Compliance lessons in the healthcare sector

As a healthcare or life sciences company, perhaps you’ve never been in trouble with the Department of Health and Human Services—and perhaps you never will—but it would be a mistake to overlook the important compliance lessons learned by those who have, lest you suffer the same fate.

When enforcement actions against healthcare or life sciences companies arise, many choose to settle their cases prior to litigation, often resulting in a corporate integrity agreement (CIA) with the Department of Health and Human Services Office of Inspector General (HHS-OIG) to avoid exclusion from federal healthcare programs. CIAs generally impose compliance obligations on companies with the intent to prevent future misconduct.

By carefully scrutinizing these agreements, compliance and audit teams in the healthcare and life sciences industries can get a better sense of where to focus their own efforts. “Typically, you don’t find out exactly what the government wants until after the fact,” says Sarah Crotts, an associate with law firm Wall Babcock. “It’s always good to keep an eye out to see what the government is requiring of similarly situated entities.”

And companies have no shortage of guidance: As of February, the HHS-OIG had 216 open CIAs, including 12 involving amendments to prior agreements, according to data on the agency’s website. The number of CIAs over the last five years has fluctuated from a low of 35 in 2012 to a high of 53 in 2015. To date, only one CIA has been reached in 2016.

Although HHS-OIG tailors each CIA to address the specific facts of each case, they all require the following seven core elements of a compliance program under the U.S. Sentencing Guidelines:

Designation of a compliance officer and compliance committee;

Written policies and procedures;

Comprehensive employee training and education;

Effective and open lines of communication;

Consistent enforcement of standards as demonstrated by disciplinary action;

Auditing and monitoring to detect misconduct; and

Developing corrective action initiatives.

Beyond these baseline compliance obligations, many of the provisions included in these CIAs are industry-focused. Settlements pertaining to pharmaceutical companies, for example, now typically demand stringent and widespread monitoring obligations.

“Those requirements can be quite onerous on an entity,” says Crotts. “It adds a level of scrutiny that we haven’t really seen before.”

For example, under separate CIAs with Switzerland-based pharmaceutical giant Novartis and U.S.-based healthcare giant Abbott Laboratories, both companies must formally establish a comprehensive “Field Force Monitoring Program” (FFMP) to evaluate and monitor their sales representatives’ interactions with healthcare professionals and healthcare companies to identify potential off-label promotional activities or other misconduct. This includes the review of records relating to these interactions, a speaker monitoring program, and direct field observations of sales reps.

“Typically, you don’t find out exactly what the government wants until after the fact. It’s always good to keep an eye out to see what the government is requiring of similarly situated entities.”
Sarah Crotts, associate, Wall Babcock

In May 2012, Abbott Labs pleaded guilty and agreed to pay $1.5 billion to resolve criminal and civil liability arising from the company’s unlawful promotion of its prescription drug Depakote for uses not approved by the Food and Drug Administration. The terms of the CIA will expire in 2017.

Novartis’ CIA, which would have expired last year, has been amended and extended for an additional five years as part of a $370 million settlement reached with the Justice Department in November 2015 to resolve allegations that the company paid kickbacks—in the form of patient referrals and rebates—to specialty pharmacies in exchange for those pharmacies recommending Novartis drugs.

Board Oversight

Another emerging development in recent CIAs is the increasingly expanding scope of compliance obligations imposed on boards of directors and management. Although the compliance obligations demanded by many CIAs are not new, “they’re being refined to assure greater focus on the accountability provisions for management and the board,” says Kathleen McDermott, a partner with law firm Morgan Lewis.

Field Force Monitoring and Review Efforts

Below is an excerpt from the original corporate integrity agreement that Novartis Pharmaceuticals entered into with the Department of Justice in 2010, which was extended in November 2015 for another five years.
To the extent not already accomplished, within 120 days after the Effective Date, Novartis shall establish a comprehensive Field Force Monitoring Program (FFMP) to evaluate and monitor its sales representatives’ interactions with HCPs and HCIs. The FFMP shall be a formalized process designed to directly and indirectly observe the appropriateness of sales representatives’ interactions with HCPs and HCIs and to identify potential off-label promotional activities or other improper conduct. As described in more detail below, the FFMP shall include: (1) a Speaker Monitoring Program; (2) direct field observations (Observations) of sales representatives; and (3) the monitoring and review of other records relating to sales representatives’ interactions with HCPs and HCIs (Records Reviews).
Prior to the Effective Date, Novartis had systems to address detailing, sampling, and medical inquiries. The detailing systems shall continue to include controls designed to ensure compliance with Federal health care program and FDA requirements and shall permit the tracking of detailing-related activities, including the submission of Inquiries (as defined above in Section III.B.2.g) and the distribution of samples of Government Reimbursed Products to HCPs. The detailing systems shall continue to include centralized mechanisms through which sales representatives may submit Inquiries to Medical Affairs. With regard to the distribution of samples, the detailing systems and its controls shall prevent the delivery of samples of particular Government Reimbursed Products to HCPs that Novartis has identified as belonging to a specialty group that is unlikely to prescribe the particular Government Reimbursed Product for a use consistent with the FDA-approved label for the product.
Speaker Program Activities. With regard to speaker programs, Novartis shall maintain processes to require all speakers to complete training and enter written agreements that describe the scope of work to be performed, the speaker fees to be paid, and compliance obligations for the speakers (including requirements that the speaker may only use Novartis approved materials and may not directly or indirectly promote the product for off-label uses.) Novartis shall maintain centralized processes and related electronic systems through which all speaker programs are tracked. This system shall establish controls regarding eligibility and qualifications of speakers and venues for the programs, Novartis shall ensure that speakers are paid and tracked according to a centrally managed process, and using a pre-set rate structure determined based on a fair-market value analysis conducted by Novartis.
Novartis shall maintain a comprehensive list of speaker program attendees through its centralized system. In addition, Novartis shall track and review the aggregate amount (including speaker fees, travel, and other expenses) paid to each speaker in connection with speaker programs conducted during each Reporting Period. Novartis shall require certified evaluations by sales representatives or other Novartis personnel regarding whether a speaker program complied with Novartis requirements, and in the event of non-compliance, Novartis shall ensure appropriate follow up activity to address the violation.
Source: Justice Department.

In that context, boards of directors are now often required to review and oversee matters related to compliance with both federal healthcare laws and obligations imposed under the CIA, “so it gives the board a direct role in compliance,” says McDermott. Additionally, many CIAs require that each member of the board receive training regarding these responsibilities, and further provide written certification that the company meets the requirements of an effective compliance program.

For example, healthcare services company Kindred Healthcare and RehabCare Group last month entered into a five-year CIA that requires the board to meet at least quarterly to review and oversee Kindred’s compliance program for RehabCare, “including but not limited to the performance of the compliance officer and compliance committee,” the CIA states.

CIAs also now commonly require that the board hire an outside compliance expert with knowledge of federal healthcare programs to assist the board in reviewing the effectiveness of the company’s compliance program. Such a provision is included in CIAs reached with Novartis and Millennium Health.

Increasingly, too, HHS-OIG through the force of CIAs is imposing greater accountability on management. The Novartis CIA, for example, requires that any employee at the vice president level and higher—more than two dozen executives in all—monitor and oversee activities within their areas of authority, and annually certify that the applicable business unit is in compliance with healthcare laws and the CIA.

A similar provision was included in a CIA that Tuomey Healthcare System reached with the government in October 2015. That CIA, along with a $237 million judgment, resolved allegations that Tuomey illegally billed Medicare for services referred by physicians with whom the hospital had improper financial relationships. 

From the HHS-OIG’s standpoint, expanding the scope of managers who must certify compliance will help not only mitigate abuses of federal healthcare laws, but also make directly accountable those who are in a position to prevent, uncover, correct, or report misconduct.

CIA Negotiations

McDermott says another “notable trend” in recent settlements is that some companies have resolved civil fraud matters without getting a CIA. “That’s a very good sign that the OIG is not indiscriminately imposing CIAs on companies that have demonstrated they have sufficient compliance program safeguards,” she says.

Examples include Teva Pharmaceuticals’ $27.6 million settlement reached with the Justice Department in May 2014, and medical-device company C.R. Bard’s $48.2 million settlement reached in May 2013. Both cases resolved violations of the False Claims Act.

In some cases, a corporate parent also may be able to evade a CIA in situations where the wrongdoing was confined to a subsidiary or operating division of the corporate parent. In those cases, during CIA negotiations, the HHS-OIG will closely scrutinize where authority resides within the company.

These investigations frequently go on for years, over which time the company may have gone through significant changes, “such that it’s simply not the same organization with the same people,” says McDermott. Compliance enhancements may have been sufficiently implemented that negate the need for government oversight, she says.

The costs alone are reason enough to negotiate the terms of a CIA. “Even those with robust compliance programs still incur a great deal of training and auditing costs to ensure timely compliance,” says McDermott. The repercussions for breaching a CIA can be even more severe, with the worst case scenario being a bar from participating in federal health care programs.

“CIAs, in general, place the company under a lot of scrutiny,” says Crotts. The time, and effort, and staffing—including the reallocation of responsibilities, in many instances—that it takes to simply comply with CIA, can be daunting.

At the inception of a subpoena or that the beginning of an investigation, McDermott recommends that the company and their counsel should contemplate not only how to respond to an investigation, but also be thinking about the overall health of the compliance program: “Is it effective? If you’re thinking about that at the end of the investigation when you’re talking about a resolution, that’s a little too late.”

CIAs are one of many valuable resources companies have to better understand what the government considers to be a robust compliance program. As such, companies in the healthcare and life sciences industries should continually review new CIAs as part of their annual risk assessment.