REMARKS OF JOHN T. BENTIVOGLIO
SPECIAL COUNSEL FOR HEALTH CARE FRAUD AND
CHIEF PRIVACY OFFICER
U.S. DEPARTMENT OF JUSTICE
 
  SYMPOSIUM ON HEALTHCARE INTERNET AND E-COMMERCE:
LEGAL, REGULATORY AND ETHICAL ISSUES
 
 WASHINGTON, D.C. -- MARCH 27, 2000
 

I want to thank the Health Care Compliance Association, the Internet Healthcare Coalition, the American Health Lawyers Association, and the other sponsors of this Conference for the invitation to present the Justice Department’s views on several important topics, particularly the prosecution of health care fraud and the protection of health care privacy on the Internet.

Why the Concern about Fraud and Privacy on the Healthcare Internet?
 
The Internet and other information technologies are revolutionizing the health care industry.  Through these new technologies, we will be able to save billions of dollars in administrative and overhead costs – money that can be used to discover new drugs or expand coverage for the uninsured.  These same technologies also promise to dramatically improve patient care – in the not-too-distant future, telemedicine technologies will allow medical specialists to "examine" and "treat" patients halfway around the world.  Perhaps most importantly, the Internet is empowering individuals to understand – and take charge of – their own health care needs.

Unfortunately, what makes the Internet a valuable tool for improving health care – including low barriers to entry, the ability to reach millions of Internet users at little or no cost, and absence of geographic and national boundaries – also makes it an ideal tool for the commission of fraud and other online crime.  The risk to public health and safety is particularly acute in the health care arena, where online fraud artists are peddling misbranded and adulterated drugs, bogus miracle cures, and other health care scams.  Victims of these scams can suffer death or serious injury.  And we should not forget that many individuals who face serious health crises may be desperate in their search for cures.  These individuals may be particularly vulnerable to Internet-based health care scams.

Overview of Remarks

Today, I would like to discuss the Federal government’s fraud, consumer protection, and privacy protection efforts as they relate to the Internet healthcare industry, particularly the role of the U.S. Department of Justice and our counterparts in other law enforcement and regulatory agencies.  This will include: a discussion of our overall fraud and consumer protection programs;  a brief overview of federal laws relating to health care fraud, consumer protection, and patient privacy; the application of these laws to common i-health business models; and some thoughts on the future direction of where we’re heading with respect to fraud and other illegal conduct on the healthcare Internet.   Finally, I want to offer some suggestions on how conscientious i-health care companies can take steps to ensure compliance with federal law, including some helpful online compliance resources.

My goal – in the next 25 minutes -- is to convince you of our commitment to safeguarding the health, safety and privacy of consumers on the healthcare Internet, to give you some appreciation of the federal laws applicable to the most common business models in the i-health industry, and to get you thinking about the need for developing effective compliance programs within your organization.

DOJ’s Fraud Enforcement Program

Combating fraud and other white-collar crimes – particularly those that target elderly and other vulnerable consumers and those targeting taxpayer-funded health care programs – is one of the Justice Department’s highest priorities.  We have developed a sophisticated, nationwide -- and increasingly international -- program to combat all forms of fraud and white-collar crime.
 
In 1993, Attorney General Janet Reno announced that combating health care fraud would be the Department’s number one white-collar crime priority.  Last year, the Department of Justice obtained almost 400 convictions for health care fraud -- an increase of 21% over the prior year.  In this same period, we were able to collect $524 million -- more than half a billion dollars -- in criminal fines, civil settlements, and administrative penalties.  In addition, the HHS Office of Inspector General excluded more than 3,000 individuals and companies from participation in the Medicare and Medicaid programs for health care fraud and related misconduct.  For health care providers – including hospitals, doctors, HMOs, and others – who rely extensively on federal programs for reimbursement, exclusion is the equivalent of a corporate death penalty.

And our health care fraud enforcement efforts will increase significantly in the coming years.  Under the Health Insurance Portability and Accountability Act of 1996 (the "Kennedy-Kassebaum" or "HIPAA" legislation), the Departments of Justice and Health and Human Services receive dedicated – and increasing – funding for health care fraud enforcement.  This year (FY 2000), the Justice Department and HHS received $158 million.  This figure will increase to $240 million in FY 2003.  Similarly, funding for the FBI will increase from $76 million this year to $114 million in FY 2003 – an increase of more than 50 percent.
 
These increased resources mean we have more investigators, auditors, and prosecutors focused on health care fraud than ever before – and our enforcement resources will increase for at least the next three years.  These figures should convince even the skeptics that health care fraud will remain a high priority for the Justice Department and our federal law enforcement partners for the foreseeable future.

Legal and Regulatory Framework 1

A number of federal criminal laws prohibit a wide range of fraudulent conduct, which can roughly be described as any scheme designed to obtain money or something of value under false pretenses. 2   Civil fraud remedies also are available where the federal government is the victim of fraud. 3  Federal law also prohibits making false statements to federal agencies, including statements made to obtain payment from the federal government or in connection with information provided to regulatory agencies, such as the Food and Drug Administration or the Health Care Financing Administration. 4   Thus, if your company submits information to the federal government, either in the course of compliance with a regulatory program or in order to obtain reimbursement, it is essential that you take steps to ensure the data is accurate.
 
Health care companies providing services to federal health care programs also need to be mindful of federal laws that prohibit kickbacks and self-referrals. The federal anti-kickback statute makes it a crime, punishable by up to five years in prison, to provide any thing of value, money or otherwise, directly or indirectly, with the intent to induce a referral of a patient or a health care service. 5  Significantly, liability attaches to both parties to the transaction -- the entity or individual providing the prohibited remuneration and the entity or individual receiving it.  Federal law also prohibits so-called physicians and other health care providers from referring beneficiaries in federal health care programs to clinics or other facilities in which the physician or health care provider has an interest. 6  These practices – kickbacks and self-referrals – are prohibited under federal law because they tend to corrupt the exercise of a medical professional’s independent judgment.  The U.S. healthcare industry relies extensively on physicians, hospital discharge planners, and other health care providers to allocate scarce health care resources based on what’s in the best interest of patients.  Federal law contains broad prohibitions – backed up by stiff criminal and civil penalties – for arrangements that tend to corrupt that judgment and put the provider’s bottom line ahead of the patient’s well being.
 
The Federal Food, Drug and Cosmetic Act (FDCA) prohibits the unauthorized distribution of drugs or medical devices.  Federal criminal penalties are available for knowing and intentional violations of the FDCA.  The manufacture and distribution of controlled substances is governed by the Controlled Substances Act, which is enforced by the Drug Enforcement Administration, a component of the U.S. Department of Justice.  The requirements of the FDCA and CSA apply to online as well as bricks-and-mortar pharmacies.
 
Although there are a number of federal laws that protect the privacy of individuals, I want to highlight two that are particularly important to the i-health industry.  First, the Federal Trade Commission Act prohibits businesses engaged in interstate commerce from engaging in a broad range of unfair or deceptive trade practices.  According to the FTC, collecting or disclosing personal information in violation of a Web site’s written privacy policy may constitute an unfair or deceptive trade practice.  The FTC has announced that it has launched an investigation into the privacy practices of a number of health care Web sites, prompted in part by the California Healthcare Foundation study that found several well-known sites were violating their own posted privacy policies. 7

Potentially more important to the i-health industry are the new medical records privacy standards under development by the U.S. Department of Health and Human Services. 8  Because Congress failed to meet its own deadline for enacting comprehensive medical records privacy legislation, the 1996 Kennedy-Kassebaum law authorized and directed the HHS Secretary to develop privacy regulations for certain electronic health care transactions.  These regulations apply to health care providers, health care plans, and health care clearinghouses.  Less noticed, but quite important, the Kennedy-Kassebaum legislation also required HHS to develop minimum standards for the security of electronic health information. 9  The recent cyberattacks on well-known e-commerce sites have served as a wakeup call to industry on the vulnerability of Internet-based computer networks – and the need to take steps to address information security issues.

Application of Federal Fraud and Consumer Protection Laws to the i-Health Industry

While it’s important to understand the overall framework, including our criminal fraud enforcement program, my sense is that most of the people at today’s conference are honest and law-abiding individuals who want to comply with the law.  Thus, I want to discuss the legal and regulatory framework in a little more depth, applying it to specific business models in the i-health industry.

For i-health companies that simply provide information to consumers, without charging consumers or third-party payors for services, a key concern should be ensuring that the Web site’s actual privacy practices are consistent with any stated privacy policies.  The FTC has announced investigations into a number of healthcare Web sites that collected and/or distributed personal information in violation of the site’s posted privacy policy. In addition to complying with the broad prohibition against unfair and deceptive trade practices, the new draft HHS privacy regulations will impose significant privacy safeguards on healthcare providers, plans or clearinghouses that engage in certain electronic transactions, including health claims, health care payment and remittance advice, and referral certification or authorization. 10  For example, where a physician practice submits claims electronically to a third-party insurance company, both the physician practice and the insurance company are required to comply with the HIPAA privacy regulations.  Online pharmacies also will need to comply with these privacy regulations.  Significantly, once the draft regulations are finalized, violations may result in civil fines and, in more serious cases, criminal prosecution.

I-health companies that provide goods or services to beneficiaries of federal health care programs, including Medicare and Medicaid -- or that contract with such companies -- must be mindful of the full range of anti-fraud safeguards in federal law.  For example, the HHS Office of Inspector General has stated that it would be illegal for a hospital to provide a health care provider with telemedicine equipment with intent to encourage that provider to consult with specialists at the hospital where such consultations were reimbursed by a federal health care program. 11  Similarly, the Stark self-referral laws also attach to situations where health care goods or services are reimbursed by federal health care programs – whether online or off-line.  I emphasize this business model because at least one market analyst expects the business-to-business side of the i-health industry to reach $370 billion by 2004.  Given that the federal government pays for a substantial percentage of all health care goods and services consumed in the United States, I think it’s fair to assume that some of the b-to-b market will involve goods and services reimbursed by federal health care programs.  I-health companies in this space need to be mindful of the full range of federal anti-fraud safeguards – and take steps to ensure compliance.

I-health companies also should be mindful of the prohibition on employing or contracting with individuals or entities that have been excluded from participation in Federal health care programs for misconduct.  In an era of tight labor markets, and the "outsourcing" of many business operations, it is easy to overlook the need for careful screening of employees and potential business partners.  For example, a health care provider – including an online pharmacy – could not hire or contract with a pharmacist who has been excluded by the HHS Office of Inspector General if the provider receives federal reimbursement for the drugs.

I-health companies that sell or promote drugs or medical devices must be aware of the comprehensive federal regulatory framework that safeguards patient health and safety.  The FDA and FTC regulate advertising of drugs and medical devices, whether on- or off-line.  Similarly, online pharmacies and other i-health companies engaged in the sale of prescription drugs must comply with the Food, Drug and Cosmetic Act.  More stringent safeguards are imposed on the manufacture, sale and promotion of controlled substances – and more serious criminal and civil penalties attach for violations of the federal Controlled Substances Act.  The FDA’s Office of Criminal Investigations has initiated 134 Internet-related investigations, including 88 open criminal investigations and 46 preliminary investigations.  Of these 134 investigations, 54 involve sites selling prescription drugs, while 80 cases are related to various types of health fraud or unapproved drug products such as GHB.  To date, 36 arrests and 17 convictions have resulted from FDA investigations into the illegal sale of drugs or medical products over the Internet.

In the near future, the Administration will present legislation to Congress to provide consumer protections for Internet drug sales.  The underlying goal of the legislation will be to ensure that online pharmacies are licensed and operated under the same regulatory system that Congress and the States have put in place for traditional "brick and mortar" pharmacies.  Therefore, the legislation will call for online pharmacies to post information on their Web sites about their ownership, state licensure, name of the pharmacist in charge, and a phone number where consumers can contact the pharmacist.  Online pharmacies that fail to meet these requirements would be subject to federal civil and criminal penalties.
 
What Does the Future Hold?

First, the Administration does not believe that significant new substantive regulation is necessary to deal with unlawful conduct on the Internet.   A working group, chaired by the Attorney General, conducted a comprehensive review of unlawful conduct on the Internet, and concluded that, generally, existing laws are adequate to address Internet crime, including fraud.  The one area where additional legislation is necessary involves the sale of drugs on the Internet. Here, to maintain adequate protections for consumers, and to permit effective enforcement, the Administration believes new statutory protections are required, and we will be submitting legislation to Congress in the near future.

Second, we will be closely monitoring industry’s efforts to develop comprehensive and effective privacy self-regulatory efforts, particularly the practices of the i-health industry.  While the Administration has expressed its preference for industry self-regulation, I believe such a hands-off approach will be difficult to maintain absent significant improvements in industry privacy practices.  Inadequate privacy efforts also will invite the states to enact online health privacy statutes.

Third, I anticipate a significant increase in Internet health care scams -- if for no other reason than that the Internet is a near-perfect medium for fraud artists.   The Justice Department already is taking steps to address this growing threat, including through the creation of the FBI’s Internet Fraud Complaint Center.  The President’s budget calls for $37 million in new funding for additional investigators and prosecutors to fight all forms of cybercrime, including online fraud.  We are also cross-training existing white-collar investigators and prosecutors in how to handle online fraud cases.  As a result of these and other efforts, I anticipate we will see a significant increase in prosecutions of Internet fraud in the next several years.

Fourth, we are beginning to work with the FBI, the Health Care Financing Administration, the HHS Office of Inspector General, and others to assess the potential for fraud and abuse against federal health care programs.  Because the i-health industry is still relatively small, and has focused primarily on the business-to-consumer space, we have not yet seen online health care scams against Medicare and Medicaid.  However, we want to take steps now – before significant taxpayer dollars are lost – to identify any vulnerabilities and to take steps to boost program safeguards without stifling the growth of this promising industry.
 
Compliance Tips

So, what can you do – individually within your companies and collectively through trade associations and other industry groups?  You’ve taken the first step by attending this conference and learning more about the legal and regulatory framework for the i-health industry.  The next step should be a comprehensive assessment of your business practices, focusing on several key areas, including privacy practices, compliance with fraud and abuse laws, and compliance with regulations governing the sale and promotion of drugs and medical devices.

For i-health businesses who will rely, in whole or in part, on reimbursement from federal health care programs, I would encourage you to develop compliance programs that contain, at a minimum, the several components identified by the HHS Office of Inspector General in model compliance guides for various segments of the health care industry.  These elements include: (1) written policies and procedures; (2) designation of a compliance officer and compliance committee; (3) education and training of management and employees; (4) establishment of lines of communication (including employee hotlines); (5) auditing and monitoring; (6) enforcing standards through disciplinary procedures and practices; and (7) responding to detected offenses and developing effective correction plans.

We realize that the health care industry is undergoing rapid change, and that i-health companies must operate at Internet speeds.  But it is just this type of environment – where critical management resources are stretched thin, and back-office operations like compliance rank far behind the need to obtain funding and get products out the door – where companies take short cuts that can result in criminal or civil investigations and punishment.
 
What Resources Are Available to Help?

There is a wealth of information available that describes the requirements of federal law and provides advice on how to comply.  The Federal Trade Commission, which plays a critical role in safeguarding consumer privacy, provides very useful information on e-privacy and consumer fraud protection efforts on its Web site.  Similarly, the Web site of the Department of Health and Human Services contains detailed information on the new draft medical records privacy regulations.

For advice on compliance with federal health care fraud laws, I would encourage you to visit the Web site of the HHS Office of Inspector General.  This site contains detailed compliance guides, advisory opinions, special fraud alerts, and other practical information.

Finally, the Justice Department just announced a new Web site – www.cybercrime.gov – which provides information on our computer and high-tech crime enforcement efforts.  The site contains speeches, testimony, information on our investigative and prosecutorial efforts, among other things.  You can find a copy of the Attorney General’s recent report to the President on Unlawful Conduct on the Internet, as well as Justice Department testimony on the sale of prescription drugs on the Internet.

Conclusion

I hope that I have accomplished what I set out to do 25 minutes ago – to describe our health care and Internet fraud enforcement program, to provide a quick overview of the legal and regulatory framework for the i-health industry, to apply that framework to several common business models with the goal of highlighting key legal and regulatory requirements, to offer my personal predictions on the future of our enforcement efforts, and to provide some practical advice on how to comply with federal law.

Finally, I would like to encourage you – individually and through your trade associations – to work with us on developing and enforcing fraud and privacy safeguards in a manner that protects consumers without stifling the growth and promise of the i-health industry.  I would encourage the HCCA, IHC and others to take up this challenge, perhaps by broadening the outstanding work you are doing on the "ethics" front to include a detailed examination of fraud prevention and compliance issues.  Because you have demonstrated your commitment by coming to Washington DC to learn more about the legal, regulatory, and ethical issues confronting your industry, I would welcome your thoughts and suggestions on how we can work together.

Thank you.

_____________________________________________________
    1 This overview discusses a number of federal laws relevant to Internet-based health care providers.  This is not meant to be an exhaustive list of the laws or regulations that might apply to specific businesses or practices.

    2 These statutes include, but are not limited to: 18 USC 669 (theft or embezzlement in connection with health care), 18 USC 1341 (mail fraud), 18 USC 1343 (wire fraud), and 18 USC 1347 (fraud in public or private health care benefit programs).

    3 See 31 USC 3729-33 (False Claims Act).

    4 18 USC 1001 (false statements to a federal agency); 18 USC 1035 (false statements relating to health care matters).  A related statute, 18 USC 1518, prohibits efforts to obstruct a health investigation.

    5 42 USC 1320a-7b(b).  Various statutory and regulatory safe harbors have been established for beneficial arrangements that might otherwise violate the statute.  See 42 USC 1320a-7b(b)(3) (statutory safe harbors); 42 CFR 1001.952 (regulatory safe harbors).

    6 42 USC 1395nn (codifying “Stark I” and “Stark II” statutes).

    7 “FTC Reviews Privacy Issues at Health Web Sites,” Wall Street Journal, Feb. 18, 2000, at B6.

    8 U.S. Department of Health and Human Services, Notice of Proposed Rule Making for Standards for Individually Identifiable Health Information, 64 Fed. Reg. 59917-60065 (Oct. 23, 1999).  Also available at www.hhs.gov/hottopics/healthinfo/index.htm.

    9 U.S. Department of Health and Human Services, Notice of Proposed Rule Making for Security and Electronic Signature Standards, 63 Fed. Reg. 43263-69 (Aug. 12, 1998).

    10 The rules governing what providers and transactions are and are not covered are necessarily complicated because of the statutory limitations under HIPAA.  In authorizing and directing the HHS Secretary to issue medical records privacy regulations, Congress specifically limited such authority to certain forms of electronic transactions by health care plans, providers, and clearinghouses.  In releasing the draft HHS privacy regulations, President Clinton noted the flaws in the statutory scheme and called on Congress to enact legislation to address these shortfalls.

    11 See HHS Office of Inspector General, Advisory Opinion 99-14 (December 28, 1999), available at www.oig.hhs.gov/fraud/docs/advisoryopinions/1999/ao99_14.htm.   Although the OIG ultimately advised the requestor that, under the unique circumstances and safeguards in place, the OIG would not impose sanctions, the OIG made clear that the provision of telemedicine equipment with the intent to induce or encourage referrals would violate the anti-kickback statute.

______________________________________________________
 

 



Updated page July 19, 2004
usdoj-crm/mis/sj