On October 3, 2002, the Office of Inspector General ("OIG") of the U.S. Department of Health and Human Services ("HHS") issued its draft compliance guidance for the pharmaceutical industry.1 The draft guidance comes at a time when the pharmaceutical industry has become and remains under the microscope of government enforcement agencies. Pharmaceutical companies have become the target for numerous investigations by the Medicare and various state Medicaid programs. These investigations have often resulted in very substantial financial penalties being paid by the pharmaceutical companies. Even more significant is the fact that nearly all the settlements have also resulted in the company being bound by the stringent requirements of a "corporate integrity agreement." In some cases, criminal liability has resulted in prison terms imposed on corporate executives and physicians alike.

The OIG's draft guidance follows a format established by the OIG when it published its draft compliance guidance for other segments of the healthcare industry.2 Seven key elements, originally derived from the U.S. Sentencing Guidelines, are included in each of the OIG's pronouncements. Thus, the guidance for the pharmaceutical industry contains few surprises. While a compliance program may be expensive and time consuming to implement, a well designed program has the potential to yield significant protections for the company.

INTRODUCTION

The OIG's draft guidance specifically applies to pharmaceutical manufacturers, i.e., those companies that develop, manufacture, market and sell pharmaceutical drugs or biological products. It does not apply to retail pharmacies or to medical device manufacturers, although pharmacies and particularly device manufacturers can easily adapt some of the principles contained in the draft guidance to their operations. The draft guidance was issued in proposed form and it may be subject to revision or refinement based on the comments received by the OIG after its publication.3 A final version of the draft guidance is likely to be published sometime in 2003.

SEVEN KEY ELEMENTS

Similar to all of the OIG's prior compliance pronouncements, the draft guidance for the pharmaceutical industry outlines seven essential elements for a basic compliance program. These seven elements are: 1.) written standards of conduct and related policies and procedures; 2.) a compliance officer and other appropriate corporate bodies such as a compliance committee or task force; 3.) education and training programs; 4.) effective lines of communication including the establishment of a hotline or similar reporting system; 5.) audits and similar evaluation techniques; 6.) policies and procedures regarding "excluded" persons or entities and disciplinary procedures for employee violation of corporate compliance policies; and 7.) policies and procedures for the investigation of identified noncompliance. Although not listed by the OIG as an element of a compliance program, the author submits that high level buy-in is absolutely essential for the implementation and on-going operation of an effective compliance program.4

Code of Conduct


A company's written code of conduct should encompass the specific risk factors identified by the OIG in its draft guidance and discussed later in this paper. These risk factors relate to issues involving Medicare and Medicaid reimbursement and the company's relationship with its sales force and its arrangements with various healthcare providers. The code of conduct should also include other legal risk areas including antitrust considerations, FDA regulatory issues, and employment-related matters. Compliance with the obligations of the Sarbannes-Oxley Act of 2002 may also be relevant for inclusion in the Code of Conduct.

Compliance Officer and Committees

No compliance program will be effective without the accountability of a person or persons within the organization dedicated to the overall success of the program. Therefore, a designated compliance officer is absolutely essential to the successful workings of the program. Critical considerations impacting the compliance officer's success include the budgetary resources allotted to compliance, direct access to the CEO and/or the board of directors, and coordination with various departments within the organization (e.g., HR, legal, finance, marketing). Additional support and accountability may be achieved through the establishment of a compliance committee or task force. The size and complexity of the company will be relevant factors for determining whether and to what extent committees and/or task forces will be needed or advisable. Committees and task forces provide a broad range of talents and experience to the task of corporate compliance.

Training and Education

A compliance program is only effective if its content is known and understood by the company's employees. In addition, it is important for the company's commitment to compliance (i.e., a culture of compliance) to be communicated to its staff. Thus, another element deemed essential by the OIG is effective training and education. While some amount of general training is necessary at all levels within the organization, specific and more extensive training will apply to particular areas of the organization. One of the more obvious areas is the marketing and sales force, given the risks identified by the OIG in the draft guidance. Specific training should be made mandatory for the entire sales staff with a special focus on the PhRMA Code and laws such as the Medicare Anti-Kickback Law and the Prescription Drug Marketing Act. As noted above, such training should be mandatory for all sales and marketing personnel. All new sales personnel should receive extensive training on these issues and the company's expectations prior to conducting any work in the field. Documentation of attendance is an absolute necessity in order to realize the full benefit of a compliance program.

Another area of particular training focus is the finance department, especially in connection with the establishment of the average wholesale price for the company's products.

Lines of Communication

The OIG has emphasized the need for effective lines of communication. In its draft guidance, the OIG stated that "employees must be able to ask questions and report problems."5 Open door policies are recommended and access by all employees to the compliance officer is deemed important to the successful implementation of the compliance program. One means encouraged by the OIG is the establishment of a "hotline" or other forms of information exchanges. Such hotlines should encourage the employees to identify themselves when reporting a suspect matter in the event follow up questions are necessary. However, the system utilized should also allow for anonymous reporting in order to fully and completely encourage reporting of potential noncompliance.

Audits and Other Forms of Monitoring

The OIG strongly recommends incorporating a monitoring program into the compliance plan. Audits and other reviews provide an assessment of a company's compliance with applicable laws. Many companies conduct a fairly extensive review upon initially implementing a compliance program. The results of such a review provide a benchmark for future measurement. However, when conducting such a review, a company must be prepared to deal with the results of the review. In some cases, this may require self-disclosure to the government of significant problems.

Enforcement Standards

The draft guidance makes it clear that an effective compliance program should include specific disciplinary policies for violations of pertinent laws or the company's code of conduct. A graduated series of sanctions up to and including termination should be developed in conjunction with the human relations department. The existence of union contracts may complicate this aspect of the compliance program.

Responding to Detected Problems


The final element recommended by the OIG is response mechanisms for detected noncompliance. As noted by the OIG in its draft guidance, detected but uncorrected misconduct can "endanger the reputation and legal status of the company."6 Thus, it is important for the compliance program to outline the general steps to be taken whenever there are reasonable indications of suspected noncompliance. The compliance program should include the investigatory steps to be taken by the compliance officer, possibly with the assistance of legal counsel, to determine whether noncompliance has occurred and to what extent. In addition, the compliance program should require a corrective action plan to fix the issue on a going-forward basis. In the case of serious noncompliance, the compliance plan should contemplate the process for reporting the matter to the appropriate government agency.

IDENTIFIED RISK AREAS

A well designed compliance program will include specific focus on issues perceived by the OIG to pose a particular risk for pharmaceutical compliance. In its draft guidance, the OIG identified several specific risk areas which the OIG believes to be especially pertinent to pharmaceutical manufacturers.

Data Integrity

The first risk area identified by the OIG concerns the pricing and sales data directly or indirectly furnished to the government by pharmaceutical companies. Recent events, in fact, indicate that this is an area of intense focus by government investigators. Numerous companies have been sued under the federal False Claims Act for alleged manipulation of their average wholesale price (AWP). This issue is especially pertinent in connection with the Medicaid Rebate Program. Since the company is, in the words of the OIG, "responsible for ensuring the integrity of the data they generate"7, an effective compliance program will need to focus significant resources on this issue.

An effective compliance program will specifically address issues related to product pricing. A detailed baseline audit of the company's current pricing practices might be undertaken in this regard. As a result of the complex nature of the calculation of the AWP, the compliance officer may need to rely on internal or external experts in determining whether the company is, in fact, in compliance with this complicated area of the law.

Kickbacks and Other Illegal Remuneration


The federal Anti-Kickback Law8 places considerable constraint on the sales and marketing practices of healthcare-related companies. Practices that are common in other industries may, in fact, result in criminal liability when utilized by a pharmaceutical company. The Anti-Kickback Law is a broadly worded statute that prohibits the payment of anything of value in return for patient referrals or in return for the purchasing, leasing, ordering or arranging for or recommending the purchase, lease or ordering of any item or service reimbursable in whole or in part by a federal healthcare program.9

Given the broad scope of this law, the OIG has promulgated "safe harbor" regulations that exempt certain arrangements from prosecution. Relevant safe harbors include those for discounts, warranties, employee relationships, group purchasing organizations, and shared risk arrangements.10

In its draft guidance, the OIG cautions pharmaceutical companies to carefully structure their relationships with purchasers of their products. Discounts and other terms of sale may potentially implicate the Anti-Kickback Law if the products are reimbursable, in whole or in part, by a federal healthcare program. In addition, incentive payments to those in a position to influence the purchase of a manufacturer's products also implicate the Anti-Kickback Law.

Discounts clearly implicate the law, but a broad safe harbor exception potentially exempts many pricing arrangements utilized by pharmaceutical companies. However, detailed requirements including certain reporting obligations must be satisfied for this exception to apply. In addition, certain arrangements such as conversion payments, signing bonuses and up-front rebates do not by their very nature qualify for the discount exception and must be carefully reviewed.11

Another area potentially implicating the Anti-Kickback Law concerns the company's relationship with physicians and other healthcare professionals in a position to make recommendations regarding the company's products. "Switching" arrangements and other payments made to physicians potentially violate the Anti-Kickback Law and the OIG recommends that a company's compliance program pay particular attention to such arrangements. It is important to note in this regard that remuneration for purposes of the Anti-Kickback Law goes beyond the direct payment of cash. Entertainment, travel and in-kind payments potentially invoke the law's prohibitions. In addition, payments allegedly made for consulting services or grants for research or education may constitute illegal remuneration if one purpose of the payment is to influence the physician's recommendations or referrals.

Given the broad reach of the Anti-Kickback Law, it is sometimes difficult to determine what practices will result in legal difficulties for the company. The OIG notes in its draft guidance that a "good starting point" for questions of this nature is the voluntary code promulgated by the Pharmaceutical Research and Manufacturers of America (PhRMA). The PhRMA Code contains a detailed framework for reviewing questions related to the Anti-Kickback Law. Certainly, if a practice is prohibited by the PhRMA Code, it is likely to be suspect under the Anti-Kickback Law. However, the OIG emphasizes that the PhRMA Code is only a minimum standard and compliance officers are cautioned that in many cases questions related to the Anti-Kickback Law can only be resolved based on detailed legal analysis of all the pertinent facts and circumstances. In any event, an effective pharmaceutical compliance program will devote considerable attention to this issue. The program should include extensive education sessions with pertinent personnel. In addition, random audit procedures should be developed to ensure compliance with this critical issue.

PRACTICAL CONSIDERATIONS

While the benefits of a compliance program are quite clear and the draft guidance provides a general framework for designing an effective program, pharmaceutical companies are nonetheless left with considerable uncertainty as to how to best tailor a program to meet their specific needs. Discussed below are a few practical recommendations to consider when implementing a compliance program.

Limited Budgets

It is quite clear that in regard to compliance programs "one size shoe does not fit all." While large companies may have the financial resources and in-house capabilities to operate a comprehensive compliance program, small start-ups will be inherently limited in terms of their compliance capabilities. Probably the only constant is the risks faced by all pharmaceutical manufacturers for violation of the law. That said, it is clear that each company will need to establish an effective compliance program within the needs and constraints of the organization.

For those companies faced with budgetary restrictions, the first step should be a prioritization of the risks and challenges confronting the company. The compliance officer should, therefore, conduct an assessment of the factors particular to the company that may involve high risk areas. If resources are limited, the initial focus should be on issues that have the greatest probability of impacting the company, or which have the highest likelihood of having very serious financial or other impact on the company. The specific risk areas identified by the OIG in its draft guidance also provide a good starting point for most compliance programs. Obviously, those risk areas have and will continue to receive ample attention from the government enforcers, and a compliance program limited by budgetary constraints would be well served by focusing on those areas. After reviewing the high-risk areas, as time and resources permit,, other areas of potential risk can be reviewed.

A compliance program on a limited budget should also make use of the vast amount of resources available today. Trade associations provide a significant amount of relevant material and the internet is a very useful tool for a variety of compliance-related matters.

Resistance, Stonewalling and Other Scary Events

Compliance officers are occasionally confronted with situations where it appears that senior management are not taking compliance matters as seriously as they should. Hopefully, such situations are rare, especially in these days of heightened awareness of corporate internal activities in the wake of the Enron, Adelphia, Tyco and other corporate scandals. However, a compliance officer should have an action plan for dealing with such resistance. First and foremost, a compliance officer confronted with entrenchment should recheck his or her facts and confirm that their assertions are correct. If still convinced that a serious problem exists, confirm your beliefs in writing to as high a level as necessary. If necessary, matters may need to be taken to the board of directors or the board's audit committee. The directors should be especially sensitive to compliance program issues in light of judicial statements in cases such as In Re Caremark International, Inc., a Delaware Chancery Court decision wherein the court held that directors face personal liability for failure to maintain corporate compliance programs.

Personal Liability of Compliance Officers

As if the discussion of the situation described above is not frightening enough, compliance officers are not afforded any special protection from liability by virtue of their position. However, by performing their job in good faith and using reasonably prudent judgment, the compliance officer should not be exposed to substantial personal risk. That said, it is incumbent on all compliance officers to follow the recommendations outlined above. If your organization persists in ignoring clear cut compliance problems, it is better to dust off your resume than to face the unpleasant consequences witnessed recently in the previously mentioned corporate scandals.

Attorney-Client Privilege

As discussed previously, a well-designed compliance program will include various levels of audits and reviews. In addition, issues reported to the compliance officer will need to be investigated until satisfactory closure of the issue. In such instances, there is always the chance of uncovering a substantial situation of noncompliance. While there are no hard and fast rules, such instances may warrant conducting the review under the protections of the attorney-client and attorney work product privileges. Please note, however, that such privileges are not ironclad. They may be lost in numerous ways, including inappropriate waiver or disclosure, the application of the crime fraud exception, or, in certain instances, assertions that in-house counsel was not functioning in a legal capacity. In any event, in such situations, it is better to discuss the matter with legal counsel before going too far with the review process.

Corporate Integrity Agreements

An effective compliance program will hopefully keep a company out of trouble with the federal government. However, if a company has already been the target of a federal investigation it is possible that a corporate integrity agreement ("CIA") has been imposed as part of the settlement of the matter. In such cases, the CIA will mandate compliance program activities be undertaken by the organization. Strict adherence to the requirements of the CIA is absolutely necessary and the compliance officer will need to ensure that the CIA requirements are followed whenever those requirements differ from the procedures outlined in the company's compliance program.

Compliance takes on an entirely new level of risk when a company is operating under a CIA. The CIA will likely require certain certifications regarding compliance. The organization needs to be absolutely certain when making such certifications. Incorrect certification can lead to additional civil and/or criminal penalties.

FOOTNOTES

1 The draft guidance was originally published in Volume 67 of the Federal Register beginning on page 62057. It can also be found on the OIG's website (oig.hhs.gov).
2 The OIG has previously published compliance guidance for hospitals, skilled nursing facilities, third party billing companies, ambulance suppliers, physician groups, durable medical equipment companies, hospices, clinical labs, and home health agencies.
3 Public comments were received by the OIG until December 3, 2002.
4 See 67 Fed. Reg. 62057 at 62058 (right hand column) where the OIG states that "[I]n order for a compliance program to be effective, it must have the support and commitment of senior management and the company's governing board."
5 See 67 Fed. Reg. 62057 at 62065 (10/3/02).
6 See 67 Fed. Reg. 62057 at 62066.
7 Id. At 62061.
8 42 U.S.C. section 1320a-7b.
9 The most common examples of federal healthcare programs are the Medicare and Medicaid Programs. However, the Anti-Kickback law also covers all other federal healthcare programs, such as Tricare (formerly Champus).
10 The safe harbor regulations can be found at 42 CFR section 1001.952.
11 The OIG has expressed a large amount of skepticism regarding such arrangements as evidenced by a letter dated July 17, 2000, wherein the OIG stated "these practices appear to pose a significant risk of fraud and abuse." The letter is published by the OIG on its web site at http://www.oig.hhs.gov/fraud/docs/safeharborregulations/prebate.htm