The Coronavirus Aid, Relief, and Economic Security ("CARES") Act (P.L. 116-136) was passed by Congress and signed into law by President Trump on March 27, 2020. The CARES Act provides over $2 trillion of economic relief in order to protect the American people from the public health and economic impacts of COVID-19. Throughout its more than 300 pages, the CARES Act implements many initiatives targeted at various industries and economic sectors that are designed to stimulate cash flow and provide security for those at-risk.
The most notable provisions of the CARES Act impact individuals directly and include an expansion of unemployment benefits and direct payments to individuals under a certain income threshold. The CARES Act also provides protections for both large and small businesses, including $500 billion allotted for distressed industries, as well as $376 billion to small business in the form of various lending programs. The CARES Act also appropriates $100 billion to establish the "CARES Act Provider Relief Fund" for the benefit of hospitals and other eligible health care providers for health care related expenses or lost revenues due to COVID-19, which was further supplemented in April 2020 with an additional $75 billion under the Paycheck Protection Program and Health Care Enhancement Act ("PPP Act"). In addition, the CARES Act authorizes relief to federal contractors and subcontractors for paid sick leave incurred to keep workers in a ready-state. In order for businesses to take advantage of these funds, they are required to complete applications and make representations as to eligibility to receive the appropriated funds.
While such a massive infusion of cash into the US economy is welcome by individuals and businesses impacted by COVID-19, such payouts come with complex strings attached, and therefore present opportunities for companies and individuals to run afoul of federal law. Moreover, businesses and health care entities that receive such funds become attractive targets for whistleblowers and government auditors. The CARES Act recognizes this risk by establishing a framework of oversight mechanisms to ensure the funding is disbursed to eligible recipients and used for its intended purpose. In addition, the government already has a variety of laws in place to enforce any fraudulent activity involving the funds. This article focuses on (1) the oversight mechanisms set up to ensure the proper dissemination of CARES Act funds; (2) a review of the civil False Claims Act; (3) the risks companies in various sectors face when making affirmative representations to obtain CARES Act funding; and (4) and basic compliance measures companies can implement to prevent running afoul of the government rules.
- CARES Act oversight mechanisms
- False Claims Act
- Areas of risk for CARES Act funds recipients
- Compliance initiatives to minimize FCA risk
The CARES Act establishes three oversight mechanisms to ensure the funds are disseminated appropriately: (1) it provides for the appointment of a Special Inspector General; (2) it establishes the Pandemic Response Accountability Committee to oversee the funds made available under the Act; and (3) it establishes a Congressional oversight committee.
Special Inspector General
Many federal agencies empower an Office of Inspector General ("OIG") tasked with identifying, auditing, and investigating fraud, waste, abuse, embezzlement, and mismanagement of any kind within the executive department. CARES Act § 4018 creates a "Special Inspector General for Pandemic Recovery" ("SIGPR") within the Treasury Department. Pursuant to § 4018, the SIGPR is provided with $25 million in funding in order to "conduct, supervise, and coordinate audits and investigations of the making, purchase, management, and sale of loans, loan guarantees, and other investments made by the Treasury Secretary under this Title." Thus, the SIGPR is tasked with collecting and documenting information related to loans and investments made under the Act, and reporting the details of the loan and investment activity to Congress on a quarterly basis.
The SIGPR is allotted the same powers as agency Inspector Generals under the Inspector General Act of 1978. Thus, the SIGPR has the power to investigate the administration of CARES Act programs, create reports, subpoena records, and take testimony under oath. In addition, the SIGPR is authorized to make arrests and execute warrants for the search and seizure of property. Furthermore, the SIGPR is required to report to the Attorney General whenever the SIGPR reasonably believes there has been a violation of federal criminal law. Thus, like any agency Inspector General, agencies are required to provide assistance or furnish information to the SIGPR upon request.
Pandemic Response Accountability Committee
CARES Act § 15010 creates the Pandemic Response Accountability Committee ("PRAC) which is charged with promoting transparency and conducting oversight of "covered funds" made available for the COVID-19 response, including funds from the CARES Act, the Coronavirus Preparedness and Response Supplemental Appropriations Act of 2020 (P.L. 116-123), and the Families First Coronavirus Response Act (P.L. 116-127). The PRAC is tasked with preventing and detecting fraud, waste, and abuse of covered funds. Like the SIGPR, the PRAC has the ability to conduct independent investigations, audits, and reviews relating to covered funds, the authority to subpoena documents and testimony, and hold public hearings.
Congressional Oversight Commission
CARES Act § 4020 creates a Congressional Oversight Commission to oversee implementation of the Act, and submit reports to Congress on the implementation and the effectiveness of the loans and investments made under the Act. The Congressional Oversight Commission is empowered to hold hearings, take testimony, and procure information from federal departments and agencies.
The COVID-19 Whistleblower Protection Act was introduced to address the misuse of federal funds spent in combatting COVID-19 by instituting strong whistleblower protections for employees or former employees of recipients of funds under the CARES Act. Specifically, the whistleblower bill protects disclosures related to gross mismanagement, danger to public health or safety, abuse of authority, or violation of laws, rules or regulations. It also creates a legal framework providing administrative relief, giving the US Department of Labor the ability to investigate whistleblower retaliation claims from non-federal employees or contractors.
This measure was included in the larger Coronavirus Oversight and Recovery Ethics ("CORE") Act, which was introduced to add extra oversight, accountability and transparency to the federal government's COVID-19 relief efforts. In particular, the CORE Act addresses and eliminates conflicts of interest in the selection of contractors and advisors, and in the distribution of relief grants and loans. It also protects inspectors general from being removed from their posts without good cause and gives the Congressional Oversight Commission subpoena authority.
In addition to the specific mechanisms established related to COVID-19, the federal government already has a variety of criminal, civil, and administrative tools at its disposal to address procurement fraud. Perhaps the most potent weapon in the government's arsenal for combatting fraud is the civil False Claims Act ("FCA"), 31 U.S.C.A. § 3729. The FCA was originally passed in response to rampant fraud perpetrated against the United States military during the Civil War. The FCA takes two forms—criminal and civil. Under the civil FCA, the government may recover treble damages and penalties for the submission of false claims to any federal agency using federal funds to pay such claims. Individuals and businesses may be liable if they violate any one of the seven elements of the civil FCA. The most common violation that results in civil FCA litigation is where a company or individual "knowingly presents, or causes to be presented, to a Government official a false or fraudulent claim for payment or approval." 31 U.S.C.A. § 3729(a)(1)(A). This is typically triggered upon submission of a false or incorrect invoice to the government for work performed but can be triggered under a variety of other scenarios as well.
The primary differences between the civil and criminal false claim statutes are the level of intent required, the burden of proof, and the penalties. The civil FCA defines "knowingly" to include reckless conduct or conduct in deliberate ignorance of the truth—no specific intent to defraud the government is required. This is distinct from the criminal FCA which requires the government to prove that the defendant knew the claim was false, fictitious, or fraudulent. The government's burden in proving a civil FCA violation—a preponderance of the evidence—is significantly lower than the criminal FCA's "beyond a reasonable doubt" threshold. The penalties for violation of the FCA include (1) a fine between $11,181 to $22,363 for each false claim, (2) an amount equal to three times the amount of damages of the false claim caused the government, and (3) the cost of prosecution.
Most notably, penalties are assessed per claim, which generally is defined as any attempt to get money from the government. Therefore, each time a company submits an invoice to the government, it is deemed to be making a "claim." And if every invoice is submitted under the guise of some previously false representation made to the government, the penalties can mount quickly.
Unique to the civil FCA is its "qui tam" provisions, which permit private individuals—i.e whistleblowers—to bring actions on behalf of the government. Whistleblowers (also called Relators) are incentivized to bring qui tam lawsuits because they are permitted to keep a share of the government's recovery—typically between 15% and 25% of the proceeds. Frequently, qui tam lawsuits are brought by disgruntled employees. In FY 2019, the total amount of settlements and judgments resulting from qui tam cases was $2.2 billion.
The FCA has the most impact in the health care and procurement communities. Of the $3 billion in settlements and judgments recovered by the Department of Justice ("DOJ") in FY 2019, $2.6 billion involved the health care industry, including drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians. In addition to combatting health care fraud, the False Claims Act serves as the government's primary civil remedy to address false claims in government procurement, ranging from defense and national security contracts to import tariffs and small business programs.
In order to obtain CARES Act funds, individuals and business are required to make certain certifications and representations—either express or implied—as to their eligibility to receive those funds. Such a situation should raise a heightened awareness with regard to potential false claims risk, as the FCA recognizes both express and implied certifications as a cognizable theory of recovery. Below are some examples of potential sectors of the economy where false claims risk could present itself.
The CARES Act provides expanded loan programs through the Small Business Association. Businesses who use the loans for designated purposes—payroll, mortgage interest, rent, employee health care—can have those loans forgiven tax free up to $10,000,000 per business. The relevant provisions of the CARES Act related to small business are found in Sections 1102 and 1106. Section 1102 establishes the Paycheck Protection Program ("PPP"), and Section 1106 addresses the forgiveness of certain portions of loans taken out under Section 1102. As part of the application process for obtaining a PPP loan requires the borrower to expressly certify that "[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant." Borrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business.
Such an express certification is different from an implied certification, which is one where the borrower implicitly represents that it is in compliance with all applicable statues and regulations at the time it makes its request. To the extent small business borrowers expressly or implicitly certify that they qualify for these funds, they place themselves at risk of potential false claims violations if those certifications were incorrect or misleading.
In addition to certifying eligibility for PPP funding, the company must also certify that the funds are used for the purposes specified. Thus, it is of critical importance that small business comply with the various constraints on use of those funds. For example, the PPP imposes certification requirements relating to restrictions on executive pay, dividends, and stock buybacks, as well as the maintenance of employment levels through September 30, 2020. Applicants are responsible for ensuring the accuracy and compliance with these certifications in order to avoid audit and false claims risk.
Provider Relief Fund moneys under the CARES and PPP Acts are available to pay for harm across the health care system due to the stoppage of elective procedures, as well as the direct economic impact of caring for COVID-19 patients. The Act authorizes the Secretary of the US Department of Health and Human Services ("HHS") to make prospective payments of these funds, as well as retrospective payments of the funds. Eligible health care providers1 that receive funds are required to keep documentation specified by the Secretary, and to submit an application to the HHS justifying the need for funding, and the HHS will review the applications.
Among areas of potential FCA hazard, Provider Relief Fund moneys may not be used to reimburse expenses or losses that have reimbursed from other sources or that other sources are obligated to reimburse. The funding is available for reimbursement for health care-related expenses and lost revenues attributable to COVID-19, including payments for medical supplies and equipment (including personal protective equipment); expansion of hospital space (including building or construction of temporary structures, leasing properties, retrofitting existing facilities, and surge capacity); and increased employee headcounts and worker trainings. In all cases, a provider would be required to present evidence that the expenses and/or lost revenues are indeed the result of COVID-19. For example, under the required attestation the provider must represent that "[t]he Recipient certifies that the Payment will only be used to prevent, prepare for, and respond to coronavirus, and that the Payment shall reimburse the Recipient only for health care related expenses or lost revenues that are attributable to coronavirus."
Additionally, as is typical for such documents, the attestation list a number of un-related legal provisions that must be followed, but further provides that it "is not an exhaustive list and you must comply with any other relevant statutes and regulations, as applicable." General compliance attestations such as this one frequently become the basis for FCA and/or other health care fraud allegations.
Section 3610 of the CARES Act authorizes agencies to use any available funds to modify the terms and conditions of covered contracts, without consideration, to reimburse any paid leave, including sick leave, a contractor or subcontractor provides to keep its employees in a ready state, including to protect the life and safety of government and contractor personnel. Covered contractors are those contractors (1) whom the Contracting Officer has deemed, in writing, to be an affected contractor; and (2) whose employees or subcontractor employees either (a) cannot perform work on a government-owned, government-leased, contractor owned, or contractor-leased facility or site approved by the federal government for contract performance, due to closures or other restrictions, and (b) are unable to telework because their job duties cannot be performed remotely due to COVID-19.
The Department of Defense issued a Class Deviation requiring Contracting Officers to use a new cost principle—DFARS 231.205-79—as a framework for implementing Section 3610. This cost principle outlines what types of costs are allowable cost that can be recovered. The costs of paid leave (including sick leave), are allowable at the "appropriate rates under the contract for up to an average of 40 hours per week." Profit and fee are excluded from recovery, and must be adjusted out of the "rate" depending on the contract type.
Contractors are responsible for supporting any claimed costs, including claimed leave costs for their employees, with appropriate documentation and for identifying credits that may reduce reimbursement under section 3610. To effectuate this, contractors should first set up new accounts to accumulate COVID-19 related costs, and then apply an allocation methodology whereby those costs are allocated to the various contract types. This will allow contractors to claim the maximum recovery against Section 3610. It is likely that the Defense Contract Audit Agency ("DCAA") will eventually audit the chosen allocation methodology and the incurred cost schedules for these cost submissions. Among the things DCAA will look for include identification of the employees for whom the contractor is seeking reimbursement, documentation showing they were unable to work remotely, the contracts on which those employees were performing, the dates of leave taken, among other things. Thus, contractors should be careful in identifying, segregating, and allocating these costs to avoid misrepresenting amounts being sought which could potentially invoke false claims risk.
A strong compliance program is a necessity for any business in any sector handling federal dollars. A review of the basic tenants of a compliance program is therefore appropriate. Having the basic framework of an effective compliance program will go a long way in minimizing false claims risk. The specifics of a compliance plan will depend on the nature of the business involved and the specific regulatory risks associated with that business.
Corporate code of ethics
At the center of an effective compliance program is a written corporate code of ethics. Although the code of ethics will vary from contractor to contractor, there are several critical foundational components to a code of ethics. For instance, it must emphasize the company's commitment to compliance and corporate integrity. For procurement contractors, this includes commitment to complying with all procurement laws and regulations and to requiring strict compliance by your employees with the policies and procedures included in your compliance program.
In addition to a company's commitment to compliance, the code of ethics must provide clear notice that you will immediately discipline any employee or officer whose conduct violates applicable laws, regulations, or basic tenets of business integrity. Accompanying this policy goal will be a set of procedures designed to require immediate reporting of potential violations followed by investigations of those violations.
Corporate policies & procedures
Accompanying the corporate code of ethics should be a set of written policies and procedures that ensure conformance with specific government requirements. For instance, with regard to CARES Act funds, written procedures should be prepared which address how those funds are to be obtained and expended. Other procedures should cover areas such as time and expense charging, quality assurance reviews, bid and proposal preparation, and conflicts of interest.
On June 1, 2020, the DOJ Criminal Division issued an updated guidance document for white-collar prosecutors on the evaluation of corporate compliance programs. The document, entitled "The Evaluation of Corporate Compliance Programs," updates a prior versions and seeks to better harmonize the guidance with other DOJ guidance and standards while providing additional context to the multifactor analysis of a company's compliance program. The guidance refers prosecutors to the three foundational questions: (1) is the program well-designed?; (2) is the program effectively implemented?; and (3) does the compliance program actually work in practice? Companies should instantly be applying this framework to their own compliance programs.
Also at the core of any effective compliance program is the corporate compliance officer or committee, responsible for ensuring that the compliance program is implemented and updated. The compliance officer should work with management and human resources personnel to institute a comprehensive compliance program that creates an atmosphere enhancing compliance and instilling in your employees the understanding that management takes ethics and compliance seriously. Companies applying for CARES Act relief should consider appointing an individual or committee to oversee the company's process for seeking relief. These people should be well-versed in the process and procedures for seeking relief under the CARES Act.
Companies are strongly encouraged to set up an internal hotline for reporting suspected misconduct. The company hotline program should include a mechanism for documenting all reports made to the hotline, whether via call or email. The compliance officer or committee should be delegated responsibility to document and act on any allegations or reports of misconduct by employees. Contractors should publicize the hotline widely as an effective alternative to normal reporting channels, and that reports are completely anonymous.
Audits & investigations
Your compliance program should include detailed internal audit and investigation policies and procedures that articulate your intention to investigate every allegation of misconduct and provide resources adequate for completing that task. The compliance audit is the vehicle by which you can best ensure that your corporate practices and procedures conform to federal procurement laws and rules and that your employees adhere to those practices and procedures.
You should establish a framework for disciplining employees who engage in misconduct. The specific disciplinary procedures and actions that will be taken should not only be consistent but should be clearly conveyed to your employees. The procedures should be fair and objective and flexible enough to distinguish violations that are merely technical, inadvertent, or the result of negligence from more serious violations.
Reporting violations to the government
You should also establish a framework and process for how you will report misconduct to the government. How a company handles reporting of misconduct could greatly impact any eventual penalties imposed by the government. DOJ recently issued formal guidance to its False Claims Act litigators and updated the Justice Manual.2 These guidelines identify factors that will be considered and the credit that will be provided by DOJ attorneys when entities or individuals voluntarily self-disclose misconduct that could serve as the basis for False Claims Act liability and/or administrative remedies.
Cooperating during government investigations
Similar to your process for self-reporting misconduct, the government will view your cooperation during the investigation as an essential indicator of corporate integrity. Thus. you should be prepared to cooperate fully with government investigators. You should adopt policies and procedures that explicitly implement your commitment to cooperate with the government and satisfy all reasonable investigative requests.
Education & training
You should implement a comprehensive training program for your personnel, particularly those who will be involved preparing any documents or information for relief under the CARES Act. As a general matter, your training program should include (1) practical advice for specific situations likely to be encountered by your employees, (2) ethics and integrity training, and (3) training on particular policies and procedures in substantive areas relevant to that employee. You must also adequately disseminate each element of the compliance program and are encouraged to request that your employees certify that they have reviewed and understand the ethics code and all relevant policies and procedures, and that they have completed the designated training sessions.
Given the size of the funds being disbursed under the CARES Act and PPP Act, all recipients should be mindful that they may invite the scrutiny of government auditors and/or qui tam relators. Vibrant compliance programs are the critical mechanism to avoid such scrutiny. Should such scrutiny nonetheless materialize, funds recipients are advised to respond decisively through internal investigations, correction of any compliance, and, where appropriate, careful and strategic engagement with government investigators and prosecutors.
1. Eligible health care providers are public entities, Medicare or Medicaid enrolled suppliers and providers, and other non-profit and for-profit entities specified by the Secretary of the Department of Health and Human Services ("HHS"), in each case within the United States, that diagnose, test or care for individuals with possible or actual cases of COVID-19. Each applicant for funding must have a tax identification number.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.