Duke Alert Bar


Duke University Compliance Program

David Falcone
David J. Falcone
Director of Privacy, Ethics and Compliance
University Compliance Officer


University Compliance Mission Statement:  University Compliance promotes the achievement of Duke's strategic, financial, and operational goals while adhering to Duke's values and standards. Our ethics, privacy, and compliance program expertise provides risk-based decision guidance and pragmatic solutions to navigate complex compliance and regulatory issues.

An ineffective compliance program can burden people with unnecessary processes, produce decision paralysis and ultimately fail to adequately protect our institution.  Duke’s compliance program is operationally efficient, produces assurance from which quality risk-based decisions are made and assists our stakeholders in achieving Duke’s institutional compliance objectives.

Our stakeholders may not understand all the compliance risks to their organizations or buy in to the purpose behind what they are being asked to do in the name of compliance.  Our department can help Duke community members navigate increasingly complex risk and regulatory environments while still enabling productive work.  Our team builds trust through being knowledgeable and sympathetic to individual and departmental objectives, being pragmatic and solutions-oriented, and recognizing our stakeholders’ intentions align to institutional welfare.

I invite you to explore this page and our privacy page to learn more about our team and the services we provide.  Please reach out to us by phone, email or through our hotlines if you have questions, need guidance or wish to report instances of noncompliant or unethical behavior.

Compliance Program Accountability

Duke University maintains a decentralized organization structure for compliance across the institution. The president designates the executive vice president (EVP) as the compliance risk owner and the chief audit, risk and compliance officer as the compliance assurance owner. The EVP delegates particular institutional responsibilities to area-specific compliance officers and they are directly responsible to the respective operational area senior leaders.

The Office of Audit, Risk and Compliance (OARC) compliance division provides guidance and monitoring, and performs evaluations to assess the decentralized programs’ design and effectiveness in mitigating associated compliance risks within institutional risk tolerance. Four compliance areas under OARC provide this assurance: Research Compliance Assurance (RCA), Privacy, Ethics and Compliance Program (ECP), and Sponsored Programs Assurance (SPA). Assurance obtained in the course of these activities is reported to the Audit, Risk and Compliance Committee, a subset of the Duke University Board of Trustees.

Duke University Compliance Program Accountability and Assurance: See Policy (approved and issued by the university president on March 20, 2017)

Program Overview

Our ECP performs proactive assessments of decentralized compliance programs to help ensure alignment with standards (e.g., U.S. Federal Sentencing Guidelines). This area also administers our institutional conflict of interest (ICOI) program and maintains the Duke University Compliance and Fraud Hotline. Our Privacy program not only provides guidance, analyses, and training on matters involving sensitive information, but also conducts proactive risk-based reviews to help ensure information is adequately protected. Our RCA and SPA teams provide guidance and evaluation on human subject safety, research integrity and compliance with sponsored programs administration requirements, respectively. In the aggregate, these risk-based programs are designed to provide assurance over the following institutional compliance risks.

Compliance Assurance Framework













Research excellence, responsibility and integrity. Research programs are inherently complex and dependent on culture and processes that support scientific, administrative and cost quality and accuracy. Additionally, clinical trials present unique risks related to human subject protection. Proactive and thoughtful evaluation of potential issues, timely response and resolution to known issues, and ability to balance the regulatory burden are important aspects of risk management strategies.

Sexual harassment or misconduct. It is important to foster an environment where all campus community members are safe, secure and free from sexual harassment or misconduct. This priority includes risk management processes required by Title IX and Campus SaVE regulations.

Safeguard sensitive information. Duke collects, stores and uses a wide range of information considered sensitive or protected under contractual obligations, federal and state regulations, and institutional policies. High-risk areas include: Health Insurance Portability and Accountability Act (HIPAA), North Carolina Identity Theft Protection Act, Payment Card Industry Data Security Standards, Family Educational Rights and Privacy Act (FERPA), and the National Institute of Standards and Technology.

Research and sponsored program administration, oversight and reporting. This priority statement focuses on sponsored research program costs, billing and other federal regulations. The landscape for both federal and state regulations is complex and dynamic. It is important to interpret and apply the regulations from an institutional perspective while balancing the administrative burden and impact at the local level. Demonstration of the institution’s fiduciary responsibility is key for nonfederal awards and gifts. To support organizational culture, principled decision-making and research integrity, Duke evaluates and manages disclosed financial and/or institutional conflicts of interest.

Institutional control and subject matter expertise for athletics compliance requirements. Institutional control is the foundation for National Collegiate Athletic Association (NCAA) compliance. NCAA revised its governance structure several years ago, granting rule-making authority to the major conferences. The Duke Athletics Compliance Office continually evaluates high-risk NCAA requirements and modifies its monitoring and educational efforts accordingly.

Critical accreditation status. Accreditation is vital to support institutional research, program quality and academic delivery. Loss of accreditation or significant instances of noncompliance could lead to the suspension or shutdown of a regulated facility and/or research program. In addition to academic accreditation through the Southern Association of Colleges and Schools (SACS) and professional school accrediting bodies, examples include accreditation for human subject research (Association for the Accreditation of Human Research Protection Programs, Inc., or AAHRPP), animal research (Association for Assessment and Accreditation of Laboratory Animal Care International, or AAALAC), use of radioactive materials (Nuclear Regulatory Commission, or NRC), select agents (Centers for Disease Control and Prevention, or CDC), and overall facility/lab safety (Occupational Safety and Health Administration, or OSHA) and Environmental Protection Agency, or EPA).

Oversight of regulations and reporting requirements for continuing federal funding eligibility. This incorporates various compliance areas, other than sponsored research, associated with federal funding, such as: Higher Education Opportunity Act, federal financial aid and the Annual Security Report required by the Jeanne Clery Disclosure of Campus Security Policy and Crime Statistics Act (Clery Act).

High-risk transactions under domestic or international laws. The institution operates in a global environment requiring adherence to widely varied – and sometimes contradictory – regulatory requirements. Examples of activities include export controls, anti-corruption, and not contracting with debarred or suspended individuals or organizations for federally funded activities. In addition, Duke’s activities are subject to international laws for corporate presence, employment, sponsored research, data privacy and security, and financial activities.

Code of Conduct

The Duke University Statement of Ethical Principles and Code of Conduct 

This document serves as a statement of principles and responsibilities for the full Duke community, whose members include Duke University Health System (DUHS) directors, trustees, senior officials, faculty, staff, students, student employees, student leaders and university-authorized volunteers acting on behalf of Duke. School of Medicine and School of Nursing faculty and staff and DUHS personnel are also subject to the Duke Health code of conduct, called Integrity in Action.

Both the Duke Code of Conduct and the DUHS Integrity in Action emphasize that confidentiality of individuals reporting violations of laws, rules or policies will be maintained to the extent practicable, and individuals reporting issues in good faith will be protected from retaliation. The Compliance Reporting (Non-Retaliation/Non-Retribution) policy mentioned in the Duke Health Integrity in Action is found on the DUHS policy site: egrc.duhs.duke.edu.  

Reporting Your Concerns

Duke University Compliance maintains both the Duke University Compliance and Fraud Hotline and the HIPAA Privacy Line. Duke University Compliance encourages you to use these hotlines to report any concerns (e.g., research integrity and exposure of sensitive information) or to ask for guidance to help preserve Duke’s reputation as an ethical institution. Also included on our site are the Duke Health Integrity Line and the Animal Welfare Hotline. If you are unsure which line to use, choose one and the attendant will direct your concern to the appropriate area.

Conflict of Interest (COI) Policies

Duke University policies require the disclosure, review and, where necessary, management of relationships that could be considered or perceived as conflict of interests. For more information, please see the COI policies section.

Office of Export Controls

The Duke University Compliance Program works with the Office of Export Controls to provide assistance with activities in embargoed/sanctioned countries. Travel and/or financial transactions may be restricted in these countries. Please contact the Office of Export Controls before engaging in any activities involving these countries.