Winning the cGMP Whistleblower Game

March 16, 2011
Respond fully to allegations, experts say; if you’re considering blowing the whistle, be sure the noncompliance is serious enough to threaten product integrity.

For years, FDA has warned industry that “employees and former employees” would be critical in examining questions of cGMP compliance and corporate data integrity. A groundbreaking legal decision has since borne out this statement, emphasizing the importance of compliance and data integrity in preventing legal liability, and even criminal charges against noncompliant companies and managers.

Last October, former GlaxoSmithKline quality assurance manager Cheryl Eckard received a $96-million settlement after suing her former employer under the False Claims Act (FCA). Her legal complaint, which she had first brought to the FDA, had documented numerous cGMP noncompliance problems, including major data integrity issues, at the company’s former Cidra facility in Puerto Rico.

In addition to such flagrant problems as product mixups, she cited unsigned, undated and missing validation, investigation and change control documents, and SOP’s in need of revision. The company did not appeal, making Eckard’s case the first pharmaceutical whistleblowing lawsuit to invoke cGMP’s and succeed.

“Companies are now on notice that cGMP violations are open to the scrutiny of whistleblowers,” says Neil Getnick, of Getnick and Getnick Law (New York, N.Y.), who, with colleague Lesley Ann Skillen, represented Eckard.

Today, at least one pharma cGMP whistleblower case is reportedly under seal, involving compliance and the use of computerized quality controls, at a generic drug manufacturer in the northeastern U.S. Theoretically, whistleblowing cases can be brought against an employer based on the FCA, Sarbanes-Oxley reporting requirements, or evolving SEC regulations (Box). Experts agree that, whatever side you’re on, due diligence is key.

This article will briefly examine expert opinion on the potential for cGMP whistleblower cases, from both the employee’s and the corporate manager’s perspectives, touch very lightly on the gray area between chronic noncompliance and criminal fraud, and highlight the importance of data integrity to overall compliance efforts.

Untested Framework
When Cheryl Eckard first approached them, it was the first time that Getnick and Skillen had considered a False Claims Act suit based on cGMP noncompliance. “This was a challenge, as Medicare and Medicaid statutes do not speak directly to cGMP compliance . . . the legal framework was untested,” Getnick says.

Ken Nolan, founding partner of Nolan and Auerbach, P.A. (Philadelphia), has successfully represented qui tam whistleblowers regarding off-label marketing. He had received inquiries from other would-be cGMP whistleblowers in the past. However, he notes, their cases were either too difficult to prove, or cited technical noncompliance issues that did not directly threaten product integrity. In addition, Nolan notes, the U.S. government has been reluctant to get involved unless egregious manufacturing deficiencies are involved that clearly put patients at risk, he says.

Drug manufacturers leave themselves most vulnerable to potential cGMP qui tam lawsuits by neglecting 21 CFR Parts 211.180-208, which cover recordkeeping, equipment use and cleaning, and maintaining and responding to CAPA data, says Nolan, who writes extensively on this topic [1].

However, these issues are also most frequently found in 483’s and inspection reports. Is there a boundary between chronic noncompliance and intentional fraud? Consultant John Avellanet, founder of Cerulean Associates, an FDA compliance consulting firm, sees a continuum, from ignorance to sloppiness to fraud, quoting Eugene Thirolf, head of the U.S. Department of Justice’s Office of Consumer Litigation. “Noncompliance always comes down to two reasons: ignorance or financial pressures.” “It’s the pressure to cut corners that causes most intentional fraud,” Avellanet says.

As Nolan explains, the False Claims Act only affects those who knowingly present a fraudulent claim, leaving simple negligence or innocent mistakes out. However, to suggest intent, he says, one must only establish that the defendant had actual knowledge of the information and either acted in deliberate ignorance, or reckless disregard of the information’s truth or falsity.

“FCA could apply in situations that show substantial gross negligence, or, in the plain language of the cGMP code itself, ‘reckless disregard,’ ” Nolan says.

This allows the Act to reach beyond the “head-in-the-sand” type manager, who may hide behind the fact that he or she was not personally aware that manufacturing or cGMP testing problems were made to appear okay in written responses to the Government. In addition, says Nolan, the criticality of the data is a decisive factor. If a company makes false statements about the sufficiency of its assay testing, one must ask: Would the lack of proper assay testing likely lead to a material deficiency in the product, or would such a deficiency be entirely speculative?

Once a pharma company submits paperwork that is false, that materially affects the integrity of the product, and it can be shown that the submission was not due to an oversight, the company faces liability.

There is no simple “litmus test” for determining whether cGMP violations are sufficiently serious to attract FCA liability, says Skillen. However, she notes that GMP non-compliance, if chronic and serious, will often amount to fraud on the government, which pays for drugs based on manufacturers’ claims of quality, strength, identity and purity as set forth in the NDA. “Without that assurance, the government is not getting what it paid for,” she says.

In the GSK whistleblowing case, Cheryl Eckard had pursued internal corporate communication channels before seeking legal help. Meetings and calls to senior managers, and a call to the CEO, met with insufficient, or no, response, her complaint says. It was this lack of response that may have helped build her case. Management’s involvement in the false record or statements, either through gross negligence or knowledge, is sufficient to establish corporate liability, says Nolan.

Compliance Systems
“Critics who complain that whistleblower lawsuits are undermining corporate compliance programs have it backwards,” says Skillen. “Instead, it is ineffective compliance programs that are undermining the ability of employees to have their well-founded concerns about unethical and illegal corporate conduct properly addressed internally without resort to a lawsuit.”

“Proper compliance systems can prevent whistleblower cases from being filed in the first place,” says Getnick, who suggests that individuals first try to solve issues internally, provided they have confidence that the compliance program is robust and that they won’t suffer any retaliation.

Nolan agrees that employees should try to fix compliance problems internally if and only if they are sure they won’t be retaliated against. If the employee reaches a dead end in these efforts, he or she should send emails documenting the issue and his or her efforts, to the extent possible, Nolan advises. The employee should keep a diary/running log on what is said and by whom, and should copy all relevant documents that he or she has access to as part of his or her job duties.

When people with potential qui tam cases say, “I’m concerned about my job but I can’t go on any longer without doing something about it,” that’s a sign they have already asked themselves the right questions, say Getnick and Skillen. A qui tam case doesn’t automatically result in job loss, Getnick says. It is filed under seal without being served on the defendants so the government can undertake an investigation without the defendants’ knowledge.

The seal is initially for 60 days, but the government can and generally does obtain extensions and, in a complex case involving a criminal investigation, Getnick says, the seal can be in place for years. The case will eventually be unsealed, at which point the person who filed it may be identified.

What Should GSK Have Done?
When asked how GSK should, have responded to Eckard’s complaints, Getnick and Skelling offer the following opinion, noting that GSK would have a different view. “The company should have shut down the Cidra plant and fixed its problems before resuming production, and they should have rewarded Ms. Eckard’s efforts to improve quality instead of marginalizing and terminating her.”

In addition, they write, GSK’s compliance department should have made an objective determination of her complaints, they say, especially since the company had signed a Corporate Integrity Agreement with the federal government just six months before its compliance department claimed to have found Cheryl Eckard’s concerns to be “unsubstantiated.” After she called in the FDA, GSK should have disclosed fully to the FDA and taken immediate corrective action.

In general, Getnick suggests that companies use the following guidelines in dealing with would-be whistleblower employees. “Listen. Respect his or her confidences. Conduct a thorough, objective and, above all, an independent investigation of the complaints, and with speed. Make determinations that are guided by legal compliance and ethics rather than impact to profit centers,” Getnick says, noting that, in the end, good ethics make for good business. “It’s not that companies don’t understand the ‘how-to.’ It’s the commitment to practice what is preached that is often lacking,” he says.

Nolan boils the best practices down to some very simple steps. First, he says, have a compliance department in place where employees feel free to voice their concerns to objective people who will not disclose their identity, and who view them as allies. Secondly, actively investigate the employee’s concerns, and update the employee on the findings of the investigation.

In short, Nolan says, publicity about large whistleblower recoveries has increased in frequency and size over the past decade. Since the Eckard case, the risk that employees will pursue whistleblower actions upon discovering cGMP-related fraud will increase exponentially. Strong compliance programs that encourage internal whistleblowing by investigating and remediating any false statements in cGMP reporting—and the underlying sloppy or worse manufacturing practices—is the first step, he says.

Data Integrity
Data integrity is a recurring theme in noncompliance and whistleblowing cases. Long after a drug has gone off patent, the data associated with that drug show how well its manufacturer controlled its processes, ran its operations, and met FDA’s regulations. Today, of course, all data are computerized. Yet, ever since FDA soft-pedaled its enforcement of its electronic recordkeeping requirements, as set out in 21 CFR Part 11, some drug company managers may have viewed electronic data management as less of an enforcement priority, consultants say.

As a result, especially during economically challenging times, some have been devoting fewer resources to improving compliance and data management strategies. They continue to do so at their own risk, experts suggest.

Poor data management is cited in an increasing number of 483’s and inspection reports, and figures in recent Consent Decrees. As more inspections reveal disconnects or discrepancies between everyday plant realities and the way they are documented, regulators are emphasizing data integrity in their enforcement efforts.

Within the past few years, on the R&D side, FDA has tightened clinical data requirements, and invoked its Application Integrity Policy (AIP), effectively stopping all review of new or pending drug applications from a company, a move that can cost a manufacturer roughly $8,100 per day (not including potential loss of income from the new drug), says consultant John Avellanet. This year, FDA has promised to devote more time in its cGMP plant inspections to verifying compliance with 21 CFR Part 11, and to scrutinizing electronic data management practices.

Ensuring data integrity is already a critical part of cGMP compliance, says consultant and former FDA specialist Johnny Guerra. But the efforts required should start well before validation and manufacturing, ideally at the process development stage, he says. “One needs to take a Quality by Design (QbD) approach,” he says, noting that the cGMP code spells this out clearly, predating FDA’s QbD initiative by more than thirty years.

Michael Gregor, consultant with Compliance Gurus (Boston), notes a need for more thorough training. “IT departments need to be trained in GMPs and 21 CFR Part 11,” he says. “To set up teams to evaluate/ensure data integrity, you want to ensure your teams are trained properly in 21 CFR Part 11. Next, you want to ensure that Part 11 is part of the computer system validation and software vendor selection process” so that it is addressed throughout the validation lifecycle.

Avellanet traces data integrity problems to ignorance and sloppiness, generally caused by the following common mistakes, between clinical through manufacturing through CAPA through adverse event reporting and handling:

  1. Not having a plan in place with regular, reasonable data/document integrity controls
  2. Not maintaining the links/traceability between source documents (original data) and the stored record (such as in a database format or in a PDF version)
  3. Not keeping complete and accurate records

Examples of the latter issue include forms with missing signature fields or backdated signatures, and databases with fields missing information in them. More subtle examples: not keeping data or document sets or linkages together, such as documents associated with a CAPA, investigating an adverse event, or a training session.

Questions of Fraud
Fraud, he says, takes the following forms regardless of the type of data (QC, QA, manufacturing, CAPA, etc.): fake data; substituting data (like copying over data points from a successful batch record into a failed batch record); omitting negative data (like OOS or, in trending graphs, eliminating outliers); or hiding/obscuring SOP or protocol deviations.

To ensure data integrity, he says, “You have to have a plan, and it should cover items such as a records retention schedule and associated policies and procedures, training for personal and regular records reviews, plus regular data audits.” SOPs are an important part of this plan, he says. As part of crafting each SOP in your quality system, or your regulatory affairs program, make sure your SOPs capture and document various decision points, actions and responsibilities, Avellanet says, examining complaint handling as an example.

“For instance, when examining a complaint handling SOP, all decisions on any follow-up actions need to be documented with supervisory review and approval,” he says. “Second, the SOP should lay out basic criteria to prioritize complaints as high or low priority.” The quality department, he says, will want to audit the prioritization results. Finally, he says, a due date should be assigned for any investigation, and again, a supervisor should be involved in reviewing and signing off on the results.

The receipt of the complaint, the follow-up and any actions taken—all generate data points with dates, review signatures or approvals, and opportunities for independent verifications. “In fact,” Avellanet adds, “consider a case where all complaint handling documentation is documented first on paper and then input into a database with some scanned copies of signatures. The key would be to have a review of the input process to verify that the transferred info is all correct.”

Quality professionals (and FDA inspectors) can still go back and plow through all the information to reconstruct the decisions and actions and responsible individuals associated with any specific complaint, Avellanet says. “Thus the data is said to have integrity—it’s attributable, legible, complete, original, and accurate.” He uses the acronym ALCOA to stand for ideal data characteristics. Nothing is missing. The same holds for all such critical processes that generate records—batch review, QC inspection, adverse event handling, and CAPAs.

But as Avellanet says, it all starts with a plan. “If you don’t know that you need to keep various records together, and you don’t know that you need to have documented records review and approval points, and you don’t know that you should be doing regular data and record audits, all you’re doing is setting yourself up for failure. And a costly failure at that,” he says.

False Claims Act and Alternatives
An alternative to filing a qui tam lawsuit under the False Claims Act would be to go directly to the FDA, says Ken Nolan of Nolan and Auerbach. Sometimes, the company will figure out the identity of the whistleblower once it is contacted by the Agency, as there is usually a short list of people in a position to give certain information about cGMP deficiencies.

Sarbanes-Oxley (SOX), the basis for the first pharma cGMP-based whistleblower case, which failed [2], has afforded little protection for America’s whistleblowers, Nolan says. Congress hastily crafted SOX in the wake of Enron and Worldcom, but it lacks real teeth, particularly when compared to the FCA and its powerful whistleblower protection provisions.

The False Claims Act is under the purview of the judicial system from day one, Nolan says. Moreover, because FCA cases are filed on behalf of the federal government, they represent a public-private partnership, with the U.S. Department of Justice standing on the side of the whistleblower if the case has sufficient merit.

Lastly, the False Claims Act has a long history of affording real protection and rewards to whistleblowers, Nolan says, returning nearly $30 billion to the U.S. government and protecting individuals since the U.S. Civil War days, where only a handful of SOX whistleblower cases have crossed the finish line over the past ten years.

In 2009, say Neil Getnick and Lesley Ann Skillen of Getnick and Getnick Law, the FDA indicated it would increase the use of misdemeanor prosecutions on the basis of the Park doctrine, i.e. the “responsible corporate officer” doctrine as set forth in U.S. v. Park, 421 U.S. 658 (1975).

cGMP violations provide a natural fit for the use of that doctrine, they say. It could certainly come into play in instances of systemic cGMP violations, particularly where there is evidence that corporate management misled the federal government. It could send a clear message that “dishonest executives cannot hide behind the corporate veil.”


About the Author

Agnes Shanley | Editor in Chief