Exclusion Rules For Those Who Receive Funds From Federal Health Care Programs May Get Even More Complicated

The Office of Inspector General (OIG) of the Department of Health and Human Services identifies the underlying purpose of its exclusion authority as to protect federal health care programs and their beneficiaries from “untrustworthy health care providers, i.e., individuals and entities who pose a risk to program beneficiaries or the integrity of these programs.” The OIG now has published a new proposed rule that would greatly expand the bases upon which it could affirmatively exclude an individual or entity from participation in federal health care programs, and Reed Smith lawyers Carol Loepere, Elizabeth Carder-Thompson, Scot Hasselman, Katie Hurley, and Erin Atkins have prepared a full summary of this proposed rule.

In particular, this summary examines the OIG’s position that there should be no statute of limitations applicable to when it may seek exclusion, because limitless look-back authority could place a tremendous burden on providers and suppliers if their conduct and compliance efforts are second-guessed many years into the future, when supporting documentation and witnesses are long gone. The proposed rule also revises relevant definitions, provides new grounds for exclusion, proposes procedures for early reinstatement, among other things, and is a by-product of provisions of the Affordable Care Act, which expanded the OIG’s exclusion authority and allowed for testimonial subpoenas in investigations of exclusion cases.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted, stolen laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce risks to vulnerabilities of its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as the proliferation of portable devices in the health care industry increases, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity to HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Are Internal Compliance Investigations Privileged? D.C. District Court Rules No

We want to alert life sciences and health care entities to a recent decision out of the U.S. District Court for the District of Columbia.

  • U.S. District Court for the District of Columbia holds documents related to internal investigations of possible violations of corporate code of conduct not protected from disclosure under either attorney-client privilege or attorney work product doctrine
  • Ruling serves as timely reminder for companies in a wide variety of industries to review internal procedures relating to internal corporate compliance program or code of conduct investigations to maximize the likelihood that appropriate privileges will be honored

On March 6, 2014, the U.S. District Court for the District of Columbia granted a qui tam relator’s motion to compel the production of documents relating to the defendant Kellogg Brown & Root Services, Inc.’s (KBR’s) “Code of Business Conduct (COBC) investigations,” holding such documents were not protected from disclosure under either the attorney-client privilege (ACP) or the attorney work product doctrine (AWP). The court concluded that the company’s investigations were conducted pursuant to “regulatory law and corporate policy,” rather than for the purpose of obtaining legal advice. Accordingly, KBR was ordered to produce some 89 documents that it previously claimed as privileged under the ACP and/or AWP. U.S. ex rel Barko v. Halliburton Company, No. 1:05-CV-1276 (D.D.C., March 6, 2014). The court’s broader statements could have significant implications for companies in regulated industries where corporate compliance programs are commonplace, or even required.

For more information, read the full alert written by Reed Smith lawyers Lawrence Sher and Erin Atkins.

China's Life Sciences Regulatory Crackdown: September 10 Update

The regulatory enforcement environment in China remains tense, as both the Chinese government and media bring new actions and allegations against life sciences manufacturers in both the pharmaceutical and device sectors. We are seeing:

  • Increased attention to medical device sector
  • Enforcement actions spreading to smaller cities
  • Continued pressure on pharmaceutical sector
  • Reports of misconduct by local manufacturers
  • Questionable vendors named

Reed Smith continues to monitor the life sciences regulatory and media environment in China and has prepared a summary of recent developments. For additional information, please contact Reed Smith lawyer John Tan at jtan@reedsmith.com.

How to Mitigate Compliance Requirements and Code of Conduct Obligations with Data Protection Regulation: Reed Smith Paris Provided Some Illustrative Examples

As reported on our Global Regulatory Enforcement Blog, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of Compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.

The panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to mitigate compliance obligations, in particular as set forth in Codes of Conduct most International organisations have now adopted, with applicable data protection regulation.  The first example was dedicated to the New French Health Care Regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry with health care professionals (including Medicine students), showing that the disclosure of financial and private information (such as the home address for the medicine students) had to be managed carefully with respect to the data owner’s information and access rights.  To read the full post, click here.

Government Investigations: Don't Forget About D&O Insurance When That Subpoena Arrives

This post was written by Mark S. Hersh and Paul E. Breene.

Government investigations can be both time-consuming and hugely expensive. Earlier this year, the U.S. Department of Justice and the U.S. Department of Health and Human Services announced that its 2011 health care fraud prevention and enforcement efforts resulted in record-breaking recoveries totaling more than $4 billion -- the largest sum ever recovered in a single year. With health care fraud and abuse as a top priority for the current administration, life sciences and health care organizations would benefit from reviewing their insurance policies to ensure they are protected in the event of an investigation.

When an investigation is commenced by a federal or state government entity, a company should have two standard operating procedures: first, hire experienced counsel to respond to the investigation or subpoena; and second, determine whether insurance coverage may be available to pay for what are frequently significant defense costs that may be incurred in connection with the investigation. Securing insurance coverage for subpoenas and informal investigations, both civil and criminal, can be an arduous process, but policyholders who plan ahead and know the pitfalls can give themselves a significant advantage by having coverage to pay for the defense and cost of responding to such an investigation. Failing to secure coverage for an investigation can mean that there will be no coverage if the investigation leads to lawsuits or other legal proceedings.

To learn more about how your life sciences or health care company can secure coverage to protect against costly government investigations, read the full alert.

Supreme Court Rules That Juries - Not Judges - Must Determine Facts Supporting Large Criminal Fines

The Reed Smith Global Regulatory Enforcement Law blog has an interesting post about a recent U.S. Supreme Court ruling that protects the Sixth Amendment rights of defendants in high-stakes criminal cases. In Southern Union Co. v. United States, the Court ruled that any fact supporting a "substantial" criminal fine must be found by a jury applying the "beyond a reasonable doubt" standard. In this post, Efrem M. Grail and Kyle R. Bahr explain the opinion and discuss the wide impact it will have on criminal actions, from investigation to sentencing.

Pennsylvania Federal Court Undercuts Attorney-Client Privilege To Force Disclosure of Information from Internal Company Investigation

Over on the Reed Smith Global Regulatory Enforcement Law Blog, there is an interesting post about a recent Third Circuit opinion concluding that there is no immediate avenue to challenge a court order invading the protections of the attorney-client privilege unless the subject first suffers a judicial contempt citation and risks fines and imprisonment.  In this article, Reed Smith attorneys Kyle Bahr and Efrem Grail highlight the difficult choices faced by clients in protecting their privileged materials from discovery by the Government in federal criminal investigations.

Notes on the National Summit on Health Care Fraud

This post was written by Elizabeth Carder-Thompson.

Last week, in my capacity as president of the American Health Lawyers Association, I attended the first National Summit on Health Care Fraud, a joint undertaking by the U.S. Department of Health and Human Services and the U.S. Department of Justice. The conference brought together private sector leaders, law enforcement personnel, and health care experts as part of the Obama Administration’s coordinated effort to fight health care fraud. This was the first national gathering on health care fraud between law enforcement and the private and public sectors.

I.      Presentations and Trends

Leading the morning session, HHS Secretary Kathleen Sebelius vowed to “prevent, catch, and discourage fraudsters,” stating “Criminals – your days are numbered.” She promised an aggressive new fraud prevention focus, including enhanced Medicare Strike Force activities in a number of US cities, and continued coordinated, multi-agency initiatives under HEAT – the Health Care Fraud Prevention and Enforcement Action Team Secretary Sebelius also stated that, next week, the President’s budget likely will request an additional $1.7 billion in funding for fraud prevention and detection.

Attorney General Eric Holder disclosed that, in 2009, DOJ charged over 800 individuals in health care fraud cases, and obtained 580 convictions so far. DOJ also recovered billions of dollars in False Claims Act (qui tam) recoveries. He also promised that future fraud-busting efforts will include actively engaging the private sector (including Medicare beneficiaries recruited to serve on “Senior Medicare Patrols”), the insurance industry, and health care providers.

A panel comprised of representatives from CMS, FBI, OIG, DOJ, and others who have worked on what they call “the viral fraud cases in the Miami-Dade area” (i.e., spreading like a virus) told stories about the highly-aggressive and coordinated tactics and techniques they now employ. An Assistant United States Attorney who serves as the South Florida Health Fraud Coordinator, Luis Perez, said the days of prolonged subpoena productions, accountant analyses, extended research into cases, and deference to white collar defendants, are over: “We arrest everyone,” he said. His team of government agents and prosecutors seeks to bring the highest possible provable charges as offenses are committed, and then bring in additional evidence during the sentencing phase in order to seek upward adjustments under the Sentencing Guidelines to obtain maximum prison times.

The CEO of the Tufts Health Plan in Boston, James Roosevelt, highlighted anti-fraud tactics increasingly employed by private payers. For example, Tufts has hired Nick Messuri – formerly head of the Massachusetts Attorney General’s Medicaid Fraud Control Unit and a well-known, tough prosecutor in the state – as head of its antifraud group, which includes nine other attorneys. Tufts and other payers conduct their own clinical and other investigations relating to medical necessity, upcoding, miscoding, overutilization, outliers, illegal referrals, and more. Tufts currently has 128 open investigations, some of which are being conducted in cooperation with governmental entities to which it has made reports. 

II.      Investigative and Enforcement Predictions

During the afternoon, attendees were divided into discussion groups to consider such issues as effective law enforcement tactics, the role of states in fraud prevention, effective use of data, and more. A report on the break out-sessions will be published in the future, but some of the common themes I observed – and the future actions I predict – are as follows:

1) There will be heightened cooperation and more aggressive, coordinated enforcement in the public and private sectors to combat fraud, abuse, and waste. The main focus used to be Medicare fraud – now it is health care fraud across-the-board.

2) Increasingly, efforts will be directed at fraud and abuse prevention, and pre-payment scrutiny, rather than just focusing on “pay-and-chase” enforcement. CMS and private payers will be seeking to justify deviating from “prompt pay” requirements in the name of fraud and abuse prevention. A number of speakers commented that investment in health care fraud provides a multiple return – for DOJ, it was a $4 return for every dollar; for Tufts, a $7 return for every dollar; and for OIG, an $8 return for every dollar.

3) There will be increased attention paid to data coordination. Currently, Medicare, Medicaid, and private payers collect and maintain data in different ways, making utilization and other “pattern” comparisons difficult. This is going to change.

4) Governmental entities are directing their resources in a more data-driven and targeted way in order to identify fraudulent patterns. For example, they know that “fraudsters” who used to operate in Miami-Dade are moving up Route 95 into South Carolina and other states. Data shows that those who defrauded fee-for-service programs for a specific item or service, e.g., orthotics and diabetes supplies, are now moving to defraud Medicare Advantage plans. Providers sanctioned and excluded in one state are moving to another. Some of these schemes have worked in the past – but they will not in the future.

5) There will be greatly increased efforts to engage the general public – Medicare beneficiaries, their families, and others – in whistleblowing.

III.     What Does All of This Mean for the Future?

None of us committed to health care in America would countenance or want less than full punishment for “real” health care fraud. Unquestionably, many of the cases cited at the Summit fall in this category – billing for services not rendered, beneficiaries selling their Medicare numbers, false certifications by physicians for items of durable medical equipment, dental clinics pulling children’s teeth unnecessarily to obtain Medicaid payment, clinics billing for outmoded infusion therapy for HIV/AIDS patients, and more. I applaud aggressive and coordinated investigation and enforcement efforts to rid our system of these practices and their perpetrators, and the fraud-fighters in the government clearly are a very smart, very dedicated group 

I worry, however, that the zeal for health care fraud enforcement will inappropriately ensnare committed, compassionate health care providers, suppliers, and manufacturers. In our practice, we are increasingly seeing qui tam relators – whistleblowers – with dollar signs in their eyes, bringing questionable and even frivolous actions against their employers or former employers. We are seeing overburdened prosecutors taking years to make qui tam intervention decisions – while the relators continue to work and gather “data” at their employers’ places of business, to “support” their cases. 

I worry about Medicare contractors, eager to keep their contracts, trying a little too hard to prove to CMS that they are fraud-conscious. I have several supplier clients on 100% pre-pay Medicare review facing significant potential disallowances because a contractor decided for the first time to implement a technical Medicare manual provision about recording a specific date of service – when there is no question from the medical record that medically necessary, physician ordered, and readily documented services were in fact provided.

I worry about constitutional due process. One private insurance company representative at the Summit suggested that the government send announcements to all private payors when any qui tam cases are unsealed, so that the insurance companies can place “edits” on claims filed by the defendants, or at least pre-payment reviews – well before the case has been decided. I worry that the “arrest them all” enforcement mentality will harm the reputations and future livelihood of individuals not yet tried, who are later exonerated. 

There are no easy answers. At a minimum, though, in this rapidly-evolving investigative and enforcement environment, health care providers, suppliers, and manufacturers need to concentrate more than ever before on compliance. Moreover, their compliance efforts need to be real and not token ones, including comprehensive training, and internal auditing and monitoring with real consequences for employees and representatives falling short. The stakes are very high, and the so-called “radar screen” that companies used to joke about “flying under” now reaches all the way to the ground.

Reed Smith will continue to monitor developments with respect to health care fraud as the health care reform debate continues. In the interim, please contact Elizabeth Carder-Thompson in our Washington office if you have questions regarding this topic.

Hospital Agrees to Pay $700,000 To Texas AG For Allegedly Orchestrating an Insurer Boycott of Competitor

This post was written by Diane Green-Kelly and Karl A. Thallner.

In a time of economic crisis, when hospitals, like most other businesses, are struggling to operate within a constrained budget, Memorial Hermann Healthcare System (“Memorial Hermann”) agreed Jan. 26, 2009 to pay $700,000 to settle claims of the Texas Attorney General alleging that Memorial Hermann orchestrated an agreement among health plans not to do business with a new competitor, Town and County Hospital (“Town and Country”).  According to the complaint, Memorial Hermann, which owns and operates acute care hospitals furnishing inpatient care, is the largest hospital system in the Houston area.  Town and County, a physician-owned hospital, opened in November 2005.  Before opening, Town and County approached insurers to enter into contracts to be included in those insurers’ hospital networks.  Memorial Hermann allegedly took steps to discourage insurers from entering into contracts with Town and Country, including sending notification of an intent to terminate its contract with one insurer as to all Memorial Hermann facilities, and subsequently renegotiating a contract with the insurer for substantially higher rates. 

According to the complaint, the rate increase proposed by Memorial Herman exceeded any increase reflective of a reasonably foreseeable change in volume resulting from increased competition from Town and Country. Memorial Hermann also was alleged to have notified another insurer of a 25 percent rate increase after learning that that insurer was considering entering into a contract with Town and Country. According to the Texas AG, that increase exceeded any reasonably expected economic impact of increased competition. Pursuant to the settlement agreement, Memorial Hermann has agreed to refrain from engaging in the foregoing conduct and pay $700,000 to the Texas AG as partial reimbursement for the cost of the investigation.

Now more than ever, especially in light of the current economic woes and the new administration’s stated intention to focus on health care and antitrust enforcement, it is essential that health care providers be prepared for an increase in antitrust enforcement activities at the state and federal levels, and be ready to ensure that contract negotiations are conducted with this in mind. What may be intended to be merely tough negotiation tactics designed to increase revenue or reduce costs may be viewed by government authorities as anti-competitive conduct when coupled with other factors. The decision of a health care provider, or group of health care providers, to revise contractual arrangements to respond to changes in the competitive environment should take care to support proposed changes with objective data. Further, exclusive arrangements between health care providers and suppliers, while often considered to be pro-competitive, should be approached with careful consideration.

Current Issues Under The Civil False Claims Act: Worthless Services, Off-Label Use, and More

This post was written by Elizabeth Carder-Thompson and Andrew L. Hurst.

A dizzying array of civil and criminal provisions address false or fraudulent representations made to, and false claims filed with, Medicare, Medicaid, and state and federal health care programs. This attached article, first published by the American Health Lawyers Association, briefly identifies relevant criminal and civil provisions relating to these issues, and then focuses more closely on recent uses of the civil False Claims Act (“FCA”) in government investigations of health care providers, suppliers, and manufacturers, including a section on state false claims legislation. Finally, it discusses the issue of distinguishing overpayments from false claims and provide information on the voluntary disclosure program of the Office of the Inspector General (“OIG”) of the Department of Health and Human Services (HHS).