Given a handful of recent cases, and a recent update to the CMS Voluntary Self-Referral Disclosure Protocol, it appears that the federal government may be using the existence of these audits as a means for demonstrating that the provider "knew or should have known" that fraud occurred.
Linda A. Malek
Over the course of the past few years, the Department of Justice has stepped up its enforcement of the False Claims Act1 (“FCA”) against health care providers at all levels. In an effort to comply with FCA, Stark2, Anti-kickback3 and other self-reporting laws and regulations,4 providers have enhanced their compliance efforts and instituted various levels of self-audits and internal investigations to help identify areas for improvement. Guided in part by the Office of Inspector General’s policies encouraging self-evaluation, health care providers have operated under the assumption that self-disclosure will demonstrate mitigation efforts should violations or potential violations be identified.
Given a handful of recent cases, and a recent update to the CMS Voluntary Self-Referral Disclosure Protocol, it appears that the federal government may be using the existence of these audits as a means for demonstrating that the provider “knew or should have known” that fraud occurred.
In New York, Education Law §6527(3) confers, in the context of self-critical analyses, confidentiality on proceedings and records prepared by or for a wide variety of medical institutions, including hospitals, in connection with the performance of medical or quality assurance review functions. This includes immunity from document discovery and from disclosure during depositions. The statute specifically provides protection for documents prepared and submitted to the state as part of a statutory or regulatory compliance program. “The thrust of section 6527(3) is to promote the quality of care through self-review without fear of legal reprisal."5 The privilege is not exclusive to healthcare matters, but is sometimes invoked in lawsuits involving hospitals or other health care organizations.6
Until the late 1990s, the self-critical analysis privilege was also alive and well in New Jersey, thanks to a Superior Court decision in Wylie v. Mills.7 Wylie involved a public utilities employee who had been injured in an automobile accident while on the job. Shortly after the accident, the utility company conducted an internal investigation to evaluate its policies and procedures to determine whether future employee injuries could be reduced or prevented. The employee sought discovery of this internal self-analysis, but the court shielded the documents, relying on the self-critical analysis privilege.8
Within a year of the Wiley decision, New Jersey courts began to reject a blanket privilege, and instead began advocating the use of a “balancing test.” In McClain v. College Hospital,9 the plaintiff in a wrongful death suit sought to compel disclosure of certain hospital internal-review documents. These internal reviews included an Executive Committee report completed by the Board of Medical Examiners, which detailed the treatment of the decedent, as well as testimony and findings by the Board’s internal expert witness.10
While the Court acknowledged the existence of the self-critical analysis privilege in Wylie, it also recognized that the personal injury suit in Wiley was fundamentally different from a wrongful death suit against a hospital. Wiley’s case could proceed without the information in the internal audit documents it requested, whereas McClain’s case relied heavily on the fact that the hospital knew there were problems and it failed to act to fix them.
The court found that it was in the interest of public policy to allow “disclosure of the materials involved in an internal investigation into health-care services….”11 The McClain court advocated using a balancing approach to determine whether internal audit documents could be subject to discovery. The balancing test is intended to weigh the need for maintaining confidentiality against the need for the plaintiff to have those documents to prove its case.12
Allyson M. Beach
The Court dealt a final blow to the blanket application of the self-critical analysis privilege in Payton v. N.J. Turnpike Authority in 1997.13 In Payton, the plaintiff asked the defense to turn over documents related to an internal investigation into her complaints of sexual harassment. Instead of advocating an absolute privilege for all cases in which a defendant had conducted some form of internal self-critical investigation, the Court held that the issue of disclosure of such materials should be addressed through a balancing test similar to that set forth in McClain.14 “Self-critical analysis, although deserving of substantial consideration when a court balances a party's need to know against another party's need for confidentiality, is not qualitatively different from other confidential information, and thus does not require the protection of a broad privilege as opposed to a balancing of interests.”15
After the court’s decision in Payton and McClain, it became clear that the self-critical analysis privilege should no longer be assumed to apply, and hospitals and other corporations would have to show a truly compelling reason to keep internal audit documents from the plaintiff.
It is also important to note that New Jersey subsequently amended its statutory Rules of Evidence to create a privilege for “information and data secured by and in the possession of utilization review committees (“URCs”) of certified hospitals or extended care facilities.”16 However, at least one court has limited this privilege to URCs that are established as conditions of participation in Medicare and Medicaid, and should not be extended to include URCs created outside that scope.17 That being said, while documents and investigations prepared by the URC may be protected under the self-critical analysis privilege, it is unclear whether courts will afford the same protection to other internal hospital or medical practice reviews.18
“Whether or not a self-critical analysis privilege may exist as a matter of state law, neither the United States Supreme Court nor the Second Circuit have recognized such a privilege.”19 In fact, the doctrine is unsettled and various circuits interpret in a variety of ways.20 Notwithstanding the absence of a federal privilege, the Department of Justice has in many instances considered internal audits, which were conducted in a good faith effort to comply with regulations, as a mitigating factor in assigning penalties for self-reported misconduct.
Yet the mere existence of a compliance program, without robust implementation, is not in and of itself a defense to corporate noncompliance with Medicare and Medicaid False Claims Act violations.
According to the DOJ Attorney’s Manual, the “Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own. However, the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct.”21 The manual outlines several specific factors to consider when considering mitigation, including “timely and voluntary disclosure of wrongdoing,” cooperation with the investigation, the existence and effectiveness of a corporate compliance program, and the corporation’s efforts to implement or improve an effective corporate compliance program.22
The DOJ also considers whether, once wrongdoing is identified in the organization, it replaces irresponsible management, disciplines or fires wrongdoers, makes restitution, and cooperates with government agency reviews.23 It has been made clear, both from the DOJ manual and in the Federal Regulations, that “even the most sincere and thorough effort to cooperate cannot necessarily absolve a corporation that has, for example, engaged in an egregious, orchestrated, and widespread fraud. Cooperation is a relevant potential mitigating factor, but it alone is not dispositive.”24
Furthermore, “OIG encourages health care providers to promptly self-disclose conduct that violates Federal health care program requirements and provides them a self-disclosure protocol and guidance.”25 What becomes problematic in this self-reporting and self-auditing scenario is that once the audit uncovers the possibility of fraudulent activity—whether accidental or deliberate—according to the knowledge standard under the FCA, the results of the audit may establish “there is evidence that the defendant knew, or should have known, that his or her conduct was prohibited.”26
When a provider complies with the mandate to self report an actual or suspected FCA, Stark or Anti-kickback violation, that provider must “provide a summary of any auditing activity undertaken and a summary of the documents the disclosing party has relied upon relating to the actual or potential violation(s) disclosed.”27 According to the Voluntary Self Reporting protocol, it appears that CMS reserves the right to review those same documents that providers might otherwise try to protect under the self-critical analysis privilege.28
Internal audits may also be used as evidence of Medicare and Medicaid fraud when those audits uncover past problems.
If the organization does not look back far enough, or do more than acknowledge that errors were made and make repayments, courts may be willing to allow any inaction to serve as grounds for a False Claims suit to proceed. For example, In United States ex rel Keltner v. Lakeshore Med. Clinic29 an employee of a medical clinic filed a qui tam suit in which she alleged Lakeshore Medical knowingly filed fraudulent Medicare claims because it “ignored audits disclosing a high rate of upcoding and ultimately eliminated audits altogether.”30 The plaintiff alleged that an annual internal audit of 25 claims per physician demonstrated that two physicians had each upcoded more than 10% of his claims.
Although the medical group returned all overpayments related to those specific claims, the group did not review any additional claims by those physicians, and the plaintiff alleged that the organization thereafter stopped reviewing billing codes altogether, in effect allowing all providers to upcode claims without being detected.31 In its ruling, the court equated defendant’s failure to take direct action as equivalent to “ignoring” the results of the audit.32 The case was ultimately dismissed on unrelated grounds,33 but the takeaway from Keltner is that providers must not only conduct compliance audits, but must address problematic audit findings in a timely and comprehensive manner in order to show they did not ignore the results and possibly risk incurring additional liability.
Despite the concern that self-critical analyses may no longer protect health care providers from False Claims Act actions, self-disclosure is still the best practice. Continue fostering an environment of compliance, and continue to conduct your internal audits as required by law.
These recent developments should serve as a wake-up call that once irregularities are discovered, your organization will be deemed to have knowledge that there may be a deeper, farther reaching problem that needs to be investigated. The government will now consider not only your plans for preventing repeat occurrences in the future, they will look to see what you have done to uncover additional problems from the past, and that you have investigated your organization’s operations adequately enough to uncover any systematic failures, patterns, or even foreseeable individual events. Keep in mind that the more cooperative your organization is, and the more evidence it can provide to show its internal investigation was thorough and findings were acted upon, the better results you will likely have.
About the authors:
Linda A. Malek is a partner at Moses & Singer LLP and chair of the Healthcare and Privacy and Cybersecurity departments. She concentrates on regulatory, technological and business matters in the healthcare industry.Lauren Mack is a partner at Moses & Singer LLP and member of the Healthcare Practice group, focusing on compliance, fraud and abuse. She is also a member of the White Collar Criminal Defense and Government Investigations Litigation groups.Allyson M. Beach, Law Clerk, a third-year law student at Hofstra University School of Law, is a Dean’s Honor Scholar and member of Hofstra Law Review. She spent several years as a legislative liaison representing healthcare organizations.