WHITE COLLAR UPDATE:
HEALTH CARE PROSECUTIONS, SARBANES-OXLEY & THE PERFECT
By Ronald H. Levine, Esq.
Post & Schell, P.C.
PLUS Medical PL Symposium
March 31, 2004
RONALD H. LEVINE, ESQUIRE
Mr. Levine is a partner at the Philadelphia-based law firm of Post & Schell, P.C., heading
its White Collar Defense, Corporate Compliance and Risk Management Group. He has received
a B.S. in economics summa cum laude from the University of Pennsylvania Wharton School
(1974), an M.Phil. in sociology from Oxford University (1976) and a J.D. cum laude from
Harvard Law School (1981).
Mr. Levine concentrates his practice on assisting corporations and other enterprises that
are potential victims of economic crime or subject to government regulation and potential
investigation. He coordinates and conducts internal corporate investigations of alleged
misconduct, abuse or fraud, assists in the formulation of compliance plans, and helps track and
respond to government investigations. Mr. Levine also advises and defends enterprises,
directors, officers and other professionals accused of misconduct at criminal or civil trials and on
Prior to joining Post & Schell, Mr. Levine was Chief of the 80-prosecutor Criminal
Division of the United States Attorney’s Office for the Eastern District of Pennsylvania where he
prosecuted and supervised prosecutions of fraud involving health care, tax, securities, insurance,
government contractors, financial institutions and computers as well as prosecutions of public
corruption and domestic terrorism.
Familiar with a wide range of law enforcement agencies, including the FBI, IRS, SEC, Postal
Inspection Service and Offices of Inspector General, Mr. Levine has taught or lectured on white
collar crime, criminal procedure or trial advocacy at Temple University School of Law, the
University of Pennsylvania Law School, the Wharton School and at CLE programs hosted by the
ABA White Collar Crime Section, AHLA-HCCA Fraud & Compliance Forum, Institute on
Federal Program Fraud and Philadelphia Bar Association . He has written for AHLA Members
Briefing, Corporate Compliance Officer, Business Crimes Bulletin (editorial advisory board),
Strategies for Corporate Compliance, Briefings On Long Term Care Regulations, Attorney-CPA
Update, and Transport Topics and appeared on the "Law Journal" and Comcast SportsNet
Mr. Levine is an appointed member of the Homeland Security Advisory Committee to the
Pennsylvania Commission on Crime and Delinquency. He also serves on the AHLA Sarbanes-
Oxley Act Task Force and recently co-authored the AHLA’s member briefing on “A New Day
for Healthcare Organizations: Sarbanes-Oxley Certification Requirements, Compliance and
Mr. Levine can be reached at 215-587-1071 or RLevine@PostSchell.com.
For potential white collar defendants, the conditions
for a perfect storm exist: heightened public
attention, stiffer and more expansive criminal laws,
more severe sentencing guidelines, more stringent
appellate review, and the Department of Justice
emphasizing a “get tough” attitude through its
practices and policies.1
I. THE SARBANES-OXLEY ACT OF 2002
On July 30, 2002, after a spate of corporate scandals, President Bush signed the Sarbanes-Oxley
Act (SOA).2 Ostensibly aimed at publicly owned corporations, one of the primary goals of the
SOA is to increase the financial transparency and accountability.
Many provisions of the SOA, including its financial certification provisions, specifically apply to
public corporations which would include, of course, publicly traded healthcare providers,
pharmaceutical manufacturers, managed cared organizations, and the like. Some provisions of
the SOA, however, also apply to privately owned entities, including not-for-profit healthcare
corporations. These include SOA criminal provisions concerning obstruction of justice3 and
whistleblower retaliation.4 SOA provisions also include new conflict of interest restrictions for
public accounting firms5 and oblige the SEC to promulgate standards for auditing an
organization’s internal financial controls.6 These firms may also audit or perform work for non-
publicly traded healthcare organizations, so these SOA regulations will also impact private
Other governance provisions of the SOA inevitably will be applied de facto, due to market
pressures, or de jure, due to enhanced state regulation, to not-for-profit healthcare institutions.
Indeed, the Attorneys General for New York and Massachusetts already have proposed state
legislation that adopts SOA-type requirements regarding audits, related party disclosures,
financial and internal controls certifications, audit committees and whistleblower retaliation.7
A. Healthcare and the SOA
The healthcare industry has long had a role in the corporate governance debate.
See Levine, R. and Short, J., A New Day for Healthcare Organizations: Sarbanes-Oxley Certification
Requirements, Compliance, and Exposures at 32, AHLA Members Briefing (Jan. 2004).
The Sarbanes-Oxley Act of 2002, H.R. 3763, 107th Cong. (2002).
18 U.S.C. §§ 1519 (SOA § 802).
18 U.S.C. § 1513(e) (SOA § 1107); see also 18 U.S.C. § 1514A (SOA § 806–civil whistleblower protection
15 U.S.C. § 78j-1(g) (SOA § 201).
15 U.S.C. § 7262 (SOA § 404). .
See, e.g., New York Attorney General Spitzer’s proposal, available at:
The Caremark case, as well two subsequent major accounting scandals in the healthcare sector,
actually arose between 1995 and 2000. This was well before Enron et al. were even a gleam in
the eye of the fed’s Corporate Fraud Task Force.8
Caremark International, Inc. provided alternative site healthcare services (e.g., home infusion)
and operated a managed-care prescription drug program. In 1994, Caremark was indicted on
charges of violating the Medicare Anti-Kickback Statute. The company eventually pleaded guilty
to a single count of mail fraud. The well-known Caremark opinion arose out of a motion to the
Court of Chancery of Delaware to approve a settlement of a parallel shareholder derivative suit
involving claims that Caremark’s board of directors had breached its fiduciary duty to the
In assessing the proposed settlement, the court noted that in theory a board could be held liable
for a failure to monitor. The court found that a corporate board must exercise good faith
judgment and assure itself that “the corporation’s information and reporting system is in concept
and design adequate to assure the board that appropriate information will come to its attention in
a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”9
Thus the concept of adequate internal control and reporting systems, and the board’s
responsibilities in that regard, were highlighted by the Caremark case. The opinion has had a
broad influence on corporate board governance both within and outside the healthcare sector.
Two subsequent healthcare accounting scandals concerned the collapse of the not-for-profit
Allegheny Health, Education and Research Foundation (AHERF) hospital system, and the
mammoth earnings restatements of the publicly traded Rite Aid Corporation.
In 1997, AHERF was the largest not-for-profit healthcare organization in Pennsylvania. In July
of 1998, AHERF filed for bankruptcy protection with over $1 billion in liabilities. Allegations of
misrepresentations of income in financial statements quickly surfaced.10 In April of 2000,
AHERF’s CEO was prosecuted criminally by the Pennsylvania Attorney General, pleaded no
contest to the charge of misappropriating entrusted property, and was sentenced to 11½ to 23
months in prison.11 A month later, without admission of liability, AHERF’s CFO and other
senior AHERF officials settled civil fraud allegations with the SEC regarding AHERF’s financial
statements and disclosures.12
The Corporate Fraud Task Force, created by Executive Order #13271 on July 9, 2002, combines the efforts of the
Departments of Justice and Treasury, the SEC, and other agencies, and takes credit for over 250 corporate fraud
convictions. Task Force achievements are available at: http://www.usdoj.gov/dag/cftf/cases.html.
In re Caremark International, Inc., 698 A.2d 959, 970 (Del. Ch. 1996).
See Weinstein, S., “Speech by SEC Staff: Understanding AHERF: Observations on the Recent Settlement
Involving Allegheny Health, Education and Research Foundation,” (Aug. 1, 2000), available at: www.sec.gov/news/
Commonwealth of Pennsylvania v. Abdelhak, Misc. Docket. No. 406 (Allegh. Co. Crim. Div. April, 2000).
3. Rite Aid
In the summer of 2000, Pennsylvania-based Rite Aid Corporation, a large retail pharmacy chain,
restated its earnings by $1.6 billion, then the largest earnings restatement in United States history
(later topped by WorldCom and others). Ensuing federal prosecutions of Rite Aid senior
management related to, among other things, allegedly fraudulent disclosures to the SEC and
obstruction of justice.13 This investigation has resulted in the convictions of Rite Aid’s former
CEO, CFO, CLO, and other managers. They await sentencing.
B. Post-SOA Healthcare Prosecutions
Federal enforcement activity after the SOA’s enactment indicate that healthcare institutions–and
the executives that manage them–fall within the corporate governance spotlight and are not
immune from criminal prosecution.
1. United Memorial Hospital
In January of 2003, the not-for-profit United Memorial Hospital in Michigan signed a federal
guilty plea agreement, admitting to fraud in connection with the alleged over utilization of pain
management surgical procedures, one of which resulted in the death of a patient. Sentencing has
been deferred. It is possible that United Memorial’s guilty plea will be expunged in the future.14
However, the allegations contained in United Memorial’s plea agreement15 read like a primer on
corporate governance “not-tos” from the board on down. Systems for information reporting,
internal audit and investigation, conflict of interest disclosure, and responding to complaints all
were called into question.
2. Alvarado Medical Center
In July of 2003, the for-profit Alvarado Hospital Medical Center, Inc., along with Alvarado’s
parent system and its CEO, were indicted on federal criminal charges concerning alleged
violations of the Medicare Anti-Kickback Act in connection with alleged physician recruitment
policies.16 The transparency of the hospital’s recruitment practices and the board’s role, if any, in
sanctioning such practices no doubt will surface as issues, as this case progresses through the
criminal justice system. The merits of the case are as yet unresolved, and the defendants must be
presumed innocent. However, this prosecution reaffirms that the Department of Justice will
prosecute entities and their officers and directors in what it deems to be appropriate cases.
See SEC v. McConnell and Morrison, CA No. 00-CV-2261 (E.D. Pa., May 2, 2000); In re Adamczak, CPA,
Exchange Act Release No. 42743 (May 2, 2000); In re Spargo, CPA, Exchange Act Release No. 42742 (May 2,
United States v. Grass, Bergonzi, Brown, Sorkin, 1:Cr-02-146-01 (W.D. Pa., June 21, 2002).
A $1.05 million fine levied on United Memorial, however, will not be expunged. By virtue of an October, 2003,
settlement agreement, $500,000 will be directed to fund indigent care programs, and the remainder will be paid to
the government over two years. BNA Highlights, Oct. 8, 2003; Oct. 8, 2003, telephone conversation with United
States Attorney’s Office (W.D. Mich).
United States v. United Memorial Hospital, No. 1:01-CR-238 (W.D. Mich., Jan. 8, 2003).
United States v. Tenet HealthSystem Hospitals, Inc., Crim. No. 03-CR-1587 (S.D. Cal., July 17, 2003).
The federal criminal investigation of HealthSouth, one of the nation’s largest healthcare services
providers, operating hospitals and outpatient surgery, diagnostic imaging, and rehabilitative
facilities nationwide, is ongoing. The investigation is focused on allegations that, in an effort to
“manage earnings” to meet the earnings-per-share expectations of Wall Street analysts,
HealthSouth management conspired to inflate assets and overstate earnings by $2.7 billion17
through false and delayed accounting entries and bogus transactions.18
To date, federal criminal charges have been filed against sixteen former HealthSouth
executives,19 including HealthSouth’s former CEO and chairman of its board.20 For the very first
time, the government has brought criminal charges based on the SOA financial statement
certification provision.21 HealthSouth’s former CEO and three former CFOs have been charged
with, among other things, certifying to materially inaccurate reports of financial conditions and
results of operations contained in HealthSouth quarterly reports (Form 10-Q) to the SEC.22
Fifteen executives charged to date have pleaded guilty, including all five of the CFOs in the
history of HealthSouth. Sentences have been imposed on some relatively lower level executives
ranging from probation with fines and restitution to five months in jail. The CEO’s trial presently
is schedule to commence later this year. Whether this criminal probe will stop in the higher
reaches of HealthSouth’s former management or extend even further into the board room is
In June of 2003, AstraZeneca Pharmaceuticals LP of Wilmington, Del., agreed to pay a $355
million fine to resolve criminal charges and civil liabilities stemming from an alleged illegal
marketing and pricing scheme involving a drug to treat prostate cancer, Zoladex. The case arose
out of a qui tam law suit and was prosecuted by the United States Attorney’s Office for the
District of Delaware.
As part of a plea agreement, AstraZeneca Pharmaceuticals agreed to pay a fines: for violating the
Prescription Drug Marketing Act as a result of the provision of free drug samples which were
Note that to the extent any alleged fraudulent activity affected the books and records of individual HealthSouth
facilities, the veracity of the Medicare and Medicaid cost reports submitted by these facilities may also be
implicated. To date, however, no criminal Medicare or Medicaid fraud-related charges have been filed.
See, e.g., United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003).
The HealthSouth investigation can be tracked on the Web site of the U.S. Attorney’s Office for the Northern
District of Alabama, available at: http://www.usdoj.gov/usao/aln/.
United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003). The government is seeking
$278 million in forfeiture from the defendant. The SEC also has filed a civil suit against HealthSouth’s former CEO
and board chairman alleging a scheme to inflate profits. SEC v. HealthSouth and Scrushy, CA No. CV-03-J-0615-S
(N.D. Ala. 2003).
18 U.S.C. § 1350 (SOA § 906).
See United States v. Scrushy, Crim. No. CR-03-BE-0530-S (N.D. Ala., Oct. 29, 2003); United States v. McVay,
Crim. No. 03-CR-195 (N.D. Ala., April 23, 2003); United States v. Owens, Crim. No. 03-CR-131 (N.D. Ala., Mar.
26, 2003); United States v. Smith, Crim. No. 03-CR-126 (N.D. Ala., Mar. 19, 2003).
billed to medicare; to resolve charges that it caused false claims to be filed with the Medicare,
TriCare, Department of Defense, and Railroad Retirement Board programs as a result of its
fraudulent pricing and marketing of Zoladex; to the state governments to settle civil claims that it
failed to provide state Medicaid programs with its best price for its drug, as required by law; and
for inflating the price of Zoladex reported to Medicare as a basis for reimbursement, while
"deeply discounting” the actual price charged to the physicians.
The settlement also resolved civil allegations that AstraZeneca offered other improper
inducements to doctors, such as educational grants, travel and entertainment, consulting services,
business assistance grants, and honoraria. AstraZeneca also agreed to the terms of a Corporate
Integrity Agreement (CIA), which provides for close scrutiny of its marketing and sales practices
for five years.
In December of 2003, the United States Attorney for the Eastern District of Pennsylvania filed an
amended complaint under the False Claims Act and Anti-kickback Statute against Merck-Medco
Managed Care L.L.C., Medco Health Solutions, Inc. and several executives.23 The complaint
alleges a variety of misconduct conduct on the part of its mail order pharmacies including
favoring more expensive Merck drugs, “shorting” pill quantities, and cancelling prescriptions to
avoid delay penalties. Again, this matter was initiated by a qui tam filing.
6. Ernst & Young
In January of 2004, the United States Attorney for the Eastern District of Pennsylvania filed a
complaint against the accounting firm of Ernst & Young, L.L.P. under the False Claims Act and
under unjust enrichment and payment by mistake theories.24 According to the complaint, nine
hospitals paid Ernst & Young for billing advice – advice which allegedly later caused the
submission of false claims to the Medicare program. The complaint alleges that 200,000 claims
for payment for outpatient clinical laboratory tests were billed to Medicare. The government
seeks to recover more than $900,000 in damages resulting from laboratory payments improperly
claimed and received by the nine hospitals.
This suit is notable for two reasons. First, it attacks a so-called “gatekeeper” – a CPA consultant
ostensibly hired to look into a client’s behavior and advise it on a course of action. Second, as
regards the government’s expected proof of “state of mind,” it charges the gatekeeper with
keeping itself “deliberately ignorant” of the facts.
United States v. Merck-Medco Managed Care, L.L.C. et al., No. 00-CV-737 (E.D.Pa. Dec. 9, 2003).
United States v. Ernst & Young, L.L.P., (E.D.Pa. Jan. 5, 2004).
II. SARBANES-OXLEY ACT: RIPPLE EFFECTS
A. Obstruction of Justice
The SOA significantly expands the government’s ability to charge obstruction of justice for
actions committed after July 30, 2002.25 Most importantly, the broad wording of Section 1519 of
Title 18 does not appear to require that a federal investigation actually be pending, known about,
or even expected at the time of the alleged obstruction. Rather, the knowing destruction or
alteration of documents “in contemplation of” the “proper administration of any matter” before
“any” federal agency can constitute obstruction. Of course, the “administration of a matter”
before a federal agency can occur long before a civil or criminal investigation commences.
B. Whistleblower Retaliation26
Less well known is the sweeping, criminal SOA whistleblower law, located in the obstruction of
justice chapter of Title 18, as well as a related SOA civil anti-retaliation statute. The new
criminal statute provides:
Whoever knowingly, with the intent to retaliate, takes any action harmful to any person,
including interference with the lawful employment or livelihood of any person, for
providing to a law enforcement officer any truthful information relating to the
commission or possible commission of any Federal offense, shall be fined under this title
[$250,000] or imprisoned for not more than 10 years, or both.27
Consider the sweep of this criminal statute which, incidentally, also constitutes a predicate act
for criminal and civil RICO. On its face, it applies to: (a) any harmful action; (b) targeting any
person; (c) who provides any quantum of truthful information to law enforcement; (d) about the
possible commission; (e) of any federal crime.
Physical harm to a witness or an informant has long been the subject of a criminal retaliation
statute.28 Yet short of physical harm, retaliation and employment issues usually have been the
stuff of civil, not criminal, remedies. Moreover, anti-retaliation statutes usually have been
confined to persons blowing the whistle on particular types of suspect activity, particular sectors
of the economy or government employees. The SOA provision covers anybody in any sector of
the economy, public or private.
The False Claims Act (FCA) already provides that employees discriminated against for assisting
a qui tam investigation or litigation can bring a civil action and “shall” be “made whole” via
18 U.S.C. § 1519.
For a more complete discussion of this issue, see Levine, R. and Ostrelich, M., Whistleblower Retaliation Under
Sarbanes-Oxley: It’s A Crime!, 10 BUSINESS CRIMES BULLETIN 4 (May 2003).
18 U.S.C. § 1513(e) (italics added); see 18 U.S.C. §§ 3571(b)(3), (c)(3) ($500,000 fine for a corporation).
18 U.S.C. § 1513.
reinstatement, double back pay, special damages and attorneys’ fees.29 Since the FCA has a
criminal counterpart (18 U.S.C. § 287) a qui tam relator’s information arguably relates to the
possible commission of a federal crime as well. Thus the relator, and the government, now have
additional leverage. They can claim that an adverse employer action amounts to Section 1513(e)
C. Financial and Internal Controls Certification
The government has long been able to prosecute financial fraud under the criminal false
statements statute, and under the mail, wire, bank, healthcare, and securities fraud statutes.
individual liability within a corporation, however, is not easy to prove. Good faith reliance on
others–subordinates, peers, accountants, and lawyers–can negate the knowledge, intent to
defraud, willfulness, or scienter necessary to prove most of these crimes.
The SOA financial statement certification provisions30 are important for several reasons. They
act to put CEOs and CFOs on notice of the importance of assuring the integrity of the entity’s
financial reporting mechanisms. As a result, the provisions can give regulators, agents, and
prosecutors a more direct way of reaching a CEO and CFO who might otherwise be insulated
Plainly, a true mistake would not rise to the level of a knowing certification, much less one
submitted willfully. Similarly, if one truly is misled about material facts as to which a
certification later is submitted, then he or she cannot have the requisite knowledge to sustain a
conviction. Finally, good faith reliance on an expert, to whom all relevant facts have been
disclosed, may still be a defense to a false certification charge.31
However, by requiring CEOs and CFOs to certify to the adequacy of financial and disclosure
controls, as well as to certify to the material fairness and accuracy of financial statements and
reports of operations, Congress may have been seeking to undercut traditional white collar
defenses centering on an executive’s mistake, insulation from the alleged bad acts of
subordinates, or reliance on others, including experts.
It has long been the law that reckless disregard of the truth or conscious avoidance of the truth
can make out the knowledge necessary to sustain a criminal conviction.32 The SOA’s implicit
due diligence requirements in combination with the doctrine of reckless disregard makes all of
those knowledge and state of mind defenses that much harder to sustain. To the extent corporate
officers do not make a concerted effort to ask the right questions and to document that those
questions were asked and how they were answered, they may find themselves the subject of a
reckless disregard allegation.
31 U.S.C. § 3730(h).
18 U.S.C. § 1350; 15 U.S.C. § 7241.
See, e.g., United States v. Johnson, 730 F.2d 683 (11th Cir.), cert. denied, 469 U.S. 857 (1984) (§ 1001 false
See, e.g., United States v. Puente, 982 F.2d 156 (5th Cir.), cert. denied, 508 U.S. 962 (1993) (§ 1001 false
D. Tax Exempt Bond-Related Disclosure Fraud
Congress has exempted municipal securities offerings from the registration requirements of the
Securities Act of 1933 and from the reporting requirements of the Securities Exchange Act of
1934.33 Thus, the SOA certification provisions are not directly applicable to municipal bond
issuers and obligated entities.34 However, municipal securities transactions are still subject to the
prohibitions of general commercial anti-fraud statutes as well as to the anti-fraud provisions of
the 1933 and the 1934 Securities Acts.35
Not-for-profit entities, and occasionally for-profit affiliates, in the healthcare sector sometimes
become involved in tax-exempt financings as the users of bond proceeds and the source of
repayment, e.g., AHERF. These are referred to as “conduit bonds” or “conduit financings,”
defined as “municipal securities [that] are issued by a state or local government for the benefit of
a private corporation or other entity that is ultimately obligated to pay such bonds.”36 The
obligation to provide full and honest financial disclosure by the third party healthcare entity to
bond issuers and brokers can create a basis for allegations of fraud, both at the point of initial
offering and in the secondary market.
In 1995, the SEC amended its municipal securities disclosure securities rule, Rule 15c2-12, to
effectively require, with some exceptions, hospital systems and other organizations borrowing
the proceeds of tax-exempt debt, and obligated on that debt, to make annual disclosures37 of
financial statements and significant events available to bondholders and potential investors.38
Materially false representations in these Rule 15c2-12 disclosures expose the entity to a Rule
10b(5) prosecution for fraud and deceit in connection with the sale of securities or to prosecution
under more general fraud statutes.39
See 15 U.S.C. §§ 77c(a)(2), 78(a)(29).
See Peregrine, M., Horton, W., & Libby, J., The New Corporate Responsibility Law: How it Affects Health Care,
11 BNA HEALTH LAW REPORTER 34 at 1231 n.3 (Aug. 22, 2002).
See S. Weinstein, “Understanding AHERF: Observations on the Recent Settlements Involving Allegheny Health,
Education and Research Foundation” at 4 (Aug. 1, 2000), available at: www.sec.gov/news/speech/spch406.htm.
SEC Release Nos. 33-7049, 34-33741 at 17 (Mar. 9, 1994) (quoting Government Finance Officers Association
Disclosures are made to four Nationally Recognized Municipal Securities Information Repositories (MSIRs).
Three states, Texas, Michigan, and Ohio, have their own repositories. Lists and addresses are available at:
17 C.F.R. § 240.15c2-12(b)(5); for background, see SEC Release No. 34-34961 (Nov. 10, 1994).
See, e.g., In the Matter of the City of Miami, Securities Act of 1933, Rel. No. 8213 and Securities Act of 1934,
Rel. No. 47552 (March 21, 2003), Admin. Proc. File No. 3-10022.
Privately held or not-for-profit healthcare companies no doubt will be touched by the ripples of
SOA. Pressure for due diligence, if not outright certification, will result in similar obligations in
the private sphere. The pressure is likely to come from a variety of sources:
• Board members, more conscious of their own potential exposures, are pushing CEOs and
CFOs for tighter internal compliance regimes and certifications.
• State attorneys general and legislatures are recognizing that the policies served by the SOA
apply to all organizations, whether they are profit-driven or mission-driven.
• Bond dealers, investment banks, lenders, and bond rating services are demanding that SOA-
type standards be put in place to protect and to help accurately gauge the risk of investments.
• Underwriting requirements from Directors and Officers (D&O) liability insurers are
becoming more demanding and tracking SOA standards in order to minimize insurers’ risk of
• Auditors are seeking more stringent SOA-related representations and warranties from
management in order to limit their gatekeeper liability.
• A sensitized IRS40 likely will look to enforce more strictly intermediate sanctions41 to hold
tax exempt organizations to SOA-type standards of behavior.
See IRS Exempt Organizations Office To Boost Compliance Efforts in 2004, 8 BNA HEALTH CARE DAILY REPORT
241, Dec. 16, 2003.
26 U.S.C. § 4958.
III. HIPAA “DATA TRADE”42
HIPAA essentially makes “protected health information” contraband in much the same way as
information protected by statutes aimed at insider information, computer hacking, identity theft,
credit/debit card fraud, trade secret theft and economic espionage.
Found in Title 42, this provision of the HIPAA statute provides that:
A person who knowingly and in violation of this part --
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information
relating to an individual; or
(3) discloses individually identifiable health information to
another person,…shall be…fined not more than $50,000,
imprisoned not more than 1 year, or both…43
“Individually identifiable health information” (protected health information or PHI for short)
includes demographic and other information collected from an individual by a health care
provider or plan that relates to the “health, condition, care, or payment for care of that individual
and which either identifies that individual or from which there is a reasonable basis to believe
that individual can be identified.”
If the crime is committed under false pretenses, maximum penalties increase to five years in jail
and a $100,000 fine. If committed with the intent to “sell, transfer, or use individually
identifiable health information for commercial advantage” or “personal gain,” maximum
penalties are further upped to ten years in jail and a $250,000 fine.
A relatively lenient civil enforcement provision also was enacted. It imposes a $100 penalty per
violation, capped at $25,000 for identical violations during a calendar year.44 The civil provision
also exempts those who did not reasonably know that they had violated the Act and those who
failed to comply due to a reasonable cause and who promptly cure.
A. The “Data Trade”
Huge amounts of computerized patient health care information is created by health care
providers and health benefit plans. Providers and plans in turn do business with data
clearinghouses, pharmacy benefits managers (PBMs) and commercial claims processors. The
acquisition from one or more of these “downstream” data handlers of large amounts of patient
health information, which is then aggregated, stored, analyzed and held for commercial sale
For a more complete discussion of this issue, see Levine, R., HIPAA: Data Trade Prosecutions on the Horizon?,
10 Business Crimes Bulletin 9 (Oct. 2003).
42 U.S.C. § 1320d-6.
42 U.S.C. § 1320d-5(a)(1).
constitutes the “data trade.” Buyers of this aggregated data use it for everything from research or
marketing to insurance underwriting.
Business associates may receive PHI from HIPAA-covered entities (CE) solely for the purpose
of providing processing, actuarial, data aggregation or other services to or on behalf of that CE.45
In the case of a business associate providing “data aggregation” services, HHS intends that the
business associate receive PHI from several CEs with which it has relationships “in order to
permit the creation of data for analyses [e.g., quality assurance and comparative analysis] that
relate to the health care operations of the respective covered entities.”46 In other words, HHS
may take the position that data aggregation by a business associate must be of some use or relate
to the CE.
A carelessly drafted business associate contract, or reckless disregard of what the business
associate actually is doing with PHI, could expose the covered health care entity to criminal (or
65 Fed. Reg. 82642, 82475 (Dec. 28, 2000).
65 Fed. Reg. 82642, 82475 (Dec. 28, 2000) (emphasis added).
IV. FEDERAL SENTENCING GUIDELINES
The federal sentencing guidelines create a matrix of imprisonment ranges with an “offense level”
(based on specified offense characteristics) on one axis and an offender criminal history score on
the other. Sentences must fall within the specified guideline range absent unusual factors, which
justify upward or downward departures from that range. For the fraud guideline, the driving
offense factor is actual or intended loss caused by the crime.47
The fraud sentencing guidelines were not exactly lenient pre-SOA. White collar offenders
constituted about 17.5% (10,471 individuals) of all the federal offenders sentenced in 2001,48 and
the average length of imprisonment for federal fraud offenses was 18.7 months.49 Nonetheless,
the SOA mandated that the United States Sentencing Commission review the guidelines for
obstruction of justice, accounting and financial fraud, and penalties for organizations.50
The Commission responded with “emergency” Guideline amendments effective January 25,
2003, and additional amendments that became effective on November 1, 2003. The fraud
guidelines have been boosted dramatically for offenses occurring after the effective date of the
particular guideline amendment. For example, the base offense level for fraud and false
certifications has been raised one level to an offense level seven, if the underlying crime has a
maximum prison penalty of twenty years or more.51 This will reach the new SOA crimes of
securities fraud, 18 U.S.C. §§ 1348, and willful false SOA § 906 certifications, 18 U.S.C. § 1350.
The effect of this seemingly small amendment is to narrow the availability of a pure “Zone A”
probation sentence, assuming a two-level credit for acceptance of responsibility, to frauds
causing losses of $10,000 or less rather than $30,000 or less as was previously the case.52
Similarly, a “Zone D” sentence of incarceration now is mandated if the fraud loss is more than
$70,000, whereas previously the fraud loss had to exceed $120,000 for a similar result.53
This revised fraud guideline also contains new offense level enhancements pegged to the number
of victims (over 10, 50, or 250)54 and to whether the solvency or financial security of a publicly
traded organization, or of one hundred or more victims, is substantially endangered.55 Note that
even in a “no loss” case, the Application Note to the fraud guideline encourages judicial and
prosecutorial consideration of “upward departures” from the offense level determined under that
guideline, where the level “substantially understates the seriousness of the offense.”56
U.S.S.G. at § 2B1.1(b).
United States Sentencing Commission, Office of Policy Analysis, 2001 Datafile, OPAFY01.
28 U.S.C. § 994 (Note) (SOA §§ 805, 994, 1104).
U.S.S.G. § 2B1.1(a) (eff. Nov. 1, 2003).
U.S.S.G. § 5B1.1(a).
U.S.S.G. § 5C1.1.
Id. at § 2B1.1(b)(2) (eff. Jan. 25, 2003).
Id. at § 2B1.1(b)(12) (eff. Nov. 1, 2003).
Id. at § 2B1.1, App. Note 16 (eff. Jan. 25, 2003).
At the same time that fraud guidelines are being boosted, guideline downward adjustments and
downward departures that once were available to white collar defendants are being cut back,
more stringent appellate review of such departures has been mandated, and the government’s
charging and plea bargaining policies have been made more restrictive:
(1) By direct Congressional amendment of the guidelines via the PROTECT Act,57 effective
April 30, 2003, and by Commission guideline amendments effective October 27, 2003, made
in response to the directives of that Act, a number of grounds for sentencing guideline
downward departures now are prohibited: “super-acceptance” of responsibility, minor role in
offense, gambling addiction, and repayment of legally required restitution. In addition, the
availability of departures based on family ties and responsibilities and on aberrant behavior
are limited.58 Defense counsel must be alert to ex post facto arguments based on the effective
date of the particular amendment at issue.
(2) On April 30, 2003, provisions of the PROTECT Act59 changed the applicable standard of
review on aspects of appeals from departures from the sentencing guidelines, including, of
course, government appeals from downward departures granted to white collar defendants.
The courts of appeals now are to review de novo a sentencing court’s application of the
guidelines to the facts to ensure that a downward departure is authorized under the law and
justified by the facts of the case.60 This is a big change from the prior “abuse of discretion”
standard.61 Courts have already begun to reverse downward departures in healthcare fraud
prosecutions that previously might have been upheld.62 Defense counsel should seek to pose
the issue on appeal as a finding of fact still subject to a clearly erroneous standard.63
(3) The Attorney General recently has directed federal prosecutors, with limited exceptions,
to charge, and accept guilty plea agreements to, only the most serious and readily provable
offense. In other words, there can be no charge bargaining;64 no fact bargaining with
defendants about issues affecting guideline offense level enhancements, e.g., amount of loss;
and prosecutors should rarely acquiesce in downward departures from the guideline range
other than for substantial assistance in the investigation and prosecution of another person.65
Therefore, if conviction seems likely, it behooves defense counsel to “get in early” to
negotiate a guilty plea agreement and guideline offense characteristics like loss, before what
See Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today (PROTECT) Act of 2003,
Pub. L. No. 108-21, 117 Stat. 650.
U.S.S.G. Amendments effective October 27, 2003, available at: www.ussc.gov/departure/draft_depart6.pdf.
PROTECT Act at § 401, Pub. L. No. 108-21, 117 Stat. 650; 18 U.S.C. § 3742(e) (amended eff. April 30, 2003).
18 U.S.C. § 3742(e) (amended eff. April 30, 2003).
Koon v. United States, 518 U.S. 81 (1996).
See, e.g., United States v. Thurston, 338 F.3d 50 (1st Cir. 2003) (reversing a downward departure to healthcare
fraud defendant that had been granted on grounds including extraordinary charitable and community service).
18 U.S.C. § 3742(e)(3)(C).
Memorandum from Attorney General Ashcroft, Department Policy Concerning Charging Criminal Offenses,
Disposition of Charges, and Sentencing (Sept. 22, 2003).
Memorandum from Attorney General Ashcroft, Department Policies and Procedures Concerning Sentencing
Recommendations and Sentencing Appeals (July 28, 2003).
is readily provable hardens into evidence that the prosecutor may not ignore. The dilemma is
that sometimes it is difficult to assess the risk of indictment and conviction in the early stages
of a government investigation.
A. Sentencing Organizations
The sentencing of corporations and other entities is also governed by the federal sentencing
guidelines.66 For fraud offenses, the court calculates the offense level as it would for an
individual defendant.67 A “base fine” would then be the greater of that called for by this offense
level calculation, the pecuniary gain to the organization, or the pecuniary loss caused by the
offense.68 A “culpability score” based on aggravating and mitigating factors is then calculated in
order to find “multipliers” to be applied to the base fine to generate the minimum and maximum
of the guideline fine range.69
Of note is that this culpability score is reduced if the defendant corporation had in place an
“effective program to prevent and detect violations of law” so long as high-level or compliance
personnel were not involved in the charged offense and the corporation did not unreasonably
delay reporting the offense to the government.70 An “effective program to prevent and detect
violations of the law” requires “at a minimum” that the organization exercise due diligence by
taking the following steps:
1. establish compliance standards and procedures,
2. assign high-level personnel to oversee compliance,
3. ensure that discretionary authority is not delegated to individuals with a propensity
for illegal activity (background screening),
4. effectively communicate to employees about compliance standards and procedures
5. take reasonable steps to ensure compliance with standards through monitoring,
auditing and reporting systems,
6. adequately and consistently enforce standards, including, as appropriate, discipline
for offenders, and
7. respond to infractions and take steps to prevent subsequent occurrences.71
U.S.S.G., Ch. 8 (eff. Nov. 1, 2002).
U.S.S.G. §§ 8C2.1(a), 8C2.3 (eff. Nov. 1, 2002).
U.S.S.G. § 8C2.4 (eff. Nov. 1, 2002).
U.S.S.G. §§ 8C2.5-8C2.8 (eff. Nov. 1, 2002).
U.S.S.G. § 8C2.5(f) (eff. Nov. 1, 2002).
U.S.S.G. § 8A1.2, App. Note 3(k)(1)-(7). These principles have become the foundation for the OIG Compliance
Guidance issued for various types of healthcare providers.
“The precise actions necessary for an effective program” will depend on factors including the
size of the organization, the risks attendant to the particular nature of the business, the
organization’s history, and applicable industry practice and government regulation.72
Further culpability score reductions are available for corporate self-reporting, cooperation, and
acceptance of responsibility.73 Conversely, as a condition of probation for recidivist entities or
those without compliance plans, the court may order the entity to develop and submit to the court
a program to prevent and detect violations of law, including a schedule for implementation,
communication to employees and shareholders, and unannounced site inspections.74
This emphasis on corporate compliance programs will not likely abate. Note that an ad hoc
advisory group to the federal Sentencing Commission recently issued a report recommending,
among other things, a separate guideline to define with more precision the components of an
“effective” compliance program, with an emphasis on organizational culture, leadership
responsibilities, compliance staff and resources, training and periodic evaluation, and ongoing
Id. at App. Note 3(k)(i)-(iii).
U.S.S.G. § 8C2.5(g) (eff. Nov. 1, 2002).
U.S.S.G. § 8D1.4(c) (eff. Nov. 1, 2002).
Report of the Ad Hoc Advisory Group on the Organizational Guidelines (Oct. 7, 2003), available at:
V. DOJ’s REVISED PROSECUTION POLICY
Whether or not a corporation will be charged federally is a judgment made by the prosecutor.
Federal prosecutors are guided in this decision by the DOJ’s recently revised policy directive on
“Federal Prosecution of Business Organizations.”76 This policy lists and explains nine factors
that are to go into the decision of whether or not to charge a corporation:
1. the nature and seriousness of the offense,
2. the pervasiveness of the wrongdoing within the corporation,
3. history of similar conduct including prior criminal, civil or regulatory actions,
4. timely and voluntary disclosure of wrongdoing to, and cooperation with, the
5. the adequacy of the corporation’s compliance program,
6. the corporation’s remedial actions,
7. collateral consequences of prosecution, e.g., to employees,
8. the adequacy of individual prosecutions, and
9. the adequacy of civil or regulatory remedies.77
Several points stand out. First, the government routinely expects voluntary disclosure and
cooperation. The government defines cooperation to include “if necessary, waiver of attorney-
client and work product protection” as to “the factual internal investigation and any
contemporaneous advice given to the corporation concerning the conduct at issue.”78 While a
waiver to be an “absolute requirement” of cooperation, it is “one factor in evaluating the
corporation’s cooperation” and thus in deciding whether to charge the entity.79 (Another factor in
the government’s evaluation of cooperation is whether or not the company is indemnifying target
individuals or is otherwise seen to be protecting culpable employees.80)
Second, the existence and adequacy of a corporate compliance plan is paramount. The DOJ
policy cites the Caremark case and goes on to provide:
Prosecutors should . . . attempt to determine whether a corporation’s compliance
program is merely a “paper program” or whether it was designed and
implemented in an effective manner . . . . [P]rosecutors should determine whether
the corporation has provided for a staff sufficient to audit, document, analyze, and
utilize the results of the corporation’s compliance effort. In addition, prosecutors
Department of Justice, Federal Prosecution of Business Organizations, Criminal Resource Manual § 162 (Jan. 20,
2003), available at: www.usdoj.gov/dag/cftf/corporate_guidelines.htm.
Id. at § II (A).
Id. at §§ II(A)(6), VI(B) n.3.
Id. at § VI(B).
Id. at §VI(B). Some states by law require corporations to pay the legal fees of officers and directors prior to a
formal determination of guilt. Compliance with such laws is not to be considered a failure to cooperate. Id. at n.4.
should determine whether the corporation’s employees are adequately informed
about the compliance program and are convinced of the corporation’s
commitment to it.81
Of course, compliance plans neither absolve the corporation of respondeat superior liability nor
guarantee immunity from prosecution. However, as a DOJ official stated recently, a company
that does not have a compliance program is “a little like conducting your business without
Id. at § VII(B).
Levine, R., Health Care and Compliance After 9/11, CORPORATE COMPLIANCE OFFICER, July 2002, at 9 (quoting
Michael Chertoff, then Chief of the DOJ Criminal Division).
The last eighteen months have seen an unprecedented confluence of events, and reactions by the
executive, legislative and judicial branches, which have increased white collar risks and
exposures for healthcare organizations. The corporate governance spotlight and the prosecution
of fraud now may reach to the upper spheres of management and even to the board. Moreover,
governance failures can also spill back over more traditional healthcare compliance laws, such as
the Anti-kickback Statute and the False Claims Act, to create the evidence of intent necessary to
prosecute under those statutes as well.