An effective non-retaliation/whistleblower policy is essential for all organizations, but it’s especially important for health care providers and for nonprofit organizations in light of industry-specific legal mandates and best practices.
An organization’s whistleblower policy does not operate in a vacuum. Ideally premised on the organization’s code of ethics and a strong investigation protocol, the policy should function as a central piece of an employee handbook and compliance program.
The code of ethics is the principal means of communicating to staff the strong corporate culture of legal compliance and ethical integrity as implemented by the whistleblower policy, which encourages internal reporting. The investigation protocol – by standardizing the procedures for handling all types of complaints – demonstrates the organization’s commitment to responding proactively to all reported issues, thus protecting against claims of retaliation and discouraging external reporting.
The purpose of a whistleblower policy is to bring to light potential legal and ethical issues affecting the organization as a whole. It should not be co-mingled with an organization’s basic human resources mechanisms for internal reporting of general grievances or personal complaints.
Types of suspected misconduct to be reported under a whistleblower policy include financial improprieties; misuse of corporate resources; violations of internal policies; failure to comply with legal requirements; and breaches of ethical obligations.
Examples are: questionable billing; accounting or auditing practices; substantive failures in carrying out the mission of the organization; and failure to comply with federal legal requirements applicable to tax exempt organizations.
A whistleblower policy has three basic components:

An expectation that staff report internally and in good faith suspected legal/ethical violations regarding the organization’s operational and substantive business practices;

A description of the process for confidential and anonymous reporting (typically through a hotline); and

A guaranty of protection for the reporter against victimization or retaliation, to encourage and enable the reporting process. The code of ethics is a more free-form document developed by the board of directors with input from stakeholders and tailored to the mission of the organization.

Investigation protocol

An investigation protocol, in contrast to a whistleblower policy, may cover investigation of all instances of actual or potential non-compliance, whether identified through a whistleblower report, the organization’s regular monitoring and auditing or compliance activities, patient complaints, employee grievances or otherwise.
Care should be taken to harmonize all corporate policies that may feed into the investigation protocol. The protocol at a minimum should provide for prompt, thorough and discreet investigations of known or potential legal violations, requiring the organization to undertake all reasonable steps to do so.
It should also call for employee cooperation and prohibit investigations not directed by the compliance officer or committee appointed to undertake the investigation.
An investigation protocol should lay out the full investigation process, including: members of the investigation team; evaluation of need to preserve the attorney-client privilege; steps to prevent destruction of evidence; identification of witnesses/interviewees; identification and assembly of documentation; identification of issues and applicable legal standards; evaluation of need for outside experts (e.g. accountants, attorneys); method of presenting findings and recommendations; and the creation of the final investigation record and report including summary of actions taken.

Laws calling for a whistleblower policy

Under Sarbanes-Oxley, criminal penalties apply to nonprofits and for-profits alike for taking retaliatory action against an employee who reports suspected illegal activity. Having an effective whistleblower policy evidences intent to comply with SOX.
With respect to nonprofits, the Panel on the Nonprofit Sector issued a report to Congress in 2005 entitled “Strengthening Transparency and Governance Accountability of Charitable Organizations.”
The Panel recommended policies and procedures to facilitate reporting of suspected malfeasance and misconduct by managers. In response, the IRS released its “Good Governance Practices for 501(c)(3) Organizations” including a recommendation for a whistleblower policy.
Most recently, the IRS’ new Form 990 (Return of Organizations Exempt from Income Tax) for tax years commencing 2008 incorporates governance provisions, including disclosure of whether an organization has a written whistleblower policy. In addition, the IRS now provides whistleblowers with up to a 30 percent reward for reporting suspected tax code violations, and recently has established a special Whistleblower Office to handle such allegations.
Pursuant to the federal Deficit Reduction Act (DRA) as of 2007, organizations receiving at least $5 million in Medicaid payments annually must educate their employees about the whistleblower protections provided under the federal and state false claims acts. The Massachusetts Office of Medicaid implemented this mandate by incorporating the federal requirements into MassHealth provider agreements via emergency amendments to the agency’s administrative and billing regulations. The new regulations require providers to attest annually as to DRA compliance.
In light of the DRA requirements, health care providers must implement a false claims prevention policy, which incorporates the whistleblower policy.
A false claims prevention policy should include the following components:

State that employees have a responsibility both to comply with the law and to report promptly within the organization a good faith belief of any such violations;

Recite that state and federal laws provide both civil and criminal penalties and administrative sanctions for making false claims against the government, including significant fines (plus multiple damages, expenses and fees), imprisonment and exclusion from government programs;

Reference the investigation protocol; and

State that employees who lawfully report false claims are protected from reprisals and discrimination in any manner by both by federal and state law and the organization’s whistleblower policy.

OIG guidance

Also in 2007, the U.S. Department of Health and Human Services Office of Inspector General (OIG) published guidance for boards of directors of health care providers entitled: Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors.
In educating board members on their fiduciary duties in the oversight of health care quality, the OIG recommends that directors be aware of the corporate policies and procedures that promote the reporting of quality concerns. The OIG emphasizes that a lack of transparency in response to concerns about safety/qualify can contribute to a culture where problems are not addressed and are likely to reoccur.
Personnel at all levels need to participate in improving quality of care and the board is charged with verifying that effective whistleblower mechanisms exist to encourage constructive criticism and reporting of errors.

Massachusetts statutory protections

A 1999 Massachusetts statute addresses whistleblower reports where there is a concern of “risk to public health” due to a legal/ethical violation by the organization.
Massachusetts G.L. chapter 149, section 187, states that “a health care facility shall not refuse to hire, terminate a [contract]… or take any retaliatory action” against a health care provider because s/he “discloses or threatens to disclose [internally or externally], a policy or practice of the health care facility or of another health care facility with whom [there is] a business relationship, that the health care provider reasonably believes is in violation of law … or violation of professional standards of practice which the health care provider reasonably believes poses a risk to public health.”
This law includes a little known posting requirement, and dovetails with the organization’s whistleblower policy in two ways. First, the posting notice must include the name and telephone number of the organization’s designee for receiving complaints. Second, health care providers are instructed that in order to receive the statutory non-retaliation protections, they must first report through the internal whistleblower procedures so that the health care facility has a reasonable opportunity to make corrections.

What if your company doesn’t have an effective whistleblower policy?

From a liability perspective, media, public interest groups and private litigants are likely to compare an organization’s policies and practices with the applicable legal and best practice standards, and challenge those organizations which fall short.
An effective whistleblower policy demonstrates some degree of adequacy of internal controls or at least provides evidence that safeguards exist. Conversely, the lack of such a basic policy can suggest corporate mismanagement or at least a general lack of interest in preventing and responding to corporate abuses. A properly implemented whistleblower policy can only reflect well on the organization.
From a risk management perspective, internal reporting should produce more effective management and governance, and ultimately provide better protection to the organization, its directors and officers against future liability. If the organization’s culture promotes such reporting, problems can be addressed before they escalate, can be handled proactively, and external reporting and qui tam filings might be avoided.
Such a policy dissuades rather than encourages external reports by encouraging proactive, internal reporting before things deteriorate. A strong whistleblower policy should help prevent claims from disgruntled employees.
The benefits of having a whistleblower policy, however, are only realized to the extent the policy is implemented and enforced properly. Organizations should ensure the policy is disseminated, staff is trained, and the policy operates effectively by documenting activities evidencing implementation and auditing them on a periodic basis.
Ignoring any policy can be more damning to an organization than not having one at all.

Jennifer Gallop is a partner at Krokidas & Bluestein in Boston where she practices in the areas of health care, non-profit, administrative and corporate law.