500,000 or more in Federal assistance are required to have a single audit of the “non-Federal entity,” which must be conducted in accordance with generally accepted Government auditing standards. (31 U.S.C. 7502, OMB Circular A-133.) Major institutions typically also have an annual financial statement audit, often conducted by the same firm that conducts its single audit, for the purpose of expressing an opinion as to the fairness of the information contained in the financial statements for the institution.

In addition to the mandated single audit and the financial statement audit, institutions should consider having additional performance audits, focused on particular areas of activity. Internal auditors may already be performing such audits, although an external auditor may in some cases be able to provide a greater level of independence in this work or should be considered when there is a particular problem or risk area that needs attention. Whether audits of compliance with Federal program requirements are performed by internal or external auditors, they should follow generally accepted Government auditing standards, published by the Government Accountability Office as “Government Auditing Standards,” known as the “Yellow Book.”

Institutions should consider conducting risk assessments to determine where to devote audit resources, such as for separate performance audits, and may wish to consider the risk areas we identified above in section II. Risk assessments could be coordinated by the compliance officer. The institution's disclosure statement under OMB Circular A-21—if it is required to submit one—may already include identification of risk areas. The A-133 audit itself may also identify risk areas or the program agencies may identify risk areas based on their review of the A-133 audit.

An effective compliance program should also incorporate thorough monitoring of its implementation and an ongoing evaluation process. The compliance officer should document this ongoing monitoring, including reports of suspected noncompliance, and provide these assessments to the institution's senior management and the compliance committee. The extent and frequency of the compliance audits may differ depending on variables such as the institution's available resources, prior history of noncompliance, and the risk factors particular to the institution. The nature of the reviews may also vary and could include a prospective systemic review of the institution's processes, protocols, and practices, or a retrospective review of actual practices in a particular area.

Although many assessment techniques are available, it is often effective to engage internal or external evaluators who have relevant expertise to perform regular compliance reviews. The reviews should focus on those divisions or departments of the institution that have substantive involvement with or impact on Federal programs and on the risk areas identified in this guidance. The reviews should also evaluate the policies and procedures regarding other areas of concern identified by OIG and Federal and State law enforcement agencies. Specifically, the reviews should evaluate whether: (1) The institution has policies covering the identified risk areas, (2) the policies were implemented and communicated, and (3) the policies were followed.

G. Enforcing Standards Through Well-Publicized Disciplinary Guidelines

An effective compliance program should include clear and specific disciplinary policies that set out the consequences of violating Federal or State requirements, the institution's code of conduct, or its policies and procedures. Any research institution should consistently undertake appropriate disciplinary action across the institution for the disciplinary policy to have the required deterrent effect. Intentional and material noncompliance should not be tolerated and should subject transgressors to significant sanctions. Such sanctions could range from oral warnings to suspension, termination or other sanctions, as appropriate. Disciplinary action also may be appropriate when a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct. Each situation must be considered on a case-by-case basis, taking into account all relevant factors, to determine the appropriate response.

H. Responding to Detected Problems and Developing Corrective Action Initiatives

1. Violations and Investigations

Violation of an institution's compliance program, failure to comply with applicable Federal or State law, and other types of misconduct threaten the institution's reputation in the scientific and research community. Consequently, upon receipt of reasonable indications of suspected noncompliance, it is important that the compliance officer or other officials immediately investigate the allegations to determine whether a material violation of applicable law or the requirements of the compliance program has occurred and, if so, take decisive steps to correct the problem. The exact nature and level of thoroughness of the investigation will vary according to the circumstances, but the review should be detailed enough to identify the cause of the problem. As appropriate, the investigation may include a corrective action plan, an assessment of internal controls, a report and repayment to the Government, and/or a referral to law enforcement authorities or regulatory bodies.

2. Reporting

Where the compliance officer, compliance committee, or member of the institution's administration discovers credible evidence of misconduct from any source and, after a reasonable inquiry, believes that the conduct may violate criminal, civil, or administrative law, the institution should promptly report the existence of misconduct to the appropriate authorities within a reasonable period, but not more than 60 days, after determining that there is credible evidence of a violation. This includes the reporting of criminal or civil misconduct to Federal and State authorities, or, for example, in the case of research misconduct to the appropriate institutional body or to the Department's Office of Research Integrity. Prompt voluntary reporting will demonstrate the institution's good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct may be considered a mitigating factor by the responsible law enforcement or regulatory office, including OIG.

When reporting to the Government, an institution should provide all information relevant to the alleged violation of applicable Federal or State law(s) and the potential financial or other impact of the alleged violation. The compliance officer, under advice of counsel and with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, and especially if the investigation ultimately reveals that criminal, civil or administrative violations have occurred, the compliance officer should notify the appropriate authorities of the outcome of the investigation.

I. Establishing Roles and Responsibilities and Assigning Oversight Responsibility

It is especially important that roles and responsibilities regarding the use of PHS research awards be clearly defined and understood. Defining roles and responsibilities promotes accountability and is essential to the overall internal control structure of the institution.

Institutions should clearly delineate the responsibilities of all persons involved with the conduct of federally supported research, including both administration or department personnel with oversight responsibility as well as principal investigators and other personnel who are engaged in research.

Under PHS regulations, it is typically the institution itself that qualifies as the “responsible legal entity” for grant compliance purposes. (See 42 CFR 52.2 (definition of “Grantee”).) Clearly defining roles and responsibilities can assist institutions in fulfilling their legal responsibility to comply with Department requirements, removing any uncertainty as to the precise responsibility of all individuals involved in the research enterprise. It can also assist individuals in defending against allegations that they recklessly disregarded award requirements.

Roles and responsibilities for each position should be clearly communicated and accessible. Including roles and responsibilities in the institution's written policies and procedures and in its formal training and education program could accomplish this objective.

IV. Conclusion

The growth in Federal funding for scientific research over the past decade has prompted a need for more effective compliance by recipient institutions. Many institutions have recognized this need and have developed formal compliance programs. We believe that all research institutions would benefit from compliance programs that, if effectively implemented, would foster a culture of compliance that begins at the administration or management level and permeates throughout the organization. The purpose of this voluntary guidance is to offer a “checklist” of items that we believe is critical for refining or developing an effective compliance program. While the guidance focuses on award administration, adopting the principles and standards in the guidance would benefit other activities that are subject to Government regulation, including human subject research, ethics, and the responsible conduct of science.

Appendix A

Association of American Medical Colleges, Protecting Subjects, Preserving Trust, Promoting Progress: Policy and Guidelines for the Oversight of Individual Financial Interests in Human Subjects Research (December 2001).

Association of American Medical Colleges, Protecting Subjects, Preserving Trust, Promoting Progress: Principles and Recommendations for the Oversight of Individual Financial Interests in Human Subjects Research II (October 2002).

Council on Governmental Relations, Managing Externally Funded Research Programs: A Guide to Effective Management Practices (June 2005), available at http://www.cogr.edu/docs.

Grant, Geoffrey, et al., Creating Effective Research Compliance Programs in Academic Institutions, 74 American Medicine 9 (September 1999).

Kenney, Jr., Robert J., “Dual Compensation” and “Separate Compensation” Arrangements in the Wake of the Northwestern University Settlement, 14 Research Management Review 1 (Spring 2004).

Murphy, Diane E., The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics, 87 Iowa L. Rev. 697 (January 2002).

National Council of University Research Administrators (NCURA), A Guide to Managing Federal Grants for Colleges and Universities, available at www.ncura.edu/publications/aispub.htm.

National Institutes of Health, Office of Extramural Research, Proactive Compliance Site Visits FY 2000-FY 2002: A Compendium of Findings and Observations (2002).

Steinberg, Nisan A., Regulation of Scientific Misconduct in Federally Funded Research, 10 S. Cal. Interdisc. L.J. 39 (Fall 2000).

Walsh, Barbara E., et al., The Compliance Umbrella, Business Officer 18 (January 2000).

Walsh, Barbara E., et al., A Model Operating Process, Business Officer 42 (March 2000).