2023 False Claims Act recoveries announced

It’s that time of the year again. Typically, in February of each year, the U.S. Department of Justice (DOJ) announces settlements and judgements under the False Claims Act (FCA) for the previous fiscal year. For FY2023, these recoveries exceeded $2.68 billion and were the result of the highest number of settlements and judgments in a fiscal year to date – 543 total. Notably, this metric is distinct from the overall annual recovered amount. Not surprisingly, the healthcare sector topped the list of sectors that contributed to the FY2023 recoveries. Some key highlights include:

• Over $1.8 billion related to matters that involved the health care industry, including managed care providers, hospitals, pharmacies, laboratories, long-term acute care facilities, and physicians;
• The $1.8 billion reflect recoveries arising only from federal losses, but in many of these cases, the department was instrumental in recovering additional amounts for state Medicaid programs; and
• Reflect the department’s focus on key enforcement priorities, including fraud in pandemic relief programs and alleged violations of cybersecurity requirements in government contracts and grants.

A FCA case can either be initiated by the government or brought under the statute’s qui tam provision, which is when a person is represented by a licensed attorney is known as a whistleblower. A whistleblower is required to substantiate that a claim was filed or money was wrongfully received and there is a duty to return the funds to the government. In FY2023, “[w]histleblowers filed 712 qui tam suits in fiscal year 2023, and this past year the Justice Department reported settlements and judgments exceeding $2.3 billion in these and earlier-filed suits.” This serves as a reminder that a comprehensive compliance program is critical for avoiding a FCA case and the potential associated liability. Continued areas of focus for the DOJ are cybersecurity, healthcare, and procurement fraud.

Switching gears to HHS, on February 21, the Office for Civil Rights announced its second ever ransomware cyber-attack under HIPAA against “Green Ridge Behavioral Health, LLC – a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy.” Although the payment amount is by healthcare recovery standards low at $40,000, there was also a corrective action plan. As the Resolution Agreement states,

Factual Background and Covered Conduct. On December 12, 2019, OCR initiated an investigation of GRBH pursuant to a Breach Report dated February 11, 2019. OCR' s investigation revealed that GRBH was subject to a ransomware attack that resulted in the acquisition of the protected health information of over 14,000 patients. The evidence gathered by OCR during the investigation indicates GRBH's noncompliance with the Privacy and Security Rules. HHS' investigation indicated potential violations of the following provisions ("Covered Conduct"):

1. The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI. (See 45 C.F.R. § 164.308(a)(l)(ii)(A)).

2. The requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. (See 45 C.F.R. § 164.308(a)(I)(ii)(B)).

3. The requirement to implement policies and procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (See 45 C.F.R. § 164.308(a)(l)(ii) (A)).

4. The requirement to not use or disclose protected health information except as permitted by the Privacy Rule. (See 45 C.F.R. § 164.502(a)).

As both the FCA and HIPAA items illustrate, compliance is critical for mitigating risk and an adverse outcome in a government enforcement action or case. Moreover, it is possible for HIPAA violations to form the basis of a FCA case, as I addressed in a recent Physicians Practice article. Being proactive and fostering a culture of compliance is critical to mitigating the risk of fraud, waste, and abuse, and cybersecurity violations under HIPAA, the HITECH Act, and the 21st Century Cures Act.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.