DOJ's New Voluntary Self-Disclosure Policy Raises More Questions Than It Answers

Timothy Bado, Michael Lowe, Dominyka Plukaite, Callan Stein
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Troutman Pepper

Published in American Bar Association's Health eSource - April 2023, Vol. 19 No. 8 on April 26, 2023. © Copyright 2023, American Bar Association. Reprinted here with permission.

Introduction

On February 22, 2023, the Department of Justice (DOJ) issued a press release [1] highlighting the new Voluntary Self-Disclosure (VSD) Policy for U.S. Attorney's Offices (USAOs). The DOJ developed this policy, which is applicable to each of the 93 USAOs nationwide, several months after the September 15, 2022, Monaco Memo, [2] which had required each DOJ component to create and publish a self-disclosure policy. For healthcare organizations, this VSD policy is yet another self-disclosure procedure that must be considered for fraud and abuse violations subject to Office of Inspector General (OIG) and/or Centers for Medicare and Medicaid Services (CMS) enforcement.

While the stated purpose of the new DOJ VSD policy is to "to standardize how VSDs are defined and credited by USAOs nationwide, and to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations," the language of the policy itself raises more questions than it answers. This is particularly true in the highly regulated healthcare industry, where healthcare organizations are subject to more laws and more regulations and, thus, encounter more instances of potential or actual wrongdoing for which self-disclosure should be considered. Many of the VSD policy's apparent requirements are undefined and subject to potentially diverse interpretations. The policy also offers questionable guidance, beyond the obvious incentive for companies without robust compliance programs to develop and implement such programs in the hopes of taking advantage of the VSD policy. Furthermore, due to this lack of clarity, healthcare organizations in particular might find it challenging to align the new VSD policy with their existing fraud and abuse compliance policies.

Key elements of the VSD policy include:

  • A requirement that corporate self-disclosures be timely, coupled with guidance that a company is considered to have made a timely VSD if the company discloses the misconduct (1) when it becomes aware of the misconduct by employees or agents; (2) before that misconduct is publicly reported or otherwise known to the DOJ; and (3) in a manner that discloses all relevant facts known to it about the misconduct to a USAO in a timely fashion prior to an imminent threat of disclosure or government investigation.

  • A company that fully self-discloses under the policy and meets all other requirements, in the absence of any aggravating factors, [3] will receive significant benefits, including that the USAO will not seek a guilty plea, may choose not to impose any criminal penalty and, in any event, will not impose a criminal penalty that is greater than 50% below the low end of the sentencing guidelines fine range and will not seek the imposition of an independent compliance monitor if the company demonstrates that it has implemented and tested an effective compliance program.

The new policy's language raises many yet-unanswered questions. This ambiguity is magnified by the absence of any historical, real-world track record demonstrating how the DOJ will implement and interpret the policy with respect to healthcare organizations or other companies outside the healthcare industry. The immediate effect of this uncertainty will be to call into question the practicality of companies availing themselves of early voluntary self-disclosures.

VSD Policy Language That Raises Questions for Healthcare Organizations

"When it becomes aware"

Many, if not most, large healthcare organizations already have whistleblower hotlines in place. Those companies might get dozens, or even hundreds, of hotline calls that lead to no action being taken, whether the company conducts an in-house investigation of the call or retains outside counsel to do so. This raises an important question regarding how the DOJ will interpret the VSD policy's requirement that companies report "when they become aware" of misconduct. Will the DOJ, for example, interpret that requirement to mean "when the first call comes in to the company's internal whistleblower hotline?" And, if so, does that mean that companies investigating calls rather than immediately making self-disclosures will be considered ineligible for credit under the policy? For healthcare providers, for example, such a strict interpretation would interfere with the well-established six-month reasonable diligence period for investigation of potential Medicare overpayments, before the 60-day repayment window provided by Section 1128J(d)2) of the Social Security Act begins.

If the DOJ adopts such an interpretation of the timeliness requirement, it would likely prove unworkable for most large healthcare companies. For healthcare providers receiving Medicare funds, in particular, it would directly conflict with the Department of Health and Human Services (HHS) OIG Health Care Fraud Self-Disclosure Protocol (SDP), which specifically contemplates that a reporting party conduct an internal investigation and report its findings to OIG before it can be considered for admission into the SDP. Similarly, the CMS Voluntary Self-Referral Disclosure Protocol (SRDP) contemplates that the reporting party will conduct a "reasonable assessment" and identify actual or potential violations prior to self-disclosure. [4] The uncertainty on this point obscures the VSD policy's potential impact and might result in healthcare companies, in particular, having to question whether their disclosure, if not made immediately upon receipt of a whistleblower call, will be deemed timely by the DOJ.

In addition, it is not difficult to imagine a scenario in which a healthcare company, organization, or provider decides to conduct an internal investigation to ascertain whether an internally reported complaint has any viability, only to learn during the pendency of the investigation that the whistleblower has alerted the government, either personally or through counsel. In such a scenario, would the company be precluded from taking advantage of the DOJ VSD policy if it subsequently discloses the results of its investigation to the DOJ immediately upon its conclusion? The policy leaves this critical question open.

"Otherwise known to the DOJ"

Of greater uncertainty is the interaction of DOJ's VSD policy with the self-disclosure protocols of other agencies. Healthcare organizations are subject to several other self-disclosure procedures, including the OIG's SDP and CMS' SRDP. Under these protocols, the OIG and CMS will often notify the DOJ of a disclosed actual or potential fraud and abuse violation. As a coordinating agency, the DOJ is then able to elect whether it will participate in the settlement process. In fact, the OIG SDP makes clear that if the DOJ decides to get involved, the "DOJ determines the approach in cases in which it is involved. OIG also coordinates with DOJ on disclosures involving potential criminal conduct. OIG's Office of Investigations investigates criminal matters, and any disclosure of criminal conduct through the SDP will be referred to DOJ for resolution." [5]

However, the VSD policy dictates that a healthcare organization must disclose misconduct before it is "otherwise known to the DOJ." But what if the DOJ is made aware of the conduct due to the healthcare organization's self-disclosure to the OIG or CMS? Must any disclosure to the OIG or CMS be simultaneously made to the DOJ (or made to the DOJ beforehand), even if the DOJ may ultimately elect not to participate in the settlement? It is certainly within the realm of possibility that a healthcare organization or provider conducting an internal investigation of Medicare overbilling allegations, for example, in an effort to attempt to take advantage of the OIG SDP or CMS SRDP, may be precluded from taking advantage of the DOJ VSD safe harbor, if the DOJ deems the disclosure to be already known to the DOJ.

"Misconduct by employees or agents"

In addition to the timeliness requirement discussed above, the VSD policy requires self-disclosure of a broad scope of information, namely, any "misconduct by employees or agents." This phrase is, again, undefined. Left open to interpretation, it could mean almost anything. For example, must a healthcare organization or provider report to the DOJ everything and anything, anytime it gets even a whiff of any sort of employee misconduct? Is there any sort of de minimis threshold of "misconduct" that must be exceeded to trigger the requirement?

Similarly, does the VSD policy rely on the strict application of employment and agency law? This question is particularly germane in the healthcare industry. For example, many, if not all, hospitals grant certain hospital privileges to members of its medical staff who are not "employees," and many likewise utilize per diem and travel nurses who are typically deemed independent contractors for tax purposes. Another example can be found in the utilization of dental support organizations (DSOs), which is on the rise. Dental practices will contract with DSOs to manage the administrative, marketing, and business sides of the practice, including the processing of insurance claims. Where should these healthcare organizations and practices draw the line between "employees or agents" and independent contractors or service providers? And does it matter the capacity in which the individual was acting during the conduct in question? If a per diem nurse's conduct was, for example, beyond the scope of his/her contracted-for relationship, must a hospital still report it? Because the VSD policy does not provide answers to these questions, healthcare organizations and companies will be left to make these decisions for themselves and, candidly, guess how the DOJ would come down in any given circumstance.

"All relevant facts"

The VSD policy also requires disclosure of "all relevant facts." For members of the legal community, the issue this language presents is glaring: determining precisely which facts are "relevant" is about as easy as seating a jury of twelve "reasonable persons." How should companies go about determining "relevance," particularly those companies operating in the healthcare industry? Does the DOJ expect them to apply the broadest possible interpretation of the word—for example, the "relevance" standard in civil discovery—or does the concept of "relevance" depend on the specific circumstances of the potential misconduct being disclosed, thereby making the term more comparable to a "materiality" threshold? How can companies protect themselves, but not inadvertently disclose more than is necessary or required to reap the new policy's benefits? Are there any exceptions to the "all relevant facts" requirement, for example, for confidential or protected health information? The concern that a company's disclosure, even one made in the utmost good faith, might not be deemed a full disclosure of "all relevant facts" raises further uncertainty about the DOJ's new policy's implementation and might well serve as an obstacle for companies' adherence to it.

"In a timely fashion"

The issue of timeliness the new policy's language raises is certainly tied into the uncertainty raised by the phrase "when it becomes aware." Unlike the DOJ's Criminal Division's recently updated Corporate Enforcement and Voluntary Self-Disclosure Policy [6]—which specifically requires self-disclosure "at the earliest possible time," even if a company has not completed its internal investigation—the new VSD policy is silent on the issue. How is the DOJ likely to interpret the term "timely" under the VSD policy? Is it "as soon as humanly possible," or is disclosure "within a reasonable time" satisfactory?

In practice, one would expect that the DOJ would assess timeliness similarly under both the Criminal Division policy and the VSD policy. For example, healthcare providers faced with potential overbilling issues have historically operated under the HHS OIG SDP and CMS SRDP timetable and will generally conduct internal investigations to ascertain whether there was overbilling before facing the 60-day time crunch. The VSD policy adds a new wrinkle: Does the provider now have to choose between the DOJ VSD policy and the applicable HHS OIG SDP/CMS SRDP? Will an internal investigation conducted with reasonable diligence serve to "toll" the VSD policy's definition of "timely" much the way it tolls the running of the 60-day overpayment repayment obligation? Ultimately, it will most likely depend on the specific facts and circumstances of each case, including information reported to the company, information the company reveals itself through an internal investigation, and the chronology of events. All in all, the burden will almost certainly remain on the company to demonstrate the disclosure was "timely." It is simply not practical for a large company to immediately run to the DOJ and disclose every complaint it receives from its whistleblower hotline. In reality, most companies will need—and want—to investigate complaints to weed out those that have no merit before even considering notifying the DOJ or another agency about the potential misconduct. Yet the language of the new DOJ VSD policy fails to give adequate guidance as to whether such a normally prudent course of action will entitle the company to the safe harbor the policy intends to offer.

The Policy Creates Incentives For Strong Internal Investigation Capabilities

The potential benefits the new DOJ VSD policy dangles in front of healthcare organizations and companies are designed to drive more self-disclosures despite the uncertainty regarding the DOJ's interpretation and implementation of the policy. Avoiding criminal prosecution—by obtaining what white-collar practitioners refer to as a "non-pros" or "NPA" (non-prosecution agreement)—has a powerful allure. So, too, does the ability of a company to obtain a reduced fine. One of the few things that does appear certain is that these carrots will incentivize compliance and internal investigation activities. The policy should absolutely encourage healthcare organizations, companies, and providers that do not already have strong compliance programs to develop and implement such programs promptly. The policy should also motivate all healthcare companies to encourage internal reporting and to quickly undertake internal investigations (whether using in-house attorneys or outside counsel) in the hopes of identifying serious issues before the government gets involved. Only by doing so can the company preserve its ability to potentially take advantage of the new policy's benefits.

Conducting internal investigations in this manner is particularly important for healthcare organizations. Given the sheer volume of legal and regulatory requirements imposed in the healthcare industry, only by completing prompt investigation can companies make informed decisions about whether to voluntarily self-disclose violations to the DOJ. Without having proactive tools and approaches already in place (e.g., compliance programs, internal reporting mechanisms, investigation protocols, etc.), companies will likely find themselves unable to even consider whether to make voluntary self-disclosures that might be deemed to fall within the new policy's requirements.

While it remains to be seen how the DOJ will interpret the new policy's language and how often NPAs will be given, it is nevertheless more important now than ever before that healthcare organizations develop, implement, and abide by robust compliance programs, including, most importantly, quick investigations of internally reported allegations of misconduct. The use of experienced outside counsel to facilitate the development and implementation of these proactive tools is something companies should strongly consider, particularly when the allegations are serious or maintaining the attorney-client privilege is critical. Given the demonstrated uncertainties with the interpretation and application of the policy, and the lack of certainty as to whether disclosure will result in an NPA, there exists a very real risk that the scope of a disclosure could serve as a veritable roadmap for the USAO to draft charges. The engagement of outside counsel experienced in dealing with DOJ and the relevant USAO can certainly help health care organizations address these concerns through the submission of a finely tailored disclosure that maximizes the likelihood of obtaining an NPA and minimizes the indictment road-map risk.

[1] U.S. Attorney's Office, Eastern District of New York, Damian Williams and Breon Peace Announce New Voluntary Self-Disclosure Policy for United States Attorney's Offices, February 22, 2023, available at https://www.justice.gov/usao-edny/pr/damian-williams-and-breon-peace-announce-new-voluntary-self-disclosure-policy-united.

[2] U.S. Department of Justice, Office of the Deputy Attorney General, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, September 15, 2022, available at https://www.justice.gov/opa/speech/file/1535301/download.

[3] The policy identifies three aggravating factors that may warrant a USAO seeking a guilty plea even if the other requirements of the VSD policy are met, which include: (1) the misconduct poses a grave threat to national security, public health, or the environment; (2) the misconduct is deeply pervasive throughout the company; or (3) the misconduct involves current executive management of the company.

[4] Centers for Medicare & Medicaid Services, Voluntary Self-Referral Disclosure Protocol, available at https://www.cms.gov/medicare/fraud-and-abuse/physicianselfreferral/downloads/cms-voluntary-self-referral-disclosure-protocol-original.pdf

[5] U.S. Department of Health and Human Services Office of Inspector General, OIG's Healthcare Fraud Self-Disclosure Protocol, available at https://oig.hhs.gov/documents/self-disclosure-info/1006/Self-Disclosure-Protocol-2021.pdf

[6] U.S. Department of Justice, Criminal Division, Corporate Enforcement and Voluntary Self-Disclosure Policy, available at https://www.justice.gov/criminal-fraud/file/1562831/download. This policy was formerly known as the "FCPA Corporate Enforcement Policy" and applies to all FCPA cases nationwide and all other corporate criminal matters handled by the Criminal Division.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide