Joelle Duval comments on the implications of the reopening of the Health Information Technology for Economic and Clinical Health (HITECH) audit program and a new round of audits of HIPAA-regulated entities.

Healthcare Risk Management | July 2024

The Health and Human Services Office for Civil Rights (HHS OCR) has reopened the Health Information Technology for Economic and Clinical Health (HITECH) audit program and will begin audits of HIPAA-regulated entities later in 2024, according to public statements by OCR Director Melanie Fontes Rainer. The audits will focus on the Security Rule, particularly the requirements for security risk analyses and risk management.

The audits will be accompanied by other enhancements intended to promote better compliance with HIPAA. These changes will put more pressure on covered entities and require work ahead of time to avoid penalties.

The impending audits may be more of a threat to smaller institutions, says John W. Leardi, JD, attorney with the Buttaci Leardi & Werner law firm in Princeton, NJ.

“I think most institutional or large providers probably, because of how resource-intensive they are compared to others, are probably fine, right? Or at least if they’re not, there’s no excuse for it,” he says. “My concern here in terms of vulnerability is going to be medium to small practices and independent practices, not part of a health system, not part of a larger institutional system.”

Leardi notes that the HIPAA Security Rule is about 20 years old now, and OCR probably is looking to update it. The audits may provide some guidance, he says.

“Some of it has become dated. The landscape of how we maintain health information is dramatically different now than it was 20 years ago,” Leardi says. “A substantial portion of the industry now has adopted electronically based storage as opposed to maintaining manila folders in the office. There has been some chatter that it needs to be revisited and, perhaps, updated to closely align with where we are in the industry. It’s not surprising that maybe these audits are designed as much about enforcement as they may be gathering data to determine the touch points in industry that are most in need of focus in any proposed rulemaking or adjustments.”

Many covered entities will not be ready for the audits, says Jeffery P. Drummond, JD, partner with the Jackson Walker law firm in Dallas.

“I think it’s going to catch people by surprise because nobody knows what we’re being tested on. There’s no study guide,” he says. “A more explicit message from OCR saying there are 10 things here that are listed, a list of possible bad things that can happen to you, would be helpful. They haven’t really done something that explicitly. It would be better for them to say we’re going to re-audit in two years and here are the things we’re going to be looking for, here is a list of things you need to do.”

No More Checking the Box

With the announcement of the return of the OCR HIPAA audit program the days of the “check the box” risk assessments and HIPAA compliance program evaluations may be gone for good, or at least until OCR pauses the program again, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. It has long been understood that HIPAA requires covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), he says.

“But, notwithstanding entities that have fallen victim to some form of cybersecurity incident, most entities have taken this requirement as merely a quick review and response to a privacy and security questionnaire to ensure that all the requirements of the security and privacy rules are attested to for documentation purposes,” he says. “Often, this means that there is no validation of the required controls to ensure that they are operating as they should and do not need attention.”

Howard says he often has seen entities that have allowed the value of the risk assessment process to take a back seat while they focus on more seemingly pressing business matters. This is understandable to a point, he says, but clearly is not what was intended by the Rule when it was made. The announcement of the return of the federal audit should change this, he says. Howard suggests that covered entities and business associates should, at least, do the following to prepare for a potential audit by OCR:

• Review past risk assessment results and ensure any findings were addressed or plans have been put in place to do so.
• Conduct new risk assessments that look for validation of compliance measures being in place through pen testing, vulnerability scans, employee interviews, configuration validations, and access and control sweeps.
• Clearly document any findings, remedial measures, and plans for moving forward based on criticality if issues are found.
• Clearly identify any cybersecurity framework being relied on and how it has been implemented.
• Make sure appropriate leadership is kept aware of the state of the entity’s HIPAA compliance activities.

“These are necessary basic steps that I see missed over and over again that apply to risk assessment and risk management requirements under HIPAA. It is important that these also apply equally to the security and privacy side of the house,” Howard says. “Don’t forget to review the processes and procedures for responding to patient rights requests and making sure an entity’s privacy practices are clearly communicated. This applies to privacy practices between an entity and its patients, business partners, affiliates, and vendors.”

Structured relationships are necessary to ensure compliance along the entire service chain where
(e)PHI is involved, he says. It also will be important for covered entities and business associates to remember that HIPAA requires technical and nontechnical evaluations of an entity’s policies and procedures to make sure they are compliant with HIPAA’s various requirements, he says. This is completely separate from the risk assessment requirements and can be more closely equated to a HIPAA compliance program review, Howard notes. The output of this evaluation can be used to create an audit book that can be a great resource when the auditors come knocking.

“Overall, the return of the OCR audit program returning is a good signal that it is time for regulated entities to start putting processes in place now to identify any compliance gaps they may have and develop plans for resolving the more pressing issues found through risk assessments and program evaluations,” Howard says.

OCR Sending Survey

OCR indicated in a notice published in the Federal Register that it will send an online survey consisting of 39 questions to the 207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA audits, explains Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. OCR specifically asks for information regarding subsequent HIPAA compliance actions taken by the survey recipients as a result of the previous audits to evaluate the effectiveness of the audits and the counseling the organizations obtained from OCR in response to the audits, she says. Presumably the information gathered will be used to develop an updated audit program for future use, she says, adding that OCR has not expressly stated that the audit program will return or provide information on when audits will resume or what will be different. Because the requirements for covered entities and business associates have not substantially changed since the 2016-2017 OCR HIPAA audits, if there is a next phase of audits, OCR likely will focus on the same requirements, she says.

However, there may be an increased scrutiny on cyber performance, given the proliferation of cybersecurity incidents in the healthcare industry and OCR’s focus on technological security preparedness and resiliency, she says.

While OCR has not provided details on a new audit program, it is likely that the selection process will mimic the audits in 2016 and 2017, she says. OCR identified organizations that represented a wide range of covered entities; its sampling criteria included size, affiliations, location, and whether an entity was public or private.

The audited covered entities submitted lists of all their business associates, which OCR combined to create a pool of business associates, she says. OCR randomly selected business associates from the pool to audit.

“OCR has stated that the audit program is used to identify best practices gleaned through the audit process and to inform guidance targeted to identified compliance challenges,” Rush says. “Since the last audits, OCR has routinely published sub-regulatory guidance to covered entities on different aspects of the HIPAA privacy and security rules.”

In conjunction with the previous audits, OCR also published a comprehensive audit tool that covered entities and business associates could use to gauge compliance with HIPAA, Rush notes. The prospect of an audit and the availability of the tool resulted in many organizations reviewing their compliance posture and making positive changes, she says, and the same industry response is likely if the audit program is re-instituted.

The HITECH Act requires OCR to periodically audit covered entities and business associates for HIPAA compliance, so OCR’s failure to continue the audit program is in derogation to the requirements of the HITECH Act, Rush notes. OCR may be gearing up for another phase of audits to ensure it is complying with legal directives, she says.

“Another potential driver is the increase in security-related breaches that result from cybercrime. The audits may be a piece of the overall goal of seeing covered entities and business associates strengthen their protection of PHI,” she says. Rush notes that HHS also has recently launched new Healthcare and Public Health Cybersecurity Performance Goals to provide healthcare delivery organizations with practices that will “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”

“It is likely that only a few organizations will be selected for audit if the program is reconstituted, but organizations that have not utilized the OCR audit protocol should consider such a review in anticipation of OCR resuming the program,” Rush says. “Covered entities should review the OCR audit protocol in anticipation of the return of the audit program. Further, covered entities should ensure that they have conducted a recent security risk assessment, instituted a risk mitigation plan in response to the assessment, and developed policies and procedures for compliance with the HIPAA Rules.”

OCR Sending Survey

The audits should not strike too much fear in the hearts of covered entities that are making a good faith effort to comply with HIPAA, says Joelle Duval, JD, an attorney with the Coffey Modica law firm in White Plains, NY. “While it goes without saying that nobody likes to be audited, least of all by the United States government through HHS or the IRS (Internal Revenue Service), covered entities that have complied, or made a valiant and demonstrable attempt to comply with the myriad of regulations and protections mandated by HIPAA, should take comfort that their efforts will shield them from violations, or substantially reduce the crushing fines that HHS is known to give for violations of protected health information,” she says.

Duval suggests that these covered entities should even be proud to be among those selected for audit by HHS to demonstrate to other comparable covered entities that compliance is possible and slip-ups forgivable to a large degree — “even if, just like the one student that always sat in the front row of the class and raised his/her hand for every question, they are ‘hated’ for passing the course and always knowing the answer.”

For those entities that have not made the effort, the audits will be problematic. “Those covered entities who have ignored the regulations, by choice or necessity, such as perhaps lacking resources to keep up with the privacy and security rule regulations, sadly there is little advice to give them other than to say that the dice they have been rolling have just hit snake eyes,” Duval says. “Quite simply, there are few excuses covered entities can have that HHS would likely accept as mitigation to identifying violations and breaches during an audit. In fact, I cannot think of one viable excuse to suggest. Even a comet crashing to earth and knocking out the power grid would have HHS asking the covered entity about what safeguards were in place should there be a complete loss of power.”

HIPAA and its privacy and security rules have been in effect too long, and reports of data breaches, identity theft, and data ransoms are too widespread to the general population for a covered entity to be unprepared to stand up to HHS scrutiny, Duval says.

Whistleblowers Encouraged?

An unexpected effect from the reemergence of random HIPAA audits may be the encouragement of whistleblowers, she says. Covered entities often maintain a smiling public face touting their lack of any tolerance for HIPAA violations, Duval says, proclaiming “if you see something, say something” or “report and you will be supported” or “HIPAA violations will not be tolerated here.” But the actual internal practice is really one of punitive retaliation against employees reporting violations, she says. It is surprisingly common but seldom recognized, Duval says, that some of the largest private and public covered entities are the most punitive to those internal personnel voicing legitimate concerns regarding negligent data practices and the routine practice of turning a blind eye.

“HIPAA violations happen, most often inadvertently, but at times negligently. HHS recognizes this reality, and covered entities facing violations or breaches can mitigate their damages,” she says. “But, regardless of how an adverse event happens, covered entities who have made it a regular practice to bury their heads in the sand or sweep violations and reporters under the rug rather than acknowledge — by reporting when obligated to do so — and attempt to rectify the situation will find themselves in a much deeper hole than underneath the sand.”

Therefore, covered entities should be prepared for HHS to come knocking at their door by not only examining its compliance practices under HIPAA, but also looking at its actual internal practices of compliance, including how employees are received when they voice legitimate concerns to protect HIPAA, and the covered entity, Duval says.

“It should not be surprising, therefore, for a random audit by HHS to stir up unrecognized and illegal state and federal employment practices,” she says. “And those covered entities [that] have taken a punitive approach or turned a deliberate blind eye to employees reporting actual or suspected HIPAA violations may find themselves under the dual scrutiny from both HHS; state and federal Departments of Labor; and, most frightening, plaintiff attorneys.”

Weak Risk Analysis?

A crucial element of the HIPAA Security Rule is conducting risk analysis, something that historically has been a weakness for many organizations, notes Michael Parisi, head of client acquisition with Schellman, an information technology compliance and cybersecurity firm in Tampa, FL.

“Poor risk analysis practices are major contributors to the increase in breaches we’ve seen in past years,” he says. “In fact, more than 90% of the OCR HIPAA settlement actions regarding ePHI breaches involved an insufficient risk analysis or risk management program.”

With the news that OCR is reinvigorating its HIPAA audits, it is important for organizations to take a look at when their last risk assessment was — if ever — and what actions they have taken since then, Parisi says. From there, they need to identify if they acted on making the appropriate security updates to address identified vulnerabilities and whether they have maintained those practices.

Parisi highlights these pitfalls many organizations face when it comes to HIPAA risk analysis and risk management:

• Skipping the step of threat analysis, which should happen even before the risk assessment. Organizations need to look through all potential existing threats, identify which are relevant to them, and have those threats reflected in the risk assessment.
• Not including all systems that touch ePHI in the risk analysis/management program and what threats are relevant to the organization. Overlooking these places leaves them vulnerable to attack and vulnerable to penalties.
• Inadequate risk analysis. Organizations should look to existing resources like the OCR Guidance on Risk Analysis Requirement or NIST SP 800-30 Guide for Conducting Risk Assessments for help when conducting analysis.
• Neglecting to reassess on a specified basis and not performing updated analyses when a change in the environment introduces new risks.

Being caught out of compliance can mean significant financial penalties, as well as reputational damage, Parisi says. Prioritizing these risk requirements not only preserves HIPAA compliance, but also mitigates risk for a breach or cyberattack.

One suggestion is for organizations to package up their “‘HIPAA story,” he says. Instead of having a risk assessment in one place and policies and procedures in another, it behooves the company to pull everything together with a cover page that tells the story of their HIPAA compliance journey and gives OCR everything they need in an easy to access bundle, he says.

“This movement of bringing back HIPAA audits is a step in the right direction from OCR in the efforts for a more secure healthcare system,” Parisi says. “It is, however, just a first step, and I think we can anticipate seeing continued movement from the OCR and HHS to implement additional standards and requirements beyond HIPAA, especially in light of recent breaches.”

Coffey Modica partner Paul Golden provided expert insight on the halted Graceland foreclosure sale in a recent article from The Associated Press.

(The article has been syndicated across the AP network, appearing in CT Insider, the Atlanta Journal-Constitution and Yahoo News, among others.)

BY  ADRIAN SAINZ, May 22, 2024

MEMPHIS, Tenn. (AP) — A judge on Wednesday said Elvis Presley’s estate could be successful in arguing that a company’s attempt to auction Graceland is fraudulent as he halted a foreclosure sale of the beloved Memphis tourist attraction.

Later Wednesday, a statement from someone who appeared to be a representative of the company said it would drop its claim, which the Presley estate has argued is based on fake documents. Online court records did not immediately show any legal filings suggesting the claim had been dropped.

Shelby County Chancellor JoeDae Jenkins issued a temporary injunction against the proposed auction that had been scheduled for Thursday in Memphis, where the king of rock ‘n’ roll’s former home is located. Jenkins’ injunction essentially keeps in place a previous restraining order issued at the request of Presley’s granddaughter Riley Keough.

“Graceland is a part of this community, well-loved by this community and indeed around the world,” the judge said.

A public notice for a foreclosure sale of the 13-acre estate posted earlier in May said Promenade Trust, which controls the Graceland museum, owes $3.8 million after failing to repay a 2018 loan. Keough, an actor, inherited the trust and ownership of the home after the death of her mother, Lisa Marie Presley, last year.

Naussany Investments and Private Lending said Lisa Marie Presley had used Graceland as collateral for the loan, according to the foreclosure sale notice. A lawsuit filed last week by Keough alleged that Naussany presented fraudulent documents regarding the loan in September 2023.

“Lisa Maria Presley never borrowed money from Naussany Investments and never gave a deed of trust to Naussany Investments,” Keough’s lawyer wrote in a lawsuit.

Neither Keough nor lawyers for Naussany Investments were in court Wednesday. Keough’s attorney, Jeff Germany, said outside of court that he has not had direct contact with representatives from Naussany.

Naussany did file an unsuccessful motion asking the judge to deny the estate’s request for an injunction.

A statement emailed to The Associated Press after Wednesday’s ruling said Naussany would not proceed because a key document in the case and the loan were recorded and obtained in a different state, meaning that “legal action would have to be filed in multiple states.” The statement, which was sent from an email address listed in court documents, did not specify the other state.

“The company will be withdrawing all claims with prejudice,” the statement said.

Kimberly Philbrick, the notary whose name is listed on Naussany’s documents, indicated that she never met Lisa Marie Presley nor notarized any documents for her, according to the estate’s lawsuit. The judge said the notary’s affidavit included in the lawsuit brings into question “the authenticity of the signature.”

Paul Golden, a lawyer for New York-based Coffey Modica who handles real estate litigation but is not directly involved in the case, said that affidavit and other inconsistencies in the company’s paperwork appeared to be “extremely strong evidence” to support the Presley estate’s position.

Graceland opened as a museum and tourist attraction in 1982 as a tribute to Elvis Presley, the singer and actor who died in August 1977 at age 42. It draws hundreds of thousands of visitors each year. A large Presley-themed entertainment complex across the street from the museum is owned by Elvis Presley Enterprises.

“Graceland will continue to operate as it has for the past 42 years, ensuring that Elvis fans from around the world can continue to have the best in class experience when visiting his iconic home,” Elvis Presley Enterprises said in a statement.

Coffey Modica partner Paul Golden lends his legal expertise to Newsweek to explain the latest developments in Trump’s civil fraud trial.

May 11, 2024 | Sean O’Driscoll, Senior Crime and Courts Reporter

Donald Trump’s lawyers did not object to Stormy Daniels’ “explicit” testimony because they did not want the jury to believe the former president had “something to hide,” a senior attorney has said.

Juan Merchan, the judge overseeing Trump’s hush-money trial, repeatedly expressed his surprise that Trump’s legal team did not put in more objections to Daniels’ graphic evidence.

Merchan said on Thursday that he was especially surprised that Trump’s lawyer, Susan Necheles, did not object when Daniels claimed Trump did not wear a condom during sex. Trump has denied ever being sexually involved with Daniels.

“But for the life of me, I don’t know why Ms. Necheles didn’t object,” Merchan said during a hearing on a motion for a mistrial from Trump’s legal team. “Why on earth she wouldn’t object to a mention of a condom, I don’t understand.”

Paul Golden, author of Litigating Adverse Possession Cases: Pirates v. Zombies and a partner at the New York law firm Coffey Modica, told Newsweek that in the moments when Trump’s lawyers did object, Merchan largely agreed and upheld their objections.

“When Trump’s team objected, for the most part, Judge Merchan sustained those objections. However, apparently, Hon. Merchan noted that he was surprised that there were not more objections,” he said.

Trump, the presumptive Republican presidential nominee for 2024, is the first former president in U.S. history to stand trial in a criminal case. He has pleaded not guilty to 34 counts of falsifying business records. He has continually said that this case and other criminal and civil challenges involving him are politically motivated.

The prosecution seeks to prove that before the 2016 presidential election, Trump paid or discussed paying two women—adult film star Stormy Daniels and former Playboy model Karen McDougal—to not disclose his alleged affairs with them. He denies affairs with both women.

Daniels completed her evidence on Thursday after an occasionally heated cross-examination with Trump’s attorney.

Newsweek has contacted Trump’s attorney for comment outside of normal working hours.

After Daniels finished giving evidence, Merchan refused the Trump team’s motion for a mistrial.

He agreed that some of Daniels’ more graphic details should not have come out, but said that was the fault of the Trump team for not objecting.

“I agree, that shouldn’t have come out. I wish those questions hadn’t been asked, and I wish those answers hadn’t been given,” Merchan said.

Golden said that the Trump team, like any trial attorneys, are involved in a “balancing act” while objecting to testimony.

He said that if an attorney “objects too much to testimony, it may make it appear to the jury that his client has something to hide.”

“But if he does not object at the right times, then there is a danger that irrelevant and prejudicial evidence will be admitted, and an appellate court may rule that the particular issue is not preserved for appeal,” he said. “That’s because an appellate court will not consider an appeal based on a witness’ testimony unless an objection was first raised with the trial judge.

“In many cases, if an attorney does not object to testimony, and waits until the appeal to claim that the testimony was inadmissible, the appellate court will decide that it will not even address that particular issue.”

Golden said: “Are the explicit details Ms. Daniels testified about, concerning the alleged sexual encounter, of the kind that would prejudice the jury’s view of Trump to the degree that, essentially, they will be unable to fairly consider the relevant evidence? Would a typical juror in Manhattan be so outraged or distracted by such details that it would prevent that juror from being fair? These are some of the factors Judge Merchan undoubtedly considered.”

Coffey Modica’s Joelle Duval shares valuable insights in the May issue of Healthcare Risk Management about the U.S. Supreme Court’s June 2023 decision in United States ex rel. Schutte v. SuperValu Inc., which affected healthcare compliance.

May 2024, Vol. 46, No. 5; p. 49-60

A Supreme Court ruling is changing how a defendant’s knowledge of wrongdoing and intent to commit fraud is viewed in civil cases. The ruling has significant implications for healthcare cases in which the False Claims Act (FCA) is involved.

The decision in U.S. ex rel. Schutte v. SuperValu Inc. unanimously held that liability under the FCA depends on a defendant’s subjective belief regarding whether a claim was false. Before this landmark ruling, it was unclear whether the standard for determining knowledge in an FCA claim was objective or subjective.1

The Supreme Court held a defendant can be held liable for “knowingly” submitting a false claim by demonstrating that the defendant knew or suspected the submission was false, even if an objectively reasonable person would not have known the claim was false. The decision means the healthcare industry is now grappling with the FCA’s “scienter” test, says George B. Breen, JD, an attorney with Epstein Becker Green in Washington, DC. “Scienter” is a legal term involving a culpable state of mind or a defendant’s knowledge that an act or conduct is wrongful and commits the act, anyway.

In Schutte, private parties sued retail pharmacies, claiming violations of the FCA through alleged fraud on Medicare and Medicaid, Breen says. Those government programs provide prescription drug coverage to their beneficiaries and usually limit the reimbursement to the pharmacy’s “usual and customary” charge to the public. However, the respondent pharmacies reported their higher retail prices to Medicare and Medicaid — as opposed to the lower discounted prices they offered customers through programs such as price matching, Breen explains.

The U.S. District Court for the Central District of Illinois held that the pharmacies’ “usual and customary” prices were its discounted prices, as opposed to the higher retail prices, and concluded that the pharmacies submitted false claims on that basis, Breen says. The district court held pharmacies could not have acted “knowingly” under the statute.

Breen notes that the two essential elements of an FCA violation are the falsity of the claim and the defendant’s knowledge of the falsity or scienter. The U.S. Court of Appeals for the Seventh Circuit affirmed in August 2021, finding that “there is no statutory indication that Congress meant its usage of ‘knowingly,’ or the scienter definitions it encompasses, to bear a different meaning than its common law definition,” Breen explains. “The Supreme Court, however, held in Schutte that the FCA’s scienter element refers to the defendant’s knowledge and subjective beliefs — not to what an objectively reasonable person may have known or believed. While the FCA clearly imposes liability on those who purposely intend to defraud the government, other cases might involve, by way of example, doctors who honestly mistake what ‘customary’ means — or who might correctly understand ‘customary’ but submit inaccurate claims, anyway.”

Justice Clarence Thomas wrote for the Supreme Court as it vacated and remanded the case to the Seventh Circuit that, “What matters for an FCA case is whether the defendant knew the claim was false. Thus, if respondents correctly interpreted the relevant phrase and believed their claims were false, then they could have known their claims were false.”1

In Schutte, the qui tam petitioners presented evidence that the companies believed that their “usual and customary” prices were their discounted prices — and took steps to prevent regulators and contractors from finding out about those discounted prices, Breen explains. For example, a pharmacy might charge $10 for a drug under a pricematch program but report $108 to the government for reimbursement. This kind of evidence could eventually help establish the scienter requirement for an FCA violation on remand.

“Schutte is a disappointing decision for the defense bar, and one likely to impact the ability to secure dismissal at the early stages of litigation. Healthcare providers must understand that the obligation of a relator or the government to show scienter is not dead as a result of Schutte,” he explains. “Recklessness means defendants being ‘conscious of a substantial and unjustifiable risk that their claims are false but submit[ing] the claims anyway.’ The focus will be on how providers can demonstrate their understanding at the time of claims submission and show that they were not acting with reckless disregard.”

This also might mean more scrutiny of attorney guidance on those complex, significant regulatory issues upon which FCA claims are based and the real-time documentation of a defendant’s understanding at the time of claims submission, Breen says.

Smoking Gun Is Rare

In the context of litigation, it is somewhat unusual that a healthcare provider or healthcare organization that knowingly, ignorantly, or recklessly submits false claims will all face the same liability and consequences, says Joelle Duval, JD, an attorney with Coffey Modica in White Plains, NY.

The practitioner or organization that knowingly submits false and excessive claims for monetary gain, the practitioner/organization that deliberately ignores or turns a blind eye to illegal practices occurring within its billing practices, and the practitioner/organization that with reckless disregard continues using an accounting service that is known to file false and misleading bills to insurance companies will all be charged with having the requisite scienter, Duval says.

“In the law, the state of mind of the defendant is generally important in considering not only liability or culpability but also the appropriate level of punishment or damages,” she says. “But with scienter, this appears not to be the case.”

While a healthcare practitioner or organization will be held liable regardless of the intent, Duval contrasts that with three individuals charged with murder. One defendant killed with deliberate premeditation, garnering the highest available punishment. The second defendant remained a bystander, neither participating in nor taking steps to stop a killing by members of his group, perhaps out of fear, which may mitigate the level of punishment. A third defendant who took a life after running a red light due to reckless but wholly unintentional and out of character conduct may be further mitigated to a minimum or alternative punishment.

“The bottom line is that healthcare providers and healthcare organizations should strive to always bill patients, private insurance companies, and government insurance programs fairly and honestly and in a way that a provider can justify the amount being billed if asked to do so,” Duval says. “Period. End of story.”

The Department of Justice’s (DOJ’s) recent announcement of the latest FCA settlements suggests that healthcare organizations were waiting to see how the Supreme Court ruled, says Brett W. Johnson, JD, partner with Snell & Wilmer in Los Angeles.

“One of the reasons why the settlements were so high was that a lot of companies were waiting for that opinion to come down to determine which way they were going to go — settlement, or do we have grounds to argue it,” Johnson says. “They realized when the Supreme Court issued its opinion that it was going to be changing the standard that had been more recently applied.”

Discovery costs related to the FCA cases are so extreme that it is often cheaper and more expedient to resolve them with a settlement, Johnson notes. “These cases sometimes take two to four years to process, and then all of a sudden you saw this pretty big spike in settlements. The ruling is a significant win for the whistleblower community because it allows for them to have more discovery, and that forced folks into settlement for the healthcare industry,” he says. “They also always have to worry about their licensure, and with that kind of threat hanging out over their heads, there is always more willingness in the healthcare world to settle.”

Knowing Right and Wrong

The Schutte decision hinged on whether the defendant knew it was wrong. That can be a complex question for healthcare organizations, says Jonathan A. Porter, JD, partner with Husch Blackwell in Washington, DC.

“When it comes to companies, there is all sorts of evidence that you can find that suggests someone should have known something. It gets really, really complicated, and then the problem with knowledge is it’s very rarely going to be one of those issues where there is a clear answer,” Porter says. “There are always going to be shades of gray when it comes to knowledge, especially when you live in what someone should have known, which by definition is part of the knowledge inquiry under the False Claims Act. It’s reckless disregard as well as actual knowledge.”

That type of fact inquiry can be difficult for a court to figure out on summary judgment, so these cases can end up going to trial. “That’s where healthcare providers are in pretty bad spot,” Porter says. “Even if they are confident they did no wrong, they can end up settling because the False Claims Act has some astronomical penalties for going to trial.”

The FCA implications of Schutte are important, but Patric Hooper, JD, partner with Hooper, Lundy & Bookman in Los Angeles, points out that the underlying case also holds compliance lessons. The moral of the story is that if you are a compliance officer or risk manager and find out that the company is submitting claims that it knows are false — in this case, because the price charged to the government was higher than the usual and customary charge — the submissions must be stopped immediately, Hooper says. If false claims have been submitted, the company must immediately disclose that fact to the government to head off an FCA investigation prompted by a whistleblower.

“That would be a rare smoking gun in one of these cases where someone finds some internal document or some employee says, ‘Yeah, we looked at this issue and realized we were charging higher than the usual and customary charge, but we did it anyway,” Hooper says. “Not only could that be potential liability under the False Claims Act, but that could be a criminal act.”

The Schutte decision can be seen as a good result for healthcare organizations, says Sean B. O’Connell, JD, an attorney with Baker Donelson in Washington, DC.

“The big takeaway of the case is that willfulness and knowledge matter. What you intended matters when it comes to violating the False Claims Act — and that’s a win,” O’Connell says. “That’s absolutely a win for people in the industry, because it requires you to know that you’re doing something that was wrong or have a reckless disregard for whether it was wrong in order to violate the statute.”

That is a pretty big hurdle, O’Connell notes. It means that the FCA is no longer a negligence statute or a strict liability statute.

“This is a statute that requires some level of knowledge to violate it, and the burden of proof is going to be either the government or a relator that has to prove that,” O’Connell says. “It can’t just rely on, ‘Well, other people are doing it this way,’ or ‘They should have known that they were doing something wrong.’”

REFERENCE

1. U.S. ex rel. Schutte v. SuperValu Inc. Decided June 1, 2023. https://www.supremecourt.gov/ opinions/22pdf/21-1326_6jfl.pdf

Coffey Modica partner Paul Golden spoke exclusively to The US Sun about the two options open to New Yorkers looking to evict squatters.

SQUAT A JOKE: Squatters can win triple damages if they’re pushed from your house, expert warns – but alternative is months-long wait

Two real-life stories reflecting the risks related to both eviction methods

Emma Crabtree, Freelance US reporter
Published: 12:00 ET, Apr 27 2024

HOMEOWNERS have been warned about taking the law into their own hands when removing squatters as they risk harsh consequences.

Paul Golden, a New York real estate attorney from Coffey Modica LLP, has released a new book diving into the world of squatter’s rights and legal advice.

Golden’s book, Litigating Adverse Possession Cases: Pirates v Zombies, was released earlier this month when stories of squatters taking over propertiesstarted making headlines.

The U.S. Sun spoke exclusively to Golden whose book will help lawyers defend and prosecute in adverse possession cases.

Squatters are defined as people who move into a space that they do not own without permission or as current tenants who overstay their welcome, such as a tenant staying after their lease has expired.

However, he warns property owners in New York that the law “is a patchwork” regarding landowners and squatters.

Other than calling the police and hoping they remove the unwelcome guests, Golden detailed two actions landowners can take when it comes to removing squatters.

However, the attorney warned that one method could see them charged “triple damages” while the other could be a long drawn-out process.

‘SELF-HELP’

Engaging in the “self-help” method is approved by at least one New York court, Golden explained, though only “in certain circumstances.”

This is for owners to “just physically remove a squatter,” but there are huge risks despite the effectiveness of this method.

“In New York, there is a statute (RPAPL 853) which indicates that if a person is put out of real property ‘in a forcible or unlawful manner,’ then the person who has been ejected can sue the person who ejected him and win not only damages but potentially triple the damages,” the author explained.

“In other words, in New York, the public policy is not to have people take the law into their own hands” but at least one court in the state allows owners to do so under certain circumstances.

Taking an example to the extreme, Golden said that if someone was living on their own property and a stranger came in and said they were living there “any normal homeowner’s reaction would be to just push the person out.”

“In such a case, then so long as the squatter was uninjured, no sane judge in the world would award damages against that homeowner, no matter how the statute might appear,” he explained.

As well as potentially paying damages for injury, Golden noted another New York statute that could come into play and cause issues with the self-help method.

The statute “indicates that it is unlawful to attempt to evict, through non-judicial methods, ‘an occupant of a dwelling unit who has lawfully occupied the dwelling unit for thirty consecutive days or longer.'”

Golden warned that those who fall foul of this statute “could be subject to a civil penalty, and be guilty of a misdemeanor.”

“However, a clever attorney can argue that a squatter is not an occupant who ‘lawfully’ occupies a dwelling unit,” he added.

COURT FILING

Meanwhile, the other option open to owners is to go to court to file a summary proceeding after issuing a 10-day notice to the people occupying their property.

However, Golden warned that “in New York City, it could take months before the court would finally issue a warrant.”

It may then take even longer for a date to be set for the city marshal to visit the property and force the squatter out.

In addition to these methods of eviction, property owners need to keep an eye on the calendar or they risk losing possession rights to their home.

People can become adverse possessors when they have lived on the property for a notable length of time in the same manner an owner would.

“In New York, that period of time is generally 10 years,” Golden explained.

I’m really fearful that these people are going to get away with stealing my home.

Adele Andaloro Homeowner With Squatters In Her Property

“In such a case, the occupant can, in certain cases, eventually become deemed the owner of the property.”

However, a squatter is “unlikely to eventually become a true adverse possessor,” he said.

“This is for many reasons, but the most obvious is that one would not expect such a person to last so many years in such a premises, without the true owner eventually interrupting the use.”

‘ENRAGING’

The U.S. Sun has previously reported on landowners who have been struggling to evict their squatters and their stories represent both sides of the dilemma set out by Goldman.

Adele Andaloro from Queens, New York, was arrested after squatters moved into the family home she inherited and changed the locks on the door.

While she was in the process of selling the $1 million property, Andaloro noticed that the entire front door and locks had been changed.

Squatters had moved into the vacant home and refused to leave.

“I’m really fearful that these people are going to get away with stealing my home,” the homeowner told local ABC news affiliate WABC.

“It’s enraging. It’s not fair that I, as the homeowner, have to be going through this.”

Andaloro took matters into her own hands by entering the property with the deed and calling a locksmith.

However, she was arrested for illegal eviction for changing the locks on her own property.

Meanwhile, neighbors in Georgia complained after a group of squatters moved into a vacant rental home in their neighborhood.

The rental company, Progress Residential, spoke out at the time that removing the individuals was difficult due to the laws in place.

As Golden warned, it took the police months to remove the squatters as they “can’t do anything.”

NTD News, an international news station that reaches over 60 million homes on cable and satellite in the U.S. and abroad, recently spoke with Coffey Modica’s Paul Golden about adverse possession.

By Chris Beers | April 15, 2024 | NTD News Today

Paul Golden shares further insights with Newsweek on the latest developments in Trump’s civil fraud trial.

Apr 15, 2024 | By Sean O’Driscoll Senior Crime and Courts Reporter

The New York attorney general may start seizing Donald Trump’s assets if he fails to post a $175 million bond on Monday.

Trump posted a $175 million bond on April 1 to prevent Attorney General Letitia James from seizing his assets while he appeals a civil fraud judgment against him, but this was rejected by a New York court.

Paul Golden, author of Litigating Constructive Trusts and a partner at New York law firm Coffey Modica, told Newsweek that either Trump or a bond company must file a motion on Monday, April 15.

He said that it comes after James objected to deficiencies in a bond Trump previously filed.

“The online records for the case indicate that on April 1, Trump filed a bond and specifically indicated that if the Trump defendants are ultimately obligated to pay a judgment, then the Knight Specialty Insurance Company [KSIC] can cover the sum—up to $175 million.”

“Trump provided this bond as a means of avoiding the Attorney General’s collection efforts pending the full resolution of the appeal—which may take many months or longer,” Golden said.

“Three days later, on April 4, the Attorney General filed what is called a Notice Of Exception To Surety. The Attorney General noted that there was no certificate of qualification.”

The statute the attorney general cited outlines how New York can issue a certificate of qualification indicating that “the insurer is solvent, responsible and otherwise qualified to make policies or contracts of the kind required.”

“Presumably, the Attorney General determined that no certificate of qualification exists,” Golden said.

New York Judge Arthur Engoron previously found Trump, his adult sons Donald Jr. and Eric, and The Trump Organization liable for a scheme in which the value of Trump’s net worth and assets were unlawfully inflated to obtain more favorable business deals. Trump, the presumptive 2024 GOP presidential nominee, has maintained his innocence.

Trump was hit with a penalty that came to around $454 million after interest, and would have had to pay a bond slightly higher than that amount to stave off the state from seizing assets, such as his many real estate holdings, to cover the penalty. An appeals court later ruled that he could instead pay a lower bond of $175 million.

The bond was then rejected by the court’s filing system shortly after it was posted.

Golden said that Trump or KSIC will have to file a motion in court on Monday to show that they have the $175 million in place.

“Unless another insurer can be found, then likely Trump or KSIC will indeed file a motion in court, attempting to prove that KSIC does have sufficient assets,” Golden said.

“Presumably, if the motion fails, the Attorney General will take the position that the bond is without effect, and that the Attorney General may start to take collection efforts,” Golden said.

However, Trump could seek a stay while he yet again tries to amend the bond, Golden added.

“Trump may ask either the lower court or the appellate court (or both) to provide him with a new temporary stay, and an extension of time to find a new bonding company that is more likely to pass muster,” he said.

Newsweek sought email comment from Knight Specialty Insurance and Trump’s attorney on Monday.

Golden said that the 10-day deadline ended on Sunday, when the courts are closed, and can therefore continue on to Monday.

Monday is a major day for Trump. It is also the start of his Stormy Daniels hush money case—the first time in U.S. history that a former president has gone on criminal trial.

The prosecution will try to prove that, before the 2016 presidential election, Trump paid, or discussed paying, two women—adult film star Daniels and former Playboy model Karen McDougal—not to reveal his alleged affairs with them. He is also accused of making payments to a former Trump Tower doorman who claimed to know that Trump allegedly fathered a child with another woman.

Trump has pleaded not guilty to all charges and denies the affairs took place.

In this recent Newsweek article, our own Paul Golden shares further insights on the most recent developments in Donald Trump’s court cases.

Published Apr 09, 2024 | By Sean O’Driscoll, Senior Crime and Courts Reporter

The New York Attorney General may start collecting Trump assets if he fails to post a bond by next Monday, a leading real estate lawyer has said.

Paul Golden, author of Litigating Constructive Trusts and a partner at New York law firm Coffey Modica, told Newsweek that either Trump or a bond company must file a motion by Monday stating they have a $175 million bond in place.

“Presumably, if the motion fails, the Attorney General will take the position that the bond is without effect and that the Attorney General may start to take collection efforts,” Golden said.

“Of course, if for whatever reason a court rules the bond is without effect, then Trump would likely appeal that decision as well, and possibly seek a stay in the context of that separate appeal too,” he said.

Trump posted the $175 million bond on April 1 to prevent James from seizing his assets while he attempts to appeal the civil fraud ruling against him. New York Judge Arthur Engoron previously found Trump, his adult sons Donald Jr. and Eric, and The Trump Organization liable for a scheme in which the value of Trump’s net worth and assets were unlawfully inflated to obtain more favorable business deals. Trump, the presumptive 2024 GOP presidential nominee, has maintained his innocence in the matter.

Trump was hit with a penalty that came to around $454 million after interest and would have had to pay a bond slightly higher than that amount to stave off the state from seizing assets, such as his many real estate holdings, to cover the penalty. An appeals court later ruled that he could instead pay a lower bond of $175 million.The bond was then rejected by the court’s filing system shortly after it was posted due to missing paperwork, including a “current financial statement.” James, whose office led the fraud case against Trump, later raised questions about the “sufficiency” of the bond and noted that the surety backing it, Knight Specialty Insurance Company (KSIC), is not admitted in New York, meaning it’s ineligible to obtain a certificate of qualification from the Department of Financial Services. KSIC has refiled its paperwork as a result in an effort to get the process moving again.

Newsweek sought email comment from Knight Specialty Insurance and Trump’s attorney on Tuesday.

Golden said James cited a statute “which indicates that within ten days (that is—by April 15, as April 14 is a Sunday) either Trump or the KNIC must file a motion in court to ‘justify the surety.’ If not, then pursuant to statute, the bond shall ‘be without effect’.”
Golden said it is difficult to read how the situation will play out.

“There is little case law on this particular subject, so it becomes hard to predict what factors a court would consider when deciding if KNIC was truly solvent, and could ultimately afford to pay off $175 million,” he said.

Engoran has already scheduled an in-person hearing in this case for April 22, 2024, in the courtroom at 10 a.m.

“The official court records do not seem to indicate what precisely will occur on that date, but news reports indicate that Hon. Engoran will be discussing bond issues,” Golden said.