You are a hospital CEO, spending a quiet afternoon in your office when a disgruntled member of a local medical practice barges in and begins complaining that he is being treated unfairly. He tells you that he is not getting the same amount of time in the Cardiac Cath Lab as other physicians, that another physician got a better sign-on bonus than he did, and that the space that he rents from the hospital is smaller than a neighboring practice's space. Inwardly, you sigh, while outwardly you listen attentively. In the back of your mind you are hoping that maybe this will all blow over by next week. However, because you are conscientious, you report "Dr. Smith's" complaint to the Board of Directors at their next meeting. Together, you and the Board discuss whether and how to investigate his complaint. Everyone hopes that Dr. Smith will let things go. The allegations are meritless. He is just unhappy. Other matters rise to the Board's attention and weeks later, Dr. Smith's complaints remain largely ignored.
What potential jeopardy does the Board face by the organization's failure to investigate? Ignoring complaints can create a trap for unwary board members and executives. What if Dr. Smith has really identified a Stark1 problem?
The National Whistleblower's Center reports that 89.7 percent of all employees who eventually file a civil action against their employers initially reported their concerns internally and filed suit only after the employee perceived that he or she would not attain satisfaction through employer channels. In our example, Dr. Smith may not be a hospital employee but the same risk of a civil suit against the hospital and individual executives applies. The risk of ignoring Dr. Smith is that, as a complainant, he is much more likely to file a qui tam action under the False Claims Act if hospital management or board members fail to take action. Under the False Claims Act, Dr. Smith may bring an action for treble damages and $5,500 to $11,000 in penalties for each claim, as well as seek attorney's fees and costs.2
Under the Responsible Corporate Officer Doctrine (RCO), executives and board members may be held liable for the illegal acts of the organization even though an executive or board member had no role in, or awareness of, the underlying violation. Although civil actions under the Responsible Corporate Officer theory, also known as the Park Doctrine,3 have been mainly focused on violations under the Federal Food Drug and Cosmetic Act, the potential for personal jeopardy should cause the Board and management to think carefully about the failure to investigate complaints; especially Stark allegations. RCO-based enforcement theories create significant fiduciary liability and compliance risks for officers, directors and key employees of hospitals and health care systems. The government has increased resources for investigating allegations of health care fraud and has enhanced permissive exclusion authority. Recent statements by the government reflect that the time continues to be ripe for prosecuting individuals for corporate noncompliance, either through direct proof of knowledge of questionable or illegal practices or through a strict liability standard (i.e., by virtue of their authority in the corporate hierarchy).4 Board members need to listen carefully when complaints come to their attention and identify the most effective way to carefully investigate the complaints and react appropriately.
The recent case of Wal-Mart de Mexico is a good example of the dangers of ignoring allegations that need to be internally investigated and the need to adequately react to and remediate any wrongdoing uncovered. Wal-Mart Stores Inc., CEO Mike Duke and Chairman of the Board Robin Walton recently announced at Wal-Mart's annual meeting that the company was "committed to compliance." Their statements followed an April 2012 New York Times article alleging that the world's largest retailer failed to notify law enforcement after finding evidence that Wal-Mart managers had authorized millions in bribes to Mexican officials in order to secure building permits, and a regulatory filing that several executives, including Duke and Walton, are the targets of shareholder derivative suits seeking to change corporate governance. The lawsuits charge that the executives neglected their responsibilities in handling the alleged bribery scandal.5
The Board has a duty of care to make a reasonable inquiry when confronted with information about a possible risk. In other words, directors should make inquiries of management to obtain the information necessary to satisfy this duty. "A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards."6 The organization may be at risk, and in extreme circumstances, the directors may also be at risk if they fail to reasonably oversee the organization's compliance program or merely act as passive recipients of information.7 This makes ignoring potential Stark violations very risky.
Thus, when the Board is provided with information that someone is complaining about a matter that may have Stark or False Claims Act implications, the first question that the Board should ask is whether there are processes in place to ensure that such complaints are fully investigated. The second question should be whether those processes are being followed by the individual(s) charged with investigating complaints. The third question should be if wrongdoing is uncovered, does the organization have mechanisms in place to ensure appropriate reaction to and remediation of the wrongdoing. Finally, do the processes in place ensure that the Board will have notice about developments as the matter unfolds?
An organization's compliance policies and processes should include an investigative policy. This policy should outline the circumstances under which an internal investigation will be conducted, who will conduct it (internal counsel v. outside counsel), and how the investigation's findings and conclusions will be reported to the Board. Including an investigative policy in the organization's compliance policies protects the Board by clearly outlining the organization's processes in place to receive complaints, such as a hotline and the adoption of whistleblower protections. The Board should fully understand and be comfortable with management's process for evaluating and responding to identified violations of organizational policies, as well as applicable state and federal laws.
Boards should use their compliance programs as value-added propositions when fulfilling their duties. In order to strengthen a Board's ability to assess ongoing or emerging risks, the substance of any complaint may be reviewed in the context of the larger organization. This should be done under attorney-client privilege by outside counsel. The root causes of any compliance breach can then be addressed, and controls woven back into compliance policies and procedures to prevent further risk to the organization and its Board members.
1 The Stark Law prohibits physician referrals of Medicare patients for certain "designated health services" to any entity in which the physician has a financial relationship. 42 U.S.C. § 1395nn. A financial relationship is defined as a "direct or indirect ownership or investment interest" or a direct or indirect "compensation arrangement" that includes the physician's personal financial relationship. The Stark Law is a strict liability statute, meaning that if a financial relationship does not meet the elements of a specified exception, see, e.g., 42 U.S.C. § 1395nn(b)–(e), a hospital that violates the statute could be subject to civil sanctions including payment denials, mandated returns of payments received as a result of the tainted relationship, civil monetary penalties and exclusion from participation in Medicare. See, e.g., 42 U.S.C.§ 1395nn(g)(1)–(g)(5).
2 National Whistleblowers Center, Impact of Qui Tam Laws on Internal Compliance, 4 (Dec. 17, 2010) available at www.whistleblowers.org/storage/whistleblowers/documents/DoddFrank/nwcreporttosecfinal.pdf.
3 See 31 U.S.C. § 3729(a)(1)–(7). In addition, Stark violations may serve as predicates for government and qui tam actions brought under the False Claims Act and the retention of payments received for services provided via a Stark-related referral will support liability under the False Claims Act. See, e.g., 31 U.S.C. § 3729(a)(1)(G).
4 United States v. Park, 421 U.S. 658 (1975) is viewed as the seminal case upholding the propriety of the Responsible Corporate Officer Doctrine.
5 Press Release, U.S. Department of Justice, Former Drug Company Executive Pleads Guilty in Oversized Drug Tablets Case, wherein Assistant Attorney General Tony West stated "We will hold corporate executives responsible when company profits are pursued at the expense of consumer safety."
6 David Barstow, Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle, N.Y. Times, Apr. 21, 2012, available at: www.nytimes.com/2012/04/22/business/at-wal-mart-in-mexico-a-bribe-inquiry-silenced.html?smid=pl-share
7 Anne D'Innocenzio, Wal-Mart CEO Says Co. Committed to Compliance, BusinessWeek, June 1, 2012, available at: www.businessweek.com/ap/2012-06/D9V4GTBO3.htm.
8 In re Caremark Int'l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
9 Dep't of Health and Hum. Serv. Off. of Inspector Gen. and Am. Health Law. Ass'n, Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors, § I, available at: oig.hhs.gov/fraud/docs/complianceguidance/040203corpresprsceguide.pdf.