Responsibilities of the Chief Ethics and Compliance Officer and Chief Privacy Officer
The U.S. Federal Sentencing Guidelines for Organizations, at §8B2.1, set forth the requirements for an effective compliance and ethics program for organizations. Organizations are vicariously liable under federal criminal law for acts committed by their agents. The definition of “organization” at 18 USC §18 includes non-profits such as the University.
The guidelines require not only promoting compliance with laws, but promoting a "Culture of Compliance." The key elements of an effective compliance and ethics program per the guidelines include:
1. A Compliance Officer with authority and operational responsibility for the program.
2. Establishing standards and procedures.
3. Communicating standards, procedures and other aspects of the program.
4. Board of Trustee oversight of program implementation and effectiveness.
5. Periodic reporting to high level personnel and the Board by the Compliance Officer.
6. Monitoring, auditing, and periodic evaluation of program effectiveness.
7. A confidential mechanism for reporting legal violations or seeking guidance without fear of retaliation.
8. Responding appropriately to criminal conduct with corrective action.
The University’s Chief Ethics and Compliance Officer and Chief Privacy Officer (CECO/CPO), reporting to the Office of the President and the Audit Committee of the Board of Trustees, works with the President, senior staff, and management personnel across campus to implement the University’s Compliance and Ethics Program so as to meet the requirements of the Sentencing Guidelines.
Federal contractors with contracts greater than $5,000,000 and a performance period of 120 days or more must:
1. Adopt a written Code of Business Ethics and Conduct.
2. Provide a copy to each employee performing on the contract, and promote compliance with the code.
3. Prominently display hotline posters.
4. Conduct an ongoing business ethics awareness and compliance program.
5. Implement internal controls to:
   a. Assign responsibility for managing compliance at a higher level.
   b. Prohibit hiring as principal employees individuals who have engaged in behavior that conflicts with the contractor’s code.
   c. Facilitate timely discovery and correction of improper conduct on federal contracts.
   d. Discipline improper conduct.
   e. Monitor and audit on an ongoing basis to detect criminal behavior.
   f. Periodically evaluate program effectiveness and review practices, procedures, and policies.
   g. Periodically assess the risk of criminal conduct.
   h. Report timely to the federal government any credible evidence of a violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations, or of a civil False Claims Act violation.
The CECO/CPO is responsible for implementing the University’s Compliance and Ethics Program, including the Code of Conduct, Compliance and Ethics Helpline, training and communication of Program resources, investigation of potential non-compliance and oversight of corrective action, ongoing monitoring and risk assessment activities, and reporting to senior staff and the Audit Committee of the Board of Trustees regarding Program implementation and status.
Claims submitted to the federal government must be accurate. The False Claims Act (FCA) provides civil penalties of $5,000 to $10,000, plus three times the government's damages, for submission of false claims. Intent to defraud is not necessary for a violation of the law to occur. A false claim may be found if the party submitting the claim had knowledge of the information and acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. This law is sometimes known as the "whistleblower law," because qui tam plaintiffs (informers who may sue on their own behalf as well as on behalf of the government or institution) may bring actions under the law alleging the filing of a false claim.
The Fraud Enforcement and Recovery Act of 2009 (FERA) clarifies that the False Claims Act was intended to cover any false or fraudulent claim for government money or property, regardless of whether the claim is presented to a government official or employee, whether the government has physical custody of the money, or whether the defendant specifically intended to defraud the government. FERA also extends the False Claims Act provisions to subrecipients of federal funds.
The CECO/CPO is responsible for providing compliance training, for monitoring internal controls implemented to prevent false claims, for assessing the risk of false claims, for assisting in the implementation of additional controls, and for investigating potential financial irregularities in coordination with Internal Audit.
The U.S. Federal Sentencing Guidelines for Organizations require, as a condition of an effective Compliance and Ethics Program, that the University implement a mechanism for reporting violations of law free from fear of retaliation or retribution. In addition, numerous federal statutes prohibit an employer from discharging, demoting, disciplining, or otherwise discriminating against any employee with respect to his or her compensation, terms, conditions, or privileges of employment because the employee filed or will file a complaint, instituted or will institute a proceeding, or testified, assisted, or participated in a proceeding or will do so. Federal laws that apply to the University and that have such whistleblower protections include, but are not limited to, the False Claims Act, the Fair Labor Standards Act, the Internal Revenue Code, and the Occupational Safety and Health Act.
The Occupational Safety and Health Administration (OSHA), through its Whistleblower Protection Program, enforces the whistleblower provisions of many of the statutes that protect employees who report violations of laws.
The CECO/CPO is responsible for implementing and administering the University’s anonymous Compliance and Ethics Helpline, for maintaining and communicating the University’s Non-Retaliation Policy, and for investigating and coordinating responses to reports of potential retaliation.
The Family Educational Rights and Privacy Act (FERPA) regulates the storage and dissemination of “education records” at all institutions that receive federal funds or that have students receiving federal funds. FERPA sets forth the requirements and limitations for:
Release of student information, including the method for obtaining student consent
Disclosure in the event of emergencies
Annual notification of rights to students
The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential FERPA issues.
Health Insurance Portability and Accountability Act (HIPAA) of 1996 as expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
HIPAA’s “Privacy Rule” limits access to Protected Health Information (PHI) in all forms (electronic, written, or oral), gives patients the right to view their records and to know who has accessed them, and limits use and disclosure of PHI to the minimum necessary to accomplish the given task. HIPAA’s “Security Rule” requires implementation of a security plan that explicitly provides administrative, physical, and technical safeguards for PHI. HITECH broadens HIPAA by extending coverage to business associates, and requires that covered providers implement administrative, physical, and technical safeguards for PHI. HITECH requires that covered entities notify affected individuals and the Secretary of the Department of Health and Human Services (DHHS), and in some cases the media, following the discovery of a breach of unsecured PHI. “Unsecured PHI” is PHI that is not secured via technologies and methodologies, as defined by DHHS guidance, that render the PHI unusable, unreadable, or indecipherable to unauthorized individuals. DHHS has specified encryption and destruction as those technologies and methodologies.
The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential HIPAA/HITECH issues.
The Gramm-Leach-Bliley Act (GLBA) regulates the handling of private financial information by financial institutions. If covered, the University must develop a written information security plan that describes how it will protect consumers’ non-public personal information.
The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential GLBA issues.
The PCI Standard is a contractual obligation imposed by the credit card companies that requires the University to protect consumers and cardholders against identity theft by enforcing best-practice security standards. The current PCI Standard consists of the following requirements:
Install and maintain a firewall configuration to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security.
The CECO/CPO is responsible for monitoring for appropriate privacy and security practices, for providing privacy guidance, for administering the University’s Privacy and Information Security Training, and for investigating potential PCI DSS issues.