The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15-25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

Unitary Executive Theory Surfaces in Court: District Court Rules Qui Tam Provisions of the False Claims Act Unconstitutional

On September 30, 2024, the United States District Court for the Middle District of Florida ruled that filing claims on behalf of the government under qui tam provisions of the False Claims Act (FCA) is unconstitutional in United States of America ex rel. Clarissa Zafirov v. Florida Medical Associates, LLC, et al. The ruling, made by Judge Kathryn Mizelle, a 33-year-old Trump-appointee, declares that False Claims Act whistleblowers undermine executive power by filing qui tam lawsuits.

The Zafirov decision follows a recent dissent by Supreme Court Justice Clarence Thomas in which he questioned the constitutionality of the FCA’s qui tam provisions. It also follows a political movement pushing the Unitary Executive Theory in the United States judicial courts.

This controversial decision mischaracterizes the qui tam provisions of the FCA and will likely be appealed to the Eleventh Circuit. Should the ruling stand, however, it and other similar challenges to the constitutionality of the FCA’s qui tam provisions will cripple what has been America’s number 1 anti-fraud law. Since the False Claims Act was modernized in 1986, qui tam whistleblower cases have allowed the government to recover more than $52 billion from fraudsters, over $5 billion of which came in cases where the government chose not to intervene.

Applying the ‘Unitary Executive’ Theory to Paint Whistleblowers as ‘Self-Selected Private Bounty Hunters’

Originally passed during the Civil War, the False Claims Act contains qui tam provisions enabling whistleblowers, also known as ‘relators’, to report government contracting fraud and work directly with government investigators. Once the whistleblower brings forward the suit, the government may intervene and continue to prosecute the litigation as the plaintiff. However, in the interest of accountability, the qui tam provision of the FCA permits the whistleblower to pursue a case even if the United States declines prosecution. Whistleblowers who file successful qui tam lawsuits are eligible to receive up to 30% of recovered damages.

The question of the constitutionality of the False Claims Act’s qui tam provisions was notably raised in a dissent by Justice Clarence Thomas in the 2023 Supreme Court case U.S., ex rel. Polansky v. Executive Health Resources. While Polansky discussed the issue of a relator pursuing a lawsuit after the government declines to intervene, Thomas raised a separate issue of constitutionality in his dissent. He stated that “there are substantial arguments that the qui tam device is inconsistent with Article II and that private relators may not represent the interests of the United States in litigation.” In a one-paragraph concurrence, Justice Brett Kavanaugh, joined by Justice Amy Coney Barrett, invited challenges to the constitutionality of the FCA’s qui tam provisions, writing that “In my view, the Court should consider the competing arguments on the Article II issue in an appropriate case.”

Judge Mizelle, a former clerk of Justice Thomas, drew heavily upon Justice Thomas’ dissent in her decision. Echoing Thomas’ dissent in Polansky, JudgeMizelle concluded that the qui tam provision “directly defies the Appointments Clause by permitting unaccountable, unsworn, private actors to exercise core executive power [litigating on behalf of the government] with substantial consequences to members of the public.” The District Court thus agreed with the defendants that the FCA’s qui tam provisions indeed violates the Appointments Clause of Article II of the Constitution.

The Zafirov ruling relies upon the ‘unitary executive theory,’ a constitutional law theory that states the President of the United States has sole authority over the executive branch and that power cannot be limited by Congress.

According to then-Assistant Attorney General William Barr’s 1989 Memo Constitutionality of the Qui TamProvision of the False Claims Actwhich repeatedly cited by both the judgment and the U.S. Chamber of Commerce amicus brief, the move to enable private citizens to file on behalf of the government represents a breach of the separation of powers allowing “Congress to circumvent the Executive’s check.” Barr rebrands whistleblowers as “private bounty hunters” and claims that the 1986 amendments which reincorporated the FCA’s qui tam provisions was a tactic by Congress to override presidential powers. Barr maintains that “only a unitary executive” that is, “only the President” can “take care that the laws be faithfully executed.”

In a dissent in the 1988 Supreme Court case Morrison v OlsenJustice Antonin Scalia interpreted the ‘Unitary Executive’ to have unchecked authority to appoint and remove executive officials, claiming that the firing of an independent counsel without cause falls within the limitless power of the President over the executive.

The Middle District of Florida ruling draws on Scalia’s rationale arguing that the right to pursue a qui tam case denies the President the executive authority of appointment of the relator. Under the FCA, however, whistleblowers are granted certain rights. For example, the executive must guarantee a whistleblower the “right to continue as a party” with or without the United States intervening and wait for the relator’s approval before settling the action.

The court agrees with the defendants’ argument that the FCA therefore “den[ies] the President necessary removal authority and sufficient supervisory control over [the relator].”

The court contends that the physician-turned-whistleblower Zafirov was “an improperly appointed officer” in violation of the Appointments Clause and the Take Care and Vest Clause of the Article. According to the ruling, by filing a qui tam against Medicare fraud, Zafirov was granted “core executive power” without any “proper appointment under the Constitution.”

A Mischaracterization of Qui Tam Whistleblowing

Judge Mizelle’s decision in United States ex rel. Zafirov v. Fla. Med. Assocs. first mischaracterizes the FCA’s qui tam as a breach of presidential power instead of as a provision that strengthens checks and balances. Second, the court ignores case law outlining government prerogatives over relators such that they are not menacing to the core Executive powers.

The revived qui tam provision of 1986 was a legislative move to improve government accountability over fraud—neither expanding Congressional oversight nor the size of government—by mobilizing private citizens rather than public agents. The Florida court wrongfully elevates the status of a relator to an ‘officer’ responsible to the government. A citizen pursuing a claim on behalf of the government is not and does not pretend to be an extension of the Executive Office and, therefore not subject to administrative appointment procedure. Rather the relator is a private person, and the government is a third party to the case. The Vt. Agency of Natural Res. v. United States ex rel. Stevens majority opinion also written by Justice Scalia discussing whether relators have judicial standing under Article III, qualifies that the relator is on “partial assignment of the Government’s damages claim.” A ‘partial assignee’—to which only some rights are transferred—may “assert the injury suffered by the assignor” (the U.S.) so long as the harm done is sufficient. Scalia reiterates the ‘representational standing’ of relators and makes no remarks on its challenge to the Unitary Executive. Judge Mizelle’s reliance on Morrison v Olsen to claim that like an independent counsel, a relator should also qualify as an officer ignores the Stevens Supreme Court ruling distinguishing relators as a type of assignee.

Mizelle also raises that relators seem to enjoy unbridled authority over the Executive by initiating a qui tam suit without government intervention. While Mizelle points to 31 U.S.C. § 3730 (c) to demonstrate the unchecked power of the relator, she neglects the numerous limitations specified in § 3730 (c)(2), including the broad power of the government to dismiss the qui tam action after intervening notwithstanding any objections from the relator. She frames the government intervention as “the government’s ability to pursue a parallel action and to exert limited control [which] does not lessen a relator’s unchecked civil enforcement authority to initiate.” In truth, the statute and years of judicial history maintain the government’s absolute discretion over whether to intervene in or completely stop the case by dismissing the action.

Contrary to Judge Mizelle’s belief, relators are not free from potential government intervention even when independently pursuing the case. On the contrary, relators are not able to independently pursue any binding action on the government unimpeded by the government. While Zafirov independently pursued the claim for five years, the government could have intervened and then dismissed the claim at any time. If the government intervenes, underlined in 31 U.S.C. § 3730 (c)(2), the government is empowered to settle the action with the defendant notwithstanding any objections from the relator and to restrict their participation in the course of the litigation. The fact that the government may choose not to intervene at one point does not divest them of their ability to intervene later and exercise significant authority over the relator.

Implications: Crippling the False Claims Act

Judge Mizelle’s decision seeks to end the historic success of the qui tam provision of the FCA by declaring the government’s most effective mechanism of detecting fraud as unconstitutional. While the decision does not invalidate the FCA nationally, this case could be the first step in a series of appeals that may elevate the issue to the Supreme Court.

The government’s largest obstacle to fighting white-collar crime such as fraud is detection. The diffuse and indirect nature of fraud requires those with insider knowledge to assist the government in pursuing corruption. In terms of the effectiveness of the qui tam provision, between 1987 and 2022, the Department of Justice Civil Fraud Division recovered $22.1 billion without the help of whistleblowers versus $50.3 billion with the help of whistleblower lawsuits. Since the 1986 amendments to the FCA, whistleblowers have been the direct source of approximately 70% of civil fraud recoveries by the federal government. From the Medicare billing fraud committed in Florida Medical Associates to Russian money laundering, the United States may lose its most effective tool to fight fraud fraud if the qui tam provisions of the FCA are ruled unconstitutional.

Federal District Court in Florida Holds FCA’s Qui Tam Provisions Unconstitutional

In the Supreme Court’s 2022 decision in United States ex rel. Polansky v. Executive Health Resources, Inc., three justices expressed concern that the False Claims Act’s qui tam provisions violate Article II of the Constitution and called for a case presenting that question. Justice Clarence Thomas penned a dissent explaining that private relators wield significant executive authority yet are not appointed as “Officers of the United States” under Article II. Justice Brett Kavanaugh and Justice Amy Coney Barrett, concurring in the main opinion, agreed with Justice Thomas that this constitutional issue should be considered in an appropriate case.

Earlier this year, several defendants in a non-intervened qui tam lawsuit in the Middle District of Florida took up the challenge. The qui tam, styled United States ex rel. Zafirov v. Florida Medical Associates, LLC et al., involves allegations of Medicare Advantage coding fraud. After several years of litigation, the defendants moved for judgment on the pleadings, arguing the relator’s qui tam action was unconstitutional, citing Justice Thomas’s dissent in Polansky.

The defendants’ motion prompted a statement of interest from the United States and participation as amici by the U.S. Chamber of Commerce and the Anti-Fraud Coalition. The Court also asked for supplemental briefs on Founding-era historical evidence regarding federal qui tam enforcement.

On September 30, 2024, Judge Kathryn Kimball Mizelle granted the defendants’ motion, agreeing the relator was unconstitutionally appointed and dismissing her complaint. Judge Mizelle, who clerked for Justice Thomas, held a private FCA relator exercises significant authority that is constitutionally reserved to the executive branch, including the right to bring an enforcement action on behalf of the United States and recover money for the U.S. Treasury. In doing so, a relator chooses which claims to prosecute, which theories to raise, which defendants to sue, and which arguments to make on appeal, resulting in precedent that binds the United States. Yet, a relator is not appointed by the president, a department head, or a court of law under Article II, making the qui tam device unconstitutional.

Judge Mizelle distinguished historical qui tam statutes, which were largely abandoned early in our nation’s history, on the ground that few gave a relator the level of authority the FCA does. And while the FCA itself dates back to the Civil War, the statute largely remained dormant (aside from a flurry of use in the 1930s and 40s) until the 1986 amendments set off a new wave of qui tam litigation.

The ruling is significant for the future of the FCA. As Judge Mizelle’s opinion explains, most FCA actions are brought by relators as opposed to the government itself. If the decision is upheld on appeal, a number of outcomes are possible. If the FCA is to continue as a significant source of revenue generation for the government, the DOJ must devote more resources to bringing FCA actions directly. Congress may also consider amending the FCA’s qui tam provisions to limit relators’ authority to conduct FCA litigation, thereby maintaining the statute as a viable avenue for whistleblowing.

One thing is almost certain, however. FCA defendants across the country will likely raise similar arguments in light of Judge Mizelle’s ruling. Whether in Zafirov or another case, it appears the Supreme Court will get to decide the constitutionality of the FCA’s qui tam provisions sooner rather than later.

Texas-Sized Fraud: Corporate Relator Takes on Laboratory Referral Kickback Scheme

17 October 2024. In a qui tam whistleblower settlement, Jeffrey Madison, the former CEO of Little River Healthcare in Rockdale, Texas, has agreed to pay over $5.3 million to resolve alleged violations of the Anti-Kickback Statute. This successful whistleblower lawsuit illustrates the critical role of whistleblowers in uncovering fraudulent schemes and upholding ethical standards within the healthcare industry. The corporate whistleblower in this qui tam action, STF LLC, could be rewarded between 15-25% of the government’s recovery.

Understanding the Case

The allegations against Madison stem from violations of the False Claims Act, specifically linked to illegal payments made to physicians to induce laboratory referrals. These actions contravened the Anti-Kickback Statute, a federal law designed to ensure that medical decisions, particularly those about Medicare, Medicaid, or TRICARE beneficiaries, are based on patient welfare rather than financial incentives.

Key Allegations:

Kickback Scheme: The lawsuit alleged that between January 2015 and June 2018, Little River Healthcare, under Madison’s leadership, engaged in a scheme involving paying commissions to recruiters. These recruiters, using management service organizations (MSOs), funneled kickbacks to physicians who referred laboratory tests to Little River.

False Certifications: Madison was accused of knowingly falsely certifying compliance with the Anti-Kickback Statute in Medicare cost reports, resulting in fraudulent claims to federal healthcare programs, including Medicare, Medicaid, and TRICARE.

Disguised Payments: An additional component involved Dr. Doyce Cartrett Jr., who was allegedly paid $2,000 monthly to refer his laboratory testing business to Little River. These payments were allegedly disguised as “medical director fees” despite Dr. Cartrett rendering no medical director services.

The Importance of the Anti-Kickback Statute

Violations of the Anti-Kickback Statute can significantly harm patients by distorting medical decision-making priorities and eroding trust in healthcare providers. When healthcare decisions are influenced by financial incentives rather than patient welfare, there is a risk that unnecessary or substandard care is administered, potentially leading to adverse health outcomes. Patients may receive treatments not based on their individual needs but on the financial gains of unscrupulous providers. This not only affects the quality of care but also contributes to rising healthcare costs, ultimately burdening patients and taxpayers financially. Upholding the statute is crucial in ensuring that patient care is determined by medical necessity and clinical expertise.

This case underscores the vital role of whistleblowers in identifying and exposing fraudulent activities. By coming forward, whistleblowers not only protect taxpayer dollars but also ensure that healthcare decisions remain focused on patient care. As the Acting Special Agent in Charge of the Department of Defense Office of Inspector General, Defense Criminal Investigative Services, Southwest Field Office said about the case, “Our nation’s uniformed military service members and their families should never have to question the integrity of their healthcare providers. Medical decisions influenced by greed destroy the fundamental element of trust in patient care.” Healthcare fraud whistleblowers reporting unlawful kickback schemes under the False Claims Act can help restore that trust.

The Murky Waters of Wash Trading Digital Assets – DOJ Charges 18 Individuals and Entities

The United States Attorney’s Office for the District of Massachusetts recently unsealed what it described as the “first-ever criminal charges against financial services firms for market manipulation and ‘wash trading’ in the cryptocurrency industry.” The SEC also filed parallel civil charges alleging violations of Securities for the same alleged schemes.

The government has charged eighteen individuals and companies, including four cryptocurrency market makers, with engaging in illegal market manipulation through “wash trading” digital assets. According to the DOJ and SEC filings, although these individuals purported to offer “market making services,” they were actually engaged in offering “market-manipulations-as-a-service” by engaging in artificial trading of digital assets to give the false appearance that there was an active (and heavily traded) market for those tokens.

How this case came to the DOJ’s attention is as novel as the legal theory behind the charging documents. According to DOJ spokespeople, the investigation started with a tip from the SEC about one of the companies at issue. Further investigations into that company—along with the help of cooperating witnesses—led authorities to set up a sham crypto firm, NextFundAI, and create a token associated with the firm. Posing as NextFundAI, the government communicated with the defendants—market makers who allegedly offered to trade and manipulate the price of NextFundAI’s token by wash trading, or trading the token back-and-forth between crypto wallets they controlled.

While there may be rules against wash trading in traditional securities markets (see, e.g., 26 U.S. Code § 1091), the rules are as clear in the digital asset space. Indeed, the regulatory vacuum facing the digital asset industry makes it difficult for those in the industry to avoid eventual regulatory action, and what many have referred to as “regulation by enforcement.” This is particularly true where the technological realities of digital assets do not fit squarely within the existing legal framework. There may be disagreement about the purpose or intent behind a cryptocurrency transaction where one individual is transferring cryptocurrency between wallets that person or entity controls. But there may not be a misrepresentation or fraudulent act inherent in this type of transaction. Indeed, the transaction itself (including the wallet address of the sender and recipient) is likely immediately and accurately recorded on the public blockchain. So, according to the government, the “fraud” is the intent behind the trades – to manipulate the market by artificially generating trade volume to signal interest and activity in the token.

The government’s allegations are also interesting because in addition to the wire fraud charges (18 U.S.C. § 1343), which generally do not require proof that the digital asset at issue is a security, the government has charged the defendants with conspiracy to commit market manipulation (18 U.S.C. § 371), which requires the government to prove that the token at issue is a security. This charge is significant because it will require the DOJ to prove at trial that the tokens at issue are securities.

Although several individuals involved have already pleaded guilty, there are several defendants who appear to be testing the government’s novel theory in court. We anticipate that this will be the first of many similar investigations and enforcement actions in the digital asset space.

Is It the End of the False Claims Act As We Know It? District Court Rules Qui Tam Provisions Unconstitutional

In a first-of-its-kind ruling on 30 September 2024, Judge Kathryn Kimball Mizelle of the US District Court for the Middle District of Florida held in United States ex rel. Zafirov v. Florida Med. Assocs., LLC that the qui tam provisions of the False Claims Act (FCA) are unconstitutional. No. 19-cv-01236, 2024 WL 4349242, at *18 (M.D. Fla. Sept. 30, 2024). Specifically, Judge Mizelle found that qui tam relators in FCA actions qualify as executive branch “Officers” who are not properly appointed, thereby violating the Appointments Clause of Article II of the US Constitution.

The holding adopts Appointments Clause arguments that have been gaining traction in recent Supreme Court opinions. It also addresses some of the “serious constitutional questions” that Justice Clarence Thomas had raised regarding the FCA’s qui tam provisions in his dissent in the Supreme Court’s June 2023 decision in United States ex rel. Polansky v. Exec. Health Res., Inc., 599 U.S. 419, 449 (2024) (Thomas, J., dissenting). Notably, Judge Mizelle’s decision in Zafirov is contrary to a number of other decisions post-Polansky that rejected similar constitutional arguments.

The decision is sure to be appealed to the Eleventh Circuit and it remains to be seen whether Judge Mizelle’s rationale will withstand appellate scrutiny. In any event, for the time being, the defense bar has a new tool in its arsenal to seek dismissal of qui tam FCA actions. Moreover, if the decision stands, it will have broad ramifications on the FCA, which has provided for qui tam actions (a form of “whistleblower” activity) since the FCA’s enactment in 1863. Cases filed by qui tam relators have comprised the largest portion of overall FCA recoveries for years, accounting for 87% of FCA recoveries in the most recent fiscal year. For additional data on qui tam cases, see our firms’ recent white paper here.

Summary of the Decision

In 2019, the relator, a board-certified family care physician, filed a qui tam FCA action against her employer and several other providers, as well as Medicare Advantage Organizations (MAOs). The relator alleged that the providers acted in concert with the MAOs to artificially increase the risk adjustment scores of Medicare Advantage enrollees, in turn increasing the defendants’ capitated payments from the government.

After a lengthy procedural history involving multiple rounds of motions to dismiss, in February 2024, the defendants sought judgment on the pleadings, arguing that the FCA’s qui tam provisions violate the Appointments, Vesting, and Take Care Clauses of Article II of the US Constitution. The defendants also argued that historical practice does not cure the qui tam provisions’ constitutional defects. The United States intervened solely to defend the constitutionality of the FCA’s qui tam provisions, with several amici curiae also filing briefs.

The court did not reach the Vesting and Take Care Clause arguments but agreed with defendants that the qui tam provisions violate the Appointments Clause. Analyzing that question, the court first found that qui tam relators are “Officers of the United States” because: (1) relators exercise significant authority by possessing civil enforcement authority on behalf of the United States; and (2) relators occupy a “continuing position” established by law given that the FCA prescribes their statutory duties, powers, and compensation and the position is analogous to other temporary officials that wield core executive power, such as bank receivers and special prosecutors. Second, the court found that Article II of the US Constitution contains no qui tam exception, rejecting arguments that historical practice confirms the qui tam provisions’ constitutionality. The court stated that “[w]hen the Constitution is clear, no amount of countervailing history overcomes what the States ratified.” Third, the court found that because a relator is an Officer, the relator must be appointed by the president, the head of an executive department, or a court. Because relators are self-appointed by initiating their own FCA actions, the court held that the qui tam provisions violate the Appointments Clause and dismissed the action.

Key Takeaways

  • Although noteworthy, Zafirov is an outlier among the multiple decisions pre- and post-Polansky that have addressed the qui tam provisions’ constitutionality. The case is also expected to be appealed by both the relator and the United States to the Eleventh Circuit. Of note, the Eleventh Circuit is currently considering an appeal of a separate Appointments Clause ruling that found a special counsel was improperly appointed in United States v. Trump.
  • This issue could also make its way to the Supreme Court. In addition to Justice Thomas’ comments noted above, Justices Brett Kavanaugh and Amy Coney Barrett (in a concurrence in Polansky) acknowledged that “[t]here are substantial arguments that the qui tam device is inconsistent with Article II” and suggested that the Court consider those arguments in an “appropriate case.” Time will tell whether Zafirov is that case.
  • The anti-whistleblower holding in Zafirov stands in sharp contrast to other recent notable developments that encourage whistleblower activity, including the US Department of Justice’s Corporate Whistleblower Awards Pilot Program and similar initiatives, as well as recent US Securities and Exchange Commission enforcement actions.
  • Despite the expected appeals, the success in Zafirov raises important issues for FCA defendants and the defense bar to evaluate, and the decision may open the door to similar arguments in other FCA qui tam actions. For one, it remains to be seen what impact Zafirov should have where a defendant is considering settling in a nonintervened case and whether a conditional settlement that preserves the right to appeal the constitutional issue is appropriate. Other courts may also draw different lines, including if and how the government’s decision to intervene impacts the constitutional analysis. These will all be important issues for affected companies and FCA practitioners to consider and keep an eye on.

Our Firm’s FCA lawyers will continue to closely monitor these developments.

DOJ Announces Changes to Guidance on Corporate Compliance Programs, Updates on Whistleblower Program

In an address this week to the Society of Corporate Compliance and Ethics, Principal Deputy Assistant Attorney General Nicole M. Argentieri of the Department of Justice’s (“DOJ”) Criminal Division, highlighted several updates relevant to corporate compliance programs, including the DOJ’s new whistleblower programs and incentives.

Sufficient Compliance: Updated Areas to Consider

The Evaluation of Corporate Compliance Programs (“ECCP”) is the compass by which the DOJ measures the efficacy of a corporation’s compliance program for potential credit or mitigation in the event an organization is potentially subject to prosecution.[1] Ms. Argentieri highlighted several key updates to the ECCP that the DOJ will now consider when evaluating whether a corporation’s compliance program is “effective” and thus deserving of credit and/or mitigation of criminal penalties.

These new factors include whether:

  • the resources and technology with which a company does business are applied to its compliance program, and whether its compliance program fully considers the risks of any technologies it utilizes (such as generative AI)[2];
  • the company had a culture of “speaking up” and protecting those who report on corporate misdeeds;
  • a company’s compliance department had access to adequate resources and data to perform its job effectively; and
  • a company learned from its past mistakes—and/or the mistakes of other companies.

Encouraging Self-Reporting: Presumptive Declination and Reduced Penalties

In her remarks, Ms. Argentieri stated that the previously announced Whistleblower Awards Program[3] had so far been successful in the eyes of the DOJ, but did not point to any specific case or outcome. Likely, it is too soon for the public to see the fruits of the program, given its nascent state and the time that usually elapses between the initiation of an investigation and its resolution. The DOJ appears to be stating, though, that it is receiving and following up on whistleblower reports already.

This new policy encouraging whistleblowing through financial incentives, however, was combined with an amendment to DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy, which provides that there is a presumptive declination to prosecute should a company make a disclosure of wrongdoing within 120 days of receiving an internal report of alleged misconduct and before DOJ contacts the company regarding that matter. In short, DOJ is seeking to incentivize a “race to DOJ” to report potential misconduct – perhaps before the company can even confirm whether the allegation is credible.[4]

Organizations that opt to not take the early self-disclosure route can still reduce any criminal penalties they may face by up to half by fully cooperating with the DOJ in its investigation. Considerations DOJ will factor in when evaluating whether an organization “fully cooperates” include, among other things, how timely the cooperation was and if the company took appropriate remedial action (such as improving compliance programs and disciplining employees). The DOJ continues to emphasize the importance of clawing back compensation and/or reducing compensation and bonuses of wrong-doers (if not also terminating them).[5]

Tipping the Scales

In sum, these programs are clearly intended to materially alter the disclosure calculus of whether a company should disclose misconduct by putting quantifiable incentives on the side of timely disclosure and cooperation, namely declination. Combined with the DOJ’s updates to the ECCP, these programs attempt to bring clarity and consistency to the world of corporate criminal penalties (and possibly how to avoid them altogether). Companies are well-advised to review their existing compliance programs in light of these new incentives and guidance from the DOJ to ensure that they address the new factors enumerated by the DOJ, but also account for increased incentives for corporate whistleblowers.


FOOTNOTES

[1] The U.S. Sentencing Guidelines also define what constitutes an “effective compliance and ethics program” for credit under the guidelines. U.S.S.G. §8B2.1.

[2] This is not the first time, and unlikely to be the last, where DOJ has emphasized the use of AI to enhance corporate compliance. See Lisa Monaco, Deputy Attorney General, Department of Justice, Remarks at the University of Oxford on the Promise and Peril of AI (Feb. 14, 2024).

[3] Under the Criminal Division’s whistleblower pilot program (and like those of other U.S. Attorney’s Offices who have thus far adopted similar programs), whistleblowers are financially rewarded—through criminal forfeiture orders—for bringing forward information on specific alleged violations, so long as that person first reports the misconduct to the company and DOJ has not already learned of it. The Criminal Division’s Pilot Program on Voluntary Self-Disclosure for Individuals also provide culpable individuals who report to receive non-prosecution agreements in exchange for reporting their own conduct and the conduct of the company.

[4] The “race to DOJ” incentivized by these programs may indeed alter the corporate disclosure calculus—by moving up the date for any disclosure in light of the threat that an employee or third-party, aware of any investigation, may choose to report the matter to DOJ. Likewise, it may also change the nature of the internal investigation in ways to limit knowledge of the investigation early-on, like limiting early interviews until documents and data can be reviewed and analyzed.

[5] Indeed, DOJ will permit companies to earn a dollar-for-dollar reduction of a criminal penalty for each dollar a company successfully claws back from a wrong-doer to further incentivize companies to seek to claw back compensation paid.

Walgreens Settles for $106.8 Million Over FCA Violations

On September 13, the US Department of Justice (DOJ) announced that Walgreens Boots Alliance Inc. and Walgreen Co. (collectively, Walgreens) agreed to pay $106.8 million to resolve allegations of violating the False Claims Act (FCA) and state statutes. The allegations pertain to billing government health care programs for prescriptions that were never dispensed. The government alleged that from 2009 until 2020, Walgreens submitted claims to federal health care programs for prescriptions that were processed but never picked up by beneficiaries. This resulted in Walgreens receiving 10s of millions of dollars for prescriptions that were never actually provided to health care beneficiaries.

Under the resolution, Walgreens agreed to enhance its electronic pharmacy management system to prevent future occurrences and self-reported certain conduct. In addition, Walgreens refunded $66,314,790 related to the settled claims, which allowed Walgreens to receive credit under the DOJ’s guidelines for taking disclosure, cooperation, and remediation into account in FCA cases.

Under the settlement agreement, the federal government received $91,881,530, and the individual states received $14,933,259 through separate settlement agreements. The settlement will resolve three cases pending in the District of New Mexico, Eastern District of Texas, and Middle District of Florida under the qui tam, or whistleblower, provision of the FCA. Whistleblowers Steven Turck and Andrew Bustos, former Walgreens employees, will receive $14,918,675 and $1,620,000, respectively, for their roles in filing the suits.

The DOJ’s press release can be found here.

CVS Health Subsidiary Settles FCA Allegations for $60 Million

On September 16, Chicago company Oak Street Health, a subsidiary of CVS Health, agreed to pay $60 million to resolve allegations that it violated the FCA by paying kickbacks to third-party insurance agents in exchange for recruiting seniors to Oak Street Health’s primary care clinics from September 2020 through December 2022.

According to the DOJ, in 2020, Oak Street Health developed a program called the Client Awareness Program. Under the program, which was developed to increase patient membership, seniors who were eligible for Medicare Advantage received marketing messages designed to generate interest in Oak Street Health. Upon receipt of these messages, third-party insurance agents organized three-way phone calls with Oak Street Health employees for the interested seniors. Oak Street Health paid agents around $200 per beneficiary referred or recommended as part of this service. Instead of basing referrals and recommendations on the best interest of the seniors, these payments allegedly encouraged agents to base referrals and recommendations on Oak Street Health’s financial interests.

The DOJ’s press release can be found here.

Dunes Surgical Hospital Settles for $12.76 Million Over FCA Violations

On September 16, South Dakota companies Siouxland Surgery Center LLP, d.b.a. Dunes Surgical Hospital, United Surgical Partners International Inc. (USPI), and USP Siouxland Inc. agreed to pay approximately $12.76 million to settle FCA allegations related to improper financial relationships between Dunes and two physician groups. Since July 1, 2014, USPI has maintained partial ownership of Dunes through USP Siouxland, a wholly owned subsidiary of USPI. Following an internal investigation, Dunes and USPI disclosed the arrangements at issue to the government.

From at least 2014 through 2019, Dunes allegedly made financial contributions to a nonprofit affiliate of a physician group whose physicians referred patients to Dunes. According to the complaint, those payments allegedly funded the salaries of referring employees. Other allegations include that Dunes provided a different physician group with below-market-value clinic space, staff, and supplies. The DOJ alleged that these arrangements violated both the Anti-Kickback Statute and the Stark Law, which are “designed to ensure that decisions about patient care are based on physicians’ independent medical judgment and not their personal financial interest.”

Following Dunes’ and USPI’s internal compliance review and independent investigation, the companies promptly took remedial actions and disclosed such arrangements to the DOJ. The companies also provided the government with detailed and thorough written disclosures and cooperated throughout its investigation, resulting in cooperation credit for the companies.

Under the settlement, Dunes and USPI will pay $12.76 million to the federal government for alleged violations of the FCA, and approximately $1.37 million to South Dakota, Iowa, and Nebraska for their share of the Medicaid portion of the settlement.

The DOJ’s press release can be found here.

California Man Convicted for Paying Illegal Kickbacks for Patient Referrals to Addiction Treatment Facilities

On September 11, a federal jury convicted Casey Mahoney, 48, of Los Angeles, for paying nearly $2.9 million in illegal kickbacks for patient referrals to his addiction treatment facilities in Orange County, California. The facilities involved are Healing Path Detox LLC and Get Real Recovery Inc.

According to court documents and evidence presented at trial, Mahoney paid illegal kickbacks to “body brokers” who referred patients to his facilities. These brokers appeared to pay thousands of dollars in cash to patients to induce them to procure treatment at Mahoney’s facilities. Mahoney allegedly concealed these illegal kickbacks through sham contracts with the body brokers. The contracts purportedly required fixed payments and prohibited payments based on the volume or value of patient referrals, when in reality, payments were negotiated based on patients’ insurance reimbursements and the number of days Mahoney could bill for treatment. Mahoney also allegedly laundered the proceeds of the conspiracy through payments to the mother of one of the body brokers, falsely characterizing them as consulting fees.

The Eliminating Kickbacks in Recovery Act formed the basis of the charges against Mahoney. He was convicted of one count of conspiracy to solicit, receive, pay, or offer illegal remunerations for patient referrals, seven counts of illegal remunerations for patient referrals, and three counts of money laundering. He is scheduled to be sentenced on January 17, 2025, and faces a maximum penalty of five years in prison for the conspiracy charge, 10 years in prison for each illegal remuneration count, and 20 years in prison for each money laundering count.

The DOJ’s press release can be found here.

© 2024 ArentFox Schiff LLP

by: D. Jacques SmithRandall A. BraterMichael F. DearingtonNadia PatelHillary M. Stemple, and Rebekkah R.N. Stoeckler of ArentFox Schiff LLP

For more news on FCA Violations visit the NLR Criminal Law Business Crimes section.

George Washington’s Whisky Distillery, 21st Century Edition

You might think the laws of King Edward I of England (1239-1307), George Washington’s whisky distillery, and an 1807 “Treatise on the Law of Idiocy and Lunacy” have little to do with the federal criminal code of 2024. And you might think they have even less to do with contemporary federal regulation of cannabis. But the Supreme Court’s test for the Second Amendment right to keep and bear arms requires litigants and courts to become historians scouring the archives. So, the U.S. Court of Appeals for the Fifth Circuit recently held a federal criminal statute barring unlawful users of controlled substances from possessing firearms and ammunition, 18 U.S.C. § 922(g)(3), was unconstitutional as applied. The government’s prosecution of a “non-violent, marijuana smoking gunowner” was dismissed (United States v. Connelly, — F.4th — (5th Cir. 2024).

Those intrigued by the ins and outs of historical firearms regulations, and the back and forth between the Supreme Court and Fifth Circuit on that issue, can study the court’s opinion. The facts, however, were straightforward and seemingly commonplace. The defendant “would at times smoke marijuana as a sleep aid and for anxiety.” So do countless Americans, in full compliance with applicable state laws allowing just such uses. The defendant owned a firearm. Again, nothing remarkable there. Yet federal officials charged the defendant with violating criminal law. The Fifth Circuit put an end to the prosecution, as it did in a similar case last year, United States v. Daniels, 77 F.4th 337 (5th Cir. 2023), vacated, 144 S. Ct. 2707 (2024) (for reconsideration in the light of United States v. Rahimi, 144 S. Ct. 1889 (2024)), which we discussed last year here.

Three takeaways stand out for the industry:

1. The federal classification of cannabis does not trump constitutional rights.

Noticeably absent from the Fifth Circuit’s reasoning was any deference to the federal scheduling of cannabis as a controlled substance. That may be due to the unique historical test applicable to the Second Amendment. Still, the opinion shows the Constitution has no cannabis exception. Judicial statements like “[m]arijuana user or not,” the defendant “is a member of our political community and thus” has constitutional rights are a welcome change in emphasis. When facing an enforcement challenge, industry participants should evaluate constitutional challenges they may have. The Constitution may just win the day.

2. Analogies to regulation of alcohol carried more weight than analogies to other regulatory schemes.

The government tried to analogize cannabis users to several regulatory schemes, including a tenuous (at best) analogy to mental health. Nothing doing there. The Fifth Circuit instead analogized to alcohol regulation, concluding that both alcohol and cannabis can cause a temporary, potentially “impairing influence.” So, just as the federal government does not charge firearms owners with violating 18 U.S.C. § 922(g)(3) because they occasionally consume alcohol, the government could not prosecute the defendant because she occasionally consumed cannabis.

This decision suggests that future enforcement targets might find success in analogizing cannabis to alcohol. Subject to appropriate regulatory control and responsible personal use, alcohol consumption is an accepted part of American society. Indeed, as the Fifth Circuit took pains to note, American acceptance of alcohol consumption dates to the colonial period. Just ask George Washington. And it’s still going strong today. Manufacturers and distributors of alcoholic beverages can advertise their products widely — watch the Super Bowl — and they benefit from access to the banking system, stock market, and other financial opportunities closed to the cannabis industry. Situating the cannabis industry in that established history may help show that cannabis should follow a similar pattern. And it may call into question differential regulatory treatment of the two industries.

3. Supposed “dangerousness” cannot justify treating cannabis differently.

The Fifth Circuit declined the government’s invitations to analogize cannabis users to “dangerous” persons, like political traitors, whom the Constitution might permit disarming. That is, of course, a marked shift from the historical justification for the federal ban on cannabis — a supposed propensity to “incite[] violent crimes,” that modern medicine shows is false.

Rejecting the supposed “dangerousness” of occasional cannabis users furthers questions about whether prohibitions on cannabis serve a legitimate purpose. Recall Justice Clarence Thomas’s 2021 statement questioning the federal approach as a contradictory and unstable “half-in, half-out regime” that “strains basic principles of federalism and conceals traps for the unwary” (Standing Akimbo, LLC v. United States, 594 U.S. 2236 (2021) (Thomas, J., statement respecting denial of certiorari)). As more courts reject federal attempts to treat cannabis users differently from other citizens, future litigants may consider asserting constitutional due process or equal protection challenges to regulations. After all, as Connelly shows, courts stand ready to vindicate constitutional rights, “[m]arijunana user or not.”