How Will I Know? an Auditing Privilege and Health Care Compliance

How Will I Know? An Auditing Privilege and Health Care Compliance

Caitlin Pardue

The current complexities of the False Claims Act and the Affordable Care Act have impacted the rise of government enforcement of fraud and abuse laws within health care entities. Yet this rise in enforcement does not adequately address efforts focused on preventing unintentional violations from occurring. For this reason, the current health care regulation landscape calls for an additional strategy to reduce fraud and abuse violations: establishing a compliance audit privilege.

This Comment analyzes the peer review privilege established in the Patient Safety Quality Improvement Act of 2005 (PSQIA), which established a privilege for data collected to improve patient safety, and suggests that a compliance audit privilege fulfills a similar goal. Although there are several differences between patient safety data and compliance audit data, this Comment argues that such differences should not preclude Congress from enacting a compliance audit privilege because compliance and patient safety have compelling similarities. The PSQIA and compliance audits both aim to improve quality and compliance through proactive efforts collecting data, performing ongoing root cause analyses, and encouraging a culture of openness within a health care entity. Because of these similarities, the benefits seen from the PSQIA privilege are likely to be experienced in improved compliance if a compliance audit privilege is recognized.

[Page 1140]

Health care in America is in a state of transformation. The rise of technology is transforming the doctor-patient relationship,¹ the Affordable Care Act is transforming the way health care is provided and paid for,² and the focus on quality of care is transforming the way health care is measured.³ However, throughout this time of change, the desire to create an efficient, affordable, and effective health care system has remained constant.

One way to improve efficiency, affordability, and quality in our health care system is to ensure all health care entities⁴ have robust compliance programs. Compliance with federal regulations promotes efficiency and affordability because it protects against wasteful or fraudulent spending; compliance also improves quality by streamlining disease management systems, reducing medical malpractice incidents, and improving data privacy.⁵ One crucial component to compliance programs is compliance audits; auditing provides a comprehensive review of a health care entity's compliance program, including evaluation of compliance policies, identifying and managing risk, and recognizing areas for additional personnel training.⁶

However, the recent rise of False Claims Act (FCA) enforcement has stifled efforts to promote robust internal compliance audits because health care entities fear these types of audits are discoverable in potential future litigation.⁷ This Comment argues that the current lack of privilege for compliance audits creates an unnecessary barrier to improving health care costs and quality. Because the predicted quality improvements facilitated by a privilege outweigh

[Page 1141]

the need for the information to be discoverable in potential future litigation, Congress should legislate a privilege for compliance auditing.

Health care entities have much to fear in potential future litigation due to the government's zealous enforcement of the FCA.⁸ The FCA was enacted after the Civil War and creates liability for anyone who submits a fraudulent payment claim to the government.⁹ Since that time, the FCA has grown in complexity and has been utilized to enforce multi-million dollar penalties and settlements against health care entities for submitting such fraudulent payment claims.¹⁰

For most FCA violations, actual knowledge of a violation is not required to establish liability.¹¹ While intentional fraud continues to occur, the government¹² is also aggressively enforcing the FCA against unintentional mistakes that result in FCA liability.¹³ As a result, a hospital entity may be subjected to enormous penalties for a violation it had no knowledge of, regardless of good faith efforts to comply with the complex array of regulations.¹⁴

Unintentional violations are distinctly different from intentional fraud because unintentional violations are often the result of negligence, confusion in

[Page 1142]

a statute's application, or simply a difference in interpreting a regulation.¹⁵ Because of these complexities, compliance programs provide important ongoing oversight to reduce negligence and confusion, as well as to identify areas of problematic interpretation.

While the threat of liability is a powerful incentive for health care entities to avoid both intentional and unintentional violations, aggressive enforcement and huge penalties are unlikely to be as effective for unintentional mistakes as for intentional fraud.¹⁶ Unlike intentional fraud, unintentional acts are likely to be conducted by entities already trying to comply with the law.¹⁷ Without ongoing compliance oversight, it is likely that unintentional FCA violations will continue to occur, costing the government and ultimately the taxpayer.¹⁸

However, while it is critical for health care entities to institute robust compliance programs, the current adversarial relationship between the regulated entities and the government regulators impedes this goal. Although health care entities already spend significant resources on compliance programs,¹⁹ health care providers remain fearful of reporting potential violations to compliance officers because health care providers continue to view such officers as adversaries.²⁰ Therefore, efforts to lessen fear and create a more cooperative relationship between the government and health care entities have become a necessary reality.²¹ This Comment will explore the

[Page 1143]

establishment of a privilege for compliance auditing, which is but one tool to promote such openness and cooperation.

This Comment is divided into five parts. Part I describes recent FCA violations within the health care context and explores the recent increase of government enforcement of these violations. Part II then illustrates several ways that compliance auditing is likely to identify current FCA violations and to prevent future FCA violations from occurring; it then discusses potential conflicts with discoverability of audit reporting. Part III describes existing privileges in FCA actions, concluding that existing privileges are unlikely to provide meaningful protection to compliance audits. Part IV explores a current federal privilege for patient-safety data under the Patient Safety and Quality Improvement Act. Part V discusses the differences and similarities between patient-safety efforts and compliance, and concludes that the benefits associated with the patient-safety privilege are likely to benefit compliance in a similar way. Finally, Part VI explores challenges unique to compliance and concludes that, while unlikely to solve all fraud and abuse problems, such a privilege will significantly decrease FCA violations and improve overall compliance for health care entities.

This Part will describe the False Claims Act and recent trends in government enforcement of the Act. This Part will then discuss the differences between intentional and unintentional acts that result in FCA violations and suggest that fear of liability may not be an effective deterrent for unintentional mistakes. This Part concludes with an analysis of two especially complex fraud and abuse laws, the Stark Law and the Anti-Kickback Statute, and an analysis of how the Affordable Care Act has impacted these laws.

The FCA is a federal statute that imposes liability on a person or entity that submits false or fraudulent payment claims to the government.²² In the health care context, a program that bills the Centers for Medicare & Medicaid Services (CMS)²³ for any services not permitted by CMS regulations is in

[Page 1144]

violation of the FCA.²⁴ This includes billing for services not actually provided, misrepresenting services or treatments provided, or services or treatments that are defined by CMS as not medically necessary.²⁵

A. Current Government FCA Enforcement Methods Risk Regulatory Disorder

The government enforces FCA violations in two ways: the government may bring a FCA action against an entity or individual, or it may intervene in a private individual's case against an entity or individual.²⁶ A private individual, called a relator or whistleblower, may bring a civil action against an entity or individual for violating the FCA on behalf of the United States under the FCA's qui tam provisions.²⁷ The United States can intervene in such an action and assume primary responsibility, or the relator may proceed with the action if the government declines to intervene.²⁸ Private individuals have a strong financial incentive to file qui tam actions; if the government intervenes, a relator may share in 15%-25% of the award and may receive 25%-30% of the award if the government does not intervene.²⁹ This incentive has been touted as

[Page 1145]

an important tool for government enforcement, but it may also result in excessive enforcement.³⁰ When considering the incentives and the optimal quantity of litigation from a law and economics analysis, excessive enforcement occurs when the costs of controlling socially undesirable acts—in this case, violating the FCA—is greater than the social benefits associated with reducing the undesirable act from occurring.³¹ Said another way, excessive enforcement occurs "when the violator of a legal rule suffers excessive harm—or more harm than is necessary for optimal deterrence—from the actual implementation of that rule."³² Excessive enforcement is a concern because it risks...