VSD Policy Language That Raises Questions for Healthcare Organizations
“When it becomes aware”
Many, if not most, large healthcare organizations already have whistleblower hotlines in place. Those companies might get dozens, or even hundreds, of hotline calls that lead to no action being taken, whether the company conducts an in-house investigation of the call or retains outside counsel to do so. This raises an important question regarding how the DOJ will interpret the VSD policy’s requirement that companies report “when they become aware” of misconduct. Will the DOJ, for example, interpret that requirement to mean “when the first call comes in to the company’s internal whistleblower hotline?” And, if so, does that mean that companies investigating calls rather than immediately making self-disclosures will be considered ineligible for credit under the policy? For healthcare providers, for example, such a strict interpretation would interfere with the well-established six-month reasonable diligence period for investigation of potential Medicare overpayments, before the 60-day repayment window provided by Section 1128J(d)(2) of the Social Security Act begins.
If the DOJ adopts such an interpretation of the timeliness requirement, it would likely prove unworkable for most large healthcare companies. For healthcare providers receiving Medicare funds, in particular, it would directly conflict with the Department of Health and Human Services (HHS) OIG Health Care Fraud Self-Disclosure Protocol (SDP), which specifically contemplates that a reporting party conduct an internal investigation and report its findings to OIG before it can be considered for admission into the SDP. Similarly, the CMS Voluntary Self-Referral Disclosure Protocol (SRDP) contemplates that the reporting party will conduct a “reasonable assessment” and identify actual or potential violations prior to self-disclosure. The uncertainty on this point obscures the VSD policy’s potential impact and might result in healthcare companies, in particular, having to question whether their disclosure, if not made immediately upon receipt of a whistleblower call, will be deemed timely by the DOJ.
In addition, it is not difficult to imagine a scenario in which a healthcare organization or provider decides to conduct an internal investigation to ascertain whether an internally reported complaint has any viability, only to learn during the pendency of the investigation that the whistleblower has alerted the government, either personally or through counsel. In such a scenario, would the company be precluded from taking advantage of the DOJ VSD policy if it subsequently discloses the results of its investigation to the DOJ immediately upon its conclusion? The policy leaves this critical question open.
“Otherwise known to the DOJ”
Of greater uncertainty is the interaction of DOJ’s VSD policy with the self-disclosure protocols of other agencies. Healthcare organizations are subject to several other self-disclosure procedures, including the OIG’s SDP and CMS’ SRDP. Under these protocols, the OIG and CMS will often notify the DOJ of a disclosed actual or potential fraud and abuse violation. As a coordinating agency, the DOJ is then able to elect whether it will participate in the settlement process. In fact, the OIG SDP makes clear that if the DOJ decides to get involved, the “DOJ determines the approach in cases in which it is involved. OIG also coordinates with DOJ on disclosures involving potential criminal conduct. OIG’s Office of Investigations investigates criminal matters, and any disclosure of criminal conduct through the SDP will be referred to DOJ for resolution.”
However, the VSD policy dictates that a healthcare organization must disclose misconduct before it is “otherwise known to the DOJ.” But what if the DOJ is made aware of the conduct due to the healthcare organization’s self-disclosure to the OIG or CMS? Must any disclosure to the OIG or CMS be simultaneously made to the DOJ (or made to the DOJ beforehand), even if the DOJ may ultimately elect not to participate in the settlement? It is certainly within the realm of possibility that a healthcare organization or provider conducting an internal investigation of Medicare overbilling allegations, for example, in an effort to attempt to take advantage of the OIG SDP or CMS SRDP, may be precluded from taking advantage of the DOJ VSD safe harbor if the DOJ deems the disclosure to be already known to the DOJ.
“Misconduct by employees or agents”
In addition to the timeliness requirement discussed above, the VSD policy requires self-disclosure of a broad scope of information, namely, any “misconduct by employees or agents.” This phrase is, again, undefined. Left open to interpretation, it could mean almost anything. For example, must a healthcare organization or provider report to the DOJ everything and anything, anytime it gets even a whiff of any sort of employee misconduct? Is there any sort of de minimis threshold of “misconduct” that must be exceeded to trigger the requirement?
Similarly, does the VSD policy rely on the strict application of employment and agency law? This question is particularly germane in the healthcare industry. For example, many, if not all, hospitals grant certain hospital privileges to members of their medical staff who are not “employees,” and many likewise utilize per diem and travel nurses who are typically deemed independent contractors for tax purposes. Another example can be found in the utilization of dental support organizations (DSOs), which is on the rise. Dental practices will contract with DSOs to manage the administrative, marketing, and business sides of the practice, including the processing of insurance claims. Where should these healthcare organizations and practices draw the line between “employees or agents” and independent contractors or service providers? And does it matter the capacity in which the individual was acting during the conduct in question? If a per diem nurse’s conduct was, for example, beyond the scope of his/her contracted-for relationship, must a hospital still report it? Because the VSD policy does not provide answers to these questions, healthcare organizations and companies will be left to make these decisions for themselves and, candidly, guess how the DOJ would come down in any given circumstance.
“All relevant facts”
The VSD policy also requires disclosure of “all relevant facts.” For members of the legal community, the issue this language presents is glaring: determining precisely which facts are “relevant” is about as easy as seating a jury of twelve “reasonable persons.” How should companies go about determining “relevance,” particularly those companies operating in the healthcare industry? Does the DOJ expect them to apply the broadest possible interpretation of the word—for example, the “relevance” standard in civil discovery—or does the concept of “relevance” depend on the specific circumstances of the potential misconduct being disclosed, thereby making the term more comparable to a “materiality” threshold? How can companies protect themselves, but not inadvertently disclose more than is necessary or required to reap the new policy’s benefits? Are there any exceptions to the “all relevant facts” requirement, for example, for confidential or protected health information? The concern that a company’s disclosure, even one made in the utmost good faith, might not be deemed a full disclosure of “all relevant facts” raises further uncertainty about the DOJ’s new policy’s implementation and might well serve as an obstacle for companies’ adherence to it.
“In a timely fashion”
The issue of timeliness the new policy’s language raises is certainly tied into the uncertainty raised by the phrase “when it becomes aware.” Unlike the DOJ’s Criminal Division’s recently updated Corporate Enforcement and Voluntary Self-Disclosure Policy—which specifically requires self-disclosure “at the earliest possible time,” even if a company has not completed its internal investigation—the new VSD policy is silent on the issue. How is the DOJ likely to interpret the term “timely” under the VSD policy? Is it “as soon as humanly possible,” or is disclosure “within a reasonable time” satisfactory?
In practice, one would expect that the DOJ would assess timeliness similarly under both the Criminal Division policy and the VSD policy. For example, healthcare providers faced with potential overbilling issues have historically operated under the HHS OIG SDP and CMS SRDP timetable and will generally conduct internal investigations to ascertain whether there was overbilling before facing the 60-day time crunch. The VSD policy adds a new wrinkle: Does the provider now have to choose between the DOJ VSD policy and the applicable HHS OIG SDP/CMS SRDP? Will an internal investigation conducted with reasonable diligence serve to “toll” the VSD policy’s definition of “timely” much the way it tolls the running of the 60-day overpayment repayment obligation? Ultimately, it will most likely depend on the specific facts and circumstances of each case, including information reported to the company, information the company reveals itself through an internal investigation, and the chronology of events. All in all, the burden will almost certainly remain on the company to demonstrate the disclosure was “timely.” It is simply not practical for a large company to immediately run to the DOJ and disclose every complaint it receives from its whistleblower hotline. In reality, most companies will need—and want—to investigate complaints to weed out those that have no merit before even considering notifying the DOJ or another agency about the potential misconduct. Yet the language of the new DOJ VSD policy fails to give adequate guidance as to whether such a normally prudent course of action will entitle the company to the safe harbor the policy intends to offer.
The Policy Creates Incentives For Strong Internal Investigation Capabilities
The potential benefits the new DOJ VSD policy dangles in front of healthcare organizations and companies are designed to drive more self-disclosures despite the uncertainty regarding the DOJ’s interpretation and implementation of the policy. Avoiding criminal prosecution—by obtaining what white-collar practitioners refer to as a “non-pros” or “NPA” (non-prosecution agreement)—has a powerful allure. So, too, does the ability of a company to obtain a reduced fine. One of the few things that does appear certain is that these carrots will incentivize compliance and internal investigation activities. The policy should absolutely encourage healthcare organizations and providers that do not already have strong compliance programs to develop and implement such programs promptly. The policy should also motivate all healthcare companies to encourage internal reporting and to quickly undertake internal investigations (whether using in-house attorneys or outside counsel) in the hopes of identifying serious issues before the government gets involved. Only by doing so can the company preserve its ability to potentially take advantage of the new policy’s benefits.
Conducting internal investigations in this manner is particularly important for healthcare organizations. Given the sheer volume of legal and regulatory requirements imposed in the healthcare industry, only by completing prompt investigation can companies make informed decisions about whether to voluntarily self-disclose violations to the DOJ. Without having proactive tools and approaches already in place (e.g., compliance programs, internal reporting mechanisms, investigation protocols, etc.), companies will likely find themselves unable to even consider whether to make voluntary self-disclosures that might be deemed to fall within the new policy’s requirements.
While it remains to be seen how the DOJ will interpret the new policy’s language and how often NPAs will be given, it is nevertheless more important now than ever before that healthcare organizations develop, implement, and abide by robust compliance programs, including, most importantly, quick investigations of internally reported allegations of misconduct. The use of experienced outside counsel to facilitate the development and implementation of these proactive tools is something companies should strongly consider, particularly when the allegations are serious or maintaining the attorney-client privilege is critical. Given the demonstrated uncertainties with the interpretation and application of the policy, and the lack of certainty as to whether disclosure will result in an NPA, there exists a very real risk that the scope of a disclosure could serve as a veritable roadmap for the USAO to draft charges. The engagement of outside counsel experienced in dealing with DOJ and the relevant USAO can certainly help healthcare organizations address these concerns through the submission of a finely tailored disclosure that maximizes the likelihood of obtaining an NPA and minimizes the indictment roadmap risk.