Image credit: Timon | stock.adobe.com

After more than a decade of relative inactivity, the Centers for Medicare & Medicaid Services (CMS) has signaled that it may soon commence audits of reporting entities under the Sunshine Act.

Limited Audit and Enforcement Activity To-Date

The Sunshine Act, formally known as the federal Physician Payments Sunshine Act, requires group purchasing organizations (GPOs) and manufacturers of certain drugs and devices that are reimbursed by certain federal healthcare programs to annually report to CMS payments or other transfers of value they make to US-licensed physicians, teaching hospitals, and certain other US-licensed healthcare professionals, referred to as “covered recipients,” during the prior calendar year.

They also must report any ownership or investment interests held in the reporting entity by a U.S.-licensed physician or a member of his or her immediate family.¹ Failure of reporting entities to timely and accurately report pursuant to the law may result in civil penalties.

The law first became effective in 2013, and since that time, the Department of Health and Human Services (“HHS”), CMS, the HHS Office of Inspector General (“OIG”), and their designees, have each retained authority to audit, inspect, investigate, and evaluate reporting entities’ compliance with the law.² However, these government agencies have not historically exercised this auditing authority, citing a lack of finalized audit strategies and audit plans.³ There have been limited instances of publicly-disclosed Sunshine Act enforcement actions in the decade that has transpired since reporting first went into effect.

CMS Shifts Its Attention to the Sunshine Act

CMS is signaling a shift in its attention to Sunshine Act compliance initiatives. For example, beginning in 2021, CMS required reporting entities to track payments or other transfers of value provided to additional provider types, including physician assistants and nurse practitioners, among others. And, effective this calendar year, reporting entities must evaluate whether they qualify under CMS’ recently promulgated and expansive definition of “physician-owned distributorship(s)” (PODs), and, if so, self-identify as a POD on their annual reports.⁴

The annual reports CMS makes to Congress also demonstrate a more forceful approach to enforcement, including a gradual uptick in pre-demand letters and civil monetary penalties for non-compliance (Figure 1). These developments all coincide with the Agency’s request to increase its budget for the Open Payments program, including to support “ongoing operations and enhancements.”⁵

Figure. Rising Stakes of Sunshine Act Compliance.

Forthcoming Audits

In November 2023, CMS updated its Open Payments FAQ guidance to include three new FAQs focused specifically on Sunshine Act audits, despite not having publicly reported the performance of any audits as of that date. The FAQs provide detailed insights into key audit issues and explain the following:

1. How Companies are Selected for Audit.⁶ CMS states it will use a combination of risk-based criteria and random selection to identify reporting entities for audits. The risk-based criteria identified by CMS include factors like prior history of noncompliance; credible third-party compliance tips, anomalies, or inaccuracies in reported data; and unusual or inconsistent reporting patterns, suggesting that CMS has or will comb through existing data to identify outliers when choosing which companies to audit.
2. How Audits are Initiated.⁷ Reporting entities subject to an audit will be provided notice at the physical mailing address and email addresses provided by the manufacturer during the Open Payments registration or recertification process.
3. What the Audit Process Looks Like.⁸ CMS states that each audit is unique but identifies a standard set of processes. Specifically, following the initiation of an audit, CMS will arrange a phone conference with the audited entity to discuss further instructions. At the conclusion of the audit, CMS will provide the reporting entity with the Agency’s audit findings and provide an opportunity to respond. If noncompliance is identified, CMS may issue a letter outlining the steps for the entity to come into compliance or pursue civil monetary penalties.
4. What Supporting Documentation Will Be Requested.⁹ Notably, CMS emphasizes that companies should have ready access to books and records pertaining to their compliance with the law. This includes supporting documentation for a period of five years from the date the data is published publicly on the Open Payments website. CMS states that the auditors may seek “receipts or checks; general ledgers; copies of contracts or agreements; standard operating procedures or directions to employees regarding transfer of value tracking; board meeting notes; or anything else that captures data concerning payments or transfers of value to covered recipients.”

Taken together, these signal CMS' efforts to ramp up its Sunshine Act auditing of reporting entities.

How to Prepare

Reporting entities should take note of the new guidance from CMS and use this opportunity to confirm their tracking and reporting practices align with the Sunshine Act’s detailed requirements. As the agency shifts its attention to Sunshine Act compliance, companies can take the following steps to prepare for potential audits, whether based on targeted or random selection criteria. These small but impactful measures can go a long way towards confirming compliance and facilitating an orderly process in the event a company is selected for audit by CMS:

1. Update Open Payments Contact Information. CMS’ new guidance states that audit notices will be submitted to the contact information in the Open Payments System. Accordingly, companies should ensure that contact information provided during the Open Payments registration or recertification process is accurate and up to date to avoid missing key communications from the Agency.
2. Confirm Key Policies and Processes are in Place. Companies should have policies, procedures, and training in place addressing Sunshine Act compliance, along with dedicated staff/professionals/outside vendors responsible for Sunshine Act compliance. Likewise, non-privileged written assumptions explaining the company's positions on select issues can be produced to the government in the event of an audit without causing any privilege waiver. These items could be among the first that are produced in response to an audit.
3. Conduct Test-Run Audits. Conduct an internal audit of Open Payments data to prepare internal teams and vendors for potential audits from government investigators and, importantly, to identify any potential process gaps. Companies should periodically repeat internal audits to identify potential errors and ensure data is ready for reporting on or before March 31 of each year.
4. Analyze Payment Trends. CMS has stated it will select companies for audit based on random and risk-based selection criteria, including unusual payment trends, past non-compliance, and other data anomalies. Companies should consider careful evaluation of their own payment trends and prior reporting practices to assess likelihood of being selected and to be prepared to explain any anomalies that might arise in the context of an audit.
5. Implement Sub-Certification Process. Require relevant department heads to certify that payment data reported by their departments are accurately and completely captured in the company’s system of record to assist the corporate officer ultimately responsible for attesting to these facts to the government.
6. Review Data Retention Requirements. Verify data retention policies (or contractual requirements with Sunshine Act vendors) comply with Sunshine Act requirements, including retention of receipts, sign-in sheets, policies and procedures, relevant contracts, board meeting notices, and similar documentation relating to Sunshine Act compliance.

By adopting these practical steps and others, reporting entities can reduce their risk of noncompliance and potential penalties and demonstrate their commitment to transparency and accountability in the healthcare industry. Importantly, these strategies can help make the audit process run smoother and more efficiently, if a company is chosen for an audit, thereby conserving company resources, avoiding distractions from day-to-day operations, and reducing the chances of attracting unwanted attention or scrutiny to matters involving transfers of value.

References

1. See 42 U.S.C. § 1320a-7h(a).
2. 42 C.F.R.§ 403.912(e)(1).
3. OIG, Open Payments Data: Review of Accuracy, Precision, and Consistency in Reporting, at p. 9 (Aug. 2018), https://oig.hhs.gov/oei/reports/oei-03-15-00220.pdf.
4. CMS, Medicare Program; CY 2022 Payment Policies Under the Physician Fee Schedule and Other Changes to Part B Payment Policies, 86 Fed. Reg. 64996, 65659 (Nov. 19, 2021).
5. CMS, Fiscal Year 2023: Justification of Estimates for Appropriations Committees, p. 143 (2022), https://www.cms.gov/files/document/fy2023-cms-congressional-justification-estimates-appropriations-committees.pdf.
6. CMS, Open Payments FAQ #2026 (last updated Nov. 14, 2024), https://www.cms.gov/OpenPayments/Downloads/open-payments-general-faq.pdf.
7. CMS, Open Payments FAQ #2025 (last updated Nov. 14, 2024), https://www.cms.gov/OpenPayments/Downloads/open-payments-general-faq.pdf.
8. CMS, Open Payments FAQ #2027 (last updated Nov. 14, 2024), https://www.cms.gov/OpenPayments/Downloads/open-payments-general-faq.pdf.
9. Id.