Global Investigations Review - The law and practice of international investigations

The Guide to Monitorships - First Edition

The Healthcare Industry

Wilmer Cutler Pickering Hale and Dorr

For nearly 15 years, the Department of Justice (DOJ) has used independent monitors to address compliance issues with companies accused of violations of healthcare fraud statutes and regulations. The breadth and dynamic nature of those statutes and regulations, the ever-changing structure for delivery of healthcare, and the complexity of the operations of many of these companies present unique challenges to healthcare monitors. This chapter explores the history of healthcare monitorships and how they have worked in practice, with a focus on monitorships imposed by the DOJ's Criminal Division. The chapter proceeds by providing: the historical context; the legal context; enforcement actions and trends; unique challenges; and predictions for the future.

The historical context

The DOJ has prioritised healthcare fraud for more than two decades. In 1993, then-Attorney General Janet Reno cited healthcare fraud as a top priority.2 Similarly, a 1997 DOJ Report referred to healthcare fraud as 'the crime of the nineties'.3 During the 1990s, various government agencies underwent significant changes to meet the demand for increased healthcare enforcement. As one stark measure of the increased focus on healthcare fraud, the number of FBI agents assigned to investigate healthcare fraud in the 1990s increased nearly fivefold – from 112 in 1992 to 500 in 1999.4 The number of criminal healthcare fraud investigations increased nearly sixfold during the same time period – from 520 to 3,000 investigations.5

Around the same time, Congress passed legislation that significantly shaped the landscape of healthcare enforcement, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).6 HIPAA is best known for providing privacy protections to patients, but it also 'federalized much of the law of healthcare fraud'.7 For example, HIPAA required the establishment of the Health Care Fraud and Abuse Control Program (HCFAC), which was designed to coordinate law enforcement efforts with respect to healthcare fraud and abuse at the federal, state and local levels.8 The HCFAC operates under the joint direction of the Attorney General and the Secretary of the Department of Health and Human Services (HHS).9 HIPAA not only fostered the establishment of the HCFAC, but it also helped secure funding for enforcement activities.10 For example, HIPAA established a HCFAC account that provided $104 million for anti-healthcare fraud activities in fiscal year 1997.11 In contrast, $279.5 million in mandatory funding was allocated to the account in fiscal year 2017, which was supplemented by an additional $725 million in discretionary funding appropriated by Congress.12 These funds provide further evidence of the DOJ's commitment to combating healthcare fraud.

The enforcement and legal context

Coordinated efforts

Healthcare enforcement today is the result of coordinated efforts by federal, state and local law enforcement agencies. At the federal level, groups such as the Health Care Fraud (HCF) Unit of DOJ's Criminal Division, the joint HHS/DOJ Healthcare Fraud Strike Forces (the Strike Forces), the Civil Frauds Branch of DOJ's Civil Division, the US Attorneys' Offices (USAOs), the Federal Bureau of Investigation, and HHS OIG, all work collaboratively to combat healthcare fraud. The HCF Unit, within DOJ's Criminal Division, comprises approximately 60 prosecutors whose core mission is to prosecute healthcare fraud cases.13 The unit works closely with the DOJ's 11 strike forces, which are located in over a dozen cities across the United States, including Miami, Florida; Los Angeles, California; and Detroit, Michigan.14 Originally launched in 2007 and expanded in 2009 in the Health Care Fraud Prevention and Enforcement Action Team HEAT Initiative,15 the strike forces aim to focus on the 'worst offenders' engaged in healthcare fraud in the 'highest intensity regions'.16 The strike forces employ a 'cross-agency collaborative approach', which combines resources from the FBI, HHS-OIG, the Centers for Medicare & Medicaid Services (CMS), and other agencies, along with the prosecutorial resources of USAOs.17

The USAOs have long played a major role in healthcare fraud enforcement. They bring criminal and affirmative civil cases to recover funds obtained through fraud, waste and abuse;18 and litigate a variety of healthcare fraud matters, including false billings, overcharges by hospitals, Medicaid fraud, kickbacks, pharmaceutical and medical device fraud, and home health and hospice fraud. Each USAO also has designated criminal and civil healthcare fraud coordinators who work with outside agencies and trial attorneys, which further evidences the DOJ's commitment to healthcare enforcement.19 Not surprisingly, all but one healthcare monitorship imposed through a non-prosecution agreement (NPA) or deferred prosecution agreement (DPA) resulted from a USAO-led investigation.20

Finally, the Civil Frauds Branch of DOJ's Civil Division leads civil enforcement of the Claims Act nationally, and also plays a key role in healthcare fraud enforcement nationwide.

Criminal statutes

The Criminal Division charges a variety of different crimes in healthcare fraud cases, such as:

  • general healthcare fraud;21
  • Anti-Kickback Statute (AKS) violations;22
  • theft or embezzlement in connection with healthcare;23
  • unlawful use of health information;24 and
  • Food, Drug, and Cosmetic Act (FDCA) violations.25

The underlying misconduct that leads to these violations differs, but some common fraudulent activities include billing for no-show appointments; submitting claims for services at higher complexity levels or reimbursement levels than provided or documented; billing for services not furnished; and providing anything of value in exchange for referrals (i.e., providing kickbacks).

Civil statutes

Civil statutes also play a major role in protecting the government from healthcare fraud. The False Claims Act (FCA) and the Stark Law are two key civil statutes used to combat healthcare fraud. The FCA imposes liability on any person who knowingly submits a false claim seeking government funds.26 Both the DOJ and private citizens, known as 'relators', are allowed to bring actions on behalf of the United States asserting FCA violations.

The Stark Law is a civil statute that, together with the Stark Regulations,27 imposes prohibitions on physician referrals and billing where certain financial relationships exist involving physicians or physicians' immediate family members.28 The Stark Law is discussed further in 'Unique aspects of healthcare monitorships', which details some of the unique challenges in healthcare monitorships.

Enforcement actions and trends

The rise of monitorships in the early 2000s

In the early 2000s, corporate scandals, such as WorldCom and Enron, led to increased focus on corporate misconduct, including healthcare fraud. For example, in 2000, the DOJ entered into what was then the largest government fraud settlement in US history – a plea agreement resolving healthcare fraud allegations. The plea agreement was between the DOJ and HCA-The Health Care Company (HCA), which was the nation's largest hospital chain at the time.29 The agreement resolved allegations that, among other things, HCA engaged in fraudulent Medicare billing and paid kickbacks and other remuneration to doctors to induce referrals.30 HCA agreed to pay $745 million to the government, but the total penalty was increased over a number of years through various additional agreements.31 This was followed by numerous high-value criminal or civil settlements involving kickbacks, poor manufacturing practices, and illegal off-label promotion of pharmaceutical products.32

By the early 2000s, the DOJ was also more frequently entering into NPAs and DPAs, which provided useful vehicles for requiring defendant companies to strengthen their compliance programmes and systems through the retention of monitors for the life of the agreement.33 From 2002 to 2005, the DOJ entered into twice as many NPAs and DPAs as it had over the previous 10 years combined.34 In 2005, the US Attorney's Office for the District of New Jersey executed what is likely the first DPA to impose a monitor for healthcare fraud violations – a DPA with University Medicine and Dentistry of New Jersey (UMDNJ) that resolved allegations of double-billing Medicaid.35 The government alleged that UMDNJ's University Hospital submitted claims to Medicaid for outpatient physician services that were also being billed by doctors working in the hospital's outpatient centres.36 In addition to full reimbursement of Medicaid,37 the DPA imposed a term of two years, with a monitor imposed for the full term.

The US attorney who led the UMDNJ investigation later suggested a rationale for the monitorship: 'It would be highly irresponsible to allow a corporation whose prosecution is being deferred to go unsupervised during the deferral period.'38 Over the next several years, the DOJ imposed monitors as a part of some, but not all, NPAs and DPAs. Some viewed the DOJ's monitorship decisions as 'unpredictable' and 'inconsistent'.39 In fact, congressional leaders called for greater transparency into the monitor selection process, hoping to ensure greater consistency among NPAs and DPAs.40 The DOJ responded by publishing general guidelines for monitor selections, such as the 2008 Morford Memo,41 named after its author, then-Acting Deputy Attorney General Craig Morford. As discussed elsewhere in this guide, the memo instructed prosecutors to 'be mindful' of two broad considerations: 'the potential benefits that employing a monitor may have for the corporation and the public'; and 'the cost of a monitor and its impact on the operations of the corporation'.42 The 2018 Benczkowski Memo, also described elsewhere in the guide as well as in 'Predictions for the future', supplemented the Morford Memo.

Healthcare fraud resolutions to date in which a monitor was imposed include:

  • the 2007 settlements with DePuy Orthopedic, Inc; Smith & Nephew, Inc; Zimmer Holdings; Biomet; and Stryker (resolving allegations of kickback conspiracies through DPAs and NPAs, imposing 18-month monitorships on each company);43
  • the 2009 settlement with WellCare Health Plans, Inc (resolving allegations of fraudulent billing through a three-year DPA, imposing an 18-month monitorship);44
  • the 2010 settlement with Wright Medical Technology, Inc (resolving allegations of kickbacks through a DPA, imposing a 12-month monitorship);45
  • the 2010 settlement with Exactech, Inc (resolving allegations of kickbacks through a DPA, imposing an 18-month monitorship);46
  • the 2011 settlement with Maxim Healthcare Services, Inc (resolving allegations of fraudulent billing through a DPA, imposing a two-year monitorship);47
  • the 2016 settlement with Olympus Corporation of the Americas (resolving kickback allegations through a DPA, imposing a three-year monitorship);48 and
  • the 2016 settlement with Tenet HealthSystem Medical, Inc (resolving kickback violations through an NPA, imposing a three-year monitorship).49

Since 2005, the DOJ has imposed monitorships in at least 12 NPAs or DPAs resulting from violations of healthcare laws. Ten of the healthcare monitorships stemmed from investigations by the USAO for the District of New Jersey. Five of the 12 related to a conspiracy to pay kickbacks in the hip and knee industry. The other seven related to other kickback allegations and billing fraud. Most of these monitorships were for terms of 18 to 24 months. Three-year terms have been imposed only twice in the past 14 years, in resolutions with Olympus Corporation of the Americas and Tenet HealthSystem Medical, Inc. The defendants subject to the monitorships over this period have included hospital systems, home healthcare providers, medical technology companies, and medical equipment distributors.

Each of the monitorship agreements sets forth the duties and responsibilities of the monitor, generally to assess, oversee and monitor the company's compliance programme to reduce the risk of repeat violations of the healthcare laws. In fulfilment of those duties and responsibilities, monitors use guidance from both the DOJ and OIG50 on effective compliance programmes, structuring their review to assess elements such as analysis and remediation of underlying misconduct, compliance department autonomy and resources, training and communications, policies and procedures, and audit and monitoring. In some cases, the monitors may be required to review employment practices and make recommendations regarding the hiring or firing of senior management, and other relevant personnel. The monitor provides periodic reports of its findings and recommendations to the DOJ and the company and monitors the implementation of earlier recommendations. Typically, the monitored company is required to implement the monitors' recommendations or explain to the DOJ why it has declined to do so. Accordingly, the monitor must also assess whether recommendations from an earlier monitor period were successfully implemented within the organisation before the monitorship comes to a close.

Corporate integrity agreements

Companies that avoid a monitor as a part of their criminal resolutions are not necessarily 'off the hook' when it comes to governmental oversight related to compliance systems. HHS-OIG commonly imposes separate civil agreements in healthcare enforcement actions, including corporate integrity agreements (CIAs). The first CIA was executed by HHS-OIG in the mid 1990s.51 CIAs have been entered into by hospitals and health systems; physician practices; long-term care facilities, such as skilled nursing facilities; life science companies, including medical device manufacturers, pharmaceutical companies, and durable medical equipment suppliers; ambulance companies; laboratories; and rehab and therapy providers, such as wound care.

Similar in certain respects to monitorships, CIAs usually impose oversight by independent review organisations (IROs). In contrast to a monitorship, a CIA is agency-enforced. CIAs are usually more detailed and prescriptive than monitorship agreements. For example, CIAs usually require IROs to conduct specific claims reviews, such as the review of 50 randomly selected claims.52 CIAs also require IROs to employ individuals with specific credentials to assist with the monitoring, including 'individuals who have a nationally recognized coding certification to conduct the coding portion' of the IRO's review.53 Stipulated penalties are enforced for failure to comply with CIA obligations, and an entity's non-compliance can result in exclusion.54

Unique aspects of healthcare monitorships

Healthcare monitors perform the same general compliance monitoring and reporting duties as monitors in other contexts, but also face unique challenges relating to:

  • the complex and dynamic nature of healthcare fraud;
  • reporting requirements;
  • corporate structure and governance;
  • conduct of the monitorship;
  • complicated accounting and financial assessments; and
  • constantly changing modes of healthcare delivery.

The complexity of healthcare fraud

Healthcare fraud is complex for a number of reasons. First, under healthcare's traditional fee-for-service model, where providers (e.g., physicians, physician groups, hospitals) are compensated per unit of health service provided,55 there are numerous steps in the provision of and payment for those services and, thus, numerous ways to commit fraud. To name a few, providers can: bill for more expensive services than were actually provided or performed (known as upcoding); 56 bill each step of a procedure as if it were a separate procedure (known as unbundling);57 or bill for the same service more than once (known as double-billing). Healthcare monitors must not only be familiar with these fraudulent practices, but they must also anticipate new ways in which healthcare fraud can occur in the future.

Second, pharmaceutical and device manufacturing companies present unique compliance challenges because their primary goal is to sell a product.58 Employees at manufacturing companies often receive mixed messages from company leaders – they attend compliance trainings about the importance of integrity in business dealings, then attend a sales meeting where they are pressured to increase sales. Under these circumstances, monitors must remediate healthcare fraud under a profit-driven model. Monitors must scrutinise the company's business plans and place emphasis on strengthening the company's 'tone at the top' and 'conduct at the top'.59 Considering compliance as a part of an employee's performance evaluation or compensation structure is particularly important in these cases. Employees should know that they will be rewarded for doing business the right way in a compliant fashion, not just for profitability.

Third, the multiple parties involved in the delivery of healthcare services and products enter into agreements that can run afoul of the law; for example, by providing something of value in exchange for referrals of patients or customers (known as kickbacks). The AKS makes it a felony to knowingly and wilfully solicit, receive, offer or pay anything of value in exchange for the referral of federal healthcare programme business.60 The term 'anything of value' is construed broadly, and includes, among other things, gifts, discounts and free space.61

There are more than 30 safe harbours to the AKS, which scale back the broad prohibitions of the statute and simultaneously complicate it.62 Take, for example, an analysis of physician compensation, one of the most significant AKS risks. Payments to physician employees of a hospital could constitute remuneration intended to induce the employees to recommend programme-related goods or services. The Bona Fide Employment Exception safe harbour, however, generally protects compensation arrangements between hospitals and hospital-affiliated physician practices. The exception covers any amount paid by an employer to a physician (or immediate family member) who has a bona fide employment relationship with the employer if certain enumerated conditions are met.

Further, kickbacks encompass more than cash exchanges, gifts, or traceable wire transfers. At first blush, kickbacks can appear as something completely innocuous, such as a job promotion, a directorship agreement, office space rented at below fair market value, a teaching agreement, an on-call agreement, or a consulting agreement. These are items of value, and there is the potential that they might unlawfully be provided in exchange for referrals. Accordingly, monitors should look beyond the traditional assessments of whether an agreement is in writing and payments match invoices. They must review fair market value of the compensation, the totality of the physician's job positions, roles and responsibilities, and the physician's volume of referrals to the hospital. Monitors should assess whether and how physician-specific volume data is generated, who has access to that data, and for what purposes. The number and variation of relationships that could give rise to a kickback, as reflected in the many AKS safe harbours, complicate the work of the healthcare monitor.

Not only must healthcare monitors develop expertise on applicable healthcare laws to provide meaningful recommendations for mitigating compliance risks, they must be prepared for constant change. For example, on 25 June 2018, HHS announced a Regulatory Sprint to Coordinated Care, led by Deputy Secretary Eric Hargan.63 The initiative is designed to '[r]emov[e] unnecessary government obstacles to care coordination.'64 The plan involves:

identifying regulatory requirements or prohibitions that may act as barriers to coordinated care, assessing whether those regulatory provisions are unnecessary obstacles to coordinated care, and issuing guidance or revising regulations to address such obstacles and, as appropriate, encouraging and incentivizing coordinated care.65

On 30 January 2019, Deputy Secretary Hargan announced that HHS is close to finalising new healthcare fraud reforms related to this initiative, but he did not reveal the details of those reforms.66 Additionally, OIG issued a Request for Information seeking input to, among other things, help 'identify ways in which it might modify or add new safe harbors to the' AKS in August 2018.67 Providers will respond, as they must, to these regulatory changes, and so too must monitors. In short, healthcare monitors must manage the ever-changing nature of healthcare fraud laws and regulations.

Reporting requirements

NPAs and DPAs involving a monitor typically include reporting requirements for the company and for the monitor. Reporting requirements vary by agreement. Most are very broad, requiring the reporting of 'any credible evidence of criminal conduct or serious wrongdoing by, or criminal investigations of, the Company, its officers, directors, employees and agents, of any type that become known to the Company after the Effective Date'.68 Others are more narrow, requiring the reporting 'of evidence or allegations of actual or potential violations of the [AKS]'.69 Both approaches can prove challenging.

In the case of broad reporting requirements, the company risks overreporting, which can be detrimental. It can consume so many resources to identify, report and investigate that larger issues cannot receive the attention they demand. Narrow reporting requirements, on the other hand, can be ill-defined, which can lead to inconsistent reporting. It is vital for companies and monitors to understand the relevant reporting requirements because a failure to report may result in a breach of the agreement and subsequent extension of the monitorship. In addition, failures to report may deprive the monitor of critical information to investigate potential compliance system weaknesses and may deprive the DOJ of information it needs both for enforcement purposes and to inform its prioritisation of future monitor reports. As such, companies should have candid and frequent conversations with the DOJ and the monitor to clearly delineate reporting requirements early on and to foster a reporting process that is driven by a compliance focus rather than a legal focus. Fundamentally, monitors and companies must approach their reporting obligations with a determination to identify circumstances of concern and report them quickly and with transparency.

The Stark Law provides a specific example of the complexity of reporting requirements in a monitorship focused on the AKS. The Stark Law prohibits a physician from referring a patient to an entity for the provision of designated health services if the physician or the physician's immediate family member has a financial relationship with that entity. 70 Additionally, the Stark Law prohibits entities from billing for designated health services furnished pursuant to a prohibited referral.71 Like the AKS, the Stark Law also has its exceptions. 72 But unlike the AKS, the Stark Law is a civil statute that does not have an intent requirement. The Stark Law is a strict liability statute.

Because the Stark Law is civil, the AKS-focused monitorships have not required the reporting of Stark Law violations. Stark Law violations, however, can give rise to 'evidence' of an AKS violation, which is reportable. For example, the provision of services without a contract potentially violates the Stark Law, but without intent there is no AKS violation. The provision of services without a contract for a lengthy period of time, however, might suggest the absence of a contract is intentional, which may stem from an intent to induce referrals. The interplay between the AKS and the Stark Law is nuanced and complicates the monitor's role in ensuring the company meets its reporting obligations.

Finally, NPAs, DPAs, and associated monitorship agreements also impose reporting requirements directly on the monitors, and the complexity of healthcare fraud statutes and regulations and the potential implications for patient safety can introduce complications for the monitor. First, some reporting obligations arise from potential violations of the full range of healthcare fraud laws. That presents a challenge where those laws stretch beyond the particular focus of the monitorship. Moreover, in some instances, the DOJ requires the monitor to report potential misconduct solely to the DOJ, and not to the company being monitored. This reporting requirement often relates to misconduct that presents an elevated risk to the public. This requires the monitor to make judgements not only on potential legal and compliance policy violations, but also on public safety risks.

Corporate structure and governance

Understanding the corporate structure and governance of an organisation is essential to making well-informed compliance recommendations. Healthcare providers and supplier networks are often comprised of several different types of facilities. Adding to the complexity, facilities are often spread out geographically, spanning several states and, in some instances, multiple countries. The decentralised nature of these companies makes it difficult to assess whether the compliance programme is appropriately resourced and structured. Some of the critical questions are:

  • How many compliance coordinators and leaders should be placed at each facility?
  • How many layers of oversight should there be between frontline employees and headquarters?
  • How does the organisation foster consistency in compliance across different business or sales units?
  • How should compliance responsibilities be divided?
  • What is the appropriate amount of resources for the proposed compliance model?

The more complex the organisation, the more difficult it is to answer those questions.

Healthcare monitors are expected to be familiar with how the compliance programme works at all levels of the company, starting with the company's board of directors (the Board). The Board sets the compliance 'tone at the top', including through its allocation of resources, receipt of direct reports from the compliance department, and its prompt and effective handling of compliance weaknesses and failures. The Board can also provide information on company benchmarks, plans for future acquisitions and dissolutions, and plans for keeping up with an ever-changing regulatory landscape. Board engagement is a critical component of any successful monitorship. Monitors should confer with members of the Board early on and remain in contact throughout the monitorship. If possible, monitors should also attend Board meetings and review Board materials to foster transparency and open lines of communication. Monitor attendance at Board committees entrusted with compliance and ethics, and related functions such as audit, may be a critical way to gain insights.

Conduct of monitorship

The conduct of a monitorship in this area, as in others, demands significant interaction with the company's compliance department. The relationship between the monitor team and the compliance department should be a mutually supportive one. After all, achieving the best possible compliance programme and systems for the company is the central mission of both the monitor and the compliance department. And compliance department leadership and personnel are often the best sources of information for the monitor. At the same time, it is important for the monitor to remain independent of the compliance department and bring independent judgement to assessing the information and activities presented by the compliance department.

The thorough assessment of a company's compliance system requires a number of key steps. The monitor must review compliance resources to determine whether they are adequate, appropriately distributed in the field, sufficiently independent, and influential with management at the facility, headquarters and executive levels. The monitor should conduct similar reviews of the legal department, audit department and other functional areas key to the compliance programme. The monitor should assess the compliance programme 'on paper' – for example, the adequacy of compliance policies, risk assessments, structures, procedures and training. But it is even more critical for the monitor to assess how the programme works in practice. That requires field visits for organisations that are decentralised and witness interviews of not only executive, compliance and legal personnel, but also operational personnel whose conduct is at the centre of the compliance risk.

In many respects, the nuts and bolts of the monitor's work is similar to that of an internal investigation conducted by company counsel – thorough collection and review of documents (including email) and witness interviews. But the independence of the monitor – the monitor is a lawyer, but the company is not her client – introduces differences from the typical investigation by counsel. For example, the involvement of the company's legal department in transactions of interest to the monitor may require the monitor to request that the company waive privilege for those transactions. Given the sensitivity of waivers, including the possibility that the company may face third-party requests for waived materials in the context of litigation, it is best for the monitor to request waivers only where necessary and craft the waiver requests as narrowly as possible. Moreover, Upjohn warnings73 at the outset of witness interviews are not appropriate for monitor interviews because the monitor is not company counsel and the interviews are not covered by the attorney–client privilege. But it is appropriate to request that the interviewee does not discuss the interview with others, so as to encourage independent views of subsequent interviewees. In addition, it is important for the monitor to emphasise with interviewees that the purpose of the monitorship is to improve the company's compliance and that they should be candid with the monitor even when they have criticisms to share. Offering confidentiality to the interviewee (but there may be circumstances – for example, a subpoena – where the monitor would have to share the information with others) can help foster candour.

Another key component of a monitorship is testing. Whether the relevant legal issues involve the accuracy of coding and billing or agreements with referral sources that involve AKS risk, it is critical that the monitor sample relevant transactions for compliance with company policy and the law. The sample size (and distribution across a decentralised enterprise) and the substance of the testing must be adequate to satisfy the monitor that she will uncover any significant or systemic problems. The monitor should consider partnering with a forensic accounting expert in the area to assist with the sampling and testing.

There are a number of challenges for healthcare monitors, beginning with frequent corporate transactions. For example, a health system may acquire stand-alone hospitals or even an entire hospital network, consisting of dozens of hospitals or other facilities. Inevitably, some employees at the newly acquired facilities may leave the company or refuse to adopt change. Where the acquisition increases the geographic reach of the organisation, it may become difficult for company leaders, including the compliance and legal departments, to maintain an effective presence on the ground, which may embolden employees to ignore compliance guidance. Monitors are expected to assess their recommendations in light of how an acquisition (or dissolution) impacts the company's compliance system both to assist in the development of a new system that works given the current state of the company and is durable enough to accommodate future changes.

In addition, the healthcare field has the second highest turnover rate in the country – second only to hospitality.74 High turnover on the Board and at executive levels can present challenges with the organisation's management of change, such as a lack of ownership over compliance issues and lack of commitment to long-term compliance goals. High turnover in mid-management and at the facility level also presents compliance challenges and risks. Monitors should consider conducting exit interviews of key departing employees to assess compliance risks and develop recommendations for dealing with change management.

Finally, the DOJ has repeatedly and consistently emphasised the need for a strong compliance culture, noting that positive 'change[] in corporate culture' is a key consideration when deciding whether to impose a monitor.75 That culture should exist at every level within the company, from individual facilities, through market or regional management, to corporate executives, to the Board. Monitors assess culture through interviews with personnel at each level, detailed assessment of operations on the ground through field visits, and ethics and compliance surveys. Those surveys provide useful snapshots of the culture at different levels within the organisation and can help to guide both the company's compliance department and the monitor in terms of areas of future focus. In addition, repeating the survey, even after the completion of the monitorship, can provide company management with invaluable trending data on how well the company is developing its culture of compliance.

Complicated accounting and financial assessments

Internal audit functions and accounting practices play a critical role in detecting compliance issues, especially with respect to improper billing or kickbacks. As noted above, healthcare fraud schemes are varied in nature and often are not easily detected in a company's documentation, books and records. Yet, drilling down into those details can be an invaluable tool for uncovering and correcting flaws in the company's compliance programme. Payment documentation, such as ledgers, invoices, pay checks and other financial records must be examined by someone who understands, in detail, healthcare accounting and billing. Monitors often engage forensic accountants with healthcare billing and valuation experience to help identify and remediate compliance risks in the billing and kickback areas. The accountants can help test arrangements with referrals sources, review leases, provide recommendations for audit practices, and use predictive analysis to help identify compliance issues before they occur. Healthcare monitors are not alone in turning to experts for assistance; but there is no question that the transactions that raise compliance risks in this area are of a particularly high degree of complexity and breadth.

Evolving modes of healthcare delivery

Healthcare monitors must also be familiar with the different compliance risks presented by evolving modes of delivery of healthcare services and products. For example, healthcare networks sometimes comprise a variety of facilities, including traditional acute care hospitals, but also newer ambulatory centres, short-stay hospitals, and urgent-care centres. Each type of facility presents a different risk profile. Acute care hospitals have dozens or even hundreds of agreements with referral sources, each presenting the risk that the network is paying the physician or other referral source to obtain referrals to the network in violation of the AKS or the Stark Law. ASCs and some surgical hospitals may be jointly owned by physician and the healthcare network. This presents an entirely different and potentially serious set of compliance risks for the monitor to evaluate, namely that the network is conditioning physician ownership on the volume or value of referrals to the facility in which the network has a financial interest.76 These sorts of nuances permeate our healthcare system, and given the importance of healthcare in our political debate, more changes in healthcare delivery are inevitable. This will only further complicate the work of healthcare monitors.

Predictions for the future

The DOJ's priorities in the past few years have remained focused on healthcare fraud, but there may be a cooling of interest in monitorships in this area.

First, the DOJ has moved, and will likely continue to move, towards greater individual accountability. Historically, the DOJ placed greater emphasis on prosecuting organisations than on holding individuals responsible for the misconduct that led to the violations. Recently, the DOJ increased its focus on individuals, with the understanding that individual accountability may lead to greater deterrence.77 In 2017, Deputy Attorney General Rod Rosenstein observed that high corporate fines 'do not necessarily directly deter individual wrongdoers' because 'at the level of each individual decision-maker, the deterrent effect of a potential corporate penalty is muted and diffused'.78 Thus, he made clear the DOJ's continuing commitment to hold individuals accountable for corporate wrongdoing. In August 2018, HCF Unit Chief Joseph Beemsterboer noted that the HCF Unit and the USAOs are 'tackling . . . really bad professionals and doctors. . . . For the Health Care Fraud Unit, the focus is on individuals.'79

The statistics reflect the DOJ's shifting priorities. In 2016, the DOJ entered into five healthcare fraud-related NPAs or DPAs – two DPAs and three NPAs.80 In 2017, the DOJ entered into four healthcare fraud-related NPAs or DPAs – three DPAs and one NPA.81 In 2018, the DOJ entered into only one healthcare fraud-related criminal settlement – an NPA with Health Management Associates, LLC (HMA).82 At the same time, there has been a significant increase in individual enforcement actions. For example, as compared to 2017, in 2018 the HCF Unit had a 56 per cent increase in opioid defendants, and a 40 per cent increase in the number of individuals charged.83 Further, the DOJ announced two record-breaking recoveries against individuals within the past two years. In July 2017, the DOJ announced what was, at the time, the largest healthcare fraud enforcement action by the Medicare Fraud Strike Force against 412 individuals in 41 districts involving $1.3 billion in alleged fraud.84 Charges included medically unnecessary treatments, treatments that were never provided, and kickbacks.85 Many of the charges focused on opioid prescriptions and distribution.86 Then in June 2018, the DOJ broke that record when it announced charges against 601 individuals in 58 districts involving more than $2 billion in alleged fraud.87

The DOJ has also refined its approach to corporate monitors. In October 2018, Assistant Attorney General (AAG) Brian Benczkowski issued new guidance regarding the decision whether to require a corporate monitor and the selection process in Criminal Division matters (the Benczkowski Memo).88 AAG Benczkowski said the memo is intended to 'further refine the factors that go into the determination of whether a monitor is needed, as well as [to] clarify and refine the monitor selection process'.89 When a monitorship is needed, financial costs of the monitorship are a central consideration – in other words, DOJ attorneys should consider whether the monitorship's scope is narrowly tailored 'to avoid unnecessary burdens to the business's operations'.90 The guidance may lead to fewer monitorships.

In fact, the September 2018 settlement of a criminal investigation involving HMA is a good example of the DOJ's current views of monitorships.91 The government alleged that HMA, among others:

  • knowingly billed federal healthcare programmes for inpatient services that should have been billed as outpatient or observation services;
  • paid remuneration to physicians in return for patient referrals; and
  • submitted inflated claims for emergency department facility fees.

HMA entered into a three-year NPA with the DOJ, but no monitor was imposed. The DOJ noted that a compliance monitor was not necessary given 'HMA and HMA Parent's remediation and the state of their compliance program, the CIA between HHS-OIG and HMA Parent, and their agreement to' self-report compliance issues.92

Conclusion

Twenty years after the DOJ described healthcare fraud as 'the crime of the nineties', it remains a top priority of the DOJ. While the DOJ's current approach reflects a refinement of its approach to monitorships in corporate healthcare cases, we have surely not seen the end of monitors in this area. There is too much federal money in the healthcare system; too much fraud; and administrations and their priorities will change. Healthcare monitors will undoubtedly continue to face a set of compliance challenges from highly complex laws and regulations, ever-changing corporate structures and healthcare delivery modes, and high degrees of sophistication and variation in the manner by which fraud is perpetrated on the system.


Footnotes

1 David Ogden and Ronald Machen, partners at WilmerHale, are co-monitors in a healthcare fraud monitorship led by the Department of Justice's Criminal Division. Stephen Jonas, a WilmerHale partner, and Ericka Aiken, a WilmerHale senior associate, are members of that co-monitor team.

2 US DOJ Health Care Fraud Report Fiscal Years 1995 & 1996 (October 1997), https://www.justice.gov/archives/opa/us-department-justice-heatlh-care-fraud-report-fiscal-years-1995-1996.

3 id.

4 Salinger, Encyclopedia On White Collar And Corporate Crime, Vol. 1, at 394 (2005).

5 id.

6 See Pub. L. No. 104-191, 5701 110 Stat. 1936 (1996).

7 Hyman, David, 'HIPAA and Health Care Fraud: An Empirical Perspective', Cato Journal, Vol. 22, No. 1, 155 (2002), https://pdfs.semanticscholar.org/98ff/f0f837ae669cdbad7c1ed5d8010e541635e0.pdf.

8 HHS-OIG, Health Care Fraud and Abuse Control Program Report, https://oig.hhs.gov/reports-and-publications/hcfac/index.asp.

9 id.

10 HHS-OIG; 'Health Care Fraud and Abuse Control Program Report for Fiscal Year 2017' (April 2018) https://oig.hhs.gov/publications/docs/hcfac/FY2017-hcfac.pdf.

11 US Gov't accountability Off., GAO 11-446, Health Care Fraud and Abuse Control Program: Improvements Needed in Controls over Reporting Deposits and Expenditures (2011), https://www.gao.gov/assets/320/318299.html. A portion of these funds are to be used only for activities of the HHS-OIG, with respect to the Medicare and Medicaid programmes. For example, HCFAC appropriations supported over 66 per cent of the DOJ's healthcare fraud funding and over 75 per cent of HHS-OIG's appropriated budget for FY 2017. Supra note 10.

12 Supra note 10, at 3.

13 US DOJ, Fraud Section Year in Review 2018 (January 2019), https://www.justice.gov/criminal-fraud/file/1123566/download.

15 Eric Holder, Attorney General, US DOJ, Remarks at the HEAT Press Conference on Detroit Takedown (29 June 2009), https://www.justice.gov/opa/speech/attorney-general-eric-holder-heat-press-conference-detroit-takedown.

16 id.

17 id.

18 Supra note 10, at 72.

19 id.

20 See 'Enforcement actions and trends'.

21 18 U.S.C. Section 1347.

22 42 U.S.C. Section 1320a-7b(b).

23 18 U.S.C. Section 669.

24 42 U.S.C. Section 1320d-6.

25 21 U.S.C. Section 301 et seq. FDCA violations include off-label marketing; Good Manufacturing Practice (GMP) violations; and manufactured compound drugs.

26 See 31 U.S.C. Section 3729 et seq.

27 From 1991 through 1998, the Centers for Medicare and Medicaid Services (CMS) (formerly the Health Care Financing Administration) implemented a series of regulations (the Stark Regulations) to provide further guidance on the Stark Law. The Stark Regulations were codified as 42 C.F.R. Sections 411.350-411.389.

28 42 U.S.C. Section 1395nn(a)(1)(A).

29 Press Release, US DOJ, 'HCA – Largest Government Fraud Settlement in U.S. History' (December 2000), https://www.justice.gov/archive/opa/pr/2000/December/696civcrm.htm. One of the authors led the Civil Division as the Assistant Attorney General at the time DOJ reached this settlement with HCA.

30 id.

31 Press Release, US DOJ, 'HCA – Largest Government Fraud Settlement in U.S. History' (December 2000), https://www.justice.gov/archive/opa/pr/2000/December/696civcrm.htm.; see also Press Release, US DOJ, 'Largest Health Care Fraud Case in U.S. History Settled HCA Investigation Nets Record Total of $1.7 Billion' (26 June 2003), https://www.justice.gov/archive/opa/pr/2003/June/03_civ_386.htm; see also HCA 2003 Annual Report, 17, http://media.corporate-ir.net/media_files/irol/63/63489/pdfs/2003ar.pdf.

32 e.g., Press Release, US DOJ, 'TAP Pharmaceutical Products Inc. and Seven Others Charged with Health Care Crimes; Company Agrees to Pay $875 Million to Settle Charges' (3 October 2001), https://www.justice.gov/archive/opa/pr/2001/October/513civ.htm; Melody Peterson, 'Drug Maker to Pay $500 Million Fine for Factory Lapses', NY Times (18 May 2002), https://www.nytimes.com/2002/05/18/business/drug-maker-to-pay-
500-million-fine-for-factory-lapses.html; Press Release, United States DOJ, 'Serono to Pay $704 Million for the Illegal Marketing of Aids Drug' (17 October 2005), https://www.justice.gov/archive/opa/pr/2005/October/05_civ_545.html; Press Release, US DOJ, 'Pfizer to Pay $2.3 Billion for Fraudulent Marketing' (2 September 2009), https://www.justice.gov/opa/pr/justice-department-announces-largest-health-care-fraud-settlement-its-history; Press Release, US DOJ, 'Johnson & Johnson to Pay More Than $2.2 Billion to Resolve Criminal and Civil Investigations' (4 November 2013), https://www.justice.gov/opa/pr/johnson-johnson-pay-more-22-billion-resolve-criminal-and-civil-investigations.

33 Global Investigations Review, Fountain Court Chambers, Clifford Chance LLP, 'Monitorships' (4 January 2017), https://globalinvestigationsreview.com/chapter/1079360/monitorships.

34 Matyas & Snyder, 'Monitoring The Monitor? The Need For Further Guidance Governing Corporate Monitors Under Pre-Trial Diversion Agreements', as appeared in BNA's Health Care Fraud Report, Epstein Becker Green (14 April 2009), https://www.ebglaw.com/news/monitoring-the-monitor-the-need-for-further-guidance-
governing-corporate-monitors-under-pre-trial-diversion-agreements-as-appeared-in-bnas-health-care-
fraud-report/#_ftn1; see also Russell Mokhiber, 'Crime Without Conviction: The Rise of Deferred and Non Prosecution Agreements', Corporate Crime Reporter (28 Dec. 2005), https://www.corporatecrimereporter.com/news/200/crime-without-conviction-the-rise-of-deferred-and-non-prosecution-agreements-2/.

35 The DOJ does not keep a comprehensive list of all NPAs and DPAs to-date on its website. Scholars and universities, however, have maintained repositories of NPAs and DPAs collected over the years. Multiple repositories suggest that the UMDNJ DPA is the first time a monitor was imposed in a criminal resolution to resolve alleged violations of healthcare fraud. See, e.g., University of Virginia Law, Corporate Prosecution Registry, Data and Documents, http://lib.law.virginia.edu/Garrett/corporate-prosecution-registry/browse/browse.html.

36 id.

37 id.

38 Christopher J Christie and Robert M Hanna, 'A Push Down the Road of Good Corporate Citizenship: The Deferred Prosecution Agreement Between the U.S. Attorney for the District of New Jersey and Bristol-Myers Squibb Co.', 43 Am. Crim. L. Rev. 1043, 1054 (2006). USA Christie's remarks were made in reference to the imposition of a monitor against Bristol-Myers Squibb for alleged securities violations a few months before his office imposed the monitor in the UMDNJ resolution. While USA Christie did not directly address his reasons for imposing the UMDNJ monitor, his remarks shed light on his rationale.

39 See Kathleen Boozang, '“Monitoring” Corporate Corruption: DOJ's Use of Deferred Prosecution Agreements in Health Care', Am. J. of Law & Med. 35 (Feb. 2009).

40 Press Release, United States House of Rep, Remarks of Bill Pascrell (26 November 2007); see also The Accountability and Deferred Prosecution Act of 2014, H.R. 4540, 113th Cong. (2014) (calling for the establishment of rules for the selection of independent monitors for DPAs).

41 Memorandum from Craig S Morford, Acting Deputy Attorney Gen., to Heads of Department Components, United States Attorneys, 'Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations' (7 March 2008), https://www.justice.gov/sites/default/files/dag/legacy/2008/03/20/morford-useofmonitorsmemo-03072008.pdf.

42 id.

43 The settlements were with the USAO for the District of New Jersey. See News Release, US DOJ, Christopher J Christie, US Attorney, 'Five Companies in Hip and Knee Replacement Industry Avoid Prosecution by Agreeing to Compliance Rules and Monitoring' (27 September 2007), https://www.justice.gov/sites/default/files/usao-nj/legacy/2013/11/29/hips0927.rel.pdf.

44 See WellCare DPA at Paragraphs 10–11 (18 May 2009). The settlement was with the USAO for Middle District of Florida. See id.

45 See Wright Medical DPA at Paragraph 16. The settlement was with the USAO for District of New Jersey. See id. The Wright Medical DPA and monitorship were later extended by an additional 12 months. See Press Release, US DOJ, 'Wright Medical Technology, Inc. Deferred Prosecution Agreement with Government Extended for 12 Months' (15 September 2011), https://www.justice.gov/archive/usao/nj/Press/files/Wright%20Medical%20DPA%20Extension.html.

46 See Exactech DPA at Paragraph 16. The settlement was with the USAO for the District of New Jersey. See id.

47 See Maxim Healthcare DPA at Paragraph 15. The settlement was with the USAO for the District of New Jersey. See id.

48 The settlement was with the USAO for the District of New Jersey. See Press Release, US DOJ, 'Medical Equipment Company will Pay $646 Million for Making Illegal Payments to Doctors and Hospitals in United States and Latin America' (1 March 2016), https://www.justice.gov/opa/pr/medical-equipment-company-will-pay-646-million-making-illegal-payments-doctors-and-hospitals.

49 The settlement was with the DOJ's Criminal Division and the USAO for the Northern District of Georgia. See Press Release, US DOJ, 'Hospital Chain Will Pay over $513 Million for Defrauding the United States and Making Illegal Payments in Exchange for Patient Referrals; Two Subsidiaries Agree to Plead Guilty' (3 October 2016), https://www.justice.gov/opa/pr/hospital-chain-will-pay-over-513-million-defrauding-
united-states-and-making-illegal-payments.

50 US DOJ Criminal Division, 'Evaluation of Corporate Compliance Programs', https://www.justice.gov/criminal-fraud/page/file/937501/download (DOJ Evaluation of Corporate Compliance Programs); OIG Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8987-02, 8988 (1998).

51 HHS-OIG, Protecting Public Health and Human Services Programs: A 30 Year Retrospective, 38, https://oig.hhs.gov/publications/docs/retrospective/anniversarypub.pdf. In April 2016, HHS-OIG issued guidance noting that it would not require a CIA to resolve every healthcare fraud investigation and the number of civil resolutions not requiring a CIA does appear to be trending upward. See 2016 HHS-OIG Report.

52 HHS-OIG, Corporate Integrity Agreements, FAQ, https://oig.hhs.gov/faqs/corporate-integrity-agreements-faq.asp.

53 id.

54 id.

55 Rai, Arti, 'Health Care Fraud and Abuse: A Tale of Behavior Induced by Payment Structure', Univ. of Chicago – J. on Legal Studies (Jun. 2001).

56 National Health Care Anti-Fraud Association, What Does Health Care Fraud Look Like?, https://www.nhcaa.org/news/what-does-health-care-fraud-look-like.aspx.

57 id.

58 See Boozang, supra note 39, at 98.

59 See DOJ Evaluation of Corporate Compliance Programs, supra note 51.

60 See 42 U.S.C. Section 1320a-7b(b).

61 See United States v. Westmoreland, 2011 WL 4342721, at *25 (D. Mass. 15 September 2011) (The Anti-Kickback Statute 'makes it illegal to offer, pay, solicit or receive anything of value as an inducement to generate business payable by Medicare or Medicaid'.)

62 42 U.S.C. Section 1320a-7b(b)(3); see also HHS-OIG, Safe Harbor Regulations, https://oig.hhs.gov/compliance/safe-harbor-regulations/index.asp.

63 Medicare Program; Request for Information Regarding the Physician Self-Referral Law, 83 Fed. Reg. 29,524 (25 June 2018), https://www.gpo.gov/fdsys/pkg/FR-2018-06-25/pdf/2018-13529.pdf.

64 id.

65 id.

66 James Swann, Government Close to Releasing Health Anti-Fraud Reforms, Bloomberg Law (30 January 2019), https://news.bloomberglaw.com/health-law-and-business/government-close-to-releasing
-health-anti-fraud-reforms.

67 Medicare and State Health Care Programs: Fraud and Abuse; Request for Information Regarding the Anti-Kickback Statute and Beneficiary Inducements CMP, 83 Fed. Reg. 43,607, 43,608 (27 August 2018), https://www.govinfo.gov/content/pkg/FR-2018-08-27/pdf/2018-18519.pdf.

68 Maxim Healthcare Services, DPA, at Paragraph 19 (2011); see also Olympus Corporation of the Americas, DPA, at Paragraph 22 (2016).

69 Tenet HealthSystem Medical, NPA, at Paragraph 5(e) (2016).

70 42 U.S.C. Section 1395nn(a)(1)(A).

71 42 U.S.C. Section 1395nn(a)(1)(B).

72 42 U.S.C. Section 1395nn(b).

73 Upjohn warnings are derived from Upjohn Co v. United States, 449 U.S. 383 (1981).

74 Rosenbaum, Michael, 'Will 2018 be the year healthcare addresses its turnover problem?', Becker's Hospital Review (16 January 2018) https://www.beckershospitalreview.com/finance/will-2018-be-the-year-healthcare-addresses-its-turnover-problem.html.

75 US DOJ, Office of the Assistant Attorney General, Selection of Monitors in Criminal Division Matters (11 October 2018), https://www.justice.gov/opa/speech/file/1100531/download (the Benczkowski Memo).

76 See 42 C.F.R. Section 411.362(b)(3)(ii)(B).

77 See Nate Raymond, 'Q&A: DOJ's Health Care Fraud Chief on Priorities', Reuters Legal (24 August 2018).

78 Rod Rosenstein, Deputy Attorney General, US Dep't of Justice, Remarks at NYU Program on Corporate Compliance & Enforcement (6 October 2017), http://www.law.nyu.edu/sites/default/files/upload_documents/Rosenstein%2C%20Rod%20J.%20Keynote%20Addr ess_2017.10.6.pdf.

79 See Raymond, supra note 77.

80 Meiko America, DPA (2016); Olympus Corporation of the Americas, DPA (2016); B. Braun Medical, Inc, NPA (2016); GNC Holdings, Inc, NPA (2016); Tenet HealthSystem Medical, NPA (2016).

81 Aegerion Pharmaceuticals, DPA (2017); Baxter Healthcare, DPA (2017); PDQ Imaging Services, LLC, DPA (2017); Pharmaceutical Technologies, Inc, NPA (2017).

82 HMA, NPA (2018).

83 Supra note 13.

84 US DOJ Press Release No. 17-768, 'National Health Care Fraud Takedown Results in Charges Against Over 412 Individuals Responsible for $1.3 Billion in Fraud Losses' (13 July 2017), https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-charges-against-over-412-individuals-responsible.

85 id.

86 id.

87 US DOJ Press Release No. 18-866, 'National Health Care Fraud Takedown Results in Charges Against 601 Individuals Responsible for Over $2 Billion in Fraud Losses' (28 June 2018), https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-charges-against-601-individuals-responsible-over.

88 The Benczkowski Memo, supra note 75.

89 Brian A Benczkowski, Assistant Attorney General, U.S. Dep't of Justice, Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance (12 October 2018), https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-remarks-nyu-school-law-program.

90 The Benczkowski Memo, supra note 75, at 2.

91 US DOJ, Fraud Section Year in Review 2018, at 15, https://www.justice.gov/criminal-fraud/file/1123566/download.

92 HMA, NPA, at Paragraph 1(e).

Previous Chapter:US-Ordered Cross-Border Monitorships

Next Chapter:The Financial Services Industry