In a recent landmark decision, the United States District Court for the District of Minnesota dramatically reduced the damages and penalties awarded in a major False Claims Act (“FCA”) case. United States of America ex rel. Kipp Fesenmaier v. The Cameron-Ehlen Group, Inc., et al., Case No. 13-cv-3003 (D. Minn., Feb. 8 2024) (Dkt. 1086). The case initially concluded with a staggering judgment of over $487 million against the defendants. However, after post-trial motions, the court reduced the judgment over 55% to approximately $216 million, citing the Excessive Fines Clause of the federal constitution as a limiting factor.
Continue Reading Monumental Reduction in FCA Damages Based on Excessive Fines ClauseThe Complexities of Assessing Damages in FCA Cases
Calculating and predicting damages in a False Claims Act (“FCA”) case can be a daunting task for the most seasoned FCA practitioners. In fact, even judges presiding over years of litigation and weeks of trial can get it wrong by tens of millions of dollars.
Last week, the United States District Court for the District of Columbia issued an Order and corresponding Memorandum Opinion granting in part and denying in part a motion from the United States to amend and supplement the court’s findings of facts and conclusions of law following a bench trial that concluded in March 2022. United States ex rel. Morsell v. Gen Digital (f/k/a Symantec Corporation), Case No. 1:12-cv-00800 (Jan. 16, 2024) (Dkt. Nos. 374-75).
The court published its initial findings in January 2023, entering a partial judgment in favor of the United States in the amount of $1,229,950 in damages and penalties. In that initial ruling, the court noted that Symantec had knowingly violated the FCA by failing to inform the General Services Administration (“GSA”) about transactions that should have triggered a price reduction clause in the governing contract. Although clear on liability, the court acknowledged its inability to discern damages with any degree of certainty and that any damages assessment would be as reliable as “pulling a number out of thin air.” Id. at 5. Given the lack of clarity, the court “adopted a ballpark (and indeed exceptionally conservative) estimate to serve as a baseline” for damages and awarded the United States $1,068,950.16 in treble damages along with penalties totaling $231,000. Id. at 6-7.
In its amended filings, the court reiterated its initial position on liability; but acknowledged that it had erred in its calculations of both damages and penalties. Id. at 10. After accepting the analysis offered by the United States in post-trial briefing, the court increased the damages finding to $16,121,696.04 and its assessment of civil penalties to $36,872,000. Id. at 29. To put this in perspective, the court’s revised calculations resulted in a number that was more than 40 times larger than its initial assessment.
This ruling demonstrates how difficult it can be to assess damages in an FCA case. Counsel must read more than tea leaves to predict damages in an FCA case. They must: (1) understand the expert analyses from the respective parties; (2) articulate a comprehensive, comprehensible, and compelling approach to calculating damages; and (3) pivot to alternative approaches when it becomes clear that the fact finder is not buying the initial pitch.
For more information on calculating damages, please contact the professionals listed below.
ONC Releases Final Rule on Information Blocking and Health IT Certification Program Updates, Including Requirements Related to AI
On December 13, 2023, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) released the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule.
Continue Reading ONC Releases Final Rule on Information Blocking and Health IT Certification Program Updates, Including Requirements Related to AIOIG Issues Updated General Compliance Program Guidance: Overview of Key Elements & Changes
The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) published the General Compliance Program Guidance (GCPG) on November 6, 2023. The GCPG provides updated descriptions of the seven elements of an effective compliance program that health care entities have long relied upon. The new guidance also includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance.
Starting in 2024, OIG will publish industry segment-specific compliance program guidance (ICPGs) for different types of providers, suppliers, and other participants in health care industry subsectors. OIG emphasized that the purpose of the GCPG and ICPGs is to set forth voluntary compliance guidelines and tips and not to be one-size-fits-all or binding on organizations. We will discuss the implications of compliance with the GCPG in an upcoming alert.
Health care entities should review this updated guidance and evaluate whether their organization should make changes to their compliance program consistent with the updates. While the guidance does not prescribe mandatory requirements, it helps organizations create effective health care compliance programs. Efforts to comply with this guidance are often viewed favorably by OIG should inadvertent noncompliance occur. Below we provide key summaries and notable takeaways from the GCPG.
Updating the Seven Elements of a Compliance Program
OIG’s discussion of the seven elements of an effective compliance program largely tracks prior guidance issued by OIG. However, this updated guidance provides new recommendations and addresses new healthcare business entrants, delivery arrangements, and technologies. OIG’s updated take on the seven elements is briefly summarized below.
(1) Written policies and procedures
Written policies and procedures should continue to include a code of conduct. Compliance policies should be developed under the direction and supervision of the compliance officer and compliance committee and should address the implementation and operation of an entity’s compliance program and processes. OIG’s key new recommendation in the GCPG is that the compliance committee should conduct annual risk assessments to identify and address risk areas, including through policies and procedures.
In the GCPG, OIG outlines the following common risk areas: billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business. OIG highlights that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. OIG also specifically calls out the growing presence of private equity and other forms of private investment in health care and recommends that such investors scrutinize their operations and oversight to ensure compliance with fraud and abuse laws and the delivery of high-quality care for patients.
Policies and procedures should be updated regularly and easily accessible to relevant individuals.
(2) Compliance leadership and oversight
(a) Compliance Officer
OIG reiterates that every entity should designate a compliance officer, who has the authority, stature, access, and resources necessary to lead an effective compliance program. The compliance officer should report directly to the CEO with access to the company’s board of directors and must have sufficient funding to properly run a compliance program. The compliance officer’s primary responsibilities are to advise the CEO, board, and other senior leaders on the compliance risks facing the entity. The compliance officer must have authority to review any pertinent documents, data and information, and must be able to interview anyone related to the organization with respect to any compliance investigation.
Importantly, OIG also outlines that the compliance officer should not: (i) lead, report to or advise the legal or financial departments; (ii) be responsible (directly or indirectly) for the delivery of health care items and services or billing, coding, or claim submission; or (iii) be involved in functions such as contracting, medical review, or administrative appeals.
Compliance leadership makeup may vary depending on the size of the entity.
(b) Compliance Committee
The compliance officer should be the chair of the compliance committee, which should include relevant leaders from both operational and supporting departments – for example, billing and coding, clinical and medical, finance, internal audit, IT, HIM, human resources, legal, quality, risk management, sales and marketing, and other operational managers.
The main role of the compliance committee is to assist the compliance officer in implementing, operating, and monitoring the compliance program. This includes: (i) analyzing applicable legal and regulatory requirements; (ii) developing and updating policies and procedures; (iii) monitoring and recommending internal systems and controls; (iv) assessing training needs and effectiveness; (v) developing a disclosure program and promoting compliance reporting; (vi) assessing effectiveness of the disclosure program and other reporting mechanisms; (vii) conducting annual risk assessments; (viii) developing a compliance workplan; (ix) evaluating effectiveness of a compliance workplan and any action plans for risk remediation; and (x) evaluating the effectiveness of a compliance program. OIG underscores that compliance committee members sometimes mistakenly view their duties as overseeing the compliance officer and compliance program rather than supporting and working with the compliance officer on the compliance program.
OIG recommends that (i) the compliance committee meet once quarterly with an agenda circulated before each meeting; (ii) minutes of the compliance committee meetings are kept to record the Committee’s activities and accomplishments; (iii) individual committee members’ attendance and active participation are included in each member’s performance plan and compensation evaluation; and (iv) the compliance officer periodically report the committee’s performance to the board and examine how the entity implemented committee recommendations.
(c) Board Compliance Oversight
OIG underscores the importance of the board empowering the compliance officer, meeting with the compliance officer at least quarterly, understanding the entity’s compliance risks, overseeing and monitoring the compliance operation and its effectiveness, including with respect to the compliance officer and committee, and receiving an annual compliance report. OIG specifically references the United States Sentencing Commission’s Guidelines that require that an entity’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics effectiveness of the compliance and ethics program.” OIG also points out that corporate boards have a fiduciary duty of care to ensure that “information and reporting systems exist in the organization . . . to allow management and the board, each within its scope, to reach informed judgments concerning… the corporation’s compliance with the law….” In re Caremark, 698 A.2d 959, 970 (Del. Ch. 1996).
OIG provides the Practical Guidance for Health Care Boards on Compliance Oversight as a resource for specific suggestions for how boards can effectively exercise their oversight role.
(3) Providing Appropriate Training and Education
The compliance officer and compliance committee should develop (and review at least annually) (i) a training plan that includes the training topics discussed and the audience for each topic, and (ii) education and training materials that cover the entity’s compliance program, pertinent Federal and state standards and potential compliance risks, and board governance and oversight of a health care entity, including materials addressing concerns identified in audits and investigations. All board members, officers, employees, contractors and medical staff (if applicable) of the entity should receive training at least annually. An entity may waive training requirements for independent contractors that demonstrate a satisfactory compliance program but the compliance officer must ensure that those independent contractors are aware of how to report compliance concerns to the entity directly.
OIG recommends that an entity also develop targeted training for individuals based on their roles and responsibilities and risks specific to those roles and responsibilities, including board members and their compliance oversight responsibilities.
OIG states that there is no preference to whether the training materials are developed by the entity itself, purchased, or obtained through consultants; but emphasized that training must appropriately address the entity’s compliance program and compliance risks. The training must be accessible to all staff, including in several languages if needed due to culturally diverse staff. Finally, OIG recommends that participation in required training should be a condition of employment and a component of an annual performance evaluation.
(4) Maintaining Open and Effective Lines of Communication
OIG recommends that entities inform personnel about the ways they can report any concerns. First, personnel should be able to reach the compliance officer directly (e.g., via email, telephone, messaging) and the entities should explain how on commonly frequented physical and virtual spaces. Second, the compliance committee should develop several independent reporting paths for employees to report their concerns to the committee directly so that reports cannot be diverted by supervisors or other staff.
OIG continues to recommend that the entity have at least one reporting path that allows for anonymous reporting through a channel that is independent of the business and operational functions, such as a hotline, website, email address, or mailbox.
Policies and procedures should include confidentiality and nonretaliation policies. The entity should always strive to maintain the confidentiality of the reporting employee’s identity to the extent possible and always explain any limitations to the employee.
Finally, all disclosures of compliance concerns reported should be recorded in a log maintained by the compliance officer or their designee. The disclosure log should include: (i) the date the report was received; (ii) the individual or department responsible for review; (iii) a description of the investigation’s findings; (iv) any corrective actions taken; (v) any policy or process changes made as a result of the investigation; (vi) the date resolved; and (vii) any resulting referral or disclosure to Federal or state authorities. The compliance officer should regularly include information about concerns received and investigations conducted in communications with the compliance committee and in reports to the CEO and board.
(5) Establish and Enforce Appropriate Standards, Consequences, and Incentives
The organization should establish and publicize its procedures for identifying, investigating, and remediating noncompliance. OIG believes that corporate officers, managers, supervisors, health care professionals, and medical staff should be held accountable for failing to comply with the applicable standards, laws, policies and procedures, or for the foreseeable violations of subordinates where a responsible individual’s failure to detect a violation is attributable to their ignorance, negligence, or reckless conduct. Consequences should be consistently applied and enforced.
OIG also emphasizes the positive role that incentives can encourage participation in an entity’s compliance program. The compliance officer and committee should devote time, thought, and creativity to the compliance activities and contributions that the entity would like to incentivize.
(6) Compliance Risk Assessment, Auditing, and Monitoring
(a) Compliance Risk Assessment
OIG emphasizes the importance of at least annual compliance risk assessments. OIG defines compliance risk assessment for entities participating in or affected by government health care programs as a process for identifying, analyzing, and responding to risk stemming from violations of government health care program requirements and other actions (or failures to act) that may adversely affect the entity’s ability to comply with those requirements. A formal compliance risk assessment process pulls information about risks from a variety of external and internal sources, evaluates and prioritizes them, and then decides which risks to address and how. For example, OIG recommends that all entities use data analytics to highlight outliers or other data trends indicating potential noncompliance.
The compliance committee should be responsible for conducting and implementing the compliance risk assessment. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks, including based on changing or developing laws and regulations. New entrants to health care business must become familiar with the risks associated with their healthcare business operations while seasoned health care operators must ensure they keep up with risks presented by new and evolving lines of health care business.
(b) Auditing and Monitoring
The compliance work plan should include a schedule of audits to be conducted based on risks identified by the annual risk assessment and address routine monitoring of ongoing and known risks. Examples of routine monitoring to known risks include: (i) monthly screening of the LEIE and State Medicaid exclusion lists; (ii) regular screening of state licensure and certification databases; and (iii) annual review of the entity’s policies and procedures.
OIG advises that the compliance committee should ensure that the compliance officer has the capacity to conduct any necessary audits and monitoring, including the capacity to monitor the effectiveness of the monitoring. OIG states that the audits can be done by internal or external auditors, as necessary, and provides the Measuring Compliance Program Effectiveness resource.
Finally, the board should direct the entity to perform the compliance program effectiveness review and have reviewers report findings and recommendations directly to the board. Depending on circumstances, the board may consider outside experts for such a review.
(7) Responding to Detected Offenses and Developing Corrective Action Initiatives
OIG notes that no matter how effective an entity’s policies and procedures are, a compliance officer will inevitably receive a report or audit result that raises concerns. (And, in fact, expressly notes that if, over time, a compliance officer does not receive this type of information, the compliance officer should consider conducting a compliance program effectiveness review). The final element of an effective compliance program is ensuring the entity takes the proper steps to respond to concerns, including through investigation to identify the root cause of the conduct, government reporting of any identified misconduct as necessary, and implementing corrective actions to prevent recurrence in the future.
(a) Investigation of Violations
Compliance officers should act promptly to notify appropriate leaders and coordinate with entity counsel as needed upon receipt of reports or reasonable indications of suspected noncompliance to determine whether a material violation of applicable law has occurred that requires corrective action and reporting. Most internal investigations require interviews and review of relevant documents, so the compliance officer or legal counsel should ensure documents and other evidence are not destroyed. OIG recommends that the compliance officer keep a contemporaneous record of the investigation, which should include: (i) documentation of the alleged violation; (ii) a description of the investigative process; (iii) copies of interview notes and key documents; (iv) a log of the witnesses interviewed and the documents reviewed; (v) the results of the investigation; and (vi) any disciplinary action taken or corrective action implemented.
(b) Reporting to the Government
If credible evidence of misconduct from any source is discovered and, after a reasonable inquiry, the compliance officer has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the entity should promptly (not more than 60 days after the determination that credible evidence of a violation exists) self-report and notify the appropriate government authority of the misconduct. Prompt reporting demonstrates an entity’s good faith and willingness to work with the government to remedy the problem.
OIG also points out that the following types of violations may be so serious as to warrant immediate reporting to the government, before or simultaneous with an internal investigation: (i) clear violation of criminal law; (ii) has a significant adverse effect on patient safety or quality of care provided; and (iii) indicates evidence of systemic failure to comply with applicable laws, an existing corporate integrity agreement (CIA), or other standards of conduct, regardless of impact on federal health care programs.
(c) Implementing Corrective Action Initiatives
Once an entity determines the nature of the misconduct, it should implement prompt corrective action, including (i) refunding overpayments; (ii) enforcing disciplinary policies and procedures; (iii) making any policy or procedure changes necessary to prevent recurrence of the misconduct; and (iv) determining whether misconduct exposed other systemic weaknesses.
Providing Compliance Program Adaptations for Small and Large Entities
OIG acknowledges how the needs, finances, and other resources of an entity vary significantly. The GCPG provides guidance and tips for how small entities can implement an effective compliance program that meets the seven elements even with limited resources. For large organizations, OIG emphasizes the need for significant compliance resources and expertise to develop and monitor a compliance program capable of addressing the breadth and complexity of compliance issues that a large organization faces.
Quality and Patient Safety
Although quality and patient safety considerations are typically treated as distinct from compliance, the GCPG integrates quality and patient safety oversight into existing compliance processes. OIG explains that implementing quality and safety considerations into a compliance program can help to prevent excessive or medically unnecessary services that can lead to overpayments. The GCPG recommends an entity’s compliance committee receive regular reports from senior leadership on quality, patient safety, and adequacy of patient care.
New Entrants in the Health Care Industry
OIG warns that many business practices that are common in other sectors create compliance risk in health care. This is particularly relevant given the increasing number of new entrants in the health care industry, including technology companies, new investors, and organizations providing non-traditional services. The GCPG is equally applicable to new entrants in establishing and operating effective compliance programs for healthcare lines of business.
Resources
Finally, the GCPG references various compliance and legal resources for the health care community to consult for additional assistance, including advisory opinions, compliance toolkits, trainings, and FAQs. Throughout the GCPG manual, OIG provides hyperlinks, practical tips, and helpful examples in easy to digest formats.
OCR Takes Enforcement Action for Phishing Attack
Last week, the Office for Civil Rights (“OCR”) announced a settlement with Lafourche Medical Group (“LMG”), a Louisiana medical group, for a 2021 phishing attack and breach that affected the protected health information (“PHI”) of 34,862 individuals. In addition to paying $480,000 to OCR, LMG agreed to a corrective action plan that will include implementing security measures to protect electronic PHI, developing written policies and procedures to comply with HIPAA rules, and training staff members.
Continue Reading OCR Takes Enforcement Action for Phishing AttackAvoiding a Cautionary Tale: Policy Considerations for Artificial Intelligence in Health Care
On November 8, 2023, the Senate Health, Education, Labor and Pensions (HELP) Committee Subcommittee on Primary Health and Retirement Security discussed the impact of artificial intelligence (AI) on the healthcare sector in the Committee’s second AI hearing in nine days. The hearing comes as the White House and Congressional leaders seek to quickly respond to AI threats, mitigate its dangers, and harness its potential for American industry. Senators discussed the recent Executive Order issued by the White House to guide AI regulation and innovation across all sectors, including in the health and human services sectors.
Continue Reading Avoiding a Cautionary Tale: Policy Considerations for Artificial Intelligence in Health CareOCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security
Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).
Continue Reading OCR Issues Guidance to Providers and Patients on Telehealth Privacy and SecurityHHS Aims to Strengthen Anti-Discrimination Rules for Disabled Patients in New Proposed Rule
On September 14, 2023, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule updating Section 504 of the Rehabilitation Act of 1973 (“Section 504”). The new rule entitled Discrimination on the Basis of Disability in Health and Human Service Programs or Activities(the “Proposed Rule”) is the first major regulatory update to Section 504 in nearly 50 years. Section 504 prohibits discrimination against individuals on the basis of disability in programs and activities that receive Federal financial assistance (“FFA”) or are conducted by a Federal agency. Section 504 covers all health care and human services programs and activities funded by HHS, from providers, like hospitals and doctors that accept Medicare or Medicare, to state child welfare programs, as well as Medicare Advantage Plans, and Medicaid Managed Care Plans.
Continue Reading HHS Aims to Strengthen Anti-Discrimination Rules for Disabled Patients in New Proposed RuleCMS Proposes Minimum Staffing Requirements and Enhanced Facility Assessments for Nursing Homes
On September 1, 2023, the U.S. Department of Health and Human Services, through the Centers for Medicare & Medicaid Services (“CMS”) issued a much anticipated and contested proposed rule that seeks to establish minimum staffing level requirements for nursing homes. The proposed rule represents the first time the federal government has proposed comprehensive nationwide nursing home staffing requirements, although various states have already enacted their own staffing requirements.
Continue Reading CMS Proposes Minimum Staffing Requirements and Enhanced Facility Assessments for Nursing HomesNew Transparency Requirements for Skilled Nursing Facilities in California
On July 21, 2023, the Department of Health Care Access and Information of the California Health and Human Services Agency released a Notice of Proposed Rulemaking (the “Proposed Rule”) with regulations that would implement new financial and ownership transparency requirements for skilled nursing facilities (“SNFs”) in California.
Continue Reading New Transparency Requirements for Skilled Nursing Facilities in California