Medical Device Link.

GOVERNMENT & LEGAL AFFAIRS

Public relations professionals used to say there was no such thing as bad publicity. And years ago, for medical device companies laboring to improve public health while in the shadow of the pharmaceutical industry, that proverb may have seemed plausible. However, those days are long gone.

In recent years, the medical device industry has received its fair share of public attention. And with it has come increased attention from regulators and enforcement officials. The U.S. Department of Justice, the U.S. Department of Health and Human Services Office of Inspector General (OIG), and state attorneys have expanded their investigations into situations of potential healthcare fraud in the relationships between medical device companies and physicians. And although there are understandable reasons for the increased scrutiny, there are also sobering consequences for the medical device industry, which relies heavily on physicians to develop and validate its technologies (see sidebar).

Legal and Financial Risks

For medical device manufacturers, close interactions with physicians are necessary from both a business and technological standpoint. Nevertheless, such arrangements pose both legal and business risks under the Federal Healthcare Antikickback Act and the False Claims Act.^1,2 Indeed, the two rounds of subpoenas issued last year to orthopedic and cardiac device manufacturers were focused on their financial relationships with physicians. The government is investigating whether these manufacturers induced or rewarded physicians for their patronage in violation of the antikickback statute.

The antikickback statute makes it a criminal offense to offer, pay, solicit, or receive any remuneration (i.e., anything of value) to induce or reward referrals, purchases, or recommendations of the purchase of items or services reimbursable by a federal healthcare program. The law is so broad that it is implicated by virtually any arrangement wherein a device manufacturer or one of its representatives compensates a physician in a position to generate business. Moreover, courts have interpreted the law to cover any arrangement in which one purpose of the remuneration was to obtain money for the referral of services or to induce further referrals. Even a slide presentation at a company sales meeting that shows a doctor or patient surrounded by dollar signs could fuel speculation regarding a company's marketing policies and programs. Specific situations that can garner attention include those in which a physician receives more than fair market value for services and those that involve comingling of product funding and product purchases.

Both sides of an impermissible kickback transaction—manufacturers and physicians—are subject to serious penalties, including imprisonment, hefty fines and penalties, and, perhaps most significantly, administrative exclusion from participation in federal healthcare programs. In addition to generally accepted practices endorsed by trade association codes, there are numerous regulatory safe harbors, but those are narrowly crafted. As a result, many common arrangements between device manufacturers and physicians do not satisfy all the elements necessary to qualify for safe harbor protection.

Increasingly, the U.S. Department of Justice is improving its return on investment for antikickback investigations by using the same evidence in subsequent civil False Claims Act (FCA) cases. Known as bootstrapping, because the government uses kickback allegations as the basis for sustaining a claim under the FCA, this tactic has delivered impressive financial results for the federal government.

The FCA prohibits individuals from submitting or causing to be submitted false claims for payment to the U.S. government. Manufacturers have paid significant financial penalties under the theory that they caused physicians and hospitals to submit tainted claims in violation of the act. Violations provide for civil monetary penalties of $11,000 per claim plus treble damages based on the amount of the claim. In FY 2006, that allowance translated into settlements and judgments in excess of $3.142 billion, highlighting the financial advantages to the government of the bootstrapping approach.

The qui tam, or whistle-blower, provisions of the False Claims Act have given federal prosecutors a powerful ally. The provision allows individuals who have evidence of fraud against government programs to sue under the FCA on behalf of the government and share in the recovery. There is a clear incentive for such individuals to file qui tam lawsuits: the potential for generational wealth. Indeed, the whistle-blower in the 2001 TAP Pharmaceuticals case personally netted in excess of $85 million. Not surprisingly, according to Jim Moorman, president of Taxpayers against Fraud (Washington, DC), 80% of all successfully resolved FCA cases are initiated by whistle-blowers under the qui tam provisions.³

Companies, their officers and managers, and their shareholders all face risks resulting from noncompliant financial relationships with physicians. Beyond the obvious fines and penalties that can be imposed on a company in violation of the law, individuals—including officers and managers—can face civil and criminal liability. Likewise, health fraud settlements are also a source of shareholder derivative suits against the company. And government settlements almost always include corporate integrity agreements, which contain mandatory, onerous, and costly compliance requirements and heavy oversight by the U.S. Department of Health and Human Services Office of Inspector General.

The Compliance Responsibilities of Corporate Directors

Earlier this decade, highly publicized failures of corporate ethics led to enactment of the Sarbanes-Oxley Act, which sets standards of expected integrity and compliance for profit and nonprofit organizations, their management, and their directors.⁴ Those standards have been raised even further by the U.S. Sentencing Commission and the OIG, which have released voluntary guidelines for compliance.⁵ Although these guidelines are voluntary, they affect every U.S. medical device manufacturer. The fact that a manufacturer has—or has not—followed the guidelines in creating an effective compliance program can be considered by the U.S. Department of Justice in deciding whether or not to prosecute a company for alleged healthcare fraud.

Unlike company managers, who are charged with providing day-to-day management of the company's compliance program, company directors are expected to fulfill 'duty of care' responsibilities, which center on reasonable inquiry and oversight. A director has the right to rely, in good faith, on company officers, employees, and subcontracted professionals to develop and manage an effective compliance program. However, directors are required to make reasonable inquiries to ensure that those individuals are fulfilling their responsibilities.

In the event that "suspicions are aroused or should be aroused," the director faces a heightened responsibility for duty of care. Any number of activities might be considered suspicious enough to require directorial attention. Certainly, the existence of a government investigation or enforcement action constitutes an activity that would reasonably trigger directors' inquiries. Other activities that warrant scrutiny by directors might include employee complaints about possible fraud, inadequate documentation presented to the board about compliance activities, or suggestions of questionable financial transactions. Once the director is made aware of information that reasonably raises suspicions, the director should, under duty of care, conduct inquiries until the director's concerns have been resolved.

The director's oversight function runs parallel with the responsibility of reasonable inquiry. Under that oversight responsibility, the director should make a good faith attempt to ensure that the corporation has a compliance program able to prevent, detect, and correct violations of the law. Case law identifies two specific obligations of directors under their oversight function. They should make a good faith attempt to ensure that the corporation has an information and reporting system, and that the system is able to bring relevant compliance-related information to the board's attention in a timely manner and as a matter of ordinary business.

In practice, the company's information and reporting system should incorporate the means to document compliance activities, quickly identify noncompliant activities, distribute appropriate information to the board as a normal business function, and validate that the information has been received and understood by responsible parties.

Addressing Oversight Responsibilities

Since directors are responsible for oversight of compliance activities rather than management of them, they are faced with ensuring a broad-based standard of effectiveness for the compliance program as a whole. According to the OIG, "in order for a compliance program to be effective, it must have the support and commitment of senior management and the company's governing body." Such top-down support could include resolutions and communications regarding the compliance plan; the constitution of the board's compliance committee; the audit plan; and other critical compliance functions, including systems to document, monitor, report, and audit compliance-related activities.

The compliance program for a medical device manufacturer can be extensive and is often vulnerable to issues of noncompliance throughout the research, production, marketing, and postmarket phases. Common compliance challenges range from the integrity of informed consent procedures to appropriate handling of grant requests.

For directors of medical device companies, the scrutiny by regulators over the company's consulting relationships with physicians and other referral sources adds another, often unfamiliar layer of oversight responsibility.

Many companies simultaneously have hundreds of consulting agreements and a corresponding number of scheduled deliverables. As the government is assessing the correctness of those engagements, the challenge for companies lies in maintaining a constantly updated system to track schedules, agreements, payments, and deliverables; document all activities in audit-ready formats; and ensure that directors routinely receive relevant information in a timely manner.

Technology is virtually indispensable for the monitoring, communication, documentation, and storage of all stages of the company-physician relationship, beginning with consultant selection through agreement creation, fulfillment, and termination. While directors are not required to be technology experts, they should ensure that management oversees the operation of any technology-based system, to be certain that it facilitates the following key functions.

Policy Communication. Effective communication of policies and procedures governing physician relationships. These policies should be well publicized to all employees and subcontractors, must be regularly reinforced, and must be documented.

Training Activities. Training specifically focused on physician relationships. Training should be conducted throughout the organization and should be assessed for effectiveness.

Real-Time Monitoring. Documentation of all financial agreements in a format that enables ongoing monitoring and management across business units. Optimal systems will provide real-time data to identify late or missing deliverables, flag approaching deadlines for rapid follow-up, or trigger a prescribed action in response to potential violations. All systems should accommodate rapid updates of information as new agreements are added and older ones are terminated.

Compliance Documentation. Documentation of all activities taken to manage the company's compliance activities related to physician relationships, including training of personnel responsible for various aspects of the program and distribution of information such as codes of conduct. Validated receipts and documented comprehension provide an indisputable audit trail of compliance.

Complaint Reporting. Documentation of all activities related to complaints and follow-up regarding potential instances of fraud and abuse related to physician consulting relationships. Those activities include training for all personnel to recognize potential issues, a reporting system to lodge possible complaints, a corresponding system to update, and a clear record of all corporate actions taken in response to complaints.

Timely Reporting. Timely distribution of relevant information and validation that the information was received by affected personnel as a routine course of business operation.

Record Maintenance. Storage of related materials in audit-ready formats, easily and quickly available to directors, managers, and regulators for review.

Managing Risk through Increased Vigilance

Medical device companies gain substantial value from relationships with physicians at stages ranging from early product development through physician education efforts and the provision of feedback. Despite the legitimate and necessary use of consulting physicians, however, expanding compliance requirements and regulatory scrutiny are escalating risks to companies and individuals.

For directors, fulfilling duty of care responsibilities centers on answering the following key questions about their company's program for complying with regulations governing consulting agreements with physicians.

• Does the company have an adequate compliance infrastructure, including an organization of systems and personnel with the authority and resources needed to assure compliance?
• Is the reporting and documentation infrastructure adequate to ensure accurate, current, and compliant recordkeeping?
• Does the information management system ensure that critical information—whether policies and procedures destined for employees or regular reports intended for directors—is distributed, validated, understood, and documented?
• Is the system for educating personnel across the organization adequate to ensure comprehension of compliance-related information and compliant behavior?

Conclusion

As the market and financial opportunities for all medical treatments grow, scrutiny over the healthcare system by regulators, advocacy groups, and the public at large inevitably will grow alongside. For medical device companies, that scrutiny translates into greater compliance responsibilities and greater noncompliance risks, not only for managers and officers of the company, but for the directors charged with oversight.

For companies and their directors, the risks of noncompliance—along with their associated financial and legal liabilities—can be reduced through straightforward procedures, practical systems, and effective technologies that comply with applicable standards.

Jason B. Meyer is chief legal officer and ethics officer and Denise Queffelec is senior vice president for the life sciences practice at EduNeering (Princeton, NJ), a firm that provides regulatory compliance solutions and consulting to medical device companies.