Episode 24: Katie Norris and Heidi Sorensen - Commercialization Risk and Compliance
In this episode, we speak with BRG Director Katie Norris and Heidi A. Sorensen from Foley & Lardner LLP. Katie has more than seventeen years of experience in corporate governance and compliance in the pharmaceutical, medical device, and cosmetics industries. Heidi is a healthcare attorney who focuses on healthcare fraud and abuse and compliance issues.
Katie and Heidi discuss compliance considerations companies should factor into their strategy and planning when they are entering the US market from abroad, or when they are preparing to commercialize an FDA-regulated product. They walk us through the various regulatory agencies involved in this process and provide keen insight on how to structure and implement a sustainable compliance program.
[music] Welcome to BRG's ThinkSet Podcast. I'm your host, Eddie Newland. BRG is a global consulting firm that helps leading organizations advance in three key areas: disputes and investigations, corporate finance, and strategy and operations. Headquartered in California with offices around the world, we are an integrated group of experts, industry leaders, academics, data scientists, and professionals working beyond borders and disciplines. We harness our collective expertise to deliver the inspired insights and practical strategies our clients need to stay ahead of what's next. For more information, please visit thinkbrg.com.
On today's episode of the ThinkSet Podcast, we'll be speaking with BRG director Katie Norris. Katie has more than seventeen years of experience in corporate governance and compliance in the pharmaceutical, medical device, and cosmetics industries. During her career, she has focused primarily on compliance program development and oversight, as well as provided support during investigation and resolution of government enforcement actions.
Also joining today, Heidi A. Sorensen. Heidi is a healthcare attorney with Foley & Lardner LLP, where she focuses on healthcare fraud and abuse and compliance issues. Ms. Sorenson has over nineteen years of experience working with medical device and pharmaceutical manufacturers in the negotiation and resolution of False Claims Act settlements, corporate integrity agreements, and the HHS OIG's civil monetary penalties law and the exclusion authorities. Prior to joining Foley, Ms. Sorensen was chief, deputy chief, and senior counsel in the administrative and civil remedies branch of the HHS Office of the Counsel to the Inspector General. And with that, let's get started.
Heidi, we're here today to discuss compliance considerations companies should factor into their strategy and planning when they're entering the US market from abroad or when they're preparing to commercialize an FDA regulated product. What are some of the examples of those considerations?
So first, I would think about, as a company, what your key compliance risks are. And that's going to be based on the product that you're bringing to market, any payer considerations, particularly whether it's going to be covered by government programs, and then the applicable rules, regulation, and guidance from both the Food and Drug Administration, the Department of Health and Human Services, any state regulators, particularly state licensing boards, and other entities.
And then when I'm thinking about those compliance risks, I want to create a program that will address those risks for the company. And that program has to be scalable. So obviously, the expectation is as a newly commercializing company, you're going to want to grow that product and grow that product's market. And that means growing the company. So having a program that can scale up as the product becomes bigger and has more of a market is very important.
And then finally, making sure that your employees are trained and understand the goals of the compliance program and how it fits into the company's business goals.
Dovetailing off something that Heidi mentioned, I think it's really important to ensure that the compliance program has good support from the highest ranks of the organization. That's really essential to ensuring that the effort that you're putting into building this program, that if it's your business model, really sticks.
And further to the point that Heidi raised with respect to training, when employees see that this is an initiative that leadership cares about and it is a priority of the company, they tend to take it very seriously. And that helps to ensure, again, that the training is meaningful and that employees are likely to do their part to uphold the efforts that the company is putting forward in developing their program.
So imagine, Heidi, as you're putting all of this together, somebody has come to you with the desire to enter a market, or they've got a new product that they think will fall under the purview of the FDA. I imagine you probably get quite a few people that ask, "Do we really have to do this?" How do you usually respond to that?
Obviously, working with companies who are newly entering the market, we understand there are any number of things going on. But the facts of the matter are that in that situation, understanding before you enter the market how you're going to comply with all the payer requirements and any government requirements is really important and can undermine all the work you're doing in the other areas if you don't have a strategy in place. Understanding also what the consequences of not complying with some of these requirements might be is very helpful for the company and understanding how government inquiries can be very costly for a new company.
I think I see this particularly with companies who are entering who aren't as familiar with US regulation and the extent of US regulation. And the reason is because I think to many companies who aren't as familiar with the US market and government requirements in the United States, the amount of regulation seems incredible and challenging to them.
To build on that a little bit then, what are some of the key areas that you recommend companies focus on?
I think first and foremost is making sure that the arrangements that a new company in the US market has with physicians and other healthcare professionals are set up in a compliant fashion is very important. They've got to think about any relationships they have and make sure they're complying with requirements related to those relationships either from the state or from the federal government. Identifying even potential conflicts of interest is also very important so that they're considering those as they set up those relationships.
With respect to research, they need to think about how they will conduct research and what types of investigator initiated studies they might undertake. You want to think about payer requirements. I focused on government payer requirements, the federal healthcare programs in particular and Medicare most prominently. And then promotional activities, so promoting your product in the US is obviously different and has different requirements than promoting it in other countries. And that includes what types of pre-launch communications you might want to get out there.
Having an experienced FDA attorney review your website to make sure that any content on your website complies with FDA requirements is very important. If the company is public, determining how you're going to communicate with investors about the newly launching product. One area of risk we've seen that is challenging for companies is how you make comparative statements, comparing your product to other companies’ products that are in the market. And turning back to the first point, white-coat marketing, so how healthcare professionals can assist in the marketing in a way that the government will not raise concerns about.
So then when a company comes to you and they need to think about how to establish a compliance program, assuming that they haven't previously had one, what do you tell them to do first? Is it setting up and hiring folks? Or how do you get it off the ground from scratch?
Obviously, hiring experienced compliance professionals is important. You want to make sure that the individuals that you're working with within the company understand their roles. But I think it's a matter of establishing a company ethos, or understanding, about how the company will operate in this market and with this product. So making sure not just the company employees but the company itself has thought about, from a big picture standpoint, what their code of ethics will look like, what their risk parameters will be, and how to set those.
And in that situation, you can then educate everyone in the company, including your outside compliance professionals and legal counsel, about what kind of path you want to take. There's a lot of subjectivity in the area, particularly in the enforcement area, that makes evaluating risk even more difficult. So you want to make sure that everyone understands the risk parameters that are unique to your company. That doesn't allow you to take an off the shelf compliance program and just put it into place. It really requires you to step back and think about what will work for your company, your product, and the market at the time that you're entering into it.
[Are] there any other bits of advice that you'd give them beyond the how to get it started and the factors to consider, maybe from your experience, that you've seen that might come out of left field for certain firms?
I think it's important to review the existing guidance that's out and available, both government provided guidance but also guidance from professional organizations and compliance organizations. But you can't review everything that's out there. The amount of guidance that's available to entities, new companies, newly commercializing companies is staggering. So it helps to have someone who can guide you through it and choose the best, most applicable guidance for your company in your situation and use that guidance so that you don't have to reinvent something that isn't necessary to reinvent.
Making sure that you're thinking ahead of time about how you're going to scale up that compliance program, as I mentioned, so that the program isn't stagnant in any way but can grow with the company. And then focusing your resources and really striking a balance to make sure that what you set out to achieve is something you can achieve with the resources you have and appropriately with the extent of the information you have before you.
Katie, is there anything you would add to all that?
Evaluating risk on a company-by-company basis is something that takes a little bit of art and a little bit of science in the approach and especially for companies that are bringing something entirely new to the market. I would encourage companies to think creatively and inclusively about compliance risk relative to some of the cornerstone principles and key statutes that the government has typically relied upon through enforcement actions over time. So work closely with compliance professionals and your legal counsel to understand what the False Claims Act means and what the Anti-Kickback Statute requires of companies and how that's been interpreted over time because there may not be any really good examples that apply directly to your company.
Thinking creatively about how those concepts might apply in a new environment or in a new type of service offering I think is really critical because plowing new ground really does mean that there are going to be new and more creative ways for regulators to think about this also. So trying to stay abreast of not only what's happened before but where you might be leading the charge in the new risk area is really important.
Katie, picking up on what Heidi was talking about of building a compliance program from scratch, with the companies that you work for to implement these recommendations, what steps do you come in and help with?
We like to come in early. And we like to help companies think about, to the point of scalability, how to build a foundational compliance program that's going to meet the standard of effectiveness that the government has established through both the US sentencing guidelines and various guidance documents over time. And then try to think about how to apply this in an environment where we can help companies interpret the guidance of their attorneys in an operational environment, so that we can stand up training programs and help bring policies and procedures to life in a way that employees are able to understand and follow on a day-to-day basis, looking at ways to eventually test the internal control framework and create auditing and monitoring programs around those policies. Of course, that comes later on once the program has been established. But helping to ensure that communication strategies are in place and setting up some really important cornerstones of the compliance program, like hotlines, so that employees can raise questions or report potential concerns is another area where we like to help.
So I've picked up on a couple things. You both mentioned scalability and the ethos in the compliance. What are some of the other universal themes that you find across companies in this position? Katie, I think we can start with you.
Sure. I would say the companies that are venturing into healthcare for the first time or companies that are really coming into the United States market for the first time are sometimes surprised by the complexity of the healthcare regulatory schematic, and can easily become overwhelmed by the guidance and the nuances of these issues that really apply to their companies on multiple fronts. And trying to help them dissect this information and really boil it down to the applicability within their company structure is something that we like to help with, because I feel like that learning curve is something that we can help them overcome.
Companies do find that it can be a little bit bureaucratic in terms of setting up compliance programs and some of the requirements that are really essential in terms of creating separation of controls and monitoring and auditing control framework that can be tested. But really, in the end, it's very helpful. We identify a lot of opportunities to create efficiencies and to create transparency within an organization.
So I think, taking the bright-side approach, it's really a nice tool that helps to seam the business together in a lot of ways. Again, with the support from the executives, it certainly can be an advantage to a company that's bringing new technologies to market, new products to market, or coming into the United States for the first time.
What advice do you have for companies beginning this process? Heidi, you can answer that one first.
Well, I think you need to find a good, experienced in-house or outside counsel and compliance consultant to work with.
What about you, Katie?
I completely agree. I think that it's really helpful to have people that are in your corner that have been working with companies for a long time and really understand the complexities of the industry deeply, and also can help to reinforce some of the concerns that crop up from time to time. Companies might be surprised when they learn that business practices that are considered to be usual and customary, such as taking customers out to dinner, are not acceptable without certain conditions in the healthcare setting. Having people that can help you understand the whys—what really got us to this point, and why is this a concern, and why should we avoid certain activities that may be fairly pedestrian in other industries—is a useful application of the experienced professionals that we would hope that you would engage to support you through this process.
If we put ourselves in the shoes of an organization that is going through this—they're looking to enter the US market. The structure has been set up. The compliance program has been implemented.
Katie, at that point, how do you continue to work with companies to ensure that everything continues to work?
At that point, we do a lot of mock audits. We create some monitoring protocol. And we help companies, really, to go out into the field and test and obtain the assurances that they need to determine that policies and procedures are working, that employees are well trained, and also to identify novel risks that are emerging or ways that the company can enhance its program. Compliance programs need to grow with the company, as we've mentioned. And they need to be dynamic. What worked for a company in its first six to twelve months or two years may not necessarily work at year five as the company is growing and as the environment is constantly changing. So we like to help ensure that the model really is flexible in the sense that it keeps apace with the business.
Absolutely agree with what Katie said. It's really important that the company continue to assess risk, look at the environment, look at the payers, modify their policies, update their training. One of the things that government regulators recognize is that—this may be one of the most difficult tasks—is keeping a compliance program vital and allowing it to continue to grow. And that's one of the things that the government recognizes when they're looking at situations where there may have been an instance of non-compliance is whether the program grew with the applicable guidance.
Understood. So one thing we like to do here on the ThinkSet Podcast, we sort of like to end by looking forward. So we'll start with you, Heidi. Should companies entering the US market factor in new and growing telehealth industry into their planning, building off of the conversations we've been having about healthcare today?
Yeah. Absolutely, because telehealth is an important part of business strategies. So one thing I would say, keying off of our comment about making sure you're working with experienced professionals both inside and outside your organization, is making sure the folks you're working with understand the intersection between telehealth and issues that are unique to the medical device and pharmaceutical manufacturing industry as you help plan and build a compliance program and think about distribution and delivery models.
I 100 percent agree. And I think that another application might be artificial intelligence and machine learning. The FDA is, I think, on the precipice of developing some guidance and potentially some regulations that envelop these technologies. We've seen companies already bringing to market AI capabilities layered over medical devices and advertising some of the potential impacts to patient health related to those technologies. And that's an area, picking up on something Heidi mentioned earlier with respect to advertising and product claims, that the government's going to be watching carefully. And as the guidance is emerging, I think we have an opportunity to look forward and try to understand what that might look like and help companies to develop a framework that is sustainable in a more heavily regulated environment as the regulations try to keep pace with the world that we're living in.
The endless cycle. Well, Katie, Heidi, thank you both for joining us here on the ThinkSet Podcast today. We'll look forward to catching up with you down the line.
This ThinkSet Podcast is brought to you by BRG. You can subscribe to the podcast and access other content from ThinkSet magazine by going to thinksetmag.com. Don't forget to rate and review on iTunes as well. I'm Eddie Newland and thanks for listening. The views and opinions expressed in this podcast are those of the participants and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group or its other employees and affiliates.