In light of the rapidly changing coronavirus (COVID-19) situation, Troutman Sanders and Pepper Hamilton have postponed the effective date of their previously announced merger until July 1, 2020. The new firm – Troutman Pepper – will feature 1,100+ attorneys across 23 U.S. offices. Read more.


Insight Center: Publications

Protecting Your Company From Increased Scrutiny After Release of ARCOS Opioid Data

Client Alert

Authors: Callan G. Stein, John W. Jones Jr. and Thomas M. Gallagher

Protecting Your Company From Increased Scrutiny After Release of ARCOS Opioid Data

In July, The Washington Post published data showing approximately 76 billion oxycodone and hydrocodone pills were purchased and sold in the Unites States from 2006 to 2012. The data came from the Automation of Reports and Consolidated Orders System (ARCOS), a database maintained by the U.S. Drug Enforcement Administration that tracks the path of every single pain pill sold in the United States. Until this publication, the DEA kept all ARCOS data — which is provided to the DEA directly by its registrants — strictly confidential. The Washington Post was only able to obtain and publish the data after a protracted legal battle that culminated in the Sixth Circuit Court of Appeal’s ordering its release.

The public release of this ARCOS data has already resulted in unwanted scrutiny and attention for opioid manufacturers, distributors and dispensers nationwide. And given the data’s direct connection to the opioid epidemic, that trend is likely to continue. Already, media scrutiny of the released ARCOS data has generated questions about opioid purchase and sales practices. Although the government has long used ARCOS data to identify targets for criminal investigations and civil enforcement actions, the recent public scrutiny and media attention may cause regulators and enforcement authorities to initiate new investigations.

Indeed, increased government scrutiny over companies in the opioid supply chain would be in line with a recent DOJ prosecution trend that saw two unprecedented prosecutions brought within a period of three months against two opioid distributors — the Rochester Drug Co-Operative and Miami-Luken Inc. — and several individual executives based on improper opioid sales. These types of cases may well become the norm as the DOJ enters the next stage of its fight against the opioid epidemic, and companies that face public scrutiny and backlash based on the now-published ARCOS data make for prime targets.

Given the extremely high stakes, companies whose 2006-2012 ARCOS data was published would be wise to take preemptive steps to protect themselves and their individual executives in the event this unwanted scrutiny places them atop a government target list. Companies can take careful and swift action now to control and change the narrative, ensure remedial measures are in place, and position themselves to the make the best possible presentation to the government in a potential investigation. Here are three steps that any company that purchases or sells opioids can take to achieve that goal.

Step 1: Understand your ARCOS data and how it looks, and ensure it is accurate.

All DEA registrants involved in the opioid supply chain (manufacturers, distributors, pharmacies) should review their ARCOS data that was recently published. This review should be conducted with an eye toward identifying any trends or patterns in the data that could be interpreted — by the public or the media — as being questionable or indicative of wrongdoing, including spikes in volume of opioid purchases or sales and purchases/sales in volumes that appear excessive. This review should be as unbiased as possible. There may be perfectly innocuous explanations for data trends, but they may not be readily apparent to an ambitious journalist trying to make a name in the local medial or a member of the public who is looking for answers related to the opioid epidemic.

Once registrants have a handle on any trends their ARCOS data reveals, they should ensure those trends are accurate. All DEA registrants are required to report acquisition and disposition information to ARCOS. That means that ARCOS contains data points from multiple sources on each oxycodone and hydrocodone pill that is sold. Consequently, any DEA registrant must rely on other registrants with which it interacted to report information accurately. A reporting mistake could result in an overstatement of the volume or frequency of opioid purchases or sales, and ARCOS would not be in a position to detect or prevent these mistakes.

Step 2: Conduct a privileged internal investigation of any potential compliance failings.

If a registrant identifies one or more potentially problematic trends or patterns, it should then conduct an internal investigation to first verify that the ARCOS data showing the trend/pattern is correct, and second to identify and understand how and why the trend occurred. It is highly advisable that registrants engage legal counsel to conduct these investigations to maintain the attorney-client privilege and to obtain proper legal advice.

If a registrant identifies what it believes to be incorrect data, ARCOS does have a mechanism that allows for corrections. However, these corrections must be submitted by the reporting entity. This is yet another benefit of conducting a privileged internal investigation. A registrant that collects all of the relevant information and documents during an internal investigation will be in a far better position to prove the inaccuracy of the erroneous report to the entity that made it and, therefore, demand that it be corrected.

Conversely, there also may be cases when a registrant finds a problematic trend or pattern that cannot be explained by incorrectly reported data. Internal investigations are even more important when this is the case. Spikes in opioid sales or unaccounted-for pills that were purchased but not sold could reflect serious compliance failures and breakdowns in anti-diversion practices. When an investigation reveals those types of failings, it will be important for the registrant to identify the causes of those failings, including processes that broke down or, worse, direct misconduct by individual employees.

Conducting internal investigations is one of the best ways a company can protect itself (and its executives) from government action. Earlier this year, the DOJ released updated guidance on corporate compliance programs that stated, in no uncertain terms, that the DOJ looks favorably on companies that conduct genuine and thorough investigations of potential wrongdoing. The guidance stated:

Another hallmark of a compliance program that is working effectively is the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.

Put another way, if a troublesome pattern or trend in ARCOS data leads to government or prosecutorial scrutiny, the registrant will want to be able to say that it has already conducted a full investigation into the pattern/trend and has taken appropriate action.

Step 3: Take sift action to remediate and prevent the recurrence of verified compliance failures.

Finally, if an internal investigation reveals compliance failures or opportunities to enhance a current compliance program, the registrant should take swift and decisive action both to remediate the exposed problem and prevent its recurrence. Indeed, engaging in “timely and appropriate” remediation is yet another “hallmark” of an effective compliance program that the DOJ identified in its recent guidance.

Remedial action should be proportionate to the severity of the misconduct and should take into account its extent and pervasiveness. Since the published ARCOS data concerns opioids, any problems that the data reveal are likely to be significant, especially if they implicate drug diversion or excessive or illegal opioid sales. In such an event, it may be necessary for a company to take disciplinary action against the responsible individuals, up to and including termination of any individuals who are still employed by the company, even (or perhaps especially) those in managerial positions. Under its new guidance, the DOJ makes clear that it expects companies to do so, stating, “Prosecutors should consider . . . disciplinary action against past violators uncovered by the prior compliance program.”

But while punishing offenders for past misconduct is important, it is by no means the only remedial step companies should take. In the eyes of the DOJ, it is equally, if not more, important to identify the root cause of the problem within the organization and then update compliance policies to fill in any gaps. Time and again throughout its new guidance, the DOJ emphasizes the importance of revising a corporate compliance program “in light of lessons learned.” Any time a company uncovers process gaps or compliance blind spots that allowed opioid diversion or illegal opioid sales to occur, they must be rectified.

Remember, if a company’s ARCOS data reveals a compliance deficiency, the overall goal should be to take every possible action that will demonstrate to the government that the deficiency (and those responsible for it) have been dealt with and that it will not happen again. Being able to communicate a narrative that includes both the proper response and the enhancement of existing compliance programs will put a company in the best possible position to protect itself in an environment of increased scrutiny.

The authors are partners in Pepper Hamilton’s Health Sciences Department, a team of 110 attorneys who collaborate across disciplines to solve complex legal challenges confronting clients throughout the health sciences spectrum.


The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.

Data protection laws have changed, so we have revised our Privacy Policy.