In recent years, it has become difficult for FDA-regulated companies to ignore the potential fallout of violating current Good Manufacturing Practices (cGMPs). After making clear that cGMP compliance would be a top focus of regulatory and criminal enforcement, the Food and Drug Administration (FDA) and the Department of Justice (DOJ) have been true to their word, with a range of highly visible enforcement activities, from administrative actions (such as Warning Letters) to civil judicial actions (including seizures, consent decrees, and civil penalties) to a number of criminal prosecutions. That this emphasis on cGMP will continue and is likely to increase in the near term was underscored during the Food and Drug Law Institute’s recent annual conference: Members of the FDA bar urged drug and device companies to heed lessons from civil and criminal actions taken this year in the food context (against cheese company Roos Foods, Inc.) for alleged cGMP-related adulteration—especially in an environment where federal prosecutors are perhaps more empowered than ever.
Percolating largely (but not entirely) under the surface have been a number of actions relating specifically to the subset of cGMP issues concerning “data integrity.” When thinking of good documentation practices in the cGMP environment, there is an oft-repeated compliance adage “If it’s not documented, it didn’t happen.” This should perhaps be supplemented, relative to data integrity: “If it’s not documented completely, consistently, and accurately, it didn’t happen.” On April 14, 2016, FDA shone a renewed spotlight on data integrity violations in the cGMP context, announcing in a draft “Guidance for Industry: Data Integrity and Compliance with CGMP” (the “Draft Guidance”) that it was “troubl[ed]” by the growing number of such violations that were “increasingly” being discovered during cGMP inspections. The Draft Guidance was prepared by FDA’s Office of Pharmaceutical Quality and the Office of Compliance in the Center for Drug Evaluation and Research, in cooperation with the Center for Biologics Evaluation and Research, the Center for Veterinary Medicine, and the Office of Regulatory Affairs.
When we hear the words “data integrity,” we most often think of violations that appear to reflect intentional misconduct and manipulation of data and records. Some in the industry have argued, however, that many violations are unintentional and due in part to expectations that were not detailed in cGMP regulations or past guidance documents. Further, the best way to achieve compliance may evolve over time with new technologies and continuing improvement, and may depend on the unique features of a company and its products. The flipside of the FDA-recognized flexible and evolving nature of current Good Manufacturing Practices is potential ambiguity about the precise requirements and expectations.
The Draft Guidance could be seen as addressing critics seeking greater clarity in this area head on, as it is largely written in straightforward language, mainly in a Q-and-A format, with several real-world examples that reflect record-keeping technologies used in the modern cGMP environment. In this sense, the Draft Guidance does not draw a new line in the sand so much as provide additional signage warning more precisely where FDA thinks the existing lines lie. Future conduct will no doubt be viewed against the backdrop of this Draft Guidance. In that respect, the release of this Draft Guidance is a salutary reminder of enforcement risks that pervade the cGMP environment.
FDA’s cGMP Enforcement
To briefly restate the basics, the Food, Drug, and Cosmetic Act (“FDCA”) prohibits adulterated products from interstate commerce; adulteration is a “prohibited act.”
Even where detailed regulations are in place, however, there is an inherent degree of interpretation necessary when applying the cGMP regulations, and areas of arguable ambiguity when reading the regulations. Sometimes agency thinking or interpretation is communicated to the industry through emerging trends in Form 483 Observations or in Warning Letters rather than changes to the regulations or even a guidance document. During both 2014 and 2015 there were many hundreds of Form 483 Observations relating to alleged cGMP violations. More tellingly, roughly 220 Warning Letters citing violations of cGMP regulations were issued from 2014 through 2015. While the immediate consequences can vary, Warning Letters typically trigger extensive and potentially expensive remedial action to assure the agency that problems have been adequately resolved. Recent years have also seen a number of high profile consent decrees and permanent injunctions relating to cGMP violations, including multiple actions against various dietary supplement manufacturers in 2014.
Compounding LLC, et al., 15-CV-0148 (W.D. Tex. March 10, 2015).
While it may be debatable whether a company has complied with cGMPs on a particular point, when FDA takes the position that a manufacturer failed to comply with the cGMP requirements, countering that allegation of “adulteration” based on a technical reading of the law can be challenging in practice, as can convincing the agency that no further enforcement action is appropriate because the cGMP deviation has been fully corrected and did not, in fact, have an adverse impact on product quality or safety. Importantly, in an appropriate case, however, FDA can and will bring enforcement actions “even where there is no direct evidence of a defect affecting [a] drug’s performance.”
The False Claims Act
Failure to comply with cGMP regulations also can, in the government’s view, give rise to a violation of the False Claims Act (the “FCA”). In recent years, pharmaceutical companies have paid hundreds of millions of dollars to resolve FCA matters regarding alleged cGMP deficiencies. The Fourth Circuit has more recently held, however, that a cGMP violation could not support an FCA action because the federal payment under the Medicare and Medicaid statutes is not expressly conditioned on compliance with these FDA requirements: “[T]hose statutes do not require compliance with the CGMPs or any other FDA safety regulations as a precondition to reimbursement.”
United States ex rel. Rostholder v. Omnicare, Inc.,
The Supreme Court recently weighed in on some hotly debated aspects of FCA liability. Universal Health Services, Inc. v. United States et al. ex rel. Escobar et al., involved Medicaid claims for services that had been provided by staff members with undisclosed violations of state Medicaid qualification and licensing requirements. The Court held that an “implied certification” theory can be a basis for liability at least where two conditions are satisfied: “first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.”
Although the Court describes the FCA’s materiality standard as “demanding,” and states that the FCA is not “a vehicle for punishing garden-variety … regulatory violations,” with the likelihood that materiality will go to a jury one might question the protection the standard affords companies in practice.
This remains an area to watch.
Criminal Prosecution Under the FDCA
“Adulteration,” including cGMP failures, can also be prosecuted as a criminal offense under the FDCA. The same cGMP violations that can be (and initially typically are) handled through Warning Letters, consent decrees, or other non-criminal remedies can also lead to criminal prosecutions. Under the FDCA there is no de minimis exception for arguably “minor” or “technical” violations; any violation can be prosecuted under the FDCA’s misdemeanor provisions, while those previously convicted under the FDCA, or those who act with “the intent to defraud or mislead,” can potentially be exposed to felony liability.
That means FDA can seek to hold a person or company liable for selling a non-compliant product, even if the company was not aware that it was non-compliant—and even if the non-compliance was a third party’s (e.g., a contractor’s) “fault.” A misdemeanor conviction can then serve as a predicate to felony charges, with the “repeat offender” prong of the felony provisions not requiring intent. Under the felony provisions those convicted face heightened criminal fines and imprisonment up to three years. For a company, the consequences of such a prosecution, even one premised on a misdemeanor violation, can be crippling, including onerous criminal fines (e.g., $500,000 per offense or twice the gain or loss attributable to the offense), a term of probation, possibly coupled with a Corporate Integrity Agreement with an outside monitor, and even the specter of debarment. By definition, the consequences of a felony prosecution can be exponentially worse. In recent years, several pharmaceutical companies have pled guilty to felony FDCA counts, including felonies based on cGMP violations linked to incomplete laboratory testing records (for example, failure to document a complete record of all data (charts, graphs, and spectra) generated in the testing and analysis process), as well as other cGMP violations. These prosecutions have resulted in guilty pleas and hundreds of millions of dollars in fines, as well as other consequences.
For individual executives, the risk calculus has changed rather substantially in recent years, with the risk of criminal prosecution increasing. Starting in 2010, a series of FDA and DOJ officials pledged publicly to increase the use of the “responsible corporate official” doctrine to underpin “misdemeanor prosecutions … to hold responsible corporate officials accountable.”
For the first few decades after 1975’s Park decision, almost all such prosecutions involved defendants who were at least aware of the conduct giving rise to the violation. These cases, and their relative restraint, reflected the institutional views of FDA and DOJ. In 2011, however, FDA substantially lowered that bar. FDA now states that Park liability may be charged not only “without proof that the corporate official [had] actual knowledge of” the underlying violation, but also without any proof even of the individual defendant’s “negligence.”
Although one could speculate that this expansive policy was adopted largely for its in terrorem effect, recent prosecutions of individuals paint a troubling picture. This policy shift is not merely academic: In 2012, the D.C. Circuit seemingly embraced the government’s application of the Park doctrine in this context in the case of three pharma executives who had pled guilty to misdemeanor misbranding of OxyContin solely as responsible corporate officers; the government ultimately stipulated that the individual executives did not have personal knowledge of the misbranding. The corporate entity paid nearly $600 million to settle the overall case and the individual executives were sentenced to probation and fines totaling $34.5 million. While they avoided jail time—a decision the sentencing judge termed “a close one,” notwithstanding the lack of knowledge—the D.C. Circuit subsequently held they could be barred (i.e., permissively excluded) by the Department of Health and Human Services from working for any company that receives federal health care funds. The D.C. Circuit stated flatly that “[m]isdemeanor misbranding does not necessarily require a culpable mental state” because the responsible corporate officer doctrine “entails strict liability,” and an executive “may therefore be guilty of misdemeanor misbranding without ‘knowledge of’” the conduct.
Since 2012, there have been a number of other prosecutions of drug and food company executives under the FDCA’s strict liability provision with no allegations of knowledge or notice, resulting in criminal convictions, fines, debarments, and in a few instances jail time. Also in 2012, the owner and president of a compounding pharmacy that shipped drugs that, due to a manufacturing problem, were in some instances sub-potent and in other instances super-potent (and allegedly caused three deaths) was convicted of two misdemeanor counts. The government alleged that the executive was a “responsible corporate officer” but did not allege that he was involved directly in the manufacturing problems or that he even knew about the violations before they occurred, nor was there any allegation that FDA had provided any prior warning of violations. The executive was sentenced to probation and fined $100,000. United States v. Osborn, 3-12-cr-00047-M (N.D. Tex. Feb. 10, 2012).
In October 2013 two executives of a cantaloupe farm and processing plant (Jensen Farms) pled guilty to six misdemeanor counts of adulteration in connection with shipments of cantaloupes tainted with Listeria, which ultimately led to 33 fatalities. The executives (who were not charged with knowing conduct and who filed suit against the inspector they had hired, who had given their processing plant high marks) were sentenced to five years probation, six months home detention, and 100 hours of community service, plus $150,000 in restitution each.
Similarly, the CEO of KV Pharmaceutical pled guilty to two misdemeanor counts of misbranding as a responsible corporate officer, based on manufacturing problems that led to the production of over-sized (and hence over-potent) morphine tablets, and was sentenced to 30 days in jail and personal financial penalties of $1.9 million. He was also debarred by FDA.
In April 2015 two officials from Quality Egg, LLC, were each sentenced to three months in prison (and a $100,000 fine) as a result of a Salmonella epidemic attributed to tainted eggs, notwithstanding the fact that the government stipulated in their plea agreements that the executives lacked personal knowledge that the eggs were contaminated.
In addition to the somewhat more aggressive application of the venerable Park doctrine by FDA and DOJ to hold corporate officers liable for misconduct within their own corporations, FDA has recently begun citing Park in Warning Letters focused on misconduct by the corporations’ contractors.
This spate of Park doctrine prosecutions is likely to increase given public clamor for punishment of individual corporate executives and in the wake of the September 2015 memorandum from Deputy Attorney General Sally Yates (the “Yates Memo”) which outlined changes to DOJ policy to increase focus on charging individuals. In this atmosphere, charging high-ranking food, drug, and medical device executives using FDA’s responsible corporate officer approach could appear to be tempting low-hanging fruit to DOJ.
Multi-Pronged Approaches to Enforcement
The trend toward criminal enforcement does not mean, however, that FDA has forgotten the other tools at its disposal. Following concerns that had arisen two years prior with Listeria cases attributed to cheese company Roos Foods, Inc., in March of 2016 the company pled guilty to a misdemeanor adulteration charge, and agreed to pay a fine of $100,000. In a noteworthy multi-pronged approach, FDA had filed a civil Complaint for Permanent Injunction, along with a proposed Consent Decree on the same date as the criminal information was filed. FDA also, in the criminal proceeding, sought forfeiture of the allegedly adulterated food. The company and its two principals agreed to enter the Consent Decree. In announcing the resolution of these matters, the head of DOJ’s Civil Division emphasized: “The Department of Justice will use all of the tools available to us – criminal and civil … .”
The Draft Guidance Reflects a Growing Focus on Data Integrity as Part of cGMPs
The data integrity component of cGMP has come to the fore in part because of recent high-profile data integrity violations uncovered by FDA, including a number of egregious and intentional instances of falsified tests and other data, clustered largely but not entirely in India and China. As many as 15 India-based companies face, effectively, a ban on importing their products to the U.S. (“import alerts” that result in any attempted imports being detained, and subject to “refusal of admission”) because of various problems with their data. Numerous Chinese companies are in the same situation. FDA has issued at least 13 Warning Letters that it characterized explicitly as involving “data integrity” issues (which is no doubt under-inclusive) in 2015-16. Common data integrity problems flagged by FDA in Warning Letters and otherwise include:
- failure to provide adequate controls to prevent manipulation and omission of data;
- failure to enable (or affirmatively disabling) computerized audit trail functions on high performance liquid chromatography and other systems;
- multiple analysts sharing a single username and password;
- the use of “unofficial” or “rough” notebooks or other paper records for documenting cGMP relevant data;
- instances of deletion of data or the mere ability to do so;
- “instances on non-contemporaneous documentation” of cGMP activities (i.e., “backdating”); and
- failure to maintain adequate written records of major equipment maintenance.
See, e.g., Warning Letter to Zhejiang Hisun Pharmaceutical Co. (December 31, 2015).
The Draft Guidance states expressly that, “[i]n recent years, FDA has increasingly observed cGMP violations involving data integrity during cGMP inspections,” a “troubling” trend that has “led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.” European and other regulators have noted the same. The Draft Guidance is an attempt to reverse this trend by highlighting the importance of data integrity to cGMP and underscoring the degree to which FDA will continue to focus on these issues. The Draft Guidance also underscores that the concern is not just falsification of data but the necessity to protect crucial data from even carelessness, inattention, or inadequate safeguards—a point it has also made explicitly in certain Warning Letters. The goal, as FDA has stated before, is to ensure that data is Attributable, Legible, Contemporaneously recorded, Original, and Accurate (“ALCOA”). The Draft Guidance stresses the importance of capturing and maintaining “all associated metadata required to reconstruct the cGMP activity,” the role of audit trails in helping a company demonstrate that its “cGMP-compliant record-keeping practices prevent data from being lost or obscured,” and the necessity of “appropriate controls to assure that only authorized personnel [can] make changes” to cGMP records and that such actions “are attributable to a specific individual.” The Draft Guidance gives specific direction on how and when cGMP data is to be recorded and stored, to reduce the opportunity for manipulation. 
For example, “chromatograms should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of a day’s runs”; more generally, data “that are automatically saved [initially] into temporary memory do not meet cGMP documentation or retention requirements.” The agency makes clear that any “blank forms” used (such as worksheets and laboratory notebooks) should be treated as controlled documents, and that companies should have procedures to detect “unofficial” notebooks being kept, as well as any gaps in notebook pages. More generally, the Draft Guidance makes the broad point that in addition to the general requirement to retain such data under cGMPs, “[a]ny data created as part of a cGMP record must be evaluated by the quality unit as part of release criteria” (meaning it must be included in decision-making about whether a lot is acceptable for distribution), unless there is “a valid documented, scientific justification for its exclusion.” FDA also recommends that “audit trails that capture changes to critical data be reviewed with each record and before final approval of the record.” Under cGMP regulations, all production and control records must be reviewed and approved by the quality unit before a lot is released.
The implications when data integrity concerns are discovered are multi-pronged. First, FDA states the matters “must be fully investigated under the CGMP quality system.” In other words, you can’t take an investigation completely out of the standard cGMP processes. That said, the Draft Guidance suggests a response that extends beyond the quality organization of a company.
Implications and Takeaways
After years of prosecutorial focus on off-label promotion as a source of FDCA, Anti-Kickback Statute, and False Claims Act exposure, it appears DOJ may be shifting its sights to cGMP matters which—although they have always been a critical piece of FDA’s enforcement responsibility and its mission of protecting the public health—may not have always seemed the most exciting of cases.
The Draft Guidance is a timely reminder that FDA is calling attention to data integrity in the cGMP context, and DOJ is likely paying attention. Record-keeping may not be glamorous, but the Draft Guidance shouts loud and clear that “ensuring data integrity is an important component of [the] industry’s responsibility to ensure the safety, efficacy, and quality of drugs” and medical devices.
Most companies seek to avoid being in the FDA and DOJ crosshairs, and to this end a proactive and conservative compliance approach is prudent to remain squarely within FDA’s stated expectations. That said, in the event that the government does become focused on potential criminal action for alleged data integrity or other cGMP violations, consider that—particularly in regulatory gray areas and where non-binding guidance serves as the agency’s “standard”—a vigorous defense may be possible. Given the highly technical nature of cGMPs, if it can be demonstrated that reasonable regulatory and legal minds may differ, the Government may face challenges proving adulteration beyond a reasonable doubt.