On this episode of Ropes & Gray’s podcast series Controlling Opinions, Josh Oyster, a partner in the life sciences regulatory and compliance practice group, is joined by colleagues Andrew O’Connor, a litigation and enforcement partner, and Beth Weinman, life sciences regulatory and compliance counsel. Together, they delve into the complexities of DEA diversion investigations and how health care entities can prepare for these challenging situations. They discuss the risks involved, the various players in these investigations, and the enforcement consequences that can result. They also provide practical advice on navigating DEA audits and share insights from recent enforcement matters.
Transcript:
At a glance: Click the links below to advance directly to the corresponding sections of the transcript:
[00:00] Introduction
Josh Oyster: Hi, I’m Josh Oyster, a partner in the life sciences regulatory and compliance practice group in Ropes & Gray’s Washington, D.C. office. Welcome to our latest episode of Controlling Opinions, a podcast series focused on current trends and developments related to controlled substances that affect the health care and life sciences industries. I’m joined today by my colleagues Andrew O’Connor, a litigation and enforcement partner in our Boston office, and Beth Weinman, a D.C.-based counsel from our life sciences regulatory and compliance practice.
Today, we’re going to talk about DEA diversion investigations and how health care entities can be prepared for when the unfortunate, but all too common, situation arises in which an employee of a hospital, medical clinic, pharmacy, or other health care facility is believed to have diverted controlled substances and the DEA and other authorities start to investigate.
Unfortunately, while the opioid epidemic continues to get significant attention, and all levels of government and the private sector have been working to fight it, we continue to see health care institutions make headlines when allegations arise that an employee has stolen or tampered with patient medications like oxycodone, fentanyl, or morphine. Sometimes, these scenarios lead to significant patient harm—whether in the form of ineffective pain relief, contaminated IVs, an employee overdose, or other problematic outcomes.
In these types of situations, there are many risks for a health care facility to navigate. Beth, before we dive into those specific risks, can you give us a little bit of a lay of the land, and what we’re dealing with in these situations?
[01:35] Overview of risks
Beth Weinman: Sure. To start, instances of employee diversion or any significant loss or diversion has to be reported by the health care facility to DEA as part of the entity’s obligation as a registrant. These reports often lead DEA to investigate. When DEA comes knocking in the context of a possible or confirmed diversion situation, they are on a fact-finding mission. While investigating the employee or employees who are involved in an alleged diversion—and that may be the initial primary focus—enforcement is obviously front of mind, and there may be multiple federal and state players involved in looking for evidence of different violations that may not be limited just to that employee or those employees who are thought to be responsible for the alleged diversion.
Josh Oyster: Right. And so, who are the different players that are involved? I feel like that’s often overlooked. People think of DEA, but there are others, too, right?
Beth Weinman: Yes. DEA will come on site, and they’ll be focused on looking for evidence of diversion in the context of the violation of controls the health care entity is required to have in place, or they might be looking for other civil or criminal violations of the Controlled Substances Act (“CSA”). They’ll assess, whether in light of the events that occurred, the health care facility has the right controls and procedures in place. DOJ prosecutors are often lurking in the background, but other agents, for example, FDA’s Office of Criminal Investigations, may be looking to investigate potential violations of the Federal Food, Drug, and Cosmetic Act or the Federal Anti-Tampering Act. And DOJ is always looking for evidence of fraud or conspiracy—and the U.S. Attorney’s office would be the ones to bring an action like that. State regulatory authorities may also have representatives looking for criminal or regulatory violations of state drug laws. State professional health care licensing entities can be in the background as well, because facts found during these investigations could implicate licensing.
Josh Oyster: Thanks, Beth. Turning now to the risks that can arise from a diversion investigation, what can DEA, or DOJ, in particular, do? Can you talk about some of the enforcement remedies that can apply?
Beth Weinman: Sure. On the administrative side, DEA can institute proceedings in administrative court to seek to revoke or modify a DEA registration. Revoking a registration is devastating for a health care facility. This type of remedy you’ll see only when an investigation uncovers pervasive, significant regulatory violations on the part of a registrant. DEA can order a party to appear at a hearing, to show cause as to why they shouldn’t refer a case to the local U.S. Attorney’s office to take civil or criminal action. They can use this threat to push the entity into entering a memorandum of agreement (“MOA”)—agreeing to various compliance provisions. In the context of less significant violations, it can issue a letter of admonition. The U.S. Attorney’s offices can seek civil penalties in federal court. In the diversion context, regulatory violations often lead to these types of actions that can run in the millions of dollars, and these are also typically accompanied by agreements with required compliance provisions.
DOJ can pursue a civil injunction, and DOJ can initiate criminal enforcement. I’ll note that while we’ve seen criminal enforcement actions against physicians and pharmacies, and pharmacists involved in diversion, we haven’t really seen criminal charges brought against a hospital system for regulatory violations—at least not yet. Of course, that doesn’t mean there haven’t been criminal investigations. For example, in 2022, a hospital system entered into not only a multi-million-dollar civil settlement, but also a non-prosecution agreement with DOJ to resolve potential civil and criminal liability under the Controlled Substances Act. And, again, like I mentioned before, facts found can ultimately find their way into state regulatory or license suspension actions, civil litigation, and criminal Controlled Substances Act prosecutions outside of the pure regulatory context as well.
Administrative actions we discussed earlier can proceed or be initiated in lieu of, or in parallel with, federal civil and criminal actions. For example, we’ve seen a two-year investigation into prescriptions filled by a pharmacy resulting in the parent paying $500,000 in a civil settlement and agreeing to register its DEA registration in a parallel proceeding.
[06:25] Things DEA may find when they start poking around
Josh Oyster: Thanks, Beth. I think one of the things that can often come up in these investigations is the regulatory violations that DEA or others find initially are directly related to the diversion incident that triggered the investigation. For example, DEA may find that there was a lack of adequate security controls and things of that nature that led to diversion occurring. But there can be instances where DEA starts poking around in a diversion audit and finds regulatory violations that are less directly related to the diversion, and that DEA likely wouldn’t have uncovered had the initial diversion not occurred and triggered such an investigation. And evidence of those regulatory violations has led to adverse action against health care facilities in numerous contexts. To give a few examples of issues facilities should be focused on when they’re dealing with the diversion issue and preparing for a potential visit by DEA or other authorities:
- First issue: inventories. Have appropriate and complete biennial inventories been conducted and documented? And do those inventories include all controlled substances under the registrant’s control? For example, sometimes, we’ve encountered situations where a hospital’s formal inventory records only included the main hospital pharmacy—what’s in the vault in the pharmacy—and did not include the other locations in the hospital where controlled substances were stored, like automated dispensing cabinets located throughout the hospital on the treatment floors.
- The second issue is generally recordkeeping. How are your records kept, generally? How easily retrievable are they? And have the relevant teams in the pharmacy and the hospital—wherever the controlled substances are being stored—practiced producing records for an audit? Mock audits can be a really important and invaluable exercise for giving staff experience responding to audit requests and for identifying potential pain points in an organization’s recordkeeping, so that you don’t just discover them when DEA shows up and they start asking for documents that your facility is not able to produce either at all, or in a timely manner.
- Third issue: facilities should be thinking about any adjacent or nearby clinics or buildings for which they are supplying controlled substances. This is especially important for hospitals and other larger health care institutions. Is the facility taking the position that these adjacent buildings are part of the same, contiguous campus, and therefore, covered by the same facility’s existing DEA registration? Or is this a scenario where DEA might allege that the facility is transferring controlled substances to a separate location that should have its own DEA registration but doesn’t? Different field offices of the DEA take different approaches to this issue and exactly what counts as a campus and what doesn’t, but it’s something that can cause a lot of headaches if it’s not adequately considered. Like I said, it arises a lot with hospitals supplying controlled substances to ambulatory care facilities and other clinics located near a hospital. This sort of issue was a major part of a multi-million-dollar hospital system settlement with DEA in 2018. In that case, DEA’s investigation into certain diversion issues ultimately uncovered that the health system had failed to obtain DEA registrations for more than a dozen off-site ambulatory care locations that were being supplied with controlled substances by the main hospital pharmacy.
- A fourth issue: large health care systems and academic medical centers that are conducting research with controlled substances should think about their oversight of those research programs, and whether diversion issues on a research project might cause headaches for the broader organization. In general, an individual researcher conducting research with a controlled substance—rather than the broader health care organization—is responsible for obtaining the appropriate DEA researcher registration, and for complying with DEA requirements. But individual researchers may not fully understand their responsibilities or may not appreciate that the controlled substances used in research need to be treated separately from other controlled substances in a hospital or health care facility.
The only other point I want to mention on this particular topic is that facilities should always be taking into account both DEA and analogous state requirements that may apply, as Beth alluded to earlier. State requirements can be different from or more restrictive than DEA requirements. For example, you may have a state requirement for reporting diversion-related incidents that’s broader than DEA’s requirement to report thefts and significant losses.
Andrew, switching gears a bit, can you talk through some recent enforcement matters we’ve seen, and discuss why they may have been resolved the way that they were?
Andrew O’Connor: Sure, Josh. As Beth mentioned earlier, there was a non-prosecution agreement (“NPA”) a couple of years back out of the Western District of Virginia that involved a regional health care system—they settled for $4.36 million. It was brought by the same office that pursued the case against Purdue more than a decade ago. DEA began investigating the health system after a couple of employees allegedly diverted large quantities of controlled substances over the course of three years—both those individuals were charged and convicted. And based on that investigation, the government alleged that the diversion was, at least in part, a result of the system’s non-compliance with the CSA. Among other issues, the government claimed that the facility staff filled orders for controlled substances without appropriate procedures, around suspicious orders, and failed to maintain readily retrievable controlled substances record. Now, one of the interesting aspects of this NPA was that it imposed additional obligations that are not specifically included in the regs or statutes, right down to installation of cameras, to a mandatory drug testing program and other specific provisions that were designed to prevent a repeat of the issues that had occurred there.
Now, more recently, as Beth pointed out, we don’t see a lot of criminal enforcement, although we certainly do see criminal investigations. In terms of settlements, just this summer, there was a civil settlement that was to resolve allegations against a hospital that entered into a memorandum of agreement imposing additional measures around the securing of controlled substances. And another hospital in that same settlement agreed to pay $300,000 and got credit for taking “significant steps” to improve controls and procedures around theft and diversion. Just last month, the Western District of Michigan imposed a $1,000,000 civil penalty and entered a consent decree against a behavioral health program—an addiction treatment services network—and two of its executives. They alleged repeated violations of the CSA around dispensing and recordkeeping. And the government alleged that the DEA investigations highlighted regulatory violations at several of the company’s facilities. Now, under the terms of the consent decree, defendants must comply with a number of injunctive provisions, including hiring an independent monitor to inspect the facilities for CSA compliance, and conducting a review of all the policies and procedures around controlled substances.
One interesting thing about all of these compliance provisions that we hear about, whether it be in the NPA or a consent decree, or much more commonly in a memorandum of agreement with the DEA, is what DEA’s expectations are going to be for other registrants. As folks who have tried to divine the rules in this space know, the regulations themselves are pretty sparse, and DEA has been reluctant to provide much guidance as to what registrants actually have to do when it comes to things like suspicious order monitoring and effective controls against diversion. And one thing we might see down the line is DEA expecting other registrants who are not subject to these MOAs and other compliance terms to be looking to them for guidance as to how to structure their controlled substance compliance programs, and what additional steps that might not be clear in the regulations DEA believes that registrants ought to be taking.
[15:00] Navigating a for-cause audit to mitigate risks
Josh Oyster: Thanks so much, Andrew—very helpful. I want to talk about actually navigating a DEA audit as part of a diversion investigation. Beth, what are some common questions you get from clients when DEA shows up on site and the client is figuring out what to do?
Beth Weinman: Some of them include questions like, “Do I have to give DEA all the documents they’re looking for when they don’t seem to be within the scope of the type of documents that, under the regulations, the system needs to keep to fulfill their regulatory obligations?” And the answer I give is—no. You don’t have to give them these documents if they don’t give you a subpoena. But they can easily give you a subpoena. And DEA agents often come with a subpoena in their back pocket if you say “no.” But I’ll just note, I always tell clients, it’s really critical to make copies, or take really good notes of everything the agents ask for, and that they provide. That’s obviously going to be important as further action may be on the horizon, and you’ll want to know what evidence they have in hand.
Josh Oyster: And, Andrew, why do you think it is that DEA doesn’t always come knocking with the subpoena already in hand?
Andrew O’Connor: Sometimes, they do—and other times, the registrants know that the administrative subpoena process is pretty straightforward. DEA can easily issue a subpoena for documents, and they find that being cooperative during the inspection is often easier. Same with inspections themselves. In theory, a registrant could require the DEA to get an administrative inspection warrant in certain circumstances, but most consent to the inspection because, again, the standard for obtaining these sorts of formal processes, while perhaps a little bit annoying to the agency, is not subject to the same kinds of high bar that you might be used to under a search warrant standard, for example. So, these things are pretty easy to come by, and I think most registrants recognize that and find more benefit in being cooperative with the diversion investigators on the ground.
Beth Weinman: We also get questions about whether and how much to push back in a situation where DEA is being really aggressive. I’ll give you an example: DEA shows up at a hospital and insists on speaking to a critical care nurse immediately, but that nurse is on a work shift, and the hospital doesn’t have sufficient staff to let her or him leave the shift to go talk to DEA. So, what do you do in that situation? Obviously, you want to be cooperative, but it would put patients at risk to leave a hospital floor or an ICU unit understaffed. So, there are times you’re going to have to push back and just explain the risks of acceding to DEA’s request at that moment, and in certain circumstances the inappropriateness of the request. You’ll have to ask the DEA agent to wait until the shift ends, or until the hospital can call in coverage, or offer an appointment for another day.
We also get questions all the time as to what to do when there seems to be a real time crunch, and the DEA agent wants to speak to employees immediately, but before an attorney is available to represent an individual if they want that representation. The question sometimes comes up, “Is in-house counsel good enough to represent somebody who wants representation, or does it make sense to delay the interview until an outside counsel can be brought in if that’s what the employee wants?” I think the answer in our mind is you really want to advise, and you really want to push back to have the interview with a lawyer present, especially if that’s really what the employee wants. An individual can insist on not speaking without a lawyer—the potential exposure is just too great for a DEA agent to sit alone with an employee without any idea of what’s happening there and without having somebody available to intercede if an agent is acting inappropriately. If you’re going to push back, or if the employee is going to push back, it should be respectful. You don’t want to unnecessarily upset an agent, and you don’t want to be seen as delaying access to people.
As to in-house versus outside counsel, I guess it depends on the skill set of the lawyers that are available. One important purpose of having a lawyer around is to make sure there’s a good record of what was discussed. Another is to have a lawyer who knows the boundaries of what the DEA agent can ask about, and what might be protected by privilege—and if inside counsel can do that, and feels comfortable speaking up when necessary, that’s great. An experienced DEA counsel probably has more experience navigating difficult situations and knowing how to strike the right tone, may be more attuned to privilege issues and feel more comfortable pushing back, and they may be better able to prevent a situation from spiraling into accusations of a company or an employee getting in the way of the DEA agent’s work. But in-house counsel might have the right skill set. And outside counsel that doesn’t have experience in DEA matters is unlikely to be more helpful than a sophisticated in-house lawyer.
[20:05] Closing
Josh Oyster: Thanks, Andrew. Thanks, Beth. I think that’s all the time we have for today’s episode. Thanks also to our listeners for tuning in. If you have any questions regarding DEA audits or diversion investigations, please don’t hesitate to contact any one of us—we’ll be happy to help you through what can oftentimes be a fraught experience. And as a reminder, you can listen to Controlling Opinions and other RopesTalk podcasts through our ropesgray.com website or you can subscribe wherever you listen to podcasts, including on Apple and Spotify. Thanks again for listening.
