Chapter 4. Standards, Policies, and Procedures

Chapter 4. Standards, Policies, and Procedures

Industry guidance recommends that the first basic compliance element for an organization is to establish standards and procedures that prevent and detect violations of policies, procedures, rules and regulations, fraud, and criminal conduct. The standards, code of conduct, policies, and procedures become the foundational tools with which you can build your compliance program.

Code of Conduct

First and foremost, the standards/code of conduct demonstrate the organization’s overarching ethical attitude and its organization-wide emphasis on compliance with all applicable laws and regulations. The code of conduct is meant for all employees and representatives of the organization. This includes management, as well as vendors, suppliers, business associates, third parties, and those working on behalf of an organization (which frequently are overlooked groups). From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards within the code of conduct. For this reason, the code should be written plainly and concisely in a style that is easy to understand. Using legalese in a code of conduct targets it toward a certain audience, rather than for the general population of employees.

Plain and concise language does not mean it should be generic, however. The contents of the code of conduct need to be tailored to the organization’s culture, business, and corporate identity. Also, institutions with a diverse constituency should consider providing the code of conduct in languages other than English and making it accessible for those with disabilities (i.e., using Braille, audio availability, or large print for anyone with visual impairments) as appropriate. When providing the code in multiple languages, the organization should test the translation with another translator and a test group of individuals who primarily speak the language in which the code was written. The purpose is to be sure the translation is accurate.

The code of conduct also provides a process for proper decision-making and for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, incorporating elements or standards into performance reviews. Compliance with the code must be enforced through appropriate discipline when necessary. Disciplinary procedures should be clearly stated in the code, and the penalty—up to and including termination—for serious violations of the code of conduct must be mentioned and consistently imposed to emphasize the organization’s commitment. Remember, the code of conduct is one of the most important and foundational pieces of infrastructure for your compliance program.

Code of Conduct—Purpose

  • To present overarching guidelines for employees to follow

  • To confirm that all employees comprehend what is required of them

  • To provide a process for proper reporting of potential noncompliance

  • To provide employees with a rationale for putting standards into everyday practice

  • To elevate corporate performance in basic business relationships

  • To confirm that the organization upholds and supports proper compliance conduct

Writing a Code of Conduct

How the code of conduct is written can vary. In some organizations, it is prepared at the board of directors’ level. In others it is the responsibility of a compliance officer or compliance committee. If you are in the position of drafting your organization’s code of conduct, there are many sources of sample materials to reference. Look for books with sample codes of conduct or search online for healthcare organizations that post their code on their websites. Try tapping into your network to solicit codes from other organizations. However, it is inadvisable to take a code of conduct from another source, make minor tweaks, and try to make it fit your organization. Your code of conduct should reflect your organization’s spirit, tone, and culture. If the code does not fit your culture, securing employees’ participation and cooperation in the compliance program will be much more difficult.

There may not be a one-size-fits-all code of conduct, but there are certain elements that every code should include. Most begin with the official board of directors’ resolution approving the compliance program or the memo announcing the launch of the program. This is a strong endorsement from the highest levels of management. An endorsement signed by the board chairperson or the CEO makes the message personal and sends the message, “You have my word on it.” This executive message is the place to state unequivocally that everyone in the organization and all affiliates are expected to act in an ethical manner and abide by all applicable laws and regulations affecting the organization. A strong message in support of staff is also in order. The code of conduct provides guidelines and tools developed to help employees in situations created by today’s confusing and complex environment. Staff honesty is not the issue. When a situation poses uncertainty, the code of conduct provides guidance for appropriate conduct or, in more challenging situations, offers a way to get answers within the organization.

The code of conduct might be seen as an elaboration on the organization’s mission or vision, both of which deserve a highly visible place in the document. Many organizations have identified specific values that help accomplish the mission. If your organization has values in addition to the mission, these too should be prominently featured in the code of conduct.

As a resource for all staff and affiliates, the code also should include a detailed outline of procedures for handling questions about compliance or ethical issues, beginning with a description of the organization’s chain of command. The best reporting mechanism is an open door. When a question arises, the goal is for an employee to feel comfortable approaching his or her supervisor, the first link in the chain of command. In the event the employee and the supervisor cannot resolve the issue, usually the department manager is the next step. If discussions with the supervisor and department head are not satisfactory, in some organizations the corporate human resources representative is called in. Ultimately, if a compliance-related matter cannot be resolved at the department head or human resources level, the corporate compliance officer (who represents executive management) gets involved. These steps should be delineated in the code of conduct along with a clearly stated promise of nonretaliation.

Not every employee will be comfortable talking to management, however, and so alternate methods of reporting potential problems or posing questions should be covered. The code of conduct should provide a clear, concise explanation of how those alternate reporting methods work. For instance, some organizations list a hotline (or helpline) telephone number along with hours of operation. In this context, emphasize that all reports will be anonymous (up to the extent the law) and held in confidence. To the extent possible, the code will help outline procedures for how the organization will respond to reports or questions. For example, can you promise that the compliance department will investigate all reports? Can you promise that all compliance-related questions or allegations—whether received through chain of command, the hotline, or other reporting mechanism—will be investigated within 48 hours? Such specifics are important to include; they will reassure staff, however, only if they are achievable.

As a key element of an effective compliance program, every code of conduct should include a description of the resources available to employees if they want to raise an issue. Add phone numbers and email addresses for contact personnel as well as the compliance officer’s contact information.

The narrative section of the code of conduct can deal with a wide variety of issues. For instance, it can include summarized policies on sexual harassment, data privacy and security, and controlled substances. Every code needs to cover expectations regarding conflicts of interest and the acceptance of gifts and gratuities. For information about accepting and giving gifts, see Appendix 5, Nonprofit Organization FAQS: Giving and Receiving Gifts. Areas of specific weakness or risk should be addressed in the code depending on the organization setting. Most importantly, the code must emphasize zero tolerance for fraud or abuse, a commitment to submitting accurate and timely accounting materials, and compliance with all laws and regulations. Consequences of malicious or uncorrected wrongdoing should be noted with a description of the progressive discipline procedures, if appropriate. Also, clearly state that everyone has a personal obligation to report any possible wrongdoing; not reporting makes an employee subject to discipline, too.

Code of Conduct: Content Checklist

Content included in the code of conduct should:

  • Demonstrate an organizational emphasis on compliance with all applicable laws and regulations

  • Be written plainly and concisely so all employees can understand the standards

  • Be translated into languages applicable to your employee population and accommodate disabilities as appropriate

  • Include frequently asked questions or scenarios based on high-risk areas

  • Include expectations for employees on interactions with other employees, vendors, and clients

  • Include notice of individual accountability toward reporting potential areas of noncompliant conduct

  • Mention organizational policies without completely restating them

  • Be consistent with company policies and procedures

  • Include management’s responsibility to explain and enforce the code

The code of conduct holds the potential to be an abstract document, one that might not seem relevant to the daily work of individuals. Therefore, many organizations include a section with frequent scenarios or “examples of compliance violations” to help make the information more relevant to the general employee population. A mixture of general and specific scenarios is suggested. Sample general scenarios and questions might be:

  • I think I saw a violation of industry regulations. Whom should I contact?

  • Should I report a possible problem even if I am not sure? Will I get in trouble?

  • What if my supervisor asks me to do something I think is wrong?

  • How can I be sure that my report will be kept confidential?

Finally, most codes of conduct come with an acknowledgement or attestation form. As a best practice, organizations should obtain a signed attestation (paper or electronic) on an annual basis. The attestation form requires employee signatures, emphasizes the importance of the code, and could provide certain legal advantages should there ever be a government inquiry. If using a paper form, encourage employees to return their attestation forms promptly. Some organizations require signed attestations before new employees can be assigned perquisites, such as a parking space. Attestation forms should be kept in the employee’s official human resources file. The compliance department may also want to maintain copies. For an example form, see Appendix 6, Sample Attestation/Acknowledgement Form.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings