The Healthcare Compliance field has been evolving for years. Early on, the focus was on large pharmaceutical companies, then on biotech companies and more recently on large and small medtech/device firms. In this evolution, core misconceptions rooted in myth keep coming up. In this article, we will explore five of these myths.
Myth 1: Regulators and prosecutors are only concerned with the behaviors of large companies with big operations and deep pockets—small or new companies don’t have to worry as much.
The Reality and Consequences: All life sciences companies, regardless of size, product maturity or sector, operate in this highly regulated and extremely complex industry, which is prone to mistakes, misunderstandings, and a combination of intended (rarely) and unintended gaffes.
The nature of healthcare makes this industry a very attractive target for critics and those seeking to connect even lawful and appropriate payments with nefarious intent. Larger and more established companies have been on this journey for a long time and have established robust processes to effectively manage this area. They generally have greater resources that can be utilized to manage transparency initiatives. Newer and smaller companies are early on this path and have more constrained resources, leaving them relatively more vulnerable.
The availability of public information, thanks to voluntary and regulated transparency reporting, creates an expectation for all companies, regardless of size, stage or sector, to stay on top of their own data collection and reporting efforts. It is easier than ever to access information about what you are doing, how you are spending money, who you are spending money on and why you are doing it. The public, regulators, the Department of Justice (DOJ) and others are able to quickly compare payments to HCPs against Medicare reimbursements and draw theories of inappropriate payments. Size does not matter when coming up with these theories.
A significant amount of attention is now paid to the actions of small companies—often triggered by aggressive pricing actions or other lightning rods. This attention can spill over to all company activities, especially those involving scientific and commercial collaborations.
For a small firm, consequences can run the spectrum from strained and difficult relations with thought leaders and regulators, through to investigations and litigation that can be disproportionate to size or scale and possibly affect the firm’s reputation—and maybe even its survival.
Reviewing the prosecution landscape, evidence shows smaller firms are being scrutinized. Notable examples: Corporate Integrity Agreements (CIAs) in 2014 with DaVita Healthcare Partners, Endo Pharmaceuticals and others. The trend continued into 2015 with CIAs for Daiichi Sankyo, HDL and Singulex.
What’s Needed: All companies, large and small, must establish and manage an effective and comprehensive compliance program that includes all the OIG’s Seven Elements. But it cannot stop there. To operationalize these elements, companies need to design, implement and manage the right operational processes, including appropriately leveraging automated tools and workflows—with proper tools that ensure compliance becomes embedded into everyday business activities.
Myth 2: Boards of Directors and company executives are generally shielded from investigations and resulting actions. Only compliance officers or operating managers are usually held personally accountable for compliance and transparency violations.
The Reality and Consequences: This belief turned on its head almost overnight with the recently issued “Yates memo”1 where the U.S. Department of Justice expressed its intention to go after individuals to be held accountable for a company’s actions. This intention came to reality only a few weeks later with the DOJ criminally charging several former Warner-Chilcott executives.2
Separately, the OIG recently published educational guidance: “Practical Guidance for Health Care Governing Boards on Compliance Oversight” in which the obligations of Boards, large and small, in terms of risk management responsibilities are underscored.3
C-level executives, other senior officers and Boards of Directors members are increasingly asked to be on top of compliance programs and even to “sub-certify” the accuracy of various statements and reports.
For a C-level executive to personally attest to data accuracy, one—or many—levels of the organizational hierarchy must first review and certify the completeness and accuracy of their individual or departmental transactions. Held at multiple checkpoints during the year, these stakeholder reviews can provide valuable insight into missing information and incomplete or inaccurate transactions, and help signify companywide buy-in and accountability for interactions with HCPs and healthcare organizations. These sub-certification requirements are becoming industry practice—either as part of negotiated CIAs or adopted by many companies not under a CIA.
Chief Compliance Officers are also required to sign personal attestations to the accuracy of U.S. Sunshine Reports and are spreading that responsibility and accountability out by requiring key employees in HCP/HCO-facing departments to sub-certify the completeness and accuracy of information recorded/sent by the functions and their third-party vendors to the compliance department for reporting.
Another important wake-up call is what is referred to as the “Park doctrine” or The Responsible Corporate Officer Doctrine (RCO Doctrine), which holds corporate executives criminally responsible for violations by individuals who report to them—even if the official was unaware of the violation and did not cause it. Basically it lays responsibility on those who should have known about the activities in question—so simply not knowing may not be a valid excuse.
What’s Needed: In addition to knowing the company’s standards and abiding by them, all leadership and boards must become familiar with the compliance processes and measures that govern the company behaviors and its functions so they can certify their effectiveness, and more importantly, meet their obligations to shareholders, regulators, customers and patients. Of course, this includes setting the right “tone from the top” for expectations on how everyone in the company operates.
Reliance on Legal or Compliance functions alone to mitigate risks is not adequate. This area requires a complete effort that touches every employee, every system and third party involved in relevant activities.
Myth 3: Compliance and Transparency are primarily a U.S. issue due to laws and the very active whistleblower environment in the U.S.
The Reality and Consequences: While the U.S. led the life sciences compliance movement in the past decade or so, nations in the developed, and to lesser extent, the developing world, are rapidly following suit. A number of countries instituted transparency requirements similar to the U.S. Sunshine Act. Some regulators around the world see U.S. government actions as a model for impacting behavior and extracting penalties from both local and multi-national companies:
1. The Netherlands, France, Denmark, Portugal, Japan, Australia and Colombia passed Sunshine-style transparency reporting programs—more will follow. They are not always laws, but actions rooted in industry self-regulation goals. As an example: The EFPIA Disclosure Code is an industry code which technically only applies to signatory companies but is quickly becoming industry standard in that region, regardless of association membership. Companies globally are feeling pressure to voluntarily comply.
2. The U.S. Foreign Corrupt Practices Act (FCPA) is used by an increasingly aggressive U.S. Department of Justice (DOJ) and allows the U.S. government to extend its enforcement extra-territorially. The U.S. uses this law in a liberal manner. Even companies and individuals without a physical presence in the U.S. or not regulated by the SEC are being prosecuted. Increasingly, Chinese and U.S. regulators are cooperating in these types of cases. The UK is also starting to use its Bribery Act in much the same way that U.S. regulators are using the FCPA. The actions are a direct result of the notable corruption scandals in China, France, the UK, and elsewhere, which have attracted both public and regulatory attention.
What’s Needed: Companies must address not only laws, regulations and industry codes where they are based, but also pay attention to requirements across the globe. They need to pay special attention to business units or operations that might trigger one of these laws, regulations or industry codes and understand the subsequent impact on operations across the company, including the management of cross-border transactions.
The ideal approach is to adopt globally applicable standards and processes that allow some local flexibility, but generally meet the highest standards in each activity. This also applies to data collection processes and tools for transparency reporting. Using a “building block” approach, it’s best to collect every transaction in great detail consistently around the world and then adjust reporting based on local requirements. Of course, there needs to be certain allowances for data limitations and privacy restrictions in some jurisdictions.
We do foresee a future in which major jurisdictions require the reporting of a company’s activities worldwide. Whether or not such requests survive legal challenges, companies should adopt global standards and measures. Having a lowest common denominator of data capture across the organization can also facilitate enhanced business and operational reports.
Myth 4: The only transparency reporting requirements that companies need to be aware of and adhere to in the U.S. are for the U.S. Sunshine Act.
The Reality and Consequences: It’s about more than the U.S. Sunshine Act. In fact, a lot of it pre-dates the Act and, even after great efforts, has not been pre-empted by federal law. Several states have either restrictions or reporting requirements, or both. Some states have adjusted their reporting requirements now that the Sunshine Act is in place and reporting is required, but there are still additional state reporting requirements.
States can impose fines if reports aren’t submitted or aren’t submitted on time. In some cases, even if a company has no reportable spend, a report needs to be submitted to validate that case. Not reporting can also have reputational consequences if called out by critics, which has happened already.
We have seen Vermont hold true to the additional rigor of its law, and the state fined companies for varying degrees of non-compliance. States including Minnesota and Connecticut feel that the Sunshine Act does not cover enough of the influencing population, and these states and their regulations show a willingness to ensure the scope of transparency goes beyond Federal requirements.
Even the U.S. Sunshine Act is subject to evolution and expansion. Recent calls to include nurses, pharmacists and others represent an ever changing and increasingly complex environment.
What’s Needed: Create a comprehensive program to collect, assess, monitor and report transactions that involve every transfer of value—not only for U.S. Sunshine Act reporting, but for all spending-limit and transparency management.
More forward-looking companies realize this data collection and management on a continuous and most comprehensive basis provides a wealth of knowledge helpful to manage the business, beyond compliance. Companies use this data to make resourcing decisions, to feed ROI calculations (where permitted), and to make valuable business decisions.
Myth 5: My law firm gives me all the legal and compliance help I need.
The Reality and Consequences: Law firms are in the all-important business of providing legal advice to identify and mitigate risks, as well as handling a company’s litigation work. Often this is privileged advice—and limited in scope.
A compliance program with robust policies and even conservative risk filters falls apart if it is not pulled through the organization with adequate training and with business processes and systems that help manage the risks and collect necessary data. In general, law firms are not equipped or do not have the expertise to provide support in the implementation of compliance programs, especially in relation to compliance operations, business processes and systems and technologies. Although they fill a critical role, partnering with others provides the right complementary expertise and capabilities.
Also, the Office of Inspector General (OIG) has issued guidance and has long maintained the importance of separating the legal and compliance functions based on the belief that each serves different purposes, albeit related.
What’s Needed: An effective program must meet the full set of needs and realities of the organization. A well-sequenced program that gets integrated into the fabric has the highest likelihood of success.
The close collaboration and dedicated work of several functions ensures a truly effective compliance program that not only manages risk, but that is also minimally disruptive and helps the organization meet its business goals and obligations. The typical functions that work together, and by extension their external partners, are: Legal, Compliance, Audit, IT, Business Operations, and Training.
These five myths and accompanying realities are not the only ones. Similar myths are dispelled as leadership of new and established companies come to appreciate healthcare compliance is not a passing fad, or a U.S.-centric pressure—and not easily implemented at the last minute. Healthcare compliance and transparency strategies and capabilities must be considered as early as possible and built into the cultural and functional fabric of all companies, regardless of size or sector.