Upload
gina-m-cavalier
View
171
Download
0
Tags:
Embed Size (px)
Citation preview
Keeping House:Key Areas for Compliance Risk
Assessments for Device Manufacturers
Gina M. Cavalier
+1 (202) 626-5519
Laura Snodgrass
+1 (202) 626-3739
• Why are risk assessments important?
• What is a risk assessment?
• Who should conduct the risk assessment?
• When to conduct a risk assessment?
• How to conduct a risk assessment?
• What to cover in a risk assessment?
• What are the hot topics?
• Then what?
Outline of Presentation
2
• Risk assessments:
― Make compliance efforts more effective
― Lower legal risk
― Save money
― Legal fees, Settlements, Civil penalties
― Good for business
― Reputation, competition
― Good for culture and morale
― Consistency, fairness
― Give peace of mind
― Account for and help manage and mitigate evolving risk
Introduction: Big Benefits for Business
3
• Federal Sentencing Guidelines/OIG
― 7 elements of an “Effective Compliance and Ethics Program”
Why are risk assessments important?
4
• Federal Sentencing Guidelines
― “8th element”
― The 2004 revisions to the FSGs included an important new provision
― Section 8B2.1 Effective Compliance and Ethics Program
Why are risk assessments important?
5
• They are the future of compliance
― Health care reform laws and regulations have adopted, and government agencies have embraced or endorsed conducting risk assessments as part of an effective compliance program
― PPACA
― MA/Part D Regulations
― DOJ FCPA Guidance
― OIG CIAs
Why are risk assessments important?
6
• Health Care Reform Law: Patient Protection and Affordable Care Act (PPACA)
― Section 6102 - mandatory compliance program for SNFs/NFs, expressly includes 8th element in statutory language:
― Section 6401 PPACA- mandatory compliance program for all Medicare providers
― Rulemaking CMS indicated that compliance program core elements will be similar to those for SNFs/NF = include 8th
element
Why are risk assessments important?
7
• DOJ Guidance on FCPA
― Risk assessment is “fundamental to developing a strong compliance program, and is another factor DOJ” evaluates when assessing a company’s compliance program
Why are risk assessments important?
8
Why are risk assessments important?
• Abbott CIA
― Company had already been conducting risk assessment of sales, marketing and off-label promotion
― Contractually required to continue risk assessments
9
Why are risk assessments important?
• Amgen CIA
― Existing standard annual risk assessment process
10
• GSK CIA
― Company had started a risk assessment process
― CIA incorporates GSK’s specific system
Why are risk assessments important?
11
• Medicare Advantage and Part D Programs
• Mandatory compliance program requirements, effective January 1, 2011
• April 2010 final rule (72 Fed. Reg. 19,678), strengthened initial MA and Part D compliance program standards, incorporates 7 elements and reference to “external audits”
Why are risk assessments important?
12
• Enforcement environment is active and continuously evolving
• Top 15 Civil False Claims Act Cases
― 13 of 15 represent the healthcare industry
Why are Risk Assessments Important?
13
• Health Care Fraud and Abuse Control Program FY 2012
― Federal government won or negotiated over $3 billion in health care fraud judgments and settlements
― DOJ opened 1,131 new criminal health care fraud investigations (2,032 cases were pending) involving 2,148 potential defendants
― 826 defendants convicted of health care fraud related crimes
― DOJ opened 885 new civil health care fraud investigations (along with 1,023 already pending)
― OIG excluded 3,131 individual and entities
― HEAT (Health Care Enforcement Action Team) and “Medicare Strike Force” Teams
Why are Risk Assessments Important?
14
• Orthofix Inc - June 2012
― $42 million
― Civil FCA relating to the company’s sale of bone growth stimulator devices
― Felony obstruction of justice
• Blackstone Medical, Inc - November 2012
― $30 million
― Blackstone Medical is a subsidiary to OrthofixInternational, parent company of Orthofix, Inc.
― Kickbacks to spinal surgeons in the form of compensated travel and entertainment, sham consulting agreements, sham royalty agreements, and sham research grants
• GSK - July 2012
― $3 billion
― Criminal and civil liability arising from the company’s unlawful promotion of certain prescription drugs, its failure to report certain safety data, and its civil liability for alleged false price reporting practices.
• Amgen – December 2012.
― $1.4 billion
― Civil and criminal FCA liability related to the marketing and promotion of certain drugs, offering kickbacks to healthcare providers, and false price reporting practices
Why are Risk Assessments Important?
15
• Victory Pharma, Inc. - December 2012
― $11.4 million
― FCA allegations that it paid doctors illegal kickbacks to encourage them to prescribe the company’s products, including tickets to sporting events, dinners, ski and spa outings, and paying physicians to allow sales representatives to “shadow” them.
• Sanofi - June 2013
― 5 year exclusion
― A former Sanofi pharmaceutical sales representative and sales manager provided samples to physicians with the expectation that the physicians would bill Medicare for the samples
• Physician - April 2013
― $63,900
― Dr. Lux., Missouri, agreed to pay for allegedly receiving kickbacks, from a medical device manufacturer in the form of payments made under a clinical registry contract.
Examples of Manufacturer Enforcement and Settlements in 2012/13
Why are Risk Assessments Important?
• Practical Considerations
― Proactive versus reactive
― Identify, measure, and prioritize compliance risks
― Determine effectiveness of current compliance efforts
― Allocate resources effectively to mitigate compliance risks
― In a federal investigation, DOJ will consider whether the organization audited its compliance program
"I know one thing: that I know nothing" (Greek: ἓν οἶδα ὅτι οὐδὲν οἶδα hèn oîda ὃti oudèn oîda)
--The Socratic paradox derived from Plato's account of the Greek philosopher Socrates
16
• Systematic review of policies and practices to identify vulnerabilities in an environment of evolving risks
― Individual risks
― Comparative risks
― To other internal risks
― To external environment
― Overall risk profile
• Distinct from regular auditing and monitoring
• Baseline versus maintenance versus targeted
What is a risk assessment?
17
Who should conduct the risk assessment?
• External versus Internal?
― Independence
― Credibility with Board, government
― Fresh look (Red Team)
― Benchmarking – what are competitors doing
― Privileged v. need for transparency
― Resource Allocation (workforce utilization)
― Costs
― Administrative burdens, disruption to business
― Initial v. interim, smaller scope or maintenance assessments
18
When to conduct a risk assessment?
• When and How Often
― Now
― Federal Sentencing Guidelines: “Periodically”
― Regularly
― Again
• Factors that influence timing
― Resource allocation/budgeting
― Corporate calendar (annual sales meeting; end of fiscal year)
― Risk-based trigger; risk evolution
― OIG Workplan
― Settlements/Enforcement
19
How to conduct a risk assessment?
• No one right way
• Tailored
• DOJ: “One size fits all compliance programs are . . . ill-conceived and ineffective”
• CIA provisions are company-specific
20
How to conduct a risk assessment?
• Pre-assessment Planning
― Executive Support
― Identify key stakeholders/participants
― Compliance, Internal Audit, Marketing, Senior Management, Sales, etc.
― Range of levels/positions
― Budgeting
― Invest now
― Communication of objectives
― Foster an environment of cooperation
― Assurances against employee-specific targeting
21
How to conduct a risk assessment?
• Document collection and review
― General
― Compliance Code
― Compliance policies and procedures
― Previous audit/risk assessment reports (internal or external)
― Compliance hotline reports
― Customer complaints
― Template/sample agreements
― Training materials
― Budgeting materials
― Sample sales/marketing materials
― Compliance communications
― Specific
― For example, reimbursement assistance/information
22
How to conduct a risk assessment?
• Interviews
― Select personnel
― Management
― Staff
• Prepare Interview Outline
Ask general questions• Do you have a copy of the Code of
Conduct?
• Where do you go/who do you ask if have a
compliance question?
• What is the hotline phone number?
• What kind of compliance training did you
receive?
Ask specific questions• What are the Company’s policies regarding
meals?
• Recoupment of demonstration equipment?
• How do you interact with patients/HCPs?
Ask open-ended questions• What else do you think I should know?
• What else would you like to tell me?
• What are your compliance concerns?
23
What to cover in a risk assessment?
• The Company’s own past identified risk areas
― Hotline
― Prior settlements
― Customer complaints
― Competitor Compliance officer calls
― Sales force questions
― Employee discipline
24
What to cover in a risk assessment?
• Government enforcement trends: “hot topics”
― Relationships with HCPs
― Price reductions (Discounts, Rebates, Bundles)
― Value-added services
― “Free” items
― Demos, evals, loaners
― Reimbursement support
― Clinical Trials/Post-Market Studies/ Registries
― Referral Generation/Practice development and growth
― Sales incentives/sales commission
25
Then What?
Federal Sentencing
Guidelines 8B2.1
Company shall “assess the
risk of criminal conduct and
shall take appropriate steps
to design, implement, or
modify each” of the seven
elements of an effective
compliance program
26
Then What?
• Assess and identify possible risks/vulnerabilities
― Likelihood of the risk
― Impact if risk occurs
― Mitigating factors
• Test against Relevant Authorities
― Anti-Kickback Law, regulations, Advisory Opinion, Fraud Alerts, OIG Guidance
― Settlements and CIAs
― AdvaMed Code
• “Rate” or “Rank” Risks
27
Then What?
• Report findings
― Compliance Committee
― Senior Management
― Board
• Corrective Action/Remediation
• Accountability
28