Kusserow on Compliance: OIG cautions pharmaceutical and medical device companies over speaker programs

The HHS OIG published a Special Fraud Alert cautioning pharmaceutical and medical device companies against conducting speaker programs given the “inherent risks” of implicating the Anti-Kickback Statute and False Claims Act. The OIG cited numerous enforcement actions related to speaker program arrangements, as well as Sunshine Act payment records reflecting significant payments for such programs in recent years. The OIG called for companies to assess the need for re-starting in-person speaker programs that have been paused during the COVID-19 pandemic. The Fraud Alert outlines “suspect” characteristics of a speaker program that may provoke an enforcement action, including the following:

  • Selected high-prescribing persons to be speakers and rewarded them with lucrative fees.
  • There is little or no substantive information presented at the program.
  • Alcohol is available or a meal exceeding “modest value” is provided to program attendees.
  • Held speaker programs at entertainment venues not conducive to educational presentation.
  • Company sponsors many programs on the same or substantially the same topic or product, especially if there has been no recent substantive change in relevant information.
  • Programs conducted where there has been a “significant period of time” with no new medical or scientific information nor new-FDA approval of a product or indication.
  • Programs where the attendees have attended other programs on the same or substantially the same topics more than once.
  • Attendees include individuals who do not have a legitimate business reason to attend the program, such as friends, significant others, family members, practice employees, and others with no use for the information.
  • Sales representatives or marketing personnel involved in the selection of speakers or the company selects HCP speakers or attendees based on past or potential revenue generated by prescriptions (e.g., a return on investment analysis).
  • Payment to HCP speakers exceeds fair market value for the speaking service or compensation takes into account the volume of business generated by the HCPs.
  • Conditioned speaker remuneration on sales targets (e.g., required speaker HCPs to write a minimum number of prescriptions in order to receive the speaker honoraria).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: A reminder about email compliance

The HHS Office for Civil Rights (OCR) continues to report HIPPA Privacy violations involving email transmissions. With the coming New Year, it may be advisable to review electronic patient health information (ePHI) email security, which must adhere to a specific regulatory standard. The HIPAA Security Rule introduced several requirements which must be satisfied before email communications can be considered in compliance with HIPPA. HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

Additionally, HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to: (a) restrict access to PHI; (b) monitor how PHI is communicated; (c) ensure the integrity of PHI at rest; (d) ensure 10o percent message accountability; and (e) protect PHI from unauthorized access during transit. These standards extend to having a schedule for retaining, archiving, and destroying (after six years) emails containing ePHI. Furthermore, emails must be kept safe in transmissions by using encryption. Emails including PHI shouldn’t be transmitted unless the email is encrypted. If the PHI is in the body text, the message must be encrypted. The following email compliance issues should be verified:

  1. All email communications with PHI are being encrypted
  2. Emails are being monitored for compliance
  3. Data inside emails are being protected from cyberattacks
  4. Emails are being stored in an unalterable state
  5. Email retention schedules are being followed
  6. Email chain of custody standards are being followed
  7. Email access is being controlled with individual accounts and passwords
  1. Email accounts are only being used by registered users
  1. Email messages are complying with accepted professional and business practices
  2. Established log-on controlled access procedures and passwords are being followed

 

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Time for Compliance Program evaluation

  1. Have a 2021 workplan focusing on improving the Compliance Program
  2. Not having independent evaluations is evidence of lack of program effectiveness
  3. DOJ & OIG: Identifying & addressing weaknesses evidences program effectiveness

With 2020 coming to an end, it is time to look forward to the New Year and plan ways to identify areas for improvement of the Compliance Program, building off of results of independent evaluations. Both the OIG and DOJ stress the importance of evidencing Compliance Program (“CP”) effectiveness and that all programs are in progress, never completed. They see compliance officers identifying weakness and gaps that lead to improvements as positive evidence of an effective program. The DOJ “Evaluation of Corporate Compliance Programs” notes that there will always be ways the program can be improved and enhanced. The DOJ, in its 2020 Compliance Program Evaluation Guidelines noted: “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment.”  The DOJ highlights the importance of effective implementation and evaluation measures” to determine whether the compliance program a “paper program” or one that is fully “implemented, reviewed, and revised, as appropriate, in an effective manner.” DOJ prosecutors are directed to ask: Does the company evaluate periodically the effectiveness of the organization’s compliance program?” Regular, rigorous, and consistent review of compliance programs is now the expectation.  The OIG calls for ongoing monitoring and independent ongoing auditing of Compliance Programs to evidence continuous improvement.

There are three general ways for independent evaluations: (1) a complete compliance program evaluation; (2) a compliance program gap analysis; or (3) an independently developed and administered employee survey of compliance knowledge, attitude and perceptions.

  1. Compliance Program effectiveness evaluations is recognized by experts as by far the best method to evidence how well the program is functioning. It measures outcome by conducting a 360-degree evaluation that includes: (a) full document examination and review; (b) on site review and testing of operations in action; and (c) interviews of Board members, executives, selective key staff, and focus group meetings. If done properly, the resulting reports with be 60 to 100 pages that include findings, observations, along with recommendations and suggestions for program improvement.
  2. Compliance program gap analysis is about half of the cost or less than a full compliance program evaluation, but the reduction of costs is matched by the diminished value of results. It is primarily a document “checklist” review, focusing on output metrics, rather than outcome metrics related to program effectiveness. It is best used with organizations with new or incomplete programs, desiring assistance in identifying elements needed to complete development of their program.  It can identify gaps for inexperienced compliance officers but lacks details by which this can be accomplished.
  3. Independently developed, validated, and administered compliance surveys of employees is the least expensive means, at a fraction of the cost for either of the two other methods, for evidencing and benchmarking compliance program effectiveness. The use of surveys has long been advocated by regulatory bodies, including in the Federal Sentencing Guidelines, OIG Compliance Program Guidance and DOJ guidelines. These organizations advise using surveys of employees to gauge how well the program is functioning. Surveys that are anchored in a large database of organization, permit benchmarking an organization to the universe. Compliance knowledge surveys test knowledge of the compliance program structure and operations and can provide very credible empirical evidence of the advancement of program knowledge, understanding and effectiveness. Compliance culture surveys focuses on employee beliefs, attitudes, and perception concerning compliance, useful in measuring the extent to which individuals, coworkers, supervisors, and leaders demonstrate commitment to compliance. Both types of surveys should be considered as they are useful in benchmarking and measuring change in the compliance environment over a period and provide different dimensions and perspectives on a compliance program.

For more information on the difference in scope of work between a full compliance program evaluation and a gap analysis, send your queries to Richard Kusserow at rkussserow@strategicm.com.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ compliance program guidelines once again focus on sufficiency of compliance resources

The 2020 Department of Justice (DOJ) Compliance Program Guidance for prosecutors places increased emphasis on questioning the adequacy of compliance resources that the DOJ views as essential for any program’s effective functioning. The DOJ elaborated that prosecutors should ask questions concerning whether the program is “adequately resourced and empowered to function effectively.” Put differently, even the most artfully constructed program is doomed to fail without sufficient funding, qualified compliance personnel, and widespread support throughout all levels of an organization. A question for many health care organizations is whether the organization would pass DOJ scrutiny on this point.

Results from the 2020 SAI Global Healthcare Compliance Benchmark Survey developed with and analyzed by Strategic Management included information regarding the adequacy of resources for Compliance Officers in meeting their challenges. Reading the details of the responses in the Survey suggest that many compliance offices are likely operating with less than fully adequate resources to meet DOJ expectations. The Survey results indicated that the average compliance office staff levels are five individuals with about one third of respondents reporting only one full-or part-time person. In a related question, over half of respondents indicated they are expecting their budget to remain mostly the same with about one quarter expecting some increase, while at the same time assuming new responsibilities, most notably those related to HIPAA Privacy and Security. Given the average staffing level of compliance offices, increasing responsibilities, heightened enforcement by government agencies, and limited increases in budgetary resources, it is likely that most compliance offices are stretching their limited resources and would have difficulty meeting the DOJ standards. The Survey also found that many are turning to external vendors to provide services and tools, to stretch limited staff resources and to lower operating costs.

 

For more information on this subject, contact Richard Kusserow at rkusserow@strategicm.com

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.