In April 2020, Congress enacted the first significant legislation that provided federal funding to individuals, organizations, and businesses impacted by the COVID-19 pandemic. This statute, the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act” or “the Act”) and the subsequent Paycheck Protection Program and Health Care Enhancement Act (“PPPHCEA”) infused an unprecedented $2.2 trillion into the American economy to assist those impacted by the COVID-19 pandemic.
Each relief program within the CARES Act required recipients to take prudent steps in complying with the Terms and Conditions attached to such funds. The CARES Act legislation also authorized oversight bodies to scrutinize funds distributed under the CARES Act and other related COVID-19 legislation. Specifically, the CARES Act created three oversight organizations charged with monitoring the distribution of the stimulus funds: the Office of the Special Inspector General for Pandemic Recovery, Department of the Treasury; the Pandemic Response Accountability Committee; and the Congressional Oversight Commission. Beyond the actions and activities of these oversight organizations, the U.S. Department of Justice (DOJ) has taken the position that failing to adhere to eligibility rules as well as subsequent Terms and Conditions of the CARES Act funding can result in government enforcement actions, including returning the funds, debarment and exclusion from eligibility for future federal funding, all the way up to civil and criminal sanctions.
And DOJ has backed up this viewpoint with significant enforcement activity even though we are only just a year after COVID-19 hit our shores. Since the CARES Act’s enactment, DOJ has criminally prosecuted individuals across the country and successfully settled a False Claims Act (“FCA”) case under that law. As highly regulated organizations subject to stringent federal regulatory oversight regimes, healthcare entities should be no stranger to the importance of programmatic compliance.
As the government continues to use criminal and civil remedies to root out fraud and abuse involving COVID-19 relief government funds, healthcare entities should remain appraised on the current enforcement environment for CARES Act programs. It is also critical for healthcare entities receiving pandemic relief funds to always keep an eye on compliance basics such as longstanding financial management rules on use and documentation of such funds.
A. Current Paycheck Protection Program enforcement activity efforts by the federal government
One of the signature elements of the CARES Act was the Paycheck Protection Program (PPP). The PPP authorized billions of dollars in forgivable loans to small businesses, nonprofits, and certain tribal entities, as well as emergency grants to eligible small and mid-sized businesses. The PPP provides (1) loans to eligible small businesses for payroll and other fixed obligations; (2) a mechanism for loan forgiveness where the small business can demonstrate that the loan proceeds were used for payroll and certain other costs; and when forgiven, (3) the ability to not recognize the forgiven loan as revenue for tax purposes.
Importantly, applications for PPP loans require applicants to make specific certifications regarding their business. From the start, the Small Business Administration (SBA) put applicants on notice that it would rely upon applicants’ self-certification to verify eligibility for funding. These self-certifications were made under penalty of perjury pursuant to 28 U.S.C. §1746 and included the following:
- certifying that current economic uncertainty makes this loan request necessary to support the ongoing operations of the applicant;
- certifying that the loan funds will be used to retain workers and maintain payroll or make mortgage interest payments, lease payments, and utility payments, as specified under the PPP rules; and
- certifying that the applicant understands that if the funds are knowingly used for unauthorized purposes, the federal government may hold the applicant legally liable, including for criminal fraud violations.
Because PPP applicants must certify their eligibility for loan funds to the government, it is the applicants’ responsibility to ensure, in good faith, eligibility before making these certifications. As is standard for borrower application forms for federal programs of this nature, the certifications warn applicants of potential criminal exposure for knowingly making a false statement. For example, making a false statement to obtain a guaranteed loan from the SBA could result in criminal liability under 18 U.S.C. §1001 (false statements to the government generally), 15 U.S.C. § 645 (SBA related offenses and penalties), or 18 U.S.C. §1014 (loan and credit application penalties). Since the CARES Act enactment, the federal government has actively pursued civil and criminal actions against individuals and organizations that have violated these laws.
On January 12, 2021, the US Department of Justice (DOJ) announced its first-ever civil settlement of alleged False Claims Act (FCA) violations with a borrower of a PPP loan. According to the US Attorney’s Office for the Eastern District of California, SlideBelts, Inc., a California-based internet retailer and debtor in bankruptcy, and its president and CEO, agreed to pay a combined $100,000 in damages and penalties to resolve alleged violations of the FCA and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). As part of the settlement, SlideBelts and its president admitted that they made false statements to banks to obtain PPP funds.
Beyond FCA liability, the federal government has taken an aggressive approach to prosecuting PPP fraud criminally. DOJ has charged more than 100 defendants in more than 70 criminal cases related to the PPP, seizing millions in cash proceeds derived from fraudulently obtained PPP funds, as well as numerous real estate properties and luxury items purchased with such proceeds. The underlying criminal activity follows a unifying theme – each defendant made intentional misrepresentations concerning the defendant’s eligibility to receive PPP funds and then used the federal funds illicitly. So far, these are the easy cases involving brazen misconduct, including falsified documents, false statements, or misuse of loan proceeds to buy things like cars, homes, or jewelry and have resulted in criminal charges such as bank fraud, false statements to a financial institution, and money laundering.
It is important to note that PPP investigations are often not conducted in isolation – these investigations comprise just one type of potential governmental inquiry. For example, many PPP fraud criminal targets were also subject to open civil and criminal investigations involving healthcare fraud.
B. Compliance best practices for healthcare organizations participating in the Provider Relief Fund Program
The CARES Act and the PPPHCEA provided $175 billion for a Provider Relief Fund (PRF) to prevent, prepare for, and respond to COVID-19, domestically or internationally, for necessary expenses to reimburse eligible health care providers for healthcare-related expenses or lost revenues that are attributable to the virus. In 2020, the Provider Relief Fund distributed almost $117 billion in payments to approximately 428,000 unique healthcare providers, including hospitals in areas especially hard-hit by the virus, federally qualified health centers, safety-net hospitals, rural health clinics, and Critical Access Hospitals, nursing homes, and other residential care facilities, and more. The US Department of Health and Human Services’ Health Services’ (HHS) Health Resources and Administration (HRSA) was designated to administer the PRF program.
Akin to the recipients of PPP funding, PRF funding recipients are required to attest to the Terms and Conditions of the PRF within 90 days. Those that did not were “deemed to have accepted” the Terms and Conditions. The Terms and Conditions contain compliance reporting requirements and enumerate specific permitted uses of the PRF such as preventing, preparing for, and responding to COVID-19 and reimbursement of healthcare-related losses attributable to COVID-19.
Specifically, recipients are required to sign an attestation certifying the funds “will only be used to prevent, prepare for, and respond to [the] coronavirus,” and that the funds “shall reimburse the [r]ecipient only for health care related expenses or lost revenues that are attributable to [the] coronavirus.” Further, the attestation requires the recipient to certify that it will not use the funds “to reimburse expenses or losses that have been reimbursed from other sources or that other sources are obligated to reimburse.”
The attestation also states the recipient “must comply with any other relevant statutes and regulations” and must ensure the accuracy and completeness of any submissions to HHS associated with the relief funds. If the recipient retains the funds “for at least 90 days without contacting HHS regarding remittance of those funds,” even if the attestation is not completed, it will be deemed that the recipient has accepted all of the terms and conditions contained in the attestation, including that the recipient certifies the accuracy and completeness of future reports and other documentation to be submitted to HHS. The certifications and Terms and Conditions contained in the attestation may become the basis for FCA liability.
Considering this, healthcare organizations should take care to follow the extensive HHS guidance to recipients of PRF payments on reporting compliance requirements. While the Terms and Conditions specify noncompliance would be grounds to recoup some or all payments made from the Provider Relief Fund, knowing violations may also subject entities to enforcement under the FCA.
As many healthcare organizations have already experienced, HHS has initiated audits to ascertain organizations’ compliance with the PRF program’s requirements over the latter half of 2020 and well into 2021. Although no civil or criminal litigation arising from the PRF program has been publicly reported by DOJ, the HHS’ Office of Inspector General (OIG) has initiated its planned audit of the first “general distribution” of $50 billion to hospitals and other providers under the PRF program.
As these OIG audits continue in 2021, healthcare organizations should consider adopting some of the following compliance practices:
- To limit exposure, providers who received funds through either the general or targeted PRF distributions should carefully review and, if the amounts received are large enough, retain legal and accounting help to review the accuracy of information submitted to HHS and, possibly, notify HHS of any necessary corrections that should be made. This may require returning funds received, depending on the severity of the submission error.
- Providers receiving PRF funds should deposit such funds into readily accessible cash accounts with no downside risk and treat interest earned thereon as funds in which the government retains a primary interest until directed otherwise by HHS. Recipients should diligently track grant funds from the moment of receipt and document a nexus between COVID-19, the expense or loss of revenue, and the use of PRF funds to ensure that no such funds are directed to non-COVID-19-related (e., non-permitted) uses.
- One of the Terms and Conditions for receipt of PRF was compliance with the financial management standards under the Uniform Guidance. Those standards require tracking, in a nutshell, what funds paid for what? Accordingly, tracking expenses by payor, provider type, and service line is a good starting point as this information will become necessary in the management and distribution of PRF funds. Providers should establish appropriate cost centers or “cost objectives” to track and account for the use of PRF as well as other federal funds. Additionally, if providers have pre-existing debt obligations that become due during the public health pandemic, PRF funds used to reimburse for lost revenues attributable to COVID-19 should be backed out of the calculation of funds available for principal debt payments.
- Providers who receive funds from the PRF and also receive funds from other sources to cover similar expenses should meticulously document which funding stream is used to pay for each aspect of the relevant expense to avoid concerns over “double-dipping” and subsequent liability that may attach. In this regard, a key provision of PRF is that these funds are not available to reimburse costs that have already been reimbursed or for which another funding source is “obligated to reimburse” the provider for the costs. While these terms have not been defined, at a minimum, providers should employ a consistent interpretation to this and all other PRF requirements.
- To ensure compliance with the PRF Terms and Conditions, recipients should be judicious in providing “extra” compensation for providers and executives. These funds are subject to the long-standing cap of “Executive Level II” of the federal pay scale for HHS cost-reimbursement grants and contracts. That cap currently is $197,300 meaning, PRF cannot fund compensation above this amount. Audits of PRF funds will include, undoubtedly, a focus on highly compensated individuals, and any PRF used to make payments over the salary cap will need to be returned at a minimum.
Healthcare organizations must remain vigilant to minimize the risk of finding themselves the target of FCA investigations, criminal prosecutions. Considering the American Rescue Plan Act of 2021, a $1.9 trillion pandemic support relief package currently pending before Congress, governmental enforcement activities targeted at rooting out fraud and abuse will inevitably increase in the coming year. Following common sense compliance practices, ensuring appropriate internal controls and oversight over these programs, and remaining vigilant to avoid misappropriation is critical for healthcare entities in this regulatory environment.
 The loan applications and the required certifications can be found through the PPP Borrower Application Form and www.sba.gov/coronavirus.