Here Comes the Sun: What You Need to Know about the Sunshine Act and Its Implementing Rules

After years of deliberation, the Center for Medicare & Medicaid Services (CMS) published its long-awaited regulations to implement the specific requirements of the Physician Payment Sunshine Act (Sunshine) on February 1, 2013. The clock is now winding down towards an unparalleled exposure of financial interactions between life sciences companies and the healthcare community. Complying with these regulations and understanding the implications of publishing this data poses great operational challenges and at the same time creates unique opportunities to tighten controls and more effectively manage these relationships.

In the past decade, governments, health systems, and above all prosecutors have applied heightened scrutiny on the relationship between manufacturers and healthcare professionals (HCPs). Government prosecutions, and resulting fines and penalties in the billions of dollars, have hit an all-time high based in part on the premise that financial arrangements between manufacturers and HCPs have improperly influenced prescribing and purchasing decisions for medicines and devices. The culmination of these efforts resulted in the passage of a series of new laws in the United States and overseas that require public disclosure of financial arrangements between HCPs and manufacturers.

In implementing Sunshine, regulators seek to force a fundamental change in behavior of and relationships between manufacturers and physicians—to focus decision making based on science-based facts and data, and away from transactions that can be viewed as buying sales. Transparency requirements are premised on the inference that these interactions are improper and the desire to see measurable change in behavior. What companies report will reflect their business practices and the business ethos of their organizations. Sunshine creates an important platform for companies to rethink and reshape their business models and leverage this information to their competitive advantage.

The new regulations expand the reporting obligations for companies that already disclose such data and broaden the scope of businesses required to report to include distributors and dealers of such products. Sunshine requires these companies, in most instances, to report payments or other “transfers of value” made to HCPs, including teaching hospitals, physicians, and others. With the publication of the final Sunshine regulations, foreign legislation (e.g., in France) will likely begin to rapidly progress toward implementation, moving the industry closer to global and disparate reporting obligations for HCP transactions.

Who Is Required to Report?

Sunshine’s reporting obligations extend to companies with U.S. operations that make or sell medicines, devices, and other products that are (i) subject to pre-market notification and (ii) reimbursable by federal healthcare programs, regardless of the volume of products sold under these programs. With certain narrow exceptions, manufacturers that produce at least one “Covered Product” that falls under both (i) and (ii) must report all financial interactions with physicians licensed in the United States and teaching hospitals, including transactions through foreign affiliates. This final definition of “applicable manufacturer” will involve substantial analysis of a company’s product portfolio, HCP relationships, and financial arrangements with the provider community in order to properly record and report the required data.

For organizations with complex legal entity structures, determination of which entities qualify as applicable manufacturers involves analysis of the business operations, products, markets, and customers. Evaluation of which (or all) entities are subject to transparency data capture and reporting requirements should be performed systematically, and the determination should be documented, which may include obtaining an independent legal opinion of the company’s analysis.

Importantly, the final Sunshine regulations specifically provide that distributors, dealers, and other entities that take title to such products, at any point during the manufacturing or sales cycle, shall be subject to the same HCP data-capture and reporting requirements as manufacturers. This includes wholesalers, repackagers, relabelers, and kit assemblers who take title to the product. Compliance with these regulations will require close coordination between manufacturers and these entities.

What Must Be Reported?

“Applicable manufacturers” must report a broad range of transactions and arrangements with “covered recipients,” which covers various HCPs. Reportable “payments and transfers of value” include “in-kind” items and services, in addition to cash or cash equivalents. For example, the fair market value of company products provided to support investigator-initiated research must be reported. Sunshine and its implementing regulations[1] require comprehensive tracking and reporting of almost all financial and other transactions of value, ranging from royalty payments, consulting, and speaking fees to the value of gifts, meals, and entertainment.[2]

The final rule contains several important exemptions from reporting based on certain defined criteria.[3] One important exemption relates to speaker arrangements associated with accredited continuing education events where the manufacturer does not provide substantive input—events not meeting these criteria are reportable. Other exemptions include, but are not limited to, bona fide educational items, product samples for patient use, and loans of covered devices for evaluation or demonstration purposes for less than 90 days of duration. From an operational perspective, such exempted transactions must be captured or otherwise documented in order to substantiate the exclusion.

In addition, if more than 10 percent of the manufacturer’s previous year’s gross revenue is attributable to sales of covered products, then all payments or transfers of value to HCPs must be reported. If the sale of covered products is less than 10 percent of the total prior year’s gross revenue, then manufacturers must report only payments or transfers of value associated with covered products.

The law requires designated employees (most likely CEOs, CFOs, and/or CCOs) to attest to the truth and accuracy of the information submitted. This attestation covers disclosed transactions as well as implicit or explicit exclusions. Failure to report required information, or reporting inaccurate information, could lead to the payment of substantial fines and penalties,[4] legal enforcement risk, and reputational damage for the company.

What Is at Stake?

The publication of Sunshine’s final rule has left many companies scrambling to revamp, or in some cases develop from scratch, their internal processes and procedures to adequately comply with the law. Time is of the essence, since data capture must begin by August 2013,[5] with the first report submission and certification due in March 2014[6] and the first CMS report to be made publicly available on September 30, 2014.

Complying with Sunshine’s reporting requirements will also invite increased government scrutiny and enforcement, as well as private legal actions. The submitted reports will be published on the Internet and undoubtedly used as an investigatory source by government enforcement agencies such as the Department of Justice, Health and Human Services Office of Inspector General, and Internal Revenue Service; whistleblowers and their attorneys; public interest and advocacy groups; and others.

Sunshine allows the voluntary submission of an “Assumptions Document” that explains the reasonable assumptions made, and methodologies used, when reporting payments or other transfers of value, or ownership or investment interests.[7] The Assumptions Document will not be made available to covered recipients, physician owners or investors, or the public; however, CMS envisions that it could be used by reporting companies as a potential risk-mitigation tool in defending governmental inquiries. Compliance with these laws, and the ability to demonstrate an effective compliance program if challenged, is of vital importance and will require a focused and systematic effort by all business stakeholders.

Additionally, the Sunshine regulations provide for a 45-day post-submission review period during which HCPs that register on the CMS website will be able to review data attributable to them and dispute such attribution if they are not in agreement.[8] After reviewing the information, the applicable manufacturer and covered recipient may either certify that the information is accurate or initiate a dispute. If the dispute is not resolved within 15 days after the review period, CMS will still publicly report the data but mark it as being disputed.[9] Importantly, CMS will not mediate such disputes. It is therefore imperative that manufacturers and HCPs gain alignment of the data before it is made publicly available lest CMS publish the data indicating that it is disputed, thus placing a bull’s-eye on the data from an external perspective.

How Do You Capture, Assess, Manage, and Store This Data?

The administrative burden of accurately capturing, tracking, and submitting the required information is heavy. Accordingly, it is imperative that manufacturers and distributors proactively assess their organizational readiness and current state; and align, develop, and implement policies and processes to ensure compliance with Sunshine. Moreover—and of paramount importance—companies must vet their HCP arrangements and understand what their published data will communicate to the external community (i.e., the government, public, customers, partners, and competitors) about their business practices.

With just fewer than five months remaining to identify and capture interactions by the August 1 reporting period, operationalizing Sunshine to ensure readiness to capture the appropriate scope of data may seem like a daunting exercise. Outlined below are a few suggestions to build a new or expand an existing transparency platform for sustainability.

  • Form a cross-functional team and get organized. Organization is the key to success. Designate a lead and engage a cross-functional team to include Legal and Compliance but also Finance, IT, and business functional areas. The team may need to access external resources like outside counsel and other advisors. An important part of this mobilization is the creation of a communication plan with internal and external stakeholders, including senior management, boards of directors, and the HCP community.
  • Revise current and/or develop new internal policies, procedures, workflows, forms, and templates. Leverage Sunshine as an opportunity to critically assess and build upon your existing compliance program. Ensure that policies and procedures are in place to provide a standard for interactions with HCPs, determine fair market value, and disclose conflicts of interest. Map business processes and workflows in accordance with policies and procedures to promote consistency and facilitate auditability—particularly in the areas of contracting, payments/approvals, travel and expense, and samples. Confirm that forms and templates are also updated and standardized, and align with policy—for example, contracts include language regarding payment disclosure and conflicts of interest.
  • Engage senior management. Disclosure reports require attestation by designated executives (i.e., CEO, CFO, CCO), and those stakeholders should be engaged early in the process. Recent corporate integrity agreements and deferred prosecution agreements provide valuable guidance on structure and standards for the certification process.
  • Train relevant employees, and hold them accountable. Allocate appropriate time and resources to educate employees and affiliates on compliance with Sunshine—including colleagues in Research and Development, Sales, Marketing, Finance, and Accounting. Integrate compliance with transparency policy into the performance evaluation and report process, and enforce non-compliance.
  • Establish a dialogue with their HCP stakeholders. Address with your HCP stakeholders the impact of reporting spend that will be publicly attributable to them.[10]
  • Inventory existing business systems, and assimilate transactional data. Identify, assimilate, and harmonize disparate data sources. Configure internal systems to align with data capture requirements, including Travel and Expense, Accounting, Sales/Inventory, Customer Relationship Management, and ERP (i.e., customer, vendor, product master data).
  • Define report needs and parameters. Beyond Sunshine compliance, this information will be powerful for the organization. Consider how the information gathered can better inform business decisions and address the organization’s needs for other regulatory reporting, management alerts, and business metrics.
  • Build or buy portal for entry and maintenance of HCP spend data. Companies with high volume of reportable transactions will most likely require a significant investment in either an internal or third-party portal for entry and maintenance of HCP spend data and direction of workflow. Such a decision should be based on a thorough analysis of current capabilities and future needs—and the design for which should be based on vetted and documented business and IT requirements.
  • Comply with books and records requirement. This is a critical piece, as the Sunshine regulations require spend data to be maintained for up to five years and in an auditable form. Coordinate with Internal Audit to incorporate into the organization’s audit program.

The passage of Sunshine is a game-changer and will require critical assessment of manufacturer/distributor/HCP/provider arrangements. At the same time, Sunshine presents a tremendous opportunity to refocus and enhance existing relationships that could prove to be mutually beneficial. Organizations that can adapt, adjust, and immediately meet the challenges of Sunshine will no doubt have a competitive advantage.

Berkeley Research Group, LLC is not a CPA firm and does not provide audit, attest, or public accounting services. BRG is not a law firm and does not provide legal advice.

[1] 42 CFR §403.900 et al.

[2] See Id. at §403.904(e)(2).

[3] See Id. at §403.904(i).

[4] Penalties range from $1,000 to $100,000 for each payment not timely, accurately, or completely reported, depending on the company’s knowledge of such failure. See Id. at §403.912(a)–(b).

[5] See Id. at §403.904(a)(2).

[6] See Id. at §403.908(f).

[7] See Id. at §403.908(f).

[8] See Id. at §403.908(g)(3)–(4).

[9] Id.

[10] Applicable manufacturers and covered recipients can review reported information by registering with CMS and logging into a secure website. See Id. at §403.908(g)(1). CMS’ “OPEN PAYMENTS” portal is located at: http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-Program/index.html