Compliance managers at pharmaceutical companies and medical device manufacturers can stay ahead of enforcement trends by monitoring and voluntarily implementing provisions reflected in Corporate Integrity Agreements (CIAs) between various corporations and the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG).
For example, in April 2013, Policy and Medicine reported that financial recoupment programs, known as “clawbacks,” were new compliance case provisions used to hold current and former corporate executives accountable for their role in compliance violations. At that time, Johnson & Johnson (J&J) said it agreed in principle with expanded clawbacks as a deterrent to unethical and inappropriate behavior, but the company did not have a timetable for adopting a concrete policy. The new CIA J&J entered into on October 31, 2013 has forced the company’s hand, and J&J is required to create compensation packages including clawbacks, according to the government’s timetable and under HHS-OIG supervision. Arnold & Porter, LLP provided a client alert analyzing the facts behind the settlement.
Industry experts, from health consultants to medical researchers, agree that CIAs provide invaluable compliance insight. In fact, CIAs “provide the industry not only with clear direction for, but also an expectation of, responsible behavior,” according to Certified Medical Publication Professional Frank Rodino.
In February 2013, we provided a list of CIAs HHS-OIG entered into with major pharmaceutical and medical device manufacturers. A review of the content of CIAs created over the last few years reveals the specific roadmap OIG-HHS would like to see companies follow when creating comprehensive compliance programs to prevent health care fraud.
Background on Corporate Integrity Agreements
In 2009, Attorney General Eric Holder and HHS Secretary Kathleen Sebelius announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative. The partnership between the Department of Justice (DOJ) and HHS focuses efforts to reduce and prevent Medicare and Medicaid financial fraud through enhanced cooperation.
According to the most recent DOJ press release, since 2009, the Justice Department has recovered more than $17.9 billion due to cases involving health care fraud, largely through global settlements where corporations agree to pay a certain amount to resolve criminal and civil investigations arising out of Food, Drug, and Cosmetic Act (FDCA), False Claims Act (FCA), and federal anti-kickback statute violations. As part of these settlements, corporations often also agree to enter into Corporate Integrity Agreements (CIAs) and HHS-OIG in return agrees not to seek exclusion of the corporation’s participation in federal health care programs.
According to DOJ, “CIAs have many common elements, but each one addresses the specific facts at issue and often attempts to accommodate and recognize many of the elements of preexisting voluntary compliance programs.” CIAs typically last 5 years and require the corporation to:
- Hire a compliance officer/appoint a compliance committee;
- Develop written standards and policies;
- Implement a comprehensive employee training program;
- Retain an independent review organization (IRO) to conduct annual reviews;
- Establish a confidential disclosure program;
- Restrict employment of ineligible persons;
- Report overpayments, reportable events, and ongoing investigations/legal proceedings; and
- Provide an implementation report and annual reports to OIG on the status of the entity’s compliance activities.
These requirements basically enforce specific behaviors suggested by the compliance principles outlined in the 2003 OIG Compliance Program Guidance for Pharmaceutical Manufacturers, with additional provisions that reflect principles in more recent regulations such as the Dodd-Frank financial overhaul, the Physician Payment Sunshine Act, and the updated Provider Self-Disclosure Protocol.
It is clear that the more robust compliance provisions a company proactively, voluntarily implements, the less disruptive and costly a potential HHS-OIG enforcement action will be. Proactive implementation may also demonstrate good faith commitment to compliance and help a company avoid misconduct and subsequent enforcement action.
Compliance Trends Revealed by Recent CIAs
CIAs are a publically available resource that compliance managers should use to their advantage. The following table compares the provisions of 4 of the most notable big pharmaceutical company CIAs since 2009, including Pfizer, Ortho-McNeil-Janssen (OMJ), GlaxoSmithKline (GSK), and the recent Johnson & Johnson (J&J) agreement. According to PharmExecBlog, CIAs may push the industry to create new business models.
When Reuben Guttman, false claims litigation plaintiffs’ lawyer and Emory Law School Center for Advocacy and Dispute Resolution Senior Fellow, wrote the article Corporate Integrity Agreements: Asking the Companies to Police Themselves, Please, he analyzed 9 CIAs dating from 2003-2010.
Several points he identified that were not addressed in those CIAs are now routinely addressed in CIAs since 2011, including: sales representative bonus plans for off-label promotion, the role of marketing personnel in the selection of outside speakers, separation of marketing personnel from compliance monitoring, using an independent review organization to ensure settlement compliance as opposed to just the internal compliance officer, and transparency of FDA information that could affect patient safety.
Beyond the provisions noted above, the GSK settlement, including the historic $3 billion payment, included many new CIA provisions that look like they may become standard, including: breaking the tie between sales compensation and volume, clawback provisions, “Dear Payer” letters notifying payers about the settlement (expanding the “Dear Doctor” program), and tracking off-label inquiries from physicians.
Also, it is interesting to note that HHS-OIG seems to still be experimenting with the creation of meaningful monitoring provisions. In the new J&J CIA, J&J will have the flexibility to create approved monitoring plans for the final three years of the agreement. Provisions that seem to mark new boilerplate inclusions are highlighted in yellow. We have also made this chart available to you for download.
Compliance Responsibilities: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Compliance Officer |
X |
x |
x |
x |
Compliance Committee |
X |
x |
x |
x |
Board of Directors provides compliance review and oversight |
X |
x |
x |
|
Retain external Compliance Expert |
X |
x |
||
Certifying Employees |
X |
x |
x |
x |
Prescribed Certification Language |
X |
x |
x |
|
Certification clause “I understand this certification is being provided to and relied on by the federal government” |
X |
x |
||
Written Standards (Code of Conduct): |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Company commitment to compliance |
X |
x |
x |
x |
Covered personas expected to comply and report violations |
X |
x |
x |
x |
Obligations/consequences regarding failure to report |
x |
x |
||
Disclosure Program |
X |
x |
x |
x |
Code to 3rd Party Personnel |
X |
x |
x |
x |
Policies & Procedures address: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Code of conduct expectations |
X |
x |
x |
x |
Ways to conduct promotional & product related function |
X |
x |
x |
x |
Ways to conduct Payer/Managed Healthcare related functions |
X |
x |
||
Manner of response to off-label inquiries |
X |
x |
x |
x |
Prohibition of all direct or indirect off-label promotion |
X |
x |
||
Database to track inquiries |
X |
x |
x |
x |
Signature from medical professional certifying off-label use inquiry was unsolicited |
x |
|||
Social media and direct-to-consumer advertising |
X |
x |
||
Manner and circumstances of medical personnel at meeting or events with HCPs |
X |
x |
x |
|
Call/target plans |
X |
x |
x |
x |
Sample distribution plans |
X |
x |
x |
x |
Consultant/speaker written agreements |
X |
x |
x |
x |
Consultant fees are fair market value |
X |
x |
x |
x |
Funding of grants |
X |
x |
x |
x |
Provision that grant funding is not to influence use of products or services |
x |
|||
Third party educational support is disclosed, educational focus, non-promotional, fair/balanced, and not misleading |
X |
x |
x |
x |
Review of outside promotional material by qualified personnel |
X |
x |
x |
x |
Promotional material must reflect FDA communications |
X |
x |
||
Sponsorship/funding/disclosures relating to product related functions |
X |
x |
||
Compensation (salary & bonuses) |
X |
x |
x |
x |
Include mechanisms to exclude incentive compensation that may indicate off-label promotion |
X |
x |
x |
|
Compensation Recoupment |
X |
x |
||
Annual review to ensure accuracy of data/info submitted to Compendia |
X |
x |
||
Sponsorship of post-marketing research (clinical trials, articles) |
X |
x |
x |
x |
Disciplinary policy for violating company or federal requirements |
X |
x |
x |
x |
Research/Publication Practices ensure: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Commercial personnel shall not participate in/approve research |
X |
x |
||
Disclosure of funding support and/or affiliation in publications |
X |
x |
||
Registration of clinical studies |
X |
x |
||
Adverse research event data properly reported to FDA |
X |
x |
||
Authorship Requirements: | ||||
Adherence to ICMJE |
x |
x |
||
Made substantial contributions to study and approved final version |
x |
x |
||
Training & Education: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
1 hr. annual general CIA and compliance program training to all covered persons |
x |
x |
x |
x |
3 hr. annual specific training for covered persons engaged in promotional or product related functions |
x |
x |
x |
x |
Additional specific training topics for covered persons engaged in payer/managed healthcare related functions |
x |
x |
||
Compliance Training for Management |
x |
x |
||
2 hr. board member training |
x |
x |
||
Certify receipt of training |
x |
x |
x |
x |
Risk assessment and mitigation plan process |
x |
x |
x |
|
Review Procedures: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Independent Review Organization |
x |
x |
x |
x |
Certified independent Annual Review Report |
x |
x |
x |
x |
Outside review of risk assessment and mitigation plan process |
x |
|||
Monitoring: | ||||
Speaker monitoring program tracked through centralized system |
x |
x |
x |
x |
Consultant arrangements legitimate need/business rationale |
x |
x |
x |
x |
Annual speaker program audits |
100 1st year; 150 2nd year; then according to monitoring plan |
150 1st year; 75 after 1st year |
40 |
200 |
Annual observations of sales reps (ride-alongs) by non-marketing personnel |
50 1st and 2nd year; then according to monitoring plan |
50 1st year; 25 after 1st year |
30 |
60 |
Annual consultant program audits |
50 1st and 2nd year; then according to monitoring plan |
50 1st year; 25 after 1st year |
50 |
50 |
Annual researcher arrangement audits |
30 1st and 2nd year; then according to monitoring plan |
20 1st year; 10 after 1st year |
||
Annual publication activities audits |
20 1st year; 30 2nd year; then according to monitoring plan |
50 1st year; 25 after 1st year |
30 |
|
Annual Third Party medical education activities audits |
20 1st year; 30 2nd year; then according to monitoring plan |
10 1st year; 5 after 1st year |
50 |
|
Other: |
J&J 2013 |
GSK 2012 |
OMJ 2010 |
Pfizer 2009 |
Compliance disclosure hotline |
x |
x |
x |
x |
Maintain disclosure log |
x |
x |
x |
x |
Screen for and remove all ineligible persons |
x |
x |
x |
x |
No sales financial rewards based on volume |
x |
|||
Recoup up to 3 years incentive pay for misconduct |
x |
x |
||
Notify OIG of investigation or legal proceedings |
x |
x |
x |
x |
Report reportable events within 30 days |
x |
x |
x |
x |
OIG notification of FDA communications |
x |
x |
x |
x |
“Dear Doctor” letters |
x |
x |
x |
x |
“Dear Payer” Letter |
x |
x |
||
Posting physician payments on website |
x |
x |
x |
x |
Post grants and charitable contributions |
x |
x |
It is notable that only 2 of the top 15 pharmaceutical companies (as listed by 2013 PharmExec Top 50) have not been subject to a CIA within the last year. Takeda Pharmaceuticals’ previous CIA, resulting from a joint venture with Abbott Laboratories, ended in 2006.
Roche appears to be the only top pharmaceutical company that has never been subject to a CIA. Nevertheless, a cursory review of the Roche website, including the company’s Group Code of Conduct, reveals that Roche has voluntarily incorporated many of the compliance provisions required by recent CIAs. Roche has a Chief Compliance Officer, a “SpeakUp” hotline where employees can confidentially report wrongdoing, a written “code of conduct” formally endorsed by the CEO and the Board of Directors, electronic compliance and integrity training modules (Roche Behaviour in Business, or RoBiB, e-learning program) where all employees certify their participation in the training, and an online business ethics reporting system to monitor and track alleged violations from initial report through resolution. In the changing compliance landscape, these measures seem to be examples of compliance best practices.
Smaller companies are not immune from compliance expectations and targeted enforcement. Brian Dahl, of ProPharma Group, noted that recent settlements with ISTA Pharmaceuticals and TranS1/Baxano Surgical, among others, ranged between $6 and $35 million, but included CIA provisions similar to requirements for big pharmaceuticals. Although the large settlements make headlines, smaller companies should also use existing CIAs as benchmarks for their compliance programs.
Implications of CIA Enforcement
By statute, HHS-OIG can pursue recoupment of civil money penalties and provider exclusion from federal health care programs as a consequence for wrongdoing. To avoid exclusion, many companies enter into a CIA; however, CIAs contractually permit HHS-OIG to enforce very specific measures that companies otherwise have the flexibility and discretion to implement or not.
After an interview with the Chief Counsel to the Inspector General in 2012, PharmExec concluded that “CIAs of the future [will] be much more comprehensive than the CIAs of the past.” The trend we observe is that HHS-OIG continues to create new provisions to address specific misbehavior, and then those provisions get added to future boilerplate CIA language.
Current CIAs routinely include provisions specifically meant to hold company boards of directors accountable for compliance violations. In a recent legal working paper, Professor Wulf Kaal and attorney Elizabeth Malay explore the role of CIAs in the expansion of directors’ fiduciary duties. The authors conclude that the duties imposed by CIAs, including passing of specific resolutions, appointment of specific officers and committees, annual reviews through an IRO, and board certification of compliance with the CIA, all expand directors’ liability and the “legal duty of care.”
As a prime example, the authors note that the New Jersey District Court dismissed a 2011 complaint against J&J’s board of directors alleging the board permitted and fostered a culture leading to widespread legal violations. At the time, J&J was not subject to a CIA.
In contrast, the Southern District of New York Court allowed a 2009 derivative suit against Pfizer’s board to move forward. The court referenced Pfizer’s multiple CIAs as proof that the directors may have breached their fiduciary duty to their shareholders, concluding that “in the case of a company with an executed CIA, [the court] will allow an assumption that the directors were fully informed, and thus willing participants in the corporate malfeasance.” Directors of corporations with CIAs should understand that they are held to a higher standard and are expected to have more knowledge and exercise more control regarding compliance issues.
Additionally, companies operating under CIAs should be aware that HHS-OIG can enforce CIA provisions through criminal prosecution, fines, penalties, additional CIAs, exclusion, and most recently forced divestiture. When Skadden attorneys reported that HHS-OIG required Church Street Health Management to sell one of its dental clinics within 90 days to avoid corporate exclusion from federal programs, Skadden noted that it was the “first time in a health care fraud case OIG has used forced divestiture of a company subsidiary to cure deviation from CIA-imposed compliance obligations.”
By all accounts, forced divestiture was first used as an HHS-OIG enforcement strategy in 2010, when Synthes, Inc. entered into an initial CIA that included a divestiture agreement to sell or dissolve its subsidiary, Norian Corporation, within seven months.
Most recently, parent company Bausch+Lomb entered into a CIA that included a divestiture agreement to transfer all assets belonging to its subsidiary ISTA Pharmaceuticals within six months, after which time ISTA would be excluded for 15 years. Forced divestitures are examples of HHS-OIG’s novel efforts to enforce compliance without having to resort to complete exclusion. HHS-OIG has also excluded individual executives and indicated that divesting a particular product or taking away a company’s patent rights might be future enforcement tools contractually included to address CIA violations.
CIA violations also open a company up to additional private rights of action under the FCA. In 2012, the U.S. Court of Appeals for the Eleventh Circuit held that failure to comply with CIA contractual obligations, like certification of compliance, remittance of overpayments, and cooperation with an IRO audit process, can provide an independent basis for FCA liability. United States ex rel. Matheny v. Medco Health Solutions, Inc., 671 F. 3d 1217 (11th Cir. 2012). Thomas Beimers, attorney with Faegre Baker Daniels, observed that this “novel whistleblower complaint…represents a potentially significant extension of False Claims Act liability for companies operating under CIAs.”
Conclusion
The industry should take note of the expanded enforcement actions CIAs permit as well as the consequences of CIA violations. After the 2012 Pharmaceutical Compliance Roundtable, attended by HHS-OIG officials and representatives of 23 pharmaceutical companies under CIAs, we reported that the government was seeking a middle ground to avoid exclusion (which can leave beneficiaries without needed drugs) but also provide sufficient consequences to deter further misconduct. Gibson Dunn’s 2012 Year-End Health Care Compliance Update noted enforcement officials are imposing “increasingly harsh penalties… on companies and individuals alike, ‘seeking to disprove the ill-advised notion that health care fraud enforcement is simply the cost of doing business.'”
Because of implementation and IRO requirements, a CIA can be very costly, particularly in the first year. To stay ahead of the compliance curve, companies that want to do business with the government should continually utilize existing CIAs as guidance to voluntarily structure rigorous compliance programs in a timetable and manner that works best for each individual company.