Life Sciences companies face ever increasing regulatory scrutiny, including complex issues related to their supply chains and specific risks associated with dealing with their third parties. Without doubt, the management of third parties represents some of their most significant challenges. Companies need to implement a risk-based approach to evaluate their relationships with third parties, focused not only on the broad risks affecting every sector but also the risks specific to their industry.
In addition to compliance with local laws and regulations (for example, by the U.S. Food and Drug Administration in the United States, the Medicines and Healthcare Products Regulatory Agency in the United Kingdom, the European Medicines Agency in the European Union, etc.), companies also need to ensure compliance with anti-corruption laws with cross boarder reach, such as the Foreign Corrupt Practices Act (“FCPA”) or the UK Bribery Act, and ever-changing sanctions.
Control Risks recently conducted a survey of compliance professionals in the life sciences sector, and 85% of the respondents thought that their companies were more scrutinized by regulators compared to five years ago. Only two percent of respondents thought that their companies were under less regulatory scrutiny now as compared to several years ago.
Much of the regulatory scrutiny as it relates to third parties is driven by Life Sciences companies’ interactions with Health Care Providers (“HCPs”). Enforcement action by the U.S. Department of Justice (“US DOJ”) against Health Care and Life Sciences companies are at all time highs. The US DOJ in 2002 settled 351 False Claim Act (”FCA”) cases with Life Sciences companies and initiated 948 new FCA matters, the largest number of new cases ever. Settlements with Health Care and Life Sciences companies resulted in over USD $1.7 billion in fees and penalties and many of the cases included violations when dealing with HCPs and HCOs.
Control Risks’ survey responses reflect the challenges when dealing with HCPs and HCOs. The life sciences professionals we asked considered HCPs to be second only to distributors as the riskiest type of third-party relationship.
In order to ensure compliance when interacting with HCPs, a company must ensure that the HCP has a valid license and is in a good standing, which is not as easy as it may seem. This is not surprising, since centralized, easily accessible online databases confirming that an HCP’s license is in good standing are few and far between, even in the US, Canada, Japan and the EU Five (Footnote: Germany, Spain, France, Italy and somewhat ironically, the UK), where the majority of pharma-dollars are spent. Companies offering HCP verification services limit their services almost exclusively to the US and UK for this reason.
For any HCPs that can be classified as Foreign Officials under to the FCPA, (for example, one who is part of any government agency or work for state-owned heath care facilities), additional enhanced-due diligence should be conducted to ensure the company does not violate the FCPA. This is why in our own third-party risk management division, VANTAGE, we have three distinct levels of due diligence report allowing for increased depth of research as the risk increases . In VANTAGE, we developed a specific HCP check that our clients can add into any standard due diligence report to meet this exact need.
Historically, grants, sponsorships and donations to patient Assistance Programs (“PAPs”) and community outreach and other charitable organizations have represented an enhanced risk for Life Sciences companies.
Over the past several years, there has been a growing number of government investigations and settlements in the US related to the practice of pharmaceutical companies donating to independent charities that provide financial assistance with out-of-pocket drug costs to patients. Specifically, these government investigations and settlements have examined whether donations to PAPs violate the Federal Anti-Kickback Statute. Many Life Sciences companies found themselves under government investigation and subsequent litigation due to their dealings with PAPs. In the largest settlement, United Therapeutics agreed to pay a USD 210 million fine for kickbacks and FCA violations related to its activities with PAPs. In addition to having proper internal key controls in place to manage the interaction with the PAPs, a company must, prior to engaging with the PAP, conduct a thorough due diligence regarding the PAP’s structure, ownership, identification of disease funds and eligible recipients, and other information necessary to ensure that the company can work with the PAP while maintaining independence.
Life Sciences companies also frequently find themselves in troubled waters when dealing with community programs and other charitable organizations in various countries for their operations or for a specific event. While it is expected that the Life Sciences companies will provide financial assistance to various local and international charitable organizations, these organizations represent an additional layer of risk. It is important to conduct a thorough due diligence on the charitable organization prior to providing any funds, including determining whether any HCPs are part of this organization or are part of its board. In many countries, especially in developing countries, HCPs that are also part of governmental agencies or part of government owned health care system play important roles in these organizations, and frequently hold a board position. This, of course, represents a significant risk for potential violations of the FCPA, the UK Bribery Act or other anti-corruption laws and regulations.
While there are general risks that affect every sector, pharma and life sciences stand apart due to the sheer variety of third parties, including some with very specific risks, such as interactions with HCPs and distributors.
Nevertheless, life sciences companies can successfully navigate these myriad risks. A risk-based approach is a good start, but without a sophisticated way to rate relative third party risks, compliance programs are left open to unexpected pitfalls. Companies should strengthen their compliance and resilience by combining their risk-based approach with a robust third-party due diligence program that takes into account sector-specific concerns and the different risk each type of third party poses. Ensuring that compliance departments and business units work closely together, understand each others’ motivations and obligations, and are prepared to act quickly and assertively when transgressions or issues of concern are discovered are the keys to sound third-party risk management.