Is 2016 The Year That CMS Starts Fining Sunshine Act Violators?

In Consulting, Industry Reposts by Mark Gardner

The third annual Physician Payments Sunshine Act (“Sunshine Act”) reporting deadline has come and gone. If you are an applicable manufacturer and this law is news to you, you might be getting fined. The most recent reporting deadline was March 31st, 2016. Previous reporting cycles included 2013 (partial report out) and 2014. Failure to report can result in Civil Monetary Penalties (“CMPs”) assessed by the Centers for Medicare and Medicaid Services (“CMS”) and bad publicity. Presumptively, when CMS fines the first manufacturer or group purchasing organizations (“GPOs”) for a reporting failure, it will be publicized in order to compel industry compliance with the 3-year old regulation. Companies that failed to report previously may still be able to report in arears, although, there are no guarantees that CMS will not fine organizations for such failures. Are you at risk? This short article discusses the current reporting cycle, which companies are at risk for fines, and how companies can mitigate exposure to the Sunshine Act.

The Current Reporting Cycle

We are currently in the review period for the 2015 reporting cycle. Physicians and teaching hospitals have 45 days from April 1, 2016, to log onto the CMS Open Payments website and review payments that manufacturers and GPOs reported for 2015. That period is followed by a 15-day industry correction period. Also reported are physician ownership or investment interests. If physicians or teaching hospitals take issue with the reported information, they can “dispute” it. Unresolved reporting entries are still published on the Open Payments website as “disputed.” For example, if a physician disputes a meal provided by the company, yet the company has record of providing it, and refuses to change it in Open Payments, the meal will be reported under the physician and marked disputed.

Are You at Risk?

When is CMS going to start fining violators? Short answer: No one knows; but there is reason to believe CMS will start auditing and fining companies soon (if this has not already started). After all, CMS used the word “audit” many times (20x) in the Final Rule: “HHS, CMS, OIG or their designees may audit, inspect, investigate and evaluate any books, contracts, records, documents, and other evidence of applicable manufacturers…that pertain to their compliance with the requirement to timely, accurately or completely submit information in accordance with the rules established under this subpart.” See Paragraph Citation 78 FR 9528.

CMS wrote in its 2015 report last year to Congress that although no fines were issued (prior to April of 2015) that CMS has been “engaged in an effort to increase submission compliance of specific entities that did not submit data.” The report is available at CMS goes on to state in the report that it “will launch targeted audits to identify applicable manufacturers and GPOs that should have submitted payment information but did not for 2013.” Perhaps some of these audits will result in fines? It remains to be seen. CMS was contacted while writing this article and they did not have any news to report about fines. The 2016 Open Payments report to Congress is due out any day. Stay tuned.

Other likely targets for CMS to fine and subject to adverse publicity include companies that have their data disputed often by physicians and teaching hospitals. As discussed above, CMS is currently in the “review” phase of the 2015 reporting cycle. In short, sloppy reporting leads to disputes. CMS notes in its Fact Sheet for Applicable Manufacturers that they “will monitor the frequency of disputes reported by physicians, teaching hospitals, and physician owners or investors and the volume of disputes unresolved between physicians, teaching hospitals, and applicable manufacturers to inform the auditing process.” In other words, the more disputes, the more likely a manufacturer is likely to be audited. This reinforces the importance of presenting payment information to recipients for verification prior to reporting it to CMS.

What Can Be Done to Mitigate Risk?

Do not underestimate the business impact the Sunshine Act can have on your company. Reporting errors can lead to not only CMPs, but also reputational harm, and damage to customer relationships. Several states (CA, NV, MN, LA, VT, MA, CT, and DC) also have laws that require registration and reporting, ban gifts, and regulate behavior. Some of these laws only apply to pharmaceutical manufacturers and not medical device manufacturers.

In order to avoid exposure and fines, manufacturers should develop policies and procedures that address the requirements of the law, train employees, and audit themselves for compliance before CMS does. Companies that are behind in their reporting should take action and report, even if that means reporting in arears.

This article is not legal advice. Questions regarding the Sunshine Act should be discussed with legal counsel.


Mark Gardner, MBA, JD, is an Associate Attorney at DuVal & Associates, PA, a law firm dedicated to counseling FDA-regulated companies. Mark’s areas of expertise include FDA regulation; enforcement actions; design and implementation of regulatory compliance programs addressing sunshine, anti-kickback, false claims, and privacy laws and regulations; promotional and marketing strategy review; and regulatory submissions. Prior to practicing law Mark worked in product commercialization at three medical device companies over a 10-year span. Mark teaches FDA law at Hamline University School of Law, co-chairs the Regulatory Special Interest Group at LifeScience Alley, and is the former chairman and a current council member for the Minnesota State Bar Association Food, Drug and Device Law Section.