Cybersecurity and HIPAA

Aetna ACE, a health insurer, reported a cyber-incident that involved the protected health information of 326,278 plan members. The cyber-incident affected one of Aetna’s business associates, OneTouchPoint, Inc. (“OTP”), which provides printing and mailing services to various health insurance carriers and medical providers. OTP posted a breach notice on its website on behalf of over three dozen healthcare companies, including health plans, related to the incident. According to OTP, on April 28, 2022, OTP discovered encrypted files on some of its computers. Based on its internal investigation, there was an unauthorized access to some OTP servers beginning April 27, 2022. OTP could not determine the specific files that were accessed or viewed within OTP’s network. However, OTP noted that information potentially involved includes protected health information, such as information that may have been provided during a health assessment. 

The cyber-incident affecting OTP is not the first time an Aetna business associate or vendor has suffered a cyber-incident that directly affected Aetna’s plan members. In June 2020, EyeMed, a business associate of Aetna, suffered a cyber-incident (phishing attack) that exposed the PHI of over 484,000 Aetna plan members. According to some reports, the hack occurred after an employee responded to a phishing email. EyeMed’s breach notification stated that the hacker’s access was blocked on the same day it was discovered. However, it was later reported that the hacker’s access was not blocked until about a week later. 

Overall, the PHI of over 810,000 Aetna plan members has been exposed due to breaches of Aetna’s business associates and vendors. Aetna likely will undergo some of the same breach-response activities as its business associates, which may require it to expend resources. Besides potential erosion of plan members’ trust, Aetna may also face litigation and/or government investigations because of its business associate’s cyber-incident.  

Covered entities should not ignore the cybersecurity efforts of their business associates and vendors. Organizations must take cybersecurity seriously and should verify the security of their business associates and vendors, including audits, receipt of assurances, and contemplation of how to handle damages a covered entity suffers because of the actions (or inaction) of a business associate or vendor. Cyber-incidents are not going away, and business associates remain susceptible to cyber incidents similar to healthcare providers and plans. According to Fortified Health Security’s 2022 mid-year Horizon Report, while healthcare providers account for 72% of the breaches, business associates and health plans made up 16% and 12% of the breaches, respectively. Moreover, breaches affecting business associates increased in 2021. 

Another Business Associate Breach Impacts over 940K Patients

Around the same time that Aetna reported the data breach suffered by its BA, another company that serves as a BA for several health companies provided notice that it too was a victim of a cyber-incident. Practice Resources, LLC (“PRL”) notified the California Attorney General’s Office that it suffered a cyber-incident, specifically a ransomware attack. PRL provides professional services, such as billing services, remote scribing services, payroll services, provider services, practice consulting, and other services. 

PRL’s HHS notice was on behalf of twenty-eight covered entities and affected 942,138 patients. PRL did not list Aetna as an impacted covered entity and there is no indication that the cyber-incident affecting Aetna’s business associate is related to PRL cyber-incident. PRL indicated that the breach occurred on a network server and resulted in an unauthorized party gaining access to patient names, home addresses, dates of treatment, health plan numbers, and medical record numbers. The affected covered entities include hospitals and private practices. The Salvation Army is also listed as an affected party. There is no information on whether PRL paid a ransom. There is also no information concerning the identities of the cyber attackers. 

337 Healthcare Data Breaches Affecting at least 500 Records in the First Half of 2022

Continuing on the topic of cybersecurity in the healthcare space,  Fortified Health Security, a cybersecurity company dedicated to helping medical providers, payers, and business associates with cybersecurity, recently released its 2022 mid-year Horizon Report. Fortified has been publishing its Horizon Reports since 2017 to help stakeholders navigate the complex landscape of cybersecurity.  

Fortified’s newest Horizon Report offers surprising and not-so-surprising data points related to cybersecurity. First, there was a slight reduction in the number of breaches affecting 500 or more records in the first half of 2022 (357 breaches) compared to the number of breaches (368) in 2021. However, healthcare providers should not take a victory lap. The number of breaches affecting 500 or more records in 2022 is over 300% higher than in 2012, which saw just 111 breaches. And the number of breaches in the first half of 2022 is the second highest number of breaches since 2010. Also, healthcare providers account for 72% of the breaches, followed by business associates and health plans which made up 16% and 12% of the breaches, respectively. Breaches affecting business associates increased in 2021. Overall, over 19.9 million records have been affected so far in 2022. Despite these striking numbers, according to a survey by Fortified, 54% of Chief Information Security Officers believe that the C-suite is not investing enough in cybersecurity. With 80% of the breaches arising from Hacking/IT incidents (a 7% increase from 2021), Fortified warned that “[t]he continued prevalence of healthcare cyberattacks should serve as a wakeup call for all healthcare leaders to assess their current security postures and take action to decrease risk and increase visibility and capability.”

Fortified also provided valuable tips for any person or entity concerned about cybersecurity. According to Fortified, leaders should consider: (1) the resilience of their organization’s cybersecurity to defend against attacks; (2) any changes in their work environment and whether their cybersecurity program adapted to those changes; (3) how staffing affects an organization’s ability to monitor, detect, and protect critical assets; and (4) where the cybersecurity program ranks amount C-suite priorities. In addition to these considerations, Fortified also provided general tactics that organizations can utilize in strengthening their cybersecurity program.

Organizations must take cybersecurity seriously, as the ramifications of an incident can be detrimental and have a widespread impact on an organization’s resources, operations, and consumer trust. As Fortified noted, “[a]dopting a proactive security approach with a comprehensive monitoring and detection capability will serve as the first line of defense…”

OCR’s Right of Access Initiative: OCR Announces Eleven Settlements

Chilivis Grubman attorneys have written extensively about the HIPAA Right of Access Initiative by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), which was first announced in 2019. Under the initiative, OCR has communicated its intent and commitment to vigorously enforce the HIPAA rules that allow patients to access their protected health information, as delineated in 45 C.F.R. § 165.524. HIPAA rules allow patients (or designated representatives) to request copies of their health information. Once a covered entity receives a request, it has 30 days (absent an extension) to respond to provide the records to the requester.    

Since 2019, there have been dozens of settlements. Chilivis Grubman has cautioned that OCR’s Right of Access Initiative was not limited to large medical practices. OCR’s enforcement efforts and related monetary settlements have been broad and wide-reaching, affecting covered entities of all sizes, and have not been limited to medical practices. In April 2022, OCR announced one of its first settlements involving a dental practice. OCR has constantly cautioned providers that it will continue to aggressively investigate complaints related to patients accessing their records. 

On July 15, 2022, OCR announced eleven enforcement actions as part of its Right of Access Initiative. The eleven settlements involve small medical practices, large healthcare institutions, dental practices, and a not-for-profit health system. The violations include (1) failure to timely provide a patient with a copy of their medical records; (2) failure to provide a complete copy of requested medical records; and (3) failure to provide a patient’s personal representative with timely access to medical records. The eleven enforcement actions resulted in over $645,000 in settlements. While the eleven settlements involve failure to provide a patient or personal representative with timely access to records, covered entities can also run afoul of HIPAA requirements by instituting an overly burdensome process for patient records to be disclosed. The manner to request records, the charges associated with records requests, and delivery/pickup requirements of records are all areas where covered entities can inadvertently create an overly burdensome process.  

With OCR’s most recent announcement, the total enforcement actions stemming from OCR’s Right of Access Initiative is now thirty-eight, and there are no signs that OCR will reduce the priority of its Right of Access Initiative. OCR Director Lisa J. Pino warned: “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.” OCR’s Right of Access Initiative will continue and covered entities should familiarize themselves with patients’ rights under HIPAA to access protected health information by reviewing the related statutes (45 C.F.R. § 165.524) and HHS guidance.

Eighth Circuit Issues Significant Decision in False Claims Act Case Predicated Upon Alleged Kickbacks

Over the last decade, violations of the Anti-Kickback Statute (AKS) have served as the predicate to some of the largest settlements and judgments under the False Claims Act (FCA). This is because, since a 2010 amendment to the AKS, the AKS itself has provided that a claim that includes items or services “resulting from a violation” of the AKS are considered false or fraudulent for purposes of the FCA. This has led to what many practitioners refer to as the “tainted claim” theory of liability: if an FCA plaintiff can show that a claim was tainted by a violation of the AKS, then that claim is typically considered a false or fraudulent claim for purposes of the FCA without much (if any) further analysis. For example, in United States ex rel. Greenfield v. Medco Health Solutions, the Third Circuit held that:

For a False Claims Act violation, [the plaintiff] must prove that at least one of [the defendant’s] claims sought reimbursement for medical care that was provided in violation of the Anti-Kickback Statute (as a kickback renders a subsequent claim ineligible for payment).

Last month, however, the Eighth Circuit issued a decision that calls this lucrative legal theory into serious question. In United States ex rel. Cairns v. D.S. Medical, the plaintiffwhistleblowers filed an FCA qui tam lawsuit against a neurosurgeon and his medical practice, as well as a spinal implant distributor and its owner, who was also the neurosurgeon’s fiancé. After filing a notice of intervention, the government filed its own complaint in which it alleged that the defendants violated the FCA when they submitted claims to federal health care programs that were tainted by violations of the AKS. Specifically, the complaint alleged that the defendant neurosurgeon ordered all of his implants from D.S. Medical, a distributor wholly owned by the neurosurgeon’s fiancé and that, in return, the neurosurgeon received an offer from the manufacturer from which his distributor-fiancé ordered the product.

At trial, the judge instructed the jury that “the government could establish falsity or fraud once it proved, by a preponderance of the evidence, ‘that the Medicare or Medicaid claim failed to disclose the Anti-Kickback Statute violation.” The jury returned a verdict for the government and the district court entered a judgment for just under $5.5 million.

On appeal, the Eighth Circuit reversed the jury’s verdict and remanded after finding that the district court erred in giving the above-referenced jury instruction. Specifically, the Eighth Circuit focused on the express language of the AKS, which states: “a claim that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of the [FCA].” The Eighth Circuit held that because the phrase “resulting from” was not defined by the AKS itself, it was required to apply the phrase’s “plain meaning” at the time it was enacted in 2010.

The court first cited the Supreme Court’s decision in Burrage v. United States, which interpreted a similar phrase (“results from”) as it related to a violation of the Controlled Substances Act. The Eighth Circuit cited the holding from Burrage, wherein the Supreme Court held that the phrase “results from” “imposes a requirement of actual causality”; in other words, but for causation. The Eighth Circuit went on to examine two separate dictionary definitions which, according to the court, supported the same conclusion. For example, the American Heritage Dictionary of the English Language defines the word “resulting” as “to happen as a consequence” or “something that follows naturally from a particular action, operation, or course; a consequence or outcome.”

The government in D.S. Medical urged the Eighth Circuit to adopt an “alternative causal standard” and hold that all that an FCA plaintiff is required to prove is that the illegal kickbacks “tainted” the claim at issue or that the AKS violation “itself may have been a contributing factor.” The Eighth Circuit rejected the government’s theory and found that the district court’s jury instruction was erroneous. Specifically, the Eighth Circuit held that “just because a claim fails to disclose an [AKS] violation does not mean that there is a connection between the violation and the included ‘items or services.’ Causation is an ‘essential element’ that must be proven, not presumed.”

Noting that the phrase “resulting from” is “unambiguously causal,” the Eighth Circuit held (in what it referred to as a “narrow” ruling) that “when a plaintiff seeks to establish falsity or fraud through he 2010 amendment, it must prove that a defendant would not have included particular ‘items or services’ but for the illegal kickback.” The Eighth Circuit recognized that the Third Circuit in Medco Health reached a different conclusion, but concluded that the Third Circuit incorrectly relied upon legislative history and the “drafters’ intentions” to interpret the AKS because the statute itself was unambiguous.

The decision in D.S. Medical will certainly make it difficult (if not, in many cases, impossible) for a plaintiff within the Eighth Circuit to prove an FCA case based upon an alleged violation of the AKS. After D.S. Medical, in order to defeat summary judgment, an FCA plaintiff would have to point to evidence that the defendant would not have submitted claims for the items or services at issue but for the alleged kickback arrangement. This would likely require some sort of “smoking gun” evidence (e.g., an email or text message or sworn testimony) that, quite simply, is not present in every FCA case.

The effect of the D.S. Medical decision outside of the Eighth Circuit, however, is far from certain. As noted above, the Third Circuit’s decision in Medco Health Solutions specifically rejected application of the but for causation standard. Ultimately it may be left for the Supreme Court to eventually resolve this budding circuit split. In the meantime, however, it is likely that FCA defendants throughout the country will cite the Eighth Circuit’s D.S. Medical decision in summary judgment motions and proposed jury instructions.

Private Helicopter Training Company and Community College Will Pay $7.5 Million to Resolve FCA Allegations

In another FCA matter, the DOJ announced that Universal Helicopters Inc. (UHI) and Dodge City Community College (DC3) have agreed to pay $7.5 million to resolve allegations of violating the False Claims Act. It was alleged that UHI and DC3 falsely certified compliance with a requirement implemented to avert abuse of funds from the U.S. Department of Veteran Affairs (VA)— the “85/15 Rule”.

UHI is a private helicopter flight instructor training company that offered a program in conjunction with the DC3 campuses located in Dodge City, Kansas, and Chandler, Arizona. Through the Post-9/11 GI Bill program, the VA provides tuition and fee payments to qualifying schools. Institutions must certify that no more than 85 percent of students, in any particular course, are receiving VA benefits to receive veterans’ education benefits. The 85/15 rule was designed to ensure institutions are offering fair market value tuition rates and not unfairly inflating prices because of guaranteed VA payments. 

According to the government, from 2013 to 2018, almost all students enrolled in the UHI/DC3 flight instructor program received VA benefits. It was specifically alleged that DC3 counted part-time students, only enrolled in one online class, to satisfy the 85/15 rule when true compliance only compares VA supported students to full-time non-VA supported students. UHI agreed to pay $7 million and DC3 agreed to pay $500,000 to resolve the government’s allegations. William Rowe, a veteran and former student of the UHI/DC3 flight instructor program, will receive $1.125 million of the foregoing settlement. Rowe initiated this action under the qui tam provisions of the FCA, which allow private whistleblowers to recover anywhere between 15 and 30 precent of the government's total recovery for reporting violations of the FCA. Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, commented “[t]he department will continue to help safeguard the integrity of VA programs intended for the advancement and benefit of veterans.”

Biotech Company Agrees to Settle FCA Case for $900 Million

Biogen IDEC, Inc., a Cambridge, Massachusetts-based pharmaceutical company, agreed to pay $900 million to resolve alleged violations of the federal Anti-Kickback Statute and False Claims Act. The agreement was made days before the trial – which was expected to begin on July 26, 2022. The U.S. Department of Justice must approve the settlement.

The lawsuit alleged that Biogen provided illegal kickbacks to healthcare providers to incentivize providers to prescribe its multiple sclerosis drugs. The whistleblower, a former Biogen employee, alleged that the kickbacks took various forms. For example, Biogen allegedly hired the highest prescribers as consultants to consult on topics or projects for which it did not need consultation or for consultant advice never utilized. Kickbacks also allegedly came in the form of hiring high-prescribers of Biogen’s medications as speakers for its speaking program, which was described as having little-to-no educational value. The whistleblower also noted that Biogen’s compliance department routinely expressed concerns that were ignored. Overall, Biogen allegedly submitted hundreds of millions of dollars in false claims to state and federal healthcare programs. In its attempt to dismiss the lawsuit, Biogen argued (in part) that payments made were consistent with fair market value and were within applicable safe harbor provisions.  

The lawsuit was originally filed in 2012 in the US District Court for the District of Massachusetts under the qui tam provisions of the FCA. 

The case is captioned: United States ex rel Bawduniak v. Biogen Idec Inc, U.S. District Court, District of Massachusetts, No. 12-cv-10601.

Alleged Kickbacks Lead Biotronik Inc. to a $12.95 Million Settlement

On July 22, 2022, around the same time that Biogen entered into its settlement, the DOJ issued a press release announcing that another healthcare entity, Biotronik Inc., agreed to pay $12.95 million to resolve allegations it violated the False Claims Act and the Anti-Kickback Statute.

According to the press release, the government alleged that Biotronik (a medical device manufacturer based in Oregon) paid favored physicians “to induce and reward their use of Biotronik’s pacemakers, defibrillators and other cardiac devices.” The government alleged that Biotronik paid providers for an excessive number of trainings and for trainings that either never occurred or were of little educational value as part of its new employee training. Interestingly, according to the government, Biotronik’s compliance department raised concerns that salespeople had too much influence in selecting providers for the new employee training program and that payments for these programs were over-utilized. Regarding the alleged AKS violations, Biotronik allegedly provided physicians holiday parties, winery tours, lavish meals, and international business class airfares.

Again, this case was brought under the qui tam provisions of the FCA. The whistleblowers in this case were previously employed by Biotronik as independent sales representatives and will collectively receive approximately $2.1 million from the settlement. Since some of the underlying claims involved Medicaid, several states will receive $933,200 of the settlement, according to the press release.

Federal Government Contractor Pays $9 Million to Resolve Allegations of Cybersecurity-Related FCA Violations

In another FCA settlement, Aerojet Rocketdyne, Inc. (“Aerojet”), an aerospace and defense company headquartered in California, agreed to pay $9 million to resolve allegations that it misrepresented its compliance with cybersecurity requirements in violation of the FCA. This matter was initiated by Brian Markus, Aerojet’s former Senior Director of Cyber Security, Compliance, and Controls, under the qui tam whistleblower provisions of the FCA.

Aerojet manufactures products used in the aerospace and defense industry, and their primary customers include the Department of Defense (“DoD”) and the National Aeronautics & Space Administration (“NASA”). Both the DoD and NASA impose specific regulations, along with Federal Acquisition Regulations, with which their contractors must comply. Contractors awarded contracts from the DoD must comply with 48 C.F.R. § 252.204-7012 (2013), or pre-approved alternative measures, to ensure their contractors have “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” 48 C.F.R. § 252.204–7012(a). Contractors awarded contracts from NASA must comply with 48 C.F.R. § 1852.204-76. According to the Relator, Aerojet entered into several federal government contracts with knowledge that their systems did not meet minimum-security standards.

Aerojet agreed to enter a $9 million settlement on the second day of trial, and the Relator will receive a settlement share of $2.61 million. This settlement is another signal of the Civil Cyber-Fraud Initiative and its dedication to pursue government contractors who do not follow required cybersecurity standards. The Civil Cyber-Fraud Initiative was announced in October 2021 and pledged to use the FCA to pursue cybersecurity related fraud. Deputy Attorney General Monaco specifically commented that they we will use “[…] civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

U.S. Supreme Court Intervenes in Case Finding Georgia’s Method of Electing Public Service Commissioners to Be Discriminatory

On August 19, 2022, the U.S. Supreme Court vacated a decision by the Eleventh Circuit Court of Appeals, which had halted a lower court’s order finding that the way in which Georgia elects its Public Service Commissioners was discriminatory. Specifically, the District Court for the Northern District of Georgia found that electing commissioners for Public Service Commission (PSC) districts at large, i.e., on a statewide basis, disadvantaged Black voters by diluting their voting power and, further, ruled that the State of Georgia must postpone its upcoming elections for commissioners to the two PSC districts that would have otherwise been on the ballot this November (Districts 2 and 3) until a new system for electing PSC commissioners could be established.  

After the Supreme Court issued its decision, the State of Georgia withdrew its emergency motion seeking a stay that would prevent the District Court’s ruling from taking effect, capitulating that the ballots must be printed now to be ready by the November election and that there would not be time to add the elections for the PSC commissioners back onto the ballot even if the courts ultimately determined that those elections should proceed. 

The Supreme Court has weighed in on a number of similar lawsuits challenging the fairness of maps after redistricting occurred in various states and generally has been unwilling to intervene in a manner that would disrupt preparations for an upcoming election. In this case, however, by vacating the Eleventh Circuit’s stay of the District Court’s order, the Supreme Court did the opposite here, essentially requiring that the PSC elections set for this year be postponed. 

In light of the Supreme Court’s decision, the Eleventh Circuit will still determine whether to affirm or reverse the District Court’s ruling which found the voting process for electing PSC commissioners to be discriminatory, but regardless the elections for PSC District 2 and District 3 commissioners will not occur this November.

Court Rules That One-Year Residency Requirement Does Not Apply to Georgia Candidate Who Was Drawn Out of Her District

Previously we wrote about a candidate for the Georgia Public Service Commission (PSC), Patty Durand, who faced possible removal from the ballot because her PSC district (District 2) was redrawn to exclude the county in which she resided less than one year before the general election in November. Georgia law requires that candidates to be commissioner of a PSC district must reside in that district for at least one year prior to the election.

Georgia’s Secretary of State Brad Raffensperger issued a decision disqualifying Durand for failure to meet that residency requirement. However, Durand appealed the Secretary’s decision, and Fulton County Superior Court Judge Melynee Leftridge stayed Durand’s disqualification pending adjudication of the appeal. On August 18, 2022, Judge Leftridge issued her Final Order.

Judge Leftridge held that the one-year residency requirement for PSC candidates was unconstitutional as applied to Durand because it violated her First Amendment right to free association and her Fourteenth Amendment right to equal protection. Judge Leftridge noted that text messages between Durand’s opponent, the incumbent PSC Commissioner for District 2, and another PSC commissioner “strongly” suggested that the “district lines were motivated, at least in part, by a desire to draw Ms. Durand’s address out of District 2.”

Separate litigation unrelated to Durand’s candidacy has now postponed the election for District 2 PSC commissioner, which will no longer occur this November. In that litigation, a federal court found the manner in which Georgia elects its PSC commissioners to be discriminatory and ruled that no PSC elections may occur until a new system for electing PSC commissioners could be established.

Amarin Pharma Survives Summary Judgment on Its Claims of Breach of Restrictive Covenants by Former Executive

Restrictive covenants have received relatively intense scrutiny by courts in recent years, as lawmakers seek to balance employers’ and employees’ respective rights—restrictive covenants acknowledge that employers invest time and monetary resources in their employees’ careers and seek to retain talent, while at the same time, employees generally have the right to change employment and move freely. For the most part, restrictive covenants remain legal so long as they are reasonable. For example, Georgia’s Restrictive Covenant Act, O.C.G.A. § 13-8-50 et seq., provides that restrictions are permissible but must be “reasonable in time, geographic area, and scope of prohibited activities.” O.C.G.A. § 13-8-53(a). 

On Monday, August 22, 2022, a New Jersey state judge denied a “premature” summary judgment motion brought by Dr. Craig Granowitz, the former Chief Medical Officer of Amarin Pharma, Inc. Dr. Granowitz quit his job at Amarin and took the same job at Lexicon Pharmaceuticals Inc., within the one-year time period of the restrictive covenants contained in his employment agreement with Amarin. Amarin also alleges that he solicited Amarin employees to work for Lexicon within the one-year period. 

Pursuant to Amarin and Dr. Granowitz’s employment agreement, he was entitled to about $545,000 in severance payments, but Amarin stopped paying after $204,000 in payments were made once it found out about Dr. Granowitz’s potential breach of his restrictive covenants. Dr. Granowitz filed suit, seeking in part a declaratory judgment that he was entitled to the remaining severance payments. Amarin filed an answer and counterclaims, alleging breach of the restrictive covenants and restitution of the monies already paid. Dr. Granowitz claimed that the two companies are not competitors, so he was not in breach. 

The court, in denying Dr. Granowitz’s motion, held that the parties had not yet conducted discovery and important questions of fact remained. Amarin is now entitled to obtain documents and depose the plaintiff and others to establish whether there has been a breach of the restrictive covenants by Dr. Granowitz. 

This case continues to demonstrate that restrictive covenants are generally enforceable. Of course, they must be properly drafted to be reasonable and withstand judicial scrutiny. Employees should be mindful of the laws of the state that govern their employment agreements before entering into an agreement or changing employment. Employees should also read the terms of any restrictive covenants carefully and consult a lawyer to ensure compliance.

Tennessee State Representative and Former Chief of Staff Charged with Bribery and Conspiracy

On August 23, the Department of Justice announced a Tennessee state representative and his former chief of staff were arrested at their homes on criminal charges of conspiracy to commit theft from programs receiving federal funds; bribery and kickbacks concerning programs receiving federal funds; honest services wire fraud; and conspiracy to commit money laundering. 

According to court documents, State Representative Glen Casada, 63, of Franklin, and Cade Cothren, 35, of Nashville, and “another conspirator” used Casada’s and the other conspirator’s official positions as legislators to obtain state approval of Phoenix Solutions, a company approved as vendor to provide constituent mail services to members of the Tennessee General Assembly. Casada and the other conspirator are alleged to have enriched themselves by obtaining bribes and kickbacks from Cothren, in exchange for securing the approval of Phoenix Solutions.

The defendants allegedly told members of the state’s General Assembly that the company was run by a man named “Matthew Phoenix” who was described as “an experienced political consultant,” but was merely a fictious person, according to prosecutors. Casada, Cothren, and the other conspirator allegedly concealed their involvement in Phoenix Solutions by submitting sham invoices to the State of Tennessee in the names of political consulting companies owned by Casada and the other conspirator. In 2020, these companies and Phoenix Solutions allegedly received approximately $51,947 from the State in payments associated with the mailer program. 

Casada, previously one of the state General Assembly’s most powerful Republicans, did not seek re-election this year and resigned as House speaker in 2019 amid a text scandal where he allegedly exchanged explicit and racist text messages with Cothren while he was his chief of staff.

This is the first time a current or former Tennessee speaker of the House has been indicted in over 100 years, according to The Tennessean. The 20-count indictment follows an extensive federal corruption investigation. Casada and Cothren appeared in federal court on Tuesday. Casada entered a plea of not guilty “and will present a vigorous defense at trial,” according to his lawyer. If convicted, Casada and Cothren each face up to 20 years in prison for certain individual counts.

Drug Charges Dropped Against Opioid Manufacturer and Pharmacists After Recent SCOTUS Ruling

The U.S. Supreme Court issued an opinion in Ruan v. United States that clarified the mens rea requirement for those who manufacture, distribute, or dispense drugs and are subsequently prosecuted under the Controlled Substances Act, specifically 21 U.S.C. § 841. The Supreme Court held that the Department of Justice “must prove beyond a reasonable doubt that the defendant knew that he or she was acting in an unauthorized manner, or intended to do so” in order to sustain a conviction under § 841. Essentially, the Supreme Court clarified that a “bad faith” finding on the part of a physician was not enough—physician liability under the CSA requires knowledge. 

At the time, the legal community speculated on what effect this ruling would have on pending and future prosecutions under the CSA. Now, it seems to have affected at least one pending case. The U.S. Department of Justice has dropped charges against a defunct drug distributor, Miami-Luken, two of its executives, and two pharmacists who were charged with conspiracy to distribute a controlled substance. Miami-Luken was alleged to have sent millions of pills of both oxycodone and hydrocodone to locations in small towns in Appalachia, which were ultimately distributed by pharmacies run by two of the individual defendants, Devonna Miller-West and Samuel Ballengee. 

While the DOJ did not expressly state that the reason it was dismissing the charges was due to the heightened mens rea requirement articulated by the Supreme Court in Ruan, it was discussed during a July 19 status conference in the Miami-Luken case. On August 11, 2022, U.S. District Judge Matthew W. McFarland of the Southern District of Ohio granted the government’s unopposed motion to dismiss the charges.

Pain Management Physician Convicted of Unlawfully Distributing Opioids

In another opioid-related enforcement action, the DOJ announced that an Ohio physician was convicted by a federal jury of unlawfully distributing opioids and other controlled substances.

Per court documents and evidence presented at trial, Thomas Romano, 72, owned and operated a self-named pain management clinic. His clients reportedly traveled hundreds of miles to obtain prescriptions for controlled substances. Romano, who charged $750 for an initial prescription and $120 for subsequent monthly prescriptions, only accepted cash. This was likely a glaring red flag for investigators. According to the government, the prescriptions Romano issued for controlled substances “greatly exceeded recommended dosages and were in dangerous, life-threatening combinations which served to fuel the addiction of his clients.” Romano prescribed over 111,000 pills, including opioids, benzodiazepines, and muscle relaxants to nine of his clients. 

Romano was convicted of 24 counts of “unlawful distribution of a controlled substance, outside the usual course of professional practice, and not for a legitimate medical purpose.” He faces a maximum of 480 years in prison; 20 years for each charge..

Pharmacists Enter a Consent Decree to Resolve Unlawful Opioid Distribution Allegations

In yet another opioid matter, the DOJ announced that father and son pharmacists, Isaac F. Brady III and Isaac F. Brady IV, entered a consent decree to resolve allegations of unlawful opioid distributions. The consent decree restrains and enjoins the pharmacy, Asheboro Drug Company, and its employees from dispensing any controlled substances, unless they do so in strict compliance with 21 U.S.C. § 842, C.F.R. §§ 1306.04, 1306.06, or any of North Carolina’s controlled substance regulations. The Defendants were also ordered to pay $300,000 in civil penalties.

According to the Complaint, these Asheboro pharmacists ignored blatant red flags of drug abuse and filled opioid prescriptions in violation of the Controlled Substances Act. Specifically, it was alleged that the pharmacists filled high opioid prescriptions on a long-term basis, dispensed the same prescriptions to multiple members of the same family, and recklessly filled prescriptions of dangerous combinations often sought by drug users. The pharmacists also allegedly overlooked signs of patients shopping around for doctors willing to prescribe controlled substances and disregarded repeat prescriptions from the same doctors. 

The Asheboro pharmacy is now required to review the North Carolina prescription data monitoring program, and other available information, prior to distributing controlled substances. The pharmacy and its pharmacists are also prohibited from filling certain prescriptions— like combinations of an opioid, a benzodiazepine, and a carisoprodol. Special Agent in Charge Robert J. Murphy of the DEA Atlanta Field Division commented that, “Pharmacists are not simply pill-counters. The penalty and injunction in this case serves notice that DEA will not turn a blind eye when pharmacists shirk their duty by ignoring red flags of abuse and diversion.”

$600,000 in Civil Penalties and Permanent Closure of Pain Clinic for Violations of CSA

The DOJ also announced that Paragon Community Healthcare, a Tampa-area pain management clinic, would close its door as part of an agreement to  resolve allegations of violating the Controlled Substances Act (“CSA”). The clinic owners, Theodore Ferguson II and Timothy Ferguson (the “Fergusons”) along with the prescribing doctor, Dr. Tobias Bacaner, were ordered to collectively pay $600,0000 in civil penalties for their alleged violations.

According to the Complaint filed in February 2021, Dr. Bacaner prescribed illegitimate opioids while working as the prescribing physician at Paragon. Dr. Bacaner prescribed opioids, in the highest formulas, to almost every patient who received a controlled substance without any medical justification. He predominately prescribed 30 milligrams of oxycodone, and he regularly prescribed dangerous combinations of controlled substances. Dr. Bacaner allegedly ignored obvious red flags, like cash payments and immediate release opioids, to profit from the opioid epidemic. In turn, Dr. Bacaner’s patients went to Cobalt Pharmacy Inc., a pharmacy also owned by the Fergusons, to have their prescriptions filled without question. It is alleged that Cobalt Pharmacy filled 78 controlled substance prescriptions for one patient within two years.

The United States further alleged that Dr. Bacaner’s unlawful prescriptions led to the death and/or permanent injuries of multiple individuals. Dr. Bacaner is now prohibited from prescribing, administering, dispensing, or distributing controlled substances. He was also ordered to pay $500,000 in civil penalties. The Fergusons were ordered to pay $100,000 in civil penalties, to permanently close Paragon, and restricted from working for or owning entities that distribute controlled substances. They also previously agreed to permanently dissolve Cobalt Pharmacy. 

U.S. Attorney Roger B. Handberg for the Middle District of Florida noted that “Dr. Bacaner and his associates profited from unlawfully prescribing opioids without a legitimate medical purpose […]” and “[w]e will continue to protect the community from those who place a higher value on profit than the safety of the public.”

COVID-19 Relief Fraud Enforcement Continues

The Paycheck Protection Program (PPP) was part of the CARES Act in response to the COVID-19 pandemic. Under the PPP, the federal government made billions of dollars in forgivable loans to businesses that met certain criteria. COVID relief fund fraud has been a focus of the Department of Justice since the various programs’ inception.  

In May 2021, the Department established the COVID-19 Fraud Enforcement Task Force to investigate claims of fraud against these programs. While the government has eased health-related precautionary policies related to COVID-19, such as the wearing of masks, the government’s focus on enforcement of COVID-19 fraud continues. Such continued enforcement should not be surprising. In 2022, Kevin Chambers, Chief Prosecutor for the COVID-19 Fraud Enforcement Task Force, vowed to aggressively pursue and prosecute those who illegally obtained funds from PPP loans and other pandemic relief benefits. The U.S. Department of Justice’s recent press release further evidences its continued enforcement efforts.

On August 9, 2022, the DOJ announced that three individuals were charged for their roles in an alleged scheme to fraudulently obtain and misuse PPP loans. The individuals are accused of falsifying information and submitting fraudulent documents to obtain PPP loans for several fictitious companies in 2021. Over $2.4 million in COVID-19 relief funds was obtained in the scheme. 

Two of the defendants (Khadijah Chapman and Eric O’Neil) are charged with one count of bank fraud. And defendant Daniel Labrum was charged with five counts of bank fraud and one count of engaging in a monetary transaction with the proceeds from a criminal act. Each bank fraud count carries up to 30 years in prison. The charge of engaging in monetary transactions with criminally deprived proceeds carries up to 10 years in prison. The DOJ also reiterated that the indictments are only allegations, and the defendants are presumed innocent. If convicted, the defendant(s) will be sentenced after the Judge considers, amongst other factors, the U.S. Sentencing Guidelines.

President Biden Signs Bills Extending the Statute of Limitations for PPP and EIDL Fraud to Ten Years

On August 5, President Biden signed two bills into law that extend to ten years the statute of limitations for civil and criminal enforcement actions for fraud on the PPP and Economic Injury Disaster Loans (EIDL).

Since September 2021, in addition to the matter discussed above, the DOJ has made several announcements regarding prosecuting defendants for defrauding COVID-19 relief programs. In previous articles, CG attorneys have discussed the prosecution of such cases. For example, in December of 2021, CG attorneys discussed a former NFL player who was sentenced to federal prison for his involvement in a scheme to defraud the PPP by using false information and falsified documents to obtain a loan of $1,246,565 for his company.

Most federal criminal statutes carry a five-year statute of limitations. The civil FCA typically has a six year statute of limitations. However, President Biden has now signed two bills that will expand the window of time for federal prosecutors to charge fraud in connection with the distribution of relief funds during the COVID-19 pandemic. The PPP bill (HR 7352) includes all PPP-related fraud, while the EIDL bill (HR 7334) includes both the initial EIDL advances as well as the targeted advances. This legislation comes in response to the estimated $80 billion spent on fraudulent PPP and EIDL loans and the scrutiny that SBA has received from Congress.

“My message to those cheats out there is this: You can’t hide. We’re going to find you. We’re going to make you pay back what you stole and hold you accountable under the law,” exclaimed President Biden at a press conference.

Because PPP fraud can now be investigated and prosecuted into 2031, and COVID-19 EIDL fraud can be investigated and prosecuted into 2032, it is imperative that companies and individuals who received government-sponsored pandemic relief, maintain detailed, organized, and accurate records related to such loans. Moreover, if such loan recipients have not conducted due diligence to ensure compliance in receiving and using those funds, now is the time to do so.

North Carolina Woman Faces up to 120 Years in Prison for Role in $34 Million Health Care Fraud Scheme

The DOJ announced the conviction of, Jaroslava Ruiz, for her role in a scheme that defrauded private health insurers of approximately $34.6 million. Ruiz, of Chapel Hill, was convicted of one count of conspiracy to commit health care fraud and wire fraud and 10 counts of health care fraud.

According to the evidence presented at trial, Ruiz and her co-conspirators submitted over $34 million in false and fraudulent physical therapy services claims. Specifically, they provided kickbacks to patient recruiters, and patients, in exchange for allowing four Miami physical therapy clinics to submit bills for fraudulent medical services. Ruiz and her co-conspirators falsified medical records in furtherance of their scheme to make their services appear medically necessary and prescribed by a doctor. However, according to trial evidence, nearly all services billed for were not provided. Ruiz and her co-conspirators were paid approximately $7.7 million for the false and fraudulent claims they submitted to private insurers. 

Ruiz is scheduled to be sentenced on October 26, 2022. She faces up to 120 years in federal prison— up to 20 years on the conspiracy count and up to 10 years on each health care fraud count. The FBI is still investigating this matter.

"It is not wisdom but Authority that makes a law."

Thomas Hobbes



HHS Issues a Special Fraud Alert to the Telehealth Industry

The U.S. Department of Health and Human Services issued a special fraud alert on July 20, 2022, relating to potential fraud concerns in the telehealth industry. Special fraud alerts are rare—this newest alert is only the fourth issued in the last decade. A special fraud alert notifies industry players that there are potentially fraudulent and abusive health care practices that the government has identified and intends to investigate and prosecute. The purpose of the alert is to notify the relevant players of the issue and encourage providers to review their own practices and take immediate actions to improve compliance if necessary.

The telehealth industry has grown exponentially in recent years, especially due to the COVID-19 pandemic. The new special fraud alert identified several suspect characteristics that may be indicative of fraud or abuse:

• The purported patients for whom the practitioner orders or prescribes items or services were identified or recruited by the telemedicine company, telemarketing company, sales agent, recruiter, call center, health fair, or through internet, television or social media advertising for free or low out-of-pocket cost items or services.
• The practitioner does not have sufficient contact with or information from the purported patient to meaningfully assess the medical necessity of the items or services ordered or prescribed.
• The telemedicine company compensates the practitioner based on the volume of items or services ordered or prescribed, which may be characterized to the practitioner as compensation based on the number of purported medical records that the practitioner reviewed.
• The telemedicine company only furnishes items and services to federal health care program beneficiaries and does not accept insurance from any other payor.
• The telemedicine company claims to only furnish items and services to individuals who are not federal health care program beneficiaries but may in fact bill federal health care programs.
• The telemedicine company only furnishes one product or a single class of products (e.g., durable medical equipment, genetic testing, diabetic supplies or various prescription creams), potentially restricting a practitioner’s treating options to a predetermined course of treatment.
• The telemedicine company does not expect clinicians to follow up with purported patients nor does it provide clinicians with the information required to follow up with purported patients (e.g., the telemedicine company does not require practitioners to discuss genetic testing results with each purported patient).

According to the government, some telehealth companies appear to believe that they can skirt federal enforcement by operating on a cash-pay basis, as some federal statutes require payment to a federal healthcare program as an element of a claim, such as the False Claims Act or Anti-Kickback Statute. However, other federal laws, such as the Travel Act, potentially apply to commercial payors, and some states have anti-kickback and self-referral laws that apply to cash-pay models as well. This notice will also draw the attention of state attorneys general, insurance commissioners, and other agencies. 

Considering the rarity and seriousness of a special fraud alert, all players in the telehealth industry should undertake to review internal practices and procedures now in order to ensure compliance with all relevant laws.

Government Announces Charges in Billion Dollar Health Care Fraud Scheme (Again)

For several years, the U.S. Department of Justice has announced a large nationwide enforcement action or take down involving alleged health care fraud. These enforcement actions often involve coordination between federal, state, and local government agencies across the nation and result in several arrests. In 2019, Chilivis Grubman attorneys discussed the Appalachia Opioid Takedown that resulted in sixty people in seven states throughout Appalachia being criminally charged for allegations related to the prescription and distribution of opioids and other controlled substances. In 2020, CG attorneys discussed the record-breaking takedown involving 345 defendants and $6 billion in alleged fraud losses. Coordinated enforcement actions continue to crack down on billion-dollar schemes – as evidenced by the DOJ’s most recent announcement. 

On July 20, 2022, the DOJ announced a nationwide enforcement action that resulted in 36 defendants being criminally charged for their involvement in various healthcare-related fraud schemes valued at more than $1.2 billion. The charges arose out of 13 federal districts across the nation and included company owners and executives. The DOJ announcement also noted that government agencies (CMS and Center for Program Integrity) took adverse administrative actions against 52 providers involved in similar schemes.

The alleged schemes involved areas in the healthcare industry that have faced increased scrutiny by the government: telemedicine, genetic testing, and durable medical equipment. Specifically, the government noted that it “primarily targeted alleged schemes involving the payment of illegal kickbacks and bribes by laboratory owners and operators in exchange for the referral of patients by medical professionals working with fraudulent telemedicine and digital medical technology companies.” The government explained that some telemarketing networks controlled by some defendants were (based domestically and abroad) allegedly used deceptive tactics to lure elderly and/or disabled patients into the scheme. The scheme arranged for providers to order expensive tests and DME often based on little-to-no patient interaction, based on the press release.

Takeaways:

1. Coordinated Enforcement Actions. The federal government continues to demonstrate that it is willing and able to coordinate with other federal, state, and local agencies to enforce the nation’s laws. Providers must continue efforts to comply with rules and laws at every level. The enforcement of fraud, waste, and abuse laws is not a siloed event and providers should assume that every agency is communicating with every agency.

2. Corporate Veil. While legal minds understand that a corporate entity cannot shield an owner and execute from criminal charges, many individuals still make this improper assumption. Fortunately, the publication of executives and company owners being criminally charged appears to be increasing. Compliance champions should acknowledge this point and use the increased publicity to obtain buy-in from corporate executives, owners, and providers for compliance purposes.

3. Consequential Administrative Actions. The DOJ highlighted the criminal charges and the dollar value of the schemes. It briefly mentioned that 52 providers faced administrative actions. It should be noted that administrative actions are significant and often include overpayment determinations, suspension, revocation, or exclusion from Medicaid or Medicare. Sometimes, administrative actions can be comparable to “nuclear verdicts” with an extraordinarily difficult administrative appeal process (when available) and consequences providers rarely expect. These consequences may include reporting to several agencies and companies, loss of privileges at medical institutions, exclusion from private payor networks, Board investigations, etc. Adverse administrative actions should be taken seriously.

4. Telemedicine. Since the beginning of the COVID-19 pandemic, telemedicine and telehealth services have skyrocketed. While telehealth and telemedicine provide exciting and convenient opportunities for the provision of medical care, it is fraught with fraud-and-abuse-related peril. Healthcare providers who avail themselves of the opportunities that telehealth and telemedicine provide must remain vigilant with potential fraud and abuse concerns. Healthcare providers should also ensure compliance with Board rules where they are licensed, where they are practicing, and where their patients are located. Providers should ensure compliance with documentation requirements and other compliance-related rules at the local, state, and federal levels. Compliance failures can result in severe administrative consequences in addition to fraud, waste, and abuse enforcement actions.

There is an increasing trend of large-scale takedowns by the DOJ. Many of these schemes are elaborate and ensnare unsuspecting providers and patients. Providers and healthcare companies should take substantive steps in compliance, obtain buy-in from employees and contractors at all levels, and be wary of opportunities that seem too good to be true. The consequences of non-compliance and/or fraud, waste, and abuse culpability can be life-altering. And defending against enforcement actions is complex, multifaceted, and often requires expending significant resources.

Federal Jury Convicts Doctor of Medicare/Medicaid Fraud

A New York federal jury just convicted Harold Bendelstein, 71, of one count of health care fraud and one count of making a false claim. Bendelstein was one of thirteen healthcare professionals indicted in 2018 as part of a National Healthcare Fraud Takedown led by the Medicare Fraud Strike Force.

Bendelstein focused his practice on the area of otolaryngology—the study of diseases of the ear and throat. He practiced out of three offices in the state of New York and many of his patients were residents of assisted living facilities in Brooklyn and Queens. According to evidence presented at trial, Bendelstein billed Medicare and Medicaid approximately $585,000 for surgical procedures he never performed. From January 2014 to February 2018, Bendelstein billed hundreds of patients for an incision procedure of the external ear when, in fact, he only performed ear exams and/or ear wax removal. According to Medicare and Medicaid, Bendelstein was the highest biller in the state of New York for the foregoing procedure. He was paid approximately $191,000 in connection with his scheme.

Bendelstein is scheduled to be sentenced on November 7th, and he faces a maximum of 15 years in federal prison. In June 2022, one doctor and two healthcare professionals also indicted as part of the above-mentioned National Healthcare Fraud Takedown were acquitted of fraudulently billing Medicare for approximately $85 million. In 2019, Hal Abrahamson, another doctor indicted as part of this National Healthcare Fraud Takedown, pleaded guilty to health care fraud, and was sentenced to one year and one day in federal prison.

Ex-Theranos COO Found Guilty of Fraud

On July 7, 2022, a jury convicted ex-Theranos COO, Ramesh “Sunny” Balwani, of two counts of conspiracy and 10 counts of fraud for defrauding investors and paying patients with false claims relating to the blood-testing technology start-up. This conviction follows the trial of Elizabeth Holmes, the former CEO of Theranos.

Interestingly, in Holmes’s trial, she was cleared of charges that she defrauded patients, while a jury found Balwani guilty of the same actions. Holmes testified in her defense and received a partial acquittal, while Balwani did not testify in his defense and was convicted on all counts. The difference in verdicts will likely lead to combative sentencing hearings and appeals. 

Some legal experts believe that federal prosecutors likely benefitted from trying the case against a different Theranos executive a second time, which allowed them to streamline and refine their evidence and argument, resulting in a tighter case against Balwani. Further, Balwani’s age, experience, and personality may have played a role in his conviction, as he had decades of experience working for Silicon Valley Technology tech companies and was 38 years old at the time he met Holmes, who was then an 18-year-old college student and may have received some sympathy from the jury. There was also testimony that he was difficult to work with, creating an unsympathetic defendant. 

His conviction on all counts and refusal to accept responsibility for the fraud may result in a tough prison sentence, and it will likely be longer than Holmes’s sentence. But Balwani’s lawyers are already teeing up for an appeal, including on evidentiary and jury instructions issues. What is clear is that this saga will continue to play out for the foreseeable future.

Former Louisiana Police Chief and City Council member Admit to Buying Votes

Two small town city officials could face prison after pleading guilty to federal charges in a vote buying scheme. The Department of Justice (DOJ) announced, Jerry Trabona, 72, the former Chief of Police in Amite City, LA and Kristian Hart, 49, a current Amite City Councilmember, pleaded guilty to conspiring to pay and offering to pay voters residing in Tangipahoa Parish, Louisiana, for voting in the 2016 open primary election and the 2016 open general election. 

Trabona and Hart admitted to agreeing with each other and others to pay or offer to pay voters during elections in which the defendants were candidates, and in which federal candidates appeared on the same ballot. 

Trabona purportedly gave a $500 check from his campaign to one of the six conspirators, identified in the indictment only as persons A, B, C, D, E, F and G. According to the indictment, Person A met Trabona at his Amite Police Department office to exchange the check. Trabona also had Person B meet him at the police department where, according to court records, Trabona recruited person B to work for his campaign. Evidence showed Trabona wrote a $500 check to a family member of Person B; funds which were allocated to paying voters. When Person B went back to Trabona about working for his campaign, Trabona reportedly told Person B that Hart was now “handling everything” for his campaign. 

The court records show the two accused men allegedly spent at least $2,400 to buy votes in the 2016 election. Hart won reelection to the council in 2016 and again in 2020. Trabona ran for mayor and loss to Walter Daniels, who won outright in the primary election.

In addition to the conspiracy with Trabona, Hart pleaded guilty to three counts of paying and offering to pay voters during both the 2016 and 2020 elections. In both elections, Hart was running for a seat on the Amite City Council, which is the position he currently holds. Both defendants are scheduled to be sentenced on Nov. 1 and face up to five years in prison on each count. 

“The Department of Justice is committed to ensuring that illegal voting, including vote buying, has no place in our nation’s electoral system,” Assistant Attorney General Kenneth A. Polite said Thursday after the plea deal was reached in federal court in New Orleans.