Lessons Learned from Recent DOJ Healthcare Settlements

Today, I want to examine lessons learned from two recent U.S. Department of Justice (DOJ) press releases.

First, what do Martha Stewart, Rod Blagojevich, and Scooter Libby have in common? If you said all of them were convicted of lying to the government, you’d be right. 18 USC section 1001 makes it a crime to knowingly and willfully make false statements to many government entities, under a wide range of circumstances.

This is not something most healthcare providers often think much about. But a recent case reminds us that we are subject to this regulation. This month, a North Carolina pediatrician whose license is now suspended was sentenced in the Southern District of South Dakota for making false statements on an employment application for a position with the Indian Health Service.

The details are salacious and sensational. In short, the pediatrician had a sexual relationship with a patient. This, predictably, resulted in an investigation by the North Carolina board. Failure to disclose the ongoing investigation was sufficient to sustain the 1001 charge. She was convicted, and this month she was sentenced to time served, followed by one year of supervised release, and ordered to pay a special assessment and $22,000 in restitution. That doesn’t sound like a lot, but she’s unlikely to ever practice medicine again.

This is a very specific case. But every Medicare provider has completed a form 855. When signing the form, providers are certifying compliance with a wide range of statutes and regulations. One of the acknowledgements is that providers remain responsible of the accuracy of claims submitted by contractors. Violations of this will also support 1001 charges, in addition to a false claim charge.

Speaking of false claims, in a second case, the DOJ and ASRC Federal Data Solutions LLC agreed to resolve False Claims Act allegations in connection with unsecured personally identifiable information. I thought this was an unusual application of false claims. In reviewing the terms of the settlement, ASRC pays about $300,000 in restitution.

The parties shared screenshots containing personally identifiable data. These screenshots were stored using disk-level encryption that protected files from some unauthorized access, but the files were not individually encrypted. The government contends that the storing of unencrypted screenshots violates U.S. Department of Health and Human Services (HHS) cybersecurity requirements. When the server was breached, the files were compromised.

Something that struck me about this settlement is the frequency with which organizations seem to share screenshots. These are rarely individually encrypted, and may be shared internally or with contractors. Even when an email is encrypted, few organizations provide for file-level encryption. Screenshots are often stored on individual workstations, which may have disk-level encryption. Based on this case, though, these practices are probably inadequate.

So, what conclusions can we draw?

• The first, and most obvious, is to read what you’re signing. It’s easy to say “I have no choice” and just sign a document. But that document may have material omissions. As the South Dakota case shows, these omissions may be actionable.
• Second, make sure your organization has policies and procedures in place to assure the security of all files stored in all locations – and that these practices meet applicable governmental and contractual requirements.
• Last, if you think you need to lie, you clearly need a lawyer.