Additionally, the civil False Claims Act prohibits knowingly presenting or causing the presentation of a false, fictitious or fraudulent claim for payment to the U.S. government. Actions under the False Claims Act may be brought by the Attorney General or as a qui tam action by a private individual in the name of the government. Violations of the False Claims Act can result in very significant monetary penalties, including $11,181-$22,363 (adjusted annually for inflation) for each false claim and treble the amount of the government’s damages. The federal government continues to use the False Claims Act, and the accompanying threat of significant liability, in its investigations and prosecutions of pharmaceutical and biotechnology companies throughout the U.S. Such investigations and prosecutions frequently involve, for example, the alleged promotion of products for unapproved uses and other sales and marketing practices. The government has obtained multi-million and multi-billion dollar settlements under the False Claims Act in addition to individual criminal convictions under applicable criminal statutes. Given the significant size of actual and potential settlements, it is expected that the government will continue to devote substantial resources to investigating healthcare providers’ and manufacturers’ compliance with the False Claims Act and other applicable fraud and abuse laws.
The U.S. federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, includes a fraud and abuse provision referred to as the HIPAA All-Payor Fraud Law, which imposes criminal and civil liability for executing a scheme to defraud any healthcare benefit program, or knowingly and willfully falsifying, concealing or covering up a material fact or making any materially false statement in connection with the delivery of or payment for healthcare benefits, items or services. Similar to the federal Anti-Kickback Statute, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation.
We may also be subject to data privacy and security regulation by both the federal government and the states in which we conduct our business. HIPAA, as amended by HITECH, and its implementing regulations, including the final omnibus rule published on January 25, 2013, imposes certain requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s privacy and security standards directly applicable to “business associates,” defined as independent contractors or agents of covered entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity. HITECH also increased the civil and criminal penalties that may be imposed against covered entities, business associates and possibly other persons, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorney’s fees and costs associated with pursuing federal civil actions. Penalties include up to $55,910 per violation (with a maximum fine of $1,677,299 per per violation category per year) (adjusted for inflation) and ten years in prison.
We may also be subject to federal transparency laws, including the federal Physician Payment Sunshine Act, which was part of the ACA and requires manufacturers of certain drugs and biologics, among others, to track and disclose payments and other transfers of value they make to U.S. physicians and teaching hospitals, as well as physician ownership and investment interests in the manufacturer. This information is subsequently made publicly available in a searchable format on a CMS website. Failure to disclose required information may result in civil monetary penalties of up to an aggregate of $165,786 per year (or up to an aggregate of $1,105,241 per year for “knowing failures”) (adjusted for inflation), for all payments, transfers of value or ownership or investment interests that are not timely, accurately and completely reported in an annual submission. Certain states also mandate implementation of compliance programs, impose restrictions on drug manufacturer marketing practices and/or require the tracking and reporting of gifts, compensation and other remuneration to physicians and/or other healthcare providers.
Finally, as noted above, analogous state laws and regulations, such as, state anti-kickback and false claims laws may apply to sales or marketing arrangements and claims involving healthcare items or services reimbursed by non-governmental third-party payors, including private insurers. Some state laws require pharmaceutical companies to comply with the pharmaceutical industry’s voluntary compliance guidelines and the relevant compliance guidance promulgated by the federal government in addition to requiring drug manufacturers to report information related to payments to physicians and other healthcare providers or marketing expenditures. Similarly, many states also have laws governing the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts.