Compliance in the Era of COVID-19 – Where and How Life Sciences and Health Care Companies Should Focus in the Era of Social Distancing
April 22, 2020
Since the onset of the coronavirus pandemic, we have been introduced to an entirely new everyday language, beginning with the term COVID-19 itself, the more scientific term used to describe the incredibly contagious virus spreading so quickly around the world. COVID-19, or Coronavirus Disease 2019, as it is more colloquially known, has brought “social distancing,” “stay-at-home sheltering,” and “incubation periods” into our daily conversations, and continues to affect nearly every aspect of professional and personal life, forcing businesses across the globe to adapt to a new operating landscape. The total number of confirmed cases has surpassed 2.5 million worldwide, with approximately 32 percent from the United States alone. And the world has lost more than 170,000 individuals as a result of this scourge. Self-quarantining, sheltering in place, and social distancing have become key public health mechanisms to “flatten the curve” of transmission. Meanwhile, companies are facing the stark reality that work from home and contactless business are the “new norm,” and, as we all focus on the news, we do not know how long this will all last.
It is true that this is not the first time that a global pandemic or health scare has disrupted life and business. The Spanish flu pandemic in 1918 lasted nearly three years and infected about a quarter of the world’s population, claiming the lives of tens of millions of people (many estimates place the death toll at approximately 50 million people), during the impact of the First World War no less, which itself claimed more than 35 million lives. It was a combined impact on a scale that the COVID-19 pandemic has not even come close to approaching. In the early 2000s, there was also the Severe Acute Respiratory Syndrome (“SARS”) outbreak, which incited fear as it spread throughout East Asia and into Europe and the Western Hemisphere, resulting in a 9.5 percent mortality rate. Even more recently, the swine flu pandemic of 2009 infected an estimated 11 to 21 percent of the global population as the economy struggled to rebound from a recession. There are countless other examples of disruptive public health crises, such as the polio outbreak in the 1950s and the spread of the Middle East Respiratory Syndrome (“MERS”) in 2012. This is nothing new, right? But, in fact, it is.
Although the world has faced several major pandemics over the past 100 years, the effects of COVID‑19 on business are unique to our time. Increased globalization and interconnectivity have changed the way companies operate and the interdependence of economies. At this time, and unlike ever before, vast swaths of different country populations, including the United States, are social distancing or under full quarantine, with the only people remaining in the “office” being those employed by essential businesses like hospitals, doctors’ offices, grocery stores, banks, and utilities. People are doing their best “to work from home,” but there are clearly limitations. COVID-19 is also the first global crisis that has had a major impact on corporate compliance departments in their present form. As recently as the SARS outbreak in 2001, compliance as a profession was in its nascent stage. And unlike during the 2008 financial crisis, compliance departments and other colleagues are able to perform their jobs, albeit under remote circumstances.
It has been a little over a month since President Trump declared a state of national emergency on March 13, 2020. While social distancing, sheltering in place, and the closure of businesses and schools have exposed the fault lines across society and have devastated the lives of so many, the rapid spread of the coronavirus itself—and now growing concerns around a possible resurgence if restrictions are lifted prematurely—are affirmations of the extent to which we are a global community—one that is more mobile, more wired, indeed, more connected, than any prior generation that has survived a pandemic.
As health care professionals and other essential workers bravely care for patients with COVID-19, the race to develop treatments, vaccines, and rapid test kits for the virus is well underway. That has placed life sciences companies, particularly pharmaceutical and biotech companies and research institutions, along with government agencies and regulators with the authority to expedite the development and trial of therapies and vaccines, front and center. COVID-19 also has demanded, in ways perhaps unique to the life sciences and health care industries, that we respond nimbly to customers—our patients, and the health care professionals who care for them. Our customers are more vulnerable, under siege, and arguably more at risk than consumers of other products and services because of medical needs unrelated to COVID-19. Could surgeries proceed, and if so, which ones and where? How and where should patients get their physician-administered or infusion therapies; or, what if any bridge therapies might tide patients over for a few days, while longer term solutions are explored? What do we do about unexpected drug shortages, and what other shortages are we anticipating, and how imminently? And how do pharmaceutical and medical device manufacturers communicate around these critical issues?
Notwithstanding the challenges distinct to the life sciences and health care industries, there certainly has been no shortage of obstacles common across all industries. Most employees are working remotely, which has dramatically altered the day-to-day experience of our colleagues. Field teams and health care professionals have significantly restricted, if any, in-person access. These changes have introduced new pressures on employees, particularly in the field, around meeting business goals under unprecedented circumstances, all at a time when business communications are being driven significantly to alternative channels, including social media, and onto personal devices—all of which raises the question of whether business activities are being sufficiently (or overly) memorialized and retained. Furthermore, as OECD Working Group on Bribery Chair Drago Kos recently recognized, not even a pandemic will stop bribery and corruption—indeed, a “high risk of corruption poses a major challenge to tackling this global health crisis.” The sudden disruption of global demand and supply chains from their usual course creates new opportunities for bribery, and corruption has tainted prior disaster relief efforts, from the Ebola outbreak to Hurricane Katrina. To be sure, enforcement is continuing work remotely and virtually on criminal, civil, and administrative fronts. In fact, the pandemic has prompted the creation of federal and state anti-fraud task forces across the country. COVID-19, without doubt, has challenged all of our notions of how we can get business—and thus, the work of compliance—done.
Where and How to Focus
While companies and their compliance programs range in size, resources, and maturity, there are seven areas that are worth examining or reexamining, in order to ensure that compliance programs are effectively identifying, understanding, and mitigating pre-pandemic as well as new compliance risks in light of changed circumstances: (1) risk assessment and planning; (2) tone at the top and middle; (3) policies and procedures; (4) training; (5) investigations; (6) third-party risk; and (7) monitoring.
Situational Risk Assessment and Planning. As things seem to be changing nearly daily or weekly, it is now, more than ever, imperative that compliance teams have a seat at the table when business plans and meetings are taking place, and to make (or re-make) such a case for a seat at the table. As companies are conducting business differently in response to the new COVID-19 reality, a compliance program that once effectively mitigated pre-pandemic risks may now be less effective. Controls that were in place to mitigate certain risks may now be overly restrictive, making it difficult for employees to execute day-to-day activities. Other controls may be ineffective, giving companies a false sense of security that issues are being detected. As such, it is critical that companies quickly assess their new overall risk profile to understand the areas where the company may have some exposure or gaps in its program. It may be that existing risks need to be prioritized differently; or, there may be entirely new risks presented. Consider your internal stakeholders, as well as the external—such as patient- and HCP-directed activities and engagements. Identify your key third-party relationships to better understand existing and anticipated business disruptions as well as any relevant contractual terms that might govern extraordinary circumstances like those we currently face. By conducting a COVID‑19-related risk assessment, the company will be able to help ensure that its compliance program is keeping pace with all of the evolving ways of working and conducting business.
Commitment by Senior and Middle Management. Always arguably the most critical of compliance program elements, and probably much more so the case in a time of great uncertainty, tone at the top and middle will be a key driver of employee behavior. Senior and middle management should frequently express their commitment to compliance to help ensure employees understand that compliance remains a priority for the company. During this time of economic challenge on a global scale, employees will look to their leaders and managers for guidance on how to conduct business now, in view of the new COVID-19 reality, as well as once things get back to some semblance of normal. The company’s leadership and compliance teams must help ensure that, despite these uncertain times, employees understand what is expected of them and that leadership encourages reporting of any potential misconduct by reinforcing the compliance culture. Through their words and actions, leaders and managers can help maintain a measure of calm for employees; reinforce that, as business continues, compliance is still a priority and that the impact of COVID-19 on business will not be an excuse for non-compliant behavior; and reaffirm key policies to help ensure that employees feel safe reporting potential problems and concerns or asking questions (e.g., Open Door Policy, Non-Retaliation Policy).
It is paramount that leaders and managers address these issues and develop effective strategies for periodically communicating with employees to help reinforce the company’s compliance culture and principles. Similarly, it is essential that the compliance team maintains visibility and encourages employees to ask questions or seek guidance or clarification before taking action. While there may be an understandable tendency for compliance departments and professionals to be sensitive, and to calibrate their profiles with, in effect, matters of life and death all around, they must still be present. Through periodic compliance messaging, virtual town hall meetings, and other mechanisms, both management and compliance teams can help ensure that employees understand that, while external circumstances have most certainly changed, the company’s commitment to compliance has not.
What to Do with Existing Policies and Procedures. An organization’s policies and procedures are generally designed to govern employee conduct under normal operating conditions. As the organization’s operations and processes adapt to the changing circumstances caused by COVID-19, however, compliance teams should consider how such changes may affect certain policies and procedures. Surely existing policies and procedures cannot be expected to capture this moment.
Compliance teams may want to consider whether the organization’s employees would benefit from specific COVID-19 interim guidance as employees adjust to the changed circumstances. For example, life sciences companies may experience changes in the way that employees interact with health care professionals through activities such as remote speaker programs, virtual sales calls, or alternative channels to intake medical information requests. With these changes, compliance teams may consider providing supplemental written guidance that addresses frequently asked questions, or otherwise instructs employees on how these changes affect their day-to-day compliance obligations.
In addition, compliance teams should proactively evaluate existing policies and procedures and ensure that any required modifications are in writing and clearly communicated. Now would be the ideal time to assess whether the organization has a global exceptions process to address deviations from existing policies and procedures, or whether individual policies and procedures have exceptions provisions for exigent circumstances that can be followed during this time and in future situations like the COVID-19 pandemic. Whatever the approach, it is important to have a thoughtful and documented process for how the organization will ensure that policies and procedures remain effective during this time, and how it will consider any necessary exceptions, whether on a global or individual basis.
Training. Policy and procedure changes or exceptions, as well as other guidance specific to COVID‑19, will need to be effectively communicated throughout the organization and included in the organization’s revised training plans. An organization’s annual training plan generally includes an appropriate mix of in-person, video, online, and “read and acknowledge” training and communications, and compliance teams should consider how the changes to workforce dynamics may affect the company’s training plans.
For example, compliance teams should consider updating their annual training plan to account for the inevitably greater need for remote training mediums (e.g., video, online, etc.) and potentially reformatting previously scheduled in-person training sessions as video conferencing sessions. Now is a good time to consider how to improve existing video or online training content, and whether the organization may benefit from a knowledge management platform or further investments to an existing knowledge management platform. Without the typical face-to-face interactions, at least perhaps for the foreseeable future, compliance teams will need to stay visible and ensure that employees remain adequately trained on their ongoing compliance obligations.
Monitoring. Compliance monitoring activities—namely, what and how we should be monitoring—should be reexamined in light of the remote work environment and the social distancing and shelter-in-place policies in place across the country. Monitoring should continue to track risk areas, so it is important for companies to re-evaluate their pre-pandemic monitoring plans with a strategy that is responsive to current risk, and/or develop specific COVID-19-related risk assessments. For example, with in-person interactions virtually eliminated, companies may want to consider devoting more resources to email, and to the extent possible, text message monitoring. Individuals across the board are utilizing alternative channels of communication—from video conferencing and instant messaging platforms to personal and professional social media outlets—but what do we know about our monitoring capabilities across these channels and the terms of any relevant governing policies? With regulatory attention devoted to public health communications and the review of vaccines and therapies to battle COVID-19, many companies may be facing delays in government registrations and approvals. Are we positioned to monitor the third-party intermediaries who have been engaged to help us in these areas, and whether there are any associated payments being made to expedite review?
To the extent field monitoring activities have been suspended for the present time, consider whether resources could be devoted to internal analytics to support and direct existing compliance monitoring and other program activities. Have hotline volumes dipped or surged? Has the substance of confidential reports changed? Which data results, if any, appear to signal concerning trends or patterns of activity that may need to be escalated or would warrant an employee “reminder” communication? As the risk landscape has changed, corporate monitoring plans should be modified accordingly.
Internal Investigations. With circumstances on the ground changing rapidly during the last several weeks, the internal investigations landscape within companies may look much different today than it did two weeks ago, and certainly different than it looked a month ago. For example, it is too soon to tell how COVID-19 is impacting confidential reporting. Face-to-face interactions with colleagues are no longer occurring, which may make the experience of reporting feel safer to employees, but COVID-19 itself also could distract from or diminish the motivation of internal colleagues to confidentially report issues of concern. For new complaints that are received, will the nature of complaints shift from matters like compliance in the field to fraudulent activity by third parties? And how do we vet new complaints—do we still initiate contact with potential witnesses, if in-person discussions are no longer an option, and if so, do we do so in all cases (if not, which ones?), when and how? The topic of investigations may be the one that feels the most misplaced with a pandemic going on, but it is too risky to be left behind.
First, keep making progress on investigations. Action on ongoing and new investigations feeds into compliance’s visibility, responsiveness, and credibility as colleagues who can be trusted to respond to concerns, no matter the toughness of the times. Second, be flexible. It is important to keep things moving, but of course also to allow for adjustments in turnaround times and expectations of colleagues. Data may not be collected and digested as quickly—but it can still be done. Third, prioritize and consider changes in approach that will help you move higher priority matters, despite the absence of your usual tools—human resources, time, and face-to-face interactions. For example, are there preliminary data or other forensic reviews that could help focus issues in a case, and potentially obviate the need for interviews or reduce the number of necessary interviews? Are there matters that require face-to-face encounters that need to be relegated, at least for now? If we need to continue investigating, should we perform certain interviews via video conference? And just as the United States District Court for the Southern District of New York ultimately decided to continue grand jury proceedings by video conference, how will we ensure the confidentiality and effectiveness of video interviews in a remote world? Continuing investigations and fielding confidential reports not only will enhance the team’s visibility and credibility internally now and in the future, but also provides an ongoing means of staying connected to employees and current with their concerns.
Third-Party Management. Legal and compliance teams will need to be just as, if not more, vigilant than before as to the activities and expectations of their third-party vendors and business partners. Most businesses are responding to sudden, unanticipated changes internally, and it should be no surprise that our third-party partners are doing the same. Whether it’s as headline-grabbing as Ford, 3M, or GE switching from manufacturing cars to ventilators, respirators, and face shields to battle COVID-19, or the exponentially increasing production of existing products, or the drug shortage concerns recently expressed by the FDA in the United States, or even the added pressures to the pharmaceutical supply chain by unanticipated manufacturing issues, companies are adapting to new economic, medical, and work realities in different ways.
For this reason, it is important to understand where each company’s risk exposures are and to take stock of which exposures could be exacerbated by third parties. Have you checked in with your vendors, if they have not already checked in with you, about what has changed so far, and what changes they expect in the near term? Understand the new pressure points for your third-party business partners and how they might impact your business. Third parties may have changed locations or other operations in response to COVID-19, and companies may need to fill gaps with fourth-party arrangements. This is one of those points of intersection for compliance and business stakeholders, as the business will need to understand the economic or other changes driven by the pandemic with its third parties, as will compliance, so there is no doubt some useful cross-leveraging to be done.
COVID-19 has upended the normal operations and business approaches of most companies—and the life sciences and health care industries are no exception. Business activities and focus undoubtedly have shifted. As quickly and as best as possible, understand how activities have changed—for your own company and for third-party business partners—and what that means for your company’s risk profile. With these risk assessments in hand, revisit your compliance plans and objectives, and document new ones that are responsive to present circumstances. While there have been even more impactful pandemics in the past, if measured by the numbers of the sick and dead, the situation globally today is unprecedented in many ways, including its economic impact, and the fact that compliance professionals and departments have never faced such a crisis. While the people and departments that have led the compliance efforts for years must maintain a human balance through this worldwide crisis, it will also be important to keep up the good work to be done, and not simply hope for the best when this passes.
We have addressed the seven priority areas for compliance programs of any size to consider under these difficult times, but above all, compliance teams need to be reasonable and flexible not only with the business colleagues they support but also (and no less importantly) with themselves. The key is to keep on keepin’ on, even if it is nearly all online. Leverage technology to the fullest to conduct what previously were in-person activities—from investigations, to proactive compliance reviews, to policy updates and related training program roll-outs—all while, of course, modulating for privacy and security protections and your own assessments of the efficacy of a virtual approach in a given situation.
And while COVID-19 has stretched individual and collective limits, consider whether the pandemic has escalated the importance of certain projects that have been on the “goal” list for a while, but have been deferred one or more times before, and whether a remote environment might better enable a compliance team to execute on them. From refreshing policies and procedures to conducting program assessments to more deeply analyzing emerging risks, compliance teams, working together even if apart, can make significant headway.
Finally, while so much of the road ahead is still unclear, some semblance of “normal” will return. Rather than wait, identify now the myriad ways in which the business is solving for lost time, opportunities, and in-person interactions. Determine now, as best as possible, the things that, in all likelihood, will become priorities as soon as business operations begin to resemble “normal” later. As we aspire for the better “later” to arrive sooner, we should be ready when it does.