Portfolio Media. Inc. | 111 West 19th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected] Questions Remain After OIG Releases Fraud Risk Indicator By Howard Young, Jacob Harper, Brian Bewley and Kaitlyn Dunn (October 1, 2018, 3:39 PM EDT) On Sept. 27, 2018, Gregory Demske, chief counsel to the inspector general for the U.S. Department of Health and Human Services, announced a new initiative designed to increase transparency for health care organizations and their lawyers. Specifically, HHS’ Office of Inspector General has created a new “Fraud Risk Indicator” to, in pertinent part, publicize instances when a health care provider that is potentially subject to a permissive exclusion by the OIG, generally in connection with the settlement of a civil False Claims Act case, refuses to agree to a corporate integrity agreement, or CIA. This new initiative comes on the heels of a clear pattern, as noted in a May 2018 U.S. Government Accountability Office report, of a marked decrease in the number of CIAs, notwithstanding a steady stream of FCA settlements. Many questions remain about the effect of the OIG’s new Fraud Risk Indicator and whether it will change the settlement dynamics for health care providers when resolving FCA allegations. History Behind Development of CIAs For over 20 years, the OIG has negotiated CIAs with entities, mostly health care providers and manufacturers. These CIAs are, in effect, mandatory compliance program requirements imposed by the OIG on various health care stakeholders that settle civil FCA allegations with the U.S. Department of Justice, often arising out of qui tam whistleblower lawsuits. The purpose of the CIA, which typically has a term of five years, is to monitor that entity’s compliance with federal health care program (e.g., Medicare and Medicaid) requirements to satisfy the OIG that it can and should waive its authority to exclude the entity from participation in federal health care programs. CIAs are contractual agreements between two willing parties with established terms, breach and default provisions, and various reporting requirements; they are not a creature of regulation or statute, nor is entry into a CIA the only means by which the OIG can resolve its permissive exclusion authority. Over the last 20 years, CIAs have varied somewhat in style and approach, but in that time, OIG has also established many standardized CIA provisions that, by and large, it will not agree to alter or negotiate. And CIAs are expensive for entities to implement, requiring substantial investments in compliance systems and processes and the Howard Young Jacob Harper Brian Bewley Kaitlyn Dunn engagement of one or more specialized external auditors, or independent review organizations, or IROs, that report results to the OIG. Penalties or even exclusion for CIA breaches are real threats and no longer a remote possibility. In the late 1990s and early 2000s, it was common for health care providers to operate either without an established compliance program, or with a bare-bones compliance program. CIAs with those entities often meant they were embarking on a rigorous and formalized compliance program effort for the first time. But through the efforts of the OIG and the health care industry’s embrace of voluntary compliance programs over the last 20 years, it is now rare to operate a health care business without a compliance program. Since 1998, the OIG has issued 11 compliance program guidance for various health care industry sectors, with several supplemental updates, although it has not issued any new industry subsector compliance guidance since 2008. Instead, the OIG has partnered with groups like the American Health Lawyers Association and Health Care Compliance Association to publish guidance for monitoring compliance for boards of directors and assessing compliance program effectiveness. Increasingly, compliance program assessment has become part of the fabric of transactional due diligence associated with acquisitions and investments in health care organizations and lender financing. By and large, voluntary health care compliance programs are more entrenched and sophisticated, and a regular part of many health care providers’ and manufacturers’ regular business processes to monitor and mitigate regulatory risk. With the maturity of health care compliance programs, and an increase in qui tam settlements that do not involve widespread or pervasive fraud, or any fraud at all, an increased resistance to costly CIAs that offer in the view of many, marginal return on investment has emerged. The GAO Study: A Performance Audit of CIA Implementation On May 10, 2018, the Government Accountability Office publicly released a 32-page report evaluating the OIG’s use and oversight of CIAs over a nearly 12-year period. The GAO conducted this review at the request of two U.S. senators — Homeland Security and Governmental Affairs Committee Ranking Member Claire McCaskill, D-Mo., and Finance Committee Ranking Member Ron Wyden, D-Ore., — concerned about the level of transparency surrounding the OIG’s implementation of CIAs. The GAO’s review evaluated three core areas: (1) the number and general characteristics of the CIA’s; (2) the circumstances that may lead the OIG to seek a CIA and the standard provisions included; and (3) the mechanisms the OIG uses to monitor and enforce CIA compliance. According to the GAO, from July 14, 2005, to July 26, 2017, (the review period), the OIG entered into 652 new CIAs. Slightly more than half (51 percent) were with three types of entities: solo or small group practices, hospitals and skilled nursing facilities. Based on the GAO’s review, the proportion of CIAs executed by the OIG that were associated with qui tam cases — as opposed to cases initiated by the DOJ or matters pursued administratively by the OIG — rose over the review period to roughly triple in 2016. This is consistent with the general rise in whistleblower-led FCA cases over the review period. However, the GAO found that, from 2006 to 2016, the number of CIAs in effect for any part of the calendar year decreased by 44 percent. Based on the GAO’s interviews with OIG officials, this decline stems from the OIG’s decision to focus its resources on entities that OIG concludes, based on its weighing of various criteria, present greater risk of program abuse. For example, the OIG has historically applied a presumption in favor of seeking a CIA where the single damages that an entity caused to the federal health care programs exceed a certain monetary threshold. In 2014, the OIG increased this threshold to $1 million for larger entities and $500,000 for smaller entities, although as the GAO noted, the presence of other risk factors (e.g., patient harm) may lead OIG to seek a CIA even where damages fall below this threshold. Notwithstanding its comprehensive quantitative and qualitative summary of OIG’s historical activities vis-à-vis CIA implementation and enforcement, the GAO’s report notably did not attempt to evaluate the effectiveness of CIAs as a means of promoting compliance in the modern health care environment. Additionally, though the GAO identified various trends in the OIG’s use of CIAs over time, the report did not account for several health care industry realities that might appropriately place those trends in context. These include the following: • The high rate of adoption of voluntary compliance programs in the health care sector. Particularly in qui tam cases, there is often a considerable lapse — sometimes four or five years — between the date that the underlying conduct ended and the time a settlement is reached. During this period, the organization’s risk profile may have changed significantly, thereby eliminating any real benefit of a CIA for the risks targeted in the qui tam case. • OIG often takes the position that larger organizations which may find themselves the subject of multiple qui tams — including those brought by opportunistic relators — must agree to a CIA where they make a business decision to settle a matter and avoid litigation costs rather than litigate. This approach may not accurately reflect the future risk to the federal health care programs or the effectiveness of the entity’s compliance program. • The current monetary thresholds applied by the OIG for CIAs are relatively low, particularly given how the government calculates single damages for certain types of conduct (e.g., AntiKickback Statute and Stark Law violations). As a result, virtually every resolution surpasses the OIG’s threshold. • Notwithstanding the necessary costs entities incur maintaining an existing compliance program, CIAs require many entities to divert both monetary and nonmonetary resources away from service line development, quality improvement initiatives and other mission-enhancing activities to simply maintain compliance with the CIA. Contemporaneous with the release of its report, the GAO released supplemental material that identified independent review organizations engaged under multiple CIAs, as well as health care entities that entered into multiple CIAs with the OIG or had their CIAs extended beyond the original term. On that same day, Sens. McCaskill and Wyden issued a letter to the OIG that specifically called attention to the GAO’s findings on the issuance of stipulated penalties, multiple agreements executed with the same entity and extensions of agreements. McCaskill and Wyden urged the OIG to revise its practices and make accessible — presumably through the OIG’s website — a “record of integrity agreement histories” that would allow the public to readily identify health care providers or vendors that are “repeat offenders” or “prior offenders.” This request for increased transparency notably did not address in any way entities that settle fraud allegations with the government without entering into a CIA in exchange for a permissive exclusion release. And yet, the OIG has now seen fit to publicly report those entities that refuse to agree to a CIA. The OIG “risk spectrum,” which forms the basis for the new Fraud Risk Indicator, was developed in the OIG’s April 2016 release of its updated, nonbinding criteria for implementing its permissive exclusion authority, in which the OIG made it clear that: (1) CIAs should be the presumptive outcome of most FCA settlements not derived from self-disclosures; and (2) refusals to enter into a CIA may result in unilateral monitoring by the OIG. Nonetheless, since that 2016 policy statement was released, the number of OIGnegotiated CIAs has continued to decline. It appears, then, that the OIG has now doubled down on its view that most FCA settlements should be accompanied by a CIA. Through the Fraud Risk Indicator, the OIG will identify providers, suppliers and manufacturers that have, in OIG’s determination, refused a CIA, irrespective of the specific circumstances that led to the settlement, the age of the alleged misconduct, and the likelihood such alleged misconduct could reoccur. OIG’s New Fraud Risk Indicator — What Will it Mean? Shortly, the OIG will begin posting a list of entities that, after Oct. 1, 2018, refused to agree to a CIA as part of a civil FCA settlement when the OIG had determined a CIA was necessary. The publication of the new list of CIA refusers, which is not compelled by statute or regulation, and indeed was not part of McCaskill or Wyden’s request for increased transparency, raises a number of interesting new issues. For instance, what right does an entity that disagrees with the OIG’s assessment of fraud risk or even whether it has refused a CIA have to object to its listing? Will the OIG create a process for that objection, and will that be transparent to the public? Will the new list result in delaying DOJ settlement agreements as providers must complete CIA negotiations before FCA settlements are finalized, and what will happen when the DOJ and a court mandate a speedy settlement when no more seal extensions are granted? Will entities that believe the FCA allegations lack merit, but are otherwise willing to settle the matter to avoid litigation costs and disruption, instead choose to litigate those matters more frequently to avoid the potential public stigma of having “refused” a CIA? Will the effect of the Fraud Risk Indicator be to “shame” entities into reluctantly agreeing to CIAs, or will this list come to be viewed as another government data point that lacks nuance and context? Finally, how will the public ultimately react to an entity’s categorization on the Fraud Risk Indicator? These questions will be answered in due time. Howard J. Young is a partner at Morgan Lewis & Bockius LLP. He leads the firm's health care practice and co-leads its health care industry initiative. Jacob J. Harper is an associate at Morgan Lewis. Brian D. Bewley is a member and Kaitlyn L. Dunn is an associate at Bass Berry & Sims PLC. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.  U.S. Gov’t Accountability Office, Department of Health and Human Services: Office of Inspector General’s Use of Agreements to Protect the Integrity of Federal Health Care Programs, GAO-18-322 (April 3, 2018), available at https://www.gao.gov/products/GAO-18-322.  This figure includes both corporate integrity agreements that the OIG entered into with larger entities, as well as integrity agreements with smaller health care providers.  Letter from Sen. Claire McCaskill and Sen. Ron Wyden to The Honorable Daniel R. Levinson (May 10, 2018), available at https://www.hsgac.senate.gov/imo/media/doc/McCaskill-Wyden%20letter.pdf.