New Developments May Prompt Board Compliance/Risk Recalibration

Health care system boards may want to revisit their risk and compliance oversight protocols following multiple new fraud enforcement developments in the last two months. These developments reflect a notable level of activity and related pronouncements from the federal health care enforcement agencies and the courts. Collectively, they suggest a more intense enforcement environment with respect to health care fraud, the elements of which should be considered as part of health care system governance. Are existing oversight measures sufficient to address these challenges, or is a “compliance recalibration” necessary to protect the interests of the health care system? The general counsel is well equipped to lead the board through this process.

Even for an industry as heavily regulated as health care, the frequency of these recent, material enforcement developments is noteworthy. They include federal court decisions interpreting key provisions of the fraud prevention laws; a new Department of Health and Human Services (HHS) Office of Inspector General (OIG) fraud alert relating to a popular contracting practice; announcement of an OIG specialized litigation team; public emphasis on the activities of the “Medicare Strike Force;” and statements from the Department of Justice (DOJ) detailing expectations of effective internal investigations—and of “corporate cooperation” with the government.

It’s very unlikely that they represent some coordinated judicial and regulatory fraud prevention message to the health care industry. But, individually and collectively, these developments—and the timing of their release—are of such significance that they should be brought to the board’s attention.

The Developments: An Overview

DOJ Pronouncements. Over the last several months, the DOJ’s Criminal Division has been engaged in a very focused public discussion of its commitment to health care fraud enforcement, and the process DOJ applies when making a decision with respect to corporate prosecutions. This discussion has been reflected in a series of high-profile public presentations by senior Criminal Division officials, the most recent of which were on May 19 and June 18, respectively. ¹Leslie R. Caldwell, Assistant Att’y Gen., U.S. Dept. of Justice, Remarks at the Compliance Week Conference (May 19, 2015); Leslie R. Caldwell, Assistant Att’y Gen., U.S. Dept. of Justice, Remarks at the American Bar Association’s 25th Annual National Institute on Health Care Fraud (May 14, 2015); Leslie R. Caldwell, Assistant Att’y Gen., U.S. Dept. of Justice, Remarks at the New York City Bar Association’s Fourth Annual White Collar Crime Institute (May 12, 2015); Leslie R. Caldwell, Assistant Att’y Gen., U.S. Dept. of Justice, Remarks at the Press Conference to Announce a National Medicare Fraud Takedown (June 18, 2015). Noteworthy aspects of these presentations are the circumstances under which a corporation may receive “credit” for cooperating with a government investigation; incentives to disclose evidence relating to allegedly culpable executives and other employees; and what DOJ perceives to be elements of both an effective compliance plan and a meaningful internal investigation process.

The New OIG Fraud Alert. On June 9, 2015, the OIG issued a new fraud alert advising physicians (and, indirectly, health care systems), as to how certain types of financial arrangements can create potential personal liability exposure for them under the Federal Anti-Kickback statute. ²Fraud Alert: Physician Compensation Arrangements May Result in Significant Liability, U.S. Dep’t of Health and Human Services (June 9, 2015), available at https://oig.hhs.gov/compliance/alerts/guidance/Fraud_Alert_Physician_Compensation_06092015.pdf; see also Tony Maida, New Fraud Alert Shows OIG Focus on Physicians, McDermott Will & Emery FCA Update Blog (June 11, 2015), available at http://www.fcaupdate.com/2015/06/new-fraud-alert-shows-oig-focus-on-physicians/. A particular focus of the fraud alert was to ensure that compensation arrangements, such as medical directorships, “reflect fair market value for bona fide services the physicians actually provide” by “carefully consider[ing] the terms and conditions of medical directorships and other compensation arrangements before entering into them.” The alert provided examples of arrangements that do take into account the volume or value of referrals, or that either do not reflect fair market value for the services performed, or compensate the physician in ways that are unrelated to providing services.

Council for Urological Interests. On June 12, 2015, the U.S. Court of Appeals for the District of Columbia Circuit rejected a challenge from a urology trade association by upholding a 2008 rule change from the Centers for Medicare & Medicaid Services which effectively prohibited referring physician-owned companies from furnishing most hospital services “under arrangements.” ³Council for Urological Interests v. Burwell, 2015 BL 185992; see also Jason B. Caron, Eric B. Gordon, MD, Tony Maida, Daniel H. Melvin & Laura B. Morgan, Court Upholds CMS’ Prohibition on ‘Under-Arrangements’ Transactions, Strikes Down CMS’ Prohibition on ‘Per-Click’ Equipment Rental Arrangements, McDermott Will & Emery (June 29, 2015), available at http://www.mwe.com/Court-Upholds-CMS-Prohibition-on-Under-Arrangements-Transactions-with-Referring-Physicians-but-Strikes-Down-CMS-Prohibition-on-Per-Click-Equipment-Rental-Arrangements-with-Referring-Physicians-06-29-2015/. Council for Urological Interests v. Burwell ruled that the 2008 rule change, redefining an “entity furnishing designated health services” to include entities that perform the services, not just bill for them, reflected a reasonable construction of the Stark Law and thus deserved deference.

The Court struck down, however, the CMS’ 2008 prohibition on per-click equipment rental arrangements involving referring physician-owned equipment leasing companies.

Hebrew Homes. On June 16, 2015, DOJ announced what it described as the largest False Claims Act settlement ($17 million) for a nursing home that allegedly violated the Anti-Kickback statute. The settlement was with the Hebrew Homes Health Network, Inc., of Miami-Dade County (Fla.). and involved alleged kickback violations concerning medical director arrangements. ⁴Press Release, U.S. Dep’t of Justice, Florida Skilled Nursing Facility Agrees to Pay $17 Million to Resolve False Claims Act Allegations (June 16, 2015), available at http://www.justice.gov/opa/pr/florida-skilled-nursing-facility-agrees-pay-17-million-resolve-false-claims-act-allegations; see also Tony Maida, DOJ Announces Largest Kickback Settlement with Nursing Home for Medical Directorship Allegations, McDermott Will & Emery FCA Update Blog (June 25, 2015), available at http://www.fcaupdate.com/2015/06/doj-announces-largest-kickback-settlement-with-nursing-home-for-medical-directorship-allegations/.

The terms of the settlement involved the resignation of the CEO (with OIG expressly reserving its exclusion rights against the CEO). The nursing home also agreed to enter into a five-year corporate integrity agreement (CIA) with OIG, which involves OIG monitoring Hebrew Homes’ arrangements with referral sources. The CIA also requires the board of directors to hire a compliance expert to review and report on the compliance program. The settlement did not include the physicians who held the implicated medical directorships.

Medicare Strike Force. At a June 18 press conference, HHS Secretary Sylvia M. Burwell and Attorney General Loretta E. Lynch announced what they described as the “largest [coordinated] takedown” in the history of the DOJ/HHS Medicare Strike Force. ⁵Press Release, U.S. Dep’t of Justice, National Medicare Fraud Takedown Results in Charges Against 243 Individuals for Approximately $712 Million in False Billing (June 18, 2015), available at http://www.justice.gov/opa/pr/national-medicare-fraud-takedown-results-charges-against-243-individuals-approximately-712. According to their public comments, a “nationwide sweep” led by the Strike Force resulted in charges against 243 individuals, including 46 doctors, nurses and other licensed medical professionals, for their alleged participation in Medicare fraud schemes involving approximately $712 million in false billings. In addition, CMS also suspended a number of providers using its suspension authority under the Affordable Care Act.

OIG’s New Specialized Litigation Team. On June 30, 2015, HHS/OIG announced the creation of a new litigation team focused on pursuing civil penalty and exclusion cases. ⁶Tony Maida, OIG Announces New Penalty and Exclusion Litigation Team to ‘Level the Playing Field’, McDermott Will & Emery (July 1, 2015), available at http://www.mwe.com/OIG-Announces-New-Penalty-and-Exclusion-Litigation-Team-to-Level-the-Playing-Field-07-01-2015/. The announcement was made at the Annual Meeting of the American Health Lawyers Association, in a session entitled “Leveling the Playing Field: OIG-Initiated Administrative Litigation”. According to OIG officials, the main goals of the new litigation team include: (1) holding individuals accountable, (2) enforcing the OIG’s industry guidance, (3) filling enforcement gaps [e.g., pursuing cases that the DOJ does not], and (4) emphasizing other OIG component work. Separate comments made earlier in the day by Gregory Demske (OIG’s chief counsel) informed that the OIG and DOJ will be coordinating on the civil monetary penalties and exclusion cases OIG pursues.

In re Tuomey. On July 2, the U.S. Court of Appeals for the Fourth Circuit issued a decision with important implications for the technical application of the Stark law, as well as for the availability of the “reliance of counsel” defense (particularly in situations involving the application of complex statutes and regulations). In U.S. ex rel. Drakeford v. Tuomey, the Fourth Circuit affirmed the district court’s prior judgment of over $237 million in damages and penalties against a South Carolina nonprofit, tax-exempt health care system. ⁷No. 13-2219, 2015 U.S. App. LEXIS 11460, 2015 BL 212865 (4th Cir. July 2, 2015); see also Eric B. Gordon, MD, Tony Maida, Daniel H. Melvin, T. Reed Stephens & Laura B. Morgan, Tuomey’s Appeal of $237M False Claims Act Judgment Denied by the Fourth Circuit, McDermott Will & Emery (July 10, 2015), available at http://www.mwe.com/Info/news/Tuomey-Appeal-Special-Report.html. The judgment was based upon a jury finding that the Tuomey health care system had submitted over 21,000 false claims to Medicare pursuant to part-time physician employment contracts which the jury determined had been submitted in violation of both the federal False Claims Act (FCA) and the Stark law.

The Board’s Response

The ability of the board to exercise effective risk/compliance oversight depends upon a basic familiarity with industry-specific enforcement trends. These most recent developments suggest an increasingly vigorous health care enforcement climate. This won’t be “news” to most health care system leaders. Yet, the real governance question posed by these new developments is whether the board’s existing oversight practices are “up to the task.” Do they reflect an awareness of the regulatory environment? Do they provide meaningful checks-and-balances to management’s well-intentioned proposals? Or are they “out of date?” Regardless of the sophistication of the board, the question still needs to be asked. The timing, and significance, of these new developments provide a useful opportunity for the board to re-examine the effectiveness of its compliance/risk oversight.

This examination should be grounded in an understanding of the board’s obligations to monitor the risk/compliance profile of the organization. It should review such structural considerations as the risk reporting protocol; the use of committees to conduct oversight activities; expectations of management regarding the development of proposals; and the level of scrutiny to be applied by governance to those proposals, and to the related advice of management and advisors.

Fiduciary Considerations. There is some potential for the board to be held to a higher standard of care with respect to its oversight of, and decisions with respect to, the effectiveness of its compliance program and transactions that implicate the health care fraud prevention laws. Most state laws require courts to evaluate the fiduciary duties of corporate directors through the lens of the facts and circumstances presented to the directors when exercising oversight or making a decision. The question presented by these new developments is whether they are merely “business as usual”, or whether they signal more significant change. For, as the organizational “stakes” increase, the applicable standard of care must similarly increase. The advice of the general counsel will be critical in resolving this question for the board.

From an individual liability perspective, the business judgment rule may, in many states, offer protection for board actions that reflect disinterested decisions based on diligent inquiry. Similarly, recent judicial decisions applying the Caremark
⁸In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 standard of review to board actions require a high burden of proof (e.g., gross negligence or even bad faith) to find a basis for liability. Yet, evidence of a significantly more rigorous enforcement environment may, in certain circumstances, affect the level of basic diligence expected of directors. This would be a “you knew of the risks posed by the regulatory environment, yet you deliberately failed to do your homework and ask the right questions when the proposal was in front of you” type of argument.

Structural Review. A logical board response to the new developments would include a review of its existing decision-making and oversight protocols. Do they put the board in an informed position concerning management proposals that implicate the health care fraud prevention laws? Any related review might focus on the following elements of effective risk and compliance monitoring:

• Coordination of Risk Committees: For many health care system boards, compliance and risk oversight is delegated to one or more traditionally-focused committees (e.g., Compliance; Audit; Quality; Executive). In some systems, a separate committee is delegated the authority to establish board expectations for hospital-physician arrangements developed by management, and to review and approve certain “extraordinary” management proposals in this regard. Whatever the structure, greater clarity is often needed in terms of the respective roles of those “risk committees” to avoid inefficient overlap and to reduce the potential that certain issues may “fall between the cracks” of committee jurisdiction. This also extends to the quality and frequency of communications between risk-based committees; they should be “talking to each other”.
• Membership of the Risk Committees: There is an increasing recognition that service on a risk-based committee will require a greater individual time commitment. This arises from the increasing demands on these committees, and the complexity of those demands. The expectation is that the heightened level of involvement and commitment of committee members will demonstrate to executive leadership and employees the board’s commitment to effective risk and compliance monitoring. Along the same lines, the board should consider a higher “qualifications” bar for membership on these types of committees (raising the “reasonable compensation of directors” question). It should also assure that committee meetings are appropriately staffed with representatives from the office of general counsel (and, when necessary, corporate compliance and internal audit).
• Presentation of Information to the Risk Committees: An important goal is to assure that reporting mechanisms will effectively “organize and distill” information that the risk-based committees require in order for perform their respective obligations. Issues that “keep management awake at night” are to be timely shared with, and appropriately evaluated by, these committees. The general counsel should be authorized to regularly provide those committees with information concerning significant legal, regulatory and risk related developments. Arguably, the last two months’ developments are the type that should come to the attention of the risk-based committees as a matter of course. The question is, do they?
    Reporting from management should also address compliance with corporate risk management policies (e.g., board-established policies regarding the structuring of hospital-physician arrangements), including a periodic evaluation of the independence and capabilities of risk management staffing.
• Committee Meetings: An improved information reporting system should make the meetings of risk committees more efficient, and allow for a more streamlined agenda. That notwithstanding, these committees should consider the need to increase the frequency and length of individual meetings in order to allow proper consideration of issues presented to them. Are there circumstances when developments require a special meeting? And what is the frequency of reporting by risk committees to the full board? Is that reporting coordinated?
• Coordination of Legal/Compliance Risk Management Personnel: An appropriate risk committee (e.g., compliance) should assume responsibility for coordinating the activities of the various corporate executives with responsibility for legal, compliance and risk management matters. This includes the responsibility to work with senior leadership in establishing clear job responsibilities for those executives; horizontal and vertical reporting relationships; independence where necessary and advisable; and horizontal communication and coordination of activities. The general counsel will play a leading support role in this regard, given that most of the issues presented to the risk committees will be legal in nature, whether directly or indirectly.
• Reliance on Counsel: As the Tuomey decision suggests, risk committees should work with the general counsel and other members of senior management to refine existing (or create new) processes intended to assure the availability of the “advice of counsel” defense for the board and the organization. This is particularly with respect to the circumstances (and manner) in which the board/management deems it advisable to seek opinions from several different outside counsel as part of its diligence. In those situations, the process should address how to structure the review and consideration of those multiple opinions towards the goal of reaching an informed decision on the matter at hand, and to best demonstrate leadership’s good faith in this regard.
• Standard of Review: Risk-based committees should work to establish a culture stressing “constructive skepticism” and an active, independent role in exercising oversight over, and making decisions with respect to, management’s proposals. While committee members must necessarily rely on information provided by senior executive leadership and advisors in connection with hospital-physician relationships, they are nevertheless expected to be attentive, assertive and “courageous” (i.e., unafraid to ask difficult questions) in their monitoring role.

Conclusion

So what do these developments mean? That both the DOJ and OIG are focused on enforcing the health care fraud prevention laws, even to the extent of forming specially dedicated litigation teams; that DOJ and OIG scrutinize compliance programs in those enforcement efforts; that OIG has issued a “Fraud Alert” on what has been a fairly ubiquitous hospital-physician practice; that the Stark Law is “an impenetrably complex set of laws and regulations” and a “booby trap rigged with strict liability and potentially ruinous exposure…”; ⁹Tuomey, 2015 U.S. App. LEXIS 11460, at *69, 2015 BL 212865, at *26 (Wynn, J., concurring). that the Tuomey jury award exceeded the hospital’s annual net revenues; that the time frame associated with FCA litigation may involve years of controversy (e.g., the Tuomey controversy lasted almost ten years); that the “advice of counsel” defense is no “slam dunk”; and … get the picture?

And how should governance interpret all that? Perhaps as a timely and important reminder that they are the governing board of a sophisticated business operating in a highly visible, and highly regulated, industry. That these new developments are indicative of the breadth and depth of a complex environment. That their oversight efforts must be up to the challenge. And that it might make sense to confirm that.