Just as entities governed by the Securities and Exchange Commission's laws are required to have compliance programs and a designated compliance officer or integrity officer, healthcare providers have similar requirements as effectuated under Sections 6401 and 6102 of the Patient Protection and Affordable Care Act. In May 2012, J.P. Morgan's move to disclose the loss of $2 billion before the assets were booked mitigated losses significantly by thwarting a whistleblower suit under the False Claims Act, which carries civil penalties of up to $11,000 per individual violation/transaction. On the bright side, in deciding to self-report and disclose, J.P. Morgan may have mitigated financial and reputational damages associated with a whistleblower suit. Section 1079A of the Dodd-Frank Act, which amended 31 U.S.C. 3730(h), includes a provision to reward "whistleblowers" — those persons who voluntarily provide the SEC with original information that leads to a successful security law enforcement action, whereby the SEC collects monetary sanctions in excess of $1 million.
Still, from a corporate compliance standpoint, the CEO's statement that "traders in a London unit responsible for a $2 billion loss didn’t understand the risks they were taking and weren't properly monitored" [1] gives reason to take notice. If the traders were not apprised of the potential consequences of the trades from a regulatory and financial standpoint, as long as they acted in good faith, the onus falls on the compliance officer and, ultimately, the corporation. The "control persons" — those in a supervisory capacity who are responsible for books, records and internal controls — are liable under Section 20(a) of the Exchange Act. Therefore, a bank's CIO, executives and other levels of management could ultimately bear the liability for either directing or failing to supervise other bank employees who carry out transactions, especially with counter swaps. Other legal implications could arise in the form of shareholder lawsuits and executive and director liability under the Responsible Corporate Officer's Doctrine. Hence, the take-away is not merely to establish the required compliance program, but to continually monitor, audit and revise the governed activities and program to ensure the standards are being met and to mitigate legal, financial and reputational liability.
Akin to the securities industry, hospitals have compliance program requirements, self-reporting duties and multiple opportunities for whistleblower (qui tam) lawsuits. Prior to the passage of the PPACA (42 U.S.C. §1395cc(j)(8)) in 2010, which mandated the adoption of compliance and ethics programs by a range of providers and suppliers, the HHS Office of the Inspector General had promoted the voluntary adoption of such programs. Moreover, mandatory contractual compliance programs in the form of corporate integrity agreements have been imposed by the OIG on providers involved in civil fraud violations.
In 1998, the OIG published compliance program guidance for hospitals in the Federal Register (63 Fed. Reg. 8987 (Feb. 23, 1998)). Specifically, the guidance was "intended to assist hospitals and their agents and subproviders (referred to collectively in this document as 'hospitals') develop effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of federal, state and private health plans." The standards set forth in 1998 are similar to the 2010 regulations, which mirror the description in the U.S. Federal Sentencing Guidelines Manual. Therefore, when establishing and monitoring a compliance program, providers should include the following core elements:
- Seven mandatory aspects of the program that policies and procedures must cover;
- Compliance officer must be established and report to the CEO and the board;
- Increased requirements for compliance training and education, including ongoing, annual training;
- Communication requirements, which must also include an internal reporting mechanism for anonymous complaints as well as clearly delineated lines of communication;
- New disciplinary standards;
- Enhanced conduct compliance monitoring and auditing, including the implementation of external audits; and
- Increased reference to conducting compliance investigations, responses and corrective actions.
By establishing ongoing compliance programs that satisfy the heightened criteria, healthcare entities can better protect themselves proactively from investigations and litigation under various federal fraud and abuse laws. False Claims Act suits now have greater application under Section 4 of the Fraud Enforcement and Recovery Act, Section 10104(j)(2) of the PPACA and Section 6402(a) of PPACA, which established section 1128J(d), "Reporting and Returning Overpayments." Therefore, just as J.P. Morgan avoided a False Claims Act suit by disclosing and taking corrective action, healthcare providers, agents and subproviders can potentially avoid similar False Claims Act actions by establishing the requisite compliance program protocols and implementing them on an ongoing basis.
Footnotes:
[1] Kopecki, D. and Mattingly, P. "Dimon Says JPMorgan ‘Let People Down’ on Credit Trades," www.bloomberg.com (June 12, 2012).
Rachel V. Rose, JD, MBA – Attorney at Law, PLLC (Houston, TX) – publishes and presents on a variety of areas of healthcare legal and regulatory compliance. She can be reached at rvrose@rvrose.com.