Effective Outsourcing Compliance Strategies

The economic downturn, the surging costs of healthcare and the shift of the aging population from private to public insurance are key factors straining the healthcare system in the United States. The urgency to respond to this crisis has served as a catalyst to expedite and prioritize legislative activities focusing on reform. While the industry continues to be heavily scrutinized by enforcement agencies, pharmaceutical and medical device manufacturers are overwhelmed by the sweeping reform legislation.

+1
Chrissy Spicer, Judy Foxand 1 more

June 29, 2012

15 Min Read
MDDI logo in a gray background | MDDI

The economic downturn, the surging costs of healthcare and the shift of the aging population from private to public insurance are key factors straining the healthcare system in the United States. The urgency to respond to this crisis has served as a catalyst to expedite and prioritize legislative activities focusing on reform. While the industry continues to be heavily scrutinized by enforcement agencies, pharmaceutical and medical device manufacturers are overwhelmed by the sweeping reform legislation. The new wave of regulations has created turbulent times and obstacles for compliance departments. Investing in outsourcing services for establishing and maintaining a corporate compliance program are crucial to sustain growth. This article focuses on innovative, tailored strategies and considerations for outsourcing compliance.

Legislative and Enforcement Trend

Over the past two years, the DOJ and state attorneys general (AGs) have been aggressive in investigating healthcare fraud and abuse. Amendments added in May 2009 expanded the scope of liability of the False Claims Act (FCA), the tool most commonly used to recover damages and penalties. Concurrently, the Health Care Fraud Prevention and Enforcement Action Team (HEAT) formed a collaborative effort between HHS and the DOJ to combat fraud, waste, and abuse.

Often, violations result in hefty CMPs and include criminal retribution, the prosecution of individuals, corporate integrity agreements (CIAs), and in some cases, exclusion from federal healthcare programs. To prevent exclusion, FCA settlements typically result in a CIA between manufacturers and the OIG lasting five years. Among other elements, the agreement requires the implementation of the OIG’s elements of a compliance program, annual reviews by an independent organization, and in some cases reporting and monitoring specific to the activities in violation of the FCA.

 Some states have enacted legislation requiring pharmaceutical and medical device manufacturers to establish a compliance program, adopt a code of conduct, and disclose interactions with healthcare professionals. The Patient Protection and Affordable Care Act (PPACA) has elevated transparency to a federal level by requiring pharmaceutical, medical device, and diagnostic manufacturers of covered drugs to annually disclose physician payments and other transfers of value and ownership or investment interests. The act also imposes civil monetary penalties (CMPs) for violations similar to those under the Social Security Act. Ultimately, Centers for Medicare & Medicaid Services (CMS) will aggregate the information to be publically disclosed.

Key Risk Areas

Although the OIG’s guidance does not specifically apply to medical device or diagnostic manufacturers, the converging focus of enforcement and reform initiatives has lead to the adoption of the guidance across the industry. Device and diagnostic manufacturers that violated the FCA often face CIAs, which also mandate the implementation and maintenance of a corporate compliance program. This article will focus on the key risk areas highlighted by the OIG in its April 2003 Compliance Program Guidance for Pharmaceutical Manufacturers, which parallels key risks within the medical device and diagnostic industry.

The OIG specifically pinpoints federal and state healthcare program reimbursement as a key risk area for manufacturers. It cites the FCA and antikickback statues as related laws and regulations that organizations must abide.

Table I. Overview of commercial risk areas and reporting requirements.

Law

Operational Risk Areas

Reporting Requirements

Federal and state FCA

Commercial and government contracting and price reporting

Government price reporting to CMS, Veterans Affairs, and certain states

Food and Drug Cosmetic Act

Promotional and nonpromotional material review and dissemination, advertising, informational presentations given by sales representatives, speaker training and programs, scientific and educational exchange, incentive compensation

Federal and state transparency disclosure and compliance declarations

Antikickback

Commercial contracting, pricing, consultant and speaker agreements, fair market value assessments, sponsorships, exhibits and trade shows, market research, educational grants and interactions with healthcare providers and healthcare organizations, gifts and items, and meals and entertainment

Federal and state transparency disclosure and compliance declarations

Health Insurance Portability and Accountability Act

Interactions with healthcare providers and patients

N/A 

Within the government-pricing arena, there are several opportunities for both auditing and monitoring to detect and correct potential noncompliance. Best practices among pharmaceutical manufacturers and medical device and diagnostic companies that participate in Medicare, Medicaid, and state healthcare programs include hiring an independent expert within the government programs area to review all government pricing submissions on a quarterly basis and assessing or auditing government pricing on at least an annual basis. The assessment and audit can range from a high-level review of policies, procedures, and the organization’s calculation methodology to detailed transactional testing of data inputs, testing for compliance with the 10-year rule, or even a recalculation to verify accuracy of the submitted calculations.

The second key risk area cited by the OIG within the guidance is activities related to the antikickback statuteand other illegal remuneration. Auditing and monitoring is a critical activity to ensure compliance within this area. Given the magnitude of antibribery and antikickback laws and regulations, medical device and diagnostic companies lean on the expertise of third-party compliance consultants to assist in auditing and monitoring oversight.

The commercial activities that expose manufacturers to the risk of fraud and abuse include participation in federal and state healthcare programs and interactions with healthcare professionals, healthcare organizations, and patients. Table I highlights the scope of commercial governance within the United States, the operational risk areas, and related reporting requirements.

Elements of an Effective Compliance Program

To mitigate risk and respond to the evolving regulatory landscape, organizations are encouraged and in some cases required to build, implement, and maintain a compliance program. Notably, emerging and specialized manufacturers are challenged with resource and financial limitations that impact the prioritization and integration of compliance into business operations. These limitations present hurdles and challenges to building and maintaining an effective corporate compliance program. However, embedding compliance into operations to proactively identify and respond to risk and sustain compliance over time is necessary to protect the growth of the company. Table II depicts key compliance program elements and highlights operational considerations for embedding compliance into operations.

Table II. Compliance program elements and operational considerations.

Compliance Program Element

Operational Considerations

Compliance Framework

Building and implementing a scalable program Strategy and planning, establishing a framework for compliance, shared accountability and alignment, committee charter, hotline or helpline, awarenessCorporate compliance committee charter

Policy and Procedure Development

Corporate compliance governance (i.e., code of conduct and corporate compliance policies) Operational governance of medical affairs, sales, and marketing

Training

Code of conduct, regulatory and compliance overview, standard operating protocol training, and case studies

Audit and Monitoring

Risk assessment; building, maintaining, and executing an auditing and monitoring plan; reporting results; and remediating identified issuesAuditing and monitoring techniques include transaction, procedural and system review, and observation

Disciplinary and Corrective Actions

Well-publicized guidelines for enforcing disciplinary actionsReporting, investigating, and tracking infractions and corrective actions Consistent and standardization of disciplinary action enforcement

Ongoing Compliance Support

Operational support of key compliance functions (i.e., speaker program monitoring, fair market value assessments, federal and state reporting, government programs)

Manufacturers should also expand upon the OIG’s core elements and tailor compliance initiatives to further integrate ethical business practices and guiding principles conducive to a culture of compliance. Considerations for expansion include rewarding compliance excellence, restructuring incentive compensation and rewards to reinforce ethical business practices, international expansion, and establishing a framework for shared accountability and ownership of compliance.

There are outsourcing opportunities across all aspects of compliance, but this article will focus on two of the most commonly outsourced compliance areas: auditing and monitoring and federal and state reporting.

Auditing and Monitoring Program

Outsourcing a compliance auditing and monitoring function can offer an array of benefits for medical device and diagnostic companies. Partnering with a compliance-consulting vendor gives an organization access to the vendor’s expertise across multiple compliance areas. Additionally, outsourcing auditing and monitoring can result in significant cost savings and increased efficiencies because of the cost of maintaining expertise in multiple compliance areas full-time internally. Additional cost savings can be realized in increased utilization per cost incurred because outsourcing fees are typically variable based on the amount of time spent executing billable work. Another key benefit is the potential for added value provided by the expertise of the compliance-consulting vendor and input received from the consultant’s experiences and best practices identified from other clients within the industry.

While auditing and monitoring in the government pricing area can be executed within the company, there are several reasons why outsourcing auditing and monitoring may be beneficial. First, government pricing is a very specific area and requires expertise that is difficult to find within audit organizations. In most cases organizations benefit by partnering with compliance consultants who are well-versed in all government program pricing calculations and keep abreast of changing laws and regulations to properly audit and monitor the pricing submissions. This verifies that the information reported to the government is complete and accurate.

Another reason for outsourcing auditing and monitoring of government pricing programs is to ensure independence in the audit process. To perform an adequate audit or assessment, the person or persons performing the audit or assessment must be independent from the function performing the primary government pricing activities. While most pharmaceutical manufacturers and medical device and diagnostic companies maintain an independent compliance function or internal audit function, due to specialization, it is difficult to retain a government pricing expert within one of those functions that is not also being used by the government pricing group. Organizations find that the best solution to ensure independence is to use a compliance-consulting vendor with auditing and monitoring capabilities within the government pricing area.

Finally, aspects of some government pricing programs provide organizations no choice but to outsource government pricing auditing and monitoring to third-party vendors. One example is with respect to 340B entity audits. Section 1 of the 1996 HRSA Manufacturer Audit Guidelines requires the manufacturer to hire an independent audit organization employed by the manufacturer to perform audits of 340B entities.

A third-party compliance consultant can also help organizations identify their unique risk areas related to kickbacks and other illegal remuneration. This article will touch on three areas where auditing and monitoring is common in order to mitigate risk related to antikickback: speaker programs, grants, and the Foreign Corrupt Practices Act (FCPA).

Speaker program monitoring is a critical activity for most medical device and diagnostic companies that conduct them due to the associated compliance risk. An assessment of speaker programs includes verifying adequate policies and procedures to ensure compliance is in place, nominating speakers in accordance with policies and procedures, and verifying that they were selected based on criteria outlined in the policy and procedure documents. Additionally, an audit can verify that payments to speakers are provided according to internally developed fair market value rates in order to mitigate the risk of perceived kickbacks or additional remuneration for marketing the organization’s products.

Grants, exhibits, and sponsorships are other high-risk areas that require regular monitoring and auditing. Today, many medical device and diagnostic companies provide support for sponsorships and exhibits at regional or local venues, which are primarily promotional in nature and may also include purchasing booth space or advertising. It is critical to have monitoring in place to ensure policies and procedures are adequate; documentation related to approvals, contracts, and retention of disbursement checks is adequate; and there is a documented legitimate need for the grant, exhibit, or sponsorship.

The other major antikickback-related risks are the FCPA and the UK Bribery Act, which prohibit payment of anything of value to a foreign official, foreign political party, or candidate for political office for the purpose of any act of that foreign official. Third-party compliance consultants can assist companies in performing fraud risk assessments of high-risk countries, fraud due diligence reviews of vendors in foreign countries, and transactional FCPA audits at locations or vendors within foreign countries to verify compliance. Compliance consultants may even be able to pull from local resources that understand the local language and culture, which can be an extremely valuable tool in conducting an effective FCPA audit.

Outsourcing auditing and monitoring is not a ticket to never worry about compliance again. The chief compliance officer or executive responsible for auditing and monitoring should treat the outsourced auditing and monitoring consultant as a member of their own team. While the consultant may be able to provide insights into key risk areas they observe at similar organizations, no one knows your particular business better than you do. Chief compliance officers should have a detailed plan to receive regular updates from the auditing and monitoring vendor and meet with the team to frequently adjust the auditing and monitoring plan as needed based on the ever-changing regulatory environment and shift in key risks within the organization.

Federal and State Reporting

Key components when considering and evaluating any outsourced operations should include incorporating compliance goals when evaluating systems and processes and incorporating business activities to ensure the entire process is feasible and sustainable. Key stakeholders from business units impacted by transparency reporting requirements and compliance goals should be included in the initial planning phases of outsourced compliance and reporting considerations. The stakeholders should have a good understanding of the regulatory environment driving internal requirements so that new initiatives are given the appropriate considerations and vetted to ensure they align with the established compliance programs.

With any outsourced compliance functions, operational considerations begin with the regulations. The goals of the compliance program, paired with corporate legal interpretations of the regulations, define the data and information needed to support the program and meet federal and state transparency and reporting requirements. Best practices include using the data to meet reporting obligations and compliance goals such as auditing and monitoring employee activities. It is common when standardizing and harmonizing data and information capture within an organization to go beyond the scope of regulatory requirements. Doing so allows for the use of data to make for a more robust compliance program and allows for additional business insight when appropriate. System and process owners have to be consulted early, so systems used to comply with data and information capture, analysis, and ultimate reporting are appropriately evaluated and assessed for the ability to capture all of the elements of the established standardized data.

Including key stakeholders in the initial planning phases helps to ensure any outsourced activities can be implemented with the least amount of disruption to the business while still allowing for the use of data and information for compliance considerations. Before outsourcing, operational considerations include identifying the nuances and unique qualities of the business activities at hand. Outsourced suppliers and vendors should be able to configure services and supporting systems to capture required data based on the specific legal interpretations and adapt to the business specifics. Systems and processes for managing data must be evaluated to ensure sufficient detail. Often, compliance officers find that implementing requirements for data capture that extends beyond the scope of reporting requirements allows for a more robust approach to using the data in support of monitoring and auditing initiatives. Systems and manual processes must be assessed for the capability to meet these requirements.

Sales activities specific to medical device and diagnostic manufacturing may include equipment loans for demonstration, evaluation, and training purposes. Such activities may be unique to manufacturers and require specific evaluations of these activities while establishing data capture requirements and business rules. This is especially critical when outsourcing program management. The ability to manage programs according to business expectations and capture data and information so that it meets the requirements of the compliance program and aligns with any standards implemented is critical.

Establishing corporate rules for aggregating and compiling data for reporting has to include a feasibility study on current and planned processes. For example, equipment loans or device samples provided to an institution may have to be reported as a transfer of value in a variety of ways, depending on specific federal and state regulations and corporate interpretation of those regulations. Systems used to compile, assign, and aggregate data for reporting must be incorporate such requirement specifics and have the flexibility to do so in a different way for each report generated. Systems that allow for ad hoc reports enable the compliance program to benefit from investments made to meet reporting obligations.

The proposed rule (42 CFR 402 and 403) provides an impact assessment with financial estimates for manufactures to implement the requirements. Included are the costs of building systems to capture and report data and allocate resources to manage physicians and become accustomed to the process for reviewing and correcting data. CMS estimates this burden to be $169,815 for the first year and $126,874 annually for each year thereafter.1 The estimates do not include the cost of developing policies and procedures, implementing those policies through training programs, monitoring compliance, and data retention efforts. Additionally, considerations and resources must be allocated to monitoring legislative changes, capturing legal interpretations of regulations, evaluating policies and procedures when those changes occur, and when necessary making changes to systems and processes to ensure compliance to those regulatory changes.

Conclusion

It can be beneficial to look to recent initiatives used by pharmaceutical manufacturers when building a compliance program and meeting reporting obligations. Successful initiatives would include a corporate commitment to transparency in business activities with covered recipients that extends beyond meeting minimal data collection and reporting. Manufacturers are realizing that the investment required to compile data for reporting can help make for a stronger compliance program. Data is used to evaluate the overall compliance program and pinpoint geographic areas or individuals with repeat offenses of noncompliance. Data capture requirements are included in contractual arrangement, and formats are standardized to ensure third parties provide information needed for compliance. Additionally, proactive communications are used to appropriately inform reportable recipients and institutions of the manufacturer’s commitment to meet its reporting obligation as well as its commitment to compliance. These same initiatives are reasonable and appropriate for medical device and diagnostic manufacturers when implementing a compliance program.

References

1.42 CFR part 402 and 403: Medicare, Medicaid, Children’s Health Insurance Programs; Transparency Reports and Reporting of Physician Ownership or Investment Interests; CMS Proposed Rule, section III: Collection of Information Requirements, (19 December 2011); available from Internet: http://op.bna.com/hl.nsf/id/bbrk-8pjtfc/$File/SunshineRegsDec2011.pdf.
 

Chrissy Spicer is a director of commercial consulting services at Compliance Implementation Services (CIS; Media, PA). She focuses on U.S. commercial, transparency reporting, and government program compliance.

Judy Fox is director of U.S. commercial compliance at CIS and leads the federal and state compliance and reporting and sample accountability service offerings.

Tim Krzeminski is director of audit services at CIS, where he manages the execution of value-added audits across all lines of pharmaceutical manufacturers and their third-party vendors.

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like