I want to thank the Health Care Compliance Association, the Internet Healthcare Coalition, the American Health Lawyers Association, and the other sponsors of this Conference for the invitation to present the Justice Department's views on several important topics, particularly the prosecution of health care fraud and the protection of health care privacy on the Internet.
Why the Concern about
Fraud and Privacy on the Healthcare Internet?
The Internet and other information technologies are revolutionizing the health
care industry. Through these new technologies, we will be able to save
billions of dollars in administrative and overhead costs - money that can be
used to discover new drugs or expand coverage for the uninsured. These
same technologies also promise to dramatically improve patient care -
in the not-to-distant future, telemedicine technologies that will allow medical
specialists to "examine" and "treat" patients halfway around the world.
Perhaps most importantly, the Internet is empowering individuals to understand
- and take charge of - their own health care needs.
Unfortunately, what makes the Internet a valuable tool for improving health care - including low barriers to entry, the ability to reach millions of Internet users at little or no cost, and absence of geographic and national boundaries - also makes it an ideal tool for the commission of fraud and other online crime. The risk to public health and safety is particularly acute in the health care arena, where online fraud artists are peddling misbranded and adulterated drugs, bogus miracle cures, and other health care scams. Victims of these scams can suffer death or serious injury. And we should not forget that many individuals who face serious health crises may be desperate in their search for cures. These individuals may be particularly vulnerable to Internet-based health care scams.
Overview of Remarks
Today, I would like to discuss the Federal government's fraud, consumer protection, and privacy protection efforts as they relate to the Internet healthcare industry, particularly the role of the U.S. Department of Justice and our counterparts in other law enforcement and regulatory agencies. This will include: a discussion of our overall fraud and consumer protection programs; a brief overview of federal laws relating to health care fraud, consumer protection, and patient privacy; the application of these laws to common i-health business models; and some thoughts on the future direction of where we're heading with respect to fraud and other illegal conduct on the healthcare Internet. Finally, I want to offer some suggestions on how conscientious i-health care companies can take steps to ensure compliance with federal law, including some helpful online compliance resources.
My goal - in the next 25 minutes -- to is convince you of our commitment to safeguarding the health, safety and privacy of consumers on the healthcare Internet, to give you some appreciation of the federal laws applicable to the most common business models in the i-health industry, and to get you thinking about the need for developing effective compliance programs within your organization.
DOJ's Fraud Enforcement Program
Combating fraud and other
white-collar crimes - particularly those that target elderly and other vulnerable
consumers and those targeting taxpayer-funded health care programs - is one
of the Justice Department's highest priorities. We have developed a sophisticated,
nationwide -- and increasingly international -- program to combat all forms
of fraud and white-collar crime.
In 1993, Attorney General Janet Reno announced that combating health care fraud
would be the Department's number one white-collar crime priority. Last
year, the Department of Justice obtained almost 400 convictions for health care
fraud -- an increase of 21% over the prior year. In this same period,
we were able to collect $524 million -- more than half a-billion dollars ---
in criminal fines, civil settlements, and administrative penalties. In
addition, the HHS Office of Inspector General excluded more than 3,000 individuals
and companies from participation in the Medicare and Medicaid programs for health
care fraud and related misconduct. For health care providers - including
hospitals, doctors, HMOs, and others - who rely extensively on federal programs
for reimbursement, exclusion is the equivalent of a corporate death penalty.
And our health care fraud
enforcement efforts will increase significantly in the coming years. Under
the Health Insurance Portability and Accountability Act of 1996 (the "Kennedy-Kassebaum"
or "HIPAA" legislation), the Departments of Justice and Health and Human Services
receive dedicated - and increasing - funding for health care fraud enforcement.
This year (FY 2000), the Justice Department and HHS received $158 million.
This figure will increase to $240 million in FY 2003. Similarly, funding
for the FBI will increase from $76 million this year to $ 114 million in FY
2003 - an increase of more than 50 percent.
These increased resources mean we have more investigators, auditors, and prosecutors
focused on health care fraud than ever before - and our enforcement resources
will increase for at least the next three years. These figures
should convince even the skeptics that health care fraud will remain a high
priority for the Justice Department and our federal law enforcement partners
for the foreseeable future.
Legal and Regulatory Framework 1
Potentially more important to the i-health industry are the new medical records privacy standards under development by the U.S. Department of Health and Human Services. 8 Because Congress failed to meet its own deadline for enacting comprehensive medical records privacy legislation, the 1996 Kennedy-Kassebaum law authorized and directed the HHS Secretary to develop privacy regulations for certain electronic health care transactions. These regulations apply to health care providers, health care plans, and health care clearinghouses. Less noticed, but quite important, the Kennedy-Kassebaum legislation also required HHS to develop minimum standards for the security of electronic health information. 9 The recent cyberattacks on well-known e-commerce sites have served as a wakeup call to industry on the vulnerability of Internet-based computer networks - and the need to take steps to address information security issues.
Application of Federal Fraud and Consumer Protection Laws to the i-Health Industry
While it's important to understand the overall framework, including our criminal fraud enforcement program, my sense is that most of the people at today's conference are honest and law-abiding individuals who want to comply with the law. Thus, I want to discuss the legal and regulatory framework in a little more depth, applying it to specific business models in the i-health industry.
I-health companies also should be mindful of the prohibition on employing or contracting with individuals or entities that have been excluded from participation in Federal health care programs for misconduct. In an era of tight labor markets, and the "outsourcing" of many business operations, it is easy to overlook the need for careful screening of employees and potential business partners. For example, a health care provider - including an online pharmacy - could not hire or contract with a pharmacist who has been excluded by the HHS Office of Inspector General if the provider receives federal reimbursement for the drugs.
In the near future, the
Administration will present legislation to Congress to provide consumer protections
for Internet drug sales. The underlying goal of the legislation will be
to ensure that online pharmacies are licensed and operated under the same regulatory
system that Congress and the States have put in place for traditional "brick
and mortar" pharmacies. Therefore, the legislation will call for online
pharmacies to post information on their Web sites about their ownership, state
licensure, name of the pharmacist in charge, and a phone number where consumers
can contact the pharmacist. Online pharmacies that fail to meet these
requirements would be subject to federal civil and criminal penalties.
What Does the Future Hold?
First, the Administration does not believe that significant new substantive regulation is necessary to deal with unlawful conduct on the Internet. A working group, chaired by the Attorney General, conducted a comprehensive review of unlawful conduct on the Internet, and concluded that, generally, existing laws are adequate to address Internet crime, including fraud. The one area where additional legislation is necessary involves the sale of drugs on the Internet. Here, to maintain adequate protections for consumers, and to permit effective enforcement, the Administration believes new statutory protections are required, and we will be submitting legislation to Congress in the near future.
Second, we will be closely monitoring industry's efforts to develop comprehensive and effective privacy self-regulatory efforts, particularly the practices of the i-health industry. While the Administration has expressed its preference for industry self-regulation, I believe such a hands-off approach will be difficult to maintain absent significant improvements in industry privacy practices. Inadequate privacy efforts also will invite the states to enact online health privacy statutes.
Third, I anticipate a significant increase in Internet health care scams -- if for no other reason than that the Internet is a near-perfect medium for fraud artists. The Justice Department already is taking steps to address this growing threat, including through the creation of the FBI's Internet Fraud Complaint Center. The President's budget calls for $37 million in new funding for additional investigators and prosecutors to fight all forms of cybercrime, including online fraud. We are also cross-training existing white-collar investigators and prosecutors in how to handle online fraud cases. As a result of these and other efforts, I anticipate we will see a significant increase in prosecutions of Internet fraud in the next several years.
Fourth, we are beginning
to work with FBI, Health Care Financing Administration, the HHS Office of Inspector
General, and others to assess the potential for fraud and abuse against federal
health care programs. Because the i-health industry is still relatively
small, and has focused primarily on the business-to-consumer space, we have
not yet seen online health care scams against Medicare and Medicaid. However,
we want to take steps now - before significant taxpayer dollars are lost - to
identify any vulnerabilities and to take steps to boost program safeguards without
stifling the growth of this promising industry.
Compliance Tips
So, what can you do - individually within your companies and collectively through trade associations and other industry groups? You've taken the first step by attending this conference and learning more about the legal and regulatory framework for the i-health industry. The next step should be a comprehensive assessment of your business practices, focusing on several key areas, including privacy practices, compliance with fraud and abuse laws, and compliance with regulations governing the sale and promotion of drugs and medical devices.
We realize that the health
care industry is undergoing rapid change, and that i-health companies must operate
at Internet speeds. But it is just this type of environment - where critical
management resources are stretched thin, and back-office operations like compliance
rank far behind the need to obtain funding and get products out the door - where
companies take short cuts that can result in criminal or civil investigations
and punishment.
What Resources Are Available to Help?
There is a wealth of information available that describes the requirements of federal law and provides advice on how to comply. The Federal Trade Commission, which plays a critical role in safeguarding consumer privacy, provides very useful information on e-privacy and consumer fraud protection efforts on its Web site. Similarly, the Web site of the Department of Health and Human Services contains detailed information on the new draft medical records privacy regulations.
For advice on compliance with federal health care fraud laws, I would encourage you to visit the Web site of the HHS Office of Inspector General. This site contains detailed compliance guides, advisory opinions, special fraud alerts, and other practical information.
Finally, the Justice Department just announced a new Web site - www.cybercrime.gov - which provides information on our computer and high-tech crime enforcement efforts. The site contains speeches, testimony, information on our investigative and prosecutorial efforts, among other things. You can find a copy of the Attorney General's recent report to the President on Unlawful Conduct on the Internet, as well as Justice Department testimony on the sale of prescription drugs on the Internet.
Conclusion
I hope that I have accomplished what I set out to do 25 minutes ago - to describe our health care and Internet fraud enforcement program, to provide a quick overview of the legal and regulatory framework for the i-health industry, to apply that framework to several common business models with the goal of highlighting key legal and regulatory requirements, to offer my personal predictions on the future of our enforcement efforts, and to provide some practical advice on how to comply with federal law.
Finally, I would like to encourage you - individually and through your trade associations - to work with us on developing and enforcing fraud and privacy safeguards in a manner that protects consumers without stifling the growth and promise of the i-health industry. I would encourage the HCCA, IHC and others to take up this challenge, perhaps by broadening the outstanding work you are doing on the "ethics" front to include a detailed examination of fraud prevention and compliance issues. Because you have demonstrated your commitment by coming to Washington DC to learn more about the legal, regulatory, and ethical issues confronting your industry, I would welcome your thoughts and suggestions on how we can work together.
Thank you.
_____________________________________________________
1 This overview discusses a number of federal
laws relevant to Internet-based health care providers. This is not meant
to be an exhaustive list of the laws or regulations that might apply to specific
businesses or practices.
2 These statutes include, but are not limited to: 18 USC 669 (theft or embezzlement in connection with health care), 18 USC 1341 (mail fraud) ,18 USC 1343 (wire fraud), and 18 USC 1347 (fraud in public or private health care benefit programs).
3 See 31 USC 3729-33 (False Claims Act).
4 18 USC 1001 (false statements to a federal agency); 18 USC 1035 (false statements relating to health care matters). A related statute, 18 USC 1518, prohibits efforts to obstruct a health investigation.
5 42 USC 1320a-7b(b). Various statutory and regulatory safe harbors have been established for beneficial arrangements that might otherwise violate the statute. See 42 USC 1320a-7b(b)(3) (statutory safe harbors); 42 CFR 1001.952 (regulatory safe harbors).
6 42 USC 1395nn (codifying "Stark I" and "Stark II" statutes).
7 "FTC Reviews Privacy Issues at Health Web Sites," Wall Street Journal, Feb. 18, 2000, at B6.
8 U.S. Department of Health and Human Services, Notice of Proposed Rule Making for Standards for Individually Identifiable Health Information, 64 Fed. Reg. 59917-60065 (Oct. 23, 1999). Also available at www.hhs.gov/hottopics/healthinfo/index.htm.
9 U.S. Department of Health and Human Services, Notice of Proposed Rule Making for Security and Electronic Signature Standards, 63 Fed. Reg. 43263-69 (Aug. 12, 1998).
10 The rules governing what providers and transactions are and are not covered are necessarily complicated because of the statutory limitations under HIPAA. In authorizing and directing the HHS Secretary to issue medical records privacy regulations, Congress specifically limited such authority to certain forms of electronic transactions by health care plans, providers, and clearinghouses. In releasing the draft HHS privacy regulations, President Clinton noted the flaws in the statutory scheme and called on Congress to enact legislation to address these shortfalls.
11 See HHS Office of Inspector General, Advisory Opinion 99-14 (December 28, 1999), available at www.oig.hhs.gov/fraud/docs/advisoryopinions/1999/ao99_14.htm. Although the OIG ultimately advised the requestor that, under the unique circumstances and safeguards in place, the OIG would not impose sanctions, the OIG made clear that the provision of telemedicine equipment with the intent to induce or encourage referrals would violate the anti-kickback statute.
______________________________________________________
Go to . . . CCIPS Home Page || Justice
Department Home Page