Internal Controls: Good People and Wishful Thinking Are Not Effective Compliance Strategies

Bob was a good guy. He was a trusted friend and colleague earning a healthy salary serving as CFO at a multinational corporation. I worked with Bob on several internal investigations of employee misconduct and on the design and implementation of our company’s Sarbanes-Oxley controls. Bob was also a fraudster who stole millions of dollars from our company over a 10-year period. He did so via a classic asset misappropriation scheme in which he used his access to the company’s check-signing machine and general ledger to pay himself nearly $5,000 per week via a fake vendor account he’d set up.

I had the grim task of reporting my friend’s criminal activities to the FBI, which ultimately led to his imprisonment for five years in a federal penitentiary. This painful experience drove home for me something I already knew: Hiring “good people” and practicing wishful thinking alone do not prevent financial fraud; sound internal controls and continuous vigilance does. The same is true with respect to preventing your firm from being the next one caught and maimed in one or more of the “bear traps.”[1]

Development and implementation of effective internal controls to avoid the bear traps is not a trivial exercise; it is detailed, time-consuming, complex work that necessarily impacts virtually every aspect of the business. The following is a high-level recitation of factors you should consider when constructing your firm’s bear trap avoidance strategy.

Start your work by heeding Deep Throat’s advice to Woodward and Bernstein: “Follow the money.” Specifically, health care product manufacturers must develop controls for every activity in which there is transfer of value to health care providers (HCPs) or institutions. This includes, but is not limited to:

• Gifts
• Meals
• Entertainment
• Educational grants
• Research grants
• Charitable contributions
• Personal services and management contracts
• Commercial discounts
• Royalties
• Investment interests
• Product samples
• Demonstration/loaner equipment

Similarly, HCPs and health care institutions must establish internal controls to monitor and regulate the receipt of such value transfers from manufactures and distributors. They must also have internal controls to monitor and regulate patient referrals.

To be effective, all such internal controls must:

• Be consistent with regulatory guidance and applicable industry ethics standards;
• Provide real-time line of sight to value transfers and/or referrals as they happen;
• Compel documentation and transparency with the capacity to rapidly flag policy violations;
• Be overseen on a continuous basis by knowledgeable, independent corporate counsel, accountants and/or compliance professionals who:
  • Do not deliver health care services;
  • Are not part of the sales and marketing team; and
  • Have the authority to halt risky or illegal activities;
• Be routinely audited; and (perhaps most importantly)
• Be practical, integrated into routine operations, strongly advocated by company leadership and embraced by company business professionals.

Satisfying all these criteria for any single control system is a tall order. The challenge is compounded by the fact that bear trap avoidance controls are required for many commercial activities that are critical to business success. Detailing the design of each of the controls necessary for all the risk areas listed above is beyond the scope of this essay. However, by way of example, I’ll outline the key features of an internal control system designed to regulate one of the highest-risk activities for manufacturers: personal services and management contracts with HCPs or health care institutions.

As health care sector compliance professionals are well aware, to ensure compliance with the AKS, personal services and management contracts with HCPs or health care institutions must satisfy all seven requirements specified in the AKS Safe Harbor Regulations. The following are some of the critical attributes of the internal controls necessary to ensure consistent compliance with these requirements:

• Permit only designated authorized individuals to select counterparties and administer such contracts. These individuals should be highly trained and not be front-line sales and marketing personnel.
• Compel completion of a “Needs Assessment Form” detailing the following information:
  • Name and contact information of the employee recommending the contract.
  • Name and contact information and qualifications of the HCP or health care institution to provide the services.
  • An affirmative acknowledgement that the HCP’s employer has been notified and consented to the HCP providing the desired services.
  • A description of the services to be performed.
  • An explanation of the commercial need for the services.
  • A fair market value analysis documenting that no more than fair market value will be paid for the services.
  • A compliance certification that the services are being sought for legitimate purposes and that the selection of the HCP or health care institution was not made based on the volume or value of referrals or business generated between the parties.
  • Signature of the requestor.
  • Signature of a senior executive.
  • Signature of corporate counsel and or compliance professional.
• Compel use of a standardized contract drafted to fully satisfy all relevant AKS Safe Harbor requirements.
• Mandate collection and retention of documentation that services were performed.
• Mandate detailed invoices describing the services performed and the associated fees.
• Record management systems capable of cataloging and reporting payments made and all other associated information necessary to satisfy relevant transparency reporting regulations.
• Continuous monitoring and periodic auditing by trained accounting and/or compliance professionals.

At first blush, these measures may appear to be a bit overblown. However, if your company does not have tight control over this essential but high-risk activity, you and your colleagues are balancing on the high wire with no net and only a giant bear trap below to break your fall.

Although the most significant risks may be associated with activities such as personal services and management contracts – comprising billions of dollars in value transfers from health care companies to providers per year – you must also pay attention to comparatively trivial value transfers, like business meals. In September 2019, drug maker Mallinckrodt paid more than $15 million to resolve FCA and AKS liability for “wining and dining” doctors as a means of inducing prescriptions of the company’s drugs. The following quote from one of the prosecutors involved in this case provides a window into their mindset regarding the importance of aggressive FCA and AKS enforcement:

“The Department of Justice will hold companies accountable for the payment of illegal kickbacks in any form. Improper inducements have no place in our federal health care system, which depends on physicians making decisions based on the health care needs of their patients and not on or influenced by personal financial considerations.”

As often as not, companies and individuals stumble into one or more bear traps out of ignorance of the rules rather than deliberate malfeasance. Consequently, a critical component of your firm’s compliance and ethics program is detailed sales and marketing codes of conduct that effectively communicate what employees can and cannot do in the jurisdictions in which you do business. Part 3 of this series provides practical tips for drafting and distributing such codes.

[1] As mentioned in part 1, the term “bear traps” as used herein refers to the anti-kickback statute (AKS), the False Claims Act (FCA), the Physician Self-Referral Law (aka the Stark Law), the Civil Monetary Penalties Law (CMP) or the Eliminating Kickbacks in Recovery Act (EKRA). Enforcement actions pursuant to these laws against thousands of individuals and companies in the health care sector have resulted in incarcerations and tens of billions of dollars in fines.