Originally enacted in 1863, the False Claims Act (FCA) continues to serve as the key component of the government’s arsenal against fraud, waste, and abuse. In its 150-year history, the statute has undergone only two substantive amendments: one in 1943 and the latest in 1986. According to the Department of Justice (DOJ), “[t]he 1986 amendments strengthened the act and increased incentives for whistleblowers to file lawsuits on behalf of the government, leading to more investigations and greater recoveries.” (Justice Department Recovers Nearly $5 Billion in False Claims Act Cases in Fiscal Year 2012). A whistleblower or qui tam suit can be initiated either by the United States alone or by a “relator” (i.e., a private citizen bringing a claim on behalf of the government). Either way, the potential liability can be significant, especially in health care.
Both the 2009 Fraud Enforcement and Recovery Act (FERA) and Section 6401 of the Affordable Care Act (ACA) expanded liability and narrowed the public disclosure bar. Providers should be cognizant of these changes for several reasons:
• Civil penalties range between $5,500 and $11,000 per violation PLUS treble damages (as provided by statute, three times the amount of actual financial loss per individual violation);
• Criminal penalties may be assessed;
• The ACA includes a provision that an entity MUST report and return a Medicare or Medicaid overpayment within 60 days of discovery to avoid FCA liability; and
• In 2009, the U.S. Attorney General and HHS jointly created the Health Care Prevention and Enforcement Action Team (HEAT).
For providers, this means that this collaborative effort between the DOJ and HHS has resulted in unprecedented recoveries in healthcare. Between January 2009 and September 2012, more than $9.5 billion was recovered in federal healthcare dollars. More recently, in December 2012, Amgen paid $762 million in criminal and FCA liability associated with the sale and promotion of certain pharmaceuticals.
To assess the risk by way of analogy, consider the HIPAA breach settlement that HHS announced on January 2, 2013. In a breach affecting fewer than 500 patients, the Hospice of North Idaho agreed to pay HHS $50,000 to settle “potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” Here, an unencrypted laptop containing 441 patients’ electronic protected health information (ePHI) was stolen, and it was discovered that no risk analysis had been conducted, nor were there adequate policies and procedures in place to address ePHI security as required by the Security Rule.
Here, the fine was $50,000. Now, consider the potential financial liability if this had been brought as a whistleblower suit. The cost per violation ranges between $5,500 and $11,000. The total initial penalties would range from $2,425,500 to $4,851,000. On top of that, treble damages are assessed, which add an additional $7,276,500 to $14,553,000.
Providers should look beyond what HHS has assessed in these circumstances and consider the impact if a qui tam suit is brought. After all, as Principal Deputy Assistant Attorney General Delery indicated, “[t]he whistleblowers who bring wrongdoing to the government’s attention are instrumental in preserving the integrity of the government programs and protecting taxpayers from the costs of fraud.”
By initiating a comprehensive compliance program, as well as approaching risk from an enterprise risk management perspective, providers can mitigate financial, reputational, legal, clinical, and operational harm on a multitude of fronts.
Although the requirement of establishing a compliance program has been around for quite some time, the ACA reiterated its importance. For physicians and other providers, a good starting point is the CMS Manual on Compliance Program Guidelines. (See 75 Fed. Reg. 58204, Sept. 23, 2012 and 76 Fed. Reg. 5862, Feb. 2, 2011). The items contained within reflect an overall focus on effective prevention, detection, and correction of non-compliant areas, as well as minimizing fraud, waste, and abuse. Required core elements include:
• Written policies and procedures;
• Compliance officer and committee;
• Effective training and education;
• Communication protocol;
• Well-defined disciplinary standards and notice of those standards;
• Monitoring and auditing system; and
• Response plan.
After reviewing these items, physicians should meet with their compliance officer or the hospital’s compliance officer, if they are employed. Taking these steps can establish a more collaborative effort among parties, mitigate risk and bring the organization into compliance with the various laws and regulations.