Key considerations for effective compliance programmes in the Brazilian healthcare sector
Clarissa Oliveira
Cascione Advogados, São Paulo
c.oliveira@cascione.com.br
Vinícius Cim
Cascione Advogados, São Paulo
v.cim@cascione.com.br
Introduction
Healthcare may be considered one of the largest and most complex sectors in the world. Different legal entities and professionals provide services, devices, facilities and insurance, or goods and services to facilitate the provision of healthcare to patients, usually under strong regulation in most countries.
With a complex regulatory environment, and multiple players and stakeholders, risks to integrity and corruption arise. Healthcare is the second-largest industry in the world in terms of Foreign Corrupt Practices Act (FCPA) enforcement, just behind oil and gas.[1] As a consequence, the US Securities and Exchange Commission (SEC) and Department of Justice (DoJ) have been looking carefully at this industry over the last few years. These agencies are allocating more and more resources to federal investigations involving bribery, kickbacks, fraud and other misconduct related to health practices.
Brazil is not outside the statistics. For instance, in 2016, the ‘Prosthesis Mafia’ scandal (Escândalo da Máfia das Próteses) uncovered a network of corruption and kickbacks involving health professionals and public hospital managers in the procurement of prosthetic implants.[2] Following the pandemic, in 2020, operation False Negative (Falso Negativo) investigated a corruption scheme and overpriced public procurement involving Covid-19 tests and certain regional government health departments.[3]
In addition, several joint operations launched by the Brazilian Federal Police Department (Departamento de Polícia Federal or DPF) and the Brazilian General Comptroller Office (Controladoria Geral da União or CGU) have been investigating the embezzlement of federal public resources within public procurement in the health sector. Similar cases increased due to Covid-19-related public procurement. According to DPF's database,[4] during 2020, 34 operations were launched in Covid-19-related cases involving this sector.
There is no easy way to build a culture of integrity in the context of strong regulations and a long history of corruption involving the sector. Understanding the local regulatory framework and conducting an enhanced risk assessment are essential to properly identifying and mitigating the risks arising from this kind of business. In other words, a ‘one-size-fits-all’ compliance programme is no longer enough to prevent corruption and is useless for promoting ethical behaviour in this industry.
Understanding regulatory frameworks in Brazil
In Brazil, a comprehensive compliance risk assessment must consider legal aspects involving corruption, public procurement, fraud, money laundering, politically exposed persons, electoral donations and conflict of interests, according to their respective related laws and regulations.
The 2013 Brazilian Clean Companies Act, regulated by the Federal Decree No 11,129/2022 (the ‘Anti-Corruption Decree’), is the major law for fighting corruption in Brazil. The law imposes strict civil and administrative liability on companies for corruption acts committed against domestic or foreign public administrations. Other similar laws impose sanctions for companies in the case of breaches for specific misconduct, such as Law No 14,133/2021 (the ‘Public Procurement Law’) and Law No 8,429/1992 (the ‘Administrative Misconduct Law’).
CGU is the main Brazilian authority responsible for entering into leniency agreements and filing Administrative Liability Procedures (Procedimento Administrativo de Responsabilização or PAR) in the case of a breach of the Brazilian Clean Companies Act. The agency is also responsible for issuing official guidelines and evaluating compliance programmes according to legal criteria.[5] In the case of leniency agreements or PAR, the existence of a compliance programme is considered a criterion for reducing the fine and mitigating other sanctions.
Moreover, healthcare companies also may be subject to administrative regulations and penalties issued by other Brazilian regulatory authorities, such as the Brazilian Health Surveillance Agency (Agência Nacional de Vigilância Sanitária or ANVISA) and the National Supplementary Health Agency (Agência Nacional de Saúde Suplementar or ANS). The fulfilment of these regulations is essential for healthcare companies to ensure compliance and avoid penalties related to ethical issues.
Implementing a risk-based approach
Risk has always permeated our society, and companies across all sectors are constantly engaged in identifying, preventing and handling their inherent risks according to their kind of business.[6] Nonetheless, corporate resources are not boundless. Unfortunately, it is not unusual for companies to have a constrained budget or a limited workforce to manage their compliance programme.
In this context, the risk-based approach (RBA) is a strategy of resource prioritisation and optimisation. RBA means discerning the most critical risks and allocating greater effort and high-quality dedicated resources to those with the highest level of exposure. The methodology must be conducted according to the company's own criteria, considering its size, operation location, structure, products or services, business operation and client profile, among others.
By means of an enhanced risk assessment, the company may address its major risks through specific policies and develop and implement robust internal controls and procedures according to them. Hence, it is possible to ensure that all critical issues are identified and properly addressed in policies and guidelines. After all, only risks that are previously known can be prevented.
Government interactions
In Brazil, different government agencies at all levels are part of a complex and robust regulatory environment. Every day, companies need to handle interactions with different public officials and agencies. Regulators, product approvals and licensing are all included in these interactions.
Establishing restrictions on gifts and hospitality, as well as guidelines for political donations and other political activity in internal policies, putting clear procedures into place and keeping accurate records, including on all meetings and communications, are a few examples of effective controls on government interactions.
Moreover, although it is an accepted practice in some jurisdictions, facilitation payments are perceived as corruption under Brazilian law. Any kind of facilitation payment must be strictly prohibited, as must all payments of any item of value to public officials.
Public procurement
Unethical behaviour may undermine the fairness and integrity of health procurement bids. Bid rigging and misappropriation of public funds are two of the major risks during the public procurement process. This may occur through the manipulation of bids and prices, distribution of contracts among the bidders, falsification of invoices or collusion between bidders, healthcare providers or suppliers.
Beyond criminal and administrative liability under anti-corruption laws, collusive practices may lead to antitrust investigations and prosecution by the Brazilian antitrust authority (Conselho Administrativo de Defesa Econômica or CADE). Breaches of Brazilian antitrust laws can result in substantial penalties, including fines of up to 20 per cent of the company's gross revenue from the affected market. Internal policies shall address guidelines on public procurement, including antitrust considerations.
Hiring former public officers
Former Brazilian public officials frequently transition into positions or consulting roles within Brazilian healthcare companies following their tenure in regulatory agencies. These individuals often have access to confidential information, government connections and influence, which can be leveraged for personal gain or to bypass regulations. Moreover, the potential conflicts of interest arising from such hiring can undermine the integrity of decision-making processes and foster an environment conducive to corruption.
In Brazil, Law No 12,813/2013 (Law of Conflicts of Interest) establishes a mandatory quarantine period for former federal public officials who held certain positions in public administration. This legislation, along with other ethical principles, shall be strictly followed when considering the hiring of a former public official. Compliance departments must be involved in the hiring process of former public officials to assess and address any potential conflicts or other legal breaches.
Conflicts of interest
Conflicts of interest are ever-present in the healthcare sector. Physicians, researchers, pharmaceutical companies, medical and biological device suppliers, insurance companies, hospitals and distributors, among others, are frequently connected and trying to influence the decision-making process of each other.
To mitigate conflicts of interest, external relationships and activities must be properly addressed in internal policy and guidelines. Commercial courtesy, attending seminars and conferences, participating in outside activities, involvement in public health services and membership of professional organisations are a few examples of issues. Additionally, healthcare practitioners receiving fees, honoraria, consulting agreements and other financial relations must be addressed and monitored.
Collaboration among different entities, such as promotional activities, speaker programmes and research grants, also requires careful attention. Establishing transparent and well-documented processes for such interactions, along with clear guidelines and limits, in addition to pre-approval procedures, may prevent undue influence and encourage ethical practices. Healthcare companies shall ensure that any financial arrangements and benefits offered to their employees, acting as such, are legitimate, transparent and compliant with all applicable laws and regulations.
Examples of effective internal controls to address a conflict of interest may include mandatory periodic conflict self-declaration, pre-approval requirements for certain activities and a communication channel to disclose potential conflicts.
Kickbacks
Unfortunately, receiving kickbacks from pharmaceutical companies or medical device manufacturers in exchange for prescribing or promoting their products is still an acceptable, and sometimes encouraged, practice for some private clinics, hospitals and health professionals. These kickbacks may come in the form of excessive fees for speaking engagements, lavish gifts, all-expenses-paid trips or financial incentives disguised as research grants or consulting agreements.
Suspicious kickbacks must be investigated promptly, followed by proper disciplinary actions against violators, which may include termination of employment or contractual relations.
Third-party due diligence
Third parties can represent a considerable risk for companies. Conducting due diligence prior to an engagement may predict certain risks and make the company aware of any issues with its third parties. Criminal or related anti-corruption law claims, negative media or financial issues, among other red flags, may be identified during a due diligence procedure and addressed prior to the engagement.[7]
The scope and depth of due diligence are defined depending on the third party. High-risk third parties, such as those engaging with public officials, consulting firms, clearing agents and brokers, require an enhanced due diligence procedure. In all other cases, a minimum level of due diligence shall be conducted. If any red flags arise during simple due diligence, a second level of due diligence must be conducted to assess all risks.
Following the engagement, third parties must be subjected to continuous monitoring. Maintaining a comprehensive database that includes information on all the company's third parties and their respective background checks may facilitate monitoring processes. Furthermore, the inclusion of anti-corruption provisions in contracts entered into with third parties is imperative.
Comprehensive training
Promoting education and raising awareness are fundamental aspects of effective anti-corruption compliance programmes. Regular training sessions shall be provided to all employees, regardless of their position, as well as relevant third parties. These training sessions shall focus on anti-corruption policies and the code of conduct, high-priority risks, procedures and red flags. Emphasising the importance of ethical behaviour and highlighting the consequences of non-compliance are essential components of this training effort.
It is important to recognise that ethical behaviour is the responsibility of all individuals within the organisation, not just the compliance department. Each operational unit serves as the first line of defence against misconduct and compliance breaches.
Hotlines and whistleblower protection
An anonymous hotline is the main channel through which complaints may arise. Consequently, the hotline is the front door to identifying and investigating potential misconduct committed by employees or third parties.
In a high-risk environment, companies should make an effort to create a secure and confidential environment for reporting potential misconduct. With an effective whistleblower protection mechanism in place, individuals are encouraged to come forward without fear of facing retaliation.
Final considerations
Managing a compliance programme may be challenging in Brazil, particularly in the healthcare sector. The multiple risks that may arise, coupled with the complexity of the Brazilian regulatory landscape, require the continuous enhancement and monitoring of the compliance programme. By having a deep understanding of the regulatory framework and properly assessing the level of risk exposure, companies are able to develop internal policies, guidelines and procedures that target the major risks faced by the business.
Nonetheless, policies and procedures are not enough if there is not a strong culture of integrity in the business. The engagement of all employees underpins the success and effectiveness of a compliance programme. However, senior management's support is required to achieve this. This support arises from clear and direct statements that unethical behaviour is no longer accepted and sufficient resources are available for compliance programme management, including ensuring that all hotline complaints are investigated properly and promptly.
Health companies must be engaged in fostering a transparent and accountable environment in the industry. Ultimately, such an effort contributes to ensuring the safety of healthcare's users and the quality of all services and facilities.
Operações que envolvam investigações de recursos federais destinados ao combate da COVID-19
[1] See ‘DOJ and SEC Enforcement Actions per Year’, (Stanford Law School) https://fcpa.stanford.edu/statistics-analytics.html accessed 20 June 2023.
[3] See ‘Secretário de Saúde do Distrito Federal é preso na operação Falso Negativo’ (Poder 360, 29 April 2022) www.poder360.com.br/brasil/secretario-de-saude-do-distrito-federal-e-preso-na-operacao-falso-negativo/ accessed 20 June 2023.
[5] The evaluation criteria are set out in certain CGU publications. For instance: (1) practice guidelines for the evaluation of integrity programmes in administrative liability procedures; (2) integrity programme: guidelines for legal entities; and (3) evaluating integrity programmes within leniency agreements.
[6] Ulrich Beck, 'Living in the World Risk Society' (2006) 35 (3) Economy and Society 329.
[7] For further information on the effectiveness of due diligence: Marjorie Doyle, 'Third Party Essentials: A reputation/liability checkup when using third parties globally', Society of Corporate Compliance and Ethics, December 2011.