Spotlight on the False Claims Act
Focus on the Foreign Corrupt Practices Act—The FCPA Pilot Program: A Tale of Two Cases
HIPAA—“Largest-To-Date” Single Entity Settlement Announced
White Collar Enforcement Roundup—Summertime Blue[Sheet] Edition
Keeping an Eye Out—Updates and Briefly Noted
Spotlight on the False Claims Act
Why it matters: This month, we review a recent Ninth Circuit case that allowed a qui tam relator’s action against various Medicare Advantage organizations to proceed, holding that the relator had adequately stated a “cognizable legal theory” of liability under the False Claims Act (FCA) in connection with the organizations’ practices regarding retrospective medical record reviews. In addition, we review an interesting District of Massachusetts case that clarified what constitutes an “alternative remedy” under the FCA. We also take note of a recent increase by the DOJ in the civil monetary penalty amounts imposed under the FCA—effective August 1, 2016—that made the cost of violating the FCA much more prohibitive. Finally, we do our usual review of recent government FCA resolutions and actions that caught our eye.
Detailed discussion: Here, we discuss a few of the FCA matters that came to our attention since our last newsletter.
FCA in the courts:
United States ex rel. Swoben v. United Healthcare Insurance Company et al.: On August 10, 2016, the Ninth Circuit vacated a Central District of California court’s judgment that had dismissed without leave to amend the third amended complaint of qui tam relator James Swoben (Swoben). Swoben had alleged that the defendant Medicare Advantage (MA) organizations United Healthcare, Aetna, WellPoint and Health Net (Defendants) submitted false certifications to the Centers for Medicare & Medicaid Services (CMS) in connection with risk adjustment data, in violation of the FCA. The Ninth Circuit remanded the case with instructions to allow Swoben to file a proposed fourth amended complaint. In so doing, the Court held that Swoben’s proposed fourth amended complaint sufficiently alleged that the Defendants violated the FCA by using biased review procedures designed to not reveal erroneously reported diagnosis codes.
The ruling will have significant implications for health insurers and their risk adjustment vendors not only in MA, but also in Medicaid managed care and the individual and small group commercial health insurance markets. The Ninth Circuit held that even though the MA regulations may not require MA organizations to conduct retrospective chart reviews to verify submitted diagnosis data, when MA organizations choose to do so—and especially when CMS’s risk adjustment data validation efforts independently document a high error rate—MA organizations must design chart reviews to identify overreported diagnosis codes that could reduce federal payments to MA plans, and not just underreported diagnosis codes that could result in higher payments to plans. Because such retrospective chart reviews are common throughout risk-adjusted health insurance programs, the ruling creates new compliance concerns for insurers, even if they do not participate in MA.
Swoben filed a qui tam complaint alleging that, commencing in 2005, the Defendants and a physician group (which provided care to enrollees in exchange for a percentage of the organizations’ capitated payments) performed biased reviews of enrollee health risk data that were designed to “cause the CMS to make inflated capitated payments” to the Defendants. Specifically, Swoben alleged that, where Medicare Advantage organizations engaged in retrospective reviews of previously reported risk adjustment data, they must identify (and report to CMS) both favorable and unfavorable errors. Unfavorable errors would include previously submitted diagnosis codes that were “not supported by the enrollee’s medical records (over-reporting errors).” Swoben alleged that Defendants’ one-sided retrospective reviews, designed to identify only unfavorable errors, rendered their periodic required certifications to CMS false in violation of the FCA.
The Defendants moved to dismiss Swoben’s claims in June 2013, arguing among other things that his complaint failed to allege a claim under the FCA. The district court granted the Defendants’ motion to dismiss, and denied Swoben leave to amend. Swoben appealed to the Ninth Circuit, which asked the parties to submit supplemental briefing to address “when conducting retrospective medical record reviews designed to identify only diagnoses that would trigger additional payments by CMS, not errors that would result in negative payment adjustments, would cause a certification to be false” under the FCA. Although the Government declined to intervene in district court against Defendants, the Justice Department did file an amicus brief on appeal in support of Swoben, upon which the Court relied in vacating the district court’s judgment.
The Court found that the district court had erred as to the sufficiency of Swoben’s allegations to support his FCA claims:
when … Medicare Advantage organizations design retrospective reviews of enrollees’ medical records deliberately to avoid identifying erroneously submitted diagnosis codes that might otherwise have been identified with reasonable diligence, they can no longer certify, based on best knowledge, information and belief, the accuracy, completeness and truthfulness of the data submitted to CMS. This is especially true, when, as alleged here, they were on notice that their data included a significant number of erroneously reported diagnosis codes. We do not see how a Medicare Advantage contractor who has engaged in such conduct can in good faith certify that it believes the resulting risk adjustment data reported to CMS are accurate, complete and truthful.
The Court made clear that “[b]y holding that one-sided retrospective reviews can result in false certifications under § 422.504(l), we do not suggest that they necessarily always do… We do not in this opinion attempt to define the parameters of these requirements.” Instead, the Court said that “[w]e hold only that the theory alleged here—that the defendants designed their retrospective review procedures to not reveal unsupported diagnosis codes, allegedly for no other reason than to avoid reporting that information to the government—states a cognizable legal theory under the False Claims Act.”
The Court also clarified that its decision did not invalidate the practice of “blind coding.” The Court held “[w]e also do not intend to suggest that the practice of concealing previously submitted diagnosis codes from coders conducting retrospective reviews is necessarily a suspect practice. On the contrary, blind coding may help ensure the integrity of a retrospective review.” However, the Court said that “blind coding cannot be squared with the good faith required by § 422.504(l) when it is employed as a means of avoiding or concealing over-reporting errors. If Medicare Advantage organizations acquire the codes identified by retrospective coders, compare them to the codes previously submitted to CMS, identifying both under- and over-reporting errors, but withhold information about the over-reporting errors from CMS, this would result in a false certification.” The Court went on to helpfully give an example of when blind coding would pass muster, stating “[o]n the other hand, if through reasonable diligence the comparison between the codes identified by the retrospective reviewers and the codes previously submitted to CMS is capable of identifying only under-reporting errors, we assume this would not result in false certifications under current CMS regulations. The due diligence standard requires only reasonable efforts.”
The Court thus concluded that “[t]he district court abused its discretion by dismissing Swoben’s third amended complaint without leave to amend. Swoben’s proposed fourth amended complaint adequately alleges a false certification claim under the False Claims Act, so amendment would not have been futile.”
United States ex rel. Willette v. University of Massachusetts: On July 11, 2016, a District of Massachusetts judge ruled that where an entity voluntarily repaid stolen funds—after proactively cooperating with the government to do so as soon as the theft was discovered—there was no “alternative remedy” pursued by the government under the FCA that would entitle a qui tam relator to a share of the recovery. The case is interesting because the underlying qui tam lawsuit was brought under a nontypical provision of the FCA—dealing with the retention of funds owed to the government rather than the filing of false claims—and the qui tam relator was seeking his “relator’s share” under the similarly nontypical “alternative remedy” provision of the FCA qui tam statute.
To briefly recap the facts of the case, in 2013 an employee (Relator) of the University of Massachusetts, Worchester (UMass) informed UMass that a deceased coworker, a financial analyst in UMass’s estate recovery division, had misappropriated approximately $3.8 million in healthcare reimbursements that were intended for remittance to the Massachusetts Executive Office of Health and Human Services (EOHHS). The facts show that “the decision to repay the Commonwealth was made almost immediately after UMass officials found out about [the deceased employee’s] conduct, although it took time to investigate the matter and determine the appropriate method of repayment.” In 2015, after a two-year internal investigation and cooperation with the EOHHS and the Medicare Fraud division of the Massachusetts Attorney General’s Office, UMass repaid the misappropriated funds to the EOHHS in full. During the two-year investigatory period, the Relator filed qui tam actions against UMass and the deceased employee’s estate under both the federal and commonwealth FCA statutes, and even though the underlying FCA actions were subsequently dismissed, the Relator still sought a qui tam whistleblower award—which was the subject of the instant case.
In December 2015, the District of Massachusetts judge granted the parties two months of limited discovery in order to investigate the “issue of whether [the Relator] may be entitled to a relator’s share pursuant to the ‘alternate remedy’ provision of the FCA, 31 U.S.C. § 3730(c)(5).” After hearing oral argument in June 2016, the judge denied the Relator’s motion on July 11, 2016.
In his opinion, the judge first reviewed the congressional intent behind the enactment of the FCA and the qui tam provisions, stating that the applicable statutory language at issue in this case “imposes liability on a person who ‘has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property.’ § 3729(a)(1)(D).” Furthermore, Section 3730(c)(5) of the FCA allows a qui tam relator to share in any recovery if the government chooses to pursue an “alternative remedy” to intervening in the relator’s qui tam lawsuit, as follows:
[T]he Government may elect to pursue its claim through any alternate remedy available to the Government, including any administrative proceeding to determine a civil money penalty. If any such alternate remedy is pursued in another proceeding, the person initiating the action shall have the same rights in such proceeding as such person would have had if the action had continued under this section.
Thus, the issue at hand was whether the course of action the government pursued in this case constituted an “alternative remedy” entitling the Relator to his share of the recovery. The judge ruled that it was not, stating that “I find no indication that either the Commonwealth or the United States pursued an alternate remedy against UMass or the [deceased employee’s] estate.” The judge concluded that, based on the factual record, “[t]here was no need for an alternate remedy, because UMass began investigating the fraud immediately and never exhibited an intent to withhold repayment of the stolen funds.” Furthermore, “there is no evidence that UMass’s actions were motivated by the Relator’s lawsuit, or that the Commonwealth or the United States took affirmative action to enforce the repayment.” Thus, although the Relator “unquestionably did the honorable thing by alerting UMass of [the deceased employee’s] misconduct, he is not entitled to a share of the proceeds under the FCA or MFCA.”
Increase in FCA civil monetary penalties: In an attempt to keep up with inflation, the DOJ made the civil liability penalties for violating the FCA provisions much more cost-prohibitive. On June 30, 2016, the DOJ posted a “Civil Monetary Penalties Inflation Adjustment” (via an “Interim Final Rule with Request for Comments”) in the Federal Register that made inflationary adjustments to the civil monetary penalties imposed under numerous statutes administered by the DOJ, including the FCA. The adjustments for the FCA took effect on August 1, 2016 and provided for a steep, almost double increase in the civil monetary penalty amounts applicable to FCA violations that occurred after November 2, 2015 as follows: The new minimum per-claim penalty amount increased from $5,500 to $10,781, and the maximum per-claim penalty amount increased from $11,000 to $21,563.
Recent FCA resolutions: Last, we highlight a few of the healthcare and non-healthcare DOJ FCA resolutions and actions that caught our attention this month.
On July 28, 2016, the DOJ announced that Lexington County Health Services District Inc. d/b/a Lexington Medical Center (LMC) agreed to pay $17 million to resolve FCA and Stark Law violations: The DOJ said that the South Carolina hospital ran afoul of the Stark Law (a.k.a. the Physician Self-Referral Law) which generally—subject to limited exceptions—prohibits a hospital from billing Medicare for services referred by physicians who have a financial relationship with the hospital. In this case, the DOJ alleged that LMC (which did not admit to liability) violated the Stark Law by entering into either asset purchase agreements (for the acquisition of physician practices) or employment agreements with 28 physicians that improperly “took into account the volume or value of physician referrals, which were not commercially reasonable or provided compensation in excess of fair market value.” As part of the settlement, LMC agreed to enter into a Corporate Integrity Agreement with the Department of Health and Human Services-Office of the Inspector General (HHS-OIG) that required it to implement measures designed to avoid or promptly detect future similar misconduct. Qui tam whistleblower to receive award of $4.5 million.
On July 22, 2016, the DOJ announced that Acclarent, Inc. (Acclarent) agreed to pay $18 million to resolve FCA allegations that it caused healthcare providers to submit false claims to federal healthcare programs in connection with one of its medical device products: The DOJ alleged that California-based medical device manufacturer Acclarent (a subsidiary of Ethicon, a Johnson & Johnson company) agreed to pay $18 million to resolve allegations that it caused healthcare providers to submit false claims to Medicare and other federal healthcare programs by marketing and distributing one of its products, the Relieva Stratus, for use as a drug delivery device without U.S. Food and Drug Administration approval. Acclarent did not admit liability in the settlement. Related to the settlement, the DOJ said that on July 20, 2016, Acclarent’s former Chief Executive Officer and Vice President of Sales were convicted by a federal jury on July 20, 2016 of 10 misdemeanor counts of fraud in connection with distributing adulterated and misbranded medical devices in interstate commerce. The jury acquitted them of 14 felony counts of fraud.
On July 13, 2016, the DOJ announced that Evercare Hospice and Palliative Care (Evercare) agreed to pay $18 million to resolve FCA allegations that it claimed Medicare reimbursement for hospice care for patients that were not terminally ill: The DOJ alleged that the Minnesota-based hospice provider (now known as Optum Palliative and Hospice Care) knowingly submitted false claims to Medicare for hospice care from January 1, 2007 through December 31, 2013 for Medicare patients who were not eligible for the Medicare hospice benefits because Evercare’s medical records did not support that the patients were terminally ill. Evercare did not admit liability as part of the settlement. Qui tam whistleblower award not yet determined.
On June 30, 2016, the DOJ announced that a Florida cardiologist and his practice The Institute of Cardiovascular Excellence (ICE) agreed to pay an aggregate of $8 million to resolve claims that they violated the FCA by filing false claims with government-funded healthcare programs for medically unnecessary procedures and providing illegal kickbacks to patients: The DOJ said that the cardiologist and ICE agreed to pay LMOAR $8 million (consisting of a $2 million penalty plus release of claims to $5.3 million in suspended Medicare funds) to resolve claims that they violated the FCA by improperly billing Medicare, Medicaid and TRICARE for medically unnecessary procedures, and paying kickbacks to patients by waiving Medicare co-payments irrespective of financial hardship. The cardiologist also agreed to a three-year period of exclusion from participating in any federal healthcare program followed by a three-year Integrity Agreement with the HHS-OIG. Qui tam whistleblowers to split award of $1.3 million.
Non-healthcare DOJ actions:
On August 1, 2016, the DOJ announced that Jacintoport International LLC (Jacintoport) and Seaboard Marine Ltd. (Seaboard) agreed to pay almost $1.1 million to settle allegations that they violated the FCA in connection with the delivery of humanitarian food aid: The DOJ said that the affiliated cargo handling/warehousing and ocean transport companies violated the FCA in connection with inflated stevedoring charges under a warehousing and logistics contract entered into in 2007 with the U.S. Agency for International Development for the storage and redelivery of humanitarian food aid. Qui tam whistleblower to receive award of $215,000.
On July 28, 2016, the DOJ announced that it filed a complaint against the former CEO and CFO of Louis Berger Group Inc. (LBG) for FCA violations in connection with reconstruction contracts in Iraq and Afghanistan: The DOJ said that the two executives violated the FCA by conspiring to overbill the U.S. Agency for International Development and other government agencies for costs incurred performing reconstruction contracts in Afghanistan and Iraq. The DOJ had resolved criminal and civil claims against LBG arising from the same conduct in November 2010 pursuant to which LBG entered into a DPA with the DOJ and paid $50.6 million to resolve FCA allegations. See also our “Focus on the Foreign Corrupt Practices Act” article in this same newsletter where we discuss the criminal sentencing under the FCPA of two former Louis Berger International executives in connection with a bribery scheme to secure government construction management contracts in India, Indonesia, Vietnam and Kuwait.
On July 19, 2016, the DOJ announced that it filed a complaint against DynCorp International Inc. alleging FCA violations in connection with a state department contract: The DOJ alleged that DynCorp knowingly submitted inflated claims in connection with a State Department contract to train Iraqi police forces.
See here to read the Ninth Circuit’s 8/10/16 opinion in United States ex rel. Swoban v. United Healthcare Insurance Company et al.
See here to read the District of Massachusetts’ 7/11/16 opinion in United States ex rel. Willette v. University of Massachusetts.
See here to read the DOJ’s “Civil Monetary Penalties Inflation Adjustment” published in the Federal Register on 6/30/16.
See here to read the DOJ’s 7/28/16 press release entitled “South Carolina Hospital to Pay $17 Million to Resolve False Claims Act and Stark Law Allegations.”
See here to read the DOJ’s 7/22/16 press release entitled “Medical Device Manufacturer Acclarent Inc. to Pay $18 Million to Settle False Claims Act Allegations.”
See here to read the DOJ’s 7/13/16 press release entitled “Minnesota-Based Hospice Provider to Pay $18 Million for Alleged False Claims to Medicare for Patients Who Were Not Terminally Ill.”
See here to read the DOJ’s 6/30/16 press release entitled “Florida Cardiologist and His Practice Pay Millions and Agree to Three Years of Exclusion to Resolve Alleged False Billings for Unnecessary Procedures and Illegal Kickbacks.”
See here to read the DOJ’s 7/28/16 press release entitled “United States Sues Former Executives of Government Contractor for Making False Claims in Connection with Reconstruction Contracts in Afghanistan and Iraq.”
See here to read the DOJ’s 7/19/16 press release entitled “United States Files Suit against DynCorp International Alleging Submission of False Claims under State Department Contract.”
Focus on the Foreign Corrupt Practices Act—The FCPA Pilot Program: A Tale of Two Cases
Why it matters: July 2016 saw two DOJ resolutions under the Foreign Corrupt Practices Act (FCPA) where we saw the DOJ’s new FCPA Pilot Program in operation. One case resulted in a DPA, and the other resulted in a declination letter (the third such letter issued to date by the DOJ since the FCPA Pilot Program was announced in April 2016). The different results appeared to turn on the disparate levels of voluntary self-disclosure to and cooperation with the DOJ by the two target companies, as well as the robustness (or lack thereof) in the companies’ remediation efforts.
Detailed discussion: Here, we discuss two DOJ resolutions from July 2016 where we saw the DOJ’s new FCPA Pilot Program in operation. One case resulted in the DOJ entering into a deferred prosecution agreement (DPA) with LATAM Airlines Group, S.A., while in the other case the DOJ sent Johnson Controls, Inc. a declination letter (the third such letter issued to date by the DOJ since the FCPA Pilot Program’s inception in April 2016—we discussed the first two declination letters in our July 2016 newsletter under “Focus on the FCPA: Self-Disclosure + Cooperation = Declinations and NPAs Edition”). The disparate levels of self-disclosure to and cooperation with the DOJ in the investigations, as well as the relative robustness of remediation efforts undertaken by the two target companies, appeared to be the key factors for the DOJ in arriving at these different resolutions.
Case #1—DPA for LATAM Airlines Group S.A. (LATAM): On July 25, 2016, the DOJ announced that LATAM, a commercial airline company based in Chile, agreed to pay a $12.75 million criminal penalty and enter into a three-year DPA to resolve allegations that it violated the FCPA by paying bribes to Argentine union officials via a false consulting contract with a third-party intermediary (we covered the resolution of FCPA charges against former LAN CEO Ignacio Cueto Plaza in our February 2016 newsletter under “FCPA and Anti-Money Laundering Enforcement Review—‘Follow the Money’ ”). In a related settlement in the parallel investigation by the SEC, LATAM agreed to pay over $9 million in disgorgement plus pre-judgment interest.
According to the DOJ’s press release, LATAM admitted to the following facts in the resolution documents: (a) executives at LATAM’s predecessor-in-interest, LAN Airlines S.A. (LAN), executed a fictitious $1.15 million consulting agreement with an advisor to the Secretary of Argentina’s Ministry of Transportation in October 2006 under which the consultant was to undertake a study of Argentine airline routes, (b) the advisor never provided the consulting services and instead funneled the monies he received pursuant to the contract to Argentine labor union officials in exchange for the union agreeing to accept lower wages and to not enforce what would have been a costly labor rule and (c) such bribes to the Argentine labor union officials resulted in over $6.7 million in profits to the airline.
As part of the three-year DPA the DOJ entered into with LATAM to resolve the matter, in addition to the criminal penalty LATAM was obligated to continue to cooperate with the DOJ’s investigation, enhance its compliance program and retain an independent corporate compliance monitor for a term of at least 27 months. While not specifically invoking the FCPA Pilot Program in the press release, the DOJ said that it arrived at its resolution with LATAM based on factors that comprise distinct elements of the FCPA Pilot Program, including LATAM’s failure to voluntarily self-disclose the alleged wrongdoing or adequately remediate, and its belated cooperation in the investigation:
The department reached this resolution based on a number of factors, including the fact that LATAM did not voluntarily disclose the FCPA violations, but did cooperate with the department’s investigation after the press in Argentina uncovered and reported the conduct approximately four years after it had occurred. After LATAM began cooperating, it did so fully and provided all relevant facts known to it, including about individuals involved in the misconduct. LATAM did not, however, remediate adequately. LATAM failed to discipline in any way the employees responsible for the criminal conduct, including at least one high-level company executive, and thus the ability of the compliance program to be effective in practice is compromised. As a result, the company paid a penalty within the U.S. Sentencing Guidelines range instead of receiving a discount off the bottom of the range (emphasis added).
Case #2—Declination letter for Johnson Controls, Inc. (JCI): On July 11, 2016, the SEC announced that JCI, a Wisconsin-based global provider of HVAC systems, agreed to pay more than $14 million (consisting of $11.8 million in disgorgement, pre-judgment interest of almost $1.4 million, and a civil penalty of almost $1.2 million) to settle charges that it violated the books and records and internal accounting controls provisions of the FCPA. According to the SEC’s findings (which were neither admitted to or denied by JCI), Johnson’s wholly owned Chinese subsidiary used sham vendors to make improper payments of approximately $4.9 million to employees of Chinese government-owned shipyards to obtain and retain business.
Also on July 11, 2016, the DOJ released a letter (dated June 21, 2016) to JCI declining prosecution in the parallel DOJ investigation. The declination letter specifically invoked the FCPA Pilot Program and cited to JCI’s strong levels of self-disclosure, cooperation and remediation as the key elements in the DOJ’s decision not to prosecute:
Based upon the information known to the Department at this time and consistent with the FCPA Pilot Program, we have closed our inquiry into this matter despite the bribery by employees of JCI’s subsidiary in China. We have reached this decision based on a number of factors, including but not limited to: the voluntary self-disclosure of the matter by JCI; the thorough investigation undertaken by the Company; the Company’s full cooperation in this matter (including its provision of all known relevant facts about the individuals involved in or responsible for the misconduct) and its agreement to continue to cooperate in any ongoing investigations of individuals; the steps that the Company has taken and continues to take to enhance its compliance program and its internal accounting controls; the Company’s full remediation (including separating from the Company all 16 employees found to be involved in the misconduct, including high-level executives at the Chinese subsidiary); and the fact that JCI will be disgorging to the SEC the full amount of disgorgement as determined by the SEC, as well as paying a civil penalty to the SEC (emphasis added).
In other FCPA news:
On August 8, 2016, Zimmer Biomet Holdings Inc. (which acquired Biomet in 2015 and assumed its liabilities) disclosed in a securities filing that “it is probable that Biomet will incur additional liabilities” related to the ongoing DOJ and SEC investigations into FCPA violations that have occurred subsequent to Biomet’s FCPA settlement (which resulted in a DPA with the DOJ) in 2012. The company said that it has accrued additional unspecified amounts for possible FCPA penalties because “[t]he DOJ has informed Biomet that it retains its rights under the DPA to bring further action against Biomet relating to the conduct in Brazil and Mexico disclosed in 2014 or the violations set forth in the DPA.”
On July 8, 2016, the DOJ announced that two former executives of Louis Berger International (LBI) were sentenced in connection with a long-running bribery scheme to secure government construction management contracts by bribing officials in India, Indonesia, Vietnam and Kuwait. The DOJ said that (1) the former SVP of operations in Indonesia, Thailand, the Philippines and Vietnam was sentenced to two years of probation and fined $10,000 and (2) the former SVP of operations in India and Vietnam was sentenced to one year plus one day in jail. The former executives had each pleaded guilty to violating the FCPA on July 17, 2015, the same day that LBI had entered into a DPA with the DOJ and agreed to pay a $17.1 million criminal penalty for admitting to criminal violations of the FCPA for the same violations. See also our “Spotlight on the False Claims Act” article in this same newsletter where we discuss the DOJ’s filing of a complaint against the former CEO and CFO of Louis Berger Group Inc. for False Claim Act violations in connection with reconstruction contracts in Iraq and Afghanistan.
See here to read the DOJ’s 7/25/16 press release entitled “LATAM Airlines Group Resolves Foreign Corrupt Practices Act Investigation and Agrees to Pay $12.75 Million Criminal Penalty.”
See here to read the DOJ’s 6/21/16 declination letter to Johnson Controls, Inc.
See here to read the SEC’s 7/11/16 press release entitled “Global HVAC Provider Settles FCPA Charges.”
See here to read the DOJ’s 7/8/16 press release entitled “Two Former Executives Of Louis Berger International Sentenced In Foreign Bribery Scheme.”
HIPAA—“Largest-To-Date” Single Entity Settlement Announced
Why it matters: On August 4, 2016, the U.S. Department of Health and Human Services announced that Advocate Health Care Network agreed to pay $5.5 million for “multiple potential” violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information. The settlement was the agency’s “largest to-date against a single entity.” Read on for a recap.
Detailed discussion: On August 4, 2016, the U.S. Department of Health and Human Services (HHS) announced that its Office for Civil Rights (OCR) had entered into a settlement with Advocate Health Care Network (Advocate)—described as the “largest fully-integrated health care system in Illinois”—pursuant to which Advocate agreed to pay $5.5 million for “multiple potential” violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). HHS called the settlement its “largest to-date against a single entity.”
OCR Director Jocelyn Samuels said that “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure… This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
According to the facts in the press release, Advocate submitted three breach notification reports under HIPAA in 2013 pertaining to “separate and distinct” incidents involving its subsidiary, Advocate Medical Group (described as a nonprofit physician-led medical group in the Chicago area) that affected the ePHI (including “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth”) of approximately four million individuals. After conducting investigations into the breach notification reports, OCR found that Advocate failed to: (1) “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI”; (2) “implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center”; (3) “obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession”; or (4) “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.”
HHS said that the “significant” settlement was the result of the “extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule [under HIPAA] in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”
See here to read HHS’s 8/4/16 press release entitled “Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million.”
White Collar Enforcement Roundup—Summertime Blue[Sheet] Edition
Why it matters: What do fraudulent FX transactions, front running, overcharging for exchange and clearing fees, blue sheet violations, hoots and squawks and the Customer Protection Rule have in common? They all figured prominently in recent white collar enforcement actions, many having to do with compliance failures. We recap it for you here.
Detailed discussion: Read on for a recap of recent white collar enforcement actions that caught our eye.
Fraudulent foreign exchange (FX) transactions:
“Hidden Mark-Ups”: On July 26, 2016, the DOJ announced that Massachusetts-based State Street Bank and Trust Company (State Street) agreed to pay an aggregate of $382.4 million (comprised of a $155 million civil penalty to the DOJ, $167.4 million in disgorgement and penalties to the SEC and at least $60 million to ERISA plan clients in an agreement with the Department of Labor) to settle allegations that it deceived its custody clients when providing them with indirect foreign currency exchange (FX) services in violation of the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). As part of the settlement with the DOJ, State Street admitted that, contrary to its representations to its custody clients, its State Street Global Markets division did not price FX transactions at prevailing interbank market rates and that the prices were instead largely driven by “hidden mark-ups designed to maximize State Street’s profits.” The DOJ said that its investigation arose from filings made pursuant to the whistleblower provisions of FIRREA. The DOJ also said that State Street will pay an additional $147.6 million to resolve private class action lawsuits filed by the bank’s customers alleging similar misconduct.
Compliance failures: The Financial Industry Regulatory Authority (FINRA), the SEC and the Commodities Futures Trading Commission (CFTC) all cracked down on alleged compliance shortcomings this summer, including two separate fines imposed by FINRA on Deutsche Bank Securities, Inc. for indiscreet “hoots and squawks” and “blue sheet” violations. The SEC also separately imposed a fine against Citigroup Global Markets for “blue sheet” violations, making it two fines imposed within weeks of each other for a relatively infrequently prosecuted compliance failure. Read on for a recap.
“Inadequate supervision of internal communications”: On August 8, 2016, the Financial Industry Regulatory Authority (FINRA) announced that it had fined Deutsche Bank Securities Inc. (DBS) $12.5 million for “significant supervisory failures” related to research and trading-related information it disseminated to its employees, called “hoots” or “squawks,” over internal speakers commonly known as “squawk boxes.” According to FINRA’s findings, which were neither admitted to or denied by DBS, DBS failed to establish adequate supervision over registered representatives’ access to hoots or their communications with customers regarding hoots despite multiple red flags regarding the potential dissemination of material nonpublic and confidential price-sensitive information. In addition to paying the fine, FINRA said that DBS also agreed as part of the settlement to provide a written certification that it had adopted and implemented supervisory systems and written procedures concerning hoots that are “reasonably designed to achieve compliance with FINRA rules and federal securities laws.”
“Supervision failures over fee processing”: On August 8, 2016, the CFTC announced that Barclays Capital, Inc. (Barclays) agreed to pay an $800,000 civil penalty for failing to “diligently supervise” the processing by its employees of exchange and clearing fees it charged customers for trading and clearing Chicago Mercantile Exchange products from 2011 to 2015. This failure to supervise included the failure by Barclays to “implement and maintain” adequate software systems, policies, and employee training procedures for reconciling invoices from exchange clearinghouses with the amounts of fees actually charged to its customers. According to the CFTC, such failures led to “instances in which Barclays overcharged some customers in an aggregate amount of approximately $1.1 million.” The CFTC said that Barclays promptly took remedial steps when it discovered the problem in 2012, including refunding adversely affected customers, and cooperated with the CFTC’s investigation. The CFTC pointed out that this was only the second action it has brought involving “a clearing firm’s supervisory failures over fee processing” (the CFTC brought the first such action in 2014).
“Blue sheet” violations:
On July 12, 2016, the SEC announced that Citigroup Global Markets agreed to pay a $7 million penalty and admit wrongdoing to settle charges that a computer coding error caused the firm to provide the agency with incomplete “blue sheet” information about trades it executed. The SEC said that the coding error occurred in the software that Citigroup used from 1999 to 2014 to process SEC requests for blue sheet data, including the time of trades, types of trades, volume traded, prices, and other customer-identifying information, which resulted in the omission of 26,810 securities transactions from its responses to more than 2,300 blue sheet requests. After discovering the coding error, the SEC found that Citigroup failed to report the incident to the SEC or take any steps to produce the omitted data until nine months later.
On June 29, 2016, FINRA announced that it had imposed a separate fine of $6 million against DBS for failing to provide complete and accurate trade data in “blue sheets” submitted to FINRA and the SEC. According to FINRA’s findings, which were neither admitted to nor denied by DBS, from approximately 2008 through 2015 DBS experienced “significant failures” with its systems used to compile and produce blue sheet data, causing DBS to submit thousands of blue sheets to regulators that misreported or omitted critical information on over one million trades. In addition, FINRA found that a significant number of DBS’s blue sheet submissions did not meet regulatory deadlines. As part of the settlement, DBS agreed to retain an independent consultant to “improve its policies, systems and procedures related to blue sheet submissions.”
Violation of Customer Protection Rule: On June 23, 2016, the SEC announced that Merrill Lynch agreed to pay $415 million (consisting of $57 million in disgorgement and a $358 million penalty) and admit to wrongdoing to settle charges that it “misused customer cash to generate profits for the firm and failed to safeguard customer securities from the claims of its creditors” in violation of the SEC’s Customer Protection Rule. The SEC said that Merrill Lynch, which admitted to wrongdoing as part of the settlement, violated the SEC’s Customer Protection Rule from 2009 to 2012 by (a) misusing customer cash that “rightfully should have been deposited in a reserve account,” freeing up billions of dollars per week that Merrill Lynch used to finance its own trading activities and (b) failing to adhere to requirements that “fully-paid for customer securities be held in lien-free accounts and shielded from claims by third parties should a firm collapse.” The SEC said that, in conjunction with this settlement, it had established a two-part initiative designed to uncover additional abuses of the Customer Protection Rule: “The first encourages broker-dealers to proactively report potential violations of the rule to the SEC and provides for cooperation credit and favorable settlement terms in any enforcement recommendations arising from self-reporting. Second, the Enforcement Division, in coordination with the Division of Trading and Markets and the Office of Compliance Inspections and Examinations, will conduct risk-based examinations of certain broker-dealers to assess their compliance with the Customer Protection Rule.”
See here to read the DOJ’s 7/26/16 press release entitled “State Street Bank to Pay $382 Million to Settle Allegations of Fraudulent Foreign Currency Exchange Practices.”
See here to read FINRA’s 8/8/16 press release entitled “FINRA Fines Deutsche Bank Securities Inc. $12.5 Million for Inadequate Supervision of Internal Communications.”
See here to read the CFTC’s 8/4/16 press release entitled “CFTC Orders Barclays Capital, Inc. to Pay $800,000 for Supervision Failures.”
See here to read the SEC’s 7/12/16 press release entitled “SEC: Citigroup Provided Incomplete Blue Sheet Data for 15 Years.”
See here to read FINRA’s 6/29/16 press release entitled “FINRA Fines Deutsche Bank Securities Inc. $6 Million for Submitting Inaccurate and Late Blue Sheet Data.”
See here to read the SEC’s 6/23/16 press release entitled “Merrill Lynch to Pay $415 Million for Misusing Customer Cash and Putting Customer Securities at Risk.”
Keeping an Eye Out—Updates and Briefly Noted
D.C. Circuit rejected petition to review “Appointments Clause” Article II constitutional challenge to SEC “in house” administrative proceedings: On August 9, 2016, the D.C. Circuit in Lucia v. SEC denied petitioner Raymond J. Lucia’s petition for review of the SEC administrative proceeding pursuant to which an SEC administrative law judge (ALJ) imposed liability and sanctions against him for violations of the Investment Advisors Act of 1940 (the ALJ’s decision was later affirmed by formal order of the full Commission). Lucia had argued in his petition for review to the D.C. Circuit that the SEC’s administrative proceedings are unconstitutional because its ALJs are “Constitutional Officers” that must be appointed under Article II of the Constitution (Appointments Clause). In denying Lucia’s petition for review, the Court rejected Lucia’s argument and ruled, among other things, that ALJs cannot be considered “Constitutional Officers” because their decisions only become final after they are affirmed by the full Commission with a formal order. We discussed the constitutional challenges to the SEC’s administrative proceedings in our October 2015 newsletter under “ ‘Wherefore Art Thou, Due Process?’ Part III.” See below in “New rulemaking” for a discussion of the SEC’s recent amendment to its rules of practice to make them more parallel to rules of practice in state and federal courts, perceived as an effort by the SEC to dispel allegations of “home court advantage” and stanch further constitutional challenges to the SEC’s “in house” proceedings.
Federal whistleblower programs (see our May 2016 newsletter under “Still Whistling While You Work—Whistleblower Programs Update”):
On August 10, 2016, the SEC announced that BlueLinx Holdings, Inc. (BlueLinx), an Atlanta-based buildings products distributor, agreed to pay a $265,000 penalty for violating securities laws by using severance agreements that required outgoing employees to waive their rights to any whistleblower awards or other monetary recovery in the event they file a complaint or charges against BlueLinx with the SEC or other federal agencies. The SEC said that “BlueLinx’s restrictive language forced employees leaving the company to waive possible whistleblower awards or risk losing their severance payments and other post-employment benefits.” In addition to paying the penalty, BlueLinx (which did not admit or deny liability) agreed “(1) to amend its severance agreements to make clear that employees may report possible securities law violations to the SEC and other federal agencies without BlueLinx’s prior approval and without having to forfeit any resulting whistleblower award, and (2) to make reasonable efforts to contact former employees who had executed severance agreements after Aug. 12, 2011 to notify them that BlueLinx does not prohibit former employees from providing information to the SEC staff or from accepting SEC whistleblower awards.”
On July 26, 2016, the CFTC announced that it had paid its fourth award under its Whistleblower Program in the amount of approximately $50,000 to an unnamed whistleblower who “voluntarily provided key original information that led to a successful CFTC enforcement action.”
Eye on the courts—a brief recap of recent noteworthy cases:
National Association of Criminal Defense v. Department of Justice: On July 19, 2016, the DC Circuit affirmed a district court ruling that the internal DOJ publication known as the Federal Criminal Discovery Blue Book falls within the attorney work-product privilege and therefore is exempt from disclosure under the Freedom of Information Act’s Exemption 5 (which exempts from disclosure certain agency records that would be privileged from discovery in a lawsuit with the agency).
Louisiana Municipal Police Employees’ Retirement Fund v. Wynn: On July 18, 2016, the Ninth Circuit affirmed the dismissal of a shareholder derivative lawsuit alleging that the Wynn Resorts board breached its fiduciary duties and committed corporate waste by, among other things, approving a $135 million donation to the University of Macau (the subject of FCPA scrutiny in 2012 but no investigation), which donation caused the company to incur legal expenses and be exposed to potential FCPA liability. Applying Nevada law, the Court held that the shareholders failed to prove that a demand on the board would have been futile.
Microsoft v. United States: On July 14, 2016, the Second Circuit reversed a district court ruling and found that Microsoft was not required to comply with a U.S. warrant for customer emails stored on a server in Dublin. The Court held that the Stored Communications Act does not have extraterrestrial application and does not authorize U.S. courts to issue and enforce warrants for the seizure of emails stored exclusively on foreign servers.
U.S. v. Nosal: On July 5, 2016, the Ninth Circuit held that the defendant, a former employee whose computer access credentials were revoked, knowingly and with intent to defraud accessed a protected computer without authorization in violation of the Computer Fraud and Abuse Act (CFAA) when he or his former employee co-conspirators used the login credentials of a current employee to gain access to computer data owned by the former employer and to circumvent the revocation of access. In a strong dissent, Judge Stephen Reinhardt wrote that the case was about nothing more than password sharing, and that the CFAA was not intended to make the millions of people who engage in this “ubiquitous, useful, and generally harmless” conduct into unwitting federal criminals.
On July 17, 2016, in an effort to dispel allegations of “home court advantage,” the SEC approved amendments to its rules of practice for its “in-house” administrative hearings to make them more parallel to rules of practice in state and federal courts. The new rules provide, among other things (1) that parties in complex cases will be permitted to take depositions of three persons in single respondent cases and five persons in multiple-respondent cases, and will be permitted to request two additional depositions in each case under an expedited process, (2) for three types of dispositive motions—i.e., motions for ruling on the pleadings, motions for summary judgment and motions for ruling as a matter of law—and detail the standards and procedures for such motions, and (3) for the establishment of other rules of practice, such as standards for when an initial decision must be issued following completion of post-hearing or dispositive motions, and when evidence may be excluded (e.g., irrelevant, immaterial, unduly repetitious or unreliable) and the limited situations when hearsay can be admitted. We last discussed the status of cases challenging the constitutionality of the SEC’s in-house administrative proceedings in our October 2015 newsletter under “ ‘Wherefore Art Thou, Due Process?’ Part III.”
On June 28, 2016, the SEC proposed new Rule 206(4)-4 under the Investment Advisers Act of 1940 that would require registered investment advisers to adopt and implement written business continuity and transition plans. The plans must be “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.” The SEC also proposed amendments to existing Rule 204-2 that would impose recordkeeping and other compliance requirements related to business continuity and transition plans.
On July 27, 2016, the Financial Crimes Enforcement Network (FinCEN) expanded its Geographic Targeting Orders (GTOs) to cover six major metropolitan areas in the United States. FinCen renewed the GTOs currently in effect in the Manhattan and Miami-Dade county metropolitan areas (which were set to expire on July 27, 2016), and expanded its money-laundering vigilance to establish GTOs for high-end real estate purchases in the metropolitan areas of Los Angeles, San Francisco, San Diego, and San Antonio, Texas. We covered FinCen’s initial institution of the GTOs in Manhattan and Miami in our February 2016 newsletter under “FCPA and Anti-Money Laundering Enforcement Review—‘Follow the Money.’ ”
On June 30, 2016, the New York Department of Financial Services (NYDFS) issued the final rule that establishes the minimum requirements for transaction monitoring and filtering programs that must be used by regulated institutions to monitor for potential Bank Secrecy Act/anti-money laundering violations, suspicious activity reporting and sanctions violations. The final rule imposes the new reporting requirement that regulated institutions annually submit to the NYDFS a board resolution or a senior officer’s certification that all necessary steps have been taken to ensure compliance. The final rule will become effective on January 1, 2017 and regulated institutions must commence filing the required annual compliance certification on April 15, 2018. We reported on the rule in its proposed stage in our January 2016 newsletter under “DFS and FinCen—The Rise of the New Enforcers.”
In brief—other enforcement matters of note:
On July 22, 2016, the DOJ announced that the owner of more than 30 Miami-area skilled nursing and assisted living facilities, a hospital administrator and a physician’s assistant were charged with conspiracy, obstruction, money laundering and healthcare fraud in connection with a $1 billion scheme involving numerous Miami-based healthcare providers. In the press release, Assistant Attorney General Leslie Caldwell described the case as “the largest single criminal health care fraud case ever brought against individuals by the Department of Justice.”
On July 7, 2016, the DOJ announced that the U.S. government was returning approximately $1.5 million to Taiwan, the proceeds of the sale of a forfeited New York condominium and a Virginia residence that the U.S. alleged were purchased with the proceeds from $200 million in bribes paid in 2004 by Yuanta Securities Co. Ltd. to the family of Taiwan’s former President Chen Shui-Bian. The return of funds was part of the U.S. Kleptocracy Initiative.
On July 4, 2016, the U.K. Serious Fraud Office (SFO) announced that, after an 11-week trial, three former employees of Barclays Bank plc (including an American) were convicted by a London jury of manipulating the U.S. Dollar LIBOR. The SFO said that the jury failed to reach verdicts for two other defendants (one of which was an American), as to which it is anticipated that the SFO will seek retrial.