The Catholic University of America

Responsibilities of the Chief Ethics and Compliance Officer and Chief Privacy Officer

U.S. Federal Sentencing Guidelines for Organizations

These guidelines at §8B2.1 set forth the requirements for an effective compliance and ethics program for organizations. Organizations are vicariously liable under federal criminal law for acts committed by their agents. The definition of “organization” at 18 USC §18 includes non-profits such as the University. 

The guidelines require not only promoting compliance with laws, but promoting a "Culture of Compliance." The key elements of an effective compliance and ethics program per the guidelines include: 

1.  A Compliance Officer with authority and operational responsibility for the program.

2.  Establishing standards and procedures.

3.  Communicating standards, procedures and other aspects of the program.

4.  Board of Trustee oversight of program implementation and effectiveness.

5.  Periodic reporting to high level personnel and the Board by the Compliance Officer.

6.  Monitoring, auditing, and periodic evaluation of program effectiveness.

7.  A confidential mechanism for reporting legal violations or seeking guidance without fear of retaliation.

8.  Responding appropriately to criminal conduct with corrective action.

The University’s Chief Ethics and Compliance Officer and Chief Privacy Officer (CECO/CPO), reporting to the Office of the President and the Audit Committee of the Board of Trustees, works with the President, senior staff, and management personnel across campus to implement the University’s Compliance and Ethics Program so as to meet the requirements of the Sentencing Guidelines.

Federal Acquisition Regulation - Business Ethics Requirements

Federal contractors with contracts greater than $5,000,000 with a performance period of 120 days or more must: 

Adopt a written Code of Business Ethics and Conduct

Provide a copy to each employee performing on the contract, and promote compliance with the code

Prominently display hotline posters

Conduct an ongoing business ethics awareness and compliance program, and

Implement internal controls to:

    Assign responsibility for managing compliance at a sufficiently high level

    Prohibit hiring as principal employees individuals who have engaged in behavior that conflicts with the contractor’s code

    Facilitate timely discovery and correction of improper conduct on federal contracts

    Discipline improper conduct

    Monitor and audit on an ongoing basis to detect criminal behavior

    Periodically evaluate program effectiveness and review practices, procedures, and policies

    Periodically assess the risk of criminal conduct

    Report timely to the federal government any credible evidence of a violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations, or of a civil False Claims Act violation

The CECO/CPO is responsible for implementing the University’s Compliance and Ethics Program, including the Code of Conduct, Compliance and Ethics Helpline, training and communication of Program resources, investigation of potential non-compliance and oversight of corrective action, ongoing monitoring and risk assessment activities, and reporting to senior staff and the Audit Committee of the Board of Trustees regarding Program implementation and status.

False Claims Act (FCA) as amended by the Fraud Enforcement and Recovery Act of 2009 (FERA)

Claims submitted to the federal government must be accurate.  The FCA provides civil penalties of $5,000 to $10,000, plus three times the government's damages, for submission of false claims.  Intent to defraud is not necessary for a violation of the law to occur. A false claim may be found if the party submitting the claim had knowledge of the information and acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. This law is sometimes known as the "whistleblower law," as qui tam plaintiffs (informers who may sue on their own behalf as well as for the government or institution) may bring actions under the law alleging the filing of a false claim.

FERA clarifies that the False Claims Act was intended to cover any false or fraudulent claim for government money or property, regardless of whether the claim is presented to a government official or employee, whether the government has physical custody of the money, or whether the defendant specifically intended to defraud the government. FERA also expands the False Claims Act provisions to subrecipients of federal funds.

The CECO/CPO is responsible for providing compliance training, for monitoring internal controls implemented to prevent false claims, for assessing the risk of false claims, for assisting in the implementation of additional controls, and for investigating potential financial irregularities in coordination with Internal Audit.

Whistleblower Protections Under Federal Law

The U.S. Federal Sentencing Guidelines for Organizations require, as a condition of an effective Compliance and Ethics Program, that the University implement a mechanism for reporting violations of law free from fear of retaliation or retribution. In addition, numerous federal statutes prohibit an employer from discharging, demoting, disciplining or otherwise discriminating against any employee with respect to his or her compensation, terms, conditions, or privileges of employment because the employee filed or will file a complaint, instituted or will institute a proceeding, or testified, assisted or participated in a proceeding or will do so. Federal laws that apply to the University and that carry such whistleblower protections include, but are not limited to, the False Claims Act, the Fair Labor Standards Act, the Internal Revenue Code, and the Occupational Safety and Health Act.

The Occupational Safety and Health Administration (OSHA), through its Whistleblower Protection Program, enforces the whistleblower provisions of many of the statutes that protect employees who report violations of laws.

The CECO/CPO is responsible for implementing and administering the University’s anonymous Compliance and Ethics Helpline, for maintaining and communicating the University’s Non-Retaliation Policy, and for investigating and coordinating responses to reports of potential retaliation.

Family Educational Rights and Privacy Act (FERPA)

FERPA regulates the storage and dissemination of “education records” at all institutions that receive federal funds or that have students receiving federal funds. FERPA sets forth the requirements and limitations for:

Release of student information, including the method for obtaining student consent

Disclosure in the event of emergencies

Annual notification of rights to students

The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential FERPA issues.

Health Insurance Portability and Accountability Act (HIPAA) of 1996 as expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

HIPAA’s “Privacy Rule” limits access to Protected Health Information (PHI) in all forms (electronic, written, or oral), gives patients the right to view their records and know who has accessed them, and limits use and disclosure of PHI to the minimum necessary to accomplish the given task. HIPAA’s “Security Rule” requires implementation of a security plan that explicitly provides administrative, physical and technical safeguards for PHI. HITECH broadens HIPAA by extending coverage to business associates, and requires that covered providers implement administrative, physical and technical safeguards for PHI. HITECH requires that covered entities notify affected individuals and the Secretary of the Department of Health and Human Services (DHHS), and in some cases the media, following the discovery of a breach of unsecured PHI. “Unsecured PHI” is PHI that is not secured via technologies and methodologies, as defined by DHHS guidance, that make the PHI unusable, unreadable, or indecipherable to unauthorized individuals. DHHS has specified encryption and destruction as those technologies and methodologies.

The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential HIPAA/HITECH issues.

Gramm-Leach-Bliley Act (GLBA)

GLBA regulates the handling of private financial information by financial institutions. If covered, the University must develop a written information security plan that describes how it will protect consumers’ non-public personal information.

The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential GLBA issues.

Payment Card Industry (PCI) Data Security Standard (DSS)

The PCI Standard is a contractual obligation imposed by the credit card companies that requires the University to protect consumers and cardholders against identity theft by enforcing best-practice security standards. The current PCI Standard consists of the following requirements:

Install and maintain a firewall configuration to protect data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored data

Encrypt transmission of cardholder data and sensitive information across public networks

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Restrict access to data by business need-to-know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain a policy that addresses information security.

The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential PCI DSS issues.

Related Policies

Code of Conduct

Conflict of Interest Policy for Staff and Faculty

Conflict of Interest Policy, Board of Trustees Policy

Credit Card Acceptance Policy

Gifts from Contractors/Vendors Policy

Identity Theft Prevention Policy

Information Security and Assurance Policy

Record Retention Policy

Reporting Ethics Misconduct and Non-Retaliation Policy

Reporting Financial Irregularities Policy

Resources

Catholic University Mission Statement

Committee of Sponsoring Organizations (COSO) - Internal Control - Integrated Framework

Compliance and Ethics Helpline

Compliance and Ethics Program

Compliance and Ethics Program Brochure

Compliance Awareness Training

FERPA Awareness Training

Policy website

Privacy and Information Security Training