The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Medical Technology Compliance: FDA, AKS,

FCA and Other Regulatory Requirements Mitigating Medical Device and Healthcare Technology Risks

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

WEDNESDAY, SEPTEMBER 6, 2017

Jana Gerken, J.D., Co-Founder and Chief Legal Strategist,

Kinetic Compliance Solutions, Milwaukee

Ethan E. Rii, Shareholder, Vedder Price, Chicago

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-866-927-5568 and enter your PIN when prompted. Otherwise, please

send us a chat or e-mail sound@straffordpub.com immediately so we can

address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your

participation in this webinar by completing and submitting the Attendance

Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email

that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926

ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-

hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

MEDICAL TECHNOLOGY COMPLIANCE:

MITIGATING MEDICAL DEVICE AND HEALTHCARE TECHNOLOGY RISK

Jana Gerken, Esq.

janagerken@kineticcompliance.com

Ethan E. Rii, Esq.

erii@vedderprice.com

AGENDA

• Unique Risk Profile

• Key Enforcers

• Key Regulations

• Case Study - Olympus

• Key Elements - Effective Compliance Program

• External Investigations / Remediation

6

UNIQUE RISK PROFILE

• Constantly Evolving Regulatory Landscape

• Multiple enforcement agencies and layers of regulatory requirements

• Continuous need to evolve tech-wise

• Vigorous competition from many sides (cheaper, faster, better)

7

KEY ENFORCERS

HHS-OIG DOJ

FTC FBI

States

Medical Tech

Company

Whistleblower Competitors Courts 8

KEY REGULATIONS

• False Claims Act

• Anti-Kickback Statute

• Food, Drug and Cosmetic Act

• Federal Trade Commission Act

• Physician Payments Sunshine Act

• Health Insurance Portability and Accountability Act (HIPAA)

• Civil Monetary Penalties Statute

• State Statutes

9

FALSE CLAIMS ACT

• Civil War-era statute to combat military contractor fraud

• Prohibits anyone from knowingly submitting or causing to be submitted a

false claim for payment to the Government (note: need not be fraudulent)

• Whistle-Blower Actions: Under Qui Tam provisions, private individuals

(relators) may file enforcement actions on behalf of Government; entitled

to 15% - 30% of successful recovery

• 2016: $4.7 billion + recovered in settlements and judgments by DOJ; $2.5

billion of that from health care industry

Penalties:

• Civil: Treble Government’s damages plus $10,781.40 and $21,562.80 per

claim

• Other: Potential program suspension, debarment and exclusion

10

ANTI-KICKBACK STATUTE

• Criminal statute that prohibits transactions intended to induce or reward

referrals for (i) items or services reimbursed by federal health care

programs or (ii) the purchase of goods or services paid for directly or

indirectly, in whole or in part, by federal health care programs

• Anti-corruption statute designed ‎to protect federal health care program

beneficiaries from the influence of money on referral decisions and as

such is intended to guard against over utilization, increased cost, and poor

quality services

11

ANTI-KICKBACK STATUTE – CONT.

Standard:

“Knowingly and willfully” - If one purpose of a payment or arrangement is to

induce a referral (even if not the primary purpose), then the knowledge

requirement has been met (“One Purpose Rule” adopted by most US

Courts of Appeal)

Safe Harbors:

• Original AKS scope very broad and encompassed well-accepted and

even beneficial business practices – safe harbors subsequently added

• No AKS liability if practice fits squarely into safe harbor

• If it does not squarely fit - not per se illegal but do case-by-case analysis

• 26 safe harbors to date

12

ANTI-KICKBACK STATUTE – CONT.

Safe Harbors – Key Examples:

• Personal Services: Must be in writing with a term of no less than 1 year;

aggregate compensation consistent with FMV in arms-length transactions

and not determined in a manner that takes into account the volume or

value of any referrals or business otherwise generated between the

parties; aggregate services cannot exceed those reasonably necessary

• Discounts: Reduction in price based on arms-length transaction; seller

must disclose discount on invoice; buyer responsible for cost reporting to

Government

• Warranties: Seller must disclose the amount of the price reduction

obtained as part of the warranty on the invoice; buyer responsible for cost

reporting to Government

13

ANTI-KICKBACK STATUTE – CONT.

Penalties:

• Civil: Treble damages (up to 3x each kickback) plus $50K per violation

• Criminal: Up to 5-year prison term plus up to $25K per violation

• Conviction results in mandatory exclusion from participation in federal health care programs

• Absent conviction, individuals who violate AKS may still face exclusion from federal health care programs at the discretion of the Secretary of HHS

• No private right of action under AKS – but FCA provides vehicle for individuals to bring whistleblower action for alleged AKS violations

14

RESEARCH – SEPARATION OF DUTIES

OIG-HHS Guidance:

• Prudent manufacturers should develop contracting procedures that

clearly separate the awarding of research contracts from marketing

• Research contracts that originate through the sales or marketing functions

– or that are offered to purchasers in connection with sales contacts – are

particularly suspect (note: not per se illegal)

• To reduce risk, manufacturers should insulate research grant making from

sales and marketing influences

• Guidance aimed at pharma industry but expressly applies to medical

device manufacturers

• Guidance intended to help industry understand how HHS will evaluate

conduct outside of AKS Safe Harbors

15

RESEARCH – SEPARATION OF DUTIES – CONT.

• AKS: Failure to segregate research may result in

actions that would in turn violate AKS when

research arrangements are used to help close a

sale rather than for their independent value

• Objectivity in Medical Decisions: No illegal

remuneration to HCPs that can taint clinical

decision

• Integrity in Product Approval / Research Process:

Public and Government not misled into thinking

product is safer than it actually is

16

INDIVIDUAL ACCOUNTABILITY – YATES MEMO

• Memo issued September 2015 by Sally Yates, Deputy Attorney General of

the United States

• Response to criticism against Government for perceived failure to hold

individuals accountable for the 2008 financial crisis

• Individuals will be held personally liable for corporate misconduct

• Builds on Park Doctrine (United States v Park, 1975), which applies to the

FDA-regulated industry and allows the DOJ to prosecute a responsible

corporate officer for a felony “without proof that the corporate official

acted with intent or even negligence, and even if such corporate official

did not have any actual knowledge of, or participation in, the specific

offense” - strict liability standard

17

INDIVIDUAL ACCOUNTABILITY – YATES MEMO – CONT.

Six Key Principles:

1. Companies will not receive credit for cooperating with the

Government unless that cooperation includes producing facts relating

to the individuals involved in the alleged misconduct

• Open Questions: What does “cooperation” mean – refusal to waive

Attorney-Client Privilege = non-cooperative? Does company have to

tell Government when individuals located ex-US will be back in US /

provide travel itinerary (FBI greet them on tarmac)?

2. Government will focus on individual liability from inception of

investigation

• Open Questions: Should implicated individuals each obtain separate

counsel? Impact on company’s own internal investigation?

18

INDIVIDUAL ACCOUNTABILITY – YATES MEMO – CONT.

Six Key Principles - Cont:

3. Civil and criminal government attorneys should be in routine

communication about potential conduct that might give rise to

culpability

• Open Questions: Will a company have to jointly communicate with both the

civil and criminal sides of DOJ?

4. Government will not release an individual from liability as part of a

corporate resolution - appears consistent with existing practices

5. Corporate cases will not be resolved without a plan to resolve

investigations of any individuals - risk of serious delay meant to

incentivize companies to assist Government with individual cases

6. Government lawyers handling civil cases cannot use an individual’s

inability to pay as a factor in deciding whether to bring a case –

evidences that money is not driver but goal instead is to deter

wrongdoing – corporations cannot go to jail but losing one’s freedom is

a powerful deterrent for individuals

19

SUNSHINE REPORTING – KEY PRINCIPLES

• “Sunshine provision” in the Patient Protection and Affordable Health Act -

effective March 31, 2013

• Purpose: Transparency into financial relationships between industry and (i)

physicians and (ii) teaching hospitals

• Report due to Secretary of HHS by 90th day each year after effective date

(i.e. on June 30)

• Information reported is published on public website

• Requires “applicable manufacturers” (among others) to report certain

payments and other transfers of value given to physicians and teaching

hospitals, and any ownership or investment interest physicians, or their

immediate family members, have in their company.

• This information must be reported every year.

20

SUNSHINE REPORTING – KEY PRINCIPLES

• Applicable Manufacturer if:

• Operations

• Operate in the US (physical location in US and/or activities are in US - including territories and commonwealths of US)

• Activities

• Engages in the production, preparation, propagation, compounding, or conversion of a covered drug, device, biological, or medical supply (includes wholesalers and distributors)

• Covered Products

• Produces at least one product reimbursed by Medicare, Medicaid, or Children’s Health Insurance Program

AND

• If the product is a drug or biological, and it requires a prescription (or physician’s authorization) to administer

OR

If the product is a device or medical supply, and it requires premarket approval or premarket notification by the FDA.

21

SUNSHINE REPORTING – KEY PRINCIPLES – CONT.

Penalties:

• Failure to report: $1K to $10K per payment / Transfer of Value (TOV) not reported (up to $150K max per annual submission)

• “Knowing” failure to report: $10K to $100K per payment / TOV (up to $1MM max per annual submission)

• Total penalties may not exceed $1,150,000

• State Sunshine Laws – may also impose additional penalties

22

PRIVACY / HIPAA – KEY PRINCIPLES

• HIPAA: Health Insurance Portability and Accountability Act of 1996

• Key Enforcers: Office for Civil Rights (HHS) & FTC

• Protects all individually identifiable protected health information (PHI)

held or transmitted by a Covered Entity or Business Associate in any form

or media (paper, electronic, oral etc)

• Individually identifiable PHI is information that:

• Relates to (i) the individual’s past, present or future physical or mental

health or condition; (ii) the provision of health care to the individual; or

(iii) the past, present or future payment for the provision of health care

to the individual AND

• Identifies the individual or for which there is a reasonable basis to

believe can be used to identify the individual

• Identifiers include name, address, birth date, Social Security Number

23

PRIVACY / HIPAA – KEY PRINCIPLES – CONT.

• No restrictions on the use or disclosure of de-identified PHI

• Covered Entities:

• Healthcare provider (i.e. institutional providers such as hospitals and

non-institutional providers such as physicians, dentists and other

practitioners and any other person or organization that furnishes, bills

or is paid for health care)

• Health plans

• Health care clearinghouses

• Business Associate:

• Typically third-party service providers to Covered Entities, such as

equipment servicers (including device manufacturers), legal, accounting,

consulting, data, management, administrative

• Exception: If service does not involve use or disclosure of PHI and

where any access to PHI would be incidental

24

PRIVACY / HIPAA – KEY PRINCIPLES – CONT.

• “Business Associate Agreement” or BAA:

• Agreement between Covered Entity and Business Associate to provide

for the protection of PHI – must include specified written safeguards

for individually identifiable PHI

• Use & Disclosure Limited to:

• Expressly permitted by rules (e.g., to individual, for treatment &

payment)

• With individual’s written authorization

• Required by rules (to individual if requested by individual or to HHS

when it is undertaking a compliance investigation)

• “Minimum necessary” standard – disclose only PHI required to perform

the contract

• Federal preemption to extent of any conflict with state law, unless state

law is more restrictive

25

PRIVACY / HIPAA – KEY PRINCIPLES – CONT.

Penalties:

• Civil: $100 per failure to comply; not to exceed $25K per year for

multiple violations

• Criminal:

• If knowingly obtain individually identifiable PHI in violation of HIPAA -

$50K fine and up to 1 year imprisonment

• If wrongful conduct involves false pretenses - $100K fine and up to 5

years imprisonment

• If involves the intent to transfer or sell individually identifiable PHI for

commercial advantage, personal gain or malicious harm - $250K fine

and up to 10 years imprisonment

26

SAFETY, SECURITY AND RELIABILITY

• Safety

• Device proliferation - they are everywhere (for better or for worse)

• Reliance on medical technology increases patient’s exposure to risk

• Software-related issues

• Infusion Pump (GemStar) - 2012

• Pacemakers (St. Jude) - 2017

• Security

• Data hacks become regular in healthcare industry

• Given interconnectivity with large institutional providers (hospitals, health

systems), weak system becomes entry point for hackers

• Reliability

• Device must be reliable and work as advertised each time

27

SAFETY, SECURITY AND RELIABILITY

• More than 36,000 healthcare-related devices in US are discoverable on

Shodan (search engine for connected devices)

• 3% of exposed devices use Windows XP (as of 2017)

See https://www.wired.com/2017/03/medical-devices-next-security-nightmare/

• “Target on back”

• Federal regulatory bodies (FDA, DOJ)

• Patients

• Competitors

• Hackers (ransomware)

• Clinical partners (hospitals, physicians, etc.)

28

CASE STUDY

• Olympus Corp

• Kickbacks, False Claims & Bribes – March 1, 2016

• $646MM to settle criminal and civil claims

• Largest total amount paid in US history for violations involving Anti-Kickback Statute (AKS) by a medical device company

• DOJ Statement: “The Department of Justice has longstanding concerns about Improper financial relationships between medical device manufacturers and the health care providers who prescribe or use their products … Such relationships can improperly influence a provider’s judgment about a patient’s health care needs, result in the use of inferior or overpriced equipment, and drive up health care costs for everybody. In addition to yielding a substantial recovery for taxpayers, this settlement should send a clear message that we will not tolerate these types of abusive arrangements, and the pernicious effects they can have on our health care system.”

29

CASE STUDY - CONT.

• AKS Violations:

• The criminal complaint against Olympus, which Olympus agreed is true,

charged that Olympus won new business and rewarded sales by giving

doctors and hospitals kickbacks, including consulting payments, foreign

travel, lavish meals, millions of dollars in grants and free endoscopes

• Examples:

• Gave a hospital a $5,000 grant to facilitate a $750,000 sale

• Held up a $50,000 research grant until a second hospital signed a

deal to purchase Olympus equipment

• Paid for a trip for three doctors to travel to Japan in 2007 as a quid

pro quo for their hospital’s decision to switch from a competitor to

Olympus

• A doctor with a major role in a New York medical center’s buying

decisions received free use of $400,000 in equipment for his private

practice

30

CASE STUDY - CONT.

• AKS Violations - Examples – Cont:

• At one Olympus-sponsored forum, the company paid for doctors’ lavish meals, ballooning, winery tours, golf and spa treatments because it was “a great way to network, talk business, socialize without our competitors” an Olympus employee had explained per the complaint

• These and other kickbacks helped Olympus obtain more than $600 million in sales and realize gross profits of more than $230 million

• False Claims Act (FCA):

• $310.8 million of the total fine was paid to resolve the civil claims that Olympus’ payment of kickbacks caused false claims to be submitted to federal health care programs Medicare, Medicaid and TRICARE, and thus violated not only the AKS but also the federal and various state False Claims Acts

• Whistleblower:

• Case brought by the former Chief Compliance Officer of Olympus, who received just under $45MM from the federal share and $7MM from the state share of the civil settlement amount

31

CASE STUDY - CONT.

• Total Impact:

• $623.2 MM & interest to resolve AKS violation

• Additional $22.8 MM to resolve Foreign Corrupt Practices Act (FCPA)

violations

• Corporate Integrity Agreement

• Appointment of Monitor

• Company loss of ~$470MM for the year ending March 2015 and

another ~$14MM in the following year

32

CASE STUDY - CONT.

• Remedial Actions: Olympus required to adopt several compliance

measures:

• Enhance its compliance training and maintain an effective compliance

program

• Maintain a confidential hotline and website for Olympus employees and

customers to report wrongdoing

• Chief Executive Officer and Board of Directors must certify annually

that the program is effective

• Adopt an executive financial recoupment program requiring executives

who engage in misconduct or fail to promote compliance to forfeit up

to three years of performance pay

33

CASE STUDY - CONT.

• Key Enforcers:

• Department of Justice (DOJ) / U.S. Attorney’s Office

• HEAT (Health Care Fraud Prevention and Enforcement Action Team)

initiative, which was announced in May 2009 by the Attorney General

and the Secretary of Health and Human Services (HHS)

• HHS-Office of Inspector General (OIG)

• Federal Bureau of Investigation (FBI)

• Whistleblower

34

WHY COMPLIANCE OFTEN GETS OVERLOOKED

• Focus is on the development of the technology

• IP protection & regulatory clearance / approval take precedence over

compliance matters

• Many times individuals tasked to manage compliance have limited to no

experience in compliance

• Limited resources prevent little if any resources applied to compliance

• Company is still a “gig” (part time)

• Individuals believe tech will “revolutionize” industry; some may forgo

typical parameters and protections as a result (well known example -

Theranos)

35

PILLARS OF AN EFFECTIVE COMPLIANCE PROGRAM

HHS-OIG - The 7 Pillars of an Effective Compliance Plan:

1. Implementing applicable written policies, procedures and standards

of conduct

2. Designating a qualified compliance officer and compliance committee

3. Conducting effective training and education

4. Developing effective lines of communication

5. Enforcing standards through well-publicized disciplinary guidelines

6. Conducting strong internal monitoring and auditing

7. Responding promptly to detected offenses and developing corrective

action

Certain industry-specific guidance is available from HHS-OIG

36

TYPICAL CHALLENGES

• Limited resources (legal, financial, manpower)

• Ineffective and infrequent compliance education

• Failure to properly imbed compliance within the business culture

• Failure to convince business leaders of importance of compliance

• Tone at the middle/manager buy-in (big soft spot)

• Inadequate commitment to auditing/internal reviews

• Lack of clear communications channels

37

COMMON PITFALLS TO AVOID

• Policies too complicated and theoretical

• Lack of policies in relevant and applicable risk areas (e.g., open payments; response to government inquiries)

• Inadequate internal controls to ensure policies are followed

• “Walled off” Legal/Compliance - last to know when issues arise

• Business leaders see compliance as the “department of no” and do not involve them in key business initiatives

38

KEY ELEMENTS – EFFECTIVE COMPLIANCE PROGRAM

• Get Business “Buy-In” – Culture is Key

• Ownership & Accountability – explain the “why”

• Require business ownership of all policies

• Business Leaders to incorporate Compliance messages (meetings, comms)

• “Train the Trainer”

• Make it “Stick” - Effective Training

• Institute an annual compliance education plan / curriculum

• Catch new hires early

• Don’t forget about contractors

• Retain training materials, agendas, sign-in sheets etc. in centralized location

• Leverage different learning modules as appropriate (live, online etc)

• Tip: Use scenario-based training whenever practicable

39

KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT

• Keep it Alive

• Regular / annual & as-needed (new regulation etc.) revamp of Policies

• E-mail blasts, newsletters and other forms of information exchange on Compliance issues

• Seek feedback & upgrade improvement areas (Policies & Training)

• Incorporate Compliance into annual / performance reviews (e.g., employee review process, 360 review)

• Make it fun (interactive, “Compliance Week” etc)

• Open Reporting

• Code of Conduct requires reporting

• Multiple, well-publicized communication channels available – for example:

• Consider hotline (staff appropriately & documented testing)

• Anonymous reporting option available

• Tip: Reporting channels posted in employee areas (kitchen, coffee station) and on intranet

• Non-Retaliation – Policy and / or mission statement (and comply with it!)

40

KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT.

• Investigate, Track & Audit

• Promptly assign investigator(s) – engage external help as needed / appropriate

• Document and track each case

• Status reports / updates (CEO, Board, Manager, GC – as appropriate)

• Timely closure – don’t let it linger!

• Close the loop with complainant

• Conduct regular audits

• Incorporate Governance “Best Practices”

• Form Compliance Committee – can be small to start

• Updates to CEO / Executive Team on program status / key issues

• Ability for Compliance Officer to make in-person reports to CEO, Executive Team, GC Office and/or Board

• Separate counsel from compliance – OIG comment - “Does the compliance officer have independent authority to retain legal counsel?”

• Tip: Establish org and flow charts to establish clear, established reporting structure

41

KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT.

• Enforcement “Best Practices”

• Develop policies and procedures with clear, specific disciplinary standards

• Timely and consistent enforcement (don’t make exceptions unless truly necessary)

• Tip: Promote awareness: communicate (no-name) examples of non-compliant conduct to your business team

• Document Creation & Retention / Hold

• “Right-Sized” Approach

• Do not limit yourself to cookie-cutter / one-size-fits-all approach

• Customize & adapt based upon risk profile, company size etc.

• Phased approach is ok (vs all at one) – demonstrate good faith effort on consistent / ongoing basis

• Tips:

• Code of Conduct: Adopt your trade association’s to start (AdvaMed, MDMA etc.)

• Compliance Officer: Start-ups may not need to hire someone in that position from get-go - can be external expert or CEO to start

• Compliance Committee: For start-ups, this may be Executive Team plus one designated Board member – sit down on regular basis to discuss Compliance matters – formalize as company grows

42

EXTERNAL COMPLIANCE INVESTIGATION - WHAT NOW?

• Rapid Response Team

• Implement a policy for document holds and records retention

• Know what you have

• Know where you have it

• Know what you have to keep

• Know why you have to keep it

• Keep what you have to keep for as long as you have to keep it

• Dispose of everything else

• Education

• Facility personnel need to understand in advance

• What to expect in an inspection

• How the company expects facility personnel to conduct themselves when the inspector(s) arrive

• How to react if the inspector finds a problem

• Whom to call and when to call them

43

EXTERNAL COMPLIANCE INVESTIGATION - WHAT NOW? - CONT.

• General Rule - Take it Seriously

• Implement corrective action plans designed to correct and prevent future

occurrences

• Assess corrective action plan effectiveness/lack of repeat issues

• Communicate resulting policy changes and educate your organization to prevent

recurrence of non-compliant behavior

• Report concerns to your escalation point-person (risk manager, compliance

manger, legal team, etc.) and coordinate next steps with legal department

• Report to government authorities or law enforcement when required or

deemed appropriate (decision should be handled in a coordinated effort with

legal)

44

KEY QUESTIONS TO CONSIDER

1. What is your ROI on the Compliance Program?

2. Is Compliance aligned with Legal?

3. Is Culture Evolving Toward (or Away From) Compliance?

4. How is Regulatory Enforcement Currently Affecting my Industry?

5. Are We Taking Advantage of All Resources?

6. Am I focusing on the right areas of risk?

45

MEDICAL TECHNOLOGY COMPLIANCE:

MITIGATING MEDICAL DEVICE AND HEALTHCARE TECHNOLOGY RISK

Jana Gerken, Esq.

janagerken@kineticcompliance.com

Ethan E. Rii, Esq.

erii@vedderprice.com

46