The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet related to its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.

The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:

  • conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
  • develop and implement a risk management plan to mitigate those risks and vulnerabilities;
  • review—and potentially revise—its security policies for electronic devices and media; and
  • review—and potentially revise—its training program related to the security of ePHI.

Continue Reading HHS Office for Civil Rights Announces HIPAA Settlement for Exposure of Electronic PHI

wooden toolbox with tools. isolated on white.

As we reported last week, on January 17, 2017, staff from the Department of Health and Human Services Office of Inspector General (HHS-OIG) met with Health Care Compliance Association (HCCA) professionals for a roundtable meeting to develop a resource guide aimed at helping health care organizations develop ways to benchmark and measure the effectiveness of compliance programs.

The results of the roundtable meeting were released by HHS-OIG on March 27, 2017, with the release of the Resource Guide on Compliance Program Effectiveness (“Resource Guide”).  The Resource Guide provides a large number of measurement options designed to work across “a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” It covers the well-established seven elements of an effective compliance program, articulated in the U.S. Sentencing Guidelines:

  1. Standards, policies and procedures
  2. Compliance program administration
  3. Screening and evaluation of employees, physicians, vendors and other agents
  4. Communication, education and training on compliance issues
  5. Monitoring, auditing and internal reporting systems
  6. Discipline for noncompliance and
  7. Investigations and remedial measures

Continue Reading Regulatory Guidance Part II: Synthesizing 2017 DOJ Fraud Section and HHS-OIG Guidance

 

USDHHS-sealThe federal Health and Human Services’ Office of Inspector General (OIG) has recently circulated a new resource guide for compliance, titled “Measuring Compliance Program Effectiveness.”  Beyond reciting the seven elements of an effective compliance program, this guidebook provides concrete metrics for “what to measure” and “how to measure” compliance under each element, including for instance performing a fraud risk assessment.

The OIG is careful to remind the health care community that there is no “one size fits all” compliance plan, and that this latest guidance is not meant to serve as a checklist or substitute for a program particularized to the organization’s particular needs and industry risks. Nevertheless, the guidance can serve as a useful platform for building out an effective compliance program and for evaluating and enhancing a program already in place.  Performing a compliance review with the Guide as a tool can also help demonstrate a provider’s or health plan’s commitment to compliance “best practices.”

cheatsheetIn February, to little fanfare, the Department of Justice (DOJ) Criminal Division Fraud Section issued detailed criteria for evaluating corporate compliance programs.  The guidance, entitled Evaluation of Corporate Compliance Programs (“Evaluation Guidance” or “Guidance”) comes two years after DOJ hired Hui Chen as Compliance Counsel in the Fraud Section.  When her position was announced, the DOJ said that Chen would “help prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures” and would “communicat(e) with stakeholders in setting those benchmarks.”  The Evaluation Guidance provides those benchmarks used by the DOJ to evaluate the effectiveness of corporate compliance programs. It covers 11 key compliance program evaluation topics, along with a list of specific questions that DOJ considers important in evaluating compliance programs as part of a criminal investigation. Continue Reading DOJ Compliance Cheat Sheet

USDCSDNYEarlier this month, the Southern District of New York dismissed the remaining claim in United States ex rel. Kolchinsky v. Moody’s Corp., ruling that Moody’s alleged “false claim” was not material under the standards set in Universal Health Services, Inc. v. United States ex rel. Escobar. The analysis of this case is instructive for other FCA cases, including health care fraud, for the court’s analysis on dismissal of FCA claims on materiality grounds. The court had previously dismissed the Relator’s claims in February but gave leave for him to amend his complaint with respect to claims about certain inaccuracies in Moody’s Ratings Delivery Service. The Relator filed an amended and somewhat more specific complaint thereafter, alleging that Moody’s provided ratings it knew to be inaccurate directly to its subscribers, which included the federal government. Continue Reading FCA Case Dismissed on Materiality Standard

USDHHS-sealNew regulations have been released in the form of a Final Rule (announced at 82 Fed. Reg. 4100) (the “Final Rule”), revising and expanding the authority of the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) to exclude entities and individuals from participation in federal health care programs. The Final Rule adds to the OIG’s longstanding statutory authority to issue exclusions, which was most recently expanded by Congress in the 2010 Affordable Care Act.

The Final Rule was announced on January 12, 2017, and was intended to go into effect on February 13, 2017. The new administration’s temporary freeze on pending regulations delays that effective date until March 21, 2017. Continue Reading New Regulations Expand Authority of HHS OIG to Issue Exclusion Orders

stat-samplesThe U.S. Court of Appeals for the Fourth Circuit missed an opportunity earlier this month in United States ex rel. Michaels v. Agape Senior Cmty, Inc., No. 15-2145, 2017 WL 588356 (4th Cir. Feb. 14, 2017), to provide clarity on one of the hottest issues in FCA litigation—whether an FCA relator may use statistical sampling and extrapolation to establish FCA liability. Courts frequently permit the use of statistical sampling to establish damages in FCA cases where liability has already been established. Applying the method to the question of liability, however, remains highly contested, given that courts have long held that the False Claims Act requires a relator to prove the falsity of each claim submitted for payment and the resulting damages. While a number of district courts have faced this question—and have reached different conclusions on its propriety, especially since the District Court for the Eastern District of Tennessee’s decision in United States ex rel. Martin v. Life Care Centers of America, Inc., 114 F. Supp. 3d 549 (E.D. Tenn. 2014)—no appellate court has ruled on the issue. With the Fourth Circuit’s decision—or lack thereof—relators, federal healthcare program providers, and the FCA bar continue to await guidance.

In Agape, the relators—former employees of the defendant, an operator of a network of nursing facilities in South Carolina—filed an interlocutory appeal to the district court’s denial of their request to:

  1. examine a random sample of claims submitted by the defendant to federal healthcare programs for services that the relators claim were not provided or were not medically necessary;
  2. have their experts assess those claims for falsity; and then
  3. extrapolate their findings to a universe of more than 50,000 claims.

Continue Reading Statistical Sampling Stumble – Fourth Circuit Misses Opportunity to Provide False Claims Act Guidance

bikersIn a case with important considerations for False Claims Act cases, Lance Armstrong will face claims at trial that he fraudulently obtained funds from the United States Postal Service because of alleged violations of his sponsorship contract. On February 13, 2017, a D.C. federal judge ruled on competing motions for summary judgment setting the stage for a trial on the issues of implied certification and potential damages.

Armstrong argued that because the invoices sent to the Postal Service did not contain representations about the services rendered, the implied certification theory outlined in the Supreme Court case Universal Health Services, Inc. v. United States, ex rel. Julio Escobar and Carmen Correa (“Escobar”) was inapplicable.  Specifically, Armstrong argued that the Escobar implied certification test was inapplicable because Armstrong’s invoices did not make “specific representations about the goods or services provided . . . ” The D.C. district court agreed that the invoices merely requested payment and made no other representations, but held that the lack of a representation of the services in Armstrong’s invoices was not dispositive of the implied certification issue at summary judgment. Whereas the Supreme Court limited the holding in Escobar to its facts and expressly declined to “resolve whether all claims for payment implicitly represent that the billing party is legally entitled to payment,” the  D.C. Circuit had already explicitly addressed such omissions in United States v. Scientific Applications International Corp. In that case, the D.C. Circuit said that a claim for payment “need not include ‘express contractual language specifically linking compliance to eligibility for payment,’ . . . [but] ‘[r]ather, all the government must show is ‘that the [claimant] withheld information about its noncompliance with material contractual requirements.’”  In other words, Armstrong’s material omission that he was using performance enhancing drugs when he signed the sponsorship agreements was sufficient to allege implied certification, even though the invoices or demands for payment themselves did not make any representations. Continue Reading Federal Judge Ruling in United States ex rel. Landis v. Tailwind Sports Corporation, et al. Sets Stage for Trial on Issues of Implied Certification and Potential Damages

DOJEffective February 3, 2017, DOJ announced an increase in civil monetary penalties for FCA violations. This is the second annual increase, indexed to inflation, since the Bipartisan Budget Act of 2015, which required all federal agencies to increase civil monetary penalties under their jurisdiction by the change in the Consumer Price Index.

Last year’s “catch-up adjustment” almost doubled False Claims Act civil monetary penalties, given that they were last adjusted in 1986. That initial increase took minimum per-claim FCA penalties to $10,781 from $5,500 per claim and maximum per-claim penalties rose to $21,563 from $11,000 per claim. The adjustments announced last week increased minimum per-claim penalties by $176 to $10,957 and maximum penalties by $353 to $21,916.

These increases apply to any FCA penalties assessed after February 3, 2017, for FCA violations that occurred on or after November 2, 2015. For violations occurring before November 2, 2015, the 1986 penalty range ($5,500 – $11,000) still applies.