Health Update

How to Prepare for "Phase Two" HIPAA Compliance Audits: Tips on Getting Ready for Scrutiny

Author: Robert Belfort, Partner, Healthcare

Editor's Note: Now that the Department of Health and Human Services (HHS) has announced that it is beginning the next round of Health Insurance Portability and Accountability Act (HIPAA) compliance audits, organizations need to take specific steps to prepare, in case they are chosen for scrutiny. "Phase two" of the HIPAA compliance audits is expected to involve about 200 remote desk audits of covered entities (CEs) and business associates (BAs) that will be conducted by December 2016. After that, it's anticipated that the Office of Civil Rights (OCR) will conduct a smaller number of more comprehensive on-site audits.

In a new podcast for HealthcareInfoSecurity, summarized below, Manatt Health's Robert Belfort shares how CEs and BAs should prepare for a possible HIPAA compliance audit. He also discusses the possibility of OCR resolution agreements and settlements containing financial penalties for some auditees, the differences between what OCR will likely inspect during remote desk audits vs. more comprehensive on-site audits, and the likelihood that OCR will launch a permanent HIPAA compliance audit program. Click here to listen free to the full podcast.

___________________________________

What Should Organizations Do Now to Prepare for a Possible HIPAA Compliance Audit?

There are a few different steps that organizations can and should be taking to prepare for a possible audit. The first is that there should be an internal gap analysis conducted of the organization's HIPAA compliance program. The analysis should include comparing the organization's existing policies, procedures and practices against HIPAA requirements. Looking back at the audit tools that were used several years ago when a small number of HIPAA audits were conducted provides a helpful starting point for developing an effective gap analysis. If there are gaps identified, it's important to fill those quickly, before an audit commences.

Second, from an organizational standpoint, there should be clear lines of responsibility in terms of who is designated to handle an audit. There should always be one point person given the authority to interface with OCR. That person should have access to other staff who may be necessary to respond to the audit request. The infrastructure should be in place before the audit request comes in, because OCR has suggested that there may be a relatively short turnaround time for producing documents.

What Will OCR Look for During Remote Desk Audits?

Given OCR's resource constraints, audits will likely be targeted to the areas that OCR deems most important. One criterion for choosing auditees may be whether the organization has recently performed a security risk analysis that is sufficient to meet HIPAA requirements. OCR is going to want security analyses that have been conducted in the last year or two and that have the scope and the breadth to cover all the necessary issues.

On the privacy side, OCR will likely be looking at policies that govern the use and disclosure of information to make sure that those policies are in writing and track HIPAA requirements. OCR also will be determining whether the organization has policies and procedures in place to give patients access to their records, provide copies of patient records in a timely way, and ensure there are no obstacles to access.

In addition, OCR may target a few issues that have been sore spots with breaches in the past. For example, OCR is frustrated with the fact that there continue to be breaches involving lost or stolen laptops with unencrypted data on them. OCR believes that every organization should have addressed those kinds of issues a while ago, given the ease of encrypting laptops and the risks associated with mobile devices.

How Will On-Site Audits Differ from Remote Audits?

A desk audit is going to be focused on paper reviews. An organization should do reasonably well on a desk audit if it has the right documentation in place.

A desk audit, however, may not be that effective at getting underneath the policies and looking at how decisions are made on a day-to-day basis and whether there's compliance with the written policies. With an on-site audit, there's a lot more opportunity to get underneath the policies and look at actual operations. OCR will probably interview people within the organization and ask questions about how policies have been implemented, as well as how uses and disclosures are treated. OCR may even access an organization's information system to see how it functions. Overall, on-site audits provide a more intensive review of what's really going on in practice, while desk audits are more about documentation.

How Can CEs and BAs Avoid Triggers That Could Lead to More Comprehensive Compliance Reviews and OCR Investigations?

There are certainly areas of HIPAA compliance that are ambiguous. When it comes to interpretations of the rule, particularly on the security side, that involve judgment calls by providers, OCR is saying that it's looking to understand industry practice, to educate providers about expectations, and to provide some benchmarks that the industry can look to as to what's reasonable. On those types of judgment call issues, OCR is taking primarily an educational and corrective action type of approach.

There are certain hard-and-fast requirements, however, that OCR will look at from an enforcement standpoint. For example, if OCR discovers that an organization has never done a risk analysis, has never issued privacy notices to patients, or has no policies in place to handle patient requests for records, that could push the audit to the enforcement side.

Could Enforcement Activities Coming from Audits Involve Financial Penalties or Resolution Agreements or Settlements?

It depends on what OCR finds. There have been penalties imposed in breach notification cases that are linked to clear violations, such as unencrypted laptops, failure to have ever performed a risk analysis, or absence of business associate agreements with vendors who have access to significant amounts of protected health information. The agency could take the view that since it's imposed penalties for these kinds of violations when there's been a breach, if it finds organizations in clear violation of the rule, it could choose to impose penalties, even if no breaches have been reported.

How Likely Is It That a Permanent Audit Program Will Be Launched?

Whether or not a permanent audit program will be launched is, ultimately, a funding question. When HIPAA was first enacted, the agency had a cooperative mindset. Rather than aggressive enforcement, it wanted to give the industry time to work with the rules and come into compliance, and it viewed itself as a partner in that activity.

It's now been 13 years since the privacy rule became effective, however. Within the government, there is most likely the perspective now that the trial period has ended, and the industry should know the rule's requirements and be compliant with them. Recent penalties and settlements have shown that when the agency discovers noncompliance, it will impose multimillion-dollar penalties, particularly on larger organizations that can afford to pay them.

The main obstacle to a permanent audit program has been the lack of resources to fund auditors. As much as OCR may want to establish a permanent program and as much as HITECH obligates the agency to perform audits, an audit program can't happen if there is no funding.

The government tends to fund auditing activity that it believes will return funds back to the government. It considers auditing an investment and funds audits that will deliver a return on that investment. For example, the government has an extensive Medicare and Medicaid audit program because it more than pays for itself. So the dynamic probably will only shift if an approach is taken where penalties are sufficient to cover the cost of the auditing program.


Flurry of Regulatory Activity Helps Frame Privacy and Data Security Priorities for Health Tech Innovators

Authors: Jill DeGraff Thorpe, Partner, Healthcare | Marc Roth, Partner, Advertising, Marketing and Media | Jared Augenstein, Manager, Manatt Health

As the frequency of cyberattacks against healthcare entities increases, multiple government regulatory and enforcement agencies are actively coordinating their privacy protection and data security guidance for health technology vendors and Health Insurance Portability and Accountability Act (HIPAA) covered entities. Most recently, the Federal Trade Commission (FTC) released a web-based tool targeting mobile app developers. According to its April 5, 2016 announcement, the FTC developed the tool in collaboration with the Department of Health and Human Services' Office of National Coordinator (ONC), Office of Civil Rights (OCR) and Food and Drug Administration (FDA).

The apparent aim of the tool is to make it easier for mobile app developers to understand when they are a HIPAA business associate, when their app or companion devices exceed the FDA's threshold for exercising enforcement discretion for mobile medical apps, and how the FTC will regulate mobile health apps when HIPAA or FDA regulations do not apply. The tool is structured as a series of survey questions that can be answered either "yes" or "no," yielding answers supported by brief legal explanations of why FTC, OCR and/or FDA jurisdiction is implicated.

As an example, a mobile app collecting individually identifiable health information is subject to HIPAA if it is intended for a wellness program offered by an employer-sponsored health plan, but likely subject to FTC jurisdiction if the app is offered through a wellness program offered directly by an employer. Beyond privacy protections and data security, the tool also encodes the legal reasoning supporting FTC regulatory authority concerning breach notification even when HIPAA rules do not apply.

It also exposes the commonality of other basic legal parameters regardless of regulatory jurisdiction, such as the obligation not to make unsubstantiated claims in advertising an app. By easily allowing developers to adjust their answers and see the resulting explanations, the tool provides much-needed clarity for health technology innovators, and should advance efforts to demystify the interplay of HIPAA, FDA and FTC regulatory frameworks.

While the FTC's tool is not on its face addressing the rising threat of ransomware and other types of cyberattacks directed at healthcare organizations, it reflects regulators' recognition of the need to reconcile two significant aims: on the one hand, making sensitive personal data more accessible over mobile and other wireless devices, and on the other hand, reducing the industry's data vulnerabilities as cyberthreats become more prevalent and sophisticated. One could argue that the regulators are rejecting commonly heard tropes such as "consumers are willing to trade off privacy for more convenience" in favor of raising cyberprotection as a core professional competency across the technology industry. Raising that competency begins with education.

The mHealth Developer Portal—and OCR's Response

Another example of regulators' recent efforts to educate mobile app developers is OCR's release in October 2015 of an mHealth Developer Portal, a community-based portal where developers can post their HIPAA-related questions. The portal itself is innovative (for a government agency) in that it provides an informal online community that enables users to read and "like" questions posted by others. In February 2016, OCR posted its first guidance responding to these questions, by means of a composite set of Health App Use Scenarios based on some of the questions it received. The scenarios clarify situations in which an app developer is a HIPAA business associate, but are likely to be followed up with further guidance on other areas of interest to the mHealth app community. To illustrate, here is one of the published scenarios:

Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. Healthcare provider and app developer have entered into an interoperability arrangement at the consumer's request that facilitates secure exchange of consumer information between the provider's electronic health record (EHR) and the app. The consumer populates information on the app and directs the app to transmit the information to the provider's EHR. The consumer is able to access test results from the provider through the app.

Developer is not a business associate (BA) because it is not creating, receiving, maintaining or transmitting PHI for a covered entity or other business associate. The interoperability arrangement alone does not create a BA relationship because the arrangement exists to facilitate access initiated by the consumer. The app developer is providing a service to the consumer, at the consumer's request and on her behalf. The app developer is transmitting data on behalf of the consumer to and from the provider; this activity does not create a BA relationship with the covered entity.

Contrast the reasoning above to a slightly adjusted fact pattern illustrated in OCR's guidance:

At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patient's food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.

Developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting PHI on behalf of the covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting protected health information (PHI), and the app is a means of providing those services.

Crosswalk Between HIPAA and NIST Standards

Another way that regulatory agencies are raising cyberdefense as a professional competency in the health technology community is through the release in February 2016 of a crosswalk between HIPAA and NIST standards. The document identifies specific technical standards developed by independent standards-making bodies such as IEEE, ISO/IEC and COBIT that concern protection, security and integrity of data.

OCR developed the crosswalk in collaboration with the ONC and the National Institute of Standards and Technology (NIST) to demonstrate the technical standards implicated by each facet of the HIPAA Security Rule. It follows the "Cybersecurity Framework for Improving Critical Infrastructure" released two years earlier by NIST as part of wider governmental efforts to strengthen cyberdefenses of government, defense and critical infrastructure networks. In similar fashion, the FDA issued guidance in January 2016 on postmarket management of cybersecurity in medical devices that aligns with the NIST cybersecurity framework.

Following the crosswalk and the technical standards it identifies could enhance the overall standard of products and services developed by health technology innovators. Developers and covered entities should expect to see more crosswalking of these competencies in job descriptions, professional development activities and performance expectations of tech developers. In all likelihood, there will be more attention placed on concepts of "privacy by design" in health tech applications to ensure they reflect best practices across the public and private sectors.

To an increasing degree, consultants are likely to cross-reference to these independent technical standards when conducting health security risk assessments. One caution, however, for developers, customers and investors: Because many of the technical standards have certification requirements and copyright restrictions, adhering to these standards could increase R&D costs.

Determining Industry Best Practices

While the efforts described above aim to disseminate information to the health tech community, regulators are also engaging the industry more proactively to determine best practices in cybersecurity and privacy. For example, in connection with OCR's recent launch of phase 2 of its HIPAA Audit Program, OCR declared: "Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches," adding that it would "evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program." Manatt is actively counseling and educating clients about OCR's phase 2 audit program as well.

Furthermore, in March 2016, the U.S. Department of Health and Human Services announced the launch of a Healthcare Industry Cybersecurity Task Force, whose members include chief information security and privacy officers of leading health systems, commercial health plans, medical schools, medical device makers, clinical laboratories and tech security companies, as well as representatives from HHS, the U.S. Departments of Defense and Homeland Security, and NIST. Formed as required by the budget reconciliation signed into law in December 2015, the task force is charged with developing policy recommendations to address cybersecurity in healthcare while enabling patients and providers to easily and securely access electronic health information, including by mobile and other wireless devices.

As a whole, these regulatory activities acknowledge that privacy protection and data security cannot be eroded for the sole purpose of making data more convenient or accessible to consumers. Regulators are providing constructive guidance and have positioned themselves to learn more about industry practices, which could lead to more relevant, timely and appropriate regulation and enforcement in the future.


Sharing Behavioral Health Information in Massachusetts: Obstacles and Potential Solutions

Authors: Robert Belfort, Partner, Healthcare | Alex Dworkowitz, Associate, Healthcare

Editor's Note: Due in part to the stigma that is sometimes associated with behavioral healthcare, information relating to mental health or substance use disorders is given greater protection under both federal and state law than most other types of health records. In a new report for the Blue Cross Blue Shield of Massachusetts Foundation, summarized below, Manatt Health reviews the primary Massachusetts and federal privacy laws relevant to the exchange of information among physical and behavioral health providers. The report also assesses the technological and operational challenges that providers face in seeking to integrate care through enhanced data exchange. To download a free copy of the full report, click here.

_____________________________________________

The efforts of providers to share information to facilitate behavioral health integration are in tension with multiple federal and Massachusetts laws that were developed in an era that predates electronic information exchange and robust care coordination. These laws can make it difficult for providers to share records even when patients want their healthcare professionals to have greater access to their information. But the laws reflect the reality that behavioral healthcare treatments may still carry greater stigma than other types of healthcare, and, therefore, greater privacy protections in this area may be necessary.

The benefit of added protection is that it keeps potentially sensitive information private and, therefore, may encourage patients to seek treatment. In addition, there is evidence that individuals with a behavioral health condition may experience differential medical treatment, as a result of the stigma attached to their behavioral health diagnosis. The greater protection of behavioral health information may help mitigate this issue, but these laws also may limit the ability of providers to share information regarding patients who are jointly under their care, thereby impeding care coordination and possibly worsening health outcomes. These obstacles to information sharing are at odds with the growing array of behavioral health initiatives that are designed to encourage behavioral and physical healthcare providers to work collaboratively to provide better care to patients.

The Need to Change the Siloed Treatment Model

There is growing recognition that the siloed treatment model restricting regular communication between physical and behavioral healthcare providers must change. The Institute of Medicine has highlighted the need for better care coordination among behavioral and physical healthcare providers. Providers in both the behavioral and physical health fields now feel strongly that high-quality care requires care integration and coordination. Patients suffering from severe mental illness and addiction often have complex medical problems that cannot be properly addressed in isolation from their behavioral health needs.

Conclusions

A review of the primary Massachusetts and federal privacy laws relevant to the exchange of information among physical and behavioral healthcare providers and an assessment of the technological and operational challenges of integrating care through enhanced data exchange yields the following conclusions:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule does not create substantial barriers to information exchange among physical and behavioral healthcare providers for routine treatment, care management and quality improvement purposes.
  • The main legal barriers to data exchange arise under federal regulations governing substance use disorder treatment programs—42 C.F.R. Part 2—and Massachusetts laws governing mental health information. The Part 2 rules require patient consent for most disclosures for treatment purposes, and the Massachusetts law could be interpreted as imposing a similar limitation.
  • In addition to legal barriers, the primary obstacles to information sharing include variable adoption of electronic health records across behavioral healthcare providers, the absence of true interoperability between the electronic health record systems maintained by different providers, and the failure of electronic health systems to segregate records subject to heightened privacy restrictions.
  • The impact of the current regulatory obstacles could be mitigated to some degree if:
    1. Massachusetts provided clarifying guidance on the interpretation of ambiguous mental health regulations;
    2. Providers adopted procedures for exchanging data, such as a "consent to access" model, that align with existing legal restrictions; and
    3. The government promoted beneficial technological developments, such as more widespread electronic health record acquisition, stricter interoperability standards, and enhanced data segmentation capabilities.
  • More effective behavioral health information exchange among all of a patient's treating providers will require changes to current laws and regulations. Key changes could include revisions to the Part 2 regulations to simplify the patient consent process and broader treatment exceptions under the Massachusetts mental health information laws.

Working with the behavioral health community, Massachusetts policymakers can take steps to further promote the sharing of behavioral health information. Nevertheless, given the need to continually balance patient privacy with integration efforts, addressing challenges in this area is likely to require ongoing engagement and continued discussions among all stakeholders.


The Unintended Uninsured: The Affordable Care Act's Coverage Gap

Author: Julian Polaris, Associate, Healthcare

Editor's Note: In a new article for the Harvard Law and Policy Review blog, Manatt Health associate Julian Polaris examines the coverage gap, a crack in the Affordable Care Act (ACA) created by the Supreme Court in the 2012 NFIB v. Sebelius decision that allowed each state to determine whether or not to expand Medicaid. The article, summarized below, details the collateral damage for low-income populations in the 19 non-expansion states, explores ways the gap could be addressed at either the state or federal level, and discusses how the Obama Administration is making expansion even more attractive for reluctant states. To read the full article, click here.

____________________________

In 2015 more than 90% of Americans had health coverage, the highest insurance rate in the 50 years the federal government has collected insurance data. This astonishing progress is due in large part to the ACA. The victory is bittersweet, however, due to the coverage gap—a crack in the ACA so wide that 3 million low-income people have fallen through it.

The ACA, as originally passed, aimed to increase access to health coverage in two ways. First, the Act expanded and standardized Medicaid, the public health plan for low-income people. Second, the ACA established insurance exchanges, portals in each state where consumers can shop for standardized plans that aren't tied to a particular employer.

These overlapping reforms created a seamless continuum of coverage for low-income Americans. Everyone earning less than 138% of the Federal Poverty Level (FPL) is eligible for Medicaid, and subsidized coverage is available to those earning from 100% to 400% of the FPL.

Then came the Supreme Court's 2012 decision in NFIB v. Sebelius, which upheld the ACA's central requirement that all Americans secure comprehensive health coverage or pay a penalty. The Court, however, prohibited the federal government from instituting a nationwide eligibility standard and instead allowed each state to choose whether or not to expand Medicaid. Nineteen states so far have rejected expansion, leaving 3 million people trapped in a regulatory no-man's-land between Medicaid and the exchanges.

Addressing the Coverage Gap

Congress could close the coverage gap, but it's extremely unlikely that will happen. Since the ACA was enacted, Congress has prioritized attempts at repeal over attempts at repair. Therefore, all eyes are on the states. Medicaid expansion not only allows more individuals to enjoy the benefits of health coverage, it also benefits the states in the form of reduced costs and new revenues. (Click here to read Manatt's new issue brief, "States Expanding Medicaid See Significant Budget Savings and Revenue Gains.")

The Obama Administration has gone to great lengths to make the expansion deal more attractive for reluctant states. The Centers for Medicare and Medicaid Services (CMS) has granted waivers allowing states to modify their Medicaid expansions to fit their states' political environment. CMS recently announced that the federal government will fund 100% of healthcare costs for American Indians and Alaskan Natives who qualify for Medicaid, a powerful incentive for states with large tribal populations. (Click here to read Manatt's new issue brief, "Medicaid and the Indian Health Service: New Guidance Explains How States May Secure Additional Federal Funds.") In the President's 2017 budget proposal, he also extended additional federal funding to holdout states that agree to expand their Medicaid programs (though Congress is not likely to approve that). Yet 19 states remain unconvinced.

Meanwhile, 3 million people are stuck in the coverage gap, accounting for 10% of America's remaining uninsured population. Here's hoping we can bridge the gap and restore the ACA's promise of affordable coverage for all Americans.


What Are the Top 10 Medicaid Trends to Watch in 2016—and Beyond?

Find Out at a New Webinar from Manatt Health and Bloomberg BNA. Click Here to Register Free and Earn CLE.

Medicaid continues to gain scale and importance nationally—as the leading source of coverage for Americans and a change agent within the healthcare marketplace. With the number of Americans obtaining health coverage through Medicaid at an all-time high and mounting evidence of the benefits of Medicaid expansion—to people, providers and states—the coming year is expected to bring continued growth and change.

In a new webinar for Bloomberg BNA, Manatt Health will reveal the top 10 Medicaid trends to watch in 2016—and beyond. Join us on May 4 from 1:00 p.m. to 2:30 p.m. ET, and you will:

  • Discover the 10 major trends transforming Medicaid—and what new forces are emerging.
  • Gain key insights into each trend's evolution—from its current status to its anticipated impact.
  • Explore how the 10 trends will affect the full spectrum of healthcare audiences—including states, providers, plans, pharmaceutical manufacturers and patients.
  • Find out what State Innovation Waivers have to do with Medicaid—and how they intersect with 1115 waivers.
  • Understand the reasons behind the growing interest in redefining permissible payment parameters under Medicaid.
  • Learn what real-world data is showing about the economic impact of Medicaid expansion in "early adopter" states.

From the continued innovations in Medicaid managed care to the emerging opportunities for improving behavioral health to the building momentum for reforming long-term services and supports (LTSS), the session will take an in-depth look at the 10 most powerful trends today—and their implications for the future of Medicaid and the full U.S. healthcare system. Even if you can't make the original airing on May 4, sign up now and receive a link to view the program on demand. Click here to register free—and earn CLE.

Presenters:

Deborah Bachrach, Partner, Healthcare

Patricia Boozang, Senior Managing Director, Manatt Health

Melinda Dutton, Partner, Healthcare

Cindy Mann, Partner, Healthcare


Arbitration and Network Leasing Arrangements: UFCW & Employers Benefits Trust v. Sutter Health

Author: Sarah Gettings, Associate, Litigation

If a healthcare plan and provider agree to arbitrate disputes under a provider contract, can the provider compel arbitration against third-party payers that access those same contract rates?

Provider networks are a key component of the managed healthcare system. Health plans frequently operate as network vendors and lease access to their networks to third-party payers, allowing those payers to use discounted rates guaranteed under the plans' contracts. In such arrangements, however, there is no direct contract between the provider and third-party payer. So, in a dispute between a third-party payer and provider, the question becomes whether the payer is required to arbitrate and/or is entitled to compel the provider to do so under the provider's contract with the health plan.

In a recently published case, UFCW & Employers Benefits Trust v. Sutter Health, 241 Cal. App. 4th 909 (2015), the California Court of Appeal said no, rejecting Sutter Health's estoppel and statutory arguments that it was entitled to enforce the arbitration provision in its health plan provider contract against a self-funded employee benefit plan that accessed the negotiated contract rates through a separate contract with the health plan. Of particular note was the provider's reliance on California Health & Safety Code Section 1375.7, known as the "Healthcare Providers' Bill of Rights," intended to protect providers from undisclosed contract terms in these types of network leasing arrangements.

Between the late 1990s and the early 2000s, providers routinely complained that they were unaware when third-party payers accessed their discounted rates and, when problems arose, there was no mechanism to govern their disputes with third-party payers. In 2002 the California Legislature passed A.B. 2907, Stats. 2002, ch. 925, which enacted Section 1375.7 of the Health & Safety Code and provides, among other things, that in a network leasing arrangement a provider cannot be held liable for contract terms that differ from its underlying contract: "When a contracting agent sells, leases, or transfers a health provider's contract to a payer, the rights and obligations of the provider shall be governed by the underlying contract between the healthcare provider and the contracting agent." Cal. Health & Saf. Code § 1375.7(d)(1). The statute then invalidates any offending contract terms: "Any contract provision that violates subdivision . . . (d) shall be void, unlawful, and unenforceable." Cal. Health & Saf. Code § 1375.7(e).

In UFCW, the question presented to the Court of Appeal was whether Section 1375.7(d) bound third-party payers to the terms of the underlying provider contracts, or instead prohibited them from accessing discounted rates on terms that differed from the underlying contracts. The Court of Appeal held the latter interpretation was the correct one. Before UFCW, there were no published cases in California discussing or interpreting Section 1375.7, making UFCW's ruling one of first impression.

The facts underlying UFCW were fairly typical. Sutter Health entered into a provider contract with a health plan for negotiated rates. That contract contained an arbitration provision and, importantly, a confidentiality provision. The health plan then entered into an administrative services organization (ASO) agreement with UFCW & Employers Benefit Trust (UEBT), an ERISA-governed employee benefits trust, which allowed UEBT to access the discounted rates. UEBT, however, never signed the underlying provider contract that contained the arbitration provision. In fact, in the ASO agreement with the health plan, UEBT expressly agreed to litigate, rather than arbitrate, disputes in California courts. Further, UEBT had never seen the underlying provider contract, because of its confidentiality provision. So Sutter Health was in the position of arguing UEBT should be held to contract terms it not only did not sign but also had never seen.

In arguing UEBT must arbitrate its claims, Sutter Health took a broad view of the Healthcare Providers' Bill of Rights, arguing the statute gave it the same rights and obligations against third-party payer UEBT as against the contracting health plan. The Court of Appeal agreed the statute applied: the health plan was a "contracting agent," Sutter Health was a "healthcare provider," and UEBT was a "payer" under Section 1375.7(d). The question remained, however, whether Section 1375.7 created contract terms, or prohibited them. The Court of Appeal held the statute, which was intended to protect providers from undisclosed contract terms, could not be used to force undisclosed terms on payers. The Court also rejected Sutter Health's estoppel theory, finding that to the extent UEBT benefited from discounted rates the plan negotiated with providers, that benefit was too indirect to compel arbitration based on equitable estoppel.

Ultimately, with respect to Section 1375.7, the Court was swayed by proposed language that never made it into the bill, which highlighted the impossibility of imposing contract terms in third-party payer arrangements through state law. Many third-party payers are employer trusts governed by ERISA. Accordingly, Section 1375.7 cannot create contract terms by operation of law for such trusts, because ERISA preempts state regulation of them.

The complexity of network leasing arrangements, and the application of state and federal law to separate parts of them, means that if providers want to enforce negotiated terms in their provider contracts against third-party payers, they need a direct contractual relationship or an assignment of rights. The question is whether providers and plans are willing to forgo the typical confidentiality provisions in their provider agreements to that end.

On January 13, 2016, the California Supreme Court denied Sutter Health's petition for review and request for depublication, rendering the decision both final and binding precedent.


Conspiracy Within a Hospital Network: Federal Appeals Court Decision Amplifies Risks for Healthcare Joint Ventures

Authors: Lisl Dunlop, Partner, Litigation | Ashley Antler, Associate, Healthcare | Shoshana Speiser, Associate, Litigation

A recent decision of the United States Court of Appeals for the Sixth Circuit signals that hospitals collaborating under joint operating agreements may face increased exposure to antitrust challenges. Last month a divided panel ruled in The Medical Center at Elizabeth Place, LLC v. Atrium Health System that four hospitals operating as a single network and sharing revenues and losses under a joint operating agreement might be viewed as economically distinct actors capable of conspiring with each other for purposes of considering a competitor's antitrust claims.1 The Sixth Circuit consequently reversed a summary judgment and returned the case to the trial court for determination.

Elizabeth Suit Against Premier Hospital System

The Medical Center at Elizabeth Place (Elizabeth), a 26-bed, physician-owned, for-profit hospital in Dayton, Ohio, sued Premier Health Partners (Premier), which operates four Dayton-area hospitals under a joint operating agreement (JOA). Under the JOA, the hospitals share revenues and losses pursuant to a mutually agreed-upon formula, but the hospitals remain distinct legal entities.2 Each hospital maintains a separate corporate identity, with its own assets, tax returns, CEO and Board of Directors. Premier does not provide healthcare services, but operates the hospitals and handles certain joint financial responsibilities, including negotiating managed care contracts for each of the participating hospitals.

Elizabeth claimed that Premier and its member hospitals conspired to keep Elizabeth from competing in the Dayton-area hospital market through its contracts with insurers and physicians. The alleged anticompetitive conduct included:

  • Coercing commercial health insurers covering approximately 70% of the area's consumers to refuse to contract with hospitals outside of Premier's network, thereby preventing Elizabeth from addressing a large part of the Dayton market;
  • Threatening physicians who affiliate with Elizabeth, including by terminating physicians' office space leases and by withholding referrals; and
  • Threatening punitive measures or financial incentives to persuade physicians to refuse to admit patients to Elizabeth.

If engaged in by competing entities, the conduct alleged by Elizabeth could be a group boycott, which is a per se violation of the antitrust laws.3 The antitrust laws are generally more accepting of vertical restraints, such as exclusivity provisions and incentives to steer business, and such conduct will be judged under the more fact-intensive "rule of reason." Therefore, whether Premier was a single entity or a collaboration of competitors was important in how the case would proceed and in the burden of proof carried by Elizabeth.

Single Entity or Colluding Competitors?

Under the longstanding Supreme Court Copperweld precedent,4 a parent and its wholly owned subsidiary are incapable of conspiring with each other to unlawfully restrict competition because they have a "complete unity of interest" and are not separate economic actors. As such, they are viewed as a "single entity" under the antitrust laws. This principle is not limited to a parent and its wholly owned subsidiary: More recently, in American Needle, Inc. v. National Football League, the Supreme Court applied the Copperweld doctrine to address whether parties to a joint venture were a single entity.5 In that case, the Court held that the NFL was not a single entity, because it joined together entities (football teams) that previously made independent decisions and had individual financial interests that diverged from the joint venture's interests.

Relying heavily on American Needle, the Sixth Circuit considered whether Premier functioned as a single entity for antitrust purposes. This requires courts to "look beyond labels to recognize underlying collusion among competitors,"6 so that where a single legal entity is controlled by a group of competitors and functions as a vehicle for concerted activity, it may be illegal. As both the federal antitrust agencies have cautioned and courts have held, simply labeling a combination of competitors a "joint venture" will not automatically insulate anticompetitive conduct from scrutiny.7

The district court had held that Premier was a single entity incapable of conspiring, and dismissed Elizabeth's antitrust claims. On appeal, the Sixth Circuit reversed, finding that the Premier hospitals did not function as a single entity, but instead maintained separate identities under the JOA and were capable of acting as competitors colluding to eliminate another competitor. The Sixth Circuit remanded the case to the lower court to decide whether the hospitals in fact engaged in illegal collusion.

The Sixth Circuit's decision is surprising given the degree of financial integration and the negotiation of managed care contracts by Premier on behalf of the participating hospitals. The Court appears to have been strongly influenced by evidence that the Premier hospitals viewed themselves as competitors. Instead of entirely coordinating their interests, the Court found that the hospitals continued to act as independent entities that incorporated separately, held assets separately, and competed with each other for patients. Notably, the Court cited findings and interview statements from a consulting firm retained by Premier as evidence that the hospitals pursued individual goals and continued to compete after entering into the JOA.8 These statements included:

  • "[Premier] does not think of itself as an integrated organization";
  • "[Premier] Partners compete with each other for market share"; and
  • "[t]he brand is the hospital, not [Premier]."9

The Court also gave considerable weight to evidence that health insurers boycotted Elizabeth due to provisions negotiated into each of the individual managed care contracts that prevented insurers from adding new hospitals to their networks—conduct that the Court declared anticompetitive on its face. Elizabeth also provided evidence that each insurer knew that other insurers' contracts included these provisions, and monitored each other's compliance with them.

Takeaways

With the significant increase in antitrust scrutiny of provider mergers over recent years,10 joint venture vehicles provide an opportunity to achieve efficiencies without the risk of a merger challenge. Prior to the Sixth Circuit's decision, many healthcare market participants took comfort in the idea that a joint operating agreement with sufficiently centralized control and financial integration would provide collaborating entities with a good degree of protection against antitrust challenges by third parties, such as that in the Premier case. The Sixth Circuit's decision, however, suggests that the analysis may be more complex.

The Premier case also highlights the importance of how collaborating entities view themselves vis-à-vis a joint venture, and the creation of documents that reflect these views. Joint venture participants and their advisers should be careful that internal documents or other materials do not suggest positions inconsistent with the common purpose of the venture.

It remains to be seen whether the Sixth Circuit's approach will be adopted by other circuits, or whether other courts will take a different view. Nonetheless, this opinion sends a warning that entities collaborating under a joint agreement should not assume that the agreement alone will provide shelter from antitrust scrutiny.

1 No. 14-4166, 2016 WL 1105023 (6th Cir. Mar. 22, 2016).

2 The hospitals formed a joint venture instead of merging because one of the hospitals was a Catholic entity prohibited from merging with non-Catholic entities.

3 Per se violations do not require a plaintiff to prove actual competitive effects, merely that the conduct took place.

4 Copperweld Corp. v. Independence Tube Corp., 467 U.S. 752 (1984).

5 560 U.S. 183 (2010).

6 Id. at *4.

7 See, e.g., Fed'l Trade Comm'n & U.S. Dep't of Justice, Antitrust Guidelines for Collaborations Among Competitors 9 (2000); Am. Needle, Inc. v. Nat'l Football League, 560 U.S. 183 (2010).

8 The trial court had excluded these consultant reports as hearsay, but the Sixth Circuit reversed, finding that the statements fall within the hearsay exception for party-opponent admissions.

9 Medical Center at Elizabeth Place, 2016 WL 1105023 at *8.

10 For example, the FTC has recently brought court challenges against mergers of Advocate Health Care Network and NorthShore University HealthSystem in the North Shore area of Chicago, Cabell Huntington Hospital and St. Mary's Medical Center in the Huntington, West Virginia area, and Penn State Hershey Medical Center and Pinnacle Health System in the Harrisburg, Pennsylvania area.


Now You Have a Second Chance to Benefit from "ACA-Driven Litigation: Cases to Watch (and What's Next)."

Click Here to View the Webinar Free on Demand—and Here to Download the Presentation Free.

At a recent webinar for Bloomberg BNA, Manatt Health revealed the areas of the ACA that are fueling litigation, the implications of decisions already handed down, and the potentially game-changing cases to watch in 2016. If you or anyone on your team missed this important session—or want to view it again—click here to access it free on demand. To download a free PDF of the presentation for your continued reference, click here.

The webinar takes a detailed look at ACA implementation and the lawsuits that it's driving. During the program, you have the opportunity to:

  • Get an update on the ACA today, with a progress report on key facets of the law.
  • Identify the issues arising out of ACA implementation that are driving litigation.
  • Gain insights into rulings, cases and implications in four ACA-related litigation areas:
    1. Exchanges
    2. Employer/employee challenges
    3. Medicaid
    4. Privacy and security

If you have any questions about the program or would like to discuss issues specific to your organization, please contact our presenters:


Now You Have a Second Chance to Benefit from "What Does the Medicare Part B Drug Payment Model Mean for Hospitals, Physicians and Biopharmaceutical Companies?"

Click Here to View the Program Free, on Demand—and Here to Download the Presentation Free.

Manatt's recent webinar reveals what the proposed Medicare Part B Drug Payment Model will mean for hospitals, physicians and biopharmaceutical companies. The program provides a valuable guide to what's in the new proposal, if and when it will be implemented, and how it will change the landscape for drug reimbursement. And we don't want you to miss this important information!

To view the program at your convenience, click here to access it free, on demand. To download a free copy of the webinar presentation for your continued reference, click here.

The program shares how the proposal will affect the key healthcare stakeholders. During the session, you will:

  • Learn the motivations behind this proposal.
  • Understand the legal basis for the proposal and how that will impact whether and how it is implemented.
  • Explore what the proposal's changes could mean.
  • Discover how the proposal could impact different providers and drug types.
  • Find out how various constituencies are reacting to the proposal.
  • Hear projections on what may happen to the plan in this highly political year.

If you have any questions—or issues specific to your organization that you'd like to discuss—please contact the webinar presenters:
