Skip to Main Content

May 26, 2021

The U.S. Government’s Enterprise-Wide Approach to the Public Health Emergency and Related Enforcement Will Require Stakeholders to Address Enterprise-Wide Risk and Compliance Issues

This Bulletin is brought to you by AHLA’s Enterprise Risk Management Task Force.
  • May 26, 2021
  • Stewart Kameen , Bass Berry & Sims PLC
  • Lisa Rivera , Bass Berry Sims PLC

Not unlike the Troubled Asset Relief Fund (TARP)—the nearly half-trillion-dollar program administered by the U.S. Treasury to stabilize the economy in the wake of the 2008 financial crisis—the U.S. Government was swift to provide needed funding to individuals and entities in response to the historic public health emergency known as COVID-19 (the PHE). And, not unlike the Special Inspector General for TARP, which has recovered more than $11 billion in its oversight of TARP over the past decade, a cross-agency enforcement mechanism related to the use and misuse of PHE-related funds and other technical violations of various terms, conditions, and reporting obligations, will linger for years beyond the pandemic era. Chief among the enforcement team is the Pandemic Response Accountability Committee (PRAC), a product of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that provided the initial round of funding.

Indeed, in a recent Joint Memorandum from the White House and the PRAC,[1] the Office of Management and Budget (OMB) noted that the PHE has required “a swift Government-wide response,” highlighting that “[a]ccountability and transparency of Federal Government spending and achieving results are necessary for effective stewardship of these funds.” As part of this effort, OMB has committed to working with the PRAC and agency Inspectors General (IGs) to strengthen payment integrity and minimize fraud, waste, and abuse, and the intense coordination at the federal, state, and local levels is unprecedented. This U.S. Government-wide approach to providing swift funding along with comprehensive inter-agency oversight warrants an equal approach within health care organizations. Enterprise risk management associated with the PHE should be well under way, and now is the time to bolster compliance measures to ensure that enterprise use and management of PHE-related funds is consistent with the myriad requirements.

Investigations stemming from PHE-related funding and other COVID-19 programs will subject targets to enterprise-wide scrutiny, well beyond regulators’ traditional focus on a particular issue, arrangement, or relationship. Initial eligibility for, and use of, these funds will be analyzed anew, missteps and inaccurate attestations will require interviews and intense scrutiny of documentation and emails, and the litany of terms and conditions required for continued use of the funds presents opportunities for the Department of Justice (DOJ), PRAC, and agency IGs, to probe throughout an organization. Further, companies’ arguable intentional misconduct associated with COVID-19 could result in aggressive, example-making resolutions with the government, further strengthening regulators’ efforts.


The CARES Act and other PHE relief programs, such as the American Rescue Plan (ARP), now total more than $5 trillion in government relief funding associated with COVID-19. Aid includes the Paycheck Protection Program, Economic Injury Disaster Loans, and the Provider Relief Fund, among other programs. The Provider Relief Fund, through which the Department of Health and Human Services (HHS) is distributing more than $170 billion to hospitals and other providers, comes with numerous attestations, various terms and conditions, and other reporting requirements for any party that retains the funds. Even the most basic of the required certifications could provide ample room for government enforcement and whistleblower activity throughout an organization. For instance, certain providers must certify that the funds “will only be used to prevent, prepare for, and respond to coronavirus,” and that funds are used “only for health care related expenses or lost revenues that are attributable to coronavirus.”[2] Certain violations of this certification will be apparent and easy to detect—indeed, DOJ has already targeted blatant fraudsters in this space. More likely, however, a whistleblower or government agent may need to carefully scrutinize an entire organizations’ use—and the reasons behind such use—of PHE-related funds, which will require far-reaching investigative tactics. Determining whether an action is “attributable to coronavirus” injects considerable discretion and subjectivity into the analysis. Documentation, board minutes, and compliance materials that demonstrate why the various actors within an organization believe the funding satisfies this requirement, may be required by regulators. Without such documentation, investigators will be forced to interview subjects and targets at length, including some who may have left the organization years earlier.

Beyond the unprecedented federal funding, the health care sector has seen historic waivers and other flexibilities associated with traditional fraud and abuse laws, such as the Physician Self-Referral Law (the Stark Law) and the Anti-Kickback Statute. The Center for Medicare & Medicaid Services, for instance, issued broad waivers under the Stark Law for various remuneration exchanged between DHS entities and physician referral sources, and the HHS Office of Inspector General (OIG) followed suit with largely overlapping guidance. OIG has maintained a COVID-19 FAQ mechanism on its COVID-19 portal, allowing stakeholders to submit questions about OIG’s enforcement authorities during the PHE. OIG has issued a number of answers regarding its enforcement discretion related to remuneration between referral sources—including patients—tied to the duration of the PHE. Those waivers and discretion will come to an end and providers will need to revise their practices quickly. Moreover, parties relying on OIG’s FAQ guidance to provide remuneration beyond that which is specifically accounted for in an FAQ response, may face heightened scrutiny—without the protection of an advisory opinion, a safe harbor, or specific COVID-19 guidance, an enterprise may face regulators or whistleblowers on questions of intent for years.

What to Expect from the PRAC

Among other things, the CARES Act created the PRAC, a committee of the Council of the Inspectors General on Integrity and Efficiency. Its purpose is to promote transparency and oversight of CARES Act and other PHE funding (such as the ARP), and PRAC has a five-year strategic plan for implementing this mission. Included in this plan, perhaps chief among its goals and objectives, is preventing and detecting fraud, waste, abuse, and mismanagement. PRAC’s plan specifically highlights “mitigat[ing] major risks that cut across program and agency boundaries,” and “hold[ing] wrongdoers accountable.”[3] In essence, PRAC and the broader community of IGs and enforcement agencies are tasked with addressing and mitigating PHE risks across the entire federal government enterprise. This unmatched approach to enforcement necessitates unmatched enterprise preparedness.

The Acting Chair of PRAC, and current DOJ Inspector General, signaled an intent to leverage partnerships and collaborate with federal, state, and local oversight entities to achieve these goals and promote transparency.

PRAC intends to identify “cross-cutting risks by using data analytics and risk assessments,” targeting criminal fraud schemes and accounting for disbursement of covered funds. PRAC also makes it easier for individuals and entities to report suspected wrongdoing to various agencies.

Meanwhile, DOJ’s Fraud Section already is investigating and prosecuting fraud, false statements, and money laundering related to CARES Act funding, and has already charged over a hundred defendants for PPP and other fraud. Many agencies have supplemented their hotlines for reporting fraud with COVID-specific outlets, further emboldening whistleblowers. All U. S. Attorney’s Offices have a designated COVID fraud enforcement leader working with other federal and state agency partners, and supported by increased resources and shared COVID funding data.

With government-wide enforcement just ramping up, now is the time for enterprise-wide compliance measures to prepare for the post-PHE enforcement environment.