How to Protect Your Company From Criminal Health Care Enforcement

The picture in Washington, D.C. is unmistakable: We are in an era of unprecedented civil and criminal enforcement.

The Justice Department’s (DOJ) crown jewel is its Health Care Fraud initiative, which primarily focuses on Medicare and Medicaid fraud and off-label promotion cases. The False Claims Act is the principal tool used by DOJ.

For FY 2011, DOJ recovered over $3 billion in fraud cases. Approximately $2.8 billion of those recoveries were the result of whistleblower complaints, an increase of $500 million over FY 2010. Also in that year, the department recovered more than $5.6 billion in civil and criminal penalties.

In the last few years, Congress has increased funding by nearly $1 billion to combat health care fraud and abuse. It has been estimated that each dollar spent on enforcement results in a recovery or savings of one-and-a-half times that amount.

DOJ, Health and Human Services (HHS) and related agencies use a number of strategies to identify, investigate and prosecute health care fraud. The Center for Medicare and Medicaid (CMS) has initiated new procedures for identifying fraud before CMS makes any payments to health care providers or suppliers. CMS’s new program works like existing fraud programs used by financial institutions for credit cards and debit cards, allowing it to identify unusual billing patterns that suggest potential fraud.

In addition, the federal government has used its Health Care Prevention and Enforcement Action Team (HEAT), which was started in 2009 and recently expanded to additional cities, to target Medicare and Medicaid fraud. The HEAT program is akin to past organized crime task forces and is an extremely successful model for increasing enforcement of health care fraud cases.

By virtue of these efforts, in the past year, a large number of false claims and anti-kickback cases have been brought against hospital systems. Some of the largest include:

1. Seven hospitals agreed to pay $6.3 million to resolve allegations that they submitted false claims to Medicare related to kyphoplasty procedures (treatment for spinal fractures).

2. The Detroit Medical Center agreed to pay $30 million to resolve allegations of improper relationships between the health system and physicians involving reduced leasing arrangements below market value, free advertising and tickets to events and seminars.

3. The Catholic Healthcare System agreed to pay $9.1 million to settle allegations that it submitted false Medicare claims for overpayments which were not returned, claims based on inflated costs for home health care agencies, and claims related to kidney-treatment services for which the hospital system was ineligible.

4. Dartmouth Hitchcock Medical Center in New Hampshire agreed to pay $2.2 million to resolve allegations that it improperly billed various federal health programs for services performed by resident physicians without required supervision.

Aggressive Prosecution Strategies and Tools

Not in the past 30 years have government prosecutors and regulators so aggressively enforced the law. Clearly, they are emboldened–launching initiatives that were previously kept on the shelf because of practical or political concerns.

As part of these more-aggressive enforcement strategies, prosecutors are relying on the responsible corporate officer doctrine to hold pharmaceutical and medical device executives criminally responsible for conduct where there is insufficient evidence to show the executive knew about the illegal activity. A federal judge in Philadelphia recently sentenced several executives from a medical device company to prison terms ranging from six to nine months, and ordered one executive to begin serving the time immediately at the sentencing hearing.

In an unprecedented move, DOJ criminally prosecuted Laura Stevens, in-house counsel for GlaxoSmithKline (GSK), for obstruction of justice and false statements. The U.S. Attorney’s Office for the District of Maryland refused to participate in the criminal prosecution, which is especially telling. The evidence against Ms. Stevens centered on her failure to ensure that GSK produced certain documents in response to an informal letter request from the Food and Drug Administration relating to off-label marketing practices. At the conclusion of the government’s case, the judge dismissed the case, and made a blistering statement on the record which rebuked the government prosecutors for bringing the action (and vindicated the U.S. Attorney’s opposition). The prosecutors who handled the case have since restated their intent (and DOJ’s) to prosecute similar cases.

Creating Effective Compliance Programs

The increased risk of criminal prosecution once again underscores the need for lawyers, compliance officers and internal auditors to document their actions, as well as their interactions with the government. In the end, contemporaneous documentation is the window into the mind of every actor and will protect in-house counsel from criminal prosecution.

Since the government is focusing so heavily on health care fraud and abuse, regulated entities must take action to ensure they are in compliance with the law. And because there is such a rich history of compliance in the health care industry, the risks faced by compliance officers are numerous, involving a number of state and federal laws and regulations.

The challenge for every organization is to create a culture of compliance, to define compliance standards and procedures, and to explain compliance obligations in detail. Health care organizations need to dedicate adequate resources to the compliance function, prioritize training programs and encourage the prevention and deterrence of potential violations. At its core, the compliance program must have a procedure for ongoing risk assessments–the lifeblood and intelligence foundation of every compliance program.

CMS has outlined seven required elements for a compliance program and is planning to update this list. These include:

1. Standards and Procedures, which need to include a code of conduct separate from compliance policies and procedures, training programs for all employees and vendors, and use of certifications to focus compliance attention. Policies and procedures need to be endorsed by senior leadership and the board of directors, who must be committed to them. The policies and procedures need to be reviewed and revised periodically to respond to new risks, and to identify compliance needs and improvements to the program. It is important to monitor and assess the effectiveness of the policies and procedures on an ongoing basis.

2. Training and Education programs developed by the compliance office with personal training seminars keyed to high-risk topics.

3. Oversight Authority, which must be built on the board’s authority, supervision by an audit/compliance committee, and filtered down to the compliance office and designated subject-matter experts on specific risk areas.

4. Monitoring and Auditing procedures and programs, which are developed from a risk assessment and include reviewing previous audits, monitoring other pertinent internal and external information, and the sharing of information and results across the organization.

5. Reporting and Investigation mechanisms, which should include anonymous reporting programs (e.g. hotlines), updating complainants, electronic tracking of investigations, regular reports to leadership, whistleblower protocols, and a non-retaliation policy. In order to prioritize internal investigations, a triaging system needs to be established to rank allegations. A team of investigators should be on call to respond to matters as they arise.

6. Enforcement and Discipline procedures need to be outlined so that matters are handled quickly, efficiently and in a consistent manner.

7. Response and Prevention efforts need to include internal investigations protocols and procedures so that information can be gathered, privileges preserved, and documentation of compliance and investigation efforts reviewed and created.

Criminal prosecutions are fast replacing government civil enforcement. DOJ is committed to aggressive health care fraud enforcement—for now and in the future. Health care entities would be wise to implement proactive measures to avoid the pain and discomfort of an investigation and prosecution.