FDA Regulatory & Compliance Symposium Special Pre-Conference Workshop August 24, 2005 Legal Issues and Trends in Corporate Compliance Programs John T. Bentivoglio

2 Overview Corporate Compliance Programs (CCPs) – What’s Required? CCPs -- What’s Expected? Current Status of CCPs in the Pharmaceutical and Medical Device Industry Thoughts on What Makes CCPs Effective

3 CCPs – What’s Required? As a general rule, companies are not obligated by law to establish a CCP US Sentencing Guidelines, widely recognized and accepted as establishing standards for CCPs, are not mandatory; rather, companies following guidelines may receive “credit” in sentencing for a criminal conviction. HHS OIG Guidance explicitly provides that it is voluntary and not a binding set of requirements.

4 CCPs – What’s Required? What is required? Key compliance requirements: –Sarbanes-Oxley compliance initiatives (mostly around financial reporting) –FDA requirements (GCPs, GMPs, promotion, etc.) –Obligations imposed by Corporate Integrity Agreements –Other function-specific requirements (EH&S, OSHA, etc.) New California law requires pharmaceutical companies (and possibly some medical device companies) to establish a CCP in accordance with HHS OIG Guidance Upshot: Until recently, most companies had some latitude on whether and, if so, how to implement a CCP – and programs have varied widely

5 CCPs – What’s Expected? Companies under scrutiny frequently seek to receive “credit” for their compliance programs What do prosecutors look for in evaluating whether to give such credit? Some key factors: –Evidence of commitment of senior management –Widespread awareness and support throughout organization –Robust efforts to monitor and audit –Prompt follow-up to reports of misconduct (including disciplinary action and efforts to prevent repeat violations) Paper programs won’t suffice; experienced prosecutors know where and how to look

6 What’s Expected – Factors Affecting Prosecutorial Decision-Making Knowledge and intent – considered even under FDCA, which is a strict liability statute The extent and seriousness of the wrongdoing –Extent (length of time, number of violations – e.g., rogue employee, system breakdown, or intentional misconduct) –Financial or physical harm to individuals –Lack of controls contributing to misconduct –What did the company do when it learned Response of management to detected violations –Investigation –Corrective/preventive action –Disciplinary action (including holding managers accountable)

7 What’s Expected – Factors Affecting Prosecutorial Decision-Making Documentation –Documents provide the most powerful evidence, particularly of knowledge and intent – s are providing powerful evidence in civil and criminal litigation (e.g., Anderson, Vioxx) Contrary to common perceptions, most prosecutors: –Don’t want to prosecute honest mistakes or negligence –Will consider a company’s compliance efforts But … –Prosecutors are skeptical (sometimes cynical) and will want proof –Prosecutors won’t accept “everybody’s doing it” as a defense (indeed, if everybody’s doing it, it may be a more attractive case)

8 State of CCPs in the Pharma and Device Industries Most mid- and large-size companies have established basic compliance programs that are organized around the HHS OIG Guidance, USSC Guidelines, and CIA requirements Companies are farthest along in the first four “elements” of a compliance program: –Designation of senior-level compliance officer –Establishment of written policies and procedures –Implementation of compliance training –Establishment of a hotline and/or other internal reporting mechanism

9 State of the Industry (cont’d) Companies are not as far along in the “back end” of compliance programs: –Auditing and monitoring –Establishment of compliance-focused performance and disciplinary standards –Procedures for responding to potential violations and/or implementation of corrective action plans –Periodic risk assessments to identify emerging risk areas And even in the first four areas, some programs have significant deficiencies. Examples: –Policies cover only basic areas (e.g., AdvaMed Code areas) – and not other risk areas (e.g., grants) –Education is simplistic and not tailored to personnel in high-risk areas

10 State of the Industry (cont’d) Auditing –Most companies don’t have solid auditing programs –Obstacles include concern about detecting problems that could expose the company to future liability –Few companies audit obvious areas – (e.g., call notes for sales/marketing compliance) –Companies operating under CIAs (with Reportable Events provisions) face particular challenges Performance and Disciplinary Standards –Some companies still do not have good policies/procedures that provide consistent discipline –Few companies have responded to government’s concern regarding incentive compensation and other measures of performance

11 Thoughts for RA/QA Professionals RA/QA issues are important – but they are not the only (or even the most important) compliance issues confronting management Many companies are moving toward a broad, enterprise-wide risk management approach –Recognizes the wide variety of compliance requirements and challenges confronting pharma/device companies –Allows management to allocate resources (money, attention) based on risk –Leverages compliance infrastructure across functional areas (e.g., hotlines, web-based training platforms, incorporation of compliance in performance measures)

12 Thoughts for RA/QA Professionals Many senior managers recognize the importance of compliance issues generally, but are concerned that: –Additional compliance measures will lead to more bureaucracy – and not more compliance –Compliance professionals raise “concerns” but do not provide clear suggestions on solutions –Compliance programs are not dynamic and fail to identify and address future risks –There are few metrics to judge performance – every other function is measured and evaluated, but there are few agreed- upon metrics for compliance and legal activities

13 Thoughts for RA/QA Professionals What are some senior compliance professionals doing to address these issues? –Developing compliance metrics –Spend more time on internal communications Branding the program Communicating the importance of compliance (testimonials) Leveraging internal communications resources –Aligning and communicating more closely with the business to identify and solve problems earlier and at lowest-possible level (while maintaining integrity of compliance function)

14 Fine Print The views expressed in these slides and accompanying discussion do not necessarily reflect the views of King & Spalding LLP and/or any of the firm’s clients. These slides and accompanying discussion provide a general summary of the law. They are not, and should not be relied upon, as legal advice.