On July 8, 2019, Anthony Camillo, owner of Allegiance Medical Laboratory and AMS Medical Laboratory, was sentenced to 30 months in prison by a federal judge in the Eastern District of Missouri. He was ordered to pay $3.4 million in restitution for violations of the anti-kickback statute, associated conspiracy charges, and illegal kickbacks related to various health care fraud schemes to defraud federal health care benefit programs. Those operating in the clinical laboratory testing space or referring specimens to such laboratories should know that what happened in this case is likely a bellwether of continued enforcement action by the federal government with respect to marketing arrangements involving laboratory testing of human tissue.

In July of 2017, Camillo, as well as eight of his co-conspirators, were charged in a 31- count indictment with conspiracy, false statements to a federal agency, engaging in a healthcare fraud scheme, and illegal kickbacks for referrals. According to the indictment, the defendants conducted an elaborate scheme wherein they paid illegal kickbacks to marketers for sending biological samples to their laboratories. Camillo’s labs would then bill Medicare and Medicaid for lab testing services, and Camillo would split the profits between himself and his marketers. Some specimens were reimbursed at over $600 per sample, amounting to millions of dollars in illegal profits. Because both Medicaid and Medicare only reimburse for tests ordered by an appropriate medical provider, the defendants utilized doctors who were willing to put their names on the test orders without ever actually seeing the patient. In fact, some doctors claimed that they did not know their names were being put on the testing orders at all. Many of these samples were obtained at churches and public fairs.

The anti-kickback statute prohibits exchanging anything of value for referrals of services which are payable by federal programs, including Medicaid and Medicare. There are safe-harbors that permit limited defined business relationships; however, in 2018, Congress passed the Eliminating Kickbacks in Recovery Act of 2018 (“EKRA”). This statute prohibits the exchange of anything of value for many types of referrals to laboratories, as well as other enumerated healthcare entities. EKRA does not limit its scope to government payors—instead, EKRA applies to all healthcare benefit programs, which includes private as well as public Medicaid and Medicare plans.

In March of 2018, Camillo pled guilty to 30 charges pursuant to a plea agreement with the government. In that plea agreement, Camillo admitted that his presumptive sentencing guidelines range under the U.S. sentencing guidelines was at least 70 months. However, court filings revealed that Camillo agreed to testify at the trials of his co-conspirators, which is, ostensibly, why he received a sentence less than half of his pre-cooperation sentencing guidelines range. All of Camillo’s co-conspirators were convicted of felonies and received sentences ranging from imprisonment to house arrest, along with hefty monetary penalties.

Camillo’s status as the lead-named defendant in this case is evidence that the government considered him to be the ringleader of this conspiracy. However, that he was used by the government to testify against presumably less culpable co-conspirators is telling of the government’s significant interest in prosecuting participants in illegal laboratory marketing agreements to the fullest extent of the law—regardless of the optics of using those most culpable to make cases against those who are less culpable.  Expect DOJ’s increased commitment to clinical laboratory fraud prosecution to result in more robust federal investigations to come, especially with the expanded jurisdiction it has over clinical laboratories, emanating from EKRA.

Epstein Becker & Green has a tremendous depth of knowledge advising clinical laboratories and practitioners with respect to the healthcare regulatory and statutory rules unique to clinical laboratory testing. Our team of seasoned former federal prosecutors can assess, assist, and advise in developing compliant marketing strategies to operate within this changing landscape.

Devon Minnick, a 2019 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office, contributed significantly to the preparation of this post.

The market for direct-to-consumer (“DTC”) genetic testing has increased dramatically over recent years as more people are using at-home DNA tests.  The global market for this industry is projected to hit $2.5 billion by 2024.  Many consumers subscribe to DTC genetic testing because they can provide insights into genetic backgrounds and ancestry.  However, as more consumers’ genetic data becomes available and is shared, legal experts are growing concerned that safeguards implemented by U.S. companies are not enough to protect consumers from privacy risks.

Some states vary in the manner by which they regulate genetic testing.  According to the National Conference of State Legislatures, the majority of states have “taken steps to safeguard [genetic] information beyond the protections provided for other types of health information.”  Most states generally have restrictions on how certain parties can carry out particular actions without consent.  Rhode Island and Washington require that companies receive written authorization to disclose genetic information.  Alaska, Colorado, Florida, Georgia, and Louisiana have each defined genetic information as “personal property.”  Despite these safeguards, some of these laws still do not adequately address critical privacy and security issues relative to genomic data.

Many testing companies also share and sell genetic data to third parties – albeit in accordance with “take-it-or-leave-it” privacy policies.  This genetic data often contains highly sensitive information about a consumer’s identity and health, such as ancestry, personal traits, and disease propensity.

Further, despite promises made in privacy policies, companies cannot guarantee privacy or data protection.  While a large number of companies only share genetic data when given explicit consent from consumers, there are other companies that have less strict safeguards. In some cases, companies share genetic data on a “de-identified” basis.  However, concerns remain relative to the ability to effectively de-identify genetic data.  Therefore, even when a company agrees to only share de-identified data, privacy concerns may persist because an emerging consensus is that genetic data cannot truly be de-identified. For instance, some report that the existence of powerful computing algorithms accessible to Big Data analysts makes it very challenging to prevent data from being de-identified.

To complicate matters, patients have historically come to expect their health information will be protected because the Health Insurance Portability and Accountability Act (“HIPAA”) governs most patient information. Given patients’ expectations of privacy under HIPAA, many consumers assume that this information is maintained and stored securely.  Yet, HIPAA does not typically govern the activities of DTC genetic testing companies – leaving consumers to agree to privacy and security protections buried in click-through privacy policies.  To protect patient genetic privacy, the Federal Trade Commission (“FTC”) has recommended that consumers withhold purchasing a kit until they have scrutinized the company’s website and privacy practices regarding how genomic data is used, stored and disclosed.

Although the regulation of DTC genetic testing companies remains uncertain, it is increasingly evident that consumers expect robust privacy and security controls.  As such, even in the absence of clear privacy or security regulations, DTC genetic testing companies should consider implementing robust privacy and security programs to manage these risks.  Companies should also approach data sharing with caution.  For further guidance, companies in this space may want to review Privacy-Best-Practices-for-Consumer-Genetic-Testing-Services-FINAL issued by the Future of Privacy Forum in July 2018.  Further, the legal and regulatory privacy landscape is rapidly expanding and evolving such that DTC genetic testing companies and the consumers they serve should be watchful of changes to how genetic information may be collected, used and shared over time.

Brian Hedgeman

Alaap B. Shah

On February 27, 2019, Tennessee-based holding company Vanguard Healthcare, LLC (“Vanguard”), agreed to pay over $18 million to settle a False Claims Act (“FCA”) action brought by the United States and the state of Tennessee for “grossly substandard nursing home services.” The settlement stems from allegations that five Vanguard-operated facilities failed to do the following: (1) administer medications as prescribed, (2) provide standard infection control resulting in urinary tract and wound infections, (3) attend to the basic nutrition and hygiene requirements of residents, (4) take prophylactic measures to prevent pressure ulcers, and (5) use physical restraints only when necessary. The FCA makes it illegal for anyone to submit claims (or cause claims to be submitted) for reimbursement to Medicare or Medicaid that are known to be false or based on false information. This settlement also resolves allegations that the Director of Operations, CEO, and several Vanguard companies caused false and/or fraudulent claims to be submitted.  Both the CEO and Director of Operations agreed to pay $250,000, and Vanguard will enter into a chain-wide corporate integrity agreement. The $18 million settlement is the largest “worthless services” settlement to date in Tennessee.

“Worthless services” is not a defined term in the FCA, but it is a newer theory that has, in some cases, extended FCA applicability to issues related to quality of care. The theory has been increasingly employed in qui tam lawsuits alleging that a facility’s services are so deficient that it is tantamount to no services being provided. The rationale of the theory is that because providers are knowingly submitting claims for reimbursement for services with no medical value, the claims are considered false, thereby violating the FCA.

The Vanguard settlement comes at an interesting time. The National Health Care Fraud Takedowns of 2017 and 2018, the largest health care fraud enforcement actions in history, demonstrate the government’s continued commitment to combatting fraud in the health care industry. As part of these efforts, protecting elderly Americans, in particular, from fraudulent activity is a focus of the Trump administration. The focus on prosecuting those who capitalize on the vulnerability of this population was first made evident by the Elder Abuse Prevention and Prosecution Act of 2017. The two largest elder fraud enforcement actions in history followed in February 2018 and March 2019. Attorney General William Barr again reiterated the commitment to protecting aging Americans in the March 2019 remarks announcing the latest elder fraud sweep. In addition, addressing sub-standard care in skilled nursing facilities has remained an active item on the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) Work Plan in recent years.

While enforcement actions in this space are on the rise, circuits remain split on the definition of the term “worthless.” The U.S. Court of Appeals for the Second Circuit was the first to find “worthless services” as a separate and distinct claim under the FCA, defining the term as the performance of services so deficient that, for all practical purposes, it is the equivalent to no service at all.[1] Although the Second Circuit defined this term in the context of a worthless product case,[2] the Third, Sixth, Eighth, and Ninth Circuits have generally accepted the Second Circuit’s definition of the term and apply it to quality of care in health care matters.[3] These circuits now generally look for qualitatively deficient care.

In 2014, the Seventh Circuit demanded a higher evidentiary burden for proving worthless services. The Seventh Circuit concluded that it is not sufficient to prove that services provided were worth less than what was expected; rather, it must be shown that the services were of absolutely no value. The court noted that because the facility in question was able to continue its operation after regular visits from government surveyors, the services provided could not have been so deficient to be considered worth no value.[4] Accordingly, the circuits are split as to whether diminished value or no value is the proper standard. However, it is unlikely that the current split is deep enough to warrant Supreme Court review.

In addition to the circuit split, district courts have struggled with two issues relating to the worthless services theory: (1) the scienter element of the FCA and (2) defining the point at which bundled services are considered worthless.[5]

  • Scienter: The overwhelming majority of facilities surveyed through the normal survey process are cited for deficiencies. Most cited facilities receive at least one quality of care deficiency. Despite how common such deficiencies are, it is difficult for those in the facility responsible for submitting claims—individuals typically not at all involved in patient care—to know when a service provided could be considered worthless. However, knowledge is more easily established when it involves a patient death or serious injury.[6]
  • The defining point of worthless bundled services: The aforementioned circuit split is largely due to the difficulty of applying a definition originally used in a worthless product case to quality of care cases. Federal payors reimburse nursing homes on a fixed per diem rate as opposed to reimbursing for each individual service provided to a patient. The frequency of quality of care deficiencies and this bundling of services make it difficult for courts to determine how many services must be deficient or of no value for a claim to be false. Employing a strict standard, a federal judge in California dismissed a worthless services claim because the plaintiff failed to allege that the defendant’s neglect of its patients was so severe that “for all practical purposes, the patients were receiving no room and board services or routine care at all.”[7] However, in denying a motion to dismiss, a federal judge in Kentucky decided that it is sufficient to show that “patients were not provided the quality of care which meets the statutory standard.”[8] A Mississippi district court found the following evidence to be sufficient to move forward under a worthless theory claim: inadequate staffing, failure to maintain hygiene standards, reuse of medical tubing, pervasive mold and pest issues, forcing patients to shower in groups, widespread neglect, failure to monitor patients at a heightened risk for wandering, and failure to safeguard medications.[9]

It is the provider’s responsibility to ensure that services provided meet the minimum statutory standard before filing a claim for federal reimbursement. Providers should be cognizant of internal compliance issues to ensure that services are not being underprovided. Providers should seek to remedy any issues internally, if possible, and follow HHS OIG self-disclosure protocol. Monitoring the quality of services provided through an effective and well-documented quality assurance program is critical to remaining compliant and defending against allegations of worthless services. Finally, providers should monitor for updates as this theory continues to evolve in the courts.

[1] United States ex rel. Mikes v. Straus, 274 F.3d 687 (2d Cir. 2001).

[2] Id.

[3] See also George Breen & Daniel Fundakowski, Quality of Care, Medical Necessity, and Worthless Services under the False Claims Act: Where Are We Headed Now?, Am. Health Lawyers Assoc. (2013), available at https://www.healthlawyers.org/Events/Programs/Materials/Documents/PHY13/L_breen_article.pdf (explaining how courts view the theory of worthless services).

[4] United States ex rel. Absher v. Momence Meadows Nursing Ctr., Inc., 764 F.3d 699 (7th Cir. 2014).

[5] Richard Hughes IV, With a Worthless Services Hammer, Everything Looks Like a Nail: Litigating Quality of Care Under the False Claims Act, 37 J. Legal Med. 65 (2017).

[6] Id.

[7] United States ex rel. Swan v. Covenant Care, Inc., 279 F. Supp. 2d 1212, 1221 (E.D. Cal. 2002).

[8] United States v. Villaspring Health Care Ctr., Inc. 2011 U.S. Dist. LEXIS 145534, *16 (E.D. Ky.).

[9] United States ex rel. Acad. Health Ctr., Inc. v. Hyperion Found., Inc., 2014 U.S. Dist. LEXIS 93185 (S.D. Miss.).

When we think about the top players in the medical device development space, we often see device company sponsors, clinicians, scientists, and FDA regulators as the ones driving the process. But what about the patient perspective? Does that get factored in?

On May 3, 2019, FDA established a docket to collect public input on a proposed list of patient preference-sensitive areas for medical device review, and posed certain related questions (comments are due July 2, 2019). By identifying these key areas (which it committed to as part of the reauthorization of the Medical Device User Fee Amendments of 2017 (MDUFA IV)), FDA hopes to advance patient input, which can help inform and improve regulatory decision-making. FDA has grouped these proposed patient-preference sensitive areas (full list available here) into the following four umbrella categories:

  1. Patient values in diagnosis and treatment
  2. Relevant clinical endpoints for specific patient populations
  3. Patient benefit-risk tradeoffs for treatment options or diagnostic approaches
  4. Impact of uncertainty in benefit-risk tradeoffs

Stepping back for a moment, though, it’s important to understand what exactly patient preference information is and how FDA has addressed patient preference information to date.

What is Patient Preference Information (PPI)?

FDA defines PPI as “qualitative or quantitative assessments of the relative desirability or acceptability to patients of specified alternatives or choices among outcomes or other attributes that differ among alternative health interventions.” Put simply, PPI can help inform what’s important to patients and can be useful in evaluating a device’s benefit-risk profile, particularly when treatment options are “preference sensitive” (i.e., multiple treatments exist and no option is clearly superior or the evidence supporting one option over the others is uncertain).

What Efforts has FDA Previously Undertaken to Advance the Patient Perspective?

Since 2013, FDA has taken several actionable steps to recognize the voice of patients, including the following:

  • 2013 – FDA launched the Patient Preference Initiative, and hosted a public workshop to discuss ways to incorporate patient preferences on device benefit-risk trade-offs into Center for Devices and Radiological Health (“CDRH”) decision-making, and advance the science of measuring patient and provider treatment preferences.
  • 2015 – FDA announced the first Patient Engagement Advisory Committee (PEAC), supported by CDRH, which provides advice to the FDA Commissioner on complex issues relating to devices and their use by patients, with the goal of increasing integration of patient perspectives into the regulatory process.
  • 2016 – FDA released final guidance entitled “Patient Preference Information – Voluntary Submission, Review in Premarket Approval Applications, Humanitarian Device Exemption Applications, and De Novo Requests, and Inclusion in Decision Summaries and Device Labeling”
  • 2017 – FDA co-hosted a workshop presenting current progress on incorporating PPI into medical product reviews and how PPI can be collected and presented (among other topics).

As patients become increasingly interested and engaged in their health care decisions, it makes a lot of sense for their perspectives to be considered by regulators who are evaluating the benefits and risks of proposed products.  Of course, however, it is important that patient preference information is accurately measured and appropriately weighted in the decision-making process. To that end, FDA advises sponsors that are considering patient preference studies to consult with the Agency early on in the process.

Following a two-day meeting by a Food and Drug Administration (“FDA”) advisory committee on breast implant safety earlier this year, FDA on May 2, 2019, released a statement announcing that no breast implant models will be banned from the U.S. market at this time. Also described in the statement are a number of measures the agency is undertaking in order to assist women in making more informed decisions regarding breast implants.

The March 26, 2019, meeting of the General and Plastic Surgery Devices Panel was convened to discuss issues and concerns related to the benefit-risk profile of breast implants, including a potential link between textured breast implants and breast-implant associated anaplastic large cell lymphoma (“BIA-ALCL”). The panel heard testimony from nearly 40 member surgeons of the American Society of Plastic Surgeons as well as from a number of women who stated that they suffered adverse health consequences after receiving breast implants. The panel recommended that health care providers implement stronger informed consent practices for breast implant surgeries, including disclosure of information regarding the signs and symptoms of breast implant illness (“BII”) and BIA-ALCL as well as the increased risk of BIA-ALCL with textured implants.

According to the May 2 statement, which was jointly issued by FDA Principal Deputy Commissioner Amy Abernethy and Center for Devices and Radiological Health Director Jeff Shuren, FDA concluded after reviewing available data and information that textured breast implants do not meet the legal standard for imposing a ban under the Food, Drug, and Cosmetic Act. The statement points out that while “the majority of women who develop BIA-ALCL have had textured implants, there are known cases in women with smooth-surface breast implants and many reports do not include the surface texture of the implant at the time of diagnosis.”

The statement also announced a change of policy with respect to adverse event reporting. Manufacturers of breast implants will no longer be permitted to submit summary reports of adverse events and instead will be required to file individual medical device reports (“MDRs”) that will be publicly available in the Manufacturer and User Facility Device Experience (“MAUDE”) database. FDA will also make the previously submitted summary reports public in the coming weeks. Additionally, FDA will work with primary stakeholders on developing the content and format of possible boxed warnings or patient checklists for breast implants in order to communicate significant health concerns and risks associated with breast implants.

According to the statement, FDA also is undertaking new efforts to improve the characterization of, and risk factors for, BII and to increase information available to women to enable more informed decision-making about “whether to obtain breast implants or to remove existing breast implants in an effort to reverse systemic symptoms.” The agency also plans to examine whether device materials may cause immune or inflammatory reactions among certain predisposed individuals, and may require disclosure of breast implant ingredient information to be included in product labeling.

Shortly before the March 26 meeting, FDA sent warning letters to two manufacturers of breast implants for failing to adequately comply with post-market commitments to study the long-term safety of their products. These actions, coupled with FDA’s recent statement, signal that breast implant safety is a high-priority issue for the agency. Manufacturers, providers, payors, and other stakeholders should carefully evaluate the potential impact of FDA’s announced initiatives on their activities.

On April 30, 2019, Assistant Attorney General Brian Benczkowski announced that the Department of Justice (“DOJ”) had published an updated version of the Criminal Division’s 2017 guidance publication “Evaluation of Corporate Compliance Programs.”  In making the announcement, Assistant Attorney General Benczkowski said the update was designed to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”  He noted that DOJ also sought “to provide additional transparency in how [it] will analyze a company’s compliance program.”

The updated guidance document focuses on answering three principal questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith?  In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

The new guidance addresses the topic areas from the original publication – some of which have been re-phrased – by grouping them under one of these three questions.  It also raises additional questions prosecutors should ask when evaluating compliance programs and adds one new topic, “Investigation of Misconduct.”

  1. Is the corporation’s compliance program well-designed?

Under the updated DOJ guidance, “the starting point for the prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”  Notably, specificity is key: the DOJ asks whether the program is “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business and complex regulatory environment.”

Additionally, DOJ will focus on an entity’s programs, policies and procedures to assess such things as comprehensiveness, how the policies and procedures are communicated to employees and third parties, who has ownership responsibility for integrating the policies and procedures and whether there are gatekeepers (i.e., is guidance and training provided by individuals with approval authority or certification responsibilities).

DOJ will also look at the organization’s training and communications efforts and will evaluate how the organization integrates its policies and procedures into its operations.  This includes determining whether there is risk-based training, assessing the form, content and effectiveness of the training, the availability of guidance to employees and communications about potential misconduct. In other words, what senior management has “done to let employees know the company’s position concerning misconduct and whether there are communications when an employee is terminated or otherwise disciplined for failure to comply.”

Another key element DOJ looks for is a confidential reporting mechanism that employees can use to report concerns. When evaluating the effectiveness of the reporting program, prosecutors take into account whether employees are able to make reports anonymously and whether qualified employees are involved in the investigation of the reported concerns through properly scoped investigations that ensure that the correct issue is examined.  Beyond just evaluating the results of a compliance function, this requires an assessment of how investigations are responded to, whether the corporation allocates appropriate resources to the investigation, and how the company monitors status.

Finally, DOJ wants to know how an entity is managing third party partners, including “agents, consultants, and distributors who are commonly used to conceal misconduct.”  This means an assessment of the third-party management process, whether appropriate controls were in place regarding use of third parties and how the third-party relationship was managed.

Of particular note, the update reminds corporations that DOJ has a continuing interest in mergers and acquisitions, and it expects that a well-designed program conducts “comprehensive due diligence of any acquisition targets.”  Believing that this pre M&A due diligence puts the company in a better position to evaluate potential issues, DOJ will want to see how the compliance function has been integrated into the M&A process, and whether there is a crosswalk in place to connect it to due diligence implementation.  Put plainly, how does the company track and remediate any misconduct identified as part of the due diligence?

  1. Is the Corporation’s Compliance Program Being Implemented Effectively?

DOJ evaluates whether the corporate compliance program is effectively implemented and engrained in the company’s culture so that it affects employee behavior. A corporation must actively foster a culture of ethics and compliance that originates from the top—that is, Boards of Directors, executives, and senior management. Not only must employees be informed about compliance processes, but they should also be convinced the company is committed to compliance based on the words and actions of the corporate leadership.

Prosecutors next look at the structure of the compliance program, specifically, whether the personnel tasked with implementing the program have sufficient seniority, resources, and autonomy from management to be effective. As with many other factors detailed in the update, each corporation’s implementation is dependent upon the size, structure, and risk profile of the particular entity. Regardless of program structure, the guidance stresses empowerment of the compliance personnel: a corporation must ensure that the compliance program has “adequate resources, appropriate authority” and direct access to the governing authority or a subgroup thereof.

Finally, prosecutors evaluate the program’s incentive structure to determine whether it adequately motivates compliance. Again, the methodology chosen should be specific to each company’s culture: whether it comes in the form of publicizing disciplinary actions as a deterrent or providing financial and career advancement as positive incentives is dependent upon the outcomes observed by a company.

  1. Does the Corporation’s Compliance Program Work in Practice?

DOJ acknowledges that the third question—whether a company’s well-designed and implemented corporate compliance program is effective in practice—may be difficult to assess, particularly when misconduct that becomes the focus of an investigation is not immediately detected by the compliance program. The guidance instructs prosecutors that the mere presence of misconduct does not indicate that the compliance program is ineffective. Indeed, if the misconduct was identified through the compliance program’s mechanisms, this factor may weigh in favor of a defendant’s compliance efforts.

Prosecutors may need to address this third question both at the time of the misconduct and at the time of a charging decision or resolution.  Different concerns are evaluated at each stage. At the time of misconduct, prosecutors should evaluate “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.”

Corporate compliance obligations do not end once the misconduct has been identified; effective corporate compliance programs “improve and evolve” over time in response to business changes and new areas of risk. Prosecutors may re-assess the compliance program at the time of charging or resolution, addressing “whether the program evolved over time to address existing and changing compliance risks” and “whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”

Second, DOJ asks whether there are effective (and funded) mechanisms for timely and thoroughly investigating allegations or suspicions of misconduct. Ensuring that investigations into misconduct are independent, objective, and documented is essential to an effective compliance program.

Finally, DOJ assesses the corporation’s root-cause analysis and remediation of any misconduct identified. The guidance underscores the importance of the corporation engaging in its own remedial actions, including appropriate disciplinary actions, even after DOJ is involved.


The DOJ has provided a detailed update to its guidance and framed the key questions that it will ask during an investigation when evaluating compliance program effectiveness. This update provides insight into the steps that any health care entity can proactively take to ensure it receives the benefit of a robust and effective compliance program should misconduct occur. DOJ has signaled that being proactive, rather than reactive, is what is expected. In particular, DOJ will look at what a company did in the face of an allegation of misconduct as part of its evaluation of the compliance function when determining an appropriate remedy – or in deciding to forego one. It is also clear that DOJ does not view compliance as a “one size fits all” enterprise, and will be looking at how a company adapts its program to its own specific risk profile. It also expects the compliance function to operate independently and that the organization fosters a “culture of compliance.” Companies should review their corporate compliance programs to ensure that they are current, disseminated on a regular basis to all employees, and a central, visible focus throughout the organization.

On May 7, 2019, the Department of Justice (“DOJ”) released new guidance for trial attorneys in the DOJ’s civil division regarding how entities under False Claims Act investigation can receive credit for cooperation.  The release of this new guidance follows public comments delivered in March by Michael Granston, director of DOJ’s civil fraud section, noting that DOJ was considering issuing additional guidance on cooperation credit related to False Claims Act matters.

The policy explains that cooperation credit in False Claims Act cases may be earned by “voluntarily disclosing misconduct unknown to the government, cooperating in an ongoing investigation, or undertaking remedial measures in response to a violation.” In its press release, DOJ noted that cooperation credit will involve a reduction in the damages multiplier and civil penalties and DOJ may publicly acknowledge the company’s cooperation.

The authors are in the process of preparing a Client Alert addressing potential implications of this new guidance on health care entities. The Client Alert will be ready in the coming days and will be posted on the EBG website, linked to this blog post, and distributed through EBG’s email lists.

DOJ Press Release

Link to the New Guidance

On Friday April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties.  The notice provides: “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.”

The HITECH Act implemented a tiered penalty scheme for violations of HIPAA.  That tiered approach was dependent on the level of culpability associated with the violation.  At the lowest level of culpability -when the “person did not know (and by exercising reasonable diligence would not have known)” of the violation – the penalty was established at $100 for each violation “except that the total amount imposed on the person for all such violations may not exceed $25,000.”  Each level of culpability had successively higher penalties attached.  At the top tier – when the violation was due to willful neglect- the penalty is $50,000 for each violation “except that the total amount imposed on the person for all such violations may not exceed $1.5 million.”  P.L. 111-5, Section 13410(d); codified at 42 U.S.C. §1320d–5.  However, the statutory language included some unclear language, as noted in the preamble to the regulations implementing the statute.

In adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘‘for each violation,’’ each of which provided a penalty amount ‘‘for all such violations’’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [Interim Final Rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year. For violations due to willful neglect that are not timely corrected, the IFR adopted the penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition in a calendar year.

78 Fed. Reg. 5566, 5582 (Jan. 25, 2013) (emphasis added).

At the time, HHS chose to interpret Congress’ meaning to allow it to impose the highest fine ($50,000) and the highest aggregate amount ($1.5 million) for every tier category – regardless of the tier and degree of culpability of the covered entity.  Under that scheme, the penalty assessment was as follows:

Culpability Minimum penalty per violation Maximum penalty per violation Annual Limit
No Knowledge $100 $50,000 $1.5 million
Reasonable Cause $1000 $50,000 $1.5 million
Willful Neglect- Corrected $10,000 $50,000 $1.5 million
Willful Neglect- Not Corrected $50,000 $50,000 $1.5 million

The interpretation above arguably turned the four tier approach set forth in the statute into a two tier approach.  However, as of April 26, 2019, HHS “[u]pon further review of the statute by the HHS Office of the General Counsel” HHS has determined that “all HIPAA enforcement actions will be governed” by a revised set of penalty tiers that mirrors the statute’s four tiers.  The new penalty tiers will be as follows.

Culpability Minimum penalty per violation Maximum penalty per violation Annual Limit
No Knowledge $100 $50,000 $25,000
Reasonable Cause $1000 $50,000 $100,000
Willful Neglect- Corrected $10,000 $50,000 $250,000
Willful Neglect- Not Corrected $50,000 $50,000 $1.5 million

HHS also noted that it would engage in future rulemaking “to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”  With these changes, organizations with robust privacy and security compliance programs (with strong reporting mechanisms) may see an advantage of being in the lower penalty tiers in the event a violation occurs.

Florida has been at the forefront of some very interesting healthcare M&A activity in the past year, including an influx of private equity and consistent growth in Hospital and Health Plan vertical integration.  Unless subject to antitrust filing requirements, these high profile transactions are typically carried out under veils of confidentiality and announced upon completion.  However, Florida M&A is not insulated from recent Florida House health reform initiatives.  If the Florida House gets its way, the pace of healthcare transactions in Florida may hit a speed bump in the form of a notice, delay and potential for a pre-close assessment by the Florida Attorney General.

The Florida House activity in the health care space cannot be understated.  In a striking video, the Florida House promises the 2019 legislative session will bring “more affordab[ility], more choices, more practitioners, more access, more quality, and more value” to the State’s health care market. In the video, the Florida House promises to end “government protection for hospital monopolies” and increase “enforcement against providers who violate antitrust laws.”

On April 11, 2019 the Florida House demonstrated its bipartisan commitment to increase visibility of provider consolidation activities in the State by unanimously voting to pass Florida House Bill 1243 (“HB 1243” or “Bill”) sponsored by Rep. Colleen Burton (R). The Bill’s unanimous passage, only a month after introduction, sends a strong signal that the Florida House is committed to more transparency for certain Florida healthcare transactions and providing a “waiting period” to ensure antitrust law is followed and enforced.  The Bill was forwarded to the Senate, and we will be closely monitoring how the Senate responds to this initiative.

If enacted into law, HB 1243 would require each party of any transaction involving a group practice, hospital, or hospital system that results in a material change to another group practice of four or more physicians, hospital, or hospital system to provide written notice to the Florida Office of Attorney General (“AG”) at least 90 days before the effective date of such a transaction. A party’s failure to provide proper written notice would subject such entity to sizable potential civil penalties of up to $500,000.00.  Additionally, in counties where there is only one entity contracting with or employing any category of medical specialists, such entity’s restrictive covenants would be void and unenforceable until there is new market entry by a competitor entity for at least three years.

HB1243 is designed to provide the Florida AG with an opportunity to scrutinize hospital and group practice health care transactions of all sizes, including transactions that might not otherwise have required a federal pre-merger notification, filing, and review under the Federal Hart-Scott-Rodino Act (“HSR”).   Because the proposed waiting period of ninety days is longer than that required under HSR, it may delay transactions already covered under HSR.

If HB1243 is enacted, health care buyers and sellers will need to be aware of the impact on their plans to buy, sell, and operationalize health care transactions in Florida.  This would add an additional layer of regulatory submissions to the AHCA approvals already on the radar of private equity investors. While the Bill may not pass before the Senate’s legislative session adjourns on May 3rd, we are closely monitoring the political climate around health care.

Businesses should carefully evaluate their acquisition pipeline and growth strategies in light of the bipartisan support for HB1243.  This issue has momentum and, if not passed in this session, is likely to resurrect in future sessions. We recommend that physicians closely evaluate the timing of any exit strategy, taking into account the risk of an M&A slowdown caused by new regulatory requirements. Businesses should carefully consider whether to expedite acquisitions and other material business transformations before the Bill’s likely chilling effect on investor interest due to the pre-transaction waiting period and increased regulatory scrutiny.

The Epstein Becker Green St. Petersburg, Florida office is closely monitoring this legislation as well as other Florida health reform efforts.  If you have questions about HB1243 or the antitrust implications of your hospital or physician transaction, please contact Kathleen Premo and Elizabeth Scarola  to discuss pro-active strategies for such a transaction in our current Florida political environment.