Other Healthcare Laws
In addition to FDA restrictions on marketing of pharmaceutical and biological products, other healthcare regulatory laws restrict business practices in the biotechnology industry, which include, but are not limited to, anti-kickback, false claims, physician payment and pricing transparency and data privacy and security laws. The federal Anti-Kickback Statute prohibits the offer, receipt, or payment of remuneration in exchange for or to induce the referral of patients or the use of products or services that would be paid for in whole or part by Medicare, Medicaid or other federal healthcare programs. Remuneration has been broadly interpreted to include anything of value, including cash, improper discounts and free or reduced-price items and services. The government has enforced the Anti-Kickback Statute to reach large settlements with healthcare companies based on sham research or consulting and other financial arrangements with physicians. Further, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it to have committed a violation. In addition, the government may assert that a claim including items or services resulting from a violation of the Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the False Claims Act (discussed below). Many states have similar laws that apply to their state healthcare programs as well as private payors.
The federal false claims and civil monetary penalties laws, including the False Claims Act, or FCA, impose liability on persons who, among other things, knowingly present or cause to be presented, a false, fictitious or fraudulent claim for payment to, or approval by, the federal government, knowingly make, use, or cause to be made or used a false record or statement material to a false or fraudulent claim to the federal government, or knowingly make a false statement to avoid, decrease or conceal an obligation to pay money to the U.S. federal government. The FCA has been used to prosecute persons submitting claims for payment that are inaccurate or fraudulent, that are for services not provided as claimed, or for services that are not medically necessary. Actions under the FCA may be brought by the Attorney General or as a qui tam action by a private individual in the name of the government. Violations of the FCA can result in significant monetary penalties and treble damages. The federal government is using the FCA, and the accompanying threat of significant liability, in its investigation and prosecution of pharmaceutical and biotechnology companies throughout the country, for example, in connection with the promotion of products for unapproved uses and other sales and marketing practices. The government has obtained multi-million and multi–billion-dollar settlements under the FCA in addition to individual criminal convictions under applicable criminal statutes. In addition, companies have been forced to implement extensive corrective action plans and have often become subject to consent decrees or corporate integrity agreements, severely restricting the manner in which they conduct their business. Given the significant size of actual and potential settlements, it is expected that the government authorities will continue to devote substantial resources to investigating healthcare providers’ and manufacturers’ compliance with applicable fraud and abuse laws.
The federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, created additional federal criminal statutes that prohibit, among other actions, knowingly and willfully executing, or attempting to execute, a scheme to defraud any healthcare benefit program, including private third-party payors, knowingly and willfully embezzling or stealing from a healthcare benefit program, willfully obstructing a criminal investigation of a healthcare offense, and knowingly and willfully falsifying, concealing or covering up a material fact or making any materially false, fictitious or fraudulent statement in connection with the delivery of or payment for healthcare benefits, items or services. Similar to the federal Anti-Kickback Statute, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation.
We may also be subject to data privacy and security regulation by both the federal government and the states in which we conduct our business. HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, and their respective implementing regulations, which impose specified requirements relating to the privacy, security and transmission of individually identifiable health information. Among other things, HITECH makes HIPAA’s privacy and security standards directly applicable to “business associates,” defined as independent contractors or agents of covered entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity. HITECH also increased the civil and criminal penalties that may be imposed against covered entities, business associates and possibly other persons, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorney’s fees and costs associated with pursuing federal civil actions. In addition, state laws govern the privacy and security of health information in certain circumstances, many of which differ from each other in significant ways and may not have the same requirements, thus complicating compliance efforts.
In addition, there has been a recent trend of increased federal and state regulation of payments made to physicians and other healthcare providers. The ACA, among other things, imposed new reporting requirements through the Physician Payments Sunshine Act on certain manufacturers of drugs covered by a federal healthcare program for payments made by them to physicians and teaching hospitals, as well as ownership and investment interests held by physicians, certain other healthcare professionals and their immediate family members. Failure to submit required information may result in civil monetary penalties for all payments, transfers of value or ownership or investment interests that are not timely, accurately and completely reported in an annual submission. Manufacturers must submit reports by the 90th day of each calendar year. Certain states also mandate implementation of compliance programs, impose restrictions on drug manufacturer marketing practices and/or require the tracking and reporting of gifts, compensation and other remuneration to physicians, and pricing information and marketing expenditures.