Yes, you read the title of this post correctly.  Under the False Claims Act, a whistleblower is not required to report compliance concerns internally through a company’s internal reporting system before filing a “qui tam” court action.  Indeed, the False Claims Act — with its potential “bounty” of 15 to 30 percent of the government’s recovery — may actually encourage employees to file suit in the first instance, to qualify as an “original source,” and bypass the organization’s reporting system altogether, thereby frustrating a key component of an effective compliance program.  Whistleblower organizations have recently gone so far as to discourage individuals employed by health care providers from bringing compliance concerns directly to their employer so that they can get a share of the government’s recovery.

A provider or other entity participating in the Medicare or Medicaid programs, however, can mitigate that risk through, among other things, employee training and disciplinary policies encouraging good-faith reporting and the promotion of a culture of compliance, including setting the right “tone from the top.”

Internal Reporting System.  The cornerstone of any effective compliance program is developing and implementing a robust internal reporting system that employees can use to raise any compliance concerns on an anonymous basis.  Among other things, when compliance concerns are brought to the attention of the organization’s compliance personnel, the organization can investigate the issue and take appropriate steps to prevent or remediate any continued potential misconduct.  Likewise, having such a system in place may serve as a defense to liability under the False Claims Act.  Even if improper billing is found to have taken place, evidence that the organization has an effective, anonymous internal compliance reporting system may show that the improprieties were not the result of deliberate indifference or reckless disregard for such practices.

False Claims Act.  Plainly, the risk of treble damages and per claim penalties under the False Claims Act is a powerful incentive for a health care organization to implement an effective compliance program.  What is more, the provision for whistleblower awards under the False Claims Act can be an effective tool to aid the government in detecting and preventing overpayments by Medicare and Medicaid to fraudulent operators and other bad actors.  By allowing whistleblowers to file relator actions under seal and potentially share in any of the government’s recovery — as well as to seek damages for any retaliatory employment action — the False Claims incentivizes employees in the health care industry to come forward with information about fraudulent billing, without the fear of reprisal.

The Tension Between The Two.  At the same time, a whistleblower’s potential recovery can operate as a countervailing disincentive for an employee to report compliance concerns internally.  That is because under the False Claims Act, a qui tam relator is entitled to a “bounty” only if the individual is the “original source” of information to the government about the improper billing practices that are the subject of the relator’s action.  On the other hand, if an employee does dutifully report a compliance concern internally through the organization’s reporting system, and the organization itself reports any overpayments to the government or remediates the misconduct itself, the whistleblower may be unable to sue and recover any “bounty.”  As noted earlier, this point is not lost on the relator bar.

Overcoming The Tension.  How does a provider overcome the entreaties of the relator bar, along with the incentives under the False Claims Act whistleblower provisions, to convince employees with compliance concerns to avail themselves of the company’s internal reporting system?  At the outset, the reporting system must be both effective and credible to instill  confidence in the system so that employees will take full advantage of it – that is, the organization must deliver on its promise of anonymity and protection of good-faith reporting and must follow through on a timely basis with a thorough investigation and meaningful corrective action, if indicated.  Further, a robust reporting system, standing alone, will not be effective unless all other elements of an organization’s compliance program are working effectively as well, starting with a “culture of compliance,” reinforced by the executive team and management, and continuing with inservice compliance training, underscoring the importance of timely reporting and the anonymity and other protections afforded to reporting employees.

Likewise, the organization must have personnel and disciplinary policies that reward good-faith reporting and punish compliance lapses, both for engaging in unlawful conduct as well as for failing to report it.  That said, taking any disciplinary action against an employee who files suit as a relator, without ever having reported the compliance concerns in breach of the employee’s duties, is fraught with the risk that the termination or other action will be challenged as retaliation for filing the False Claims Act action, and that the cited ground — failing to report   — is allegedly merely pretextual.

However, with the proper messaging and training, coupled with a robust anonymous reporting system, the company can give its employees good reason to “do the right thing” and report compliance concerns to the company in the first instance, despite the lure of a False Claims Act bounty.

Under the federal Controlled Substances Act, DEA registrants are required to prevent the diversion of controlled substances outside the closed system of distribution that governs and licenses those entities and individuals who can manufacture, distribute, dispense and prescribe controlled substance medications.  One of the hallmarks of the closed system of distribution is the duty of all registrants to detect and prevent suspicious orders.  Beginning in 2007, the DEA began to place great emphasis on wholesale distributors, a relatively small class of DEA registrants, and began imposing on those distributors more real-time responsibility in monitoring and stopping potentially suspicious orders.

Between 2007 and 2016, DEA brought a number of administrative and civil actions against wholesale distribution companies for failing to adequately monitor and prevent suspicious orders of controlled substances, revoking the DEA licenses of various distribution warehouses and collecting hundreds of millions of fines in the ensuing years.  With the increasing public health crisis caused by opioid addiction, DEA and the courts have ramped up its enforcement efforts with increasingly harsh results.

One such example of the increased pressure on distributors is the case of Masters Pharmaceuticals v. DEA, decided June 30, 2017.  In that recent case, the DEA sought to revoke Masters’ registration as a wholesale distributor for its failure to report suspicious orders to DEA.  Masters fought back, trying the case in DEA’s administrative courts, and then appealing the matter to the U.S. Circuit Court of Appeals for the District of Columbia.  In a blow not just to Masters but to DEA-registered wholesale distributors everywhere, the court found in the DEA’s favor.  And, in an opinion unmistakably influenced by the current prescription drug crisis, it announced an interpretation of the regulations regarding suspicious order monitoring that will require almost all wholesale drug distributors, many of which already had robust monitoring systems in place, to change their processes for reporting suspicious orders.

It is doubtful that this increased reporting will actually benefit DEA.  The result of Masters is that while the volume of reports will increase, the quality of those reports will necessarily decrease.  Rather, companies now have to report the results of their automated monitoring processes rather than those that highly experienced regulatory staff evaluated in a qualitative matter.  DEA has neither the time nor resources to evaluate the magnitude of orders that it will receive given Masters.  That helps no one.

 

 

In early July, and with little fanfare, Attorney General Jeff Sessions and the Department of Justice (DOJ) all but gutted the Health Care Corporate Fraud Strike Force – stripping it of several key personnel.  Nevertheless, the investigation and prosecution of health care fraud will likely continue, and the Department will remain vigorous in its pursuit of health care fraud, perhaps with a more individual focus.  In a May 2017 speech at the Annual Institute on Health Care Fraud, Deputy Assistant Attorney General Kenneth Blanco said, “health care fraud is a priority for the Department of Justice.  Attorney General Sessions feels very strongly about this.  I can tell you that he has expressed this to me personally.”

Anonymous sources close to DOJ reported that three of five full-time attorneys had been removed from the Corporate Fraud Strike Force.[1]  Asked for comment on the new-look Corporate Fraud Strike Force, a DOJ spokesperson stated, “the Health Care [Corporate Fraud] Strike Force, as with the entire health care fraud unit, is going strong under steady leadership—continuing to vigorously investigate and hold accountable individuals and companies that engage in fraud, including tackling an opioid epidemic that claimed 60,000 American lives last year.”[2]  Interestingly, AG Sessions did not cut positions within other strike forces, such as the Medicare Fraud Strike Force and the Organized Crime Drug Enforcement Task Forces Program.  In distinction to the Medicare Fraud Strike Force, the DOJ’s Health Care Corporate Fraud Strike Force focuses on complex corporate health care fraud.

Gutting the Corporate Fraud Strike Force Aligns with AG Sessions’ Priorities

On the surface, it may appear that the dismantling of the Corporate Fraud Strike Force comes as the Department of Justice shifts resources to combat new priorities.  AG Sessions has repeatedly announced his commitment to combating health care fraud, as well as cracking down on drugs, violent crime, and illegal immigration.  However, a deeper dive into AG Sessions’ priorities signals a clear shift: corporate health care fraud investigations will take a back seat to the focus of DOJ headquarters on the prescription drug epidemic ravaging America.  Indeed, the appointment of Kenneth Blanco as Deputy Assistant Attorney General fits Sessions’ priority commitment to tackling the opioid crisis—Blanco brings experience from several narcotics-focused roles throughout his career, including Acting Chief of Narcotics in the United States Attorney’s Office for the Southern District of Florida and Chief of the Narcotic and Dangerous Drug Section at DOJ.

While acknowledging extensive health care corruption at the corporate and grass roots levels, the Sessions-led DOJ has put the opioid crisis at the top of its list and will divert resources to components better positioned to tackle drug abuse.  For example, in July 2017 Sessions announced that 412 defendants in over 20 states were charged with orchestrating health care fraud schemes totaling $1.3 billion in false claims.  Importantly, over 120 of the defendants were charged for their roles in the unlawful distribution of opioids and other prescription narcotics.

Caution: Corporate Health Care Fraud Prosecutions Are Not Dead

The DOJ established the Medicare Fraud Strike Force during the George W. Bush administration to coordinate and staff the investigation and prosecution of health care fraud cases in “hot spots” around the country, identified by data analysis.  Those hot spots were originally Miami and Los Angeles.  The Obama Administration expanded the Medicare Fraud Strike Force to seven more “hot spot” cities: Detroit, Houston, Tampa, Baton Rouge, Brooklyn, Dallas, and Chicago.  As DOJ and the Medicare Fraud Strike Force took on more cases – and as complex Medicare fraud cases involving large corporates became even more common – the Department identified a need for dedicated attorneys to oversee the most complicated corporate health care fraud cases.

As a result, in 2015, Attorney General Eric Holder formally established the Health Care Corporate Fraud Strike Force, separate and apart from the Medicare Fraud Strike Force.  With a staff of five experienced trial attorneys, the Corporate Fraud Strike Force had one mission: to detect, investigate, and prosecute complex corporate health care fraud matters.  Notably, in October 2016 the Corporate Fraud Strike Force orchestrated the Justice Department’s $516 million settlement with Tenet Healthcare Corporation to resolve civil and criminal allegations that Tenet received kickbacks in exchange for patient referrals.  John Holland, a former senior vice president at Tenet, was also charged in connection with the fraud.

Even though the Corporate Fraud Strike Force has been effectively dismantled, private and public companies must realize that corporate health care fraud prosecutions are not dead.  Because expertise in complex health care fraud investigations and prosecutions has been developed over the past decade, the need to augment expertise in the field from Main Justice has diminished.  U.S. Attorney’s Offices around the country now have a well-trained, sophisticated staff to continue the Department’s work in combating corporate health care fraud.  While the Department of Justice continues its re-positioning of resources to focus on Sessions’ priorities – drugs, violent crime, and illegal immigration – don’t expect to see a reduction in interest from U.S. Attorney’s Offices, given past successes and the Department’s overall commitment to health care fraud.  Sessions has expressed no soft spot for corporate fraud, saying, “I was taught if [companies] violated a law, you charge them.  If they didn’t violate the law, you don’t charge them.”

Additionally, the President’s proposed FY2018 budget request would increase spending in Health and Human Services’ Health Care Fraud and Abuse Control (HCFAC) program by $70 million, to $751 million.  Money allocated to the HCFAC is shared among the Centers for Medicare and Medicaid Services, DOJ, and Health and Human Services Office of Inspector General.  The takeaway for the health care sector is that the federal focus on health care fraud will continue.  Stay tuned.

[1] Sue Reisinger & Kristen Rasmussen, As Priorities Shift at DOJ, Health Care Corporate Fraud Strike Force Gutted, The National Law Journal (July 10, 2017), http://www.nationallawjournal.com/id=1202792591440/As-Priorities-Shift-at-DOJ-Health-Care-Corporate-Fraud-Strike-Force-Gutted.
[2] Id.

In a February blog post, we detailed the summary judgment rulings in a False Claims Act case involving Lance Armstrong: United States ex rel. Landis v. Tailwind Sports Corporation, et al.  The federal government alleges that Lance Armstrong, his Tailwind Sports team, and its manager, Johan Bruyneel, submitted false claims to the United States Postal Service (“USPS”) and violated sponsorship agreements by using and then denying the use of banned performance enhancing drugs.

In June 2017, in anticipation of a November 2017 trial, the government and Armstrong filed Motions in Limine (“MIL”) to exclude evidence from being introduced before the court.  The parties’ MIL, specifically those motions aimed at barring expert economic testimony via Daubert challenges, could have a significant impact on the government’s ability to meet its burden of proof with respect to damages.  Likewise, Armstrong could suffer a similar misfortune on the MIL as his expert testimony may be critical to combat the government’s claims.  In addition, two  of the MIL, which essentially argue that “everybody does it” and that the “first to come clean benefits,” could have far-reaching implications for FCA cases in the future.  Regardless of the outcome of the MIL, such posturing suggests that this matter is almost certainly headed for trial. Continue Reading Lance Armstrong False Claims Act Suit Cycles Through Motions on Way to Trial

On June 22, 2017, the United States Court of Appeals for the Fifth Circuit, in Maxmed Healthcare, Inc. v. Price, upheld an administrative determination by a Medicare Administrative Contractor (MAC) based on an audit of a sample of 40 home care claims. From its sample findings, the MAC extrapolated to a universe of 130 claims and determined that the home care agency under audit had been overpaid almost $800,000 on the grounds that the sampled patients were not homebound or the services provided were not “medically necessary.” The Maxmed Court’s endorsement of sampling and extrapolation involving medical-necessity reviews may have broader implications for the use of that tool in False Claims Act (FCA) investigations and lawsuits.

Among other arguments, Maxmed Healthcare, the home care agency under audit, maintained that any overpayment based on lack of medical necessity “should only be determined after a review of each beneficiary’s specific claims, and it is fundamentally at odds with extrapolation concerning home health care claims.” Citing to the federal Centers for Medicare and Medicaid Services (CMS) Medicare Benefit Policy Manual and the Medicare Act, the Fifth Circuit held, to the contrary, that Congress and CMS contemplated the use of sampling and extrapolation in post-payment audits, where “there is a sustained or high level of payment error.”  Citing 42 U.S.C. § 1395ddd(f)(3)(A).

In defending against FCA actions premised on the alleged lack of medical necessity of services, providers have argued that disputes over medical necessity involve essentially subjective differences in medical opinion as opposed to the “objective falsity” of Medicare or Medicaid claims, and that a medical-necessity determination requires a particularized claim-by-claim review, specific to each patient, that does not allow for extrapolation to a universe of hundreds or thousands of other claims.  Those arguments may be more difficult to sustain under the Eleventh Circuit’s holding in Maxmed. To avoid the reach of Medmax, providers in FCA cases will likely try to distinguish the “garden variety” audit liability involved in Medmax from the liability imposed under the False Claims Act – with its per claim penalties and treble damages – premised as it is on a finding of falsity among other rigorous elements.

Cyber_securityThe U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellations of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

DOJOn May 31, 2017, the Department of Justice announced a $155 million settlement with eClincialWorks (ECW), an electronic health records (EHR) software vendor, to resolve a whistleblower complaint that alleged violations of the False Claims Act and the Anti-Kickback Statute.  This settlement, the “largest financial recovery in the history of the State of Vermont,” should put EHR vendors on notice, as well as vendors that offer services or products to health care providers: providing misinformation to a government contractor or health care provider about their products or services, or furnishing nonconforming goods or services, may expose them to significant financial exposure under the False Claims Act, even if they do not themselves submit claims to the government.

Background:  Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, the United States Department of Health and Human Services (HHS) established a program to provide incentive payments to health care providers who demonstrated “meaningful use” of “certified” EHR technology.  The incentive payments are to encourage health care providers to transition to using EHR.  To obtain the proper certification, EHR vendors are required to affirm that their products meet certain requirements adopted by HHS and then pass certain tests by a certifying agency approved by HHS.

Allegations:  The lawsuit, in which the federal government intervened, alleged that ECW falsely attested that its products met the applicable certification criteria and prepared its software to pass the certification testing without actually meeting the certification criteria.  Significantly, ECW was alleged to have violated the False Claims Act because it had “caused” the end user health care providers to submit inaccurate attestations concerning their use of “certified” EHR in support of their claims to the government for “meaningful use” incentive payments.

Settlement:  ECW agreed to pay $155 million to settle the complaint and entered into an onerous, five-year Corporate Integrity Agreement (CIA).  In what the DOJ described as “innovative,” the CIA requires, among other things, that ECW (a) retain an Independent Software Quality Oversight Organization to assess ECW’s software quality control systems, (b) provide prompt notice to its customers of any safety related issues, (c) maintain on its customer portal a comprehensive list of issues and steps users should take to mitigate potential patient safety risks, (d) provide its customers with updated versions of their software free of charge, (e) offer customers the option to have ECW transfer their data to another EHR vendor without penalties or charges, and (f) retain an Independent Review Organization to review ECW’s arrangements with health care providers to ensure compliance with the Anti-Kickback Statute.

Implications:  EHR and other health care vendors cannot assume that their liability is limited to breach of contract or indemnification of its customers.  Rather, the ECW case points to the risk of direct exposure under the False Claims Act, without ever submitting a single claim to the government.  In a similar vein, in the context of the Health Insurance Portability and Accountability Act (HIPAA), software and other vendors may also be directly subject to penalties under HIPAA for breaches of protected health information – as a business associate to their health care provider customers.

Combating health care fraud will continue to be a priority for the Jeff Sessions-led Department of Justice (DOJ).

DOJ Criminal Division’s Acting Assistant Attorney General Kenneth Blanco, in a May 18 speech at the ABA’s Institute on Health Care Fraud, said that Attorney General Jeff Sessions “feels very strongly” that “health care fraud is a priority for the Department of Justice.”  Mr. Blanco called health care fraud “despicable” and said, “the investigation and prosecution of health care fraud will continue; the department will be vigorous in its pursuit of those who violate the law in this area.”  Mr. Blanco continued, “I can tell you that [Attorney General Sessions] has expressed this to me personally.”

Mr. Blanco sent a strong and clear message to the audience of health care attorneys, defense counsel, compliance professionals, and relators counsel that the Justice Department’s longstanding commitment to combating health care fraud will continue. His speech appeared to be designed to address concerns that changes in emphasis in the DOJ Criminal Division towards  immigration and violent crime would come at the expense of health care fraud investigations.  Attorney General Sessions is committed to investigating and prosecuting health care fraud because, Mr. Blanco said, health care fraud hurts vulnerable people seeking medical care and costs the government and tax payers almost $100 billion annually. Continue Reading DOJ’s Focus on Health Care Fraud Continues

The Supreme Court will not hear the most important Park doctrine case in over 40 years. In DeCoster v. United States, the DeCosters appealed their convictions under the Responsible Corporate Office doctrine, commonly referred to as the Park doctrine, because they did not have “actual knowledge” that their egg distribution company sold eggs contaminated with salmonella. The DeCosters presented two arguments in their cert. petition, (1) their convictions and three month prison terms were based on vicarious liability and violated due process, and (2) the Supreme Court should overrule the Park doctrine altogether because anyone in the chain of command faces criminal liability.

Until another case tests the limits of the Park doctrine – or another Court of Appeals conflicts with the Eighth Circuit’s holding – the Supreme Court’s decision not to review DeCoster means executives in the food and drug industries may still face imprisonment for supervisory lapses.

We detailed the DeCoster case and the Responsible Corporate Officer doctrine in an earlier blog post and clients and friends memo.

Cyber_securityLast week’s massive ransomware attack should serve as a wake-up call that companies across all industries, including and perhaps especially the health care industry, must take the threat of global ransomware seriously.

The WannaCry attack reportedly crippled some of the computer systems of the U.K.’s National Health Service (NHS), forcing emergency room closures and the cancellations of patient appointments and medical procedures throughout the U.K., before spreading rapidly around the world to the computer networks of businesses and organizations in a variety of industries and regions.

The attack on the NHS echoed attacks in early 2016 on U.S. healthcare providers, including the February 2016 ransomware attack on the Hollywood Presbyterian Medical Center in California, which was forced to pay hackers approximately $17,000 in bitcoins to restore access to patient data and computer systems.  The WannaCry attack comes after the July 2016 announcement by the Department of Health and Human Services Office of Civil Rights (OCR) that it will consider ransomware attacks to constitute potential breaches of the Health Insurance Portability and Accountability Act (HIPAA) if confidential patient data is compromised, adding the prospect of enforcement actions and penalties for health care providers who find themselves to be the victims of ransomware attacks.

In a recent Clients & Friends Memo, we examine the nature of the threat posed by ransomware, what happened in the WannaCry attack, and three key lessons that have emerged for all businesses seeking to protect themselves:

  • First, as ransomware attacks continue to be successful, they will increase in frequency and scale.
  • Second, the WannaCry attack might have been prevented if companies had been more diligent about implementing basic cybersecurity practices, such as patching software vulnerabilities and training staff to detect phishing emails, i.e., emails that appear legitimate but contain links or files that deploy computer viruses if opened.
  • And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.

Read our full Clients & Friends Memo.