Tom Price is out as Secretary of the U.S. Department of Health and Human Services (“HHS”).  Mr. Price announced his resignation on September 29th as he faced more questions and increasing scrutiny over his use of taxpayer-funded private planes.  While Mr. Price’s departure from HHS will impact some aspects of the Trump Administration’s health care agenda, health care enforcement and compliance issues are bi-partisan in support and therefore less volatile.

Under Inspector General Daniel Levinson, who has led HHS’ Office of Inspector General (“OIG”) for twelve years, HHS remains committed to detecting, preventing, and prosecuting individuals and companies for health care fraud.  Accordingly, all signs point to OIG continuing to focus on detecting fraudulent billing practices and illegal physician referral programs, and using corporate integrity agreements to ensure that health care providers obey Medicare and Medicaid rules and policies.

In addition to fighting fraud in HHS programs, Health Information Portability and Accountability Act (“HIPAA”) security and cyber security are top priorities for HHS’ Office for Civil Rights (“OCR”).  To combat cyber security threats and to mitigate damage caused by cyber security breaches, OCR will likely increase its enforcement of HIPAA privacy rules and regulations and scrutinize providers’ cyber security policies, best practices, and response procedures.  Driving home this point, new OCR Director Roger Severino said, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target.  At most I will say the big, juicy case is going to be my priority and the methods for us finding it – stay tuned.”[1]

Under Attorney General Jeff Sessions, the U.S. Department of Justice has maintained a high tempo in its efforts to combat health care fraud.  For example, in July 2017 DOJ announced a partnership between its Health Care Fraud Unit’s Corporate Fraud Strike Force and Foreign Corrupt Practices Act (“FCPA”) prosecutors to ensure that health care companies are held accountable to the standards of the False Claims Act and the FCPA.  And DOJ’s new Opioid Fraud and Abuse Detection Unit will help combat the ongoing opioid crisis, in keeping with Attorney General Sessions’ enforcement priorities.

Tom Price’s departure as HHS Secretary is significant for other important aspects of health care, including the future of the Affordable Care Act and the Medicare and Medicaid bundled payment models.  However, current HHS and DOJ enforcement programs remain a priority under President Trump and Attorney General Sessions.

[1] Marianne K. McGee, Top HIPAA Enforcer Names His Top Enforcement Priority, Data Breach Today (Sept. 5, 2017), https://www.databreachtoday.com/top-hipaa-enforcer-names-his-top-enforcement-priority-a-10258.

DOJIn July, we reported on Attorney General Sessions dismantling DOJ’s Health Care Corporate Fraud Strike Force.  On July 25, Sandra Moser, acting chief of the DOJ’s Fraud Section, announced a partnership between the Health Care Fraud Unit’s Corporate Fraud Strike Force and Foreign Corrupt Practices Act (“FCPA”) prosecutors.  Together, these moves signal DOJ’s reorganization to ensure health care companies are held accountable to the standards of the False Claims Act and the FCPA, and, at the same time, free-up prosecutors at Main Justice to focus on Sessions’ priorities of cracking down on drugs, violent crime, and illegal immigration.

DOJ’s latest move to coordinate the health care fraud enforcement mission with FCPA efforts is not novel—it simply creates an efficient partnership to encourage U.S. health care companies to adopt and follow anti-corruption best practices.  Speaking at last month’s Global Forum on Anti-Corruption in High Risk Markets in Washington, D.C., Moser highlighted the intersection between the FCPA and the health care industry.  Moser noted that, because most foreign health care systems are government run, health care companies will invariably deal with public officials when engaged in business overseas and must ensure that executives and lower-level employees act appropriately to avoid potential FCPA liability.

Citing the need to draw from all necessary DOJ resources to effectively prosecute global health care fraud, Moser pointed to several recent resolutions that DOJ has reached with major pharmaceutical companies to resolve FCPA and domestic bribery charges.  These resolutions include a December 2016 deal reached with Teva Pharmaceuticals, which paid $519 million dollars to resolve charges over FCPA violations in Ukraine, Mexico and Russia.

Moser announced that FCPA prosecutors and the Health Care Fraud Unit Corporate Strike Force will formalize this cooperation into a unified effort to jointly investigate and prosecute foreign and domestic bribery in the health care industry.  Although there had been some level of cooperation between the two on a case-by-case basis, this new arrangement will likely lead to increased DOJ scrutiny into the foreign business dealings of health care companies.  The Health Care Corporate Fraud Strike Force and FCPA prosecutors’ partnership will streamline government efforts to crack down on FCPA violations and signals to the health care industry that, like all companies conducting substantial overseas business in countries with corruption risk, health care companies should ensure that effective safeguards are in place to prevent their employees, subsidiaries and foreign agents from running afoul of the FCPA.

Both DOJ and HHS-OIG have released resource guides on combating fraud this year.  Corporate executives and compliance departments should refer to DOJ’s Evaluation of Corporate Compliance Programs for baseline standards and questions to consider when developing or re-assessing a corporate compliance program.  Health care companies should also design compliance programs, training, and internal controls to prevent FCPA violations and detect them early enough to stop or mitigate the extent of the violation.

The issue of self-reporting takes on added emphasis with the coordination between health care and FCPA.  During her speech, Moser promoted DOJ’s recently introduced FCPA Pilot Program and much better outcomes for companies who voluntarily disclosed violations (self-reporting companies obtaining either a declination with disgorgement of illicit profits, or a non-prosecution agreement with a 50% reduced fine) compared with those that did not (80% of the cases against these companies were resolved through guilty pleas or deferred prosecution agreements, none received more than a 25% guidelines reduction, and most had a monitor appointed).

Health care companies are now on alert that, even though Sessions has been focused on prosecuting drugs, violent crime, and illegal immigration, DOJ will continue to put energy and resources towards its anti-corruption enforcement efforts, particularly in the health care industry.

After years of defrauding the U.S. government and taxpayers, Mylan, the maker of EpiPen, last week resolved allegations that it profited at the expense of Medicaid.

On August 17, Mylan and its subsidiaries agreed to pay $465 million to resolve claims they violated the False Claims Act (“FCA”) for knowingly misclassifying its lifesaving EpiPen product as a generic drug to avoid paying rebates owed to the U.S. government.  In a press release, the Department of Justice (“DOJ”) stated, “this settlement demonstrates the DOJ’s unwavering commitment to hold pharmaceutical companies accountable for schemes to overbill Medicaid, a taxpayer-funded program whose purpose is to help the poor and disabled.”

The settlement was first announced in October 2016, amidst fierce public criticism of Mylan’s triple-digit price hikes for the EpiPen, but the settlement agreement, and the fact that Sanofi was the whistleblower, was just released last week.  It is rare for one health care company to blow the fraud whistle on another health care company.

Sanofi’s Qui Tam Suit

Inquiries into Mylan’s misconduct started when rival Sanofi-Aventis US LLC (“Sanofi”) filed a qui tam lawsuit against Mylan under seal in 2016, in the District of Massachusetts, under the whistleblower provisions of the FCA.  The government then intervened in the case.

Sanofi, which had been selling a competing product to Mylan’s EpiPen, alleged that Mylan knowingly misclassified EpiPen as a generic drug, or “non-innovator” product, even though it was marketed and priced as a brand-name product.  Under the Medicaid program, manufacturers must pay higher rebates for brand-name drugs, i.e. drugs only available through a single source.  To avoid price gouging, Medicaid receives a 23 percent discount on brand-name drugs but only a 13 percent discount on generics.  The intentional misclassification of the EpiPen as a generic allowed Mylan to underpay hundreds of millions of dollars in rebates to Medicaid sold through its health coverage program from 2010 to 2016.  During that timeframe, the company increased the price of the EpiPen by 400% but paid the lesser rebate for generic drugs.

Mylan’s $465 Million Settlement

Mylan’s August 17 settlement agreement with DOJ and the Office of the Inspector General of Health and Human Services (“OIG-HHS”) resolves Sanofi and the government’s allegations that Mylan knowingly skirted its rebate obligations under the FCA.

Without admitting any wrongdoing, effective retroactive to April 1, 2017 Mylan reclassified EpiPen as a brand-name product for rebate purposes and Mylan entered into a corporate integrity agreement.  The company’s five year corporate integrity agreement with OIG-HHS requires that Mylan fulfill numerous obligations, including: (1) retain an independent review organization to assess annually whether Mylan is complying with the Medicaid program, and (2) hold executives and board members individually accountable for the company’s compliance with the corporate integrity agreement and federal health care programs.

As the whistleblower, Sanofi was awarded $38.7 million as its share of the federal recovery for alerting the government about Mylan’s misconduct.  Sanofi also stands to recover some money state Medicaid programs will receive under the settlement.

Public Outcry – Mylan’s Settlement “Shortchanges” Taxpayers

Both Republican and Democratic Senators have issued statements showing disapproval with Mylan’s settlement with DOJ.  Senator Chuck Grassley (R-IA) spoke out against the settlement, calling it a “disappointment.”  Senator Grassley continued, “the government’s own watchdog said the taxpayers may have overpaid for EpiPen by as much as $1.27 billion over 10 years.  Did the Justice Department consider the inspector general estimate?  If not, why not?”  Senator Richard Blumenthal (D-CT) also issued a fiery response, saying, “quite simply, the Department of Justice is letting this deceptive pharmaceutical behemoth off the hook.  Absolving Mylan from a finding of wrongdoing has cleared the way for the company to pocket the money it embezzled from an American public in desperate need of lifesaving and affordable medications.”

Mylan is not completely off the hook, at least to other private actions – it still faces Sanofi’s separate antitrust suit in New Jersey federal court.  There, Sanofi alleges that Mylan, to preserve its monopoly over EpiPen-like injectors, offered large rebates to insurers that did not cover competing products.

Combating health care fraud will continue to be a priority for the Jeff Sessions-led Department of Justice (DOJ).

DOJ Criminal Division’s Acting Assistant Attorney General Kenneth Blanco, in a May 18 speech at the ABA’s Institute on Health Care Fraud, said that Attorney General Jeff Sessions “feels very strongly” that “health care fraud is a priority for the Department of Justice.”  Mr. Blanco called health care fraud “despicable” and said, “the investigation and prosecution of health care fraud will continue; the department will be vigorous in its pursuit of those who violate the law in this area.”  Mr. Blanco continued, “I can tell you that [Attorney General Sessions] has expressed this to me personally.”

Mr. Blanco sent a strong and clear message to the audience of health care attorneys, defense counsel, compliance professionals, and relators counsel that the Justice Department’s longstanding commitment to combating health care fraud will continue. His speech appeared to be designed to address concerns that changes in emphasis in the DOJ Criminal Division towards  immigration and violent crime would come at the expense of health care fraud investigations.  Attorney General Sessions is committed to investigating and prosecuting health care fraud because, Mr. Blanco said, health care fraud hurts vulnerable people seeking medical care and costs the government and tax payers almost $100 billion annually. Continue Reading DOJ’s Focus on Health Care Fraud Continues

The Supreme Court will not hear the most important Park doctrine case in over 40 years. In DeCoster v. United States, the DeCosters appealed their convictions under the Responsible Corporate Office doctrine, commonly referred to as the Park doctrine, because they did not have “actual knowledge” that their egg distribution company sold eggs contaminated with salmonella. The DeCosters presented two arguments in their cert. petition, (1) their convictions and three month prison terms were based on vicarious liability and violated due process, and (2) the Supreme Court should overrule the Park doctrine altogether because anyone in the chain of command faces criminal liability.

Until another case tests the limits of the Park doctrine – or another Court of Appeals conflicts with the Eighth Circuit’s holding – the Supreme Court’s decision not to review DeCoster means executives in the food and drug industries may still face imprisonment for supervisory lapses.

We detailed the DeCoster case and the Responsible Corporate Officer doctrine in an earlier blog post and clients and friends memo.

The most important Park doctrine case in over forty years may be heading to the Supreme Court – but not if the federal government has its way.  On April 12, 2017, the Acting Solicitor General of the United States filed his brief in opposition to the U.S. Supreme Court’s potential review of United States v. DeCoster and the Responsible Corporate Officer doctrine (“RCO doctrine”).  The RCO doctrine, commonly referred to as the Park doctrine, permits the government to prosecute employees for corporate misconduct when they are in a “position of authority” and fail to prevent or correct a violation of the Food, Drug and Cosmetic Act (FDCA).[1]  Not only is it a strict liability offense, it is a vicarious liability offense and is rarely used by the Department of Justice (DOJ) to seek prison time for supervisory employees.[2]

In the DeCosters’ January 10 Petition for Writ of Certiorari, the company’s executives contend that their convictions as responsible corporate officers are based on vicarious liability, because they did not have “actual knowledge” that their egg distribution company sold contaminated eggs.[3]  Therefore, they argue, federal precedent dictates that imprisonment violates due process.[4]  Anticipating the government’s argument that the DeCosters’ own negligence as responsible corporate officers is the source of their liability, the DeCosters state that Park doctrine liability has historically not been based on negligence by the responsible corporate officer.[5]  Rather, the argument continues, the Park doctrine is a strict liability offense based on the corporate officer’s position of authority and the presumption that the officer is in a position to prevent violations of the FDCA.  A sentence of imprisonment for a strict liability violation, they maintain, violates due process.[6]  Accordingly, the DeCosters argue that the Eighth Circuit’s holding, affirming the conviction and sentencing of both executives to three months’ imprisonment, gravely expands the RCO doctrine and an “innocent” supervisor convicted of vicarious criminal liability should not face imprisonment.[7]  Secondarily, the DeCosters argue that the Park doctrine itself should be overruled because it “creates a nearly boundless risk of arbitrary enforcement” whereby it exposes “essentially anyone in the chain of command of a company, large or small, with at least nominal responsibility for a given activity” to criminal liability.[8]  The latter argument was advanced in the cert. petition even though it had not been raised in the lower courts.

The Acting Solicitor General, however, opposes the Supreme Court’s review and contends the DeCosters’ prison terms were based on their acts and omissions, not vicarious liability.[9]  The government cites United States v. Park to explain the prison terms are appropriate because the FDCA “imposes not only a positive duty to seek out and remedy violations when they occur but also, and primarily, a duty to implement measures that will insure that violations will not occur.”[10]

If the Supreme Court reviews DeCoster, it will provide long-sought-after guidance for corporate executives in the food and drug industries.  Additionally, the DOJ’s defense of the DeCosters’ conviction and sentencing, coupled with its ongoing focus on prosecuting individuals for corporate misconduct, both via the Yates Memo and recent guidance from the Fraud Section, which we highlighted in a prior blog post, suggests that the government’s interest in holding individuals accountable and liable, including those in the c-suite, is not waning in the new administration.

For additional information, please see our Client & Friends memo: The Responsible Corporate Officer Doctrine in the Wake of DeCoster.

 

[1] United States v. Park, 421 U.S. 658 (1975); see also Jose P. Sierra, The Park Doctrine: All Bark and No Bite, pharmarisc.com, (Apr. 6, 2012), http://www.pharmarisc.com/2012/04/the-park-doctrine-all-bark-and-no-bite/.
[2] 21 U.S.C. § 301 et seq.
[3] United States v. DeCoster, 828 F.3d 626, 629, 631 (8th Cir. 2016).
[4] Petition for a Writ of Certiorari at *12-16, DeCoster v. United States (filed Jan. 10, 2016).
[5] Id. at *17.
[6] Id. at *23-26.
[7] Id. at *30.
[8] Id. at *32.
[9] Brief for the United States in Opposition, DeCoster v. United States, at *10 (filed Apr. 12, 2017).
[10] Id.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet related to its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.

The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:

  • conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
  • develop and implement a risk management plan to mitigate those risks and vulnerabilities;
  • review—and potentially revise—its security policies for electronic devices and media; and
  • review—and potentially revise—its training program related to the security of ePHI.

Continue Reading HHS Office for Civil Rights Announces HIPAA Settlement for Exposure of Electronic PHI

wooden toolbox with tools. isolated on white.

As we reported last week, on January 17, 2017, staff from the Department of Health and Human Services Office of Inspector General (HHS-OIG) met with Health Care Compliance Association (HCCA) professionals for a roundtable meeting to develop a resource guide aimed at helping health care organizations develop ways to benchmark and measure the effectiveness of compliance programs.

The results of the roundtable meeting were released by HHS-OIG on March 27, 2017, with the release of the Resource Guide on Compliance Program Effectiveness (“Resource Guide”).  The Resource Guide provides a large number of measurement options designed to work across “a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” It covers the well-established seven elements of an effective compliance program, articulated in the U.S. Sentencing Guidelines:

  1. Standards, policies and procedures
  2. Compliance program administration
  3. Screening and evaluation of employees, physicians, vendors and other agents
  4. Communication, education and training on compliance issues
  5. Monitoring, auditing and internal reporting systems
  6. Discipline for noncompliance and
  7. Investigations and remedial measures

Continue Reading Regulatory Guidance Part II: Synthesizing 2017 DOJ Fraud Section and HHS-OIG Guidance

cheatsheetIn February, to little fanfare, the Department of Justice (DOJ) Criminal Division Fraud Section issued detailed criteria for evaluating corporate compliance programs.  The guidance, entitled Evaluation of Corporate Compliance Programs (“Evaluation Guidance” or “Guidance”) comes two years after DOJ hired Hui Chen as Compliance Counsel in the Fraud Section.  When her position was announced, the DOJ said that Chen would “help prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures” and would “communicat(e) with stakeholders in setting those benchmarks.”  The Evaluation Guidance provides those benchmarks used by the DOJ to evaluate the effectiveness of corporate compliance programs. It covers 11 key compliance program evaluation topics, along with a list of specific questions that DOJ considers important in evaluating compliance programs as part of a criminal investigation. Continue Reading DOJ Compliance Cheat Sheet

USDHHS-sealNew regulations have been released in the form of a Final Rule (announced at 82 Fed. Reg. 4100) (the “Final Rule”), revising and expanding the authority of the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) to exclude entities and individuals from participation in federal health care programs. The Final Rule adds to the OIG’s longstanding statutory authority to issue exclusions, which was most recently expanded by Congress in the 2010 Affordable Care Act.

The Final Rule was announced on January 12, 2017, and was intended to go into effect on February 13, 2017. The new administration’s temporary freeze on pending regulations delays that effective date until March 21, 2017. Continue Reading New Regulations Expand Authority of HHS OIG to Issue Exclusion Orders