Amidst a Rising Tide of FDCA Criminal Enforcement,
FDA Cautions Companies to Remain Mindful of cGMP Data Integrity

It has become difficult for FDA-regulated companies to ignore, in recent years, the potential fallout of violating current Good Manufacturing Practices (cGMPs). After making clear that cGMP compliance would be a top focus of regulatory and criminal enforcement, the Food and Drug Administration (FDA) and the Department of Justice (DOJ) have been true to their word, with a range of highly visible enforcement activities, from administrative actions (such as Warning Letters) to civil judicial actions (including seizures, consent decrees, and civil penalties) to a number of criminal prosecutions. That this emphasis on cGMP will continue and is likely to increase in the near term was underscored during the Food and Drug Law Institute’s recent annual conference: Members of the FDA bar urged drug and device companies to heed lessons from civil and criminal actions taken this year in the food context (against cheese company Roos Foods, Inc.) for alleged cGMP-related adulteration—especially in an environment where federal prosecutors are perhaps more empowered than ever.

Percolating largely (but not entirely) under the surface have been a number of actions relating specifically to the subset of cGMP issues concerning “data integrity.” When thinking of good documentation practices in the cGMP environment, there is an oft-repeated compliance adage “If it’s not documented, it didn’t happen.” This should perhaps be supplemented, relative to data integrity: “If it’s not documented completely, consistently, and accurately, it didn’t happen.” On April 14, 2016, FDA shone a renewed spotlight on data integrity violations in the cGMP context, announcing in a draft “Guidance for Industry: Data Integrity and Compliance with CGMP” (the “Draft Guidance”) that it was “troubl[ed]” by the growing number of such violations that were “increasingly” being discovered during cGMP inspections. The Draft Guidance was prepared by FDA’s Office of Pharmaceutical Quality and the Office of Compliance in the Center for Drug Evaluation and Research, in cooperation with the Center for Biologics Evaluation and Research, the Center for Veterinary Medicine, and the Office of Regulatory Affairs.

When we hear the words “data integrity,” we most often think of violations that appear to reflect intentional misconduct and manipulation of data and records. Some in the industry have argued, however, that many violations are unintentional and due in part to expectations that were not detailed in cGMP regulations or past guidance documents. Further, the best way to achieve compliance may evolve over time with new technologies and continuing improvement, and may depend on the unique features of a company and its products. The flipside of the FDA-recognized flexible and evolving nature of current Good Manufacturing Practices is potential ambiguity about the precise requirements and expectations.

The Draft Guidance could be seen as addressing critics seeking greater clarity in this area head on, as it is largely written in straightforward language, mainly in a Q-and-A format, with several real-world examples that reflect record-keeping technologies used in the modern cGMP environment. In this sense, the Draft Guidance does not draw a new line in the sand so much as provide additional signage warning more precisely where FDA thinks the existing lines lie. Future conduct will no doubt be viewed against the backdrop of this Draft Guidance. In that respect, the release of this Draft Guidance is a salutary reminder of enforcement risks that pervade the cGMP environment.

FDA’s cGMP Enforcement

To briefly restate the basics, the Food, Drug, and Cosmetic Act (“FDCA”) prohibits adulterated products from interstate commerce; adulteration is a “prohibited act.” ¹21 U.S.C. §351. A drug or medical device is “adulterated” if the methods used in, or the facilities or controls used for, its manufacture, processing, packing, holding or storage, or (for devices) installation do not conform to cGMP. ²21 U.S.C. §§351 (a)(2)(B), 351 (h), 360j (f). Said differently, a process or facility failure adulterates the finished product, even if there is not otherwise something necessarily “wrong” with the finished product. ³FDA, Facts About the Current Good Manufacturing Practices (CGMPs) (January 6, 2015). While the statutory requirement to adhere to cGMP lacks detail, FDA’s implementing regulations offer fairly extensive and detailed expectations for certain products including finished drugs (21 C.F.R. Parts 210 and 211) and medical devices (21 C.F.R. Part 820).

Even where detailed regulations are in place, however, there is an inherent degree of interpretation necessary when applying the cGMP regulations, and areas of arguable ambiguity when reading the regulations. Sometimes agency thinking or interpretation is communicated to the industry through emerging trends in Form 483 Observations or in Warning Letters rather than changes to the regulations or even a guidance document. During both 2014 and 2015 there were many hundreds of Form 483 Observations relating to alleged cGMP violations. More tellingly, roughly 220 Warning Letters citing violations of cGMP regulations were issued from 2014 through 2015. While the immediate consequences can vary, Warning Letters typically trigger extensive and potentially expensive remedial action to assure the agency that problems have been adequately resolved. Recent years have also seen a number of high profile consent decrees and permanent injunctions relating to cGMP violations, including multiple actions against various dietary supplement manufacturers in 2014. ⁴See, e.g., Consent Decree of Permanent Injunction, United States v. Scilabs Nutraceuticals Inc., 14-CV-1759 (C.D. Cal. Nov. 12, 2014). During 2015 similar actions were taken against drug compounding and medical device companies, likewise premised on cGMP violations. ⁵See, e.g., Consent Decree of Permanent Injunction, United States v. Specialty
Compounding LLC, et al., 15-CV-0148 (W.D. Tex. March 10, 2015).

While it may be debatable whether a company has complied with cGMPs on a particular point, when FDA takes the position that a manufacturer failed to comply with the cGMP requirements, countering that allegation of “adulteration” based on a technical reading of the law can be challenging in practice, as can convincing the agency that no further enforcement action is appropriate because the cGMP deviation has been fully corrected and did not, in fact, have an adverse impact on product quality or safety. Importantly, in an appropriate case, however, FDA can and will bring enforcement actions “even where there is no direct evidence of a defect affecting [a] drug’s performance.” ⁶FDA, Facts About the Current Good Manufacturing Practices at 2 (discussing seizures, injunction cases, and criminal cases “seeking fines and jail time” for cGMP violations). In other words, even “technical” breaches of cGMP standards that did not, in practice, result in a product or patient concern are potentially subject to enforcement action, up to and including criminal prosecution. As explained below, FDA and DOJ action is typically scaled to the severity of the offense and the risk to patient health, but this is subject to a wide degree of enforcement discretion on the part of the government. Depending on the products involved and the specific circumstances, FDA may consider product seizures, withholding or withdrawal of product approvals, civil injunction proceedings, civil monetary penalties, debarment of individuals from future employment by FDA-regulated companies, and (of great concern to companies and executives) even criminal prosecution. Violations of the FDCA can also trigger exclusion from participation in federal health care programs, which is often referred to as a corporate “death sentence” due to its financial impact.

The False Claims Act

Failure to comply with cGMP regulations also can, in the government’s view, give rise to a violation of the False Claims Act (the “FCA”). In recent years, pharmaceutical companies have paid hundreds of millions of dollars to resolve FCA matters regarding alleged cGMP deficiencies. The Fourth Circuit had more recently, however, held that a cGMP violation could not support an FCA action because the federal payment under the Medicare and Medicaid statutes is not expressly conditioned on compliance with these FDA requirements: “[T]hose statutes do not require compliance with the CGMPs or any other FDA safety regulations as a precondition to reimbursement.” ⁷U.S. ex rel. Rostholder v. Omnicare, Inc., 745 F.3d 694, 702 (4th Cir. 2014). Although the “implied certification” theory of FCA liability is one often advanced in qui tam cases in the drug and device context, the Fourth Circuit said it was not addressing the “implied certification” theory in that case: “Because adulterated drugs are subject to reimbursement by Medicare and Medicaid and therefore any claim for payment cannot be ‘false,’ we do not separately address relator’s arguments for FCA liability under ‘implied certification’ or ‘worthless services’ theories.” ⁸U.S. ex rel. Rostholder v. Omnicare, Inc., 745 F.3d 694, n.7 (4th Cir. 2014). The Fourth Circuit later (in 2015) recognized contractual “implied certification” as one of the “variety of ways” a claim could be false. United States ex rel. Badr v. Triple Canopy, Inc.., 775 F.3d 628 (4th Cir. 2015). Notwithstanding this decision, the government, however, maintained the position that where cGMP violations are “significant, substantial, and give rise to actual discrepancies” in the quality of the drug or device, those violations may indeed result in FCA liability. ⁹United States ex rel. Rostholder v. Omnicare, Inc., No., CCB-07-1283, 2011 WL 10857612, at *1 (D. Md. November 18, 2011); see also
United States ex rel. Rostholder v. Omnicare, Inc., 2012 BL 211994, at *16 n.19 (D. Md. August 14, 2012) (“This opinion should not be taken to suggest that a violation of the CGMP may never result in FCA liability.”), aff’d, 745 F.3d 694 (4th Cir. 2014).

The Supreme Court recently weighed in on some hotly debated aspects of FCA liability. Universal Health Services, Inc. v. United States et al. ex rel. Escobar et al., involved Medicaid claims for services that had been provided by staff members with undisclosed violations of state Medicaid qualification and licensing requirements. The Court held that an “implied certification” theory can be a basis for liability at least where two conditions are satisfied: “first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” ¹⁰Universal Health Services, Inc. v. United States et al. ex rel. Escobar et al., 136 S. Ct. 1989, 2001 (2016). The Court further held that “False Claims Act liability for failing to disclose violations of legal requirements does not turn upon whether those requirements were expressly designated as conditions of payment.” ¹¹Id. at 2 (emphasis added). On the flip side, the Court also concluded that not every undisclosed violation of an express condition of payment automatically triggers liability. “Whether a provision is labeled a condition of payment is relevant to but not dispositive of the materiality inquiry.” ¹²Id. at 12. Further: “What matters is not the label the Government attaches to a requirement, but whether the defendant knowingly violated a requirement that the defendant knows is material to the Government’s payment decision.” ¹³Id. at 2.

Although the Court describes the FCA’s materiality standard as “demanding,” and states that the FCA is not “a vehicle for punishing garden-variety … regulatory violations,” with the likelihood that materiality will go to a jury one might question the protection the standard affords companies in practice. ¹⁴Id. at 15.

This remains an area to watch.

Criminal Prosecution Under the FDCA

“Adulteration,” including cGMP failures, can also be prosecuted as a criminal offense under the FDCA. The same cGMP violations that can be (and initially typically are) handled through Warning Letters, consent decrees, or other non-criminal remedies can also lead to criminal prosecutions. Under the FDCA there is no de minimis exception for arguably “minor” or “technical” violations; any violation can be prosecuted under the FDCA’s misdemeanor provisions, while those previously convicted under the FDCA, or those who act with “the intent to defraud or mislead,” can potentially be exposed to felony liability. ¹⁵21 U.S.C. §§331, 333(a). Importantly, the misdemeanor provisions include no intent requirement. The result? That the government treats distribution of an adulterated product—with adulteration potentially based on a highly technical discrepancy—as a strict liability criminal offense. It should be noted, however, that the government must still prove its case beyond a reasonable doubt; the criminal burden of proof remains the same, but the intent element is excised.

That means FDA can seek to hold a person or company liable for selling a non-compliant product, even if the company was not aware that it was non-compliant—and even if the non-compliance was a third party’s (e.g., a contractor’s) “fault.” A misdemeanor conviction can then serve as a predicate to felony charges, with the “repeat offender” prong of the felony provisions not requiring intent. Under the felony provisions those convicted face heightened criminal fines and imprisonment up to three years. For a company, the consequences of such a prosecution, even one premised on a misdemeanor violation, can be crippling, including onerous criminal fines (e.g., $500,000 per offense or twice the gain or loss attributable to the offense), a term of probation, possibly coupled with a Corporate Integrity Agreement with an outside monitor, and even the specter of debarment. By definition, the consequences of a felony prosecution can be exponentially worse. In recent years, several pharmaceutical companies have pled guilty to felony FDCA counts, including felonies based on cGMP violations linked to incomplete laboratory testing records (for example, failure to document a complete record of all data (charts, graphs, and spectra) generated in the testing and analysis process), as well as other cGMP violations. These prosecutions have resulted in guilty pleas and hundreds of millions of dollars in fines, as well as other consequences.

For individual executives, the risk calculus has changed rather substantially in recent years, with the risk of criminal prosecution increasing. Starting in 2010, a series of FDA and DOJ officials pledged publicly to increase the use of the “responsible corporate official” doctrine to underpin “misdemeanor prosecutions … to hold responsible corporate officials accountable.” ¹⁶Letter from Margaret A. Hamburg, Commissioner of Food and Drugs, to Senator Charles E. Grassley (March 4, 2010) at 2. This policy shift was putatively based on the “Park doctrine,” grounded on the eponymous Supreme Court decision in United States v. Park, 421 U.S. 658 (1975); in the context of the FDCA, a corporate officer who stands in a “responsible relation” to misconduct may be held criminally responsible for that misconduct even without any direct role in it. Since 2010, FDA and DOJ have embraced such cases with redoubled rigor.

For the first few decades after 1975’s Park decision, almost all such prosecutions involved defendants who were at least aware of the conduct giving rise to the violation. These cases, and their relative restraint, reflected the institutional views of FDA and DOJ. In 2011, however, FDA substantially lowered that bar. FDA now states that Park liability may be charged not only “without proof that the corporate official [had] actual knowledge of” the underlying violation, but also without any proof even of the individual defendant’s “negligence.” ¹⁷FDA, Regulatory Procedures Manual §6-5-3 (June 2015). In other words, it is FDA’s position that it can—as a matter of both legal precedent and agency policy and discretion—seek to hold corporate officers strictly criminally liable for cGMP violations about which they had no personal knowledge.

Although one could speculate that this expansive policy was adopted largely for its in terrorem effect, recent prosecutions of individuals paint a troubling picture. This policy shift is not merely academic: In 2012, the D.C. Circuit seemingly embraced the government’s application of the Park doctrine in this context in the case of three pharma executives who had pled guilty to misdemeanor misbranding of OxyContin solely as responsible corporate officers; the government ultimately stipulated that the individual executives did not have personal knowledge of the misbranding. The corporate entity paid nearly $600 million to settle the overall case and the individual executives were sentenced to probation and fines totaling $34.5 million. While they avoided jail time—a decision the sentencing judge termed “a close one,” notwithstanding the lack of knowledge—the D.C. Circuit subsequently held they could be barred (i.e., permissively excluded) by the Department of Health and Human Services from working for any company that receives federal health care funds. The D.C. Circuit stated flatly that “[m]isdemeanor misbranding does not necessarily require a culpable mental state” because the responsible corporate officer doctrine “entails strict liability,” and an executive “may therefore be guilty of misdemeanor misbranding without ‘knowledge of’” the conduct. ¹⁸Friedman v. Sebelius, 686 F.3d 813, 817-19 (D.C. Cir. 2012).

Since 2012, there have been a number of other prosecutions of drug and food company executives under the FDCA’s strict liability provision with no allegations of knowledge or notice, resulting in criminal convictions, fines, debarments, and in a few instances jail time. Also in 2012, the owner and president of a compounding pharmacy that shipped drugs that due to a manufacturing problem were in some instances sub-potent and in other instances super-potent (and allegedly caused three deaths) was convicted of two misdemeanor counts. The government alleged that the executive was a “responsible corporate officer” but did not allege that he was involved directly in the manufacturing problems or that he even knew about the violations before they occurred, nor was there any allegation that FDA had provided any prior warning of violations. The executive was sentenced to probation and fined $100,000. United States v. Osborn, 3-12-cr-00047-M (N.D. Tex. Feb. 10, 2012).

In October 2013 two executives of a cantaloupe farm and processing plant (Jensen Farms) pled guilty to six misdemeanor counts of adulteration in connection with shipments of cantaloupes tainted with Listeria, which ultimately led to 33 fatalities. The executives (who were not charged with knowing conduct and who filed suit against the inspector they had hired, who had given their processing plant high marks) were sentenced to five years probation, six months home detention, and 100 hours of community service, plus $150,000 in restitution each. ¹⁹Amended Judgments, United States v. Eric Jensen, 13-mj-01138 (D. Colo. May 13, 2014).

Similarly, the CEO of KV Pharmaceutical pled guilty to two misdemeanor counts of misbranding as a responsible corporate officer, based on manufacturing problems that led to the production of over-sized (and hence over-potent) morphine tablets, and was sentenced to 30 days in jail and personal financial penalties of $1.9 million. He was also debarred by FDA. ²⁰Press Release, DOJ, Marc S. Hermelin, Former CEO of KV Pharmaceutical, Pleads Guilty to Misbranding Drugs and Agrees to Pay United States $1.9 Million as Fines and Forfeiture (March 10, 2011). In December 2014 the co-owner of a compounding pharmacy pled guilty to a misdemeanor count based on “numerous deviations from [cGMP] requirements for drug products” resulting in bacterial contamination. He was sentenced to one year of probation and fined $25,000. ²¹Press Release, FDA, FDA resolves criminal and civil actions against Main Street Family Pharmacy (December 4, 2014).

In April 2015 two officials from Quality Egg, LLC, were each sentenced to three months in prison (and a $100,000 fine) as a result of a Salmonella epidemic attributed to tainted eggs, notwithstanding the fact that the government stipulated in their plea agreements that the executives lacked personal knowledge that the eggs were contaminated. ²²United States v. Quality Egg, LLC, 99 F. Supp. 3d. 920 (N.D. Iowa 2015). These officials appealed, arguing that their prison sentences were unconstitutional under the Due Process Clause and the Eighth Amendment; and in the alternative that their sentences were procedurally and substantively unreasonable. In July 2016, the Eight Circuit affirmed the district court’s judgment, upholding the sentences. ²³United States v. Austin DeCoster, No. 15-1890, 2016 BL 216013 (8th Cir. July 6, 2016).

In addition to the somewhat more aggressive application of the venerable Park doctrine by FDA and DOJ to hold corporate officers liable for misconduct within their own corporations, FDA has recently begun citing Park in Warning Letters focused on misconduct by the corporations’ contractors. ²⁴See, e.g., Warning Letter to Entrenet Nutritionals, Inc. at 3 (May 8, 2013). FDA has for a number of years expressed the sentiment, in a variety of settings, that a company cannot “outsource” or contract away its ultimate responsibly for compliant products. Now with FDA reciting this mantra in the same breath as it references Park, corporate officers have additional motivation to ensure that their company has rigorous vendor qualification and oversight processes.

This spate of Park doctrine prosecutions is likely to increase given public clamor for punishment of individual corporate executives and in the wake of the September 2015 memorandum from Deputy Attorney General Sally Yates (the “Yates Memo”) which outlined changes to DOJ policy to increase focus on charging individuals. In this atmosphere, charging high-ranking food, drug, and medical device executives using FDA’s responsible corporate officer approach could appear to be tempting low-hanging fruit to DOJ.

Multi-Pronged Approaches to Enforcement

The trend toward criminal enforcement does not mean, however, that FDA has forgotten the other tools at its disposal. Following concerns that had arisen two years prior with Listeria cases attributed to cheese company Roos Foods, Inc., in March of 2016 the company pled guilty to a misdemeanor adulteration charge, and agreed to pay a fine of $100,000. In a noteworthy multi-pronged approach, FDA had filed a civil Complaint for Permanent Injunction, along with a proposed Consent Decree on the same date as the criminal information was filed. FDA also, in the criminal proceeding, sought forfeiture of the allegedly adulterated food. The company and its two principals agreed to enter the Consent Decree. In announcing the resolution of these matters, the head of DOJ’s Civil Division emphasized: “The Department of Justice will use all of the tools available to us – criminal and civil … .” ²⁵Press Release, DOJ, Delaware Cheese Company Pleads Guilty to Food Adulteration Charge; U.S. District Court Also Issues Permanent Injunction Against Company and Two Principals (March 3, 2016).

The Draft Guidance Reflects a Growing Focus on Data Integrity as Part of cGMPs

The data integrity component of cGMP has come to the fore in part because of recent high-profile data integrity violations uncovered by FDA, including a number of egregious and intentional instances of falsified tests and other data, clustered largely but not entirely in India and China. As many as 15 India-based companies face, effectively, a ban on importing their products to the U.S. (“import alerts” that result in any attempted imports being detained, and subject to “refusal of admission”) because of various problems with their data. Numerous Chinese companies are in the same situation. FDA has issued at least 13 Warning Letters that it characterized explicitly as involving “data integrity” issues (which is no doubt under-inclusive) in 2015-16. Common data integrity problems flagged by FDA in Warning Letters and otherwise include:

• failure to provide adequate controls to prevent manipulation and omission of data;

• failure to enable (or affirmatively disabling) computerized audit trail functions on high performance liquid chromatography and other systems;

• multiple analysts sharing a single username and password;

• the use of “unofficial” or “rough” notebooks or other paper records for documenting cGMP relevant data;

• instances of deletion of data or the mere ability to do so;

• “instances on non-contemporaneous documentation” of cGMP activities (i.e., “backdating”); and

• failure to maintain adequate written records of major equipment maintenance. ²⁶See, e.g., Warning Letter to Zhejang Hisun Pharmaceutical Co. (December 31, 2015).

The Draft Guidance states expressly that, “[i]n recent years, FDA has increasingly observed cGMP violations involving data integrity during cGMP inspections,” a “troubling” trend that has “led to numerous regulatory actions, including warning letters, import alerts, and consent decrees.” European and other regulators have noted the same. The Draft Guidance is an attempt to reverse this trend by highlighting the importance of data integrity to cGMP and underscoring the degree to which FDA will continue to focus on these issues. The Draft Guidance also underscores that the concern is not just falsification of data but the necessity to protect crucial data from even carelessness, inattention, or inadequate safeguards—a point it has also made explicitly in certain Warning Letters. The goal, as FDA has stated before, is to ensure that data is Attributable, Legible, Contemporaneously recorded, Original, and Accurate (“ALCOA”). The Draft Guidance stresses the importance of capturing and maintaining “all associated metadata required to reconstruct the cGMP activity,” the role of audit trails in helping a company demonstrate that its “cGMP-compliant record-keeping practices prevent data from being lost or obscured,” and the necessity of “appropriate controls to assure that only authorized personnel [can] make changes” to cGMP records and that such actions “are attributable to a specific individual.” The Draft Guidance gives specific direction on how and when cGMP data is to be recorded and stored, to reduce the opportunity for manipulation. For example, “chromatograms should be sent to long-term storage (archiving or a permanent record) upon run completion instead of at the end of a day’s runs”; more generally, data “that are automatically saved [initially] into temporary memory do not meet cGMP documentation or retention requirements.” The agency makes clear that any “blank forms” used (such as worksheets and laboratory notebooks) should be treated as controlled documents, companies should have procedures to detect “unofficial” notebooks being kept, as well as any gaps in notebook pages. More generally, the Draft Guidance makes the broad point that in addition to the general requirement to retain such data under cGMPs, “[a]ny data created as part of a cGMP record must be evaluated by the quality unit as part of release criteria” (meaning it must be included in decision-making about whether a lot is acceptable for distribution), unless there is “a valid documented, scientific justification for its exclusion.” FDA also recommends that “audit trails that capture changes to critical data be reviewed with each record and before final approval of the record.” Under cGMP regulations all production and control records must be reviewed and approved by the quality unit before a lot is released. ²⁷21 C.F.R. §211.192. The Draft Guidance states that this “includes audit trails.” ²⁸Draft Guidance at 7. FDA also specifically calls out “the change history of finished product test results” as one of several audit trails that should be regularly reviewed. ²⁹Draft Guidance at 6.

The implications when data integrity concerns are discovered are multi-pronged. First, FDA states the matters “must be fully investigated under the CGMP quality system.” In other words you can’t take an investigation completely out of the standard cGMP processes. That said, the Draft Guidance suggests a response that extends beyond the quality organization of a company. ³⁰Draft Guidance at 9 – 10. “[R]emoving at all levels individuals responsible for problems from cGMP positions” calls for coordination with a company’s human resources department and employment lawyers. ³¹Draft Guidance at 10. To the extent the cGMP data impacts an application, a company’s regulatory department and regulatory counsel will be key voices, with consideration of FDA’s Application Integrity Policy. Companies may also want to take stock of their Compliance Program and its potential role, working with other key company stakeholders, in cGMP data integrity matters.

Implications and Takeaways

After years of prosecutorial focus on off-label promotion as a source of FDCA, Anti-Kickback Statute, and False Claims Act exposure, it appears DOJ may be shifting its sights to cGMP matters which—although they have always been a critical piece of FDA’s enforcement responsibility and its mission of protecting the public health—may not have always seemed the most exciting of cases.

The Draft Guidance is a timely reminder that FDA is calling attention to data integrity in the cGMP context, and DOJ is likely paying attention. Record-keeping may not be glamorous, but the Draft Guidance shouts loud and clear that “ensuring data integrity is an important component of [the] industry’s responsibility to ensure the safety, efficacy, and quality of drugs” and medical devices. ³²Draft Guidance at 1. Even the largest and most sophisticated companies may have potential issues lurking, and it would behoove all companies to discover them before the next time FDA is at the door.

Most companies seek to avoid being in the FDA and DOJ crosshairs, and to this end a proactive and conservative compliance approach is prudent to remain squarely within FDA’s stated expectations. That said, in the event that the government does become focused on potential criminal action for alleged data integrity or other cGMP violations, consider that—particularly in regulatory gray areas and where non-binding guidance serves as the agency’s “standard”—a vigorous defense may be possible. Given the highly technical nature of cGMPs, if it can be demonstrated that reasonable regulatory and legal minds may differ, the Government may face challenges proving adulteration beyond a reasonable doubt.