Introduction

With heightened anti-corruption enforcement by the Chinese government, the landscape of compliance in China is changing rapidly, especially for the already highly regulated life science industry. As China’s life science industry enters an era of strict compliance and strengthened supervision, how to ensure adherence to the dynamic regulatory changes remains a key concern for both domestic and global companies operating in China. On February 26, 2021, a new milestone local compliance standard, the Pharmaceutical Industry Compliance Management Practices (the “PICMP”, PIAC/T 00001-2020),[1] promulgated by the China Pharmaceutical Industry Association (the “CPIA”) became effective. The PICMP sets out detailed guidelines for compliance systems and practices for life science companies and by life science companies.

Compliance and risk management has been a consistent focus of regulatory bodies and industrial organizations in China. For example, the Code of Practice[2] from the R&D-based Pharmaceutical Association Committee (the “RDPAC”), organized under the China Association of Enterprises with Foreign Investment, has already been certified by many multinational pharmaceutical companies in China for years. The Code of Practice, despite its non-mandatory nature, provides ethical standards for member companies to be integrated into their own compliance policies. Subsequently, when China started to promote the Belt and Road Initiative[3] and with more and more Chinese companies (particularly state-owned companies) expanding business across borders, these companies started to build up their compliance infrastructure, and internal control programs and there was a market need to consult compliance standards for reference. It was almost at the same time that the International Organization for Standardization (“ISO”) released two international standards relating to compliance—ISO 19600 and ISO 37001, respectively—in 2014 and 2016, which quickly became a reference of compliance guidance in the Chinese legal market. ISO 19600 offers general guidelines on what is required to build a compliance management system, while ISO 37001 provides comparatively more detailed requirements for an anti-bribery management system. In April 2021, ISO also published a further updated version, ISO 37301,[4] specifying requirements and guidelines on establishing an effective compliance management system.

The recent promulgation of PICMP shows China’s ambition to not only follow compliance standards set up by international organizations and industrial organizations that are led by multinational companies, but also set its own local compliance standards for all life science companies that operate in China. Although the PICMP is also a non-mandatory industrial standard according to the PRC Standardization Law,[5] as a national association, CPIA currently has more than 440 members, covering both Chinese subsidiaries of major multinational life science companies and Chinese life science and biotech companies.[6] In addition, the draft of the PICMP was co-authored by the China Biochemical Pharmaceutical Industry Association, the China Association for Medical Devices Industry, and other national organizations, which reflects China’s ambition to influence more market participants than the RDPAC’s Code of Practice and the ISO standards.

The PICMP contains compliance standards in eight areas, including (1) anti-commercial bribery, (2) antitrust, (3) finance and tax, (4) product promotion, (5) centralized procurement, (6) environment, health and safety, and (7) adverse reaction reporting, as well as (8) data compliance and cybersecurity.[7] These areas timely reflected the focus of Chinese regulatory and enforcement oversight at the time. The wide scope of topics included here also represents the CPIA’s comprehensive approach toward compliance, with a goal to assist pharmaceutical and medical device companies to set forth internal controls on data protection, enhanced compliance system, and risk management.[8] The PICMP is applicable to all Market Authorization Holders (“MAHs”) of pharmaceuticals and medical devices, as well as other relevant parties in the life science industry.[9]

It is important to understand the key sections in the PICMP that will affect multinational life sciences companies’ operation in China, and how compliance and legal departments will need to address them. We will also provide a more detailed comparison between PICMP and RDPAC Code of Practice 2019 later in a sister article, as companies will need to reconcile the requirements of these two key points of guidance.

Anti-Commercial Bribery and Product Promotion

The provisions in the annexes of Anti-Commercial Bribery and Product Promotion of the PICMP set forth standards on the payment of certain marketing expenses, such as speaker fees to health care professionals (“HCPs”) and sponsorships to third-party conferences. In addition, the PICMP also provides guidance on Patient Assistance Programs (“PAPs”) and other areas of commercial and medical operations.

• Speaker Fees: Under current PRC laws, the speaker fees are at this time mostly regulated based on the PRC Anti-Unfair Competition Law (the “AUCL”). The AUCL broadly and generally prohibits business operators from seeking transactional opportunities or competitive edges by bribing relevant parties.[10] However, whether the payment of speaker fees violated the AUCL varies among local regulators. The PICMP allows payments of speaker fees to HCPs based on the fair market value for the speaking services provided and prohibits speaker fees paid with the intent of influencing HCP’s presentations or cultivating future business generated by HCPs.[11]

This is consistent with the RDPAC Code of Practice 2019, whereby speaker fees are regulated as fees for services to HCPs; and limitations on value, compensation governance, and prohibitions are enumerated.[12] Neither code, however, provides more details on fair market value (“FMV”), which, in practice, still triggers questions by companies and local benchmark information is needed for reference. A strong and defensible FMV methodology will be increasingly important going forward.

• Sponsorships: Sponsorship to HCPs for third-party conferences is allowed under the PICMP, as long as such sponsorship is (1) limited to cover the expenses of transportation, accommodation, food, and conference registration based on fair market value, and (2) not directly paid to any individual HCP.[13] Conferences held at venues that could be considered luxurious are also explicitly prohibited, including, but not limited to, spas, hot springs, holiday resorts, golf clubs, etc.[14] The PICMP also provides that meeting minutes for such conference should be kept for at least five years, thereby imposing a documentation and document retention requirement on companies.[15]

In addition, the PICMP further allows promotions at third-party conferences based on mutual interests of health care organizations and companies and legitimate business interest, so long as it is based on reasonable grounds and a public invitation of investment is duly provided and recorded.[16] Although the criteria of reasonable grounds are not specified, the PICMP explicitly allows promotions for corporate image, brand, and products.[17]

Thus, the PICMP takes a similar approach as the RDPAC Code of Practice 2019 in allowing for sponsorships for HCPs to attend medical interaction programs subject to limitations on gifts, reimbursement, and allowance. However, the PICMP provides more detailed recommendations on the limitation, including specific requirements on application and approval procedures of activities, attendees and venue of conferences, and the limitations on academic sponsorship and commercial sponsorship, among others.[18]

• Interacting with Government Officials: Unlike the RDPAC Code of Practice 2019, which only provides guidance on interactions with HCPs, the PICMP further provides sections on interacting with government officials and personnel of similar function. The PICMP recommends companies to restrain the interactions to legitimate business communication and to be cautious when interacting with officials who have substantive decision-making power that can influence companies’ business.[19] It also prohibits briberies with the intent of obtaining any unfair advantage in market competitions, including, but not limited to, obtaining drug licenses, filing and registration of medical devices, and price negotiations, among others.[20]
• Interacting with HCPs and Health-Care Organizations: When it comes to interaction with HCPs and health-care organizations (“HCOs”), the PICMP provides practical guidance on medical representatives’ daily work. In-person interactions between medical representatives and HCPs are allowed under the PICMP, as long as the communications are limited to the exchange of product information, drug usage, and feedback on products’ clinical and adverse reactions.[21] The PICMP also requires MAHs or their medical representatives to get approval from the medical institutions prior to such in-person meetings and prohibits direct or indirect briberies to HCPs[22] This seems to be a new requirement that is not mentioned under other industry codes, yet how this requirement may be implemented remains to be seen. Here, the PICMP also takes a similar approach in recommending extensive requirements on HCPs/HCOs interactions from the anti-corruption perspective, which has been a regulatory enforcement focus, centering on showing the scientific and educational nature of the interactions.
• Patient Assistant Programs: The PICMP also has a section on PAPs, which are described under Chinese law as programs that offer free drugs to low-income individuals through charitable organizations, including prescriptions and Class A Non-Prescription drugs.[23] Under the PICMP, pharmaceutical companies can support PAPs initiated by qualified charities and provide free drugs for charities.[24] In regulating PAP-related activities, the PICMP prohibits any PAP in connection with marketing campaign or drug promotions, or using any sample that is provided to medical institutions.[25] The PICMP also includes a data privacy provision which prohibits companies from collecting patients’ personal data through PAP.[26] In comparison to the PICMP, the RDPAC Code of Practice 2019 seems to provide a more restricted PAP rule, which only allows offering related PAP items of less than 500 RMB (per item) in a non-occasional basis, even if each individual item is appropriate.[27]

Data Compliance

Using electronic patient health records and platforms has become more prevalent, especially since the onset of the COVID-19 pandemic; specifically, there has been an urgent need for governments to bring out comprehensive and updated regulations to ensure that pharmaceutical companies and medical organizations act appropriately and use personal information in a legal and secure method. Moreover, as pharmaceutical companies embrace digital transformation and unlock innovative business models, they also need to fully integrate data protection and cybersecurity into their compliance and risk management priorities. The PICMP does not provide specific details in this regard, but it does note the data compliance obligations for all parties in the transaction route-to-market, including market authorization holders, contract research organizations, contract manufacturing companies and contract development manufacturing companies, contract sales organizations, and distributors and sub-distributors.

Considering the Civil Code of the PRC, the Data Security Law, and the Personal Information Protection Law, all of which were released in 2020 and 2021, and, along with the Cybersecurity Law that came into effect in 2017, the basic legal framework for cybersecurity and data protection in China has gradually taken shape. The 2020 revision of the Personal Information Security Specification also provides reference for law enforcement and corporate compliance work in relation to personal data protection.

Currently, China is reinforcing its efforts to further tighten its data regulations. For example, the newly issued Data Security Law governs almost all sorts of information generated from a company’s operations, either in electronic or other forms. In addition, it requires all data processors to develop a life-cycle management system for data security in order to assess risks, handle violations, and take corrective measures effectively. It is expected that, for the life science industry, the collection, storage, processing, and utilization of personal information will face more stringent compliance obligations, which will be reflected in the future PICMP annex on data compliance and cybersecurity.

Conclusion

The fast pace and high frequency of regulatory legislation and local enforcement in China over the recent years, together with the issuance of the PICMP, reflect Chinese regulatory authorities’ pursuit of enhancing compliance nation-wide in the life science industry. In the foreseeable future, Chinese regulatory authorities are likely to increase their enforcement actions across these compliance areas. It will be imperative for both multinational and local companies to stay on top of these local developments, and take a broader and more local view when assessing risks for compliance infrastructure, check and balance, and data security issues. This will help convey the companies’ commitment to compliance and potentially serve as a persuasive defense or mitigating factor in government investigations by Chinese and foreign regulators.