The Burden of Being Compliant
Device OEM Compliance Programs Must Encompass a Broad Scope to Ensure Protection Against Fines, Jail Time and Lawsuits
When it comes to time-consuming activities, building and maintaining a robust compliance program command perhaps more of an OEM’s time than nearly any other endeavor. It’s no surprise, considering the gauntlet of regulatory hurdles companies face from myriad agencies including the FDA, Office of the Inspector General (OIG), SEC and others.
Spanning from Sarbanes-Oxley to Quality System Regulations to ISO risk management mandates, these regulatory requirements force OEMs to spend an inordinate amount of time and energy to ensure that their compliance programs not only look out for the safety of patients but also that medical claims are true and accurate, marketing efforts don’t illegally reward physicians, products are produced under GMP and the company’s financial statements are strictly audited. If meeting all these mandates seems exhausting, welcome to the world of medical device manufacturing.
Compliance, of course, can encompass a broad scope, and medical device manufacturers unfortunately need to address all of it. Often, the immediate focus is on complying with the many aspects of QSR, but a spate of recent enforcement actions also has OEMs more carefully examining whether their marketing and physician education campaigns would pass muster under the watchful eye of regulators and government lawyers. Furthermore, the latest regulatory burden—in the form of Sarbanes-Oxley—has forced small and even midsize publicly held OEMs to shoulder a paralyzing new cost in their compliance efforts.
“That’s the single biggest driver of compliance costs today,” said Mark Leahey, executive director of the Medical Device Manufacturers Association, the Washington, DC-based industry trade group representing mostly small medical device OEMs.
Leahey pointed out that compliance costs and concerns related to FDA mandates vary on a company-by-company basis, but all publicly held companies must comply with Sarbanes-Oxley or face hefty fines and even jail time for company executives. With small startups accounting for a large portion of the medical device industry, Sarbanes-Oxley has placed an especially heavy burden on MDMA members, he added.
For instance, Leahey said that some companies with sales of $120 million may pay Sarbanes-Oxley compliance costs of as much as $1 million. The cost-to-revenue ratio may be even higher for businesses with significantly lower revenues. Leahey added that the burden has become so great that some device makers are considering buying back their shares to become privately held and avoid the Sarbanes-Oxley penalty.
Under Sarbanes-Oxley—the legislation passed in 2002 in the wake of the Enron and other corporate accounting scandals—public companies must ensure that adequate internal accounting controls are in place, and CEOs must certify financial results. Compliance costs are high because companies not only have to build more stringent internal controls, but also have to perform quarterly evaluations of those internal controls over financial reporting.
Compliance costs were initially estimated by the SEC to reach $1.2 billion, or an average of $91,000 per company, but in March of this year, Financial Executives International (FEI), a trade organization of CFOs and other finance executives, reported that a survey of 274 companies (with average revenues of $5.7 billion) showed that the average company incurred Sarbanes-Oxley compliance costs of $3.7 million each. The study revealed that the average microcap company (with less than $128 million in capitalization) incurred compliance costs of $1.2 million while large-cap businesses (those with more than $787 million in capitalization) had Sarbanes-Oxley compliance costs of $5.3 million. This clearly demonstrated the disproportionately higher compliance costs for small companies.
What can medical device companies do about reducing Sarbanes-Oxley costs? Nothing, for now. Already, there are discussions in Washington to change the law to alleviate some of the financial burdens imposed on small companies. Even larger counterparts may see relief, as SEC Chairman Christopher Cox has stated that publicly traded companies carry a significant burden in complying with the regulations. However, it’s not clear in what shape reform may come.
Furthermore, compliance costs are clearly falling after the second full year of living with Sarbanes-Oxley. In the same report, FEI noted that internal compliance costs fell 12.6% last year while external costs dropped 21.7%, indicating that companies found complying an easier task in the second year since the law went into effect.
Still, Leahey said Sarbanes-Oxley is clearly having a detrimental effect on small companies’ ability to innovate technology because they have to divert more precious startup capital to auditing and internal control and spend less on core activities such as R&D and marketing.
Meeting FDA Mandates
Of course, medical device compliance first and foremost means meeting FDA mandates, which encompass QSR, post-market surveillance, product submissions and a host of other aspects. Established device OEMs with products on the market usually can claim some form of a compliance program, but smaller startups face the challenge of building one from scratch and often look to outsource many aspects of this task. However, industry consultants point out that midsize and even large device manufacturers need specialized expertise or simply extra hands to help address gaps in their compliance programs.
Alan Schwartz, executive VP at consulting firm MDI Consultants in Great Neck, NY, pointed out that size doesn’t always indicate how much outside help a firm needs for its compliance program, and there are no areas of expertise off limits to outsourcing. These can cover everything from sterilization validation to product packaging, CAPA, MDR, material conformance and other issues. Often, surveillance becomes a significant bottleneck.
“Companies are having a hard time finding the data, gathering the data and trending the data,” he observed, adding that often they need assistance with interpretation as well.
He cautioned that medical device companies that fail to develop a robust and comprehensive compliance program can get into trouble in a number of ways, including receiving 483 forms (notice of inspectional observations indicating a deficiency in the QSR program following an inspection) and warning letters that are preludes to product recalls. These can stem from a weak or no CAPA policy or poorly defined MDR guidelines.
Schwartz, like many in the medical device industry, said he believes that the FDA may issue greater enforcement actions against medical device makers in the future after focusing much of its attention on the pharmaceutical sector. A common perception is that now that the FDA has pursued a number of high-profile cases in the pharma sector, it will usher in a new era of stricter enforcement against device makers.
That might become true in the near future, but a recent study issued by the US House Committee on Government Reform showed that, if anything, medical device manufacturers have been getting a reprieve of sorts from enforcement actions in the past five years. In June, the committee found that the number of warning letters issued by the agency has fallen 53% during the past five years. The 535 letters sent out in fiscal 2005, which ended Sept. 30 of last year, represented a 15-year low.
Although the agency has defended the decline by saying that it has focused its efforts on high-risk violations instead of minor infractions, it has nevertheless come under fire from some Washington lawmakers who accuse the agency of being too industry friendly. There will certainly be hearings and battles over these charges, but most likely the agency will engage in stepped-up enforcement efforts and confirm what many in the medical technology sector believe will be forthcoming.
For the uninitiated manufacturers, this will almost certainly mean greater regulatory scrutiny. Laurence Burke, who heads up FDA Regulatory Consulting near Philadelphia, said small-company clients often fail to understand the complexity of creating a compliance program that will meet FDA regulations. They don’t understand requirements for design and control documentation and how to perform gap analysis. Often, the companies are so small that there is no full-time compliance officer. He pointed out that this can lead to trouble down the road when many of these medical technology companies look to be acquired.
“It’s hard for them to plug into the QSR of the acquiring companies,” he said, adding that often, due diligence fails to reveal compliance deficiencies until the last hour, when 90% of the deal has been finalized.
But compliance shortcomings aren’t isolated to small device OEMs. Even large companies, Burke said, are more reactive than proactive. In other words, compliance deficiencies aren’t usually detected until a problem is reported, and only then do these OEMs take a hard look at the problem.
One particular area of concern for medical device manufacturers is in the new edition of IEC 60601, the international requirements for managing risks associated with electrical medical equipment. Harvey Rudolph, the global program manager for medical devices with product testing organization Underwriters Laboratories in Northbrook, IL, pointed out that device manufacturers may not be ready for the recently revised standards, which were updated in December of last year.
The new edition now requires electromedical manufacturers to implement a risk management program and specifies activities related to risk and how to apply those efforts. He said this may pose a significant challenge to companies that gloss over risk management discussions.
“They have an inadequate policy or no policy at all,” he said. “It’s something you need to make a priority.”
He cautioned that with the new edition published, companies would have a transition period that he believes will start at the end of this year and last three years. During that time, companies that had complied under the old edition must implement changes specified in the new document. Failure to do so may result in products pulled from the shelves in European and other markets.
Rudolph pointed out that failure to adequately address risk management is indicative of a larger problem that exists at many companies: lack of management leadership. For instance, he said, some executives are satisfied simply knowing that they have a CAPA system in place but are less concerned about what the system can do to improve risk exposure. “What they should be doing is using all the quality data and driving it back into the management system,” he added.
Qui Tam Rewards
No discussion of compliance is complete without bringing up fraud and abuse. Following last year’s subpoenas (as well as the latest round last month) of major orthopedic device manufacturers, there may be a greater focus on the med-tech sector by the US Department of Justice, said one industry observer. Bob Rabecs, an attorney focused on healthcare fraud and abuse with the legal firm of Hogan & Hartson in Washington, DC, pointed out that the companies themselves are also more sensitive to fraud and abuse charges and are taking a more proactive approach in preventing prosecution.
“I think companies have been sensitized to this not only by what government is doing but also by private qui tam lawsuits,” he noted.
Qui tam suits allow private citizens to file cases on behalf of the government against companies suspected of engaging in fraud and abuse. These cases can have a more chilling effect on industry than regulatory action because qui tam plaintiffs share in the damages, potentially giving them millions of dollars. Companies are especially vulnerable to qui tam suits because disgruntled employees with intimate knowledge of their employers’ operations can easily bring to light any violations. They are also motivated by a potentially large payday.
“That has prompted many big and small companies to have a renewed focus on compliance training and ensuring that compliance policies are adequate and that there aren’t any gaps,” said Rabecs. “As a safeguard, companies are retaining (law) firms and consultants with experience in those areas.”
It also indicates that more companies are increasingly diligent in their fraud and abuse compliance efforts. This is demonstrated by widespread adoption of the AdvaMed code of ethics, for instance. The code helps compliant companies avoid fraud and abuse charges by following a set of comprehensive guidelines.
Whether it’s fraud and abuse, quality issues or industry standards, being compliant is no small task for medical device manufacturers. However, industry observers point out that staying current with new legislation and enforcement action, as well as being willing to invest time and money, will keep companies off the radar screens of numerous regulators and prosecutors.