Strategic Risk Assessment in Medical Device Compliance: Proactive Strategies for Effective Risk Management
Michelle D. Axelrod, Esq.
Jennifer A. Romanski, Esq.
The views and opinions expressed during this presentation are solely that of the presenters and do not reflect the official policy, position or views of any employer or client. Information has been gleaned from experience in various settings as well as from publicly available information.
This presentation is provided for educational purposes only. This presentation does not constitute legal advice.
Businesses move fast and change course regularly
Compliance needs to be managed and maintained in a changing environment
Addressing and mitigating compliance risk is critical to the ongoing success of the business
To maintain an effective compliance program, risk assessments are essential
The government expects it – it is included as one of the seven elements of an effective compliance program
Always better to be proactive vs. reactive
Identifies compliance risks
Allows for prioritization of risk areas
Evaluates the effectiveness of existing compliance program/framework
Identifies gaps in compliance
Facilitates allocation of resources
Government recognition (“credit”) in the event of investigation
Government expectation: identify, analyze, and respond to risk areas
A Key Component of an Effective Compliance Program (OIG Guidance)
One of the 7 elements
Addressed in Federal Sentencing Guidelines
Required by ALL Corporate Integrity Agreements
The OIG has identified seven elements that are required for an effective compliance program – General Compliance Program Guidance November 2023
Application of the Seven Elements to Your Organization
1. Written Policies and Procedures
2. Compliance Leadership and Oversight
3. Training and Education
4. Effective Lines of Communication
5. Enforcing Standards: Consequences and Incentives
6. Risk Assessment, Auditing and Monitoring
7. Responding to Detected Offenses and Developing Corrective Action Initiatives
Intended to assist prosecutors in program evaluation, including design, application and effectiveness, at the time of the offense and at the time of a charging decision or resolution
Topics and common questions described in the document that DOJ’s Fraud section has frequently found relevant in evaluating corporate compliance programs include:
1. Analysis and Remediation of Underlying Misconduct
2. Senior and Middle Management Commitment
3. Autonomy and Resources
4. Policies and Procedures
5. Risk Assessment
6. Training and Communications
7. Confidential Reporting and Investigation
8. Incentives and Disciplinary Measures
9. Continuous Improvement, Periodic Testing and Review
10. Third Party Management
11. Mergers and Acquisitions
“Prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’”
Risk Management Process
• What methodology/metrics has the company used to identify, detect and address risks?
Resource Allocation
• Does the company devote the appropriate amount of time to the correct risk areas?
Updates and Revisions
• Is the risk assessment current/subject to periodic review? Is it just a snapshot in time? Has the review led to updates in policies, procedures and controls?
Lessons Learned
• Does the company have a process for tracking lessons learned from its own issues or from other companies’?
Read the company’s code of conduct, which should set forth the company’s commitment to full compliance with relevant Federal laws
Set the appropriate tone for the rest of the company and clearly articulate the company’s ethical standards
Be periodically trained on the company’s policies and procedures and certify that they have taken such training
Receive periodic briefings from personnel within the compliance function, including in executive or private sessions
Require reports from company management to assess whether the company’s compliance program is effective
Be available to personnel within the compliance function
The Guidance directs that the compliance function should be sufficiently autonomous from management through, for example, direct access to the Board of Directors or the board’s audit committee
Receive regular reports from internal audit on, among other things, the compliance function and financial controls
Follow up on the reporting by personnel within the internal audit and compliance functions, especially with respect to audit findings, risk assessments and any ongoing remediation
Exercise reasonable oversight over the company’s regular risk assessments
Receive briefings from management to assess the design of the company’s compliance program, and to confirm that it reflects and addresses the risks related to such things as the location of the company’s operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel and entertainment expenses, and charitable and political donations, etc.
Do you have BoD/Senior Leadership support?
Have you identified who will lead and who will participate?
Have you budgeted for an assessment?
Have you clearly communicated the objectives?
Identify areas to be addressed
Enterprise compliance risk or focused risk areas (e.g., HCP engagement, Data Privacy, other)
Consider methodology & approach
Internal v. External Assessment Lead
Document review
Interviews with stakeholders
Consideration of past identified risk areas/history of compliance violations
What is your deliverable and how/where and with whom will it be shared?
The focus of your risk assessment will depend on your company.
Consider facts and current state
Address high risk areas – it will likely be impossible to measure everything
The focus can change from one year to the next
Consider DOJ & OIG/HHS Recommendations and Guidelines, and Government Investigations/Settlements
(e.g., Sales/Marketing; Medical; Clinical Operations; Market Access; Communications; Patient Advocacy)
(e.g., interactions with HCPs and patients; social media; reimbursement support)
(e.g., jurisdiction; new product; type of product and patient population; M&A; company structure; legal requirements; enforcement)
Value of a Risk Matrix:
Identify risks
Address Risks
Prioritize risk based on:
Probability of occurrence
Severity of Impact
Measure the risk
Likelihood
Potential Impact
Use as a tool in the decision-making process
Identify risks
Prioritize and measure risk
Evaluate/Confirm appropriate controls or strategies to minimize the risk
The structure of your company will likely drive your risk profile
How will the “results” of the risk assessment be communicated within the company?
What will the company do to manage the risk(s) (policies, training, monitoring, etc.)?
What resources does the company have to manage the risk?
When will implementation take place?
What role will everyone play?
Risk: Describes the specific compliance risk.
Likelihood: The probability of the risk occurring (e.g., Low, Medium, High).
Impact: The potential consequence or severity if the risk occurs (e.g., Minor, Moderate, Severe).
Risk Level: A combination of likelihood and impact to determine the overall risk level (e.g., Low, Medium, High, Critical).
Mitigation Measures: Actions or controls put in place to reduce the risk.
Risk: Violation of Anti-Kickback laws
Likelihood: High | Impact: Severe | Risk Level: Critical
Mitigation Measures: Implement employee training program and robust HCP interaction and engagement policies, regular monitoring, and compliance checks
Risk: Violation of False Claims Act
Likelihood: High | Impact: Severe | Risk Level: Critical
Mitigation Measures: Implement employee training program and compliance policies to address reimbursement support and related activities
Risk: Violation of FDA Promotional Rules
Likelihood: Medium | Impact: Moderate | Risk Level: Medium
Mitigation Measures: Implement materials review process that involves Legal, Regulatory, and Medical/Technical reviewers; conduct review/audit of materials in use; conduct training for applicable employees creating materials
Review the hypothetical company information
Consider need and approach for a risk assessment
What risk(s) will you assess? Why?
Who should be involved? Who will lead/conduct the assessment?
Who should be interviewed (which individuals based on roles, insights, etc.)?
What questions are important to ask?
What materials do you need to review?
Based on the basic information provided, can you identify the following:
Identify potential risk areas
Applicable Compliance Laws, Guidance or Standards
Level of risk for each identified risk area – LOW/MEDIUM/HIGH/CRITICAL
Potential mitigation/response to address risk – WHAT IS NEEDED? WHAT MAY
Interactions and engagements with HCPs
Interactions and communications with patients
Reimbursement activities and communications
Funding – grants/donations/sponsorships
Third party distributors
Promotional activities/off-label
Product training
Clinical trial/research activities
Data Privacy
Social Media
US-only company
Sells 2 Medical Devices in the Diabetes market
Insulin Pen (new technology)
Insulin pump with Bluetooth technology (with enhanced security measures, robust encryption algorithms)
Aggressive Leadership
Chief Compliance Officer is on Executive Team
Very competitive market
Sales have been in steady decline
Plan to increase size of field teams, including use of contract sales organizations
High budget for grants and sponsorships; no funding review committee; commercial involvement in funding decisions
Broad communications with patients (including DTC and social media); no applicable policies
Planning to launch social media campaign; no social media training conducted
Heavily engaged in HCP activities (e.g. Speaker Programs, conference activities, consulting arrangements)
Sales team permitted to engage HCPs for local services
Payments for consulting sometimes made without documentation
CEO active on X
Data driven company with multiple databases of information – strong access controls and security practices
Risk Area: Fraud and Abuse
Grants and sponsorships
Mitigation Measures: Review and update policy; create funding review committee and guidelines/checklist; create grant intake form; address role of sales and marketing in process
HCP Engagements
Mitigation Measures: Create/update policies that limit sales rep involvement in HCP selection; create BNA form to ensure proper documentation and approval; confirm/address FMV; review and update contract template for HCP engagements
Speaker Programs
Mitigation Measures: Implement HCP engagement measures and apply to Speaker Programs; create speaker program business rules/guidelines. Consider more focused risk assessment for speaker program activities.
Increase in field/Use of CSOs
Mitigation Measures: Review HR vetting processes and training programs and review incentive comp arrangements; consider incentives with CSOs and kickback risks with independent contractors and include proper safeguards in agreements.
Risk Area: FDA
Create and train on policies for patient interactions and communications, including for DTC promotional communications. Confirm materials review process/SOP and monitor same.
Review social media policies and update as necessary. Review materials process to ensure all social media is reviewed and approved; monitor same. Counsel CEO and Senior Management on social media tools and train. Monitor social media activities.
Review Speaker Program activities and confirm materials review process/SOP for review of all speaker program materials; monitor same. Train speakers on compliant speaker program communications. Train field on speaker program business rules (and process to report non-compliance).
Review outward-facing privacy policies and ensure they address uses of data (including on company-operated websites). Implement/review/update patient engagement/interaction policies and data privacy compliance policy to address privacy issues and company handling of personal data. Train on data privacy risks and policies.
Consider with Medical/Clinical team how technology may capture patient data and how company handles. More focused privacy risk assessment/analysis may be warranted.
Work with IT to review existing security policies and address safeguards regarding collection, storage, and maintenance of data. Ensure that relevant personnel are trained on procedures for handling data (e.g., obligations of confidentiality, appropriate use of company equipment, including laptops and phones). Confirm restrictions and access controls.
Global company
Parent based in EU; Leadership in EU
US subsidiary is the leader in revenues; parent company forecasts for US business are very high
Plan to expand into new, emerging markets
Markets products in the oncology space; Products are unique; only 2 competitors worldwide
Head of US Quality & Regulatory is responsible for Compliance
No specific US compliance policies
Significant off-label use of products in US market
Significant reimbursement challenges for HCPs
Large number of high value/high-cost HCP consultants, including high travel and meal expenses
CRM tool includes large amounts of HCP details and specific claims data
Observational study with real world data outcomes recently completed
Lots of publications on off-label use and active Medical Affairs/MSL team
Company provides significant funding for research grants/ISRs
Significant investment (large budget) for product education and training programs
Training for Senior Management/Board to educate on compliance; consider new personnel and reporting structure for compliance; create & train on policies/procedures; implement process to address other elements of CCP.
Review process for HCP selection and spend; implement policy and BNA process; conduct FMV review & analysis; develop and implement HCP consultant travel and expense policy, including meal limitations; consider prior TOVs and Sunshine and state law compliance; consider potential OUS reporting requirements (or pre-approval requirements).
Confirm policies and training for promotional communications and prohibitions on off-label promotion; confirm process for addressing unsolicited requests for off-label information; Consider medical-commercial interactions policy; confirm all reimbursement communications are limited to on-label information only.
Implement reimbursement support procedures and guidelines; conduct training for field and all those involved in reimbursement questions/discussions. Review and update as necessary HUB and other vendor agreements.
Address reasons for claims data in CRM system and consider revisions; add compliance and privacy component to CRM system training.
Create research funding review committee and SOP; prepare and train on policy/procedure for research grants; monitor/audit process.
Implement policy for training and education and prepare BNA form and review and approval process. Review venues for training, meals provided in past and implement corrective measures as necessary. Ensure training and educational materials go through appropriate materials review committee.
Risk Area: FDA
Dissemination of Off-Label Information (also raises Fraud and Abuse issues)
Mitigation Measures: Create and train on policy on off-label risks and dissemination of off-label information, including appropriate use of MIRFs. Ensure sound materials review process/procedure.
Publications, Observational Study, and Other Research
Mitigation Measures: Create and train on publication policy and dissemination of publications. Confirm status of publication review committee. Train field force on appropriate use/potential dissemination of recent observational study.
Active MSL Teams
Mitigation Measures: Fully engage Medical Affairs in compliance program; ensure implementation of appropriate procedures and training for MSLs.
Product Training and Education
Mitigation Measures: Ensure product training and educational materials go through materials review process. Consider monitoring process for how off-label questions are handled/addressed.
Risk Area: Anti-Bribery / Anti-Corruption
Mitigation Measures: Review and update Anti-Bribery and Anti-Corruption policies; implement third party vetting procedure; review and update distributor agreements (as applicable); consider plan for distributor training and auditing.
Engagements
Mitigation Measures: Review process for HCP selection and spend; implement policy and BNA process; review/update or prepare global anti-bribery/anti-corruption policies and consider payments to oUS HCPs; consider global process for HCP engagement; review HCP engagements/TOVs for compliance with oUS requirements; conduct FMV review & analysis.
Risk Area: Privacy
Mitigation Measures: Determine if and why oUS data is included in CRM, how data is being used, and where CRM is located. Consider and address potential privacy implications.
Are we considering the right risks?
Are we limiting risks?
Are we mitigating the risks and preventing them from reoccurring?
Compliance efforts become more effective
Reduce Legal/Compliance Risk
Save $$$ (Legal fees, penalties, settlement costs)
Improve Reputation
Improve company culture
Manage and mitigate existing and new risk areas
WILL HELP YOU SLEEP AT NIGHT
Michelle Axelrod
mdaxelrod@pbnlaw.com
Jennifer Romanski
jaromanski@pbnlaw.com