Written by Nathaniel Lacktman, Melesa A. Freerks, Maria Gonzalez Knavel, C. Frederick Geilfuss II, Nathan Beaver, Alan Einhorn, Foley & Lardner LLP
With the ongoing transformation of the health care industry, health care lawyers are constantly faced with unique and novel issues posed by a vastly changing market. Whether attempting to understand a new or evolving technology, assessing the nuances of the latest payment methodology, or helping a client decide on the right strategic partnership, health care lawyers have no shortage of problems to solve. Below is an overview of ten industry challenges that all health care lawyers should be aware of.
1. Growth of Telemedicine: Legal and Regulatory Considerations
Although telemedicine currently constitutes a small fraction of the overall health care delivery system, it may be the most rapidly growing subsector in the industry. Analysts project that by 2017, the mHealth (mobile health) app market alone (a subset of the larger telemedicine industry) will reach $26 billion. Health care entities and entrepreneurs of all types are increasingly offering innovative telemedicine products and services, and the technological and clinical developments have far outpaced many current laws and regulations (either antiquated or non-existent). State and federal policymakers have taken note, and the legal and regulatory landscape is rapidly changing in an effort to play catch-up. Providers should not fear to embrace the business and quality of care benefits telemedicine offers, and an awareness of the primary legal and regulatory issues will help facilitate a compliant, successful telemedicine program.
Licensure is the first issue most telemedicine providers face. The key licensure statute that governs a telemedicine provider's clinical practice is the statute of the state in which the patient is located; not the state where the provider is located. Therefore, a physician based in California who provides telemedicine services to a patient located in Florida must be licensed to practice medicine in Florida (or meet an exception to licensure).
Securing proper licensure is not the only consideration for a multi-state telemedicine practice, however. Essential legal and regulatory considerations include: 1) the telemedicine business model used and type of telemedicine arrangement; 2) state fraud and abuse laws (particularly state fee-splitting and corporate practice of medicine laws); 3) state scope of practice rules (establishing valid doctor-patient relationships, examination requirements, diagnosis and treatment recommendation rules, remote prescribing rules, supervision of non-physician telemedicine practitioners); 4) telemedicine-specific operational rules (special informed consent and special recordkeeping requirements); 5) privacy, security, and telemedicine technological requirements (bandwidth, software, service levels); 6) credentialing (including Medicare's telemedicine credentialing by proxy option); and 7) payor reimbursement (Medicare, Medicaid in the 44 states that offer coverage, commercial payors, employer-sponsored arrangements, and the large telemedicine self-pay segment).
Compounding the challenge with these issues is the fact that a successful telemedicine provider or business typically operates across multiple states and is subject to the state laws of all of the places where its patients are located. Although health care providers are not strangers to high levels of regulation, with telemedicine in particular, business models and contractual arrangements that work in one state may not work in others. Still, with an appreciation for, and understanding of, the multi-dimensional (and multi-state) nature of the telemedicine business, there are countless opportunities to develop successful telemedicine arrangements.
2. Overpayments Under the 60-Day Refund Rule: Expansion of Guidance
The required reporting of self-identified overpayments continues to be a significant challenge to providers and suppliers. The 60-Day Refund Rule, enacted under the Patient Protection and Affordable Care Act of 2010 ("ACA") and codified at Section 1128J(d) of the Social Security Act, requires all Medicare or Medicaid participating providers and suppliers to report and refund known overpayments by the later of 60 days from the date the overpayment is "identified" or the date the corresponding cost report is due.
The Centers for Medicare and Medicaid Services ("CMS") published a proposed rule in February 2012, providing additional guidance as to when an overpayment is "identified," assuring providers they have an opportunity to conduct a "reasonable inquiry" (i.e., internal investigation) before the 60-day clock begins to tick (provided the inquiry is conducted with "all deliberate speed"). In January 2014, the U.S. Department of Health and Human Services HHS published a proposed rule to implement the 60-Day Refund Rule for the Medicare Part C and D programs, putting Medicare Advantage and drug benefit plans on notice that they, too, must observe and follow the self-disclosure rules providers have been wrestling with since 2010.
Regulatory interpretations aside, the 60-Day Refund Rule has imposed significant practical and operational challenges for providers. Some providers find themselves auditing, investigating and self-reporting overpayments on a monthly (if not weekly) basis due to complex and ever-changing reimbursement rules. Moreover, some federal prosecutors have expressed the view that a provider doesn't have an effective compliance program unless that provider has a track record of overpayment self-disclosures (essentially reflecting a belief that it is virtually impossible to participate in Medicare without making errors or receiving overpayments). All this puts providers, including those with the best intentions and the best compliance/billing efforts, under constant pressure to conduct reviews and self-disclosures (and to commit resources and staffing) to do the same work as the CMS audit contractors. The penalties for non-compliance are so substantial (False Claims Act liability) that providers are obliged to allocate the resources to ensure proper compliance with this statutory requirement.
3. Mandatory Compliance Programs Under the ACA
Sections 6401 and 6102 of the ACA charge CMS with issuing regulations that require all providers and suppliers, as a condition of enrollment in Medicare or Medicaid, to establish and maintain effective compliance programs. Under the ACA, skilled nursing facilities are the first provider-type required to implement mandatory compliance programs, and CMS was instructed to issue the implementing regulations no later than March 23, 2012. CMS missed that deadline, but it is only a matter of time before CMS publishes rules establishing the "core elements for a compliance program" for nursing facilities.
Irrespective of the missed deadline, nursing facilities would be well-served to start developing compliance programs now; and other providers and suppliers should also start developing compliance programs, since the ACA requires CMS to issue regulations making compliance programs mandatory for all providers and suppliers that enroll in Medicare or Medicaid.
The nursing facility compliance program regulations should offer other providers and suppliers valuable insight into what CMS expects from mandatory compliance and ethics programs. Providers and suppliers who draw on this insight can best position themselves for a smooth transition to implementing their own compliance programs.
4. Health Information Privacy and Security
Health information privacy and security issues under the Health Insurance Portability and Accountability Act ("HIPAA") are a growing concern for health care providers and lawyers as the enforcement landscape continues to evolve. The HIPAA Omnibus Rule, which became effective more than a year ago, signaled an intensification of the Office for Civil Rights ("OCR") enforcement strategies. That change, together with the Federal Trade Commission's ("FTC") recent data security enforcement activities, herald a new era in which Covered Entities (health plans, health care clearinghouses, and health care providers that engage in standard electronic HIPAA transactions, their subcontractors, medical device companies, and others face increased regulatory scrutiny and heightened liability for regulatory violations.
The most obvious risks are associated with breaches of Protected Health Information ("PHI"). The Omnibus Rule introduced a key presumption: that an incident constitutes a privacy breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised (based on the four-factor risk assessment set forth in the Omnibus Rule). Whether as a result of this new presumption, or as a result of more aggressive HIPAA compliance strategies implemented by Covered Entities and Business Associates, the number of reported breaches has increased 137.7% in 2013 compared to 2012. (Redspin, Breach Report 2013: Protected Health Information (PHI), 4 (February 2014), http://www.redspin.com/docs/Redspin-2013-Breach-Report-Protected-Health-Information-PHI.pdf. Further, according to industry analysts such as Experian, the healthcare industry will be the most susceptible to publicly disclosed and widely scrutinized data breaches. (Experian, 2014 Data Breach Industry Forecast, 3 (2014), available at http://www.experian.com/data-breach/data-breach-industry-forecast.html).
The ramifications of data breaches extend far beyond the civil monetary penalties arising from OCR enforcement of the breach. In a growing number of cases, Covered Entities must deal with breaches by their Business Associates, which, although they may not create liability for civil penalties, can result in a host of costs associated with reputational harm, mitigation strategies, and potential civil liability due to lawsuits. Business Associate Agreements that simply reiterate the regulatory requirements fall far short of protecting Covered Entities from exposure in such cases. Moreover, OCR investigations associated with major breaches may lead to discovery of additional (and in some cases unrelated) HIPAA violations.
In addition to the liability associated with breaches, Covered Entities and Business Associates may also face liability arising from findings of HIPAA non-compliance from federal audits. OCR plans to expand its audit program in late 2014. In 2011-2012, OCR audited 115 Covered Entities for HIPAA compliance in its pilot program. (Office for Civil Rights, HIPAA Privacy, Security, and Breach Notification Audit Program, at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html (last visited August 26, 2014). On February 24, 2014, OCR announced via the Federal Register its second round of nationwide HIPAA compliance audits scheduled for the fall of 2014. (Agency Information Collection Activities; Proposed Collection; Public Comment Request, 79 Fed. Reg. 10158 (Feb. 24, 2014)). Although OCR has not yet published additional information about the new round of audits, it has indicated that the audits will include Business Associates this time and will cover the new regulatory requirements that were promulgated as part of the Omnibus Rule.
Notwithstanding the fact that OCR is the federal agency responsible for HIPAA enforcement, the FTC has recently pursued independent actions against companies in the health care industry under its powers to regulate unfair and deceptive business practices in Section 5 of the FTC Act. Since December of 2013, the FTC has entered into settlement agreements with two Business Associates of Covered Entities for failure to safeguard PHI. (FTC, Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers' Personal Information, at http://www.ftc.gov/news-events/press-releases/2014/01/provider-medical-transcript-services-settles-ftc-charges-it (Jan. 31, 2014); FTC, Accretive Health Settles FTC Charges That It Failed to Adequately Protect Consumers' Personal Information at http://www.ftc.gov/news-events/press-releases/2013/12/accretive-health-settles-ftc-charges-it-failed-adequately-protect (Dec. 31, 2014). More recently, the FTC accused LabMD, a clinical laboratory that performs tests on specimen samples from consumers, of failing to reasonably protect the security of consumers' personal data, including medical information. Although LabMD challenged the FTC's right to enforce HIPAA violations, the FTC took the position that HIPAA and other statutes do not shield LabMD from the obligation to refrain from committing unfair data security practices that violate the FTC Act. (Brief for Appellee Federal Trade Commission, LabMD, Inc. v. FTC (11th Cir., July 24, 2014)(No. 14-12144), available at http://www.ftc.gov/system/files/documents/cases/1407labmd11cirbrief.pdf.
5. Provider Reimbursement: Shift to Pay-for-Performance
Historically, the reimbursement methodology for health services has been the fee-for-service model. The implementation of the ACA created several new Medicare programs designed to improve health care quality using pay-for-performance payment strategies that use financial incentives to encourage providers and suppliers to provide better, not more, care. Nongovernmental payers are also making a steady progression to quality-based reimbursement models. Although changing reimbursement methodologies are not novel to the health care industry, recent changes, coupled with recent Stark and anti-kickback enforcement activities, have proved particularly challenging to health care lawyers, whose clients must now determine how new reimbursement strategies affect their medical practices; how to accomplish increased patient engagement in the achievement of heightened quality goals; and how to achieve increasingly higher quality scores as the industry demands more cost effective care.
Health care lawyers must be more prudent in navigating the current fraud and abuse laws to ensure that newly created relationships among providers and suppliers - which may be needed to achieve higher quality and increased reimbursement - do not create illegal incentives or arrangements.
6. Increased Market Consolidation Through Mergers and Acquisitions
Consolidation has intensified across the entire health care industry. This should not be surprising given the emphasis within the industry, in recent years, on clinical integration, shared savings, and the like. After all, the thoughtful integration of health care providers is said to improve coordination of care which, in turn, is said to reduce unnecessary services and lead to better outcome for patients. Additionally, consolidation of providers can provide greater economies of scale to manage financial obligations and risks; and can increase bargaining power with payors. In the past year, numerous hospital and health systems have announced "mega-mergers", but the consolidation trend has not only included hospital-to-hospital and network-to-network mergers and acquisitions; hospital-medical group and medical group-medical group consolidations are proliferating too.
With increasing regulatory scrutiny of health care transactions, health care lawyers representing parties to merger and acquisition transactions must be mindful that the relationships they are forging do not inadvertently implicate the antitrust laws. As just one example, following FTC scrutiny of the transaction, a federal district judge sided with the FTC and ruled on June 18, 2014 in Saint Alphonsus Medical Center - Nampa, Inc. et al. v. St. Luke's Health System, Ltd. (Case No. 1:12-CV-00560-BLW) (D. Idaho June 18, 2014) that St. Luke's Health System of Boise, Idaho violated antitrust laws with its 2012 acquisition of Idaho's largest independent multi-specialty physician group. St. Luke's was ordered to fully divest the physician group and its assets.
7. Non-Ownership Collaborations
As noted above, the affiliation and consolidation trend for hospitals and other health care providers has accelerated in recent years, particularly since the passage of the ACA. Not all of those affiliations and consolidations have been in the form of mergers and acquisitions, however.
Independent and community hospitals are under particular pressure to consolidate. While many such hospitals are without substantial resources, they are faced with reimbursement reductions, technology enhancements and other capital demands, delivery system changes promoting population health, the costs associated with attracting and retaining physicians, and the increased leverage of managed care companies. Yet, many independent hospitals are resisting the urge to merge, and instead are developing strategies that are designed to allow them to remain independent and preserve local community control of their institutions. These strategies require a critical assessment of the hospital's strengths and weaknesses, and a realistic appreciation of the strategic options available.
The options that are available are several, and some that have been utilized include: forging innovative relationships with payors, including participating in narrow or tier value-based networks; structuring clinical integration organizations and participating in accountable care organizations; creating ventures with insurers to become risk ready; partnering with other hospitals in structures that are designed to ensure ongoing independence (including joint ventures, joint operating agreements, telehealth arrangements, and clinical or management service arrangements); creating one or more centers of excellence; exploring innovative arrangements with the local municipality and/or local businesses; and developing collaborative physician alignment strategies that utilize co-management and other arrangements. Partnerships with academic medical centers are another example of an arrangement that independent hospitals and hospital systems have utilized to augment their service offerings and help ensure their viability. While the affiliation trend will no doubt continue, innovative independent providers who wish to maintain control will continue to explore options that will permit them to remain independent and viable.
8. Heightened Pressure on Clinical Research
As the health care industry moves to a focus on quality based reimbursement, insurance companies and health care providers are increasing demand for drugs that demonstrate benefit over existing treatments and for therapies that help reduce the total costs of care for a patient. As such, pharmaceutical companies are under pressure to speed up clinical trials and to perform clinical trials at lower costs. Traditionally, a drug's success was dependent upon FDA approval and physician choice. Now, however, with the increasing transformation of the health care industry, the criteria for measuring the success of a drug is rapidly changing with heightened focus on the drug's real-world performance. Additionally, like other health care entities, the pharmaceutical industry has also seen a significant increase in mergers and acquisitions as struggling companies view consolidation as a method to cement their existence in the new health care market.
As a result, health care lawyers have been working with pharmaceutical clients to hurdle the various barriers posed on clinical research while facing the challenges of negotiating specific partnerships and varying payment approaches that will keep their clients afloat, all while being cognizant of federal and state regulatory laws.
9. Mental Health Parity
In November, 2013 the federal government issued final rules implementing the Mental Health Parity and Addiction Act of 2008 ("Parity Act"), which became effective July 1, 2014. The Parity Act's protections are now available to most consumers, in combination with provisions of the ACA which require mental health and substance abuse disorder benefits to be included as essential health benefits effective for policy years commencing after January 1, 2014, and that such benefits be in compliance with the Parity Act.
The Parity Act applies to fully insured and self-funded ERISA health plans, including non-grandfathered individual and group coverage. The Parity Act requires that mental health and substance abuse disorder benefits be offered in parity with, and without more restrictive limitations that apply to, medical/surgical benefits. It creates six classifications of benefits which are used to assess compliance with the parity requirements. The Parity Act also contains both quantitative measures and non-quantitative treatment limits ("NQTLs"). Quantitative measures compare such things as patient cost-share payments, out-of-pocket caps, and numerical annual or day visit limits. NQTLs assess whether a plan's processes, strategies and evidentiary standards for such things as medical management, formulary design, provider reimbursement, facility type, and network tier design, are applied on a parity basis.
The ACA expansion and Parity Act requirements have provided an added weapon for state enforcement agencies and mental health advocacy groups to utilize in seeking mental health and substance abuse disorder coverage. Litigation and enforcement actions challenging health plan policies on mental health/substance abuse disorder benefits have increased and experts expect the increase to continue. In one case, a federal district court in Vermont (C.M. v. Fletcher Allen Health Care, Inc., Case No. 5:12-CV-108) (D. Vt. April 30, 2013) concluded that an insurance plan, in applying a pre-approval requirement, a concurrent review requirement and automatic reviews after a set number of mental health visits, has the burden to justify treating mental health claims differently than medical claims. State enforcement agencies have also challenged mental health/substance abuse disorder policies involving prior authorization, medical necessity determinations, provider reimbursement rates, residential treatment options, and access to information as not being in parity with medical/surgical policies. In one enforcement action, the New York Attorney General recently obtained a $1.2 million settlement from a health plan for alleged failures to apply mental health parity requirements appropriately. ("AG Schneiderman Announces Settlement with Emblem Health for Wrongly Denying Mental Health and Substance Abuse Treatment for Thousands of New York Markets," N.Y. Attorney General Press Release, July 9, 2014)
The new Parity Act requirements promise to be an area of scrutiny and concern for fully insured and self-funded health plans in 2014 and beyond.
10. Increased Governmental Enforcement
The federal government's strategic mission of fighting fraud, waste, and abuse in the health care industry continues at full steam with assistance from qui tam relators, an army of auditors, and more sophisticated data mining. This year the government has increased HIPAA penalties and has filed an action for the failure to satisfy an overpayment within the 60-day rule. The statutory underpinning for government actions continues to be: the False Claims Act ("FCA"), the Anti-Kickback Statute, the Physician Self-Referral Law (Stark Law), the Excluded Parties regulations, and the Civil Monetary Penalties Law.
It is crucial for health care lawyers to understand the complexities and nuances of these laws and how (and to whom) they apply in order to avoid violations that could result in criminal penalties, civil fines, exclusion from the governmental health care programs, and/or loss of license. Recent examples of governmental enforcement actions include: (i) U.S. ex rel. Drakeford v. Tuomey Healthcare System, 2013 WL 5503695 (D.S.C. 2013), in which the U.S. District Court for South Carolina entered judgment against Tuomey Healthcare System for a total of $237.5 million for violating the Stark Law and the FCA, (ii) the matter of Halifax Health of Daytona Beach, FL, involving an $85 million settlement (announced on March 3, 2014), in a qui tam action with the government for Stark Law violations; and, (iii) a DaVita Health Care Partners payment of $389 million, announced by DaVita in February, 2014, to settle criminal and civil anti-kickback investigations.