As the health-care industry grows and splinters into sub-specialties, and as the regulatory environment becomes increasingly complex, challenges for health-care companies and their counsel will only increase. Understandably, companies often turn to consultants for expert help in dealing with these issues. While that is a laudable goal, those very consultants pose potential landmines of their own with respect to government enforcement.

Consider the recent announcement by the Department of Justice of the $26 million settlement with Florida-based Shands Healthcare. The allegations were fairly ordinary: The government claimed that several of Shands’s facilities submitted false claims by virtue of billing for inpatient services that should have billed as outpatient services. But the way the case came about was not so ordinary: In 2006, Shands engaged a consulting firm to review various billing issues at its facilities. The consultant later found what it believed to be were billing errors and other compliance issues, such as lack of documentation for medical necessity, excessive billing for observation and inadequate case management.

According to the complaint, the consultant reported its findings to Shands, which then developed a plan to address the issues. But there was no indication the alleged overpayments had been refunded. A follow up audit in 2007 revealed that the results had worsened, not improved, on the previously identified issues. According to the complaint, notwithstanding the problems, Shands declined to have the consultant do any additional follow-up work.

A year later in April 2008, the president of the consulting company filed a qui tam complaint against Shands, alleging that it had defrauded the federal government and state of Florida through its false claims. Over five years later, that complaint resulted in $26 million settlement in which Shands admitted no liability.

The Shands case raises some disconcerting issues for in-house counsel and compliance officers trying to limit litigation risk and comply with government regulations. And while Shands is unique because the consultant became the actual whistleblower, the potential dangers consultants pose arise in more mundane situations. Consider a consultant who does an audit that results in some negative or potentially negative findings (as nearly any audit of a health care provider is likely to do). Regardless of the company’s response to that audit, the audit findings now are potentially damaging evidence if the government investigates, particularly if those findings are taken out of context. Depending on the terms of the engagement, the consultant may be forced to turn them over in response to a government subpoena – and may even do so without notice to the provider. The ironic result? A provider with the foresight and responsibility to hire a consultant to review for billing errors may end up more exposed than a derelict provider that does not.

So what lessons can be learned from Shands and related scenarios?

First is the most obvious: Make sure your compliance plan is current, that your compliance department investigates and handles issues diligently, and that your employees are appropriately trained. Unfortunately, compliance isn’t a stationary target. For example, providers have just recently had to consider new HIPAA requirements that went into effect and continue to grapple with regulatory ambiguities such as those in the proposed rule related to the 60-day overpayment provision in the Affordable Care Act. But regardless of the issue, compliance plans and efforts must be monitored to ensure they are tracking with evolving regulations.

Second is the practical issue of how to engage consultants. Despite the potential for perverse incentives noted above, companies should be encouraged to engage in proactive self-review. The question is how to do it without unnecessarily and unfairly exposing your company to risk. Companies should carefully consider how to engage consultants, including doings so through counsel to attempt to have their work cloaked in the attorney-client and work-product privileges. Confidentiality issues should also be addressed in the consultant’s contract. While a government non-disclosure provision is likely unenforceable, provisions mandating notice of subpoena requests and setting forth confidentiality expectations are appropriate.

Finally, counsel should be aware of their jurisdiction’s prevailing law on privileges, including the compliance-officer privilege and the scope of the attorney-client privilege applicable to consultants as agents. Because those rules vary, the individual jurisdiction will inform the content of your agreement with the consultant (and perhaps the choice of law provision as well). See, for example, U.S. v. Austin Radiological Assocs., Inc. from the Western District of Texas (refusing to find a statutory “compliance officer privilege”) or Geller v. North Shore Long Island Jewish Health Sys. from the Eastern District of New York (after counsel hired, compliance officer acted as counsel’s agent in investigation and therefore investigation protected by attorney-client and work-product privileges.) As in healthcare itself, an ounce of compliance prevention may be worth a pound of financial cure.