“If you don't know where you’ve come from, you don't know where you’re going.” —Maya Angelou
Understanding the expectations and operation of current healthcare compliance programs is very difficult without a fundamental grounding in how these programs have evolved over the past three decades. Like many things in life, the history of healthcare compliance is both complex and convoluted, involving multiple stakeholders with differing interests. Although healthcare compliance began as a response to the corporate and healthcare environment and rampant, unchecked fraud, healthcare compliance programs have emerged to become a societal expectation that also gave rise to an entirely new profession.
The Murky Origins of Healthcare Compliance
Pinpointing an exact date compliance programs and the profession came into existence is difficult. Some scholars and practitioners believe the true origin of the compliance program is traceable to the enactment of the Foreign Corrupt Practices Act (FCPA) in 1977. However, the consensus is that the origins of compliance programs date to a series of procurement scandals in the mid-1980s involving the Department of Defense, the Pentagon, and various defense contractors.
Of the various Defense Department procurement scandals in the 1980s, the so-called “spare parts scandal” in 1985 became the major driving force for reform. It was a scandal that captured the attention of both Congress and the public with the revelation of the incredible prices the Pentagon often paid for basic equipment, such as a $435 hammer and the infamous $600 toilet seat. In response to growing public outrage over the abuse of taxpayer funds, President Ronald Reagan appointed the President’s Blue Ribbon Commission on Defense Management to review the situation and recommend reforms.
The Packard Commission, as the group was more informally known, issued an interim report in February 1986. For compliance history, the crucial recommendation by the Blue Ribbon Commission was that:
To assure that their houses are in order, defense contractors must promulgate and vigilantly enforce codes of ethics that address the unique problems and procedures incident to defense procurement. They must also develop and implement internal controls to monitor these codes of ethics and sensitive aspects of contract compliance. [emphasis added]
The Blue Ribbon Commission also stressed that “[g]overnment actions should foster contractor self-governance,” urging the Defense Department not to routinely subpoena internal audit materials to avoid discouraging “aggressive self-review.”
In response to the interim report, 18 of the country’s top defense contractors formed the Defense Industry Initiative on Business Ethics and Conduct (DII). Under the leadership of Jack Welch, then-CEO of General Electric, the DII developed five core principles, which 32 defense contractors signed onto by July 1986.
The central tenet of the principles, which still exist, is a commitment to “act honestly in all business dealings with the U.S. government.” To achieve this objective, DII members agreed to:
Establish written codes of business conduct.
Reinforce an ethical culture through communications and training.
Encourage employee reporting of suspected misconduct and prohibit retaliation against reporters.
Share business ethics and compliance best practices.
Transparently and publicly report on individual company progress to establish an ethical culture.
It was the formation of the DII and its principles that set the stage for the next major leap in the evolution of compliance programs.
In the Beginning—The U.S. Federal Sentencing Commission
Prior to the Sentencing Reform Act of 1984, federal district court judges possessed almost unlimited authority to fashion a sentence for criminal defendants within a broad statutorily prescribed minimum and maximum range. Thus, individual judges exercised broad discretion to determine “the various goals of sentencing, the relevant aggravating and mitigating circumstances, and the way in which these factors would be combined in determining a specific sentence.” As a result of this unregulated discretion, the sentences for similar criminal conduct varied dramatically, creating the justifiable perception that the federal sentencing system resulted in “an unjustifiably wide range of sentences [for] offenders convicted of similar crimes.”
With the enactment of the Sentencing Reform Act of 1984, Congress sought to address the apparent inequities caused by discretionary judicial sentencing. Rather than remove all judicial discretion, Congress chose instead to create the independent U.S. Sentencing Commission (the Commission) tasked with establishing “sentencing policies and practices for the Federal criminal justice system.” However, Congress also tasked the Commission with maintaining “sufficient flexibility to permit individualized sentences when warranted by [evaluating individual] mitigating or aggravating factors.” Thus, Congress expressly charged the Commission to pay “particular attention” to “providing certainty and fairness in sentencing and reducing unwarranted sentence disparities.”
To accomplish this purpose, Congress directed the Commission to establish a set of guidelines that federal judges must use for selecting sentences within the prescribed statutory ranges.
As laid out by the Sentencing Reform Act, the Commission’s guidelines needed to consider:
The seriousness of the offense while promoting respect for the law and providing a just punishment.
Whether the punishment would create an adequate deterrence of criminal conduct and protect the public from further crimes of the criminal defendant.
Whether the punishment provides the defendant with educational or vocational training, medical care, or other correctional treatment in the most effective manner.
The primary focus of the Sentencing Reform Act involved sentencing disparities for individual criminal defendants. For example, Congress noted that:
Major white collar criminals often are sentenced to small fines and little or no imprisonment. Unfortunately, this creates the impression that certain offenses are punishable only by a small fine that can be written off as a cost of doing business. 
However, Congress also granted the Commission broad latitude to “include in the guidelines any matters it considers pertinent to satisfy the purposes of sentencing.” Thus, the Sentencing Reform Act also addressed the sentencing of organizations, which are defined as “a person other than an individual.” As the Senate Report outlining the legislative history of the Sentencing Reform Act stated:
Current law...rarely distinguishes between individuals and organizations for sentencing purposes. Thus, present law fails to recognize the usual differences in the financial resources of these two categories of defendants and fails to take into account the greater financial harm to victims and the greater financial gain to the criminal that characterizes offenses typically perpetrated by organizations.
Therefore, it is not surprising that the Commission ultimately addressed the sentencing of organizations, as well as individuals, in its set of guidelines.
Compliance Programs and the Federal Sentencing Guidelines
Although the Commission was organized in late 1985 and published its initial set of guidelines in November 1987, it took until 1991 for the Commission to publish chapter eight of its guidelines—the Federal Sentencing Guidelines for Organizations (FSGO). With the publication of the organizational guidelines and its seven elements of an effective compliance program, healthcare compliance programs were born.
As conceived by the Commission, the new chapter eight was intended as a “mechanical structure [that] determines an appropriate monetary fine through means of a mathematical formula: assigning a dollar figure to the seriousness of the offense and multiplying that number by a figure representing the culpability level of the organization.”
Thus, the Commission employed a carrot-and-stick approach allowing judges to consider a series of aggravating and mitigating factors that they could use to determine the final sentence for an organization (i.e., the culpability score).
Under the FSGO, an organization’s final penalty is calculated using this formula:
Statutory Base Fine x (Aggravating Factors - Mitigating Factors) = Final Fine
Consequently, the intent of the FSGO was not only to “encourage corporations to exemplify ‘good corporate citizenship’ but also provide a means to ‘rehabilitate’ corporations that have engaged in criminal conduct.” The Commission hoped that:
[O]rganizations would come to view this guideline scheme as a powerful financial reason for instituting effective internal compliance programs that, in turn, would minimize the likelihood that the organization would run afoul of the law in the first instance.
In other words, organizations would implement compliance programs proactively before any illegal activities occurred.
Where an organization could prove it had an effective compliance program in place, the FSGO allowed a three-point reduction in the culpability score if “the offense occurred despite an effective program to prevent and detect violations of law.” Therefore, according to the Commission, “[t]he hallmark of an effective [compliance] program...is that the organization exercises due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.” This statement by the Commission, however, makes clear that compliance programs were never intended as an absolute guarantee that criminal conduct would not occur.
To guide organizations wishing to implement a compliance program, the Commission defined within an application section comment the seven criteria for a compliance program to qualify as “effective” and receive mitigation credits. This comment launched the now famous seven elements of an effective compliance program.
Summarizing the application comment, an effective compliance program requires that an organization:
Appoint someone with sufficient authority in the organization to oversee the compliance program (e.g., a compliance officer).
Develop compliance standards that employees and others working on behalf of the organization can follow to reduce the likelihood of breaking the law (e.g., policies and procedures).
Communicate those compliance standards to employees and others working on behalf of the organization (e.g., training or publications).
Create steps to ensure compliance standards are working as intended (e.g., monitoring and auditing).
Create a mechanism for anyone to report suspected misconduct without retribution (e.g., the hotline) and enforce compliance standards with appropriate sanctions (e.g., discipline).
Avoid granting substantial discretionary authority to anyone the organization knew or should have known would commit illegal activities (e.g., bad actors).
Take the necessary steps to correct any misconduct detected to prevent it from reoccurring (e.g., corrective actions).
These elements, however, were not industry specific, but were intended to apply to all organizations across industries. As the Commission explicitly recognized, any determination of whether an organization’s compliance program was effective required considering several factors, including “the size of the organization,” “the likelihood that certain offenses may occur because of the nature of its business,” and the organization’s prior history.
The mere existence of a program that on paper contains the seven elements does not automatically guarantee that an organization will receive the mitigation credits. Various actions, or inactions, by the organization can invalidate any potential benefits of having a compliance program. For example, the Commission also recognized the importance of industry practices or standards and determined that the failure to apply those practices and standards would weigh against “a finding of an effective program to prevent and detect violations of law.” Other factors that could invalidate the possibility of receiving credit for the compliance program included the participation of high-level company personnel in the misconduct or their willful blindness to its existence.
Defining High-Level Personnel
According to the 1991 version of the FSGO, “high-level personnel” meant “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.” Therefore, the term specifically included “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.” It also included agents within a business unit who set the policy for or control that business unit.
Compliance Programs Become the ‘Gold Standard’
From 1991 through 2010, compliance programs meeting the seven elements were encouraged but were not legally or regulatorily mandated. However, the FSGO provide a universal framework and starting point for compliance professionals developing effective ethics and compliance programs.
The Caremark shareholder derivative decision, decided in 1996, is widely recognized by courts, compliance professionals, and experts as standing for the proposition that a critical aspect of good corporate governance is for a corporation to implement and maintain an effective compliance program that meets the elements laid out in the FSGO. In the Caremark decision, the Delaware Chancery Court wrote:
It is important that the board exercise a good faith judgment that the corporation's information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.
Therefore, the Delaware Chancery Court observed that in the context of corporate governance “[t]he [Federal Sentencing] Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts.” Therefore, the Chancery Court concluded “[a]ny rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers.”
The result of the Caremark decision, and other enforcement actions, is that “thousands of companies across the United States, and even outside the U.S.,” have created or enhanced their compliance or ethics programs. Therefore, it is no exaggeration to conclude that the seven elements of an effective compliance program remain the gold standard to this day.
Validating the Effect of the FSGO: Izraeli and Schwartz Paper
The 1998 Izraeli and Schwartz paper, published only seven years after the Commission adopted the seven elements, was important validation that the FSGO compliance framework had become universal. The authors presented substantial evidence supporting that conclusion.
This evidence included a survey of 333 companies, across industries, that found that more than 60% of the respondents either created a compliance program or reinvigorated an existing compliance program because of the FSGO. Another survey of 750,000 employees from 203 large US corporations revealed 38% of the participating companies “significantly improved their ethics compliance environments following enactment of the Guidelines.” Finally, a 1994 survey of more than 4,000 US workers determined that “ethics programs are beneficial in improving organization ethics.”
Program Adoption: Planting the Seeds
Without an express government mandate, the adoption of healthcare compliance programs was exceedingly slow. However, two events coincided to jumpstart those efforts, thereby planting the seeds of today’s healthcare compliance programs.
In 1993, Janet Reno, President Clinton’s attorney general, announced that healthcare fraud was the Department of Justice's (DOJ) second priority behind violent crimes. To support this priority, Reno requested additional funds to free up FBI agents to investigate healthcare fraud as part of a Health Care Fraud Task Force. The task force used resources from the U.S. Attorneys’ offices, FBI, Department of Health & Human Services (HHS), Office of Inspector General (OIG), and state Medicaid Fraud Control Units together with private insurers to investigate and prosecute healthcare fraud.
That same year, HealthSpan Health Systems Corporation, which later became part of the Allina Health System, settled with the DOJ to resolve claims that the company had submitted thousands of incorrect bills for unnecessary ambulance transport services. According to Dan Roach, former in-house counsel to Allina, the $3 million settlement “contained two paragraphs that essentially stated that the company would implement a compliance program and file annual reports with the OIG for a period of three years.” The company also was required to provide employee education, conduct a “statistically valid audit” of submitted claims, and report the results to the government.
Healthcare Compliance Starts Taking Root
In 1994, two settlements—one involving a healthcare provider organization and the other a life sciences company—demonstrated that seeds of healthcare compliance programs had germinated and were taking root within the industry. Both settlements went further than the HealthSpan settlement and detailed the structure of the respective compliance programs. Although couched as plea agreements, these settlements were the forerunners to the corporate integrity agreements (CIAs) seen today.
The case against National Medical Enterprises (NME) resulted from a wide-ranging investigation conducted by six separate federal agencies and multiple U.S. attorneys’ offices for alleged kickbacks and fraudulent Medicare billing. In addition to $379 million in fines and penalties, NME was required “to develop a corporate integrity plan to assure fair patient treatment.”
The C.R. Bard, Inc. case began as an investigation by the U.S. Food and Drug Administration (FDA) and the U.S. attorney’s office in Boston for violations of the Federal Food, Drug, and Cosmetic Act (FFDCA). In the end, Bard, a medical device manufacturer, pleaded guilty to 391 felony counts and agreed to pay almost $62 million in fines and penalties. District Court Judge Wolf, in his opinion accepting Bard’s settlement and guilty plea, condemned the company’s actions, stating that “[i]n the view of this court…the officers and directors of Bard…are morally responsible for a corporate culture which placed potential profit above the value of human life.”
As illustrated by the NME and Bard settlements, the initial focus for compliance programs was largely confined to establishing the role of the compliance officer and instituting the basic compliance framework outlined by the FSGO. These baseline requirements typically involved:
Hiring a compliance officer and establishing a compliance committee.
Developing written compliance standards and policies.
Implementing an employee training program.
Establishing a confidential disclosure program (e.g., hotline).
Restricting the employment of ineligible persons (e.g., pre-employment screening).
For companies under a plea agreement, providing implementation and annual reports to the OIG on the status of the entity’s compliance activities also was a fundamental requirement.
Compliance Coordinator vs. Compliance Officer
Also, as a historical note, the Bard plea agreement did not use the term “compliance officer.” It referred to that position as “compliance coordinator.” Although the title did not have the same gravitas as compliance officer, given the role that compliance officers play in overseeing and coordinating a company’s compliance efforts, it perhaps was a better descriptor of the role.
Although many of the mandated compliance program provisions in the Bard settlement appear rudimentary by today’s standards, it marked the first time that a drug or device company was required to implement a compliance program embodying the seven elements. Therefore, like the HealthSpan and NME settlements did for providers, the Bard settlement motivated both pharmaceutical and medical device companies to view corporate compliance as an operational priority.
The routine adoption of healthcare compliance programs took another significant step forward with the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is perhaps best known for its efforts to protect the privacy of patient identifiable health information, but the statute is more than just an insurance and privacy law.
What is often overlooked is that HIPAA also specifically tackled fraud and abuse within federal healthcare programs. For example, HIPAA mandated the creation of the Health Care Fraud and Abuse Control Program and outlined the use of exclusion from federal healthcare programs as the ultimate penalty for healthcare violations.
In response to HIPAA mandates, the DOJ issued a series of directives and guidelines in the Justice Manual outlining the operation of the Health Care Fraud and Abuse Control Program. Beyond detailing how various federal and state enforcement entities should work together, the DOJ specified that, as a general rule, any “settlement of health care fraud issues should have an accompanying compliance agreement or compliance provisions aimed at preventing future wrongdoing by putting safeguards in place to correct past misconduct, and identify and correct any future misconduct.” Furthermore, the Justice Manual noted that in the case of healthcare, it is “the responsibility of HHS to negotiate such an agreement where the Medicare or Medicaid program is implicated.”
Less than a year after establishment of the Health Care Fraud and Abuse Control Program and the DOJ’s Justice Manual directives, SmithKline Beecham Clinical Laboratories announced that the company had agreed to pay $325 million to settle allegations that the company defrauded federal and state healthcare programs, including Medicare and Medicaid. The original suit was brought by Robert Merena (a whistleblowing ex-employee), but the government intervened as part of its larger investigation of laboratory company billing practices. Known as Operation Labscam, the suit and investigation alleged that SmithKline engaged in various practices allowing the company to bill for unauthorized or medically unnecessary laboratory tests. Beyond the monetary settlement, SmithKline was obligated to implement a compliance program.
The OIG’s Compliance Program Guidance Documents
In addition to its monetary settlement, SmithKline was required to implement a compliance program that followed the OIG’s new model compliance program guidance for clinical laboratories, which was announced as part of the settlement agreement. According to June Gibbs Brown, then-inspector general for HHS, the model compliance program guidance was an effort toward “‘promoting a high level of ethical and lawful corporate conduct and preventing future scams.’”
From 1998 to 2003, the OIG issued a series of compliance program guidance documents that pertained to a wide variety of healthcare organizations and companies, including hospitals, home health agencies, and clinical laboratories in 1998; durable medical equipment and hospices in 1999; nursing facilities in 2000; and pharmaceutical manufacturers in 2003.
The OIG’s stated purpose in issuing these guidance documents was “to encourage the use of internal controls to efficiently monitor adherence to applicable statutes, regulations and program requirements.” The guidance documents also were consistent with the Health Care Fraud and Abuse Control Program’s efforts to provide additional clarity to the healthcare industry on “the anti-kickback statute and other statutory provisions.”
Each guidance followed a standard pattern of discussing the elements of an effective compliance program as outlined by the FSGO in the context of the target industry segment. Therefore, the OIG articulated what it felt constituted leading practices at the time for various industry segments.
Although the OIG did not establish specific guidance for every healthcare industry segment (e.g., medical device manufacturers or pharmaceutical distributors), a close reading of the guidance for pharmaceutical manufacturers published in 2003 revealed the OIG thought the guidance might be useful to other groups as well:
In addition, the compliance program elements and potential risk areas addressed in this compliance program guidance may also have application to manufacturers of other products that may be reimbursed by federal health care programs.
Therefore, in the OIG’s opinion, compliance program guidance does not necessarily need to be written for a specific industry segment to contain pertinent insights on what constitutes effective compliance.
Life Sciences Compliance: The TAP Settlement and the PhRMA Code
Two years before the OIG formally released its compliance program guidance for pharmaceutical manufacturers, the TAP Pharmaceutical Products, Inc. settlement ushered in the modern era of healthcare compliance programs for drug and device companies. Although TAP was not the first life sciences case, it was in a class by itself.
Like the SmithKline clinical laboratories case, the TAP case originated as a whistleblower claim, which at the time was still relatively rare. However, unlike the SmithKline settlement, the fine in TAP was unprecedented.
At $875 million, it was more than 2.5 times the fine in the SmithKline case ($325 million), and it quickly grabbed the attention of industry boards of directors. But perhaps most importantly, TAP ushered in the era of the modern drug and device company CIAs.
With the TAP CIA came many of the requirements we view as standard in today’s CIAs and compliance programs. For example, the TAP CIA introduced the now well-established concepts of the compliance committee, Independent Review Organizations (IROs), and reportable events. It also expressly mandated that the chief compliance officer be part of the company’s senior management and have access to the board of directors to make regular reports. Furthermore, just like the SmithKline settlement did for clinical laboratories, many of the provisions of the TAP CIA ultimately were incorporated into the OIG’s Compliance Program Guidance for Pharmaceutical Manufacturers issued two years later in 2003.
In between, and less than a year after the TAP settlement, the Pharmaceutical Research and Manufacturers of America (PhRMA) issued a voluntary code for its members that took effect on July 1, 2002. Although often overshadowed by the OIG’s compliance program guidance, the “Code on Interactions with Health Care Professionals” was developed largely as a response to the pharmaceutical industry’s increasingly negative compliance image. The PhRMA guidance was an important development, as it was industry-generated, and some states required adherence to its provisions as a condition for obtaining and maintaining a business license. For example, pharmaceutical manufacturers registered with the states of Massachusetts and Nevada must annually certify their compliance with the PhRMA provisions.
The FSGO Matures: 2004 Amendments
By 2004, researchers, legal commentators, and regulators had a substantial body of evidence demonstrating that compliance programs were a valuable tool for addressing corporate misconduct, including healthcare fraud and abuse. However, at that time, judges and compliance professionals were still operating from the FSGO comment first articulated in 1991.
However, that changed in 2004 when the Commission elevated the corporate compliance discussion from a comment to an entire section and made substantive changes to the comment’s original requirements. The 2004 amendments were the “culmination of a multi-year review of the organizational guidelines [that] implements several recommendations issued on October 7, 2003, by the Commission’s Ad Hoc Advisory Group on the Organizational Sentencing Guidelines (Advisory Group)….” Thus, the Commission created the new section “[i]n order to emphasize the importance of compliance and ethics programs and to provide more prominent guidance on the requirements for an effective program.”
Furthermore, the Commission was explicitly clear that the new compliance program section was not intended simply for judges at the time of sentencing, but to “provide an important roadmap for compliance officers and corporate officials throughout the country” and “encourage compliance among corporations.” Unfortunately, the proactive use of the FSGO is something that federal defendants and judges can overlook.
The Commission also added the term “ethics” to the program name, signaling that compliance programs have a critical role beyond just detecting and preventing criminal conduct. This expanded role involves promoting “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Therefore, as the Commission wrote, its intention was “to reflect the emphasis on ethical conduct and values incorporated into recent legislative and regulatory reforms.”
The Commission also added a new eighth element—risk assessment—to the original seven elements of an effective compliance program. Although the Commission explicitly highlighted risk assessment for the first time, this element was implied in the very last sentence of the original 1991 guidelines comment:
An organization's failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective program to prevent and detect violations of law.
The 2004 amendment clarified the implied nature of risk assessments by stating:
In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
The Commission explained that when implementing an ongoing risk assessment process, “organizations should evaluate the nature and seriousness of potential criminal conduct, the likelihood that certain criminal conduct may occur because of the nature of the organization’s business, and the prior history of the organization.”
The Commission also clarified and expanded how it expected judges and compliance professionals to evaluate and incorporate relevant industry practices and governmental standards into an effective ethics and compliance program. Thus, the Commission wrote:
In General.—Each of the requirements set forth in this guideline shall be met by an organization; however, in determining what specific actions are necessary to meet those requirements, factors that shall be considered include: (i) applicable industry practice or the standards called for by any applicable governmental regulation; (ii) the size of the organization; and (iii) similar misconduct.
Applicable Governmental Regulation and Industry Practice.—An organization’s failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective compliance and ethics program.
At the same time the Commission added the eighth element, it also revisited the original seven elements to provide “significant additional guidance,” because it considered those elements as the hallmarks of an effective program that encourages compliance with the law and ethical conduct. As a result, the Commission emphasized the need to provide “incentives to perform in accordance with the compliance and ethics program.” Therefore, the Commission introduced “additional rigor generally and imposing significantly greater responsibilities on the organization’s governing authority and executive leadership.”
Recognizing that not all organizations, especially healthcare organizations, are large market capitalization companies, the Commission also expended significant time and attention to address the apparent lack of incentives in the FSGO for small organizations (e.g., those with fewer than 200 employees) to develop compliance programs. The Commission’s commentary encouraged “larger organizations to promote the adoption of compliance and ethics programs by smaller organizations, including those with which they conduct or seek to conduct business.”
Although the new compliance program section subsequently was amended in 2010, 2011, and 2013, those amendments were technical in nature and did not affect the overall requirements for an effective compliance program. Therefore, the 2004 amendments represent the last major substantive updates to the compliance program section of the FSGO.
The Era of Big Enforcement
After the 2004 FSGO amendments, federal healthcare enforcement settled into a steady pattern of ever-increasing fines and penalties for violations of the Anti-Kickback Statute (AKS) and False Claims Act (FCA). Therefore, from 2004 to 2012, healthcare compliance rapidly evolved into the form we recognize today.
For drug and device companies, the alleged violations of the AKS and FCA were frequently linked to off-label promotion of pharmaceutical and medical device products. With the 2009 Pfizer settlement and the 2012 GlaxoSmithKline (GSK) settlement, there came a dramatic increase in the number and types of baseline requirements included in CIAs. The Pfizer and GSK settlements also are significant because they remain the largest monetary fines and penalties ever assessed against the pharmaceutical industry (Pfizer at $2.3 billion and GSK at $3 billion). These fines and penalties were more than two and even three times the fines seen in the TAP case.
The Basics of Off-Label Promotion
The FDA has primary jurisdiction concerning product advertising and promotional claims made by pharmaceutical and medical device manufacturers. The central premise of FDA regulation is that a product’s labeling and advertising must be truthful and not misleading.
If a product’s labeling or advertising are not truthful or are misleading, the product is considered misbranded under the FFDCA. Under the FFDCA, “labeling” is defined as “all labels and other written, printed, or graphic matter (1) upon any article or any of its containers or wrappers, or (2) accompanying such article.” The U.S. Supreme Court expanded that definition by defining “accompanying” to mean that “[o]ne article or thing is accompanied by another when it supplements or explains it...No physical attachment [of] one to the other is necessary. It is the textual relationship that is significant.”
In general, a manufacturer can engage in limited discussion of a specific product’s use (i.e., indications) before the FDA has determined that the product is safe and effective for its intended use. Until a product is approved, it cannot have adequate directions for use, which the FDA defines as “directions under which the lay[person] can use a drug safely and for the purposes for which it is intended.”
The three recent commercial free speech cases of Caronia, Amarin, and Vascular Solutions did little to alter these central tenets of labeling and promotion. In U.S. v. Caronia, the Second Circuit held that “[w]e construe the misbranding provisions of the [FFDCA] as not prohibiting and criminalizing the truthful off-label promotion of FDA-approved prescription drugs.” The cases of Amarin and Vascular Solutions reached similar conclusions. Therefore, the Caronia, Amarin, and Vascular Solutions cases stand for the proposition that a manufacturer may disseminate truthful, nonmisleading information about its product.
In the Pfizer CIA, the OIG added several new provisions, including mandates requiring:
Detailed compliance obligations for the board audit committee, including adopting an annual resolution that Pfizer “has implemented an effective Compliance Program to meet Federal health care program requirements, FDA requirements and the requirements of the CIA.”
Detailed management certifications demonstrating appropriate oversight.
Maintenance of a formal risk assessment and mitigation process.
Making required “self-disclosure” of certain noncompliance situations to the OIG (reportable events).
Implementation of a detailed monitoring program of various activities, including speaker programs, sales representative customer calls, grants, and publications.
Tracking of payments to customers (a forerunner to the Physician Payments Sunshine Act).
Three years later, GSK’s CIA built upon the provisions contained in the Pfizer CIA, but took it even further. In GSK’s agreement, the OIG added new enhancements requiring:
Establishment of an executive financial recoupment (i.e., clawback) program to recoup performance pay and incentives of senior company executives in the event of wrongdoing.
Submission of compliance reports directly to the Health Care Fraud Unit of the U.S. Attorney’s Office for the District of Massachusetts and the DOJ’s Consumer Protection Branch.
Continued maintenance of a system of deputy compliance officers assigned to each U.S. commercial business unit and the Medical Affairs department.
Law of the Land: Compliance Programs and the Affordable Care Act
Between the Pfizer and the GSK cases, perhaps the most significant change for healthcare compliance programs occurred with the passage of the Affordable Care Act (ACA). Although the standards detailing the infrastructure and practices of an effective compliance program had existed since 1991 and were expanded upon in 2004, the 2010 passage of the ACA substantially increased the incentive for healthcare companies and organizations to adopt and implement effective ethics and compliance programs.
The ACA required that:
A provider of medical or other items or services or supplier within a particular industry sector or category shall, as a condition of enrollment in the program under this title, title XIX, or title XXI, establish a compliance program that contains the core elements established under subparagraph (B) with respect to that provider or supplier and industry or category.
Therefore, the ACA now required that healthcare providers and organizations have an ethics and compliance program if they wished to receive reimbursement under the Medicare program. The ACA applied the same requirement to participants in state Medicaid programs, as well as the Children’s Health Insurance Program (CHIP).
Building off the FSGO provision that compliance programs incorporate applicable industry practice and government standards, Congress used the concept of “core elements” in the ACA, stating:
The Secretary, in consultation with the Inspector General of the Department of Health and Human Services, shall establish core elements for a compliance program under subparagraph (A) for providers or suppliers within a particular industry or category.
Congress also specified that:
The Secretary shall determine the timeline for the establishment of the core elements under subparagraph (B) and the date of the implementation of subparagraph (A) for providers or suppliers within a particular industry or category. The Secretary shall, in determining such date of implementation, consider the extent to which the adoption of compliance programs by a provider of medical or other items or services or supplier is widespread in a particular industry sector or with respect to a particular provider or supplier category. [emphasis added]
To date, the HHS secretary has not issued a formal determination of “core elements” under subparagraph (B) or the implementation date under subparagraph (C).
However, given the existence of the FSGO and the OIG compliance program guidance documents, the pragmatic compliance reading of these sections is that the “core elements” and timing requirements have been satisfied. Consequently, by 2010, any organization receiving federal healthcare dollars, either directly or indirectly, needed an effective healthcare compliance program that addressed the risks in its industry segment.
The ACA Changes the Health Law Landscape
The ACA also made significant changes to the health law landscape with amendments to the imposition of civil monetary penalties, as well as to the AKS, Stark Law, and FCA.
In the case of civil monetary penalties, the ACA imposed new penalties for individuals who knowingly:
Order or prescribe a medical or other item or service during a period in which the person was excluded from a federal health care program when the person knows or should know that a claim for the item or service will be made under the program;
Make or cause to be made any false statement, omission, or misrepresentation of a material fact in any application, bid, or contract to participate or enroll as a provider of services or a supplier under a federal healthcare program;
Fail to report and return an overpayment within specified time limits;
Fail to grant the OIG timely access (upon reasonable request) for the purpose of audits, investigations, evaluations, or other statutory functions; and
Make or use a false record or statement material to a false or fraudulent claim for payment for items and services furnished under a federal healthcare program.
Of these new penalty provisions, the time limit on returning overpayments has perhaps had the most impact on compliance programs. As implemented by HHS, any overpayment must be returned within 60 days after it is discovered or by the date of the next cost report. Thus, after 2010, organizations have a finite time in which to investigate, determine that any overpayments occurred, and return the overpayments to the U.S. Department of the Treasury.
The ACA also revised the intent requirement under the AKS by providing that individuals can violate the AKS even though they do not have actual knowledge of or intent to commit a kickback violation. However, it is still a requirement that the offer or payment must be made “knowingly and willfully.” The net effect made it easier for the government and whistleblowers to bring kickback cases forward and survive the inevitable defendants’ motions to dismiss.
The changes to the Stark Law, which generally limits physician self-referrals to entities where the physician has a financial interest, focused on the whole hospital exception and in-office ancillary services.
The whole hospital exception allowed patient referrals to a hospital in which the physician had a financial interest if the physician normally provided services at the hospital and the financial interest involved the whole hospital and not a specific subdivision. The ACA amendments placed new restrictions on the nature of those financial interests and the organizational changes the hospital can make.
For in-office ancillary services, the ACA added a new requirement that physicians must inform patients of other provider options for certain services (e.g., magnetic resonance imaging). It also required that a physician obtain the patient’s consent before the physician’s office performed the services.
Finally, with respect to the FCA, the ACA made it easier for whistleblowers to overcome the public disclosure bar that previously had prohibited some cases from moving forward where the information was already in the public domain.
The ACA and Physician Payments Transparency
Beyond mandating effective compliance programs for healthcare programs and changing the health law landscape, the ACA also codified the Physician Payments Sunshine Act, or what is now known as Open Payments. Prior to the ACA’s passage, Congress repeatedly and unsuccessfully attempted to create an overarching federal disclosure regime out of concerns about financial payments from life sciences companies to various medical professionals.
In 2007, Senators Charles Grassley and Herbert Kohl introduced the Physician Payments Sunshine Act of 2007 in the U.S. Senate. It ostensibly was presented as a framework to force the disclosure of payments between life science companies and physicians. However, even among the sponsors, there was a lack of agreement as to the bill’s purposes, and, in some respects, the Physician Payments Sunshine Act was all things to all sponsors.
To Senator Grassley, the bill addressed the concern that “[r]ight now the public has no way to know whether a doctor’s been given money that might affect prescribing habits.” On the other hand, then-Senator Claire McCaskill felt that the bill simply empowered “patients to talk with their doctors about the drugs they are prescribed.” Despite bipartisan support, as well as industry support from PhRMA, it failed to pass.
Undeterred, Grassley, Kohl, and nine other sponsors (including Senators Edward Kennedy and John Kerry), introduced the Physician Payments Sunshine Act of 2009 at the outset of the 111th Congress. At the same time, Representatives Baron Hill and Bart Stupak introduced a companion version in the House of Representatives. When the House and Senate began work on the overhaul of the US healthcare system, which ultimately became the ACA, provisions from the House and Senate bills were folded into the ACA.
In its final iterations, the Sunshine Act provisions of the ACA required the disclosure of various types of payments (i.e., nature of payments) from pharmaceutical and medical device manufacturers to physicians and teaching hospitals: so-called “covered recipients.” Although the ACA was enacted in 2010, the law delayed the effective date of the Sunshine Act provisions until 2013 (covering payments made in 2012). The delay was necessary to give HHS time to develop an implementation plan and build a disclosure portal website.
HHS ultimately designated the Centers for Medicare & Medicaid Services (CMS) as the operating division responsible for administering the statute, and CMS promulgated its final implementing regulations in 2013.
Nature of Payments Under the Physician Payments Sunshine Act
Since 2013, CMS has frequently updated the regulatory requirements and its guidance. For example, with passage of the SUPPORT Act in 2018, the term “covered recipient” was expanded to include physician assistants and nurse practitioners, certified nurse midwives, certified registered nurse anesthetists, and certified nurse specialists (collectively, advanced practice registered nurses). Furthermore, in 2019, CMS consolidated two nature of payment categories and added three new ones. The three new categories were debt forgiveness, long-term medical supply or device loans, and acquisitions.
Achieving Effectiveness: Compliance Programs Continue to Evolve
Seven years after ACA’s passage, the overall focus for healthcare compliance programs shifted from how to establish a healthcare compliance program to determining whether the program is truly effective. In 2017, both the DOJ and Health Care Compliance Association (HCCA) (in conjunction with the OIG) published guidance on compliance program effectiveness: Evaluation of Corporate Compliance Programs and Measuring Compliance Program Effectiveness: A Resource Guide, respectively. At the outset, both sets of guidance stressed that they were not a “‘checklist to be applied wholesale to assess a compliance program’” but were a list of common elements to be considered when “‘making…individualized determination[s]’” about effectiveness.
While there are similarities and a level of consistency between the two guidance documents, there are some significant differences. For example, the DOJ’s evaluation was developed as a list of factors to guide federal prosecutors, while the HCCA-OIG resource guide (developed after a meeting between compliance professionals and OIG staff) was intended for in-house practitioners. Therefore, the HCCA-OIG resource guide takes a checklist approach outlining items to measure and how to accomplish those measurements.
The DOJ has updated its evaluation criteria twice: once in 2019 and most recently in 2020. According to the DOJ, the 2019 update sought “to better harmonize the guidance with other Department guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.” It also extended the DOJ’s support for voluntary disclosure beyond its previous self-disclosure position statements involving FCPA matters that dated back to 2016. As then-Assistant Attorney General Brian Benczkowski said, “Effective compliance programs play a critical role in preventing misconduct, facilitating investigations, and informing fair resolutions,” and therefore they remain a critical part of the DOJ’s “broader efforts…to help promote corporate behaviors that benefit the American public.”
The DOJ’s 2019 update suggested that there are three fundamental questions to ask about any corporate compliance program:
Is the corporation’s compliance program well designed?
Is the program being applied earnestly and in good faith?
Does the corporation’s compliance program work in practice?
Therefore, the hallmark of a well-designed corporate compliance program was that it “is well-integrated into the company’s operations and workforce.” Thus, prosecutors were directed to explore at least six areas:
Policies and procedures
Training and communications
Confidential reporting and investigations
Mergers and acquisitions
The update noted that it was critical to probe a company’s compliance program to determine whether it is a “‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’” Therefore, prosecutors were directed to focus on the commitment by both senior and middle management, the autonomy of and resources provided to the compliance program, as well as the incentive and disciplinary measures employed by the company.
The DOJ also emphasized that compliance programs were expected to improve and evolve over time. Thus, the DOJ counseled it was crucial to see evidence of whether the company addressed both existing and changing compliance risks and, when misconduct occurs, “whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” Organizations, therefore, needed to undertake a comprehensive root cause analysis that not only examined what controls failed but also whether there were “prior opportunities to detect the misconduct” that were missed. Finally, with the 2019 update, the DOJ made the criteria applicable not only to the DOJ’s Fraud Section but also to the entire Criminal Division.
Although the updated DOJ guidance was widely embraced, it did have its share of critics. For example, Hui Chen, former compliance counsel for the DOJ Fraud Section turned independent consultant, argued:
The Guidance [was] written for a defendant in the dock, not good citizens on the street. It is a best-among-worst practices guide.
She went on to elaborate that the guidance “was about aiming slightly higher than the lowest common denominator.” Therefore, she advised companies use the current guidance to review “compliance programs strategically and generically.”
Little more than a year after the 2019 revisions, the DOJ once again updated the evaluation guidance. The latest revisions clarified that when evaluating whether a compliance program works in practice, prosecutors must examine the program “both at the time of the offense and at the time of the charging decision and resolution” of the case. This statement again highlighted the DOJ’s previously espoused position that compliance programs must improve and evolve.
The DOJ also outlined the criteria it uses when making “a reasonable, individualized determination” of the program’s effectiveness. While again emphasizing each evaluation is unique, the factors in any assessment need to include “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
In the latest revisions, the DOJ chose to focus on three specific compliance program areas emphasizing the need for compliance programs to show demonstrable outcomes. These areas were resourcing and empowerment of the compliance function, continuous improvement using available data, and holding employees accountable.
The timing of the 2020 update during the COVID-19 pandemic suggests that the DOJ was aware of and wanted to call attention to the fact that—despite its repeated warnings and enforcement actions—compliance functions generally remain understaffed and are prone to being ignored by company leadership. Therefore, the DOJ intently and forcefully sent the signal that the days of “paper, cookie-cutter” programs are over. Compliance programs must achieve results.
Increasing the Fight Against Healthcare Fraud
In the years immediately following the ACA’s passage, there was a notable increase in state and federal enforcement efforts to address healthcare fraud. This increased enforcement is inextricably linked to the increased number of qui tam actions brought on behalf of the U.S. government by whistleblowers.
With the increased number of qui tam actions came a corresponding increase in recoveries.
However, this period is marked not only by a general increase in healthcare fraud enforcement, but an expansion of organizations targeted, new types of settlements, and increased attention to holding individuals (especially compliance officers) accountable for corporate misdeeds. Together with the current ongoing opioid public health crisis, these developments have created the perfect enforcement storm.
Understanding the Opioid Crisis Context
The sheer breadth and magnitude of the opioid crisis is difficult to comprehend. A 2018 House Committee on Energy and Commerce report declared that the “opioid epidemic is the worst drug crisis in America’s history.” That report noted that “[a]ccording to the Centers for Disease Control and Prevention, more than 351,000 lives have been lost to opioid overdoses since 1999, with no signs of abating.” In fact, the report concluded the epidemic had reached a point that it has “helped drive a decline in the U.S. life expectancy at a time when life expectancy is improving in many places around the world.”
The crisis also has generated a massive amount of litigation. The opioid multidistrict litigation alone consolidated all pending federal opioid-related cases (more than 180) under the auspices of one federal district (the Northern District of Ohio) and one judge (Judge Daniel Aaron Polster). However, as of September 2019, the cases against just one manufacturer, Purdue Pharma, involved 23 states and more than 2,000 cities and counties.
In January 2020, the DOJ announced a $145 million settlement and deferred prosecution agreement with Practice Fusion Inc., an electronic health records (EHR) vendor, to resolve criminal and civil investigations of alleged kickbacks. The government alleged that Practice Fusion received unlawful kickbacks from pharmaceutical companies in exchange for implementing clinical decision support (CDS) alerts in its EHR software. These CDS alerts helped medical providers by providing evidence-based CDS interventions within their EHR technology.
Practice Fusion, in exchange for “sponsorship payments,” was accused of allowing pharmaceutical companies to participate in the CDS alerts, including selecting the guidelines used to develop the alerts; setting the criteria that would determine when a healthcare provider received an alert; and, in some cases, even drafting the language used in the alert itself. For example, Practice Fusion solicited a payment of almost $1 million from an unnamed opioid company (Pharma Co. X), later revealed to be Purdue Pharma, to create a CDS alert in its EHR that would prompt doctors to prescribe more extended-release opioids. While pharmaceutical kickback arrangements are nothing new, this case represented the first time that an EHR software supplier was held liable for an alleged kickback scheme.
In October 2020, the DOJ announced a global settlement with Purdue Pharma and the Sackler family. In addition to the $8.34 billion in civil and criminal penalties, Purdue Pharma (now in bankruptcy) agreed to plead guilty to three conspiracy charges, including conspiracy to violate the FFDCA and the AKS.
Under the terms of the civil settlement and by virtue of its guilty plea, the company would be excluded from participating in federal healthcare programs under the mandatory exclusion provisions in the Social Security Act. However, the HHS secretary may waive the exclusion in certain limited circumstances.
In Purdue’s case, HHS was willing to allow Purdue to avoid exclusion provided it emerged from bankruptcy as a public benefit company. As the DOJ explained:
[O]ne important condition in the resolution is that the company would cease to operate in its current form and would instead emerge from bankruptcy as a public benefit company (PBC) owned by a trust or similar entity designed for the benefit of the American public, to function entirely in the public interest. Indeed, not only will the PBC endeavor to deliver legitimate prescription drugs in a manner as safe as possible, but it will aim to donate, or provide steep discounts for, life-saving overdose rescue drugs and medically assisted treatment medications to communities, and the proceeds of the trust will be directed toward State and local opioid abatement programs.
While transforming Purdue Pharma into a public benefit corporation is a novel approach to dealing with egregious misconduct, it is not the first time that the government has imposed both a drastic and unusual remedy.
Back in 2010, Synthes Inc. and its subsidiary Norian Corporation agreed to sell the assets of Norian after Norian pleaded guilty to two misdemeanor counts of violating the FFDCA. While Norian Corporation was permanently excluded from federal healthcare programs, Synthes, by selling Norian’s assets, was able to avoid permissive exclusion by the OIG. Highlighting the new approach, then-Assistant Inspector General for Legal Affairs Gregory Demske noted that:
In the past a lot of these cases have been resolved with the conviction of basically a shell subsidiary where our exclusion had no impact on the company’s business….We didn’t allow the parent company to essentially shift operations of the convicted entity to another part of the corporate family.
Several recent cases also highlight that DOJ’s continued focus on individual accountability now includes accountability for healthcare compliance officers. Although the focus on individual liability can be traced back to the 2010 case against Christy Sulzbach, associate general counsel and corporate integrity program director for National Medical Enterprises, as well as the memorandum issued by then-Deputy U.S. Attorney General Sally Yates in 2015 and its progeny, these cases highlight the very real liability risks for compliance officers, who are either directly involved in or ineffective at curbing corporate misdeeds.
In April 2019, the DOJ and the U.S. Drug Enforcement Administration (DEA) charged Rochester Drug Co-operative (RDC) (a wholesale drug distributor), along with its chief executive officer and former chief compliance officer, with violations of the Controlled Substances Act. William Pietruszewski, the former chief compliance officer, was charged with narcotics conspiracy and conspiracy to defraud the United States. He also was charged with failing to file required reports of suspicious orders with the DEA by allowing RDC customers to obtain controlled substances, despite knowing that they were being distributed “outside the scope of professional practice and not for a legitimate medical purpose.” Pietruszewski ultimately pleaded guilty and agreed to cooperate with prosecutors.
Likewise, in the case of Miami-Luken, another wholesale drug distributor, James Barclay, its former compliance officer, was charged for his role in ignoring the “obvious signs of abuse” resulting from Miami-Luken’s distribution of oxycodone and hydrocodone to pharmacies engaged in diversion. Thus, Barclay, like Pietruszewski, was allegedly complicit in Miami-Luken’s failure to report suspicious activity to the DEA.
In July 2019, the DOJ intervened in an FCA qui tam suit filed against Life Spine Inc. and two of its senior executives. Life Spine is a small privately held company that manufactures spinal implants and surgical equipment. The DOJ alleged that the company was “engaged in an illegal kickback scheme by paying physicians ostensibly for consulting services when in reality the payments were intended to induce sales of Life Spine products.”
One of the executives named in the case, Richard Greiber, was the vice president of business development from 2012 to 2015, and he was allegedly involved in selecting and approving surgeons who would serve as paid consultants for the company. Since Life Spine did not have a compliance department until 2018, Greiber was “supposed to be responsible for ensuring Life Spine’s relationships with surgeons complied with applicable laws and regulations, including the AKS.” In other words, Greiber was the de facto chief compliance officer for the company.
These recent cases illustrate the aggressiveness of federal healthcare fraud enforcement, especially when patient safety is at stake. They also highlight the breadth in the types of organizations and individuals that the government will pursue to remedy fraudulent activities. Those efforts will likely only increase in the wake of federal COVID-19 stimulus aid and other pandemic assistance programs.
Lessons of Compliance History
“Those who cannot remember the past are condemned to repeat it.” —George Santayana
The complex history of healthcare compliance programs provides healthcare compliance professionals with many valuable lessons. Perhaps the most important lesson is that while the elements of compliance are easy to recite, achieving truly effective compliance is difficult and requires consistent, sustained effort.
Healthcare compliance programs emerged more than three decades ago to counter the risks posed by widespread fraud and abuse in the healthcare system. Despite an uncertain beginning, healthcare compliance programs, and the profession that arose from them, remain an essential societal expectation for all healthcare organizations—more so than ever in the face of new and emerging risks. In short, healthcare compliance is here to stay.