FDA Regulatory Compliance Symposium Special PreConference Workshop August

FDA Regulatory & Compliance Symposium Special Pre-Conference Workshop August 24, 2005 Legal Issues and Trends in Corporate Compliance Programs John T. Bentivoglio jbentivoglio@kslaw. com 202 -626 -5591

Overview • Corporate Compliance Programs (CCPs) – What’s Required? • CCPs -- What’s Expected? • Current Status of CCPs in the Pharmaceutical and Medical Device Industry • Thoughts on What Makes CCPs Effective 2

CCPs – What’s Required? • As a general rule, companies are not obligated by law to establish a CCP • US Sentencing Guidelines, widely recognized and accepted as establishing standards for CCPs, are not mandatory; rather, companies following guidelines may receive “credit” in sentencing for a criminal conviction. • HHS OIG Guidance explicitly provides that it is voluntary and not a binding set of requirements. 3

CCPs – What’s Required? • What is required? Key compliance requirements: – Sarbanes-Oxley compliance initiatives (mostly around financial reporting) – FDA requirements (GCPs, GMPs, promotion, etc. ) – Obligations imposed by Corporate Integrity Agreements – Other function-specific requirements (EH&S, OSHA, etc. ) • New California law requires pharmaceutical companies (and possibly some medical device companies) to establish a CCP in accordance with HHS OIG Guidance • Upshot: Until recently, most companies had some latitude on whether and, if so, how to implement a CCP – and programs have varied widely 4

CCPs – What’s Expected? • Companies under scrutiny frequently seek to receive “credit” for their compliance programs • What do prosecutors look for in evaluating whether to give such credit? Some key factors: – Evidence of commitment of senior management – Widespread awareness and support throughout organization – Robust efforts to monitor and audit – Prompt follow-up to reports of misconduct (including disciplinary action and efforts to prevent repeat violations) • Paper programs won’t suffice; experienced prosecutors know where and how to look 5

What’s Expected – Factors Affecting Prosecutorial Decision-Making • Knowledge and intent – considered even under FDCA, which is a strict liability statute • The extent and seriousness of the wrongdoing – Extent (length of time, number of violations – e. g. , rogue employee, system breakdown, or intentional misconduct) – Financial or physical harm to individuals – Lack of controls contributing to misconduct – What did the company do when it learned • Response of management to detected violations – Investigation – Corrective/preventive action – Disciplinary action (including holding managers accountable) 6

What’s Expected – Factors Affecting Prosecutorial Decision-Making • Documentation – Documents provide the most powerful evidence, particularly of knowledge and intent – E-mails are providing powerful evidence in civil and criminal litigation (e. g. , Anderson, Vioxx) • Contrary to common perceptions, most prosecutors: – Don’t want to prosecute honest mistakes or negligence – Will consider a company’s compliance efforts • But … – Prosecutors are skeptical (sometimes cynical) and will want proof – Prosecutors won’t accept “everybody’s doing it” as a defense (indeed, if everybody’s doing it, it may be a more attractive case) 7

State of CCPs in the Pharma and Device Industries • Most mid- and large-size companies have established basic compliance programs that are organized around the HHS OIG Guidance, USSC Guidelines, and CIA requirements • Companies are farthest along in the first four “elements” of a compliance program: – – Designation of senior-level compliance officer Establishment of written policies and procedures Implementation of compliance training Establishment of a hotline and/or other internal reporting mechanism 8

State of the Industry (cont’d) • Companies are not as far along in the “back end” of compliance programs: – Auditing and monitoring – Establishment of compliance-focused performance and disciplinary standards – Procedures for responding to potential violations and/or implementation of corrective action plans – Periodic risk assessments to identify emerging risk areas • And even in the first four areas, some programs have significant deficiencies. Examples: – Policies cover only basic areas (e. g. , Adva. Med Code areas) – and not other risk areas (e. g. , grants) – Education is simplistic and not tailored to personnel in high-risk areas 9

State of the Industry (cont’d) • Auditing – Most companies don’t have solid auditing programs – Obstacles include concern about detecting problems that could expose the company to future liability – Few companies audit obvious areas – (e. g. , call notes for sales/marketing compliance) – Companies operating under CIAs (with Reportable Events provisions) face particular challenges • Performance and Disciplinary Standards – Some companies still do not have good policies/procedures that provide consistent discipline – Few companies have responded to government’s concern regarding incentive compensation and other measures of performance 10

Thoughts for RA/QA Professionals • RA/QA issues are important – but they are not the only (or even the most important) compliance issues confronting management • Many companies are moving toward a broad, enterprise-wide risk management approach – Recognizes the wide variety of compliance requirements and challenges confronting pharma/device companies – Allows management to allocate resources (money, attention) based on risk – Leverages compliance infrastructure across functional areas (e. g. , hotlines, web-based training platforms, incorporation of compliance in performance measures) 11

Thoughts for RA/QA Professionals • Many senior managers recognize the importance of compliance issues generally, but are concerned that: – Additional compliance measures will lead to more bureaucracy – and not more compliance – Compliance professionals raise “concerns” but do not provide clear suggestions on solutions – Compliance programs are not dynamic and fail to identify and address future risks – There are few metrics to judge performance – every other function is measured and evaluated, but there are few agreedupon metrics for compliance and legal activities 12

Thoughts for RA/QA Professionals • What are some senior compliance professionals doing to address these issues? – Developing compliance metrics – Spend more time on internal communications • Branding the program • Communicating the importance of compliance (testimonials) • Leveraging internal communications resources – Aligning and communicating more closely with the business to identify and solve problems earlier and at lowest-possible level (while maintaining integrity of compliance function) 13

Fine Print The views expressed in these slides and accompanying discussion do not necessarily reflect the views of King & Spalding LLP and/or any of the firm’s clients. These slides and accompanying discussion provide a general summary of the law. They are not, and should not be relied upon, as legal advice. 14