By Scott Gallisdorfer
Enforcement of the healthcare fraud and abuse laws is as aggressive as ever, and healthcare companies and investors in every sector of the industry must remain on guard against myriad compliance risks involving nearly every aspect of their businesses. Fresh risks continue to emerge every year. As government regulators and whistleblowers actively pursue new targets, theories and subject matter, the regulatory environment is only becoming more complex.
Consider the most recent False Claims Act (FCA) enforcement statistics published by the U.S. Department of Justice (DOJ). In fiscal year 2023 alone, FCA recoveries by the government exceeded $2.68 billion, and the government or qui tam whistleblowers, also known as relators, were involved in more than 500 individual settlements and judgments. And there is no slowdown in sight. Last year also saw nearly 450 new FCA matters initiated in the healthcare space, nearly three quarters of which were filed by relators.
Much of this enforcement activity has continued to focus on areas and issues that are well known to industry veterans—for example, the Stark Law and Anti-Kickback Statute (AKS), upcoding and medical necessity issues, and pharmaceutical and medical device marketing practices. But among those more traditional enforcement priorities are several emerging risk areas that are only beginning to come to prominence. Indeed, a review of recent enforcement efforts by regulators and relators illustrates at least five areas marked by new or significantly increasing risk. For providers and other healthcare businesses, fully understanding the activity and trends in each of these areas is essential to ensuring a healthy and robust compliance function—and avoiding unnecessary risk.
In this first of two articles, I will review two aspects of the fraud enforcement environment:
- How pandemic-related fraud enforcement, particularly for large organizations and more complex schemes, is likely just beginning; and
- How Controlled Substances Act (CSA) enforcement, which has traditionally focused on the bad actors responsible for diverting prescription drugs, increasingly includes pursuing pharmacies, providers and other participants in the supply chain who fail to prevent diversions from occurring.
In a second article, I will review issues regarding cybersecurity, Medicare Advantage and private equity in healthcare.
COVID-19 and provider relief: Are headlines just beginning?
While the COVID-19 public health emergency may now have passed, the associated enforcement efforts are just beginning. DOJ has made policing the use of provider relief funds a significant priority, with Deputy Assistant Attorney General Lisa Miller emphasizing last year DOJ’s “whole of government approach to identifying, investigating, and prosecuting COVID-19 related health care fraud.” Only confirming this focus, DOJ announced in April 2024 that its cross-agency COVID-19 Fraud Enforcement Task Force, first established in 2021, has to date criminally charged more than 3,500 defendants and filed more than 400 civil lawsuits, resulting in seizures and forfeitures of more than $1.4 billion and over $100 million in total civil judgments.
Until recently, these efforts had mostly focused on relatively small-scale criminal matters. But an increasing number of civil FCA actions—including ones brought by whistleblowers—are now targeting provider relief funds, Paycheck Protection Program (PPP) loans, and other pandemic-related programs and services. For example, in February 2024, a clinical laboratory and its owner agreed to pay more than $14 million to settle an FCA action alleging they “sought to profit off the COVID-19 pandemic” by paying sales representatives to recommend expensive, unnecessary respiratory tests to senior communities interested only in COVID-19 tests. In December 2023, United Memorial Medical Center agreed to pay more than $2 million in an FCA settlement resolving allegations that it double-billed government healthcare programs for COVID-19 tests. Beyond the healthcare industry, several larger companies have also recently settled FCA allegations involving false information provided in connection with PPP loans.
With DOJ and the whistleblower bar continuing to tout an aggressive focus on pandemic-era fraud, these kinds of actions are unlikely to dissipate anytime soon. If anything, given the time and resource requirements of more extensive fraud investigations, criminal and FCA actions against larger entities—based on more sophisticated schemes—are almost certainly just starting. Healthcare businesses and organizations would therefore be wise to remain vigilant when it comes to oversight of pandemic-related billing and benefits, including by promptly investigating concerns and returning identified overpayments to the relevant government programs.
Drug Diversion and the Controlled Substances Act: Broadening the enforcement net
Another emerging risk for healthcare providers and pharmacies, in particular, is the rapidly expanding enforcement landscape under the Controlled Substances Act (CSA). The CSA has been around for a long time, but only recently have regulators, including the Drug Enforcement Administration (DEA), begun to systematically shift their focus from policing individual bad actors responsible for diverting prescription drugs to monitoring the providers, pharmacies and other larger organizations responsible for safeguarding those drugs.
The CSA and its associated regulations impose burdensome obligations on every actor in the controlled substances supply chain, including manufacturers, distributors, pharmacies and providers. And, increasingly, even otherwise well-meaning organizations may find themselves in the enforcement crosshairs by failing to maintain accurate records or have in place adequate security measures and controls to prevent theft and diversion.
Several recent settlements illustrate this risk. In March 2023, People’s Pharmacy in Colorado accepted a $3.5 million civil penalty to resolve allegations that it ignored red flags when filling prescriptions for opioids, which the government alleged facilitated the diversion of those drugs into the community. Cheshire Medical Center in New Hampshire also paid $2 million last year to resolve allegations that it violated the CSA by failing to maintain accurate records of pharmaceuticals, including opioids. And earlier this year—in what was the fourth-largest CSA settlement in history—e-commerce giant eBay agreed to pay nearly $60 million to resolve allegations that it violated the CSA by failing to properly report to DEA thousands of transactions involving the sale of pill presses and encapsulating machines.
Given the sophisticated and surreptitious means through which bad actors are increasingly seeking to divert prescription opioids and other drugs, eliminating all CSA enforcement risk may be more aspiration than reality. But organizations can still do plenty to protect themselves from future liability. By proactively implementing and auditing the necessary controls and recordkeeping requirements, educating employees on the red flags that often accompany nefarious activity and promptly reporting incidents to DEA when they occur, organizations can make themselves a partner, rather than prey, for regulators’ increasing focus on drug diversion and the CSA.
Conclusion
As most healthcare compliance professionals well know, regulatory and enforcement threats are constantly evolving. In that environment, it is essential that healthcare organizations understand what enforcement activity is already underway—and what regulators are signaling may come next—to align their compliance efforts to meet emerging threats. Please look for my next installment on cybersecurity, Medicare Advantage and private equity in healthcare.
Scott D. Gallisdorfer is a member at Bass, Berry & Sims PLC in its Nashville, Tennessee, office. He focuses his practice on complex litigation and government and internal investigations, with an emphasis on matters related to the healthcare industry. Scott has significant experience in FCA litigation and healthcare fraud and abuse investigations, including civil and criminal investigations by the DOJ, HHS-OIG and other federal and state regulators. Scott can be reached at scott.gallisdorfer@bassberry.com.