Data forensics: effectively responding to non-compliance allegations in the US

Clarissa Crain and Chrissy Spicer describe the key forensic and investigative techniques that manufacturers should consider when developing and implementing a data forensics plan.

As enforcement activity increases across the industry in the US, data forensics has become more important than ever in defending the integrity of manufacturer data. Increasingly, regulatory and compliance professionals are faced with inquiries regarding non-compliance infractions, which can lead to allegations of false claims by government enforcement agencies.

Developing and implementing a response plan to address these and other allegations is critical; it requires data forensics to evaluate the validity of claims and identify potential risk.

Data forensics is the process of utilising data evaluation techniques to evaluate or prove a hypothesis which is based on business knowledge or generally held understanding. It differs from data mining in that data mining is focused on the review of data within defined parameters where the outcome is expected to be self-evident through results.

This article describes key forensic and investigative techniques that manufacturers should consider when developing and implementing a data forensics plan.

Data forensics in context

The US Congressional Budget Office has been tracking healthcare spend as a portion of gross domestic product for decades. During this time, the investment into federally funded healthcare programmes, namely Medicaid and Medicare, has steadily increased, representing approximately 5% of the US GDP today¹. In 2009 alone, the government spent $74 billion for drugs within the Medicaid and Medicare programmes; therefore, it is no surprise that the government continues to seek ways to control costs associated with government funded programmes².

As part of its cost-containment measures, the government has chartered enforcement agencies like the Office of Inspector General, which supports the programmes administered by the Department of Health and Human Services, to investigate and uphold the statutory and regulatory requirements outlined for drug and device manufacturers. The OIG has gone forward with a significant volume of investigations and litigation in this area, primarily referencing the Federal False Claims Act (FCA) as the legal underpinning for its activities. States have followed suit, developing similar state-level FCAs and working with their attorneys general and Medicaid fraud units to investigate compliance and pursue litigation as appropriate.

The Federal FCA, in conjunction with certain state FCA legislation, is at the core of many large settlements impacting the industry at the federal and state level. FCA-based settlements, such as Medtronic’s $40 million settlement of anti-kickback allegations associated with providing financial incentives to surgeons through kickbacks hidden in consulting agreements³, or Synthes' $24 million settlement and forced sale of subsidiary Norian based on allegations that it illegally conducted clinical trials⁴, are primary examples of the ability of the OIG, the Department of Justice and other enforcement agencies to levy significant penalties against manufacturers alleged to have defrauded the government by causing false claims for payment to be submitted to federal programmes including Medicaid and Medicare.

Because the allegations associated with these, and so many other large settlements, stem from activities across the organisation, it is important that manufacturers understand risk and know how to respond appropriately based on any allegations that may be levied. Responding to FCA allegations, by virtue of the FCA, requires advanced data analytics to assess the validity of claims and identify possible risk. Further, appropriate response to allegations requires that groups from development through commercialisation understand how their activities are interdependent. In this way, operational data analytics becomes a key to these cases, and thus legal counsel often engages operational experts to assess allegations and evaluate potential exposure.

Regulatory affairs and the FCA

Regulatory and compliance professionals across the industry are becoming increasingly involved in the response to FCA allegations from the perspective of providing factual information that may relate to allegations raised by a given enforcement agency. The FCA, as it relates to government drug pricing programmes, relates to the prices paid by programmes such as Medicaid or Medicare. Furthermore, FCA allegations are often coupled with other non-compliance issues such as off-label promotion. In alleging off-label promotion, the government may argue that sales were inappropriately increased by the off-label promotion of a product, resulting in price impact and/or inappropriate claims submitted to the government for payment. As such, the activities used to qualify FCA allegations and assess the impact of allegations are based on good data forensics; however, the reliance on business partners from clinical development to regulatory affairs through trade and distribution is also required.

Allegation response processes

The pharmaceutical, medical device and biotechnology sectors are committed to ensuring that their compliance programmes have implemented effective measures to ensure that all activities undertaken by the company uphold regulatory and ethical standards. Unfortunately, as evidenced through the volume of FCA-based settlements affecting the industry, at times the industry’s perspective does not align with those of regulators and enforcement agencies. Or, worse yet, controls may fail. Thus, all should be "audit ready" and prepared to perform appropriate analytics to validate and respond, as appropriate, to allegations.

Having a response plan for allegations that may stem from alleged FCA violations requires not only that legal counsel oversee the company’s due diligence and response to allegations, but that legal counsel be able to secure the operational resources necessary for meaningful analytics, at their request. It is important to note that these analytics are meant to be fact-based only, and operational data analysts are not involved in interpreting results or directly responding to allegations.

Hypothesis

The process of building data forensics for validation and assessment of allegations stems from the hypothesis to be proven. Typically, the hypothesis is reflective of the allegations levied and may include a sense for the validity of the claim(s). By way of example, and referencing the recent Physician Payment Sunshine Act that is likely to be referenced in future FCA claims, a hypothesis related to allegations of "inappropriate payments to primary investigators in an investigator led study, that are actually inducements to prescribe other products within the company’s portfolio" may result in a hypothesis such as: Payments made to investigators were for bona fide business purposes and of fair market value (FMV) and were directly attributable to the clinical activities undertaken by the healthcare practitioner (HCP). Based on this hypothesis, data forensics relate to ensuring FMV was maintained and estimating impact, if any, of the payments on pricing to the government.

The hypothesis should, in the end, help to direct how data forensics will be approached. However, it may require that multiple scenarios or views of data be considered. These varying scenarios require that a manufacturer understands the complaint made by the enforcement agency and how the data available to the manufacturer can be used to confirm the complaint.

Data forensics scenario development

Scenario identification is a collaborative effort in that operational representatives must assist legal counsel in understanding what data is available, what limitations may exist in the data and the level of confidence in the data validity. Data availability is often a major consideration for the determination of litigation approaches. Because FCA cases are typically historical in nature, data required to perform necessary reviews may be difficult to come by. Additionally, FCA allegations are often tied with transactions that manufacturers did not see as necessary in the determination of government pricing; as such, data may not be available for these transaction types. Based on the complexities in identifying a usable data set and validating the complete and accurate nature of the data, communication with legal counsel is imperative. Ensuring that legal counsel understands the level of certainty and granularity in data will ensure that the most appropriate scenarios, based on the available data, are identified.

With this information, legal counsel can develop scenarios that evaluate allegations appropriately, based on the nature of the complaint made by the government. Legal counsel may additionally consider information as outlined in the complaint or provided to legal from other sources. Because the teams responsible for data forensics are fact-based teams only, and not directly involved in scenario development, they are only responsible for communicating data availability considerations and then ultimately performing analysis as required by the scenarios determined by legal. Other considerations outside of the data availability should not be made by the data forensics team.

Analytical approach determination

There are a number of different analytical approaches that can be taken to respond to a scenario. It is the responsibility of the data forensics team to evaluate a given scenario and propose the appropriate data forensics approach to legal counsel. Understanding the basics of the complaint and allegation may be beneficial to the data forensics team in evaluating analytical tools. However, it is important that such information does not change their ability to remain fact-based in their overall analysis approach.

Data gathering and data analytic techniques

Once legal counsel has devised the hypothesis to be tested through the scenarios identified and operational and data analytical resources have been secured, data gathering efforts can be initiated. Operational and data analytical resources should collaborate with internal and/or external legal counsel to identify the data and documentation to be requested, as well as the individuals responsible for responding to requests. It is critical that data and documentation collection is solely based upon legal’s request and direction, in order to be protected as such, and clearly marked as "Confidential Attorney-Client Work Product". Further, any data or documentation potentially related to imminent or ongoing legal action is considered to be "on hold", preserved, until further notice, and suspended from destruction to ensure availability, as necessary, to support litigation efforts.

In an effort to streamline data and documentation collection, data gathering responsibility is typically assigned to an individual supporting an analytical role, and requests for data and documentation are consolidated and centralised within the scope of the testing to be performed. In many cases, the information needed to test the hypothesis spans across multiple operations and time periods. Due to the volume of information resulting from these activities, having a secure site to easily store and access the information is a key consideration.

The approaches for implementing data forensics vary depending on the hypothesis to be tested; however, adopting certain tools and techniques can drive the effectiveness of testing and outcomes. By having the infrastructure, processes and tools in place to extract data, a company’s ability to support data-focused investigations and effectively respond is greatly increased. In implementing these tools and techniques, a company should also consider the fluctuating nature and scope of investigations; therefore, data forensics must allow for pivoting focuses and changes in scope.

A strategy and roadmap outlining the workflow sequence and considerations for conducting analytics are valuable to ensure that key stakeholders, including data analytical resources as well as internal and external legal counsel, are in agreement with the approach and that expectations are clearly understood. The resources responsible for performing data forensics are often the gatekeepers of the strategy and roadmap and collaborate closely with internal and/external legal counsel to address pivoting in the scope, or additional information to be considered.

Interviews

Often, interviews are a helpful technique utilised to gain an understanding of the processes in place during the time period in question, or to facilitate the discovery process for capturing additional information and supporting documentation. During interviews, an internal and/or external legal delegate is present during and is responsible for upfront communication of the attorney-client privilege and related scope of the discussion. Interviews conducted at this phase are operational and questions should focus on details related to the data or documentation collected. Communications surrounding the discovery process should be conducted through the interview process to provide a baseline for understanding data and information provided. All communications exchanged should be limited to fact finding and should be objective in nature.

Discovery and forensics analysis

Data mining through review of historical data and documentation, such as contracts and related terms, supporting transactions, decision making and methodologies retained to derive payments and pricing, enables analytical resources to establish a roadmap for hypothesis testing. Understanding the variables and processes driving outputs helps to establish a foundation and framework for the analysis to be performed. Analysis and fact finding are coupled with interviews until a baseline has been formed. At the conclusion of this stage, the hypothesis may be revisited and scenarios may be adjusted according to the results of these activities.

Scenario analysis and workflow sequence

Scenario analysis is performed to identify outcomes given predetermined inputs. Scenario analysis is useful for providing outcomes according to varying inputs identified to support the hypothesis testing. Different scenarios and outcomes to allegations and supporting inquiries, and unexpected results or additional data considerations, should be vetted with internal and external counsel.

Variance analysis

A variance analysis compares a value resulting from a scenario-based input, to the original value. The explanation of the variance is derived from the knowledge and understanding gained during the discovery process and data forensics performed.

Trending analysis

A trending analysis is a valuable technique for identifying changes in data and drivers over a specific period of time. To appropriately identify data outliers and drivers over time, the baseline trend of outcomes should be compared to the trending of outcomes based on agreed upon scenarios.

Summary and production of outcomes

A summary analysing the outcome of testing, to support the hypothesis, is often the end product. The summary produced captures the hypothesis and outcome of testing performed. The summary also includes explanation data outliers and ensures drivers are adequately described. It is best practice to cross reference the outcomes to the supporting analytics and ensure that all supporting documentation is appended accordingly.

Conclusion

With increasing enforcement activity and resulting settlements in business risk areas that include an extensive amount of transactional data, successfully responding to significant allegations may hinge on proving "innocence" via data forensics. Often, off-label activities and inappropriate selling practices lead to violations of the Federal FCA (and potentially state FCAs) because a false or fraudulent claim ultimately was submitted and paid by the government. The forensic and investigative considerations and techniques explored in this article can facilitate the investigative process and support the testing necessary to achieve desired outcomes.

References

1. Total Spending for Health Care Under CBO’s Extended-Baseline Scenario, accessed 8 May 2011, www.cbo.gov/ftpdocs/102xx/doc10297/Chapter2.5.1.shtml#1096883

2. Center for Medicare & Medicaid Services, National Health Expenditures, by Source of Funds and Type of Expenditure: Calendar Years 2003-2009, accessed 8 May 2011, www.cms.gov/NationalHealthExpendData/downloads/tables.pdf

3. Medtronic settles kickback lawsuit in the US, Regulatory Affairs Medtech, 20 July 2006

4. DOJ press release, 4 October 2010, www.justice.gov/usao/pae/News/Pr/2010/Oct/synthes,norian_release.pdf

Clarissa Crain is managing director, Commercial Operations, at Compliance Implementation Services (CIS) and Chrissy Spicer is the company's director, US Commercial Compliance. Website: www.cis-partners.com. Email: [email protected] or [email protected].