keeping house compliance risk assessment medical device summit.pptx

Keeping House: Key Areas for Compliance Risk Assessments for Device Manufacturers

Gina M. Cavalier, +1 (202) 626-5519

Laura Snodgrass, +1 (202) 626-3739


Post on 21-Jul-2015



Page 2: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Outline of Presentation

• Why are risk assessments important?

• What is a risk assessment?

• Who should conduct the risk assessment?

• When to conduct a risk assessment?

• How to conduct a risk assessment?

• What to cover in a risk assessment?

• What are the hot topics?

• Then what?

Page 3: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Introduction: Big Benefits for Business

• Risk assessments:

― Make compliance efforts more effective

― Lower legal risk

― Save money

― Legal fees, Settlements, Civil penalties

― Good for business

― Reputation, competition

― Good for culture and morale

― Consistency, fairness

― Give peace of mind

― Account for and help manage and mitigate evolving risk

Page 4: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Federal Sentencing Guidelines/OIG

― 7 elements of an “Effective Compliance and Ethics Program”

Page 5: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Federal Sentencing Guidelines

― “8th element”

― The 2004 revisions to the FSGs included an important new provision

― Section 8B2.1 Effective Compliance and Ethics Program

Page 6: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• They are the future of compliance

― Health care reform laws and regulations have adopted, and government agencies have embraced or endorsed, conducting risk assessments as part of an effective compliance program

― PPACA

― MA/Part D Regulations

― DOJ FCPA Guidance

― OIG CIAs

Page 7: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Health Care Reform Law: Patient Protection and Affordable Care Act (PPACA)

― Section 6102 - mandatory compliance program for SNFs/NFs, expressly includes 8th element in statutory language:

― Section 6401 PPACA - mandatory compliance program for all Medicare providers

― Rulemaking: CMS indicated that compliance program core elements will be similar to those for SNFs/NFs = include 8th element

Page 8: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• DOJ Guidance on FCPA

― Risk assessment is “fundamental to developing a strong compliance program, and is another factor DOJ” evaluates when assessing a company’s compliance program

Page 9: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Abbott CIA

― Company had already been conducting risk assessment of sales, marketing and off-label promotion

― Contractually required to continue risk assessments


Page 10: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Amgen CIA

― Existing standard annual risk assessment process


Page 11: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• GSK CIA

― Company had started a risk assessment process

― CIA incorporates GSK’s specific system

Page 12: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are risk assessments important?

• Medicare Advantage and Part D Programs

• Mandatory compliance program requirements, effective January 1, 2011

• April 2010 final rule (72 Fed. Reg. 19,678), strengthened initial MA and Part D compliance program standards, incorporates 7 elements and reference to “external audits”

Page 13: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are Risk Assessments Important?

• Enforcement environment is active and continuously evolving

• Top 15 Civil False Claims Act Cases

― 13 of 15 represent the healthcare industry

Page 14: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are Risk Assessments Important?

• Health Care Fraud and Abuse Control Program FY 2012

― Federal government won or negotiated over $3 billion in health care fraud judgments and settlements

― DOJ opened 1,131 new criminal health care fraud investigations (2,032 cases were pending) involving 2,148 potential defendants

― 826 defendants convicted of health care fraud related crimes

― DOJ opened 885 new civil health care fraud investigations (along with 1,023 already pending)

― OIG excluded 3,131 individuals and entities

― HEAT (Health Care Enforcement Action Team) and “Medicare Strike Force” Teams

Page 15: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are Risk Assessments Important?

Examples of Manufacturer Enforcement and Settlements in 2012/13

• Orthofix Inc - June 2012

― $42 million

― Civil FCA relating to the company’s sale of bone growth stimulator devices

― Felony obstruction of justice

• Blackstone Medical, Inc - November 2012

― $30 million

― Blackstone Medical is a subsidiary of Orthofix International, parent company of Orthofix, Inc.

― Kickbacks to spinal surgeons in the form of compensated travel and entertainment, sham consulting agreements, sham royalty agreements, and sham research grants

• GSK - July 2012

― $3 billion

― Criminal and civil liability arising from the company’s unlawful promotion of certain prescription drugs, its failure to report certain safety data, and its civil liability for alleged false price reporting practices.

• Amgen - December 2012

― $1.4 billion

― Civil and criminal FCA liability related to the marketing and promotion of certain drugs, offering kickbacks to healthcare providers, and false price reporting practices

• Victory Pharma, Inc. - December 2012

― $11.4 million

― FCA allegations that it paid doctors illegal kickbacks to encourage them to prescribe the company’s products, including tickets to sporting events, dinners, ski and spa outings, and paying physicians to allow sales representatives to “shadow” them.

• Sanofi - June 2013

― 5 year exclusion

― A former Sanofi pharmaceutical sales representative and sales manager provided samples to physicians with the expectation that the physicians would bill Medicare for the samples

• Physician - April 2013

― $63,900

― Dr. Lux., Missouri, agreed to pay for allegedly receiving kickbacks from a medical device manufacturer in the form of payments made under a clinical registry contract.

Page 16: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Why are Risk Assessments Important?

• Practical Considerations

― Proactive versus reactive

― Identify, measure, and prioritize compliance risks

― Determine effectiveness of current compliance efforts

― Allocate resources effectively to mitigate compliance risks

― In a federal investigation, DOJ will consider whether the organization audited its compliance program

"I know one thing: that I know nothing" (Greek: ἓν οἶδα ὅτι οὐδὲν οἶδα, hèn oîda hóti oudèn oîda)

--The Socratic paradox derived from Plato's account of the Greek philosopher Socrates


Page 17: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

What is a risk assessment?

• Systematic review of policies and practices to identify vulnerabilities in an environment of evolving risks

― Individual risks

― Comparative risks

― To other internal risks

― To external environment

― Overall risk profile

• Distinct from regular auditing and monitoring

• Baseline versus maintenance versus targeted

Page 18: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Who should conduct the risk assessment?

• External versus Internal?

― Independence

― Credibility with Board, government

― Fresh look (Red Team)

― Benchmarking – what are competitors doing

― Privileged v. need for transparency

― Resource Allocation (workforce utilization)

― Costs

― Administrative burdens, disruption to business

― Initial v. interim, smaller scope or maintenance assessments


Page 19: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

When to conduct a risk assessment?

• When and How Often

― Now

― Federal Sentencing Guidelines: “Periodically”

― Regularly

― Again

• Factors that influence timing

― Resource allocation/budgeting

― Corporate calendar (annual sales meeting; end of fiscal year)

― Risk-based trigger; risk evolution

― OIG Workplan

― Settlements/Enforcement


Page 20: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

How to conduct a risk assessment?

• No one right way

• Tailored

• DOJ: “One size fits all compliance programs are . . . ill-conceived and ineffective”

• CIA provisions are company-specific


Page 21: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

How to conduct a risk assessment?

• Pre-assessment Planning

― Executive Support

― Identify key stakeholders/participants

― Compliance, Internal Audit, Marketing, Senior Management, Sales, etc.

― Range of levels/positions

― Budgeting

― Invest now

― Communication of objectives

― Foster an environment of cooperation

― Assurances against employee-specific targeting


Page 22: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

How to conduct a risk assessment?

• Document collection and review

― General

― Compliance Code

― Compliance policies and procedures

― Previous audit/risk assessment reports (internal or external)

― Compliance hotline reports

― Customer complaints

― Template/sample agreements

― Training materials

― Budgeting materials

― Sample sales/marketing materials

― Compliance communications

― Specific

― For example, reimbursement assistance/information


Page 23: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

How to conduct a risk assessment?

• Interviews

― Select personnel

― Management

― Staff

• Prepare Interview Outline

Ask general questions

• Do you have a copy of the Code of Conduct?

• Where do you go/who do you ask if you have a compliance question?

• What is the hotline phone number?

• What kind of compliance training did you receive?

Ask specific questions

• What are the Company’s policies regarding meals?

• Recoupment of demonstration equipment?

• How do you interact with patients/HCPs?

Ask open-ended questions

• What else do you think I should know?

• What else would you like to tell me?

• What are your compliance concerns?

Page 24: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

What to cover in a risk assessment?

• The Company’s own past identified risk areas

― Hotline

― Prior settlements

― Customer complaints

― Competitor Compliance officer calls

― Sales force questions

― Employee discipline


Page 25: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

What to cover in a risk assessment?

• Government enforcement trends: “hot topics”

― Relationships with HCPs

― Price reductions (Discounts, Rebates, Bundles)

― Value-added services

― “Free” items

― Demos, evals, loaners

― Reimbursement support

― Clinical Trials/Post-Market Studies/ Registries

― Referral Generation/Practice development and growth

― Sales incentives/sales commission


Page 26: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Then What?

Federal Sentencing Guidelines 8B2.1

Company shall “assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each” of the seven elements of an effective compliance program

Page 27: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Then What?

• Assess and identify possible risks/vulnerabilities

― Likelihood of the risk

― Impact if risk occurs

― Mitigating factors

• Test against Relevant Authorities

― Anti-Kickback Law, regulations, Advisory Opinion, Fraud Alerts, OIG Guidance

― Settlements and CIAs

― AdvaMed Code

• “Rate” or “Rank” Risks


Page 28: Keeping House Compliance Risk Assessment Medical Device Summit.PPTX

Then What?

• Report findings

― Compliance Committee

― Senior Management

― Board

• Corrective Action/Remediation

• Accountability
