Podcast: COVID-19: Public Disclosure: Data Analytics and DOJ Enforcement in Light of the Pandemic
In this episode of Ropes & Gray’s False Claims Act podcast series, Public Disclosure, litigation partner Kirsten Mayer and her guests consider how the Department of Justice will approach FCA enforcement in light of COVID-19, and the role data and data analytics will play. Kirsten talks with Jim Dowden, head of Ropes & Gray’s white collar practice, as well as Matt Bedan and Neil Goradia of Forensic Risk Alliance. The group explores what data the government is likely to mine, including data outside of the health care space. They also provide insight into what in-house compliance functions should be doing now to mitigate risk (hint: it involves using their own data).
Kirsten Mayer: Welcome to Public Disclosure, our podcast series about the False Claims Act. I'm Kirsten Mayer, a litigation partner at Ropes & Gray, and your host for today's episode. The False Claims Act is a whistleblower statute. At its most basic, it prohibits submitting false or fraudulent claims for payment to the government, and rewards whistleblowers who come forward with evidence of fraud. Although most False Claims Act investigations start with a whistleblower complaint, the Department of Justice has become increasingly sophisticated in its use of data and data analytics to identify and pursue suspected fraud. With a price tag for the federal government's response to the COVID-19 crisis in the trillions of dollars already, the Department of Justice will bring the full force of these tools to bear to exercise oversight and to trigger enforcement. Our guests today recently published an article addressing these issues, the risks that companies face and the compliance strategies to mitigate those risks. Welcome to Public Disclosure, Jim Dowden, Matt Bedan and Neil Goradia.
Kirsten Mayer: Matt, to kick us off, could you tell us a little bit about the risk landscape under the False Claims Act right now as you see it, focusing on the response to COVID and how that ties to potential False Claims Act risk?
Matt Bedan: I think there are a couple key factors here that are worth considering and that we're seeing generally play out. The first is the sheer scale of the expenditure of funds by the government that we've seen in response to COVID. As you mentioned earlier, we're counting over $2.2 trillion so far, more maybe to come. When we get into the trillions of dollars, it's a number that most of us aren't able to comprehend outside the abstract, let alone put in context. Adjusted for inflation in today's money, you could pay for about 15 Apollo moon programs with that money. The sheer scale of it starts to paint a picture about the amount of opportunity that's going to be out there for fraudsters. The second piece which I think is relevant is the speed with which CARES was enacted, which is a piece of legislation that under normal circumstances would've taken certainly months, maybe years for Congress to consider, revise, draft and then ultimately pass, but under the current circumstances, it was done in something like ten days. There wasn't much opportunity to build controls or guardrails around the expenditure of those funds. It's difficult to detect and prevent fraud under normal circumstances, but in this context, I think it's going to be all the more difficult.
Kirsten Mayer: Jim, given your experience as a prosecutor with the Department of Justice, how do you think the DOJ will approach FCA enforcement in the coming months and years, and what role do you think data will play?
Jim Dowden: Let's just be clear, this isn't the government's first rodeo in this space. The False Claims Act was enacted right around the Civil War, a similar time of large government expenditure. In the 100 and almost 50 years since then, they've had a couple cracks of the apple to look at these major government expenditures to see how they could enforce against fraud. They have learned lessons from prior programs, and those lessons have taught them to be coordinated. So what I think we can see here now is that U.S. attorneys' offices, local offices, and Main Justice will want to take a coordinated approach, designating specific personnel to handle this crisis, and to do it in a disciplined manner. "How do you boil the ocean?" is a tough question, and I think the DOJ will look at data specifically to help them boil that ocean, to marshal rare government resources in order to get to the crux of the problem quickly.
Kirsten Mayer: Jim, does the government have the resources and expertise needed in order to effectively use the data that it has access to, to identify and pursue investigations?
Jim Dowden: I think that's a great question. In the last several years, the DOJ has gotten smart on data – they realized that in a world where there is so much data, it is a very useful enforcement tool. The opioid crisis is one specific example where the government has learned that they can take specific enforcement steps looking at data. Is it perfect? No. Do they realize that they need to hire the resources to mine the data? Yes. When programs start rolling out in terms of the enforcement, we can anticipate additional perhaps hiring of qualified individuals to help mine the data.
Kirsten Mayer: Matt, what kind of data does the government have access to that's going to be relevant in terms of the oversight and enforcement around the stimulus money that's come out through the CARES Act and other COVID-19 stimulus programs?
Matt Bedan: I think what you're going to see is that government is going to leverage its access to health care data, specifically Medicare and Medicaid data. I think that will be the crux behind quite a bit of the data mining and private relator efforts in the wake of CARES. The DOJ and other parties who are interested in this data have quite a bit of experience in mining CMS audit-related and other types of publicly available data – this is a source of information that just grows as time goes by. CMS recently announced that they were launching a program to improve access to electronic health records of patients under government programs, where they may be able to mine data directly out of electronic health records. That brings a potential for analytics capabilities to directly correlate data in a patient's health record to the ultimate payor and reimbursement data. Traditionally, that's where most of the False Claims Act enforcement has stemmed from, although I should say that I don't expect and I don't think most people expect that it's going to be solely limited to health care data. There are a number of industries that could potentially be impacted by the data mining that Jim touched on that aren't necessarily used to the scrutiny that might come in the coming months and years.
Kirsten Mayer: Jim, what about risk outside the health care space?
Jim Dowden: The COVID expenditures in the CARES Act are expanding federal funds beyond traditional sources of federal funding in Medicare and other places – it's spreading federal funds across broad swaths of the economy. In light of that, I think one trend we can anticipate is coordination among other law enforcement agencies who have historically not been involved in False Claims enforcement. So, for example, the IRS or the FCC have tons of experience in data mining, and perhaps we might see some increased law enforcement coordination amongst those agencies when we look for data mining and enforcement priorities across industries outside of the health care space. The SEC regularly looks at disclosures, regularly looks at stock prices, regularly looks at footnotes that are talking about material changes in both revenue, expenditures, and other related parties, transactions and the like. It's a pretty sophisticated organization that can look at data mining, particularly around stock price. Similarly, the IRS historically has had very sophisticated data mining to help select the audit potential for potential targets based on trends in revenue and income.
Kirsten Mayer: Neil, have you seen examples of this kind of coordination?
Neil Goradia: I think, on May 5, when the Department of Justice brought its first charges against a couple of individuals as it relates to the Paycheck Protection Program. They were very upfront about saying that not only was there coordination between the SEC, the DOJ and FBI, but they had also worked with the Federal Deposit Insurance Corporation, the inspector general for the Small Business Association and the Internal Revenue Service.
Kirsten Mayer: Turning to companies and their ability to monitor and mitigate risk in this data-rich environment, is COVID-19 affecting companies and their operational infrastructure? What impact is it having on companies' ability to manage risk around False Claims Act actions?
Neil Goradia: COVID-19 is having a tremendous impact on companies' ability to manage and monitor risk. Organizations have had to set up, or at the very least, enhance remote technology infrastructures so that pretty much all of their workforce can work remotely. A lot of the corresponding compliance functions have not been set up to work well in a near 100% remote environment. When you add to that an economic downturn, there is a lot of pressure on companies to make critical decisions to keep their businesses going and profitability up, and they're having to do this without the same level of transparency for their compliance organizations. A lot of organizations have reduced labor, and this is due to a lot of circumstances: things like sickness, social distancing, furloughs or even layoffs. Companies are having to make tough decisions as to how to deploy the resources that they have.
Kirsten Mayer: How does this environment affect compliance and risk mitigation strategies?
Neil Goradia: A lot of times in situations like this, risk mitigation and compliance are going to take a backseat to running business on a day-to-day basis. At the same time, we've already started seeing more instances of people trying to sidestep or even ignore controls that were set up for a different environment, because they're not working efficiently and therefore not allowing people to do their jobs at the end of the day. Organizations are creating or taking in new types of data that, frankly, they just don't know how to handle or analyze at the end of the day.
Jim Dowden: I would add that hindsight's 20/20, right? Historically we have seen, and I've seen as a former prosecutor, that times of crisis are not times to let the foot off the gas of compliance because after the crisis, people aren't going to remember the difficulties in adapting to a new compliance environment. Rather, I think we can expect particularly whistleblowers to allege, "You are on notice of a heightened expenditure of funds. You should take a risk-based approach to compliance, and that risk-based approach says in this particular unique time, you should double down on compliance." Whether that's realistic is another question, but I think it's something that we will probably hear in future litigation.
Kirsten Mayer: You guys have articulated the problem effectively. How does a company deal with that if they've all of a sudden been thrown into a remote environment, had to furlough a chunk of their people and find ways to operate their business remotely that are a little bit MacGyver, kind of boots and suspenders on the fly? If you're global head of compliance or director in charge of compliance for a division of the company that is now doing business in a fundamentally different way, what do you need to do right now to handle the situation?
Jim Dowden: I can start with that. If I was the director of compliance of a major global company right now, two things I would make sure I was doing. One, if there are necessary deviations that you have had to take because of the current environment, I think it's really important to document the reasons why those deviations occurred and to ensure that other compliance-type procedures were still applied. Two, I think it's really important, to the extent you have limited compliance resources, to devote those resources to ongoing monitoring. Ongoing monitoring around the expenditure of funds is going to be critical to avoid second-guessing down the road.
Kirsten Mayer: Neil, from your perspective, what should companies focus on?
Neil Goradia: Kirsten, it's more and more difficult these days for humans to be in the same place; therefore, technology and data-driven monitoring controls are going to be more important. I see this as a good thing because regulators have been urging businesses to move in this direction for a very long time, so this is a change that companies, if they haven't done already, they'll be moving in a positive direction. That being said, this is a new economic setting, and therefore, it's creating different data – transactions are being carried out differently. Therefore, the existing data science models or analytics that have been used to detect noncompliance and fraud will need to be recalibrated for this new environment. Human supervision and reviews are still going to be necessary. Depending on an organization's business, they're going to have to find the right balance at the end of the day.
Kirsten Mayer: Matt, you've mentioned that in the health care industry, claims data provide the rich source of information for relators and DOJ to analyze and use to pursue potential fraud claims. In this post-COVID environment where some of the regulations designed to prevent fraud have been relaxed, where there have been signals that some of the enforcers will use enforcement discretion to allow certain types of transactions to occur during the crisis that would normally be prohibited, how does the relaxation of these regulations, albeit on a temporary basis, complicate the overall data picture that we are all going to be dealing with in the coming years?
Matt Bedan: The short answer is that it's going to create new types of data that a lot of these organizations aren't necessarily set up to handle and process, and build controls around from a compliance perspective. For example, we've recently seen the relaxation or elimination of different types of controls that were in place to prevent fraud, waste, abuse in the health care space, such as the Stark Law. We saw an expansion of the range of reimbursable treatments or types of technology that are allowed to be built, and a significant expansion of the availability of telehealth facilities or telehealth practices – this was an area that was always viewed with a degree of skepticism by CMS and by other fraud watchdogs. From a data perspective, this is going to be logistically a process that many organizations are not set up to monitor and review.
Kirsten Mayer: How much of the data that DOJ can mine for outliers or potential patterns that might signal misconduct is accessible to companies in the private sector, so that if they were to build out a more sophisticated, data-driven compliance function, they could access it? Or is what DOJ has access to largely barred from the public?
Jim Dowden: Let's start with the health care industry, which has historically had the most data, both on the government side and on the industry side. The government has detailed individual claims data that many of our health care clients just simply do not have. But what our clients do often have is data on sales, for example, to distributors, and other types of data along those lines. They have already been able to start mining that data to understand outliers and expenditures, costs, in terms of overhead for distributors, and some of that could be a useful tool today to also think about where those expenditures are going.
Neil Goradia: The expectation of the DOJ and prosecutors is that if the government can identify noncompliance and anomalies, they expect that companies could be able to do so too. That definitely will be a topic of conversation, if there is any kind of action that is brought down.
Kirsten Mayer: What questions should companies be asking to determine whether they are using their data appropriately?
Neil Goradia: The first piece of this, which is a huge piece, is not really around analytics and monitoring, it’s really about understanding your data and knowing how to use it. One, do you know where your data is coming from, and therefore who owns it and who maintains it? Two, can you trust that data? Or another way I like to look at it is, do you know its strengths and weaknesses, and therefore do you know what it can and cannot be used for? And then, finally, do you know where it is and how to access it? This is becoming more and more important these days with data privacy and other data regulations, cross border and things like that. This seems kind of basic, but especially for large multinational corporations, especially those that have grown through acquisitions, this can be a real challenge at the end of the day. A lot of organizations spend a lot of money on data governance, or maintaining data governance for a good reason, because without this foundational piece, you're really not able to do any kind of value-add monitoring and surveillance.
Kirsten Mayer: Once you understand your data, what's the next step?
Neil Goradia: Documenting your anomalies and obligations – you need to know how to look at your data through the lens of your regulatory obligations. To do this, you have to know how to translate those obligations into either rules or tests, or some other analytics that you can apply to your data that will facilitate the monitoring of those obligations at the end of the day. To do that effectively, you need to be leveraging all of the relevant data within your organization – I'll give an example here. Almost every organization has accounting data and has operational data, and so whenever you're taking money from the government, whether it be CARES Act or anything else, you may want to adjust your chart of accounts or your cost center so that you are able to report on where that money is and how you've used it at a very detailed level. However, just knowing where that money is, or where it's gone, or even how it was used is not good enough. You also need to be using your operational data because your operational data is what tells you if the processes and procedures that you have set up in utilizing and dispensing that money are in line with your obligations tied to accepting that money in the first place. And I think Matt mentioned this earlier, but the final step to at least this beginning portion is then saying, "Okay, what are usually disparate datasets (your operational data, financial, accounting), they really need to be talking to each other, and painting a consistent and compliant picture at the end of the day." If you can do all of those things effectively, then you're definitely off to a very good start.
Matt Bedan: It's important for organizations to make sure that they take the extra step of effectively integrating all of these monitoring and analytics processes into the actual decision-making process of the organization. Sometimes we see companies work hard on building up beautiful analytics and monitoring programs, but then they drop the ball in the last critical piece of actually integrating the program and tying it to the decision-making processes of key people within the business. If your well-designed monitoring and analytics programs aren't elevating risk, then your expensive, well-designed program is probably going to end up being more of a liability than an asset to the organization.
Kirsten Mayer: You used the word “expensive” more than once. Does how much data you need to get and how much you need to work with it depend on the size and scale of the company? What we've discussed so far sounds great for a pretty sophisticated far-flung enterprise, but what if you're a small company, closer to the startup phase or in early round of financing, maybe running up to a marketed product, or you're a smaller-scale provider? Is the need to be sophisticated and accurate with data, data mining and data monitoring equally important in a smaller company as in a larger, more complex organization?
Jim Dowden: I would say that in smaller companies with limited compliance resources in terms of personnel, data harnessing is one basic step that regulators would expect you would take – that you have some basic component of mining that data as part of your compliance system. So, I don't think you get a pass if you're a smaller company, but rather, I think that there might be some increased expectations that you're leveraging data in places where you don't have human personnel.
Matt Bedan: I encourage companies not to be dissuaded by some of the terminology that gets tossed around. I mean, you don't need advanced data analytics, algorithms, data mining capabilities, artificial intelligence solutions, that sort of thing, to just understand and harness the general data that you're bringing into your organization. If you're a small or midsize regional hospital group, for example, you don't need a massive, expensive monitoring program to just check your phone bills and make sure that telehealth services that you billed align to calls that were actually made from the doctor to whatever number on whatever date. That's a simple, basic monitoring process that would probably reduce quite a bit of risk for your organization – that's just one example. Your data analysis should be proportionate to your risk and the types of data that are available to you.
Jim Dowden: I would just underscore that compliance programs today are already starting to leverage this data, and there are tools within existing frameworks that you can leverage to enhance that. Most SAP programs have modules that are add-ons that could be used to help harness that data. There are off-the-shelf products that companies can purchase to help mine that data. It doesn't need to be overly complicated.
Neil Goradia: At the end of the day, the analytics, the monitoring and the compliance is great, but the key point of this is really understanding what your obligations are, and setting up whatever processes or controls you need to in order to make sure that you are adhering to those obligations.
Kirsten Mayer: Jim, you mentioned in the beginning of our discussion that this isn't DOJ's first time at the rodeo, that there have been other points in recent history where the government has pushed a lot of stimulus or aid out on the economy, and we've seen an uptick in False Claims Act enforcement after the fact. Can you tell us a little bit about what lessons DOJ has learned from the most recent wave of stimulus activity and follow-on enforcement with the TARP program in 2008 and 2009?
Jim Dowden: Yes, Kirsten, I think that's a really good question. I, in fact, was a federal prosecutor during the TARP program. I think that the DOJ tried to organize around the TARP program to try to make sure that fraud and abuse was being monitored and prosecuted, but I do think that the DOJ faced significant criticism about using its resources to make sure it was focusing on the right targets. Was the government focusing on the appropriate targets of alleged fraud? I think we can anticipate on a going forward basis the government will think very hard about who are the right targets for enforcement here. Are they the large multinationals? Are they the smaller businesses? I think the government will have immense pressure to focus on larger scale enterprises to make sure that there was no abuse of stimulus funds.
Kirsten Mayer: Jim, Matt and Neil, thank you for joining me today. And thank you to our listeners. For more information about our False Claims Act practice, please visit www.ropesgray.com/falseclaimsact. We'd love to hear from you about our podcast as well – you can email us at firstname.lastname@example.org. Upcoming episodes will take on kickbacks and causation. Be sure to tune in – you won't want to miss it. You can subscribe to our Public Disclosure podcast series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thanks again for listening.