Draft OIG Compliance Program Guidance for Recipients of PHS Research Awards, 71312-71320 [E5-6548]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of Inspector General
• Inspector General Office, Health and Human Services Department

[Federal Register Volume 70, Number 227 (Monday, November 28, 2005)]
[Notices]
[Pages 71312-71320]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E5-6548]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Draft OIG Compliance Program Guidance for Recipients of PHS 
Research Awards

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice and comment period.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice seeks the comments of interested 
parties on draft compliance guidance developed by the Office of 
Inspector General (OIG) for recipients of extramural research awards 
from the National Institutes of Health (NIH) and other agencies of the 
U.S. Public Health Service (PHS). Through this notice, OIG is setting 
forth its general views on the value and fundamental principles of 
compliance programs for colleges and universities and other recipients 
of PHS awards for biomedical and behavioral research and the specific 
elements that these award recipients should consider when developing 
and implementing an effective compliance program.

DATES: To assure consideration, comments must be delivered to the 
address provided below by no later than 5 p.m. on December 28, 2005.

ADDRESSES: Please mail or deliver written comments to the following 
address: Office of Inspector General, Department of Health and Human 
Services, Attention: OIG-1026-CPG, Room 5246, Cohen Building, 330 
Independence Avenue, SW., Washington, DC 20201.
    We do not accept comments by facsimile (FAX) transmissions. In 
commenting, please refer to file code OIG-1026-CPG. Comments received 
timely will be available for public inspection as they are received, 
generally beginning approximately 2 weeks after publication of a 
document, in Room 5527 of the Office of Inspector General at 330 
Independence Avenue, SW., Washington, DC 20201 on Monday through Friday 
of each week from 8 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT: Richard B. Stern, Office of Counsel to 
the Inspector General, (202) 619-0335, or Joel Schaer, Office of 
External Affairs, (202) 619-0089.

SUPPLEMENTARY INFORMATION:

Background

    Compliance program guidance (CPG) is a major OIG initiative that 
was developed to assist the health care community in preventing and 
reducing fraud and abuse in Federal programs. In the last several 
years, OIG has developed and issued compliance program guidance 
directed at the following segments of the health care industry: 
clinical laboratories; hospitals; home health agencies; third-party 
medical billing companies; durable medical equipment, prosthetics, 
orthotics and supply companies; Medicare+Choice organizations offering 
coordinated care plans; hospices; nursing facilities; individual and 
small group physician practices; ambulance suppliers; and 
pharmaceutical manufacturers. Copies of these CPGs can be found on the 
OIG Web site at https://oig.hhs.gov/fraud/complianceguidance.html.
    Under its governing statute, OIG's oversight responsibility extends 
to all programs and operations of the Department of Health and Human 
Services (HHS or Department) and, accordingly, OIG promotes compliance 
efforts by all recipients of Department funds.\1\ One community of 
paramount importance to the Department's public health efforts is that 
of colleges, universities, and other recipients of public funds that 
conduct biomedical and behavioral research. These institutions may have 
organizational differences from the users of past compliance guidances, 
but we believe they have the same basic need to promote compliance 
measures. We understand that research institutions have been developing 
compliance programs in increasing numbers.

[[Page 71313]]

Moreover, over the last several years slightly more than 50 percent of 
recipients of NIH research awards have been medical schools, many of 
which may already have health care compliance programs in their 
affiliated hospitals.
---------------------------------------------------------------------------

    \1\ OIG and the PHS agencies, including NIH, share 
responsibility for encouraging compliance by recipients of research 
awards. In distinguishing the roles of the two agencies, we note 
that NIH is more focused on compliance with administrative, 
scientific, and financial requirements, while OIG is more focused on 
the avoidance of fraudulent activities. OIG has chosen to publish 
this guidance, in close coordination with NIH and other PHS 
agencies, as part of a larger initiative that is designed in part to 
assist institutions in avoiding criminal and civil fraud 
investigations. This compliance guidance is consistent with guidance 
provided by NIH on its Web site, https://grants1.nih.gov/grants/
oer.htm.
---------------------------------------------------------------------------

    As with OIG's earlier CPGs, the purpose of this draft guidance is 
to encourage the use of internal controls to effectively monitor 
adherence to applicable statutes, regulations, and program 
requirements. In developing the guidance, we have focused specifically 
on grant compliance and administration issues, i.e., whether recipients 
of research awards have misused program funds under the statutes, 
regulations, and other requirements governing the use of those funds. 
We believe this focus is consistent with OIG's responsibility for the 
identification of program overpayments and, in appropriate situations, 
the investigation of civil or criminal fraud. However, we believe that 
the principles set forth in the guidance will also assist institutions 
in developing compliance programs for their other activities wherein 
issues of program compliance arise.
    This draft guidance for recipients of PHS research awards contains 
seven elements that have been widely recognized as fundamental to an 
effective compliance program, and an additional element--number 8 
below--that we believe is especially important for research 
institutions. The eight elements include:
    1. Implementing written policies and procedures,
    2. Designating a compliance officer and compliance committee,
    3. Conducting effective training and education,
    4. Developing effective lines of communication,
    5. Conducting internal monitoring and auditing,
    6. Enforcing standards through well-publicized disciplinary 
guidelines,
    7. Responding promptly to detected problems and undertaking 
corrective action, and
    8. Defining roles and responsibilities and assigning oversight 
responsibility.
    As with previously issued guidances, this draft CPG represents 
OIG's suggestions regarding how institutions can establish internal 
controls to ensure adherence to applicable rules and program 
requirements. The contents of the guidance should not be viewed as 
mandatory or as an exclusive discussion of the advisable elements of a 
compliance program. Moreover, the guidance does not establish a set of 
program rules or standards by which to evaluate the compliance of an 
institution. Rather, it is merely a set of suggestions regarding how 
institutions may establish internal controls to allow the institution 
to better comply with rules and standards that apply to PHS extramural 
research awards.

Developing This Draft Compliance Program Guidance

    In developing this draft guidance, we have consulted closely with 
NIH, which dispenses the majority of biomedical and behavioral research 
awards within HHS, and have coordinated as well as with other PHS 
agencies that have compliance responsibilities for biomedical and 
behavioral research awards. The statutes, regulations, and policies 
pertaining to NIH and other PHS awards constitute an appropriate focus 
for award recipients who seek to establish an effective compliance 
program. We have also consulted with the U.S. Department of Justice and 
with OIGs of other agencies--such as the National Science Foundation--
that fund significant extramural research.
    In an effort to receive initial input on this guidance from the 
research community, we published a Federal Register notice on September 
5, 2003, (68 FR 52783), ``Solicitation of Information and 
Recommendations for Developing Compliance Program Guidance for 
Recipients of NIH Research Grants.'' In response to that notice, we 
received a total of 20 comments from research institutions, 
associations, and from one individual.
    Although the September 5, 2003, solicitation notice requested 
information and recommendations for developing a CPG for recipients of 
research awards only from NIH, we have expanded the scope of the 
guidance to other biomedical and behavioral research awards from the 
public health agencies of this Department. In part, we made this change 
based on a comment, received in response to the solicitation, that we 
avoid inconsistent sets of guidance from various agencies. In addition 
to NIH, which awards the majority of HHS (and Federal) research awards, 
other public health agencies that fund biomedical and behavioral 
research include the Agency for Healthcare Research and Quality, the 
Agency for Toxic Substances and Disease Registry, the Health Resources 
and Services Administration, the Indian Health Service, the Centers for 
Disease Control and Prevention, the Substance Abuse and Mental Health 
Services Administration, and the Food and Drug Administration.
    In an effort to ensure that all parties have an opportunity to 
provide input into OIG's guidance, we are publishing this guidance in 
draft form. We welcome any comments regarding this document from 
interested parties. OIG will consider all comments that are received 
within the above-cited timeframe, incorporate any specific 
recommendations as appropriate, and then prepare a final version of the 
guidance for publication in the Federal Register The final version of 
the guidance will be available on the OIG Web site at https://
oig.hhs.gov.

Draft OIG Compliance Program Guidance for Recipients of PHS Research 
Awards (November 2005)

I. Introduction

    The Office of Inspector General (OIG) of the Department of Health 
and Human Services (HHS or Department) is continuing in its efforts to 
promote voluntary compliance programs for recipients of Department 
funding. This is the first guidance that is designed for a segment of 
the Federal grant community and that is not specifically focused on 
Medicare and Medicaid issues.\2\ However, many recipients of Public 
Health Service (PHS) research awards are familiar with our previous 
compliance guidances, in part because among the largest recipients of 
PHS research funds are academic medical centers, which were the focus 
of one of our first compliance guidances, to the hospital industry, in 
February 1998.\3\
---------------------------------------------------------------------------

    \2\ Although we refer in this guidance to commonly used terms 
such as grant community and grant compliance and administration, the 
guidance is intended to apply more broadly to all PHS research 
``awards,'' which includes cooperative agreements and certain 
contracts that are not governed by Federal procurement laws and 
regulations. For a definition of the term ``awards,'' see 45 CFR 
part 74, Uniform Administrative Requirements for Awards and 
Subawards to Institutions of Higher Education, Hospitals, Other 
Nonprofit Organizations, and Commercial Organizations,'' Sec.  74.2 
(``Definitions'').
    \3\ That guidance was recently supplemented. See OIG 
Supplemental Compliance Program Guidance for Hospitals, 70 FR 4858 
(January 31, 2005).
---------------------------------------------------------------------------

    As with the earlier guidances, this compliance guidance is intended 
to assist recipients of PHS biomedical and behavioral research awards 
in developing and implementing internal controls and procedures that 
promote adherence to applicable statutes, regulations, and other 
requirements of PHS programs. This compliance guidance follows closely 
those earlier guidances in its format and basic elements. At the same 
time, this guidance departs from those earlier publications in certain 
areas to accommodate the many differences for recipients of extramural 
research awards.

[[Page 71314]]

    As with hospitals and other health care companies, an increasing 
number of colleges, universities, and other recipients of PHS 
biomedical and behavioral research funds have developed compliance 
programs. One purpose of this guidance is to assist these institutions 
in evaluating and, as necessary, refining existing compliance programs.
    This guidance is not a compliance program itself, nor does it 
establish a set of cost principles or program requirements, which would 
be beyond the responsibility of OIG. This guidance does not establish 
criteria by which to conduct an audit or review of regulatory or 
program compliance. Rather, it is intended to serve as a set of 
guidelines that recipients of extramural research awards may consider 
when developing and implementing a compliance program or evaluating an 
existing one. For those institutions with an existing compliance 
program, this guidance may serve as a useful comparison against which 
to measure ongoing efforts.
    We recognize that there are recipients of biomedical and behavioral 
research awards that may be small institutions or businesses, such as 
those receiving funds under the Small Business Innovation Research 
(SBIR) program, or that may be larger institutions that receive a 
relatively small amount of PHS funding. We anticipate that these 
institutions share with larger entities the same basic concern about 
establishing effective internal controls to monitor adherence with 
Federal program requirements. However, some of these institutions may 
determine that it is not practicable to establish the same type of 
comprehensive compliance program that may exist, for example, at an 
academic research institution associated with a medical school. We 
encourage these institutions to develop a compliance program that 
relies on the same eight basic elements of the guidance, but that is 
suited to their own size and needs.

A. Scope of the Compliance Program Guidance

    Because the responsibilities of OIG are focused on the effective 
operation of this Department's programs and the misuse of its funds, 
the scope of this voluntary guidance concentrates on issues that fall 
under the rubric of grant compliance and administration. By this, we 
mean those issues involving the application of statutes, regulations, 
and other program requirements that affect the ``allowability'' of 
costs and whether awardees should be subjected to a disallowance action 
or, in appropriate circumstances, an investigation for criminal or 
civil fraud. This guidance is also focused specifically on PHS awards 
from this Department. We recognize that institutions may have multiple 
sources of funding and that the term ``compliance'' is used more 
broadly by the research community to include areas such as human and 
animal subject research, conflicts of interest, research misconduct, 
and intellectual property issues. While this guidance is not focused on 
these other award sources and these other regulatory areas, the 
compliance elements presented by this guidance may be useful in 
connection with other sources of funding and with regard to other 
regulatory areas. For example, appointing a compliance officer and 
committee, developing a code of conduct, and instituting a training and 
education program would contribute to promoting compliance with 
National Science Foundation award requirements, as well as requirements 
related to research misconduct and human subject research.
    Institutions may currently have, or be considering, separate 
compliance systems for their various areas of regulated activity. We 
recognize that each of these areas may involve distinct personnel and 
present different regulatory frameworks. However, because the basic 
elements for a compliance program are shared among these systems, 
institutions may receive management efficiencies by integrating their 
compliance efforts through the elimination of overlapping systems or by 
developing a single compliance program covering all compliance areas. 
Integrating compliance systems may also offer collateral benefits. For 
example, audits and reviews of one area of compliance may develop 
information useful to other areas.
    OIG also recognizes that a body of literature already exists on 
research compliance issues, including guidance on establishing a 
compliance program. Nonetheless, we believe that providing OIG CPG 
consistent with the other compliance guidances we have published is 
appropriate. For the convenience of the reader, we have compiled a 
bibliography of some of these other publications, which is attached to 
this guidance as Appendix A.
    Our experience with compliance programs is that an institution's 
implementation of a serious, meaningful, and effective compliance 
program may require a significant commitment of time and resources, 
especially for those institutions that have not developed a compliance 
program in the past. We believe, however, that this commitment is 
justified by the benefits of a compliance program.

B. Benefits of a Compliance Program

    While the decision to implement a compliance program is entirely 
voluntary, OIG believes that an effective compliance program provides 
numerous advantages that will inure to the benefit of institutions that 
choose to establish one. An effective compliance program addresses the 
Government's and research community's mutual goals of ensuring good 
stewardship of Federal funds by eliminating erroneous or improper 
expenditure of Federal research funds, improving administration of 
grants (both from the Federal Government and from private sources), and 
demonstrating to employees and the community at large the institution's 
commitment to honest and responsible conduct. These goals may be 
achieved by:
     Identifying and correcting unlawful and unethical behavior 
at an early stage;
     Encouraging employees to report potential problems and 
allowing for appropriate internal inquiry and corrective action;
     Minimizing, through early detection and reporting, any 
financial loss to the Government and any resulting financial loss to 
the institution; and
     Reducing the possibility of Government audits or 
investigations regarding unallowable payments or fraud that could have 
been prevented at an early stage.
    Institutions may also want to note that several of the elements of 
this compliance guidance are considered ``mitigating factors'' that 
must be considered as part of a formal debarment action by the 
Department.\4\
---------------------------------------------------------------------------

    \4\ See 45 CFR 76.860(l), (n), (p), and (q).
---------------------------------------------------------------------------

C. Application of Compliance Program Guidance

    There is no single ``best'' compliance program. Institutions may 
take differing approaches to how they rely upon internal audits in 
monitoring compliance issues, how they comprise their compliance 
committee, and whether they include compliance for research misconduct 
and human and animal subject protections as part of a single compliance 
program. Some institutions may already have a compliance program in 
place; others only now may be initiating such efforts.
    Institutions may also have identified, through audits or internal 
inquiries, particular management concerns or areas of high risk that 
may call for

[[Page 71315]]

developing or refining compliance elements to address these areas.
    OIG has identified three major potential risk areas for recipients 
of NIH research awards: (1) Time and effort reporting, (2) properly 
allocating charges to award projects, and (3) reporting of financial 
support from other sources. These risk areas, although not exhaustive 
of all potential risk areas, are discussed in greater detail in section 
II below.
    The compliance measures adopted by an institution should be 
tailored to fit the unique environment of the institution (including 
its organizational structure, operations and resources, as well as 
prior enforcement experience). In short, OIG recommends that each 
institution should adapt the objectives and principles underlying the 
measures outlined in this guidance to its own particular circumstances.

II. Risk Areas

    As with previous OIG CPGs, in this section we highlight examples of 
risk areas to assist institutions in developing a compliance program. 
The identification of risk areas is an important aspect of formulating 
policies and procedures, developing a training and education program, 
and conducting internal monitoring and audits. This section addresses a 
few examples of risk areas for recipients of PHS research awards that 
have come to OIG's attention: (1) Time and effort reporting, (2) 
properly allocating charges to award projects, and (3) reporting of 
financial support from other sources. The areas identified in this 
section are in no way intended to be exhaustive of all potential risk 
areas. Institutions may identify other areas based on their own 
operations and experiences. As an example, subrecipient monitoring may 
be an important risk area for those institutions that rely heavily on 
their own grants and contracts to fulfill the purposes of a PHS award.

A. Time and Effort Reporting

    One critical compliance issue is the accurate reporting of research 
time and effort. Because the compensation for the personal services of 
researchers--both direct salary and fringe benefits--is typically a 
major cost of a project, it is critical that the portion of the 
researcher's compensation for particular research projects be 
accurately reported. One reason that we view time and effort reporting 
as a critical risk area is that many researchers have multiple 
responsibilities--sometimes involving teaching, research, and clinical 
work--that must be accurately measured and monitored. In the course of 
a researcher's workday, the separation between these areas of activity 
can sometimes be hard to discern, which heightens the need to have 
effective timekeeping systems.
    For this reason, institutions need to be especially vigilant in 
accurately reporting the percentage of time devoted to projects. 
Accurate time and effort reporting systems are essential to ensure that 
PHS and other funding sources are properly charged for the activities 
of researchers. The failure to maintain accurate time and effort 
reporting may result in overcharges to funding sources and, in certain 
circumstances, could subject an institution to civil or criminal fraud 
investigations.
    We are aware of situations in which researchers falsely report the 
amount of time they intend to devote to research projects. For example, 
it would be clearly improper for researchers in award applications to 
separately report to three awarding agencies that they intend to spend 
50 percent of their time on each of the three awards. Some recent cases 
we have seen involved the ``commitment of effort'' by researchers 
wherein the Government believed that the institution failed to account 
properly for the clinical practice time of researchers, in addition to 
their academic and research time at the institution. As an example, it 
would be improper to report to NIH or another awarding agency that 70 
percent of a researcher's time would be spent on an award when 50 
percent of the researcher's time would be spent on clinical 
responsibilities.
    For colleges and universities, the rules governing compensation for 
personal services, including payroll distributions, are contained in 
OMB Circular A-21,\5\ Cost Principles for Educational Institutions, 
section J.10.\6\ Under section J.10 of OMB Circular A-21, institutions 
must establish a system of payroll distribution and must usually 
maintain ``after-the-fact Activity Reports'' or employ another method 
to report accurately the distribution of activity of employees. (See 
especially, section J.10, paragraphs b.(2)(a)--(c)). The accuracy of 
these activity reports is critical for the awarding agency to 
understand the amount of research conducted under the award. More 
specific guidance is contained in the instructions to PHS Form 398, 
Application for a Public Health Service Grant,\7\ available at 
www.grants.nih.gov/grants/funding/phs398/phs398.html (``Definitions,'' 
definition of ``Institutional Base Salary''), and in the NIH Grants 
Policy Statement, Part I, Definitions, available at https://
grants1.nih.gov/grants/policy/nihgps (``Glossary,'' definition of 
``Institutional Base Salary,'' and Selected Items of Cost, ``Salaries 
and Wages'' and ``Payroll Distribution'').
---------------------------------------------------------------------------

    \5\ For State and local governments, the rules governing 
compensation for personal services is contained in OMB Circular A-
87, Cost Principles for State, Local and Indian Tribal Governments, 
Attachment B, Sec.  11. For non-profit organizations, it is 
contained in OMB Circular A-122, Cost Principles for Non-Profit 
Organizations, Attachment B, paragraph 7. For hospitals, the rules 
are contained in 45 CFR part 74, Appendix E, Principles for 
Determining Costs Applicable to Research and Development under 
Grants and Contracts with Hospitals, Sec.  IX, paragraph B.7.
    \6\ By regulation, OMB Circular A-21 and the other cost 
principles are made applicable to recipients of Department awards. 
45 CFR 74.27(a). The cost principles have also recently been 
codified in title 2 of the CFR.
    \7\ The Public Health Service Grant Application, PHS Form 398, 
is being replaced with an electronic application form, the standard 
form 424 R&R. According to NIH, the new form will incorporate all 
the policies and definitions currently contained in the Form 398.
---------------------------------------------------------------------------

    Another issue in reporting the commitment of effort to research 
projects is the accurate and consistent treatment of ``institutional 
base salary'' (IBS). IBS effectively serves as the denominator in 
calculating the proportion of an employee's activity that is allocated 
to particular Federal awards. While IBS typically includes only 
nonclinical work of employees, certain institutions include clinical 
work based on a more expansive definition of the ``institution'' for 
cost reporting purposes. For those institutions, it is critical that 
the clinical and nonclinical work activities of researchers are 
reported so that salary is correctly allocated among Federal and non-
Federal sources.\8\
---------------------------------------------------------------------------

    \8\ NIH has recently expanded its guidelines addressing when 
institutions may include clinical practice compensation as part of 
institutional base salary. Among other tests, the compensation must 
be set by the institution, be paid through or at the direction of 
the institution, and be included and accounted for in the 
institution's effort reporting and/or payroll distribution system. 
See Guidelines for Inclusion of Clinical Practice Compensation in 
Institutional Base Salary Charged to NIH Grants and Contracts, 
https://grants.nih.gov/grants/guide/notice-files/NOT-OD-050061.html.
---------------------------------------------------------------------------

B. Properly Allocating Charges to Award Projects

    Research institutions commonly receive multiple awards for a single 
research area. It is essential that accounting systems properly 
separate the amount of funding from each funding source. Institutions 
must also be vigilant about clearly fraudulent practices such as 
principal investigators on different projects banking or trading award 
funds among themselves. The failure to account accurately for charges 
to various award projects can result in

[[Page 71316]]

significant disallowances or, in certain circumstances, could subject 
an institution to criminal or civil fraud investigations.
    In one recent civil fraud action, an institution settled 
allegations by the Government that it made end-of-year transfers of 
direct costs on various Federally funded research awards from overspent 
accounts to underspent accounts, with the purpose of maximizing its 
Federal reimbursement and, in some cases, avoiding the refunding of 
unused grant proceeds.
    The general principles governing the allocation of costs are found 
in the appropriate sets of cost principles, such as OMB Circular A-21 
for colleges and universities. Among those principles in Circular A-21 
is the rule that a ``cost is allocable to a particular cost objective * 
* * if the goods or services involved are chargeable or assignable to 
such cost objective in accordance with relative benefits received or 
other equitable relationship.'' Circular, Sec.  C.4.\9\ Additional 
guidance on the allocation of costs may be found in the NIH Grants 
Policy Statement, Part II, Cost Considerations, available at htttp://
grants1.nih.gov/grants/policy/nihgps. Also, the Departmental Appeals 
Board has jurisdiction over cost allocation and rate disputes, as well 
as more generally over direct, discretionary grants, including 
biomedical research grants from NIH. (The Board's process is described 
in 45 CFR part 16.) Several Board decisions address the proper 
allocation of costs by colleges and universities.\10\
---------------------------------------------------------------------------

    \9\ For State and local governments, a similar principle 
governing the allocation of costs is contained in OMB Circular A-87, 
Cost Principles for State, Local and Indian Tribal Governments, 
Attachment A, Sec.  C.3. For non-profit organizations, it is 
contained at OMB Circular A-122, Cost Principles for Non-Profit 
Organizations, Sec.  A.4. For hospitals, the principle is contained 
in 45 CFR Part 74, Appendix E, Principles for Determining Costs 
Applicable to Research and Development under Grants and Contracts 
with Hospitals, Sec.  III, D.
    \10\ Board decisions may be found on the Board's Web site at 
www.hhs.gov/dab/search.html, as well as with legal information 
services such as Westlaw and Lexis.
---------------------------------------------------------------------------

    As with other administrative requirements governing Federal awards, 
the improper allocation of charges to various sources is not a mere 
``accounting problem,'' in the sense that it has no real impact on the 
conduct of science. On the contrary, the failure to allocate correctly 
charges--whether because of poor record-keeping or as part of an intent 
to deceive funding sources--has the effect of drawing away limited 
Federal research funds from projects for which they were intended and 
subverting the Government's ability to distribute funds to those 
projects most in need of support.

C. Reporting Financial Support From Other Sources

    As with the proper reporting of time and effort and the allocation 
of charges, the reporting of financial support from other sources is 
critical for the awarding agency to understand the commitment of 
resources by the grantee to a particular project or award. Without 
complete and accurate information on other funding sources, PHS may be 
unable to determine whether a particular project should be funded and 
the amount of such funding. In some cases, failure to identify other 
support for a research project could cause PHS to provide duplicate 
funding to the project. At a minimum, information on other support 
would allow PHS to use its limited resources on other worthy projects 
that might otherwise be left unfunded.
    For PHS awards, the reporting of other financial support is a 
required element of award applications and the failure to provide this 
information could, in certain, subject an institution to a criminal or 
civil fraud investigation. Other funding support is required to be 
reported as part of the application for funding (PHS Form 398), the 
instructions for which state that the applicant organization must 
disclose all compensation and salary support. (See PHS 398 Rev. 9/2004, 
Sec.  III.H (``Other Support'') available at https://www.grants.nih.gov/
grants/funding/phs398/PolAssurDef.doc.) Moreover, the face page of the 
PHS application includes a certification by both the Principal 
Investigator/Program Director and by the Applicant Organization that 
all statements in the application are ``true, complete, and accurate to 
the best of my knowledge'' and that ``false, fictitious, or fraudulent 
statements or claims could subject me to criminal, civil, or 
administrative penalties.'' (The face page is available at https://
www.grants.nih.gov/grants/funding/phs398/fp1.doc.) Additional guidance 
for NIH grants is found in the NIH Grants Policy Statement, Part II, 
Just-in-Time Procedures, available at https://grants1.nih.gov/grants/
policy/nihgps.
    A problem related to the failure to accurately and completely 
report support from other financial sources is the charging of both 
award funds and Medicare and other health care insurers for performing 
the same service. This is clearly improper and has subjected 
institutions to fraud investigations.

III. Compliance Program Elements

A. The Basic Compliance Elements

    At a minimum, a comprehensive compliance program should include the 
following elements:
    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures, that reflect the 
institution's commitment to compliance.
    (2) The designation of a compliance officer and a compliance 
committee charged with the responsibility for developing, operating, 
and monitoring the compliance program, and with authority to report 
directly to the head of the organization, such as the president and/or 
the board of regents in the case of a university.
    (3) The development and implementation of regular, effective 
education and training programs for all affected employees.
    (4) The creation and maintenance of an effective line of 
communication between the compliance officer and all employees, 
including a process (such as a hotline or other reporting system) to 
receive complaints or questions that are addressed in a timely and 
meaningful way, and the adoption of procedures to protect the anonymity 
of complainants and to protect whistleblowers from retaliation.
    (5) The clear definition of roles and responsibilities within the 
institution's organization and ensuring the effective assignment of 
oversight responsibilities.
    (6) The use of audits and/or other risk evaluation techniques to 
monitor compliance and identify problem areas.
    (7) The enforcement of appropriate disciplinary action against 
employees or contractors who have violated institutional policies, 
procedures, and/or applicable Federal requirements for the use of 
Federal research dollars, and
    (8) The development of policies and procedures for the 
investigation of identified instances of non-compliance or misconduct. 
These should include directions regarding the prompt and proper 
response to detected offenses, such as the initiation of appropriate 
corrective action and preventive measures.

B. Written Policies and Procedures

    In developing a compliance program, every institution should 
develop and distribute written policies and procedures addressing 
compliance with Federal award requirements. These policies and 
procedures should be developed under the direction and supervision of 
the compliance officer, the compliance committee, and relevant 
institution officials. They should also be

[[Page 71317]]

reviewed at regular intervals to ensure that they are current and 
relevant.
    At a minimum, the policies and procedures should be provided to all 
faculty members and other employees who are affected by them, to 
students who may be conducting research with Federal awards, and to any 
agents or contractors who may furnish services in connection with 
Federal research awards. The policies and procedures should be easily 
found and accessible, such as, for example, on the institution's 
Internet or intranet site. Since institutions also typically maintain 
policies and procedures governing other compliance issues, including 
conflicts of interest, human subject research, and the maintenance and 
reporting of research data, they may choose to compile these various 
policies and procedures on a single Internet or intranet site.
    In addition to a clear statement of detailed and substantive 
policies and procedures, OIG recommends that institutions that receive 
PHS research awards develop a general institutional statement of 
ethical and compliance principles that will guide the institution's 
operations. One common expression of this statement of principles is 
the code of conduct. The code should function in the same fashion as a 
constitution, i.e., as a document that details the fundamental 
principles, values, and framework for action within an organization. 
The code of conduct for research institutions should articulate the 
institution's expectations of commitment to compliance by management, 
employees, and agents, and should summarize the broad ethical and legal 
principles under which the institutions must operate. Unlike the more 
detailed policies and procedures, the code of conduct should be brief 
and cover general principles applicable to all employees.
    OIG strongly encourages the participation and involvement, as 
appropriate, of senior management of the institution, such as the board 
of regents and president, as well as other personnel from various 
levels of the organizational structure, in the development of all 
aspects of the compliance program, especially the code of conduct. 
Management and employee involvement in this process communicates a 
strong and explicit commitment by management to foster compliance with 
applicable program requirements. It also communicates the need for all 
employees to comply with the organization's code of conduct and 
policies and procedures.

C. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer
    Every research institution should designate a compliance officer 
who will have day-to-day responsibility for overseeing and coordinating 
the compliance program. For smaller institutions, the compliance 
officer responsibilities might be added to other management 
responsibilities, or, for very large institutions, there could be 
several compliance officers who would have responsibility for different 
major activities of the institution. However, designating a compliance 
officer with the appropriate level of authority is critical to the 
success of the program. Optimally, the officer should report directly 
to the institution's president and should have direct access to the 
board of regents or other governing body, senior administration 
officials, and legal counsel. For very large institutions, if it is not 
possible to report directly to the president, the officer should report 
to the provost or official with similar high-level responsibility for 
the oversight of research administration. The compliance officer should 
have sufficient funding, resources, and staff to perform his or her 
responsibilities fully.
    The compliance officer's primary responsibilities should include:
     Overseeing and monitoring implementation of the compliance 
program;
     Reporting on a regular basis to the board of regents, 
president, and compliance committee (if applicable) on compliance 
matters and assisting these individuals or groups to establish methods 
to reduce the institution's vulnerability to fraud and abuse;
     Periodically revising the compliance program, as 
appropriate, to respond to changes in the institution's needs and 
applicable program requirements, identified weakness in the compliance 
program, or identified systemic patterns of noncompliance;
     Developing, coordinating, and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program, and seeking to ensure that all 
affected employees understand and comply with pertinent Federal and 
State standards;
     Developing policies and procedures;
     Assisting the institution's internal or independent 
auditors in coordinating compliance reviews and monitoring activities;
     Reviewing and, where appropriate, acting in response to 
reports of noncompliance received through the hotline (or other 
established reporting mechanism) or otherwise brought to his or her 
attention (e.g., as a result of an internal audit or by counsel who may 
have been notified of a potential instance of noncompliance);
     Independently investigating and acting on matters related 
to compliance. To that end, the compliance officer should have the 
flexibility to design and coordinate internal investigations (e.g., 
responding to reports of problems or suspected violations) and any 
resulting corrective action (e.g., making necessary improvements to 
policies and practices, and taking appropriate disciplinary action) 
with particular departments or institution activities;
     Participating with counsel in the appropriate reporting of 
any self-discovered violations of Federal requirements; and
     Continuing the momentum and, as appropriate, revising or 
expanding the compliance program after the initial years of 
implementation.\11\
---------------------------------------------------------------------------

    \11\ There are many approaches the compliance officer may enlist 
to maintain the vitality of the compliance program. Periodic on-site 
visits of offices, bulletins with compliance updates and reminders, 
distribution of audiotapes, videotapes, CD ROMs, or computer 
notifications about different risk areas, lectures at campus 
meetings, and circulation of recent articles or publications 
discussing fraud and abuse are some examples of approaches the 
compliance officer may employ.
---------------------------------------------------------------------------

    The compliance officer must have the authority to review all 
documents and other information relevant to compliance activities. This 
review authority should enable the compliance officer to determine 
whether the institution is in compliance with PHS or other Federal 
program requirements. Where appropriate, the compliance officer should 
seek the advice of competent legal counsel about these matters.
2. Compliance Committee
    OIG recommends that a compliance committee be established to advise 
the compliance officer and assist in the implementation of the 
compliance program.\12\ If structured appropriately, the committee can 
provide the compliance officer with contacts in various parts of the 
institution and the names of individuals who possess subject matter 
expertise. If the

[[Page 71318]]

institution employs individuals who already have responsibility for 
compliance in various subject areas, for example biosafety or care and 
use of animals, these individuals would be obvious candidates for the 
compliance committee.
---------------------------------------------------------------------------

    \12\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities and areas 
of knowledge in the organization, such as operations, finance, 
audit, human resources, and legal, as well as faculty members. The 
compliance officer should be an integral member of the committee. 
All committee members should have the requisite seniority and 
comprehensive experience within their respective areas to recommend 
and implement any necessary changes to policies and procedures.
---------------------------------------------------------------------------

    When developing an appropriate team of people to serve as the 
compliance committee, the institution should also consider including 
individuals with a variety of skills and personality traits as team 
members. The institution should expect its compliance committee members 
and compliance officer to demonstrate integrity, good judgment, 
assertiveness, and an approachable demeanor, while eliciting the 
respect and trust of employees. These interpersonal skills are as 
important as the professional experience of the compliance officer and 
each member of the compliance committee. Examples of individuals that 
the institution might consider as members of the compliance committee 
include institutional ombudsman staff and alternative dispute 
resolution staff.
    Once an institution chooses the members of the compliance 
committee, the institution needs to train these individuals on the 
policies and procedures of the compliance program, as well as how to 
discharge their duties. In essence, the compliance committee should 
function as an extension of the compliance officer and provide the 
organization with increased oversight.

D. Conducting Effective Training

    The training of appropriate administrators, both at the institution 
and department levels, faculty (including principal investigators), 
other staff, and contractors on award administration and other program 
requirements is an important element of an effective compliance 
program. The focus of the training and its level of detail will depend 
on the particular needs of the institution. In addition to training 
sessions, the institution may also undertake other educational efforts, 
such as disseminating publications that explain specific requirements 
in a practical manner. In developing training programs, it may be 
helpful to involve faculty, such as principal investigators, who will 
be receiving the training. This will allow these individuals to offer 
their insights, encourage more enthusiastic participation in the 
training sessions, and promote buy-in with the compliance program.
    An institution should provide general training sessions that cover 
such issues as ethical standards and the institution's commitment to 
compliance issues. All employees, and where feasible and appropriate 
contractors, should receive the general training. General training 
should include the contents of the institution's compliance program, 
such as the role of the compliance officer and committee and the 
availability of an anonymous complaint mechanism. It should include 
both a description of the many types of compliance issues that 
administrators, faculty and other employees may need to address in the 
course of their careers, and the sources of guidance in resolving those 
issues.
    More specific training programs would be designed for more 
specialized audiences. For example, administrative personnel who manage 
award funding should receive detailed training on Federal cost 
principles and grant administration regulations and policies. Employees 
who are involved with clinical research should receive training on the 
protection of human subjects, the Institutional Review Board process, 
and the responsible conduct of research. Administration officers and 
other key staff can assist in identifying additional specialized areas 
for training. Areas of training may also be identified through internal 
audits and monitoring and from a review of any past compliance 
problems.
    Training instructors may come from outside or inside the 
organization, but must be qualified to present the subject matter 
involved and sufficiently experienced in the issues presented to 
adequately field questions and coordinate discussions among those being 
trained. Ideally, training instructors should be available for follow-
up questions after the formal training session has been conducted.
    General and specific training sessions should be provided both upon 
initial employment with the institution as well as on some periodic 
schedule, depending on the needs of the audience. Specialized training 
should be provided on a more frequent basis, perhaps annually or more 
frequently.
    One technique to consider for training is to report actual examples 
of compliance problems at the institution or at other institutions, 
typically without any identifying information. This may serve to 
educate staff on these issues the institution considers important, how 
the compliance process works, and the actions that can be taken against 
individuals for more serious problems.
    An institution may wish to vary the manner of training, both for 
general and specific training. In-person training sessions may be more 
effective than other types of training and are usually important for 
initial training sessions for new employees or when employees have 
changed their job responsibilities. However, follow-up training may be 
provided in other formats, such as through videotaped presentations or 
web-based training in which participants certify that they have 
completed the training curriculum. If videos or computer-based programs 
are used for compliance training, OIG suggests that the institution 
make a qualified individual available to field questions from trainees.
    The compliance officer should maintain records of all formal 
training undertaken by the institution as part of the compliance 
program. This should include attendance logs, descriptions of the 
training sessions, and copies of the material distributed at training 
sessions. Depending on need, an institution may require that employees 
receive a minimum number of educational hours per year, as appropriate, 
as part of their employment responsibilities.
    The institution needs to establish a mechanism to ensure that 
employees receive the training they need. Training could be made a 
condition of continued employment and failure to comply with training 
requirements could result in disciplinary action. Adherence to the 
training requirements as well as other provisions of the compliance 
program should be a factor in the annual evaluation of each employee.

E. Developing Effective Lines of Communication

1. Access to Supervisors and/or the Compliance Officer
    For a compliance program to work, employees must be able to ask 
questions and report problems. University officials, department 
chairpersons or other supervisors play a key role in responding to 
employee concerns and it is appropriate that they serve as a first line 
of communication. Research institutions should consider the adoption of 
open-door policies to foster dialogue between management and employees. 
To encourage communications, confidentiality and nonretaliation 
policies should also be developed and distributed to all employees.
    Open lines of communication between the compliance officer and 
employees are equally important to the successful implementation of a 
compliance program. In addition to serving as a contact point for 
reporting problems and initiating appropriate responsive action, the 
compliance officer should be viewed as someone to whom personnel can go 
for clarification on the institution's policies.

[[Page 71319]]

2. Hotlines and Other Forms of Communication
    OIG encourages the use of hotlines, e-mails, newsletters, 
suggestion boxes, and other forms of information exchange to maintain 
open lines of communication. In addition, an effective employee exit 
interview program could be designed to solicit information from 
departing employees regarding potential misconduct and suspected 
violations of the institution's policies and procedures. Institution 
officials may also identify areas of risk or concern through periodic 
surveys.
    If an institution establishes a hotline or other reporting 
mechanism, information regarding how to access the reporting mechanism 
should be made readily available to all employees and contractors by 
including that information in the code of conduct or by circulating the 
information (e.g., by publishing the hotline number or e-mail address 
on wallet cards) or conspicuously posting the information in common 
work areas.\13\ Employees should be permitted to report matters on an 
anonymous basis.
---------------------------------------------------------------------------

    \13\ Institutions might also choose to post in a prominent area 
the HHS-OIG Hotline telephone number, 1-800-447-8477 (1-800-HHS-
TIPS).
---------------------------------------------------------------------------

    For the reporting mechanism to maintain credibility, it is 
important that the institution's review of the allegations be 
meaningful and that prompt and appropriate followup be conducted. 
Reported matters that suggest substantial violations of Federal program 
requirements should be documented and investigated promptly to 
determine their veracity and the scope and cause of any underlying 
problem. The compliance officer should maintain a thorough record of 
such complaints as well as any investigation, its results, and any 
remedial or disciplinary action taken. The institution may wish to 
provide such information, redacted of individual identifiers, to the 
institution's senior management, such as the board of regents and the 
president, and to the compliance committee.

F. Auditing and Monitoring

    Auditing of an institution's operations and activities is a 
critical internal control mechanism. Under the Single Audit Act of 1984 
(Pub. L. 98-502), as amended, all institutions that expend $500,000 or 
more in Federal assistance are required to have a single audit of the 
``non-Federal entity,'' which must be conducted in accordance with 
generally accepted Government auditing standards. (31 U.S.C. 7502, OMB 
Circular A-133.) Major institutions typically also have an annual 
financial statement audit, often conducted by the same firm that 
conducts its single audit, for the purpose of expressing an opinion as 
to the fairness of the information contained in the financial 
statements for the institution.
    In addition to the mandated single audit and the financial 
statement audit, institutions should consider having additional 
performance audits, focused on particular areas of activity. Internal 
auditors may already be performing such audits, although an external 
auditor may in some cases be able to provide a greater level of 
independence in this work or should be considered when there is a 
particular problem or risk area that needs attention. Whether audits of 
compliance with Federal program requirements are performed by internal 
or external auditors, they should follow generally accepted Government 
auditing standards, published by the Government Accountability Office 
as ``Government Auditing Standards,'' known as the ``Yellow Book.''
    Institutions should consider conducting risk assessments to 
determine where to devote audit resources, such as for separate 
performance audits, and may wish to consider the risk areas we 
identified above in section II. Risk assessments could be coordinated 
by the compliance officer. The institution's disclosure statement under 
OMB Circular A-21--if it is required to submit one--may already include 
identification of risk areas. The A-133 audit itself may also identify 
risk areas or the program agencies may identify risk areas based on 
their review of the A-133 audit.
    An effective compliance program should also incorporate thorough 
monitoring of its implementation and an ongoing evaluation process. The 
compliance officer should document this ongoing monitoring, including 
reports of suspected noncompliance, and provide these assessments to 
the institution's senior management and the compliance committee. The 
extent and frequency of the compliance audits may differ depending on 
variables such as the institution's available resources, prior history 
of noncompliance, and the risk factors particular to the institution. 
The nature of the reviews may also vary and could include a prospective 
systemic review of the institution's processes, protocols, and 
practices, or a retrospective review of actual practices in a 
particular area.
    Although many assessment techniques are available, it is often 
effective to engage internal or external evaluators who have relevant 
expertise to perform regular compliance reviews. The reviews should 
focus on those divisions or departments of the institution that have 
substantive involvement with or impact on Federal programs and on the 
risk areas identified in this guidance. The reviews should also 
evaluate the policies and procedures regarding other areas of concern 
identified by OIG and Federal and State law enforcement agencies. 
Specifically, the reviews should evaluate whether: (1) The institution 
has policies covering the identified risk areas, (2) the policies were 
implemented and communicated, and (3) the policies were followed.

G. Enforcing Standards Through Well-Publicized Disciplinary Guidelines

    An effective compliance program should include clear and specific 
disciplinary policies that set out the consequences of violating 
Federal or State requirements, the institution's code of conduct, or 
its policies and procedures. Any research institution should 
consistently undertake appropriate disciplinary action across the 
institution for the disciplinary policy to have the required deterrent 
effect. Intentional and material noncompliance should not be tolerated 
and should subject transgressors to significant sanctions. Such 
sanctions could range from oral warnings to suspension, termination or 
other sanctions, as appropriate. Disciplinary action also may be 
appropriate when a responsible employee's failure to detect a violation 
is attributable to his or her negligence or reckless conduct. Each 
situation must be considered on a case-by-case basis, taking into 
account all relevant factors, to determine the appropriate response.

H. Responding to Detected Problems and Developing Corrective Action 
Initiatives

1. Violations and Investigations
    Violation of an institution's compliance program, failure to comply 
with applicable Federal or State law, and other types of misconduct 
threaten the institution's reputation in the scientific and research 
community. Consequently, upon receipt of reasonable indications of 
suspected noncompliance, it is important that the compliance officer or 
other officials immediately investigate the allegations to determine 
whether a material violation of applicable law or the requirements of 
the compliance program has occurred and, if so, take decisive

[[Page 71320]]

steps to correct the problem.\14\ The exact nature and level of 
thoroughness of the investigation will vary according to the 
circumstances, but the review should be detailed enough to identify the 
cause of the problem. As appropriate, the investigation may include a 
corrective action plan, an assessment of internal controls, a report 
and repayment to the Government, and/or a referral to law enforcement 
authorities or regulatory bodies.
---------------------------------------------------------------------------

    \14\ Instances of noncompliance must be determined on a case-by-
case basis. The existence or amount of a monetary loss to PHS or 
other Federal programs is not solely determinative of whether the 
conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss, but corrective actions are still 
necessary to protect the integrity of the program.
---------------------------------------------------------------------------

2. Reporting
    Where the compliance officer, compliance committee, or member of 
the institution's administration discovers credible evidence of 
misconduct from any source and, after a reasonable inquiry, believes 
that the conduct may violate criminal, civil, or administrative law, 
the institution should promptly report the existence of misconduct to 
the appropriate authorities within a reasonable period, but not more 
than 60 days, after determining that there is credible evidence of a 
violation. This includes the reporting of criminal or civil misconduct 
to Federal and State authorities,\15\ or, for example, in the case of 
research misconduct to the appropriate institutional body or to the 
Department's Office of Research Integrity. Prompt voluntary reporting 
will demonstrate the institution's good faith and willingness to work 
with governmental authorities to correct and remedy the problem. In 
addition, reporting such conduct may be considered a mitigating factor 
by the responsible law enforcement or regulatory office, including OIG.
---------------------------------------------------------------------------

    \15\ Appropriate Federal authorities include OIG, the Criminal 
and Civil Divisions of the Department of Justice, the U.S. Attorney 
in the institution's district, and the Federal Bureau of 
Investigation. State authorities may include the appropriate 
division of the State Attorney General's office or, if separate from 
the Attorney General, the District Attorney or other criminal 
prosecutive office.
---------------------------------------------------------------------------

    When reporting to the Government, an institution should provide all 
information relevant to the alleged violation of applicable Federal or 
State law(s) and the potential financial or other impact of the alleged 
violation. The compliance officer, under advice of counsel and with 
guidance from the governmental authorities, could be requested to 
continue to investigate the reported violation. Once the investigation 
is completed, and especially if the investigation ultimately reveals 
that criminal, civil or administrative violations have occurred, the 
compliance officer should notify the appropriate authorities of the 
outcome of the investigation.

I. Establishing Roles and Responsibilities and Assigning Oversight 
Responsibility

    It is especially important that roles and responsibilities 
regarding the use of PHS research awards be clearly defined and 
understood. Defining roles and responsibilities promotes accountability 
and is essential to the overall internal control structure of the 
institution.
    Institutions should clearly delineate the responsibilities of all 
persons involved with the conduct of federally supported research, 
including both administration or department personnel with oversight 
responsibility as well as principal investigators and other personnel 
who are engaged in research.
    Under PHS regulations, it is typically the institution itself that 
qualifies as the ``responsible legal entity'' for grant compliance 
purposes. (See 42 CFR 52.2 (definition of ``Grantee'').) Clearly 
defining roles and responsibilities can assist institutions in 
fulfilling their legal responsibility to comply with Department 
requirements, removing any uncertainty as to the precise responsibility 
of all individuals involved in the research enterprise. It can also 
assist individuals in defending against allegations that they 
recklessly disregarded award requirements.
    Roles and responsibilities for each position should be clearly 
communicated and accessible. Including roles and responsibilities in 
the institution's written policies and procedures and in its formal 
training and education program could accomplish this objective.

IV. Conclusion

    The growth in Federal funding for scientific research over the past 
decade has prompted a need for more effective compliance by recipient 
institutions. Many institutions have recognized this need and have 
developed formal compliance programs. We believe that all research 
institutions would benefit from compliance programs that, if 
effectively implemented, would foster a culture of compliance that 
begins at the administration or management level and permeates 
throughout the organization. The purpose of this voluntary guidance is 
to offer a ``checklist'' of items that we believe is critical for 
refining or developing an eff