In the medical device industry, recent healthcare reforms such as the Federal Sunshine Act and the medical device tax present new and challenging regulatory risks.

In the absence of enforcement precedent, or even regulatory guidance, assessment and management of these risks have yet to yield a set of best practices. Of course, even within longstanding areas of regulatory compliance, and where there is ample precedent and guidance, there are still plenty of lessons to be learned, especially as regulators increasingly turn their eye to new areas of enforcement for the industry.

For example, the onslaught of Foreign Corrupt Practices Act enforcement actions in the medical device industry is evidence of the compliance challenges for the industry and the risks that face this increasingly global medical marketplace.

Why the crackdown on bribery in the medical device industry? Prior to 2007, the Department of Justice and the Securities and Exchange Commission found great success with an industry-wide investigation of the customs and permitting practices of the oil and gas services industry, resulting in over $235 million of settlements for FCPA-related charges. On the heels of this success, both agencies turned their investigative eye toward the healthcare industry and specifically to medical devices. Among the catalysts for this attention was a voluntary disclosure of FCPA violations by Johnson & Johnson in 2007, but there were other contributing factors unique to the medical device industry.

Greater focus on healthcare in developing nations, the prevalence and establishment of government controlled healthcare, and the global harmonization of standards, coupled with the total sales figures being generated overseas, created the perfect environment for high-risk activities and a bulls-eye emerged on the industry's back. It came as no surprise when in 2007 five medical device manufacturers disclosed that they were the subject of SEC investigations related to FCPA charges. The coordinated agency attention on the device industry was affirmed not long thereafter when Lanny Breuer, U.S. assistant attorney general, and lead for the Justice Department's criminal division announced during an industry conference that an area of increased focus and enforcement for the Justice Department would be the application of FCPA to the medical device industry.  

And the bulls-eye from the regulator perspective was big. In 2007, while estimates vary, the industry accounted for about $98 billion in revenues and was growing annually at a rate of 6 percent. The settlements the SEC and Justice Department secured followed suit: $70 million from a Johnson & Johnson settlement in 2007; $22 million for Smith and Nephew following allegations of discounts off of product sales to an offshore shell; $23 million for Biomet after its employees allegedly concealed improper payments to healthcare professionals in Argentina, Brazil, and China to secure business; $7.4 million for Orthofix for alleged sales contracts bribes. And with additional medical device FCPA investigations still ongoing (Stryker, Zimmer, Medtronic, and others) the list is likely to grow.

The figures represent both the SEC and the Justice Department's combined settlement share and are typically representative of a combination of an equitable disgorgement remedy (SEC) and the product of a U.S. Sentencing Commission Guidelines formula (Justice Department). Both are intended not as much to punish the wrongdoing as they are to prevent unjust enrichment. A significant ancillary effect these settlements have is the insight they provide to other medical device firms about just how big an FCPA risk they face. Indeed, through a careful dissection of the circumstances surrounding the FCPA violations and the agreed upon settlement and a subsequent fair and honest application of this analysis to a company's own compliance program, a gap analysis is effectively performed, the result of which yields a level of risk exposure which may then be appropriately assessed and managed.

Although this may sound logical enough, it may be suspected that the above steps were not taken by some of these recent victims of FCPA investigations, or did they in fact have stringent internal controls that simply failed?

Orthofix's FCPA violations were rooted in the alleged mischaracterization of bribes by their Mexican subsidiary Promeca to Mexico's social services institution. For seven years, the government accused Promeca executives of falsifying invoices to support the provision of bribes, which took the form of cash, laptops, televisions, even the lease of a car. To obtain needed cash, Promeca executives wrote checks to themselves in the name of cash advances. As amounts grew higher, bribes were classified as other business expenses such as training and promotions. Although these larger expenses caught the eye of Orthofix managers as exceeding the budget, they allegedly ceased investigating and were unable to prevent the excessive spend. Coupled with a lack of FCPA compliance policy or related training, and only brief code of conduct language related to anti-bribery (incidentally, Orthofix's code of conduct was only written and distributed in English to Promeca's primarily non-English speaking employees), one might assume Orthofix's internal controls were not wholly sufficient. In fact, it was not until a Promeca executive expressly disclosed the bribes for what they were that Orthofix began its implementation of more robust compliance controls.

Both Orthofix and S&N present what is perhaps the single most glaring and unique factor for the medical device industry that presents FCPA risk: to sell product, you need to interact with the people who use and purchase the product.

Orthofix ultimately reached a deferred prosecution agreement with the Justice Department, which required Orthofix to implement a “compliance and ethics program designed to prevent and detect violations of the FCPA and other applicable anti-corruption laws”. Additionally, Orthofix must “periodically report to the Justice Department during the term of the DPA regarding such remediation and implementation of compliance measures.” This presents an example where significant due diligence within compliance program planning and robust internal controls can lead to the minimization of compliance red flags.

The Department of Justice's S&N investigation alleged that S&N diverted offshore funds they used to pay doctors in Greece. The interesting point in the S&N case is that the red flags were seemingly more apparent than those at Orthofix. Throughout the period at issue, S&N executives and employees appeared to have been aware that bribes were being paid to public doctors using diverted funds. Whatever controls were subsequently implemented were apparently unable to stop the practices from occurring and contracts were renewed.

The deferred prosecution agreement for S&N took the same language as Orthofix's, and in addition required S&N retain an independent compliance monitor for 18 months to review its anti-corruption compliance program.

Risk Factors

Both Orthofix and S&N present what is perhaps the single most glaring and unique factor for the medical device industry that presents FCPA risk: to sell product, you need to interact with the people who use and purchase the product. And in this industry, those with the buying power are typically the healthcare professionals at government-run hospitals and other healthcare organizations. It is this factor alone that presents the most significant challenge to the international medical device company, a challenge that must be dealt with in a compliant and ethical manner. 

The industry best practices to meet this challenge are illustrated by the facts surrounding these FCPA investigations, in addition to the arsenal of guidance available to the compliance and ethics professional or in-house attorney. Compliance program guidance issued by the Office of Inspector General at the Department of Health and Human Services lays a foundation for compliance and ethics programs that drastically minimize risk of non-compliance for an organization. Subsequent application of FCPA precedent to those OIG foundation elements creates even less room for internal controls to fail at detecting non-compliant practices. For example, if internal financial controls mandated full accounting, thorough investigations, and multiple checks and balances when program components raised red flags, non-compliance might be preventable.

Perhaps the single most important factor considered by regulators during investigations and settlements is whether firms possess a strong “culture of compliance,” including robust internal controls, self-investigation or policing procedures, and free, open organizational communication. With these measures in place, organizations are better able to promptly, and thoroughly disclose misconduct if and when it does slip through the cracks. This latter point is especially worth highlighting as it weighs heavily within the Justice Department's Federal Sentencing Guidelines penalty calculation as well as the SEC's ‘Exchange Act Release No. 44969' which contains the relationship of organizational cooperation to agency enforcement decisions.

It would appear the future holds some promise for the medical device industry as well in the area of best practices for FCPA compliance. The Department of Justice's Breuer was recently asked what parts of compliance programs in actual cases helped earn credit, and what practices were looked upon as defective. He responded with comment on the achievement of transparency within the FCPA area: “we are always open to exploring new ways to increase transparency about our enforcement efforts. In fact, we are currently working on a detailed new FCPA guide, which we will be releasing later this year. Maintaining a regular dialogue with industry groups and businesses on important issues, such as compliance programs, is a priority for us.”

Andrew Finkelstein is a Healthcare Compliance Professional who focuses on compliance program development and implementation, including corporate policy development, risk assessment, monitoring and auditing, and corrective action implementation. Andrew has previously served as Director of Regulatory Compliance and Ethics for Coventry Health Care where he focused on compliance program development, particularly for their Medicare business and vendor relationships. During his career, he has been involved with multiple government audit initiatives and has worked with federal agencies and leading industry experts to assure effective corporate compliance.