logo - Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations.

Guide to Selecting an Independent Review Organization (IRO) for Your Corporate Integrity Agreement (CIA)

Download PDF


Pierce the Corporate Veil — Are You Personally Liable for a UPIC Overpayment?

Download PDF

Can the Government Pierce the Corporate Veil?(Updated January 9, 2021): Owners of healthcare companies often wonder whether the government can pierce the corporate veil and try to hold the owners personally liable for overpayment claims when facing a program integrity audit by a Unified Program Integrity Contractor (UPIC). [1] This rarely happens, but assuming that a provider does not prevail in the administrative appeal process, one way for the government to try and collect monies owed by a bankrupt health care entity would be to try and pierce the corporate veil.  A health care entity is usually owned by one or more individual owners. These owners often organize the company into an entity such as a corporation or Limited Liability Company (LLC). This is specifically done to limit each individual owner’s personal liability. Owners of incorporated health care providers can only be found personally liable for their companies’ debts to the Centers for Medicare & Medicaid Services (CMS) in certain very narrow circumstances, one of which is piercing the corporate veil.

I.  Will the Government Seek to Pierce the Corporate Veil?

The legal doctrine of piercing the corporate veil allows creditors to reach through the corporate structure and collect their debts from shareholders or similar owners. This doctrine is not unique to healthcare. In fact it is a potential way for all creditors to collect debts from individual entity owners.

CMS and its contractors rarely seek to pierce the corporate veil, and courts also tend to disfavor the practice. Veil piercing depends on facts that by their nature are difficult to prove in court. The burden of proving the facts is always on the creditor. Even though it may be difficult for a creditor to prove these facts exist, it is still important to know how a creditor could pierce a healthcare corporation’s “veil” to prevent individual owner liability. Creditors must prove specific factors to justify imposing liability on owners for a provider’s debts to CMS, including the following:

  1. Defective Incorporation: If the legal statutory requirements for organizing the corporation or LLC are not met, no corporation exists to shield owners from liability.

  2. Ignoring the Separateness of the Corporation: Entering into contracts and otherwise transacting business variously in a corporate name and an individual name can justify piercing the corporate veil. Commingling corporate and individual assets, transferring assets between the provider and an owner without formalities, or transferring assets between the provider and a sister company, can also suggest the owners did not respect the separate nature of the entity, potentially allowing CMS to pierce the corporate veil.

  3. Significant Undercapitalization: A corporation must have a reasonably sufficient amount of capital to pay its expected debts. Undercapitalization is grounds to impose liability on the owners.

  4. Excessive Dividends or Other Payments to Owners: When owners are actually working for a corporation, they can usually pay themselves fair compensation, as long as it is clearly characterized as salary or wages. However, additional dividends and other non-compensation distributions can only be safely taken out by an owner to the extent the distributions reflect profits. If an owner takes non-compensation distributions exceeding profits, these distributions constitute a return of capital and can give rise to an undercapitalization claim by a corporate creditor. If such distributions are made when the corporation is insolvent, the creditors’ claims against the owner will be almost impossible to defend.

  5. Misrepresentation and other Unfair Dealings with Creditors: Deceptive practices such as dishonesty, false statements to corporate creditors, and asset concealment can make owners liable for corporate debts.

  6. Absence or Inaccuracy of Records: If corporate records are missing or inaccurate, this can form a basis to pierce the corporate veil, especially if they hinder a creditor’s collection efforts against the provider.

  7. Failure to Maintain Ongoing Legal Requirements: Each state’s statutes impose annual franchise fees and report-filing requirements on corporations and similar entities. These usually have grace periods and cure provisions, but if they are neglected long enough the corporation or LLC will legally cease to exist, resulting in owner liability.

II.  Case Example Where the Government Sought to Pierce the Corporate Veil of a Home Health Agency:

In United States v. Bridle Path Enterprises, Inc., a Massachusetts Federal district court held the owners of a home health agency personally liable for the provider’s Medicare overpayment debt. The provider, Bridle Path, made payments toward the overpayment until they sold all of their assets to another provider. At the time of the sale, $64,807.84 was outstanding on the overpayment liability. The United States sought to hold Bridle Path’s owners personally liable for the Medicare overpayment, using the piercing the corporate veil doctrine. Due to the number of checks Bridle Path wrote to its owners, their home health agency, and their real-estate holding company, the court found that the owners did not treat Bridle Path as a separate corporate entity and pierced the corporate veil to hold the owners liable for the Medicare debt.

 III.  Final Remarks:

If any of the factors above exist, CMS and its Medicare contractors can seek to pierce the corporate veil of a healthcare provider’s company and collect debts from the provider’s owners. These circumstances are not typical for health care providers and are easily avoided by maintaining personal owner dealings separate from all entity business.  Do your practice’s day-to-day operations expose you to unnecessary liability?  If your business was assessed a huge fine and forced into bankruptcy, are you 100% confident that you, as the owner, will be free of individual liability? If you have any questions about this or any other health law issue, call 1 (800) 475-1906 for a complimentary consultation.

Robert W. Liles is a health care attorney experienced in handling prepayment reviews and audits.The attorneys at Liles Parker, Attorneys & Counselors at Law represent health care suppliers and providers around the country. We specialize in regulatory compliance reviews, UPIC audits of Medicare and Medicaid claims, and the defense of proposed State Medical Board disciplinary actions. Need help?  Call Robert Liles for a free consultation:  1 (800) 475-1906.


[1] For a detailed discussion of the Unified Program Integrity Contractor (UPIC) audits and investigations currently being conducted, please see our page titled: “A UPIC Audit is Serious Business — Is Your Office Prepared?” 

AbilityOne OIG Audits are Ramping-Up! Is Your Nonprofit Agency Ready for an Audit?

Download PDF

(November 11, 2020):  If you run a nonprofit company that contracts with the federal government through the AbilityOne Program, then you should be aware that inadequate compliance policies could put your nonprofit in danger of facing allegations of waste, fraud, abuse, and mismanagement, onerous audits and investigations, and even civil liability.   Under the AbilityOne Program, the federal government assigns contracts for the procurement of goods and services to qualified nonprofit agencies that meet designated requirements for direct labor performed by blind and other severely disabled individuals. The AbilityOne Program is intended to advantage the disabled by giving them the opportunity of a living wage while also reducing expenditures otherwise devoted to transfer payments for unemployed disabled persons. The AbilityOne Program is in fact designed to generate additional tax revenue by increasing the taxable income of the disabled through wages paid out under program contracts.

I.  Background of the AbilityOne Program:

The AbilityOne Program traces its origins to the New Deal era when Congress passed the Wagner-O’Day Act in 1938, which established the Committee on Blind-Made Products for overseeing the procurement of goods made in part using the labor of blind persons. The Javitz-Wagner-O’Day Act of 1971 (JWOD) expanded upon the original legislation by extending its coverage not only to the blind but other severely disabled individuals as well. The legislation also authorized the federal government to utilize AbilityOne program contracts for the procurement of services in addition to goods.

AbilityOne works with a group of special nonprofit organizations that assist in the distribution of AbilityOne contracts. In its formative years, the AbilityOne Committee relied on the National Industries for the Blind (NIB) to help administer the program. Today the NIB has been joined by SourceAmerica and the American Federation for the Blind (AFB) in a collaborative oversight role with AbilityOne. These organizations are designated as central nonprofit agencies (CNAs) that help monitor qualified nonprofits receiving contracts from the procurement list and otherwise facilitate AbilityOne’s distribution of product and service orders at a fair market price. [1]

The AbilityOne program, which has since been reconstituted as a Commission with independent agency oversight, now serves as the nation’s largest indirect employer of disabled individuals through its contracts with hundreds of qualified nonprofit agencies. Its contracts are in the aggregate worth up to $3 billion, and they provide employment and training opportunities to some 45,000 disabled individuals. [2]

II.  Rise of the AbilityOne Commission OIG:

On December 18, 2015, the Consolidated Appropriations Act of 2016 (P.L. 114-113) was passed.  Among its various provisions, Title IV, Section 401 of the legislation amended the the 1978 Inspector General Act and established a new Office of Inspector General (OIG) at AbilityOne as a designated federal entity.  As an independent agency, the AbilityOne Commission has been vested with investigatory and audit authority for the purpose of detecting waste, fraud, abuse, and mismanagement involving agency programs. The statute mandates that the Inspector General have access to all records, reports, audits, documents, and other materials relating to the inspector general’s responsibilities while further empowering the inspector general to issue subpoenas and administer oaths, affirmations, and affidavits. [3]

To safeguard against audits, investigations, and even potential lawsuits, nonprofit agencies must adhere to the full range of compliance mechanisms available to AbilityOne. These mechanisms serve two ends, that AbilityOne programs both help the federal government fulfill its procurement orders and encourage employment and training of blind and severely disabled individuals. The AbilityOne oversight framework centers upon rules regarding direct labor hours performed by disabled individuals. The JWOD implementing regulation requires that nonprofits maintain direct labor hour records for each employee, whether disabled or not, as well as separate files on the visual acuity and normal competitive employment viability of blind workers. [4] Maintaining records of direct labor hours for each employee helps to fulfill one of the most important provisions in the AbilityOne oversight framework, which is the ratio of overall direct labor hours (ODLH) of disabled to non-disabled employees. Nonprofit agencies must ensure that blind or other severely disabled individuals perform at least 75% of all ODLH per fiscal year. A NPA with disabled employees working fewer than 75% of direct labor hours contravenes the purpose of the AbilityOne program and may face probation or even exclusion from the program. [5]  The AbilityOne OIG is equipped with a number of tools at its disposal to ensure compliance in addition to those powers granted under the IG Statute.  Recent enforcement efforts taken by the AbilityOne OIG have included:

  • Issuing policy guidance highlighting the importance of regulatory compliance.
  • Conducting site inspections of nonprofit agencies funded, in part, by AbilityOne programs.
  • Reviewing annual certifications submitted by nonprofit agencies.
  • Providing training to nonprofit agencies on their obligations as a federal contractor / agency receiving federal funding.

As discussed in its Fiscal Year 2019 report on the top management and performance challenges facing AbilityOne, the OIG stated that it would need additional resources to carry out these oversight functions, an indication that in the future the OIG could, with enough funding, even more aggressively utilize these tools to target uniform compliance across the Commission’s entire contracting network. [6]  What does this mean?  In the short run, it means that this relatively new enforcement branch is working through its outstanding audit and investigative duties.  In the long run, it means that nonprofit agencies participating in the AbilityOne program should expect to be audited and may be facing significant penalties if they are not in compliance with their program obligations.

III.  The AbilityOne OIG is Actively Making False Claims Act Referrals to the U.S. Department of Justice (DOJ):

As we have recently seen the AbilityOne OIG is actively making referrals to Department of Justice (DOJ) prosecutors around the country.  Importantly, a number of the referrals being made are for alleged violations of the civil False Claims Act.[7] The civil False Claims Act is the primary civil fraud enforcement tool utilized by the federal government.  It is an extraordinarily useful statute for government prosecutors, both in terms of ease of use and in terms of the damages that may be recovered by the government.   Under Section 3729 of the civil False Claims Act, a person or entity may be in violation of the statute if the individual or entity:

“(1) Knowingly presents or causes to be presented, to an officer or employee of the United States Government or a member of the Armed Forces of the United States a false or fraudulent claim for payment or approval;

 (2) Knowingly makes, uses or causes to be made or used, a false record or statement to get a false or fraudulent claim paid or approved by the Government;

 (3) Conspires to defraud the Government by getting a false or fraudulent claim allowed or paid;

 (4) Has possession, custody or control of property or money used or to be used, by the Government and, intending to defraud the Government or willfully to conceal the property, delivers or causes to be delivered, less property than the amount for which the person receives a certificate or receipt;

 (5) Authorized to make or deliver a document certifying receipt of property used or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true;

 (6) Knowingly buys or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government or a member of the Armed Forces, who lawfully may not sell or pledge the property; or

 (7) Knowingly makes, uses or causes to be made or used, a false record or statement to conceal, avoid or decrease an obligation to pay or transmit money or property to the Government, is liable to the United States Government . . .”

False Claims Act cases are prosecuted by the DOJ Civil Division in Washington, D.C. and by “Affirmative Civil Enforcement” (ACE) Coordinators appointed in each of the 94 U.S. Attorney’s Offices around the country. It is essential to keep in mind that the civil False Claims Act does not cover mistakes, accidents or mere negligence 

Unfortunately, the line separating a “mistake” from a non-intentional wrongful claim that could give rise to an action under the False Claims Act is not always easy to discern.  A person or entity found to have violated this statute may be liable for both civil penalties and treble damages. The amount of civil penalties that may be imposed for each false claim depends on when each was made:

  • For claims or statements made on or after August 1, 2016, but before January 1, 2017, the minimum penalty which may be assessed under 31 U.S.C. 3729 is $10,781 and the maximum penalty is $21,563.

  • For claims or statement made on or after January 15, 2017, but before June 19, 2020, the new minimum was raised to $11,181 to the maximum penalty is raised to $22,363.

  • For claims or statement made on or after June 19, 2020, the new minimum was raised to $11,665 and the maximum penalty was raised to $23,331

IV.  Is Your Nonprofit Agency Facing an AbilityOne-Related  False Claims Act Investigation?

Federal prosecutors are actively employing the False Claims Act to target nonprofit agencies that purportedly misrepresent their overall direct labor hours (ODLH) associated with AbilityOne-related set-aside contracts for the employment of blind workers. These lawsuits can result in settlements costing nonprofits hundreds of thousands or even millions of dollars.  Notably, False Claims Act liability isn’t limited only to alleged misrepresentations in annual ODLH certifications.  In one recent case, the Justice Department recovered almost $2 million in a settlement with a nonprofit agency over allegations that it misrepresented its ratio of disabled to non-disabled employees in order to attract AbilityOne contracts. [8]

Nonprofit agencies that contract with AbilityOne must be aware of their potential liability under the False Claims Act if their actual direct labor hours or other specified employee allocation ratios fail to match up with annual certifications or prior agreements and communications made with AbilityOne. The agencies most vulnerable to lawsuit are therefore not always what the legislative nomenclature characterizes as “at risk agencies.” An “at risk” agency is classified as one with ODLH below 75%, while a high risk agency has ODLH below 60%. [9] At risk or high risk agencies do not necessarily misrepresent underlying deficiencies in their ODLH compliance. Agencies alleged to have engaged in fraud or other misconduct, by contrast, do tend to have known, deliberately ignored or been recklessly ignorant of their failure to comply with ODLH requirements.  This failure may be reflected in the nonprofit agencies periodic ODLH compliance certification sheets. Nonprofit agencies not engaged in fraud but still prone to deficient compliance, such as those with below required ODLH, can still be subject to probation or even debarment from the government’s procurement list

V.  Conclusion — Moving Forward with Your AbilityOne Compliance Obligations:

Management at nonprofit agencies should be mindful of their AbilityOne-related contractual obligations with respect to the reporting of work hours and the employment of blind workers.  An organization’s failure to meet these contractual obligation actions could conceivably result in the loss of funding, the assessment of penalties and damages, and the organization being debarred from doing business with the federal government. Additionally, nonprofit agency executives signing false certification statements may face personal liability for their role in any false statements and / or misrepresentations made to the government that resulted in wrongful claims being submitted to the government for payment.  Nonprofit agency management officials should also be mindful that additional expressions of commitment made to AbilityOne for purposes of securing contracts, such as direct labor hours or employee ratios even higher than the statutory mandates, might also expose the nonprofit to fraud claims if the nonprofit fails to meet those commitments and then additionally fails to fully disclose this to AbilityOne.  Finally, nonprofit management team members must ensure that their policies and procedures will facilitate an agency’s compliance with its contractual obligations, duties and responsibilities as a participating agency in AbilityOne-related funding and blind worker employment programs.  One of the first signs that your nonprofit agency is being investigated for possible violations of the False Claims Act is the receipt of Civil Investigative Demand (CID) from the government.  As discussed in one of our other articles, a CID, it is important that you retain experienced legal counsel if your agencies is ever targeted by the government under the False Claims Act.  Our attorneys have extensive experience handling False Claims Act matters and cases.  For a free consultation, give us a call:  (202) 298-8750.  We represent individuals and entities nationwide in these types of cases and others brought under the False Claims Act.

Robert W. Liles represents nonprofit agencies in AbilityOne OIG Audits Is your nonprofit agency being audited by AbilityOne OIG?  If so, give us a call.  We can help.  For a free consultation, call:  1 (800) 475-1906.   

[1] 41 U.S.C. § 8503. The statute further mandates that the Committee maintain a procurement list for both products and services from which it assigns orders to qualified nonprofits. These nonprofits are in turn grouped into two categories, those that employ the blind and those that employ the other severely disabled. As with other agencies, the Committee is charged with issuing regulations in furtherance of its responsibilities under the statute.

[2] AbilityOne Commission. “Ability One – Milestones.”

[3] 5 U.S.C. § 6. The IG Statute enumerates additional powers, including the requesting of assistance or information from other government agencies and entering contracts with outside parties to carry out its audit and investigatory functions. These powers uniformly apply to all agency IGs, including that for AbilityOne OIG.

[4] 41 C.F.R. § 51-4.3. The direct labor hours reporting rules and additional review requirements for blind individuals represent only a few of the compliance standards imposed on nonprofit agencies. The regulation includes additional requirements, such as those concerning the compensation, employment, and occupational health and safety standards prescribed by the Secretary of Labor, as well as placement programs in coordination with community services.

[5] Some exceptions for below 75% ODLH do apply, depending on the circumstances and at the discretion of the Commission. The Commission is more tolerant of relaxing the requirement if doing so still encourages the employment of disabled persons for specialized projects while also permitting the federal government to meet its procurement orders.

[6] AbilityOne OIG.  Top Management and Performance Challenges Report. December 2, 2019.

[7] 31 U.S.C. § 3729.

[8] See Department of Justice. U.S. Attorney’s Office for the Eastern District of Wisconsin Press Release titled: “Wisconsin-Based Nonprofit to Pay $1.9 Million To Settle Allegations of False Claims and Kickbacks On Federal Contracts for Blind Workers.” September 30, 2020.  In an earlier 2019 case out of the Western District of Tennessee, the government settled another False Claims Act against a different defendant for $150,000. The Press Release announcing this settlement is titled: “Memphis Goodwill Industries, Inc. will pay $150,000 to the United States for claims that were in violation of the False Claims Act.” June 19, 2019.

[9] U.S. AbilityOne Commission. “Nonprofit Agencies Out of Compliance with Commission Regulations.” Policy 51.403. March 22, 2013.

Have You Received a Civil Investigative Demand (CID)? How Should a Health Care Provider or Supplier Respond When Receiving a Civil Investigative Demand?

Download PDF

Have you received a Civil Investigative Demand? Call Liles Parker for assistance. 1 (800) 475-1906.(March 3, 2020):  In recent years, Federal prosecutors around the country have increasingly relied on Civil Investigative Demands when investigating civil False Claims Act matters and cases.[1]  It’s easy to see why the government has continued to focus its civil enforcement efforts on alleged violations of the False Claims Act. Let’s look at the numbers — it’s been another banner year for the civil False Claims Act.  According to the Department of Justice (DOJ), the government secured more than $3 billion in settlements and judgments in False Claims Act cases for Fiscal Year ending September 30, 2019.  More than $2.6 billion of this $3 billion is related to health care matters and cases.  As DOJ notes, this is the tenth consecutive year that health care False Claims Act settlements and judgments have exceeded $2 billion.  As these statistics show, health care providers and suppliers are the primary targets of both whistleblower and government-initiated actions under the False Claims Act.[2] To investigate alleged violations of the False Claims Act, Federal prosecutors have been increasingly relying on Civil Investigative Demands as a pre-litigation discovery tool.  This article examines the government’s current use of Civil Investigative Demands in health care False Claims Act matters and cases and discusses the steps you should take if you are the recipient of one of these administrative subpoenas.

I.  What is a Civil Investigative Demand?

A Civil Investigative Demand is a formal administrative subpoena that is issued by an Assistant U.S. Attorney (or a DOJ Civil Division Trial Attorney) in connection with the government’s investigation of a False Claims Act matter or case.  In the context of a government-initiated False Claims Act investigation, this discovery tool by prosecutors to assist them in deciding whether or not to file suit under the statute.[3]  Alternatively, if a False Claims Act case has already been filed by a whistleblower, DOJ prosecutors may choose to issue one or more Civil Investigative Demands to gather additional information that may be necessary to decide whether or not to intervene in the qui tam[4] case that has been filed.  Under 31 U.S.C. § 3729-3733(1)(A)-(D), the government can use a Civil Investigative Demand to require a person:

(A) to produce such documentary material inspection and copying,

(B) to answer in writing written interrogatories with respect to such documentary material or information,

(C) to give oral testimony concerning such documentary material  or information, or

(D) to furnish any combination of such material, answers, or testimony.

 II.  The Evolution of Civil Investigative Demands:

  • False Claims Amendments of 1986.

With the passage of the “False Claims Amendments of 1986,” [5] the Attorney General of the United States was given the authority to issue Civil Investigative Demands in connection with the investigation of civil False Claims Act matters. Unfortunately, this discovery tool was only infrequently utilized by DOJ due to the fact that the Attorney General had to personally authorize a Civil Investigative Demand before it could be issued.  From a practical standpoint, this restriction made it very difficult for line prosecutors to utilize this discovery tool.  In order to do so, an Assistant U.S. Attorney would have to traverse multiple levels of DOJ management in order to even present a Civil Investigative Demand request for the consideration of the Attorney General.  Not surprisingly, only significant, large-dollar loss False Claims Act matters typically made it to this level and resulted in the issuance of a Civil Investigative Demand.

  • Fraud Enforcement and Recovery Act of 2009, P.L.111-21 (FERA).

On May 20, 2009, the “Fraud Enforcement and Recovery Act of 2009”[6] was signed into law by President Obama. Among its provisions, FERA greatly modified the rules under which Civil Investigative Demands could be issued.  Under FERA:

Delegation of Civil Investigative Demand Issuance Authority – Under FERA, the Attorney General can delegate his / her authority to Issue Civil Investigative Demands in False Claims Act matters and cases. In practice, the authority to issue a Civil Investigative Demand has now been delegated to Assistant U.S. Attorneys investigating alleged violations of the False Claims Act.

Sharing of Information Obtained Using a Civil Investigative Demand with a Qui Tam Relator – FERA permitted the Attorney General (or Designee) to share information obtained using a Civil Investigative Demand with a qui tam relator if the Attorney General (or Designee) determines it is necessary to do so as part of any False Claims Act investigation.[7]

The redelegation of authority to issue Civil Investigative Demands from the Attorney General to a designee was immediately met with opposition from a variety of industry groups.  By letter dated July 13, 2009, several dozen national associations and large corporate entities (ranging from the American Hospital Association to Exxon Mobile Corporation), wrote to Attorney General Eric Holder to express their concerns that the redelegation of issuance authority may lead to problems with:

“consistency, coordination, institutional memory, and a variety of other issues that overbroad delegation would raise.”[8]

Ultimately, the Attorney General did, in fact, choose to delegate the authority to issue Civil Investigative Demands to U.S. Attorneys around the country.[9] U.S. Attorneys have further redelegated this authority to Assistant U.S. Attorneys in their offices.

III.  Can Information Obtained Through a Civil Investigative Demand be Shared with Criminal Prosecutors?

The short answer is “Yes,” documentary materials, answers to interrogatories and transcripts of oral testimony obtained under a Civil Investigative Demand can be shared with criminal prosecutors.   In fact, all of the information gathered through a Civil Investigative Demand can be used for “official use” in “furtherance of a Department of Justice investigation or prosecution of a case.”[10]

A common concern expressed by defendants in a case is that perhaps the government is using the civil investigative process (such as the issuance of a Civil Investigative Demand) as a “stalking horse” to obtain information, answers to interrogatories and civil testimony in a case that would be unavailable (or not easily obtainable) if the case were pursued criminally.  Unless a defendant is able to show that a civil action has been brought solely to obtain evidence for a criminal prosecution, courts have not been sympathetic to the stalking horse argument.[11]

For additional guidance on the risks presented when dealing with parallel civil and criminal investigations, you may wish to review our article titled A Civil Investigative Demand Issued to You or Your Medical Practice is Serious Business. Understand Your Level of Risk Before Responding to the Government’s Investigation.”

IV.  How Should a Health Care Provider or Supplier Respond When Receiving a Civil Investigative Demand?

Upon receipt of a Civil Investigative Demand, you should immediately contact experienced legal counsel to guide you in your response.  When selecting legal counsel, it is essential that that ensure that the attorney representing you is both experienced and knowledgeable with respect to the use of the Civil Investigative Demands and the government’s use of the False Claims Act.  For example, is the attorney a former Assistant U.S. Attorney?  Is the attorney an experienced False Claims Act lawyer?  Has the attorney recently represented physicians and other health care providers in responding to a Civil Investigative Demand? Does the attorney have experience managing large, complex document productions in a cost-effective fashion? Has the attorney provided a thorough explanation of the subpoena response process?  Once you have selected a qualified, experienced attorney to represent your interests, legal counsel will likely take the following actions:

  • Instruct you to refrain from engaging in any document destruction activities until the full scope of the government’s inquiry can be determined. You want to avoid taking any action that could be misconstrued as obstruction of justice.
  • Carefully review the specifications of the Civil Investigative Demand and work with you to determine where responsive documents, electronic records and other materials may be located.
  • Contact the issuing Assistant U.S. Attorney and obtain an extension (if necessary) so that you can comply with the government’s requests. Your legal counsel may also be successful in getting the government to narrow the scope of documents being sought and may be able to learn how the government views your role (and potential exposure) in the current False Claims Act case. For instance, does the government view you as a target,   a subject or a witness of their investigation. 
  • Conduct a privileged, internal review of your business arrangements, medical records, coding and billing practices (the nature of the internal review will depend in large part on the focus of the government’s investigation as reflected by the specification of the Civil Investigative Demand). To the extent that you do, in fact, have a problem, your attorney will likely want to obtain a clear picture of the nature and scope of any overpayment or improper conduct so that remedial action can be taken.
  • Depending on the internal review findings, is there potential criminal exposure in this case?

Liles Parker attorneys have extensive experience representing health care providers and suppliers in government audits and investigations. Several of our attorneys are former prosecutors and are highly experienced handling False Claims Act matters and cases.  If you are the recipient of a Civil Investigative demand it is imperative that you immediately contact qualified, experienced counsel to represent you when responding to this administrative subpoena.  For a free consultation, please give us a call at:  1 (800) 475-1906.

Civil Investigative Demand Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with False Claims Act issues and investigations.  Are you the recipient of a Civil Investigative Demand?  If so, we can help.  For a free initial consultation regarding your situation, call Robert at: 1 (800) 475-1906.

[1] 31 U.S.C. § 3729-3733.

[2] Notably, most of these False Claims Act recoveries were generated by whistleblower actions.  A total of 633 new whistleblower cases were filed in FY 2019.  In contrast, the government filed 146 new False Claims Act cases in FY 2019 (where no whistleblower was involved).

[3] A Civil Investigative Demand can only be issued by a Federal prosecutor prior to the government filing of a False Claims Act case or making a decision whether to intervene or not intervene in a case.  After a case is filed or an election is made, the government may only utilize traditional civil litigation discovery tools.

[4] In a “Qui Tam” action, a private party, referred to as a “Relator” (or more commonly as a “Whistleblower”) files a case under the civil False Claims Act on behalf of the government.  If a qui tam action is successful, the Relator can receive up to 25% of the recovery (in an intervened case) or up to 30% of the recovery (in a non-intervened case).

[5] Public Law 99-562, 100 Stat. 3153 (October 27, 1986), reprinted in, 10A USCCAN (December 1986). A copy of the False Claims Act Amendments of 1986 can be found at: https://www.govinfo.gov/content/pkg/STATUTE-100/pdf/STATUTE-100-Pg3153.pdf

[6] Public Law 111-21, 123 Stat. 1616 (May 20, 2009).  A copy of the Fraud Enforcement and Recovery Act of 2009 can be found at: https://www.congress.gov/bill/111th-congress/senate-bill/386/text

[7] Prior to the passage of FERA, the Attorney General was only able to share information obtained using a Civil Investigation Demand after obtaining authorization to do so from a U.S. District Court, after showing “substantial need” that the sharing of the information was in “furtherance of its statutory duties.”

[8] Letter from associations and industry representatives to Attorney Eric Holder, dated July 13, 2009.  https://www.nacdl.org/getattachment/746c7dca-6386-4e47-a980-717132ee21e0/cidscoalitionletter.pdf

[9] 28 C.F.R. Part 0, Subpart Y and Appendix.  https://www.law.cornell.edu/cfr/text/28/appendix-to_subpart_Y_of_part_0

[10] 31 U.S.C. § 3733(l)(8).

[11] See United States v. Kordel, 397 U.S. 1, 11 (1970).  Also see United States v. Stringer, No. 06-30100 (9th Cir. Apr. 4, 2008). In the Stringer case, the 9th Circuit reversed a lower court decision to dismiss a criminal indictment based on the government’s alleged violation of the defendant’s due process rights resulting from improper behavior when conducting a parallel civil / criminal investigation.

A Disruptive Conduct Conviction Can Result in a Medicare Exclusion.

Download PDF

A Disruptive Conduct Conviction Can Have Serious Adverse Consequences(January 6, 2020):  For almost 40 years, the Department of Health and Human Services (HHS), Office of Inspector General (OIG) has been delegated responsibility for pursuing exclusion actions against individuals and entities that have been convicted of one or more enumerated crimes, engaged in certain improper conduct or have been subjected to an adverse licensure action. Depending on the nature of the specific adverse action taken against an individual or entity, the OIG may or may not be required by law to exercise its exclusion authority.  Exclusion is the most severe administrative sanction that may be taken against an individual or entity.  If you are excluded from participation in the Medicare, Medicaid and other federal health benefit programs you are effectively prohibited from being paid by for any items or services that you furnish, order or prescribe.  Equally important, you may not be employed or contract with an individual or entity that participates in one or more federal health benefits programs.  This article examines a recent state based, non-felony disruptive conduct conviction that resulted in an individual’s exclusion from federal health benefit programs.

I.  Factual Basis for the Disruptive Conduct Conviction:

In a recent case out of New York, a licensed practical nurse (LPN) was employed by a long-term care facility providing rehabilitation and nursing home services.  It was alleged that in September 2015, a resident of the facility had received the wrong medications and that the LPN had failed to advise a transporting ambulance service of medication error.  Ultimately, the patient’s ingestion of the wrong medications contributed to her death.  After an investigation of the conduct by New York’s Medicaid Fraud Control Unit, a New York state grand jury indicted the LPN for:

  • Two Counts — Endangering the Welfare of an Incompetent or Physically Disabled Person in the First Degree, a Class E Felony, in violation of Penal Law § 260.25; and

  • Two Counts — Willful Violation of Health Laws, in violation of Public Health Law § 12?b(2), an unclassified misdemeanor.

In December 2018, the LPN pleaded guilty to a single amended count of Disorderly Conduct (in violation of section 240.20(7) of the N.Y. Penal Law, an unclassified misdemeanor).  As set out under the state statute, under N.Y. Penal Law § 240.20(7):

“[a] person is guilty of disorderly conduct when, with intent to cause public inconvenience, annoyance or alarm, or recklessly creating a risk thereof . . . [sh]e creates a hazardous or physically offensive condition by any act which serves no legitimate purpose.”[1]

As part of her plea agreement, the LPN stated that she recklessly created a risk of a hazardous condition by not providing adequate care to [the nursing home resident].” Based on the LPN’s guilty plea, a New York state court sentenced her to a one-year conditional discharge and assessed fees of $95.00.

II.  Can a Disruptive Conduct Conviction be a Basis for a Medicare Exclusion Action?

In October 2019, the OIG notified the LPN that based on her New York disruptive conduct conviction, she was being excluded from participation in Medicare, Medicaid, and other federal health programs under section 1128(a)(2) of the Social Security Act (Act) (42 U.S.C. § 1320a-7(a)(2)) for the minimum statutory period of five years. As 42 U.S.C. § 1320a-7(a)(2)[2] provides:

“(2) Conviction relating to patient abuse.  Any individual or entity that has been convicted, under Federal or State law, of a criminal offense relating to neglect or abuse of patients in connection with the delivery of a health care item or service.”  (emphasis added).

In response to the proposed exclusion action, the LPN filed a timely appeal and sought review of the action by an Administrative Law Judge (ALJ).  In her arguments, she reasonably argued that a disruptive conduct conviction was considered to be a violation NOT a crimeunder New York state law.  In support of her position, she submitted written statements from several lawyers that concluded that her violation[3] was not considered to be a criminal offense under New York state law.

Moreover, in its pleadings, the OIG acknowledged that “the disorderly conduct statute under which Petitioner pled guilty does not, on its face, specifically encompass neglect of a patient. . .”  Nevertheless, the OIG argued that the “allegations forming the basis of [LPN’s] guilty plea establish that her conduct clearly relates to neglect.”

In deciding this case, the ALJ examined both the “criminal offense” and “patient neglect” issues discussed above to determine whether OIG was mandatorily obligated to exclude the LPN from participation in federal health care programs pursuant to 42 U.S.C. § 1320a-7(a)(2)).  As the ALJ decision found:

Pursuant to section 1128(i) of the Act (42 U.S.C. § 1320a-7(i)), an individual is convicted of a criminal offense when:  (1) a judgment of conviction has been entered against him or her in a federal, state, or local court, regardless of whether an appeal is pending or whether the record of the conviction is expunged; (2) there is a finding of guilt by a court; (3) a plea of guilty or no contest is accepted by a court; or (4) the individual has entered into any arrangement or program where judgment of conviction is withheld.” (emphasis added).

Based on 42 U.S.C. § 1320a-7(i)(3), the ALJ ruled that the action against the LPN did, in fact, meet the federal definition of a “conviction” of a criminal offense, even though the ultimate plea (to an “Information”) would not be considered a criminal offense under New York state law.  Furthermore, since the LPN’s disruptive conduct conviction resulted from her failure to report a medication error (which contributed to the death of a resident), the conviction took place in connection with the delivery of a health care item or service.  As such, the action required that the LPN be mandatorily excluded from federal health benefits programs for a minimum statutory period of five years under 42 U.S.C. § 1320a-7(a)(2).  For additional information on the impact of “exclusion” on a health care provider’s ability to seek payment for services provided to individuals covered by a federal health benefit program, we recommend that you review the following linked article.

III.  Recommendations:

As this case reflects, for the purposes of making an exclusion action determination, the definition of what constitutes a criminal offense under federal law is broadly defined and is not subject contradictory definitions under state law.  As a result, a New York state conviction that constitutes a mere violation and is not considered to qualify as a criminal offense still triggered the imposition of a mandatory exclusion from federal health benefit programs.

This case illustrates one of the many unexpected adverse consequences that a health care provider or supplier may face when accepting a plea deal in a criminal case.  Although the imposition of a mere violation by the state of New York was a likely viewed as a significant victory by both the defendant and her legal counsel, it ultimately resulted in the LPN’s exclusion from participation in federal health care programs for a period of five years.  From a practical standpoint, being excluded from the Medicare and Medicaid programs will make it extremely difficult for the LPN to find employment.

How should you respond in a case like this?  First and foremost, you need to fully be advised of the various implications you may face if you accept a plea deal from the state that results in a misdemeanor or felony conviction.  Although on its face a plea deal may appear to be a significant “win” for a defendant, the implications of accepting such a plea may effectively derail a health care provider’s career for many years.

Are you a health care provider or supplier currently considering a plea agreement? We recommend that you seek the advice of experienced legal counsel before taking a plea.  You need to fully understand the administrative consequences that are likely to be triggered as a result of your plea.  For a free initial consultation, please contact Robert Liles at 1 (800) 475-1906.  

Robert W. Liles represents physicians in disruptive conduct conviction cases. Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with audits, investigations and prosecutions.  Are you considering a possible plea agreement?  Have you fully considered the possible administrative consequences of entering into a plea agreement? Are you facing a proposed exclusion action? [4] Give us a call.  For a free initial consultation regarding your situation, call Robert at: 1 (800) 475-1906.

[1] https://www.nysenate.gov/legislation/laws/PEN/240.20

[2] https://www.law.cornell.edu/uscode/text/42/1320a-7

[3] A similar case where the OIG addressed the impact of a conviction to an “Information,”  please see the article titled “A State Conviction for “Patient Neglect” Will Result in Mandatory Exclusion from Participation in Federal Health Benefit Programs.” 

[4] For an overview of the administrative exclusion process, please see our page titled “OIG Exclusion Actions — Mandatory and Permissive Exclusion Authorities.”


A Civil Investigative Demand Issued to You or Your Medical Practice is Serious Business. Understand Your Level of Risk Before Responding to the Government’s Investigation

Download PDF

(September 17, 2019): The False Claims Act (31 U.S.C. §§ 3729-3733) is the primary civil enforcement tool relied on by the Federal government. It has a long and storied history, going back all the way to the Civil War.[1]  Prior to 1986, the statute was only infrequently utilized by law enforcement. That changed with the enactment of the “False Claims Amendments Act of 1986.”[2]  Among its many changes, the 1986 Amendments Act authorized the Attorney General to issue Civil Investigative Demands in connection with the investigation of False Claims Act cases.  Over the years, Civil Investigative Demands have greatly bolstered the effectiveness of the government’s ability to examine alleged violations of the False Claims Act.[3]

In 2009, Congress further expanded the use of Civil Investigative Demands when it passed the “Fraud Enforcement and Recovery Act of 2009”[4] (FERA).  Among its various provisions, FERA authorized the Attorney General to delegate his authority to issue Civil Investigative Demands to other Department of Justice (DOJ) officials. The Attorney General subsequently issued a directive in 2010 which delegated his authority to issue Civil Investigative Demands to the Assistant Attorney General for the Civil Division.  This directive also permitted the Assistant Attorney General for the Civil Division to redelegate the authority to issue Civil Investigative Demands to other DOJ Officials, including United States Attorneys.[5]

From a practical standpoint, the redelegation of authority to issue Civil Investigative Demands from the Office of the Attorney General to the 94 United States Attorneys Offices has greatly expanded the issuance of Civil Investigative Demands around the country.  This article examines the government’s use of Civil Investigative Demands as an investigative tool and discusses the steps you should take if the government issues one to you or your health care organization.

[For additional guidance on the risks presented when dealing with parallel civil and criminal investigations, you may wish to review our article titled “Have You Received a Civil Investigative Demand (CID)? How Should a Health Care Provider or Supplier Respond When Receiving a Civil Investigative Demand?]

I.  What is a Civil Investigative Demand?

A Civil Investigative Demand is essentially a judicially enforceable administrative subpoena[6] that can be issued by a Federal prosecutor to obtain documentary materials and other information that may be in your possession, custody or control that the government believes may be relevant to an investigation of possible violations of the False Claims Act.  A Civil Investigative Demand is only issued in connection with an ongoing False Claims Act investigation.

When issued to you or your medical practice, this investigative tool can be used to require that the subject (recipient individual or entity) of a Civil Investigative Demand:

  • Produce such documentary material for inspection and copying,
  • Answer in writing written interrogatories with respect to such documentary material or information,
  • Give oral testimony concerning such documentary material or information,[7] or
  • Furnish any combination of such material, answers, or testimony.

II.  Are You or Your Medical Practice the Target of False Claims Act Investigation?

If you are sent a Civil Investigative Demand, it doesn’t necessarily mean that you are believed to have violated the False Claims Act. It’s possible that a Federal prosecutor believes that you are a mere witness or a custodian of the records or other information that is relevant to the government’s False Claims Act investigation.  If you are the subject or target of a False Claims Act investigation, it is quite common for the Assistant U.S. Attorney handing the matter to clearly identify you or your medical practice as such when issuing a Civil Investigative Demand. While the language utilized by the government may vary from case to case, letters sent to physicians and other health care providers / suppliers will typically state something along the lines of:

“This False Claims Act investigation concerns allegations that you, your medical practice, your employees, contractors, and agents, as well as other individuals or entities violated or conspired to violate the False Claims Act by submitting claims to Federal health benefit program for which you were not entitled to receive payment.”

After investigating suspected violations of the False Claims Act, the Attorney General (through his or her designee) may either bring a civil suit for violations of the False Claims Act OR elect to intervene in a qui tam case that has been brought by a private party.   Importantly, once the government either files a False Claims Act complaint or intervenes in a qui tam that has been filed, it loses its authority to issue a Civil Investigative Demand.[8]

III.  Do I have to Comply with the Requirements Set Out in a Civil Investigative Demand?

The evidence sought by a Civil Investigative Demand may be quite extensive and will likely include demands for documentary materials, electronic records and written responses to interrogatories.  Unfortunately, it may be quite costly and time-consuming for you to assemble the information requested and fully comply with the specifications set out in a Civil Investigative Demand.  Should you fail to comply with a Civil Investigative Demand, the government will likely file a petition in Federal District Court seeking judicial enforcement of the request.[9] As the government’s utilization of Civil Investigative Demands has increased, we have seen a number of challenges raised by recipients.

In one recent case, Federal prosecutors issued a Civil Investigative Demand in connection with their investigation of whether a physician had violated the Anti-Kickback Statute and Stark (which, depending on the facts, may also constitute a violation of the civil False Claims Act).[10]  The respondent recipient of the Civil Investigative Demand, a California-based orthopaedic surgeon, refused to comply with the government’s request, arguing that the DOJ lacked the authority to enforce the Civil Investigative Demand due to the fact that the government’s had allegedly entered into settlement communications with a related party.  Essentially, the respondent argued that the government’s settlement discussions with a related party constituted a determination that a basis for the physician respondent’s liability was present.  Therefore, the respondent physician took the position that the government had an obligation to move forward with litigation rather than continue to investigate.  In this case, since the government had not yet initiated a civil action and had not made an election related to actual qui tam litigation, the District Court that the Civil Investigative Demand should be enforced.

IV.  Risks Presented in Parallel Civil and Criminal Investigations of Your Conduct:

Although the issuance of a Civil Investigative Demand is reflective of the fact that a civil False Claims Act investigation is underway, it is important to keep in mind that the government may also have an open, ongoing criminal investigation related to the conduct that is under review. In recent years, this has become quite common, due in large part to more effective coordination efforts between civil litigators and criminal prosecutors in U.S. Attorneys Offices around the country.

It is the policy of the DOJ that its components (including U.S. Attorney’s Offices) employ a coordinated approach to litigating affirmative matters from the initial intake, throughout the investigation and to resolution.[11] DOJ requires “early, effective and regular communication” between all of its litigating components in order that it considers all potential remedies. Consultation between the Department’s civil and criminal attorneys, together with agency attorneys, are promoted to permit consideration of the fullest range of the government’s potential remedies and promotes the most thorough and appropriate resolution in each case. (criminal, civil, regulatory or administrative).

In some instances, concurrent criminal and civil investigations of individual misconduct are pursued. When this occurs, it is DOJ policy for the litigating components to coordinate the investigation and potential resolutions among themselves and with other stakeholders to the extent that the law permits. For example, criminal Assistant U.S. Attorneys are encouraged to use Administrative Investigative Demand (AID) subpoenas instead of Grand Jury subpoenas so that information obtained can be freely shared with their civil counterparts.  Similarly, civil Assistant U.S. Attorneys are required to share the information they obtain in response to Civil Investigative Demands and / or qui tam investigation with their criminal colleagues. Coordination is extended to all aspects of the investigation including consideration as to the apportionment of fines, penalties and/or forfeitures and the avoidance of the duplicative fines, penalties and/or forfeiture in its resolution. Parallel actions are also intended to facilitate the Department’s efforts to hold individuals as well as corporations accountable for malfeasance.

As earlier discussed, the fact that you are the recipient of a Civil Investigative Demand does not necessarily mean that you are the target of a government False Claims Act investigation. Instead, you may be considered a subject of the government’s False Claims Act investigation. Finally, you may be a mere witness.  Ultimately, a Federal prosecutor may choose to issue a Civil Investigative Demand if he or she believes that you have documentation or other materials that are relevant to the government’s investigation of possible violations of the False Claims Act.

A Civil Investigative Demand cannot be issued to investigation allegations that are solely criminal in nature (for example, the fraudulent billing of health care services to a private payor).  However, if a bona fide investigation of possible civil false claims is present, this tool can be used to investigation potential False Claims Act violations and other conduct that may constitute a violation of criminal law. In light of the nature of parallel proceedings, there are a number of risks that you should take into account when responding to a Civil Investigative Demand.  Several of these risks include:

  • Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)).  The Federal Anti-Kickback Statute[12] makes it a crime to knowingly and willfully offer, pay, solicit, or receive remuneration, directly or indirectly, overtly or covertly, in cash or in kind, to purposefully induce or reward referrals of items or services payable by a federal health care program. Simply put, it is against the law to pay or provide anything of value in an effort to induce referrals or business related to a federal health care program.  While for many years the Federal Anti-Kickback Statute and the civil False Claims Act were long viewed as separate and distinct enforcement tools, over the past 20 years, the enforcement landscape has slowly changed. Starting in the early 1990’s, whistleblowers began asserting violations of the False Claims Act in cases that would typically be pursued as a criminal anti-kickback violation.  These cases often involved fact patterns where a party was alleged to have violated the Anti-Kickback Statute and, in the process, billed for services that were allegedly medically unnecessary (or, in some instances, worthless) and made a false express and / or implied certification to the Medicare or Medicaid program.  The 2010 passage of the Affordable Care Act (ACA) obviated the need to bootstrap a violation of the Anti-Kickback Statute into a violation of the civil False Claims Act.  Under the ACA, a claim submitted in violation of the Federal Anti-Kickback Statute now automatically constitutes a false claim for purposes of the civil False Claims Act.   Providers need to keep in mind that even though a kickback violation may also be pursued under the False Claims Act, that does not preclude the government from prosecuting individuals and entities for violations of the Anti-Kickback Statute.
  • False Statements Involving Health Care Programs (18 U.S.C. § 1035). Several examples we have seen have involved the (a) the misrepresentation of the provider of a medical service, (b) the misrepresentation of a non-covered service, and / or (c) the billing of services performed by unlicensed staff. Each of these examples may give rise to criminal and / or may also be pursued under the civil False Claims Act:
  • Misrepresentation of the Provider of a Service. This improper billing practice is still commonly found in both medical and dental practices around the country. In the cases we have seen, “fraud” wasn’t the reason for the underlying misrepresentation on the CMS 1500 Claims form. In most instances, it was merely a matter of a credentialing delay.  Although we have not seen a misrepresentation case of this type referred for criminal prosecution, it is important to remember that both CMS 1500s and ADA Dental Claim Forms Claims forms are typically electronically submitted to the health plan for payment.  Depending on the facts, an aggressive prosecutor could argue that such conduct constitutes a criminal false statement under 18 U.S.C. § 1035 or even wire fraud under 18 U.S.C. §1343.
  • Misrepresentation of a Non-Coverage Service. This type of improper billing practices occurs when a medical or dental practice has mischaracterizes a non-covered service as a covered service. Keep in mind, the definition of a non-covered service varies from payor to payor. Additionally, the list of non-covered services under a specific payor’s policy may change from year-to-year.  In any event, it is important that health care providers regularly check to ensure that the services being provided qualify for coverage and payment.
  • Billing for Medical or Dental Services Performed by Unlicensed Staff. Perhaps the quickest way to get into trouble with both law enforcement and your State Medical Board or State Dental Board is to allow non-licensed individuals to provide care that may only be administered by qualified, licensed personnel. Earlier this year, the New York Attorney General’s Office announced the indictment, arrest and arraignment of a health care provider and four unlicensed individuals that the provider was permitting to perform medical related procedures on more than 100 Medicaid patients. From a false claims perspective, the billing of Medicare and / or Medicaid services by unlicensed staff would constitute the misrepresentation of the credentials of the staff member at issue and would not qualify for reimbursement.

These are only a few of the risks that you face when a government investigation of your business arrangements, and billing / coding practices is initiated. When responding to a Civil Investigative Demand, it isn’t merely sufficient to produce the information requested. A careful analysis of your practices needs to be conducted on the front end so that any problematic conduct can be identified and assessed. Experienced health care legal counsel can then more effectively represent you and your practice.

V.  How Should You Respond to a Civil Investigative Demand?

For the reasons set out above, we strongly recommend that you engage counsel as soon as you receive a Civil Investigative Demand.  Your attorney can then take the lead and contact the Assistant U.S. Attorney[13] handling the False Claims Act investigation. Additional steps you should take include, but are not limited to:

  • Determine the nature of your involvement in the government’s investigation. Does the government consider you or your practice to be a target, a subject or a witness?  Are both civil and criminal allegations present?  If the possibility of criminal culpability has been identified, it is essential that your legal counsel advise you on any steps needed to properly safeguard your interests.
  • Don’t turn what may be a civil problem into a criminal case. Steps should immediately be taken to ensure that no documentation (either paper or electronic) is destroyed, deleted or over-written. Your attorney can guide you in this document preservation process. The last thing you want to do is take an action in a civil False Claims Act investigation that might constitute a separate criminal violation (such as obstruction of justice).  Once the proverbial fog lifts, your attorney will likely be able advise you whether it is permissible to resume getting rid of documents that have no bearing on the government’s case.
  • Have experienced health law counsel handle scope and timing negotiations with the government. Civil Investigative Demands are often excessively broad in scope and typically request large numbers of medical or dental records and claims information.  Moreover, under the statute you have very little time to produce the materials being sought by a Civil Investigative Demand. Your attorney will likely try and work with the government attorney handling the investigation to obtain an extension of time in which to submit the requested documents.[14]  Your attorney will also try and work with the government attorney to see if the scope can be narrowed (at least at first).  Finally, your attorney will want to try negotiate for the documents and information to be produced to be submitted on a “rolling” basis.
  • Diligently work to identify and address the government’s concerns. It has been our experience that most Assistant U.S. Attorneys are willing to engage (at least in a limited fashion) in a discussion regarding the nature of the government’s concerns. This information can be crucial in assessing the conduct, responding to the government’s concerns, and, if necessary, preparing your defense(s) in the case. Keep in mind, at this point, the government hasn’t filed a False Claims Act complaint and hasn’t intervened in the whistleblower’s case (to the extent that one exists).  Now is the time to do your very best to analyze the facts and respond to the allegations presented.
  • Take care before “Certifying” your responses under the Civil Investigative Demand. As required under 31 U.S.C. § 3733(f)(1), when you produce documentary materials in response to a Civil Investigative Demand, it must be made under a “Sworn Certificate.”  31 U.S.C. § 3733(f)(1), The Sworn Certificate is required to state that:

“. . . all of the documentary material required by the demand and in the possession, custody, or control of the person to whom the demand is directed has been produced and made available to the false claims law investigator identified in the demand.”[15]

As with any certification made to the government, you must exercise caution when making the representations required under 31 U.S.C. § 3733(f)(1).  Should your responses to the Civil Investigative Demand be false or misleading, the government may assert that you have made a false statement (assuming that the requisite level of intent can be shown).

As reflected by the risks discussed above, if you or your practice are the recipient of a Civil Investigative Demand, you should immediately contact a qualified health lawyer.  The issuance of a Civil Investigative Demand raises a number of complex regulatory questions that must be fully vetted.  Have you received a Civil Investigative Demand?  Give us a call for a free consultation.  1 (800) 475-1906.


Robert W. Liles Healthcare LawyerRobert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers in connection with False Claims Act issues and investigations.  Have you received a Civil Investigative Demand?  If so, we can help.  For a free initial consultation regarding your situation, call Robert at: 1 (800) 475-1906.

[1] For additional background information on the False Claims Act, see False Claims Act Matters and Cases — An Overview.”  

[2] Public Law 99-562.  October 27, 1986.  Senator Charles Grassley (R-Iowa) and Representative Howard Berman (C-California) led the drive to have these amendments passed. Several of the significant changes to the statute included, but were not limited to the following:

  • Permitted the government to seek treble damages.
  • Revised the statute’s qui tam provisions by increasing the incentives to whistleblowers disclosing allegations of fraud under the False Claims Act.
  • Conferred authority upon the Attorney General to issue Civil Investigative Demands (CIDs) in connection with the investigation of False Claims Act investigations.

[3] Last Fiscal Year (FY 2018), the Federal government won or negotiated more than $2.8 billion in judgments and settlements under the False Claims Act. Of the $2.8 billion in settlements and judgments recovered by the Department of Justice this past fiscal year, $2.5 billion involved the health care industry.  Although the gross recoveries were almost $600 less than what was collected in FY 2017, it is worth noting that an additional $329 million was collected in health care related cases than last year.  During FY 2018, 645 qui tam (whistleblower) cases were filed. About 87% of all new FCA matters pursued against entities involved in the healthcare industry were brought by relators.

[4] P.L.111-21 (FERA).  FERA also permitted Federal prosecutors to share information obtained under a Civil Investigative Demand with “any person” (most typically a qui tam relator)(See 31 U.S.C. § 3733(a)(1) and with Federal prosecutors conducting criminal investigations if the Attorney General or designee has reason to believe that such person may be in possession, custody, or control of any documentary material or information relevant to a False Claims law investigation.

[5] In 2010, the Attorney General signed Order No. 3134-2010 (January 15, 2010).

[6] See United States v. Markwood, 48 F.3d 969, 975-76 (6th Cir. 1995) (finding FCA CIDs are administrative subpoenas); FTC v. Invention Submission Corp., 965 F.2d 1086, 1087 (D.C. Cir. 1992) (treating FTC CID as administrative subpoena), cert. denied, 507 U.S. 910 (1993); United States v. ASG Solutions Corp., No. 17-cv-1224, 2018 WL 1418023, 2018 U.S. District LEXIS 47716 (S.D. Cal., March 22, 2018) (Report and Recommendation of Magistrate Judge) (enforcement of FCA CID governed by standards for administrative subpoenas), adopted in full, 2018 WL 3471405, 2018 U.S. Dist. LEXIS 121013 (S.D. Cal., July 18, 2018).

[7] Under a Civil Investigative Demand, the government may seek oral testimony concerning the documents and / or information that you are producing. The oral testimony is handled like a deposition, the deponent is placed under oath and a stenographic record of the proceeding is kept.

[8] For example, in the case United States v. Kernan Hospital, No. RDB-11-2961, 2012 WL 5879133, 2012 U.S. Dist. LEXIS 165688 (D. Md., Nov. 20, 2012), the district court denied the government’s Petition for Summary Enforcement based on the fact that the United States had already filed an FCA complaint in the caseThe District Court took this position even though the case had been dismissed (for failure to plead the alleged fraud with particularity) at the time the Civil Investigative Demand was issued.

[9] The scope of judicial review that is conducted by a District Court Judge when the government seeks to enforce a Civil Investigative Demand is very narrow.  As the Ninth Circuit has stated:

 “[t]he scope of the judicial inquiry in . . . any . . . agency subpoena enforcement proceeding is quite narrow. The critical questions are: (1) whether Congress has granted the authority to investigate; (2) whether procedural requirements have been followed; and (3) whether the evidence is relevant and material to the investigation.” EEOC v. Fed. Express Corp., 558 F.3d 842, 848 (9th Cir. 2009) (quoting EEOC v. Karuk Tribe Hous. Auth., 260 F.3d 1071, 1076 (9th Cir. 2001)).

[10] United States v. Picetti, No. 2:19-cv-00049 KJM AC (E.D. California)(April 29, 2019).

[11] Justice Manual Chapter 1-12.000; updated in November 2018, See also, Memorandum entitled “Coordination of Parallel Criminal, Civil, Regulatory and Administrative Proceedings, from the Attorney General to all Litigating Divisions and All Trial Attorneys, dated January 30, 2012, found as Civil Resource Manual 228 and Criminal Resource Manual 2464.

[12] Under the Bipartisan Budget Act of 2018 (effective February 9, 2018), Criminal penalties for acts involving Federal health care programs under 42 U.S.C. § 1320a–7b, including but not limited to the Anti-Kickback Statute, were increased from $25,000 to $100,000. Additionally, the maximum sentences for felonies involving Federal health care program fraud and abuse under 42 U.S.C. § 1320a–7b, including but not limited to the Anti-Kickback Statute, were increased from five to ten years.

[13] Infrequently, we have seen prosecutors from the State Attorney General’s Office issue a CID.

[14] Pursuant to 31 U.S.C. §3733, you will only have twenty days in which to respond to a Civil Instigative Demand, unless an extension is granted by the government.  Additionally, if a request for oral testimony is being sought, you may have as little as seven days within which to respond.

[15]31 U.S.C. § 3733(f)(1)(B).

Recent Changes to DOJ’s “Justice Manual” Addressing De-Facto Regulations and Agency Guidance Documents

Download PDF

Guidance Documents and De-Facto Regulations not Supported by Existing Statutes and Regulations are Not Binding(December 27, 2018):  On November 16, 2017, Attorney General Jeff Sessions issued a memorandum[1] (Sessions Memo) implementing the principles set out in President Trump’s Executive Order 13777.[2]  The Sessions Memo was addressed to all components of the U.S. Department of Justice (DOJ) and noted the fact that in the past, some DOJ guidance documents had not gone through the rulemaking process but had still been issued and used to bind private parties.  As the memorandum further noted:

“Effective immediately, Department components may not issue guidance documents that purport to create rights or obligations binding on persons or entities outside the Executive Branch (including state, local, and tribal governments).”

The purpose of this memorandum was fairly straight-forward.  Regulated parties should be able to rely on statutory and regulatory requirements that have been implemented in accordance with the legislative and rulemaking process. Guidance documents that have not gone through this formal process shouldn’t be used to establish obligations or rights with respect to regulated private parties. The Sessions Memo was intended to prevent DOJ components from “evading required rulemaking processes by using guidance memos to create de facto regulations.”[3] (emphasis added).

Several months after the issuance of Attorney General’s memorandum, Associate Attorney General Rachel Brand issued a related memorandum (Brand Memo) addressing this issue.[4]  The Brand Memo made it clear that the principles set out in the Attorney General’s memorandum should also be used by DOJ prosecutors when determining whether guidance documents issued by other federal agencies should be considered “binding” when the requirements set out in the guidance documents are not supported by existing statutes and / or regulations.  As the Brand Memo states:

“. . . the Department should not treat a party’s noncompliance with an agency guidance document as presumptively or conclusively establishing that the party violated the applicable statute or regulation.  That a party fails to comply with agency guidance expanding upon statutory or regulatory requirements does not mean that the party violated those underlying legal requirements; agency guidance documents cannot create any additional legal obligations.”   (emphasis added).

Although the Brand Memo was directed at the use of guidance documents in False Claims Act and other affirmative civil enforcement cases,[5]  as we will discuss in the sections below, the principles set out in the memorandum should also applicable to criminal enforcement actions.

Not surprisingly, the role of agency guidance when assessing a health care provider’s obligations under the law have been debated ever since the Sessions and Brand memoranda were first issued. Almost a year after the Brand Memo was released, the DOJ has recently expanded upon these principles in its revised issuance of the “Justice Manual.”[6]  This article reviews these new provisions and discusses how DOJ’s guidance may impact fraud cases brought against health care providers and suppliers.

I. Impact of the DOJ’s Position in Civil and Criminal Health Care Fraud Cases:

At this point, you may be thinking “Why should I care about these directives? As discussed below, the possible impact of the Sessions and Brand memos on health care providers and suppliers can be substantial.  Moreover, depending on the facts in your particular case, DOJ’s consideration of agency guidance (that is not based on an existing regulation or statute) may make, or break the government’s fraud case against a health care provider or supplier.  On or about December 18, 2018, the DOJ published its latest guidance in the Justice Manual (§§ 1-19.000[7] and 1-20.000[8]) on the limitations of issuance and use of agency guidance documents.  These Justice Manual provisions are discussed in more detail below.

II. Justice Manual, § 1-19.000 – Limitation on Issuance of Guidance Documents:

As § 1-19.000 of the Justice Manual provides, when issuing non-binding guidance documents, DOJ components should expressly identify the documents as guidance that does not carry the force or effect of law.  Moreover, DOJ components should clearly state that noncompliance with these voluntary standards will not, in itself, result in any enforcement action.”  It is important to note that DOJ components may still issue guidance documents that are intended as voluntary guidelines or standards for private entities to consider and follow.  However, such guidance documents must make it clear that the instructions set out in the guidance is not legally binding and may be beyond an entity’s legal obligations under existing statutes and regulations.

What constitutes an agency guidance document? Great question. As § 1-19.000 reflects, the term “guidance document” does not include:

  • Decisions, orders, or other documents issued in adjudicatory actions that do not purport to or have the effect of binding anyone beyond the parties to the adjudication. 
  • Documents informing the public of the agency’s enforcement priorities or factors the agency considers in exercising its prosecutorial discretion. 
  • Internal directives, memoranda, legal and strategy monographs, or training materials for agency personnel directing them on how to carry out their duties, positions taken by an agency in litigation, or legal advice provided by the Department.

III.  Justice Manual § 1-20.000 – Limitation on Use of Guidance Documents in Litigation:

In contrast to § 1-19.000 (which covers the ISSUANCE of guidance documents by DOJ components), § 1-20.000 of the Justice Manual focuses on the USE of guidance documents issued by other federal agencies in litigation.  As § 1-20.100 of the manual provides:

“Criminal and civil enforcement actions brought by the Department must be based on violations of applicable legal requirements, not mere noncompliance with guidance documents issued by federal agencies, because guidance documents cannot by themselves create binding requirements that do not already exist by statute or regulation.” (emphasis added).

Justice Manual § 1-20.201 notes that if an agency guidance document describes a statutory or regulatory provision, federal prosecutors are still permitted to use and rely on agency guidance documents to argue that a party’s awareness of the guidance document shows that the party had the requisite notice or knowledge of the law.  Justice Manual § 1-20.202 further provides that an agency guidance document can be used as probative evidence that:

“. . . a party has satisfied, or failed to satisfy, professional or industry standards or practices relating to applicable statutory or regulatory requirements.”[9]

This section of the Justice Manual further notes that this rationale applies “broadly” in the healthcare arena and expressly cites guidance documents issued by the Centers for Medicare and Medicaid Services (CMS) such as the agency’s Medicare Benefit Policy Manual and Local Coverage Determinations (LCDs) as relevant evidence that procedures may (or may not) be medically reasonable and necessary.[10] For example:

“. . . if a primary care physician writes prescriptions in excess of the CDC Guideline for Prescribing Opioids for Chronic Pain, which contain medical recommendations for primary care physicians, that fact may be offered as evidence that the prescriptions were made and opioids dispensed without any “legitimate medical purpose” and outside “the usual course of professional practice,” 21 C.F.R. § 1306.04(a), in violation of the Controlled Substances Act.”                                    ‘ 

Justice Manual § 1-20.204 further notes that DOJ may cite an agency guidance document “where a party’s compliance, or failure to comply, with the agency guidance is itself relevant to the claims at issue.”  For example, if a health care provider falsely certifies compliance with a guidance document AND the certification is material to a decision by CMS (including its contractors) to pay a claim, the false certification may be offered by DOJ prosecutors to establish the elements of falsity, materiality and knowledge. As the section further provides:

“. . . when a government contract or provider agreement requires compliance with some agency guidance document, it is the contract—not the agency guidance itself—that makes the agency guidance pertinent and, in these cases, violations of that guidance undertaken with the requisite mental state may expose individuals to liability.” 

IV. Conclusion:

From a practical standpoint, the Sessions and Brand memoranda and the recent updates to the Justice Manual will likely only come into play if the DOJ is directly involved in a case, either before or after a civil or criminal case has been filed.  Having said that, the DOJ is not the only government entity tasked with complying with Executive Order 13777.  All federal agencies, including those of the Department of Health and Human Services (such as the Centers for Medicare and Medicaid Services(CMS)) are required to identify and repeal existing guidance documents that are outdated, unnecessary, inconsistent with existing law, or otherwise improper.

In light of this mandate, CMS published its Proposed Rule entitled “Medicare and Medicaid Programs; Regulatory Provisions to Promote Program Efficiency, Transparency, and Burden Reduction,”[11] on September 20, 2018.  To its credit, CMS has issued a number of proposals that are intended to alleviate the regulatory burden on Ambulatory Surgical Centers, Hospices, Home Health Agencies, Hospitals, Transplant Centers, Community Mental Health Centers, Rural Health Clinics and various other types of health care provider and suppliers.

Unfortunately, almost all of the proposed changes have been aimed at specific types of health care providers and suppliers.  For the most part, CMS’s Proposed Rule does not touch upon the quasi-legal obligations that have been imposed on health care providers and suppliers in the form of National Coverage Determination rules (NCDs), Local Coverage Determination rules (LCDs), manual provisions (such as the Medicare Program Integrity Manual (PIM), Medicare Claims Processing Manual (MCPM), and Medicare Benefit Policy Manual (MBPM)), along with practically countless issuances of policy guidance memoranda and other documents.  Although some of this guidance is, in fact, based on already existing statutory and regulatory requirements that have been properly vetted through the rule-making process, much of this information would undoubtedly qualify as “de facto regulations” that are not statutorily based.       

Unless CMS takes further action in this regard, all health care providers and suppliers participating in Medicare, Medicaid and / or other federal health benefits providers should continue to comply with all applicable guidance that has been issued by federal or state sponsored health plans (or their contractors, such as Medicare Administrative Contractors) which set out the specific requirements that must be met in order for a health care service or item to qualify for coverage and payment.  These requirements include, but are not limited to specific guidance regarding the medical necessity of certain services, frequency and dosage restrictions, documentation mandates and billing / coding requirements.

Robert W. Liles represents health care providers and suppliers in UPIC and ZPIC audits of claims. Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with UPIC audits, ZPIC audits, OIG audits and DOJ investigations of Medicare / Medicaid False Claims Act allegations.  Are your Medicare or Medicaid claims currently being audited or under investigation?  We can help.  For a free initial consultation regarding your situation, call Robert at:  1 (800) 475-1906.

[1] Memorandum dated November 16, 2017, titled Prohibition on Improper Guidance Documents.”

[2] On March 21, 2017, President Trump signed Executive Order 13777.  Simply put, pursuant to Executive Order 13777, federal agencies are required to identify and repeal existing guidance documents that are outdated, unnecessary, inconsistent with existing law, or other improper.  Citing Executive Order 13777  and the Sessions Memo, on December 21, 2018, Acting Attorney General Matthew Whitaker announced in a Press Release that the DOJ was rescinding an additional 69 guidance documents that were either “unnecessary, outdated, inconsistent with existing law, or otherwise improper.”  The Regulatory Task Force established by the DOJ pursuant to Executive Order 13777 has been active in its efforts to rescind guidance documents that have been determined to be unnecessary, inconsistent with existing law, or improper.  In December 2017, DOJ’s Regulatory Task Force identified 25 guidance documents to be repealed. The Task Force subsequently identified 24 additional guidance documents to be repealed in July 2018.

[3] See Press Release titled “Attorney General Sessions Ends the Department’s Practice of Regulation by Guidance” issued November 17, 2017.

[4] Memorandum dated January 25, 2018, titled “Limiting Use of Agency Guidance Documents in Affirmative Civil Enforcement Cases.

[5] The term “Affirmative Civil Enforcement” refers to the filing of “civil lawsuits on behalf of the United States. The purpose of these civil actions is to recover government money lost to fraud or other misconduct or to impose penalties for violations of Federal health, safety, civil rights or environmental laws.”

[6] The Justice Manual was previously known as the United States Attorneys’ Manual.  It was revised and renamed the Justice Manual in 2018.

[7] Justice Manual § 1-19.000 can be found at this link.

[8] Justice Manual § 1-20.000 can be found at this link.

[9] See Justice Manual § 1-20.202.

[10] As set out in United States ex rel Polukoff v. St. Mark’s Hospital, No. 17-4014, at 14-15 (10th Cir. July 7, 2017), the use of agency guidance documents “does not give these documents the force of law, but rather aids in demonstrating that the standards in the relevant statutory and regulatory requirements have been or have not been satisfied.”   

[11] Medicare and Medicaid Programs; Regulatory Provisions to Promote Program Efficiency, Transparency, and Burden Reduction,” September 20, 2018. 83 FR 47686.

Is ePHI Encryption Required? The Failure to Properly Protect ePHI Can be Quite Costly

Download PDF

ePHI Encryption(June 27, 2018):  Violations of the Health Insurance Portability and Accountability Act (HIPAA), where a Covered Entity[3] has failed to utilize ePHI encryption can be quite costly. The loss of unencrypted electronic media containing Protected Health Information (PHI)[1] can result in big fines as one Texas medical center has recently learned the hard way.  As a case ruling issued earlier this month reflects, the University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million for their loss of two unencrypted USB drives and theft of an unencrypted laptop.  This article examines this case in more detail and discusses your obligations to protect electronic PHI (ePHI) from improper disclosure or access by unauthorized persons.

I.  Is ePHI Encryption Required by Covered Entities?

The Department of Health and Human Services (HHS) oversees compliance and enforces HIPAA’s sanctions for noncompliance through its Office for Civil Rights (OCR).  In cases involving possible criminal conduct, the OCR works with the Department of Justice (DOJ).

The HIPAA Omnibus Rule has changed the enforcement provisions.[2] Previously, the agency had discretion in choosing whether to investigate complaints or potential violation in cases where the Agency’s preliminary review reveals a possible violation due to willful neglect.  Now, the agency is required to initiate a formal investigation when a party appears to have exhibited willful neglect.  If an investigation is performed, it may include a review of pertinent policies, procedures, or practices of the Covered Entity and the circumstances of the alleged violation.  Documentation and evidence of compliance are key to ensuring no penalties are assessed by OCR.

Notably, the HIPAA Omnibus Rule modified HIPAA’s Privacy, Security and Enforcement Rules in order to implement the statutory amendments set out under the Health Information Technology for Economic and Clinical Health Act (HITECH).  Under HITECH, a Covered Entity is required to conduct a comprehensive “security risk analysis” of the administrative, physical, technical and operational aspects of your organization.  For each category, the Security Rule establishes both required and addressable implementation specifications.

Implementation specifications that are identified as required must be fulfilled by a Covered Entity.  The failure to implement required specifications will be automatically deemed to be a failure to fully comply with the requirements of the HIPAA Security Rule.  In contrast, specifications that are identified as addressable must only be implemented if, after a risk assessment, the Covered Entity has concluded that compliance with the specification is a reasonable and appropriate security risk safeguard for handling PHI and ePHI.

Contrary to popular belief, Covered Entities are not mandated by law to encrypt ePHI.  As the security risk assessment implementation specification covering encryption is expressly noted as an addressable specification, it is not required.  As 45 C.F.R. §164.312(a)(2)(iv)[4] expressly provides:

 “(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Clear as mud?  If you are still confused as to your obligations, you aren’t alone.  Although you may determine that it would be reasonable for you to NOT encrypt a certain set of ePHI, you need to keep in mind that if there is a potential breach (through loss, theft, negligence, etc.) the OCR will be second-guessing your decision-making in this regard.

II.  The Encryption “Safe Harbor”:

Section 13402 of HITECH extended the privacy provisions of HIPAA by requiring that Covered Entities and their business associates notify affected individuals after discovering breaches of unsecured PHI.[5] Breach, in this case, means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.[6] Generally, incidents within the Covered Entity (between employees) or unintentional disclosure to a business associate are not breaches. Thus, if an employee sends an email inappropriately but in good faith containing PHI to a co-worker and neither employee shares it with others, it is not a breach. If the email goes to someone who is not an employee of the entity or a business associate, it may well be.

Furthermore, the breach notification requirements apply only to “unsecured PHI— meaning PHI that is not secured through the use of technology or methodology specified by the Secretary, such as encryption or destruction that renders the paper unusable, unreadable, or indecipherable.[7]  Therefore, if a Covered Entity encrypts information to comply with the Security Rule and subsequently discovers a breach of that information (through loss, theft, accidental delivery to the wrong person, etc.), the Covered Entity is not required to provide notice of the breach.  If the information is protected through a firewall or some other means not approved by the Secretary, then notification would be required for a breach.  To ensure encryption keys are not breached, they should be kept on a separate device from the data to which they apply.

III.  The MD Anderson Case:

In the MD Anderson case, the cancer center supposedly lost two unencrypted flash drives and experienced the theft of an unencrypted laptop.  Collectively, the devices were estimated to have contained the PHI of approximately 33,500 patients. The OCR alleged that the cancer center did not comply with regulatory requirements by:

“(1) failing to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed. “

Pursuant to 45 C.F.R. pt. 160 and 45 C.F.R. pt. 164, subpts. A, C, D, and E, Covered Entities are generally required to:

“ensure the confidentiality, integrity, and availability of all ePHI that the entities create, receive, maintain, or transmit; protect such information against any reasonably anticipated threats or hazards to its security; protect ePHI against any reasonably anticipated impermissible uses and disclosures; and ensure compliance with these requirements by their workforces.”

While the cancer center had policies and procedures for maintaining the safety of ePHI, it was alleged that they did not implement those as required by 45 C.F.R. § 164.312(a)(1).  MD Anderson argued that they satisfied this regulation because there were technically policies and procedures put in place to allow PHI to be encrypted.  MD Anderson’s procedures for protecting ePHI included:

  1. Password protection of all computers and portable computing devices accessing potentially confidential information;
  2. A requirement that confidential or protected data stored on portable computing devices must be encrypted and backed up to a network server in the event of a disaster or loss of information;
  3. Annual employee training event that provided its employees with training in areas that included ePHI transmission and proper disposal; a prohibition against password sharing; a discussion of password necessity and integrity; an explanation of authorized and proper use of information systems, and training about information security resources.

Unfortunately, MD Anderson’s policies and procedures in this regard were shown to be incompletely or ineffectively implemented. The laptop and two USB drives in question were not encrypted as required by the cancer center’s policies and procedures.  MD Anderson’s attempts to ensure implementation of its ePHI protection policies and procedures were characterized as “half-hearted” by the ALJ handling the case.  MD Anderson was found to have delayed the encryption of devices and, after years, only proceeded slowly with the implementation of the encryption policy claiming financial issues were to blame.

The laptop in question was being used by a telecommuting employee as work computer and it was neither encrypted nor password protected. The laptop was stolen from the home of the employee and the ePHI was vulnerable although no breeches in the security of the patients concerned in the PHI resulted.  The first USB concerned was lost by a trainee while on an employee shuttle bus. The second USB was lost by a visiting researcher.

The OCR considered the theft of the laptop and the losses of the USB flash drives to be unlawful disclosures of ePHI because these actions constituted the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

IV.  Defenses Raised by MD Anderson:

In its defense, the cancer center raised a number of arguments before the ALJ, several of which are outlined below.

  • As a State Entity, MD Anderson is Not a “Person” as Defined Under HIPAA.  In addition to arguing that the Secretary, HHS had acted beyond the authority of the position, MD Anderson also argued that as an entity of the State of Texas, it did not constitute a “person” and was therefore not covered under HIPAA.  The ALJ disagreed.
  • The Penalties Assessed by the Secretary Were Excessive.  Secondly, MD Anderson argued that any penalties assessed should be capped at $100,000 per year.  The cancer center also cited 45 C.F.R. § 160.546(b) and asked that the ALJ reduce the assessed penalties to below the statutory cap.  Notably, the ALJ refused to lower the penalties imposed by the Secretary, HHS, claiming that doing so would “constitute an end run around the Secretary’s intent as expressed in the regulation.”[8] The ALJ also cited 45 CFR 160.408 which allows aggravating factors such as the general pursuit of justice to dictate fine amounts.  Additionally, MD Anderson also claimed that the high penalties imposed were a violation of the excessive fines provision outlined in the 8th Amendment.  Not surprisingly, the ALJ responded that it did not have the authority to consider the constitutionality of the ruling.  Each of MD Anderson’s arguments were addressed in the ALJ’s decision.
  • The Theft and Loss of Devices Do Not Constitute a “Disclosure” Under HIPAA. MD Anderson further argued that stolen or lost property cannot constitute a “disclosure” of sensitive material mainly because there is no evidence the PHI was viewed by anyone. However, the mere fact that the PHI was compromised and rendered vulnerable to viewing by an unauthorized person was deemed enough to constitute a disclosure in violation of HIPAA. Finally, the cancer center argued that the behavior of the individuals who lost USB drives was unsanctioned along with the actions of the thief.  Therefore, there was no basis to hold MD Anderson responsible for these unauthorized acts.  Not surprisingly, the ALJ disagreed, holding that although the employees may have disobeyed MD Anderson’s policies, the actions of transporting the data were within the scope of their official duties.
  • The OCR Has Failed to Apply HIPAA’s Regulations Consistently.  Among concern by the Texas Cancer Center that their key arguments were not seriously considered, there was also concern that the OCR’s enforcement of HIPAA regulations is not transparent or consistent[9]. With the Texas Cancer Center’s fine being the 4th largest ever upheld, there seems to be merit to the claim that regulations are not being consistently or fairly enforced. For example, in a 2010 case involving Rite Aid, the large national drug store chain agreed to pay $1 million to settle HIPAA privacy violations after several of its pharmacies were videotaped disposing of prescription pill bottle labels which contained identifying information into dumpsters with public access[10]. It seems odd when comparing the two cases that one of the nation’s largest drug store chains was fined less than one quarter of the amount of fines assessed against MD Anderson for the violations discussed above.

V.  Next Steps for MD Anderson:

MD Anderson Cancer Center has expressed plans to appeal the ALJ’s ruling[11]. The cancer center feels not only that the $4.3 million in fines is too much but that the ruling does not take into account the policy and procedure the center had already created. At the end of the day, however, it isn’t the availability of a mechanism to keep ePHI safe that matters but that strong efforts are made to ensure ePHI is actually being protected. Failing to carry out policy and procedure can bring serious fines.

VI.  Steps You Can Take to Comply with Your Obligations Under HIPAA and HITECH:

  • Compliance Officer. Appoint a Compliance Officer for your organization.
  • Breach Insurance. Review your options for purchasing insurance to cover any damages and penalties that may result from an unintentional breach or unauthorized disclosure.
  • Notice of Privacy Practices. Ensure that an updated Notice of Privacy Practices is in place.
  • Patient Consent Form. Ensure that an appropriate “Patient Consent Form” is in place.
  • Business Associate Agreements. Ensure that an appropriate “Business Associate Agreement” is in place with each of the outside entities with whom you use or disclose PHI. Additionally, check with your business associates and verify that they understand their obligations and will only provide any subcontractors access to your ePHI with your permission. Will you require that your business associate obtain breach insurance?
  • Policies and Procedures. Review and update all of your policies and procedures required to meet your obligations under HIPAA and HITECH to comply with the law and implement safeguards to protect the integrity of the individually identifiable health information under your control:
    • Privacy Rule;
    • Security Rule;
    • Enforcement Rule;
    • As mandated in connection with your Security Risk Analysis;
    • Other policies and procedures needed to address risks involving social media, using your own cell phones, telecommuting, etc.
  • ePHI Encryption. Review your operational practices to ensure that ePHI is encrypted to prevent improper use or disclosure. Although encryption may not be mandated, it is essential if you are trying to reduce your organization’s level of risk.
  • Backup Procedures.  Review your backup procedures and ensure that in the event of a disaster or other unforeseen event, a complete encrypted copy of your patient’s ePHI is safely maintained.
  • Security Risk Analysis. Perform / update the Security Risk Analysis of your organization and assess any outstanding specifications that still need to be met. Additionally, review the risks and vulnerabilities of a potential breach and / or the wrongful disclosure of ePHI.
  • Employee Training. Ensure that all of your staff is trained on their obligations to comply with HIPAA’s requirements under the law.  Furthermore, ensure that all new members of your staff are trained on their obligations under the law within 30 days of entering on duty.
  • Minimum Necessary. Review your use and disclosure practices to ensure that the minimum necessary standard is being met.
  • Breach Response Plan. Develop a breach response plan (including, but not limited to breach notification when needed, analysis of the cause of the breach, remedial steps and any additional staff training that may be needed), to better ensure that your organization can effectively respond to a breach incident.

Robert W. Liles Healthcare Attorney Robert W. Liles serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Is your organization dealing with a potential HIPAA breach or unauthorized disclosure?  For a free initial consultation, contact Robert or one of the other attorneys at Liles Parker.  1 (800) 475-1906.


[1] The term “Protected Health Information” (PHI) covers individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. The rules do not include “de-identified information,” individually identifiable information where all 18 identifiers have been removed.  Such information can be used without restriction or patient authorization. The following table describes the identifiers that must be removed in order to qualify as de-identified information.

18 Individual Identifiers
1Names10Account numbers
2All geographic subdivisions smaller than a state, except for the initial three digits of a ZIP code if the geographic unit formed by combining all ZIP Codes with the same 3 digits contains more than 20,000 people. 


 Certificate or license numbers

All elements of dates, except year, and all ages over 89 or elements indicative of such age

12Vehicle identifiers or serial numbers, including license plates
4Telephone numbers13Device identifiers and serial numbers
5Fax numbers14URLs
6E-mail addresses15IP addresses
7Social Security numbers16Biometric identifiers, like voice and fingerprints
8Medical record numbers17Fullface photography or comparable images

Health plan beneficiary numbers



Any other unique, identifying number, characteristic, or code, excepted as permitted for re-identification in the Privacy Rule


[2] 78 Fed. Reg 5566 (Jan. 25, 2013), available at https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed June 2018).
[3] A “Covered Entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction
[4] 45 C.F.R. §164.312(a)(2)(iv). https://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-312.pdf
[5] For additional information, see the Breach Notification Final Rule Update, available at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html (last accessed April 2018).
[6] 45 C.F.R. § 164.404.
[7] 45 C.F.R. § 164.402.
[8] https://www.hhs.gov/sites/default/files/alj-cr5111.pdf
[9] https://www.beckershospitalreview.com/cybersecurity/md-anderson-slapped-with-4-3m-penalty-for-hipaa-violations.html
[10] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/rite-aid/index.html
[11] http://www.modernhealthcare.com/article/20180619/NEWS/180619897


What is Civil Fraud?

Download PDF

What is Civil Fraud? How Does it Differ from "Criminal Fraud"?(Updated June 18, 2018):  According to the Association of Certified Fraud Examiners, money lost due to fraud costs businesses and private parties over $3.5 trillion per year. This information, coupled with their assertion that instances of fraud have been dramatically increasing within the last few years, offers an eye-opening revelation not only for business, but all citizens of the United States. Individuals, businesses, and health care providers alike must become more informed on what fraud constitutes. This article intends to help inform readers regarding the irregularity of definition, differences in governmental levels, and the distinguishing characteristics between civil and criminal fraud.

Civil fraud cases are complex and can have substantial effects on your business and on your personal assets. This, however, becomes concerning news upon learning that civil fraud does not have a strictly uniform definition. Generally, fraud is founded upon a willful misrepresentation of past or present fact. Courts have defined fraud as trickery, deceit, intentional misrepresentation, concealment, or nondisclosure for the purpose of inducing another to part with something of value. It also includes false representation of a matter of fact by words or conduct or by the concealment of what should have been disclosed that deceives or is intended to deceive another so he shall act upon it to his legal injury. See In re E.P., 185 S.W.3d 908 (Tex. App. Austin 2006).

I.  Common Elements of Civil Fraud:

These elements found in Texas legislation represent most legal definitions of fraud:

  1. There was a material representation made that was false;
  2. The person who made the representation knew the representation was false or made it recklessly as a positive assertion without any knowledge of its truth;
  3. The person who made the representation intended to induce another to act upon the representation; and
  4. The person to whom the material representation was made actually and justifiably relied on the representation, which caused the injury.

          See Ernst & Young, L.L.P. v. Pac. Mut. Life Ins. Co., 51 S.W.3d 573, 577 (Tex. 2001).

Similarly, Virginia offers much of the same structure:

A party alleging fraud must prove by clear and convincing evidence(1) a false representation, (2) of a present, material fact, (3) made intentionally and knowingly, (4) with intent to mislead, (5) reasonable reliance by the party misled, and (6) resulting damage to him. See Thompson v. Bacon, 245 Va. 107, 111 (1993.)

II.  Civil Fraud at the State Level:

Nevertheless, courts have broadly defined the elements of civil fraud in various situations and there is no single definition that covers civil fraud entirely.  There are laws passed by the legislature that define fraud.  Courts of law have provided common law definitions of fraud. There are actions for negligent misrepresentation, a cause of action which is similar to fraud. It then becomes pertinent to mention that fraud by itself is not a fact, but rather a conclusion that is reached after the facts of the relationship or transaction complained of have been reviewed.

It is also important to note that fraud and legislation concerning fraud often vary from state to state. That is to say, certain jurisdictions give way to different interpretations regarding what exactly constitutes civil fraud, such as certain requisites that qualify committed acts as fraud or various burdens of proof needed in a given case. Texas and Virginia (both mentioned above), are both Common Law states, and share similarities in the make-up of their legislation. However, one might observe differences, for example, in Louisiana, where the governing body is guided by Napoleonic code. While certainly not vastly different in content and structure, less uniformity certainly can lead to more room for interpretation, as has been the status quo regarding civil fraud. Though most state legislatures can agree on the above elements of fraud as they apply specifically to the civil sphere, it is vital to recognize that state legislation can indeed vary.

III.  Civil Fraud at the Federal Level:

As previously discussed, civil suits regarding fraud centrally focus on restitution on behalf of the victim. At the federal level, the victim is the United States government, and one of the primary methods through which civil suits are filed is through the False Claims Act (FCA). The False Claims Act was enacted by Congress in 1863. Though concerned with the fraudulent practices of suppliers to the Union Army in the Civil War, the FCA is still heavily utilized today and provides relevant information regarding the definition of Civil Fraud holistically. The Department of Justice states:

A person does not violate the False Claims Act by submitting a false claim to the government; to violate the FCA a person must have submitted, or caused the submission of, the false claim (or made a false statement or record) with knowledge of the falsity. In § 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information (DOJ).

This definition sheds light on the similarities of civil fraud at all governmental levels with the unifying factor being the knowledge of the falsehood of an individual’s own statements, claims, etc. The FCA describes the seven types of conduct that result in liability and appear in the act as follows:

(a) LIABILITY FOR CERTAIN ACTS. (1) IN GENERAL.—Subject to paragraph (2), any person who—

 (A) knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval;

 (B) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent;

 (C) conspires to commit a violation of subparagraph (A), (B), (D), (E), (F), or (G)

(D) has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property;

 (E) is authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true;

 (F) knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge property; or

 (G) knowingly makes, uses, or causes to be made or used, a false record or statement material to an obligation to pay or transmit money or property to the Government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the Government,

 is liable to the United States Government for a civil penalty of not less than $5,000 and not more than $10,000 … plus 3 times the amount of damages which the Government sustains because of the act of that person

See 31 U.S.C. §§ 3729 – 3733

As previously mentioned, the False Claims Act is one of the most effective tools used by the government to combat fraud. It should come as no surprise then that the FCA is primarily targeted at health care providers. In fact, over 80% of the recoveries derived by the FCA come directly from the health care industry. Notably, the private right of action, or qui tam, provisions of the FCA make it one of the most widely used and accessible tools, because private individuals are, such as employees and patients, can bring suit on behalf of the government. FCA litigation is highly complex, with many technical and pleading requirements.  For a detailed discussion on the FCA, please see our page titled “Overview of the False Claims Act.”

IV.  Differences Between Civil Fraud and Criminal Fraud:

Perhaps the most confounding aspect of fraud, distinguishing between civil claims and criminal proceedings offers deeper understanding into how fraud cases are dealt in all variations of government. The following aspects help identify whether a fraud case is civil or criminal, and the accompanying actions that follow both activities.

  • Origins of Civil and Criminal Fraud Cases.

The first distinguishing aspects to notice are the manners in which civil and criminal cases are brought about. In Civil fraud cases, claims are often private party disputes. In other words, if an individual is suspected of committing fraud, the alleging party initiates and pursues the case. In the criminal realm, proceedings are brought about by regulatory authorities, the government or extensions of the government, and are tried criminally. Criminal cases can be tried by local, state, or federal prosecutors.

  • Level of Success Required for Conviction for Civil and Criminal Fraud.

One key difference between both types of fraud is that damage must actually occur to the victim in a civil fraud case. The alleging party must be able to demonstrate that they suffered damage as a result of their reliance upon the false representation. In contrast, criminal cases only require that fraudulent activity has occurred with the intent to harm another party. In other words, fraudsters need not succeed in damaging another party, prosecutors only need to establish their intent in doing so.

  • Differing Burdens of Proof for Civil and Criminal Fraud.

The most important difference between Civil and Criminal fraud contends primarily with the amount of proof needed to convict within each individual case. As we know, criminal proceedings require prosecutors to prove guilt “beyond a reasonable doubt”. Civil cases however, require a much lower standard to prove an individual’s guilt. In civil law, the burden of proof in trial is known as the “balance of probabilities” or the “preponderance of evidence”. In this scenario, one party’s case only needs to be stronger than the other side. In essence, the alleging party need only cross the fifty percent threshold in order to succeed in conviction.

  • Severity of Punishment for Civil and Criminal Fraud.

As one could guess, the outcome of civil and criminal cases produces significantly different results. Civil claims focus largely on recovering monetary compensation on behalf of the victim. Civil claims often do not reach completion within the litigation process due to negotiation from both parties’ counsel. As for criminal proceedings, prosecutors pursue alleged fraudsters on behalf of the state. In other words, those convicted of criminal fraud are subject to incarceration, fines paid to the state, as well as financial compensation to victims. Referencing our previous discussion regarding variations in legislation at the state level, citizens of different states may be subject to harsher penalties based upon where they live. That is to say, the punishment for both civil and criminal fraud offenses is subject to state statutes. The nature of the penalty will often depend on the severity of the crime committed.

V. Conclusion:

With the inherent costly and expensive nature of fraud, along with the continued growth of instances of fraud within the United States, it is important not to overlook where and when fraud can occur. State legislation can offer different judicial interpretations based upon the state in which you reside. Beyond the non-uniformity regarding the legal definition of fraud in the United States, fraud cases are complex and can result in significant penalties. This culminates in a difficult area of practice that requires a firm that understands the nuances of state laws concerning fraud and the role of the False Claims Act at the federal level.

Are you or your practice facing allegations of civil fraud or criminal fraud?  Call the experienced health care lawyers at Liles Parker for a free consultation.  1 (800) 475-1906. 

Sexual Harassment: Cases Against Texas Physicians in 2017

Download PDF

Sexual Harassment(January 26, 2018): From Churches to Congress, sexual harassment and assault charges have plagued many of the institutions that our society holds dear. As revelations of sexual misconduct continue to surface, we continue to learn of the many abuses of those in powerful positions; those whom we once revered.  The rise of the #MeToo Movement (“Movement”) in late 2017 has brought about a national conversation over sexual assault and harassment. Women and men from all industries have been revealing tragic stories of sexual assault and harassment. Not surprisingly, healthcare practices and organizations haven’t been immune to this societal crisis.  In fact, it now appears that sexual assault and harassment may be far more prevalent in medicine than has been previously acknowledged. Recent studies have exposed that sexual misconduct by physicians is not only more common than previously thought, but also poorly disciplined when acknowledged. 

In this article, we have collected data on disciplinary actions for sexual misconduct by physicians in Texas throughout 2017.[1] This article breaks down the 2017 disciplinary actions into (1) the different forms of sexual misconduct cited, (2) the physician specialties involved, (3) the time frame of the disciplinary actions, and (4) the severity of the disciplinary action taken by the Texas Medical Board (“Board”) against the subject physician. Prior to examining the data, let’s delve into the #MeToo Movement and the prevalence and discipline of sexual misconduct in medicine. 

I. What is the #MeToo Movement?

The #MeToo Movement as we know it today emerged out of the revelations last October of sexual abuse by powerful men in the Hollywood and entertainment industry.[2] Since the first allegations surfaced, more and more powerful people, particularly men, have been exposed and alleged to have committed various types of sexual assault, harassment or other improper conduct. To many, the sheer volume of sexual misconduct allegations exposed has come as a great shock. The #MeToo Movement has showed us that perpetrators of sexual misconduct can be practically anyone. Celebrities, athletes, government officials, and otherwise seemingly ordinary individuals have all been named as wrongdoers.  To the extent that there is one, the silver lining of the #MeToo Movement is that it has empowered women to stand up for their rights and it has initiated a national self-evaluation on what is (and isn’t) appropriate interpersonal conduct between adults in the workplace.  Ultimately, we will all benefit from this conversation.

II. An Overview of the Problem

At present, 1 in 5 women in the United States will be raped in their lifetime and nearly 1 in 2 women in the United States will be victims of sexual misconduct other than rape.[3] In accordance with the later statistic, 13% of women in the United States will be sexually coerced, 27.2% will be sexually assaulted, and 33.7% will be sexually harassed.[4] Despite the alarming prevalence, rape and sexual assault is the lowest reported crime, with an estimated 67% of victims not reporting their crime to the police.[5] In the workplace, the Equal Employment Opportunity Commission (EEOC) estimates that 75% of sexual harassment goes unreported.[6] This is often attributed to the stigma and lack of support that victims face in society. However, through raising awareness of the prevalence of this issue, the #MeToo Movement is expected to ignite social progress towards supporting victims and taking action against perpetrators. It is reasonably expected that this Movement will continue to empower many more victims to report to various authorities, whom will be expected to take further action to prevent and stop sexual misconduct.

III. What Constitutes Sexual Harassment / Sexual Misconduct? 

As you can imagine, there is no single definition of the terms “sexual harassment” or “sexual misconduct.” Moreover, there isn’t even agreement on when one of these specific terms should apply. Rather than get bogged down in semantics or spend all day comparing and contrasting how different courts have defined these terms, for the purposes of this article, we intend to utilize the terms interchangeably.

The term, “sexual harassment.” is defined at by the EEOC as the harassment of:

[A] person… because of that person’s sex. Harassment can include “sexual harassment” or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature… Both victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex.”[7]  (emphasis added).

In contrast, the Federation of State Medical Boards has adopted a more specific definition of the term that is focused on the physician-patient relationship.  The Federation of State Medical Boards defines physician sexual misconduct as:

“[B]ehavior that exploits the physician-patient relationship in a sexual way. Sexual behavior between a physician and a patient is never diagnostic or therapeutic. This behavior may be verbal or physical, and may include expressions of thoughts and feelings or gestures that are sexual or that reasonably may be construed by a patient or patient’s surrogate as sexual.[8] (emphasis added).

According to sections 22.011 and 22.021 of Chapter 22 of the Texas Penal Code, sexual assault includes all physical contact of a sexual nature in which consent was not or could not be given.  Sexual misconduct is most often predicated on a power dynamic between the perpetrator and the victim.[9] In medicine, the physician holds power over their patients and subordinates. Thus, this power dynamic between perpetrator and victim makes it such that consent is not a defense for physicians.[10] The Texas Penal Code specifically addresses this dynamic in Chapter 22, Section 22.011 (b)(9), which states that the act is not consensual if:

[T]he actor is a mental health services provider or a health care services provider who causes the other person, who is a patient or former patient of the actor, to submit or participate by exploiting the other person’s emotional dependency on the actor;” (emphasis added).

How does your health care practice or organization define sexual harassment or sexual misconduct?  Regardless of the definition ultimately adopted, there are a number of examples of conduct that are generally recognized as problematic.  These include, but are limited to:

  • Sexual jokes, pranks or teasing. This conduct can expressly allude to sexual matter or can refer to sex by innuendo.  It can be made in person, over the phone by e-mail, or by some other method of communication.
  • Touching, grabbing or making pretend motions or gestures of a sexual nature.
  • Verbally engaging in sexually discussions or making sexually charged comments at the workplace.
  • Repeatedly standing too close to a person, brushing up against them or otherwise getting in their personal space and making them uncomfortable.
  • Showing or otherwise posting sexually demeaning or offensive pictures, cartoons, comments or other materials in the workplace.
  • Repeatedly asking someone to socialize during off-duty hours when he or she has already that he / she is not interested in engaging in social activities.
  • Giving gifts or leaving objects that are unwanted, regardless of whether they are sexually suggestive.
  • Asking about someone’s sexual experiences or preferences and / or discussing your own sexual experiences, activities and / or preferences.

IV. Generally Speaking, how Common is Sexual Misconduct in Medicine?

As an elite profession, physicians are revered and given an elevated status. As far back as Ancient Greece, physicians have sworn oaths that forbade engaging in any form of sexual misconduct.[11] Despite moral and ethical oaths, this “elite” status is easily manipulated by perpetrators, especially against patients. In a 2016 report, the Atlanta Journal-Constitution uncovered that hidden and pervasive nature of sexual misconduct in medicine. Since 1999, more than 3,100 physicians have been formally accused of sexual misconduct, with at least 2,400 of those physicians engaging in sexual misconduct with patients. It is important to note that this makes up an extreme minority within the over 950,000 physicians practicing in the United States. However, akin to prior sexual misconduct scandals, one perpetrator is capable of routinely victimizing patients. In one particular case, a pediatrician sexually assaulted at least 1,200 children over 15 years.[12] However, most of the 3,100 perpetrators did not target children, but rather young women.

In all, the actual details on the prevalence of sexual misconduct are difficult to accurately unearth for a multitude of reasons. Doctors are viewed as educated and credible, giving way to a predisposition by authorities to believe the word of the physician over an alleged victim. Additionally, most states do not post rather detailed public records related to sexual misconduct.[13] The details of allegations are often left out or obscured, leaving the public with little knowledge of what any given physician may have done. Some state medical boards choose not to publicly release information about a first-time offense. Additionally, when the evidence is discovered through a peer-review at the medical institution, state laws often prohibit that information from being shared. To make matters worse, inadequate screening procedures prevent some state medical boards from discovering prior allegations made against physicians, allowing some perpetrators to move to a new location and continue to victimize patients and coworkers.

V. How is Sexual Harassment and Misconduct Disciplined in Medicine?

While state medical boards claim to take sexual misconduct seriously, the Atlanta Journal-Constitution seems to tell another tale. Of the 3,100 physicians disciplined for sexual misconduct since 1999, 2/3 were permitted to continue practicing.[14] In the case of some serial predators, this meant they could continue to victimize their patients and coworkers with no serious repercussions. The report found that cases were obscured as were disciplines. Not all cases of sexual assault and harassment were labeled as such, many were marked in general terms such as crossing “boundaries” or having a “sexual relationship” with a patient. In most states, state medical boards and healthcare institutions choose to make compromises with the physician in order to avoid protracted legal battles. This is because state medical boards can only operate within the statutory authority given by that state’s legislature. Thus, patient protection may be a priority for state medical boards, but they can only work within the framework provided to them. In addition, some state medical boards view the physicians as a scarce public health resource. In some rural areas, state medical boards have weighed the implications of removing a physician’s license on the ability of the populace to seek out a physician.

The actual disciplinary actions taken seem to echo past sexual misconduct scandals. Disciplinary actions are overwhelmingly aimed at rehabilitation rather than punishment. Physicians are frequently seen not as criminals, but rather as individuals suffering from mental illness. These disciplinary actions aimed at educating physicians on sexual misconduct, legal repercussions, and their “boundaries” with patients and coworkers. Many have been sent to “treatment,” as state medical boards seek to salvage the value they see in physicians. Many are even given the restriction of a required chaperone while they are seeing patients of the opposite sex. Not all disciplinary actions are as bleak for patient protection. Many of these perpetrators have been fined, publicly reprimanded, had their license suspended or restricted, or lost their license all together. Voluntary surrender does unfortunately offer perpetrators the ability to avoid further investigation. However, some state medical boards have also adopted the policy of revoking a medical license if that individual surrenders their license in another state in lieu of sexual misconduct allegations.

VI. How Well Does Texas Protect its Patients?

In conjunction with their damning report, the Atlanta Journal-Constitution also created a “report card” for how well each state protects its patient from sexual misconduct by physicians. Each state received a numerical score from 0-100, averaged from a similar scale judging the state’s transparency, duty-to-report laws, board composition, criminal acts, and discipline laws. The best state was Delaware, while the worst state was Mississippi. Since our research focused on the Texas Medical Board, we will examine the Texas State Report Card.

The good news is that Texas ranked second, with an overall rating of 80. Texas ranked as the most transparent state, with a score of 90. Though hospital sanctions are not listed, the Texas Medical Board maintains an accessible public record for all Board orders that provides details as to why Board orders were taken.

Unfortunately, the “duty-to-report” laws in Texas were not adjudged by Atlanta Journal-Constitution to be quite as superb. Texas was given a score of only 52 due to insufficient reporting laws. Hospitals are required to report the details of a peer review that results in a more than 30-day suspension, or when a physician surrenders their clinical privileges in exchange for not conducting an investigation. However, if a physician is disciplined for 30 or fewer days, the details are not required to be released. Additionally, there is no deadline for how long a hospital can wait to report, nor are there legally established repercussions for a failure to do so. Courts are not required to notify the Board of criminal convictions. Fellow physicians, however, are required by law to report any behavior by peers that may pose a threat to the public welfare.

The Board composition score was slightly better, at 70. It is comprised of 19 total individuals including  7 consumers with no immediate or marital relation to medicine and 12 physicians. Only 3 of the 19 board members are female.

The criminal acts score for Texas is remarkably high, at 96. This is primarily because the Texas Medical Board requires a thorough background check for applicants, then continues to periodically monitor criminal records of licensed physicians. Additionally, state law requires that the board report criminal conduct to police. As mentioned earlier, Texas has also criminalized sexual misconduct by physicians by removing consent as a legal defense.

Lastly, Texas tied Delaware and Alaska for the highest score for discipline laws with a score of 90. As per state law, the Board must revoke any license for a felony conviction or a deferred adjudication involving sexual abuse of a child. However, this revocation is not permanent unless the physician agrees to that stipulation or permanently surrenders their license in lieu of further investigation. State law also requires that an applicant cannot be licensed if their license elsewhere is currently restricted, cancelled, suspended, or revoked. State law also prohibits licensing any applicant that is being prosecuted for a crime that, if prosecuted in Texas, would be felony or misdemeanor involving moral turpitude. In addition, the board may subpoena hospitals for peer review records and the standard of proof for board action is only a preponderance of evidence.

Overall, the Texas Medical Board is amongst the best in the nation at handling formally submitted complaints of sexual misconduct by physicians. However, that bar is still too low. Finding records of allegations remains difficult in Texas. Additionally, anonymous reporting is not permitted, likely contributing to some victims deciding not to report.

VII. Texas Medical Board Disciplinary Actions for Sexual Conduct in 2017:

In 2017, the Texas Medical Board took 18 total disciplinary actions against 17 physicians for sexual misconduct. Six physicians were disciplined for sexual assault, with 2 of the 6 also being disciplined for sexual harassment. The disciplinary action imposed by the Board in each of these actions except for one, was a suspension of the physician’s medical license. The one outlier was a physician who voluntarily surrendered his  license in lieu of investigation; this physician’s license had previously been suspended earlier in 2017 for sexual assault. Only one physician was disciplined for sexual harassment alone, which resulted in sanctions which including taking a medical jurisprudence exam and multiple educational courses. Two physicians were disciplined for sexual misconduct, though both actions were a result of actions by other institutions. In the first case, the Board found that one physician failed to report disciplinary action by his alma mater for sexual misconduct. This resulted in a fine and mandatory educational courses. The second case involved a physician licensed in Texas but practicing in Oklahoma. This individual’s license was revoked in Texas following the voluntary surrender of his license in Oklahoma due to pending sexual assault charges. The remaining sexual misconduct-related disciplinary actions were referred to as having a “sexual relationship with a patient.” All but one of these cases resulted in a punishment that included mandatory continuing education. Five of these disciplinary actions resulted in public reprimands. Other forms of disciplinary action taken in these cases included fines, chaperones while with female patients, a medical jurisprudence exam, psychiatric treatment, and a temporary license restriction.[15]

Sexual HarassmentFigure 1: Allegations that resulted in disciplinary actions taken by the Texas Medical Board in 2017.[16]

Sexual HarassmentTable 1: Types of disciplinary actions taken by the Texas Medical Board in 2017 for each type of allegation.[17]

There did not appear to be any large trends within the type of physician specialty. The most common specialty was internal medicine, with a total of 5 internists out of 17 total disciplined physicians. No significant geographical trend was observed, with the cases largely spread out amongst relatively populated areas of Texas. Over 50% of the disciplinary actions occurred in the first half of the year. Surprisingly, there was no particular increase in disciplinary actions following the rise of the #MeToo Movement in October 2017.

Sexual Harassment Table 2: Allegations that resulted in disciplinary action by physician specialty.[18]

Sexual HarassmentFigure 2: Sexual misconduct-related disciplinary actions taken each month by the Texas Medical Board in 2017.[19]

VIII. The Texas Medical Board Weighs In on Sexual Harassment Complaints:

In the January 2018 Texas Medical Board Bulletin, two interesting topics appear on Page 3 and 4: the use of chaperones and duty to report impairment. Each bulletin published offers news and reminders relevant to hot topics. Most bulletins in the last 5 years have covered topics related to prescription drugs, but none of those bulletins have covered either of these topics. It is worth noting that this is the first bulletin to be published since the #MeToo campaign began.

The first of the seemingly relevant topics is the use of chaperones. This section seeks to remind physicians that there are many ways to make patients feel comfortable during their visit,” highlighting the use of a chaperone as one particularly ethical method of doing so, in addition to providing gowns and using drapes. The second seemingly relevant topic was the duty to report impairment. As addressed earlier in this article, state medical boards frequently view perpetrators of sexual misconduct as mentally ill rather than criminals. This section of the January 2018 bulletin seems to echo that narrative, reminding physicians that they may report themselves and fellow physicians that pose a continuing threat to the public welfare. Additionally, it highlights that in certain circumstances, civil liability may be lifted from the reporting party.

While this was not a direct response to the #MeToo Movement, it does appear relevant, and perhaps anticipatory. This bulletin appears to remind physicians that patient comfort and safety is an ethical priority in medicine. Impairment does not automatically indicate sexual misconduct, though sexual misconduct has certainly been attributed to impairment by the board in the past.[20] Through this bulletin, it is plausible to say that the Board may be anticipating, and perhaps encouraging, more reports of sexual misconduct by physicians in the near future.

The #MeToo Movement seems to have struck a chord with the American public. It seems that society may finally begin to address the pervasive nature of sexual misconduct. All of this comes as we learn of tragic stories of abuses and cover ups. Like many other industries, medicine appears to have a dark past of turning a blind eye to physicians who abused patients and coworkers. While the number of physicians engaging in sexual misconduct may be far and few between, their actions have harmed, at the least, thousands of patients and coworkers. As the #MeToo Movement carries into 2018, perhaps we will learn more about the true scale of sexual misconduct in medicine as more victims come forward.

While no state medical board appears to be perfect at addressing sexual misconduct, the Texas Medical Board is currently one of the best. Their 2017 data shows that sexual misconduct appears to be rare amongst physicians in Texas, at least on the surface. Considering how Board investigations into these matters can take months, it is plausible that the 2017 does not reflect the societal shifts in reporting since the beginning of the #MeToo Movement. The Movement may have effectively changed the national environment that felt hostile to most victims. Some have likened its energy of the #MeToo Movement to that of the civil rights movement, hoping that the social media campaign will result in coordinated efforts to achieve legal and cultural reform.[21] With more victims feeling supported, it is almost certainly expected that reports of sexual misconduct will rise across.

If the Movement does translate to more reports of sexual misconduct generally, it is plausible that a better portrait of sexual misconduct in medicine may emerge. Thus, we will conduct this same assessment of the Texas Medical Board’s disciplinary actions against sexual misconduct at the conclusion of 2018. It is likely that more physicians are guilty of sexual misconduct than the Board is aware of or has taken action against. In comparing the 2018 and 2017 results, we will be able to determine how the #MeToo campaign has impacted medicine. We can expect to see more disciplinary action by the Board in 2018. The causes of the disciplinary actions may become less vague and the punishments more severe. For the time being, this is only speculation. Only time will tell how the #MeToo Movement will impact sexual misconduct in medicine.

IX. Healthcare Organizations Need to Conduct a Top-Down Review of Their Policies and Procedures:

Even as state medical boards enact stronger policies against sexual misconduct, it is important to note that the organizations and individuals who failed to adequately prevent, stop, or report sexual misconduct by a physician have been held liable, and will likely continue to be held liable into the future. In the case of the pediatrician who sexually assaulted hundreds of children, the hospital he sometimes worked for, a medical society, and doctors that referred patients to this physician were sued, which was resolved through a final settlement of $122 million for the defendant’s former patients.[22] Therefore, it is important for any organization hoping to avoid liability to create detailed policies and procedures on sexual harassment and sexual misconduct. In doing so, health care organizations should ensure that they are preemptively educating both patients and employees on what constitutes sexual harassment and sexual misconduct and what the ramifications are not only for perpetrators, but also bystanders who do not report. Health care organizations should require reporting such that allegations are not covered up nor overlooked.  A low-cost, comprehensive, anonymous reporting system such as that provided by ComplianceHotline.com can provide your practice or other health care organization with a full range of reporting options that can be made available to patients and employees alike if they are concerned about sexual harassment or misconduct.[23] Moreover, this anonymous hotline tracks the recommended steps recommended by HHS-OIG in its recent guidance, “Measuring Compliance Program Effectiveness: A Resource Guide.”  The bottom line is straightforward — encouraging the early reporting of sexual misconduct can significantly reduce your health care entity’s level of regulatory risk and improve the quality of work life for your staff.

Unfortunately, drafting the proper Policies and Procedures to be used in your health care organization can be tricky.  You need to take both federal and state requirements into account. Please feel free to contact us for assistance with both the policies and with staff training on these important issues.

Ashley Morgan Healthcare AttorneyAshley Morgan, J.D., serves as Senior Associate Attorney at Liles Parker, PLLC.  Liles Parker is a health law firm health care providers and suppliers around the country in connection with compliance-related matters and Medicare / Medicaid / Private Payor audits.  For a complimentary consultation, give Ashley a call at: (202) 298-8750.



[1] Specifically, we reviewed Texas Medical Board Bulletins posted in April 2017, September 2017, and April 2017.


[3] https://www.nsvrc.org/sites/default/files/nsvrc_one_pager_0.pdf

[4] https://www.cdc.gov/ViolencePrevention/pdf/NISVS_Report2010-a.pdf

[5] https://www.bjs.gov/content/pub/pdf/rsarp00.pdf


[7] https://www.eeoc.gov/laws/types/sexual_harassment.cfm



[10] http://doctors.ajc.com/doctors_sex_abuse/

[11] http://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html


[13] http://doctors.ajc.com/states_discipline_sex_abuse/

[14] http://doctors.ajc.com/doctors_sex_abuse/?ecmp=doctorssexabuse_microsite_nav

[15] http://www.tmb.state.tx.us/dl/A1BB2B98-02FD-3A3C-9022-D99248F0EEBF;



[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] https://www.documentcloud.org/documents/2940026-combined-164-pdf.html

[21] http://www.cnn.com/2017/10/30/health/metoo-legacy/index.html


[23] Paul Weidenfeld and Robert W. Liles established www.compliancehotline.com to provide health care providers and suppliers with a comprehensive anonymous complaint reporting system that could be incorporated into their overall Compliance Program.

Next Page »