Government investigations may come in many forms, but criminal matters involving potential jail time, mandatory exclusion, loss of licensure, and reputational harm are the most severe and scary scenarios that anyone can face. Unfortunately, it often is not clear, particularly at the outset, whether an investigation involves criminal violations or what your status might be in the investigation. For example, our clients might be informed that the FBI is interviewing patients, or that their partners have received subpoenas. The uncertainty that results from these types of events is particularly difficult for our clients to manage, and typically involves sleepless nights, loss of appetite, anxiety and potential depression.

Our experienced healthcare defense attorneys understand what clients are going through, and focus on providing them with insight into the government’s investigation and how best to defend it. There are a variety of potential outcomes, many of them involving far less severe ramifications than might be contemplated. Indeed, in healthcare, parallel criminal, civil, and administrative laws provide an opportunity for potential resolution of government investigations under terms that do not involve loss of liberty or livelihood. The range of outcomes that might be available depends on the evidence available to the government, but cases involving patient harm typically receive more focus from a criminal perspective than run-of-the-mill billing irregularities, particularly when the federal government is involved.

That said, there are several notable exceptions. At Health Law Alliance, our healthcare defense attorneys have decades of federal and state prosecutorial experience, and we rely on that background to highlight areas of increased risk. In particular, the below agencies focus on the prosecution of criminal healthcare fraud.

The Medicare Fraud Strike Force, operated by the U.S. Department of Justice (DOJ) in regions across the country, is particularly adept at prosecuting healthcare fraud criminal matters. Medicare Fraud Strike Force Teams harness data analytics and the combined resources of federal, state, and local law enforcement entities to prevent and combat healthcare fraud, waste, and abuse. More specifically, the Strike Force uses advanced data analysis techniques to identify aberrant billing levels in healthcare fraud “hot spots” – cities with high levels of billing fraud – combined with traditional investigative techniques to target suspicious billing patterns in addition to emerging schemes and fraudulent practices that move from one location to another.

First established in March 2007, prosecutors operate in 16 Strike Forces, including the National Rapid Response Strike Force based in Washington, DC. The Strike Force Model centers on a cross-agency collaborative approach, bringing together the investigative and analytical resources of DOJ’s Fraud Section, the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG), the Centers for Medicare & Medicaid Services (CMS), Drug Enforcement Administration (DEA), Defense Criminal Investigative Service (DCIS), Federal Deposit Insurance Corporation Office of the Inspector General (FDIC-OIG), Internal Revenue Service (IRS), Department of Labor-OIG, United States Postal Service – Office of the Inspector General (USPS-OIG), Veterans Administration – Office of the Inspector General (VA-OIG), and other agencies. Strike Force Health Care Fraud and Prescription Opioid teams are located across the country, as depicted by the chart below:

The Medicare Strike Force has filed thousands of criminal actions and indictments and recovered billions of dollars in assets resulting from healthcare fraud. The Strike Force teams bring together the Office of Inspector General (OIG), the Department of Justice (DOJ), Offices of the United States Attorneys (USAOs), the Federal Bureau of Investigation (FBI), local law enforcement, and others. These attorneys and investigators have a proven record of success in analyzing data and investigative intelligence to quickly identify fraud and bring prosecutions. The interagency collaboration also enhances the effectiveness of the Strike Force model. For example, OIG refers credible allegations of fraud to the Centers for Medicare & Medicaid Services (CMS) so that it can suspend payments to the alleged healthcare fraud perpetrators, thereby preventing losses to federal programs. Finally, the Medicare Strike Force does not focus exclusively on healthcare fraud but also prosecutes wire fraud, mail fraud, bank fraud, money laundering offenses, violations of the Anti-Kickback Statute (AKS), false statements offenses, Title 42 offenses, Title 26 offenses, and Title 21 offenses, in the highest intensity regions.

The Medicare Strike Force is a specialized department within the DOJ’s Health Care Fraud Unit, based in Washington, D.C., with operations across the country. DOJ’s Health Care Fraud Unit is led by over 80 experienced white-collar prosecutors who focus solely on prosecuting the nation’s most complicated healthcare fraud matters and the illegal prescription, distribution, and diversion of opioids and other controlled substances. The Health Care Fraud Unit’s mission is to protect the public treasury from wide-scale healthcare fraud, protect patients from significant fraudulent schemes that result in patient harm, and to detect, limit, and deter fraud and illegal prescription, distribution, and diversion of controlled substance offenses. The Health Care Fraud Unit endeavors to prosecute defendants who orchestrate schemes that result in the loss of hundreds of millions or billions of dollars, the distribution of tens of millions of opioids or controlled substances, and complex money laundering, tax, and other financial crime offenses.

The Health Care Fraud Unit prides itself on conducting the most trials of any DOJ component, including the U.S. Attorney's Offices. DOJ prosecutors, referred to as “Trial Attorneys,” have participated in the largest and most complex healthcare fraud and opioid distribution trials in the country. Notably, the Health Care Fraud Unit is a leader in using advanced data analytics and algorithmic methods to identify newly emerging healthcare fraud schemes and to target the most egregious fraudsters. The Health Care Fraud Unit’s team of dedicated data analysts works with prosecutors to identify, investigate, and prosecute cases using data analytics. At the Health Law Alliance, our healthcare defense attorneys have extensive experience in the use of data analytics to identify potential fraud, waste, and abuse, having served as the Chief Compliance Officer and Executive Leadership Team member for UnitedHealth Group, with oversight of Optum and UnitedHealthcare, including Special Investigative Units (SIUs) within those platforms.

The Health Care Fraud Unit’s cases are complex and wide-reaching. In particular, the National Rapid Response Strike Force was created in 2020 to investigate and prosecute fraud cases involving major healthcare providers that operate in multiple jurisdictions. The National Rapid Response Strike Force coordinates with the Civil Division’s Fraud Section and Consumer Protection Branch, U.S. Attorneys’ Offices across the country, state Medicaid Fraud Control Units (MFCUs), the FBI, HHS-OIG, and other agency partners to investigate and prosecute multi-jurisdictional and corporate healthcare fraud. The National Rapid Response Strike Force’s recent successes include the conviction of owners of a multi-state network of rural hospitals in a $1 billion billing fraud matter; the $500 million global resolution with Tenet Healthcare Corporation and related individual prosecutions for a hospital kickback scheme; the prosecution of billions of dollars in telemedicine fraud; prosecution of over $1 billion in fraudulent addiction rehabilitation facility fraud as part of the Sober Homes Initiative; and leadership of the Unit’s efforts to prosecute those seeking to criminally exploit the COVID-19 pandemic, including the conviction at trial of the President of a Silicon Valley technology company for healthcare fraud, illegal kickback, and securities fraud related to the announcement of purportedly revolutionary testing for COVID-19 using only a few drops of blood, i.e., Elizabeth Holmes and associates.

In addition, in 2022, the DOJ Criminal Division announced the formation of the New England Prescription Opioid (NEPO) Strike Force, a joint law enforcement effort to investigate and prosecute healthcare fraud schemes in the New England region, and to prosecute individuals involved in the illegal distribution of prescription opioids and other controlled substances. NEPO leverages the success of the October 2018 formation of the Appalachian Regional Prescription Opioid (ARPO) Strike Force, a joint effort between DOJ, FBI, HHS-OIG, DEA, and state and local law enforcement to combat healthcare fraud and the opioid epidemic in locations that have been harmed significantly by addiction. ARPO has partnered with federal and state law enforcement and U.S. Attorneys’ Offices throughout Alabama, Kentucky, Ohio, Virginia, Tennessee, and West Virginia to prosecute medical professionals involved in the illegal prescription and distribution of opioids.

In addition to DOJ’s Strike Forces and Health Care Fraud Units, all of the U.S. Attorneys’ Offices are staffed by federal prosecutors, referred to as Assistant United States Attorneys (AUSAs), who investigate and prosecute healthcare fraud crimes in their respective jurisdictions. There are 93 U.S. Attorneys’ Offices in the country, and the U.S. Attorney in each district is the chief federal law enforcement officer, reporting to the Attorney General of the United States. The U.S. Attorneys’ Offices are coordinated by the Executive Office for U.S. Attorneys, which oversees the DOJ’s Health Care Fraud and Abuse Act Program, established as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). To most, HIPAA is better known for privacy and nondiscrimination rules, but the statute also created a number of healthcare offenses and enforcement tools, including the “HIPAA subpoena,” and mandated that the DOJ and HHS-OIG coordinate to support efforts to investigate and prosecute healthcare fraud.

To this end, HIPAA provided a funding source, specifically requiring that amounts equaling recoveries from healthcare fraud investigations be deposited in or transferred to the Federal Hospital Insurance Trust Fund. Recoveries are then appropriated from the Trust Fund to the Health Care Fraud and Abuse Control Account in an amount the Attorney General and HHS Secretary certify annually are necessary to finance healthcare fraud enforcement activities. Appropriations from the Control Account fund attorneys, investigators, and litigation support to combat healthcare fraud. Since 1997, over $57 billion has been collected by the DOJ and HHS. Of that, nearly $40 billion has been returned to the Medicare Trust Funds, an average of approximately $1.5 billion per year, and Medicaid, Tricare, the Veteran’s Administration, among others. In the same period, 13,628 defendants have been convicted of healthcare fraud offenses, an average of 545 every year. These numbers are startling, to be sure.

All states also operate Medicaid Fraud Control Units (MFCUs), typically within the State Attorney General’s Office, to investigate and prosecute Medicaid-related fraud. The Social Security Act (SSA) requires each state to effectively operate an MFCU unless the Secretary of Health and Human Services (HHS) determines that (1) the operation of a Unit would not be cost-effective because minimal Medicaid fraud exists in a particular state; and (2) the state has other adequate safeguards to protect enrollees from abuse or neglect. MFCUs are funded jointly by the federal and state governments. Each Unit receives a federal grant award equivalent to 90 percent of total expenditures for new Units and 75 percent for all other Units.

MFCU cases often begin as referrals from external sources or are generated from data mining. MFCU staff review referrals of possible fraud to determine the potential for criminal prosecution or civil action. If the Unit accepts a referral, the case may result in various outcomes. Criminal prosecutions may result in convictions; civil actions may result in civil settlements. Both criminal prosecutions and civil actions routinely include the assessment of monetary recoveries. The approach of the MFCUs varies state-by-state, with some offices, such as Pennsylvania’s MFCU, that pursue criminal cases exclusively. In other words, the Pennsylvania MFCU will either bring a criminal case or decline the matter completely; that office does not interpret its enabling statutes to permit the resolution of investigations on civil terms. Other state MFCUs, however, investigate and prosecute both criminal and civil cases. The OIG has the authority to exclude convicted individuals and entities from any federally funded healthcare program, such as Medicaid, on the basis of convictions referred from MFCUs. In addition to achieving these outcomes, MFCUs may also make recommendations to their state governments to strengthen program integrity.

To design an effective PBM audit response strategy, providers must understand the chain of events both prior to the initiation of a PBM audit and afterwards. For example, Special Investigative Units (SIUs) are often the genesis of a pharmacy audit, and the presence or absence of "audit risk factors" is informative on potentially broader exposure beyond the claims under audit. Any decision to resolve an audit should be informed and result in a full and final settlement of all liability, but PBM audit settlements need to be structured carefully to achieve this goal.

CVS Caremark, OptumRx, and Express Scripts, control at least 80% of the market, making them the three biggest PBMs. Humana also ranks among the largest. In addition, these PBMs regulate access to networks for smaller competitors, such as ESI's partnership with Prime. Plan sponsors, such as United Health, Cigna and Aetna, are vertically integrated with these PBMs, increasing audit risk for pharmacies because network sanctions are more likely to affect a significant aspect of a pharmacy's business across both government and commercial claims.

PBMs and payors use artificial intelligence and data mining across medical and pharmacy claims to identify areas of potential inquiry. Among other areas, these inquiries typically involve high-reimbursing medicines, brand/generic substitution, inventory discrepancies, co-payment collection, prior authorization, and telehealth relations. Separately, DEA conducts audits and inspections for compliance to controlled substance regulations.  

Common types of PBM audits include desk audits; on-site audits; invoice audits; and prescription audits. Irrespective of the type of PBM audit, all interactions with PBMs should be taken extremely seriously and can lead to severe consequences if not handled appropriately. For example, there has been a sharp increase in the federal prosecution of pharmacists for audit-related conduct, including answering PBM questions incorrectly. Accordingly, pharmacies should consider using outside audit counsel to avoid these pitfalls.

Pharmacies can take various steps to prepare to meet PBM audits, including routine self-audits. In fact, the government publishes comprehensive guidance and a checklist to assist pharmacies in their audit planning, including self-audits around prescribing practices, controlled substance management, invoice management, and billing practices. If you need assistance designing or implementing an audit protection plan, please do not hesitate to contact us.

Defending against a PBM audit requires comprehensive knowledge of the rights, responsibilities, and intricacies of pharmacies and their laws and regulations.  If your pharmacy has been identified for a PBM audit, there are a number of potential defenses available to you. The first defense against a PBM audit is to be proactive, and audit planning can lessen the chance of unfavorable findings. That said, it is often necessary to involve an attorney to hold PBMs to their obligations under law and provider agreements. For this reason, national audit services and pharmacy audit consultants are often ineffective.

Audit discrepancies and findings can be appealed based on the specific procedures outlined in the provider manuals. It is important to follow these requirements exactly, within the timeframes established, or your appeal rights could be lost and further review denied. In an appeal, it is critically important to make a complete record of why the audit findings or sanctions should be reversed, including through documentation, legal arguments, and corrective actions, if any. Depending on the outcome of the appeal, you may have further legal recourse against the PBM.

PBM audits can have severe repercussions depending on the results of the pharmacy audit, including recoupments, network sanctions, and criminal, civil and administrative investigations involving jail time, significant fines, and license revocation or exclusion. We publish a 10-part PBM Audit Guide that discusses the overlap between PBM audits and government investigations and how to successfully manage audit risk. This resource is complimentary to subscribers HERE.