From Carrot to Stick?: Use of Self-Audits as Evidence Against Healthcare Entities in False Claims Act Cases

Introduction

In recent years, many healthcare entities have invested tremendous resources into compliance programs. They have done so with the understanding that good faith compliance efforts – while by no means an absolute shield to enforcement actions under the False Claims Act (FCA)[1] and other laws – will be taken into consideration by the Department of Justice (DOJ) and its client agencies as a favorable indicator of a company’s commitment to ethical business practices. However, with respect to at least one key component of many healthcare compliance programs, companies may need to exercise caution in proceeding under this assumption. That component is the self-audit.

In what may be an emerging trend, at least three FCA actions have been filed in the past two-and-a-half years against healthcare entities whose self-audits not only failed to mitigate their FCA exposure, but, worse still, were offered as evidence probative of their alleged knowledge of the submission of false claims. These cases were not situations in which one might reasonably expect to see such evidence offered against a company – that is, when a compliance program is part and parcel of an overall scheme to defraud the government, or when a self-audit reveals the submission of an objectively false claim and the entity intentionally disregards that finding. Rather, these cases involved healthcare compliance programs that seemed to constitute good faith efforts at self-policing, if imperfect ones. Furthermore, the evidence related to self-audits was leveraged against defendants in novel ways. General findings about documentation shortcomings and other areas for improvement were employed as evidence of a company’s knowledge of specific false claims, or alternatively, the results of narrowly targeted audits were criticized as being insufficiently comprehensive and then were broadly interpreted or extrapolated to establish knowledge of other allegedly systemic types of false claims.

These new strategies for imposing liability under the FCA are characteristic of the aggressive methods that relators and their counsel employ in the hopes of obtaining a lucrative FCA award. More troubling, though, is the possibility that DOJ – which elected not to intervene in the first two cases – may now join the pursuit, as it seemed to signal in May 2013 when it initiated the third of the recent FCA actions involving self-audits. Under pressure to bring ever more cases and recover ever larger sums of money, DOJ is in danger of overlooking the risk that punitive use of self-audits will generate significant controversy in the industry and cause healthcare companies and compliance professionals to reconsider the ways in which they incorporate self-audits into their efforts to address fraud and inefficiency.

The Government’s Role in Shaping Expectations About the Benefits of Self-Audits

Compliance programs are a cornerstone of prudent management for any healthcare entity. Companies face enforcement initiatives at the federal and state levels, as well as the scrutiny of the media and the public. To help meet this challenge, many have added qualitative and/or quantitative internal reviews, i.e., self-audits, to their compliance portfolios.

Self-audits serve a number of purposes. First, they apprise companies of possible legal risks so that the risks can be mitigated. Second, they deter legal violations. Third, they underscore a company’s commitment to compliance in ways that employee training and the development of written policies cannot, demonstrating that a company has prioritized the promotion of lawful business practices over the discomfort of developing potentially unfavorable information about certain aspects of its operations.

Companies, in turn, hope that good faith efforts at self-auditing will mitigate the severity of an enforcement action or government investigation into their business practices. Inevitably, companies also rely heavily on the government’s enforcement practices and public pronouncements to determine the nature and breadth of their compliance initiatives.

In its published guidance, DOJ has consistently stated that it will favorably consider good-faith compliance efforts should a company be subject to government scrutiny. One of the more recent and prominent examples of that guidance is known as the “Filip Memo,” authored by former Deputy Attorney General Mark Filip and preceded by a series of similar memoranda issued by former Deputy Attorneys General Paul McNulty, Larry Thompson and Eric Holder.[2] The Filip Memo addresses the factors that a prosecutor should consider in determining whether to charge a corporation with a crime. Although it does not explicitly address factors bearing upon DOJ’s discretion in the resolution of alleged civil violations under the FCA, the Filip Memo is often invoked as persuasive authority in FCA cases by defendants and government officials alike (especially where the government’s investigation includes, or might expand into, a parallel criminal investigation).

The Filip Memo provides that when DOJ investigates a corporate entity, it should assess, among other things, “the existence and effectiveness of the corporation’s pre-existing compliance program” and “the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.”[3] It further provides that a “corporation’s timely and voluntary disclosure of wrongdoing . . . may be [a] relevant factor[ ]” in determining whether to decline prosecution.[4] This, of course, presupposes that corporations have the ability to detect some compliance failures before the government detects them, likely through self-audits.

Other government agencies charged with civil and administrative authority over the healthcare industry, most notably the Department of Health and Human Services (HHS) through its Office of Inspector General (OIG), have issued their own policy statements and guidance endorsing corporate adoption of compliance best practices, including self-audits. For instance, in 1997, OIG issued a notice in the Federal Register entitled “Criteria for Implementing Permissive Exclusion Authority Under Section 1128(b)(7) of the Social Security Act,”[5] which sets forth OIG’s internal agency guidelines for permissive exclusion of individuals or entities determined to pose a risk to federal healthcare programs. The notice states that one consideration bearing upon OIG’s exercise of its discretion to exclude is whether “regular audits [were] undertaken at the time of the unlawful activity[.]”[6]

As a final example, in an April 24, 2006 “Open Letter to Health Care Providers,” Inspector General Daniel R. Levinson stated that “[f]or those providers that demonstrate the requisite level of trustworthiness and that also have in place, or are willing to develop, an effective compliance program, OIG will waive its exclusion authority concurrent with resolution of monetary liability under the False Claims Act[.]”[7] An “effective” compliance program is repeatedly described in OIG’s published compliance guidance as one that includes the use of self-audits or other risk evaluation techniques.[8]

Of course, the legal landscape regarding compliance has changed with the passage of the Patient Protection and Affordable Care Act (PPACA) in 2010.[9] PPACA made compliance programs mandatory for healthcare providers enrolled in Medicare and Medicaid, though it did not set forth a definite timeline for entities to establish their compliance programs (except nursing facilities, which were required to establish their programs by March 23, 2013).[10]

PPACA makes it incumbent upon healthcare entities to develop and formalize their compliance systems to a degree that they might not have believed was necessary under the prior voluntary regime, but HHS and OIG have not yet promulgated rules for what core elements these compliance programs must include (again, except with regard to compliance programs at nursing facilities).[11] Thus, even today it remains a company’s prerogative whether, and to what extent, to include self-audits in its compliance initiatives. Moreover, DOJ, OIG and other government authorities have repeatedly reassured the industry that they understand that there is no single “best” compliance program, and that even the most effective compliance programs “may not entirely eliminate fraud and abuse.”[12]

Not surprisingly, then, healthcare entities tend to assume that a sincere compliance effort – even one that some believe should have probed more deeply or more broadly – will weigh favorably in the government’s assessment of a company’s conduct. At worst, companies expect their self-audits to constitute a neutral factor in an evaluation of their conduct. They probably do not, however, anticipate that the government might leverage the results of a self-audit against them.

Self-Audits in Recent FCA Cases

In the past two-and-a-half years, at least three FCA actions have been filed against healthcare entities in which allegations regarding the defendants’ use of self-audits were central to the claims. Specifically, the self-audits were cited as evidence that the defendants had “knowledge” of the false claims. “Knowledge” is a prerequisite for FCA liability and means, in this context, (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.[13] These cases did not involve allegations of “sham” compliance programs, yet the defendants’ self-audits were used to their detriment under the FCA – a troubling development.

United States ex rel. Stone v. OmniCare, Inc. (N.D. Ill. 2011)

The first case in this trio is United States ex rel. Stone v. OmniCare, Inc.,[14] in which the government elected not to intervene. Stone was a qui tam action against a large provider of pharmaceutical and related pharmacy services to long-term healthcare institutions. The complaint alleged that OmniCare had unlawfully retained Medicare and Medicaid overpayments and had submitted other false claims related to drug stockpiling and a Medicaid pricing scheme.[15]

The relator’s allegations relied heavily on two “probe-sample” audits that he averred proved OmniCare’s knowledge of the submission of false claims (the probe-sample audits in question were audits that “lack[ed] random selection” and therefore could not be statistically extrapolated).[16] As OmniCare explained in its motion to dismiss, the probe-sample audits focused on possible deficiencies in claim documentation (e.g., missing or inadequate forms) and did not establish that bona fide services were not provided or that fraudulent documentation was submitted to the government in support of claims for reimbursement.[17] The relator, however, alleged that because the audits had uncovered high error rates in the documentation related to certain claims, OmniCare was on notice of systemic fraud related to the audited claims and unspecified other claims.

The relator’s argument was unavailing before the court. Rejecting relator’s contention that “the sheer volume of deficiencies [in documentation] means that the claims must be false and that OmniCare knew or should have known this based on that high rate,” the court concluded on the motion to dismiss that relator’s broad interpretation of the audit results were inadequate to plead knowledge under the heightened pleading standard of Federal Rule of Civil Procedure 9(b).[18] Dismissal was granted with respect to all of the substantive FCA claims supported by the allegations regarding the self-audits because relator had not identified “specific false claims for payment or specific false statements made in order to obtain payment.”[19]

United States & State of Wisconsin ex rel. Keltner v. Lakeshore Med. Clinic, Ltd. (E.D. Wis. 2013)

In United States & State of Wisconsin ex rel. Keltner v. Lakeshore Med. Clinic, Ltd., [20] also a case in which the government did not intervene, the defendant did not fare as well as the defendant in Omnicare. In Keltner, the relator alleged that Lakeshore had knowledge of physician “upcoding” based on annual audits that had revealed upcoding error rates greater than 10 percent for two physicians.[21] Though Lakeshore took remedial action to correct the upcoded claims identified through the audits, the relator alleged that, in light of the error rates, Lakeshore should have explored possible upcoding of other non-audited physician consultations. The relator also supported her claims by alleging that Lakeshore eventually ceased conducting audits.[22]

On a motion to dismiss under Rules 9(b) and 12(b)(6), the court sided with the relator. The court acknowledged that the relator did “not allege that defendant knew that specific requests for reimbursement for . . . services were false,” but it held that the company’s decision to “ignore” the high error rate, along with its decision to cease its audits, provided grounds for the claims to survive dismissal.[23]

It is noteworthy that the court condoned the relator’s characterization of Lakeshore as having “ignored” the self-audits.[24] According to the court’s own recitation of the facts, that is not what took place. Rather, Lakeshore simply declined to expand the scope of its voluntary self-audits in response to what the relator unilaterally determined was a “high” error rate – but the company did take action to correct the problems identified by the audits.

More interesting still is the opinion’s first footnote, which states: “Relator actually claims that 13 physicians had error rates over 10 percent for one year between 2006 and 2011. However, the audits referenced in the complaint indicate that most of the errors in question were the result of undercoding, not upcoding.”[25] Thus, more often than not, the errors uncovered by Lakeshore’s audits were mistakes that had financially benefitted federal healthcare programs at Lakeshore’s expense. However, the court did not appear to factor this issue into its ruling that the case should not be dismissed.

United States v. Vitas Hospice Servs., L.L.C. (W.D. Mo. 2013)

On May 2, 2013, DOJ seemingly blessed the attack on companies’ good faith self-audits through a complaint it filed in United States v. Vitas Hospice Servs., L.L.C.,[26] a case that may be a harbinger of future DOJ enforcement tactics.

In Vitas, the United States alleged that Vitas and other defendant hospice companies had “focused on maximizing Medicare reimbursement for as many patients as possible while disregarding patients’ medical need and Medicare guidelines.”[27] To that end, defendants allegedly submitted false claims for which they had knowledge due to regular internal audits that revealed, among other things, a “69 percent score” for crisis claims, “indicating a significant deficiency in compliance with Medicare requirements.”[28]

Interestingly, the government cites a “Patient Care Documentation and Compliance Internal Review” as one example of the internal audits that allegedly conferred knowledge on the company.[29] Documentation audits, though, typically assess the adequacy of documentation, not the propriety of the underlying medical services and associated Medicare billings (though we cannot know from the audit’s title alone precisely what it entailed, and the inclusion of the word “Compliance” in that title may reflect that the audit focused on more than the adequacy of documentation). Perhaps the government here is misconstruing audits intended to be used for one purpose as demonstrative of something different altogether.

That is not the only questionable aspect of the government’s reliance on Vitas’ self-audits. In addition, the complaint lists myriad instances of patients on whose behalf false claims were allegedly submitted. However, the United States did not claim that any of those particular patients’ situations were brought to defendants’ attention through the audits. A plausible alternative conclusion is that the audits, far from demonstrating reckless disregard for the law, were simply a good-faith attempt at identifying the severity of the company’s problems; maybe they even limited the expansion and severity of those problems. Vitas is still in its early stages and much remains to be learned about the actual facts underlying the government’s claims. But what the government’s allegations in Vitas underscore, along with the relators’ conduct in OmniCare and Lakeshore, is that healthcare entities conducting self-audits may be vulnerable to FCA liability, depending on the scope of the audit and the organization’s response to the findings. The very objective of self-audits is to uncover compliance vulnerabilities, yet relators, and perhaps government investigators, seem all too willing to leverage the results of those audits (now neatly documented for them) to gain an edge in litigation. It may be that in some large, claim-intensive FCA cases, pointing to a company’s own audits may be the only way that relators and DOJ can hope to develop sufficient evidence to prove all of the legal elements at issue.

The Risk of Chilling Good Faith Efforts at Compliance in the Healthcare Industry

No one is quarreling with the government’s goal of reducing waste, fraud and abuse through FCA actions, but the use of self-audits as evidence of “knowledge” of false claims raises the question of whether short-term enforcement goals are displacing a focus on what might best promote lawful business practices among healthcare entities.

For one thing, the invocation of self-audits as evidence of wrongful conduct ignores many realities of today’s business environment. Like any other part of a company’s operations, compliance programs require research, development, trial and error, revision, further refinement and so on. They involve, at their best, an iterative process. A good faith program implemented in an especially complex regulatory environment might be “ineffective” (to borrow the government’s terminology) until it is appropriately refined, while an “effective” program applauded by government authorities might become obsolete in light of new legislation or new business practices. Companies must be allowed a reasonable degree of freedom to experiment – and even to fail – in confronting these challenges. They must be encouraged to set ambitious compliance goals that, at first, they may not meet. But they may hesitate to engage in self-audits, and to innovate in the field of compliance more generally, if they fear every misstep will boomerang back in the form of evidence to support a new FCA claim.

OmniCare, Lakeshore and Vitas are also troubling to the healthcare industry insofar as they may reflect a tendency by third parties to prematurely draw negative conclusions about self-audits. For example, the cases thus far arguably suggest that relators and the government believe that high error rates or other unfavorable audit results, such as those dealing with documentation shortcomings, can be extrapolated to other parts of a company’s operations. Many companies specifically target their compliance efforts, including their self-audits, at the parts of their business that they deem most likely to require investigation and remediation. In a world of finite resources, the government should encourage companies to take precisely this approach. Instead, however, the recent case law and the actions of DOJ may have the unintended consequence of deterring healthcare companies from targeting the parts of their operations that present the greatest risk for fear that audit findings will be treated as representative of the compliance weaknesses of the entire business. We encourage health lawyers to follow case law in this area closely, including the final rulings in these cases and future complaints asserting similar grounds for FCA liability.

* * *

This article was originally published in the December 2014 issue of American Health Lawyers Association’s Connections magazine. © 2015 American Health Lawyers Association. Reprinted with permission.