Pharmaceutical and device companies can expect federal agencies to begin pursuing enforcement actions against companies that fail to comply with Open Payment reporting requirements within the next year, according to Mary Riordan, senior counsel at the Health and Human Services' Office of Inspector General. The Affordable Care Act provides for penalties for manufacturers who fail to timely, accurately or completely report the information and for those who knowingly fail to timely, accurately or completely fail to report financial arrangements.
Moreover, Riordan, the keynote speaker at this year's Annual Pharmaceutical Compliance Congress and Best Practices Forum in October, noted for the audience, the Open Payments system is a very easily searchable public database with information that will be of interest to the public, law enforcement, the media, researchers, and many others. It's important for companies to be aware of and have controls around financial relationships the company has to ensure it can provide appropriate answers to questions that will inevitably come its way.
To ensure compliance with reporting requirements, Riordan advised the audience to set up meaningful controls around relationships and arrangements that could implicate kickback regulations, use the information collected about these relationships as a tool to improve compliance efforts, integrate compliance efforts into business operations, and develop monitoring and risk-assessment programs. Here's what the HHS-OIG senior counsel had to say about how to act on this advice.
Identify and Establish Meaningful and Effective Controls Around Relationships
Do you know all of the types of financial relationships that your company has with prescribers, purchasers, or recommenders of your product that could potentially implicate the kickback statute? Is there a legitimate need for those relationships? Are there processes and controls in place to make sure relationships are lawful and don't run afoul of kickback statutes? A company should ask and be able to answer all of these questions, Riordan told the audience.
Before establishing controls, the company must identify all relationships or arrangements, including contractual arrangements with healthcare providers such as speakers, consultants, and researchers. Also included are payments or transfers of value that the company makes to physicians or others: meals provided at speaker programs, food provided to physician officers, and gifts or educational items given to healthcare practitioners. Less common but still important are discount or rebate arrangements with individuals or entities in a place to recommend the use or prescription of the company's products, including specialty pharmacies, formulary decision makers, pharmacy benefit managers.
After identifying relationships and arrangements, companies should consider all implications of such arrangements and ensure their policies are consistent with applicable compliance requirements. For example, "while discount and rebate arrangements can raise issues under the anti-kickback statute, they can also implicate price reporting obligations in connection with Medicaid Drug rebate program and Medicare program," Riordan explained. "Make sure that company's methodologies for calculating average sales price, average manufacturer's price, best price, as applicable, are sound and legally compliant."
Use the Open Payments System As a Compliance Tool
Companies should think about ways the Open Payments system could be a tool in its ongoing compliance efforts, said Riordan. Companies should generate aggregate reports several times a year to review aggregate payments to individual physicians and use those reports to identify outliers to, for example, determine if the amount or number of payments are legitimate. Reports can also be helpful in identifying trends or spikes in number or amount of payments in geographic regions or for particular types of physicians.
"Your companies have spent a lot of time, effort, and resources to comply with open payments reporting requirement and I would recommend that you capitalize on those investments and use the information for compliance purposes as well," Riordan explained.
Weave Compliance Efforts Into Business Operations
Compliance cannot be the responsibility of just the compliance officer or department, said Riordan. Nor should it be just something that is discussed once or twice a year at the time of trainings or certifications. Compliance must be the responsibility of everyone, including the board of directors, which has a fiduciary duty to actively oversee and support compliance efforts at company. "Individuals across the organization, but especially in the sales, marketing, and medical affairs area really have to be involved in and accountable for compliance," Riordan advised.
Compliance officers should speak with business units and gain an understanding of the challenges they face and structure compliance in a way that is good for both the business and the company.
According to Riordan, the standard compliance program has a compliance officer with all the necessary support and resources, written policies and procedures, and a strong training program that is meaningful for employees (one that uses a variety of training methods, provides instruction and materials relevant to individual job functions), and a well-established and well-used program to appropriately discipline employees engaged in noncompliant behavior.
Programs can underscore individual accountability and make individuals accountable for compliance by, for example, requiring annual certifications from executives of the companies and managers in key business units or, as OIG has already seen, set up a series of subcertifications so that certifications for lower level staff provides the basis for certifications for executives. Companies can also set up a system of reward and discipline relating to compliance, using employee evaluations and bonuses within that system. For example, the completion of compliance training and the absence of any compliance incidents could be prerequisites to receiving a bonus. And according to Riordan, they should be.
Establish Monitoring Policies, Risk-Assessment Program
All of the above is not enough alone; compliance has to be monitored and tested. Companies should use monitoring programs to determine if the program is having the desired effect and if not, identify and fix those areas of vulnerability. "There's no single way to audit a company's practices. But instead, you have to understand your company's operations in order to develop monitoring methods that make sense for your company's operations," explained Riordan.
Companies should also establish risk-assessment programs and through them, routinely assess their risks and implement measures to reduce those risks. Think holistically about the organization and the risks it faces based on the culture of the company, the size of the organization, the way the organization is structured, and the products the company has.
A good risk assessment program is effective at assessing and identifying risks, helps lead to the development of a plan to monitor and mitigate the risks, and provides for the implementation of mitigation plans.