The Federal Trade Commission (“FTC”) and the Antitrust Division of the Department of Justice (“Antitrust Division”) released their respective year-end reviews highlighted by aggressive enforcement in the health care industry. The FTC, in particular, indicated that 47% of its enforcement actions during calendar year 2016 took place in the health care industry (including pharmaceuticals and medical devices). Of note were successful challenges to hospital mergers in Pennsylvania (Penn State Hershey Medical Center and Pinnacle Health System), and Illinois (Advocate Health Care Network and North Shore University Health System). In both actions, the FTC was able to convince the court that the merger would likely substantially lessen competition for the provision of general acute-care hospital services in relevant areas in violation of section 7 of the Clayton Act. See FTC v. Penn State Hershey Med. Center, 838 F. 3d 327 (3d Cir. 2016); and FTC v. Advocate Health Care Network et al No. 1:15-cv-11473, 2017 U. S. Dist. LEXIS 37707 (N.D. Ill.Mar. 16, 2017)

The Antitrust Division, in similar fashion, touted its actions to block the mergers of Aetna and Humana, and Anthem and Cigna. Complaints against both mergers were filed simultaneously in July of 2016, and tried before different judges in the Federal District Court for the District of Columbia. After extensive trials, Judge Bates blocked the Aetna/Humana deal, and Judge Amy Berman Jackson blocked the Anthem/Cigna transaction. United States v. Aetna Inc., No. 1:16-cv-1494, 2017 U.S. Dist. LEXIS 8490 (D.D.C. Jan 23, 2017) and United States v. Anthem Inc., No. 1:16-cv-01493, 2017 U.S. Dist. LEXIS 23614 (D.D.C. Feb8, 2017).

In addition to their enforcement activities, the agencies promoted jointly issued policy guidelines, including their “Antitrust Guidance for Human Resources Professionals.” Although not specific to any industry, this guidance has particular relevance to the health care industry. Among other things, this guidance makes clear that naked wage-fixing (such as the wave of wage fixing claims relating to nurses) and no-poaching agreements (that would include agreements not to hire competing physicians) are not only per se illegal, but also subject to criminal prosecution.

While a marginal enforcement shift may be in store as a result of the change in administration, most signs point to a continued focus on the health care industry. Maureen K. Ohlhausen, appointed by President Trump as acting Chair of the FTC, reiterated in a speech recently delivered at the spring meeting of the American Bar Association’s antitrust section, that “[i]t’s extremely important we continue our enforcement in the health care space.” Likewise the Acting Director of the FTC’s Bureau of Competition – Abbott (Tad) Lipsky, appointed by Chairman Ohlhausen, applauded the FTC’s success in challenging the Advocate/Northshore Hospital merger noting, in a related FTC press release, that the “merger would likely have reduced the quality, and increased the cost, of health care for residents of the North Shore area of Chicago.”

Makan Delrahim, President Trump’s selection (awaiting confirmation) to head the Antitrust Division, recently lobbied on behalf of Anthem and its efforts to acquire Cigna, and has openly stated with respect to certain announced mergers, that size alone does not create an antitrust problem. Nevertheless, given the political climate and overall impact the health care industry has on the U.S. economy, the Antitrust Division’s efforts to open markets in the health care sector, particularly to generics and new medical technologies by challenging pay for delay deals and scrutinizing unnecessarily restrictive agreements among medical device manufacturers is likely to continue.

A wild card affecting future antitrust enforcement is increasing possibility of passage of the Standard Merger and Acquisitions Review Through Equal Rights Act of 2017 (H.R. 659 a/k/a the “SMARTER ACT”). This bill, recently approved by the House Judiciary Committee, would eliminate the FTC’s administrative adjudication process as it relates to merger enforcement, forcing the FTC to bring all such actions in court. In addition, it would align current preliminary injunction standards such that both the FTC and DOJ would face the same thresholds required of the Clayton Act rather than the more lenient standard under the FTC Act. A similar bill passed the House in 2016, but was not taken up by the Senate.

Last week’s “WannaCry” worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system. Among the recommended best practices include employee training to avoid clicking on unfamiliar links and files in emails, and to backing up data to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend towards to adoption of the voluntary framework of cybersecurity standards issued by the National Institute of Standards and Technology (NIST), which was issued in 2014 and is in the process of being updated per public comments and meetings.  This also is consistent with the recently issued Executive Order that mandates federal department compliance to the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic.  On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when an HIPAA covered entity or associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of blackmail where a Trojan will deprive a data owner of access to its own data unless a ransom is paid (often by Bitcoin or another block chain currency). OCR’s presumption can be overcome especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). HHS’s ransomware guide provides that:

“Unless the covered entity or business associate can demonstrate that there is a ‘low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. … The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.”

Thus, if there is anything to take away from this, it is to encrypt PHI – period.

OCR offers to work with the private sector to provide technical assistance.  This might be useful to very small, unsophisticated  organizations.  Larger private sector entities arguably have resources and technical skills that surpass those of the government.  Indeed, the President’s Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

Recently, Judge Robert T. Conrad, Jr. of the United States District Court for the Western District of North Carolina (Charlotte Division), rejected efforts by The Charlotte- Mecklenberg Hospital Authority, doing business as the Carolinas Health Care System (“CHS”), to dismiss, at the pleadings stage, a complaint filed by the United States’ Antitrust Division of the Department of Justice, and the State of North Carolina, asserting that CHS’s anti-steering provisions in its payer contracts unreasonably restrain trade in violation of section 1 of the Sherman Act. Recognizing the Court’s limited review of preliminary motions, Judge Conrad, in the matter styled as United States of America et al v. The Charlotte-Mecklenberg Hospital Authority d/b/a Carolinas Health Care System, Civil Action No.3:16-cv-00311-RJC-DCK (W.D. N.C., Mar. 30,2017), ultimately concluded that the allegations of the Complaint, taken as true for purposes of ruling on the motion, asserted a claim that was “plausible,” meeting the pleading standards established by the Supreme Court in Bell Atlantic Corp. v. Twombly, 550 U.S. 544,570 (2007).

The complaint alleges that CHS is the largest hospital system in the Charlotte, North Carolina area, operating ten acute-care hospitals and garnering a market share of fifty percent (50%). CHS’s next closest competitor is alleged to have only half the number of acute-care hospitals, and less than half of CHS’s annual revenue. The complaint also alleges that “[a]n insurer selling health insurance plans to individuals and employees in the Charlotte area must have CHS as a participant in at least some of its provider networks, in order to have a viable health insurance business in the Charlotte area.” Based on these purported facts, the Complaint alleges that CHS maintains “market power” for the sale of acute care hospital services in the Charlotte area.

The complaint goes on to assert that CHS maintains anti-steering provisions in many of its payer contracts including those that collectively insure up to eighty-five percent of the insured residents in the Charlotte area. Furthermore, it is alleged that CHS is able to demand these provisions as a result of its market power.

Finally, the Complaint alleges that these anti-steering provisions impose an unreasonable restraint on competition. Among other things, these provisions have the effect of preventing payers from directing patients to lower cost, higher quality providers, and even prohibit payers from providing its enrollees with information about their health care options. The ultimate effect of these provisions is to allow CHS to maintain its dominant position in the market, and maintain supra competitive prices.

CHS filed an Answer to the Complaint, and a motion on the pleadings which is governed by the same standards as a motion to dismiss filed under Federal Rule of Civil Procedure 12 (b) (6). The essence of CHS’s motion is that the Plaintiff’s allegations were conclusory, and, in particular, the Complaint lacked factual allegations that show “actual competitive harm” resulting from the anti-steering provisions. In addition, CHS argued that: the steering restrictions were beneficial and procompetitive; CHS’s prices were higher due to superior product and consumer loyalty; payers were still able to steer and no payer had ever asked to remove the steering provisions. CHS also relied upon the recently issued Second Circuit decision in United States v. American Express Co., 838 F. 3d 179 (2d. Cir 2016), which ultimately rejected a lower Court’s finding, after a bench trial, that similar steering provisions were unlawful.

Judge Conrad ultimately concluded that while many of the allegations in the Complaint were conclusory, and not factual, the Plaintiff had sufficiently alleged anticompetitive harm. In particular, the Complaint contains plausible allegations that CHS maintains market power, and that as a result of this market power CHS is able to force the anti-steering provisions on payers resulting in CHS’s ability to charge supra-competitive prices. Judge Conrad rejected CHS’s additional factual arguments concluding that these were not appropriate arguments to address on a preliminary motion.

Finally, Judge Conrad rejected the invitation to compare the case before him with that of United States v. American Express. In doing so, Judge Conrad noted: 1) he was not bound by a decision of the Second Circuit; 2) the health care industry is different from the credit card industry; and 3) the case before him was still in the preliminary stages while United States v. American Express was decided after discovery and a full trial on the merits.

On April 18, 2017, the U.S. District Court for the Middle District of Florida adopted a magistrate judge’s recommendation to grant summary judgment in favor of defendant BayCare Health System (“BayCare”) in a False Claims Act whistleblower suit that focused on physician lease agreements in a hospital-owned medical office building, thereby dismissing the whistleblower’s suit.

The whistleblower, a local real-estate appraiser, alleged that BayCare improperly induced Medicare referrals in violation of the federal Anti-Kickback Statute and the Stark Law because the lease agreements with its physician tenants included free use of the hospital parking garage and free valet parking for the physician tenants and their patients, as well as certain benefits related to the tax-exempt classification of the building. The brief ruling affirms the magistrate judge’s determination that the whistleblower failed to present sufficient evidence to establish either the existence of an improper financial relationship under the Stark Law or the requisite remuneration intended to induce referrals under the Anti-Kickback Statute.

The alleged violation under both the Anti-Kickback Statute and the Stark Law centered on the whistleblower’s argument that the lease agreements conferred a financial benefit on physician tenants – primarily, because they were not required to reimburse BayCare for garage or valet parking that was available to the tenants, their staff and their patients.  However, the whistleblower presented no evidence to show that the parking was provided for free or based on the physician tenants’ referrals.  To the contrary, BayCare presented evidence stating that the garage parking benefits (and their related costs) were factored into the leases and corresponding rental payments for each tenant.  Further, BayCare presented evidence to support that the valet services were not provided to, or used by, the physician tenants or their staff, but were offered only to patients and visitors to “protect their health and safety.”

In light of the evidence presented by BayCare, and the failure of the whistleblower to present any evidence that contradicted or otherwise undermined BayCare’s position, the magistrate judge found that: (i) no direct or indirect compensation arrangement existed between BayCare and the physician tenants that would implicate the Stark Law, and (ii) BayCare did not intend for the parking benefits to induce the physician tenants’ referrals in violation of the Anti-Kickback Statute.

Continue Reading New Ruling on Hospital-Physician Real Estate/Leasing Compliance

Surprisingly amidst the Federal Bureau of Investigation (FBI) uproar, President Trump today signed an executive order addressing cybersecurity for the federal government and critical infrastructure, along with international coordination and cyber deterrence. The substance of the order, which is about to be made public, comes from various press releases and interviews with administration officials. The order is composed of three sections on cybersecurity and IT modernization within the federal government, protecting critical infrastructure, and establishing a cyber deterrence policy and coordinating internationally on cyber issues. In directing cabinet agencies to protect critical infrastructure, the order references the Obama administration’s “section 9” list of most critical entities, which already has prompted questions from industry.  Specifically, the order directs the Commerce Department and the Department of Homeland Security to coordinate an effort to reduce botnet cyber-attacks through a voluntary partnership with industry. This effort mirrors health industry association comments to Commerce’s National Institute of Standards and Technology (NIST), which next week will have an open forum to address the many comments made to its  rulemaking proposals. Interestingly, the Order directs the cabinet agencies to coordinate their own efforts with NIST.  The White House staff has been quoted as saying that “it is about time” the federal government was held to the same standard as private industry in addressing cybersecurity. Consistent with Industry requests, the framework is a voluntary tool actually developed in collaboration with industry, which argues that flexibility is required because policies must be adapted to the needs of different entities.

On the health care cyber front, it is interesting to note that James Comey’s last formal speech was given on May 8th to the American Hospital Association in which he raised concerns about the ability of the FBI to combat cyber-attacks and urged cooperation with hospitals and health systems not to get patient records but “fingerprints of digital intrusion.” I note that this is the point of the work of InfraGard, a cooperative effort between industry and the FBI, and is consistent with the public proposals of the Information Sharing and Analysis Organization Standards Organization (ISAO-SO), established by executive order.  Further information regarding those efforts, in which this author is active, can be provided at sgerson@ebglaw.com.

Comey’s abrupt departure suggests that his statements may quickly become passing memories, but the cooperative tone struck is more than a little inconsistent with proposals, for example, from the Department of Health & Human Services’ Office of Civil Rights (OCR), the enforcement agency for Health Insurance Portability and Accountability Act (HIPAA) matters, and from the Federal Trade Commission (FTC), which soon may inherit enhanced powers as the Federa l Communications Commission is attempting to leave the cyber security enforcement field.  Both the Office of Human Rights and the FTC stress enforcement as the optimal mode of gaining cyber compliance.

In the coming days, you may expect further analysis by Epstein Becker Green of OCR’s developing enforcement stance and other emergent government policies in the wake of the new Executive Order.

On May 9, 2017, Scott Gottlieb, M.D. was confirmed by the Senate as the new Commissioner of the Food and Drug Administration (“FDA”).  As Commissioner, he will be immediately responsible for shaping FDA policy on a number of current issues, including addressing and implementing several mandates stemming from the 21st Century Cures Act, (“Cures Act”), which was signed into law on December 13, 2016 with tremendous bipartisan support. The Cures Act contains over 200 sections that create new obligations for FDA; however, most pressing for Commissioner Gottlieb are three requirements that must be fulfilled within 180 days of the Cures Act’s passage (June 11th, 2017).

These requirements are:

  • Submission of a work plan to the Committee on Health, Education, Labor, and Pensions and the Committee on Appropriations of the Senate and the Committee on Energy and Commerce and the Committee on Appropriations of the House of Representatives for any projects, which will use funding from the FDA Innovation Account created under Section 1002 of the Cures Act;
  • Development of “a plan to issue draft and final versions of one or more guidance documents, over a period of 5 years, regarding the collection of patient experience data, and the use of such data and related information in drug development” pursuant to Section 3002 of the Cures Act, which is codified at 21 U.S.C. 360bbb-8c; and
  •  Publication of “a list of reusable device types” pursuant to Section 3059 of the Cures Act, which is codified at 21 U.S.C. 360.

Commissioner Gottlieb has a long professional history in the pharmaceutical industry working in both the public and private sectors. His firsthand experience as a former Deputy Commissioner at the FDA provides him with unique insights into the internal workings of the administration. As a former consultant advising on FDA policies to the pharmaceutical industry, Commissioner Gottlieb is also familiar with recent issues and trends affecting the industry, many of which are addressed within the Cures Act.  Despite having only one month to organize and address the mandates of the three above-referenced sections of the Cures Act, we believe Commissioner Gottlieb will likely meet these deadlines based on his prior knowledge and experience.

We will continue to monitor and provide insight on Commissioner Gottlieb’s activity as FDA Commissioner, and the implementation of key Cures Act provisions as they develop. For insight into how Commissioner Gottlieb has historically viewed key issues impacting the FDA, and mandates under the Cures Act, please view our previously published client alert.

A recent settlement demonstrates the importance of compliant structuring of lending arrangements in the health care industry. The failure to consider health care fraud and abuse risks in connection with lending arrangements can lead to extremely costly consequences.

On April 27, 2017, the Department of Justice (“DOJ”) announced that it reached an $18 Million settlement with a hospital operated by Indiana University Health and a federally qualified health center (“FQHC”) operated by HealthNet. United States et al. ex rel. Robinson v. Indiana University Health, Inc. et al., Case No. 1:13-cv-2009-TWP-MJD (S.D. Ind.).  As alleged by Judith Robinson, the qui tam relator (“Relator”), from May 1, 2013 through Aug. 30, 2016, Indiana University Health provided HealthNet with an interest free line of credit, which consistently exceeded $10 million.  It was further alleged that HealthNet was not expected to repay a substantial portion of the loan and that the transaction was intended to induce HealthNet to refer its OB/GYN patients to Indiana University.

While neither Indiana University Health nor HealthNet have made any admissions of wrongdoing, each will pay approximately $5.1 million to the United States and $3.9 million to the State of Indiana. According to the DOJ and the Relator, the alleged conduct violated the Federal Anti-Kickback Statute and the Federal False Claims Act.

For more details on the underlying arrangement and practical takeaways . . .

Continue Reading Avoiding Fraud and Abuse in Health Care Lending Arrangements

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming executive order will reflect the Trump administration’s focus on improving the security of federal networks, protecting critical infrastructure, and establishing a global cyber strategy based on international law and deterrence, other policy demands have intruded. Indeed as the 100-day mark approached, President Trump announced that he has charged his son-in-law, Jared Kushner, with developing a strategy for “innovation” and modernizing the government’s information technology networks. This is further complicating an already arduous process for drafting the long-awaited executive order on cybersecurity, sources and administration officials say.

The Importance of NIST Has Been Manifested Throughout the Hundred Days

The expected cyber order likely will direct federal agencies to assess risks to the government and critical infrastructure by using the framework of cybersecurity standards issued by the National Institute of Standards and Technology, a component of the Department of Commerce.

The NIST framework, which was developed with heavy industry input and released in 2014, was intended as a voluntary process for organizations to manage cybersecurity risks. It is not unlikely that regulatory agencies, including the Office of Civil Rights of the Department of Health and Human Services, the enforcement agency for HIPAA, will mandate the NIST framework, either overtly or by implication, as a compliance hallmark and possible defense against sanctions.

NIST has posted online the extensive public comments on its proposed update to the federal framework of cybersecurity standards that includes new provisions on metrics and supply chain risk management. The comments are part of an ongoing effort to further revise the cybersecurity framework. NIST will host a public workshop on May 16-17, 2017

Health Industry Groups Are Urging NIST to Set up a ‘Common’ Framework for Cybersecurity Compliance

Various health care industry organizations including the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have asked NIST to help the industry develop a “common” approach for determining compliance with numerous requirements for protecting patient data. Looking for a common security standard for compliance purposes, commenters also argue that the multiplicity of requirements for handling patient data is driving up healthcare costs. Thus, the groups urge NIST to work with the Department of Health and Human Services and the Food and Drug Administration “to push for a consistent standard” on cybersecurity. One expects this effort, given strong voice in the First Hundred Days, to succeed.

The Federal Trade Commission is Emerging as the Pre-eminent Enforcement Agency for Data Security and Privacy

With administration approval, the Federal Communications Commission is about to release today a regulatory proposal to reverse Obama-era rules for the internet that is intended to re-establish the Federal Trade Commission as the pre-eminent regulatory agency for consumer data security and privacy. In repealing the Obama’s “net neutrality” order, ending common carrier treatment for ISP and their concomitant consumer privacy and security rules adopted by the FCC, the result would be, according to FCC Chairman Pai, to “restore FTC to police privacy practices” on the internet in the same way that it did prior to 2015. Federal Trade Commission authority, especially with regard to health care, is not without question, especially considering that the FTC’s enforcement action against LabMD is still pending decision in the 9th Circuit. However, the FTC has settled an increasing number of the largest data breach cases The Federal Trade Commission’s acting bureau chief for consumer protection, Thomas Pahl, this week warned telecom companies against trying to take advantage of any perceived regulatory gap if Congress rolls back the Federal Communications Commission’s recently approved privacy and security rules for internet providers.

OCR Isn’t Abandoning the Field; Neither is DoJ

While there have been no signal actions during the First Hundred Days in either agency. The career leadership of both has signaled their intentions not to make any major changes in enforcement policy.  OCR is considering expanding its policies with respect to overseeing compliance programs and extending that oversight to the conduct off Boards of Directors.

The Supreme Court Reaches Nine

Many would argue that the most important, or at least most durable, accomplishment of the Trump Administration to date is the nomination and confirmation of Neil Gorsuch to the Supreme Court. Justice Gorsuch is a conservative in the Scalia mold and is expected to case a critical eye on agency regulatory actions. There is no cybersecurity matter currently on the Supreme Court’s docket, but there will be as the actions and regulations of agencies like the FTC, FCC and DHHS are challenged.

Both the Department of Justice and the Department of Health and Human Services Inspector General have long urged (and in many cases, mandated through settlements that include Corporate Integrity Agreements and through court judgments) that health care organizations have “top-down” compliance programs with vigorous board of directors implementation and oversight. Governmental reach only increased with the publication by DoJ of the so-called Yates Memorandum, which focused government enforcers on potential individual liability for corporate management and directors in fraud cases. Thus, if it isn’t the case already, compliance officers should assure that senior management and directors are aware of their oversight responsibilities and the possible consequences if they are found not to have fulfilled them.

The OIG’s views regarding board oversight and accountability are discussed in white papers issued by the OIG and also the American Health Lawyers Association. See: “An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors“; “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors“; and “Practical Guidance for Health Care Governing Boards on Compliance Oversight.”

Directors are not only subject to government actions, but to private ones as well. For example, several months ago, a pension system shareholder in Tenet Healthcare Corp. filed a derivative suit claiming that Tenet’s board members shirked their fiduciary duties by not stopping a kickback scheme that led to a $513 million False Claims Act settlement.  The City of Warren Police and Fire Retirement System is seeking to impose a constructive trust on all salaries, bonuses, fees and insider sales proceeds paid to eight of Tenet’s fourteen board members, along with damages for alleged corporate waste and gross mismanagement of the company. It’s also seeking uncapped punitive damages for what it says was Tenet’s act of securing the execution of documents by deception and the misapplication of fiduciary property.  The Michigan-based pension system says Tenet and its board breached their fiduciary duties by failing to adopt internal policies and controls to detect, deter and prevent illegal kickbacks and bribes. And the board participated in efforts to conceal or disguise those wrongs from Tenet’s shareholders, it said.

Cases like this, both private and public (in the wake of the Yates memorandum), likely will proliferate. Indeed, notwithstanding the transition to a new Presidential administration that many hoped would lessen the intensity of its enforcement actions, the current leaders of the DoJ and various U.S. Attorneys’ offices as well as the OIG have signaled their intention to keep the pressure on.

A significant compliance resource of value to health care organizations’ boards recently was issued by the Baldrige Performance Excellence Program of The National Institute of Standards and Technology. The Baldrige Excellence Framework for health care organizations which sets out seven criteria for performance excellence and the means for success. A copy of the document is available for purchase here.

Frequently, parties in both civil and criminal cases where fraud or corporate misconduct is being alleged attempt to defend themselves by arguing that they lacked unlawful intent because they relied upon the advice of counsel. Such an assertion instantly raises two fundamental questions:  1) what advice did the party’s attorney actually give?;  and 2) what facts and circumstances did the party disclose, or fail to disclose, in order to obtain that opinion?  It is well understood that raising an advice of counsel defense consequently waives attorney/client privilege.  Moreover, because a limited waiver of the privilege is rarely recognized, the door likely will open to an examination of any relevant communication between the party and the attorney, even beyond the area that encompasses the particular alleged advice of counsel at issue. But what about the so-called “attorney work product” doctrine?  While attorney/client privilege protects confidential communications between clients and their lawyers related to seeking or obtaining legal advice, attorney work product is protected because it includes, among other things, the sense impressions, analyses and strategies prepared and recorded by and for the attorneys themselves in anticipation of litigation or other adversarial engagements. To what extent, if any, does assertion of advice of counsel expose the attorney’s work product to discovery?

An interesting and cautionary analysis of that question was provided recently by the United States District Court for the District of South Carolina, where the defendants in a False Claims Act lawsuit who asserted an advice of counsel defense were ordered to hand over to government prosecutors all attorney communications related to an alleged Medicare kickback scheme. United States ex reI. Lutz v. Berkeley Heartlab, Inc., 2017 BL 111755, D.S.C., No. 9:14-cv-230, April 5, 2017).

While the court did not explain its thinking in great depth, particularly with regard to the facts of the case itself, one suggests that it still reached a respectable decision. The court readily acknowledged that there is a difference between attorney/client privilege and the work product doctrine (though I note, in some contexts like that presented in Upjohn Co. v. United States, 449 U.S. 383 (1981) concerning corporate internal investigations, the difference can be immaterial) but it went on to hold that, in the case at bar, work-product protection was waived.  As noted, it is unexceptionable that, when a party relies upon an advice of counsel defense, attorney/client privilege necessarily is waived.  After all, one of the determinative issues – what advice did the attorneys actually give – necessarily depends upon getting past the privilege, which is not absolute in any event. The Lutz court recognized that the same rationale logically applies to any work-product materials that actually were shared with the client as part of the advice process. Thus, there is little exception to be taken with the court’s extension of the waiver to such materials. Accordingly, the point of controversy comes down to whether work product protection is to be held waived as to materials prepared by the lawyers that never were shared with the client.  Here, the court recognizes that there is competing authority on the subject

Ultimately, the court relies upon a line of cases holding that, when a party asserts an advice of counsel defense, the waiver of the work product protection extends to “uncommunicated work product.”  In the case at bar the court concluded that to rebut the defense, the government was entitled to  discover ” what facts were provided by [Defendants] to [their counsel]; discover what facts [Defendants’ counsel] may have obtained from any other sources other than Defendants; discover the legal research conducted by and considered by [Defendants’ counsel]; discover the opinions that [Defendants’ counsel] gave [Defendants] and discover whether [Defendants] selectively ignored any of the facts and opinions given [them] by [their counsel] in reaching a decision …”   While a defense lawyer would be unlikely to express any agreement with this if he or she were representing a client who was asserting an advice of counsel defense, one recognizes that an experienced judge is logically dealing with the reality of litigating the frequent situation where the client might have given the lawyer incomplete or misleading information about the facts, and the lawyer’s opinion very well would not have been given, or would have been different, if a more complete rendition of what was to be relied on in opining had been made. Indeed, adversaries frequently ask opinion witnesses – both lawyers and acknowledged experts —  that very question:  “If you had known X which had not been revealed to you by your client, your opinion would not have been the same; isn’t  that right.” Attorney notes very well may contain narrative information from client interviews that usefully addresses the issue of what the client actually disclosed when asking for advice.

In sum, while less scholarly and comprehensive than it might have been, the Lutz opinion did appropriately enunciate the issues, distinguish the two doctrines and reached a supportable conclusion.  One could, however, envision a case in which a trial court would be upheld for not ordering disclosed work product materials that had not been shared with the client.  But as Lutz warns:  don’t count on it.  Advice of counsel is a risky defense that must be approached carefully.  Problems are best avoided by attorneys asking searching questions and assuring that all relevant matters have been disclosed before opining.