FR Doc E5-6548

[Federal Register: November 28, 2005 (Volume 70, Number 227)]
[Notices]
[Page 71312-71320]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28no05-56]

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

Draft OIG Compliance Program Guidance for Recipients of PHS
Research Awards

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice and comment period.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice seeks the comments of interested
parties on draft compliance guidance developed by the Office of
Inspector General (OIG) for recipients of extramural research awards
from the National Institutes of Health (NIH) and other agencies of the
U.S. Public Health Service (PHS). Through this notice, OIG is setting
forth its general views on the value and fundamental principles of
compliance programs for colleges and universities and other recipients
of PHS awards for biomedical and behavioral research and the specific
elements that these award recipients should consider when developing
and implementing an effective compliance program.

DATES: To assure consideration, comments must be delivered to the
address provided below by no later than 5 p.m. on December 28, 2005.

ADDRESSES: Please mail or deliver written comments to the following
address: Office of Inspector General, Department of Health and Human
Services, Attention: OIG-1026-CPG, Room 5246, Cohen Building, 330
Independence Avenue, SW., Washington, DC 20201.
We do not accept comments by facsimile (FAX) transmissions. In
commenting, please refer to file code OIG-1026-CPG. Comments received
timely will be available for public inspection as they are received,
generally beginning approximately 2 weeks after publication of a
document, in Room 5527 of the Office of Inspector General at 330
Independence Avenue, SW., Washington, DC 20201 on Monday through Friday
of each week from 8 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT: Richard B. Stern, Office of Counsel to
the Inspector General, (202) 619-0335, or Joel Schaer, Office of
External Affairs, (202) 619-0089.

SUPPLEMENTARY INFORMATION:

Background

Compliance program guidance (CPG) is a major OIG initiative that
was developed to assist the health care community in preventing and
reducing fraud and abuse in Federal programs. In the last several
years, OIG has developed and issued compliance program guidance
directed at the following segments of the health care industry:
clinical laboratories; hospitals; home health agencies; third-party
medical billing companies; durable medical equipment, prosthetics,
orthotics and supply companies; Medicare+Choice organizations offering
coordinated care plans; hospices; nursing facilities; individual and
small group physician practices; ambulance suppliers; and
pharmaceutical manufacturers. Copies of these CPGs can be found on the
OIG Web site at http://oig.hhs.gov/fraud/complianceguidance.html.

Under its governing statute, OIG's oversight responsibility extends
to all programs and operations of the Department of Health and Human
Services (HHS or Department) and, accordingly, OIG promotes compliance
efforts by all recipients of Department funds.\1\ One community of
paramount importance to the Department's public health efforts is that
of colleges, universities, and other recipients of public funds that
conduct biomedical and behavioral research. These institutions may have
organizational differences from the users of past compliance guidances,
but we believe they have the same basic need to promote compliance
measures. We understand that research institutions have been developing
compliance programs in increasing numbers.

[[Page 71313]]

Moreover, over the last several years slightly more than 50 percent of
recipients of NIH research awards have been medical schools, many of
which may already have health care compliance programs in their
affiliated hospitals.
---------------------------------------------------------------------------

\1\ OIG and the PHS agencies, including NIH, share
responsibility for encouraging compliance by recipients of research
awards. In distinguishing the roles of the two agencies, we note
that NIH is more focused on compliance with administrative,
scientific, and financial requirements, while OIG is more focused on
the avoidance of fraudulent activities. OIG has chosen to publish
this guidance, in close coordination with NIH and other PHS
agencies, as part of a larger initiative that is designed in part to
assist institutions in avoiding criminal and civil fraud
investigations. This compliance guidance is consistent with guidance
provided by NIH on its Web site, http://grants1.nih.gov/grants/oer.htm
.

---------------------------------------------------------------------------

As with OIG's earlier CPGs, the purpose of this draft guidance is
to encourage the use of internal controls to effectively monitor
adherence to applicable statutes, regulations, and program
requirements. In developing the guidance, we have focused specifically
on grant compliance and administration issues, i.e., whether recipients
of research awards have misused program funds under the statutes,
regulations, and other requirements governing the use of those funds.
We believe this focus is consistent with OIG's responsibility for the
identification of program overpayments and, in appropriate situations,
the investigation of civil or criminal fraud. However, we believe that
the principles set forth in the guidance will also assist institutions
in developing compliance programs for their other activities wherein
issues of program compliance arise.
This draft guidance for recipients of PHS research awards contains
seven elements that have been widely recognized as fundamental to an
effective compliance program, and an additional element--number 8
below--that we believe is especially important for research
institutions. The eight elements include:
1. Implementing written policies and procedures,
2. Designating a compliance officer and compliance committee,
3. Conducting effective training and education,
4. Developing effective lines of communication,
5. Conducting internal monitoring and auditing,
6. Enforcing standards through well-publicized disciplinary
guidelines,
7. Responding promptly to detected problems and undertaking
corrective action, and
8. Defining roles and responsibilities and assigning oversight
responsibility.
As with previously issued guidances, this draft CPG represents
OIG's suggestions regarding how institutions can establish internal
controls to ensure adherence to applicable rules and program
requirements. The contents of the guidance should not be viewed as
mandatory or as an exclusive discussion of the advisable elements of a
compliance program. Moreover, the guidance does not establish a set of
program rules or standards by which to evaluate the compliance of an
institution. Rather, it is merely a set of suggestions regarding how
institutions may establish internal controls to allow the institution
to better comply with rules and standards that apply to PHS extramural
research awards.

Developing This Draft Compliance Program Guidance

In developing this draft guidance, we have consulted closely with
NIH, which dispenses the majority of biomedical and behavioral research
awards within HHS, and have coordinated as well as with other PHS
agencies that have compliance responsibilities for biomedical and
behavioral research awards. The statutes, regulations, and policies
pertaining to NIH and other PHS awards constitute an appropriate focus
for award recipients who seek to establish an effective compliance
program. We have also consulted with the U.S. Department of Justice and
with OIGs of other agencies--such as the National Science Foundation--
that fund significant extramural research.
In an effort to receive initial input on this guidance from the
research community, we published a Federal Register notice on September
5, 2003, (68 FR 52783), ``Solicitation of Information and
Recommendations for Developing Compliance Program Guidance for
Recipients of NIH Research Grants.'' In response to that notice, we
received a total of 20 comments from research institutions,
associations, and from one individual.
Although the September 5, 2003, solicitation notice requested
information and recommendations for developing a CPG for recipients of
research awards only from NIH, we have expanded the scope of the
guidance to other biomedical and behavioral research awards from the
public health agencies of this Department. In part, we made this change
based on a comment, received in response to the solicitation, that we
avoid inconsistent sets of guidance from various agencies. In addition
to NIH, which awards the majority of HHS (and Federal) research awards,
other public health agencies that fund biomedical and behavioral
research include the Agency for Healthcare Research and Quality, the
Agency for Toxic Substances and Disease Registry, the Health Resources
and Services Administration, the Indian Health Service, the Centers for
Disease Control and Prevention, the Substance Abuse and Mental Health
Services Administration, and the Food and Drug Administration.
In an effort to ensure that all parties have an opportunity to
provide input into OIG's guidance, we are publishing this guidance in
draft form. We welcome any comments regarding this document from
interested parties. OIG will consider all comments that are received
within the above-cited timeframe, incorporate any specific
recommendations as appropriate, and then prepare a final version of the
guidance for publication in the Federal Register The final version of
the guidance will be available on the OIG Web site at http://oig.hhs.gov
.

Draft OIG Compliance Program Guidance for Recipients of PHS Research
Awards (November 2005)

I. Introduction

The Office of Inspector General (OIG) of the Department of Health
and Human Services (HHS or Department) is continuing in its efforts to
promote voluntary compliance programs for recipients of Department
funding. This is the first guidance that is designed for a segment of
the Federal grant community and that is not specifically focused on
Medicare and Medicaid issues.\2\ However, many recipients of Public
Health Service (PHS) research awards are familiar with our previous
compliance guidances, in part because among the largest recipients of
PHS research funds are academic medical centers, which were the focus
of one of our first compliance guidances, to the hospital industry, in
February 1998.\3\
---------------------------------------------------------------------------

\2\ Although we refer in this guidance to commonly used terms
such as grant community and grant compliance and administration, the
guidance is intended to apply more broadly to all PHS research
``awards,'' which includes cooperative agreements and certain
contracts that are not governed by Federal procurement laws and
regulations. For a definition of the term ``awards,'' see 45 CFR
part 74, Uniform Administrative Requirements for Awards and
Subawards to Institutions of Higher Education, Hospitals, Other
Nonprofit Organizations, and Commercial Organizations,'' Sec. 74.2
(``Definitions'').
\3\ That guidance was recently supplemented. See OIG
Supplemental Compliance Program Guidance for Hospitals, 70 FR 4858
(January 31, 2005).
---------------------------------------------------------------------------

As with the earlier guidances, this compliance guidance is intended
to assist recipients of PHS biomedical and behavioral research awards
in developing and implementing internal controls and procedures that
promote adherence to applicable statutes, regulations, and other
requirements of PHS programs. This compliance guidance follows closely
those earlier guidances in its format and basic elements. At the same
time, this guidance departs from those earlier publications in certain
areas to accommodate the many differences for recipients of extramural
research awards.

[[Page 71314]]

As with hospitals and other health care companies, an increasing
number of colleges, universities, and other recipients of PHS
biomedical and behavioral research funds have developed compliance
programs. One purpose of this guidance is to assist these institutions
in evaluating and, as necessary, refining existing compliance programs.
This guidance is not a compliance program itself, nor does it
establish a set of cost principles or program requirements, which would
be beyond the responsibility of OIG. This guidance does not establish
criteria by which to conduct an audit or review of regulatory or
program compliance. Rather, it is intended to serve as a set of
guidelines that recipients of extramural research awards may consider
when developing and implementing a compliance program or evaluating an
existing one. For those institutions with an existing compliance
program, this guidance may serve as a useful comparison against which
to measure ongoing efforts.
We recognize that there are recipients of biomedical and behavioral
research awards that may be small institutions or businesses, such as
those receiving funds under the Small Business Innovation Research
(SBIR) program, or that may be larger institutions that receive a
relatively small amount of PHS funding. We anticipate that these
institutions share with larger entities the same basic concern about
establishing effective internal controls to monitor adherence with
Federal program requirements. However, some of these institutions may
determine that it is not practicable to establish the same type of
comprehensive compliance program that may exist, for example, at an
academic research institution associated with a medical school. We
encourage these institutions to develop a compliance program that
relies on the same eight basic elements of the guidance, but that is
suited to their own size and needs.

A. Scope of the Compliance Program Guidance

Because the responsibilities of OIG are focused on the effective
operation of this Department's programs and the misuse of its funds,
the scope of this voluntary guidance concentrates on issues that fall
under the rubric of grant compliance and administration. By this, we
mean those issues involving the application of statutes, regulations,
and other program requirements that affect the ``allowability'' of
costs and whether awardees should be subjected to a disallowance action
or, in appropriate circumstances, an investigation for criminal or
civil fraud. This guidance is also focused specifically on PHS awards
from this Department. We recognize that institutions may have multiple
sources of funding and that the term ``compliance'' is used more
broadly by the research community to include areas such as human and
animal subject research, conflicts of interest, research misconduct,
and intellectual property issues. While this guidance is not focused on
these other award sources and these other regulatory areas, the
compliance elements presented by this guidance may be useful in
connection with other sources of funding and with regard to other
regulatory areas. For example, appointing a compliance officer and
committee, developing a code of conduct, and instituting a training and
education program would contribute to promoting compliance with
National Science Foundation award requirements, as well as requirements
related to research misconduct and human subject research.
Institutions may currently have, or be considering, separate
compliance systems for their various areas of regulated activity. We
recognize that each of these areas may involve distinct personnel and
present different regulatory frameworks. However, because the basic
elements for a compliance program are shared among these systems,
institutions may receive management efficiencies by integrating their
compliance efforts through the elimination of overlapping systems or by
developing a single compliance program covering all compliance areas.
Integrating compliance systems may also offer collateral benefits. For
example, audits and reviews of one area of compliance may develop
information useful to other areas.
OIG also recognizes that a body of literature already exists on
research compliance issues, including guidance on establishing a
compliance program. Nonetheless, we believe that providing OIG CPG
consistent with the other compliance guidances we have published is
appropriate. For the convenience of the reader, we have compiled a
bibliography of some of these other publications, which is attached to
this guidance as Appendix A.
Our experience with compliance programs is that an institution's
implementation of a serious, meaningful, and effective compliance
program may require a significant commitment of time and resources,
especially for those institutions that have not developed a compliance
program in the past. We believe, however, that this commitment is
justified by the benefits of a compliance program.

B. Benefits of a Compliance Program

While the decision to implement a compliance program is entirely
voluntary, OIG believes that an effective compliance program provides
numerous advantages that will inure to the benefit of institutions that
choose to establish one. An effective compliance program addresses the
Government's and research community's mutual goals of ensuring good
stewardship of Federal funds by eliminating erroneous or improper
expenditure of Federal research funds, improving administration of
grants (both from the Federal Government and from private sources), and
demonstrating to employees and the community at large the institution's
commitment to honest and responsible conduct. These goals may be
achieved by:
Identifying and correcting unlawful and unethical behavior
at an early stage;
Encouraging employees to report potential problems and
allowing for appropriate internal inquiry and corrective action;
Minimizing, through early detection and reporting, any
financial loss to the Government and any resulting financial loss to
the institution; and
Reducing the possibility of Government audits or
investigations regarding unallowable payments or fraud that could have
been prevented at an early stage.
Institutions may also want to note that several of the elements of
this compliance guidance are considered ``mitigating factors'' that
must be considered as part of a formal debarment action by the
Department.\4\
---------------------------------------------------------------------------

\4\ See 45 CFR 76.860(l), (n), (p), and (q).
---------------------------------------------------------------------------

C. Application of Compliance Program Guidance

There is no single ``best'' compliance program. Institutions may
take differing approaches to how they rely upon internal audits in
monitoring compliance issues, how they comprise their compliance
committee, and whether they include compliance for research misconduct
and human and animal subject protections as part of a single compliance
program. Some institutions may already have a compliance program in
place; others only now may be initiating such efforts.
Institutions may also have identified, through audits or internal
inquiries, particular management concerns or areas of high risk that
may call for

[[Page 71315]]

developing or refining compliance elements to address these areas.
OIG has identified three major potential risk areas for recipients
of NIH research awards: (1) Time and effort reporting, (2) properly
allocating charges to award projects, and (3) reporting of financial
support from other sources. These risk areas, although not exhaustive
of all potential risk areas, are discussed in greater detail in section
II below.
The compliance measures adopted by an institution should be
tailored to fit the unique environment of the institution (including
its organizational structure, operations and resources, as well as
prior enforcement experience). In short, OIG recommends that each
institution should adapt the objectives and principles underlying the
measures outlined in this guidance to its own particular circumstances.

II. Risk Areas

As with previous OIG CPGs, in this section we highlight examples of
risk areas to assist institutions in developing a compliance program.
The identification of risk areas is an important aspect of formulating
policies and procedures, developing a training and education program,
and conducting internal monitoring and audits. This section addresses a
few examples of risk areas for recipients of PHS research awards that
have come to OIG's attention: (1) Time and effort reporting, (2)
properly allocating charges to award projects, and (3) reporting of
financial support from other sources. The areas identified in this
section are in no way intended to be exhaustive of all potential risk
areas. Institutions may identify other areas based on their own
operations and experiences. As an example, subrecipient monitoring may
be an important risk area for those institutions that rely heavily on
their own grants and contracts to fulfill the purposes of a PHS award.

A. Time and Effort Reporting

One critical compliance issue is the accurate reporting of research
time and effort. Because the compensation for the personal services of
researchers--both direct salary and fringe benefits--is typically a
major cost of a project, it is critical that the portion of the
researcher's compensation for particular research projects be
accurately reported. One reason that we view time and effort reporting
as a critical risk area is that many researchers have multiple
responsibilities--sometimes involving teaching, research, and clinical
work--that must be accurately measured and monitored. In the course of
a researcher's workday, the separation between these areas of activity
can sometimes be hard to discern, which heightens the need to have
effective timekeeping systems.
For this reason, institutions need to be especially vigilant in
accurately reporting the percentage of time devoted to projects.
Accurate time and effort reporting systems are essential to ensure that
PHS and other funding sources are properly charged for the activities
of researchers. The failure to maintain accurate time and effort
reporting may result in overcharges to funding sources and, in certain
circumstances, could subject an institution to civil or criminal fraud
investigations.
We are aware of situations in which researchers falsely report the
amount of time they intend to devote to research projects. For example,
it would be clearly improper for researchers in award applications to
separately report to three awarding agencies that they intend to spend
50 percent of their time on each of the three awards. Some recent cases
we have seen involved the ``commitment of effort'' by researchers
wherein the Government believed that the institution failed to account
properly for the clinical practice time of researchers, in addition to
their academic and research time at the institution. As an example, it
would be improper to report to NIH or another awarding agency that 70
percent of a researcher's time would be spent on an award when 50
percent of the researcher's time would be spent on clinical
responsibilities.
For colleges and universities, the rules governing compensation for
personal services, including payroll distributions, are contained in
OMB Circular A-21,\5\ Cost Principles for Educational Institutions,
section J.10.\6\ Under section J.10 of OMB Circular A-21, institutions
must establish a system of payroll distribution and must usually
maintain ``after-the-fact Activity Reports'' or employ another method
to report accurately the distribution of activity of employees. (See
especially, section J.10, paragraphs b.(2)(a)--(c)). The accuracy of
these activity reports is critical for the awarding agency to
understand the amount of research conducted under the award. More
specific guidance is contained in the instructions to PHS Form 398,
Application for a Public Health Service Grant,\7\ available at
http://www.grants.nih.gov/grants/funding/phs398/phs398.html (``Definitions,''

definition of ``Institutional Base Salary''), and in the NIH Grants
Policy Statement, Part I, Definitions, available at http://grants1.nih.gov/grants/policy/nihgps
(``Glossary,'' definition of

``Institutional Base Salary,'' and Selected Items of Cost, ``Salaries
and Wages'' and ``Payroll Distribution'').
---------------------------------------------------------------------------

\5\ For State and local governments, the rules governing
compensation for personal services is contained in OMB Circular A-
87, Cost Principles for State, Local and Indian Tribal Governments,
Attachment B, Sec. 11. For non-profit organizations, it is
contained in OMB Circular A-122, Cost Principles for Non-Profit
Organizations, Attachment B, paragraph 7. For hospitals, the rules
are contained in 45 CFR part 74, Appendix E, Principles for
Determining Costs Applicable to Research and Development under
Grants and Contracts with Hospitals, Sec. IX, paragraph B.7.
\6\ By regulation, OMB Circular A-21 and the other cost
principles are made applicable to recipients of Department awards.
45 CFR 74.27(a). The cost principles have also recently been
codified in title 2 of the CFR.
\7\ The Public Health Service Grant Application, PHS Form 398,
is being replaced with an electronic application form, the standard
form 424 R&R. According to NIH, the new form will incorporate all
the policies and definitions currently contained in the Form 398.
---------------------------------------------------------------------------

Another issue in reporting the commitment of effort to research
projects is the accurate and consistent treatment of ``institutional
base salary'' (IBS). IBS effectively serves as the denominator in
calculating the proportion of an employee's activity that is allocated
to particular Federal awards. While IBS typically includes only
nonclinical work of employees, certain institutions include clinical
work based on a more expansive definition of the ``institution'' for
cost reporting purposes. For those institutions, it is critical that
the clinical and nonclinical work activities of researchers are
reported so that salary is correctly allocated among Federal and non-
Federal sources.\8\
---------------------------------------------------------------------------

\8\ NIH has recently expanded its guidelines addressing when
institutions may include clinical practice compensation as part of
institutional base salary. Among other tests, the compensation must
be set by the institution, be paid through or at the direction of
the institution, and be included and accounted for in the
institution's effort reporting and/or payroll distribution system.
See Guidelines for Inclusion of Clinical Practice Compensation in
Institutional Base Salary Charged to NIH Grants and Contracts,
http://grants.nih.gov/grants/guide/notice-files/NOT-OD-050061.html.

---------------------------------------------------------------------------

B. Properly Allocating Charges to Award Projects

Research institutions commonly receive multiple awards for a single
research area. It is essential that accounting systems properly
separate the amount of funding from each funding source. Institutions
must also be vigilant about clearly fraudulent practices such as
principal investigators on different projects banking or trading award
funds among themselves. The failure to account accurately for charges
to various award projects can result in

[[Page 71316]]

significant disallowances or, in certain circumstances, could subject
an institution to criminal or civil fraud investigations.
In one recent civil fraud action, an institution settled
allegations by the Government that it made end-of-year transfers of
direct costs on various Federally funded research awards from overspent
accounts to underspent accounts, with the purpose of maximizing its
Federal reimbursement and, in some cases, avoiding the refunding of
unused grant proceeds.
The general principles governing the allocation of costs are found
in the appropriate sets of cost principles, such as OMB Circular A-21
for colleges and universities. Among those principles in Circular A-21
is the rule that a ``cost is allocable to a particular cost objective *
* * if the goods or services involved are chargeable or assignable to
such cost objective in accordance with relative benefits received or
other equitable relationship.'' Circular, Sec. C.4.\9\ Additional
guidance on the allocation of costs may be found in the NIH Grants
Policy Statement, Part II, Cost Considerations, available at htttp://
grants1.nih.gov/grants/policy/nihgps. Also, the Departmental Appeals
Board has jurisdiction over cost allocation and rate disputes, as well
as more generally over direct, discretionary grants, including
biomedical research grants from NIH. (The Board's process is described
in 45 CFR part 16.) Several Board decisions address the proper
allocation of costs by colleges and universities.\10\
---------------------------------------------------------------------------

\9\ For State and local governments, a similar principle
governing the allocation of costs is contained in OMB Circular A-87,
Cost Principles for State, Local and Indian Tribal Governments,
Attachment A, Sec. C.3. For non-profit organizations, it is
contained at OMB Circular A-122, Cost Principles for Non-Profit
Organizations, Sec. A.4. For hospitals, the principle is contained
in 45 CFR Part 74, Appendix E, Principles for Determining Costs
Applicable to Research and Development under Grants and Contracts
with Hospitals, Sec. III, D.
\10\ Board decisions may be found on the Board's Web site at
http://www.hhs.gov/dab/search.html, as well as with legal information

services such as Westlaw and Lexis.
---------------------------------------------------------------------------

As with other administrative requirements governing Federal awards,
the improper allocation of charges to various sources is not a mere
``accounting problem,'' in the sense that it has no real impact on the
conduct of science. On the contrary, the failure to allocate correctly
charges--whether because of poor record-keeping or as part of an intent
to deceive funding sources--has the effect of drawing away limited
Federal research funds from projects for which they were intended and
subverting the Government's ability to distribute funds to those
projects most in need of support.

C. Reporting Financial Support From Other Sources

As with the proper reporting of time and effort and the allocation
of charges, the reporting of financial support from other sources is
critical for the awarding agency to understand the commitment of
resources by the grantee to a particular project or award. Without
complete and accurate information on other funding sources, PHS may be
unable to determine whether a particular project should be funded and
the amount of such funding. In some cases, failure to identify other
support for a research project could cause PHS to provide duplicate
funding to the project. At a minimum, information on other support
would allow PHS to use its limited resources on other worthy projects
that might otherwise be left unfunded.
For PHS awards, the reporting of other financial support is a
required element of award applications and the failure to provide this
information could, in certain, subject an institution to a criminal or
civil fraud investigation. Other funding support is required to be
reported as part of the application for funding (PHS Form 398), the
instructions for which state that the applicant organization must
disclose all compensation and salary support. (See PHS 398 Rev. 9/2004,
Sec. III.H (``Other Support'') available at http://www.grants.nih.gov/grants/funding/phs398/PolAssurDef.doc.
) Moreover, the face page of the

PHS application includes a certification by both the Principal
Investigator/Program Director and by the Applicant Organization that
all statements in the application are ``true, complete, and accurate to
the best of my knowledge'' and that ``false, fictitious, or fraudulent
statements or claims could subject me to criminal, civil, or
administrative penalties.'' (The face page is available at http://www.grants.nih.gov/grants/funding/phs398/fp1.doc.
) Additional guidance

for NIH grants is found in the NIH Grants Policy Statement, Part II,
Just-in-Time Procedures, available at http://grants1.nih.gov/grants/policy/nihgps
.

A problem related to the failure to accurately and completely
report support from other financial sources is the charging of both
award funds and Medicare and other health care insurers for performing
the same service. This is clearly improper and has subjected
institutions to fraud investigations.

III. Compliance Program Elements

A. The Basic Compliance Elements

At a minimum, a comprehensive compliance program should include the
following elements:
(1) The development and distribution of written standards of
conduct, as well as written policies and procedures, that reflect the
institution's commitment to compliance.
(2) The designation of a compliance officer and a compliance
committee charged with the responsibility for developing, operating,
and monitoring the compliance program, and with authority to report
directly to the head of the organization, such as the president and/or
the board of regents in the case of a university.
(3) The development and implementation of regular, effective
education and training programs for all affected employees.
(4) The creation and maintenance of an effective line of
communication between the compliance officer and all employees,
including a process (such as a hotline or other reporting system) to
receive complaints or questions that are addressed in a timely and
meaningful way, and the adoption of procedures to protect the anonymity
of complainants and to protect whistleblowers from retaliation.
(5) The clear definition of roles and responsibilities within the
institution's organization and ensuring the effective assignment of
oversight responsibilities.
(6) The use of audits and/or other risk evaluation techniques to
monitor compliance and identify problem areas.
(7) The enforcement of appropriate disciplinary action against
employees or contractors who have violated institutional policies,
procedures, and/or applicable Federal requirements for the use of
Federal research dollars, and
(8) The development of policies and procedures for the
investigation of identified instances of non-compliance or misconduct.
These should include directions regarding the prompt and proper
response to detected offenses, such as the initiation of appropriate
corrective action and preventive measures.

B. Written Policies and Procedures

In developing a compliance program, every institution should
develop and distribute written policies and procedures addressing
compliance with Federal award requirements. These policies and
procedures should be developed under the direction and supervision of
the compliance officer, the compliance committee, and relevant
institution officials. They should also be

[[Page 71317]]

reviewed at regular intervals to ensure that they are current and
relevant.
At a minimum, the policies and procedures should be provided to all
faculty members and other employees who are affected by them, to
students who may be conducting research with Federal awards, and to any
agents or contractors who may furnish services in connection with
Federal research awards. The policies and procedures should be easily
found and accessible, such as, for example, on the institution's
Internet or intranet site. Since institutions also typically maintain
policies and procedures governing other compliance issues, including
conflicts of interest, human subject research, and the maintenance and
reporting of research data, they may choose to compile these various
policies and procedures on a single Internet or intranet site.
In addition to a clear statement of detailed and substantive
policies and procedures, OIG recommends that institutions that receive
PHS research awards develop a general institutional statement of
ethical and compliance principles that will guide the institution's
operations. One common expression of this statement of principles is
the code of conduct. The code should function in the same fashion as a
constitution, i.e., as a document that details the fundamental
principles, values, and framework for action within an organization.
The code of conduct for research institutions should articulate the
institution's expectations of commitment to compliance by management,
employees, and agents, and should summarize the broad ethical and legal
principles under which the institutions must operate. Unlike the more
detailed policies and procedures, the code of conduct should be brief
and cover general principles applicable to all employees.
OIG strongly encourages the participation and involvement, as
appropriate, of senior management of the institution, such as the board
of regents and president, as well as other personnel from various
levels of the organizational structure, in the development of all
aspects of the compliance program, especially the code of conduct.
Management and employee involvement in this process communicates a
strong and explicit commitment by management to foster compliance with
applicable program requirements. It also communicates the need for all
employees to comply with the organization's code of conduct and
policies and procedures.

C. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer
Every research institution should designate a compliance officer
who will have day-to-day responsibility for overseeing and coordinating
the compliance program. For smaller institutions, the compliance
officer responsibilities might be added to other management
responsibilities, or, for very large institutions, there could be
several compliance officers who would have responsibility for different
major activities of the institution. However, designating a compliance
officer with the appropriate level of authority is critical to the
success of the program. Optimally, the officer should report directly
to the institution's president and should have direct access to the
board of regents or other governing body, senior administration
officials, and legal counsel. For very large institutions, if it is not
possible to report directly to the president, the officer should report
to the provost or official with similar high-level responsibility for
the oversight of research administration. The compliance officer should
have sufficient funding, resources, and staff to perform his or her
responsibilities fully.
The compliance officer's primary responsibilities should include:
Overseeing and monitoring implementation of the compliance
program;
Reporting on a regular basis to the board of regents,
president, and compliance committee (if applicable) on compliance
matters and assisting these individuals or groups to establish methods
to reduce the institution's vulnerability to fraud and abuse;
Periodically revising the compliance program, as
appropriate, to respond to changes in the institution's needs and
applicable program requirements, identified weakness in the compliance
program, or identified systemic patterns of noncompliance;
Developing, coordinating, and participating in a
multifaceted educational and training program that focuses on the
elements of the compliance program, and seeking to ensure that all
affected employees understand and comply with pertinent Federal and
State standards;
Developing policies and procedures;
Assisting the institution's internal or independent
auditors in coordinating compliance reviews and monitoring activities;
Reviewing and, where appropriate, acting in response to
reports of noncompliance received through the hotline (or other
established reporting mechanism) or otherwise brought to his or her
attention (e.g., as a result of an internal audit or by counsel who may
have been notified of a potential instance of noncompliance);
Independently investigating and acting on matters related
to compliance. To that end, the compliance officer should have the
flexibility to design and coordinate internal investigations (e.g.,
responding to reports of problems or suspected violations) and any
resulting corrective action (e.g., making necessary improvements to
policies and practices, and taking appropriate disciplinary action)
with particular departments or institution activities;
Participating with counsel in the appropriate reporting of
any self-discovered violations of Federal requirements; and
Continuing the momentum and, as appropriate, revising or
expanding the compliance program after the initial years of
implementation.\11\
---------------------------------------------------------------------------

\11\ There are many approaches the compliance officer may enlist
to maintain the vitality of the compliance program. Periodic on-site
visits of offices, bulletins with compliance updates and reminders,
distribution of audiotapes, videotapes, CD ROMs, or computer
notifications about different risk areas, lectures at campus
meetings, and circulation of recent articles or publications
discussing fraud and abuse are some examples of approaches the
compliance officer may employ.
---------------------------------------------------------------------------

The compliance officer must have the authority to review all
documents and other information relevant to compliance activities. This
review authority should enable the compliance officer to determine
whether the institution is in compliance with PHS or other Federal
program requirements. Where appropriate, the compliance officer should
seek the advice of competent legal counsel about these matters.
2. Compliance Committee
OIG recommends that a compliance committee be established to advise
the compliance officer and assist in the implementation of the
compliance program.\12\ If structured appropriately, the committee can
provide the compliance officer with contacts in various parts of the
institution and the names of individuals who possess subject matter
expertise. If the

[[Page 71318]]

institution employs individuals who already have responsibility for
compliance in various subject areas, for example biosafety or care and
use of animals, these individuals would be obvious candidates for the
compliance committee.
---------------------------------------------------------------------------

\12\ The compliance committee benefits from having the
perspectives of individuals with varying responsibilities and areas
of knowledge in the organization, such as operations, finance,
audit, human resources, and legal, as well as faculty members. The
compliance officer should be an integral member of the committee.
All committee members should have the requisite seniority and
comprehensive experience within their respective areas to recommend
and implement any necessary changes to policies and procedures.
---------------------------------------------------------------------------

When developing an appropriate team of people to serve as the
compliance committee, the institution should also consider including
individuals with a variety of skills and personality traits as team
members. The institution should expect its compliance committee members
and compliance officer to demonstrate integrity, good judgment,
assertiveness, and an approachable demeanor, while eliciting the
respect and trust of employees. These interpersonal skills are as
important as the professional experience of the compliance officer and
each member of the compliance committee. Examples of individuals that
the institution might consider as members of the compliance committee
include institutional ombudsman staff and alternative dispute
resolution staff.
Once an institution chooses the members of the compliance
committee, the institution needs to train these individuals on the
policies and procedures of the compliance program, as well as how to
discharge their duties. In essence, the compliance committee should
function as an extension of the compliance officer and provide the
organization with increased oversight.

D. Conducting Effective Training

The training of appropriate administrators, both at the institution
and department levels, faculty (including principal investigators),
other staff, and contractors on award administration and other program
requirements is an important element of an effective compliance
program. The focus of the training and its level of detail will depend
on the particular needs of the institution. In addition to training
sessions, the institution may also undertake other educational efforts,
such as disseminating publications that explain specific requirements
in a practical manner. In developing training programs, it may be
helpful to involve faculty, such as principal investigators, who will
be receiving the training. This will allow these individuals to offer
their insights, encourage more enthusiastic participation in the
training sessions, and promote buy-in with the compliance program.
An institution should provide general training sessions that cover
such issues as ethical standards and the institution's commitment to
compliance issues. All employees, and where feasible and appropriate
contractors, should receive the general training. General training
should include the contents of the institution's compliance program,
such as the role of the compliance officer and committee and the
availability of an anonymous complaint mechanism. It should include
both a description of the many types of compliance issues that
administrators, faculty and other employees may need to address in the
course of their careers, and the sources of guidance in resolving those
issues.
More specific training programs would be designed for more
specialized audiences. For example, administrative personnel who manage
award funding should receive detailed training on Federal cost
principles and grant administration regulations and policies. Employees
who are involved with clinical research should receive training on the
protection of human subjects, the Institutional Review Board process,
and the responsible conduct of research. Administration officers and
other key staff can assist in identifying additional specialized areas
for training. Areas of training may also be identified through internal
audits and monitoring and from a review of any past compliance
problems.
Training instructors may come from outside or inside the
organization, but must be qualified to present the subject matter
involved and sufficiently experienced in the issues presented to
adequately field questions and coordinate discussions among those being
trained. Ideally, training instructors should be available for follow-
up questions after the formal training session has been conducted.
General and specific training sessions should be provided both upon
initial employment with the institution as well as on some periodic
schedule, depending on the needs of the audience. Specialized training
should be provided on a more frequent basis, perhaps annually or more
frequently.
One technique to consider for training is to report actual examples
of compliance problems at the institution or at other institutions,
typically without any identifying information. This may serve to
educate staff on these issues the institution considers important, how
the compliance process works, and the actions that can be taken against
individuals for more serious problems.
An institution may wish to vary the manner of training, both for
general and specific training. In-person training sessions may be more
effective than other types of training and are usually important for
initial training sessions for new employees or when employees have
changed their job responsibilities. However, follow-up training may be
provided in other formats, such as through videotaped presentations or
web-based training in which participants certify that they have
completed the training curriculum. If videos or computer-based programs
are used for compliance training, OIG suggests that the institution
make a qualified individual available to field questions from trainees.
The compliance officer should maintain records of all formal
training undertaken by the institution as part of the compliance
program. This should include attendance logs, descriptions of the
training sessions, and copies of the material distributed at training
sessions. Depending on need, an institution may require that employees
receive a minimum number of educational hours per year, as appropriate,
as part of their employment responsibilities.
The institution needs to establish a mechanism to ensure that
employees receive the training they need. Training could be made a
condition of continued employment and failure to comply with training
requirements could result in disciplinary action. Adherence to the
training requirements as well as other provisions of the compliance
program should be a factor in the annual evaluation of each employee.

E. Developing Effective Lines of Communication

1. Access to Supervisors and/or the Compliance Officer
For a compliance program to work, employees must be able to ask
questions and report problems. University officials, department
chairpersons or other supervisors play a key role in responding to
employee concerns and it is appropriate that they serve as a first line
of communication. Research institutions should consider the adoption of
open-door policies to foster dialogue between management and employees.
To encourage communications, confidentiality and nonretaliation
policies should also be developed and distributed to all employees.
Open lines of communication between the compliance officer and
employees are equally important to the successful implementation of a
compliance program. In addition to serving as a contact point for
reporting problems and initiating appropriate responsive action, the
compliance officer should be viewed as someone to whom personnel can go
for clarification on the institution's policies.

[[Page 71319]]

2. Hotlines and Other Forms of Communication
OIG encourages the use of hotlines, e-mails, newsletters,
suggestion boxes, and other forms of information exchange to maintain
open lines of communication. In addition, an effective employee exit
interview program could be designed to solicit information from
departing employees regarding potential misconduct and suspected
violations of the institution's policies and procedures. Institution
officials may also identify areas of risk or concern through periodic
surveys.
If an institution establishes a hotline or other reporting
mechanism, information regarding how to access the reporting mechanism
should be made readily available to all employees and contractors by
including that information in the code of conduct or by circulating the
information (e.g., by publishing the hotline number or e-mail address
on wallet cards) or conspicuously posting the information in common
work areas.\13\ Employees should be permitted to report matters on an
anonymous basis.
---------------------------------------------------------------------------

\13\ Institutions might also choose to post in a prominent area
the HHS-OIG Hotline telephone number, 1-800-447-8477 (1-800-HHS-
TIPS).
---------------------------------------------------------------------------

For the reporting mechanism to maintain credibility, it is
important that the institution's review of the allegations be
meaningful and that prompt and appropriate followup be conducted.
Reported matters that suggest substantial violations of Federal program
requirements should be documented and investigated promptly to
determine their veracity and the scope and cause of any underlying
problem. The compliance officer should maintain a thorough record of
such complaints as well as any investigation, its results, and any
remedial or disciplinary action taken. The institution may wish to
provide such information, redacted of individual identifiers, to the
institution's senior management, such as the board of regents and the
president, and to the compliance committee.

F. Auditing and Monitoring

Auditing of an institution's operations and activities is a
critical internal control mechanism. Under the Single Audit Act of 1984
(Pub. L. 98-502), as amended, all institutions that expend $500,000 or
more in Federal assistance are required to have a single audit of the
``non-Federal entity,'' which must be conducted in accordance with
generally accepted Government auditing standards. (31 U.S.C. 7502, OMB
Circular A-133.) Major institutions typically also have an annual
financial statement audit, often conducted by the same firm that
conducts its single audit, for the purpose of expressing an opinion as
to the fairness of the information contained in the financial
statements for the institution.
In addition to the mandated single audit and the financial
statement audit, institutions should consider having additional
performance audits, focused on particular areas of activity. Internal
auditors may already be performing such audits, although an external
auditor may in some cases be able to provide a greater level of
independence in this work or should be considered when there is a
particular problem or risk area that needs attention. Whether audits of
compliance with Federal program requirements are performed by internal
or external auditors, they should follow generally accepted Government
auditing standards, published by the Government Accountability Office
as ``Government Auditing Standards,'' known as the ``Yellow Book.''
Institutions should consider conducting risk assessments to
determine where to devote audit resources, such as for separate
performance audits, and may wish to consider the risk areas we
identified above in section II. Risk assessments could be coordinated
by the compliance officer. The institution's disclosure statement under
OMB Circular A-21--if it is required to submit one--may already include
identification of risk areas. The A-133 audit itself may also identify
risk areas or the program agencies may identify risk areas based on
their review of the A-133 audit.
An effective compliance program should also incorporate thorough
monitoring of its implementation and an ongoing evaluation process. The
compliance officer should document this ongoing monitoring, including
reports of suspected noncompliance, and provide these assessments to
the institution's senior management and the compliance committee. The
extent and frequency of the compliance audits may differ depending on
variables such as the institution's available resources, prior history
of noncompliance, and the risk factors particular to the institution.
The nature of the reviews may also vary and could include a prospective
systemic review of the institution's processes, protocols, and
practices, or a retrospective review of actual practices in a
particular area.
Although many assessment techniques are available, it is often
effective to engage internal or external evaluators who have relevant
expertise to perform regular compliance reviews. The reviews should
focus on those divisions or departments of the institution that have
substantive involvement with or impact on Federal programs and on the
risk areas identified in this guidance. The reviews should also
evaluate the policies and procedures regarding other areas of concern
identified by OIG and Federal and State law enforcement agencies.
Specifically, the reviews should evaluate whether: (1) The institution
has policies covering the identified risk areas, (2) the policies were
implemented and communicated, and (3) the policies were followed.

G. Enforcing Standards Through Well-Publicized Disciplinary Guidelines

An effective compliance program should include clear and specific
disciplinary policies that set out the consequences of violating
Federal or State requirements, the institution's code of conduct, or
its policies and procedures. Any research institution should
consistently undertake appropriate disciplinary action across the
institution for the disciplinary policy to have the required deterrent
effect. Intentional and material noncompliance should not be tolerated
and should subject transgressors to significant sanctions. Such
sanctions could range from oral warnings to suspension, termination or
other sanctions, as appropriate. Disciplinary action also may be
appropriate when a responsible employee's failure to detect a violation
is attributable to his or her negligence or reckless conduct. Each
situation must be considered on a case-by-case basis, taking into
account all relevant factors, to determine the appropriate response.

H. Responding to Detected Problems and Developing Corrective Action
Initiatives

1. Violations and Investigations
Violation of an institution's compliance program, failure to comply
with applicable Federal or State law, and other types of misconduct
threaten the institution's reputation in the scientific and research
community. Consequently, upon receipt of reasonable indications of
suspected noncompliance, it is important that the compliance officer or
other officials immediately investigate the allegations to determine
whether a material violation of applicable law or the requirements of
the compliance program has occurred and, if so, take decisive

[[Page 71320]]

steps to correct the problem.\14\ The exact nature and level of
thoroughness of the investigation will vary according to the
circumstances, but the review should be detailed enough to identify the
cause of the problem. As appropriate, the investigation may include a
corrective action plan, an assessment of internal controls, a report
and repayment to the Government, and/or a referral to law enforcement
authorities or regulatory bodies.
---------------------------------------------------------------------------

\14\ Instances of noncompliance must be determined on a case-by-
case basis. The existence or amount of a monetary loss to PHS or
other Federal programs is not solely determinative of whether the
conduct should be investigated and reported to governmental
authorities. In fact, there may be instances where there is no
readily identifiable monetary loss, but corrective actions are still
necessary to protect the integrity of the program.
---------------------------------------------------------------------------

2. Reporting
Where the compliance officer, compliance committee, or member of
the institution's administration discovers credible evidence of
misconduct from any source and, after a reasonable inquiry, believes
that the conduct may violate criminal, civil, or administrative law,
the institution should promptly report the existence of misconduct to
the appropriate authorities within a reasonable period, but not more
than 60 days, after determining that there is credible evidence of a
violation. This includes the reporting of criminal or civil misconduct
to Federal and State authorities,\15\ or, for example, in the case of
research misconduct to the appropriate institutional body or to the
Department's Office of Research Integrity. Prompt voluntary reporting
will demonstrate the institution's good faith and willingness to work
with governmental authorities to correct and remedy the problem. In
addition, reporting such conduct may be considered a mitigating factor
by the responsible law enforcement or regulatory office, including OIG.
---------------------------------------------------------------------------

\15\ Appropriate Federal authorities include OIG, the Criminal
and Civil Divisions of the Department of Justice, the U.S. Attorney
in the institution's district, and the Federal Bureau of
Investigation. State authorities may include the appropriate
division of the State Attorney General's office or, if separate from
the Attorney General, the District Attorney or other criminal
prosecutive office.
---------------------------------------------------------------------------

When reporting to the Government, an institution should provide all
information relevant to the alleged violation of applicable Federal or
State law(s) and the potential financial or other impact of the alleged
violation. The compliance officer, under advice of counsel and with
guidance from the governmental authorities, could be requested to
continue to investigate the reported violation. Once the investigation
is completed, and especially if the investigation ultimately reveals
that criminal, civil or administrative violations have occurred, the
compliance officer should notify the appropriate authorities of the
outcome of the investigation.

I. Establishing Roles and Responsibilities and Assigning Oversight
Responsibility

It is especially important that roles and responsibilities
regarding the use of PHS research awards be clearly defined and
understood. Defining roles and responsibilities promotes accountability
and is essential to the overall internal control structure of the
institution.
Institutions should clearly delineate the responsibilities of all
persons involved with the conduct of federally supported research,
including both administration or department personnel with oversight
responsibility as well as principal investigators and other personnel
who are engaged in research.
Under PHS regulations, it is typically the institution itself that
qualifies as the ``responsible legal entity'' for grant compliance
purposes. (See 42 CFR 52.2 (definition of ``Grantee'').) Clearly
defining roles and responsibilities can assist institutions in
fulfilling their legal responsibility to comply with Department
requirements, removing any uncertainty as to the precise responsibility
of all individuals involved in the research enterprise. It can also
assist individuals in defending against allegations that they
recklessly disregarded award requirements.
Roles and responsibilities for each position should be clearly
communicated and accessible. Including roles and responsibilities in
the institution's written policies and procedures and in its formal
training and education program could accomplish this objective.

IV. Conclusion

The growth in Federal funding for scientific research over the past
decade has prompted a need for more effective compliance by recipient
institutions. Many institutions have recognized this need and have
developed formal compliance programs. We believe that all research
institutions would benefit from compliance programs that, if
effectively implemented, would foster a culture of compliance that
begins at the administration or management level and permeates
throughout the organization. The purpose of this voluntary guidance is
to offer a ``checklist'' of items that we believe is critical for
refining or developing an effective compliance program. While the
guidance focuses on award administration, adopting the principles and
standards in the guidance would benefit other activities that are
subject to Government regulation, including human subject research,
ethics, and the responsible conduct of science.

Dated: November 21, 2005.
Daniel R. Levinson,
Inspector General.

Appendix A

Association of American Medical Colleges, Protecting Subjects,
Preserving Trust, Promoting Progress: Policy and Guidelines for the
Oversight of Individual Financial Interests in Human Subjects
Research (December 2001).
Association of American Medical Colleges, Protecting Subjects,
Preserving Trust, Promoting Progress: Principles and Recommendations
for the Oversight of Individual Financial Interests in Human
Subjects Research II (October 2002).
Council on Governmental Relations, Managing Externally Funded
Research Programs: A Guide to Effective Management Practices (June
2005), available at http://www.cogr.edu/docs.

Grant, Geoffrey, et al., Creating Effective Research Compliance
Programs in Academic Institutions, 74 American Medicine 9 (September
1999).
Kenney, Jr., Robert J., ``Dual Compensation'' and ``Separate
Compensation'' Arrangements in the Wake of the Northwestern
University Settlement, 14 Research Management Review 1 (Spring
2004).
Murphy, Diane E., The Federal Sentencing Guidelines for
Organizations: A Decade of Promoting Compliance and Ethics, 87 Iowa
L. Rev. 697 (January 2002).
National Council of University Research Administrators (NCURA),
A Guide to Managing Federal Grants for Colleges and Universities,
available at http://www.ncura.edu/publications/aispub.htm.

National Institutes of Health, Office of Extramural Research,
Proactive Compliance Site Visits FY 2000-FY 2002: A Compendium of
Findings and Observations (2002).
Steinberg, Nisan A., Regulation of Scientific Misconduct in
Federally Funded Research, 10 S. Cal. Interdisc. L.J. 39 (Fall
2000).
Walsh, Barbara E., et al., The Compliance Umbrella, Business
Officer 18 (January 2000).
Walsh, Barbara E., et al., A Model Operating Process, Business
Officer 42 (March 2000).

[FR Doc. E5-6548 Filed 11-25-05; 8:45 am]

BILLING CODE 4152-01-P