The U.S. Department of Justice (DOJ) raised the bar for the use of artificial intelligence (AI) by businesses with the recent update to its Evaluation of Corporate Compliance Programs (ECCP). These new standards offer important clarifications for health care compliance programs, in particular, while emphasizing the critical need for robust AI governance frameworks and signaling that effective compliance must evolve alongside technological advancements.
This ECCP update provides companies with a blueprint for evaluating the risks associated with AI, establishing safeguards, and fostering a culture of both innovation and accountability. In this dynamic regulatory landscape, health care businesses that pay attention to these DOJ guidelines can ensure AI success while also mitigating risks.
Why This ECCP Update Is Important
Health care businesses are often at risk for criminal and civil liability. The ECCP guides federal prosecutors when deciding on criminal penalties for a company and its leaders. These standards also translate to the civil liability realm—both in enforcement and private lawsuits. Liability can be minimized if a health care company has a robust and effective compliance program in place. Lack of a strong compliance program, however, can contribute to a finding of negligent or reckless disregard for the law, increasing liability risk.
The DOJ’s ECCP offers guidance for prosecutors to assess the effectiveness of compliance programs. While no business can totally prevent all liability risks, aligning closely with the ECCP can work in a company’s favor when prosecutors are deciding on resolutions, fines, or compliance measures following criminal misconduct. The same principles apply in the civil context. The ECCP gets regular updates, and the most recent one, released in September, underscores the importance of creating and maintaining a strong AI governance framework. It also gives prosecutors criteria to determine whether a company’s AI governance program really works in practice.
The DOJ expects companies to implement governance programs that take the rapidly evolving nature of new technologies into consideration, specifically calling out the use of AI. The DOJ defines the term “AI” broadly, to encompass almost all machine learning. Given the nearly ubiquitous nature of AI in health care under the DOJ’s expansive definition, virtually every health care business is required to formalize policies and procedures governing its AI use.
ECCP Provides Specific Standards Required for AI Governance
The ECCP encourages prosecutors to look at how well a company identifies and responds to potential risks as they arise, with particular attention to challenges posed by new technologies. Companies are expected to evaluate whether new technologies are trustworthy and reliable before rolling them out and to continuously monitor whether their outputs remain legally compliant, accurate, and in sync with company policies. These are in essence the same goals as those of a governance program, which is simply a risk management or compliance program that begins at the board level.
The DOJ also emphasizes the importance of training employees on the use and risks of AI. Prosecutors will gauge whether that training makes sense given how the technology is used and the company’s specific circumstances, while evaluating the efficacy of the training in real-world situations.
The ECCP provides a list of questions that companies should ask internally to assess the success of any compliance program. The September 2024 update provides questions companies should be prepared to answer regarding new technologies like AI, including the following:
- How do we identify, analyze and address risks? Is this done in a proactive or reactive manner?
- How have we used the information collected in this process to evolve the compliance program? Are more resources being allocated to areas of higher risk? How are we learning from our own mistakes and from competitors?
- How do we assess the impact of new technologies, including AI, on our ability to comply with the law? Is the way we manage the risks of new technologies integrated with our broader enterprise risk management strategies? What is our governance strategy for managing these risks?
- How do we manage the risks of integration of new technologies, including AI, in light of both our commercial business and compliance program? Are we considering the risks of both intentional and inadvertent misuse of AI, including from company insiders?
- How did we assess the risks of new technologies prior to implementation? Has this assessment continued as these technologies are rolled out?
- Do all employees know the policies on new technologies? How do we disseminate these policies and train employees who will be utilizing new tech? What methods are we using to track access to these policies? How do we hold all users accountable for compliance with our policies and the law?
The ECCP emphasizes the importance of a proactive approach to compliance in light of the rapid pace of new technology adoption. It is also a sound business practice to explore new technologies and how they might impact operations and profitability. According to the DOJ, this analysis is required to include a thorough investigation into the possible compliance risks of adopting new technologies.
Access to Data and Reporting Policy Changes
A few additional noteworthy changes are included in the ECCP update. The DOJ, for instance, expects compliance and control personnel to have the tools they need to run effective programs, including data resources and access. To comply with the standards set forth in the ECCP, compliance personnel are required to have access to data that allows them to effectively monitor and test how the policies and controls put in place by the board and other officials are being implemented. If there are barriers to accessing this data, companies should have valid reasons for putting these barriers in place. The ECCP update also prompts companies to ensure they have adopted an anti-retaliation policy effective in fostering a culture in which employees feel safe and supported in speaking up about misconduct.
AI Governance Takeaways
In the rush to develop and adopt AI in health care, businesses may find it easier to be reactive and ad hoc rather than spend the time and resources necessary to institute an overall AI governance program. But that would be ill-advised. The complexity of trade-off decisions, the need for specialized knowledge, and the participation of multiple stakeholders require a coordinated and consistent approach to AI compliance and governance. Moreover, the ECCP mirrors existing and developing laws in requiring this overall compliance program for AI, and health care businesses that take a more strategic approach right now are more likely to be successful using AI to increase efficiency and effectiveness.
Our attorneys stand ready to answer questions or assist your business with designing and implementing an AI compliance framework to comply with ECCP standards and applicable laws and best practices. Please contact the authors of this article or any attorney with Frost Brown Todd’s Health Care Innovation team.