Compliance programs are key to reducing legal risk

The Department of Justice is cracking down on inadequate compliance programs. During fiscal year 2018, the Department of Justice (DOJ) opened 1,139 new criminal healthcare fraud investigations, launched 918 new civil healthcare fraud investigations and filed criminal charges in 572 cases involving 872 defendants.

The takeaway from the DOJ’s annual report: Make sure you have an adequate compliance program in place.

In April 2019, the DOJ’s Criminal Division issued guidance entitled, Evaluation of Corporate Compliance Programs. Physicians and providers alike should take note of some key statements contained in this guidance because in the unfortunate event of a criminal investigation or an indictment, prosecutors often consider specific factors when determining whether to bring charges or negotiate plea agreements.

These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” JM 9-28.300 (citing JM 9-28.800 and JM 9- 28.1000).

Additionally, the memorandum entitled “Selection of Monitors in Criminal Division Matters” issued by Assistant Attorney General Brian Benczkowski instructs prosecutors to consider, at the time of the resolution, “whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems” and “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future” to determine whether a monitor is appropriate.

By appreciating “hot areas” of the DOJ, providers can take proactive steps to mitigate the risk of a False Claims Act case and/or criminal investigation. Five measures that physicians and providers should take include:

• Conduct internal audits on billing and coding to ensure the appropriate code is being utilized and submitted for reimbursement;

• Audit corporate books and records to ensure that there is no manipulation or exploitation of inadequate internal controls;

• Utilize enterprise risk management to address everything from HIPAA to cybersecurity to compliance with Medicare conditions of participation;

• Confirm that no kickbacks are either being paid or received; and

• Ensure that the analysis includes testing mechanisms, so your compliance program and the internal controls are adequate.

Compliance begins at the top and with a culture of compliance. Don’t wait until an investigation commences in order to make the necessary changes.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.