2024 Regulatory, Compliance, and Enforcement Predictions for Life Sciences Companies
The year 2023 was a busy one for regulatory, compliance, and enforcement developments in the healthcare and life sciences industries, and 2024 promises to be even busier. We tapped MoFo’s Life Sciences + Healthcare Compliance and Enforcement Group for a 2024 preview, and here is what our team of former government officials from the U.S. Department of Justice (DOJ), Food and Drug Administration (FDA), and Department of Health and Human Services (HHS), former in-house compliance counsel, privacy lawyers, and veteran defense attorneys have offered up.
Stay tuned for a series of podcasts and webcasts from our team throughout 2024, where they will dive deep into each of the following predictions.
The False Claims Act will remain a leading source of recoveries for DOJ in 2024, and most FCA enforcement activity will be in the healthcare industry. But what else do we see coming this year?
Artificial intelligence-guided decision-making has arrived in the healthcare industry, with the promise of improving patient care and safety while reducing inefficiencies and costs. However, artificial intelligence or “AI” can also be used to guide decision-making in less laudable ways and with insufficient regard to medical necessity. Enforcers are paying attention, and 2024 will see their first forays into this new part of healthcare service. Already insurers relying on AI determinations are being accused of wrongly denying insurance coverage over the medical judgment of physicians, and some medical professionals say AI is jeopardizing patient care and safety. With stakes this high, government scrutiny and enforcement are sure to follow. DOJ is likely to pursue theories under its familiar and effective tools: the AKS, and relatedly, the FCA. Expect the government to investigate whether AI is being used to steer clinical decision-making and improperly induce or reward activity, for example. The 2020 Practice Fusion prosecution provides a template for such investigations, as it was a “first of its kind” criminal action against an electronic health records vendor accused of manipulating algorithms and medical decision-making.
DOJ’s Cyber Fraud Initiative significantly raised the profile of cybersecurity in 2023 by using the False Claims Act to police the adequacy of cybersecurity in services provided to the government. Expect DOJ to expand this enforcement activity in 2024, particularly as data breaches and ransomware attacks proliferate. Compliance officers in the healthcare industry should pay particular attention to HHS’s recent General Compliance Program Guidance, which includes a thorough discussion of a compliance officer’s responsibilities.
DOJ will continue to focus its efforts on fraud and abuse in the Medicaid Program and Medicare Advantage, including unnecessary services, substandard care, and improper drug pricing. DOJ was particularly active investigating kickback cases in 2023, and 2024 will see intense scrutiny of speaker programs, rebates and discounts, and other activities that can be swept in under the broad reading of “remuneration” applied by both DOJ and HHS.
In 2023, FDA proposed a rule to regulate laboratory-developed in vitro diagnostic tests as medical devices. FDA has committed to finalizing that rule—which has the potential to bring about the most significant litigation FDA has seen since the legal fight over the regulation of tobacco products in the 1990s—in 2024. The litigation is almost certain to raise significant questions, for example, over the scope of FDA’s medical device authority, whether courts should defer to FDA on questions of that authority, the extent to which the industry should be able to rely on past enforcement discretion, and the evidentiary burden to change its approach. These are fundamental questions about how FDA regulates that will have lasting impacts across the agency and across product areas.
In another significant development that industry should be watching, overall enforcement related to promotional violations appears to be increasing. In 2023, FDA’s Office of Prescription Drug Promotion (OPDP) significantly stepped up its enforcement of communications many in industry considered safe and acceptable. OPDP issued a Warning Letter and several Untitled Letters for alleged false or misleading risk presentation and false or misleading claims about efficacy. FDA’s Center for Devices and Radiological Health (CDRH) also sent multiple warning letters for devices allegedly advertising uses outside of an approved 510(k) or 510(k) exemption, representing the most recent activity in an uptick of similar enforcement from CDRH. This will be an important area to watch in 2024 to see how FDA further develops its new jurisprudence around advertising and promotion, whether DOJ will pursue any cases related to advertising and promotion, and whether this signals a revival of off-label promotion cases. As a DOJ official recently stated at the Food and Drug Law Institute annual conference, “Off label cases and fraud on the FDA are alive and well. If the Department sees a good case, we’re going to pursue it.”
In 2024, the U.S. Securities and Exchange Commission (SEC) and DOJ will continue to pursue enforcement actions for insider trading and accounting/disclosure fraud involving healthcare and life sciences companies. The closing months of 2023 saw a wave of actions involving allegations of insider trading and accounting and disclosure fraud in this area, and all indications are that the government will continue its aggressive scrutiny. We expect the government to rely on both familiar and novel theories this year.
SEC and DOJ will continue to charge executives at healthcare and life sciences companies with insider trading based on trades placed pursuant to Rule 10b5-1 trading plans. We expect the government will continue to focus on enforcement actions for insider trading involving misappropriation of confidential business information in remote or “hybrid” working environments. In addition, SEC is increasingly using data to monitor suspicious trading activity and what SEC views as “earnings management” by public companies. The government’s earnings management enforcement actions are focused on instances in which a company reaches its revenue or earnings guidance or consensus estimates by slim margins, quarter after quarter, including by making discretionary, post-closing accounting adjustments. In 2024, we expect to continue to see the government using novel theories in enforcement actions involving healthcare and life sciences companies, including the use of a little-known statute passed as part of the Sarbanes-Oxley Act, which criminalizes “improper influence on the conduct of audits,” or making materially false statements or omissions to internal accountants or outside auditors conducting an annual audit or quarterly review.
The SEC issued a new cybersecurity rule in 2023, to much fanfare. Healthcare companies will need to pay special attention to the rule, as they are the industry most frequently targeted for ransomware attacks and other events that could be reportable under the SEC’s new rule. The rule requires public companies to: (1) disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and (2) periodically disclose their processes for assessing, identifying, and managing material risks from material cybersecurity threats in their annual reports. Healthcare organizations should ensure they have a streamlined incident reporting approach in place that has been tested through tabletop exercises, as only a narrow set of circumstances qualifies for delaying the report of a material cybersecurity incident, and such a delay will likely be difficult to obtain.
Although 2023 was relatively light in terms of settled enforcement actions involving the U.S. Foreign Corrupt Practices Act (FCPA), it is typical for the number of such actions and penalty amounts to vary year over year, and we expect that healthcare and life sciences companies will continue to be under FCPA scrutiny in 2024.
Given heavy government involvement in the healthcare systems in many countries, it should not be a surprise that healthcare and life sciences have been among industries with the highest risk from an FCPA perspective. Indeed, since the first life sciences-related FCPA enforcement action in 2002, healthcare and life sciences companies have paid more than $1.5 billion in FCPA-related penalties and disgorgement. The trend of healthcare and life sciences-related FCPA enforcement actions continued in 2023. In May, SEC announced that Koninklijke Philips N.V. had agreed to pay more than $62 million to resolve allegations that it violated the FCPA’s accounting provisions related to its sales of medical diagnostic equipment in China. SEC alleged that the company’s Chinese subsidiaries used special price discounts with distributors that created a risk that excessive distributor margins could be used to fund improper payments to officials of public hospitals to influence public tenders. SEC further alleged that the company and its agents improperly prepared bids to sell medical equipment to government-owned hospitals to meet the minimum bids requirement under Chinese public tender laws.
We expect data security in the healthcare and life sciences industries to continue to be a focal point for the enforcement efforts of state attorneys general (State AGs) in 2024, as individual states continue to pass and implement state-specific data privacy laws, and as bad actors continue to target healthcare entities for cyberattacks. State AGs brought numerous enforcement actions in 2023, asserting that their broad mandate to protect individual consumers applies to healthcare entities; that is sure to continue in 2024. State AGs throughout the nation also repeatedly sought monetary penalties and injunctive relief from healthcare entities that had been the victims of ransomware attacks and large data breaches, and neither ransomware nor cyberattacks are stopping anytime soon. The pressure to address these problems at the state level strongly suggests continued enforcement pressure here, too.
State AGs are also likely to continue to band together to address cross-border data privacy issues in 2024, given the nature of the issues and the results they achieved in settlements like the Inmediata Technologies, LLC resolution reached in late 2023. A coalition of 33 State AGs investigated that matter and negotiated the settlement of claims stemming from the alleged disclosure of 1.5 million patients’ sensitive private health information in several states. Multistate State AG involvement adds another layer of complexity to an already complicated state regulatory landscape, so regional and national healthcare companies should be prepared to coordinate breach notifications and compliance efforts across state regimes.
In 2023, antitrust enforcers demonstrated their focus on deals in the healthcare and life sciences sectors, bringing ambitious cases grounded in novel and revived theories. For example, the Federal Trade Commission (FTC) resolved its challenge to Amgen’s acquisition of Horizon Therapeutics—which alleged that the deal would allow Amgen to “leverage” its broad portfolio of products to protect the monopoly status of certain Horizon products treating rare conditions—with a consent decree prohibiting Amgen from bundling or issuing conditional rebates on certain acquired products and requiring the imposition of a corporate monitor to report on the company’s compliance with the decree. In addition, in December, Sanofi abandoned its proposed exclusive licensing agreement with Maze Therapeutics after the FTC sought to challenge the proposed “killer acquisition.” While the FTC has brought similar potential competition cases in other sectors (most notably tech, e.g., Meta/Within), this challenge is considered the first of its kind and raises the prospect of other similar challenges to deals involving pipeline drugs. We expect antitrust scrutiny to increase in 2024, as the Biden administration announced new efforts at the end of 2023 to study and curb anticompetitive mergers and practices in healthcare markets, such as private equity “roll-up” strategies.
In addition, companies will no longer be able to rely on “safe harbors” that previously protected certain exchanges of information and data after DOJ and FTC withdrew four relevant guidelines. We also predict that in 2024, we will find out what happens with the letters issued by the FTC to 10 brand-name drug manufacturers asserting that the companies improperly listed over 100 patents in the FDA’s Orange Book.