July 2008: GXps

Recognizing Corporate Compliance Governance as a Critical Business Issue
By David L. Chesney

In today’s pharmaceutical and medical device industry, the term “compliance” means different things to different parts of each organization. To some, it means “GxP” (Good Manufacturing, Laboratory or Clinical Practice). To others, it means other areas of FDA compliance such as advertising and labeling, the Prescription Drug Marketing Act ( PDMA ),¹ or pharmacovigilance, device safety monitoring and postmarketing reports of adverse events. To still others, it means any of a wide array of other healthcare compliance concerns, including Medicare/Medicaid reimbursement, the seven-point compliance program of the Health and Human Services Office of Inspector General (HHS OIG), the Health Insurance Portability and Accountability Act ( HIPAA ),² the Federal Anti-Kickback Statute,³ or any of a variety of state and even local statutes and regulations. Industry generally treats these compliance matters as discrete issues. They are, at least to the extent that the skills required to assess and man­age compliance vary with the issues. Many com­panies rely upon Quality Assurance or specialized Good Manufacturing Practice (GMP) compliance units for oversight of GMP or Quality System Regulation (QSR) requirements, clinical Quality Assurance Units to manage Good Clinical Practice (GCP) compliance, regulatory affairs for FDA submission-related compliance issues, sales organizations to monitor PDMA compliance, and still others to handle reimbursement and HIPAA. The specific areas of compliance about which a company needs to be concerned vary with the nature of the product(s) it produces, and hence, the applicable statutory sections and regu­lations; the stage of development (e.g., whether the company has an approved product on the market); and whether the company is public or privately held. For example, companies with no marketed products need not concern themselves with provisions that apply only to marketed prod­ucts. Medicare reimbursement rules do not apply to products that are not available under Medicare. Companies that adhere to the US Department of Health & Human Services—Office of Inspector General (HHS OIG) seven-point compliance pro­gram for pharmaceutical companies⁴ or voluntary codes such as the PhARMA code⁵ or the AdvaMed (Advanced Medical Technology Association) code⁶ for device companies typically appoint a chief compliance officer (CCO), who may or may not be an attorney, and may or may not work for the legal department, to oversee the rest of the com­pliance landscape. In public companies, the CCO typically has some form of direct reporting rela­tionship with the CEO or the audit committee of the board of directors. Added to this increasingly complex array is the impact of non-FDA compliance concerns, including some aspects of the Sarbanes-Oxley Act, is the proliferation of qui tam lawsuits⁷aris­ing from the Federal False Claims Act.⁸ This act is a Civil-War era statute under which any citizen may file a claim that the United States has been defrauded and seek to recover damages for the US, of course sharing in the proceeds should the government prevail and should there be a settle­ment. The person filing the case is called the relator meaning the one relating the story. Qui tam cases are being filed by the hundreds against pharmaceutical, device and healthcare delivery companies, often by current or former employees who are rightly or wrongly disgruntled about some compliance issue. Many cases have resulted in very large settlements against major pharma­ceutical companies, ranging from approximately $50 million to $560 million. Furthermore, companies may become sub­ject to deferred prosecutions by the Department of Justice; in some cases, they may decide to dis­close self-identified issues in order to reduce their “score” under the Federal Sentencing Guidelines. Of course, there are concerns about personal accountability under strict liability doctrine for Federal Food, Drug and Cosmetic Act (FD&C Act) violations.⁹ Many of these examples are only applicable to the US; however, other countries may have variations on the same theme, especially within the GxP universe. The consequences of noncompliance in one area may either directly or indirectly impact another. For example, consider the public case of a medical device company that pled guilty to charges of failing to report a large number of serious adverse events to FDA.¹⁰ In addition to paying a large fine, this company was placed under a Corporate Integrity Agreement (CIA)¹¹ with the HHS OIG, on the basis that the prod­uct in question, which was purchased by the US through Medicare funds, was in violation of the FD&C Act, and, therefore, the government was defrauded since it believed the product was in compliance at the time of purchase. Thus, a medical device reporting violation (21 CFR Part 803) and some aspects of the QSR (21 CFR Part 820) resulted in a sanction being applied at the departmental level of HHS, by the OIG, under Title 42 (Medicare). These situations point to the critical need for management oversight designed to prevent violations from happening in the first place and, where that fails, to detect them early on, contain their impact, and take the necessary steps to protect the health and safety of patients as well as mitigate the company’s own regulatory risk. In our consulting practice, often in concert with internal and external counsel, we regularly help companies facing these types of issues, which pro­vides a unique view of the compliance landscape across many segments of the industry, in compa­nies large and small, publicly and privately held. It is rare to find a well-coordinated approach to these disparate compliance issues. More often, responsibilities for each area are isolated from the others, with the result that no one has an com­plete picture of the company’s overall compliance status, much less an awareness of the impact of the discovery of a compliance risk in one area on the compliance status of another. This is particu­larly true in companies where significant compli­ance issues have become manifest in the form of an FDA sanction, a failed preapproval inspection, a CIA or some similar event.

Prescription for Corporate Compliance governance
In recent years, there have been several good approaches to compliance governance advocated by FDA, OIG and in voluntary codes published by industry organizations such as PhARMA and AdvaMed. All of these are useful in their own right, but each has a specific purpose in mind as the primary reason for its existence, be it GMP, advertising or interaction with healthcare provid­ers, Medicare/Medicaid, etc. There is an opportu­nity to coordinate and manage compliance more effectively from a corporate level. While this need takes a different form in large, public companies than in small, privately held firms, the general principles apply to all companies.

The most important steps to take include:

• Recognize that compliance is not just a “cost of doing business,” but rather a critical business issue on a par with oth­ers that require careful management.

• Develop a corporate culture that is sup­portive of attaining and maintaining a state of compliance. Do this through both the words and actions of the leadership team. Subscribe to a formal ethics program such as that advocated by the HHS OIG in its seven-point compliance program, or the PhARMA or AdvaMed code. Establish “safe” channels by which employees may raise concerns without fear of retribution. Communicate the elements of the pro­gram, point out successes and provide training in relevant policies and proce­dures.

• Decide who will manage each of the compliance issues that apply to the company (based upon product(s), stage of development and whether public or private). Provide authority and resources commensurate with responsibility.

• Establish a central point of coordination for all compliance activities, preferably at the senior executive level. If there is a chief compliance officer, this person may be a logical choice. It is not neces­sary for this person to directly oversee all activities conducted to support compli­ance. The objective should be to have a unified view of the company’s overall compliance status, and to recognize linkages that may exist between the various components. In our experience, some companies have accomplished this via a “compliance council” or coordinat­ing committee approach, meeting peri­odically to review relevant compliance metrics and discuss emerging issues.

• Establish meaningful metrics to assess the company’s overall compliance health. Develop concise reporting for­mats that display progress against these metrics and review them systematically on at least a quarterly basis, or more often if needed.

• Develop action items to address issues identified through the process that has been established; document decisions and establish accountability for follow-through on the action items; and verify effectiveness of steps taken.

Conclusion
Today’s healthcare compliance world is complex. Companies can no longer afford a fragmented approach that fails to recognize the interrelation­ship of the various compliance concerns facing the pharmaceutical and medical device industry. Compliance should be recognized as a criti­cal business issue that commands the attention and support of the highest levels of the organiza­tion. Systematic, well-coordinated management of the company’s compliance status is needed not only to avoid adverse consequences but also to create and sustain a corporate culture that is sup­portive of compliance objectives.

REFERENCES
1. Prescription Drug Marketing Act (PDMA), P.L. 100-293, 22 April 1988.
2. Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, 21 August 1996.
3. Federal Anti-Kickback Statute, 42 USC §1320a-7b(b).
4. OIG Compliance Program Guidance for Pharmaceutical Manufacturers, Federal Register, Vol. 68, No. 86, Monday, 5 May 2003.
5. PhARMA Code on Interaction with Health Care Professionals, Pharmaceutical Research and Manufacturers of America, 1 July 2002.
6. AdvaMed Code of Ethics on Interactions with Health Care Professionals, Advanced Medical Technology Association, 1 January 2004.
7. The phrase qui tam is derived from a Latin phrase, “qui tam pro domino rege quam pro sic ipso in hoc parte sequitur,” which roughly translates as “He who sues on behalf of the king as well as for himself.” Black’s Law Dictionary provides a definition of a qui tam action as “an action brought by an informer, under a statute which establishes a penalty for the commission or omis­sion of a certain act, and provides that the same shall be recoverable in a civil action, part of the penalty to go to any person who will bring such action and the remain­der to the state or some other institution.”
8. Federal False Claims Act, 31 U.S.C. § 3729–3733.
9. U.S. v. Dotterweich, 320 U.S. 277, 64 S.Ct. 134[1943];
U.S. v. Park, 421 U.S. 658, 95 S.Ct. 1903[1975.
10. U.S. v. Endovascular Technologies, Inc., Plea Agreement, CR 02-0179 SI, June 2003, USDC N.Dist. Calif., San Francisco Division.
11. Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Endovascular Technologies, Inc., June 2003.

AUTHOR
David L. Chesney is Vice President, Strategic Compliance Services for PAREXEL Consulting, working with cli­ents in the pharmaceutical, biologics and medical device industries worldwide. He directs PAREXEL Consulting’s Strategic Compliance Services Group. Previously, he served 23 years with FDA, joining the agency as an Investigator and completing his tenure as District Director of the San Francisco District Office. Chesney holds a BA in biology from California State University, Northridge, and subse­quently completed postgraduate study in biology there and at California State University, San Diego. He recently received a Certificate in Health Care Compliance from Seton Hall University School of Law. Chesney can be reached at david.chesney@parexel.com.