By Scott Gallisdorfer
This is Part 2 of a two-part blog post. Access Part 1 here.
With the Department of Justice (DOJ) and other government agencies enforcing healthcare fraud and abuse laws as aggressively as ever, healthcare companies and investors in every sector of the industry should be vigilant to a host of old and new risks. In a previous article, I discussed compliance challenges associated with pandemic aid and the Controlled Substances Act (CSA). In this article, I will address healthcare enforcement risks related to cybersecurity, Medicare Advantage and private equity.
Cybersecurity: Healthcare at the forefront
With data breaches and cyber-attacks in the news on a seemingly weekly basis, it comes as no surprise that cybersecurity requirements present healthcare organizations with yet another source of newly emerging enforcement risk. For its part, DOJ launched a Civil Cyber-Fraud Initiative in 2021, which is only just beginning to bear fruit.
Late last year, for example, Verizon Business Network Solutions agreed to pay roughly $4 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement various cybersecurity controls required by its government contracts. And in April 2024, DOJ intervened for the first time in an FCA cybersecurity case, when it joined a qui tam lawsuit against Georgia Tech Research Corporation alleging ongoing failures to comply with controls required by hundreds of contracts with the Department of Defense.
So far, DOJ has mostly trained its cybersecurity sights on industries other than healthcare. But there is good reason to believe that is beginning to change. Coupled with high-profile healthcare security incidents like the February 2024 Change Healthcare cyberattack, regulators are increasingly talking tough about data security in the healthcare industry.
Earlier this year, for instance, Principal Deputy Assistant Attorney General Brian Boynton highlighted cybersecurity among DOJ’s highest FCA enforcement priorities for 2024. And around the same time, in conjunction with the White House’s National Cybersecurity Strategy Implementation Plan, the Department of Health and Human Services (HHS) touted an “HHS-wide strategy to support greater enforcement and accountability” around cybersecurity requirements and initiatives across the healthcare sector.
As these developments make clear, simply training employees on HIPAA and other privacy and security requirements is no longer enough. Healthcare organizations must act promptly and proactively to protect their data from hostile actors, including by implementing state-of-the-art cybersecurity defenses. Not only does failing to act potentially compromise the security and integrity of patient information and other sensitive data, it is increasingly likely to come at a substantial enforcement-related cost.
Medicare advantage: Moving beyond MAOs
Announcing a nine-figure FCA settlement with the Cigna Group in September 2023, Deputy Assistant Attorney General Michael Granston noted that “over half our nation’s Medicare beneficiaries are now enrolled in Medicare Advantage plans, and the government pays private insurance over $450 billion each year to provide for their care.” Given these statistics, it is little surprise that combatting fraud and abuse within the Medicare Advantage program has become a key government priority. And, increasingly, it is not just the payors who find themselves at risk. In remarks delivered in February 2024, Principal Deputy Assistant Attorney General Brian Boynton noted that, in addition to continuing to target the risk adjustment practices of Medicare Advantage Organizations (MAOs), DOJ “expects to expand its focus on the Medicare Part C Program to include an examination of the role that vendors and providers play” in the risk adjustment data that MAOs submit to the government.
At least one recent settlement offers a preview of what those efforts may look like. In May 2023, a Philadelphia primary care physician practice and two of its providers agreed to pay more than $1.5 million to resolve FCA allegations that they caused the submission of false claims by misrepresenting the severity of illnesses and services with the effect of inflating Medicare Part C reimbursement. Announcing the settlement, U.S. Attorney Jacqueline Romero emphasized that DOJ “will hold accountable those who report unsupported diagnoses to inflate Medicare Advantage.” Vendors providing services for MAOs should also be wary. In addition to referencing enforcement against vendors in public remarks, DOJ has intervened in at least one qui tam lawsuit alleging that a vendor caused the submission of false claims by assisting MAOs with preparing inflated risk adjustment data. Litigation in that case, U.S. ex rel. Ross v. Independent Health Association, is ongoing.
By now, MAOs themselves are likely well aware of the enforcement risks posed by the submission of inaccurate diagnosis codes and other risk adjustment data. DOJ’s recent pronouncements and actions, however, make clear that other healthcare organizations—including providers—face significant risks as well. Among other takeaways, this trend highlights the need for accurate coding and regular auditing—even beyond the traditional fee-for-service claims that often receive the most attention under providers’ and vendors’ regulatory compliance programs.
Private equity investment in healthcare: Following the money
As private equity investment in the healthcare industry has exploded, holding investors responsible for false claims submitted by their portfolio companies has become a frequent topic of discussion. So far, however, the returns for regulators have been limited. Although a few high-profile resolutions have made clear that private equity sponsors are not immune from healthcare-focused enforcement, those examples have been few and far between.
Like with cybersecurity enforcement, though, that trend may be poised to change. Among other signals, DOJ has expressly called out private equity investment as a 2024 FCA enforcement priority, somewhat cynically cautioning about a perceived potential for third-party investors to “undermine medical judgment, inappropriately influence the doctor/patient relationship, and cause the submission of false claims.” Other regulators and authorities are on the beat as well. Officials at the Federal Trade Commission (FTC), for example, have repeatedly expressed concerns about perceived antitrust and consumer-protection risks posed by private equity in healthcare and have begun taking action at least in a few instances.
In light of these threats, private equity investors in healthcare should prepare now to respond to regulatory concerns or enforcement inquiries that may arise. While investing in a portfolio company is by itself typically not a sufficient basis for assigning liability, undue influence on a portfolio company’s operations or ignoring corporate formalities may provide a hook for moving up the chain to a healthcare company’s private equity owner. Investors should therefore be careful about maintaining legal and operational independence from their investments. And they should do all they can to encourage and support compliance. That includes undertaking and appropriately acting on robust diligence at the time of an initial investment.
Conclusion
As detailed above, recent enforcement activities, as well as public pronouncements by DOJ, reveal at least five new focus areas likely to shape compliance risk going forward. Organizations exposed to these trends must take steps now to ensure they are ready should a regulator or whistleblower come calling.
Scott D. Gallisdorfer is a member at Bass, Berry & Sims PLC in its Nashville, Tennessee, office. He focuses his practice on complex litigation and government and internal investigations, with an emphasis on matters related to the healthcare industry. Scott has significant experience in FCA litigation and healthcare fraud and abuse investigations, including civil and criminal investigations by the DOJ, HHS-OIG and other federal and state regulators. Scott can be reached at [email protected].