©2012 THE ADVISORY BOARD COMPANY • ADVISORY.COM 5

Health Care Law Roundtable

For hospitals and health systems, reporting a potential Stark violation is a time-consuming and detailed endeavor, involving evaluation of the magnitude and scope of the issue, overpayment amounts, and possible monetary impact to the organization. However, under the Affordable Care Act and CMS’ proposed rules on reporting and refunding overpayments, providers must also be careful to meet the new, shorter deadlines. Without careful attention to these rules and effective self-disclosure avenues, an overpayment matter can quickly turn into a False Claims Act issue.

Under the new proposed rules on reporting and refunding overpayments, providers that discover any problems, including potential violations of the Stark law, have 60 days to report and refund once they have identified an overpayment. If you are on notice of a problem but have yet to identify the overpayment, you still must make a reasonable inquiry and act with “all deliberate speed” to determine the overpayment amount, if any. Among other things, you should log when the overpayment is “identified;” on that date, the 60-day clock begins running. The government has been clear that by doing nothing, you are potentially liable under the False Claims Act for knowingly avoiding an obligation to refund money to the government.

David Pursell Husch Blackwell LLP david.pursell@huschblackwell.com

Given this regulatory environment, providers that discover definitive Stark problems must choose to either refund any overpayment amounts or disclose the issue to CMS, OIG, or DOJ. Simply refunding the money to CMS’ fiscal intermediary within the 60-day deadline absolves you of your statutory requirement to “report and refund.” However, a Stark overpayment amount is usually so high that most providers balk at this approach.

Thus, you’re left with the option of self-disclosing within 60 days, which then tolls the clock on refunding. What is the best avenue for self-disclosure? None of your options are perfect, but some are definitely better than others.

• The DOJ is an agency to rule out, for the following reason: DOJ factors into its decisions—including resolution of a self-disclosure—the potential litigation risk in the particular case. DOJ hires trial lawyers, so this should not be surprising. When litigation risk is analyzed in a Stark law case, the Stark law’s strict liability mens rea requirement makes the case attractive to the DOJ.

• The next choice for disclosing a potential Stark problem is the OIG. However, since 2009, OIG has not accepted a Stark issue into its self-disclosure protocol unless there is also a colorable violation of the anti-kickback statute. To go this route, you must allege that each arrangement not only potentially violates the Stark law but also arguably violates the anti-kickback statute, which is a criminal statute. On a positive note, the OIG generally resolves matters quickly and uses creative theories of damages that may be more economically feasible for provider organizations.

• Given that the CMS’ protocol is specifically designed for Stark compliance issues, this is likely the most appropriate venue for self-disclosure. Of course, this is not without drawbacks. First, CMS has been airtight with respect to sharing its methodology for calculating settlement amounts for the thirteen cases it has settled since 2010. While it would be nice to receive more information from the agency, with the range of settlement amounts between $60 and $579,000, one can conclude that CMS is trying to be very equitable in these cases.

Another downside to disclosure through this avenue is the burdensome, lengthy, and costly requirements of reviewing each arrangement, describing in detail how the arrangement does not fit into any exception under the Stark law, and disclosing the amounts involved in each arrangement by year.

The Stark Law and Self-Disclosure What Should You Do After Discovering A Potential Stark Violation?

Brian BewleyHusch Blackwell LLP brian.bewley@huschblackwell.com

©2012 THE ADVISORY BOARD COMPANY • ADVISORY.COM 6

1) Friedman v. Sebelius, No. 11-5028 (D.C. Cir. July 27, 2012).

Health Care Law Roundtable

In the end, although not without disadvantages, CMS’ protocol is a promising venue for disclosing a potential Stark problem if you are not in a hurry to get the issue resolved. If CMS is not an option because of its long timeline, the next best option is OIG, but only if you allege a colorable kickback violation. No matter what you decide to do, keep in mind that the 60-day clock on refund or disclosure begins ticking as soon as you identify the overpayment. The government has made it abundantly clear that putting your head in the sand when you are on notice of a potential problem is not acceptable. Thus, act with “all deliberate speed,” and choose your venue wisely

not occur.” Under this powerful doctrine, a defendant may be convicted even if he or she did not participate in – or even know about – the underlying violations. The only defense, rarely employed, is if the defendant is found “powerless” to prevent or correct the violation.

Because the FDCA does not specify which job functions will be deemed ‘responsible corporate officers’, and the determination as to where on the decision-making chain liability will attach varies depending upon the circumstances of each case, all employees with managerial responsibilities should understand their potential liability in these areas. For example, in 2011, the Chairman/CEO of K-V Pharmaceuticals pleaded guilty to two misdemeanor misbranding charges, spent 17 days in jail, and paid $1.9 million in fines and forfeiture. In 2009, four executives of medical device manufacturer Snythes, Inc. pleaded guilty to a misdemeanor count of shipping an adulterated and misbranded drug, received prison sentences of between 5 and 9 months, and were eventually excluded from participating in federal healthcare programs by the Office of the Inspector General of the Health and Human Services Department (HHS-OIG).

In one of the foundational cases in this area in 2007, Purdue Frederick Company, Inc. and its CEO, general counsel, and medical director each pleaded guilty to misdemeanor misbranding of OxyContin and were fined millions of dollars and an exclusion of 12 years; on appeal a panel of the D.C. Circuit Court affirmed the agency’s ability to impose that sanction after providing its justification, and defendants have sought en banc review.1

The policy of imposing personal liability based on position within the company rather than any knowledge of wrongdoing has also been employed by HHS-OIG when exercising its authority to exclude owners, officers, or managing employees of an entity that has been excluded or convicted of certain offenses. Generally, HHS-OIG’s decision-making in this area is governed by its 2010 Guidance for Implementing Permissive Exclusion Authority, which states that even without evidence that an individual knew about the conduct, he or she may still face exclusion after consideration of: (1) circumstances of the misconduct and seriousness of the offense, (2) the individual’s role in the sanctioned entity, (3) the individual’s actions in response to the misconduct, and (4) information about the entity.

Importantly, the Exclusion Guidance may subject managing employees within health care provider organizations─including potentially hospitals and health systems─ to exposure under the RCO doctrine.

Ronaldo Rauseo-Ricupero Nixon Peabody LLP rrauseoricupero@nixonpeabody.com

The Responsible Corporate Officer Doctrine Resurgence in Health Care May Expose Executives to Criminal Liability or Exclusion

As government regulators and prosecutors have steadily increased their use of the Responsible Corporate Officer doctrine (RCO) to exclude and indict individuals on a strict liability basis, health care industry participants, from pharmaceutical manufacturers to hospital compliance officers, should take note of its impact, which has caused enforcement entities to focus more closely on attributing responsibility for violations on individual executives and managers.

Under this doctrine, an individual defendant may be convicted of a misdemeanor violation of the Food, Drug, and Cosmetic Act (“FDCA”) when there is evidence that he had, “by reason of his position in the corporation, responsibility and authority either to prevent in the first instance, or promptly to correct, the violation complained of, and that he failed to do so.” This type of liability (which was upheld by the Supreme Court in United States v. Park, 421 U.S. 658 (1975) and therefore often referred to as “Park liability”) imposes “a positive duty to seek out and remedy violations” and “a duty to implement measures that will insure that violations will