With great crisis comes great compliance risk. The COVID-19 pandemic is no exception. The Coronavirus Aid, Relief, and Economic Security (CARES) Act is infusing an initial $2.2 trillion in government funds to mitigate the economic effects of COVID-19.
Healthcare providers— from large hospitals to small practices — are receiving portions of these federal funds. Former crises teach us that even before the dust begins to settle, government enforcement actors will aggressively search for fraud in the form of any misrepresentations made to the government to receive these funds, invoking the federal False Claims Act (FCA) and seeking treble damages, fines and criminal referrals where appropriate. There also remains the potential for individuals to report potential false claims as a whistleblower.
Healthcare providers who submitted information to the government in connection with getting any type of claim paid (e.g., emergency Medicare relief, a Paycheck Protection Program (PPP) loan, a bill for medical services) will face enhanced compliance risk in connection with the FCA and potential criminal enforcement. But there are steps that can be taken to help mitigate this risk.
The False Claims Act in times of emergency public healthcare spending
The FCA is the federal government’s primary tool for combating fraud on the public purse. It presents substantial compliance risk from two directions. First, it provides government enforcement officials with a remedy for treble damages and civil penalties against businesses and individuals who submit materially false claims for payment to the government — whether they do so knowingly or act in deliberate ignorance or reckless disregard of the falsity of the claims. Second, it deputizes private plaintiffs to bring qui tam suits as “relators” (whistleblowers) standing in the government’s shoes, sometimes incented by receiving a share of any recovered government funds.
Crises typically beget heightened government spending, with increased FCA enforcement activity following closely on its heels. The COVID-19 crisis is already on track to follow the same pattern on a larger scale. The CARES Act set aside $100 billion in emergency relief administered by the U.S. Department of Health & Human Services (HHS) through the Public Health and Social Services Emergency Fund. The fund — allocated to providers proportionately based on how much a given provider billed Medicare fee-for-service in 2019 — can be utilized to support COVID-19-related expenses or lost revenue due to the cancelation of non-essential elective procedures. In addition, the $350-billion PPP adds an additional $75 billion to the fund.
The Department of Justice has already begun “urging the public to report suspected fraud schemes related to COVID-19” and “directed all U.S. Attorneys to prioritize the investigation and prosecution of Coronavirus-related fraud schemes.” Plaintiffs’ law firms who represent whistleblowers can be expected to follow suit on the whistleblower front. In short, the COVID-19 crisis and CARES Act provide fertile ground for FCA enforcement actions and criminal referrals, heightening healthcare organizations’ associated compliance risk.
Measures to minimize FCA exposure amid the COVID-19 crisis
Many healthcare providers will understandably be interested in participating in one or more of the relief programs established by the CARES Act. These programs, however, are conditioned on various eligibility requirements and approved uses of program funds. Compliance with those and other requirements is critical for minimizing exposure to FCA enforcement actions by the government, qui tam suits by private whistleblowers and potential criminal referrals. Follow these steps to make safe decisions:
REVIEW PROGRAM RULES CAREFULLY AND DEVELOP REASONABLE AND DEFENSIBLE INTERPRETATIONS
Generally speaking, a company or individual cannot be held liable under the FCA unless there has been a violation of a material “statutory, regulatory, or contractual requirement.” The first step in FCA compliance is reviewing all applicable requirements in connection with a claim for payment from the government to ensure that one’s certifications of compliance are accurate. That task, however, can be complicated in the face of ambiguity.
For instance, healthcare providers that receive emergency relief from the Public Health and Social Services Emergency Fund must certify that the payments will “only be used to prevent, prepare for, and respond to coronavirus, and [will] reimburse the Recipient only for healthcare related expenses or lost revenues that are attributable to coronavirus.” Ascertaining exactly what the government will later apply as its test for the required connection between a payment’s use and the coronavirus is no easy task. Likewise, it is not yet entirely clear what the government might ultimately say constitutes a false certification in an application for PPP loan funds that “current economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.”
Fortunately, the FCA provides a defense for such cases: when a payment recipient’s conduct is based upon a reasonable interpretation of an ambiguous requirement, and the government has not provided any contrary official alternative interpretation, there is no FCA “knowledge” of falsity as a matter of law. Healthcare providers should read program rules and certifications carefully and develop reasonable, defensible interpretations of them, consulting counsel as necessary in the process.
KEEP A RECORD
Hospitals and healthcare practices can further reduce exposure to FCA liability by documenting their understanding of the underlying rules, communicating that understanding to the government and tracking their fund expenditures. This includes ensuring that any specific directions from the government are committed to writing, as well as documenting the following:
- Any government modification or waiver of requirements (especially if the government deviation is informal, such as an oral representation)
- The services and items provided by a healthcare provider fund-recipient that are in direct response to the COVID-19 pandemic (to justify reimbursement).
In fact, any healthcare organization receiving more than $150,000 in CARES Act relief is required to submit to HHS and the Pandemic Response Accountability Committee a report outlining and documenting how those funds were utilized.
All providers should keep a record of their communications with the government and their utilization of federal funds. Careful documentation reduces compliance risk. For example, keeping a record as to the government’s knowledge of how a fund-recipient would use federal funds can defeat an FCA case by showing that the recipient did not knowingly defraud the government or that the way the funds were utilized were not material to the government’s payment or lending decision.
EVALUATE COMPLIANCE AND REPORTING PROGRAMS AND ADOPT BEST PRACTICES
Throughout the COVID-19 crisis and recovery, healthcare organizations should continue to review existing compliance programs and risk-management procedures, and adopt supplemental compliance practices where appropriate to shore up heightened risks posed by the pandemic.
As a starting point, catalogue all statutory, regulatory and contractual requirements governing providers’ claims for government funds, and implement policies and controls around any certifications of compliance with such requirements made to the government. Healthcare entities should then ensure that they have proper accounting and billing procedures in place to track expenditures and services from federal funding for approved purposes. Separately, companies should intensify their efforts to maintain effective internal reporting and compliance certification systems.
Finally, healthcare providers should be wary of business relationships in which there is a heightened risk of fraud, waste or abuse, and should conduct due diligence before entering into new business relationships. Failure to perform basic due diligence on business partners could subject companies’ conduct to government scrutiny.
The risk is not hypothetical. Just recently, the DOJ indicted an individual who ran a marketing company that generated leads to testing companies, alleging that he conspired with other healthcare providers to receive kickbacks for COVID-19 tests, provided that those tests were bundled with a much more expensive test that does not identify or treat COVID-19. Committing to an effective compliance and reporting regime on the front-end helps mitigates such risks.