The Department of Health and Human Services (HHS) and the Department of Justice (DOJ) have continued to ramp up their attention to fraud, waste and abuse activities in recent weeks. Last week, the Centers for Medicare & Medicaid Services (CMS) issued a Proposed Rule on the Medicaid Recovery Audit Contractor (RAC) program.1 The HHS Office of Inspector General (OIG) has recently renewed focus on its permissive exclusion authority. The OIG released a notice on October 20, 2010, entitled “Guidance for Implementing Permissive Exclusion Authority Under Section 1128(b)(15) of the Social Security Act.”2 In addition, the OIG issued a notice in the Federal Register on November 12, 2010,3 soliciting information and recommendations for updating its Special Advisory Bulletin, entitled “The Effect of Exclusion from Participation in Federal Health Care Programs.”4 This advisory also includes a brief discussion of a recent DOJ indictment against a former vice president and lawyer for GlaxoSmithKline and the recent exclusion of Marc Hermelin, chairman of the board of KV Pharmaceutical Co., from participation in federal health care programs. Finally, we discuss expanded use of the Park Doctrine to hold medical products company executives strictly liable for misdemeanor violations of the Food, Drug and Cosmetic Act (FDCA).


On Wednesday, November 10, CMS issued a Proposed Rule on the Medicaid Recovery Audit Contractor (RAC) program. Comments are due on January 10, 2011.

Medicaid RACs will review post-payment Medicaid claims, identify underpayments and overpayments and recoup overpayments from providers. States will be required to report to CMS on general program descriptions and metrics describing the effectiveness of Medicaid RAC programs.

The Proposed Rule includes guidance to states related to funding of state start-up, operation and maintenance costs of Medicaid RACs and addresses the methodology for state payments to Medicaid RACs. CMS also proposes requirements for states to assure that adequate appeal processes are in place for providers to dispute adverse determinations made by Medicaid RACs. Finally, the rule proposes that states and Medicaid RACs coordinate with other contractors and entities auditing Medicaid providers, and with state and federal law enforcement agencies.


Under Section 6411 of the Patient Protection and Affordable Care Act (ACA), states and territories are required to set up programs to contract with one or more Medicaid RACs by December 31, 2010. However, while states are required to set up programs to contract with the RACs by then, they do not have to have a specific vendor on board by that date. Under the Proposed Rule, states must fully implement their Medicaid RAC programs by April 1, 2011, and it is by that date that specific vendors must be selected. CMS requests comments on this proposed implementation date. States are to establish Medicaid RAC programs via a State Plan Amendment (SPA). CMS advises that states where legislation is required to establish a Medicaid RAC program and where the legislatures will not meet before the end of the year should submit a SPA indicating that the Medicaid RAC cannot be established until legislative authority is granted.

Payment Methodology

Payments to Medicaid RACs may be made only from amounts recovered. CMS interprets this to mean that payments may not exceed the total amounts recovered and may not be made based upon amounts merely identified but not recovered, or amounts that must be repaid due to determinations made in appeals proceedings. States could structure timing of payment of contingency fees to RACs either when a RAC recovers an overpayment (subject to the outcome of appeals), or not until the recovery amount is finally adjudicated.

Rather than prescribing a set contingency fee rate, CMS is proposing certain guidelines and giving states discretion to set their fees within those guidelines. CMS proposes that, in general, it would not provide federal financial participation (FFP) with respect to any amount of a state’s contingency fee in excess of the highest Medicare RAC contingency fee rate at the time. Current Medicare RAC contingency fee rates range from 10.86 percent to 12.50 percent. Any additional payment from a state to a Medicaid RAC would be from state-only funds.

CMS has authority to vary Medicaid RAC programs for each state. As an example, the Proposed Rule states that CMS may exempt a state from the requirement to pay Medicaid RACs on a contingency fee basis where state law expressly prohibits contingency fee contracting. CMS proposes that states seeking exceptions from contracting with Medicaid RACs must submit a written justification for the request to CMS. CMS anticipates granting complete Medicaid RAC program exceptions “rarely, and only under the most compelling of circumstances.”

CMS instructs that states must also choose a methodology to incentivize Medicaid RACs to detect underpayments. CMS is proposing to grant states flexibility to specify the underpayment fee for Medicaid RACs. CMS will monitor methodologies and amounts paid by states, and may consider additional regulation in the future. Total fees paid to Medicaid RACs, for identification of both overpayments and underpayments, may not exceed the amounts recovered. Because overpayment recoveries exceed underpayment identification by more than a 9:1 ratio in the Medicare RAC program, CMS does not anticipate that states will need to maintain a reserve of funds to pay Medicaid RACs. States must maintain an accounting of amounts recovered and paid, and report overpayments to CMS based on the net amount remaining after all fees are paid to the Medicaid RAC.

CMS recognizes that states will incur necessary and proper administrative expenses for the efficient administration of a Medicaid RAC program under the state plan or waiver. Therefore, CMS proposes that FFP would be available to states for administrative costs subject to reporting requirements.

CMS proposes that states must refund the federal share of the net refund amount of overpayment recoveries after deducting a RAC’s fee payments. Thus, states would take a RAC’s fee “off the top” before calculating the federal share of the overpayment recovery to be returned to CMS. Separate rules will apply to the territories.

Requirements for Medicaid RACs

Based on lessons learned from the Medicare RAC program, CMS proposes to require that Medicaid RACs employ trained medical professionals to review Medicaid claims. This is one component of an entity’s demonstration that it has the technical capability to perform the functions of a Medicaid RAC. States may also consider establishing requirements regarding the documentation of good cause to review a claim. CMS proposes that, whenever RACs have reasonable grounds to believe that fraud or criminal activity has occurred, they must report it to the appropriate law enforcement officials. CMS further proposes that Medicaid RACs must meet additional requirements that states may establish.

States must have appeals procedures in place for providers. CMS is proposing to give states flexibility to determine the appeals process that would be available to providers who seek review of adverse RAC determinations. This will allow states to accommodate Medicaid RAC appeals within their existing Medicaid provider appeal structure and not have to adopt a new administrative review infrastructure to conduct Medicaid RAC appeals.

CMS proposes that entities wishing to contract with a state as a Medicaid RAC must agree to coordinate efforts with other contractors or entities performing audits of entities receiving Medicaid payments. CMS notes that Medicaid RACs are not intended to replace any existing programs. CMS intends to work to minimize the likelihood of overlapping audits. The Proposed Rule discusses establishment of Memoranda of Understanding between Medicaid RACs and Medicaid Fraud Control Units to promote coordination with law enforcement agencies.

Regulatory Impact Analysis

CMS estimates that the Proposed Rule may be economically significant as measured by the $100 million threshold under the Congressional Review Act. However, based on the experience of the Medicare RAC program, CMS expects a limited financial impact on most providers, as significant improper payments are relatively rare. The CMS Office of the Actuary estimates that potential net savings to the federal Medicaid program from the expansion of the RAC program are $80 million in 2011, $170 million in 2012, $250 million in 2013, $310 million in 2014 and $330 million in 2015.

Approximately 75 percent of Medicaid providers are considered to be small businesses according to Small Business Administration revenue and size standards. Because Medicaid providers are already required to maintain accurate billing records and comply with audits, CMS does not believe the Proposed Rule will have a significant economic impact on a substantial number of small entities. CMS also does not believe the proposed rule will have a substantial impact on small rural hospitals. Finally, CMS does not expect that the Proposed Rule will have an effect on state, local or tribunal governments in the aggregate, or on the private sector of $135 million or more.

Impact on Providers

The issuance of the Medicaid RAC guidance is yet another signal by CMS that Medicaid program-integrity activities are being developed to closely resemble Medicare program-integrity activities. As such, providers should begin putting equal emphasis on their Medicaid compliance efforts as they do on the efforts they currently expend on Medicare compliance. To help ramp up for the Medicaid RACs, providers should begin familiarizing themselves with the Medicaid appeals process, review their denial rates and other Medicaid claims data to see patterns of behavior that may signal potential problems, and revisit their record retention policy with respect to Medicaid claims. The Medicaid Integrity Contractors are allowed to review provider claims that are up to five years old (consistent with most states’ record retention policy) and the Medicare RACs are allowed to go back three years.


I. OIG Permissive Exclusion Guidance

On October 20, 2010, the OIG released “Guidance for Implementing Permissive Exclusion Authority Under Section 1128(b)(15) of the Social Security Act.” Section 1128(b)(15) of the Social Security Act allows the OIG to exclude individuals who serve as officers or managing employees of, or who have ownership interests in, sanctioned entities. A sanctioned entity is one that has either been convicted of certain offenses or excluded from Medicare and/or Medicaid. These exclusions are not subject to administrative or judicial review. The guidance document focuses primarily on the factors the OIG will consider when determining whether to exercise its authority to exclude an officer or managing employee of a sanctioned entity. This memorandum summarizes the guidance document and provides a brief analysis of its implications. The full text of the guidance document can be found at the following web address:

A. Exclusion of Individuals with an Ownership Interest

Section 1128(b)(15)(A)(i) allows the OIG to exclude an individual with direct or indirect ownership or control interest in a sanctioned entity, when that individual knew or should have known about the conduct that served as the basis of the entity’s conviction or exclusion. The OIG will operate with a presumption in favor of exclusion if the evidence shows that the individual knew or should have known of the conduct. The OIG retains discretion not to exclude the individual if significant factors weigh against it.

B. Exclusion of Officers and Managing Employees of Sanctioned Entities

Section 1128(b)(15)(A)(ii) allows the OIG to exclude an officer or a managing employee of a sanctioned entity regardless of whether the individual knew or should have known about the conduct that served as the basis of the entity’s exclusion. A managing employee is defined as a general manager, business manager, administrator or director who exercises operational or managerial control over the entity, or who directly or indirectly conducts the day-to-day operations of the entity. While the OIG has the authority to exclude all officers and managers of an entity that is sanctioned, the agency states in the guidance document that it does not intend to exclude all of these individuals. However, as is the case with individuals who have an ownership interest in a sanctioned entity, the OIG will operate with a presumption in favor of exclusion, if the evidence shows that the individual knew or should have known of the conduct.

The majority of the guidance document is focused on the internal guidelines, which the OIG will use when determining whether to exclude officers or managing employees of a sanctioned entity. Specifically, the OIG states that it will review the factual basis for the criminal conviction or exclusion, as well as any other conduct considered relevant (including allegations in criminal, civil and administrative matters involving the convicted or excluded entity). The agency will also look at matters involving entities that are or were related to the sanctioned entity (e.g., a corporate parent of a sanctioned entity).

The nonbinding and informal guidelines that the OIG will use when determining whether to use its permissive exclusion authority for officers and managing employees of sanctioned entities can be summarized as follows:

1. Circumstances of the Misconduct and Seriousness of the Offense

The OIG will consider (i) the nature and scope of the misconduct for which the entity was sanctioned; (ii) the criminal sanction and penalty, civil or administrative payment, and the length of the period of the exclusion imposed against the entity; (iii) whether there is evidence that the misconduct resulted in harm to program beneficiaries or other entities, or in financial harm to the program or other entities; and (iv) whether the incident was isolated or part of a pattern.

2. Individual’s Role in Sanctioned Entity

The OIG will consider (i) the individual’s current and past positions with the entity, including his position at the time of the misconduct and what degree of managerial control the individual had at that time; and (ii) the relation of the individual’s position to the misconduct.  

3. Individual’s Actions in Response to the Misconduct

The OIG will consider (i) whether the individual attempted to stop or mitigate the effects of the misconduct and when this action took place; and (ii) whether the individual disclosed the misconduct and/or cooperated with individuals investigating or prosecuting the misconduct. In addition, the OIG states that, if an individual can demonstrate that the misconduct could not have been prevented, or that extraordinary care was taken to prevent the misconduct although it still occurred, the OIG may consider this as a mitigating factor weighing against exclusion.  

4. Information About the Entity

The OIG will consider (i) whether the sanctioned entity or related entity was previously involved in misconduct and what the nature of this misconduct was; and (ii) the size and corporate structure of the entity.

II. Solicitation of Comments for the OIG Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs

On November 12, 2010, the OIG issued a notice in the Federal Register announcing its intent to update the Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs. This bulletin was originally published in September 1999. In the Federal Register notice, the OIG states that it has become apparent over the years that exclusion not only affects the excluded individuals, but also entities that employ or contract with these excluded individuals, and as a result, subsequently face liability for overpayments and civil monetary penalties. The agency notes that many entities have designed compliance programs that seek to minimize the risk that they will submit claims to a federal health program for items or services that were furnished, ordered or prescribed by an excluded individual. As the OIG updates this Special Advisory Bulletin, it is asking interested parties and organizations to make recommendations on how the agency could best supplement the Special Advisory Bulletin. Comments are due by 5 p.m. EST on January 11, 2011.  

III. Indictment of GlaxoSmithKline Executive

On November 9, 2010, the Department of Justice announced charges against Lauren Stevens, a former vice president and lawyer for GlaxoSmithKline (GSK). Stevens is charged with one count of obstructing an official proceeding, one count of concealing and falsifying documents to influence a federal agency and four counts of making false statements to the Food and Drug Administration (FDA).5 The charges stem from the company’s marketing of Wellbutrin, which is indicated to treat depression. GSK is under investigation for marketing the drug for weight loss, which is an unapproved use. The indictment alleges that Stevens told the FDA that Wellbutrin was not being marketed off-label when she had clear evidence to the contrary. Typically, companies are targeted for misconduct rather than executives, which makes this case unique. It could signal that the DOJ plans to step up its enforcement against executives involved in illegal conduct.  

IV. Exclusion of Drug Company Executive

On November 16, 2010, the OIG announced the exclusion of Marc Hermelin from participation in federal health care programs. Hermelin, who had been the chairman of the board, and a significant shareholder, of KV Pharmaceutical Co. Ethex Corp., a wholly owned subsidiary of KV Pharmaceutical, pleaded guilty in March to federal criminal charges of making and distributing medicines of the wrong size, which endangered public safety. It is believed that this is the first instance in which a drug company executive who has not been personally convicted of wrongdoing has been banned from participating in federal health care programs. If a director or shareholder with an ownership interest of five percent or more is excluded from participating in federal or state health care programs, the OIG has discretionary authority to exclude the company. According to a November 17, 2010, press release, the executive has resigned from the board of directors effective November 10, 2010, to prevent the company from being excluded. Hermelin has reportedly also entered into a settlement agreement with the OIG that requires him to resign as trustee of all family trusts that hold KV stocks, divest his personal ownership interests in the company’s class A and B common stock and divest all voting interests in the company.

V. Analysis

All of these actions fit within a broader pattern of increasing accountability of owners, officers and managing employees of sanctioned entities. The Health Insurance Portability and Accountability Act of 1996 granted the OIG permissive exclusion authority for individuals controlling a sanctioned entity. Although the OIG has possessed this exclusion authority under Section 1128(b)(15) of the Social Security Act for over 10 years, the issuance of this guidance signals the agency’s heightened focus on owners, officers and managing employees of sanctioned entities. This is consistent with recent congressional testimony of OIG Chief Counsel Lewis Morris, who highlighted the need to hold managing employees accountable for the corporate schemes they create.6

It also appears that the OIG is attempting to expand its authority within the current statutory framework when determining whether to exclude an officer or managing employee of a sanctioned entity. In the guidance, OIG indicates that the conduct of “related entities” will be taken into account in addition to the sanctioned entity, even though related entities are not referenced in Section 1128(b)(15). There also has been a recent legislative effort to extend the permissive exclusion authority under Section 1128(b)(15) beyond current owners, officers and managing employees of sanctioned entities. H.R. 6130, the Strengthening Medicare Anti-Fraud Measures Act of 2010, which was introduced by Representatives Pete Stark (D-CA) and Wally Herger (R-CA), would expand the OIG’s permissive exclusion authority to affiliated entities (including those entities affiliated with the sanctioned entity at the time the misconduct took place) and owners, officers and managing employees of those affiliated entities. In addition, H.R. 6130 would reach owners, officers, and managing employees of sanctioned and affiliated entities who subsequently leave those entities but were present at the time the misconduct took place.

H.R. 6130 was passed in the House of Representatives on September 22, 2010, and has been received in the Senate and referred to the Senate Committee on Finance for consideration.

In the meantime, regulators possibly face the challenge of reconciling the exclusion authorities in Section 1128(b)(15) with Section 6502 of the Patient Protection and Affordable Care Act (ACA, P.L. 111-148) as they apply to the Medicaid program. ACA Section 6502 adds paragraph 1902(a)(78) to the Social Security Act and requires states to exclude from the Medicaid program an individual or entity that owns, controls or manages an entity that (or if such entity is owned controlled, or managed by an individual or entity that):

1. has unpaid Medicaid overpayments;

2. is suspended or excluded from participating in, or whose participation has been terminated from, the Medicaid program; or  

3. is affiliated with an individual or entity that has been suspended or excluded from participating in, or whose participation has been terminated from, the Medicaid program.

While exclusion of owners, officers and managing employees under Section 1128(b)(15) is permissive in nature, exclusion under Section 1902(a)(78), as required by ACA Section 6502, is mandatory. Since the enactment of the ACA, there have been a number of legislative proposals to repeal ACA Section 6502.

Additional statutory authority may be required to actually expand the permissive exclusion authority under Section 1128(b)(15) beyond current owners, officers and managing employees of sanctioned entities. However, the OIG’s indication in the guidance that it plans to consider matters involving entities that are or were related to the sanctioned entity when determining whether to exclude an owner, officer or managing employee represents a significant expansion of the agency’s permissive exclusion authority. This may be the first step towards increased exclusion authority for the agency, and entities and individuals should closely monitor this issue.

Expanded Use of the Park Doctrine to Hold Medical Products Company Executives Strictly Liable for Misdemeanor Violations of FDCA

In mid-October, Eric Blumberg, FDA’s Deputy Chief Counsel for Litigation, indicated that that the FDA will pursue misdemeanor prosecutions against food and drug industry executives using a strict liability standard under the Park Doctrine.  

Section 303(a)(1) of the Federal Food, Drug & Cosmetic Act (FDCA), 21 U.S.C. § 333(a)(1), creates one of the few strict liability misdemeanors in federal criminal law for “any person who violates a provision of section 301 [21 U.S.C. § 331]” of the FDCA. Any person who violates a provision of section 301 “shall be imprisoned for no more than one year or fined not more than $1,000, or both.” 21 U.S.C. § 333(a)(1). And under Section 301, a number of specified acts “and the causing therof” are prohibited. In United States v. Park, 421 U.S. 658 (1975), the Supreme Court extended the responsible corporate officer doctrine, in the context of this misdemeanor strict liability provision, to a corporate official who had, “by reason of his position in the corporation, responsibility and authority either to prevent in the first instance, or promptly to correct, the violation complained of, and . . . failed to do so.” United States v. Park, 421 U.S. at 673-74. (Park recognized an affirmative defense to such a charge that the “defendant was ‘powerless’ to prevent or correct the violation” or was “without the power or capacity to affect the conditions” upon which the charges were founded. Id. at 673, 676-78.) The Park Doctrine has thus been interpreted to permit conviction, for violations of the FDCA, of corporate executives, officers and managers who did not personally participate in the actions or conditions that give rise to the criminal violation, or have knowledge of such actions or conditions, but who nevertheless have, within the corporate organization, a position with some “responsibility and authority” with respect to the area or issue with respect to which the violation occurred.

In recent years, the Park Doctrine has been seldom applied. However, Blumberg was recently reported to have indicated that FDA intends to look for cases in which to use the Park Doctrine. Howard Sklamberg, director of FDA’s enforcement office, confirmed that FDA intends to pursue more Park Doctrine cases and would consider bringing cases where there is no felony or fraud involved, but in which violations of the FDCA have occurred. FDA is developing awareness within the agency of the Doctrine through training and the development of a section in FDA’s Regulatory Procedures Manual on misdemeanor cases, and is committed to spending the time and resources to bring “worthwhile” misdemeanor cases. Blumberg indicated that a particular focus would be on FDCA violations involving off-label promotion of medical products.

These developments are of particular concern when coupled with the OIG’s permissive exclusion guidance. Moreover, in this enforcement climate, FDA may also be expected to develop more felony cases. Under Section 303(a)(2) of the FDCA, any person who commits an act prohibited under Section 301 “with the intent to defraud or mislead,” or who commits such an act “after a conviction of him under this section has become final,” shall be imprisoned for not more than three years or fined not more than $10,000 or both.