By maintaining a robust compliance program, healthcare companies are better able to identify potential red flags early and to prevent violations of fraud and abuse laws. A failure to maintain an effective compliance program may become particularly problematic for companies with business transactions on the horizon as the government increasingly incentivizes business professionals to give compliance a seat at the deal table.

On October 4, 2023, Deputy Attorney General Lisa Monaco announced a new Department of Justice (DOJ) safe harbor policy (the DOJ Announcement), which incentivizes voluntary self-disclosures by acquiring companies during or immediately after mergers and acquisitions (the M&A Safe Harbor). The DOJ Announcement stresses the importance of investing in strong compliance programs for both the buyers and sellers in business transactions. On November 6, 2023, the Department of Health and Human Services Office of Inspector General (OIG) reinforced this messaging by releasing its updated General Compliance Program Guidance (GCPG), which discusses general compliance risks and provides a valuable roadmap for what constitutes an effective compliance program.  

This blog post will provide guidance regarding: (1) how to satisfy the elements of the M&A Safe Harbor, (2) the benefits of using the GCPG as a baseline standard for all compliance programs, and (3) the use of the GCPG as a baseline for meeting the requirements of the M&A Safe Harbor.

M&A Safe Harbor Overview

The M&A Safe Harbor allows acquiring companies who voluntarily self-disclose misconduct discovered during business transactions to receive the presumption of a government declination of criminal prosecution. The government implemented the M&A Safe Harbor to ensure buyers with effective compliance programs are not discouraged from acquiring companies with less effective compliance programs. The M&A Safe Harbor protects the buyer. But absent aggravating factors within the target company, after closing, the target company may also receive a declination. Recently, the DOJ published its Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy, which provided general examples of aggravating factors, such as involvement by executive management of the company in the misconduct, egregiousness or pervasiveness of the misconduct within the company, or criminal recidivism.

To qualify for the M&A Safe Harbor, the buyer must disclose misconduct discovered at the acquired entity within six months from the date of closing, regardless of whether the misconduct was discovered pre- or post-closing. The buyer then has one year from the date of closing to remediate the misconduct. These deadlines are subject to a “reasonableness analysis,” as the DOJ recognizes that the complexity of each transaction may differ. In addition, to receive the presumption of a declination, the acquiring company must cooperate with the investigation and engage in timely and appropriate remediation, restitution, and disgorgement.

Notably, the M&A Safe Harbor acts to avoid DOJ prosecution of criminal conduct. The M&A Safe Harbor does not apply to: (1) misconduct that was otherwise required to be disclosed, (2) misconduct that was already public or known to the DOJ, or (3) civil merger enforcement (the Federal Trade Commission (FTC) and DOJ’s power under the federal antitrust laws to investigate and challenge certain mergers and acquisitions that may harm competition).

The M&A Safe Harbor also does not expressly address civil enforcement mechanisms such as the False Claims Act (FCA). However, the DOJ Announcement teased future modifications. Monaco stated that there is “more to come” as the DOJ will “continue to extend consistent, transparent application of [its] corporate enforcement policies across the [DOJ], beyond the criminal context to other enforcement resolutions.”

Although the DOJ was silent about application of the M&A Safe Harbor to civil enforcement under the FCA, other DOJ guidance emphasizes the DOJ’s willingness to provide benefits to entities and individuals who voluntarily self-disclose in the FCA context. The DOJ’s Civil Division updated its guidelines in 2019. There, the DOJ detailed the credit that it would provide to entities and individuals who “voluntarily self-disclose misconduct that could serve as the basis for [FCA] liability and/or administrative remedies, take other steps to cooperate with FCA investigations and settlements, or take adequate and effective remedial measures.” Most recently, the DOJ demonstrated a willingness to award cooperation credit for self-disclosures made by defendants in various FCA matters, including, for example, self-disclosures by a lab billing company, dermatology management company, and information technology service provider. And, self-disclosure may also serve as a public disclosure for the purposes of advocating for the Public Disclosure Bar and would provide a valuable data point for arguing against the multiplier effect of civil FCA damages.

The GCPG as a Baseline Compliance Standard

The OIG’s recent release of the updated GCPG further underscores the importance of establishing a robust compliance program. The GCPG provides voluntary, non-binding guidance to assist all individuals and entities in the healthcare industry to develop and maintain a successful compliance program. Although the GCPG is voluntary, healthcare companies should utilize it as a baseline litmus test for what the government would consider to be an appropriate compliance program.

Among other things, the GCPG details the seven elements that the OIG believes comprise a successful compliance program:

1. Written Policies and Procedures;
2. Compliance Leadership and Oversight;
3. Training and Education;
4. Effective Lines of Communication with the Compliance Officer and Disclosure Program;
5. Enforcing Standards: Consequences and Incentives;  
6. Risk Assessment, Auditing, and Monitoring; and
7. Responding to Detected Offenses and Developing Corrective Action Initiatives.

The GCPG further explains how to implement these elements. Healthcare companies should engage experienced regulatory counsel to advise about the nuances of each element as they gauge the impact that regulatory compliance may have on deal terms.

The M&A Safe Harbor is most useful if buyers perform a comprehensive regulatory due diligence prior to closing to allow sufficient time to comply with the required timeline. But robust pre-closing due diligence is not always practicable. In those instances, the buyer should conduct a post-closing compliance audit, under counsel’s direction and with the benefit of privilege, shortly after closing to identify any potential compliance gaps.

In conjunction with using the GCPG, companies should reference the DOJ’s “Evaluation of Corporate Compliance Programs,” which is customarily used to assist prosecutors in assessing whether a company’s compliance program was effective at the time of the particular misconduct.

Below are considerations regarding the elements of an effective compliance program that buyers should pay particular attention to when performing due diligence to determine if any disclosures are required under the M&A Safe Harbor, or any other disclosure requirements. Although we only focus on certain elements, all of the elements should be reviewed and addressed during due diligence or as part of a post-closing audit.

• Conduct a thorough risk assessment of seller’s compliance program. Follow the GCPG’s discussion regarding Element 6, “Risk Assessment, Auditing, and Monitoring,” to identify and quantify the organization’s risk. This section of the GCPG also references the OIG’s Measuring Compliance Program Effectiveness: A Resource Guide, which can help the buyer evaluate the effectiveness of the seller’s compliance program and identify its weaknesses.
• Determine what, if anything, must be reported. If misconduct is identified, the buyer should follow the GCPG’s discussion regarding Element 7, “Responding to Detected Offenses and Developing Corrective Action Initiatives.” This section of the GCPG explains how to conduct investigations and promptly report misconduct, which is essential for compliance with the M&A Safe Harbor.

• Once the issue has been reported, ensure proper and timely remediation in accordance with the M&A Safe Harbor’s requirements. Adherence to the GCPG’s description of Element 7, “Responding to Detected Offenses and Developing Corrective Action Initiatives,” will assist with complying with the M&A Safe Harbor’s requirement to fully remediate the misconduct. Element 7 of the GCPG provides guidance regarding: (1) refunding overpayments, (2) enforcing disciplinary policies and procedures, and (3) making any policy or procedure changes necessary to prevent a recurrence of the misconduct.

• Ensure Ongoing Compliance. Most of the remaining elements in the GCPG focus on the effective structure and use of a compliance program — e.g., written policies and procedures (Element 1), leadership and oversight (Element 2), training and education (Element 3), and internal enforcement standards (Element 5). Buyers should review the structure of compliance programs at target companies. Buyers can leave programs relatively unchanged if they are effectively structured and implemented. However, soon after closing a deal, the buyer should audit and, if necessary, revise ineffective programs to spread the culture of compliance that exists in the buyer’s organization.

Moving Forward

Both buyers and sellers may use the GCPG as a baseline standard to develop, maintain, and analyze compliance programs. Sellers that can demonstrate compliance with the GCPG will be more attractive to buyers as there will be less concern for hidden compliance issues. The M&A Safe Harbor may provide greater clarity about the magnitude of deal escrows to reserve for contingent future liabilities. Buyers that use the GCPG to perform their due diligence will have the necessary tools to satisfy the requirements of the M&A Safe Harbor timely and to properly analyze the effectiveness of a seller’s compliance program. Absent timely self-disclosure and remediation of misconduct pursuant to the safe harbor, a buyer would likely be subject to full successor liability for that misconduct. As Monaco states, “Compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.”

Akerman has a deep bench of healthcare corporate, regulatory, and litigation attorneys available to assist entities as they navigate the impact of the new M&A Safe Harbor and the GCPG, as well as the development and maintenance of robust, effective, and successful compliance programs.

[1] The authors would like to thank their former colleague, Lauren F. Gandle, for her contribution to this blog post.