Avoiding a CIA: Analytics and the Search for Dangerous Data

Jul 31, 2017

When it comes to promoting compliance in the pharmaceutical industry, corporate integrity agreements (or “CIAs”) may be the most important—and most onerous—tools in the government’s toolbox.

The U.S. Department of Health and Human Services’ Office of the Inspector General (“OIG”) issues CIAs to settle misconduct charges. Failing to comply with a CIA is serious business, as the government can exclude offending companies from all important federal health care programs including Medicaid and Medicare.

Pharmaceutical companies subject to a CIA have increasingly stringent obligations, including the duty to hire an outside compliance expert or advisor to assist the board in overseeing management’s implementation of a compliance program. In addition to measuring corporate compliance engagement and accountability, CIAs require company-wide training and education plans and provide a framework for monitoring and reporting compliance measures.

The reality is that any pharmaceutical company has a high risk of running afoul of the OIG due to the myriad missteps its numerous constituents could take. Employees may inadvertently or intentionally engage in improper pharmaceutical sales and marketing tactics, such as off-label promotions, kickback payments, physician referrals and unreported adverse events. These risks are exponentially multiplied by the exploding growth of corporate data volume and sources, rise in regulatory oversight, globalization of workforces and operations, and increasing use of third-party vendors and suppliers.

This proliferation of risks is driving forward-thinking pharmaceutical companies to take new analytics-based approaches to either learn from their mistakes or proactively detect non-compliance issues before they turn into a CIA.   

Hidden Data Risks  

A CIA does not limit itself to core data compliance, such as auditing a transactional system with an enterprise risk management approach. Notably, CIAs include provisions on monitoring transactions and electronic communications because email and messaging platforms are rife with opportunities for noncompliance.

Take, for example, an online chat between employees involved in increasing sales:  

Sales Representative 1 to Manager: “My goals are not realistic, and I cannot achieve them. Please help.”

Manager reply: “You have to hit them! We’re counting on you.”

Sales Rep 1 to Sales Rep 2: “This is hopeless! I’ll never be able to meet my goals.”

Sales Rep 2 reply to Sales Rep 1: “The clinical trial is only a few months out…try promoting on the new indicator.”

Sales Rep 1 to Sales Rep 2: “Already discussed the clinical trial drug with Dr. Z.”

A traditional rule-based compliance process based in enterprise risk management and transaction systems will miss this important communication that could eventually require the employer to pull the drug off the market. It is exactly this type of communication where evidence of non-compliance increasingly lurks, undetected.

Big data versus traditional screening approaches

In this case study, a large pharmaceutical company planning the launch of a new drug that had encouraging revenue projections was concerned about possible compliance breaches resulting in fines and litigation that would cut deeply into profits and spur a multiyear CIA. Management needed to proactively detect risk in their communications, rather than rely on the traditional—and reactive—electronic discovery approaches legal, compliance and audit teams use to uncover risk in data once they are hit with an internal or regulatory investigation or in response to litigation.

The pharmaceutical company already applied compliance technology on their transactional databases. The challenge was identifying noncompliant email communications between employees and outside parties: This data was in multiple storage systems and email servers, and the company needed to go back as far as five years to satisfy regulatory agencies’ requirements. They had to locate and move the data into a central repository and then analyze and review tens of thousands of emails for suspicious communication patterns.

Traditional methods for mining relevant data would not be sufficient, as these are applied on a case-by-case basis and do not easily transfer data insights. They often rely on tools like keyword searches that can generate hundreds of millions of records and yield high volumes of false positives or irrelevant results requiring significant manual and costly review. Legal teams can further cull data through more sophisticated analytics included in many "eDiscovery" review platforms, such as predictive coding, email threading and concept clustering. These analytical tools enable prioritization of datasets by potential relevance; present visuals of at-risk activities, such as expensive travel and entertainment for sales reps and doctors; and uncover hidden data patterns and relationships. Linguistic analysis can further identify hidden meanings such as code words and phrases.

A big data analytics approach, however, enables companies to more easily evaluate the real risks and plan appropriate actions by aggregating company data from many sources into a single, secure repository to detect and pinpoint potential compliance infractions, “bad actor” communications, and key document facts and trends. Based on a company’s priorities, areas of highest risk are identified, and algorithms run across the data to detect emails or other data indicating potential risk. Specific documents—often less than 1 percent of the entire document population being mined—are flagged and routed for legal and compliance review and, if warranted, remediation.

In the case study, the pharmaceutical company leveraged outside experts and big data technology to consolidate potentially relevant emails into a centralized repository. From there, advanced analytics refined the search mechanisms and applied advanced linguistics, sampling and statistics to identify suspicious patterns. Company attorneys and third party review teams reviewed the culled data and identified several risky communications that the company remediated before releasing the new drug. The new compliance process was defensible and repeatable, so the company could consistently monitor communications going forward, as well as run periodic audits.

A three-pronged approach with big data analytics technology was used to achieve the sustainable compliance program:

  • Look-back and Validation Review. Look-back processes allow companies to quickly and cost-effectively review very large amounts of data across cases and platforms to detect potential noncompliance. They protect the company when regulatory agencies request a detailed compliance review.
     
  • Electronic Monitoring. Continuous compliance monitoring gives companies ongoing, actionable insight into corporate communications to enable them to address developing problems going forward. For example, high-risk messaging could include an unusual quantity of emails between reps and a single medical group, sudden deletion of emails within certain date ranges, or emails with competitors that indicate your intellectual property is about to walk out of the building. The process runs continually without impacting data traffic because it does not need to read all employee emails and only flags concepts and phrases that indicate risk. The monitoring may be broad or may be targeted at known pockets of potential noncompliance risk, such as sales or marketing teams.
     
  • Communications Auditing. Monthly or quarterly audits use the same technology and process to deliver actionable and defensible audits. This level of insight enables the company to understand and to identify compliance issues across multiple areas of company data.

Adaptive training

Compliance doesn't end with big data analytics. The insights generated from electronic communications and monitoring can be used to provide direction into specific issues or regulatory areas that warrant additional and strengthened training. 

Although outright malfeasance happens, many employees do not set out to be deliberately noncompliant. Education and training alert employees to activities that are noncompliant. CIAs do not limit training to sales reps but extend it to the entire company, including the executive council and the board.

This is not a simple matter of attending a four-hour workshop and calling it a day. Written training plans need to be comprehensive, and CIAs strongly suggest training certifications for all employees. Forward-looking companies understand that rote training is inadequate for detailed areas like compliance; these companies go a step further and adopt interactive and adaptive training programs that allow the company to customize training for its employees. Adaptive technology analyzes student responses and interaction, and customizes training around those responses.

Completed training not only fulfills CIA certification requirements but also produces valuable information that compliance and legal teams can leverage to optimize the compliance process.

Conclusion                                                                                                                         

Internal oversight and the tools to remain compliant are critical to pharmaceutical companies seeking to avoid CIAs or efficiently fulfill existing agreements. In either case, CIAs can be a business advantage, if they encourage big pharma to adopt data-driven compliance. With new analytics tools, organizations can efficiently investigate data for noncompliance and proactively engage in remediation efforts through repeatable analytics processes.

Gabriela P. Baron is a member of the New York bar and a graduate of New York University School of Law and Vassar College. She is Senior Vice President at Conduent Legal and Compliance Solutions.

 

 
