30 Day Trial

ORTHOKNOW content is posted to these pages in real time.

Monthly compilations are available in PDF form.

Current & Critical

Five Steps to Sunshine: Strategies for Complying with CMS Reporting Requirements

By Edward J. Buthusiem, Cheray Lynch Sieminski, Vahan Minassian; Berkeley Research Group, LLC

U.S. and global regulators heavily scrutinize financial arrangements between healthcare professionals (HCPs) and life sciences companies, including orthopaedic manufacturers and distributors. Recent prosecutions and settlements involving drug and device manufacturers frequently allege that certain payments and other incentives provided to physicians are being improperly made in order to promote their products. Indeed, several prominent medical device companies have been subject to investigations and corporate integrity agreements stemming from alleged improper consulting payment arrangements with physicians.1
The passage of the Physician Payment Sunshine Act (Sunshine) will serve to heighten this scrutiny by requiring transparent disclosure of most financial interactions with HCPs, thus providing a potential prosecutorial roadmap to vigorously pursue investigations and enforcement actions involving these arrangements. It is therefore imperative that companies subject to Sunshine conduct a rigorous analysis of their HCP financial interactions prior to disclosure and build a robust, efficient and effective internal process to comply with Sunshine’s reporting requirements, which go into effect August 1.
Sunshine requires manufacturers and distributors of certain FDA-regulated devices to report almost all payments and financial arrangements with U.S. HCPs to the Centers for Medicare & Medicaid Services (CMS).2 Reportable payments include cash or cash equivalents (e.g., gift cards), in-kind items, consulting agreements, free products, honoraria and more.3 
Along with payment data, manufacturers and distributors will have to obtain and report certain identifying information for each healthcare professional they pay. This data will then be aggregated and published on CMS’s website for public consumption. Penalties for non-compliance range from $1,000 to $100,000 for each payment not timely, accurately or completely reported, depending on the company’s knowledge of such failure.4 
However, monetary penalties associated with non-compliance pale in comparison to the potential fines enforcement agencies may pursue and reputational risks imposed by public scrutiny of the reported data from interest groups. Further, with the publication of Sunshine, foreign legislation (e.g., France) will likely begin to rapidly progress toward implementation, moving the industry closer to global and disparate reporting obligations for HCP transactions.
Building an effective Sunshine compliance program requires a deep understanding of a company’s business model—its regulated products, markets, go-to-market strategy and, most importantly, the manner in which it conducts business with HCPs. Moreover, building an effective program requires close coordination among various functional areas within the organization. Each of them most likely interacts with HCPs in some fashion, oftentimes without the knowledge or involvement of other functional areas. 
Therefore, it is imperative that companies conduct a comprehensive, thoughtful assessment and, in some cases, a recalibration of their compliance infrastructure and relationships with HCPs. A company must understand the impact of disclosing its financial interactions with HCPs in areas that are most likely to draw heightened scrutiny, particularly those involving the provisions of gifts, entertainment and consulting/royalty payments.
As your company prepares for Sunshine compliance, consider the following five-step strategy to better enable you to deal with the complexities and collateral impact of this law.
Step 1: Preparation and Initial Assessment
First, determine whether and to what extent your company is subject to the Sunshine reporting requirements. Sunshine applies to so-called “applicable manufacturers” (and in some cases their distributors) that manufacture or distribute at least one “covered product” in the U.S.5 Covered product is defined as a prescription drug or medical device that is (i) subject to FDA pre-market registration (i.e., does not qualify under a registration exemption) and (ii) is reimbursable by Medicare, Medicaid or the Children’s Health Insurance Program (CHIP).
Sunshine further provides that a company deriving more than ten percent of its revenue from the sale of covered products must report all payments to HCPs.7 Companies that derive less than ten percent of revenue from the sale of covered products need only report payments to HCPs associated with covered products.8 In making these determinations, the company must understand its corporate structure as well as its FDA-approved product portfolio and its sales/distribution model. Complex corporate organizational structures with multiple entities that manufacture or distribute covered products should designate, communicate and coordinate reporting roles, responsibilities and workflows.
This analysis should be documented and the resulting inventory could ultimately support the assumptions document that may be submitted to CMS with the reported data.
Having the right people and adequate resources are critical to the success of a Sunshine readiness assessment and program implementation. A capable and empowered team must be assembled that represents a cross-section of relevant stakeholders in the Sunshine process (e.g., personnel from legal, compliance, finance, IT, sales and marketing, medical education and other functional areas).
It is equally important that companies engage and enlist the support and leadership of senior management. A program built from the bottom up, without visible and prominent support from the highest echelons, is likely to be of limited utility. Senior management must have a substantive and operational understanding of Sunshine, as designated executives (CFO, COO, CCO) will ultimately be required to attest to reports submitted to CMS. 
Step 2: Information Gathering and Scoping 
Conduct due diligence in a systematic and organized manner to ensure that all processes, stakeholders and appropriate technology resources relevant to Sunshine compliance are identified. This involves the review of key company documentation and interviews with relevant personnel. 
The goal is to identify a comprehensive definition of the way in which the company interacts with the HCP community to ensure that the data capture and reporting transparency program is flexible and scalable to the evolving regulatory landscape. This process can be approached as a who/what/where/how analysis, though not necessarily in that order:
Who? Know what types of healthcare professionals and entities you currently (and prospectively) interact with in order to guide their data capture requirements. Sunshine requires applicable manufacturers to report payments and transfers of value to physicians and teaching hospitals. “Physicians” under Sunshine include doctors of medicine who are licensed to practice by the state in which they operate.
     In contrast, certain state aggregate spend laws, such as in Vermont and Massachusetts, define covered recipients more broadly (e.g., individuals who can lawfully purchase, refer or dispense prescribed products in their respective state are covered under the law). CMS has committed to publish a list of covered teaching hospitals that will be designated as reportable HCPs. Companies must review this list to confirm whether reportable spend has been incurred through interactions with these institutions. Companies should establish an internal definition of HCP that comprehensively includes all individuals and entities potentially subject to reporting.
     Finally, companies must identify third-party entities that market or distribute their products, or otherwise engage in reportable transactions with HCPs on the manufacturers’ behalf. Sunshine requires applicable manufacturers to report these payments, with certain limitations, made through a third party. 
What? Identify and categorize current and anticipated HCP payments (cash or in-kind) and arrangements, and establish common definitions (e.g., spend types, functional areas). Sunshine provides a list of examples for types of reportable interactions, such as consulting fees, honoraria, food and beverage and physician ownership interest. Carefully compare findings with exceptions to reporting requirements provided by respective Federal and state regulations in order to later craft your reporting process. 
Where? Determine the geographic extent of your business operations and interactions with HCPs. Under Sunshine, payments or transfers of value to covered recipients made outside the U.S. are reportable. Further, other laws governing interactions with HCPs outside the U.S. may be implicated, such as local transparency laws and other local laws regulating interactions with HCPs. As such, it is critical that companies coordinate with their ex-U.S. subsidiaries and distributors so that these payments can be accurately vetted, captured and submitted.
How? Identify and assess the mechanism with which each of the aforementioned payments or arrangements with HCPs takes place. This includes a review of policies, procedures, forms and templates associated with interactions with HCPs: Is there a consistent process for request, review and audit of payments and arrangements? Does the process align with regulatory standards and safe harbors? Have relevant personnel been interviewed to corroborate that the written policies and processes are being carried out day-to-day?
     Also, assess current IT capabilities and business systems governing interactions with HCPs to identify what tools exist and how they may be leveraged for data capture and reporting. Supporting technology and data resources may include accounting, sales and distribution, inventory management, travel and expense systems and master data of customers, vendors and products.
Step 3: Enable Processes with Technology 
Consider configuring internal systems to comply with data capture requirements dictated by, at a minimum, Sunshine—and, where different, state analogues. Some companies may find that they can use existing systems to build a reporting module internally. Other companies may find that the scope, volume or diversity of potentially reportable transactions or the company’s existing IT infrastructure will not support an internal data capture platform and/or reporting program. 
In these cases, it may be worth investing in one or more third-party portals for entry, maintenance and reporting of data. Proceed cautiously with technology investments—purchasing third-party software solutions without defined business processes and vetted requirements often results in inefficient, and ultimately unsuccessful, implementation.
Step 4: Training and Communication
All relevant employees, including senior management, should be given an adequate substantive overview of Sunshine, as well as training on the internal processes involved in complying with these regulations. Consider including adherence to these processes, and the company’s overall compliance program, in employee performance evaluations and develop disciplinary guidelines for non-compliance. 
Coordination with business partners and customers is critical to a successful Sunshine compliance program. Communicate with distributors, packagers, dealers and other third parties to develop effective and comprehensive methods for capturing and delivering back incurred HCP spend data. 
Moreover, consider communication with your HCP constituents prior to reporting required data. HCPs should be educated on the regulatory requirements of Sunshine, and how these requirements will affect your company’s internal policies and its relationship with the HCP community. It is advisable to stipulate in written agreements for consulting services, evaluation units and other arrangements that the value transferred may be subject to disclosure under Sunshine and/or state laws. 
Sunshine provides for a 45-day period for HCPs to review submitted data and either certify or dispute its accuracy.10 Data disputes that remain unresolved within 15 days will result in the data being published and marked as being disputed, potentially drawing closer attention from public and private entities that view these reports.11 As such, maintaining strong communication with the HCP community plays a significant role in the operation and success of a company’s Sunshine compliance program.
Step 5: Critical Assessment
The final and arguably most important step is to undertake a critical assessment of the way in which your company interacts with healthcare professionals. Determine the potential implications/optics from disclosing the collected financial data. What does this data mean, and how will it be viewed by the public, particularly government enforcement entities? Based on these determinations, consider whether any changes to company policies, structure or culture are necessary. 
For example, your company may choose to prohibit the provision of gifts to HCPs, institute limitations on travel and accommodations and the provision of food and beverages to physician practices, or institute restrictions on in-kind items or free products, based on collected data portraying potential impropriety to government agencies. 
Moreover, critical review of the financial interactions captured provides new insight into your business and offers substantial intelligence that can be leveraged as a tool to inform process and operational improvement.
Corporate Integrity Agreements: Exactech (December 2010), accessed at: https://oig.hhs.gov/fraud/cia/agreements/exactech_inc_12072010.pdf; Orthofix (May–June 2012), accessed at: https://oig.hhs.gov/fraud/cia/agreements/Orthofix_International_06062012.pdf; Synthes, Inc. (September 2010), accessed at: https://oig.hhs.gov/fraud/cia/agreements/synthes_inc_09232010.pdf; Wright Medical Technology, Inc. – Amendment to Corporate Integrity Agreement (September 2011), accessed at: https://oig.hhs.gov/fraud/cia/agreements/wright_medical_technology_inc_09292010_amendment.pdf
2 42 CFR §403.900 et al.
3 42 CFR §403.904(e)(2).
4 42 CFR §403.912(a)–(b).
5 42 CFR §403.902.
6 Ibid.
7 42 CFR §403.904(b).
8 Ibid.
9 42 CFR §403.902.
10 42 CFR §403.908(g)(3)–(4).
11 Ibid.
Edward J. Buthusiem is a director in the Health Analytics practice of Berkeley Research Group, advising executive management and general counsels on strategic business and operational issues.
Cheray Lynch Sieminski is a principal in the Health Analytics Practice of Berkeley Research Group, providing forensic and regulatory advisory services to healthcare and life sciences companies and their legal counsel. 
Vahan Minassian is a consultant in the Health Analytics and Compliance practices of Berkeley Research Group, assisting medical device manufacturers and healthcare providers on Federal and State regulatory compliance concerns. Please contact these authors at Berkeley Research Group, www.brg-expert.com.