The Future Is Uncertain For the Patient Protection and Affordable Care Act

by John W. Kaveney

With the election of Donald Trump to the office of President of the United States, Republicans and their supporters began implementing plans for the repeal and replacement of President Obama’s signature legislation, the Patient Protection and Affordable Care Act (“ACA”). President-Elect Trump’s selection of Representative Tom Price (R-GA) to the position of Secretary of Health and Human Services signaled the next step in those efforts.

Dr. Price, an orthopedic surgeon, has been a regular voice in opposition to the ACA, and many in Congress and the media see this selection as confirmation that every effort will be made to replace the ACA. Several Democrats have already indicated that they plan to challenge Dr. Price’s selection, because they see any threat to the ACA as a threat to the thousands of patients who obtained insurance only as a result of the ACA.

While a repeal of the ACA is still not guaranteed, and many are already questioning whether it could even be effectuated without significant impacts on the health insurance industry and millions of Americans, it is nevertheless important to understand what a replacement program might look like. Dr. Price has previously introduced one of the more detailed Republican plans to replace the ACA, legislation known as the Empowering Patients First Act.

Unlike the ACA, Dr. Price’s legislation seeks to minimize government’s role in health care. The following are five key elements of Dr. Price’s prior proposal:

  1. Fixed tax credits that rise with age so that patients can purchase their own insurance on the private market, including across state lines. The tax credits would not fluctuate based on income.
  2. Expand health savings accounts to further incentivize patients to contribute to such accounts to pay co-pays and deductibles.
  3. Preexisting conditions would continue to be excluded as a basis to deny coverage but only if the patient has had continuous insurance for eighteen months prior to selecting a new policy. If not, coverage might be denied for up to eighteen months under the new policy.
  4. Limiting the amount of money companies can deduct from their taxes for employee health insurance expenses.
  5. States would be paid federal funds to set up high risk pools to assist those with preexisting conditions who cannot afford insurance on the private market.

While Dr. Price has indicated his willingness to negotiate and compromise on what the ultimate replacement looks like, it remains to be seen how flexible he and the Republicans will be on a substitute for the ACA. Regardless of the final form, one cannot forget that as Secretary of HHS, Dr. Price would ultimately control the authoring of the enabling regulations to implement the new legislation.

It is anticipated that during President-Elect Trump’s first 100 days in office this issue will be addressed.

OCR and FTC Detail Overlapping Interests Between HIPAA and the FTC Act

by Leonardo M. Tamburello

On October 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) issued joint guidance highlighting the two agencies’ common interest in protecting individuals’ health information.

The health care industry is familiar with the restrictions on use and disclosure of protected health information (PHI) imposed by HIPAA.  In general, other than as required by the HIPAA Privacy Rule or for treatment, payment or health care operations, HIPAA requires a valid, signed authorization from the individual before any further use or disclosure of their PHI can occur.   This authorization must be in “plain language,” not be combined with any other type of authorization, and include specific terms and descriptions of the information sought and the proposed use or disclosure.

The FTC’s interest in the healthcare sector’s information security practices is less well known, however.  Many may be surprised by the FTC’s longstanding position that its broad power to regulate unfair and deceptive practices under Section 5 of the FTC Act includes overlapping jurisdiction with OCR concerning the privacy and security practices of HIPAA-regulated entities.

The FTC Act prohibits a contemplated use or disclosure of health information from being a “deceptive or unfair” act or practice.  Among other things, this means that individuals may not be misled about how their PHI is used or disclosed.   The FTC therefore recommends that entities review all of their consumer-facing messaging to ensure it is free from any deceptive or misleading statements.   Moreover, the FTC explicitly cautions against burying key facts regarding use and disclosure of health information in links to a privacy policy, terms of use, or HIPAA authorizations.  It also warns against manipulating font sizes or colors online in a manner that would make disclosure statements deceptive.  Instead, it recommends that all disclosure statements be “clear and conspicuous” from a consumer’s perspective.

OCR and the FTC have a history of collaboration and joint enforcement in the security area.  In February 2009, OCR entered into a $2.25 million settlement agreement with CVS Pharmacy, Inc. (CVS) and required implementation of a detailed corrective action plan to ensure the proper disposal of PHI.  Simultaneously, in a separate but related agreement, CVS resolved FTC charges that it failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

A year later, in July 2010, Rite Aid Corporation entered into a similar resolution agreement, paying $1 million to OCR and implementing a corrective action plan while simultaneously settling an FTC complaint which alleged it failed to properly dispose of personal information, inadequately trained employees, did not sufficiently assess compliance with its disposal policies, and did not employ a reasonable process for discovering and remedying risks to personal information.

In addition, the FTC has not hesitated to bring enforcement actions on its own against healthcare entities.  Most notably, the FTC has doggedly pursued LabMD, a former clinical laboratory which no longer operates, for failure to protect patients’ sensitive personal information.  This resulted in a July 2016 unanimous opinion from the FTC which found LabMD’s security practices unreasonable, “lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”  A motion to stay the FTC’s enforcement order has recently been filed in the Eleventh Circuit by LabMD. See, LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, motion to stay filed, Oct. 7, 2016.

It remains to be seen whether this recent joint statement from OCR and FTC foreshadows a more robust collaboration between the two agencies which builds on their efforts in the CVS and Rite Aid cases and expands into the HIPAA Privacy Rule area.  Even if that does not immediately occur, the FTC remains active in pursuing cases on its own, such as LabMD.  Whatever the outcome, businesses in the healthcare sector should remain sensitive to the FTC’s mandates, along with those from OCR.

HIPAA Enforcement At All-Time High So Far in 2016

by Leonardo M. Tamburello

With four months still to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September has even begun, OCR has already levied over $20 million in fines resulting from its investigations of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a business associate and the largest single fine to date, $5.5 million, for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.   The factors that OCR’s Regional Offices will consider in deciding which such breaches to investigate include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Whether the breach involved unwanted intrusions into IT systems (for example, by hacking);
  • The particular covered entity’s or business associate’s breach history; and
  • A lack of reports of breaches affecting fewer than 500 individuals from a specific covered entity or business associate, as compared to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notifications. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, ensure that their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

by Leonardo M. Tamburello

U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet, outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance.  In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”).  In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a key known only to the attacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, the attackers demand a payment before providing the key required to decrypt the affected files.  Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that a ransomware infection of a computer system is a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures.  In addition, it should also assess whether or not a “breach” has occurred.  As defined by the HIPAA regulations, a breach is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether a ransomware infection meets this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware encrypting ePHI means that an unauthorized party has taken possession or control of the data, which amounts to an “acquisition,” and therefore an impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that the PHI has been compromised, taking into account the following factors:  (1) the nature and extent of the ePHI involved; (2) the unauthorized person who used the ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to the ePHI has been mitigated.  If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.”  However, additional analysis is still required to ensure that the encryption solution, as implemented, is actually effective against the threat in question.  For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. Once the system is running and a user has authenticated, however, most full disk encryption solutions transparently decrypt and encrypt every file that user (or any program running as that user) accesses.  Ransomware that an authenticated user accidentally executes therefore runs inside that session, reads the files in the clear, and can encrypt them with the attacker’s key; the full disk encryption offers no protection against it.  Thus, despite having encryption protection in place, a ransomware infection can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.
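The backup and test-restoration advice above is process guidance. As an added example (not code from OCR, the fact sheet, or the original post), the Python below shows one way to put it into practice: a SHA-256 manifest written at backup time, a test-restore check against that manifest, and an entropy heuristic that keeps a file already rewritten by ransomware from overwriting a good offline copy. It also illustrates the full disk encryption point made earlier: the simulated ransomware runs as the logged-in user, so it simply overwrites the plaintext file. The directory layout, file names and file contents are constructed for the example; the entropy threshold is an assumption, and legitimately compressed or encrypted formats will also trip it.

```python
"""Ransomware-aware backup manifest and test-restore checks (added example)."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: files scoring above this (bits per byte) look like ciphertext.
# Compressed or already-encrypted formats score high too, so a hit means "inspect".
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: a file rewritten by ransomware is near-uniform random bytes."""
    return len(data) >= 64 and shannon_entropy(data) >= threshold


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_with_checks(src: Path, dst: Path) -> dict:
    """Copy src into dst, quarantining files that look encrypted so a
    ransomware-hit file never replaces a good offline copy."""
    copied, quarantined = [], []
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src).as_posix()
        if looks_encrypted(p.read_bytes()):
            quarantined.append(rel)
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        copied.append(rel)
    return {"copied": copied, "quarantined": quarantined,
            "manifest": build_manifest(dst)}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Periodic test restoration: compare a restored tree against the manifest."""
    current = build_manifest(restored_root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up two records, then ransomware running in the
    authenticated user's session rewrites one of them as ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    live, offline, restore = root / "live", root / "offline", root / "restore"
    live.mkdir(), offline.mkdir()
    (live / "notes.txt").write_text("Patient A: follow-up in 2 weeks\n" * 4)   # constructed
    (live / "labs.csv").write_text("id,test,result\n1001,HbA1c,6.1\n" * 4)      # constructed

    first = backup_with_checks(live, offline)        # clean run: both files copied
    manifest = first["manifest"]

    # Simulated ransomware: same user, same session, so full disk encryption is
    # transparent and the plaintext file is simply overwritten with random bytes.
    (live / "labs.csv").write_bytes(os.urandom(4096))

    second = backup_with_checks(live, offline)       # labs.csv quarantined, not copied
    shutil.copytree(offline, restore)                # test restoration from offline copy
    result = {"first": first, "second": second,
              "restore_check": verify_restore(manifest, restore),
              "live_check": verify_restore(manifest, live)}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    r = demo()
    print("quarantined on second run:", r["second"]["quarantined"])
    print("restore check:", r["restore_check"])
    print("live tree vs manifest:", r["live_check"])
```

The manifest is the piece that makes a test restoration meaningful: without a hash recorded at backup time, a restore that completes “successfully” tells you nothing about whether the restored bytes are the original records or ciphertext that was backed up after the infection. In production the manifest should be stored with the offline copy and signed or kept on write-once media, since ransomware that can reach the backup can also rewrite an unprotected manifest.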

An interagency U.S. Government report reveals that there have been an average of 4,000 ransomware attacks per day since early 2016, a 300% increase over the same period in 2015. With health information systems containing information vital to daily operations as well as highly personal information about patients, the health care sector has been a growing target of ransomware.  OCR’s new guidance recognizes this threat and clarifies the implications it carries for covered entities and business associates.

SCOTUS Broadens False Claims Act Liability Based On “Implied False Certification” Theory

by Leonardo M. Tamburello

In a June 2016 decision, the United States Supreme Court held, under the False Claims Act (FCA), that (1) the so-called “implied false certification theory” may create liability when the defendant fails to disclose noncompliance with a legal requirement when submitting payment claims that make specific representations about the services provided; and (2) liability is not contingent upon the requirement being an express condition of payment.

Yarushka Rivera received counseling at a mental health facility. Rivera suffered an adverse reaction to medication, resulting in her death. After Rivera’s death, her parents learned that most employees at the facility were not licensed to provide mental health counseling, and later discovered that only one of the five professionals treating their daughter was licensed. Respondents filed a qui tam suit alleging violations of the FCA based on an implied false certification theory of liability; that is, they claimed that the facility submitted false claims by requesting reimbursement without disclosing its regulatory violations regarding staff credentialing and licensing.

Implied False Certification Theory

Under the implied false certification theory, a defendant implicitly certifies that all payment requirements are satisfied when it submits a claim. If the claim fails to disclose violations of a material legal provision, a misrepresentation has been made, rendering the claim false or fraudulent under the FCA. Disagreement among the Courts of Appeals concerning the validity of this theory prompted the Supreme Court to grant review. In its decision, the Supreme Court held that the implied certification theory may create liability when two conditions are met: first, the claim does not merely demand payment but makes specific representations about the goods or services provided; and second, the failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.

Liability Under the FCA

The FCA imposes civil liability on “any person who…knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval.” Defendants argued that liability should only be imposed when the violations of statutory, regulatory, or contractual requirements are an express condition of payment. The Supreme Court rejected this contention, stating liability is not contingent upon the violated legal provision being an express condition of payment. In so holding, the Court noted that the FCA does not impose such a restriction.

Instead, liability turns on whether the misrepresentation is material. The FCA defines “material” as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” A misrepresentation is not material simply because the government labels compliance with a statutory, regulatory, or contractual provision a condition of payment. Nor is materiality established where the noncompliance is minor or insubstantial. Thus, when evaluating the materiality of a misrepresentation for a possible FCA violation under the implied false certification theory, the fact that a requirement is an express condition of payment is relevant but not dispositive.

The Supreme Court’s ruling on the implied false certification theory broadens healthcare providers’ exposure because plaintiffs can now bring more expansive claims under the FCA. But liability attaches only when the misrepresentation regarding a legal requirement is material to the government’s decision to pay. While a healthcare provider’s potential liability is broadened, the bar to sustain such claims is somewhat raised by the demanding nature of the materiality standard articulated by the Court.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

by Leonardo M. Tamburello

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing the PHI including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two topics of interest under HIPAA. First, whether a data set containing fewer identifiers, or de-identified data, could have been used for this project.  If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA.  The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether, and to what extent, PHI beyond the “minimum necessary” is required for future similar projects.

Second, if it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical tracking measures and encryption, should have been considered and implemented.  Physical tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially when the PHI of nearly a million individuals is potentially in play.  Although there seems to have been some process along these lines in place, in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives could be verified.

In addition, the apparent decision not to encrypt the hard drives should also be examined.  Encryption is an “addressable” implementation specification under the HIPAA Security Rule: it must be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See, 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii).  If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the underlying standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure, and must document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI, whether through inadvertence, theft, or other physical loss, remains a vexing problem for covered entities.  Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

by Leonardo M. Tamburello

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 16, 2016, OCR announced a $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation, it was discovered that no business associate agreement existed between the covered entity and the business associate, which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk analysis, as required by the Security Rule, addressing all potential risks and vulnerabilities to the ePHI it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million payment, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016, OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute, arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. The subsequent investigation found that, among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures governing the receipt and removal of laptops containing ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.

CMS Brings Clarity to ACA’s 60-Day Overpayment Rule

by Marissa Koblitz-Kingman and Leonardo M. Tamburello

Part of the antifraud provisions of the Affordable Care Act (ACA) requires any person who receives an “overpayment” of Medicare or Medicaid funds to “report and return” that overpayment to HHS, the State, or another party if appropriate within sixty (60) days of the “date on which the overpayment was identified.” See, 42 U.S.C. § 1320a-7k(d)(1).  A violation of this so-called “Sixty-Day Rule” is a per se violation of the False Claims Act (FCA), which may lead to treble damages, civil penalties of between $5,500 and $11,000 per claim, and possible imprisonment. Id. § 1320a-7k(d).   See, 31 U.S.C. § 3729(a).

Since the ACA’s enactment, providers have raised serious questions regarding when an “overpayment” is “identified” for purposes of starting the clock under the Sixty-Day Rule. Finally, on February 11, 2016, CMS released a final rule, effective March 14, 2016 (the “Final Rule”), which clarifies that: (1) the 60-day window for refunding overpayments is not triggered until both the fact and the amount of an overpayment are known; (2) the standard for knowledge is not “actual knowledge,” but when the provider would have identified the overpayment had it exercised reasonable diligence; and (3) the manner in which the refund must be made.

Prior to this Final Rule, it was unclear when the 60-day period began to run, leaving courts to interpose their own interpretation of the ACA in this regard. As we have previously discussed on this blog, U.S. ex rel. Kane v. Continuum Health Partners, No. 11 Civ. 2325, 2015 WL 4619686 (S.D.N.Y. Aug. 3, 2015), addressed that very issue.  In Kane, three hospitals received payment for Medicaid claims that should never have been submitted.  In September 2010, auditors from the New York State Comptroller’s office raised the potential overpayments and determined that these claims were caused by a third-party’s software glitch. The glitch was fixed in December 2010.  The hospitals’ management asked relator Robert Kane to identify claims potentially implicated by the glitch. On February 4, 2011, Kane wrote an email to management attaching a spreadsheet of approximately 900 claims totaling over $1 million that had potentially been affected by the glitch.  Four days later, Kane was terminated, allegedly in retaliation.

Kane filed an FCA and wrongful termination suit on April 5, 2011, which is exactly 60 days after he provided his spreadsheet. In June 2014, the United States government and New York Attorney General intervened on Kane’s behalf, alleging that by failing to further investigate the potential overpayments identified by Kane and delaying repayment for over two years, the hospitals improperly withheld “overpayments” in violation of the Sixty-Day Rule.

The hospitals moved to dismiss, stating that Kane’s spreadsheet had not identified any overpayment for purposes of the ACA, but was merely preliminary. Further, they claimed that because the overpayments had not been definitively ascertained, the sixty-day clock did not start and that they had no obligation to begin repayment for claims until they determined with certainty that those claims had, in fact, been overpaid, and to what extent.

The District Court rejected this argument, and held that the 60-day period begins to run when a provider is put “on notice of a potential overpayment, rather than the moment when an overpayment is conclusively ascertained.” If left as precedent, this would have dramatically lowered the knowledge requirement needed to sustain a violation of the Sixty-Day Rule, potentially exposing Medicaid providers and suppliers to broad liability under the FCA for “overpayments” not repaid within sixty days.  CMS’s Final Rule changes this, clarifying that the 60-day period for refunding overpayments is not triggered until both the fact and the amount of an overpayment are known. The Final Rule also states that the standard for knowledge is not “actual knowledge,” but when the provider would have identified the overpayment had it exercised reasonable diligence.  While providers must act with due alacrity to investigate possible overpayments, they need not fear that the mere possibility of an overpayment will lead to liability under the FCA unless it is repaid within sixty days.

Although it remains to be seen how the court will apply the Final Rule under the facts and circumstances of Kane, it seems likely that the defendants will renew their motion to dismiss armed with CMS’s new interpretation set forth in the Final Rule.

Catholic Hospital Not Covered By ERISA’S Religious Exemption

by Paul L. Croce

The U.S. Court of Appeals for the Third Circuit, in Kaplan v. St. Peter’s Healthcare System, has ruled that St. Peter’s Healthcare System’s (“St. Peter’s”) pension plan is not entitled to the religious exemption under the Employee Retirement Income Security Act (“ERISA”).

In May 2013, Laurence Kaplan, a former St. Peter’s employee, filed a putative class action suit against St. Peter’s alleging, among other things, that St. Peter’s pension plan was significantly underfunded. St. Peter’s moved to dismiss the Complaint, arguing that it qualified for the church plan exemption under Section 4(b)(2) of ERISA and was thus not required to comply with the provisions of ERISA that Kaplan claimed it had violated. The District Court disagreed with St. Peter’s, which then sought review from the Third Circuit.

The Third Circuit acknowledged that in the last few decades various courts “have assumed that entities that are not themselves churches, but have sufficiently strong ties to churches can establish exempt church plans.” However, the Court did not find those cases controlling, stating that the current case is part of a “new wave of litigation” arguing that the statutory definition of church plan precludes that result. Lower courts that have addressed this “new wave of litigation” have been split in their decisions.

ERISA § 3(33)(A) defines a church plan as “a plan established and maintained . . . for its employees (or their beneficiaries) by a church or a convention of churches.” Section 3(33)(C)(i) further provides that a “plan established and maintained” by a church “includes a plan maintained by an organization . . . controlled by or associated with a church or a convention of churches.”

St. Peter’s argued that Section 3(33)(C)(i) eliminated the requirement that a church establish a plan in order for it to qualify for the exemption. The Court, however, relying on the plain language of the statute as well as various canons of statutory construction, found that the provision merely expanded the definition of church plan to include plans maintained by other tax-exempt organizations. It did not, as St. Peter’s contended, eliminate the requirement that the plan be established by a church or a convention or association of churches. Accordingly, the Court found that St. Peter’s could not rely upon the church plan exemption to avoid the obligations imposed by ERISA.

This decision will have a serious impact on religiously affiliated healthcare organizations, as it subjects them to ERISA’s significant reporting and funding obligations. However, this is unlikely to be the last word on the subject. It is anticipated that St. Peter’s will seek certiorari, and the same issue is currently before the Seventh Circuit in Stapleton v. Advocate Health Care Network, where the Court heard argument on September 18, 2015. Should the Seventh Circuit rule contrary to the Third, there is a good possibility the matter will ultimately be decided by the United States Supreme Court.

Stark Undergoes Another Change

by John W. Kaveney and Marissa Koblitz-Kingman

The Stark Law, 42 U.S.C. § 1395nn, prohibits physician “self-referrals” for certain services. Generally, if a physician (or an immediate family member of the physician) has a financial relationship with an entity, the physician may not refer patients to that entity for the furnishing of designated health services for which payment otherwise may be made under Medicare. For example, an orthopedist may not refer a patient for imaging to a facility in which the physician or a member of her immediate family has an ownership interest. The entity accepting the prohibited referral may not present, or cause to be presented, a claim to Medicare or bill any individual, third-party payor, or other entity for the service. If the entity collects payments billed in violation of this prohibition, it must refund those amounts on a timely basis, typically within 60 days of identification.

Exceptions to Stark do exist, and on November 16, 2015, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) issued a final rule revising existing exceptions and adding new ones to give providers additional flexibility in complying with Stark. Some of the major changes include:

1.) CMS created a new exception for assistance to compensate a non-physician practitioner. The exception permits remuneration from a hospital, federally qualified health center, or rural health clinic to a physician to recruit a non-physician practitioner (a physician assistant, nurse practitioner, clinical nurse specialist, certified nurse midwife, clinical social worker, or clinical psychologist) where substantially all of the services the non-physician practitioner furnishes to the physician’s patients are primary care services or mental health care services;

2.) CMS created a new timeshare arrangement exception covering the use of premises, equipment, personnel, items, supplies, or services. Compensation for such arrangements must be carefully structured: percentage-based compensation and per-unit-of-service fees are prohibited, while hourly or half-day rates are acceptable. The arrangement cannot be conditioned upon referrals and cannot convey a possessory interest in the office space;

3.) CMS revised the temporary noncompliance with signature requirement. Previously, parties whose failure to obtain a signature was inadvertent had 90 days to cure it, while all others had only 30 days. The revision provides a flat 90-day cure period, regardless of whether the failure to obtain a signature was inadvertent;

4.) CMS created a new, indefinite holdover provision. An expired arrangement under the office space and equipment rental exceptions and the personal service arrangements exception can now be “held over” indefinitely, rather than for only six months, provided the arrangement: (a) satisfied all of the requirements [list] at the time of expiration; (b) continues on the same terms and conditions; and (c) continues to satisfy all of the enumerated requirements throughout the holdover;

5.) CMS clarified the writing requirement, requiring only that the arrangement be set out in writing. Although CMS recommends having one signed written contract that satisfies every requirement of the exception, the requirement may also be satisfied by a collection of documents that relate to one another and to the specific arrangement.

These are only some of the revisions, and only the highlights of a very technical set of regulations. It is critical that physicians, hospitals, health care facilities, and their business associates stay aware of and up to date with all of the major changes to Stark. Complying with Stark in practice can be particularly complex and thus must be closely monitored.