His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the United Arab Emirates (UAE), has decreed various updates to Federal Law No. 3 of 1987, known as the UAE Penal Code, that bring the country’s bribery and corruption legislation positively into line with other regimes in other jurisdictions. Continue Reading
On May 31, 2019, the U.S. Attorney for the District of Kansas announced a $250,000 settlement with Coffey Health System, after two whistleblowers filed qui tam suit against Coffey for violations of the False Claims Act. The settlement resolved allegations that Coffey submitted false claims to Medicare and Medicaid pursuant to the Electronic Health Records Incentive Program. That program offers incentive payments to healthcare providers who adopt meaningful electronic health records (EHR) technology and systems. This case is the most recent in a slew pursued by the Department of Justice. It is a helpful reminder that clients should conduct effective risk analyses when determining whether to adopt EHR technologies in accordance with the federal incentive program.
What is the EHR Incentive Program?
The Electronic Health Records Incentive Program is a provision under the Health Information Technology for Economic and Clinical Health (HITECH) Act – a federal law enacted as part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5 (Feb. 17, 2009)), which amended the Health Insurance Portability and Accountability Act (HIPAA) to address privacy and security concerns associated with the electronic transmission of protected health information. The HITECH Act includes provisions aimed at encouraging health organizations to digitize their health records and record systems. The Act also includes a financial incentives program, or a “meaningful use program.”
Specifically, the Department of Health and Human Services (HHS), through Medicare and Medicaid, offers incentive payments to healthcare providers who agree to comply with certain EHR technology standards and requirements, such as using certified EHR systems, attesting that the organization satisfies certain implementation standards and security risk measures, and other ongoing compliance provisions. When companies attest they are in compliance with the incentive program’s requirements, healthcare providers must acknowledge that the filing of such an attestation equates to submitting a claim for federal funds. False statements in any federally filed documents related to the program are subject to federal and state criminal laws and civil penalties.
Businesses taking advantage of the incentive program must demonstrate meaningful use of the EHR records within one year of receiving funds, or face potential penalties, or delayed or cancelled future disbursements. Full noncompliance may lead to sanctions and mandatory reimbursement in full. Incentive payments are audited by HHS and Medicare/Medicaid, and often require documentation to support proof of any attestation that the providers are in compliance with the program, and have made the noted system improvements. Health care organizations who do not comply risk liability when making false attestations, or from knowingly receiving “reverse false claims” through overpayment or retention of payments unsubstantiated and unearned.
DOJ Enforces False Attestations in the EHR Incentive Program
The False Claims Act (31 U.S.C. Sections 3729-3733) creates civil liability for knowingly presenting, or causing to be presented, false or fraudulent claims to the United States. The Act permits private persons to file suit for violations of the state on behalf of the government, in what is known as a “qui tam” action. Such a suit triggers a government investigation if one has not already begun.
On May 7, 2019, the Department of Justice issued updated guidance on False Claim Act matters. Click here for prior post. Essentially, whistleblowers and cooperators are incentivized to voluntarily disclose misconduct within their organizations, and can receive financial compensation for their conduct. Companies are further encouraged to cooperate with any federal investigation, and under the updated policy, the Department will take into account any corrective action a company takes in response to an allegation of wrongdoing under the False Claims Act. Such credit generally takes the form of a reduction in damages assessed and/or civil penalties. Under the updated policy, the Justice Department “may” publicly acknowledge the company’s cooperation. The updated guidance is instructive insight to the Department’s recent push to prosecute those who falsely attest to complying with the EHR Incentive Program.
United States ex rel. Awad et al. v Coffey Health System (2:16CV02034 (D. Kan.))
Coffey Health System is a twenty-five-bed “critical access” hospital in central Kansas. In 2016, the hospital’s former Chief Information Officer (CIO) and corporate compliance officer filed a qui tam suit under the False Claims Act, claiming that Coffey falsely attested that it conducted and reviewed security risk analyses in accordance with the EHR Incentive Program. From 2011 through 2016, the whistleblowers contented that Coffey failed to comply with the appropriate standards, and received more than $3 million in payments from the incentive program, without adhering to its terms. During this same time period, the suit alleges that Coffey represented that patient data submitted to Medicare and Medicaid was captured and exported through certified EHR technology, when in fact it was captured and exported manually. The CIO stated that in 2014 he reported his concerns to hospital officials after he was able to access patient records through a county-wide shared firewall, in clear violation of EHR Incentive policies. Though the CIO attempted to correct many of the issues, the hospital allegedly failed to devote resources to the security risk analysis findings, and further failed to provide the CIO with the tools and support to correct the deficiencies. In addition, the hospital purportedly failed to properly document its efforts to adhere to the EHR. Coffey Health systems decided to settle the matter with the Department of Justice, returning $250,000 of the more than $3 million they received under the incentive program. Consistent with DOJ policy, the whistleblowers will receive $50,000 of the settlement.
Other Enforcement Actions
HHS and the Department of Justice have investigated and settled several similar cases. In 2015, the Eastern District of Texas criminally prosecuted the former Chief Financial Officer (CFO) of Shelby Regional Medical Center for making false statements in connection with funds distributed to the office by the EHR Incentive Program. The CFO pled guilty, was sentenced to 23 months in prison, and was personally ordered to pay over four million dollars in restitution. (U.S. v. White, 6:14CR0005-001 E.D. Tex.)
In what has been billed Vermont’s largest financial recovery, the Department investigated and negotiated a settlement with eClinicalWorks, one of the nation’s largest EHR software manufacturers, requiring them to pay $155 million to resolve the civil qui tam suit. (U.S. ex rel. Delaney v. eClinicalWorks LLC, 2:15CV00095 (D. Vt.)). In that case, the whistleblower filed suit alleging that the software company misrepresented its product’s capabilities to HHS, and falsely certified their software complied with the statutory requirements, among other claims. In that case, the qui tam claimant received more than $30 million as part of the settlement.
In 2019, Greenway Health, a Tampa, Florida-based developer of EHR software, agreed to pay a $57.25 million fine to settle allegations brought under the False Claims Act that Greenway misrepresented its software’s capabilities, leading to false claims submitted through its use. (U.S. v. Greenway Health, LLC, 2:19CV20 (D. Vt.)). In addition, Greenway was allegedly inducing new customers to use its software by making “unlawful remunerations,” thereby violating the Anti-Kickback statute. Greenway’s faulty software, according to the Department, did not comply with the requirements for EHR certification.
Best Practices: Requirements for Conducting Effective Risk Analysis
In general, electronic health records need to be maintained with an emphasis on sophisticated, HIPAA-compliant privacy systems. Participation in the EHR Incentive Program exacerbates a client’s potential exposure by requiring those receiving monies to consistently certify their adherence to the rules, and attest that the entity is consistently using, maintaining, and where necessary, improving the system in accordance with the guidelines. Health care providers should also do dogged due diligence to ensure their chosen EHR software is certified by HHS, and has a demonstrated successful track record of creating reliable outcomes. Further, when health care companies decide to implement EHR technological programs, they should provision for adequate internal processes and controls to collect and maintain appropriate records supporting the required incentive attestations, and to ensure the company is at all times in compliance with the program’s guidelines.
A UK court recently fixed a remand hearing in the extradition case of Nirav Modi, a fugitive diamond merchant and the prime accused in a USD 2 billion Punjab National Bank (PNB) fraud case.
After Vijay Mallya (Indian businessman) and Sanjeev Chawla (alleged cricket bookie), Mr. Modi’s case is the third in a series of Indian extraditions that mark a watershed moment for cooperation between Indian and British authorities to bring to justice cross-border corruption. Continue Reading
Another example about the costs of lax data security involves a medical imaging company in the U.S. The company did not perform a risk analysis and failed to respond properly when alerted to problems. See the full post here on the Triage blog.
Russian Duma Revisits Criminalization as Counter-sanction
The Russian Duma is considering a bill that would prohibit media communications that reveal non-compliance with sanctions or facilitate imposition of sanctions and would also impose criminal penalties on those that disclose or transfer information to organizations “directly or indirectly” under the control of an “unfriendly state”, any company organized under the laws of an “unfriendly state”, and persons affiliated with such organizations if such transfer or disclosure leads to the imposition or expansion of sanctions.
Related Squire Patton Boggs Sanctions and Counter-sanctions Content
We also recently held a webinar on “Sanctions, counter-sanctions and anti-corruption trends in Russia: doing business in the current climate.” It was presented by partners Patrick Brooks (Moscow) and Dan Waltz (Washington DC), and senior associate Kristina Arianina (Washington DC). You can view the webinar on demand here (requires Lexology login or signup).
- OFAC Compliance Guidelines, May 13, 2019 (The Anticorruption Blog)
- The Real Significance of OFAC’s Sanctions Compliance Guidance, May 13, 2019 (The Trade Practitioner Blog)
- Anti-Corruption Guidance in Russia: What’s a Company to Do?, May 6, 2019, (The Anticorruption Blog)
- DOJ Updates Guidance for Corporate Compliance Programs, May 2, 2019, (The Anticorruption Blog)
- Russia Continues Anticorruption Efforts in 2019, January 23, 2019, (The Anticorruption Blog)
Five months after Sigal Mandelker, Under Secretary of the US Treasury for Terrorism and Financial Intelligence, presented five of the hallmarks of an effective sanctions compliance program, the Office of Foreign Assets Control (OFAC) has finally published long-awaited guidance for national and international organizations subject to its regulation (the Framework). OFAC is the organization responsible for administering and enforcing US economic and trade sanctions programs, and its inaugural “Framework for OFAC Compliance Commitments” will likely be incorporated into compliance programs for entities worldwide.
The Framework is the most detailed statement to date of OFAC’s views on sanctions compliance best practices. It articulates guidance on the essential components of a sanctions compliance program and describes how OFAC may evaluate these components in resolving investigations and determining the amount of any penalties. The document also includes a brief root cause analysis of some frequent violations of US economic and trade sanctions laws.
Our new client alert covers the guidelines in more detail here.
This week, the Civil Division of the U.S. Department of Justice released guidelines on cooperation credit in False Claims Act cases. The guidelines strongly emphasize voluntary disclosure, but also provide insight into other actions that could give rise to cooperation credit.
Anti-corruption has been a hot topic in Russia for some time. But recently, the Russian government has begun to take creative approaches in the fight against corruption. These initiatives are aimed at raising public awareness of corruption among the general public. What appears to be missing in this outreach is compliance guidance to companies in Russia. The Russian Anti-Corruption Law outlines a compliance framework but lacks specifics. Guidance to U.S. companies may be able to fill the gap. Continue Reading
The U.S. Department of Justice (DOJ) announced an update to its earlier guidance on how the DOJ will evaluate the effectiveness of a company’s corporate compliance program. The updated compliance guideline (“Updated Guidance”) is twice the length of the original, and utilizes a more instructive approach, serving as a roadmap to prosecutors, and prudent companies. Although not binding on DOJ prosecutors, the Updated Guidance will certainly impact the way the DOJ evaluates corporate compliance programs during investigations and settlement negotiations.
Read our summary and analysis of the DOJ’s 18-page Updated Guidance, in which we focus on the important lessons a company can learn about the key elements necessary for a robust and effective compliance program.
The Ninth Circuit held that the anti-retaliation provisions of the Sarbanes-Oxley Act do not protect whistleblowers who make internal complaints about potential violations of the Foreign Corrupt Practices Act (FCPA). The court’s ruling limits the remedies available to employees who claim to have suffered adverse employment actions in retaliation for raising FCPA concerns. Continue Reading