Andrew S. Ittleman, with Fuerst Ittleman David & Joseph. Andrew S. Ittleman, with Fuerst Ittleman David & Joseph.

In early May, a jury in Boston found that the founder of Insys Therapeutics, John Kapoor, as well as four other company executives, were guilty of a racketeering conspiracy.

The scheme involved illegal payments to physicians who prescribed Insys’s highly potent fentanyl spray Subsys and false statements to insurance companies that covered the prescriptions. At their forthcoming sentencings, they will all face significant prison sentences and forfeitures.

This case has also devastated the company: Insys agreed last week to pay $225 million to settle the federal government’s criminal and civil cases against it and filed for Chapter 11 bankruptcy protection Monday.

So, what are the takeaways here — other than that the reckoning has finally come for the opioid industry? Here are just a few:

First, payments by product manufacturers to treating physicians can carry significant consequences. Enforcement authorities can easily see beneath “consulting” and “speaker program” arrangements to determine whether payments are actually designed to compensate physicians for prescriptions and referrals. In the Insys case, doctors were paid for participating in a “speaker program” even if lectures never occurred, or no one attended, leading to allegations that the arrangements were mere shams. Executives in the pharmaceutical and healthcare industries should understand that these arrangements are high risk, and in no way should payments be tied to prescriptions or referrals.

Second, the days of executives being immune from the consequences of corporate misconduct are over. In 2016, Deputy Attorney General Sally Yates issued the Yates Memo, which directed the Justice Department to “focus on individual wrongdoing” when investigating corporate misconduct, and required prosecutors to obtain special authorizations to avoid charging responsible individuals. Since then, high-level executives from a variety of industries have been prosecuted, and in spite of the change in administrations, this policy has continued unabated.

In the Insys trial, Kapoor’s primary defense was that he was unaware of the illegal conduct, but cooperating witnesses testified otherwise, and the jury reviewed numerous damaging emails among Insys personnel on which Kapoor was copied. In this new era of individual liability, Kapoor’s purported lack of knowledge was insufficient to avoid prosecution.

Third, the Insys prosecution revealed a corporate culture that completely disregarded the nature of fentanyl and the consequences of its marketing scheme. Indeed, media reports from after the trial described the jury as “sickened” by a rap video produced by Insys encouraging sales reps to encourage physicians to prescribe higher doses of Subsys. The video featured Insys sales executives and a dancing bottle of 1600 mcg Subsys, the highest available dosage of the product.

As tone deaf as the video was, it provides a valuable lesson about corporate culture and compliance. The lesson starts with this question: how can corporate personnel be so oblivious of their surroundings that they would make a rap video showcasing a dancing bottle of fentanyl? The answer is that the company allowed it to happen, encouraged it, and fostered a culture completely divorced from its compliance obligations. This corporate failure does not justify the criminal conduct of the Insys executives, but it does help explain it.

In recent years, various federal agencies have expressed the importance of having “cultures of compliance.” On the one hand, a company with a strong culture of compliance may avoid worst case scenarios if the company, or an individual working there, violates the law in some way. But on the other hand, those worst-case scenarios — including criminal prosecutions of corporate executives—become far more likely when the company has no culture of compliance and draws scrutiny from government agencies.

So how can a company create a culture of compliance? It starts from the top: the company, its executives, its investors, and its board must be committed not only to compliance, but to dedicating the necessary resources even when compliance is inconsistent with short-term revenues. Next, the company must conduct a gap analysis to understand its compliance obligations and risks. From there, the company must build a program to prevent the specific compliance failures the company faces. The program should feature written policy documents, a compliance officer with stature, and employee education and trainings, all of which must be kept current to address changing regulations, new product lines, and the unique needs of the company. Employees should also have a way to communicate their concerns to management and the compliance officer, anonymously if necessary.

Even if imperfect, a bona fide compliance program is invaluable. In addition to being the company’s best way to avoid worst-case scenarios, it can help create a culture of compliance that improves the operations of the company. It can teach employees about how the company is regulated, allowing them to spot possible compliance failures, and report them to management. Then, the company can extinguish those failures and self-report them as required by law. Compliance programs can also define the role of each employee, allowing them to stay in their lanes and avoid taking on tasks they have not been trained to complete. Finally, having created a culture of compliance, the company will have a better working environment because its employees will feel less anxious and vulnerable, reducing the risk that they will quit or become whistleblowers.

It may be that Kapoor had bad intent and got what he deserved. But Insys may simply have been a massive compliance failure that took on a life of its own and turned the company into a RICO organization. Regardless, addressing compliance at the earliest possible moment can help insulate a company from bad actors, avoid worst-case scenarios, obtain favorable treatment from regulators, and create a better, smoother working environment. This is no longer optional.

Andrew S. Ittleman is a founding partner with Fuerst Ittleman David & Joseph in Miami. He concentrates his practice on compliance and transactional matters for regulated businesses and government enforcement actions. Contact him at aittleman@fidjlaw.com.