medical technology compliance: fda, aks, fca and other regulatory...
Presenting a live 90-minute webinar with interactive Q&A
Medical Technology Compliance: FDA, AKS, FCA and Other Regulatory Requirements
Mitigating Medical Device and Healthcare Technology Risks
WEDNESDAY, SEPTEMBER 6, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Jana Gerken, J.D., Co-Founder and Chief Legal Strategist, Kinetic Compliance Solutions, Milwaukee
Ethan E. Rii, Shareholder, Vedder Price, Chicago
MEDICAL TECHNOLOGY COMPLIANCE:
MITIGATING MEDICAL DEVICE AND HEALTHCARE TECHNOLOGY RISK
Jana Gerken, Esq.
Ethan E. Rii, Esq.
AGENDA
• Unique Risk Profile
• Key Enforcers
• Key Regulations
• Case Study - Olympus
• Key Elements - Effective Compliance Program
• External Investigations / Remediation
UNIQUE RISK PROFILE
• Constantly Evolving Regulatory Landscape
• Multiple enforcement agencies and layers of regulatory requirements
• Continuous need to evolve tech-wise
• Vigorous competition from many sides (cheaper, faster, better)
KEY ENFORCERS
Medical Tech Company, surrounded by:
• HHS-OIG
• DOJ
• FTC
• FBI
• States
• Whistleblower
• Competitors
• Courts
KEY REGULATIONS
• False Claims Act
• Anti-Kickback Statute
• Food, Drug and Cosmetic Act
• Federal Trade Commission Act
• Physician Payments Sunshine Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Civil Monetary Penalties Statute
• State Statutes
FALSE CLAIMS ACT
• Civil War-era statute to combat military contractor fraud
• Prohibits anyone from knowingly submitting or causing to be submitted a
false claim for payment to the Government (note: need not be fraudulent)
• Whistle-Blower Actions: Under Qui Tam provisions, private individuals
(relators) may file enforcement actions on behalf of Government; entitled
to 15% - 30% of successful recovery
• 2016: $4.7 billion + recovered in settlements and judgments by DOJ; $2.5
billion of that from health care industry
Penalties:
• Civil: Treble Government’s damages plus between $10,781.40 and $21,562.80 per
claim
• Other: Potential program suspension, debarment and exclusion
ANTI-KICKBACK STATUTE
• Criminal statute that prohibits transactions intended to induce or reward
referrals for (i) items or services reimbursed by federal health care
programs or (ii) the purchase of goods or services paid for directly or
indirectly, in whole or in part, by federal health care programs
• Anti-corruption statute designed to protect federal health care program
beneficiaries from the influence of money on referral decisions and as
such is intended to guard against overutilization, increased cost, and poor
quality services
ANTI-KICKBACK STATUTE – CONT.
Standard:
“Knowingly and willfully” - If one purpose of a payment or arrangement is to
induce a referral (even if not the primary purpose), then the knowledge
requirement has been met (“One Purpose Rule” adopted by most US
Courts of Appeal)
Safe Harbors:
• Original AKS scope very broad and encompassed well-accepted and
even beneficial business practices – safe harbors subsequently added
• No AKS liability if practice fits squarely into safe harbor
• If it does not squarely fit - not per se illegal but do case-by-case analysis
• 26 safe harbors to date
ANTI-KICKBACK STATUTE – CONT.
Safe Harbors – Key Examples:
• Personal Services: Must be in writing with a term of no less than 1 year;
aggregate compensation consistent with FMV in arms-length transactions
and not determined in a manner that takes into account the volume or
value of any referrals or business otherwise generated between the
parties; aggregate services cannot exceed those reasonably necessary
• Discounts: Reduction in price based on arms-length transaction; seller
must disclose discount on invoice; buyer responsible for cost reporting to
Government
• Warranties: Seller must disclose the amount of the price reduction
obtained as part of the warranty on the invoice; buyer responsible for cost
reporting to Government
ANTI-KICKBACK STATUTE – CONT.
Penalties:
• Civil: Treble damages (up to 3x each kickback) plus $50K per violation
• Criminal: Up to 5-year prison term plus up to $25K per violation
• Conviction results in mandatory exclusion from participation in federal health care programs
• Absent conviction, individuals who violate AKS may still face exclusion from federal health care programs at the discretion of the Secretary of HHS
• No private right of action under AKS – but FCA provides vehicle for individuals to bring whistleblower action for alleged AKS violations
RESEARCH – SEPARATION OF DUTIES
OIG-HHS Guidance:
• Prudent manufacturers should develop contracting procedures that
clearly separate the awarding of research contracts from marketing
• Research contracts that originate through the sales or marketing functions
– or that are offered to purchasers in connection with sales contacts – are
particularly suspect (note: not per se illegal)
• To reduce risk, manufacturers should insulate research grant making from
sales and marketing influences
• Guidance aimed at pharma industry but expressly applies to medical
device manufacturers
• Guidance intended to help industry understand how HHS will evaluate
conduct outside of AKS Safe Harbors
RESEARCH – SEPARATION OF DUTIES – CONT.
• AKS: Failure to segregate research may result in
actions that would in turn violate AKS when
research arrangements are used to help close a
sale rather than for their independent value
• Objectivity in Medical Decisions: No illegal
remuneration to HCPs that can taint clinical
decision
• Integrity in Product Approval / Research Process:
Public and Government not misled into thinking
product is safer than it actually is
INDIVIDUAL ACCOUNTABILITY – YATES MEMO
• Memo issued September 2015 by Sally Yates, Deputy Attorney General of
the United States
• Response to criticism against Government for perceived failure to hold
individuals accountable for the 2008 financial crisis
• Individuals will be held personally liable for corporate misconduct
• Builds on Park Doctrine (United States v Park, 1975), which applies to the
FDA-regulated industry and allows the DOJ to prosecute a responsible
corporate officer for a felony “without proof that the corporate official
acted with intent or even negligence, and even if such corporate official
did not have any actual knowledge of, or participation in, the specific
offense” - strict liability standard
INDIVIDUAL ACCOUNTABILITY – YATES MEMO – CONT.
Six Key Principles:
1. Companies will not receive credit for cooperating with the
Government unless that cooperation includes producing facts relating
to the individuals involved in the alleged misconduct
• Open Questions: What does “cooperation” mean – refusal to waive
Attorney-Client Privilege = non-cooperative? Does company have to
tell Government when individuals located ex-US will be back in US /
provide travel itinerary (FBI greet them on tarmac)?
2. Government will focus on individual liability from inception of
investigation
• Open Questions: Should implicated individuals each obtain separate
counsel? Impact on company’s own internal investigation?
INDIVIDUAL ACCOUNTABILITY – YATES MEMO – CONT.
Six Key Principles - Cont:
3. Civil and criminal government attorneys should be in routine
communication about potential conduct that might give rise to
culpability
• Open Questions: Will a company have to jointly communicate with both the
civil and criminal sides of DOJ?
4. Government will not release an individual from liability as part of a
corporate resolution - appears consistent with existing practices
5. Corporate cases will not be resolved without a plan to resolve
investigations of any individuals - risk of serious delay meant to
incentivize companies to assist Government with individual cases
6. Government lawyers handling civil cases cannot use an individual’s
inability to pay as a factor in deciding whether to bring a case –
evidences that money is not driver but goal instead is to deter
wrongdoing – corporations cannot go to jail but losing one’s freedom is
a powerful deterrent for individuals
SUNSHINE REPORTING – KEY PRINCIPLES
• “Sunshine provision” in the Patient Protection and Affordable Health Act -
effective March 31, 2013
• Purpose: Transparency into financial relationships between industry and (i)
physicians and (ii) teaching hospitals
• Report due to Secretary of HHS by 90th day each year after effective date
(i.e. on June 30)
• Information reported is published on public website
• Requires “applicable manufacturers” (among others) to report certain
payments and other transfers of value given to physicians and teaching
hospitals, and any ownership or investment interest physicians, or their
immediate family members, have in their company.
• This information must be reported every year.
SUNSHINE REPORTING – KEY PRINCIPLES
• Applicable Manufacturer if:
• Operations
• Operate in the US (physical location in US and/or activities are in US - including territories and commonwealths of US)
• Activities
• Engages in the production, preparation, propagation, compounding, or conversion of a covered drug, device, biological, or medical supply (includes wholesalers and distributors)
• Covered Products
• Produces at least one product reimbursed by Medicare, Medicaid, or Children’s Health Insurance Program
AND
• If the product is a drug or biological, and it requires a prescription (or physician’s authorization) to administer
OR
• If the product is a device or medical supply, and it requires premarket approval or premarket notification by the FDA.
SUNSHINE REPORTING – KEY PRINCIPLES – CONT.
Penalties:
• Failure to report: $1K to $10K per payment / Transfer of Value (TOV) not reported (up to $150K max per annual submission)
• “Knowing” failure to report: $10K to $100K per payment / TOV (up to $1MM max per annual submission)
• Total penalties may not exceed $1,150,000
• State Sunshine Laws – may also impose additional penalties
PRIVACY / HIPAA – KEY PRINCIPLES
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• Key Enforcers: Office for Civil Rights (HHS) & FTC
• Protects all individually identifiable protected health information (PHI)
held or transmitted by a Covered Entity or Business Associate in any form
or media (paper, electronic, oral, etc.)
• Individually identifiable PHI is information that:
• Relates to (i) the individual’s past, present or future physical or mental
health or condition; (ii) the provision of health care to the individual; or
(iii) the past, present or future payment for the provision of health care
to the individual AND
• Identifies the individual or for which there is a reasonable basis to
believe can be used to identify the individual
• Identifiers include name, address, birth date, Social Security Number
PRIVACY / HIPAA – KEY PRINCIPLES – CONT.
• No restrictions on the use or disclosure of de-identified PHI
• Covered Entities:
• Healthcare provider (i.e. institutional providers such as hospitals and
non-institutional providers such as physicians, dentists and other
practitioners and any other person or organization that furnishes, bills
or is paid for health care)
• Health plans
• Health care clearinghouses
• Business Associate:
• Typically third-party service providers to Covered Entities, such as
equipment servicers (including device manufacturers), legal, accounting,
consulting, data, management, administrative
• Exception: If service does not involve use or disclosure of PHI and
where any access to PHI would be incidental
PRIVACY / HIPAA – KEY PRINCIPLES – CONT.
• “Business Associate Agreement” or BAA:
• Agreement between Covered Entity and Business Associate to provide
for the protection of PHI – must include specified written safeguards
for individually identifiable PHI
• Use & Disclosure Limited to:
• Expressly permitted by rules (e.g., to individual, for treatment &
payment)
• With individual’s written authorization
• Required by rules (to individual if requested by individual or to HHS
when it is undertaking a compliance investigation)
• “Minimum necessary” standard – disclose only PHI required to perform
the contract
• Federal preemption to extent of any conflict with state law, unless state
law is more restrictive
PRIVACY / HIPAA – KEY PRINCIPLES – CONT.
Penalties:
• Civil: $100 per failure to comply; not to exceed $25K per year for
multiple violations
• Criminal:
• If knowingly obtain individually identifiable PHI in violation of HIPAA -
$50K fine and up to 1 year imprisonment
• If wrongful conduct involves false pretenses - $100K fine and up to 5
years imprisonment
• If involves the intent to transfer or sell individually identifiable PHI for
commercial advantage, personal gain or malicious harm - $250K fine
and up to 10 years imprisonment
SAFETY, SECURITY AND RELIABILITY
• Safety
• Device proliferation - they are everywhere (for better or for worse)
• Reliance on medical technology increases patient’s exposure to risk
• Software-related issues
• Infusion Pump (GemStar) - 2012
• Pacemakers (St. Jude) - 2017
• Security
• Data hacks become regular in healthcare industry
• Given interconnectivity with large institutional providers (hospitals, health
systems), weak system becomes entry point for hackers
• Reliability
• Device must be reliable and work as advertised each time
SAFETY, SECURITY AND RELIABILITY
• More than 36,000 healthcare-related devices in US are discoverable on
Shodan (search engine for connected devices)
• 3% of exposed devices use Windows XP (as of 2017)
See https://www.wired.com/2017/03/medical-devices-next-security-nightmare/
• “Target on back”
• Federal regulatory bodies (FDA, DOJ)
• Patients
• Competitors
• Hackers (ransomware)
• Clinical partners (hospitals, physicians, etc.)
CASE STUDY
• Olympus Corp
• Kickbacks, False Claims & Bribes – March 1, 2016
• $646MM to settle criminal and civil claims
• Largest total amount paid in US history for violations involving Anti-Kickback Statute (AKS) by a medical device company
• DOJ Statement: “The Department of Justice has longstanding concerns about improper financial relationships between medical device manufacturers and the health care providers who prescribe or use their products … Such relationships can improperly influence a provider’s judgment about a patient’s health care needs, result in the use of inferior or overpriced equipment, and drive up health care costs for everybody. In addition to yielding a substantial recovery for taxpayers, this settlement should send a clear message that we will not tolerate these types of abusive arrangements, and the pernicious effects they can have on our health care system.”
CASE STUDY - CONT.
• AKS Violations:
• The criminal complaint against Olympus, which Olympus agreed is true,
charged that Olympus won new business and rewarded sales by giving
doctors and hospitals kickbacks, including consulting payments, foreign
travel, lavish meals, millions of dollars in grants and free endoscopes
• Examples:
• Gave a hospital a $5,000 grant to facilitate a $750,000 sale
• Held up a $50,000 research grant until a second hospital signed a
deal to purchase Olympus equipment
• Paid for a trip for three doctors to travel to Japan in 2007 as a quid
pro quo for their hospital’s decision to switch from a competitor to
Olympus
• A doctor with a major role in a New York medical center’s buying
decisions received free use of $400,000 in equipment for his private
practice
CASE STUDY - CONT.
• AKS Violations - Examples – Cont:
• At one Olympus-sponsored forum, the company paid for doctors’ lavish meals, ballooning, winery tours, golf and spa treatments because it was “a great way to network, talk business, socialize without our competitors,” an Olympus employee had explained, per the complaint
• These and other kickbacks helped Olympus obtain more than $600 million in sales and realize gross profits of more than $230 million
• False Claims Act (FCA):
• $310.8 million of the total fine was paid to resolve the civil claims that Olympus’ payment of kickbacks caused false claims to be submitted to federal health care programs Medicare, Medicaid and TRICARE, and thus violated not only the AKS but also the federal and various state False Claims Acts
• Whistleblower:
• Case brought by the former Chief Compliance Officer of Olympus, who received just under $45MM from the federal share and $7MM from the state share of the civil settlement amount
CASE STUDY - CONT.
• Total Impact:
• $623.2 MM & interest to resolve AKS violation
• Additional $22.8 MM to resolve Foreign Corrupt Practices Act (FCPA)
violations
• Corporate Integrity Agreement
• Appointment of Monitor
• Company loss of ~$470MM for the year ending March 2015 and
another ~$14MM in the following year
CASE STUDY - CONT.
• Remedial Actions: Olympus required to adopt several compliance
measures:
• Enhance its compliance training and maintain an effective compliance
program
• Maintain a confidential hotline and website for Olympus employees and
customers to report wrongdoing
• Chief Executive Officer and Board of Directors must certify annually
that the program is effective
• Adopt an executive financial recoupment program requiring executives
who engage in misconduct or fail to promote compliance to forfeit up
to three years of performance pay
CASE STUDY - CONT.
• Key Enforcers:
• Department of Justice (DOJ) / U.S. Attorney’s Office
• HEAT (Health Care Fraud Prevention and Enforcement Action Team)
initiative, which was announced in May 2009 by the Attorney General
and the Secretary of Health and Human Services (HHS)
• HHS-Office of Inspector General (OIG)
• Federal Bureau of Investigation (FBI)
• Whistleblower
WHY COMPLIANCE OFTEN GETS OVERLOOKED
• Focus is on the development of the technology
• IP protection & regulatory clearance / approval take precedence over
compliance matters
• Many times individuals tasked to manage compliance have limited to no
experience in compliance
• Limited resources mean that few, if any, resources are applied to compliance
• Company is still a “gig” (part time)
• Individuals believe tech will “revolutionize” industry; some may forgo
typical parameters and protections as a result (well known example -
Theranos)
PILLARS OF AN EFFECTIVE COMPLIANCE PROGRAM
HHS-OIG - The 7 Pillars of an Effective Compliance Plan:
1. Implementing applicable written policies, procedures and standards
of conduct
2. Designating a qualified compliance officer and compliance committee
3. Conducting effective training and education
4. Developing effective lines of communication
5. Enforcing standards through well-publicized disciplinary guidelines
6. Conducting strong internal monitoring and auditing
7. Responding promptly to detected offenses and developing corrective
action
Certain industry-specific guidance is available from HHS-OIG
TYPICAL CHALLENGES
• Limited resources (legal, financial, manpower)
• Ineffective and infrequent compliance education
• Failure to properly embed compliance within the business culture
• Failure to convince business leaders of importance of compliance
• Tone at the middle/manager buy-in (big soft spot)
• Inadequate commitment to auditing/internal reviews
• Lack of clear communications channels
COMMON PITFALLS TO AVOID
• Policies too complicated and theoretical
• Lack of policies in relevant and applicable risk areas (e.g., open payments; response to government inquiries)
• Inadequate internal controls to ensure policies are followed
• “Walled off” Legal/Compliance - last to know when issues arise
• Business leaders see compliance as the “department of no” and do not involve them in key business initiatives
KEY ELEMENTS – EFFECTIVE COMPLIANCE PROGRAM
• Get Business “Buy-In” – Culture is Key
• Ownership & Accountability – explain the “why”
• Require business ownership of all policies
• Business Leaders to incorporate Compliance messages (meetings, comms)
• “Train the Trainer”
• Make it “Stick” - Effective Training
• Institute an annual compliance education plan / curriculum
• Catch new hires early
• Don’t forget about contractors
• Retain training materials, agendas, sign-in sheets etc. in centralized location
• Leverage different learning modules as appropriate (live, online, etc.)
• Tip: Use scenario-based training whenever practicable
KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT
• Keep it Alive
• Regular / annual & as-needed (new regulation etc.) revamp of Policies
• E-mail blasts, newsletters and other forms of information exchange on Compliance issues
• Seek feedback & upgrade improvement areas (Policies & Training)
• Incorporate Compliance into annual / performance reviews (e.g., employee review process, 360 review)
• Make it fun (interactive, “Compliance Week”, etc.)
• Open Reporting
• Code of Conduct requires reporting
• Multiple, well-publicized communication channels available – for example:
• Consider hotline (staff appropriately & documented testing)
• Anonymous reporting option available
• Tip: Reporting channels posted in employee areas (kitchen, coffee station) and on intranet
• Non-Retaliation – Policy and / or mission statement (and comply with it!)
KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT.
• Investigate, Track & Audit
• Promptly assign investigator(s) – engage external help as needed / appropriate
• Document and track each case
• Status reports / updates (CEO, Board, Manager, GC – as appropriate)
• Timely closure – don’t let it linger!
• Close the loop with complainant
• Conduct regular audits
• Incorporate Governance “Best Practices”
• Form Compliance Committee – can be small to start
• Updates to CEO / Executive Team on program status / key issues
• Ability for Compliance Officer to make in-person reports to CEO, Executive Team, GC Office and/or Board
• Separate counsel from compliance – OIG comment - “Does the compliance officer have independent authority to retain legal counsel?”
• Tip: Create org and flow charts to establish a clear reporting structure
KEY ELEMENTS - EFFECTIVE COMPLIANCE PROGRAM - CONT.
• Enforcement “Best Practices”
• Develop policies and procedures with clear, specific disciplinary standards
• Timely and consistent enforcement (don’t make exceptions unless truly necessary)
• Tip: Promote awareness: communicate (no-name) examples of non-compliant conduct to your business team
• Document Creation & Retention / Hold
• “Right-Sized” Approach
• Do not limit yourself to cookie-cutter / one-size-fits-all approach
• Customize & adapt based upon risk profile, company size etc.
• Phased approach is ok (vs. all at once) – demonstrate good faith effort on consistent / ongoing basis
• Tips:
• Code of Conduct: Adopt your trade association’s to start (AdvaMed, MDMA etc.)
• Compliance Officer: Start-ups may not need to hire someone in that position from the get-go - can be external expert or CEO to start
• Compliance Committee: For start-ups, this may be Executive Team plus one designated Board member – sit down on regular basis to discuss Compliance matters – formalize as company grows
EXTERNAL COMPLIANCE INVESTIGATION - WHAT NOW?
• Rapid Response Team
• Implement a policy for document holds and records retention
• Know what you have
• Know where you have it
• Know what you have to keep
• Know why you have to keep it
• Keep what you have to keep for as long as you have to keep it
• Dispose of everything else
• Education
• Facility personnel need to understand in advance
• What to expect in an inspection
• How the company expects facility personnel to conduct themselves when the inspector(s) arrive
• How to react if the inspector finds a problem
• Whom to call and when to call them
EXTERNAL COMPLIANCE INVESTIGATION - WHAT NOW? - CONT.
• General Rule - Take it Seriously
• Implement corrective action plans designed to correct and prevent future
occurrences
• Assess corrective action plan effectiveness/lack of repeat issues
• Communicate resulting policy changes and educate your organization to prevent
recurrence of non-compliant behavior
• Report concerns to your escalation point-person (risk manager, compliance
manager, legal team, etc.) and coordinate next steps with legal department
• Report to government authorities or law enforcement when required or
deemed appropriate (decision should be handled in a coordinated effort with
legal)
KEY QUESTIONS TO CONSIDER
1. What is your ROI on the Compliance Program?
2. Is Compliance aligned with Legal?
3. Is Culture Evolving Toward (or Away From) Compliance?
4. How is Regulatory Enforcement Currently Affecting my Industry?
5. Are We Taking Advantage of All Resources?
6. Am I focusing on the right areas of risk?