Sunshine Act and Open Payments Reporting for MedTech Companies: Physician Payments Compliance Guide
Complete guide to Physician Payments Sunshine Act compliance for medical device manufacturers — covered recipients, reportable payment categories, 2026 thresholds, CMS submission process, state-level requirements, penalties, and audit preparation.
What the Sunshine Act Means for Medical Device Companies
The Physician Payments Sunshine Act — officially Section 6002 of the Patient Protection and Affordable Care Act of 2010 — requires pharmaceutical, biological, and medical device manufacturers to publicly report financial relationships with healthcare providers to the Centers for Medicare & Medicaid Services (CMS). CMS publishes this data through the Open Payments system, making every reported payment publicly searchable.
For medical device companies, compliance is not optional. The law applies to any manufacturer with at least one device covered under Medicare, Medicaid, or the Children's Health Insurance Program (CHIP) that requires premarket approval (PMA) or premarket notification (510(k)) by the FDA. This covers the vast majority of Class II and Class III device manufacturers operating in the United States.
This guide covers everything a medical device company needs to know: who must report, what must be reported, 2026 thresholds and deadlines, the CMS submission process, state-level overlay requirements, penalties for non-compliance, and practical steps for building a Sunshine Act compliance program.
Who Must Report (Reporting Entities)
Applicable Manufacturers
An "applicable manufacturer" is any entity that is:
- Operating in the United States (including territories)
- Engaged in the production, preparation, propagation, compounding, or conversion of a covered drug, device, biological, or medical supply
- Has at least one covered product under Medicare, Medicaid, or CHIP
For medical device companies, a "covered device" is one that requires:
- Premarket approval (PMA) under Section 515 of the FD&C Act, or
- Premarket notification (510(k)) under Section 510(m)
A manufacturer does not need to be the entity that submitted the PMA or 510(k). Any entity under common ownership that provides assistance and support to the manufacturer is also subject to reporting requirements.
Applicable Group Purchasing Organizations (GPOs)
GPOs that purchase, arrange for, or negotiate the purchase of covered drugs, devices, biologicals, or medical supplies for a group of individuals or entities (not solely for their own use) must also report.
Physician-Owned Distributors
Physician-owned distributors (PODs) of medical devices are not exempt and must comply with both reporting and record-keeping requirements.
Who Is Reported On (Covered Recipients)
Physicians
Any physician (MD, DO, dentist, podiatrist, optometrist, or chiropractor) with an active license in the United States, regardless of where the payment-related activity takes place. A payment to a US-licensed physician attending a conference overseas is reportable.
Non-Physician Practitioners (NPPs)
Since program year 2021, the definition of covered recipients was expanded to include:
- Physician assistants (PAs)
- Nurse practitioners (NPs)
- Clinical nurse specialists (CNSs)
- Certified registered nurse anesthetists (CRNAs)
- Anesthesiologist assistants (AAs)
- Certified nurse midwives (CNMs)
NPPs must be reported as covered recipients if they are not bona fide employees of the reporting entity.
Teaching Hospitals
Any institution that received payments under Section 1886(d)(5)(B), 1886(h), or 1886(s) of the Social Security Act during the last calendar year. CMS publishes an updated Teaching Hospital List annually.
What Must Be Reported: Three Categories
Category 1: General Payments
General payments are transfers of value that are not research-related and not ownership interests. The 14 nature-of-payment categories include:
| Nature of Payment | Examples | Common for Device Companies |
|---|---|---|
| Consulting fees | Advisory boards, clinical consultations | Yes — surgeon advisory boards are a major category |
| Speaking fees | Promotional talks, speaker training programs | Yes — product education events |
| Honoraria | Guest lectures, panel participation | Moderate |
| Gifts | Promotional items, non-educational gifts | Moderate |
| Entertainment | Sporting events, concerts, golf outings | Moderate |
| Food and beverage | Meals at meetings, conferences, hospital visits | Very common — highest volume of records |
| Travel and lodging | Flights, hotels for consulting or training | Yes — surgeon visits to training facilities |
| Education | Tuition for CME, training programs | Moderate |
| Research | Pre-clinical studies, investigator-initiated studies | Yes — but reported under Category 2 if tied to a research agreement |
| Charitable contributions | Donations to physician-affiliated organizations | Moderate |
| Royalties or licenses | IP licensing payments to physician inventors | Yes — surgeon inventors are common in orthopedics |
| Grants | Educational grants, fellowship support | Moderate |
| Space rental or facility fees | Physician offices used for training | Less common |
| Current or prospective ownership or investment interest | Stock, partnership shares | Reported under Category 3 |
Category 2: Research Payments
Payments made in connection with a research agreement or protocol, including:
- Direct research funding
- Payments to study investigators
- Research-related travel
- Supplies and materials provided for research
Research payments must include the study name, principal investigator, and research topic. CMS publishes research payment data with a 4-year delay for certain proprietary information.
Category 3: Ownership and Investment Interests
Any ownership or investment interest held by a physician or their immediate family members in an applicable manufacturer or GPO, including:
- Stock (excluding publicly traded shares below the reporting threshold)
- Partnership shares
- Ownership percentages
- Value of the investment
2026 Reporting Thresholds
CMS adjusts reporting thresholds annually for inflation.
Calendar Year 2026 Thresholds
| Threshold | Amount | Notes |
|---|---|---|
| Per-occurrence minimum | $13.82 | Individual payments below this amount are exempt from reporting |
| Annual aggregate minimum | $138.13 | If total payments to one covered recipient in the calendar year fall below this, all payments are exempt |
| Retroactive reporting trigger | Aggregate threshold | Once aggregate payments exceed $138.13, ALL payments including those under $13.82 must be reported retroactively |
Calendar Year 2025 Thresholds (For Reference)
| Threshold | Amount |
|---|---|
| Per-occurrence minimum | $13.46 |
| Annual aggregate minimum | $134.54 |
Always verify current thresholds on the CMS Open Payments website, as they are typically updated in November/December for the following calendar year.
2026 Reporting Timeline
| Event | Date | Responsibility |
|---|---|---|
| Data collection period | January 1 – December 31, 2026 | Reporting entity |
| Open Payments registration opens | January 2027 | Reporting entity |
| Data submission window | February 1 – March 31, 2027 | Reporting entity |
| Covered recipient review and dispute period | April 1 – May 15, 2027 | Covered recipient |
| Reporting entity correction period | May 16 – May 30, 2027 | Reporting entity |
| Public data release | June 30, 2027 | CMS |
Registration for the CMS Enterprise Portal and Open Payments System is available year-round. Record review, dispute, and correction can also occur year-round, but the dates above define the formal annual cycle.
Exclusions from Reporting
The following transfers of value are explicitly excluded from reporting requirements:
| Exclusion | Details |
|---|---|
| Product samples | Drugs or devices provided free of charge for patient use (not for office use) |
| Patient educational materials | Items directly benefiting patients or intended for patient use (e.g., anatomical models for patient education) |
| Short-term loans | Devices loaned to physicians for evaluation (up to 90 days) |
| In-kind donations for charity care | Devices or supplies donated for charitable purposes |
| Payments to non-covered recipients | Payments to individuals who are not physicians, NPPs, or teaching hospital employees (e.g., nurses who are not NPs, administrative staff) |
| Payments to bona fide employees | Salaries and benefits to employees of the reporting entity |
Device-Specific Reporting Challenges
Device Identifiers
Unlike pharmaceutical products (identified by NDC codes), medical devices are identified by device identifiers (DIs) from the Unique Device Identification (UDI) system. Each payment record can include up to 5 device identifiers.
This creates complexity because:
- A single device system may have many component DIs
- CMS leaves it to manufacturers to determine which combination of brand names and DIs to include
- Combination products (drug-device combinations) may require both NDC and DI reporting
Meal Reporting Nuances
Food and beverage is the highest-volume category for most device companies. Key gray areas:
- Conference meals where attendee identities are unknown: If a device company sponsors a meal at a conference and cannot identify individual covered recipients in attendance, the meal is not reportable
- Hospital staff lunches: If the value exceeds the per-person threshold ($13.82 for CY2026) and the attendees include covered recipients, it is reportable
- Meals provided in physician offices: Reportable if the value exceeds the per-occurrence threshold
Surgeon Advisory Boards and Consulting Arrangements
Advisory boards are among the highest-scrutiny payment categories. Compliance considerations:
- Fair market value must be documented and defensible
- The arrangement must have a legitimate business purpose (not simply a vehicle for payment)
- Services must actually be provided and documented
- Payments must not be contingent on product usage or prescribing decisions
The CMS Submission Process
Step 1: Register in CMS Systems
- Register in the CMS Enterprise Portal (one-time registration)
- Register in the Open Payments System (annual recertification required)
- Complete identity verification (vetting process, allow 48 hours minimum)
Step 2: Collect and Track Payment Data
Throughout the calendar year, maintain records of all payments and transfers of value to covered recipients. Each record must include:
- Covered recipient name, address, and NPI number (or state license number)
- Date of payment
- Amount or value
- Nature of payment (from the 14 categories)
- Form of payment (cash, in-kind, stock, etc.)
- Associated device(s) or product(s) by DI/brand name
Step 3: Prepare and Submit Data
Data is submitted in CSV or XML format through the Open Payments System. The submission must include:
- General payment records
- Research payment records (if applicable)
- Ownership and investment interest records (if applicable)
Step 4: Attest and Certify
An authorized official of the reporting entity must attest to the accuracy and completeness of the submitted data. This is a legal certification.
Step 5: Monitor Review and Dispute Period
Covered recipients can review and dispute their records during the April 1 – May 15 window. Reporting entities must respond to disputes during the May 16 – May 30 correction period. Unresolved disputes remain published but are flagged as "disputed."
State-Level Transparency Laws
Several US states have their own transparency reporting requirements that overlay the federal Sunshine Act:
| State | Key Requirements |
|---|---|
| Vermont | Prescribed Products Gift Ban and Disclosure Law — predates federal Sunshine Act and is broader in scope |
| Minnesota | Transparency reporting requirements; $50 annual gift limit to practitioners |
| Massachusetts | Pharmaceutical and medical device company conduct code; reporting requirements |
| Nevada | Requires certified compliance audit annually; reporting requirements for device companies |
| West Virginia | Transparency reporting requirements |
| Washington, DC | Transparency reporting requirements |
| California | Requires compliance program aligned with PhRMA/AdvaMed Codes |
| Connecticut | Requires compliance program aligned with PhRMA Code |
| Louisiana | $50 limit on meals per practitioner |
Medical device companies must evaluate both federal and applicable state requirements. Where state requirements are more stringent (lower thresholds, additional categories, additional recipients), the state requirements apply in addition to federal reporting.
Municipal and International Requirements
Several US municipalities (notably cities in California and New York) have begun exploring or enacting local transparency ordinances. Additionally, companies operating internationally face analogous requirements: France's "Sunshine Act" (loi Bertrand), the UK's Association of the British Pharmaceutical Industry (ABPI) Disclosure UK, and Denmark's transparency requirements all mandate disclosure of payments to healthcare professionals. Multinational device companies should maintain a global transparency compliance calendar that accounts for federal, state, municipal, and international obligations.
Penalties for Non-Compliance
Federal Penalties
CMS may impose civil monetary penalties (CMPs) on reporting entities that fail to report in a timely, accurate, or complete manner. Penalties are assessed both per unreported payment and as an annual aggregate:
| Violation Type | Per-Payment Penalty (base statutory amount) | Annual Maximum (base statutory amount) |
|---|---|---|
| Knowing failure to report | $10,000–$100,000 per unreported payment | Up to $1,000,000 per annual submission |
| Failure to report (not knowing) | $1,000–$10,000 per unreported payment | Up to $150,000 per annual submission |
These are base statutory amounts under 42 U.S.C. 1320a-7h(b) and are adjusted annually for inflation under 45 CFR Part 102. The actual inflation-adjusted penalty amounts are higher. The knowing failure standard requires demonstrating that the entity was aware of the obligation and deliberately chose not to comply. CMS has broad enforcement discretion in determining penalty amounts.
Enforcement Examples
- Medtronic: Paid $9.2 million to settle allegations of Anti-Kickback Statute (AKS) violations, False Claims Act (FCA) violations, and Open Payments reporting failures
- Medicrea International (French manufacturer): Settled allegations of AKS and FCA violations and Open Payments reporting failures for $2 million total ($1M for kickback/FCA claims, $1M for Sunshine Act reporting failures)
- These penalties are in addition to any AKS or FCA liability that may arise from the underlying conduct
Record Retention
CMS requires reporting entities to maintain all records related to financial transactions with covered recipients for at least five years after the records are published.
Practical Compliance Program for Medical Device Companies
Infrastructure Requirements
| Component | Recommendation |
|---|---|
| Expense tracking system | Implement an expense management platform that captures Sunshine Act data fields (recipient NPI, nature of payment, device association) |
| Covered recipient verification | Use NPPES database to verify physician NPI numbers; maintain an internal database of covered recipients your company interacts with |
| Sales force training | Annual training for all field personnel on reportable vs. non-reportable expenses, meal documentation requirements, and threshold amounts |
| HCP engagement process | Formal process for engaging healthcare professionals as consultants, speakers, or advisors — including fair market value determination and contract documentation |
| Aggregate spend tracking | Real-time tracking of cumulative payments per covered recipient to identify when the annual aggregate threshold is approaching |
| Quarterly reconciliation | Internal review of payment data against expense reports, contracts, and event records each quarter — do not wait until year-end |
Annual Compliance Calendar
| Quarter | Activities |
|---|---|
| Q1 (Jan–Mar) | Update thresholds from CMS; train new employees; begin data collection for new CY; submit prior CY data (Feb 1–Mar 31) |
| Q2 (Apr–Jun) | Monitor covered recipient review/dispute period for prior CY data; reconcile Q1 data; public data release for prior CY (Jun 30) |
| Q3 (Jul–Sep) | Mid-year aggregate spend review; identify recipients approaching threshold; reconcile H1 data |
| Q4 (Oct–Dec) | Full-year data reconciliation; prepare submission; verify covered recipient information; certify data |
Common Audit Findings
When CMS audits Sunshine Act compliance, common findings include:
- Missing or incorrect NPI numbers for covered recipients
- Payments categorized under the wrong nature-of-payment code
- Failure to report meals or travel expenses below the per-occurrence threshold but above the aggregate threshold
- Incomplete device identifier information
- Failure to reconcile internal records with submitted data
- Lack of documentation supporting fair market value for consulting arrangements
- Inadequate record retention (less than 5 years)
Key Takeaways
- The Sunshine Act applies to most medical device manufacturers — any company with a 510(k) or PMA device covered under Medicare/Medicaid/CHIP must report.
- Covered recipients expanded beyond physicians — since 2021, NPPs (physician assistants, nurse practitioners, clinical nurse specialists, CRNAs, AAs, and certified nurse midwives) are also covered recipients.
- 2026 reporting thresholds are $13.82 per occurrence and $138.13 annual aggregate — CMS adjusts these annually for inflation.
- Food and beverage is the highest-volume reporting category for most device companies — meal tracking is the single largest administrative burden.
- Device identifiers add complexity — each payment record can include up to 5 DIs, and CMS leaves it to manufacturers to determine which identifiers to report.
- Penalties can reach $1,000,000 per knowing violation — Medtronic paid $9.2M for combined AKS, FCA, and Open Payments failures.
- State-level requirements may be more stringent — Vermont, Minnesota, Massachusetts, Nevada, and other states impose additional reporting obligations.
- Records must be retained for 5 years after publication — implement a robust expense tracking system with Sunshine Act data fields from day one.