In September, Allergan, the $4.5 billion pharmaceutical company that makes items ranging from medical devices to pharmaceutical products, resolved federal charges that it marketed its blockbuster product—Botox—for unapproved conditions.
Allergan denied some of the allegations, such as those suggesting that its actions resulted in healthcare providers submitting fraudulent claims to Medicare and Medicaid. The company pleaded guilty to one charge and agreed to pay $600 million in fines, fees and profit forfeitures.
Writing a check, even one for $600 million, is simple compared to meeting the company’s new compliance burdens. But Allergan CIO Sue-Jean Lin says the company is ready for the challenge, because in 2008 Allergan began to revamp its compliance systems, bringing in business process management software from Metastorm.
Before the revamp, Allergan used a mix of homegrown and packaged systems to monitor compliance in different areas of the company. Its new system, which Allergan calls Beacon, went live last spring. IT worked with individual functional groups—sales, marketing and others—to map out the business processes they used and the regulations and laws the company must follow. Building these policies into the workflow also makes compliance easier for employees, Lin says.
The Botox settlement led Allergan to agree to a long list of behavior reforms and new self-monitoring requirements, on top of the hundreds of federal and state rules pharmaceutical firms must follow normally. Its compliance mandate will grow for five years under a so-called corporate integrity agreement.
In addition, the company must now prove its compliance by disclosing more reports, such as documents showing it has trained all relevant employees in how to market products within guidelines. Its senior executives must also certify that the company has met federal requirements, much as CEOs and CFOs must vouch personally for their companies’ Sarbanes-Oxley compliance.
Beacon tracks the common activities that all pharmaceutical companies monitor, as well as the requirements specific to Allergan’s settlement. But the company is adding capabilities to generate additional reports proving compliance, says Karah Herdman, deputy compliance officer at Allergan. For example, Beacon already had the ability to monitor expenditures related to physicians, but now IT has to create a report from that data to put on the Web.
“Nothing has to change in Beacon,” Herdman says. “The change for us is to take all the data in Beacon and start to analyze and understand it.”
Compliance Is a CIO’s Job
Setting up IT systems for compliance can be done with forethought or in reaction to some new regulation or serious legal situation, says Chris McClean, an analyst at Forrester Research. Either way, he says, CIOs must work with compliance executives to make sure the right technology is in place.
Technology can limit behaviors, such as not allowing a contract to proceed through an electronic workflow until it has the required sign-offs. Or it can prove that a company does comply with pertinent regulations by generating reports documenting that specific steps were taken.
“If you don’t have a documentation system as part of your compliance systems, maybe you’ve complied with requirements in your industry, maybe you haven’t,” McClean says. “You just don’t know.”
Follow Senior Editor Kim S. Nash on Twitter: @knash99.