50 Shades of Medical Device Compliance

The regulatory landscape for the medical device industry is becoming increasingly complex; and compliance has never been more important. The Department of Justice set a new record in 2014 in FCA litigation by recovering nearly $6 billion, with qui tam relator recoveries totaling nearly $3B. Healthcare fraud continues to be a substantial component of these recoveries.  Additionally, FCPA and Anti-kickback statute investigations, HIPAA and Sunshine Act compliance, and international trade compliance all continue to be top concerns for medical device executives as they look to expand their offerings across the globe. A robust compliance program is necessary to adequately and quickly respond to the aforementioned, and other, potential threats.  That’s easier said than done.  Navigating compliance with the myriad of domestic and international regulations, while balancing the pressures to meet individual and company revenue goals, can be a real challenge for any organization. There are rarely black and white answers – only shades of gray.

When an issue arises, many compounding and mitigation factors can shape its outcome. Can the claim(s) be substantiated? How do we interpret the relevant statute against the claim(s) at issue – is it really a violation? Are internal corrective measures warranted? Are they enough? Should we self-disclose to HHS/OIG? What is our liability and exposure? There’s no easy answer to any of these questions. Entire books can be, and have been, written on each of the four issues profiled here; but even just scratching their surface will demonstrate the complexities facing the medical device industry.

Foreign Corrupt Practices Act (“FCPA”)

The FCPA prohibits corrupt payments, or offers of payment, to foreign officials. In addition to corrupt payments made by direct employees, companies are also liable for bribes paid by a third party or intermediary (e.g., distributor) when the company knew, or should have known, payments would be made in a corrupt way. Additionally, the legislation contains a successor liability clause so it becomes particularly important for compliance to participate in M&A due diligence. Two main areas of uncertainty are present – what constitutes a corrupt payment, and who constitutes a foreign official? With regard to the latter, a complicating factor arises when companies are partially state owned, as is common in some countries. Payments to these companies aren’t necessarily prohibited, but one must tread lightly. A fact specific analysis of the foreign entity’s ownership must be undertaken to determine the government’s instrumentality – its control, status, and function – in the company. The DOJ does provide some guidance here with the general rule hinging on whether the state owns a majority share of the company.  However, that isn’t a hard and fast rule as the DOJ and SEC have pursued cases where the state owned less than 50% of the company at issue.

Similarly, not all payments to foreign officials are corrupt. One of the affirmative defenses to FCPA allegations, though rarely used, is the “local law” defense.  Essentially, the local law defense asserts payments made were lawful under the written laws of the foreign country. Another affirmative defense, the “reasonable and bona fide business expenditure” defense, asserts that the money paid was spent as part of demonstrating a product or performing a contractual obligation – all things that are permitted.  This is more widely invoked.

Distributor Networks & the Office of Foreign Asset Control (“OFAC”)

In addition to the vicarious liability companies carry for the actions of their distributors under FCPA, companies are also liable for their distributor networks, or Sales & Marketing Intermediaries, when doing business in US embargoed countries. With certain exceptions, OFAC allows medical devices and medicines to be sold into countries with US imposed economic sanctions. In order to do business in these countries, a license must be sought and received from OFAC.  Generally these licenses have limitations on what medical products can be imported, who can sell them, and what organizations (or category of organizations) they can be sold to.  For instance a company seeking to sell products into Iran may be granted an OFAC license that states only certain of its respiratory devices can be imported, they’re to be sold exclusively by Distributor XYZ, and only to university and teaching hospitals.  Failure by Distributor XYZ to comply with the restrictions may result in OFAC revoking the license, leading to direct revenue loss for the company.  The activities of distributors must be properly supervised; and they must be adequately and continually trained in the company’s compliance requirements – OFAC, FCPA, and otherwise.

False Claims Act (“FCA”)

On top of the compliance programs directed at operations abroad, medical device companies clearly also need compliance programs directed at managing their US operations. The FCA is just one of the regulations aimed at preventing fraud and abuse in the healthcare industry in the US. It imposes liability on individuals or entities who knowingly submit false or fraudulent claims to the federal government for payment. With programs like Medicare and Medicaid making up a substantial component of many providers’ revenue, FCA compliance is very much top of mind. At first blush this may not seem applicable to non-provider medical device and pharmaceutical companies. However, manufacturers may be liable for FCA penalties (and treble damages) for inducing false claims to be made. This can happen when sales pitches and marketing collateral make claims for off-label uses or outcomes. If those impermissible statements induce a provider to use the product in off-label clinical procedures, and submit for Medicare reimbursement for its use, then that may cause a violation of FCA. The FCA also provides qui tam relators a share in a percentage of the proceeds from any FCA action or settlement they bring forward to the government; and it provides protection to these whistleblowers against retaliation as a result of their providing information related to FCA violations. Companies would be wise to have robust corporate compliance programs that provide their employees’ ample opportunity, and appropriate anonymity, to first report any issues internally.

Physician Payment Sunshine Law (“Sunshine Act”)

Sales and marketing efforts are also a compliance concern when it comes to the Sunshine Act. Enacted in 2012, Sunshine aims to provide patients with transparency into relationships between doctors and device manufacturers. It requires device manufacturers report all payments/transfers of value to physicians of $10 or more, or when items less than $10 aggregate to $100 or more. It’s important to note that the Sunshine Act doesn’t prohibit or restrict industry/physician collaboration, interaction, or transfers of value (that are otherwise permissible – i.e., not a kickback or fraudulent transfer). The Act also requires disclosure of investment interests held by physicians, and their immediate family members, in group purchasing organizations and manufacturers. Certain exclusions do apply, and it is the job of compliance to know what they are. It is also their job to audit the program, sales expense reports, and HCP agreements, as well as to timely, accurately, and completely report the company’s physician payments. Penalties for failing to report or for reporting inaccurate or incomplete information can be up to $1.15M a year.

By now it should be clear that compliance in the medical device industry isn’t black and white; and aiming for compliance perfection is likely an unattainable goal. There are many more pressing issues affecting the industry, beyond the four highlighted here. Moreover, with the record number of actions and recoveries coming from DOJ and SEC enforcement actions, the tide is unlikely to turn anytime soon when it comes to regulatory compliance issues in healthcare. Medical device companies would be wise to adopt a culture of compliance and implement robust compliance programs with ample internal training, reporting, and response systems in place.  Having the right policies and procedures in place is only the first step, however.  Acting upon them, thoroughly investigating allegations of wrongdoing, and following through with appropriate corrective measures are what’s required to keep organizations in the, as you might say, lighter shades of compliance gray.