Health care fraud is big business. As much as $100 billion is siphoned out of the system by fraudsters each year, with Uncle Sam the single largest victim. Federal investigators and prosecutors have prioritized health care cases for years, and that effort will only intensify as the Patient Protection and Affordable Care Act (PPACA) phases in over the next few years.

The sprawling PPACA, the health care reform law President Obama signed in March, significantly expands criminal liability and increases key health care fraud sentencing guidelines by 20 to 50 percent. Companies are scrambling to assimilate the changes.

“The industry is reeling,” says Larry Vernaglia, chair of the Health Care Industry Practice at Foley & Lardner. “PPACA is 1,000 pages long, and each page has something unbelievably important on it. If this thing had trickled out over a period of a year, it still would have been difficult for the industry to digest.”

The new law tweaks several existing criminal statutes to make prosecutions easier and penalties larger–and creates new reporting responsibilities as well. While the changes are primarily intended to snare the dedicated crooks and criminal organizations that methodically fleece the system, health care providers, hospitals, and pharmaceutical and medical device companies face substantially increased risk as well.

“Everybody's got a compliance program,” says Donna Thiel, co-chair of the Drug, Device and Life Sciences Industry Group at Baker Donelson. “Now they have to get that book off the shelf, update the policies and really engage in a consistent effort to make sure that they don't have problems. The penalties are much more severe, and there's going to be a lot more people looking.”

FCA Facilitated

The False Claims Act is the favorite tool of health care fraud prosecutors because the cases just walk in their door. The law's qui tam provisions encourage whistleblowers to bring in violations on a silver platter, and PPACA will make it easier.

“The big FCA change is a weakening of the public disclosure bar,” Vernaglia says.

Qui tam relators can't bring cases using information that has been publicly disclosed. The new law, however, narrows the scope of what is considered public disclosure, and expands the definition of what can be considered an original source of incriminating information.

“That, in practical effect, allows more people to bring more cases,” Vernaglia says. “It will also, we believe, create a whole new industry of lawyers and other consultants who will mine data, which is public and previously excluded under the public disclosure bar, in order to try to build a False Claims Act case.”

The new provisions also make the prompt return of overpayments–previously something of a gray area–absolutely mandatory.

Among the millions of transactions with federal health care payors, hospitals and health plans inevitably receive payments in error. PPACA creates an affirmative obligation to return any overpayment to the government within 60 days, under penalty of an FCA violation.

Couple that with qui tam liability and the risk to companies is obvious. And it appears to be effective immediately, even though the government hasn't released implementation regulations.

“What's freaking people out about this particular provision is that it went into effect apparently with the passage of the law,” Thiel says.

Kicking Back

The federal anti-kickback statute prohibits payments (or offers or solicitations of payments) in exchange for referring patients that might get paid by Medicare or Medicaid. Violations, however, were difficult to prove.

Previously, prosecutors had to show that defendants had knowledge of the law and a specific intent to violate it. PPACA essentially removes that requirement.

“They've lightened the knowledge standard,” Thiel says. “Now they're saying you have an obligation to know what the law is, and prosecutors do not have to prove that as a specific element of a crime. That's a very significant lightening of the load, and any time that you lighten the load for a prosecutor, it means that you have to be more careful.”

In addition, under PPACA, payment of a kickback automatically constitutes a false claim.

“So not only would you be convicted of a kickback but also an FCA violation,” Thiel says. “It's a double-whammy.”

Sunshine Stipulations

Starting in 2012, pharmaceutical and medical device companies will be required to record any payments made to doctors and hospitals, with the initial disclosure due in 2013. Several states already have similar regulations–Massachusetts' being notably strict–that allow patients access to information about their doctors' financial relationships. Called Sunshine Laws, the provisions are geared to expose conflicts of interest.

“If you want to go to Doctor X., you can go online and see whether XYZ pharmaceutical company has them on their payroll, or is giving them money for being a speaker or doing research,” says Michele Adelman, counsel at Foley Hoag and a former prosecutor.

In addition to civil penalties for errors in required reporting, there will be criminal penalties if a provider intentionally makes false statements. But the more troubling aspect for companies is the new data category it hands to investigators.

“It opens up a whole new avenue,” Adelman says. “It could possibly be a springboard for investigations under the False Claims Act and other traditional health care fraud investigations.”

Previously, investigators had to subpoena such data, and crunch it to reveal improper payments. That process can almost be automated under a Sunshine Law.

“You're going to see efforts to computerize the fraud control process, so that it's not a matter of having to go and get medical records, and look at files or at a lot of elaborate financial records,” Thiel says. “They're going to push buttons that link a physician to a referral to a hospital to the product to be ordered. [Investigators and prosecutors] will be able to do a data analysis and find problems without engaging in some of the elaborate discovery that has always characterized health care investigations.”

The bottom line is that under PPACA data will be more readily available to prosecutors than ever, criminal thresholds lower and penalties markedly higher. The compliance message to corporate counsel is unequivocal.

“The government is going to use these fraud and enforcement mechanisms as a revenue generation tool, and your best defense is increased attention on the front end,” Vernaglia says. “It's significantly more cost effective to have good compliance infrastructure in place in advance of a problem, as compared to paying lawyers to defend you after the problem arises.”