For nearly 20 years, the Department of Justice (US DOJ) has used independent monitors to address compliance issues with companies accused of violations of healthcare fraud statutes and regulations. The breadth and dynamic nature of those statutes and regulations, the ever-changing structure for delivering healthcare and the complex operations of many of these companies present unique challenges to healthcare monitors. This chapter explores the history of healthcare monitorships and how they have worked in practice, with a focus on monitorships imposed by the US DOJ’s Criminal Division. The chapter takes you through the historical context, the legal context, enforcement actions and trends, unique challenges and predictions for the future.
The historical context
The US DOJ has prioritised healthcare fraud for almost three decades, starting with the then Attorney General Janet Reno in 1993. A US DOJ report in 1997 referred to healthcare fraud as ‘the crime of the nineties’. Throughout that decade, various government agencies underwent significant changes to meet the demand for increased healthcare enforcement. As one stark measure of this increased focus, the number of agents assigned by the Federal Bureau of Investigation (FBI) to look into healthcare fraud during the 1990s increased nearly fivefold – from 112 in 1992 to 500 in 1999. The number of criminal healthcare fraud investigations increased nearly sixfold during the same period – from 520 to 3,000.
Around the same time, Congress passed legislation that significantly shaped the landscape of healthcare enforcement, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is best known for providing privacy protections to patients but it also ‘federalized much of the law of healthcare fraud’. For example, HIPAA required the establishment of the Health Care Fraud and Abuse Control (HCFAC) programme, which was designed to coordinate law enforcement efforts with respect to healthcare fraud and abuse at federal, state and local levels. The HCFAC programme operates under the joint direction of the Attorney General and the Secretary of the Department of Health and Human Services (HHS). HIPAA not only fostered the establishment of the HCFAC programme but also helped secure funding for enforcement activities. For example, HIPAA established a HCFAC account that provided US$104 million for anti-healthcare fraud activities in fiscal year 1997. In contrast, US$308.7 million in mandatory funding was allocated to the account in fiscal year 2020, which was supplemented by an additional US$786 million in discretionary funding appropriated by Congress. These funds provide further evidence of the US DOJ’s commitment to combating healthcare fraud.
The enforcement and legal context
Healthcare enforcement today is the result of coordinated efforts by federal, state and local law enforcement agencies. At the federal level, groups such as the Health Care Fraud (HCF) Unit of the US DOJ’s Criminal Division, the joint HHS/US DOJ Healthcare Fraud Strike Forces (the strike forces), the Civil Frauds Branch of the US DOJ’s Civil Division, the US Attorneys’ Offices (USAOs), the FBI and the Office of Inspector General at the HHS (HHS-OIG) all work collaboratively to combat healthcare fraud. The HCF Unit comprises more than 80 prosecutors whose core mission is to prosecute healthcare fraud cases. The unit works closely with the US DOJ’s 15 strike forces, some of which are located in specific cities across the United States (i.e., Miami, Florida; Los Angeles, California; and Detroit, Michigan) while others operate regionally (i.e., the Gulf Coast region and the Appalachian region) or US-wide. Originally launched in 2007 and expanded in 2009 in the Health Care Fraud Prevention and Enforcement Action Team (HEAT) Initiative, the strike forces aim to focus on the ‘worst offenders’ engaged in healthcare fraud in the ‘highest intensity regions’. The strike forces employ a ‘cross-agency collaborative approach’, which combines resources from the FBI, the HHS-OIG, the Centers for Medicare and Medicaid Services (CMS) and other agencies, as well as the prosecutorial resources of USAOs. The programme continues to expand. In 2020, the US DOJ announced the creation of a new National Rapid Response Strike Force charged with investigating and prosecuting fraud cases involving major healthcare providers that operate in multiple jurisdictions.
The USAOs have long played a major part in healthcare fraud enforcement. They bring criminal and affirmative civil cases to recover funds obtained through fraud, waste and abuse, and litigate a variety of healthcare fraud matters, including false billings, overcharges by hospitals, Medicaid fraud, kickbacks, pharmaceutical and medical device fraud, and home health and hospice fraud. Each USAO also has designated criminal and civil healthcare fraud coordinators who work with external agencies and trial attorneys, which further evidences the US DOJ’s commitment to healthcare enforcement. Not surprisingly, all but one healthcare monitorship imposed through a non-prosecution agreement (NPA) or deferred prosecution agreement (DPA) resulted from a USAO-led investigation.
Finally, the Civil Frauds Branch of the US DOJ’s Civil Division leads civil enforcement of the False Claims Act (FCA) nationally and is a key part of healthcare fraud enforcement nationwide.
The Criminal Division charges a variety of different crimes in healthcare fraud cases, such as:
- general healthcare fraud;
- Anti-Kickback Statute (AKS) violations;
- theft or embezzlement in connection with healthcare;
- unlawful use of health information; and
- violations of the Food, Drug, and Cosmetic Act.
The underlying misconduct that leads to these violations differs, but common fraudulent activities include billing for no-show appointments, submitting claims for services at higher complexity levels or reimbursement levels than provided or documented, billing for services not furnished, and providing anything of value in exchange for referrals (i.e., kickbacks).
Civil statutes also play a major part in protecting the government from healthcare fraud. The FCA and the Stark Law are two key civil statutes used to combat healthcare fraud. The FCA imposes liability on any person who knowingly submits a false claim seeking government funds. Both the US DOJ and private citizens, known as ‘relators’, are allowed to bring actions on behalf of the United States asserting FCA violations.
The Stark Law, with the Stark Regulations, imposes prohibitions on physician referrals and billing where certain financial relationships exist involving physicians or physicians’ immediate family members. The Stark Law is discussed further in the section titled ‘Unique aspects of healthcare monitorships’, below, which details some of the unique challenges in healthcare monitorships.
Enforcement actions and trends
The rise of monitorships in the early 2000s
In the early 2000s, corporate scandals, such as WorldCom and Enron, led to an increased focus on corporate misconduct, including healthcare fraud. For example, in 2000, the US DOJ entered into what was then the largest government fraud settlement in US history – a plea agreement resolving healthcare fraud allegations. The plea agreement was between the US DOJ and HCA Healthcare (HCA), which was the nation’s largest hospital chain at the time. The agreement resolved allegations that, among other things, HCA engaged in fraudulent Medicare billing and paid kickbacks and other remuneration to doctors to induce referrals. HCA agreed to pay US$745 million to the government, but the total penalty was increased over a number of years through various additional agreements. This was followed by numerous high-value criminal and civil settlements involving kickbacks, poor manufacturing practices and illegal off-label promotion of pharmaceutical products.
By the early 2000s, the US DOJ was also more frequently entering into NPAs and DPAs, which have provided useful vehicles for requiring defendant companies to strengthen their compliance programmes and systems through the retention of monitors for the life of the agreement. Between 2002 and 2005, the US DOJ entered into twice as many NPAs and DPAs as it had during the previous 10 years combined. In 2005, the US Attorney’s Office for the District of New Jersey executed what was probably the first DPA to impose a monitor for healthcare fraud violations – the agreement with the University of Medicine and Dentistry of New Jersey (UMDNJ) resolved allegations of double-billing Medicaid. The government alleged that UMDNJ’s University Hospital submitted claims to Medicaid for outpatient physician services that were also being billed by doctors working in the hospital’s outpatient centres. In addition to full reimbursement of Medicaid, the DPA imposed a term of two years, with a monitor imposed for the full term.
The US attorney who led the UMDNJ investigation later suggested a rationale for the monitorship: ‘It would be highly irresponsible to allow a corporation whose prosecution is being deferred to go unsupervised during the deferral period.’ For several years subsequently, the US DOJ imposed monitors as a part of some, but not all, NPAs and DPAs. Some viewed the US DOJ’s monitorship decisions as ‘unpredictable’ and ‘inconsistent’. In fact, congressional leaders called for greater transparency in the monitor selection process, hoping to ensure greater consistency in NPAs and DPAs. The US DOJ responded by publishing general guidelines for monitor selections, such as the 2008 Morford Memorandum, named after its author, the then Acting Deputy Attorney General Craig Morford. As discussed elsewhere in this Guide, the memorandum instructed prosecutors to ‘be mindful’ of two broad considerations: ‘the potential benefits that employing a monitor may have for the corporation and the public’ and ‘the cost of a monitor and its impact on the operations of the corporation’. The Morford Memorandum was supplemented by the 2018 Benczkowski Memorandum, which (as is also discussed in the section titled ‘Predictions for the future’, below) was itself revised, supplemented and superseded in part by the Monaco Memorandum. In October 2021, Deputy Attorney General Lisa Monaco returned to this subject, announcing that the US DOJ would ‘study how [it] select[s] corporate monitors, including whether to standardize [the Department’s] selection process across the divisions and offices’.
Recent healthcare monitorships
Since 2005, the US DOJ has imposed monitorships in at least 12 NPAs or DPAs resulting from violations of healthcare laws. Some of the most notable resolutions in which a monitor was imposed include:
- the 2007 settlements with DePuy Orthopedic, Inc, Smith & Nephew, Inc, Zimmer Holdings, Biomet and Stryker (resolving allegations of kickback conspiracies through DPAs and NPAs, imposing 18-month monitorships on each company);
- the 2009 settlement with WellCare Health Plans, Inc (resolving allegations of fraudulent billing through a three-year DPA, imposing an 18-month monitorship);
- the 2010 settlement with Wright Medical Technology, Inc (resolving allegations of kickbacks through a DPA, imposing a 12-month monitorship);
- the 2010 settlement with Exactech, Inc (resolving allegations of kickbacks through a DPA, imposing an 18-month monitorship);
- the 2011 settlement with Maxim Healthcare Services, Inc (resolving allegations of fraudulent billing through a DPA, imposing a two-year monitorship);
- the 2016 settlement with Olympus Corporation of the Americas (resolving kickback allegations through a DPA, imposing a three-year monitorship); and
- the 2016 settlement with Tenet HealthSystem Medical, Inc (resolving kickback violations through an NPA, imposing a three-year monitorship).
Ten of the healthcare monitorships imposed since 2005 stemmed from investigations by the USAO for the District of New Jersey. Five of the NPAs or DPAs concerned a conspiracy to pay kickbacks in the hip and knee industry. Another seven concerned other kickback allegations and billing fraud. Most of these monitorships were for terms of 18 to 24 months. Three-year terms have been imposed only twice in the past 15 years, in resolutions with Olympus Corporation of the Americas and Tenet HealthSystem Medical, Inc. The defendants subject to the monitorships during this period have included hospital systems, home healthcare providers, medical technology companies and medical equipment distributors.
Each of the monitorship agreements sets forth the duties and responsibilities of the monitor, generally to assess, oversee and monitor the company’s compliance programme to reduce the risk of repeat violations of the healthcare laws. In fulfilment of those duties and responsibilities, monitors use guidance from both the US DOJ and the HHS-OIG on effective compliance programmes, structuring their review to assess elements such as analysis and remediation of underlying misconduct, compliance department autonomy and resources, training and communications, policies and procedures, and audit and monitoring. In some cases, monitors may be required to review employment practices and make recommendations regarding the hiring or firing of senior management and other relevant personnel. The monitor provides periodic reports of its findings and recommendations to the US DOJ and the company, and monitors the implementation of earlier recommendations. Typically, the monitored company is required to implement its monitor’s recommendations or explain to the US DOJ why it has declined to do so. Accordingly, the monitor must also assess whether recommendations from an earlier monitor period were successfully implemented within the organisation before the monitorship comes to a close.
Corporate integrity agreements
Companies that avoid a monitor as a part of their criminal resolutions are not necessarily in the clear when it comes to government oversight regarding compliance systems. The HHS-OIG commonly imposes separate civil agreements in healthcare enforcement actions, including corporate integrity agreements (CIAs). The first CIA was executed by the HHS-OIG in the mid 1990s. CIAs have been entered into by hospitals and health systems, physician practices, long-term care facilities (such as skilled nursing facilities), life science companies (including medical device manufacturers, pharmaceutical companies and durable medical equipment suppliers), ambulance companies, laboratories, and rehabilitation and therapy providers, such as wound care.
Similar in certain respects to monitorships, CIAs usually impose oversight by independent review organisations (IROs). In contrast to a monitorship, a CIA is agency-enforced. CIAs are usually more detailed and prescriptive than monitorship agreements. For example, CIAs usually require IROs to conduct specific claims reviews, such as the review of 50 randomly selected claims. CIAs also require IROs to employ individuals with specific credentials to assist with the monitoring, including ‘individuals who have a nationally recognized coding certification to conduct the coding portion’ of the IRO’s review. Stipulated penalties are enforced for failure to comply with CIA obligations, and an entity’s non-compliance can result in exclusion.
For example, in September 2019, the HHS-OIG executed a five-year CIA with Avanir Pharmaceuticals, Inc as part of a settlement to resolve allegations that Avanir paid kickbacks to a physician to induce prescriptions of its drug Nuedexta. The CIA spans more than 60 pages and includes staffing requirements (e.g., Avanir must hire a compliance officer and appoint a compliance committee), training and education requirements (e.g., Avanir must provide annual compliance training for a subset of employees), and policy-development requirements (e.g., Avanir must ‘develop and implement a centralized annual risk assessment and mitigation plan process’). Should Avanir fail to comply with these requirements, it is potentially subject to a rising series of financial penalties. As evidenced by several recent settlements imposing lengthy CIA terms, HHS-OIG’s use of this enforcement tool remains robust.
Unique aspects of healthcare monitorships
Healthcare monitors perform the same general compliance monitoring and reporting duties as monitors in other contexts, but also face unique challenges relating to:
- the complex and dynamic nature of healthcare fraud;
- reporting requirements;
- corporate structure and governance;
- conduct of the monitorship;
- complicated accounting and financial assessments; and
- constantly changing modes of healthcare delivery.
The complexity of healthcare fraud
Healthcare fraud is complex for a number of reasons. First, under healthcare’s traditional fee-for-service model, whereby providers (e.g., physicians, physician groups and hospitals) are compensated per unit of health service provided, there are numerous steps in the provision of and payment for those services and, thus, numerous ways to commit fraud. To name a few, providers can bill for:
- more expensive services than were actually provided or performed (known as upcoding);
- each step of a procedure as if it were a separate procedure (known as unbundling); or
- the same service more than once (known as double-billing).
Healthcare monitors must not only be familiar with these fraudulent practices but they must also anticipate new ways in which healthcare fraud may occur in the future.
Second, pharmaceuticals and device manufacturing companies present unique compliance challenges because their primary goal is to sell a product. Employees at manufacturing companies often receive mixed messages from company leaders – they attend compliance training sessions about the importance of integrity in business dealings, then attend a sales meeting in which pressure is put on them to increase sales. Under these circumstances, monitors must remediate healthcare fraud under a profit-driven model. Monitors must scrutinise a company’s business plans and place emphasis on strengthening the company’s ‘tone at the top’ and ‘conduct at the top’. Considering compliance as part of an employee’s performance evaluation or compensation structure is particularly important in these cases. Employees should know that they will be rewarded for doing business the right way in a compliant fashion, not just for profitability.
Third, the multiple parties involved in the delivery of healthcare services and products enter into agreements that can run afoul of the law; for example, by providing something of value in exchange for referrals of patients or customers (known as kickbacks). The AKS makes it a felony to knowingly and wilfully solicit, receive, offer or pay anything of value in exchange for the referral of federal healthcare programme business. The term ‘anything of value’ is construed broadly and includes, among other things, gifts, discounts and free space.
There are roughly three dozen statutory and regulatory safe harbours to the AKS, which scale back the broad prohibitions of the statute and simultaneously complicate it. Take, for example, an analysis of physician compensation, one of the most significant AKS risks. Payments to physician employees of a hospital could constitute remuneration intended to induce the employees to recommend programme-related goods or services. The Bona Fide Employment Exception safe harbour, however, generally protects compensation arrangements between hospitals and hospital-affiliated physician practices. The exception covers any amount paid by an employer to a physician (or immediate family member) who has a bona fide employment relationship with the employer if certain enumerated conditions are met.
Further, kickbacks encompass more than cash exchanges, gifts or traceable wire transfers. At first, a kickback can appear as something completely innocuous, such as a job promotion, a directorship agreement, office space rented at below the fair market value, a teaching agreement, an on-call agreement or a consulting agreement. These are items of value and there is the potential that they might be provided unlawfully in exchange for referrals. Accordingly, monitors should look beyond the traditional assessments of whether an agreement is in writing and that payments match invoices. They must review fair market value of the compensation, the totality of the physician’s job positions, roles and responsibilities, and the physician’s volume of referrals to the hospital. Monitors should assess whether and how physician-specific volume data is generated, who has access to that data and for what purposes. The number and variation of relationships that could give rise to a kickback, as reflected in the many AKS safe harbours, complicate the work of the healthcare monitor.
Not only must healthcare monitors develop expertise in applicable healthcare laws to provide meaningful recommendations for mitigating compliance risks, they must be prepared for constant change. For example, on 25 June 2018, the HHS announced a Regulatory Sprint to Coordinated Care, led by Deputy Secretary Eric Hargan. The initiative is designed to remove ‘unnecessary government obstacles to care coordination’. The plan involves:
identifying regulatory requirements or prohibitions that may act as barriers to coordinated care, assessing whether those regulatory provisions are unnecessary obstacles to coordinated care, and issuing guidance or revising regulations to address such obstacles and, as appropriate, encouraging and incentivizing coordinated care.
In late 2020, the HHS-OIG issued a set of final rules implementing changes to the AKS effective as of January 2021, including the introduction of seven new safe harbours and the modification of four existing safe harbours. Furthermore, changes to the Stark Law that came into effect on 1 January 2022 alter how group medical practices are permitted to allocate profits, among other things. Providers will respond, as they must, to these regulatory changes, and so too must monitors. In short, healthcare monitors must manage the ever-changing nature of healthcare fraud laws and regulations.
Reporting requirements
NPAs and DPAs involving a monitor typically include reporting requirements for the company and for the monitor. Reporting requirements vary by agreement. Most are very broad, requiring the reporting of ‘any credible evidence of criminal conduct or serious wrongdoing by, or criminal investigations of, the Company, its officers, directors, employees and agents, of any type that become known to the Company after the Effective Date’. Others are narrower, requiring the reporting ‘of evidence or allegations of actual or potential violations of the [AKS]’. Both approaches can prove challenging.
In the case of broad reporting requirements, the company risks over-reporting, which can be detrimental. It can consume so many resources to identify, report and investigate that larger issues cannot receive the attention they demand. Narrow reporting requirements, on the other hand, can be ill-defined, which can lead to inconsistent reporting. It is vital for companies and monitors to understand the relevant reporting requirements because a failure to report may result in a breach of the agreement and subsequent extension of the monitorship. In addition, failures to report may deprive the monitor of critical information to investigate potential compliance system weaknesses and may deprive the US DOJ of information it needs both for enforcement purposes and to inform its prioritisation of future monitor reports. As such, companies should have candid and frequent conversations with the US DOJ and the monitor to delineate reporting requirements clearly early on and to foster a reporting process that is driven by a compliance focus rather than a legal focus. Fundamentally, monitors and companies must approach their reporting obligations with a determination to identify circumstances of concern and report them quickly and with transparency.
The Stark Law provides a specific example of the complexity of reporting requirements in a monitorship focused on the AKS. The Stark Law prohibits a physician from referring a patient to an entity for the provision of designated health services if the physician or a member of the physician’s immediate family has a financial relationship with that entity. Additionally, the Law prohibits entities from billing for designated health services furnished pursuant to a prohibited referral. Like the AKS, the Stark Law has its exceptions but, unlike the AKS, it is a civil statute that does not have an intent requirement. The Stark Law is a strict liability statute.
Because the Stark Law is civil, the AKS-focused monitorships have not required the reporting of Stark Law violations. However, Stark Law violations can give rise to ‘evidence’ of an AKS violation, which is reportable. For example, the provision of services without a contract potentially violates the Stark Law but, without intent, there is no AKS violation. The provision of services without a contract for a lengthy period, however, might suggest the absence of a contract is intentional, which may stem from an intent to induce referrals. The interplay between the AKS and the Stark Law is nuanced and complicates a monitor’s role in ensuring a company meets its reporting obligations.
Finally, NPAs, DPAs and associated monitorship agreements also impose reporting requirements directly on monitors, and the complexity of healthcare fraud statutes and regulations and the potential implications for patient safety can introduce complications for monitors. First, some reporting obligations arise from potential violations of the full range of healthcare fraud laws, which presents a challenge where those laws stretch beyond the particular focus of the monitorship. Moreover, in some instances, the US DOJ requires the monitor to report potential misconduct solely to the US DOJ and not to the company being monitored. This reporting requirement often relates to misconduct that presents an elevated risk to the public. This requires the monitor to make judgements not only on potential legal and compliance policy violations, but also on public safety risks.
Corporate structure and governance
Understanding the corporate structure and governance of an organisation is essential to making well-informed compliance recommendations. Healthcare providers and supplier networks are often comprised of several different types of facilities. Adding to the complexity, facilities are often spread out geographically, spanning several states or, in some instances, several countries. The decentralised nature of these companies makes it difficult to assess whether a compliance programme is appropriately resourced and structured. Some of the critical questions are as follows:
- How many compliance coordinators and leaders should be placed at each facility?
- How many layers of oversight should there be between front-line employees and headquarters?
- How does the organisation foster consistency in compliance across different business or sales units?
- How should compliance responsibilities be divided?
- What is the appropriate amount of resources for the proposed compliance model?
The more complex the organisation, the more difficult it is to answer these questions.
Healthcare monitors are expected to be familiar with how a compliance programme works at all levels of a company, starting with its board of directors (the Board). The Board sets the compliance ‘tone at the top’, including through its allocation of resources, receipt of direct reports from the compliance department, and its prompt and effective handling of compliance weaknesses and failures. The Board can also provide information about company benchmarks, plans for future acquisitions and dissolutions, and plans for keeping up with an ever-changing regulatory landscape. Board engagement is a critical component of any successful monitorship. Monitors should confer with members of the Board early on and remain in contact throughout the monitorship. If possible, monitors should also attend Board meetings and review Board materials to foster transparency and open lines of communication. Monitor attendance at meetings of Board committees entrusted with compliance and ethics, and related functions such as audit, may be a critical way to gain insights.
Conduct of monitorship
The conduct of a monitorship in this area, as in others, demands significant interaction with a company’s compliance department. The relationship between the monitor team and the compliance department should be a mutually supportive one. After all, achieving the best possible compliance programme and systems for the company is the central mission of both the monitor and the compliance department. And compliance department leadership and personnel are often the best sources of information for the monitor. At the same time, it is important for the monitor to remain independent of the compliance department and bring independent judgement to assessing the information and activities presented by the compliance department.
The thorough assessment of a company’s compliance system requires a number of key steps. The monitor must review compliance resources to determine whether they are adequate, appropriately distributed in the field, sufficiently independent, and influential with management at the facility, headquarters and executive levels. The monitor should conduct similar reviews of the legal department, audit department and other functional areas key to the compliance programme. The monitor should assess the compliance programme ‘on paper’ – for example, the adequacy of compliance policies, risk assessments, structures, procedures and training. However, it is even more critical for the monitor to assess how the programme works in practice. That requires field visits to organisations that are decentralised and witness interviews of not only executive, compliance and legal personnel, but also operational personnel whose conduct is at the centre of the compliance risk.
In many respects, the nuts and bolts of the monitor’s work are similar to those of an internal investigation conducted by company counsel – thorough collection and review of documents (including email) and witness interviews. However, the independence of the monitor – the monitor is a lawyer but the company is not the client – introduces differences from a typical investigation by counsel. For example, the involvement of the company’s legal department in transactions of interest to the monitor may require the monitor to request that the company waive privilege for those transactions. Given the sensitivity of waivers, including the possibility that the company may face third-party requests for waived materials in the context of litigation, it is best for the monitor to request waivers only where necessary and craft the waiver requests as narrowly as possible. Moreover, Upjohn warnings at the outset of witness interviews are not appropriate for monitor interviews because the monitor is not company counsel and the interviews are not covered by the attorney–client privilege. However, it is appropriate to request that an interviewee does not discuss the interview with others, so as to encourage independent views of subsequent interviewees. In addition, it is important for the monitor to emphasise with interviewees that the purpose of the monitorship is to improve the company’s compliance and that they should be candid with the monitor even when they have criticisms to share. Offering confidentiality to the interviewee (although there may be circumstances – for example, a subpoena – in which the monitor would have to share the information with others) can help to foster candour.
Another key component of a monitorship is testing. Whether the relevant legal issues involve the accuracy of coding and billing, or agreements with referral sources that involve AKS risk, it is critical that the monitor sample relevant transactions for compliance with company policy and the law. The sample size (and distribution across a decentralised enterprise) and the substance of the testing must be adequate to satisfy the monitor that he or she will uncover any significant or systemic problems. The monitor should consider partnering with a forensic accounting expert in the area to assist with the sampling and testing.
There are a number of challenges for healthcare monitors, beginning with frequent corporate transactions. For example, a health system may acquire stand-alone hospitals or even an entire hospital network, consisting of dozens of hospitals or other facilities. Inevitably, some employees at the newly acquired facilities may leave the company or refuse to adapt to change. When an acquisition increases the geographical reach of an organisation, it may become difficult for company leaders, including the compliance and legal departments, to maintain an effective presence on the ground, which may embolden employees to ignore compliance guidance. Monitors are expected to assess their recommendations in light of how an acquisition (or dissolution) affects the company’s compliance system, so as to assist in the development of a new system that both works given the current state of the company and is sufficiently durable to accommodate future changes.
In addition, the healthcare field has the second highest turnover rate in the country – second only to hospitality. High turnover on the Board and at executive levels can present challenges with the organisation’s management of change, such as a lack of ownership regarding compliance issues and a lack of commitment to long-term compliance goals. High turnover in middle management and at the facility level also presents compliance challenges and risks. Monitors should consider conducting exit interviews with key departing employees to assess compliance risks and develop recommendations for dealing with change management.
Finally, the US DOJ has repeatedly and consistently emphasised the need for a strong compliance culture, noting that positive ‘change in corporate culture’ is a key consideration when deciding whether to impose a monitor. That culture should exist at every level within the company, from individual facilities, through market or regional management, to corporate executives and the Board. Monitors assess culture through interviews with personnel at each level, detailed assessment of operations on the ground through field visits, and ethics and compliance surveys. Those surveys provide useful snapshots of the culture at different levels within an organisation and can help to guide both the company’s compliance department and the monitor in terms of areas of future focus. In addition, repeating the survey, even after the completion of the monitorship, can provide company management with invaluable trending data on how well the company is developing its culture of compliance.
Complicated accounting and financial assessments
Internal audit functions and accounting practices are critical in detecting compliance issues, especially with respect to improper billing or kickbacks. As noted earlier in the chapter, healthcare fraud schemes are varied in nature and often are not easily detected in a company’s documentation, books and records. Yet, drilling down into those details can be an invaluable tool for uncovering and correcting flaws in a company’s compliance programme. Payment documentation, such as ledgers, invoices, pay cheques and other financial records, must be examined by someone who understands, in detail, healthcare accounting and billing. Monitors often engage forensic accountants with healthcare billing and valuation experience to help identify and remediate compliance risks in the billing and kickback areas. The accountants can help to test arrangements with referral sources, review leases, provide recommendations for audit practices, and use predictive analysis to help identify compliance issues before they occur. Healthcare monitors are not alone in turning to experts for assistance; however, there is no question that the transactions that raise compliance risks in this area are of a particularly high degree of complexity and breadth.
Evolving modes of healthcare delivery
Healthcare monitors must also be familiar with the different compliance risks presented by evolving modes of delivery of healthcare services and products. For example, healthcare networks sometimes comprise a variety of facilities, including traditional acute care hospitals, but also newer ambulatory centres, short-stay hospitals and urgent-care centres. Each type of facility presents a different risk profile. Acute care hospitals have dozens or even hundreds of agreements with referral sources, each presenting the risk that the network is paying the physician or other referral source to obtain referrals to the network in violation of the AKS or the Stark Law. Ambulatory surgery centres and some surgical hospitals may be owned jointly by physicians and the healthcare network. This presents an entirely different and potentially serious set of compliance risks for the monitor to evaluate, namely that the network is conditioning physician ownership on the volume or value of referrals to the facility in which the network has a financial interest. These sorts of nuances permeate the US healthcare system and, given the importance of healthcare in the political debate, more changes in healthcare delivery are inevitable. This will only further complicate the work of healthcare monitors.
Predictions for the future
The US DOJ’s priorities in the past few years have remained focused on healthcare fraud, but the monitorship programme was marked by a sharp cooling of interest during the Trump Administration, followed now by an express revival of interest in the Biden Administration’s US DOJ.
First, the US DOJ has moved and, if its public statements are any indication, will probably continue to move towards greater individual accountability. Historically, the US DOJ placed greater emphasis on prosecuting organisations than on holding individuals responsible for the misconduct that led to the violations. More recently, however, the US DOJ has increased its focus on individuals, with the understanding that individual accountability may lead to greater deterrence. In 2015, for example, Deputy Attorney General Sally Quillian Yates issued guidance asserting that ‘[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing’. To do so, she continued, the US DOJ would ‘focus on individual wrongdoing from the very beginning of any investigation of corporate misconduct’; would refuse to extend cooperation credit to corporations who failed to ‘completely disclose to the department all relevant facts about individual misconduct’; and would refuse to ‘agree to a corporate resolution that includes an agreement to dismiss charges against, or provide immunity for, individual officers or employees’, absent ‘extraordinary circumstances’.
In August 2018, the US DOJ’s Health Care Fraud Unit (HCF Unit) Chief Joseph Beemsterboer noted that the HCF Unit and the USAOs are ‘tackling . . . really bad professionals and doctors. . . . For the Health Care Fraud Unit, the focus is on individuals’. And in October 2021, the US DOJ doubled down on this emphasis on individual accountability. Deputy Attorney General (DAG) Lisa Monaco issued new guidance (the Monaco Memorandum) mandating that ‘[t]o receive any consideration for cooperation’ with the government, a ‘company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status, or seniority, and provide to the [US DOJ] all nonprivileged information relating to that misconduct’. Holding ‘accountable the individuals who perpetrated the wrongdoing’, DAG Monaco asserted, was ‘[o]ne of the most effective ways to combat corporate misconduct’ and was necessary to ‘promote the public’s confidence in [the US] justice system and economy’.
Indeed, the remarkable decline in the number of healthcare fraud-related agreements entered into by the US DOJ during the past six years reflects the diminished role of company-wide accountability efforts in the Department’s enforcement toolkit:
- 2016: two DPAs and three NPAs;
- 2017: three DPAs and one NPA;
- 2018: one NPA and zero DPAs;
- 2019: one DPA and one NPA;
- 2020: zero DPAs and zero NPAs; and
- 2021: zero DPAs and zero NPAs.
However, at the same time that the number of healthcare fraud-related agreements has decreased, there has been a significant – though uneven – increase in individual enforcement actions during the past five years. For example, as compared with 2017, in 2018 the HCF Unit had a 56 per cent increase in opioid defendants and a 40 per cent increase in the number of individuals charged. In 2019, the number of individuals charged by the HCF Unit was 10 per cent higher than in 2018. In 2020, however, the number of individuals charged by the HCF Unit dropped by about 50 per cent from the previous year. Whether this drop was the result of the covid-19 pandemic and whether the number of individual prosecutions rebounded in 2021 remain to be seen. Nevertheless, we have seen two record-breaking recoveries against individuals in recent years. In July 2017, the largest healthcare fraud enforcement action up to that date was taken by the Medicare Fraud Strike Force against 412 individuals in 41 districts involving US$1.3 billion in alleged fraud. Charges included medically unnecessary treatments, treatments that were never provided and kickbacks. In June 2018, the US DOJ broke that record when it announced charges against 601 individuals in 58 districts involving more than US$2 billion in alleged fraud. And in September 2020, the US DOJ shattered that record again, announcing charges against 345 defendants in 51 districts involving more than US$6 billion in alleged fraud losses.
As the covid-19 pandemic enters its third year, the US DOJ has also signalled that pursuing enforcement actions against individuals accused of participating in healthcare fraud schemes exploiting the pandemic will be a top priority for the Department. For example, in March 2021, it announced efforts to ‘combat COVID-19 related fraud, including schemes targeting the Paycheck Protection Program’ and unemployment insurance programmes. As part of that effort, Acting Assistant Attorney General Brian M Boynton asserted that the US DOJ would ‘not allow American citizens or the critical benefits programs that have been created to assist them to be preyed upon by those seeking to take advantage of this national emergency’. In May 2021, the US DOJ announced criminal charges against 14 individuals for a series of schemes that involved, among other things, offering covid-19 tests to Medicare beneficiaries to induce them to provide a blood or saliva sample that was then used to submit Medicare claims for wholly unrelated, unnecessary and more costly laboratory tests. Other individuals were charged with taking advantage of new policies permitting the expansion of telehealth services to submit claims to Medicare for telemedicine encounters that did not occur.
The US DOJ has also repeatedly refined its approach to corporate monitors. In October 2018, for example, Assistant Attorney General (AAG) Brian Benczkowski issued new guidance regarding the decision whether to require a corporate monitor and the selection process in Criminal Division matters (the Benczkowski Memorandum). AAG Benczkowski said in his memorandum that, when a monitorship was needed, the financial costs of that monitorship would be a central consideration. In other words, US DOJ attorneys should consider whether a monitorship’s scope is tailored narrowly ‘to avoid unnecessary burdens to the business’s operations’. In 2019, Deputy Assistant Attorney General Matthew Miner offered some additional colour on this guidance, noting that ‘the state of a company’s compliance program’ would play a ‘significant role’ in the decision as to whether to impose a monitor, and that the Criminal Division’s ‘bottom line standard’ under the guidance was that a monitor should only be imposed ‘where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens’. Indeed, for several years, the number of newly appointed corporate monitors has been dropping noticeably. Nine of the 35 NPAs or DPAs the US DOJ executed in 2016 (the last year of the Obama Administration) required corporate monitors; by contrast, of the 21 newly executed NPAs or DPAs in 2018, only one contained the same requirement.
In October 2021, DAG Monaco issued new guidance that was meant to ‘revise, supplement, and, in part, supersede’ the Benczkowski Memorandum, and signalled robust support for corporate monitors by asserting that monitors can ‘be an effective means of reducing the risk of repeat misconduct and compliance lapses’ and declaring that the US DOJ was ‘committed to imposing monitors where appropriate’. DAG Monaco said in her memorandum that when ‘assessing the need for and propriety of a monitor’, the US DOJ would be guided by ‘two broad considerations’: ‘(1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation.’ The US DOJ ‘should favor the imposition of a monitor’, she continued, echoing prior guidance, ‘where there is a demonstrated need for, and clear benefit to be derived from, a monitorship’ and where the ‘corporation’s compliance program and controls are untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’. DAG Monaco also reinforced the US DOJ’s previous guidance requiring that a monitorship be tailored to the ‘specific issues and concerns that created the need for the monitor’ in the first place.
The September 2018 settlement of a criminal investigation involving Health Management Associates, LLC (HMA) is a good example of the US DOJ’s approach to monitorships during the Trump Administration. The government alleged that, among other things, HMA:
- knowingly billed federal healthcare programmes for inpatient services that should have been billed as outpatient or observation services;
- paid remuneration to physicians in return for patient referrals; and
- submitted inflated claims for emergency department facility fees.
Although HMA entered into a three-year NPA with the US DOJ, the Department noted that a compliance monitor was not necessary given ‘HMA and HMA Parent’s remediation and the state of their compliance program, the CIA between HHS-OIG and HMA Parent, and their agreement to’ self-report compliance issues. Whether the US DOJ under its current leadership would have made the same decision is an open question.
Nearly 25 years after the US DOJ described healthcare fraud as ‘the crime of the nineties’, it remains a top priority for the Department. Although it has refined its approach to monitorships in corporate healthcare cases with greater experience and through changes in administration, it is certain that we have not seen the end of monitors in this area. Indeed, the Department’s renewed emphasis on the importance of effective compliance systems, and seemingly reduced emphasis on imposing massive punishments on corporate defendants, could lead to greater emphasis on remediation, including monitorships, that help to build effective compliance programmes moving forward rather than the imposition of record-breaking fines. Healthcare monitors will undoubtedly continue to face a number of compliance challenges from highly complex laws and regulations, ever-changing corporate structures and healthcare delivery modes, and high degrees of sophistication and variation in the manner in which fraud is perpetrated on the system.