Investigations Protocol

Effective Date:
Owner (Business Unit): / Compliance Office

Purpose

To provide uniform, general requirements for The Company and its subsidiaries for initiating and conducting investigations of allegations, concerns or incidents involving potential non-compliance with law, company policy and business or legal requirements. This protocol provides direction and tools for determining investigative ownership and an overview of required tasks and notifications. It is not intended to be a comprehensive instruction about how to conduct investigations. Each investigative team will employ its own investigative procedures.

Compliance and Ethics uses information collected in the course of such investigations for reporting to the Corporate Compliance Committee and other senior management and to fulfill The Company’s reporting and notification obligations under the Corporate Integrity Agreement and, as required, to clients and others. The investigative procedures include tracking and reporting requirements so that these obligations can be met. Details are provided in the Investigative Procedures Grid in this document.

Adherence to the protocol will ensure:

  • Prompt designation of responsibility to follow up on each allegation, concern or incident and identification of deadlines
  • Consistent, efficient and timely investigative practices
  • Upward communication and awareness to senior management for tracking and reporting purposes
  • That all appropriate areas and resources are engaged in each investigation for complete and accurate results, avoiding unintentional omissions.

.

Scope

This protocol applies to The Company and its subsidiarieswithout regard to the source of the notification and includes, but may not be limited to, the following investigative owners:

  • Compliance and Ethics and Privacy
  • Legal – Regulatory
  • Legal - Employment
  • Human Resources
  • Safety, Health and Environmental
  • General Counsel – Employment and Regulatory
  • Medicare – Employment and Regulatory
  • Vendors
  • Media/Public Affairs

Note: In certain instances, an investigation relating to any subject may be conducted under the direction of a lawyer or outside counsel.

Contents:

Terms and Definitions

General Rules of Engagement

  • Intake and Awareness
  • Triage: Investigative owner and team responsibilities
  • Investigative Activity
  • Notifications
  • Corrective Action

Resources and tools for investigation

  • Investigative Procedures Grid
  • Investigative Resources Chart
  • Investigative Protocols flow chart illustration

General Rules of Engagement

Intake and Awareness

Events may be reported by a variety of areas and channels which include but may not be limited to:

Investigations Protocol

  • Compliance and Ethics line
  • Privacy hot line
  • Medicare FWA Hotline
  • Ethics Office
  • Medicare Part D Compliance
  • Privacy Office
  • Privacy Services Unit
  • Global Security
  • Boards of Pharmacy
  • Other regulators
  • Human Resources
  • Management
  • Office of the President
  • Management Committee
  • Audit Reports
  • Non-pharmacy regulatory bodies (OSHA, EPA)

Investigations Protocol

  1. Upon receipt of an allegation, concern or incident, refer to the procedural grid below to determine the appropriate Investigative Owner and additional groups to be engaged for the subject matter or allegation in question.

Limit communication to a “need-to-know” basis.

Notify all additional Compliance Offices relevant to each investigation.

  1. Engage the investigative owner and team members.
  1. If case ownership cannot be readily determined, consult with the Corporate Compliance Officer.
  1. If the reported issue involves a member or department for which you are responsible, refer the issue to one of the following people who is not responsible for that person or area:
  • Senior Vice President Corporate Compliance Officer
  • Senior Vice President of Human Resources
  • Senior Vice President General Counsel

Triage: Investigative owner and team responsibilities

  1. Open an incident file and begin tracking.

The following groups maintain tracking in The Company Compliance Link inCase Management system.

Investigations Protocol

  • Privacy
  • Ethics Office
  • Global Security
  • Medicare Part D

Investigations Protocol

If you are tracking in another system, please ensure that all required reporting is made available to the Compliance and Ethics office for inclusion in the Case Management system.

  1. Consult with the Corporate Compliance Officer to determine whether the issue is a reportable event under the Corporate Integrity Agreement (CIA).
  1. Assess the merit and significance of the incident.

If an incident involving alleged employee misconduct is deemed by the investigative owner to have no merit, notify the investigative team of the determination.

If an incident involving alleged employee misconduct is deemed to have merit and warrants investigation, promptly engage the designated team to consult on the processes for investigation, remediation and follow-up.

Note: Each investigative team will utilize or develop its own protocols for investigation and/or customize procedures, select participants and assign tasks internally or externally as appropriate for each case as needed

Investigative Activity

  1. Identify and implement an appropriate action plan for investigation.
  1. Engage the appropriate subject matter experts and assign tasks as needed. Appropriate team composition is essential.

Note: Team composition and reporting requirements may vary depending on whether the allegation involves employee misconduct or external actors.

  1. Reassess merit and significance as research continues.
  1. Update the incident file with status, outcome, resolution and response to the Reporter.

Notifications

  1. At any point during the investigation that an issue is identified as a possible reportable event under the Corporate Integrity Agreement (CIA), consult with the Corporate Compliance Officer to confirm.
  1. Notify all the areas specified in the procedural grid.
  1. Engage the Human Resources (HR) team that is designated to handle events involving external actor(s) as indicated in the procedural grid.
  1. Ensure completion of all other appropriate upward reporting to management or the Compliance Office that is required in the ordinary course of business.

Corrective Action

An allegation, concern or incident that is substantiated should have a corrective action.

  1. The investigative owner will advise the Business Owner of the findings of the investigation.
  1. Determine a remediation plan in conjunction with the Business Owner to include priorities and dates of completion.
  1. The investigative owner will report all details and results to the Compliance Office.

The Compliance Office, in turn, will report to the Corporate Compliance Committee and Audit Committee based on standards established and endorsed by the Audit Committee.

Unless the purpose of the investigation is to give legal advice to senior management, all team members are responsible for informing their own management teams of all allegations, concerns or incidents as well as the progress of the investigation and remedial activity.

Resources & Tools for Investigation

INVESTIGATIVE PROCEDURES GRID (Page 1 of 2)
Owner / Allegation / Investigative Teams / Notifications
Compliance and Ethics and Privacy / Accusation of Company Misconduct
  • Internal/Whistle-blower
  • External accusation
  • AG/DOJ Non-compliance
/
  • Legal – litigation
  • Legal –employment if whistleblower
  • Legal–regulatory – if relevant
  • HR
/
  • CCC
  • Audit - if required by High / Moderate standard
  • SVP responsible for area
  • Possibly Public Affairs
  • Compliance –activity & results

Corporate Policy Breach
  • Code of Conduct
  • Insider Trading
  • Conflict of Interest
  • Gifts & Entertainment
  • Charitable Contributions
/
  • Legal – Employment
  • HR VP responsible for Area
  • Area owning policy
/
  • CCC
  • Audit - if required by High / Moderate standard
  • Compliance –activity & results

Data Breach /
  • Legal – Employment
  • HR
  • VP responsible for Area
  • Global Security
/
  • Global Security
  • Business area VP
  • Compliance –activity & results

Legal – Regulatory / Regulatory Breach
  • Regulatory Policy
  • Regulations (Tech Ratio; R.Ph. role)
  • Client guarantee
/
  • Legal – Employment
  • VP responsible for Area
  • Professional Practices
/
  • CCC
  • Audit (if required by High / Moderate standard)
  • Compliance –activity & results

Human Resources / Employment Practices
  • Harassment
  • Discrimination
  • Other Employee misconduct
/
  • Legal – Employment
  • Legal - Regulatory (as relevant)
  • HR
  • VP responsible for Area
/
  • Compliance –activity & results

Safety,
Health & Environmental
(SH&E) / Safety, Health & Environmental
  • Federal, State
  • Local OSHA
  • EPA issues
/
  • Legal – Employment
  • HR VP responsible for Area
  • DPP
/
  • Compliance –activity & results
  • DPP

INVESTIGATIVE PROCEDURES GRID (Page 2 of 2)
Owner / Event / Investigative Teams / Notifications
GLOBAL
SECURITY / Worksite Violence /
  • Legal – Employment
  • HR
  • VP responsible for area
  • Security representative
/
  • Compliance –activity & results Local law enforcement

Theft
Drugs, including diversion *
Corporate assets
Personal Property /
  • Legal-Employment
  • Legal-Regulatory if relevant
  • HR
  • VP responsible for area
  • Legal, if drugs
  • DEA
  • Local law enforcement
/
  • Compliance –activity & results Audit – if $100k plus
  • Public Affairs as needed
  • Account Mgt as needed
  • Local law enforcement
  • State boards

Fraud
Credit Card
Drug Utilization / :
  • Legal – Employment
  • HR
  • VP responsible for Area
  • Treasury – Hosp (for credit)
  • Audit – if $100k +
/ :
  • Compliance –activity & results Audit – if over $100K
  • Public Affairs, as needed
  • Account Mgt, as needed
  • Law enforcement authorities
  • Physician, other as appropriate
  • Plan

Physical Security Breach /
  • Legal – Employment
  • HR
  • VP responsible for Area
  • Compliance –Privacy
  • Compliance-Privacy
/
  • Compliance –activity & results Law enforcement authorities

System Security Breach /
  • Legal – Employment
  • HR
  • VP responsible for Area
  • Privacy Office (Privacy)
  • Compliance – Privacy
/
  • Compliance –activity & results
  • ????????? ?

* Note: In certain instances, an investigation relating to any subject may be conducted under the direction of a lawyer or outside counsel.

Investigative Resources Chart

The Investigative Resources chart below is intended to assist in identifying appropriate information resources and areas that may be able to assist in the investigative process. Example: If eSD access records are needed, you may submit a request for specific data on the ODS website. (Please inform the Compliance Office of any changes in your areas so that the guide can be updated.)

[NOTE: CHART WAS DELETED TO PROTECT COMPANY INFORMATION]