
Regulatory Compliance Programs

What is a regulatory compliance program?

A regulatory compliance program comprises the activities that support the coordination, management, and monitoring of various federal, state, and local laws and regulations. While Tufts has individuals responsible for monitoring compliance with specific laws and regulations in various areas of operations, establishing a common framework across the University to ensure all significant compliance risks are addressed and effectively managed is considered a best practice.

What are the typical activities involved in managing regulatory compliance?

  • Identifying the management infrastructure needed to support key areas of regulatory compliance (e.g. EHS, OEO, Research Administration, Finance, Data Privacy and Security, FERPA, HIPAA, Financial Aid)
  • Providing required compliance education and training
  • Identifying the resources to manage required compliance with specific areas of regulation
  • Assessing compliance risks
  • Developing risk mitigation strategies
  • Systematic monitoring of compliance with specific laws and regulations
  • Raising awareness concerning significant new or revised regulations among university management and stakeholders

Why is a regulatory compliance program advisable?

Laws and regulations affecting universities are complex and varied. Certain universities have experienced adverse publicity in the press and incurred substantial fines for research, environmental health and safety, employment, student aid, and other types of compliance violations.

Is there guidance for developing and maintaining regulatory compliance programs?

The U.S. Sentencing Commission issues and periodically updates the U.S. Sentencing Guidelines for Organizations, which describe the elements of an effective compliance program. The National Association of College and University Business Officers has many resources available for managing compliance in various areas (e.g. Facilities and Environmental Compliance). The National Institutes of Health and other federal agencies offer grants compliance guidance. The Open Compliance and Ethics Group, a not-for-profit organization, offers a number of resources for managing risk and compliance.

With all of this guidance, what do we follow?

Most compliance guidance is broad and has common themes. Establishing a regulatory compliance program may, in certain environments, be a long-term process. No single approach to program development works for all organizations. However, each program should share the following core elements:

  • Risk Assessment: All key regulated areas should be systematically evaluated for compliance risks. A process should be instituted to ensure risks are regularly evaluated. Resources and internal controls can then be more effectively matched to the severity of each identified risk.
  • Responsible Parties and Roles: Roles and responsibilities for the oversight of regulatory compliance risk areas should be clearly defined and documented. Individuals should be adequately empowered to carry out their responsibilities.
  • Standards and Procedures: Standards and procedures to promote compliance should be clearly communicated and reasonably designed to reduce the risk of non-compliant conduct. Expected standards of conduct should also be documented and communicated.
  • Program Oversight: A compliance officer or other appropriate bodies (e.g., compliance committees) should be designated and charged with the responsibility for guiding and monitoring each of the established compliance programs, with the authority to report any concerns directly to the Board and/or the chief administrator.
  • Awareness, Education and Training: Information regarding specific regulations should be effectively communicated; the institution should ensure that responsible individuals receive timely and updated education and training.
  • Lines of Communication: An effective method of communication should be established between each compliance function and all employees, including a “hot line” to receive complaints, as well as a mechanism to respond to questions.
  • Monitoring and Auditing Systems: Monitoring and auditing systems should be implemented to discourage and detect non-compliant conduct and identify potential regulatory risks.
  • Enforcement Standards/Sanctions: Enforcement standards and sanctions should be established and consistently enforced.
  • Processes for Corrective Actions: These processes should ensure prompt investigation of non-compliance, reporting where appropriate, and development of adequate responses to prevent similar breakdowns in the observance of regulations in the future.

What are some major areas of regulatory compliance?

For research universities, some of the most significant compliance laws and regulations are in the area of sponsored research. This includes the use of human subjects and animals in research; policies pertaining to research misconduct and conflict of interest; grants administration; laboratory safety; and technology licensing. For all educational institutions, student financial aid and the privacy and security of data are important. Non-discrimination, employment, finance, environmental health and safety, and privacy are also heavily regulated under federal and state law.

If I think there is a significant regulatory non-compliance issue, what should I do first?

Tufts has developed a policy for reporting significant instances of suspected non-compliance.

You should become familiar with this policy and follow its guidance. In general, suspected instances of non-compliance should first be reported to the appropriate University manager responsible for enforcing and monitoring compliance in that area. The policy also provides a mechanism for reporting significant instances of suspected regulatory non-compliance through Tufts’ anonymous reporting system hosted by EthicsPoint, for use when other options have been exhausted or you feel uncomfortable discussing the matter with a supervisor or responsible manager.
