As we have covered numerous times over the past few years, pharmaceutical and medical device manufacturers have been increasingly prosecuted and fined for improper, illegal, and unethical behavior. As a recent article from USA Today noted, “the nation’s largest drugmakers have paid at least $8 billion in fines for repeatedly defrauding Medicare and Medicaid over the past decade.”
However, as the article noted, these companies “remain in business with the federal government because they are often the sole suppliers of critical products.” In order to keep doing business with federal healthcare programs, companies have entered into Corporate Integrity Agreements (CIAs) with the Department of Health and Human Services (HHS) Office of the Inspector General (OIG).
Consequently, HHS OIG recently released a report summarizing discussions from a Government-industry Pharmaceutical Compliance Roundtable the Office held on February 23, 2012.
The Roundtable provided an opportunity for OIG to discuss with compliance professionals in the pharmaceutical industry their experiences under Corporate Integrity Agreements (CIAs) and with various types of compliance activities. One goal of the Roundtable was to identify compliance measures that participants find effective and share these with others within and beyond the pharmaceutical industry.
While positive highlights of CIAs were discussed at the Roundtable, government investigators say their hands are tied with the tools they have. They can exclude Pfizer and other pharmaceutical companies from providing medications to Medicaid and Medicare beneficiaries as punishment for bad behavior, but that would leave beneficiaries without drugs patented through a particular company. Alternatively, OIG can fine the companies and force them to enter CIAs.
However, OIG is “seeing some of the big companies a second and third time,” said Gregory Demske, assistant inspector general for legal affairs for Health and Human Services. “The corporate integrity agreement is not sufficient to deter further misconduct.” In addition, the cases are labor- and cost-intensive as the companies fight often for years to avoid an exclusion, Demske said.
To try to change that trend, the government announced in 2010 that, rather than exclude an entire company, investigators would go after individuals within a company. Demske said OIG, the Justice Department and the Food and Drug Administration have come up with some ideas to use within the scope of the rules — such as taking away a company’s patent rights as a condition of a settlement. That could begin with cases being investigated now, he said.
Sen. Chuck Grassley, R-Iowa, introduced a bipartisan bill that would make it easier for the government to find a middle ground, saying the law now forces “the inspector general to use all-or-nothing, mandatory exclusion penalties against corporations that have committed fraud.” The bill would allow the exclusion of individuals from working with the government even after they’ve left the company where the fraud occurred.
At least 12 pharmaceutical and medical device companies are lobbying specifically against a House bill, HR 675, that complements Grassley’s. The industry’s trade group, the Pharmaceutical Research and Manufacturers of America, says excluding an individual should occur only when there is “significant wrongdoing” that the individual knew about and did nothing to stop, said Matthew Bennett, the group’s senior vice president.
Roundtable
Forty-two compliance officers and other compliance professionals from 23 pharmaceutical manufacturers currently under CIAs attended the day-long event. The Roundtable consisted of large and small group sessions. During the small group sessions, industry representatives engaged in dialogue with more than 15 representatives from the Office of Counsel to the Inspector General, including several CIA monitors for the companies in attendance.
The Roundtable began with a large group session during which Inspector General Daniel Levinson and Chief Counsel Lewis Morris delivered introductory remarks. The large group then divided into smaller breakout sessions. During the day, all attendees discussed each of these five topics:
(1) Challenges in Implementing CIAs;
(2) Compliance Program Structure and Oversight;
(3) Risk Assessment and Monitoring Activities;
(4) Policies, Procedures, and Training Activities; and
(5) Compliance Post-CIA.
Topic 1: Challenges in Implementing CIAs
Participants discussed issues related to challenges in implementing CIA requirements. The primary issues were:
(1) the definition of “Relevant Covered Person,”
(2) the deadlines for the initial implementation of CIA requirements,
(3) training requirements,
(4) the health care provider (HCP) notice letter,
(5) payment-posting requirements, and
(6) working with Independent Review Organizations (IROs). Participants described their experiences in implementing the CIAs and recommended changes to CIAs.
Definition of “Relevant Covered Persons”: CIAs require that companies provide specified written policies and procedures and training to individuals who meet the CIA definition of “Relevant Covered Persons.” Participants reported that their companies interpret the definition broadly and that this creates challenges in correctly identifying all Relevant Covered Persons.
Deadline for initial implementation of CIA requirements: CIAs typically require companies to develop and implement codes of conduct, policies and procedures, and training within specific timeframes following the effective date of the CIAs. Participants expressed concern that the timeframes are too short to allow for effective development of company-specific policies, procedures, and training materials. Participants reported that as a result, their companies may use “generic” policies, procedures, and training materials to meet the CIA deadlines for initial implementation. Participants recommended that to allow for development of more meaningful and effective policies, procedures, and training, CIA deadlines be extended.
Training requirements: CIAs require companies to certify that they have trained all Relevant Covered Persons. Participants reported that these requirements cause companies to develop and implement computer-based training modules for which completion is easier to track. While participants believe that small group training (such as that provided during in-person sales meetings) is more effective than computer-based training, attendance at such training may be difficult (and labor-intensive) to track.
Participants offered several suggestions to improve training. These included:
(1) permitting companies to develop more flexible training plans (especially after the initial reporting period of the CIA) that would be approved by the CIA monitor annually;
(2) permitting general training requirements to be satisfied through competency testing (in such cases, employees who pass a compliance test would be exempted from additional training requirements for the year); and
(3) revising CIA requirements to allow companies to satisfy CIA obligations with training tailored to identified risk areas.
Notice to health care providers: Some CIAs require companies to send to HCPs a letter briefly describing the terms of the settlement between the Government and the company and the alleged misconduct at issue. Some participants reported that sending this letter is expensive and that it is not an effective vehicle to promote awareness of compliance issues among HCPs. Some participants recommended that OIG permit more flexibility in how the content of the letter is delivered. Suggested alternatives were:
(1) hand delivery of the letter by sales representatives;
(2) posting the pertinent information on a company Web site; or
(3) sending the letter by less expensive means (e.g., by regular mail or email) than required by the CIA.
Payment-posting requirements: Certain CIAs require companies to track and post on company Web sites information about payments made by the companies to HCPs. Participants expressed concern about the differences between, and possible inconsistencies in, the CIA requirements and those in the ACA—the Sunshine Act. Some participants requested that OIG permit companies to satisfy CIA requirements by certifying that they complied with the ACA provisions. Others requested that OIG suspend or alter the transparency requirements in CIAs after the ACA transparency regulations are finalized.
Topic 2: Compliance Program Structure and Oversight
These sessions focused on two main topics:
(1) boards of directors’ oversight of, and participation in, compliance-related activities;
(2) integration of compliance activities into business functions beyond the compliance department. Participants uniformly agreed that it is critical for boards of directors to be involved in compliance oversight and that the integration of compliance efforts into business activities materially enhances compliance effectiveness.
Board resolutions and certifications: Some CIAs require that board members annually pass and sign a resolution confirming, if they can, that the company has implemented an effective compliance program. Participants reported that these requirements lead board members to better understand compliance issues and ask more questions about compliance (and their own potential liability).
Some participants opined that the CIAs did not adequately account for differences in the organizational and oversight structures of companies. These differences may arise, in part, because of the national or international nature of the company (including whether there are national and/or international boards) and whether the company is publicly traded or privately held. Participants recommended that OIG take into account these differences and consider: (1) more flexible approaches to board training requirements and (2) flexibility in IRO and compliance expert review requirements.
Examples of compliance/business integration:
(1) appointing deputy compliance officers within individual business units;
(2) requiring business unit managers to incorporate compliance considerations in business decisionmaking;
(3) increasing individual accountability by requiring compliance-related certifications from senior management in key business units;
(4) imbedding compliance representatives (sometimes called liaisons, ambassadors, or champions) in individual business units;
(5) including compliance-related requirements as an element in performance plans of all employees;
(6) staffing compliance committees with individuals from varied business units and disciplines; and
(7) fostering lines of communication between headquarters compliance staff and business unit personnel, including through monitoring of field activities by headquarters staff.
Topic 3: Risk Identification and Monitoring Activities
These sessions focused on risk-assessment processes and methods by which companies conduct internal monitoring. Many CIAs require companies to monitor specified types of activities during each year of the CIA (through internal programs and/or IROs). Participants commented on various types of monitoring activities and recommended that CIAs allow for increased flexibility for required monitoring activities.
Participants reported that compliance training for management and field representatives is essential to an effective risk-identification program because it enables individuals “in the business” to better identify compliance risks and take appropriate mitigation steps. In addition, participants reported that if compliance personnel have “a seat at the table” when sales and marketing activities are planned or discussed, they can help ensure that risks are preemptively identified and addressed.
Many CIAs require companies to annually monitor a specified set of activities. Required monitoring activities include reviews of: (1) sales representative call notes; (2) the activities of the medical information department (including responses to inquiries about off-label uses of drugs); and/or (3) speaker program activities. Several CIAs also require that compliance personnel “ride along” with field representatives on sales calls to HCPs.
Flexibility in monitoring: As a general comment, many participants requested that OIG permit greater flexibility under CIAs to monitor new or different activities in later years of a CIA. Participants asserted that the monitoring obligations of CIAs can be focused on past conduct and that by the time a CIA is implemented, the company has likely identified new risk areas (e.g., as a result of risk-assessment or auditing practices) to which oversight resources would be better deployed. Some participants also suggested that companies be relieved of certain obligations in the later years of the CIA if they are able to demonstrate compliance with CIA requirements and positive results through auditing and monitoring.
Identity of monitors: Participants requested that CIAs permit more extensive use of outside consultants or company employees from outside the compliance department in conducting auditing and monitoring activities. This would allow companies to deploy their limited compliance resources for collaborative and educational purposes.
Speaker programs: CIAs require compliance or other personnel to attend speaker programs in order to conduct “live” monitoring of the programs. Some participants recommended that the CIAs permit the monitoring of speaker programs or other events via teleconference or videoconference. This would reduce costs associated with deploying headquarters-based compliance personnel to attend programs throughout the country.
Ride-along activities: Many participants reported that such ride-alongs do not generally lead to the identification of specific noncompliant conduct by sales representatives. However, participants widely agreed that these activities are beneficial because they establish a line of communication between field and compliance personnel and enable the development of relationships between the two groups.
Topic 4: Policies, Procedures, and Training Activities
Participants offered insights about the development and dissemination of policies and procedures and training activities at their companies.
Development and revision of policies and procedures: Participants uniformly recommended that to generate the most effective policies and procedures, business unit personnel and other affected stakeholders participate in the development and revision process.
Accessibility and format: Participants agreed widely that policies must be accessible to employees and be provided in a useful format. Participants also emphasized the need to make compliance information available in different formats and to permit questions to be asked through various mechanisms. In addition to reporting a compliance department Intranet site and a hotline, some participants reported that their companies established electronic search capabilities that enable employees to search for particular topics within compliance-related documents.
Training of contractors: Participants reported that they spend a significant amount of time determining which contractors must receive training under the CIAs. Participants suggested that OIG and/or companies under CIAs create baseline training for Relevant Covered Person contractors and permit the completion of the baseline training to satisfy CIA training requirements for all companies. Another variation on the theme was a suggestion that CIAs permit contractors to use certificate-based training.
Topic 5: Compliance Post C.I.A.
In these sessions, participants were asked to identify which CIA-required compliance measures they would recommend their companies continue after the conclusion of the CIAs. Participants were also asked to predict the biggest compliance risks likely to face their companies and the industry in the next 5 years. Most participants expect that their companies will continue a number of compliance activities following the conclusion of the CIA.
Certifications and board involvement: Participants expressed wide agreement that management certifications are valuable and would likely be continued. Participants also predicted that boards would continue to be substantively involved in post-CIA compliance programs and that such involvement would be vital.
Training and disclosure programs: Participants indicated that their companies would continue training efforts but would make the training more flexible and tailor it to their companies’ current risks and values. Participants expect that post-CIA training will emphasize quality of training over the number of hours of training. In addition, participants recommended that disclosure programs be continued because they permit employees to raise compliance issues and underscore that every employee has a role in ensuring compliance.
Field monitoring: Participants expect their companies to continue to monitor field-based activities after their CIAs ended, including ride-alongs. However, participants also suggested that the monitoring likely would become more flexible to focus on current risk areas (which change over time). However, participants also expect their companies to conduct fewer such activities and use other means to monitor the field sales force.
Changing regulatory and other requirements: Across the board, participants identified their biggest compliance challenge as staying abreast of changing requirements and regulatory complexities, especially in the area of transparency. Many participants cited as an example the requirements relating to the ACA sunshine provisions and the analogous (but different) State reporting requirements. Other participants identified compliance with expanding global requirements (including those in the area of transparency) as a challenge. Finally, participants noted that their companies also face challenges associated with new Government requirements, including those relating to accountable care organizations.
Social media and technology: Participants also identified growing future challenges associated with information about products found on the Internet, including on social media Web sites. This would include information posted by manufacturers as well as other information found on the Internet.