The United States government continues to aggressively enforce the Foreign Corrupt Practices Act (FCPA), the principal US law for combating corruption and improper business dealings abroad. Enforcement efforts especially target heavily regulated companies, because heavy regulation means regular interaction with government officials.
Given its regulatory burden, the healthcare industry—including pharmaceutical, medical device, and biotechnology companies—is particularly vulnerable to FCPA issues.
This article summarizes both the FCPA itself and specific challenges for healthcare companies. It also outlines enforcement actions involving healthcare companies. The article concludes with lessons learned from those enforcement actions—and the specific challenges healthcare companies face—along with some suggested compliance best practices.
At base, the FCPA is quite simple: it prohibits bribes, whether actually made or simply offered or promised, to officials and other employees of non-US governments. In addition, the law includes internal controls and books and records requirements that apply to companies that are publicly traded in the US.
The law is administered by the Department of Justice (DOJ) and, in the case of publicly traded companies in the US, the Securities and Exchange Commission (SEC).
The FCPA was first enacted in 1977 but was not consistently enforced until the early 2000s. In fact, one of the earlier FCPA enforcement resolutions was a 2003 settlement between the SEC and pharmaceutical company Schering-Plough Corporation (now part of Merck & Co.). The matter involved Schering-Plough purportedly making donations to a Polish charity whose director was also a Polish government health procurement official. According to the SEC, although the donations were not to the government official directly, they were for his benefit and were intended to improperly influence his procurement decisions.
In the last decade, DOJ and SEC have brought enforcement actions against more than 20 healthcare companies resulting in nearly $2 billion in disgorged profits or fines.
Permissible domestic practices could run counter to the FCPA
An array of US statutes, such as the federal Anti-Kickback Statute (AKS), regulate the domestic behavior of healthcare companies and their employees. The AKS prohibits life sciences and healthcare companies from “knowingly and willfully” offering or paying “remuneration,” directly or indirectly, to induce patient referrals, reward a referral source, or generate business involving any item or service “for which payment may be made in whole or in part under a Federal health care program.” This prohibition—on a payment to obtain a business advantage—mirrors the language of the FCPA.
Yet, the AKS also includes important safe harbors for payments that facilitate interactions between healthcare companies and healthcare professionals. For example, the AKS recognizes that healthcare companies often engage medical professionals to serve as advisers, speakers, and consultants. Such arrangements are permitted under the AKS so long as certain conditions are met.
The FCPA lacks this same sort of safe harbor. In fact, DOJ and SEC appear to be generally skeptical of such engagements in the international context and have brought several enforcement actions related to payments to foreign healthcare professionals as consultants, speakers, or for clinical trial fees.
Broad definition of “foreign official”
The US government pursues FCPA enforcement actions in the context of payments to or for the benefit of foreign medical professionals because of the very broad definition of the term foreign official. The term covers any employee, regardless of rank or title, of a government department, agency, or instrumentality, including any company or other entity owned or controlled by a government. Because many foreign hospitals, healthcare facilities, and systems are owned or controlled by a government, physicians, pharmacists, procurement personnel, lab technicians, and other hospital or healthcare employees are considered foreign officials under the FCPA. A doctor or other healthcare professional who appears just like a private practitioner in the US is often, in fact, a foreign official under the FCPA and needs to be treated accordingly.
The following are a few examples of enforcement actions resulting, at least in part, from the broad definition of a foreign official:
In 2015, New York-based Bristol Myers agreed to pay more than $14 million to settle SEC allegations that the company’s Chinese subsidiary falsely recorded expenses for “gifts, meals, travel, entertainment, and sponsorships for conferences and meetings” to employees of state-run hospitals and pharmacies. According to SEC, these benefits were provided to healthcare professionals to increase prescription sales.
In 2018, Sanofi (based in France but subject to FCPA jurisdiction because it is publicly traded in the US) settled allegations related to payments to medical professionals employed at a state-controlled facility for “consulting, speaking, and clinical trial fees.” The SEC asserted that these payments, made across multiple countries, were part of a scheme to increase tender awards and increase prescriptions for Sanofi products.
In 2020, Swiss pharmaceutical company Novartis agreed to pay over $345 million in penalties for allegedly bribing employees of state-owned healthcare facilities in Greece to prescribe Novartis-branded pharmaceuticals and surgical products. Among other things, a Novartis subsidiary based in Greece paid for employees of state-controlled institutions to travel to US “medical congresses” to induce those employees to prescribe more Novartis products. The company also allegedly falsely recorded the payments.
One of the most significant FCPA risks for any company, whether in healthcare or any other industry, comes from third-party representatives. The FCPA specifically covers agents of otherwise covered parties, and, in fact, the actions of agents and other third-party representatives have often been the basis for FCPA liability. (While the statutory language only explicitly references an “agent,” in practice, DOJ and SEC interpret the term “agent” to cover any party acting on behalf of a covered company or entity.) Nearly any representative acting on a company’s behalf can expose the company to compliance issues: sales or marketing agents, distributors, consultants, advisers, clinical trial investigators, comarketing partners, educational grant recipients, and others.
To be clear, such representatives are often essential to help develop and expand business in new markets. But it is also necessary to take steps to protect against the compliance issues such representatives can create.
For example, in 2017, Alere Inc., a diagnostic testing company, paid over $13 million to settle charges that the company’s Indian and Colombian subsidiaries used third parties to bribe government officials to retain business. Similarly, in 2019, Fresenius Medical Care AG & Co KGaA, a German solutions provider for individuals with kidney disease, agreed to pay a penalty of more than $230 million for, in part, “funneling bribes through a system of third party intermediaries.” The SEC highlighted the fact that the countries in which Fresenius operated were known to present compliance risk. Yet the company failed to devote adequate resources to its compliance program, which apparently lacked basic risk mitigation measures such as third-party due diligence.
Risks related to regulatory approvals
Many FCPA enforcement actions involve regulatory approvals, which can mean the difference between winning and losing business. Such approvals fall within the broad category of what constitutes obtaining or retaining business or an “improper advantage” under the FCPA. Given how heavily regulated healthcare companies are, it is common that regulatory approvals must be sought, whether for new pharmaceutical products, medical devices, or even simply for clearing goods through a country’s customs process.
In 2012, Pfizer Inc.’s indirect wholly owned subsidiary, Pfizer H.C.P. Corporation, agreed to pay $15 million in penalties to resolve a DOJ investigation related to payments allegedly made, at least in part, to influence approval and registration decisions for company products. DOJ claimed that payments were made to officials in Bulgaria, Croatia, Kazakhstan, and Russia. Similarly, in 2020, Alexion Pharmaceuticals agreed to pay $21 million to SEC to resolve allegations that it paid Russian and Turkish officials in exchange for favorable regulatory treatment of its drug Soliris.
Compliance recommendations for healthcare businesses
With important gaps between domestic and international statutory requirements and in the context of a heavy regulatory burden, healthcare companies face unique compliance challenges under the FCPA. Correspondingly, an effective compliance program is necessary.
The starting point of any effective program is culture. In our experience, this has two components.
The first is management involvement and support so the compliance message is strong and consistent from the very top. This can be easily communicated through the company’s code of conduct or ethics. But it also must be reinforced on a regular basis in (frankly) more mundane ways. Managers should insert compliance reminders or vignettes in meetings. Periodic communications from the compliance department should be circulated to relevant personnel. And companies should consider compliance incentives, for example, rewarding personnel with a small promotional item, like a branded mug or mousepad, for submitting complete expense reports in a timely fashion. Such compliance incentives—and penalties for compliance failures—are taking on particular importance in light of the Pilot Program DOJ announced in March in conjunction with the revised Evaluation of Corporate Compliance Programs (ECCP).
What underpins management support, and the second component of establishing an effective compliance culture, is implementing a tailored compliance program. This requires a prerequisite step of assessing risk so that compliance measures appropriately address those risks.
For instance, a healthcare company that only markets products internationally through distributors will have a different risk profile than one that uses sales agents to market and sell products directly to foreign government procurement departments. A company that sells only limited products and thus only needs a few safety and other regulatory approvals for those products will likely interact with government regulators less frequently than a company that sells multiple sophisticated medical devices worldwide. A company that relies on joint ventures to conduct non-US business will have different compliance risks (and may have different books and records and internal controls requirements) than a company that operates through long-established subsidiary operations.
Ultimately, every company is different, meaning the risks attendant to each company’s operations differ. Compliance programs must reflect this reality or else risk being both over- and under-inclusive and, therefore, ineffective. A program that is not well-conceived will be neither well-supported by managers nor responsive to what the company and its personnel need. This almost inherently means that a healthy compliance culture cannot be maintained.
While every program will and should be different, there are elements of a compliance program that are foundational—and will help underpin the culture of compliance at the company.
For one, careful due diligence on transactions and transaction partners is critical. Before engaging a third party to act on the company’s behalf, companies need to conduct risk-based due diligence. This typically entails obtaining information from the potential partner, such as ownership details and any government affiliation, reviewing financial reports and any applicable compliance policies, conducting a credit-risk analysis, checking references, and any other measures (e.g., interviews of the partner’s personnel, auditing the partner’s books, training partner personnel on applicable anti-corruption laws) deemed necessary under the circumstances.
Throughout the initial diligence process and throughout any actual engagement, companies should recognize and evaluate the presence of compliance red flags, i.e., any unusual or concerning fact that suggests a partner might lack credibility or be likely to engage in improper conduct. Even when diligence is complete, a third party should not act on the company’s behalf without a written agreement that binds the party to comply with applicable anti-corruption (and other) laws, allows the company to conduct compliance audits as needed, permits the company to require the partner to participate in compliance training, and other steps as needed.
For example, we have seen instances in which—in the case of a third party acting in a high-risk jurisdiction—the third party must submit invoices in a specific form and with a written activity report, including a certification that no improper payment has been made, before it can be paid. This may not be required in all instances, but it is the type of compliance requirement that should be considered based on the risk associated with a particular kind of business, location, and/or third party.
Another key component of a compliance program is equipping personnel with an adequate understanding of their obligations, both under the law and under company compliance policies and procedures. Most often, this is done through awareness training. Again, to maximize the efficiency of compliance resources, training should be done on a tiered basis in accordance with risk. For example, a PhD researcher at a US-based pharmaceutical company is unlikely to carry as much FCPA risk as the company’s South American sales director. Appropriately targeted training should be provided to employees, including using translation to the full extent possible to ensure employees receive training in their primary language.
Training provides an opportunity to educate personnel on relevant laws and, perhaps more importantly, on the company’s resources to help personnel comply with the laws. Policies and procedures should be specifically addressed in training, and compliance personnel’s names, contact information, and other identifying details should be provided. The idea with training is not to make employees experts in the FCPA but rather to ensure they can spot a potential issue and know where to turn for help in addressing that issue. In the process, training also helps instill the company’s culture of compliance.
It is impossible to eliminate all risks under the FCPA. The law is interpreted broadly, and the government has considerable discretion. Even well-intended companies and their employees can misstep from time to time.
Given their regular interaction with government regulators, healthcare companies are at particular risk. In our experience, the risk can be managed so long as an appropriate compliance culture is established. The culture can be founded on and furthered by policies, processes, and training that equip individuals to comply with the law and, if they identify potential issues, help the company address them before they become major problems. This type of compliance infrastructure is the best defense against serious compliance violations and penalties.
Healthcare companies face particular Foreign Corrupt Practices Act (FCPA) compliance risks because of how heavily regulated they are.
Many healthcare professionals outside the United States are considered foreign officials under the FCPA.
Dealings with foreign officials, who may otherwise appear like private sector employees, create compliance risk.
Companies should implement compliance programs tailored to their particular risks based on thoughtful assessment of those risks.
A culture of compliance underpinned by a well-designed compliance program is the best means to protect against violations and corresponding penalties.