WHITE COLLAR UPDATE:
HEALTH CARE PROSECUTIONS, SARBANES-OXLEY & THE PERFECT STORM
By Ronald H. Levine, Esq. Post & Schell, P.C.
Presented to:
PLUS Medical PL SymposiumChicago, Illinois
March 31, 2004
RONALD H. LEVINE, ESQUIRE
Mr. Levine is a partner at the Philadelphia-based law firm of Post & Schell, P.C., heading its White Collar Defense, Corporate Compliance and Risk Management Group. He has received a B.S. in economics summa cum laude from the University of Pennsylvania Wharton School (1974), an M.Phil. in sociology from Oxford University (1976) and a J.D. cum laude from Harvard Law School (1981).
Mr. Levine concentrates his practice on assisting corporations and other enterprises that are potential victims of economic crime or subject to government regulation and potential investigation. He coordinates and conducts internal corporate investigations of alleged misconduct, abuse or fraud, assists in the formulation of compliance plans, and helps track and respond to government investigations. Mr. Levine also advises and defends enterprises, directors, officers and other professionals accused of misconduct at criminal or civil trials and on appeal.
Prior to joining Post & Schell, Mr. Levine was Chief of the 80-prosecutor Criminal Division of the United States Attorney’s Office for the Eastern District of Pennsylvania where he prosecuted and supervised prosecutions of fraud involving health care, tax, securities, insurance, government contractors, financial institutions and computers as well as prosecutions of public corruption and domestic terrorism.
Familiar with a wide range of law enforcement agencies, including the FBI, IRS, SEC, Postal Inspection Service and Offices of Inspector General, Mr. Levine has taught or lectured on white collar crime, criminal procedure or trial advocacy at Temple University School of Law, the University of Pennsylvania Law School, the Wharton School and at CLE programs hosted by the ABA White Collar Crime Section, AHLA-HCCA Fraud & Compliance Forum, Institute on Federal Program Fraud and Philadelphia Bar Association . He has written for AHLA Members Briefing, Corporate Compliance Officer, Business Crimes Bulletin (editorial advisory board), Strategies for Corporate Compliance, Briefings On Long Term Care Regulations, Attorney-CPA Update, and Transport Topics and appeared on the "Law Journal" and Comcast SportsNet television programs.
Mr. Levine is an appointed member of the Homeland Security Advisory Committee to the Pennsylvania Commission on Crime and Delinquency. He also serves on the AHLA Sarbanes-Oxley Act Task Force and recently co-authored the AHLA’s member briefing on “A New Day for Healthcare Organizations: Sarbanes-Oxley Certification Requirements, Compliance and Exposures.”
Mr. Levine can be reached at 215-587-1071 or [email protected].
TABLE OF CONTENTS
I. THE SARBANES-OXLEY ACT (SOA) OF 2002. . . . . . . . . . . . . . . . . 1
A. HEALTH CARE AND THE SOA . . . . . . . . . . . . . . . . . . . . . . . . 1
B. POST-SOA PROSECUTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . 3
II. SOA RIPPLE EFFECTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A. OBSTRUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
B. WHISTLEBLOWER RETALIATION . . . . . . . . . . . . . . . . . . . 6
C. FINANCIAL/INTERNAL CONTROLS CERTIFICATION . 7
D. TAX EXEMPT BOND-RELATED DISCLOSURE FRAUD . 8
E. CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
III. HIPAA “DATA TRADE” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
A. THE “DATA TRADE”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
IV. FEDERAL SENTENCING GUIDELINES . . . . . . . . . . . . . . . . . . . . . 12
A. SENTENCING ORGANIZATIONS . . . . . . . . . . . . . . . . . . . . 14
V. DOJ’S REVISED PROSECUTION POLICY . . . . . . . . . . . . . . . . . . . 16
VI. CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
For potential white collar defendants, the conditions for a perfect storm exist: heightened public attention, stiffer and more expansive criminal laws, more severe sentencing guidelines, more stringent appellate review, and the Department of Justice emphasizing a “get tough” attitude through its practices and policies.1
I. THE SARBANES-OXLEY ACT OF 2002
On July 30, 2002, after a spate of corporate scandals, President Bush signed the Sarbanes-Oxley Act (SOA).2 Ostensibly aimed at publicly owned corporations, one of the primary goals of the SOA is to increase the financial transparency and accountability.
Many provisions of the SOA, including its financial certification provisions, specifically apply to public corporations which would include, of course, publicly traded healthcare providers, pharmaceutical manufacturers, managed cared organizations, and the like. Some provisions of the SOA, however, also apply to privately owned entities, including not-for-profit healthcare corporations. These include SOA criminal provisions concerning obstruction of justice3 and whistleblower retaliation.4 SOA provisions also include new conflict of interest restrictions for public accounting firms5 and oblige the SEC to promulgate standards for auditing an organization’s internal financial controls.6 These firms may also audit or perform work for non-publicly traded healthcare organizations, so these SOA regulations will also impact private healthcare companies.
Other governance provisions of the SOA inevitably will be applied de facto, due to market pressures, or de jure, due to enhanced state regulation, to not-for-profit healthcare institutions. Indeed, the Attorneys General for New York and Massachusetts already have proposed state legislation that adopts SOA-type requirements regarding audits, related party disclosures, financial and internal controls certifications, audit committees and whistleblower retaliation.7
A. Healthcare and the SOA
The healthcare industry has long had a role in the corporate governance debate.
1 See Levine, R. and Short, J., A New Day for Healthcare Organizations: Sarbanes-Oxley Certification Requirements, Compliance, and Exposures at 32, AHLA Members Briefing (Jan. 2004).2 The Sarbanes-Oxley Act of 2002, H.R. 3763, 107th Cong. (2002).3 18 U.S.C. §§ 1519 (SOA § 802). 4 18 U.S.C. § 1513(e) (SOA § 1107); see also 18 U.S.C. § 1514A (SOA § 806–civil whistleblower protection statute). 5 15 U.S.C. § 78j-1(g) (SOA § 201).6 15 U.S.C. § 7262 (SOA § 404). .7 See, e.g., New York Attorney General Spitzer’s proposal, available at: www.oag.state.ny.us/press/2003/mar/mat12a_03.html.
1
1. Caremark
The Caremark case, as well two subsequent major accounting scandals in the healthcare sector, actually arose between 1995 and 2000. This was well before Enron et al. were even a gleam in the eye of the fed’s Corporate Fraud Task Force.8
Caremark International, Inc. provided alternative site healthcare services (e.g., home infusion) and operated a managed-care prescription drug program. In 1994, Caremark was indicted on charges of violating the Medicare Anti-Kickback Statute. The company eventually pleaded guilty to a single count of mail fraud. The well-known Caremark opinion arose out of a motion to the Court of Chancery of Delaware to approve a settlement of a parallel shareholder derivative suit involving claims that Caremark’s board of directors had breached its fiduciary duty to the corporation.
In assessing the proposed settlement, the court noted that in theory a board could be held liable for a failure to monitor. The court found that a corporate board must exercise good faith judgment and assure itself that “the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”9
Thus the concept of adequate internal control and reporting systems, and the board’s responsibilities in that regard, were highlighted by the Caremark case. The opinion has had a broad influence on corporate board governance both within and outside the healthcare sector.
Two subsequent healthcare accounting scandals concerned the collapse of the not-for-profit Allegheny Health, Education and Research Foundation (AHERF) hospital system, and the mammoth earnings restatements of the publicly traded Rite Aid Corporation.
2. AHERF
In 1997, AHERF was the largest not-for-profit healthcare organization in Pennsylvania. In July of 1998, AHERF filed for bankruptcy protection with over $1 billion in liabilities. Allegations of misrepresentations of income in financial statements quickly surfaced.10 In April of 2000, AHERF’s CEO was prosecuted criminally by the Pennsylvania Attorney General, pleaded no contest to the charge of misappropriating entrusted property, and was sentenced to 11½ to 23 months in prison.11 A month later, without admission of liability, AHERF’s CFO and other senior AHERF officials settled civil fraud allegations with the SEC regarding AHERF’s financial statements and disclosures.12
8 The Corporate Fraud Task Force, created by Executive Order #13271 on July 9, 2002, combines the efforts of the Departments of Justice and Treasury, the SEC, and other agencies, and takes credit for over 250 corporate fraud convictions. Task Force achievements are available at: http://www.usdoj.gov/dag/cftf/cases.html.9 In re Caremark International, Inc., 698 A.2d 959, 970 (Del. Ch. 1996).10 See Weinstein, S., “Speech by SEC Staff: Understanding AHERF: Observations on the Recent Settlement Involving Allegheny Health, Education and Research Foundation,” (Aug. 1, 2000), available at: www.sec.gov/news/speech/spch406.htm.11 Commonwealth of Pennsylvania v. Abdelhak, Misc. Docket. No. 406 (Allegh. Co. Crim. Div. April, 2000).
2
3. Rite Aid
In the summer of 2000, Pennsylvania-based Rite Aid Corporation, a large retail pharmacy chain, restated its earnings by $1.6 billion, then the largest earnings restatement in United States history (later topped by WorldCom and others). Ensuing federal prosecutions of Rite Aid senior management related to, among other things, allegedly fraudulent disclosures to the SEC and obstruction of justice.13 This investigation has resulted in the convictions of Rite Aid’s former CEO, CFO, CLO, and other managers. They await sentencing.
B. Post-SOA Healthcare Prosecutions
Federal enforcement activity after the SOA’s enactment indicate that healthcare institutions–and the executives that manage them–fall within the corporate governance spotlight and are not immune from criminal prosecution.
1. United Memorial Hospital
In January of 2003, the not-for-profit United Memorial Hospital in Michigan signed a federal guilty plea agreement, admitting to fraud in connection with the alleged over utilization of pain management surgical procedures, one of which resulted in the death of a patient. Sentencing has been deferred. It is possible that United Memorial’s guilty plea will be expunged in the future.14 However, the allegations contained in United Memorial’s plea agreement15 read like a primer on corporate governance “not-tos” from the board on down. Systems for information reporting, internal audit and investigation, conflict of interest disclosure, and responding to complaints all were called into question.
2. Alvarado Medical Center
In July of 2003, the for-profit Alvarado Hospital Medical Center, Inc., along with Alvarado’s parent system and its CEO, were indicted on federal criminal charges concerning alleged violations of the Medicare Anti-Kickback Act in connection with alleged physician recruitment policies.16 The transparency of the hospital’s recruitment practices and the board’s role, if any, in sanctioning such practices no doubt will surface as issues, as this case progresses through the criminal justice system. The merits of the case are as yet unresolved, and the defendants must be presumed innocent. However, this prosecution reaffirms that the Department of Justice will prosecute entities and their officers and directors in what it deems to be appropriate cases.
12 See SEC v. McConnell and Morrison, CA No. 00-CV-2261 (E.D. Pa., May 2, 2000); In re Adamczak, CPA, Exchange Act Release No. 42743 (May 2, 2000); In re Spargo, CPA, Exchange Act Release No. 42742 (May 2, 2000).13 United States v. Grass, Bergonzi, Brown, Sorkin, 1:Cr-02-146-01 (W.D. Pa., June 21, 2002).14 A $1.05 million fine levied on United Memorial, however, will not be expunged. By virtue of an October, 2003, settlement agreement, $500,000 will be directed to fund indigent care programs, and the remainder will be paid to the government over two years. BNA Highlights, Oct. 8, 2003; Oct. 8, 2003, telephone conversation with United States Attorney’s Office (W.D. Mich).15 United States v. United Memorial Hospital, No. 1:01-CR-238 (W.D. Mich., Jan. 8, 2003).16 United States v. Tenet HealthSystem Hospitals, Inc., Crim. No. 03-CR-1587 (S.D. Cal., July 17, 2003).
3
3. HealthSouth
The federal criminal investigation of HealthSouth, one of the nation’s largest healthcare services providers, operating hospitals and outpatient surgery, diagnostic imaging, and rehabilitative facilities nationwide, is ongoing. The investigation is focused on allegations that, in an effort to “manage earnings” to meet the earnings-per-share expectations of Wall Street analysts, HealthSouth management conspired to inflate assets and overstate earnings by $2.7 billion17 through false and delayed accounting entries and bogus transactions.18
To date, federal criminal charges have been filed against sixteen former HealthSouth executives,19 including HealthSouth’s former CEO and chairman of its board.20 For the very first time, the government has brought criminal charges based on the SOA financial statement certification provision.21 HealthSouth’s former CEO and three former CFOs have been charged with, among other things, certifying to materially inaccurate reports of financial conditions and results of operations contained in HealthSouth quarterly reports (Form 10-Q) to the SEC.22
Fifteen executives charged to date have pleaded guilty, including all five of the CFOs in the history of HealthSouth. Sentences have been imposed on some relatively lower level executives ranging from probation with fines and restitution to five months in jail. The CEO’s trial presently is schedule to commence later this year. Whether this criminal probe will stop in the higher reaches of HealthSouth’s former management or extend even further into the board room is unknown.
4. AstraZeneca
In June of 2003, AstraZeneca Pharmaceuticals LP of Wilmington, Del., agreed to pay a $355 million fine to resolve criminal charges and civil liabilities stemming from an alleged illegal marketing and pricing scheme involving a drug to treat prostate cancer, Zoladex. The case arose out of a qui tam law suit and was prosecuted by the United States Attorney’s Office for the District of Delaware.
17 Note that to the extent any alleged fraudulent activity affected the books and records of individual HealthSouth facilities, the veracity of the Medicare and Medicaid cost reports submitted by these facilities may also be implicated. To date, however, no criminal Medicare or Medicaid fraud-related charges have been filed. 18 See, e.g., United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003).19 The HealthSouth investigation can be tracked on the Web site of the U.S. Attorney’s Office for the Northern District of Alabama, available at: http://www.usdoj.gov/usao/aln/.20 United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003). The government is seeking $278 million in forfeiture from the defendant. The SEC also has filed a civil suit against HealthSouth’s former CEO and board chairman alleging a scheme to inflate profits. SEC v. HealthSouth and Scrushy, CA No. CV-03-J-0615-S (N.D. Ala. 2003).21 18 U.S.C. § 1350 (SOA § 906). 22 See United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003); United States v. McVay, Crim. No. 03-CR-195 (N.D. Ala., April 23, 2003); United States v. Owens, Crim. No. 03-CR-131 (N.D. Ala., Mar. 26, 2003); United States v. Smith, Crim. No. 03-CR-126 (N.D. Ala., Mar. 19, 2003).
4
As part of a plea agreement, AstraZeneca Pharmaceuticals agreed to pay a fines: for violating the Prescription Drug Marketing Act as a result of the provision of free drug samples which were billed to medicare; to resolve charges that it caused false claims to be filed with the Medicare, TriCare, Department of Defense, and Railroad Retirement Board programs as a result of its fraudulent pricing and marketing of Zoladex; to the state governments to settle civil claims that it failed to provide state Medicaid programs with its best price for its drug, as required by law; and for inflating the price of Zoladex reported to Medicare as a basis for reimbursement, while "deeply discounting” the actual price charged to the physicians.
The settlement also resolved civil allegations that AstraZeneca offered other improper inducements to doctors, such as educational grants, travel and entertainment, consulting services, business assistance grants, and honoraria. AstraZeneca also agreed to the terms of a Corporate Integrity Agreement (CIA), which provides for close scrutiny of its marketing and sales practices for five years.
5. Merck-Medco
In December of 2003, the United States Attorney for the Eastern District of Pennsylvania filed an amended complaint under the False Claims Act and Anti-kickback Statute against Merck-Medco Managed Care L.L.C., Medco Health Solutions, Inc. and several executives.23 The complaint alleges a variety of misconduct conduct on the part of its mail order pharmacies including favoring more expensive Merck drugs, “shorting” pill quantities, and cancelling prescriptions to avoid delay penalties. Again, this matter was initiated by a qui tam filing.
6. Ernst & Young
In January of 2004, the United States Attorney for the Eastern District of Pennsylvania filed a complaint against the accounting firm of Ernst & Young, L.L.P. under the False Claims Act and under unjust enrichment and payment by mistake theories.24 According to the complaint, nine hospitals paid Ernst & Young for billing advice – advice which allegedly later caused the submission of false claims to the Medicare program. The complaint alleges that 200,000 claims for payment for outpatient clinical laboratory tests were billed to Medicare. The government seeks to recover more than $900,000 in damages resulting from laboratory payments improperly claimed and received by the nine hospitals.
This suit is notable for two reasons. First, it attacks a so-called “gatekeeper” – a CPA consultant ostensibly hired to look into a client’s behavior and advise it on a course of action. Second, as regards the government’s expected proof of “state of mind,” it charges the gatekeeper with keeping itself “deliberately ignorant” of the facts.
23 United States v. Merck-Medco Managed Care, L.L.C. et al., No. 00-CV-737 (E.D.Pa. Dec. 9, 2003). 24 United States v. Ernst & Young, L.L.P., (E.D.Pa. Jan. 5, 2004).
5
II. SARBANES-OXLEY ACT: RIPPLE EFFECTS
A. Obstruction of Justice
The SOA significantly expands the government’s ability to charge obstruction of justice for actions committed after July 30, 2002.25 Most importantly, the broad wording of Section 1519 of Title 18 does not appear to require that a federal investigation actually be pending, known about, or even expected at the time of the alleged obstruction. Rather, the knowing destruction or alteration of documents “in contemplation of” the “proper administration of any matter” before “any” federal agency can constitute obstruction. Of course, the “administration of a matter” before a federal agency can occur long before a civil or criminal investigation commences.
B. Whistleblower Retaliation26
Less well known is the sweeping, criminal SOA whistleblower law, located in the obstruction of justice chapter of Title 18, as well as a related SOA civil anti-retaliation statute. The new criminal statute provides:
Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense, shall be fined under this title [$250,000] or imprisoned for not more than 10 years, or both.27
Consider the sweep of this criminal statute which, incidentally, also constitutes a predicate act for criminal and civil RICO. On its face, it applies to: (a) any harmful action; (b) targeting any person; (c) who provides any quantum of truthful information to law enforcement; (d) about the possible commission; (e) of any federal crime.
Physical harm to a witness or an informant has long been the subject of a criminal retaliation statute.28 Yet short of physical harm, retaliation and employment issues usually have been the stuff of civil, not criminal, remedies. Moreover, anti-retaliation statutes usually have been confined to persons blowing the whistle on particular types of suspect activity, particular sectors of the economy or government employees. The SOA provision covers anybody in any sector of the economy, public or private.
The False Claims Act (FCA) already provides that employees discriminated against for assisting a qui tam investigation or litigation can bring a civil action and “shall” be “made whole” via
25 18 U.S.C. § 1519. 26 For a more complete discussion of this issue, see Levine, R. and Ostrelich, M., Whistleblower Retaliation Under Sarbanes-Oxley: It’s A Crime!, 10 BUSINESS CRIMES BULLETIN 4 (May 2003). 27 18 U.S.C. § 1513(e) (italics added); see 18 U.S.C. §§ 3571(b)(3), (c)(3) ($500,000 fine for a corporation).
28 18 U.S.C. § 1513.
6
reinstatement, double back pay, special damages and attorneys’ fees.29 Since the FCA has a criminal counterpart (18 U.S.C. § 287) a qui tam relator’s information arguably relates to the possible commission of a federal crime as well. Thus the relator, and the government, now have additional leverage. They can claim that an adverse employer action amounts to Section 1513(e) criminal violation.
C. Financial and Internal Controls Certification
The government has long been able to prosecute financial fraud under the criminal false statements statute, and under the mail, wire, bank, healthcare, and securities fraud statutes. individual liability within a corporation, however, is not easy to prove. Good faith reliance on others–subordinates, peers, accountants, and lawyers–can negate the knowledge, intent to defraud, willfulness, or scienter necessary to prove most of these crimes.
The SOA financial statement certification provisions30 are important for several reasons. They act to put CEOs and CFOs on notice of the importance of assuring the integrity of the entity’s financial reporting mechanisms. As a result, the provisions can give regulators, agents, and prosecutors a more direct way of reaching a CEO and CFO who might otherwise be insulated from prosecution.
Plainly, a true mistake would not rise to the level of a knowing certification, much less one submitted willfully. Similarly, if one truly is misled about material facts as to which a certification later is submitted, then he or she cannot have the requisite knowledge to sustain a conviction. Finally, good faith reliance on an expert, to whom all relevant facts have been disclosed, may still be a defense to a false certification charge.31
However, by requiring CEOs and CFOs to certify to the adequacy of financial and disclosure controls, as well as to certify to the material fairness and accuracy of financial statements and reports of operations, Congress may have been seeking to undercut traditional white collar defenses centering on an executive’s mistake, insulation from the alleged bad acts of subordinates, or reliance on others, including experts.
It has long been the law that reckless disregard of the truth or conscious avoidance of the truth can make out the knowledge necessary to sustain a criminal conviction.32 The SOA’s implicit due diligence requirements in combination with the doctrine of reckless disregard makes all of those knowledge and state of mind defenses that much harder to sustain. To the extent corporate officers do not make a concerted effort to ask the right questions and to document that those questions were asked and how they were answered, they may find themselves the subject of a reckless disregard allegation.
29 31 U.S.C. § 3730(h). 3018 U.S.C. § 1350; 15 U.S.C. § 7241. 31 See, e.g., United States v. Johnson, 730 F.2d 683 (11th Cir.), cert. denied, 469 U.S. 857 (1984) (§ 1001 false statements case). 32 See, e.g., United States v. Puente, 982 F.2d 156 (5th Cir.), cert. denied, 508 U.S. 962 (1993) (§ 1001 false statements case).
7
D. Tax Exempt Bond-Related Disclosure Fraud
Congress has exempted municipal securities offerings from the registration requirements of the Securities Act of 1933 and from the reporting requirements of the Securities Exchange Act of 1934.33 Thus, the SOA certification provisions are not directly applicable to municipal bond issuers and obligated entities.34 However, municipal securities transactions are still subject to the prohibitions of general commercial anti-fraud statutes as well as to the anti-fraud provisions of the 1933 and the 1934 Securities Acts.35
Not-for-profit entities, and occasionally for-profit affiliates, in the healthcare sector sometimes become involved in tax-exempt financings as the users of bond proceeds and the source of repayment, e.g., AHERF. These are referred to as “conduit bonds” or “conduit financings,” defined as “municipal securities [that] are issued by a state or local government for the benefit of a private corporation or other entity that is ultimately obligated to pay such bonds.”36 The obligation to provide full and honest financial disclosure by the third party healthcare entity to bond issuers and brokers can create a basis for allegations of fraud, both at the point of initial offering and in the secondary market.
In 1995, the SEC amended its municipal securities disclosure securities rule, Rule 15c2-12, to effectively require, with some exceptions, hospital systems and other organizations borrowing the proceeds of tax-exempt debt, and obligated on that debt, to make annual disclosures37 of financial statements and significant events available to bondholders and potential investors.38 Materially false representations in these Rule 15c2-12 disclosures expose the entity to a Rule 10b(5) prosecution for fraud and deceit in connection with the sale of securities or to prosecution under more general fraud statutes.39
E. Conclusion
33 See 15 U.S.C. §§ 77c(a)(2), 78(a)(29).34 See Peregrine, M., Horton, W., & Libby, J., The New Corporate Responsibility Law: How it Affects Health Care, 11 BNA HEALTH LAW REPORTER 34 at 1231 n.3 (Aug. 22, 2002). 35 See S. Weinstein, “Understanding AHERF: Observations on the Recent Settlements Involving Allegheny Health, Education and Research Foundation” at 4 (Aug. 1, 2000), available at: www.sec.gov/news/speech/spch406.htm.36 SEC Release Nos. 33-7049, 34-33741 at 17 (Mar. 9, 1994) (quoting Government Finance Officers Association policy statement).37 Disclosures are made to four Nationally Recognized Municipal Securities Information Repositories (MSIRs). Three states, Texas, Michigan, and Ohio, have their own repositories. Lists and addresses are available at: www.sec.gov/info/municipal/nrmsir.htm.38 17 C.F.R. § 240.15c2-12(b)(5); for background, see SEC Release No. 34-34961 (Nov. 10, 1994).39 See, e.g., In the Matter of the City of Miami, Securities Act of 1933, Rel. No. 8213 and Securities Act of 1934, Rel. No. 47552 (March 21, 2003), Admin. Proc. File No. 3-10022.
8
Privately held or not-for-profit healthcare companies no doubt will be touched by the ripples of SOA. Pressure for due diligence, if not outright certification, will result in similar obligations in the private sphere. The pressure is likely to come from a variety of sources:
Board members, more conscious of their own potential exposures, are pushing CEOs and CFOs for tighter internal compliance regimes and certifications.
State attorneys general and legislatures are recognizing that the policies served by the SOA apply to all organizations, whether they are profit-driven or mission-driven.
Bond dealers, investment banks, lenders, and bond rating services are demanding that SOA-type standards be put in place to protect and to help accurately gauge the risk of investments.
Underwriting requirements from Directors and Officers (D&O) liability insurers are becoming more demanding and tracking SOA standards in order to minimize insurers’ risk of exposure.
Auditors are seeking more stringent SOA-related representations and warranties from management in order to limit their gatekeeper liability.
A sensitized IRS40 likely will look to enforce more strictly intermediate sanctions41 to hold tax exempt organizations to SOA-type standards of behavior.
40 See IRS Exempt Organizations Office To Boost Compliance Efforts in 2004, 8 BNA HEALTH CARE DAILY REPORT 241, Dec. 16, 2003.41 26 U.S.C. § 4958.
9
III. HIPAA “DATA TRADE”42
HIPAA essentially makes “protected health information” contraband in much the same way as information protected by statutes aimed at insider information, computer hacking, identity theft, credit/debit card fraud, trade secret theft and economic espionage.
Found in Title 42, this provision of the HIPAA statute provides that:
A person who knowingly and in violation of this part --
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,…shall be…fined not more than $50,000, imprisoned not more than 1 year, or both…43
“Individually identifiable health information” (protected health information or PHI for short) includes demographic and other information collected from an individual by a health care provider or plan that relates to the “health, condition, care, or payment for care of that individual and which either identifies that individual or from which there is a reasonable basis to believe that individual can be identified.”
If the crime is committed under false pretenses, maximum penalties increase to five years in jail and a $100,000 fine. If committed with the intent to “sell, transfer, or use individually identifiable health information for commercial advantage” or “personal gain,” maximum penalties are further upped to ten years in jail and a $250,000 fine.
A relatively lenient civil enforcement provision also was enacted. It imposes a $100 penalty per violation, capped at $25,000 for identical violations during a calendar year.44 The civil provision also exempts those who did not reasonably know that they had violated the Act and those who failed to comply due to a reasonable cause and who promptly cure.
A. The “Data Trade”
Huge amounts of computerized patient health care information is created by health care providers and health benefit plans. Providers and plans in turn
42 For a more complete discussion of this issue, see Levine, R., HIPAA: Data Trade Prosecutions on the Horizon?, 10 Business Crimes Bulletin 9 (Oct. 2003).43 42 U.S.C. § 1320d-6.
44 42 U.S.C. § 1320d-5(a)(1).
10
do business with data clearinghouses, pharmacy benefits managers (PBMs) and commercial claims processors. The acquisition from one or more of these “downstream” data handlers of large amounts of patient health information, which is then aggregated, stored, analyzed and held for commercial sale constitutes the “data trade.” Buyers of this aggregated data use it for everything from research or marketing to insurance underwriting.
Business associates may receive PHI from HIPAA-covered entities (CE) solely for the purpose of providing processing, actuarial, data aggregation or other services to or on behalf of that CE.45 In the case of a business associate providing “data aggregation” services, HHS intends that the business associate receive PHI from several CEs with which it has relationships “in order to permit the creation of data for analyses [e.g., quality assurance and comparative analysis] that relate to the health care operations of the respective covered entities.”46 In other words, HHS may take the position that data aggregation by a business associate must be of some use or relate to the CE.
A carelessly drafted business associate contract, or reckless disregard of what the business associate actually is doing with PHI, could expose the covered health care entity to criminal (or civil) sanctions.
45 65 Fed. Reg. 82642, 82475 (Dec. 28, 2000).46 65 Fed. Reg. 82642, 82475 (Dec. 28, 2000) (emphasis added).
11
IV. FEDERAL SENTENCING GUIDELINES
The federal sentencing guidelines create a matrix of imprisonment ranges with an “offense level” (based on specified offense characteristics) on one axis and an offender criminal history score on the other. Sentences must fall within the specified guideline range absent unusual factors, which justify upward or downward departures from that range. For the fraud guideline, the driving offense factor is actual or intended loss caused by the crime.47
The fraud sentencing guidelines were not exactly lenient pre-SOA. White collar offenders constituted about 17.5% (10,471 individuals) of all the federal offenders sentenced in 2001,48 and the average length of imprisonment for federal fraud offenses was 18.7 months.49 Nonetheless, the SOA mandated that the United States Sentencing Commission review the guidelines for obstruction of justice, accounting and financial fraud, and penalties for organizations.50
The Commission responded with “emergency” Guideline amendments effective January 25, 2003, and additional amendments that became effective on November 1, 2003. The fraud guidelines have been boosted dramatically for offenses occurring after the effective date of the particular guideline amendment. For example, the base offense level for fraud and false certifications has been raised one level to an offense level seven, if the underlying crime has a maximum prison penalty of twenty years or more.51 This will reach the new SOA crimes of securities fraud, 18 U.S.C. §§ 1348, and willful false SOA § 906 certifications, 18 U.S.C. § 1350. The effect of this seemingly small amendment is to narrow the availability of a pure “Zone A” probation sentence, assuming a two-level credit for acceptance of responsibility, to frauds causing losses of $10,000 or less rather than $30,000 or less as was previously the case.52 Similarly, a “Zone D” sentence of incarceration now is mandated if the fraud loss is more than $70,000, whereas previously the fraud loss had to exceed $120,000 for a similar result.53
This revised fraud guideline also contains new offense level enhancements pegged to the number of victims (over 10, 50, or 250)54 and to whether the solvency or financial security of a publicly traded organization, or of one hundred or more victims, is substantially endangered.55 Note that even in a “no loss” case, the Application Note to the fraud guideline encourages judicial and prosecutorial consideration of “upward departures” from the offense level determined under that guideline, where the level “substantially understates the seriousness of the offense.”56
47 U.S.S.G. at § 2B1.1(b).48 United States Sentencing Commission, Office of Policy Analysis, 2001 Datafile, OPAFY01.49 Id.50 28 U.S.C. § 994 (Note) (SOA §§ 805, 994, 1104).51 U.S.S.G. § 2B1.1(a) (eff. Nov. 1, 2003).52 U.S.S.G. § 5B1.1(a).53 U.S.S.G. § 5C1.1.54 Id. at § 2B1.1(b)(2) (eff. Jan. 25, 2003). 55 Id. at § 2B1.1(b)(12) (eff. Nov. 1, 2003). 56 Id. at § 2B1.1, App. Note 16 (eff. Jan. 25, 2003).
12
At the same time that fraud guidelines are being boosted, guideline downward adjustments and downward departures that once were available to white collar defendants are being cut back, more stringent appellate review of such departures has been mandated, and the government’s charging and plea bargaining policies have been made more restrictive:
(1) By direct Congressional amendment of the guidelines via the PROTECT Act,57 effective April 30, 2003, and by Commission guideline amendments effective October 27, 2003, made in response to the directives of that Act, a number of grounds for sentencing guideline downward departures now are prohibited: “super-acceptance” of responsibility, minor role in offense, gambling addiction, and repayment of legally required restitution. In addition, the availability of departures based on family ties and responsibilities and on aberrant behavior are limited.58 Defense counsel must be alert to ex post facto arguments based on the effective date of the particular amendment at issue.
(2) On April 30, 2003, provisions of the PROTECT Act59 changed the applicable standard of review on aspects of appeals from departures from the sentencing guidelines, including, of course, government appeals from downward departures granted to white collar defendants. The courts of appeals now are to review de novo a sentencing court’s application of the guidelines to the facts to ensure that a downward departure is authorized under the law and justified by the facts of the case.60 This is a big change from the prior “abuse of discretion” standard.61 Courts have already begun to reverse downward departures in healthcare fraud prosecutions that previously might have been upheld.62 Defense counsel should seek to pose the issue on appeal as a finding of fact still subject to a clearly erroneous standard.63
(3) The Attorney General recently has directed federal prosecutors, with limited exceptions, to charge, and accept guilty plea agreements to, only the most serious and readily provable offense. In other words, there can be no charge bargaining;64 no fact bargaining with defendants about issues affecting guideline offense level enhancements, e.g., amount of loss; and prosecutors should rarely acquiesce in downward departures from the guideline range other than for substantial assistance in the investigation and prosecution of another person.65 Therefore, if conviction seems likely, it behooves defense counsel to “get in early” to negotiate a guilty plea agreement and guideline offense characteristics like loss, before what is readily provable hardens
57 See Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today (PROTECT) Act of 2003, Pub. L. No. 108-21, 117 Stat. 650.58 U.S.S.G. Amendments effective October 27, 2003, available at: www.ussc.gov/departure/draft_depart6.pdf.59 PROTECT Act at § 401, Pub. L. No. 108-21, 117 Stat. 650; 18 U.S.C. § 3742(e) (amended eff. April 30, 2003). 60 18 U.S.C. § 3742(e) (amended eff. April 30, 2003). 61 Koon v. United States, 518 U.S. 81 (1996). 62 See, e.g., United States v. Thurston, 338 F.3d 50 (1st Cir. 2003) (reversing a downward departure to healthcare fraud defendant that had been granted on grounds including extraordinary charitable and community service). 63 18 U.S.C. § 3742(e)(3)(C). 64 Memorandum from Attorney General Ashcroft, Department Policy Concerning Charging Criminal Offenses, Disposition of Charges, and Sentencing (Sept. 22, 2003). 65 Memorandum from Attorney General Ashcroft, Department Policies and Procedures Concerning Sentencing Recommendations and Sentencing Appeals (July 28, 2003).
13
into evidence that the prosecutor may not ignore. The dilemma is that sometimes it is difficult to assess the risk of indictment and conviction in the early stages of a government investigation.
A. Sentencing Organizations
The sentencing of corporations and other entities is also governed by the federal sentencing guidelines.66 For fraud offenses, the court calculates the offense level as it would for an individual defendant.67 A “base fine” would then be the greater of that called for by this offense level calculation, the pecuniary gain to the organization, or the pecuniary loss caused by the offense.68 A “culpability score” based on aggravating and mitigating factors is then calculated in order to find “multipliers” to be applied to the base fine to generate the minimum and maximum of the guideline fine range.69
Of note is that this culpability score is reduced if the defendant corporation had in place an “effective program to prevent and detect violations of law” so long as high-level or compliance personnel were not involved in the charged offense and the corporation did not unreasonably delay reporting the offense to the government.70 An “effective program to prevent and detect violations of the law” requires “at a minimum” that the organization exercise due diligence by taking the following steps:
1. establish compliance standards and procedures,
2. assign high-level personnel to oversee compliance,
3. ensure that discretionary authority is not delegated to individuals with a propensity for illegal activity (background screening),
4. effectively communicate to employees about compliance standards and procedures (training),
5. take reasonable steps to ensure compliance with standards through monitoring, auditing and reporting systems,
6. adequately and consistently enforce standards, including, as appropriate, discipline for offenders, and
7. respond to infractions and take steps to prevent subsequent occurrences.71
“The precise actions necessary for an effective program” will depend on factors including the size of the organization, the risks attendant to the particular nature of the business, the organization’s history, and applicable industry practice and government regulation.72
66 U.S.S.G., Ch. 8 (eff. Nov. 1, 2002). 67 U.S.S.G. §§ 8C2.1(a), 8C2.3 (eff. Nov. 1, 2002). 68 U.S.S.G. § 8C2.4 (eff. Nov. 1, 2002). 69 U.S.S.G. §§ 8C2.5-8C2.8 (eff. Nov. 1, 2002). 70 U.S.S.G. § 8C2.5(f) (eff. Nov. 1, 2002). 71 U.S.S.G. § 8A1.2, App. Note 3(k)(1)-(7). These principles have become the foundation for the OIG Compliance Guidance issued for various types of healthcare providers. 72 Id. at App. Note 3(k)(i)-(iii).
14
Further culpability score reductions are available for corporate self-reporting, cooperation, and acceptance of responsibility.73 Conversely, as a condition of probation for recidivist entities or those without compliance plans, the court may order the entity to develop and submit to the court a program to prevent and detect violations of law, including a schedule for implementation, communication to employees and shareholders, and unannounced site inspections.74
This emphasis on corporate compliance programs will not likely abate. Note that an ad hoc advisory group to the federal Sentencing Commission recently issued a report recommending, among other things, a separate guideline to define with more precision the components of an “effective” compliance program, with an emphasis on organizational culture, leadership responsibilities, compliance staff and resources, training and periodic evaluation, and ongoing risk assessment.75
73 U.S.S.G. § 8C2.5(g) (eff. Nov. 1, 2002). 74 U.S.S.G. § 8D1.4(c) (eff. Nov. 1, 2002). 75 Report of the Ad Hoc Advisory Group on the Organizational Guidelines (Oct. 7, 2003), available at: www.ussc.gov/corp/advgrprpt/advgrprpt.htm.
15
V. DOJ’s REVISED PROSECUTION POLICY
Whether or not a corporation will be charged federally is a judgment made by the prosecutor. Federal prosecutors are guided in this decision by the DOJ’s recently revised policy directive on “Federal Prosecution of Business Organizations.”76 This policy lists and explains nine factors that are to go into the decision of whether or not to charge a corporation:
1. the nature and seriousness of the offense,
2. the pervasiveness of the wrongdoing within the corporation,
3. history of similar conduct including prior criminal, civil or regulatory actions,
4. timely and voluntary disclosure of wrongdoing to, and cooperation with, the government,
5. the adequacy of the corporation’s compliance program,
6. the corporation’s remedial actions,
7. collateral consequences of prosecution, e.g., to employees,
8. the adequacy of individual prosecutions, and
9. the adequacy of civil or regulatory remedies.77
Several points stand out. First, the government routinely expects voluntary disclosure and cooperation. The government defines cooperation to include “if necessary, waiver of attorney-client and work product protection” as to “the factual internal investigation and any contemporaneous advice given to the corporation concerning the conduct at issue.”78 While a waiver to be an “absolute requirement” of cooperation, it is “one factor in evaluating the corporation’s cooperation” and thus in deciding whether to charge the entity.79 (Another factor in the government’s evaluation of cooperation is whether or not the company is indemnifying target individuals or is otherwise seen to be protecting culpable employees.80)
Second, the existence and adequacy of a corporate compliance plan is paramount. The DOJ policy cites the Caremark case and goes on to provide:
Prosecutors should . . . attempt to determine whether a corporation’s compliance program is merely a “paper program” or whether it was designed and implemented in an effective manner . . . . [P]rosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance effort. In addition, prosecutors
76 Department of Justice, Federal Prosecution of Business Organizations, Criminal Resource Manual § 162 (Jan. 20, 2003), available at: www.usdoj.gov/dag/cftf/corporate_guidelines.htm.77 Id. at § II (A). 78 Id. at §§ II(A)(6), VI(B) n.3.79 Id. at § VI(B). 80 Id. at §VI(B). Some states by law require corporations to pay the legal fees of officers and directors prior to a formal determination of guilt. Compliance with such laws is not to be considered a failure to cooperate. Id. at n.4.
16
should determine whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.81
Of course, compliance plans neither absolve the corporation of respondeat superior liability nor guarantee immunity from prosecution. However, as a DOJ official stated recently, a company that does not have a compliance program is “a little like conducting your business without insurance.”82
81 Id. at § VII(B). 82 Levine, R., Health Care and Compliance After 9/11, CORPORATE COMPLIANCE OFFICER, July 2002, at 9 (quoting Michael Chertoff, then Chief of the DOJ Criminal Division).
17
VI. CONCLUSION
The last eighteen months have seen an unprecedented confluence of events, and reactions by the executive, legislative and judicial branches, which have increased white collar risks and exposures for healthcare organizations. The corporate governance spotlight and the prosecution of fraud now may reach to the upper spheres of management and even to the board. Moreover, governance failures can also spill back over more traditional healthcare compliance laws, such as the Anti-kickback Statute and the False Claims Act, to create the evidence of intent necessary to prosecute under those statutes as well.
18
