BY Kianna Sitarski, Esq. and Michael R. Alexander, Esq., Brown & Fortunato, P.C.
As enforcement for civil and criminal healthcare fraud continues to be on the rise, it is more important than ever that healthcare companies implement and adhere to effective corporate compliance plans to prevent and detect any potential misconduct. To assist healthcare companies in understanding (i) their legal obligation to prevent, detect, and possibly report misconduct, and (ii) the potential consequences for failing to satisfy those obligations, the United States Department of Justice (DOJ) Criminal Division publishes its Evaluation of Corporate Compliance Programs (“ECCP”) criteria. This guidance serves as a “roadmap [for DOJ] Criminal Division prosecutors… to evaluate a company’s compliance program, including the questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.” Because DOJ prosecutors will consider a healthcare company’s adherence to the ECCP guidelines both at the time of the offence, and at the time criminal charges based on the misconduct are brought, it is imperative that healthcare companies remain aware of any changes to the ECCP guidance, and update their compliance programs in a quick, but effective manner.
Background
While the DOJ Criminal Division specifically notes that each healthcare company has a unique risk profile and mechanisms for reducing its risks, Section JM 9-28.800 of the Justice Manual (the DOJ’s official policies and procedures for investigating, litigating, and prosecuting violations of federal law) describes three “fundamental questions” a criminal prosecutor should consider when determining the appropriateness, the form, and the terms of any resolution or prosecution of an identified violation. The “fundamental questions” are as follows:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
While the Justice Manual and ECCP guidance go into greater depth in describing how a DOJ prosecutor should evaluate corporate compliance programs in light of these questions, healthcare companies should remain focused on satisfying these objectives, and identifying where the company might be falling short, as they regularly review and revise their compliance plans.
Recent Changes
Periodically, the DOJ releases new initiatives when it observes certain vulnerabilities or fraud trends. For example, on September 23, 2024, the DOJ announced its most recent changes to the ECCP guidelines, including (i) the DOJ’s assessment of how healthcare companies can assess and manage risk associated with the use of artificial intelligence (“AI”) and other new, disruptive technologies; (ii) how corporate compliance plans should incorporate the DOJ’s whistleblower awards program; and (iii) the importance of “gathering and leveraging data for compliance purposes.”
- AI and New Technology
A corporate compliance plan should demonstrate that the healthcare company has identified, assessed and defined its risk profile, based on a variety of factors, including but not limited to “the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.” Further, the corporate compliance plan should enact measures to appropriately mitigate the identified risks and manage industry-wide emerging risks. Specifically, with the September 2024 changes to the ECCP guidance, compliance plans should address how the use of AI may impact a healthcare company’s ability to comply with applicable laws and regulations, including specifics on staff training for the use of AI, the scope of decision-making for which AI may be used, which company personnel will be responsible, and held accountable for, monitoring and enforcing the corporations policies on the use of AI, and so on.
- Whistleblower Protections
Whistleblower, or qui tam, lawsuits are an important enforcement mechanism for the DOJ to detect potential civil and criminal violations of federal healthcare laws. While monetary reward for the whistleblower was previously only available to whistleblowers for civil cases based on alleged violations of the federal False Claims Act, the DOJ Criminal Division recently launched its Corporate Whistleblower Awards Pilot Program, wherein a “whistleblower who provides the Criminal Division with original and truthful information about corporate misconduct [here, health care fraud schemes involving private insurance plans] that results in a successful [criminal or civil] forfeiture may be eligible for an award.”
To further incentivize whistleblowers to report suspected violations of health care laws, the updated ECCP guidelines require corporate compliance plans to allow for confidential internal reporting structures and robust investigation processes for such reports. These ECCP guidelines are primarily focused on ensuring that a healthcare company has both internal and external anti-retaliation policies in place. The guidelines additionally focus on ensuring that the healthcare company properly documents its investigation of complaints and enacts remedial measures (disciplining bad actors, self-reporting to authorities, updating internal policies to address the vulnerability allowing for the misconduct, etc.) as may be required by law.
- Leveraging Data or Compliance
Lastly, the changes implemented to the ECCP guidelines allow a DOJ prosecutor to consider how a corporation has “leveraged its data to gain insights into the effectiveness of its compliance program…” This change underscores the importance of viewing a corporate compliance program as a living thing that must adapt and change as new information and guidance becomes available. In other words, mere detection and correction of misconduct may be insufficient if the company does not utilize its prior mistakes and identified vulnerabilities to create a more robust compliance program. Continuous improvement upon the corporate compliance plan is a helpful action to demonstrate to the DOJ, and other regulatory and enforcement authorities, that the healthcare company is committed to compliance.
Conclusion
The ECCP guidelines serve as a helpful roadmap for companies to navigate their compliance obligations in an everchanging regulatory landscape. The changes to the ECCP announced by the DOJ Criminal Division reflect enforcement trends, and common pitfalls that healthcare companies may encounter. To best mitigate the risk of noncompliance, healthcare companies should regularly review and update their corporate compliance plans to ensure that the plan is well designed, properly implemented, and effective.