Compliance program auditing/monitoring is #5 of the 7 elements of the OIG Compliance Program Guidance. Auditing is also required by law in some states.
The Office of Inspector General (OIG) expects drug and device manufacturers to follow its Compliance Program Guidance, which identifies auditing/monitoring as a fundamental element of an effective compliance program.
Additionally, California and Connecticut laws require manufacturers to adopt compliance programs that conform to the CPG. Massachusetts and Nevada laws require the company compliance officer to certify annually, under penalty of perjury, that a compliance audit has been performed. If the compliance officer attests to such certifications without performing an audit, they are taking on personal liability and putting their company at risk.
Figure 1: OIG Compliance Program Guidance (“CPG”)
OIG Compliance Program Guidance (“CPG”)
- The development and distribution of written standards of conduct, as well as written policies, procedures and protocols that verbalize the company’s commitment to compliance (e.g., by including adherence to the compliance program as an element in evaluating management and employees) and address specific areas of potential fraud and abuse, such as the reporting of pricing and rebate information to the federal health care programs, and sales and marketing practices;
- The designation of a compliance officer and other appropriate bodies (e.g., a corporate compliance committee) charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the board of directors and/or the president or CEO;
- The development and implementation of regular, effective education and training programs for all affected employees;
- The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation;
- The use of audits and/or other risk evaluation techniques to monitor compliance, identify problem areas, and assist in the reduction of identified problems;
- The development of policies and procedures addressing the non-employment or retention of individuals or entities excluded from participation in federal health care programs, and the enforcement of appropriate disciplinary action against employees or contractors who have violated company policies and procedures and/or applicable federal health care program requirements; and
- The development of policies and procedures for the investigation of identified instances of noncompliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures and processes to report the offense to relevant authorities in appropriate circumstances.
Auditing and monitoring health care compliance is important to help mitigate the risk of being sued by the government. The government continues to target manufacturers, executives and even compliance officers.
Examples of recent enforcement activities:
- On July 23, 2019 the Department of Justice (DOJ) announced that it filed a lawsuit against Life Spine, Inc., a spinal implant manufacturer, its CEO, and another executive for allegedly illegally paying millions of dollars in kickbacks to surgeons in exchange for purchasing Life Spine products. Of note, the amount of “general payments” reported by Life Spine in its 2018 Physician Payments Sunshine Act submission accounted for 10% of Life Spine’s total sales revenue. Ten percent is high and according to the DOJ, Life Spine under reported. Industry benchmarks are scarce but a small sample analysis of Open Payments data, shows that general payments often account for up to 2% of total sales, and more commonly, 1% or less. What percentage is your organization paying?
- On September 4, 2019, the DOJ announced that drug maker Mallinckrodt agreed to pay over $15 million to resolve allegations brought by whistleblowers that it violated the False Claims Act and Anti-Kickback Statute by bribing health care professionals (HCPs) by “wining and dining” them “in the form of lavish meals and entertainment expenses.”
- Earlier this year Covidien agreed to pay $17 million to resolve allegations brought forth by whistleblowers that the company violated the False Claims Act and Anti-Kickback Statute, among other laws. Alleged activities included Covidien paying physicians for services that exceeded fair-market-value or were not performed, providing free or discounted marketing staff who were tasked with driving referrals to customers, drafting free marketing plans, providing meals to referral physicians with the intent to drive referrals to customers, providing improperly structured discounts and free product and promoting off-label. The government also alleged that Covidien violated its own internal policies.
- Novartis reported in July that they are setting aside $700 million to settle a kickback case. The government alleges that the Novartis speaker programs consisted of lavish dinners, fishing trips, and other social events, which amounted to kickbacks for speakers and attendees to induce them to prescribe Novartis drugs. The government alleges that Novartis paid doctors for speaker programs that did not occur and that the drug maker violated its own internal policies which require speaker programs to have a legitimate educational purpose.
- Allscripts disclosed in their latest 10-Q a $145 million preliminary settlement with the DOJ related to HIPAA and kickback violations related to an electronic health record (EHR) vendor that it had acquired. The government alleges that the EHR vendor misrepresented the capabilities of its technologies in order to obtain a certification offered by an HHS EHR Incentive Program.
- The government recently charged two compliance officers working at pharmaceutical distribution companies for their alleged connection to the opioid epidemic. In July the DOJ charged wholesaler Miami-Luken along with its CEO and compliance officer for allegedly unlawfully distributing painkillers. Earlier this year the DOJ also charged Rochester Drug Co-Operative (RDC), its CEO, and the chief compliance officer for alleged violations.
The government shows no signs of relenting. Since fiscal year 2004, the OIG has reported over $53 billion in “expected investigative recoveries” in cases alleging health care fraud.
Senator Charles Grassley complained on September 4, 2019 to U.S. Attorney General William Bar that the DOJ is dismissing whistleblower cases without appropriate consideration. Senator Grassley, the champion of the Physician Payments Sunshine Act, has long been critical of the drug and device industry. He wrote in his letter to Attorney General Barr, “The qui tam provisions have reinvigorated an Act which had been mostly left for dead after the 1940s. In order for the law to continue working, DOJ must let the qui tam provision work the way it was intended and allow relators to proceed with litigation on their own.”
We predict an increase in whistleblower, a.k.a., “qui tam” or “relator” lawsuits alleging violations of the Anti-Kickback Statute and False Claims Act because prosecuting off-label promotion has become less popular among prosecutors due to repeated losses in court.
What can you do to protect yourself and your company—and ultimately benefit patients and payors?
Answer: Follow the CPG. Begin by auditing your compliance program and conducting monitoring activities.
Manufacturers are often reluctant to conduct auditing and monitoring activities because they feel they don’t have time to be proactive and are too busy reacting to issues and putting out fires. Many manufacturers also fear the unknown of looking under the hood and believe they won’t have adequate time and resources to fix issues uncovered. This is a myopic and dangerous strategy.
Manufacturers and employees can be “excluded” from health care – which is effectively a career-ending penalty for responsible executives. Best practice is to dedicate appropriate resources for monitoring and auditing programs to help uncover issues that can be resolved before it is too late.
What is auditing? Also known as a “gap assessment,” a compliance audit is a more formal and systematic examination of company behavior applied against legal, regulatory and industry best practices and company rules set forth in the compliance program. Audits are often conducted under privilege. Focus is directed towards company interactions with those in a position to purchase company products and/or influence prescribing behavior.
During an audit, functions that interact with HCPs and health care entities are interviewed. Documentation is reviewed, e.g., consulting and grant agreements, transparency reports, job descriptions, commercial plans, policies and procedures, promotional materials, among other things. Testing is also often performed in order to determine whether rules are being followed.
The scale of an audit is largely driven by the size of an organization and commercial activities. Some organizations choose to have their entire compliance program audited while others focus on auditing specific activities. The output of an audit includes a report and action plan for remediation as necessary.
What standards are audited against? Best practice is to audit the compliance program against the CPG, internal policies and procedures, the PhRMA Code for drug makers and the AdvaMed Code for device makers (which was recently updated as we reported in June), and ACCME guidance. The following laws are also audited against: Anti-Kickback Statute; False Claims Act; HIPAA; Physician Payments Sunshine Act; and the Food, Drug & Cosmetic Act.
What is typically audited?
- Speaker bureaus (audit contracts for compliance with Personal Services and Management Contracts Safe Harbor; audit speaker compliance with FDA off-label safe harbors; and perform copy review)
- HCP consulting arrangements
- Provision of meals to HCPs
- Promotional materials, including social media
- Transparency reporting and gift-ban law adherence
- Provision of health economic and reimbursement information and support for patients and customers
- Discounts, rebates and free product programs
- Compliance training
- Scientific exchange (responses to off-label questions and requests for off-label information)
- Provision of grants and charity
- Collaborative marketing with customers
- Research activities
- Distributor practices
- Educational and training programs
- Privacy exposure
- General commercial staff adherence to Compliance Program policies and procedures, PhRMA Code or AdvaMed Code, ACCME guidance, and the CPG
What is monitoring? Monitoring is less intensely focused and involves ongoing day-to-day compliance management and oversight of activities and processes. This involves addressing questions from staff and issues as they surface—e.g., staff providing inappropriate reimbursement or health economic advice; responding to a question from a sales leader asking if they can discount product; addressing an expense report violation involving an HCP whose spouse received a meal; staff paying an HCP to speak when they are not under a contract; addressing a salesperson making a homemade sales presentation discussing off-label uses; staff promising an HCP a grant before appropriate staff have vetted the request; and a sales person promising a customer a lucrative consulting job in order to gain their loyalty.
Manufacturers should embed compliance support into day-to-day operations. A compliance point person needs to be available to answer questions. Absent one, employees will make their own decisions without guidance—which is risky, especially in a high-pressure environment.
Other examples of monitoring include:
- Ride-alongs in the field with commercial staff
- Holding periodic Compliance Committee meetings to discuss hot spots
- Having a promotional review committee consisting of qualified Medical, Legal (compliance) and Regulatory professionals who review all promotional materials and advertising prior to use
- Systematic grant review by a Grant Committee
- Annual needs assessment for consultants
- Establishing and enforcing a robust speaker bureau procedure
- Periodic Board reporting about compliance
- Qualifying and performing background checks on HCP consultants before they are hired
- Reviewing hotline reports
- Monitoring consultant compensation caps
Benchmarking. As part of ongoing monitoring, a manufacturer may also consider periodically comparing its Open Payments data with competitors and industry averages. For example, see Figure 3. As we reported in our July Transparency Regulatory Alert a company officer must attest that the physician payments and physician ownership data the company is required to submit annually to the Centers for Medicare and Medicaid Services (CMS) is “timely, accurate, and complete to the best of his or her knowledge and belief.” As we recently reported, the Sunshine Act was recently expanded to cover certain nurse specialties. There are also state requirements that manufacturers are often unaware of and fail to meet.
Figure 3: Example Comparison of Open Payments Data