Duke University Compliance Program
The Duke University Compliance Program provides oversight for compliance activities across the entire university. Three sections perform compliance review and advisory activities: Human Subject Research Compliance, HIPAA/Privacy, and Compliance Monitoring. The Chief Ethics and Compliance Officer (CCO) reports to the Audit, Risk and Compliance Committee of the Board of Trustees through the Chief Audit Executive and the President.
This overview memorandum provides a description of the significant components of the Duke University Compliance Program and how the program fulfills the federal standards for an effective compliance program (PDF).
The Duke University Compliance Program:
- Exercises oversight responsibility for compliance and ethics activities across Duke
- Provides oversight of compliance liaisons
- Ensures fulfillment of the federal standards for an effective compliance program
- Provides advice and guidance to senior leadership related to compliance risks
- Administers the Duke University Privacy Program
- Conducts proactive compliance reviews in the highest priority compliance risk areas
- Evaluates and responds to instances of noted noncompliance
Code of Conduct
Duke University’s Statement of Ethical Principles and Code of Conduct
This document serves as a statement of principles and responsibilities for the full Duke community. Members of the Duke University community include Duke University Health System trustees, senior officials, faculty, staff, students, student employees, student leaders and university-authorized volunteers acting on behalf of Duke.
School of Medicine and School of Nursing faculty and staff and DUHS personnel are also subject to the Duke Health code of conduct, Duke Integrity in Action. Both the Code of Conduct and Integrity in Action emphasize that the confidentiality of individuals reporting violations of laws, rules or policies will be maintained to the extent practicable, and that individuals reporting issues in good faith will be protected from retaliation.
The non-retaliation and non-retribution policies are contained in the Code of Conduct for the University and for Duke Health.
Risk and Compliance Steering Committee
The Risk and Compliance Steering Committee (RCSC) comprises the President (as Chair), the Chancellor of the Health System, the Provost, the Executive Vice President, the Dean of the School of Medicine, the General Counsel, a Dean appointed by the President (currently the Dean of the Engineering School) and the Executive Director of Audit, Risk and Compliance. This Committee receives reports from the Chief Ethics and Compliance Officer regarding significant compliance issues and provides advice and consultation on these issues, including levels of institutional risk acceptance and defined pathways for resolution.
Compliance Program Standards and Responsibilities
The U.S. Federal Sentencing Guidelines describe the elements considered when determining whether an organization has an effective compliance program: “an organization shall (1) exercise due diligence to prevent and detect criminal conduct, and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
Duke has ensured it meets all elements of federal guidance for an effective compliance program. The Compliance Program Standards and Responsibilities chart (PDF) defines the elements, governance, program oversight, risk ownership and audit roles and responsibilities.
Compliance Assurance Framework
OARC has developed a Compliance Assurance Framework using the Institute of Internal Auditors’ three lines of defense model to describe the roles of management, compliance, and audit in assuring compliance at Duke. Management, the first line of defense, is responsible for culture and process (controls, risk tolerance and monitoring). Compliance, the second line of defense, is responsible for ethics oversight, coordination of the compliance liaison program, administration of the Duke University privacy program, coordination of compliance advisory and facilitation services, and the conduct of centralized compliance reviews in the highest-priority compliance risk areas. Internal Audit, the third line of defense, is responsible for conducting horizontal audits of processes that support sponsored programs administration and compliance, and vertical audits of business units with suspected challenges. Audits focus on process efficiency and effectiveness as well as root cause analysis for confirmed issues.
Conflict of Interest Policies
Duke University policies require the disclosure, review, and, where necessary, management of relationships that could be considered or perceived as a conflict of interest.
The Financial COI Policy applies to the entire Duke community including all faculty and staff. The Institutional COI Policy relates to Duke's potential conflicts rather than those related only to an individual. Lastly, there are specific COI policies related to Duke University Trustees and Duke University Health System Directors.
The Compliance Program is involved in the conflict of interest (COI) governance process by:
- Participating in the COI-related committees, including SOM and Campus COI, Administrative COI, Institutional COI, and COI Advisory.
- Performing reviews of the COI process.
- Reviewing Trustee COI disclosures and developing conflict management plans.
- Advising on administrative and institutional COI issues and processes.
- Communicating COI matters to the Audit, Risk and Compliance Committee.
Below are the COI policies. Please contact the Duke University Compliance Program with questions relating to any of them:
- DU Trustees Conflict of Interest Policy (approved May 2013)
- DUHS Directors Conflict of Interest Policy (approved January 2010)
- Financial Conflict of Interest Policy (approved May 2011)
- FAQs - Information relating to gifts is included here. (February 2014)
- Institutional Conflict of Interest Policy (approved April 2014)
- Statement of Policy about Senior Administrators Serving On External For-Profit Boards (March 2012)
Key Risk Areas
- Animal Research Compliance
- Clinical Trials Billing
- Conflict of Interest
- Export Controls
- Foreign Corrupt Practices Act (FCPA)
- Gifts: Duke Health and University
- Health Insurance Portability and Accountability Act (HIPAA)
- Human Research Protection Program (HRPP)
- Human Subject Research Compliance
- IT Security (HIPAA, FISMA, NCIDTPA)
- Research Financial Compliance
- Title IX (Sexual Discrimination, Sexual Harassment, and Other Related Misconduct)
Statement Regarding 21 CFR Part 11
Duke University Health System Statement Regarding 21 CFR Part 11
Duke University Health System (DUHS) uses various electronic records systems for treatment, payment and operations. Based on analysis of these systems and an understanding of current regulations, DUHS believes these systems meet the HIPAA Security Standards and CMS requirements. These systems have not been certified under 21 CFR Part 11. DUHS continues to review regulatory requirements and best practices related to the use and security of electronic records systems. Policies and procedures will be revised and developed as requirements dictate.