[co-author: Stephanie Hoffmann]

With 2015 in the books, we are pleased to reflect on some of the major developments over the past year in the field of health law. The year was marked by changes in Medicare payment models—from government pronouncements regarding the shift to a value-based payment system to a late year budget rider that will change the way off-campus hospital outpatient services are reimbursed—and the sustained trend of aggressive enforcement in the realm of fraud and abuse—from a smattering of significant Stark Law settlements to a Department of Justice (DOJ) warning shot about individual accountability for corporate wrongdoing. This past year also saw several court decisions with broad impact on the healthcare industry, including the Supreme Court’s rejection of a challenge to the Affordable Care Act (ACA) and the first judicial interpretation of the ACA requirement to promptly return identified overpayments.

In an effort to take stock of 2015 and brace ourselves for the challenges that lie ahead, we have compiled a list of 10 important issues that affect a broad range of healthcare industry clients.

ACA Survives Another Supreme Court Challenge

This year saw the Supreme Court’s rejection of yet another challenge to the ACA with the Court’s ruling in King v. Burwell. The case centered on the ACA’s insurance premium subsidies.

The ACA’s central feature was a three-pronged effort to increase the number of Americans covered by health insurance. First, the law required all Americans to maintain health insurance coverage (the “individual mandate” upheld by the Supreme Court in 2012). Second, the law mandated that each state create an online marketplace, or exchange, where uninsured individuals could purchase the required coverage. If a state did not create its own exchange, the ACA provided that the federal government would establish “such Exchange” for the state. Third, the law provided that those at or near the poverty level would qualify for federal subsidies to help them pay the cost of coverage if they enrolled in an insurance plan through “an Exchange established by the State.”

King v. Burwell presented a challenge from four Virginia residents who claimed they did not qualify for federal subsidies because the Commonwealth of Virginia did not create its own exchange. Like 33 other states, Virginia opted to allow the federal government to establish an exchange for its residents. The plaintiffs argued that this meant they could not enroll in an insurance plan through “an Exchange established by the State,” rendering them—and millions of Americans in other federal-exchange states—ineligible for subsidies. The Supreme Court disagreed, holding in June that federal subsidies are available through either state-based or federally created exchanges. The decision effectively averted the collapse of one central element of the law, leaving the ACA to fight another day.

Supreme Court Limits Availability of State Action Immunity from Antitrust Laws

In 2014, the North Carolina State Board of Dental Examiners petitioned the Supreme Court for review of a Fourth Circuit decision upholding an order of the Federal Trade Commission that prohibited the board from directing non-dentists to stop providing teeth-whitening services and discouraging or prohibiting the provision of those services. On February 25, 2015, the Court affirmed the Fourth Circuit’s judgment, holding that the board was a non-sovereign entity controlled by active market participants that did not receive active supervision by the state, and thus the board’s actions were not entitled to state action immunity from federal antitrust law.

The Supreme Court’s ruling affirmed that even though the board was an agency of the state, because the majority of its members were licensed, practicing dentists and active market participants, its actions still must be supervised by the state in order to enjoy antitrust immunity. Thus, the active supervision requirement—which previously only applied to private actors—now extends to state regulatory boards if a controlling number of the board’s members are also active market participants. The Court emphasized that the active supervision requirement is designed to create a “realistic assurance that a private party’s anticompetitive conduct promotes state policy, rather than merely the party’s individual interests,” and that state agencies that are controlled by active market participants pose the self-dealing risk that the active supervision requirement was intended to address. Furthermore, the Court noted that a board’s title or designation does not control whether supervision is required; instead, a board’s actual structure and the risk that active market participants will pursue their own private interests to restrain trade determine whether state supervision is required.

The Supreme Court’s ruling may result in a shift in how states structure their professional regulatory boards, and it is already making an impact in the healthcare industry. On December 14, 2015, a federal district court denied a motion by the members of the Texas Medical Board to dismiss a telehealth provider’s complaint based on a state action immunity defense. Relying on the recent Supreme Court precedent, the district court determined that the state action immunity doctrine does not apply to immunize a state professional board where the board fails to demonstrate that it is actively supervised by the state.

Medicare Access and CHIP Reauthorization Act Signed into Law

In April, President Obama signed into law the Medicare Access and CHIP Reauthorization Act (MACRA), repealing the heavily criticized Sustainable Growth Rate (SGR) formula for determining physician reimbursement rates under Medicare and replacing it with a multi-pronged approach that includes updates to the physician fee schedule, a new Merit-based Incentive Payment System (MIPS), and incentive payments to providers for participation in Alternative Payment Models (APMs).

Effective July 2015, MACRA began to move physicians away from the traditional fee-for-service approach and toward one of two paths for quality-based reimbursement: MIPS or APMs. From 2015 through 2018, all physician payment through Medicare will be increased 0.5 percent per year, with the possibility of additional payments based on performance through either the MIPS or participation in qualifying APMs beginning in 2019.

The MIPS combines several existing Medicare initiatives focused on quality into one cohesive program, which will determine physician payment based on a combination of measures. Thirty percent of payment will be established based on quality of care; 30 percent on efficient resource use; 25 percent on meaningful use of electronic health records; and 15 percent on clinical practice improvement activities. CMS will provide physicians with feedback on each of these measures in 2017 and 2018, and in 2019, physicians with particularly high scores will become eligible for bonus payments for their exceptional performance. Professionals who fall below a performance threshold will receive a negative adjustment, though downward adjustments are capped.

Some physicians may instead choose reimbursement through their participation in qualifying APMs (such as patient-centered medical homes and accountable care organizations). While the standard 0.5 percent-per-year increase will remain in place, beginning in 2019, physicians who receive a significant share of their revenue through qualifying APMs will be eligible for additional incentive payments based on the program’s performance.

MACRA also includes adjustments to other aspects of Medicare. The Act modifies Medicare’s longstanding prohibition on hospital payments to physicians for limiting beneficiary access to services, commonly known as the gainsharing portion of the Civil Monetary Penalty (CMP) Law. As amended by MACRA, the CMP Law applies only to hospital payments to physicians for limiting beneficiary access to medically necessary services (as opposed to any services). MACRA also directs the Department of Health and Human Services (HHS) to report to Congress within one year regarding potential exceptions and safe harbors for gainsharing arrangements that would otherwise be subject to the CMP Law. Many observers expect that, in light of this reporting requirement and a 2014 Office of Inspector General (OIG) proposed rule on the subject, 2016 will yield more developments in this area.

Court Weighs in on ACA 60-Day Overpayment Rule

In August, the District Court for the Southern District of New York issued the first judicial opinion addressing when a healthcare provider has “identified” a Medicare or Medicaid overpayment under the ACA’s requirement that providers return overpayments within 60 days of the date the payment is identified or face potential liability under the federal False Claims Act (FCA). In Kane ex rel. U.S. v. Healthfirst, Inc., the court found that “the sixty-day clock begins ticking when a provider is put on notice of a potential overpayment, rather than the moment when an overpayment is conclusively ascertained.” The court also stated, however, that its conclusion was consistent with CMS’s final Medicare Advantage and Part D rules, as well as its proposed Medicare Part A and B rules concerning the identification and return of overpayments. Both of these CMS rules contemplate that a period of reasonable inquiry to determine whether an overpayment exists will precede the 60-day time period for returning an overpayment after it has been identified. Because Healthfirst settled shortly after the issuance of the August opinion, a number of open questions that could have been addressed through further litigation remain unresolved, including how to reconcile the court’s statement that its conclusion on when the 60-day time period commences is consistent with existing CMS rules.

In Healthfirst, the New York Comptroller alerted the defendant to software-related billing errors that were the basis for the Medicaid claims at issue and held meetings with the defendant to address those claims. As a result of the issues raised by the New York Comptroller, the defendant tasked its employee, whistleblower Robert Kane, to analyze the scope of the potentially problematic claims. Approximately five months after the New York Comptroller alerted the defendant to the potential billing errors, Kane sent an email to several members of company management with a spreadsheet listing more than 900 claims (totaling over $1 million) that Kane believed were incorrectly billed. Kane’s email indicated that further analysis would be needed to confirm his findings. Kane was terminated four days after sending his email, and he filed a qui tam complaint 61 days after sending his email. In denying the defendant’s motion to dismiss, the court agreed with the government that the subject claims were “identified” overpayments within the meaning of the ACA after the government alerted the defendant to the billing issues and after Kane circulated his email and spreadsheet. These overpayments matured into “obligations” in violation of the FCA when they were not reported and returned by defendants within 60 days.

CMS is expected to publish its final Medicare Parts A and B overpayment rule by February 2016, which should provide additional guidance regarding the timing and mechanics of complying with the 60-day rule. For our previous coverage of the Healthfirst case, please click here .

Renewed Focus on Individual Accountability for Corporate Wrongdoing

The government released several important guidance documents in 2015 that herald a renewed emphasis on holding individual wrongdoers responsible for corporate misconduct. Driven largely by a perception that business organizations may have come to view monetary penalties and other remedies imposed by the government as merely a cost of doing business that can be handled in the normal course of operations, the DOJ and OIG have communicated their intent to focus enforcement efforts and penalties on individuals in an attempt to encourage personal responsibility and increase the deterrence effects of enforcement actions. Notably, these documents do not rely on new laws or regulations, but rather reflect a shift in priorities in the use of existing enforcement tools.

Most significantly, Deputy Attorney General Sally Quillian Yates published a memo on September 9, 2015, to DOJ attorneys entitled “Individual Accountability for Corporate Wrongdoing.” The “six key steps to strengthen [the DOJ’s] pursuit of individual corporate wrongdoing” apply to both criminal and civil matters and will be incorporated into updates to the U.S. Attorney’s Manual Principles of Federal Prosecution of Business Organizations, as well as commercial litigation provisions in the manual. These steps include conditioning cooperation credit given to corporations on providing all relevant information related to individuals responsible for the misconduct, focusing on individuals in conducting investigations, and not releasing individual wrongdoers from liability (absent extraordinary circumstances) when resolving matters with corporations.

The OIG published two documents in 2015 emphasizing individual responsibility for misconduct that may also involve business organizations. While OIG enforcement actions under the Anti-Kickback Statute have historically focused more on business organizations than on individual physicians, the OIG emphasized in a fraud alert released June 9, 2015, entitled “Physician Compensation May Result in Significant Liability,” that it has recently pursued a number of individual physicians for Anti-Kickback Statute violations involving compensation relationships with other entities and will continue to do so. In addition, on April 20, 2015, the OIG, in conjunction with the American Health Lawyers Association, the Association of Healthcare Internal Auditors, and the Health Care Compliance Association, released an educational resource to assist governing boards of healthcare organizations in carrying out their compliance plan oversight obligations. The document, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” concentrates heavily on the role of individuals in designing and implementing organizational compliance programs and ultimately standing accountable for compliance violations. Click here for more detail about the OIG’s guidance to governing boards.

Tuomey Saga Comes to a Close

After more than a decade of litigation, the closely watched case of Tuomey Healthcare System ended with Tuomey agreeing to pay $72.4 million in settlement with the DOJ and to sell the rural, non-profit hospital system to a multi-hospital system. The October settlement followed a July decision in which the Fourth Circuit upheld a $237.5 million FCA judgment against Tuomey arising out of violations of the Stark Law. All told, the case presents a cautionary tale for health systems regarding the risks of litigating FCA cases arising out of Stark Law violations.

The case arose from allegations that Tuomey, concerned about lost revenue from outpatient procedures migrating from its facilities to physician-owned facilities, entered into part-time employment agreements with physicians requiring them to refer their outpatient procedures to Tuomey and provided compensation exceeding fair market value. Following an earlier trial and appeal, the jury in a second trial concluded that the agreements violated the Stark Law and that Tuomey had violated the FCA by submitting claims to Medicare for services based upon referrals from the physicians. Those claims totaled approximately $39 million, and, as required by the FCA, this amount was trebled and civil penalties of $5,500 per claim were assessed, resulting in a total judgment of $237.5 million.

On appeal, the Fourth Circuit affirmed the jury verdict against Tuomey, addressing, among other issues, the Stark Law “volume or value” standard, the advice-of-counsel defense, and damages in FCA actions premised on Stark Law violations. First, the court rejected Tuomey’s argument that the compensation methodology was permitted under CMS guidance in Phase II of the Stark Law rulemaking regarding the “volume or value” standard which indicated that productivity bonuses for employed physicians could be tied to professional collections, notwithstanding the fact that corresponding hospital-facility fees would also be charged in connection with (and, implicitly, would vary with) those collections, concluding that guidance did not apply to the contracts at issue.

Second, while acknowledging the availability of the advice-of-counsel defense generally to disprove intent, the court found that the jury could reasonably have rejected it in this case, where one attorney had advised Tuomey that the agreements raised significant concerns and the later attorney who had approved the agreements had not been informed of the first attorney’s opinion. Third, the Fourth Circuit rejected Tuomey’s argument that the proper measure of damages was the difference between the amount the government paid for the claims at issue and the value of the services provided, noting that the Stark Law “expresses Congress’s judgment that all services provided in violation of that law are medically unnecessary” and the government was entitled to the “full amount of the payments.” The court also found that the damages award did not constitute an unconstitutional penalty under either the Excessive Fines Clause of the Eighth Amendment or the Due Process Clause of the Fifth Amendment. In a separate opinion, one judge bemoaned the “impenetrably complex set of laws and regulations that will result in a likely death sentence for a community hospital in an already medically underserved area,” but nevertheless concurred in the outcome. Click here for our previous coverage of the Fourth Circuit’s decision.

Post-Tuomey Settlements Highlight Hospital-Physician Relationships

In September, on the heels of the Tuomey decision, the DOJ announced a number of significant settlements of Stark Law allegations against health systems, including settlements of $25 million (and possibly as high as $35 million based upon contingent payment obligations) with Columbus Regional Health System in Columbus, Georgia, $69.5 million with North Broward Hospital District in Miami, Florida, and $119 million with Adventist Health System, a non-profit hospital operator based in Florida. The settlements with Columbus Regional Health System and North Broward Hospital District also included five-year corporate integrity agreements. While it is impossible to know the motivation for any settlement, it seems uncontroversial to suggest that, especially in the aftermath of Tuomey, the prospect of protracted litigation involving millions of dollars in direct and indirect costs, and the difficulty of prevailing in defense of FCA cases premised on Stark Law violations may have played a significant part in the defendants’ decisions to settle.

These settlements leave the healthcare community with relatively little information regarding the underlying issues beyond the complaints filed in those cases. Those complaints reveal a number of common themes. The relators argued that compensation paid to employed physicians in excess of their professional collections must be in excess of fair market value and cannot be commercially reasonable. They also contended that a compensation formula that appears, on its face, to be premised on a physician’s professional productivity actually serves as a proxy for rewarding referrals by the physicians and therefore violates the Stark Law.

The DOJ’s announcements of these settlements are also revealing, and reflect its continuing commitment to using the FCA to enforce the Stark Law. The DOJ’s press releases articulate its view that agreements in violation of the Stark Law compromise physician independence and result in treatment decisions based not on clinical judgments, but on financial incentives. The press releases also indicate that in just over five years since the formation of the Health Care Fraud Prevention and Enforcement Action Team partnership between DOJ and HHS, the DOJ has recovered over $16 billion for federal healthcare programs.

CMS Makes Significant Changes in Regulations Implementing Stark Law

Against a backdrop of aggressive enforcement, the issuance of new Stark Law regulations by CMS was seen by many as a glimmer of hope. In October, CMS unveiled final changes in the latest iteration of Stark Law rulemaking as part of the CY 2016 Medicare Physician Fee Schedule final rule (the “Final Rule”). With the stated goal of accommodating delivery and payment system reform, reducing burden, and facilitating compliance, the Final Rule made several significant changes, including adding new regulatory exceptions for the recruitment of non-physician practitioners and timeshare arrangements, making important clarifications for physician-owned hospitals, and implementing revisions to a handful of procedural requirements that are common to several oft-used Stark Law exceptions.

The portion of the Final Rule with the broadest application was the guidance concerning the documentary requirements found in a number of Stark Law exceptions. Many of the Stark Law exceptions for compensation arrangements include various procedural requirements, such as a requirement that the arrangement be documented in a signed, written agreement, in addition to substantive requirements that relate to the compensation methodology and the commercial reasonableness of the arrangement. Because compliance with all of the requirements of an applicable exception is required to avoid running afoul of the Stark Law’s prohibitions, noncompliance with these procedural requirements can give rise to the same significant risks as any other Stark Law violation. The Final Rule includes several changes to provide greater clarity and flexibility to healthcare providers, such as explicitly stating that there is no requirement that an arrangement be documented in a single, formal contract, permitting indefinite holdover periods provided that certain additional safeguards are met, and allowing parties to a contract to have 90 days to obtain required signatures, regardless of whether the failure to obtain the signature was inadvertent.

For our detailed review of the Final Rule, click here.

Budget Legislation Limits Payment to New Off-Campus Hospital Outpatient Departments

On November 2, 2015, President Obama signed the Bipartisan Budget Act of 2015 into law. While the legislation itself was no surprise, its inclusion of significant limitations in the way Medicare will reimburse hospitals for outpatient services furnished in newly created or acquired off-campus departments caught many off guard.

Section 603 of the Act excludes from the definition of Medicare-covered services most items and services furnished on or after January 1, 2017, by an “off-campus outpatient department of a provider.” The term “off-campus outpatient department of a provider” is defined by reference to the provider-based regulations to include a department of a provider that is not located on the provider’s campus or within a 250-yard radius from a remote location of a hospital. Although off-campus departments in operation prior to the date the Act was signed into law will receive “grandfathered” status and continue to be paid under the Medicare Hospital Outpatient Prospective Payment System, new off-campus departments will only be eligible for such reimbursement until January 1, 2017, at which time they will be paid under the Physician Fee Schedule or the Ambulatory Surgical Center Payment System, as applicable. In other words, new off-campus hospital outpatient departments will, beginning January 1, 2017, be paid at the same rate as if the departments were freestanding facilities unaffiliated with a hospital, a change that almost certainly will affect hospitals’ and health systems’ development strategies.

Many questions remain, including whether grandfathered off-campus departments may be relocated or repurposed and whether there will be any allowance for projects that were underway but not complete by the date of enactment. It is widely expected that CMS will issue regulations to implement the law in 2016. For more in-depth discussion of the Act’s changes, click here.

HIPAA Enforcement in 2015

The year also included a number of significant developments in the realm of health information privacy and security. Most notably, several large data breaches, headlined by the massive breach involving health insurance company Anthem, Inc. that affected an estimated 80 million people, made headlines across the country. In addition, the OIG released a report in September criticizing the efforts of the HHS Office for Civil Rights (OCR) in enforcing HIPAA. OCR also indicated that it will begin the second phase of its HIPAA audit program in early 2016.

In terms of HIPAA enforcement, OCR entered into several resolution agreements and corrective action plans in 2015, including a $3.5 million settlement with a Puerto Rico-based insurance company and several sizeable settlements with a wide variety of covered entities. Among the more noteworthy settlements were: (1) a $125,000 settlement with a small, single-location pharmacy arising out of the pharmacy’s disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients; (2) a $218,400 settlement with a teaching hospital arising from the use of an internet-based document sharing application to store documents containing the electronic PHI (ePHI) of 498 individuals; (3) a $750,000 settlement with a radiation oncology practice arising from the breach of 55,000 patients’ ePHI, which resulted from the theft of an employee’s computer equipment from the employee’s car; (4) an $850,000 settlement with a teaching hospital arising from the theft of a laptop from an unsecured treatment room that contained the ePHI of 599 individuals; and (5) a $750,000 settlement with a large academic medical center arising out of a breach of 90,000 patients’ PHI resulting from an employee downloading malicious malware contained in an email attachment.

On November 30, 2015, OCR announced a $3.5 million settlement with the insurance holding company Triple-S Management Corporation and its subsidiaries. Between November 2010 and August 2015, Triple-S reported seven breaches, five of which affected over 500 individuals. Examples of the breaches include former employees of both Triple-S and a business associate of Triple-S accessing ePHI after the end of their employment, the disclosure of PHI on pamphlets mailed to Triple-S customers by a vendor without a business associate agreement in place, the PHI of individual Triple-S customers being sent to the wrong person, and the use or disclosure of more than the minimum necessary amount of PHI.

In the wake of the OIG’s critical report, the next phase of the OCR audit program, and the number of significant settlements announced in the latter half of the year, many expect that 2016 will bring with it aggressive enforcement efforts.

* * *

The authors would like to thank Stephanie Hoffmann for her excellent assistance with this alert.