Whether you’re dealing with medical devices or new drugs, whether it’s a product or a service, and whether that product or service ever even leaves the United States, export controls affect every organization in one way or another. That’s why I was so excited to sit down with Export Controls and Compliance expert Wendy Epley, the president of Epley Consulting, for this episode of Compliance Conversations.
As a compliance professional in healthcare, you might hear the word “export” and think ‘I don’t ship anything out of the country, so export controls don’t apply to me.’ But surprisingly, they do!
Epley explained, “[export controls] is referring to a very complicated network of federal agencies and regulations that are interconnected to regulate or control how things are to be protected in order that they are not used in a way that would cause harm...regardless of where those persons are located, including if they are here within the United States.”
I asked Epley how that might impact those of us in healthcare compliance and she was quick to give a surprising answer.
Epley said, “per healthcare institutions, export control laws and regulations that are likely to be most prominent in the day to day activities will be those under four different agencies. It would be either under the jurisdiction of the international traffic and arms regulations, which are military inherent items. The export administration regulations, which are the commercial or dual-use items, dual-use items are those that are commercial, but they can also be applied in a military setting as well. Then you have the foreign assets control regulations, which have to deal with sanctions programs. Then, of course, an area that your listeners are likely more familiar with, the food and drug administration, where we have our medical devices and drugs and other items that may come into play.”
Later in our discussion, Epley also went into detail about the Foreign Corrupt Practices Act, an important act for many of you in various healthcare compliance roles. “Just a few years ago, Teva Pharmaceutical Industries paid nearly five hundred and twenty million...for its role in violations with the FCPA,” said Epley.
Find out how export controls apply to all of you healthcare compliance professionals out there. Tune in to my latest episode of Compliance Conversations, Export Controls: The Most Important Compliance Element You Probably Haven’t Heard Of, to learn why one doctor went to prison for his research, why some medical equipment and new drugs pose a risk, why you need to institute export protocols and training in a research university setting, and find out why Teva Pharmaceutical Industries paid nearly $520 Million in violations.
That’s right, $520 Million. Listen on your commute and let us know your thoughts in the comments below.
CJ: Welcome everybody to another episode of Compliance Conversations. I’m CJ Wolf with Healthicity, I’m Healthicity's Sr. Compliance Executive, and one of the most enjoyable parts about what I do is that I get to talk to compliance experts at conferences and on the phone, and I just really enjoy picking their brain. Today we have a brain for sure. Her name is Wendy Epley, and she is an expert, an expert in export control, when it comes to compliance, welcome Wendy.
Wendy: Thank you, thank you so much for inviting me, it’s a pleasure to be here today.
CJ: One thing that we do Wendy, before we jump into the topic, is we want our guests to introduce themselves, and tell our listeners maybe a little bit about their compliance background, how you ended up where you are, and what you’re doing today in the field of compliance, and specifically with export controls.
Wendy: That sounds good. I hope we have enough time for all of that, but I’ll be brief. My name is Wendy Epley, and I am president of Epley Consulting which helps organizations to strengthen their compliance programs from a process-based approach. I use methods that are known by six sigma practitioners, I have a masters of science degree in regulatory compliance, I have a bachelors science degree in global business, I’m also certified as an expert compliance professional, in both the export administration regulations, or EAR for short, and the international traffic in arms regulations, it’s also referred as the ITAR. I’m in my twelfth year in this very fascinating field. I got into this field, I guess you could say serendipitously while I was working at Honeywell Aerospace.
Wendy: It really was not export control specifically, not something I had any real knowledge about before then, and I think probably most of our listeners could say twelve years ago they didn’t even know what export controls were, but I could be wrong.
Wendy: When I was given that role, to handle export controls for the engineering test services group, there was no easy end to it. This was my dad throwing me into the deep end of the swimming pool kind of role, where I was tasked with classifying eight thousand parts, components and assemblies, along with six thousand technical drawings and specifications. There was a three-month time crunch period that I had to get that all done in because there was a factory that was moving overseas.
Wendy: My mentor at Honeywell told me either I would love it or hate it, and it only took me about two months to realize that this was something I really loved. That is when I started learning all that I could, getting involved with various organizations, subscribing to listers, and after a few years of doing that I was hired by the University of Miami to be their first export compliance officer and establish and manage their export compliance program, and after several years there New York University approached me, and I became their first import and export compliance officer, which also included their global campuses in Shanghai and Abu Dhabi.
Wendy: Then in 2016 I’ve been a part of the export compliance program here at the University of Arizona in Tucson.
CJ: Yeah, and you and I met at a research compliance conference where export controls is a very important topic. I listened to Wendy and her co-presenter, and I thought this was a great presentation, I jumped up and gave you my card and asked if you would please be a guest, and you were kind enough to agree and I really appreciate you sharing some of your time today.
Wendy: Thank you for inviting me. It was a great conference, and export controls is something that is important for everybody, regardless of what field you are in.
CJ: Yeah, and what I kind of wanted to talk a little bit about today, because a lot of our listeners, we’re mainly in the Healthcare space, and your presentation focused a little bit about export controls and the healthcare space, but before we get specific to healthcare, could you maybe just describe, what is export controls? Compliance officers that maybe are not at a University, or maybe not working for a technical company, as you described, might not know just what does it mean in general. If you hear export control compliance, what are you talking about?
Wendy: Yeah, I kind of get that deer in the headlights look every time somebody asks me what I do, and I reply export controls. Export controls affect every organization in every industry or business sector, however you want to identify that. Regardless if it’s a product or a service, and whether that product or service ever even leaves the United States.
Wendy: This is something that is hard for people to imagine, since they hear the word export and they think ‘I don’t ship anything out of the country, so export controls don’t apply to me.’
CJ: Exactly, and that’s not true.
Wendy: No, not at all. When you hear export controls, it’s referring to a very complicated network of federal agencies and regulations that are interconnected to regulate, or control, how things are to be protected in order that they are not used in a way that would cause harm, whether to people or even national security interests.
Wendy: We have these laws and regulations that control technologies, they control information, and even services to prohibited parties, regardless of where those persons are located, including if they are here within the United States.
CJ: That’s right, and how might that apply now, in kind of the healthcare space. So we’re not, in healthcare we’re not making jet engines, and those types of things, so what, how does that apply in healthcare?
Wendy: Great question. Per healthcare institutions, export control laws and regulations that are likely to be most prominent in the day to day activities will be those under four different agencies. It would be either under the jurisdiction of the international traffic and arms regulations, which are military inherent items. The export administration regulations, which are the commercial or dual use items, dual use items are those that are commercial, but they can also be applied in a military setting as well. Then you have the foreign assets control regulations, which have to deal with sanctions programs. Then of course, an area that your listeners are likely more familiar with, the food and drug administration, where we have our medical devices and drugs and other items that maybe come into play.
Wendy: Now for, go ahead.
CJ: No, please go ahead.
Wendy: Well, I was just going to continue, it’s unlikely that healthcare institutions, in general, would be involved with projects that, or products, that are subject to the ITAR, the military inherent items, but it still is possible. For example, a physician might be using, on a trauma patient, a forward looking infrared thermal imaging camera, and he might be using that to detect acute department syndrome. Another example could be research being conducted to develop atropine injections that are designed to counter nerve agent poisoning.
Wendy: Or even another example might be, where assistance is being provided to a foreign naval regime to help in averting the compression illness. It maybe is not likely, but it still is possible when we consider what it is that is involved and who is involved.
CJ: Right. In those examples that you just described, you know, I might be sitting listening to this, and go we don’t send those, or that, equipment overseas or to these countries, but there is such a thing, and I don’t want to be getting ahead of you if you’re going this way, as deemed exports, where you might have somebody from a nation that is in a restricted ration, and that’s a national citizen from those nations, and if they are working with these devices, or have a knowledge about these devices, that could be deemed an export, am I thinking along the right lines there?
Wendy: You certainly are, and that is the issue with these types of items that are export controls, and where an export could take place within the borders of the United States, and that is exactly what you described. It is a deemed export because it is deemed that that item, or that information, which is normally going to require a license to send to an individual in their home country, it would likely require a license for them to have access to that information, or that technology here in the United States because once that technology is given to that individual, you can’t take it back.
Wendy: You cannot unlearn what you learned.
CJ: That’s right.
CJ: Yeah. I remember once, working with a client, that they had a camera that the shutter speed, or something on the camera was so high tech they were using it in a medical scenario, but the camera being used was so high tech that it was on one of these lists, and so, as I brought that up people thought ‘you know, who would have ever thought that export controls is related to healthcare’, but that was an example that I ran into. Is that also an example that is valid today?
Wendy: Yeah, very much so. That is the thing behind understanding where the items you are working with, whether it be a piece of documentation, or a piece of equipment, where they fall within the regulations. That high-speed camera, like you had mentioned, that, depending on the frames per second, just to get a little technical, is where that characteristic of that item is making it fall within the regulation.
Wendy: But to just do a general search, and say ‘oh, I’m looking for’, this is actually a true story, when I was at the University of Miami, I love my little buyer because she was so good about trying to research the commerce control list, and try to tell me ‘oh I see it’s on the list’, but she sent me an email that ‘I found this pneumatic hammer, and it’s on the CCL, are we still able to order it?’, so I’m like ‘pneumatic hammer, what are they doing?’, so I’m looking up what she had identified, and it’s a pneumatic hammer for construction equipment, for digging holes into the ground, and I said ‘well what are you guys doing that you’re ordering something like this?’, and she says, ‘well the medical department is using it, they are going to be using it on cadavers.’, and I went, ‘no no no, this is not the same thing, that’s going to be completely different’.
Wendy: So, it was just a matter of characteristics of that item. It does take some training, some skill I guess, and definitely some experience to make sure what you’re looking at is indeed the correct thing, because you don’t want to misclassify anything either. That can get you into just as much trouble as ignoring something that may be controlled.
CJ: Yeah. So, the basic premise here is that if you have an item, or information, or service, or something that is on a controlled list, there are procedures you have to follow in order to safeguard that information, or that item, right? If you’re going to disclose it, or share it, or ship it to certain places you have to get licenses. Could you tell us a little bit about some of those rules are, you mentioned CLA, and EAR, and those types of things, could you maybe summarize some of those, where healthcare folks might need to know where to look for some of those things?
Wendy: Yeah. A lot of it will depend on what are they doing. We know investigational new drugs, IND’s, are, we typically see those under the food and drug administration, however, depending on the circumstances, the IND’s may also be subject to the EAR. You may have to check both sets of regulations in order to discern whether or not that IND is going to be subject to the EAR as well as the FDA, and if they are, you may require authorization from both agencies that have jurisdiction over those regulations. Most medical equipment, I will say, that is used for medical treatment or practice of medicine is typically not a problem, but that doesn’t include items that might be associated with nuclear proliferation, or chemical or biological weapons.
Wendy: That can be a hard thing. The scientist could be looking at that as ‘well it’s a humanitarian effort’, and while that may be, you also have to look at what could happen if that item ends up in the wrong hands of somebody who has a malicious intent?
Wendy: So, it’s not necessarily about what you’re doing, but who can take that and apply it to something that may cause harm.
CJ: Right, you might have a visiting scholar or visiting medical professor from one of these countries, and if they are doing research with those agents, or with those items, that kind of takes us back to those deemed export example.
Wendy: Exactly. Institutions of various sizes and colors and strengths all are usually getting propositioned from a foreign person. Foreign persons are those who are not a US Citizen or not a US Permanent resident. If they are here in the United States on a Visa, they are pretty much a foreign person. That also goes for conflict and businesses that are not registered here in the United States, and so if those persons come to say ‘I want to sit with this particular professor for six months and study decompression syndrome’, let’s say for example, that may be fine, but what is the background of that individual, are they coming from an environmental engineer and now want to learn about decompression syndrome?
Wendy: I don’t know enough about those two fields, but it doesn’t feel like they are related. At the same time, if there is some overlap that I’m not aware of, that’s all great, but do you know that individual? Is this somebody that you just met at a conference, and you want to help them out? All of that is good and fine, except you should do your due diligence in making sure that, not only is the individual not appearing on a prohibited party list, but that any institution in which they are affiliated with is also not on a prohibited party list.
Wendy: Because remember, that affiliation, that’s where the allegiance is to, and that’s where that foreign influence that we’ve been hearing a lot about, especially over the past year with the NIH memo, is what was taking some concern as well. Make sure you’re doing your due diligence and checking these people out, because once they do come into the United States, and you’re sponsoring that Visa, or you’re at least giving, sponsoring them, giving them that ability to come and work at your institution, you’re responsible. I have spoken with FBI agents who wanted to say ‘the institution sponsored this person, where are they at?’ and you have to go back then to that person who was supposed to be their supervisor, and often they are like ‘well, I saw them once…’.
CJ: Yeah, exactly.
Wendy: We really want to make sure the protocols are in place. It’s not that we have to keep a tight grip on them, but we do need to be accountable.
CJ: Right, absolutely. All of those principles of a good compliance program can really come into effect here, right? Having good policies, doing training, in my limited exposure to export controls in compliance roles that I have filled, most of it is just educating people. They had no clue that export controls had anything to do with what they were doing within their field or in their work. So, these elements of a compliance program of policies, training, maybe even audits, those are all types of things that you would recommend perhaps for export controls compliance programs?
Wendy: Absolutely. I would say 90, maybe 90% is too much, definitely 80% of what you’re going to do as a compliance professional is educate. Knowledge is power I think is the quote someone has said, and if you don’t have that knowledge how can you expect people to do the right thing?
Wendy: A child is taught from their parents from the beginning of what is right and what is wrong, and those moral codes stay with them until they grow until adulthood and go on to do their own life. It’s the same thing here, if you do not educate, and teach what is right, and what is wrong, what you can and cannot do, or what we have to do, in order for you to do x, y, z, then we can’t get too upset when somebody turns around and does something that they shouldn’t have done. That is one of the things about the regulations, and there is a lot. There are thousands and thousands of pages, minor little notes, major notes, and you need to check all these things, and accidents do happen, and people can make a mistake. That doesn’t mean that you will be prosecuted to the extent, but you certainly need to do that investigation to say, ‘how did this happen, and what are we going to do to ensure that it doesn’t happen again?’, and if it is something that is a gross negligence, then you have to then go even further. What are the company’s policies, what do the US sentencing guidelines state? You got to make that voluntary self-disclosure, that ‘I don’t know if I can do that.’, but it’s better that you are up front with the government first about a mistake that has happened, and what you’ve done to rectify it.
Wendy: Rather than the government come knocking on your door, saying ‘we’d like to look at your books, and oh please tell us about this situation.’, and when that happens it’s too late.
CJ: Exactly, and that’s a principle that applies in all areas of compliance as I work with clients. Not just export controls, but with billing issues, or HIPAA issues, or any sort of mistake, or non-compliance that may have taken place. If you can self-disclose, the results are typically better. I wanted to ask you a question about, because you brought up kind of enforcement a little bit, are there examples that you can think of where there have been an example or two of enforcement maybe against a hospital or a physician or something, that there was some violation of export controls?
Wendy: Yeah. There is a case of Dr. Butler, Dr. Thomas Butler, and I think it happened around 2004. He was convicted on, I think it was on about 45, 47, on various counts of various criminal activities, related to work that he was doing as a medical researcher, at Tech University. Three of those counts were related to the transportation of a human plague bacteria that is controlled under the EAR. He ended up serving 2 years in prison, and he had to pay a fine, as well as restitution to Texas Tech.
CJ: Interesting, yeah that’s a really interesting one, and that, let me just ask you, in that one, the issue was the research that he was doing was using an agent that was on one of these controlled lists, is that right?
Wendy: That’s correct. I believe, actually, that particular bacteria, I could be wrong, but I believe that was also one of the select agents on the US Select Agents program. That list, you can find on the Center for Disease control website. I believe that was the situation there.
Wendy: A little more recently, this was a case we brought up at that conference you and I attended, was Mohammad Nazemzadeh, he was prosecuted for attempting to send a coil for an MRI machine to his home country which was Iran. He was arrested in 2012, but in 2016 there was a lot of changes to the regulations across many of the agencies, and because of those changes, which affected sanctions with Iran, those charges were dropped. No idea where he’s at today, but I’m certain that he’s probably had some reputation damage done there.
CJ: Yeah, so that was just a coil, or a part, for an MRI machine. So maybe the intentions were good, we don’t know right, but they may have been good, right? To help some people in that country get better imaging, so they can have better medical care, but that still doesn’t absolve you from that, is that, am I saying that right?
Wendy: Yeah. I mean, saying ‘I didn’t know’, can be a defense, it’s just not a very good defense. You get a license to drive, you are still responsible to understand the laws of the road.
Wendy: The same thing holds true here. You can put something in a box, and you can send it out of the country, but that doesn’t absolve you from understanding what other regulations or documentation needs to be followed for sending that package out of the country.
CJ: Great example.
Wendy: Something we have not talked about CJ, and I think it’s worth mentioning, is the foreign corrupt practices act.
Wendy: There has been an increase in US enforcement actions of the FCPA, based on the export of goods to countries subject to sanctions regulations and export controls.
CJ: Ah, interesting.
Wendy: Just to explain briefly though, what the foreign corrupt practices act is, it has to deal with bribery to foreign officials. Foreign government officials, so this is anything of value, which does not always mean money, it could be lavish gift, a loan, a contribution of some sort, or even a title of honor. Its purpose is to obtain an unfair advantage, and that unfair advantage could be influencing an official act, or a decision, maybe detaining some sort of business, or special tax or customs treatment and so forth. This law is written very broadly, and it can affect US persons and businesses wherever they are located.
CJ: That’s right.
Wendy: Just a few years ago, Teva Pharmaceutical Industries, they paid nearly five hundred and twenty million, that’s ‘M’, million, for its role in violations with the FCPA. I believe their schemes involved Russia, Ukraine, and Mexico. The compliance program is important, it doesn’t matter whether it’s putting something in a box and shipping it overseas, or what our relationships and transactions that we’re having with non-US persons.
Wendy: Wherever they may be located. It’s an important thing.
CJ: That’s a really good example. I spent a lot of my compliance career dealing in FCPA compliance, and in healthcare, in particular, a lot of us don’t recognize that in other parts of the world, physicians can be deemed as government officials under FCPA because in many parts of the world there is socialized medicine, and so the hospital is owned by the government, or the Dr.’s an employee of the government, and that is not as common here in the US. So, a lot of people, medical device companies, pharmaceutical companies as you mentioned, they can sometimes forget that fact, and think ‘oh, government official, that’s just if I’m meeting with the secretary of state’. No. Government official can be broadly defined in healthcare, and can include a lot of these healthcare providers, so I’m glad you brought that example.
Wendy: Yeah. A government official can even be the secretary.
CJ: That’s right.
Wendy: We have to be cognizant of who we’re talking to, who we’re engaging with, what information we’re sharing, because it only takes one small piece of that puzzle. You don’t have to give them the entire puzzle, if all they take is that one little piece, they’ll go to somebody else and get another piece from them, and so on and so forth, and then they will eventually get that entire puzzle together, and see the big picture.
Wendy: That’s another thing.
CJ: Let me ask you one other, kind of specific question. I’ve heard this example used, and I don’t know if it’s out of date, maybe you can shed some light. A lot of people talk about, look if you’re bringing your laptop, and it has encryption software on it, and let’s say you’re going to a conference to China, or to Iran, or something, it might be a medical conference, but you’re a Dr. and you’re going. Are there certain common devices like that, like encryption software that a lot of us have on computers, that are on this list, or is that kind of an outdated example?
Wendy: No. I would say not outdated, but there is certainly better flexibility than there was maybe 15 years ago. However, there is a lot of businesses, regardless of the field, and especially with healthcare where you’ve got to worry about HIPAA. Many businesses are employing a program called Duo, and it is for dual authentication in order to gain access into that business’s network. Well, Duo recently updated their end user license agreement, and it now specifically states that you cannot export that software to a prohibited country. Even though the software, which is a form of cryptography, it decrypts your device so that you can gain access securely, even though it is what we call on the EAR, it’s classified as EAR-99, that software cannot be taken.
Wendy: If you have a scientist at your facility who is an Iran national, and they go home to visit family, they cannot have that Duo software installed on their device.
Wendy: A good rule of thumb though is, if you don’t need it, don’t take it.
Wendy: Take what they call a clean device. A clean device does not have all the bells and whistles. The encryption controls, it’s not going to have your passwords, your bookmarks, or any of that stuff, but it will have the basics enough for you to be able to check your email or do basic functions like that. Then when the device comes back to the United States, re-image it. Take it back to factory default settings and start fresh. Many organizations’ IT departments are employing this kind of practice for those persons that they do, that travel to high risk countries like China, and the other parts of the Middle East.
Wendy: I also recommend, don’t take your only copy. Things happen.
Wendy: I cannot tell you how many times, decades ago, when I would go through the x-ray scanner at the airport, and my entire Palm Pilot, that’s how far back we’re going, got erased.
CJ: Oh, my goodness.
Wendy: I still keep paper copies to this day, but it’s still something, accidents do happen, so also do not take your only copy when you travel.
CJ: That is great advice Wendy. We are out of time now, obviously you and I could talk about this all day. I do want to offer you though, an opportunity, I know, we could probably include this on the link in the short description of the podcast, but would you mind sharing either a phone number or a website, or an email, that if listeners do want additional help, it sounds like your consulting company could do some of that. Is there a way for people to contact you?
Wendy: Yeah, definitely, I mean, if anyone is ever feeling overwhelmed, not even sure where to start. That’s okay. Sometimes you just need to talk things through with someone who is experienced, and can take an unbiased view of things, so they can reach out to me. My direct email address is Wendy@EpleyConsulting.com. I’m usually responsive, I think. Yeah, they can give me a call.
CJ: I think we can include that in the brief description when people are listening to the podcast. Wendy thank you so much for your expertise and sharing what you know about this really important topic, I appreciate your time.
Wendy: Thank you so much CJ, I appreciate you allowing me to be part of your program today.
CJ: To all of our listeners, thank you for listening to another episode of Compliance Conversations, until next time have a great day, bye bye.