The Role of Compliance Programs in Mitigating False Claims Act Liability
In this episode of 1st Talk Compliance, Kevin Chmura is joined by Rachel Rose, JD, MBA, as they discuss the False Claims Act in detail. The FCA, one of five federal laws built to combat fraud, waste, and abuse, is the government’s primary fraud fighting tool, with the healthcare industry being the largest contributor to recoveries for over a decade.
Learn not only about how to avoid running afoul of this law, but also some details of cases in which it was violated, and the repercussions those who did so faced. In addition, find out how a proper compliance program can protect your practice in various ways, including staying up to date on cybersecurity training.
Kevin Chmura
Rachel, welcome to the podcast. Thanks for joining us.
Rachel V. Rose
Thank you, Kevin, for having me back for another round of a very major healthcare compliance topic.
Kevin Chmura
It very much is, yeah. This one generates some revenue for the government. So this is one that I think especially in today’s environment, people should be paying a lot of attention to. So as I said in the intro, we’re here to talk about the False Claims Act. It’s one of the most important fraud, waste and abuse laws that applies to physicians and health care practitioners of all kinds.
The healthcare industry has consistently been one of the, if not the highest contributor to funds received under the False Claims Act. And it’s essential to be familiar with the law and maintain compliance programs to mitigate that risk. Rachel, I know you spend a fair amount of time in your practice in and around the False Claims Act defending and representing customers and providers.
So you’re perfect to cover this topic for us. Wondering, though, if you could give us a brief synopsis of the False Claims Act and why is it unique?
Rachel V. Rose
Absolutely. So as you mentioned, my practice focuses a lot on the False Claims Act, and I am fortunate to do a lot of compliance work not only around the False Claims Act, but HHS OIG has identified five important federal fraud, waste and abuse laws: the False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Authorities, and the Civil Monetary Penalties.
And Kevin, as you mentioned, the False Claims Act is really the federal government’s primary fraud fighting tool. And in 2024, there were more than $2.9 billion in recoveries and, moreso healthcare represented over two thirds of that amount. That healthcare trend, as you mentioned, being the largest contributor, has gone on for at least the last decade.
And what the False Claims Act does that makes it unique are really, I would say, five main things. But first, the False Claims Act goes back to 1863, and it is also known as the Lincoln Law. Its primary purpose, even back during the Civil War, was to root out fraud that was being perpetrated on the government. So how would that be done?
Congress thought about it and said, well, the government could do it on its own if they caught wind of something, or they could insert a provision which gave an individual known as a relator, also known as a whistleblower, the potential to bring fraud to the government’s attention and receive a portion of the recovery. It’s very important to note that a relator, and I’ve represented several relators successfully, sometimes with co-counsel, sometimes not, so I get to see the False Claims Act from the whistleblower standpoint as well. But this notion of being able to represent a whistleblower is the first distinguishing factor. And that’s because in most other civil cases, a person can represent themselves on a pro se basis, meaning they don’t need a lawyer. There was a provision in the False Claims Act which in fact requires an individual to be represented by a lawyer.
So unless the relator is a lawyer, then the individual needs to obtain counsel in order to file a False Claims Act case. That’s the first thing. Secondly, only the government can choose to open a criminal investigation. So even though certain laws like the federal Anti-Kickback Statute can have criminal penalties or civil penalties associated with them, only the federal government, or if a state has a similar type of law, the state can actually move and bring a parallel criminal investigation in potential proceeding.
So that notion that only the government can bring in a criminal case is not unique to the False Claims Act. But what is unique is that a private party can bring a type of case, and that’s how the government learns of something to then potentially open a parallel criminal action. The process for the relator’s counsel is also very different.
Normally, if I want to file a lawsuit in federal district court, I have to make sure that either a federal question is involved under 1331, or I need to meet the amount in controversy and diversity of the party’s requirement under 1332. While first, the False Claims Act is a federal statute, so it falls under 1331. So that’s the same.
What is not the same is that before I even file a case under seal in a United States District Court, I have to provide a disclosure in evidence to the local United States attorney where I’m going to file the case, as well as providing that same information to Main Justice in Washington, D.C. Another area that is relevant that I just mentioned is the seal.
So that’s the third item. And initially, the statute itself provides for 60 days that the case is filed under seal, meaning no one knows about it but the relator, the lawyers, the judge, and whatever the court staff are, and that’s the way it has to stay. Now, the government may request what are known as seal extensions in this type of case.
And another provision relates to the breaching of the seal. The 2016 Supreme Court case, Rigsby versus State Farm, is the case that outlined different factors, which first stated that just because there may be a seal breached doesn’t mean that the case is automatically dismissed. But the court said we get to apply these factors and make that determination.
I will say that even if the court says no, this case doesn’t need to be dismissed and the Government agrees with that, that the government on the back end, when we start to get to the fee issue where the relator can recover, they, the government, has the right to drop the recovery. If there has been a breach of the seal below what the typical statutory threshold is, and I’ll get to that in a moment.
The other distinguishing factor in a False Claims Act case is once I filed the case, it’s really in the government’s hands until they make a decision. And there are three ways a case can go. The government can intervene in the case and intervention can occur at different times. I’ve had cases that have settled under seal and then the intervention decision is made and the seal is lifted by the court, so the government has taken the case through settlement, even though there has not been any action in court, so to speak.
The second way to intervene is that if the defendant won’t settle while the case is under seal, the government can say, Hey, all right, relator, we like the case, we have adequate resources. And I don’t necessarily mean monetary resources. I made the specific notion of adequate human resources, right? Because the government only employs so many people and so many assistant U.S. attorneys to work on these cases. So the Georgia Tech case is an excellent example where the government intervened and they’re the ones who are leading trial.
So in that instance, the relator’s counsel and the relator just sit back, and if the government needs help with something, then they’ll ask. Declining to intervene means that the government is not going to intervene, but they say to myself or other relator’s counsel, if you would like to move forward with the case and prosecute it, you’re able to. And so I’ve had that scenario as well. And then lastly, they can dismiss the case under (c)(2)(A), and that’s always the government’s discretion.
And the Supreme Court case, the Polansky case is a case from 2023 that actually addressed that very issue. Now, penalties and damages, damages can be trebled under these circumstances. Penalties up until 2016 ranged from $1500 to approximately, not $1500, $5500 to approximately $11,000 per violation. So that was per healthcare claim. Now the absolute minimum is over $11,500, and the upper end of that penalty range per claim is closer to $25,000.
Oftentimes we don’t see penalties assessed unless a case goes all the way through to verdict in a trial. But it can still be costly for damages being trebled depending on the type of case. The relator’s recovery, if the government intervenes in the case, is between 15 to 25% of the total recovery. If the government declines, then the relator is entitled to 25 to 30% in the event of a successful recovery. And it’s important to note that the False Claims Act is not an intent based statute.
Kevin Chmura
So. Well, wow that was great, that’s so, it’s dense, right. And there’s, yeah there’s a lot there, and expensive for those that find themselves on the wrong end of this, and so super important. And you touched on I think a few of them but I wonder if you could zero in a little bit on what healthcare laws are often included in False Claims Act cases.
Rachel V. Rose
Several laws that are included, Kevin, include the Stark Law and the Tuomey case, which was brought several years ago and to date is still one of the largest False Claims Act cases involving the Stark Law. It went up to the Fourth Circuit and that had to do with, in essence, paying kickbacks to physicians where a Stark exception was not met and they were getting remuneration outside of what met fair market value in order to refer patients for designated health services.
Now, designated health services is a term of art within the Stark Law. We don’t see that term in the Anti-Kickback Statute, which is another term. One main difference, aside from the designated health services being the only areas that apply to Stark Law, is that Stark is a civil statute, and more importantly, it’s a strict liability. So it’s like speeding.
If you go over the speed limit, you can get a ticket, the same as the Stark Law. By way of contrast, the Anti-Kickback Statute, which actually predates Stark Law by at least 17 years, is a criminal statute. It applies to every single federal healthcare program, with the exception of the federal employee health benefits program, and it applies to any type of remuneration, whether in cash or in-kind, for referrals to, or utilization of, goods or services related to the provision of health care to a Medicare beneficiary, Medicaid beneficiary, TRICARE beneficiary, etc.
And there are safe harbors.
Kevin Chmura
That’s good stuff. I know from my now a few decades in healthcare and all of the compliance and other training that you are really required to do, I spent a fair amount of time being educated on particularly Anti-Kickback, and I wonder if it would be helpful. Maybe if you could highlight a few recent cases involving AKS violations.
I think it is kind of where the rubber meets the road on these. It can be very, very informative for folks.
Rachel V. Rose
Absolutely. And one unique aspect of the False Claims Act that I did not address earlier, because I highlighted more of the procedure associated with the False Claims Act. But one of the more unique or interesting items, especially as it relates to the Anti-Kickback Statute, is the idea that first there’s a different scienter requirement or knowledge requirement.
So knowledge under the False Claims Act is defined as actual knowledge, deliberate disregard for truth or falsity of the information, or reckless disregard for truth or falsity of the information. Now, the Anti-Kickback Statute is intent based. Remember, the False Claims Act is not. So intent must be proven and it must meet that statute’s definition of knowing or willful.
But a nice thing occurred in 2010 for relator’s counsel, and that was that Congress said, if you can substantiate and clear the hurdle of an AKS violation, then the False Claims Act violation really comes along for the ride, which makes sense because it’s a higher level of scienter. And as I mentioned before, the AKS itself is criminal.
So when we think about the types of cases where we see a lot of AKS violations, one great case is from 2021, is the settlement date on that. And that was United States ex rel. Goodman versus Arriva Medical. And that was a case out of the Middle District of Tennessee. That case settled for $160 million after the relator’s counsel, it was a declined case and the relator’s counsel moved forward, responded to the defendant’s motion to dismiss. The judge denied the motion to dismiss, and the case settled. At issue was a type of kickback, which some people may not be as familiar with, but it has to do with the carte blanche waiver of co-pays and deductibles. And so a co-pay is able to be waived if there’s documentation that an individual had a financial need, but only for that individual.
So you can’t just say, I’m going to waive all co-pays or deductibles without having individual documentation substantiating it. So that case is really telling in terms of that area, and that’s an area too, Kevin, as you can imagine, that a lot of providers could really sidestep and eventually end up in hot water for not appreciating that type of risk.
Another case that involved the Anti-Kickback Statute was actually a case that I had that the government intervened in and settled while it was under seal in May of 2024. So just about a year ago, and that was in the Northern District of Texas, and there the medical device company had physician owners and there is a safe harbor in the Anti-Kickback Statute known as the 4060 Rule, or the small business safe harbor, where if you, an individual physician or a group of physicians, own a certain amount of a company, then the revenues that they generate cannot be a certain amount.
And so, a certain percentage of total revenues. And that’s what happened here. They didn’t meet the framework. And for anyone who looks at compliance of fraud, waste and abuse laws, it’s very important to note that you have to fit within the four corners of the safe harbor in order for it to be applicable.
A couple of other really big cases that have been around lately. One is one of my favorite cases. It’s called the Sayeed case, and it went up to the Seventh Circuit. And the Seventh Circuit issued an opinion on May 2nd of 2024. And in this instance, a creative entrepreneur, I will say, started coloring outside the lines. And instead of being satisfied with the existing relationship he had with the Healthcare Consortium of Illinois, which really had a primary purpose of coordinating healthcare for lower income seniors in the state, he created a third entity and entered into a managed services agreement to pay this consortium $5000 a month for allegedly providing management services.
But in practice, what he was doing was accessing the patient data, using that patient data to solicit business, and that in turn was billed to Medicare. And as you hear the term PHI, your HIPAA flare should be going off, too. And that’s exactly what the judges both at the district court level and at the appellate court level said.
And one of the things that caught their attention, and this is, this is pretty rich, which is why it always stands out in my mind. But Sayeed testified that he had spent over three decades in the healthcare industry and knew that buying protected health information was illegal. And as we know, HIPAA has a criminal provision as well.
And so what the appellate court says was, you know, the district court was right. They did not err in finding that the defendant knowingly and willfully violated both the Anti-Kickback Statute and HIPAA, and also that this type of personal service or management contract did not qualify under that particular safe harbor for the AKS.
And then very recently, Kevin, we have a few cases. One was against Omnicare, CVS, we had Controlled Substances Act violations which were very significant. And then there was a case that was actually filed in 2012 and that was United States and various states ex rel. Penelow versus Janssen Products. And as I mentioned, that case has been ongoing since 2012. The original firm that filed the lawsuit brought in really good trial counsel, who I’ve been fortunate to co-counsel with, and it went to a jury trial.
The jury did not focus on the Anti-Kickback claims, but what they did focus on was the illegal promotion of an HIV drug. And the judge entered a final judgment of $1.6 billion.
Kevin Chmura
Wow, that is a very large number. You know, and so, you know, there is the big is why it’s helpful to look at actual cases, right. Where these, like I said before, where’s the rubber meeting the road in terms of actions being brought in settlements being a tell you what, you know, there are bad actors out there and some people that are knowingly skirting.
So it’s, I think when you tell the story about the co-pay waiving it’s really, it really highlights why it’s so important to understand the False Claims Act, particularly in AKS, you know, that you could really just be in a situation where you think you’re doing something kind or nice for an individual or group of individuals and not even realize that you’re in violation of this.
And it just speaks to the criticality of the understanding of what your obligations are. So that was super helpful. I wonder if we could pivot for just a few minutes, because you can’t really talk about healthcare today without also covering cybersecurity. There’s been such a huge push to digitizing everything over the last several decades, and we were digitizing things faster than we could keep up with those people that wanted to get at those digital records.
And I wonder if you could highlight a few recent cybersecurity case settlements.
Rachel V. Rose
Yeah, absolutely. So in terms of False Claims Act cases, I was fortunate, along with my co-counsel, to represent the whistleblower who brought the first case that settled under the DOJ’s Civil Cyber Fraud Initiative, and that announcement was made in March of 2022. At issue, there was a government contract with the State Department and some of our armed services.
And in essence, there was a requirement to safeguard the information. There was an additional requirement to ensure that the HIPAA information was being secured in a way that HIPAA information should be secured. So in that instance, the government intervened and that was the first case. So I’d seen it, cybersecurity violations from the whistleblower side, I have actually conducted HIPAA audits for well over a decade and I’ve also represented people post-breach on the enforcement side. Some more recent cybersecurity-related cases are, one of my favorite ones is actually the Jelly Bean case that came out of the Middle District of Florida that was not a whistleblower case.
The government brought that on its own. And it’s unfortunate because there was a breach of over 500,000 minors’ information. And what the government said about this company, Jelly Bean, and their owner was, hey, we contracted with you to provide services to keep this information secure. And it was an item that came about because of the breach, but what they found upon doing due diligence was that the common patches that should be done with software weren’t done for over a decade. They were using non-supported software, data was not encrypted, there were password issues, you name it, and this company had it. So they actually brought a False Claims Act case because as we learned right out of the gate, the government can bring that too. So that was the Jelly Bean case. We’ve also seen it more recently, again with government contracts, that’s the morse case MORSE, that’s it, one that’s important.
Penn State University settled a case. A colleague of mine brought that case that was brought in the Eastern District of Pennsylvania. And I will say this because in my experience, the whistleblowers in cyber cases are very sophisticated. They’re typically Chief Information Officers or highly educated people who understand what regulations are supposed to be met and what’s not being met.
So I would say that if I am any type of company, whether it’s a business associate or a covered entity, I would ensure that I have my items in a row in terms of HIPAA compliance, because that’s one of the greatest areas of potential risk. And this area of the law is only going to be a focus of the DOJ, per their January of this year statement, that cybersecurity is going to continue to be an area that they focus on.
Kevin Chmura
Yeah, totally. And really in healthcare today, you should have an orientation towards data security, cybersecurity training, all safeguards, and many of them are just good business practices to begin with, right? Certain things can be more complicated than others. But the, really to just run a business in healthcare, which we all do, it’s not really that complicated to stay in good stead, but it’s something you were touching on there, and I think it’s maybe a good way to close. And that’s really, you know, how do we mitigate all of these risks really through, I guess, an effective compliance program?
I mean, if you’re up on compliance, if you take it seriously, these things should fall into order. But I wonder if you could give our listeners maybe some advice and guidance in that direction.
Rachel V. Rose
Absolutely. So there are five main areas that I would focus on. The first is make sure, to your point, Kevin, that your HIPAA compliance is where it needs to be in terms of the Security Rule, the Privacy Rule, the Breach Notification Rule, as well as information blocking, which was part of the 21st Century Cures Act. And as you and I talked about in another podcast episode, the HIPAA Reproductive Rules.
So that’s one area that’s key. Cybersecurity also dovetails into AKS and Stark Law, because of the December 2nd, 2020 Final Rules. Those are the, quote, “New Stark and AKS Final Rules,” but they updated their safe harbors related to what types of cybersecurity services or goods could be provided and what needs to be done.
So you need to have an agreement in place. You need to make sure it’s not based on volume or value, and it needs to be for fair market value. So those are some areas to look at when you’re considering the intersection of cybersecurity as well as fraud, waste and abuse laws. In terms of fraud, waste and abuse, 42 C.F.R. Section 483.85 requires a mandatory compliance program, and this specific provision was highlighted in the November 2023 HHS OIG guidance.
And although guidance is not binding in that sense, it provides a great roadmap. But the laws and the regulations that it references are binding. So it’s a great item to look at right out of the gate. So the seven elements, I call them the dirty seven, that are required for fraud, waste and abuse laws are: written policies and procedures, compliance leadership and oversight, training, effective lines of communication with a compliance point person, enforcing the standards, having consequences and incentives.
Those should be documented both in an employee handbook as well as your regular policies and procedures. There should also be a non-retaliation provision for concerns that are brought in good faith. And I added that term good faith because I actually represented a client where they had a rogue former employee file, literally, a false claim with the government agency that they were not compliant.
And so, it came back after I defended them that, yeah, they were compliant with everything that they had, and the individual did not bring that concern either to the company. He didn’t bring it to the company first, but he went externally and just filed a completely invalid and factually false complaint with a government agency. So that’s why if it’s in good faith, then people should listen.
And on the flip side of that, a positive situation I had with another client was that they had someone who was in billing bring a coding issue to their attention. And lo and behold, there was a glitch in the EHR system. So it was applying the wrong code. They were able to get the EHR company involved, address that, and then resubmit the claims right away to government and private insurers.
And that is a great example of a good faith concern that was brought. It was investigated, and it really ended up helping the organization. And so that’s the benefit of looking at it like that instead of just retaliating against someone.
Last two items are a risk assessment and/or audit. That’s a great way to have a third party come in and do an audit assessment, and then responding to detected offenses as well. So the last part is just to review your contracts and make sure that if persons are receiving money that there is a contract that is in place and that it’s legal.
Kevin Chmura
Wow. So a lot, but a very important topic because you can see it intersects with day to day life in healthcare in myriad ways. So that’s great. Maybe a quick summary. I mean, if organizations are proactively investing in a compliance program, living it, taking it seriously, and it’s not just a binder on the shelf, it’s going to mitigate risk from the False Claims Act, potentially reduce penalties, and avoid legal repercussions that can just, that can linger for quite some time.
So Rachel, this has been great. Appreciate you as always. Your knowledge in this space is unbound and we’re really glad that you choose to share it with us, and I’ll reserve the right to bring you back for future episodes. Maybe catch up on some other things that are happening relative to this very important topic.
So with that, I’ll say thank you, Rachel.
Rachel V. Rose
Thank you, Kevin. And thank you, Panacea and First Healthcare Compliance for having me again as a guest.
Kevin Chmura
We’ll have you back soon. Thanks.
Rachel V. Rose
Thanks.