Sarah E. Gregory
With less than a week left in the semester, the Journal of Regulatory Compliance editors are hard at work studying for exams, gearing up for summer jobs, or eagerly awaiting graduation. However, before we shutter INSIDE COMPLIANCE for the summer session, I want to take this opportunity to look back over the past year, and how much our members have accomplished.
The Journal of Regulatory Compliance is a young law journal, even for Loyola University Chicago School of Law. It’s only been a few years since our first annual symposium, and the debut of the Center for Compliance Studies here at Loyola University Chicago School of Law. In many ways, this year was an experiment—we debuted a new Board structure, a new editorial process, a new blog format and a new time of year for our Symposia. Despite that uncertainty, the 30-plus members of the Journal of Regulatory Compliance have accomplished extraordinary things.
David R. Jackson is a compliance manager, and has been for over twenty years. As a consequence, he knows better than anyone the delicate balancing act being a compliance professional requires.
Compliance leadership within a business requires maintaining five different conversations concurrently: (1) with the business, (2) with senior management, (3) with other teams that support the business, (4) with the government agencies and industry groups that provide external oversight, and (5) with the compliance staff. The challenge is not carrying out any one conversation, but juggling all conversations at the same time, and constantly shifting gears between conversations with different audiences.
“What is the Role of a Regulation if it is Not Enforced?”
Friday, February 16
9 a.m.–4 p.m.
Philip H. Corboy Law Center
25 E. Pearson Street
Power Rogers & Smith Ceremonial Courtroom, 10th Floor
The symposium will explore questions of theory and practice related to an administrative state that has such a largesse of regulations (and quasi-regulations in the form of interpretative guidance) that administrative agencies cannot possibly audit or enforce all of their expectations for regulated actors. The size and decentralized control of the administrative state pose questions of legal theory on the role of regulations in society if the state has no intention or lacks resources for enforcing them, and practical questions for the regulated actors in how or when to comply with the regulations. But it also sets up a minefield for the regulated actor if enforcement agencies can play “gotcha” on technical strict liability rules which may be buried amid manuals or have been previously enforced. Although focusing on law, the symposium is intended to be multi-disciplinary and seeks to bring together scholars from law, ethics, political science, business, economics, and philosophy.
Last month Josh Rosen, a junior at UCLA who plays quarterback, was quoted by a national sports news website saying, “Football and school don’t go together.” Within hours UCLA’s coach and Stanford’s coach each tried to paint the young man as unenlightened.
Research shows that Rosen is more correct than the coaches admit, but that’s only part of the story. What’s news is that a twenty-year-old—not a university trustee or president, not a U.S. District Court judge or an antitrust lawyer—put his finger on a regulatory reality that higher education may not be able to ignore for much longer.
by William Devine, Guest Contributor
Apple has developed and distributed a curriculum that will teach students at 30 community colleges around the country to write code and create apps. What prompts this gift? A belief that we all bear responsibility for sustaining a functional economy. At a time when some corporate leaders and their legal teams focus on the perils of overregulation, the greatest regulatory risk an enterprise confronts may not be high compliance hurdles, but rather the possibility that regulators can’t keep the economy functioning well enough for the enterprise to do its most commercially inventive and societally valued work.
Though the rain has stopped falling, Houston is still dealing with the aftermath of Hurricane Harvey, one of the largest and most destructive rainfall events on record. Healthcare providers in particular find themselves struggling to keep up with the various health problems caused by the flooding itself, on top of getting life-sustaining care to individuals with chronic or preexisting conditions. Crises like Harvey create serious problems for the delivery of care, but also for regulating it—circumstances are so uniquely devastating that standards can feel like barriers to necessary medical attention. And when family and friends are desperate to know if their loved one is out of danger, even the right of privacy seems negligible.
However, natural disasters and emergency events shouldn’t be used as an excuse to regulate away protections individuals depend on, such as the privacy and confidentiality of their personal information. Regulators must be careful when determining how to respond in a crisis—overreaching for the sake of bringing relief or under-regulating for flexibility can leave the public high and dry when the floodwaters recede.
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT—and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, it is a matter of vital interest to regulatory lawmaking bodies as well.
Compliance programs rely heavily on internal investigations. Yet unlike their counterparts in the in-house counsel’s office, compliance professionals rarely give notice when they are conducting such investigations. Whether compliance professionals have a duty to notify individual directors, officers and employees of an internal investigation remains unclear. This lack of clarity leads to confusion with employees and officers regarding the limits of confidentiality, and the compliance officer’s duty of loyalty. A robust ethics and compliance program should therefore take a proactive stance and integrate Upjohn warnings—a standard of corporate counsel, but modified to fit the compliance function—into the internal investigation process.
ADAM C. SOLANDER is a Member of Epstein Becker Green’s Health Care and Life Sciences practice, in the firm’s D.C. office. Mr. Solander advises clients on data breach/cybersecurity issues across industry lines, including compliance with HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements.
The following is an interview with him discussing the unique cybersecurity challenges facing the healthcare sector, and how the industry can move past HIPAA compliance to a more robust definition of privacy and security.