Category: Criminal Law

Unlike a Fine Wine, Tax Issues Do Not Get Better with Age

In a recent decision, the New York State Tax Appeals Tribunal (“Tribunal”) upheld notices of deficiency issued by the New York State Department of Taxation and Finance (the “Department”) totaling approximately $15 million in additional tax, plus interest and penalties for tax years dating as far back as 2002. In the Matter of the Petition of Cushlin Limited, DTA No. 829939 (TAT Oct. 10, 2024). The notices of deficiency came on the heels of an audit that lasted a decade and at the end of which the Department computed additional corporation franchise tax due “based on the information it had available” inasmuch as the information provided by the company over the 10-year audit was “incomplete and/or unsubstantiated.” This case is a cautionary tale for taxpayers and a reminder that tax issues do not get better with age, and delaying or putting off addressing known issues only makes the situation worse in the end.

The company was a corporation organized under the laws of The Isle of Man and was in the business of acquiring and refurbishing three- and four-star hotels. The company also owned equity interests in 13 limited liability companies (“LLCs”) that were doing business in New York. In 2008, the Department began an audit of one of the LLCs and discovered that it had sold real property in New York but did not file a New York State partnership tax return. As a result of its ownership interest in the LLCs, the Department determined that the company was required to file New York corporation franchise tax returns on which it was required to report the gains and losses of the LLCs. The audit of the company initially covered the tax years 2002 through 2006 and was later expanded to include 2007 through 2009.

From 2010 through 2013, the company and the Department communicated multiple times, and the company repeatedly stated that it was preparing tax returns for the audit years for the LLCs and the company and that it required more time to prepare those returns. In 2013, the company provided the Department with draft tax returns for the company and the LLCs. In May 2016, after another three years passed without final tax returns being filed, the Department informed the company that it was assessing additional corporation franchise tax computed based on the amounts in the draft returns plus interest and penalties. In June 2016, the company filed final tax returns for all of the audit years, and the final returns reflected income and deductions that were larger than the amounts previously included in the draft returns.

The Department then issued three information document requests over the next two years that requested information substantiating the deductions claimed on the filed returns. In response to these requests, the Tribunal found that the company “provided only partial responses that lacked any externally verifiable substantiation” and repeated Department requests were “met with partial, inconclusive responses.” Finally, in 2018, the Department issued the notices of deficiency that assessed the amount of additional corporation franchise tax that the Department had previously computed using the company’s draft returns plus updated additional interest and penalties. The company appealed and the Administrative Law Judge (“ALJ”) sustained the notices finding: (1) that the company had failed to meet its burden of proving that the notices were incorrect; and (2) that penalties were properly imposed as the company also failed to demonstrate that its failure to file timely returns was a result of reasonable cause and not willful neglect.

The Tribunal agreed with the ALJ, concluding that there was a rational basis for the notices because “[w]orking without returns or supporting documentation more than six years after it began, the [Department] used the available information provided by petitioner, verified by other information contained in the [Department’s] own database, to arrive at a computation of tax due from petitioner.” Moreover, the Tribunal reasoned, the Department provided the company with numerous opportunities to substantiate the amounts that the company reported on its filed returns and the company’s failure to provide substantiating information left the Department with “little choice” but to “use another method to arrive at a determination of tax liability.” Finally, the Tribunal concluded that the ALJ correctly determined that penalties were properly imposed as the company did not meet its burden to demonstrate reasonable cause.

© 2024 Blank Rome LLP
For more on Deficiencies, visit the NLR Tax section

Shorter Path to Green Card: New USCIS Guidance for EB-1 Eligibility for Foreign Nationals With Extraordinary Ability

For foreign nationals with “extraordinary ability” in the sciences, arts, education, business or athletics, the path to a green card normally has a much shorter route. The EB-1 extraordinary ability category is a type of employment-based, first-preference visa that has several advantages for a “small percentage of individuals” positioned to prove their expertise within a specific area. As indicated by the elite immigrant visa category, an extraordinary amount of documentation is required to meet the high threshold for EB-1 eligibility.

To provide an example of the evidentiary criteria, this category reserved for individuals with extraordinary ability requires that individuals demonstrate extraordinary ability through sustained national or international acclaim. To do so, applicants must meet at least three of the 10 criteria, or provide evidence of a major one-time achievement, such as a Pulitzer Prize, Oscar, or Olympic medal. In addition, applicants must provide evidence showing that they will continue to work in the area of expertise.

More specifically, the applicant must provide evidence of at least three of the following:

  • Receipt of lesser nationally or internationally recognized prizes or awards for excellence
  • Membership in associations in the field which demand outstanding achievement of their members
  • Published material about the candidate in professional or major trade publications or other major media
  • Judgment of the work of others, either individually or on a panel
  • Original scientific, scholarly, artistic, athletic, or business-related contributions of major significance to the field
  • Authorship of scholarly articles in professional or major trade publications or other major media
  • Display of work at artistic exhibitions or showcases
  • Performance of a leading or critical role in distinguished organizations
  • Command of a high salary or other significantly high remuneration in relation to others in the field
  • Commercial successes in the performing arts

While U.S. Citizenship and Immigration Services (USCIS) has been consistent in detailing the criteria to be demonstrated, the specific evidence deemed acceptable has evolved over the lifetime of this visa category. Last September, USCIS updated its policy manual on employment-based first-preference (EB-1) immigrant petitions in the Extraordinary Ability classification. Specifically, USCIS provided examples of comparable evidence and the way in which USCIS will “consider any potentially relevant evidence.”

To further clarify the acceptable types of evidence, USCIS issued another policy manual update on Oct. 2. The most recent update provided additional clarification, stating:

  • “Confirms that we consider a person’s receipt of team awards under the criterion for lesser nationally or internationally recognized prizes or awards for excellence in the field of endeavor;
  • Clarifies that we consider past memberships under the membership criterion;
  • Removes language suggesting published material must demonstrate the value of the person’s work and contributions to satisfy the published material criterion; and
  • Explains that while the dictionary defines an “exhibition” as a public showing not limited to art, the relevant regulation expressly modifies that term with “artistic,” such that we will only consider non-artistic exhibitions as part of a properly supported claim of comparable evidence.

These clarifications likely will provide more consistency in the adjudication process.

This article was co-authored by Tieranny Cutler, independent contract attorney.

© 2024 BARNES & THORNBURG LLP
For more on EB-1, visit the NLR Immigration section

You See Health, Whistleblower Saw Fraud: Uncovering a $23 Million Healthcare Fraud Scheme

A whistleblower’s vigilance has led to the revelation of alleged Medicare and TRICARE fraud involving UCHealth, a healthcare system with locations throughout the state of Colorado. University of Colorado Health agreed to a $23 million settlement to resolve allegations of improper coding for emergency room visits subsequently billed to government-funded healthcare programs. The qui tam provisions of the False Claims Act empower whistleblowers—individuals with non-public knowledge of fraud against the government—to file a lawsuit on behalf of the government. The qui tam whistleblower in this case will receive $3.91 million or 17% of the settlement.

Summary of the Allegations

According to court documents, from November 1, 2017, through March 31, 2021, certain UCHealth hospitals allegedly engaged in a fraudulent practice concerning Evaluation & Management (E/M) emergency department facility claims. These claims, submitted to both Medicare and TRICARE, are intended to compensate hospitals for resources associated with patient visits, including medical evaluations and management.

UCHealth’s alleged fraudulent activity centered around the misuse of Current Procedural Terminology (CPT) codes, specifically CPT 99285. This code represents the “highest level of severity” in emergency department visits and requires comprehensive medical evaluations and examinations, and high-complexity decision-making. However, UCHealth reportedly manipulated the coding process by automatically assigning the highest severity code, CPT 99285, based on the frequency of vital sign monitoring rather than the actual severity of the patient’s condition or resource utilization. According to the settlement agreement, employees had complained about the overuse of the highest severity code, and the hospital system had been flagged by the Centers for Medicare & Medicaid Services (CMS) as being a “High Outlier” for that CPT code as well.

Upcoding Fraud Scheme

Upcoding and improper billing to Medicare and TRICARE are forms of healthcare fraud that involve misrepresenting the services provided to obtain higher reimbursements than justified. Upcoding occurs when a healthcare provider submits claims for more expensive services or procedures than were actually performed, such as billing for a comprehensive exam when only a basic consultation was provided. Improper billing includes practices such as double billing for the same service, billing for services not rendered, or charging for medically unnecessary procedures. These fraudulent activities exploit government-funded programs, increasing costs for taxpayers and undermining the integrity of healthcare systems.

The Whistleblower’s Journey

The case began when Timothy Sanders, a concerned individual, filed a qui tam lawsuit on April 28, 2021, under the False Claims Act. This legal action initiated an investigation into UCHealth’s billing practices. Whistleblowers are integral in exposing fraudulent activities within healthcare systems, as they possess insider knowledge that can lead to substantial recoveries for the government. By filing a qui tam lawsuit, individuals, such as the healthcare fraud whistleblower in this case, can bring fraudulent activities to light, potentially leading to significant financial repercussions for the involved parties. With whistleblowers, as the Principal Deputy Assistant Attorney General said, “We will pursue health care providers that defraud the taxpayers by knowingly submitting inflated or unsupported claims.”

© 2024 by Tycko & Zavareei LLP
For more on Fraud, visit the NLR Criminal Law Business Crimes section

SEC Enforcement Director Highlights Increased Penalties for Violations of Whistleblower Rule

Recently, the U.S. Securities and Exchange Commission (SEC) has increased enforcement efforts around the whistleblower protection rule Rule 21F-17(a) which prohibits companies from impeding the ability of individuals to blow the whistle on potential securities law violations to the Commission. Most notably, the rule prohibits overly broad non-disclosure agreements and other employment agreements which restrict whistleblowing.

In remarks delivered November 6 at Securities Enforcement Forum D.C. 2024, Sanjay Wadhwa, the SEC’s Acting Director of the Division of Enforcement noted the importance of these enforcement efforts and highlighted the increased penalties levied by the Commission in Rule 21F-17(a) cases.

“The SEC’s whistleblower program plays a critical role in our ability to effectively detect wrongdoing, protect investors and the marketplace, and hold violators accountable.” Wadhwa said. “But that program only works if whistleblowers have unfettered ability to share with the SEC information about possible securities law violations. However, all too often we have seen, for example, confidentiality agreements and employment agreements by various advisory firms and public companies that impede that ability, including by limiting customers’ ability to voluntarily contact the SEC or by requiring employees to waive the right to a monetary award for participating in a government investigation. So this past fiscal year, and the year prior, the Commission brought a series of enforcement actions to address widespread violations.”

“There was a similar series of actions addressing this issue some years back,” Wadhwa continued. “And I think for a while there was better compliance, but then things slipped and we’re back here. So, this time around the Commission authorized what I view to be fittingly robust remedies, including the largest penalty on record for a standalone violation of the whistleblower protection rule. It is my hope that these enforcement actions will have a significant deterrent effect and will lead to greater and sustained proactive compliance.”

The record penalty referenced by Wadhwa was an $18 million penalty levied against J.P. Morgan in January. According to the SEC, J.P. Morgan regularly had retail clients sign confidential release agreements which did not permit clients to voluntarily contact the SEC.

In enforcing Rule 21F-17(a), the SEC has found illegal language in severance or separation agreements, employee contracts, settlement agreements and compliance manuals. Language in the various types of contracts found to violate Rule 21F-17(a) has included requiring the prior consent of the company before disclosing confidential information to regulators, preventing the employee from initiating contact with regulators, requiring the employee to waive their right to awards from whistleblowing award programs, including a “non-disparagement clause” that specifically included the SEC as a party the employee could not “disparage” the company to, and requiring the employee to inform the company soon after reporting information to the SEC.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

The CTA Filing Deadline is Approaching. Is Your BOIR Filed Yet?

The clock is ticking—just 49 days remain until the one-year filing deadline for the Corporate Transparency Act (CTA)! Entities established before January 1, 2024, must submit a beneficial owner information report (BOIR) by December 31, 2024.

The CTA is a new reporting requirement that came into effect on January 1, 2024. The CTA requires any entity created by or registered to do business by the filing of a document with a secretary of state, or another similar office, to report its information and its beneficial owners to the Financial Crimes Enforcement Network (FinCEN), which is a bureau of the United States Treasury. The goal is to decrease money laundering and fraud.

We previously published advisories on the general application of the CTA and its specific application to entities created for estate planning purposes. The rules and guidelines about which we previously reported are largely unchanged. A reporting company still needs to report its legal name, all trades and d/b/a names, address, and beneficial owners. Beneficial owners are those with substantial control or who own or control 25% or more of the reporting company, directly or indirectly. The reporting company needs to report each beneficial owner’s name, date of birth, residential address, and an identifying number and image from one of four acceptable identification documents.

Although the CTA was declared unconstitutional by a federal district court in Alabama, the ruling only prevents the CTA’s enforcement on the parties directly involved in the case. The court did not issue a nationwide ruling to prevent the law from being enforced. Thus, other companies are expected to continue filing BOIRs. The Alabama case is currently on appeal and oral arguments were held at the end of September 2024.

FinCEN has been periodically updating its Frequently Asked Questions to provide some clarification since the CTA became effective. We outline the most relevant guidance below:

General Updates:

  1. Entities that are created before January 1, 2024, even if dissolved sometime in 2024 before the December 31, 2024, deadline, must still report their information and beneficial owners by December 31, 2024.
  2. Entities that are created in 2024 have 90 days to file the BOIR. Entities created on or after January 1, 2025, will have 30 days to file the BOIR. Entities that are created in 2024 but are wound up, dissolved, or otherwise cease to exist must still file the BOIR with FinCEN.
  3. Beneficial ownership is determined in the aggregate. This means that companies need to analyze each beneficial owner to determine if he or she indirectly/directly substantially controls or owns 25% or more of a reporting company. For example, Individual X owns 10% of Company Y. Individual X is also trustee of a trust that owns 20% of Company Y. Individual X needs to be reported as a beneficial owner because he owns an aggregate 30% of the company.
  4. Beneficial owners may now apply for a FinCEN Identifier here. This allows the beneficial owners to report their information to FinCEN directly, obtain an Identifier number, and simply provide the Identifier to those reporting companies of which he or she is a beneficial owner. This prevents a beneficial owner from having to share personal and sensitive information with a company. This also streamlines the process for any change in the beneficial owner’s information. Each beneficial owner can log into FinCEN and simply update the information within 30 days of the change rather than first providing it to the reporting company and then the company filing a new BOIR to update the information.

a. In order to create a FinCEN Identifier, an individual will have to create a login.gov account. This is the account that the federal government is using to streamline many of its services, such as, global entry and applying for federal jobs.

5. Reporting companies may complete and submit a BOIR online here. A company could also submit a PDF of the report at the same link if it chose to complete a paper copy. There is no fee to submit online. There are also many vendors offering a service to assist with the process and submit the report for a fee.

Real Estate/Corporate Updates:

6.FinCEN clarified that the subsidiary exemption applies when a subsidiary’s ownership interests are entirely controlled or wholly owned, directly, or indirectly, by any of the following types of exempt entities: (1) Securities reporting issuer; (2) Governmental authority; (3) Bank; (4) Credit union; (5) Depository institution holding company; (6) Broker or dealer in securities; (7) Other Exchange Act registered entity; (8) Investment company or investment adviser; (9) Venture capital fund adviser; (10) Insurance company; (11) State-licensed insurance producer; (12) Commodity Exchange Act registered entity; (13) Accounting firm; (14) Public utility; (15) Financial market utility; (16) Tax-exempt entity; or (17) Large operating company. Further, if a reporting company’s ownership interests are controlled or wholly owned by more than one exempt entity, the reporting company may still qualify for the subsidiary exemption if the entities are unaffiliated; however, every controlling or owning entity must itself be an exempt entity in order for the reporting company to qualify for the subsidiary exemption.

Trusts and Estates Updates:

7.If there is a corporate trustee, the reporting company will be reporting those individual beneficial owners that indirectly own or control at least 25% of the ownership interests of the reporting company through the ownership in the corporate trustee. This will be determined by multiplying the percentage of ownership of the corporate trustee with the trust’s ownership/control of the reporting company. For example, if Individual A owns 70% of the corporate trustee of a trust, and that trust holds 30% of the reporting company, Individual A holds or controls 21% of the reporting company (70% x 30 = 21). If Individual A owned 90% of the corporate trustee, then it would own/control 27% of the reporting company (90% x 30 = 27) and the company must report Individual A as a beneficial owner. There may be other beneficial owners if someone else at the corporate trustee exercises substantial control over the reporting company.

A reporting company may submit the corporate trustee’s information in lieu of each beneficial owner’s information only if all of these conditions are met:

a. The corporate entity is an exempt entity from the reporting requirements.

b. The individual owns or controls 25% of the reporting company only through the corporate trustee.

c. The individual does not exercise substantial control over the reporting company.

A company can obtain its own FinCEN Identifier when it submits an initial BOIR for its beneficial owner(s). This way, such company may be reported as a beneficial owner, such as a corporate trustee that meets the above requirements. For example, when LLC A reports Individual A as its beneficial owner, LLC A has the option of clicking a button to obtain its own FinCEN Identifier.

8. An individual who has the power to remove a trustee, remove and replace a trustee, and/or appoint an additional trustee is deemed to have substantial control through the power to change the person who makes decisions for the trust, and thereby, the reporting company. While this is not explicit in the Frequently Asked Questions, it is consistent with FinCEN’s position that someone who has the power to remove a senior officer of a reporting company is a beneficial owner.

While this is an extensive list, it is by no means an exhaustive list, and various circumstances not discussed above may change how the CTA applies in a particular case.

Copyright 2024 Goulston & Storrs PC.
For more on the CTA, visit the NLR Corporate Business Organizations section

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Copyright 2024 K & L Gates
For more on Defense Contractors, visit the NLR Government Contracts Maritime Military section

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15-25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

© 2024 by Tycko & Zavareei LLP
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

Unitary Executive Theory Surfaces in Court: District Court Rules Qui Tam Provisions of the False Claims Act Unconstitutional

On September 30, 2024, the United States District Court for the Middle District of Florida ruled that filing claims on behalf of the government under qui tam provisions of the False Claims Act (FCA) is unconstitutional in United States of America ex rel. Clarissa Zafirov v. Florida Medical Associates, LLC, et al. The ruling, made by Judge Kathryn Mizelle, a 33-year-old Trump-appointee, declares that False Claims Act whistleblowers undermine executive power by filing qui tam lawsuits.

The Zafirov decision follows a recent dissent by Supreme Court Justice Clarence Thomas in which he questioned the constitutionality of the FCA’s qui tam provisions. It also follows a political movement pushing the Unitary Executive Theory in the United States judicial courts.

This controversial decision mischaracterizes the qui tam provisions of the FCA and will likely be appealed to the Eleventh Circuit. Should the ruling stand, however, it and other similar challenges to the constitutionality of the FCA’s qui tam provisions will cripple what has been America’s number 1 anti-fraud law. Since the False Claims Act was modernized in 1986, qui tam whistleblower cases have allowed the government to recover more than $52 billion from fraudsters, over $5 billion of which came in cases where the government chose not to intervene.

Applying the ‘Unitary Executive’ Theory to Paint Whistleblowers as ‘Self-Selected Private Bounty Hunters’

Originally passed during the Civil War, the False Claims Act contains qui tam provisions enabling whistleblowers, also known as ‘relators’, to report government contracting fraud and work directly with government investigators. Once the whistleblower brings forward the suit, the government may intervene and continue to prosecute the litigation as the plaintiff. However, in the interest of accountability, the qui tam provision of the FCA permits the whistleblower to pursue a case even if the United States declines prosecution. Whistleblowers who file successful qui tam lawsuits are eligible to receive up to 30% of recovered damages.

The question of the constitutionality of the False Claims Act’s qui tam provisions was notably raised in a dissent by Justice Clarence Thomas in the 2023 Supreme Court case U.S., ex rel. Polansky v. Executive Health Resources. While Polansky discussed the issue of a relator pursuing a lawsuit after the government declines to intervene, Thomas raised a separate issue of constitutionality in his dissent. He stated that “there are substantial arguments that the qui tam device is inconsistent with Article II and that private relators may not represent the interests of the United States in litigation.” In a one-paragraph concurrence, Justice Brett Kavanaugh, joined by Justice Amy Coney Barrett, invited challenges to the constitutionality of the FCA’s qui tam provisions, writing that “In my view, the Court should consider the competing arguments on the Article II issue in an appropriate case.”

Judge Mizelle, a former clerk of Justice Thomas, drew heavily upon Justice Thomas’ dissent in her decision. Echoing Thomas’ dissent in Polansky, JudgeMizelle concluded that the qui tam provision “directly defies the Appointments Clause by permitting unaccountable, unsworn, private actors to exercise core executive power [litigating on behalf of the government] with substantial consequences to members of the public.” The District Court thus agreed with the defendants that the FCA’s qui tam provisions indeed violates the Appointments Clause of Article II of the Constitution.

The Zafirov ruling relies upon the ‘unitary executive theory,’ a constitutional law theory that states the President of the United States has sole authority over the executive branch and that power cannot be limited by Congress.

According to then-Assistant Attorney General William Barr’s 1989 Memo Constitutionality of the Qui TamProvision of the False Claims Actwhich repeatedly cited by both the judgment and the U.S. Chamber of Commerce amicus brief, the move to enable private citizens to file on behalf of the government represents a breach of the separation of powers allowing “Congress to circumvent the Executive’s check.” Barr rebrands whistleblowers as “private bounty hunters” and claims that the 1986 amendments which reincorporated the FCA’s qui tam provisions was a tactic by Congress to override presidential powers. Barr maintains that “only a unitary executive” that is, “only the President” can “take care that the laws be faithfully executed.”

In a dissent in the 1988 Supreme Court case Morrison v OlsenJustice Antonin Scalia interpreted the ‘Unitary Executive’ to have unchecked authority to appoint and remove executive officials, claiming that the firing of an independent counsel without cause falls within the limitless power of the President over the executive.

The Middle District of Florida ruling draws on Scalia’s rationale arguing that the right to pursue a qui tam case denies the President the executive authority of appointment of the relator. Under the FCA, however, whistleblowers are granted certain rights. For example, the executive must guarantee a whistleblower the “right to continue as a party” with or without the United States intervening and wait for the relator’s approval before settling the action.

The court agrees with the defendants’ argument that the FCA therefore “den[ies] the President necessary removal authority and sufficient supervisory control over [the relator].”

The court contends that the physician-turned-whistleblower Zafirov was “an improperly appointed officer” in violation of the Appointments Clause and the Take Care and Vest Clause of the Article. According to the ruling, by filing a qui tam against Medicare fraud, Zafirov was granted “core executive power” without any “proper appointment under the Constitution.”

A Mischaracterization of Qui Tam Whistleblowing

Judge Mizelle’s decision in United States ex rel. Zafirov v. Fla. Med. Assocs. first mischaracterizes the FCA’s qui tam as a breach of presidential power instead of as a provision that strengthens checks and balances. Second, the court ignores case law outlining government prerogatives over relators such that they are not menacing to the core Executive powers.

The revived qui tam provision of 1986 was a legislative move to improve government accountability over fraud—neither expanding Congressional oversight nor the size of government—by mobilizing private citizens rather than public agents. The Florida court wrongfully elevates the status of a relator to an ‘officer’ responsible to the government. A citizen pursuing a claim on behalf of the government is not and does not pretend to be an extension of the Executive Office and, therefore not subject to administrative appointment procedure. Rather the relator is a private person, and the government is a third party to the case. The Vt. Agency of Natural Res. v. United States ex rel. Stevens majority opinion also written by Justice Scalia discussing whether relators have judicial standing under Article III, qualifies that the relator is on “partial assignment of the Government’s damages claim.” A ‘partial assignee’—to which only some rights are transferred—may “assert the injury suffered by the assignor” (the U.S.) so long as the harm done is sufficient. Scalia reiterates the ‘representational standing’ of relators and makes no remarks on its challenge to the Unitary Executive. Judge Mizelle’s reliance on Morrison v Olsen to claim that like an independent counsel, a relator should also qualify as an officer ignores the Stevens Supreme Court ruling distinguishing relators as a type of assignee.

Mizelle also raises that relators seem to enjoy unbridled authority over the Executive by initiating a qui tam suit without government intervention. While Mizelle points to 31 U.S.C. § 3730 (c) to demonstrate the unchecked power of the relator, she neglects the numerous limitations specified in § 3730 (c)(2), including the broad power of the government to dismiss the qui tam action after intervening notwithstanding any objections from the relator. She frames the government intervention as “the government’s ability to pursue a parallel action and to exert limited control [which] does not lessen a relator’s unchecked civil enforcement authority to initiate.” In truth, the statute and years of judicial history maintain the government’s absolute discretion over whether to intervene in or completely stop the case by dismissing the action.

Contrary to Judge Mizelle’s belief, relators are not free from potential government intervention even when independently pursuing the case. On the contrary, relators are not able to independently pursue any binding action on the government unimpeded by the government. While Zafirov independently pursued the claim for five years, the government could have intervened and then dismissed the claim at any time. If the government intervenes, underlined in 31 U.S.C. § 3730 (c)(2), the government is empowered to settle the action with the defendant notwithstanding any objections from the relator and to restrict their participation in the course of the litigation. The fact that the government may choose not to intervene at one point does not divest them of their ability to intervene later and exercise significant authority over the relator.

Implications: Crippling the False Claims Act

Judge Mizelle’s decision seeks to end the historic success of the qui tam provision of the FCA by declaring the government’s most effective mechanism of detecting fraud as unconstitutional. While the decision does not invalidate the FCA nationally, this case could be the first step in a series of appeals that may elevate the issue to the Supreme Court.

The government’s largest obstacle to fighting white-collar crime such as fraud is detection. The diffuse and indirect nature of fraud requires those with insider knowledge to assist the government in pursuing corruption. In terms of the effectiveness of the qui tam provision, between 1987 and 2022, the Department of Justice Civil Fraud Division recovered $22.1 billion without the help of whistleblowers versus $50.3 billion with the help of whistleblower lawsuits. Since the 1986 amendments to the FCA, whistleblowers have been the direct source of approximately 70% of civil fraud recoveries by the federal government. From the Medicare billing fraud committed in Florida Medical Associates to Russian money laundering, the United States may lose its most effective tool to fight fraud fraud if the qui tam provisions of the FCA are ruled unconstitutional.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

Federal District Court in Florida Holds FCA’s Qui Tam Provisions Unconstitutional

In the Supreme Court’s 2022 decision in United States ex rel. Polansky v. Executive Health Resources, Inc., three justices expressed concern that the False Claims Act’s qui tam provisions violate Article II of the Constitution and called for a case presenting that question. Justice Clarence Thomas penned a dissent explaining that private relators wield significant executive authority yet are not appointed as “Officers of the United States” under Article II. Justice Brett Kavanaugh and Justice Amy Coney Barrett, concurring in the main opinion, agreed with Justice Thomas that this constitutional issue should be considered in an appropriate case.

Earlier this year, several defendants in a non-intervened qui tam lawsuit in the Middle District of Florida took up the challenge. The qui tam, styled United States ex rel. Zafirov v. Florida Medical Associates, LLC et al., involves allegations of Medicare Advantage coding fraud. After several years of litigation, the defendants moved for judgment on the pleadings, arguing the relator’s qui tam action was unconstitutional, citing Justice Thomas’s dissent in Polansky.

The defendants’ motion prompted a statement of interest from the United States and participation as amici by the U.S. Chamber of Commerce and the Anti-Fraud Coalition. The Court also asked for supplemental briefs on Founding-era historical evidence regarding federal qui tam enforcement.

On September 30, 2024, Judge Kathryn Kimball Mizelle granted the defendants’ motion, agreeing the relator was unconstitutionally appointed and dismissing her complaint. Judge Mizelle, who clerked for Justice Thomas, held a private FCA relator exercises significant authority that is constitutionally reserved to the executive branch, including the right to bring an enforcement action on behalf of the United States and recover money for the U.S. Treasury. In doing so, a relator chooses which claims to prosecute, which theories to raise, which defendants to sue, and which arguments to make on appeal, resulting in precedent that binds the United States. Yet, a relator is not appointed by the president, a department head, or a court of law under Article II, making the qui tam device unconstitutional.

Judge Mizelle distinguished historical qui tam statutes, which were largely abandoned early in our nation’s history, on the ground that few gave a relator the level of authority the FCA does. And while the FCA itself dates back to the Civil War, the statute largely remained dormant (aside from a flurry of use in the 1930s and 40s) until the 1986 amendments set off a new wave of qui tam litigation.

The ruling is significant for the future of the FCA. As Judge Mizelle’s opinion explains, most FCA actions are brought by relators as opposed to the government itself. If the decision is upheld on appeal, a number of outcomes are possible. If the FCA is to continue as a significant source of revenue generation for the government, the DOJ must devote more resources to bringing FCA actions directly. Congress may also consider amending the FCA’s qui tam provisions to limit relators’ authority to conduct FCA litigation, thereby maintaining the statute as a viable avenue for whistleblowing.

One thing is almost certain, however. FCA defendants across the country will likely raise similar arguments in light of Judge Mizelle’s ruling. Whether in Zafirov or another case, it appears the Supreme Court will get to decide the constitutionality of the FCA’s qui tam provisions sooner rather than later.

© 2024 Bradley Arant Boult Cummings LLP
For more on Qui Tam Provisions, visit the NLR Criminal Law Business Crimes section.

Texas-Sized Fraud: Corporate Relator Takes on Laboratory Referral Kickback Scheme

17 October 2024. In a qui tam whistleblower settlement, Jeffrey Madison, the former CEO of Little River Healthcare in Rockdale, Texas, has agreed to pay over $5.3 million to resolve alleged violations of the Anti-Kickback Statute. This successful whistleblower lawsuit illustrates the critical role of whistleblowers in uncovering fraudulent schemes and upholding ethical standards within the healthcare industry. The corporate whistleblower in this qui tam action, STF LLC, could be rewarded between 15-25% of the government’s recovery.

Understanding the Case

The allegations against Madison stem from violations of the False Claims Act, specifically linked to illegal payments made to physicians to induce laboratory referrals. These actions contravened the Anti-Kickback Statute, a federal law designed to ensure that medical decisions, particularly those about Medicare, Medicaid, or TRICARE beneficiaries, are based on patient welfare rather than financial incentives.

Key Allegations:

Kickback Scheme: The lawsuit alleged that between January 2015 and June 2018, Little River Healthcare, under Madison’s leadership, engaged in a scheme involving paying commissions to recruiters. These recruiters, using management service organizations (MSOs), funneled kickbacks to physicians who referred laboratory tests to Little River.

False Certifications: Madison was accused of knowingly falsely certifying compliance with the Anti-Kickback Statute in Medicare cost reports, resulting in fraudulent claims to federal healthcare programs, including Medicare, Medicaid, and TRICARE.

Disguised Payments: An additional component involved Dr. Doyce Cartrett Jr., who was allegedly paid $2,000 monthly to refer his laboratory testing business to Little River. These payments were allegedly disguised as “medical director fees” despite Dr. Cartrett rendering no medical director services.

The Importance of the Anti-Kickback Statute

Violations of the Anti-Kickback Statute can significantly harm patients by distorting medical decision-making priorities and eroding trust in healthcare providers. When healthcare decisions are influenced by financial incentives rather than patient welfare, there is a risk that unnecessary or substandard care is administered, potentially leading to adverse health outcomes. Patients may receive treatments not based on their individual needs but on the financial gains of unscrupulous providers. This not only affects the quality of care but also contributes to rising healthcare costs, ultimately burdening patients and taxpayers financially. Upholding the statute is crucial in ensuring that patient care is determined by medical necessity and clinical expertise.

This case underscores the vital role of whistleblowers in identifying and exposing fraudulent activities. By coming forward, whistleblowers not only protect taxpayer dollars but also ensure that healthcare decisions remain focused on patient care. As the Acting Special Agent in Charge of the Department of Defense Office of Inspector General, Defense Criminal Investigative Services, Southwest Field Office said about the case, “Our nation’s uniformed military service members and their families should never have to question the integrity of their healthcare providers. Medical decisions influenced by greed destroy the fundamental element of trust in patient care.” Healthcare fraud whistleblowers reporting unlawful kickback schemes under the False Claims Act can help restore that trust.

© 2024 by Tycko & Zavareei LLP
For more news on Kickback Fraud Settlements, visit the NLR Criminal Law & Business Crimes section.