The U.S. Department of Justice (DOJ) announced a “road map” for the healthcare industry last month to guide voluntary self-disclosures and cooperation with government investigations. Speaking at the annual American Health Lawyers Association (AHLA) Fraud & Compliance Forum in Baltimore, Sally Molloy, Assistant Chief, DOJ Criminal Division, Fraud Section, Health Care Fraud Unit, announced that her office will immediately begin using the guidelines outlined in DOJ’s Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy to govern corporate self-disclosures of healthcare fraud and other potentially criminal conduct by healthcare entities. Molloy indicated the Health Care Fraud Unit wants to provide greater clarity and certainty to healthcare organizations about the benefits of self-disclosure and cooperation. Molloy’s announcement is consistent with other DOJ announcements earlier in the year about expanding the application of the policy beyond the FCPA.
Healthcare organizations that do not have international operations may be unfamiliar with the FCPA Corporate Enforcement Policy. It began as a 2016 pilot project designed to incentivize voluntary self-disclosures by corporations, and to promote transparency and accountability in government charging decisions. It was formalized and incorporated into the United States Attorneys’ Manual in late 2017. It provides that, absent aggravating circumstances, there is a presumption that a company will receive a declination from prosecution so long as the company:
(1) voluntarily self-discloses the misconduct;
(2) fully cooperates with DOJ; and
(3) timely and appropriately remediates the problems.
In situations where aggravating circumstances exist and DOJ determines a criminal resolution is warranted, despite full compliance with the policy, DOJ may give a company partial credit. This consists of reductions from the low end of the United States Sentencing Guideline fine ranges and not requiring the appointment of a monitor. DOJ also may give limited credit in situations where a company has not voluntarily self-disclosed the misconduct, but later fully cooperated and timely and appropriately remediated in accordance with the policy.
This update summarizes the basic elements of the FCPA Corporate Enforcement Policy and its application to the healthcare industry. We also analyze some of the issues that healthcare companies should consider before making a self-disclosure in accordance with the policy.
Key Requirements of FCPA Corporate Enforcement Policy
While the FCPA Corporate Enforcement Policy was drafted with a specific statute in mind, its principles are generally applicable to the healthcare industry. Many of its requirements are consistent with—though in some ways more extensive than—existing self-disclosure protocols that are specific to the healthcare industry.
There are three factors DOJ uses to determine whether a self-disclosure was voluntary:
The disclosure occurred “prior to an imminent threat of disclosure or government investigation.” DOJ wants to reward true self-disclosures. It will not provide the same rewards to companies who come forward only because they know they’re about to be caught.
The conduct was disclosed “within a reasonably prompt time after becoming aware of the offense.” DOJ will not look favorably on disclosures that were delayed, perhaps for some strategic benefit to the disclosing company. For full credit, disclosures must occur contemporaneously with the identification and remediation of the misconduct and the burden is on the company to demonstrate timeliness.
The company discloses “all relevant facts” known to it, including “all relevant facts about all individuals involved in the violation of law.” Healthcare companies and their counsel should be familiar with DOJ’s focus on individual misconduct from the 2015 Yates Memo. The inclusion of this requirement illustrates that DOJ continues to focus on individual misconduct, particularly in the criminal context.
DOJ expects disclosing entities to provide proactive and transparent cooperation. Strategic or partial disclosures of information are not sufficient. To receive full credit for its cooperation, a company must satisfy five requirements:
Timely disclosure of all facts relevant to the conduct at issue. DOJ expects companies to disclose all relevant facts and attribute those facts to specific sources rather than just providing a general narrative (subject to attorney-client privilege constraints). In addition, the policy requires timely updates on the company’s internal investigation; information regarding the involvement of the company’s officers, employees or agents in criminal conduct; and information the company knows about the involvement of third parties in criminal conduct.
Proactive, not reactive, disclosure of facts and information. DOJ expects the company to disclose relevant facts without having to be asked. If there are relevant sources of information that the company is aware of but doesn’t have access to, DOJ also expects the company to flag those sources.
Timely preservation, collection and disclosure of relevant documents. DOJ expects detailed information about the company’s document collection and preservation efforts. It also expects companies to “facilitate” third-party production of documents. This element can be tricky to navigate, even for companies with contractual rights to obtain documents and information from third-party sources, such as downstream providers or vendors.
“De-confliction” of witness interviews and investigative steps. In criminal investigations, DOJ may wish to take certain steps before the company does, or delay certain steps, such as interviews of key witnesses. DOJ does this to protect the integrity of the investigation or to avoid conflicts with broader DOJ enforcement efforts. In such situations, DOJ may ask the company to delay portions of its internal review, which may hinder the company’s ability to satisfy all the required elements under the Enforcement Policy. DOJ recognizes this inherent conflict, and states any of its de-confliction requests will be narrowly tailored in scope and duration.
Making relevant employees, agents and third-party witnesses available for interviews by DOJ, including former officers and employees. DOJ expects companies to make significant efforts to assist DOJ in interviewing witnesses, subject to individuals’ Fifth Amendment rights. This factor may be the one that many healthcare companies are unfamiliar with, and perhaps least comfortable with. Companies will need to carefully consider whether and how they will provide counsel for current and former employees.
Timely and Appropriate Remediation
Self-disclosing misconduct and cooperating is not enough. DOJ expects companies to provide detailed information demonstrating that the company understands why and how the misconduct happened and has taken decisive steps to ensure it won’t happen again. The factors DOJ will consider include:
A root cause analysis and appropriate remediation. The FCPA Corporate Enforcement Policy provides that a company must pay “all disgorgement, forfeiture, and/or restitution” resulting from the self-disclosed conduct. But the return of improperly obtained government funds (and payment of fines or penalties) is only the beginning. DOJ also expects companies to investigate the root cause of the circumstances leading to the misconduct. Additional remedial steps, such as implementation of enhanced internal controls, also may be appropriate.
Implementation of an effective compliance and ethics organization. Healthcare companies have the benefit of decades of HHS OIG guidance on effective compliance programs, and, consequently, the bar to satisfying this element may be high. Sally Molloy told the AHLA audience that DOJ is not satisfied with a description of a company’s policies and procedures and basic statistics. DOJ wants disclosing companies to demonstrate how their compliance programs live and breathe, and for companies to provide evidence showing that the compliance program actually works. DOJ’s position is consistent with recent guidance from HHS OIG on how to measure compliance program effectiveness.
Appropriate discipline of employees. When appropriate, DOJ may expect companies to go beyond the obvious disciplinary measures. For example, companies may be encouraged to claw back compensation from executives who were responsible for the business units where misconduct occurred.
Appropriate retention of business records. DOJ’s policy notes that companies should prohibit the use of “software that generates but does not appropriately retain business records or communications.” While this will not be a major concern for traditional forms of records (e.g., medical records), healthcare companies should understand what messaging apps and other electronic communication platforms their employees are using and whether those systems are consistent with appropriate retention of business-related records and communications.
Additional steps. Leaving itself some flexibility, DOJ’s policy includes a “catch all” category for any other actions that might be appropriate under the circumstances.
Even when a company makes a voluntary self-disclosure, fully cooperates with DOJ and appropriately remediates misconduct, DOJ still may seek a criminal resolution where there are “aggravating circumstances.” These circumstances include misconduct by the company’s executive management, significant profit from company misconduct, pervasiveness of the misconduct within the company and criminal recidivism. However, even if one or more aggravating circumstances exist, companies should remember that they still may receive a 50% reduction from the low end of the United States Sentencing Guideline fine ranges and not be required to appoint an independent monitor.
DOJ’s decision to follow the FCPA Corporate Enforcement Policy in the healthcare industry provides companies with a potentially significant benefit for self-disclosing fraudulent conduct. However, companies still must deal with the thorny decisions surrounding any decision to self-disclose improper conduct to a regulator. Some of the issues that healthcare companies should consider before deciding to take advantage of this avenue for self-disclosure include:
Application. One of the first questions a company needs to answer when deciding to make a self-disclosure is “which government agency should receive it?” To make the most of a self-disclosure to DOJ’s Health Care Fraud Unit, a company should be reasonably confident that DOJ would consider the disclosed conduct to be a violation of a criminal statute. But what if there is overlapping or parallel jurisdiction, as is frequently the case in healthcare? For example, HHS OIG has authority to resolve civil liability for potential violations of the Anti-Kickback Statute (AKS) and a well-developed self-disclosure program. Answering the “which agency” question will require a careful weighing of the pros and cons of each available option. Especially in the AKS context, companies need to be aware that a self-disclosure to DOJ does not toll the 60-day repayment requirement the way that a self-disclosure to OIG does.
Further, Molloy’s announcement that her office intends to follow the FCPA Corporate Enforcement Policy for healthcare cases is a good indicator, but not a guarantee, that local U.S. Attorney’s Offices will follow suit.
Timing. Healthcare companies that have enhanced their compliance programs and internal controls in response to CMS’ Final Rule for Reporting and Returning Overpayments should be well-positioned to respond quickly to identified problems. However, we are in an era of aggressive whistleblowing and expansive theories of liability. If a company expects that investigation and remediation of an issue may take more than a few months, or that the risk of a whistleblower is particularly high, it should consult counsel regarding options for making preliminary or interim reports to enforcement authorities while the investigation and remediation work is ongoing. Crafting a comprehensive self-disclosure takes time, and companies do not want to be beaten to the punch.
Potential Impact on Work Product Doctrine. As described above, DOJ expects self-disclosures to be comprehensive as to “all relevant” facts and information about the disclosed conduct, including information specific to involved individuals. DOJ is careful to state that none of the requirements of the FCPA Enforcement Policy require waiver of either the attorney-client privilege or work product doctrine. And, at the AHLA conference, Molloy was careful to state that the DOJ’s “Principles of Federal Prosecution of Business Organizations” (commonly referred to as the Filip Memo), which prohibit DOJ from forcing companies to waive the attorney-client privilege, still apply under the FCPA Corporate Enforcement Policy. However, recent case law demonstrates that there is a needle-threading exercise inherent in making a self-disclosure of “all relevant facts” and fully cooperating, and there is a risk that companies will find they have inadvertently waived their protections.
Recidivism. One of the aggravating factors that could prevent a company from otherwise receiving full credit for a self-disclosure is recidivism. Understandably, the DOJ does not want to give repeat offenders a free pass for repeated bad behavior, but it has not been completely clear on what it considers to be recidivist conduct. The FCPA policy refers to “criminal recidivism.” In the healthcare context, will DOJ take the position that prior civil fraud, such as False Claims Act settlements, constitutes recidivist conduct? Healthcare companies that are actively engaged in mergers and acquisitions should be wary. DOJ has informally stated that it will give full credit to acquiring companies who identify misconduct during due diligence or post-closing audits, but has not formalized this policy or specifically applied it to the healthcare industry yet. Further, many healthcare companies are massive organizations with subsidiaries, affiliates and joint ventures. In a complex environment, problematic conduct can still occur even with the most robust compliance programs. Given the lack of clarity from DOJ, companies are left to wonder whether they will only have one bite at the apple for full disclosure credit.
Partial Credit. Even if a company cannot satisfy each element of the FCPA Corporate Enforcement Policy, making a self-disclosure in accordance with the policy’s requirements may still be worthwhile. In addition to the tangible benefits available under the policy (reductions in fines, no monitor), companies can build credibility and demonstrate their bona fides as good corporate citizens to the government through transparency and cooperation. Having that credibility can pay big dividends the next time the company finds itself in front of the government.
The question of whether to self-disclose will always be difficult and intensely dependent upon the facts and circumstances of the issue at hand. While DOJ’s announcement provides guideposts for healthcare organizations, companies should always engage experienced counsel to help navigate the uncertain road ahead.
Reporting and Returning of Overpayments, 81 Fed. Reg. 7654 (Feb. 12, 2016).
See, e.g., SEC v. Herrera, No. 17-cv-20301, 2017 WL 6041750, at *5 (S.D. Fla. Dec. 5, 2017) (holding that work product protection for attorney interview notes and memoranda was waived when company lawyers provided “oral downloads” of the interviews to the Securities and Exchange Commission).