On December 7, 2018, the U.S. Food and Drug Administration (“FDA”) published a proposed rule (“Proposed Rule”) that, if finalized, would clarify the de novo classification process for medical devices, including (1) the format and contents of a de novo request and (2) the criteria for accepting or denying a de novo request. FDA intends to “enhance regulatory clarity and predictability… [and] provide a regulatory framework that sets clear standards, expectations and processes for de novo classification” through this proposed rulemaking.[1]

FDA regulates medical devices based on risk and has established three general classifications: “class I” (general controls required to provide reasonable assurance of the safety and effectiveness of the device), “class II” (special controls required), or “class III” (premarket approval required). The regulatory framework for class III devices is especially stringent—FDA reviews class III device safety and effectiveness under a premarket approval (“PMA”) application that takes six months or more to approve, if the device is found suitable for marketing. The 510(k) “premarket notification” submission, however, enables lower-risk devices that are “substantially equivalent” to existing, legally marketed (“predicate”) devices not subject to a PMA to obtain marketing clearance without a PMA. Under section 513(f)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), new devices receiving not substantially equivalent (“NSE”) determinations are automatically designated class III devices. The de novo process serves as an alternative pathway for receiving marketing authorization for class I or II devices.

In the Proposed Rule, FDA seeks to clarify and formalize the de novo pathway for novel devices without predicates. Many of these proposals are contained in various recent guidances from FDA.[2] Below we break down key components of the Proposed Rule:

 

FDA Reviewing Procedures: Facility Inspections Proposed

Perhaps the most controversial component of the proposed de novo pathway is a provision that enables FDA to conduct premarket manufacturing inspections of “relevant facilities” as part of its de novo review process. Although these manufacturing inspections are authorized under the FDCA as an element of the PMA application review, the FDCA does not grant this authority to FDA for de novo review.[3] If this provision remains upon rule finalization, de novo requesters must have their quality systems prepared for inspection. Failing to permit an authorized FDA employee to inspect a relevant facility results in automatic “withdrawal” of the de novo request.

This provision may also be problematic in light of FDA’s proposed timeline for de novo request acceptance. The Proposed Rule requires FDA to grant or decline a de novo request within 120 days from when it receives the request or any additional information. While de novo request devices are required to be classified within the same timeframe under the FDCA, the 120-day deadline is rarely met. Under the Medical Device User Fee Amendments 2017 (“MDUFA IV”), FDA states that it aims to “issue a MDUFA decision within 150 FDA days of receipt of the submission for . . . 55% of de novo requests received in FY 2019.” (emphasis added). FDA’s self-stated goals appear to make the proposed 120-day codification lofty, especially considering FDA’s authorization and intention to conduct premarket manufacturing inspections during its de novo request reviews.

 

Notable De Novo Request Content Requirements

The Proposed Rule intends to clarify the minimum content requirements as prescribed in section 513(f)(2) of the FDCA. Most of these components are consistent with de novo guidance recommendations, but there are a handful of new proposed requirements:

  • Bibliography of “all published reports” and other unpublished “identification, discussion, and analysis of any other data, information, or report” relevant to the safety and effectiveness of the device. This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(8).
  • Samples of the device and its components (if requested by FDA). This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(9).
  • Proposed advertisements and labels for the device. Although it is not uncommon for companies to include sample labeling information in 510(k) notifications, this proposed provision would now make it a requirement in de novo requests, similar to PMA applications under 21 C.F.R. 814.20(b)(10).
  • Information about “known or reasonably known existing [device] alternative[s].”
  • Statement that provides (1) a list of any required information that is omitted in the de novo request and (2) “a justification” for any omissions.

 

Acceptance Review

FDA proposes an acceptance review stage for de novo submissions during which FDA makes a “threshold determination” as to whether the de novo request contains sufficient information to warrant substantive review. Within 15 days of receiving the de novo request or additional information, FDA must complete the acceptance review and notify the requester—after 15 days, the de novo request is automatically accepted for substantive review. The Proposed Rule identifies several “deficiencies” that warrant a refusal to accept (“RTA”), including: (1) incorrect de novo request format; (2) incomplete submission of required content; and (3) the failure to provide a “complete response” to FDA requests for additional information or deficiencies identified by FDA in any prior submissions for the same device. These deficiencies are similar to the Refuse to Accept Policy for 510(k)s guidance and “Acceptance Checklist[s]” issued by FDA in January 2018.

 

Confidentiality Provisions

FDA sets forth confidentiality provisions that are similar to other FDA marketing submissions. FDA must maintain confidentiality of the requester’s de novo application until it issues an order granting the request. FDA must also maintain confidentiality of all information provided in the request. Public disclosure by the requester, however, renders these confidentiality requirements inapplicable.

The preamble makes it clear that FDA is proposing this rule to bring greater structure, clarity, and efficiency to the de novo classification process. This rule essentially formalizes many of the criteria recommended in various FDA guidances and provides more certainty (albeit less flexibility) for both de novo requesters and FDA enforcement.

The Proposed Rule is available for public comment until March 7, 2019. If finalized, the regulations would go into effect 90 days after the final rule is published.

 

[1] 83 Fed. Reg. 63,129 (Dec. 7, 2018).

[2] See, e.g., U.S. FDA, Guidance: De Novo Classification Process (Evaluation of Automatic Class III Designation) (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm080197.pdf; U.S. FDA, Draft Guidance: Acceptance Review for De Novo Classification Requests (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm582251.pdf.

[3] In fact, the FDCA expressly prohibits FDA from conducting these premarket facility inspections in its 510(k) review (“other than a finding that there is a substantial likelihood that the failure to comply with such regulations will potentially present a serious risk to human health”). See FDCA Sec. 513(f)(5).

According to a report by West Monroe Partners, approximately 40% of companies engaged in corporate transactions reported finding a cybersecurity issue during post-acquisition integration of the target company.  While companies routinely conduct robust transactional due diligence to manage legal risk, many fail to adequately conduct cybersecurity due diligence. As a consequence, many companies and investors are leaving themselves vulnerable to potentially severe latent cyber risks.

Cybersecurity is especially relevant in healthcare transactions as the industry continues to be riddled with cyber-attacks.  Protenus Breach Barometer reports that healthcare has been the most targeted industry over the last few years, with 1.13 million, 3.15 million, and 4.4 million patient records compromised in the first three quarters of 2018, respectively, and more than half of breaches occurring due to hacking.  The cat is out of the bag.  Healthcare entities usually amass very lucrative personal data – social security numbers, demographic information, health insurance records, and prescription information – making them attractive targets for hackers.

Despite the high frequency of cyber-attacks in the industry, many healthcare entities spend only half as much to improve security protections when compared to other industries.  As a result, these companies remain vulnerable to cyber threats.  In the case of a breach, companies could face penalties from government agencies as well as class action lawsuits. Cyber risks may intensify during acquisitions, as the likelihood of a breach increases with the expansion of the overall cyber footprint.  Further, in a transaction, the target company’s vulnerabilities ultimately become an issue for the acquiring company.  Thus, if the target entity does not have adequate safeguards to protect patient records, then the acquiring company is at financial and reputational risk for those failings.

Given the potential risks, it is important that acquiring companies prioritize cybersecurity as an integral part of due diligence efforts.  An effective due diligence process should at a minimum evaluate cybersecurity preparedness and risks related to the following: 1) current state of risk assessment; 2) technical security features of business critical information systems and network architecture; 3) implementation of policies and procedures related to information security; 4) policies and procedures related to detecting, responding to, and recovering from cyber incidents; and 5) historical indicators of legal and regulatory compliance issues related to cybersecurity.


Alaap B. Shah


Eric W. Moran


Brian Hedgeman

On December 18, 2018 the Food and Drug Administration (“FDA”) finalized guidance on its existing Breakthrough Device Program and announced plans for advancement of the Safer Technologies Program (“STeP”).  In the announcement, FDA Commissioner Scott Gottlieb emphasized the FDA’s efforts to promote innovation in medical devices that advance patient safety. This new medical device guidance could signal a year of opportunity for innovative medical device manufacturers that seek to advance patient safety.

Breakthrough Device Program

The Breakthrough Device program was created under the 21st Century Cures Act and seeks to facilitate the development and expedite the review of breakthrough technologies that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. Medical devices and device-led combination products that qualify for this program must meet specific criteria.  First, the device must provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating human diseases or conditions. Second, the device must meet at least one of the following criteria: (1) represent a breakthrough technology, (2) no approved or cleared alternatives exist, (3) offer significant advantages over existing approved or cleared alternatives, or (4) device availability is in the best interest of patients.  A manufacturer can send a breakthrough designation request at any time prior to sending its marketing submission. The Breakthrough Devices program replaces the Expedited Access Pathway and Priority Review for medical devices.

Safer Technologies Program (“STeP”)

STeP was first revealed in the Medical Device Safety Action Plan published in April 2018. The purpose of the program is to serve as an alternative for devices that cannot or do not fit into the breakthrough device construct, but still seek to make current treatments or diagnostics significantly safer.  The FDA anticipates creating guidelines for the STeP in 2019.

Opportunities for Stakeholders

The objective of both programs is to improve development through providing opportunity for additional interactions with FDA and faster reviews through a priority review designation and/or improving alignment on device development prior to regulatory marketing submissions.  These features can provide value to device manufacturers, and potentially accelerate development, although they are not a substitute for a manufacturer’s own planning regarding regulatory strategy.  Since its implementation in late 2016, approximately 110 devices have received Breakthrough Designation, so more manufacturers continue to take advantage of this program.  The STeP program could create even more opportunities.

On January 17, 2019, the FDA will host a webinar to help clarify the Breakthrough Devices program’s final guidance for manufacturers. Manufacturers should view this webinar to become better acquainted with the program and consider its potential benefits to products in development.

As 2019 begins, companies should seriously consider the financial and reputational impacts of cyber incidents and invest in sufficient and appropriate cyber liability coverage. According to a recent published report, incidents of lost personal information (such as protected health information) are on the rise and are significantly costing companies. Although cyber liability insurance is not new, many companies lack sufficient coverage. RSM US LLP, NetDiligence 2018 Cyber Claims Study (2018).

According to the 2018 study, cyber claims are impacting companies of all sizes with revenues ranging from less than $50 million to more than $100 billion.  Further, the average total breach cost alone is $603.9K. This does not include crisis services cost (average $307K), the legal costs (defense = $106K; settlement = $224K; regulatory defense = $514K; regulatory fines = $18K), and the cost of business interruption (all costs = $2M; recovery expense = $957K).  In addition to these financial costs, reputational impact stemming from cyber incidents can materially set companies back for a long period of time after the incident.

Companies can reduce risk associated with cyber incidents by developing and implementing privacy and security policies, educating and training employees, and building strong security infrastructures.  Nevertheless, there is no such thing as 100% security, and thus companies should consider leveraging cyber liability insurance to offset residual risks.  With that said, cyber liability coverages vary across issuers and can contain many carve-outs and other complexities that can prevent or reduce coverage.  Therefore, stakeholders should review their cyber liability policies to ensure that they understand the terms and conditions of such policies. Key items to evaluate can include: coverage levels per claim and in the aggregate, retention amounts, notice requirements, exclusions, and whether liability arising from malicious third-party conduct is sufficiently covered.

While cyber liability insurance will not practically reduce the risk of a cyber incident, it is increasingly a critical component of a holistic risk mitigation strategy given the world we live in.


Alaap B. Shah


Daniel Kim

On December 21, 2018, the Department of Justice (“DOJ”) announced in a press release the recoveries obtained in settlements and judgments from civil matters involving fraud and those brought under the False Claims Act (“FCA”) for the fiscal year (“FY”) ending September 30, 2018. While total recoveries were $2.88 billion—the ninth consecutive year exceeding $2 billion—this was down almost $600 million from FY 2017, the lowest level since 2009 and the second year in a row that total recoveries fell.

However, and of particular note to those involved in the healthcare and life sciences industries, over $2.5 billion—$329 million more than in FY 2017, and almost 88 percent of all recoveries—were generated from healthcare-related matters. Notably, recoveries in such cases brought by the DOJ directly rose to $568 million, the second-highest level since 1987. And, while more than 50 percent of the recoveries are identified as attributable to a finite number of matters, pharmaceutical and medical device companies, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians all continued to be enforcement targets.

Qui Tam Cases: A Concentration on Healthcare

The statistics also reflect that cases filed by qui tam relators are a principal driver of DOJ’s FCA enforcement efforts. While the number of qui tam cases filed dropped in FY 2018, 645 matters were brought last year, representing almost 85 percent of all new matters. Relative to the healthcare industry, 446 new qui tam cases were brought in FY 2018, a drop from FY 2017 but the fifth highest number since 1987. About 88 percent of all new FCA matters pursued against entities involved in the healthcare industry were brought by relators.

The greatest risk to entities continues to be qui tam matters in which the United States elects to intervene. More than 90 percent of all dollars recovered from qui tam cases in FY 2018 were from cases in which the government elected to intervene. However, relators continue to pursue matters post-declination. In FY 2018, almost $120 million was recovered from such matters; while a sharp decline from the $445 million collected in FY 2017, almost 70 percent of all recoveries in cases pursued post-declination were from the healthcare industry.

Although plainly not a record year, expect that these statistics will still serve to encourage new filings. In FY 2018, more than $300 million was paid out in relators’ share awards; more than $266 million of which came from matters involving the healthcare industry. While these were the lowest levels since 2009, since 1988 relators have been paid over $5 billion for matters brought involving the healthcare industry alone (total payments, all industries, exceed $7 billion). The potential for a major reward—as supported by these numbers—clearly continues to drive the filing of new cases.

Individuals in Focus

DOJ’s announcement also emphasized its effort in holding individuals accountable. The press release lists multiple examples of individual enforcement, whether pursued through joint and several liability along with corporate defendants, or otherwise. Significantly, multimillion-dollar recoveries were generated this year from individuals involved in the healthcare industry.

Recent announcements from the DOJ reflecting revisions to the “Yates Memo” suggest that senior corporate management, as well as members of boards of directors, continue to face enforcement risk.

*************

While overall recoveries dropped, the dollars generated from enforcement in the healthcare space grew and remain staggering. The statistics will only serve to encourage the government and qui tam relators to continue to pursue corporations and individuals involved in the healthcare and life sciences industries. They are also a strong reminder of the importance of the development and maintenance of programs designed to deter improper conduct and promote compliance across all organizational levels.

 

Did you know that your zip code is a better predictor of your health than your genetic code? Public health experts – and your health insurance provider – have long known that the air you breathe, the education you receive, your net worth, and even the music that you listen to are strong indicators of your overall health – and the possibility that you might need expensive medical procedures in the future. By some measures, up to 50% of your overall health is determined by social, economic, and environmental factors. As the movement to value-based payment continues in health care, there has been a renewed focus from policymakers and payors on “social determinants of health” in an attempt to curtail health care costs by addressing the root problems of poor health before the patient is at risk and when the interventions may be cheaper than medical care.

The concept that social determinants of health play a crucial role in limiting health care costs is hardly new, but has been more prominently incorporated into payment reform programs recently. New York, for example, has established the Health and Recovery Plan (“HARP”), a program designed for Medicaid beneficiaries with serious mental illness or substance use disorders. The HARP program combines traditional medical care with “Home and Community Based Services,” with the intent to ensure that HARP beneficiaries also receive care for underlying social factors that exacerbate their mental health or substance use issues. HARP now includes, as part of the Medicaid managed care premium paid by New York State to managed care organizations administering the program, coverage for services ranging from assistance in accessing transportation, locating and securing housing, instruction on personal budgeting, and both general and vocational education services. While HARP is intended for beneficiaries over 21, New York is launching a similar program for children with behavioral health needs. New York has recently also implemented a rule for Medicaid managed care organizations requiring them to include services offered by “community-based organizations,” such as food programs or job training programs, in value-based contracts between Medicaid managed care organizations and downstream providers with the intent to address social factors in “traditional” health care payment arrangements.

While policymakers and payors are expanding attention to social determinants of health to shape health programs (and in so doing decrease money spent on medical interventions), so too are they eyeing social factors in determining the cost of health care. Companies, such as LexisNexis, are aggregating personal data and developing risk scores that are based almost entirely on an individual’s socioeconomic factors, and marketing that information to health care payors. Though LexisNexis states that it does not intend for the scores to be used to price insurance products, experts have identified risk scores as a potentially useful tool in pricing health plans. Since social factors tend to benefit wealthier individuals, pricing health plans based on socioeconomic data has the potential to exacerbate disparities in health care access between the rich and poor. The connection between steady employment and better health outcomes has been used to justify Medicaid work requirements in states that have recently requested waivers from the federal government to implement such requirements. Others have pointed out that this approach may confuse cause and effect; people with jobs are in a better socioeconomic position than those who aren’t, and therefore are generally healthier. These programs and products simply demonstrate the wide-ranging effect “social determinants of health” already have on health care and the opportunity for their role to grow substantially.

Social determinants of health are not a new idea, but they have a renewed focus as a cost-effective way to decrease health care expenditures. For providers, it may mean incentives or requirements to incorporate external factors into their delivery of care. For organizations that address such social issues, it may portend increased funding. Attention to this area may provide a unique opportunity to realize savings for providers in risk-based agreements and allow providers to get ahead of the curve in a “new” trend in health care.

Cassie Chang, a Legal Intern (not admitted to the practice of law) in the firm’s New York office, contributed significantly to the preparation of this post.

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues.  For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement.  Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments to the elucidated questions on or before February 12, 2019.

On November 26, 2018, the U.S. Food and Drug Administration (“FDA”) announced that the process for clearing most medical devices for marketing is being updated to incorporate changes the FDA laid out in an April draft guidance. For over forty years, most medical devices have entered the United States market through the 510(k) clearance process. The 510(k) process offers an expedited approval process available only for products that are substantially equivalent to products already on the market (known as predicate devices). The FDA is considering no longer allowing sponsors to rely on predicates older than ten years and making public information about cleared devices that relied on predicates more than ten years old. In addition, the FDA intends to finalize guidance establishing an alternative 510(k) pathway with different criteria that reflect current technological principles.

In a statement, FDA Commissioner Scott Gottlieb reasoned that newer products relying upon older predicates might not reflect new performance standards or latest scientific and medical understanding. Commissioner Gottlieb believes this change will promote the continual improvement of medical devices. However, the announced change received quick pushback. Many manufacturers argue that reliance upon older predicates can be necessary when no newer predicates are available, and older predicates can provide data that helps sponsors make new devices safer. In addition, many industry-observers believe the FDA’s plans may contradict and exceed its statutory authority, and therefore require additional support from Congress.

If the current proposal becomes law, the implications will include increased costs for manufacturers forced to innovate because of the inability to rely on older predicates. The agency’s statement indicates that new medical devices that utilize the 510(k) pathway should be better than predicates, rather than the applicable legal standard of substantial equivalence. Thus, manufacturers can anticipate increased agency scrutiny when submitting information in the 510(k) summaries. In addition, manufacturers may need to make alternative plans if developing a new device based on an older predicate.

On November 19, 2018, the FDA submitted a proposal to the White House Office of Management and Budget (OMB) to approve a review that will assess current communication practices between FDA review staff and Investigational New Drug (IND) sponsors.  The FDA has contracted with Eastern Research Group (ERG) to determine whether the current mode of communication between these parties needs to be adapted moving forward.  Depending on the results of this review, communication practices and requirements could be altered, which might have an effect on the IND application process. Possible modifications might occur that could assist in removing communication bottlenecks hindering approval timelines.

By filing an IND, a drug developer seeks approval to conduct human trials of investigational new drugs.  After an organization submits an IND application to the FDA for approval, the FDA review team must review the submission within a 30-day period and determine whether to approve or deny the application.  During this period, the FDA review staff and IND sponsors communicate regarding IND status, concerns, and questions, and the clock stops on the 30-day period any time the FDA requests additional information from the sponsor. Overall, this process is designed to minimize the risk of harm to clinical trial volunteers and confirm that the clinical trial protocols are appropriate. Further, the FDA reviews the proposed study protocol to confirm sponsors’ plans support compliance with good clinical practice requirements.  The FDA released guidance last December on best practices for communication between IND sponsors and FDA review staff in order to assist in improving the effectiveness, timeliness, and transparency in communications between the parties.  Additionally, the FDA believes that improved communication may assist in facilitating the availability of effective and safe drugs to consumers.

The FDA expects that the upcoming review, pending OMB approval, will shed more light on how commercial IND sponsors perceive their communications with FDA staff.  During this review, ERG will collect data from sponsors of “a sample of up to 150 active commercial INDs that have activity during a one-year period.”  The surveys and interviews with IND sponsors are intended to assess sponsors’ experiences when communicating with the FDA review staff, and will examine “what is working well, ongoing challenges and pain points, lessons learned, and opportunities for improvement.” After this data is analyzed and reported by ERG, the FDA will “publish the report on the Agency’s public website and hold a public meeting about the assessment.”

The study findings may be useful in assisting the FDA in meeting its PDUFA commitment to promote transparency between sponsors and review personnel.  The PDUFA plan emphasizes its goal to promote effectiveness and efficiency of the first cycle review process while minimizing the number of review cycles necessary for approval. Sponsor recommendations through the surveys may very well shed light on current communication issues as well as other factors that might hinder the approval process.  An understanding of such hindrances may assist FDA in improving communication and transparency between parties and, thus, the IND approval process itself.

EBG will continue to monitor all developments in FDA’s regulation of the IND approval process as well as the forthcoming results from ERG’s review of IND sponsor communication with FDA review staff.

During a November 29, 2018 speech, Deputy Attorney General Rod Rosenstein announced changes to Department of Justice (“DOJ”) policy concerning individual accountability in corporate cases.  The announcement followed the DOJ’s year-long review of its individual accountability policies and the September 2015 memorandum issued by then-Deputy Attorney General Sally Yates, commonly known as the “Yates Memo.”

While making clear that pursuing individuals responsible for corporate wrongdoing remains a top priority in every investigation conducted by DOJ, Mr. Rosenstein drew a substantial distinction between the treatment of individuals in criminal investigations and civil investigations.

Criminal Matters

In criminal cases, the revised policy provides that to receive cooperation credit, a company “must identify every individual who was substantially involved in or responsible for the criminal conduct.”  Responding to concerns that it was inefficient to require companies to identify every employee involved irrespective of culpability, Mr. Rosenstein stated that DOJ’s focus will be on those who play “significant roles in setting a company on a course of criminal conduct.” He also noted that “investigations should not be delayed merely to collect information about individuals whose involvement was not substantial, and who are not likely to be prosecuted.”   Importantly, Mr. Rosenstein made clear that if a company fails to work in good faith to identify substantially involved or responsible individuals, it would not receive any cooperation credit.

Civil Matters

According to Mr. Rosenstein, “[c]ivil cases are different.” Recognizing that the primary purpose of civil enforcement is the recovery of money, Mr. Rosenstein noted that the “all or nothing” approach to civil cases espoused in the Yates Memo was simply not practical and, in some circumstances, could be counterproductive. In those matters where criminal culpability is not in question, the revised policy recognizes a need for flexibility.

The most significant aspect of this revision is the focus on senior officials in the company, including members of “senior management or the board of directors.” In civil matters, entities are expected to identify all wrongdoing by these individuals. Indeed, Mr. Rosenstein noted that if companies make any effort to hide misconduct by senior leaders, they “will not be eligible for any [cooperation] credit.” Companies that want to receive “maximum credit” must “identify every individual person who was substantially involved in or responsible for the misconduct.”

The revised policy also provides DOJ lawyers with the flexibility to provide “partial credit” for companies that seek to cooperate with the government.  For instance, in situations where a company “honestly” and “meaningfully” provides “valuable assistance” to the government, the revised policy envisions the ability to award at least partial credit, even if the company does not agree with the government about every employee’s individual liability.  According to Mr. Rosenstein, when credit is all or nothing, resolution of cases can be delayed without any resultant benefit.

Additionally, in settling civil cases post-Yates, the DOJ has routinely refused to include releases for individuals regardless of culpability.  The revised policy returns to the pre-Yates practice of allowing DOJ’s civil attorneys the discretion to negotiate individual releases in cases where additional investigation of those individuals is not warranted “with appropriate supervisory approval.”

Finally, the Yates Memo stated that DOJ would not consider an individual’s ability to pay a civil settlement or judgment as part of its decision whether or not to pursue that individual.  Going forward, the revised policy permits DOJ attorneys to consider “ability to pay” issues in deciding whether or not to pursue a civil judgment against an individual.  According to Mr. Rosenstein, this commonsense change has been made so that DOJ civil attorneys are not wasting valuable resources pursuing individuals from whom there is no realistic source of recovery.

Key Takeaways

While noting that it is “revising” current policy, DOJ has made clear that the pursuit of individuals, whether in criminal or civil investigations, remains a top priority.  The specific identification in civil cases of the actions of senior management, including members of a company’s board of directors, is significant and should be top of mind for entities operating in the health care arena, where enforcement efforts are so routinely focused—whether by the government directly or through the efforts of qui tam relators.  This development suggests the continued need to focus compliance efforts throughout an organization and to ensure that its most senior leaders appreciate the spotlight that will be put on their activities.

The changes referenced above can be found in the documents identified below:

https://www.justice.gov/jm/jm-1-12000-coordination-parallel-criminal-civil-regulatory-and-administrative-proceedings#1-12.000

https://www.justice.gov/jm/jm-4-3000-compromising-and-closing#4-3.100

https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.210

https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.300

https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations#9-28.700