Actions under the False Claims Act may be brought by the Attorney General or as a qui tam action by a private individual on behalf of the federal government who shares in any amounts paid by the defendant to the government in connection with the action. The number of filings under these provisions has increased significantly in recent years. Conduct that violates the False Claims Act may also lead to exclusion from the federal healthcare programs. Further, violations of the False Claims Act can result in very significant monetary penalties and treble damages. In addition, the civil monetary penalties statute imposes penalties against any person who is determined to have presented or caused to be presented a claim to a federal health program that the person knows or should know is for an item or service that was not provided as claimed or is false or fraudulent. Many states have enacted similar laws modeled after the False Claims Act that apply to items and services reimbursed under Medicaid and other state healthcare programs, and, in several states, such laws apply to claims submitted to all payors. Given the significant size of actual and potential settlements, it is expected that the government authorities will continue to devote substantial resources to investigating healthcare providers’ and manufacturers’ compliance with applicable fraud and abuse laws.
Federal Prohibitions on Healthcare Fraud and False Statements Related to Healthcare Matters
The federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, created new federal criminal statutes that prohibit, among other actions, knowingly and willfully executing, or attempting to execute, a scheme to defraud any healthcare benefit program, including private third-party payors, knowingly and willfully embezzling or stealing from a healthcare benefit program, willfully obstructing a criminal investigation of a healthcare offense, and knowingly and willfully falsifying, concealing or covering up a material fact or making any materially false, fictitious or fraudulent statement in connection with the delivery of or payment for healthcare benefits, items or services. Similar to the U.S. federal Anti-Kickback Statute, ACA broadened the reach of certain criminal healthcare fraud statutes created under HIPAA by amending the intent requirement such that a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation.
Health Insurance Portability and Accountability Act
We may also be subject to data privacy and security regulation by both the federal government and the states in which we conduct our business. HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, and their respective implementing regulations, including the final omnibus rule published on January 26, 2013, impose specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s privacy and security standards directly applicable to “business associates,” defined as independent contractors or agents of covered entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity. HITECH also increased the civil and criminal penalties that may be imposed against covered entities, business associates and possibly other persons, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorney’s fees and costs associated with pursuing federal civil actions. In addition, state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways and may not have the same requirements, thus complicating compliance efforts.
Furthermore, international laws, such as the EU Data Privacy Directive (95/46/EC) and Swiss Federal Act on Data Protection, regulate the processing of personal data within Europe and between European countries and the United States. Failure to provide adequate privacy protections and maintain compliance with safe harbor mechanisms could jeopardize business transactions across borders and result in significant penalties.
Physician Payments Sunshine Act
There has been a recent trend of increased federal and state regulation of payments made to physicians and other healthcare providers. The Physician Payments Sunshine Act requires most pharmaceutical manufacturers to report annually to the Secretary of HHS payments or “transfers of value” made by that entity to physicians and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members. Over the next several years, we will need to dedicate significant resources to establish and maintain systems and processes in order to comply with these regulations. Failure to comply with the reporting requirements can result in significant civil monetary penalties of up to an aggregate of $150,000 per year and up to an aggregate of $1.0 million per year for “knowing failures.” Covered manufacturers must submit reports concerning payments and ownership and investment interests for a calendar year by the 90th day of each subsequent calendar year. In addition, certain states require implementation of compliance programs and compliance with the pharmaceutical industry’s voluntary compliance guidelines and the relevant compliance guidance promulgated by the federal government, impose restrictions on marketing practices, and/or tracking and reporting of gifts, compensation and other remuneration or items of value provided to physicians and other healthcare professionals and entities. Similar laws have been enacted or are under consideration in foreign jurisdictions, including France which has adopted the Loi Bertrand, or French Sunshine Act, which became effective in 2013, and Belgium which enacted their Sunshine Act in 2016.