In a February blog post, we detailed the summary judgment rulings in a False Claims Act case involving Lance Armstrong: United States ex rel. Landis v. Tailwind Sports Corporation, et al.  The federal government alleges that Lance Armstrong, his Tailwind Sports team, and its manager, Johan Bruyneel, submitted false claims to the United States Postal Service (“USPS”) and violated sponsorship agreements by using and then denying the use of banned performance enhancing drugs.

In June 2017, in anticipation of a November 2017 trial, the government and Armstrong filed Motions in Limine (“MIL”) to exclude evidence from being introduced before the court.  The parties’ MIL, specifically those motions aimed at barring expert economic testimony via Daubert challenges, could have a significant impact on the government’s ability to meet its burden of proof with respect to damages.  Likewise, Armstrong could suffer a similar misfortune on the MIL as his expert testimony may be critical to combat the government’s claims.  In addition, two of the MIL, which essentially argue that “everybody does it” and that the “first to come clean benefits,” could have far-reaching implications for FCA cases in the future.  Regardless of the outcome of the MIL, such posturing suggests that this matter is almost certainly headed for trial.

On June 22, 2017, the United States Court of Appeals for the Fifth Circuit, in Maxmed Healthcare, Inc. v. Price, upheld an administrative determination by a Medicare Administrative Contractor (MAC) based on an audit of a sample of 40 home care claims. From its sample findings, the MAC extrapolated to a universe of 130 claims and determined that the home care agency under audit had been overpaid almost $800,000 on the grounds that the sampled patients were not homebound or the services provided were not “medically necessary.” The Maxmed Court’s endorsement of sampling and extrapolation involving medical-necessity reviews may have broader implications for the use of that tool in False Claims Act (FCA) investigations and lawsuits.

Among other arguments, Maxmed Healthcare, the home care agency under audit, maintained that any overpayment based on lack of medical necessity “should only be determined after a review of each beneficiary’s specific claims, and it is fundamentally at odds with extrapolation concerning home health care claims.” Citing to the federal Centers for Medicare and Medicaid Services (CMS) Medicare Benefit Policy Manual and the Medicare Act, the Fifth Circuit held, to the contrary, that Congress and CMS contemplated the use of sampling and extrapolation in post-payment audits, where “there is a sustained or high level of payment error.”  Citing 42 U.S.C. § 1395ddd(f)(3)(A).

In defending against FCA actions premised on the alleged lack of medical necessity of services, providers have argued that disputes over medical necessity involve essentially subjective differences in medical opinion as opposed to the “objective falsity” of Medicare or Medicaid claims, and that a medical-necessity determination requires a particularized claim-by-claim review, specific to each patient, that does not allow for extrapolation to a universe of hundreds or thousands of other claims.  Those arguments may be more difficult to sustain under the Eleventh Circuit’s holding in Maxmed. To avoid the reach of Maxmed, providers in FCA cases will likely try to distinguish the “garden variety” audit liability involved in Maxmed from the liability imposed under the False Claims Act – with its per claim penalties and treble damages – premised as it is on a finding of falsity among other rigorous elements.

The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently issued a checklist that details suggested best practices for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) in responding to potentially damaging cyber attacks.  The checklist, and an accompanying infographic, provide welcome guidance for health care companies, which have found themselves increasingly targeted by cybercriminals who seek to steal valuable data or launch potentially devastating ransomware attacks.  Indeed, last month’s WannaCry ransomware attack crippled portions of the U.K.’s National Health Service, resulting in the cancellations of medical procedures and the closure of emergency rooms across the U.K.

OCR’s guide should serve as a quick response tool for all HIPAA-covered entities – including health care organizations and their vendors – to efficiently and effectively react to a cyber attack.  Importantly, the checklist identifies the minimum criteria, or foundational elements, a company must meet in the wake of a cyber emergency to safeguard data. Specifically, OCR’s checklist recommends that HIPAA covered entities (and affiliates) pursue the following actions:

  1. Execute mitigation procedures to immediately fix the technical problem that caused or permitted the cyber attack;
  2. Report the breach to local and federal law enforcement;
  3. Share all cyber threat indicators with information-sharing and analysis organizations (ISAOs), which include the Department of Homeland Security, Health and Human Services Assistant Secretary for Preparedness and Response, and private sector ISAOs; and
  4. Disclose the breach to OCR immediately – but no later than 60 days following the discovery of a breach that affects at least 500 people – and to those whose information has been compromised.  If a cyber attack affects fewer than 500 people, the HIPAA covered entity must notify the affected individuals “without unreasonable delay” and report the breach to OCR within 60 days of the end of the calendar year.

Compliance with these protocols by health care entities will be considered by OCR as a mitigating factor in any OCR investigation into a data breach.

It is important to note, however, that the checklist only addresses post-breach compliance under HIPAA.  Health care providers may have other reporting obligations under federal and state laws, particularly state data breach notification laws.  Health care providers that are the victims of a data breach should consult with counsel to determine the extent of their reporting obligations.

On May 31, 2017, the Department of Justice announced a $155 million settlement with eClinicalWorks (ECW), an electronic health records (EHR) software vendor, to resolve a whistleblower complaint that alleged violations of the False Claims Act and the Anti-Kickback Statute.  This settlement, the “largest financial recovery in the history of the State of Vermont,” should put EHR vendors on notice, as well as vendors that offer services or products to health care providers: providing misinformation to a government contractor or health care provider about their products or services, or furnishing nonconforming goods or services, may subject them to significant financial exposure under the False Claims Act, even if they do not themselves submit claims to the government.

Background:  Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, the United States Department of Health and Human Services (HHS) established a program to provide incentive payments to health care providers who demonstrated “meaningful use” of “certified” EHR technology.  The incentive payments are to encourage health care providers to transition to using EHR.  To obtain the proper certification, EHR vendors are required to affirm that their products meet certain requirements adopted by HHS and then pass certain tests by a certifying agency approved by HHS.

Allegations:  The lawsuit, in which the federal government intervened, alleged that ECW falsely attested that its products met the applicable certification criteria and prepared its software to pass the certification testing without actually meeting the certification criteria.  Significantly, ECW was alleged to have violated the False Claims Act because it had “caused” the end user health care providers to submit inaccurate attestations concerning their use of “certified” EHR in support of their claims to the government for “meaningful use” incentive payments.

Settlement:  ECW agreed to pay $155 million to settle the complaint and entered into an onerous, five-year Corporate Integrity Agreement (CIA).  In what the DOJ described as “innovative,” the CIA requires, among other things, that ECW (a) retain an Independent Software Quality Oversight Organization to assess ECW’s software quality control systems, (b) provide prompt notice to its customers of any safety related issues, (c) maintain on its customer portal a comprehensive list of issues and steps users should take to mitigate potential patient safety risks, (d) provide its customers with updated versions of their software free of charge, (e) offer customers the option to have ECW transfer their data to another EHR vendor without penalties or charges, and (f) retain an Independent Review Organization to review ECW’s arrangements with health care providers to ensure compliance with the Anti-Kickback Statute.

Implications:  EHR and other health care vendors cannot assume that their liability is limited to breach of contract or indemnification of their customers.  Rather, the ECW case points to the risk of direct exposure under the False Claims Act, without ever submitting a single claim to the government.  In a similar vein, in the context of the Health Insurance Portability and Accountability Act (HIPAA), software and other vendors may also be directly subject to penalties under HIPAA for breaches of protected health information – as a business associate to their health care provider customers.

Combating health care fraud will continue to be a priority for the Jeff Sessions-led Department of Justice (DOJ).

DOJ Criminal Division’s Acting Assistant Attorney General Kenneth Blanco, in a May 18 speech at the ABA’s Institute on Health Care Fraud, said that Attorney General Jeff Sessions “feels very strongly” that “health care fraud is a priority for the Department of Justice.”  Mr. Blanco called health care fraud “despicable” and said, “the investigation and prosecution of health care fraud will continue; the department will be vigorous in its pursuit of those who violate the law in this area.”  Mr. Blanco continued, “I can tell you that [Attorney General Sessions] has expressed this to me personally.”

Mr. Blanco sent a strong and clear message to the audience of health care attorneys, defense counsel, compliance professionals, and relators’ counsel that the Justice Department’s longstanding commitment to combating health care fraud will continue. His speech appeared to be designed to address concerns that changes in emphasis in the DOJ Criminal Division towards immigration and violent crime would come at the expense of health care fraud investigations.  Attorney General Sessions is committed to investigating and prosecuting health care fraud because, Mr. Blanco said, health care fraud hurts vulnerable people seeking medical care and costs the government and taxpayers almost $100 billion annually.

The Supreme Court will not hear the most important Park doctrine case in over 40 years. In DeCoster v. United States, the DeCosters appealed their convictions under the Responsible Corporate Officer doctrine, commonly referred to as the Park doctrine, because they did not have “actual knowledge” that their egg distribution company sold eggs contaminated with salmonella. The DeCosters presented two arguments in their cert. petition: (1) their convictions and three-month prison terms were based on vicarious liability and violated due process, and (2) the Supreme Court should overrule the Park doctrine altogether because anyone in the chain of command faces criminal liability.

Until another case tests the limits of the Park doctrine – or another Court of Appeals conflicts with the Eighth Circuit’s holding – the Supreme Court’s decision not to review DeCoster means executives in the food and drug industries may still face imprisonment for supervisory lapses.

We detailed the DeCoster case and the Responsible Corporate Officer doctrine in an earlier blog post and clients and friends memo.

Last week’s massive ransomware attack should serve as a wake-up call that companies across all industries, including and perhaps especially the health care industry, must take the threat of global ransomware seriously.

The WannaCry attack reportedly crippled some of the computer systems of the U.K.’s National Health Service (NHS), forcing emergency room closures and the cancellations of patient appointments and medical procedures throughout the U.K., before spreading rapidly around the world to the computer networks of businesses and organizations in a variety of industries and regions.

The attack on the NHS echoed attacks in early 2016 on U.S. healthcare providers, including the February 2016 ransomware attack on the Hollywood Presbyterian Medical Center in California, which was forced to pay hackers approximately $17,000 in bitcoins to restore access to patient data and computer systems.  The WannaCry attack comes after the July 2016 announcement by the Department of Health and Human Services Office of Civil Rights (OCR) that it will consider ransomware attacks to constitute potential breaches of the Health Insurance Portability and Accountability Act (HIPAA) if confidential patient data is compromised, adding the prospect of enforcement actions and penalties for health care providers who find themselves to be the victims of ransomware attacks.

In a recent Clients & Friends Memo, we examine the nature of the threat posed by ransomware, what happened in the WannaCry attack, and three key lessons that have emerged for all businesses seeking to protect themselves:

  • First, as ransomware attacks continue to be successful, they will increase in frequency and scale.
  • Second, the WannaCry attack might have been prevented if companies had been more diligent about implementing basic cybersecurity practices, such as patching software vulnerabilities and training staff to detect phishing emails, i.e., emails that appear legitimate but contain links or files that deploy computer viruses if opened.
  • And, third, companies that fail to take reasonable measures to prevent attacks might find themselves to be the subject of costly regulatory enforcement actions or private litigation.

Read our full Clients & Friends Memo.

The most important Park doctrine case in over forty years may be heading to the Supreme Court – but not if the federal government has its way.  On April 12, 2017, the Acting Solicitor General of the United States filed his brief in opposition to the U.S. Supreme Court’s potential review of United States v. DeCoster and the Responsible Corporate Officer doctrine (“RCO doctrine”).  The RCO doctrine, commonly referred to as the Park doctrine, permits the government to prosecute employees for corporate misconduct when they are in a “position of authority” and fail to prevent or correct a violation of the Food, Drug and Cosmetic Act (FDCA).[1]  Not only is it a strict liability offense, it is a vicarious liability offense and is rarely used by the Department of Justice (DOJ) to seek prison time for supervisory employees.[2]

In the DeCosters’ January 10 Petition for Writ of Certiorari, the company’s executives contend that their convictions as responsible corporate officers are based on vicarious liability, because they did not have “actual knowledge” that their egg distribution company sold contaminated eggs.[3]  Therefore, they argue, federal precedent dictates that imprisonment violates due process.[4]  Anticipating the government’s argument that the DeCosters’ own negligence as responsible corporate officers is the source of their liability, the DeCosters state that Park doctrine liability has historically not been based on negligence by the responsible corporate officer.[5]  Rather, the argument continues, the Park doctrine is a strict liability offense based on the corporate officer’s position of authority and the presumption that the officer is in a position to prevent violations of the FDCA.  A sentence of imprisonment for a strict liability violation, they maintain, violates due process.[6]  Accordingly, the DeCosters argue that the Eighth Circuit’s holding, affirming the conviction and sentencing of both executives to three months’ imprisonment, gravely expands the RCO doctrine and an “innocent” supervisor convicted of vicarious criminal liability should not face imprisonment.[7]  Secondarily, the DeCosters argue that the Park doctrine itself should be overruled because it “creates a nearly boundless risk of arbitrary enforcement” whereby it exposes “essentially anyone in the chain of command of a company, large or small, with at least nominal responsibility for a given activity” to criminal liability.[8]  The latter argument was advanced in the cert. petition even though it had not been raised in the lower courts.

The Acting Solicitor General, however, opposes the Supreme Court’s review and contends the DeCosters’ prison terms were based on their acts and omissions, not vicarious liability.[9]  The government cites United States v. Park to explain the prison terms are appropriate because the FDCA “imposes not only a positive duty to seek out and remedy violations when they occur but also, and primarily, a duty to implement measures that will insure that violations will not occur.”[10]

If the Supreme Court reviews DeCoster, it will provide long-sought-after guidance for corporate executives in the food and drug industries.  Additionally, the DOJ’s defense of the DeCosters’ conviction and sentencing, coupled with its ongoing focus on prosecuting individuals for corporate misconduct, both via the Yates Memo and recent guidance from the Fraud Section, which we highlighted in a prior blog post, suggests that the government’s interest in holding individuals accountable and liable, including those in the c-suite, is not waning in the new administration.

For additional information, please see our Client & Friends memo: The Responsible Corporate Officer Doctrine in the Wake of DeCoster.

 

[1] United States v. Park, 421 U.S. 658 (1975); see also Jose P. Sierra, The Park Doctrine: All Bark and No Bite, pharmarisc.com, (Apr. 6, 2012), http://www.pharmarisc.com/2012/04/the-park-doctrine-all-bark-and-no-bite/.
[2] 21 U.S.C. § 301 et seq.
[3] United States v. DeCoster, 828 F.3d 626, 629, 631 (8th Cir. 2016).
[4] Petition for a Writ of Certiorari at *12-16, DeCoster v. United States (filed Jan. 10, 2016).
[5] Id. at *17.
[6] Id. at *23-26.
[7] Id. at *30.
[8] Id. at *32.
[9] Brief for the United States in Opposition, DeCoster v. United States, at *10 (filed Apr. 12, 2017).
[10] Id.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced on April 24, 2017, a $2.5 million settlement with mobile health services company CardioNet related to its “potential noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the exposure of unsecured electronic protected health information (ePHI) of more than a thousand individuals. OCR touted the settlement as its first with a wireless health services provider.

The settlement requires CardioNet to adopt a Corrective Action Plan, as part of which CardioNet must:

  • conduct a risk analysis to identify the security risks and vulnerabilities to its systems that house ePHI;
  • develop and implement a risk management plan to mitigate those risks and vulnerabilities;
  • review—and potentially revise—its security policies for electronic devices and media; and
  • review—and potentially revise—its training program related to the security of ePHI.


As we reported last week, on January 17, 2017, staff from the Department of Health and Human Services Office of Inspector General (HHS-OIG) met with Health Care Compliance Association (HCCA) professionals for a roundtable meeting to develop a resource guide aimed at helping health care organizations develop ways to benchmark and measure the effectiveness of compliance programs.

The results of the roundtable meeting were released by HHS-OIG on March 27, 2017, with the release of the Resource Guide on Compliance Program Effectiveness (“Resource Guide”).  The Resource Guide provides a large number of measurement options designed to work across “a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” It covers the well-established seven elements of an effective compliance program, articulated in the U.S. Sentencing Guidelines:

  1. Standards, policies and procedures
  2. Compliance program administration
  3. Screening and evaluation of employees, physicians, vendors and other agents
  4. Communication, education and training on compliance issues
  5. Monitoring, auditing and internal reporting systems
  6. Discipline for noncompliance and
  7. Investigations and remedial measures
