Corporate Integrity Agreements - Lessons for Life Science Experts

Maija Burtmanis LLB/BSc, LLM

What exactly does a CIA-tailored Compliance Program for a Life Sciences company cover, and are they effective?

Today, it seems that every high profile company has had a CIA or is currently operating under one - which can have far reaching impacts on employee retention, investor confidence and corporate “culture”.

Indeed, CIAs are the norm these days and most companies tailor their Compliance, Ethics & Integrity Programs around them………The fact is that many lessons can be learnt by astute Legal, Risk and Compliance folks - who wish to fine tune their own in-house programs - by keeping abreast of the evolution in CIA requirements which target operational areas of “key concern” (or topical industry interest).

Valuable Lessons to be Learnt from CIAs

Should a corporation be subject to an investigation for fraud, abuse or misconduct under a variety of US Federal healthcare legislation, then the Office of Inspector General (attached to the Dept of Health & Human Services) will typically negotiate a Corporate Integrity Agreement (CIA) as part of the settlement of alleged civil false claims.

Given the sheer volume of oversight legislation, the complexity of Life Science operations on a global stage, the number of “vested financial interests” in the private-public sector, and the imperfections in most companies / organizations which deal across jurisdictions, there is a robust library of CIAs to reflect upon. Indeed, not too many “notable” brand conscious companies are immune or absent from the “CIA Follow-up” list.

Whilst there may be some irony in keeping “good company” with many Fortune 500 companies in the CIA Hit List (no pun intended), there is nothing worse than finding oneself in “breach” of a legal undertaking to the US government or even in flagrant ignorance about existing CIA requirements amongst personnel within a leading organization. Importantly, a corporation may be subject to exclusion from US Federal healthcare programs for a material breach of an existing CIA and also subject to monetary penalties for less significant breaches.

The bottom line is that there are so many extant CIAs – that highlight “targeted” activities which many companies routinely engage in - that savvy Legal, Risk and Compliance professionals should be paying very close attention to, in both the short and long term.  

Such an investment of time would bring untold benefits to the organization in (i) focusing keen attention on high value preventative activities, (ii) in educating the workforce, (iii) in bridging “compliance gaps”, and (iv) in protecting the assets and reputation of the company. 

What is the legal framework which sits behind a CIA?

It is an understatement to observe that the legal framework, regulating innovative industries in the US, is both expansive and expensive.

The starting point is to appreciate the legal landscape in which the corporation operates in, both in its resident jurisdiction but also in all international markets in which it has a presence. The US Federal Healthcare laws and regulatory requirements form the legal basis of CIAs and comprise the following:

• Federal Food, Drug & Cosmetic Act
• US False Claims Act
• Federal Anti-kickback Act
• Foreign Corrupt Practices Act
• Medicaid Rebate Program Act
• Federal Civil Money Penalty Act
• Federal Exclusion Statute
• Sarbanes Oxley     

Other US laws and regulations address issues such as Privacy, Off-label Drug Promotion, Medical Education, Fraud & Abuse Safe Harbours, as well as the OIG Compliance Guidance for the Pharma Industry.

All of these statutes deal with specific areas of business and regulatory operation, and are fundamentally designed to “protect patients and the public purse” against fraud and abuse.

Elements of a CIA

A comprehensive CIA typically lasts 5 years and includes the following key requirements which a subject corporation should address:

• Hire a compliance officer/appoint a compliance committee;
• Develop written standards and policies;
• Implement a comprehensive employee training program;
• Retain an independent review organization to conduct annual reviews;
• Establish a confidential disclosure program;
• Restrict employment of ineligible persons;
• An obligation to report overpayments, reportable events, and ongoing investigations/legal proceedings; and
• Provision of an implementation report and annual reports to OIG on the status of the organization’s compliance activities.

What is “caught” in a CIA?

• CIAs have many common elements, with each one addressing the specific facts at issue whilst also endeavoring to make concessions to accommodate many elements of a preexisting voluntary compliance program.  
• An individual CIA will require a corporation to agree to certain “undertakings and commitments” over a period of time in order to redress some alleged corporate misbehaviour. Essentially, these “undertaking and commitments” translate into the corporation promising to take certain (defined) concrete actions to prevent repeat offences and / or to demonstrate that any gaps within an internal controls and compliance framework are being filled or tightened.
• Some common “observations” or call out actions within Life Sciences CIAs will initially focus on high level corporate legal requirements and then delve into many specific (regulated) activities, which revolve around the proper legal / ethical management of “promotional” and “non-promotional” practices. Some common CIA observations include the following:

High Level:

• Accuracy and integrity of books, records and accounts
• Embedding of company standards, policies & procedures
• Avoiding conflicts of interest
• Protection of confidential information
• Appropriate meals, gifts and entertainment

Targeted Activities / Engagements:

• Appropriate promotion of drug / medical device products – including, the creation, review and approval of both promo and non-promo material
• Legitimate use of drug samples
• Evaluation and / or demonstration of medical device products
• Responding to unsolicited requests
• Advisory Boards and Speaker Programs
• Appropriate Corporate Representation at certain events (Commercial, Medical, Regulatory, Corporate Affairs, Legal or Finance)
• Sponsorship for “professional services” – purpose, need, legitimacy
• Appropriate use and classification of “grants” and “donations”
• Investigator-initiated trials
• Post marketing studies and trials
• Scientific publications
• Appropriate distribution of educational items        

There is little doubt today, that smart companies should be paying close attention to the evolution of CIA mandates by Enforcement Agencies amongst industry peers in order to keep abreast of expected “internal control standards”.

This actually means investing in a robust (visible) CIA internal training program; having sufficient and appropriately skilled resources in place to review and approve “high value” activities; ensuring that Policies and Procedures are clear, concise and “executable”; and being in a confident position to advise senior management about the real risks or gaps in a compliance program which may be absent with regard to some of the expected key controls. In simplistic terms, this boils down to an ever present Tone at the Top and a genuine understanding by Management to appropriately embrace (and resource) a forward thinking “risk” mentality.

The “nirvana” of achieving a “bullet proof” compliance program is certainly a work in progress, best served through an organisation’s steady and consistent investment, interest and reward in integrity and ethics.  The ultimate goal should be to inculcate a natural attitude of “compliant” and ethical decision-making within all quarters of the Company, which has a huge positive impact on the organisation’s business practices, sales performance, employee engagement and corporate reputation.

This is surely a “win-win” cure for those who really strive to be the best.

                                                              *      *        *