Mitigating potential risk for stakeholders in light of latest Sunshine Act developments.
After nearly seven years of little to no enforcement scrutiny from federal agencies, the Department of Justice (DOJ) and the Department of Health and Human Services (HHS) signaled the beginning of a new era when they recently announced the first public settlement with a manufacturer involving alleged violations of the federal Physician Payment Sunshine Act (Sunshine Act).1 The enforcement action followed the enactment of a significant expansion of the law that now requires those subject to the Sunshine Act, including certain pharmaceutical manufacturers, to track and report payments they make to five additional provider types, as well as a rulemaking by the Centers of Medicare and Medicaid Services (CMS) that added three new categories for reporting entities to use to describe the nature of their reportable payments.
These developments are a call for compliance for those companies that have not attended to their Sunshine Act compliance programs, as well as those that have not recently audited the robustness of their Sunshine Act tracking and reporting practices. This article discusses the current state of Sunshine Act enforcement risk and offers practical tips to help stakeholders mitigate their potential risk in light of these developments.
The Sunshine Act was initially passed as part of the Patient Protection and Affordable Care Act of 2010, although CMS did not require compliance with the law until August 1, 2013.
Under the Sunshine Act, manufacturers of certain products that are reimbursed by Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP), referred to as “applicable manufacturers”, among others, are required to track and report all payments and other transfers of value they make to certain healthcare providers and U.S. teaching hospitals, collectively referred to as “covered recipients”, unless an exception applies. This includes compensation for consulting services and research, honoraria, grants, meals, travel, gifts, and other payments manufacturers routinely make to healthcare providers.
In addition, applicable manufacturers must also provide an annual report of all ownership or investment interests in the manufacturer that are held by a physician or an immediate family member of a physician during the preceding calendar year.
A manufacturer’s failure to accurately or timely report under the Sunshine Act may be subject to civil penalties, up to almost $1.2 million per year for knowing violations of the law.Further, CMS has always acknowledged that other agencies, including DOJ and the HHS, Office of Inspector General could leverage the reporting as part of an audit or investigation into an applicable manufacturer’s conduct, e.g., in connection with a federal Anti-Kickback Statute (AKS) or False Claims Act (FCA) investigation. However, until recently, there were no public enforcement actions involving Sunshine Act violations and little was done to ensure that applicable manufacturers complied with the law.
Congress broadened the Sunshine Act in October 2018 by expanding manufacturers’ reporting obligations to track and report payments and other transfers of value to five new categories of “covered recipients”, effective January 1, 2021–physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists and anesthesiologist assistants, and certified nurse-midwives. This expansion will undoubtedly increase the number of reports that many manufacturers make under the law.
In March 2019, the Senate Finance Committee wrote to CMS to request that the agency review the Open Payments database for potential Sunshine Act violations in connection with certain physician ownership and investment arrangements. In its letter, the committee noted that Sunshine Act compliance is important to ensure that “stakeholders can have confidence in the integrity of the Federal healthcare programs”, and articulated its support for the imposition of penalties “against bad actors who fail to report”.2 CMS responded to the Senate Finance Committee letter by noting that the agency “has taken substantial steps to enhance compliance in the Open Payments program”, and that it continues to analyze “data trends that have emerged after multiple years of reporting”.3
In November 2019, CMS announced revisions to the “nature of payment” categories outlined in the Sunshine Act’s regulations as part of its 2020 Physician Fee Schedule Final Rule.4 These revisions included the introduction of three new payment categories: “debt forgiveness”, “long-term medical supply or device loan”, and “acquisitions”, with the “acquisitions” category intended to capture “buyout payments made to covered recipients in relation to the acquisition of a company in which the covered recipient has an ownership interest”.5 The adoption of new payment categories confirms CMS’s expectation that manufacturers include such payments as part of their annual reports and signals the agency’s continued focus on refining reporting entities’ obligations under the law.
In October 2020, DOJ and HHS announced that, in addition to a payment of $8.1 million to resolve claims related to FCA and AKS allegations, Medtronic USA Inc. (“Medtronic”) had also agreed to pay $1.11 million to resolve allegations that it violated the Sunshine Act by failing to accurately report certain payments made to a neurosurgeon.6 According to the settlement agreement, the neurosurgeon in question, Wilson Asfora, M.D., owned a local restaurant with his wife.7 After Asfora informed Medtronic that business at the restaurant was slow, Medtronic held over 130 events at the restaurant worth approximately $87,000.8 The government alleged that 74 of these events occurred after the Sunshine Act went into effect in August 2013 and were therefore reportable under the law.9 However, according to the government, Medtronic underreported the events by only reporting the value of the food and drinks that each individual physician consumed at the restaurant in each physicians own name, rather than reporting the total amount paid to the restaurant as a payment or transfer of value to Asfora.10
In announcing the settlement, DOJ and HHS warned that manufacturers that do not comply with the Sunshine Act will be held accountable and suggested that the agencies will pursue similar actions in the future against those who “misreport their financial relationships with healthcare providers”, thereby “erod[ing] the integrity of the Open Payments System”.11 Importantly, the Medtronic settlement suggests that enforcement agencies are not only focused on manufacturers that fail to report altogether, but will also pursue those that underreport payments made to covered recipients, particularly where there may be other underlying violations such as violations under the AKS.
These developments send a message to manufacturers who may either be out of compliance with the law or who have yet to assess whether they are subject to the law that any perceived grace period for Sunshine Act noncompliance has passed.
Even those companies who are reporting to CMS pursuant to the law, but who have not taken steps to ensure the full scope of all payments and transfers of value made by the company are reported, should revisit their Sunshine Act policies and practices. This is particularly true in light of the expanded list of covered recipients and nature of payment categories, which requires manufacturers to track and report additional financial relationships and necessarily increases the opportunity for compliance missteps.
Historical noncompliance is also an issue for many companies who may not have reported to CMS reportable payments made in prior years dating back to when the law first went into effect in August 2013. To help mitigate historical risk, retroactive reporting may be a prudent risk mitigation measure, depending on the facts and circumstances, and may involve auditing historical payments and notifying the agency of payments made in prior years.
As the government ramps up its Sunshine Act enforcement efforts, those companies that take proactive steps to assess and enhance their compliance will be well-positioned to mitigate potential risk.
This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. The content therein does not reflect the views of the firm.