The federal government’s fraud and abuse enforcement priorities are shifting in response to COVID-19. Risk managers should be ready to adapt their compliance programs in response to the changing risks.

Federal authorities are prioritizing resources to focus on COVID-19-related issues, says Melissa L. Jampol, JD, an attorney with Epstein Becker Green in New York City. This new focus includes everything from personal protective equipment (PPE) scams, identity theft, and tax issues.

“Right now, they are focusing on low hanging fruit, such as the Paycheck Protection Plan going awry and somebody buying a Lamborghini,” Jampol says. “But the enforcement efforts are going to go on for many years from now, in much the way we saw continuing enforcement after the 2008 financial crisis.”

High Alert for Fraud

There will be an evolution of enforcement activities, says Jennifer E. Michael, JD, an attorney with Epstein Becker Green in Washington, DC, who previously worked with the Department of Health and Human Services Office of Inspector General (OIG). Prosecutors will be looking for relatively easily discovered crimes, like submitting lists of employees who do not actually work for the organization to receive more aid.

“There tends to be a lag in enforcement because the bad thing has to happen, then government has to learn that the bad thing happened through qui tam suits, data analytics, audits, or a variety of ways,” Michael says. “Everyone is on high alert because there is so much money flowing so quickly. At the same time, OIG issued a message from leadership on minimizing burdens on providers, so OIG recognizes that right now there is a lot of confusion about what’s okay.”

Michael says there is some reasonable confusion about what is allowed, what is questionable, and what is outright fraud. OIG has issued guidance stating that it is balancing those concerns while continuing with its mission to prevent fraud and misuse of funds.

“OIG is first going to make sure that the beneficiaries are not being harmed, but second that the federal resources aren’t being pillaged,” Michael says. “I think OIG will be cognizant of the need to investigate and pursue enforcement against things that aren’t so egregious but are still fraudulent, for the deterrent effect. It’s important to focus on compliance, and once the dust settles, to go back and look at how you expended your CARES [Coronavirus Aid, Relief, and Economic Security] Act funds.”

If the lookback determines CARES Act funds were misused, or there was an overpayment from the government, the hospital or health system should devise an affirmative plan to repay those funds, Michael says. Do not wait for federal investigators to find the problem.

Overpayments can result from malicious intent, with healthcare organizations misrepresenting themselves on applications, but they also can happen through honest mistakes, Jampol says. Funds provided for PPE carry strict requirements, she notes, so risk managers should exercise tight control over the application process and the disbursal of those funds.

Guidance on Compliance

The Department of Justice issued new guidance for corporate compliance programs on June 1. Jampol says risk managers should study this publication closely. (The Evaluation of Corporate Compliance Programs is available online at:

“It aids prosecutors in assessing the adequacy and effectiveness of compliance programs, helping them decide if you should receive monetary penalties or a monitor,” she says. “Hopefully, you’ll never end up on the criminal side of that, but it is equally as useful if you’re looking at the administrative issues and civil liabilities. It gives you a direct window into what the Department of Justice is looking at.”

The guidance emphasizes that companies must be flexible and adaptive with the compliance programs, Jampol notes. That can be difficult now because compliance programs often are one of the first to be cut when an organization faces financial challenges.

“It’s always true that you can’t just establish a compliance program and let it run on autopilot, but especially now you have to pivot and think about where the risks are in this changing landscape,” she says. “We had one client tell us that they threw out their compliance plan and developed an entirely new one because the original plan didn’t work with all the new risks and changing environment that hit everyone this year.”

Risk managers must shift priorities within their own departments, Michael says. They must be involved with overseeing the use of CARES Act funds, although there is no single right way to structure that oversight.

“Everyone is always asking if there is a compliance template they can use. The answer is no because every company is different. It depends on the size, the complexity, the types of funds you receive — numerous factors that influence how you manage risk and implement your compliance program,” she says. “With COVID, for instance, there are additional payments for treating COVID patients. You want to make sure those billings are accurate, that you’re not overbilling and submitting yourself to False Claims Act lawsuits. The same applies to the terms and conditions for CARES Act funds, but the OIG has some relatively new administrative authority with respect to grants and contracts.”

Risk managers should assess what risks are present for the organization in light of these new conditions and pivot the compliance program accordingly, Michael says.

Traveling personnel represent another potential risk, Jampol notes. As physicians, nurses, and other healthcare workers travel to other facilities to aid in the response to COVID-19, hospitals must be careful to ensure compliance with credentialing and licensing requirements. There also is an added risk from having outsiders working in your healthcare facilities who may not follow the same processes and precautions, both clinical and compliance-related.

Michael notes that OIG is revising its work plan monthly. One new part of plan is a review of Medicare data on hospital use during the COVID-19 period. This is a signal that OIG is going to look at Medicare claims data to analyze the effects of COVID-19 on hospitalized Medicare beneficiaries and the hospital resources needed to care for them.

Jampol and Michael note that OIG is accepting inquiries regarding how it would apply its administrative enforcement authorities to arrangements made necessary by the healthcare community’s response to COVID-19. OIG acknowledges that the federal Anti-Kickback Statute and the civil monetary penalty (CMP) prohibiting inducements to beneficiaries could apply to some of these arrangements.

OIG offers guidance on applying its administrative enforcement authorities to specific arrangements through the advisory opinion process. But it says this can be a time-consuming process, and healthcare organizations need faster response to COVID-19 arrangements.

Healthcare organizations can request guidance regarding OIG’s administrative enforcement authorities by submitting questions to The responses are available online at:

“It’s kind of like a mini-advisory opinion. It allows people to submit anonymously, which the advisory opinion process does not. You can describe your arrangement, and OIG will publicly post their response saying they think it is OK or not OK,” Michael explains. “It does not offer all the protection an advisory opinion would. But because the Anti-Kickback Statute is an intent-based criminal statute, if you submit a question or there is one that is very similar to your arrangement and you follow the safeguards OIG outlines, someone is going to have a hard time proving you had the requisite intent to violate the statute.”

The OIG advice on acceptable arrangements is updated regularly. Risk managers may find examples that fit closely with a situation they are facing in their own organizations, Jampol notes. For instance, one submission asks whether staff of a home health agency (HHA) may furnish free blood draws to assisted living facility residents who are federal beneficiaries but not clients of the HHA.

OIG responded that in “the unique circumstances resulting from the COVID-19 outbreak, we believe that these facts likely would present a low risk of fraud and abuse under the federal Anti-Kickback Statute and the Beneficiary Inducements CMP,” as long as the blood draws are within the scope of practice of the HHA’s staff, limited to the period subject to the COVID-19 declaration, and not contingent on referrals for any items or services that may be reimbursable in whole or in part by a federal healthcare program.

“In the future, we are going to see an accounting of where all the money went, and OIG is going to pursue a deterrent effect. After the 2008 financial crisis, the way OIG handled the Troubled Asset Relief Program is widely viewed as the model for how they are going to address this with COVID-19 funds,” Jampol says. “Funds will be spent to help get through the crisis, but then there will be an accounting of where the money went.”


  • Melissa L. Jampol, JD, Epstein Becker Green, New York City. Phone: (212) 351-4760. Email:
  • Jennifer E. Michael, JD, Epstein Becker Green, Washington, DC. Phone: (202) 861-1831. Email: