Two of the biggest challenges in corporate compliance are improper gifts and conflicts of interest. Perhaps nowhere are those challenges more on display than in the healthcare sector.
Today we kick off a two-part series about those challenges. First up is the Sunshine Act, and the compliance program that companies need to meet its obligations for disclosing gifts and other payments to doctors.
The Sunshine Act is a federal law in the United States enacted as part of healthcare reform in 2010. It requires pharmaceutical firms and medical device manufacturers to disclose annually any monetary payments or other “transfers of value” those companies make to doctors and hospitals.
Why? So that regulators and patients alike can see whether those payments are influencing doctors’ research and prescribing decisions. For example, if a pharmaceutical company is paying a certain doctor “consulting fees” to help the company run a clinical trial, and that doctor also tends to prescribe that company’s products to his patients — that might be improper use of federal healthcare dollars.
Scale up that example to the entire U.S. healthcare system, where trillions of dollars are spent on medical research and services every year, and the management of those potential conflicts becomes an enormous compliance challenge. Let’s unpack what that challenge entails and how compliance teams can build the robust systems necessary to meet it.
What the Sunshine Act Requires
The Sunshine Act requires pharmaceutical and medical device makers (plus a few other players in the healthcare world) to report the payments they make to doctors. Those reports must be made annually to the Centers for Medicare and Medicaid Services (CMS), which then publishes the information in a searchable database.
What qualifies as a payment under the Sunshine Act is quite broad. It includes direct payments such as consulting fees, speaking fees, grants, or royalties for licensing intellectual property. It also includes indirect payments such as travel and lodging costs to attend a conference, funding for clinical trials, charitable donations made on the doctor’s behalf, entertainment (say, passes to a sporting event or a spa day), or grants of stock in certain businesses.
In short, companies must disclose anything that might qualify as a payment or some other financial inducement. Those reports must go to CMS annually, and they are subject to audits by CMS itself, the Department of Health & Human Services, and even independent parties such as recovery audit contractors.
To make matters even more challenging, the monetary thresholds for reporting payments are quite low: any payment with a value of $13.07 or more for 2024 (the threshold increases every year); or all payments made to a doctor if the total value of those payments exceeds $130.66.
What Are the Components of Sunshine Act Compliance?
We can divide Sunshine Act compliance into several basic elements:
- A gift policy, to guide employees on what payments (monetary or otherwise) they can give to physicians.
- Training, so that employees know what the policy is, what payments and spending are or aren’t acceptable, and how to behave when interacting with physicians.
- A data collection system so that employees can document and report the spending they incur.
- Data review procedures so that the compliance team can validate employees’ data before the company makes its annual report to CMS.
- Internal audits to test your policies, procedures, and controls; followed by remediation to address any weaknesses those audits identify.
Not all of those elements are within a compliance officer’s direct control. For example, audits of your program will generally be done by the internal audit team (or an audit firm you hire). The data collection system might be one managed by your IT department, even if you have considerable input into what that system is or how it’s designed.
That said, compliance officers do play a critical role, above all in policy development and training.
What Should a Gifts Policy Include?
A gifts policy for compliance with the Sunshine Act should include all the basics that any corporate policy should have, tailored to our specific goal: getting employees to report payments to physicians. Therefore…
- Define who is covered by the policy, such as all employees and third parties working on your behalf.
- Define key terms such as “gifts,” “transfers of value,” “covered recipients,” and “designated health services” and so forth. Give examples, and make them relevant to your business and the services or products you offer.
- Outline what gifts and other payments are prohibited, such as gifts exceeding a certain dollar value or specific types of gifts.
- Along similar lines, outline what gifts and payments are acceptable. For example, you might allow meals under a certain value, office supplies, reasonable speaking fees at a research conference, and the like.
- Explain employees’ reporting obligations. For example, declare that they must report all expenditures over that $13.07 limit (with documentation!) and identify the system they should use to submit that data.
- Warn employees of the consequences of non-compliance, up to and including termination.
Again, defining who is covered by a policy, what the policy is, how it should be followed, what happens if you don’t — those points should be included in any policy. Compliance officers need to think about the specific requirements of the Sunshine Act and your own business operations, and then tailor your policy accordingly.
What Training is Necessary?
Your gifts policy will fall flat without training. That training should explain what the policy is, why it’s important, and how employees can follow it.
As always, the more relevant you can make your training, the better. Provide specific examples of gifts that are or aren’t permitted, and place those examples in scenarios that employees are likely to encounter. Demonstrate the reporting system employees are expected to use to submit expense reports, showing all the documentation they’re expected to provide.
Also remember that different groups of employees will need different types of Sunshine Act training. Sales reps should receive training on what payments might be improper, and how to report their expenses. Accounting employees, on the other hand, should receive training in how to identify discrepancies in those reports that might suggest under-reporting.
Regulators simply want to see that your company has put thought into its training; that you’ve considered how your workforce might violate the Sunshine Act, and then rolled out policies and training to keep them on the right path. Template policies and training are fine as “raw material,” but ultimately you’ll need to refine that material into something precise, specific, and relevant.
That’s enough on the Sunshine Act and its challenges for gifts. In our next post we’ll look at how the healthcare sector needs to tackle conflicts of interest.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.