More Compliance Lessons From HHS Dept.
Rarely do we need a follow-up post about scandal in the government world, with even more lessons for compliance officers—but hats off to the Department of Health and Human Services, which nailed it with a recent, ill-advised foray into compliance training.
Just last week we had our first post, about the misconduct of now-former HHS Secretary Tom Price. He was sacked on Sept. 29 for flitting around the country on private charter flights, racking up more than $1 million in costs at taxpayer expense. The lesson there: if you hire ethical employees who obey policy in the first place, you can avoid onerous controls to enforce policy later.
Now comes news of ham-handed compliance training at HHS about leaking information—which was rushed to employees within hours of news first breaking that Price was flying the luxe life on the taxpayer dime.
First, remember that Politico.com broke the Price story on Sept. 21, citing “people with knowledge of his travel plans and a review of HHS documents.” That phrasing typically means that someone within the department leaked the information to the press. The article was posted at 5:58 p.m. ET.
Exactly 17 minutes later, a top HHS official sent an email to all department employees requiring them to take a one-hour training on “the unauthorized disclosure of controlled information” within 24 hours. Direct from the email:
“When personnel within our organization participates in the unauthorized disclosure of controlled information, it shakes the confidence of the American people in the federal government… We need to be unified in our commitment to safeguarding federal information and data.”
And how do we know that an email warning about leaks went to all HHS employees within minutes of an unflattering article based upon leaks? Because, of course, someone leaked it—to the International Business Times, which published its own unflattering article about this mess on Oct. 4.
Good Compliance Training, Wasted
The email includes a link to a 31-minute training video that had been uploaded to YouTube on Sept. 20, the day before the Price scandal broke. The video opens with a welcome from John Bardis, HHS assistant secretary for administration. Bardis talks about the damage that can come from unauthorized disclosure of information, and recites verbatim the message above from the email sent to employees.
The video itself is solid: reasonably high production quality, and detailed in how employees should treat sensitive information. It includes a skit of fictional HHS employees, who learn that an overseas terror attack might be due to a colleague who leaked sensitive data. Then comes a refresher in how HHS employees should handle various types of government data: classified, unclassified, and controlled, unclassified information (CUI).
In other words, on almost any other week, this would have been a fine compliance training video to distribute to employees. Leaks of sensitive information are a pressing concern for government agencies. Look at the National Security Agency; it recently discovered that a contract employee took home classified data, which Russian agents stole when the contractor placed the data on his home PC. That perfectly demonstrates why government agencies should train employees on this issue.
Alas, all that legitimacy was squandered because the timing of the training message is so suspicious. It looks like a slapdash effort to save Price from even worse news coverage. Any employee at HHS would be able to reach that conclusion. Apparently more than a few did, because they leaked all these hurried demands for training to the media.
Who knows? Maybe the department really had planned to send a training alert about leaks to all employees on Sept. 20. But the timing suggests Bardis sent the alert only to help cover the boss’s behind, and the mere appearance of a possible ulterior motive negates the benefit that training might otherwise have delivered. Context matters.
The Future of Whistleblowing Via Leak
This secondary spectacle of L’Affaire de Price raises, again, crucial questions about whistleblowing. At what point should employees divulge sensitive information in the name of exposing misconduct? When is information too sensitive to disclose? When is misconduct so egregious that normal standards of confidentiality fall by the wayside?
Maybe I’m crazy, but something tells me this won’t be the last time we have questions about misconduct in the Trump Administration. So we have plenty of grey area that needs more illumination from (ugh) Congress.
Under the Whistleblower Protection Enhancement Act, for example, government employees are protected for raising the alarm about “mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.” Price squandering more than $1 million of public funds on charter flights, when numerous cheaper commercial flights were readily available, seems to fit that description.
As it happens, just this week Democrats in Congress sought to clarify that point of law, with legislation that would protect whistleblowers who report pricey travel. Republicans voted down that idea.
Are a Cabinet secretary’s travel plans confidential? What if the official in question is a national security officer like the Secretary of Defense? What about someone disclosing the costs of SecDef’s travel, but not the specific itinerary?
My question isn’t what the law prescribes; it’s what is right in these situations. Because by definition, whistleblowers believe something is wrong, and it needs attention even if the law technically allows some other argument. Offenses to a person’s moral sensibilities—like, say, racking up luxury travel costs and hiding behind security claims to keep those expenses secret—tend to have that effect on whistleblowers. Compliance officers need to respect that fact of life.
The proper solution, as mentioned in my first post about Price, is for senior executives to set a strong ethical tone from the start. That tends to reduce questions about disclosure, whistleblowers, and misconduct further down the road.
Little surprise, then, that David Apol, acting director of the Office of Government Ethics, circulated a letter Oct. 5 where he lamented: “I am deeply concerned that the actions of some in government leadership have harmed perceptions about the importance of ethics and what conduct is, and is not, permissible.”
He then included some bullet points for agency leaders about how and why they should model ethical behavior. They certainly seem necessary.