Getty Images / Jason Edwards

"Proactive compliance is more than simple data collection," says the new white paper "Federal and State Sunshine Act Compliance Readiness," by Alliance Life Sciences. "It is about comprehensively protecting and enabling your business to mitigate risk and address regulatory requirements, while increasing efficiencies and reducing cost." Certainly, advice such as this is applicable across the board, concerning compliance around the Sunshine Act, off-label marketing, and other compliance challenges today.

"Inside the pharmaceutical industry, compliance has grown. Compliance needs to assist the business units in operationalizing the legal and regulatory requirements and still have the business be able to do what it has to do," says John Oroho, executive vice president of Porzio Pharmaceutical Services, a subsidiary of the law firm Porzio, Bromberg, and Newman. Porzio Pharmaceutical Services advises companies on how to comply with current regulations in the industry. "Compliance officers have taken a more significant role in companies, and the compliance departments have gotten bigger because it is necessary for companies not only to understand what the requirements are and to operationalize them, but then you've got to show them that you are adhering to those best practices and adhering to the regulatory requirements," he says.

By this point, pharma should have all its ducks in a row when it comes to gearing up for the Sunshine Act. However, even though pharma was initially required to begin reporting physician payments as the law stipulates by Jan. 1, there may still be some pitfalls to avoid.

"When the Sunshine Act was proposed, pharma supported it because it was going to give some uniformity to what had been a hodgepodge of different requirements state to state," explains Oroho. This means that as of Jan. 1 pharma would have had to track financial interactions with physicians and teaching hospitals. And on March 31, 2013, the first report of these interactions (anything over $10) will have to be reported by pharma to Health and Human Services (HHS). HHS then has until September 30, 2013, to make that information available to the public in an easy-to-use, searchable website.

Now for the bad news: the specifics on how drug and device makers are supposed to submit info on payments to physicians—specifics that were supposed to be delivered by the Centers for Medicare and Medicaid Services (CMS) on October 1, 2011—were not released until December 15, 2011. The October 2011 deadline would have given pharma companies 90 days to digest the specifics of the regulations before they began tracking spending information on Jan. 1; specifics that, one could argue, are essential to know and understand in order to know exactly what to start keeping track of.

In light of the passing of the October 2011 deadline and the continuing absence of specifics from CMS and HHS, a letter was drafted from BIO, PhRMA, Consumers Union, AdvaMed, Community Catalyst, and Pew Health Group to HHS on October 25, 2011, requesting that the Jan. 1 deadline be extended.

"Delays in establishing procedures for the submission and public reporting of the required information will make it increasingly challenging for manufacturers to know whether they are meeting their statutory obligation as they begin to collect data in 2012. Given that Congress intended that industry have three months to complete implementation based on the government procedures following the October 1, 2011, statutory date to implement the new provisions, we request that a similar time period be permitted following establishment of final procedures for the submission and public reporting of 2012 information for companies to achieve full compliance," the letter reads. "An absence of established procedures could harm both the companies who are trying to comply with the law and the public who stands to benefit from increased transparency of these relationships."

The finally-released guidelines acknowledge the delay in this way: "Due to the timing of the publication of this notice ... a final rule will not be published in time for applicable manufacturers and applicable GPOs to begin collecting the information required ... on Jan. 1, as indicated in the statute. We will not require applicable manufacturers and GPOs to begin collecting the required information until after the publication of the final rule ... We seek comment on the amount of time [needed] following publication of the final rule in order to begin complying with the data collection requirements ... We are considering a preparation period of 90 days, since we believe this was the time period intended by Congress ... and [we] are requesting comments on whether that is a sufficient amount of time." Comments are being accepted through Feb. 17 of this year.

Clearly, Jan. 1 has come and gone, with the promised CMS guidelines turning up only weeks before the new year—and the show must go on. In the absence of timely guidelines, Oroho advises the Jiminy Cricket mentality: Let your conscience be your guide. "What you're trying to do with compliance is influence behavior so that people do it just because it's the right thing," he says. "If people are acting on a values-based proposition, rather than doing it so they don't get caught or penalized, you will have less improper behavior. I look at compliance as being the conscience of a company."