By Donielle McCutcheon and Corbin T. Santo
Healthcare technology (healthtech) companies are pushing new frontiers in the development of disruptive technologies to improve patient health and enhance the efficient delivery of healthcare items and services. Their efforts are fueling interest among investors and others seeking to capitalize on solutions to the healthcare industry’s most vexing challenges. However, in their quest to speed novel products and services to market, early-stage healthtech companies often overlook critical legal and compliance considerations. These shortcomings, once discovered, can impact the companies’ ability to secure investors and customers, risking their valuation and, potentially, their future viability.
Healthtech company executives are often surprised to learn of the myriad federal and state laws, regulations, and guidelines to which their company may be subject, particularly where the company does not have a patient-facing product or solution. However, even healthtech companies that market items or services that are not used in direct patient care and/or that do not directly submit claims for payment to healthcare payors, such as Medicare, Medicaid, and commercial insurers, are often still within the purview of the healthcare fraud and abuse laws. As such, companies that assume they are not subject to these laws and, as a result, do not take steps to comply, take on potentially significant legal risk, which can deter investors and potential customers. By contrast, companies that proactively address their compliance with healthcare fraud and abuse laws can strengthen their competitive position.
Key Federal Healthcare Fraud and Abuse Laws that May Apply to Healthtech Companies
While a number of healthcare laws can apply to a company, depending on the technology, healthtech company executives should be familiar with two key federal fraud and abuse statutes at a minimum. The first is the federal Anti-Kickback Statute (AKS), a criminal anti-bribery statute that makes it illegal for any person to knowingly offer or accept anything of value in return for referring or recommending any items or services that may be reimbursed by Medicare, Medicaid, or another federally-funded healthcare program. Violations of the AKS are punishable by imprisonment and/or fines and can result in exclusion of an entity or individual from participating in the federal healthcare programs. Exclusion effectively prohibits an individual or entity from doing business with (including receiving payment from) any federal healthcare program. Since federal healthcare programs like Medicare and Medicaid are significant payers in the U.S. healthcare market, exclusion can often amount to a death sentence for a company. Healthcare providers that employ or contract with excluded individuals or entities can be subject to civil monetary penalties. As a result, potential customers may refuse to contract with an excluded company, or with a company that fails to adequately screen its personnel, out of concern that an arrangement may present legal risk to the customer under applicable federal healthcare program and/or contractual requirements.
The second statute is the federal False Claims Act (FCA). The FCA penalizes any person who knowingly submits, or causes the submission of, a false claim for payment or approval to the federal government. FCA violations may result in significant per-claim civil penalties (up to $22,363 per claim submitted), plus up to three times the actual damages sustained by the government as a result of a violation. Like the AKS, FCA violations can also result in exclusion from participation in the federal healthcare programs. In addition, any items or services “resulting from” a violation of the AKS constitute “false or fraudulent claims” that can form the basis for an action under the FCA. Many states have also enacted statutes similar to the AKS and FCA, which may be broader than the federal laws and provide independent bases for potential liability.
These laws are very broad. In the case of the AKS, the government has taken the expansive position that the AKS applies to arrangements involving products and services whose costs are claimed, directly or indirectly, on any federal healthcare program cost report or claim, even as overhead expenses. Thus, under the government’s theory, healthtech companies whose products and services are sold to customers that submit Medicare cost reports (including most hospitals) are subject to the AKS. Examples of products and services whose costs could be claimed on a Medicare cost report include, among many others, software solutions marketed to hospitals that leverage data to improve operational efficiencies or that facilitate compliance with quality improvement, patient safety, or other regulatory requirements.
While AKS violations can result in liability under the FCA, healthtech companies should also be sensitive to the risk of direct FCA exposure. For example, healthtech companies can face FCA risk because of direct contractual arrangements with the federal government (such as vendor pricing agreements with the Department of Veterans Affairs or the Department of Defense). Similarly, FCA liability can arise if companies are viewed as “causing” a customer or other person to submit false claims for payment by the federal government by, among other actions, misrepresenting the capabilities of their products and services. In fact, the U.S. Department of Justice has entered into several FCA settlements with healthtech companies in recent years.
Proactively Addressing Healthcare Fraud and Abuse Compliance Can Give Companies a Competitive Edge
In today’s competitive healthcare marketplace, it is critical that healthtech executives can demonstrate their company’s value to prospective investors and customers. A critical component of that value proposition, particularly for investors, is the company’s ability to successfully market its products and services in compliance with applicable healthcare fraud and abuse laws. Likewise, customers have an interest in ensuring that contractual arrangements with healthtech companies do not present undue compliance risk to their organizations.
Unfortunately, compliance shortcomings can sometimes surface at critical junctures in the life cycle of a healthtech company. For investors, learning of unknown compliance risks during due diligence can sow doubt about the company’s ability to meet financial projections and can ultimately thwart the deal. Potential customers may express similar reservations about contracting with a company if they learn it is ill equipped to satisfy common contractual and other compliance obligations because it lacks core compliance capabilities. In these situations, healthtech companies risk damaging their attractiveness to potential investors and customers, which can have untoward effects on the companies’ financial performance and long-term viability.
Strategies to Reduce Risk and Increase Future Viability
A healthtech company’s strategic plan should include evaluating and addressing healthcare fraud and abuse compliance. To have the greatest impact, healthtech executives should consider employing the following strategies early in the company’s life cycle. Doing so as part of a broader effort to ensure their company has an appropriate handle on compliance can have a differentiating impact on the company’s ability to demonstrate to investors and customers alike that it can thrive in the heavily regulated healthcare marketplace.
- Conduct a risk assessment to determine the healthcare fraud and abuse laws to which the company may be subject. Healthtech companies should understand whether and, if so, how their products and services are reimbursed by payors, including federal healthcare programs, such as Medicare and Medicaid, as third-party coverage and reimbursement is the hook for the applicability of most healthcare fraud and abuse laws. This analysis may require the company to engage a consultant and/or legal counsel to analyze applicable federal healthcare program coverage and reimbursement requirements. The company may also consider surveying customers (including prospective customers) to understand whether and, if so, how the costs of its products and services may be reported to federal healthcare programs. Using this information, the company should identify applicable healthcare laws and stratify potential compliance risks.
- Develop an effective corporate compliance program tailored to address the company’s specific compliance risks under applicable healthcare laws. Guided by the results of the risk assessment, the company should develop and implement a corporate compliance program, tailored to address the company’s compliance with applicable healthcare laws. The Department of Health and Human Services, Office of Inspector General, the government agency responsible for enforcing the AKS, has published compliance program guidance that is a helpful resource to companies in the healthcare industry.
- Ensure that the company’s contractual arrangements with customers, vendors and consultants include key terms to address compliance with applicable healthcare laws. Based on the results of its risk assessment, the company should review its existing customer, vendor and consultant contracts and consider amendments to ensure compliance with applicable healthcare laws. As a proactive compliance practice, the company should also regularly review and update such agreements, as necessary, to comply with evolving legal requirements.
This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. The content therein does not reflect the views of the firm.