Board and Executive Certification of Compliance Effectiveness: Implementation Implications of a Compliance Program Aligned with CIA Trends

(The following article was co-written and contributed to Corporate Compliance Insights by the following authors, all from Navigant Consulting:

• Julie Edgeworth
• Bernard J. Ford
• Saul B. Helman, M.D.
• Julia Singleton
• David Yarin

Contact the authors and learn more about Navigant Consulting at the company’s website: http://www.navigantconsulting.com/)

——————–

Board and Executive Certification of Compliance Effectiveness:

Implementation Implications of a Compliance Program Aligned with CIA Trends

Julie Edgeworth, Bernard J. Ford, Saul B. Helman, M.D., Julia Singleton, David Yarin

Recent Corporate Integrity Agreements (CIAs) from the Office of Inspector General of the Department of Health and Human Services (OIG) have included unique obligations requiring Board of Directors and Senior Management to be held accountable for compliance, while increasing the scope and sophistication of reviews performed by Independent Review Organizations (IROs). These emerging CIA trends are most evident in recent pharmaceutical and medical device company settlements.

What does this mean for Compliance Officers in companies that are either under some form of government enforcement, or who are trying to maintain a compliance program at a level expected by government? What are the implications in the context of Compliance Program design and implementation, beyond what has been considered standard/better practices up to this point?

We consider the evolving requirements of the OIG and propose actions that can be implemented to maintain a Compliance Program that meets or exceeds current OIG requirements.

To provide concrete examples of emerging Corporate Integrity Agreement (CIA) trends, specific requirements have been considered from five CIAs. These CIAs were selected for review because (1) they were implemented in three different years and therefore help to illustrate emerging trends over time, and (2) they emphasize different compliance risk areas (i.e., off-label marketing, arrangements, suppliers and government pricing).

Three of the five companies are biopharmaceuticals, one (Smith & Nephew, Inc.; Zimmer, DePuy, Biomet – collectively “Ortho Four”) specializes in orthopedic medical device manufacturing and one (Bayer) represents the diagnostics and pharmaceutical manufacturing industries.

[table id=1 /]

The unique requirements of these CIAs to be discussed in this paper are:

• Certification processes
• Compliance Effectiveness Reviews
• Board-level and Management Compliance Committees
• Systems and Transactions Reviews

Certification Processes

Many CIAs require that annual reports submitted to the OIG include a signed certification from the Chief Compliance Officer (CCO) to personally attest that the company is in compliance with all aspects of the CIA and that he or she has reviewed the report and reasonably tested its accuracy. Other provisions may also be included in the CCO’s certification.

An important trend in recent CIAs, however, is the requirement that other company employees and/or the Board of Directors (the “Board”) also provide signed certifications regarding compliance with the CIA and/or that the compliance program is effective.

The CIAs for Cephalon (2008), Bayer (2008) and Lilly (2009) required key management personnel to certify that they have been trained on compliance requirements and believe that their particular business units or divisions are in compliance with the CIA, federal health care program requirements, and FDA requirements. Collectively, employees required to provide individual certifications are referred to as “Certifying Employees.”

The Chief Executive Officer (CEO) was designated as a Certifying Employee in the three CIAs referenced above. In addition, certain Executive Vice Presidents (of “Worldwide Medical and Regulatory Operations” and “Worldwide Pharmaceutical Operations” for Cephalon and “Global Marketing and Sales” for Lilly) and vice presidents or directors of certain business units were also required to be Certifying Employees.

The Bayer agreements requires “all Bayer and Bayer Affiliate: presidents, chairpersons, chief executive officers; executive directors, vice presidents; and Chief Medical Officers, and directors of business units of Bayer or any Bayer Affiliate that perform pricing, sales, marketing, contracting, promotion, medical affairs, or medical information functions” be defined as Certifying Employees.

In contrast, the Ortho Four CIA (2007) did not include an employee certification provision beyond that of the CCO. Neither did the original Aventis CIA (2007), but a subsequent 2009 addendum added a requirement for certifications by the Vice President of Market Access and Business Development and the Vice President of Contract and Pricing Management.

Board certification is also a relatively new requirement that has appeared with increasing frequency in recent CIAs.

Board-level certification was not required by the Ortho Four or Aventis CIAs, but was included in the Cephalon, Bayer and Lilly CIAs. The required Board certification language was described in each CIA, requiring that the Board make a reasonable inquiry into the operations of the company’s compliance program and to resolve that the company has implemented an effective compliance program to the best of the Board’s knowledge. Similar to the Certifying Employees requirement, the 2009 Aventis CIA addendum added Board-level certification to the CIA requirements.

Potential implications to companies: To support Senior Management personnel in completing a compliance certification, many organizations require middle-management employees to complete similar certifications. Similarly, for these employees to certify to their business unit or division’s compliance, additional certifications may be required from certain department personnel.

The implication for companies may be that all levels of an organization should be involved in ensuring compliance and made aware of their related responsibilities.

The actual certification process, structure and reporting lines must be detailed, with individual roles and responsibilities identified. Consistency and transparency in the process should be reinforced with a non-retaliation policy in effect. In addition, by requiring Board certifications, one implication is that the OIG is placing ultimate responsibility with the Board for overseeing the company’s compliance program effectiveness.

The role of a comprehensive compliance auditing and monitoring program in providing data to further support compliance program effectiveness assessments cannot be overstated.

Compliance Effectiveness Audits

A required assessment of the company’s compliance program is another emerging CIA trend.

Of the five CIAs referenced above, only the most recent two included this provision. Specifically, Bayer’s CIA required that the Board “arrange for the performance of a review by the Compliance Expert Panel of the effectiveness of Bayer’s Compliance Program (Compliance Program Review), and Lilly’s CIA provided that the compliance committee must “arrange for the performance of a review on the effectiveness of Lilly’s Compliance Program for each Reporting Period of the CIA and shall review the results of the Compliance Program Review as part of the review and assessment of Lilly’s Compliance Program.” Copies of the review were to be submitted with each of the required annual reports to the OIG.

Potential implications to companies: Boards may require having independent compliance audits performed for the purposes of the Board level review, prior to coming under the scrutiny of government and resultant settlement through a CIA, Deferred Prosecution Agreement or Consent Decree. In addition, the certification process up to the CCO must be clearly understood by the Board. For the Board to be effective in their fiduciary responsibilities, the establishment of a separate compliance/compliance and ethics/compliance and risk management subcommittee should be considered.

Board-Level Compliance Committee

The Ortho Four and Aventis CIAs did not include mandates for a Board Compliance Committee, but the Cephalon, Bayer and Lilly CIAs required that Board-level committees provide oversight of their respective compliance programs and meet quarterly to review it. The Board committee review must include, at a minimum, a consideration of the performance of the CCO and the compliance department.

The Bayer CIA requires that the Board retain a Compliance Expert Panel, made up of three independent and objective individuals or entities with expertise in compliance with Federal health care program and FDA requirements. The Lilly CIA further specifies that the Board committee must be made up of at least three independent directors.

Potential implications to companies: As noted above, the implication is that the OIG is placing more responsibility on the Board for the effectiveness of the company’s compliance program. If there isn’t already a compliance committee of the Board in place, the organization’s Directors should consider creating one, and retaining an independent third party to complete compliance program effectiveness audits.

Management Compliance Committee

All five of the CIAs discussed above include provisions for the membership and responsibilities of each company’s management-level compliance committee. The language is the same for each: “The Compliance Committee shall, at a minimum, include the Chief Compliance Officer and other members of senior management necessary to meet the requirements of this CIA.”

In addition, each CIA provides specific examples of personnel and/or departments that should be included in the committee. In most cases, these include (but are not limited to) the CEO and members from the following departments: Legal, Human Resources, Marketing, Business Development, Operations, Finance, and Sales. The bio-pharmaceutical CIAs have also required medical affairs, research and regulatory participation in the committee, reflecting an evolving focus on aspects of the pre-market activities that impact future product performance on the market.

Potential implications to companies: With the requirement that many key divisions of a company be involved in the compliance committee, such as sales, finance, marketing, clinical, compliance becomes the responsibility of the entire company and not just the compliance department itself. One potential implication to companies is that they should make sure that systems are in place to ensure that relevant departments have ownership in compliance-related activities (e.g., policy and procedure development, monitoring activities). The seven elements of compliance are embedded throughout the organization, and not just marketing and sales.

Transactions Review / Systems Review

Each of the five CIAs discussed above include review components to be conducted by an Independent Review Organization (IRO), as summarized in the table below:

[table id=2 /]

Potential implications to companies: With each subsequent CIA requiring more in-depth and unique systems and transactions reviews, organizations should consider the policies and procedures they have in place to address the risks that could be identified in these reviews. Controls around relationships with health care professionals and health care institutions, the marketing of product on-label and government pricing management remain three areas of focus for the OIG, and any compliance program should address and maintain compliance effectiveness through a comprehensive compliance auditing and monitoring program and related corrective action, training and oversight at the Board level.

Conclusion

The five CIAs discussed indicate a clear trend for:

• Increased Board oversight of compliance program effectiveness
• Increased Senior Management Compliance accountability through certification requirements
• Increased requirements for system requirements that support controls around health care professional interactions, and
• Unique ways of identifying potential compliance risks in operations (e.g. call plan assessments)

Top ten compliance program related effectiveness questions for consideration:

1. Is there a Board level compliance committee in place?
2. What are the reporting lines into the Board level compliance committee and do they provide for the appropriate level of transparency?
3. What information does the organization’s Board-level compliance committee receive that allows them to meet their fiduciary responsibility for oversight of the compliance program?
4. Is there an independent audit of the compliance program, whose results are available for the Board level compliance committee?
5. Is there a comprehensive compliance auditing and monitoring program in place, with a sufficient level of independence?
6. Is there a senior management certification process on the effectiveness of the compliance program?
7. How is senior management involved to ensure that their respective business units are properly engaged in the organization’s compliance activities (e.g. in each of the seven elements of an effective compliance program)?
8. Are we incorporating an effective compliance program across the entire organization (vs marketing and sales), including research, clinical development, medical affairs, regulatory etc.
9. What types of risks might be identified if the organization were to perform reviews similar to those required by the CIAs discussed in this article?
10. Are we addressing these and other areas of compliance risk through a compliance risk assessment and prioritized compliance risk register?

Tags: Bayer, Biomet, CIA certification, CIAs, compliance effectiveness audits, compliance program, corporate integrity agreements, DePuy, navigant consulting, OIG, oig requirements, Ortho Four, Pharma Compliance, role of Chief Compliance Officer, Smith & Nephew, Zimmer