While defendants typically breathe a sigh of relief when the Department of Justice (DOJ) declines to intervene in a qui tam False Claims Act (FCA) case, a more favorable outcome is by no means guaranteed when the relator takes the lead in the litigation. One settlement in 2022 underscored that fact when the parties settled for $900 million to resolve FCA allegations related to purported kickbacks offered or paid by a pharmaceutical company through its speaker programs. After litigating the case for over seven years, the relator, a former employee, agreed to a settlement and received 29.6 percent of the $900 million, which is reportedly the largest settlement ever paid in a declined case.
As we predicted, DOJ’s pursuit of electronic health record (EHR) technology vendors continued in 2022, and DOJ continued to focus on EHR vendors’ sales and marketing practices. The latest EHR vendor to settle a FCA case was Modernizing Medicine Inc. (ModMed), which agreed to pay $45 million to resolve allegations that it violated the FCA by accepting and providing kickbacks in exchange for referrals and by causing its users to report inaccurate information in connection with claims for federal incentive payments. This settlement marks the fourth EHR vendor settlement for the Vermont U.S. Attorney’s Office, and it is noteworthy for at least two reasons. First, this case marks the first in which the government has alleged that an EHR vendor accepted kickbacks in return for helping to generate referrals for a particular health care provider with which it had a relationship. Second, unlike most of the other EHR vendors that have settled FCA investigations, ModMed managed to avoid a corporate integrity agreement. We have no way of knowing the reasons why the Office of Inspector General for the Department of Health and Human Services apparently did not request that ModMed enter into a CIA, but the complaint mentions that an investor came into the picture in May 2017 and made substantial changes, some of which related to compliance. In addition, the conduct giving rise to the settlement ended a number of years ago.
Despite President Biden’s State of the Union remarks expressing concern about private investment in the nursing home industry, health care fraud enforcement actions targeting private equity firms and other investors in the health care industry seem to have cooled based on the lack of activity in 2022. This fact is not surprising given that small handful of qui tam FCA cases targeting investors have involved unique fact patterns. Even so, federal and state agencies may remain interested in such cases depending on, among other things, the extent of an investor’s involvement in day-to-day operations and decision-making and the investor’s knowledge of potentially risky activities that they nonetheless permit to continue. To avoid becoming a qui tam defendant, investors should, for example, consider hiring consultants or counsel with relevant health care regulatory expertise to conduct due diligence; directing the company after closing to address identified compliance concerns as soon as possible (or, if appropriate, require the company to make a self-disclosure and take corrective action as a condition of closing); and take steps to help ensure that the company has adequate resources to support an effective compliance program.
In October 2021, DOJ announced with great fanfare that it was launching a Civil Cyber-Fraud Initiative that would use the FCA to combat “new and emerging cyber threats to the security of sensitive information and critical systems.” While this initiative is not specific to the health care industry, the first civil cyber-fraud settlement publicized by DOJ in March 2022 involved Comprehensive Health Services LLC (CHS), a provider of medical services at government-run facilities overseas. CHS paid $930,000 to resolve FCA-related allegations that it failed to disclose to the State Department that it did not consistently store patients’ medical records on a secure EHR system even though it submitted claims for the cost of such a system. At the 10th Annual Advanced Forum on False Claims and Qui Tam Enforcement on January 23, 2023, Michael Granston, Deputy Attorney General, Civil Division, informed the audience that cyber-fraud investigations are ongoing and that they are complex cases that take time. He also observed three common cybersecurity failings, which include the knowing (1) violation of cybersecurity standards; (2) misrepresentation of cybersecurity controls and operations; and (3) failure to timely report suspected data breaches. Given DOJ’s ongoing investigations in this area, DOJ likely will announce additional settlements in the coming year. Health care companies and providers that contract with (or receive grant money from) the federal government should take steps to protect themselves from accusations of cybersecurity shortfalls of the type that DAG Granston identified.
Dr. Thomas M. Prose, a serial whistleblower who has filed multiple qui tam FCA cases against long-term care providers, now knows how the other half lives. In April 2022, DOJ announced that it had filed suit against Prose and various corporate entities owned by Prose. Notably, DOJ, rather than a relator, initiated the case. According to the press release, DOJ alleged that the defendants (which had received over $40 million from Medicare during a five-year period) “violated the [FCA] in a widespread healthcare fraud scheme involving the submission of thousands of false claims to the Medicare program.”According to a Law360 article, DOJ’s investigation may have stemmed from a qui tam case filed under the Illinois Whistleblower Act by a former employee of Prose in 2018. That employee assisted with a federal investigation of Prose, and she later pleaded guilty to health care fraud.