Open Payments: Key Compliance Considerations

On June 30, the Centers for Medicare and Medicaid Services (CMS) released the first full year of data under The Affordable Care Act’s transparency program, also known as Open Payments or the "Sunshine Act." This included approximately 11.4 million records totaling about $6.5 billion in payments made to 607,000 physicians and 1,121 teaching hospitals by 1,444 reporting entities during 2014. Combined with CMS’s September 2014 release of 2013 data for the period Aug. 1, 2013 through Dec. 31, 2013, there are now over 15.7 million payments totaling almost $10 billion publically available on CMS’s website.

Applicable drug and device manufacturers and group purchasing organizations, collectively known as “reporting entities,” have spent millions of dollars building their Open Payments programs, implementing systems to collect payment data, and allocating resources to prepare the data for submission to CMS. While heavier costs are likely to be incurred during the first few years, companies will continue to spend significant dollars complying with this law. But this is not the only issue companies need to consider.

Public perception of promotional activities within the industry is already a concern, and the availability of Open Payments information may result in additional reputational risks for some companies. Open
Payments data may also create added challenges for reporting entities in managing relationships with healthcare providers. In addition, CMS

 plans to audit reporting entities for compliance with program requirements, with potential civil monetary penalties of up to $1,150,000 annually per reporting entity for violations. Such requirements include the submission of timely, accurate, and complete data to CMS, as well as retention of all records related to payments and other transfers of value and/or ownership or investment interest for at least five years from the date of submission to CMS.

It is also possible that Open Payments data could be leveraged by other government agencies, such as the Department of Justice and state Attorneys General offices, during enforcement actions by these agencies. Needless to say, reporting entities need to get it right, which means providing complete and accurate data that is well supported by appropriate documentation. They also need to understand what the data is saying about their practices regarding interactions with physicians and teaching hospitals, and use this data as a means to assess compliance controls associated with these practices.

Reporting strategies

Over years of helping companies develop, implement, assess and independently test their Open Payments and similar data, we’ve developed several observations on ways that companies can effectively managing Open Payments processes to enhance compliance efforts and minimize potential risks.

1. Know your data: What is the breakdown of payments by payment type and dollar volume? Who are the highest-paid physicians? Are physicians receiving both promotional payments (such as speaker or consulting fees) and research payments? Is one region or brand team averaging greater per person meal costs than others?

Understanding what is in the data, including how budgets are being spent from a promotional, research, and investment standpoint, is critical to ensuring the company is allocating resources appropriately to address risks and conflicts. Some companies are surprised by what’s in their data, which is often not evident without significant digging. Some have been surprised when they only learn of certain reported payments when a third party brings it to light publicly. How might individuals use this data to bring lawsuits against the company? How will government enforcement agencies use the data in conjunction with investigative inquiries or enforcement actions? Companies should know their own data better than anyone else.

The easiest place to start is by performing high-level analyses in order to understand baseline payment patterns and identify potential outliers. Ongoing analysis of the data can be helpful in identifying trends, as well as spotting outliers that might require additional follow-up, which allows the company to quickly respond to external inquiries regarding the company’s payment information.

2. Make sure payment listings are accurate: How accurate is the aggregate payment amount? It is not uncommon for the smallest dollar amount related to a lunch with a physician to be incorrect on the listing, or an honoraria payment to be attributed to the wrong Dr. James Smith in the system. Calculation errors, inconsistent expense practices, system mismatching, and other issues can quickly turn into inaccuracies in a company’s data.

Mistakes we see that lead to payment inaccuracies occur when company employees do not include the right expenses in the inputs related to physician payments or when the number of physicians associated with an activity is not accurately recorded. This generally results from unclear company policies and procedures, resulting in inconsistent employee behavior, as well as inconsistent compliance with established policies and procedures.

3. Confirm that supporting information is available and complete: Do you have documentation that supports the detailed transactions that make up each aggregate payment reported? Supporting documentation is a key component to proving that the payments that make up the aggregate amount reported meet federal, state, and company requirements. CMS requires that companies maintain accurate and complete records related to reported Open Payments data and that records must be retained by the company for five years.

Ongoing monitoring of supporting documentation for payments is necessary to ensure that it will be available should the company be required to provide it. Regardless of whether employees fail to submit required documentation, submit incomplete documentation, or simply do not understand all the documentation that is required, missing or incomplete documentation may result in a lack of evidence that the payment met federal, state, and company requirements.

Companies are often surprised to find how hard it is to track down payment records, especially when third parties are involved or are responsible for maintaining such records. It is important to understand what documentation is required for each payment type and the location of this documentation; to identify who is responsible for maintaining this documentation, including third parties acting on your behalf; and to test the processes used by those responsible for verifying completeness and accuracy of the documentation on an ongoing basis.

4. Make sure policies and procedures are clear: Are company policies and procedures vague or left open for interpretation? How do you know? Words like “should” or “may” can be understood to mean “nice to have” rather than “required.” While it makes sense for some policies and procedures to guide behavior rather than direct it, companies must think about how policies and procedures may be interpreted and whether they could result in inconsistent practices.

The most commonly misinterpreted or misunderstood policies and procedures we see are those that address expense reporting. For example, allowable meals may include delivery fees, room/audio/video rental, or administration charges. The company’s position should be clear as to whether these charges are included or excluded from recorded payments to physicians.

Review your policies and procedures to determine whether language could be open for multiple interpretations and clarify as appropriate. Distinguish between language that suggests that a requirement is optional versus mandatory and ensure that language related to tracking and reporting aggregate spend information specifies that the requirements are mandatory. Participate in employee training and ask questions to assess whether employees have a clear understanding of the requirements. Finally, confirm employee understanding by testing payment-related activities to verify consistent application of the requirements across the organization.

5. Verify that employees are following policies and procedures: For many companies in the healthcare industry, policies and procedures are developed, reviewed and approved with the utmost attention. Employees are frequently trained when they are hired, and many receive repeat training on an annual basis. Many compliance and internal audit departments incorporate compliance auditing and monitoring at the forefront of their annual plans. But how do you really know that employees understand what you expect and are complying with company requirements, especially when it comes to activities that affect Open Payments reporting? To start, you need to understand the different types of payments being reported, as well as the policies and procedures that apply to these payments. This will allow you to develop criteria that can be used to test whether the policies and procedures were followed, as well as to test whether supporting documentation is available and complete. This becomes even more important when third parties are used to perform activities affecting Open Payments.

Others will follow

Payment transparency requirements will expand as international industry associations, such as the European Federation of Pharmaceutical Industries and Associations (EFPIA), and other countries, such as France, Australia, and Japan, roll out their versions of Open Payment requirements. This further underscores the importance of establishing effective and consistent processes to collect and report accurate and complete payment information, maintain well-kept records that support payments made, and implement policies and procedures that are clear, are understood, and are being followed.

Eileen Erdos is a principal in the Life Sciences Fraud Investigation & Dispute Services practice of Ernst & Young. She can be reached at eileen.erdos@ey.com. Michael Ricks is Senior Manager in the Life Sciences Fraud Investigation & Dispute Services practice of Ernst & Young. He can be rached at michael.ricks@ey.com.