Federal False Claims Act (FCA) investigations that seek to delve into healthcare companies’ patient specific billing and other confidential, private data show no signs of abating.1 Underscoring the government’s continued pursuit of allegations of healthcare fraud, the Department of Justice (DOJ) recently declared that it “will not hesitate to hold accountable both the companies and the individuals who order or perform excessive, non-patient specific tests and provide inducements to physicians that lead to unnecessary costs being imposed upon our nation’s health care programs.”2 Through enforcement actions under the FCA, the DOJ has recovered $27.1 billion since 2009, of which more than $17.1 billion came from cases involving federal healthcare fraud.3 Healthcare providers can expect to remain in the bull’s eye for FCA investigations, and must be prepared to respond carefully to subpoenas and other demands for information from federal investigators, as these demands may implicate protected, sensitive patient information.4
The False Claims Act and Healthcare Fraud
Under the FCA,5 a private party – formally called a “relator” and colloquially referred to as a “whistleblower” – can bring a qui tam civil action by filing a complaint under seal and serving a copy on the government. Thereafter, the local United States Attorney’s Office must determine whether it will intervene and proceed with the action.6 If the government declines to intervene, the individual relator may nevertheless proceed with the lawsuit independently.7 Accordingly, when presented with a complaint alleging FCA violations, the government often conducts an investigation to test the strength of the relator’s allegations, to seek additional evidence, and to make a decision about whether to intervene.8
When an FCA complaint arises out of allegations of healthcare fraud, it is highly likely that the government will seek to obtain and scrutinize patient protected health information (PHI) in the course of its investigation. The Health Insurance Portability and Accountability Act (HIPAA) defines PHI as “individually identifiable health information,” which includes demographic information collected from an individual, and is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse and relates to the past, present or future physical or mental health or condition of an individual.9 HIPAA strictly controls the circumstances and manner in which PHI can be shared.10 When healthcare entities receive a request for information from the government, they must understand the extent to which the government may obtain PHI, and whether the government can then disclose PHI it has obtained during the course of an FCA investigation to third parties, including the relator.
Civil Investigative Demands and HIPAA Subpoenas
Two of the major investigative tools employed by the DOJ in the conduct of FCA investigations are the civil investigative demand (CID) and the HIPAA subpoena. A United States Attorney’s Office may issue a CID to any individual or entity that is believed to possess information relevant to an FCA investigation.11 Similarly, a United States Attorney’s Office can issue HIPAA subpoenas in investigations relating to “any act or activity involving a federal healthcare offense.”12 Both CIDs and HIPAA subpoenas may be used to obtain documentary evidence such as billing records and claims data, which the government can use to help it build a case and to determine whether to bring or to intervene in an FCA matter.
A critical distinction between HIPAA subpoenas and CIDs is the extent to which the government can share the information gathered with third parties. Importantly, CIDs benefit from an express statutory grant allowing the information obtained to be shared not only with other DOJ attorneys for use in other proceedings, but also with the individual, private relators who initiated the FCA case.13 By contrast, information procured by means of a HIPAA subpoena does not receive the same authorization to be shared with external third parties.14 Accordingly, although both tools may be utilized to obtain similar information, the government has no statutory authority to share information obtained by HIPAA subpoena, and privacy or confidentiality limits that are attached to the information remain intact.
Awareness of this distinction between CIDs and HIPAA subpoenas is particularly important with regard to PHI. In FCA investigations, both CIDs and HIPAA subpoenas will often target PHI because the government’s investigation of alleged wrongdoing is seeking patient-specific information at the claims level. To survive a motion to dismiss, FCA claims must be pled with sufficient particularity, which commonly means that the government (or the relator, standing in its shoes) must identify individual claims that were materially false in some fashion.15 Accordingly, healthcare entities under investigation are likely to receive a CID or HIPAA subpoena that seeks patient specific billing information, which will likely include information relating to the patient’s diagnosis, condition, and treatment.
A CID or HIPAA subpoena that seeks this type of patient specific information triggers the protections established by the HIPAA Privacy Rule, which mandates that PHI must be safeguarded and only disclosed to the extent permitted by law.16 Moreover, in the event of a request or demand for PHI, HIPAA requires that the disclosing entity “make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”17 However, HIPAA does explicitly allow the government to request PHI for use in judicial and administrative proceedings and for law enforcement purposes.18
Responding to CIDs and HIPAA Subpoenas
When faced with a client in receipt of a CID or HIPAA subpoena, there are several practical steps that should be taken to keep the scope of disclosure as small as possible. First, the HIPAA Privacy Rule gives healthcare providers and other entities in possession of PHI some flexibility and discretion in responding to government requests for production of such information. Unlike a grand jury subpoena or other court-ordered demand, which require strict compliance and disclosure, a CID or a HIPAA subpoena affords the responsive party some opportunity to object. Indeed, the HIPAA Privacy Rule sets forth that disclosure of PHI in response to a CID or HIPAA subpoena is permitted only upon proof by the issuing party that “(1) The information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.”19 Therefore, it is reasonable and appropriate for counsel for an entity receiving a CID or HIPAA subpoena to ask the government attorney issuing the request whether these requirements have been met and to engage in a dialogue to try to narrow the scope of the request. Once the scope of the request has been fixed, any production of materials in response to a CID or HIPAA subpoena that includes PHI should be done in a secure fashion, with appropriate password protection and data encryption to prevent any inadvertent disclosure.
When PHI is produced to the government in an FCA investigation, it is important to consider the possibility that the government may seek to share that information with the relator or other third parties. As mentioned above, depending on the means by which the PHI was obtained, the government’s authorization to share the information is different depending on which tool it used to obtain the PHI. To ensure compliance with its obligation to safeguard PHI,20 a healthcare provider in receipt of a CID or HIPAA subpoena should send a letter notifying the government that PHI is being produced, and instructing the government to take all necessary precautions to limit the use of such PHI to the minimum necessary to accomplish the intended purpose and to protect it from disclosure to third parties. If the government seeks information by means of a CID, sharing information with a relator or other DOJ attorneys is permissible, but it is good practice for the entity producing the information to request in writing that the government notify the producing entity prior to sharing PHI with any third party, including the relator. If the government instead uses a HIPAA subpoena, there is no statutory or regulatory authority for sharing information, and the producing entity should state in writing that PHI should not be shared with any third party, including any relator. The producing entity should also request notification if any information will or has been shared.
Finally, if the government decides not to intervene in an FCA matter, the entity that produced the PHI should send another letter demanding that the government either return or destroy any PHI produced in response to the CID or HIPAA subpoena. This practice ensures compliance with the HIPAA Privacy Rule’s express directive requiring “the return to the covered entity or destruction of the protected health information . . . at the end of the litigation or proceeding.”21 The government’s access to PHI is strictly limited to the litigation or proceeding for which it was sought, so any collateral or subsequent uses would directly violate the provisions of the HIPAA Privacy Rule. Such a demand is also consistent with the United States Attorneys’ Manual under which PHI “should be maintained securely and access to such information should be limited to those persons with a legitimate need for access” and “should either be destroyed, or returned to the entity which originally disclosed it” as soon as the need for the information has ended.22 The DOJ’s compliance with HIPAA’s mandates also was underscored by a memorandum issued by then-Deputy Attorney General Eric Holder on October 15, 1998 which stated that “[a]ll practicable steps to protect the privacy of individuals and the confidentiality of individually identifiable health information must be taken.”23
As demonstrated by the recent DOJ press release, investigation of healthcare fraud under the FCA continues to be a central – and lucrative – endeavor for the federal government.24 In its pursuit of such cases, the government will exercise its robust investigatory power by serving CIDs and HIPAA subpoenas, and consequently, it will often seek to gain access to individually identifiable health information. Given the nature of the FCA, where the government frequently operates as a co-party to the individual qui tam relators responsible for bringing the action, there is a substantial risk that PHI will be shared with relators and their counsel. Even in cases where the government does not itself ultimately intervene, it may seek to hand patient-specific claims data over to the relator to support the relator’s allegations. Healthcare providers in receipt of CIDs or HIPAA subpoenas should therefore affirmatively demand that the government make its demands as narrow as possible, that the government provide notice before disclosing PHI to any third party, and to return or to destroy the PHI as soon as the government’s involvement in the FCA matter ends.
Ingrid Martin is a partner at Collora LLP in Boston where she focuses her practice on the intersection between healthcare and criminal law. She represents healthcare providers in all types of state and federal government investigations as well as audits, licensing matters, and other administrative proceedings. She may be reached at email@example.com.
Timothy Wadman is a law clerk at Collora LLP and a third-year law student at Suffolk University Law School, where he serves as the Managing Editor on the Journal of Health & Biomedical Law. He may be reached at firstname.lastname@example.org.