By Jennifer Gallop
An effective non-retaliation/whistleblower policy is
essential for all organizations, but it's especially important
for health care providers and for nonprofit organizations in
light of industry-specific legal mandates and best practices.
An organization's whistleblower policy does not operate in
a vacuum. Ideally premised on the organization's code of
ethics and a strong investigation protocol, the policy should
function as a central piece of an employee handbook and
The code of ethics is the principal means of communicating
to staff the strong corporate culture of legal compliance and
ethical integrity as implemented by the whistleblower policy,
which encourages internal reporting. The investigation
protocol - by standardizing the procedures for handling all
types of complaints - demonstrates the organization's
commitment to responding proactively to all reported issues,
thus protecting against claims of retaliation and discouraging
The purpose of a whistleblower policy is to bring to light
potential legal and ethical issues affecting the organization
as a whole. It should not be co-mingled with an organization's
basic human resources mechanisms for internal reporting of
general grievances or personal complaints.
Types of suspected misconduct to be reported under a
whistleblower policy include financial improprieties; misuse
of corporate resources; violations of internal policies;
failure to comply with legal requirements; and breaches of
Examples are: questionable billing; accounting or auditing
practices; substantive failures in carrying out the mission of
the organization; and failure to comply with federal legal
requirements applicable to tax exempt organizations.
A whistleblower policy has three basic components:
An expectation that staff report internally and in good
faith suspected legal/ethical violations regarding the
organization's operational and substantive business practices;
A description of the process for confidential and
anonymous reporting (typically through a hotline); and
A guaranty of protection for the reporter against
victimization or retaliation, to encourage and enable the
reporting process. The code of ethics is a more free-form
document developed by the board of directors with input from
stakeholders and tailored to the mission of the organization.
An investigation protocol, in contrast to a whistleblower
policy, may cover investigation of all instances of actual or
potential non-compliance, whether identified through a
whistleblower report, the organization's regular monitoring
and auditing or compliance activities, patient complaints,
employee grievances or otherwise.
Care should be taken to harmonize all corporate policies
that may feed into the investigation protocol. The protocol at
a minimum should provide for prompt, thorough and discreet
investigations of known or potential legal violations,
requiring the organization to undertake all reasonable steps
to do so.
It should also call for employee cooperation and prohibit
investigations not directed by the compliance officer or
committee appointed to undertake the investigation.
An investigation protocol should lay out the full
investigation process, including: members of the investigation
team; evaluation of need to preserve the attorney-client
privilege; steps to prevent destruction of evidence;
identification of witnesses/interviewees; identification and
assembly of documentation; identification of issues and
applicable legal standards; evaluation of need for outside
experts (e.g. accountants, attorneys); method of presenting
findings and recommendations; and the creation of the final
investigation record and report including summary of actions
Laws calling for a whistleblower policy
Under Sarbanes-Oxley, criminal penalties apply to
nonprofits and for-profits alike for taking retaliatory action
against an employee who reports suspected illegal activity.
Having an effective whistleblower policy evidences intent to
comply with SOX.
With respect to nonprofits, the Panel on the Nonprofit
Sector issued a report to Congress in 2005 entitled
"Strengthening Transparency and Governance Accountability of
The Panel recommended policies and procedures to facilitate
reporting of suspected malfeasance and misconduct by managers.
In response, the IRS released its "Good Governance Practices
for 501(c)(3) Organizations" including a recommendation for a
Most recently, the IRS' new Form 990 (Return of
Organizations Exempt from Income Tax) for tax years commencing
2008 incorporates governance provisions, including disclosure
of whether an organization has a written whistleblower policy.
In addition, the IRS now provides whistleblowers with up to a
30 percent reward for reporting suspected tax code violations,
and recently has established a special Whistleblower Office to
handle such allegations.
Pursuant to the federal Deficit Reduction Act (DRA) as of
2007, organizations receiving at least $5 million in Medicaid
payments annually must educate their employees about the
whistleblower protections provided under the federal and state
false claims acts. The Massachusetts Office of Medicaid
implemented this mandate by incorporating the federal
requirements into MassHealth provider agreements via emergency
amendments to the agency's administrative and billing
regulations. The new regulations require providers to attest
annually as to DRA compliance.
In light of the DRA requirements, health care providers
must implement a false claims prevention policy, which
incorporates the whistleblower policy.
A false claims prevention policy should include the
State that employees have a responsibility both to comply
with the law and to report promptly within the organization a
good faith belief of any such violations;
Recite that state and federal laws provide both civil and
criminal penalties and administrative sanctions for making
false claims against the government, including significant
fines (plus multiple damages, expenses and fees), imprisonment
and exclusion from government programs;
Reference the investigation protocol; and
State that employees who lawfully report false claims are
protected from reprisals and discrimination in any manner by
both by federal and state law and the organization's
Also in 2007, the U.S. Department of Health and Human
Services Office of Inspector General (OIG) published guidance
for boards of directors of health care providers entitled:
Corporate Responsibility and Health Care Quality: A
Resource for Health Care Boards of Directors.
In educating board members on their fiduciary duties in the
oversight of health care quality, the OIG recommends that
directors be aware of the corporate policies and procedures
that promote the reporting of quality concerns. The OIG
emphasizes that a lack of transparency in response to concerns
about safety/qualify can contribute to a culture where
problems are not addressed and are likely to reoccur.
Personnel at all levels need to participate in improving
quality of care and the board is charged with verifying that
effective whistleblower mechanisms exist to encourage
constructive criticism and reporting of errors.
Massachusetts statutory protections
A 1999 Massachusetts statute addresses whistleblower
reports where there is a concern of "risk to public health"
due to a legal/ethical violation by the organization.
Massachusetts G.L. chapter 149, section 187, states that "a
health care facility shall not refuse to hire, terminate a
[contract]... or take any retaliatory action" against a health
care provider because s/he "discloses or threatens to disclose
[internally or externally], a policy or practice of the health
care facility or of another health care facility with whom
[there is] a business relationship, that the health care
provider reasonably believes is in violation of law ... or
violation of professional standards of practice which the
health care provider reasonably believes poses a risk to
This law includes a little known posting requirement, and
dovetails with the organization's whistleblower policy in two
ways. First, the posting notice must include the name and
telephone number of the organization's designee for receiving
complaints. Second, health care providers are instructed that
in order to receive the statutory non-retaliation protections,
they must first report through the internal whistleblower
procedures so that the health care facility has a reasonable
opportunity to make corrections.
What if your company doesn't have an effective
From a liability perspective, media, public interest groups
and private litigants are likely to compare an organization's
policies and practices with the applicable legal and best
practice standards, and challenge those organizations which
An effective whistleblower policy demonstrates some degree
of adequacy of internal controls or at least provides evidence
that safeguards exist. Conversely, the lack of such a basic
policy can suggest corporate mismanagement or at least a
general lack of interest in preventing and responding to
corporate abuses. A properly implemented whistleblower policy
can only reflect well on the organization.
From a risk management perspective, internal reporting
should produce more effective management and governance, and
ultimately provide better protection to the organization, its
directors and officers against future liability. If the
organization's culture promotes such reporting, problems can
be addressed before they escalate, can be handled proactively,
and external reporting and qui tam filings might be avoided.
Such a policy dissuades rather than encourages external
reports by encouraging proactive, internal reporting before
things deteriorate. A strong whistleblower policy should help
prevent claims from disgruntled employees.
The benefits of having a whistleblower policy, however, are
only realized to the extent the policy is implemented and
enforced properly. Organizations should ensure the policy is
disseminated, staff is trained, and the policy operates
effectively by documenting activities evidencing
implementation and auditing them on a periodic basis.
Ignoring any policy can be more damning to an organization
than not having one at all.
Jennifer Gallop is a partner at Krokidas and Bluestein
in Boston where she practices in the areas of health care,
non-profit, administrative and corporate law.
Reprinted with permission from New England
In-House, a bimonthly publication of Dolan Media.
© 2008 Dolan Media, All Rights