News / Resources

Welcome to this week's edition of the Health Law Update. Topics covered today include:

• Physician Sunshine Payment Rule Finalized; Let the Sun Shine In; Payment Reports Flow 
• HIPAA, Gun Control and the President's Executive Actions -- What You Need to Know 
• False Claims Act -- Health System Settles Allegations Related to Payments to Physician Advisors 
• Stark Exception for ESRD Not Recognized in Florida 
• 10 Fraud and Abuse Enforcement Trends You Can't Afford to Ignore in 2013 
• Events Calendar

We hope you find this information helpful. Please contact any member of BakerHostetler's Healthcare Team with questions.

PHYSICIAN PAYMENT SUNSHINE RULE FINALIZED; LET THE SUN SHINE IN; PAYMENT REPORTS FLOW

The Centers for Medicare and Medicaid Services (CMS) recently published the final rule implementing the Physician Payment Sunshine Act (Sunshine Act) that requires most manufacturers of drugs, devices, biologics or medical supplies to annually report payments and other remuneration to physicians and teaching hospitals (Final Rule). The Sunshine Act also requires these manufacturers, as well as group purchasing organizations (GPOs), to disclose physician (including immediate family members) ownership or investment interests. The data collection period begins August 1, 2013, with reporting slated to begin March 31, 2014. CMS will release the data on a public website by September 30, 2014.

Compliance with the reporting obligations under the Sunshine Act, however, will not exempt payers or recipients of covered payments from potential liability under the anti-kickback statute and/or the federal False Claims Act.

Remuneration and Covered Recipients

Manufacturers generally are required to disclose direct and indirect payments or other transfers of value to covered recipients, including payments to a third party "at the request of or designated by the applicable manufacturer on behalf of a covered recipient."

A covered recipient includes any physician, except for a physician who is a bona fide employee of the manufacturer that is reporting the payment. Physicians generally will be tracked through their NPIs. CMS's definition was designed to prevent manufacturers from attempting to circumvent the reporting requirements by styling a physician as an employee and not reporting payments made. CMS will analyze case specific facts to determine whether board members, medical directors and retirees are exempt under the bona fide employee definition.

Teaching hospitals also are deemed to be covered recipients. A "teaching hospital" includes any hospital that receives indirect medical education (IME), direct graduate medical education or psychiatric hospital IME. CMS stated that it will publish a list of teaching hospitals at least 90 days before August 1, 2013.

A "payment or transfer of value" is defined to include a transfer of anything of value. Contrary to definitions under the anti-kickback and Stark laws, a product for purposes of the Sunshine Act has "value" only if it has "discernible economic value on the open market."

Who Is a Manufacturer?

The definition of a manufacturer excludes (1) distributors and wholesalers that do not hold title to a covered drug, device, biologic or medical supply and (2) entities that manufacture a covered product solely for internal use or for use by their patients (e.g., hospitals, hospital-based pharmacies and laboratories).

However, an entity under common ownership (of at least a five percent interest) with a manufacturer also is deemed to be a manufacturer under the Sunshine Act.

Reporting Obligations

Manufacturers must annually report for each payment or transfer of value: (1) the form of each payment (e.g., cash, in-kind items or services, stock or other ownership interest, dividends or similar return on investment); (2) the nature of each payment (a description of the purpose of the payment under one of 17 categories established by CMS, such as consulting, research or charitable contributions); and (3) the identity of up to five related covered products. There are special rules for reporting research payments and for the delayed publication of research or development related payments.

If a payment is made to a group practice, the manufacturer or GPO is required to assign the remuneration to the individual physicians who requested the payment, on whose behalf the payment was made, or who were intended to benefit from the remuneration. Thus, the payment need not be reported in the name of all members of a practice.

Manufacturers and GPOs also must annually report all ownership and investment interests held by physicians or immediate family members of physicians during the preceding year in the manufacturer or GPO. Ownership and investment interests are defined as they are under the Stark Law. Manufacturers and GPOs do not have to report indirect ownership or investment interests held by physicians or immediate family members of physicians if they do not know the identity of the indirect owner.

Finally, GPOs must report direct and indirect payments or transfers of value to physicians with an ownership or investment interest in the GPO. The Final Rule, however, does not require the reporting of ownership or investment interests held by teaching hospitals.

Payments Excluded From Reporting and/or Tracking

Payments excluded from reporting and/or tracking include:

• Payments to residents in medicine, osteopathy, dentistry, podiatry, optometry and chiropractic.
• Certain payments by manufacturers that are not related to a drug, device, biologic and medical supply, including: (1) small covered product manufacturers -- gross revenues from covered products were less than ten percent of total (gross) revenues during the applicable fiscal year; (2) entities related to a manufacturer by common ownership -- must only report payments related to a covered drug, device, biologic or medical supply for which they provided assistance or support to the producing manufacturer; and (3) separate operating divisions of a manufacturer -- if the division does not produce any covered products, it must only report payments to covered recipients related to a covered drug, device, biologic or medical supply.
• De minimis payments of less than $10 (to be CPI adjusted) unless payments to a covered recipient exceed $100 annually.
• Trinkets and event food. Manufacturers need not track (1) incidental items worth less than $10 (e.g., logo items) provided at large events or (2) food or drinks generally made available at large events where it is difficult to identify who consumed the food and drink.
• Educational materials intended to be used by or with patients.
• Samples intended for patient use, including coupons and vouchers.
• Certain payments related to speaking at certain accredited or certified CME programs.
• Discounts and rebates.

Access to Books and Records

Under the Final Rule, the U.S. Department of Health and Human Services (HHS), CMS and the HHS Office of Inspector General (OIG) have the right to audit and inspect any books and records of manufacturers and GPOs related to their compliance with the Sunshine Act.

Review and Correction of Reported Information

CMS will provide covered recipients at least 45 days to review and dispute the information that was submitted by a manufacturer or GPO related to payments to the covered recipient. CMS will notify the covered recipients when the information is available for review. Disputes regarding the accuracy of a report, however, must be resolved between the covered recipient and the manufacturer or GPO.

Penalties

Manufacturers or GPOs who fail to "timely, accurately, or completely" report the required information can be subject to a civil monetary penalty (CMP) of up to $10,000 for each improperly reported payment or transfer of value, or ownership or investment interest. For knowing failure to report, the penalties range from $10,000 to $100,000 for each failure to report. The Final Rule also imposes aggregate limits of $150,000 for unintentional violations and $1,000,000 for knowing violations. However, if an error is corrected during the review and correction period, penalties will not be imposed if the original submission was made in good faith.

For more information, please contact Robert M. Wolin, or 713.646.1327.

top of page

HIPAA, GUN CONTROL AND THE PRESIDENT'S EXECUTIVE ACTIONS -- WHAT YOU NEED TO KNOW

All of the excitement surrounding the publication of the HIPAA Omnibus Final Rule may have overshadowed another very important development in health information privacy. On January 16, 2013, the Obama Administration released its comprehensive plan to reduce the nation's gun violence by banning military-style assault weapons and high capacity magazines, increasing access to mental health services, improving school security and strengthening the background check system. In addition to calling on Congress to pass appropriate gun control legislation, the plan includes 23 Gun Violence Reduction Executive Actions that outline how the Administration intends to implement the plan unilaterally. One of these Executive Actions states the following:

"[T]he Administration will . . . 2. Address unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the background check system."

According to the plan, "some states have cited concerns about restrictions under [HIPAA] as a reason not to share relevant information on people prohibited from gun ownership for mental health reasons. The Administration will begin the regulatory process to remove any needless barriers, starting by gathering information about the scope and extent of the problem."

Prior to the Obama Administration's announcement, Leon Rodriguez, Director of the Office for Civil Rights (OCR), published a letter entitled "Message to Our Nation's Health Care Providers" advising providers that the HIPAA Privacy Rule would not prevent providers from disclosing necessary information about a patient to law enforcement, family members of the patient or other persons when the patient presents a serious danger to himself or other people.

What Does All of This Mean?

The protections of the HIPAA Privacy Rule intersect with the Administration's gun control plan in two important contexts: (1) use and disclosure of patient information without the patient's authorization in order to prevent imminent gun violence; and (2) use and disclosure of mental health information without the patient's authorization for background check purposes.

1. Use and Disclosure to Prevent Imminent Gun Violence. As Director Rodriguez's letter makes clear, under 45 C.F.R. § 164.512(j), protected health information (PHI) may be used or disclosed without patient authorization by a healthcare provider who believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. Furthermore, the provider is presumed to have a good faith belief when that belief is based on the provider's interaction with the patient or in reliance on credible representations from a person with apparent knowledge or authority. Accordingly, HIPAA does not present a legal barrier to using or disclosing PHI without patient authorization to prevent imminent gun violence.
    
   However, some state laws could make this analysis slightly more complex. For example, under Section 611.004(4) of the Texas Health and Safety Code, providers are prohibited from disclosing certain "confidential information," including the diagnosis or identity of a patient in relation to treatment or evaluation for any mental or emotional condition or disorder, unless, among other things, the disclosure is made to medical or law enforcement personnel when the provider determines that there is a probability of imminent physical injury to the patient or others, or the disclosure is made to a person who has the written consent of the patient. Unlike HIPAA's good faith belief exception, which essentially permits any use or disclosure to any individual or entity reasonably necessary to prevent threats to public safety, Texas law restricts permissible disclosures to a limited class of individuals and entities, such as medical personnel, law enforcement and individuals who have received the patient's consent. As this provision is not contrary to HIPAA and appears to be more stringent than its federal counterpart, it is unlikely that it would be preempted under HIPAA's preemption rules and could therefore affect a provider's ability to directly notify specific individuals who may be in danger if the threat is not imminent.
    
2. Use and Disclosure for Background Check Purposes. According to the Administration's plan, the current firearm background check system is incomplete and should be supplemented with additional information, specifically mental health information, in order to accurately identify dangerous people who should not be permitted to obtain firearms. However, providers have not been consistently disclosing patient mental health information to state authorities responsible for reporting the information to the federal background check system, as doing so without the patient's authorization and absent a threat of imminent harm could be considered an impermissible use or disclosure of PHI under both the HIPAA Privacy Rule and applicable state laws. These concerns may be justified, as the use or disclosure of mental health information for background check purposes does not appear to precisely fit any of the narrow exceptions to the HIPAA Privacy Rule that would permit use or disclosure of this information without the patient's authorization. Further, state prohibitions on the disclosure of mental health information, such as the Texas law discussed above, may present additional legal barriers to such disclosure unless the disclosure were to be expressly required or authorized by law.

Precisely how the Administration plans to address these legal barriers remains unclear, as the Administration has promised only to "begin the regulatory process" by "gathering information about the scope and extent of the problem." Political hedging aside, it appears as though further revisions to HIPAA could be just around the corner.

Public comment to proposed revisions could have a significant impact on the direction of this debate. For more information about this and other related topics, please contact Lynn Sessions at or 713.646.1352. Authorship credit to Cory J. Fox at or 713.646.1358.

top of page

FALSE CLAIMS ACT - HEALTH SYSTEM SETTLES ALLEGATIONS RELATED TO PAYMENTS TO PHYSICIAN ADVISORS

The U.S. Department of Justice (DOJ) recently issued a press release related to a settlement agreement between the U.S. Attorney's Office for the District of New Jersey, the state of New Jersey and the Cooper Health System (Cooper) that was unsealed on January 24, 2013 (the Agreement). According to the DOJ, Cooper has agreed to pay a total of $12.6 million to the U.S. and New Jersey to resolve allegations that it violated the federal and New Jersey civil false claims acts by submitting claims for cardiology services that resulted from improper payments to cardiologists.

The DOJ alleges that from October 2004 through December 2010, Cooper paid outside physicians approximately $18,000 per year to serve on the Cooper Heart Institute Advisory Board (CHIAB). The CHIAB physicians' duties reportedly involved only minimal effort, including attendance at four meetings per year. According to the DOJ, Cooper intended for the payments to induce the physicians to refer patients to Cooper, and such referrals were realized as a result of the payments. Thus, Cooper allegedly violated the federal and New Jersey anti-kickback and physician self-referral laws, and subsequently, the federal and state false claims acts by submitting claims to the Medicare and Medicaid programs for services resulting from the tainted referrals. The case was initiated by a physician whistleblower who was approached by Cooper to serve on the CHIAB but declined to do so. While Cooper has denied any wrongdoing in this matter, the DOJ press release indicates that Cooper has implemented internal changes to address such misconduct and prevent future issues.

This settlement underscores recent efforts by federal and state government to seriously pursue allegations of false claims violations predicated on conduct that violates the anti-kickback and physician self-referral laws. If you need assistance evaluating arrangements involving physicians that may implicate these laws, please contact Donna S. Clark at or 713.646.1302 or Darby C. Allen at or 713.646.1311.

top of page

STARK EXCEPTION FOR ESRD NOT RECOGNIZED IN FLORIDA

On January 10, 2013, the U.S. Court of Appeals for the Eleventh Circuit ruled in Fresenius Medical Care Holdings, Inc. v. Tucker, that an arrangement can violate Section 456.053 of the Florida Statutes, also known as Florida's "Patient Self-Referral Act of 1992" (Florida Act) even though the arrangement complies with federal Stark Law.

In the Fresenius case, out-of-state corporations (Appellants) provide renal dialysis services in Florida, both directly and through subsidiary corporations, to patients suffering from end-stage renal disease (ESRD). The Appellants sought to use a vertically integrated business model in Florida so they can refer all of their ESRD patients' blood work to associated laboratories after providing the patients dialysis treatment at their clinics. This arrangement, however, would create a violation of the Florida Act, even though it was permissible under Stark Law.

The Stark Law prohibits physicians from referring their Medicare and Medicaid patients to business entities for designated health services in which the physicians or their immediate family members have a financial interest. However, in promulgating the regulations to implement Stark, the Secretary of HHS created an exception that allows physician referrals to associated entities for clinical laboratory services related to the treatment of ESRD, in addition to several other exceptions. Originally, the Florida Act, like the Stark Law, exempted physicians in the renal dialysis industry from the self-referral prohibition, but this exemption subsequently was repealed by the Florida Legislature in 2002.

The Appellants in Fresenius challenged the Florida Act since the proposed arrangement would be permissible under the Stark Law, claiming that the Florida Act was unconstitutional because (1) it was preempted by federal law; (2) it violated the dormant Commerce Clause; and (3) it violated substantive due process. However, the Eleventh Circuit Court of Appeals did not agree. As a result, the Florida Act remains valid, despite the fact that it prohibits conduct allowed under Stark Law.

There are other differences between Stark Law and the Florida Act beyond the ESRD exception. Therefore, when considering an arrangement involving physicians in Florida, it is important to evaluate whether the arrangement complies with both federal and state law.

For more information, please contact David L. Schick at or 407.649.4084 or Jessica Captain Novick at or 407.649.4025.

top of page

10 FRAUD AND ABUSE ENFORCEMENT TRENDS YOU CAN'T AFFORD TO IGNORE IN 2013

To paraphrase a famous quote, "Those who do not learn from history are doomed to repeat it," and providers who ignore the significance of the federal government's healthcare fraud enforcements efforts in 2012 do so at their own peril. As expected, 2012 saw an increase in the number of criminal, civil and administrative enforcement cases, fueled by additional funding and enforcement tools provided by the Affordable Care Act (ACA) and other regulatory overhauls that are fundamentally reshaping the healthcare industry. But 2012 also included unexpected and unprecedented developments that could serve as important indicators of what's to come in 2013. Using lessons from 2012, we have compiled a list of the ten fraud and abuse enforcement trends that providers simply cannot afford to ignore in 2013:

1. Hospitals beware: Increased enforcement activity may be headed your way.
    
   In 2012, large pharmaceutical companies frequently were targeted in enforcement actions. Many of the pharmaceutical industry's biggest players, including Abbott, GlaxoSmithKline (GSK) and Pfizer, settled allegations of off-label promotion and improper sales conduct by paying millions and, in some cases, billions of dollars to the federal government. However, now that most of these large pharmaceutical companies have resolved their fraud and abuse liability, the federal government appears to be shifting its enforcement focus to hospitals. The year 2012 saw a general increase in the number of settlements involving hospitals, with many settlements focusing on allegations that the hospitals were admitting patients for the performance of services, such as kyphoplasty services, that should have been performed on an outpatient basis. These settlements involved some large and well-known hospital systems and resulted in substantial recoveries for the federal government. Hospitals can expect more of this enforcement activity in 2013.
    
2. When it comes to HIPAA/HITECH enforcement, the gloves are off.
    
   The HHS OCR published an unprecedented number of settlements stemming from breaches of unsecured electronic health information under HIPAA/HITECH in 2012. In doing so, OCR sent a strong message to the healthcare industry: the time for education is over -- the time for enforcement is now. For example, the OCR published the first ever settlement agreement stemming from a breach affecting less than 500 individuals in 2013, further demonstrating its zero tolerance approach towards HIPAA/HITECH violations. In addition, the long-awaited HIPAA Omnibus Final Rule finally has been released, increasing the penalties noncompliant providers could face. In light of the Final Rule, we can expect record-breaking levels of HIPAA/HITECH enforcement activity to continue in 2013.
    
3. More individuals, including C-suite executives, are being held personally accountable.
    
   The federal government has demonstrated a willingness to supplement the deterrent effect of monetary penalties against noncompliant corporations by holding individuals, including corporate officers and executives, personally accountable for the actions of their corporation. This strategy was readily apparent in Friedman v. Sebelius (D.C. Cir., No. 11-5028, July 27, 2012). In Friedman, Purdue Frederick Company's president, executive vice president, chief legal officer and vice president of medical affairs each pleaded guilty to misdemeanor misbranding charges under the Responsible Corporate Officer (RCO) doctrine in connection with fraudulent marketing practices. Under the RCO, the government did not need to prove that the executives intended to violate the law -- just that they failed to prevent violations occurring within the company.
   
   But the federal government's efforts to hold these individual's accountable did not stop with the criminal prosecution. The HHS OIG also moved to exclude the Purdue executives from participation in federal healthcare programs for a period of 20 years. While the length of these exclusions was eventually reduced, Friedman sent a clear message that fraud and abuse will be addressed at the individual as well as the corporate level.
   
   Two other 2012 cases further demonstrated this approach. In its plea agreements with GSK and Abbott Pharmaceuticals, the DOJ required the president of GSK's North American Pharma Division and Abbott's CEO to personally certify, under penalty of perjury, that their respective companies had satisfied the government's compliance requirements under the agreement. Such Sarbanes-Oxley-type certification requirements underscore the government's focus on deterring fraud and abuse by holding individuals, including corporate officers and executives, personally accountable. As 2013 promises to bring more of the same, C-suite executives should be aware that failing to be actively involved in their organization's compliance efforts could result in personal liability.
    
4. OIG's broadly interpreted permissive exclusion authority for misdemeanor conduct "related to fraud" may make some executives think twice about pleading guilty.
    
   In addition to revealing the federal government's intention to hold corporate officers and executives personally accountable, Friedman also may have affected the strategy by which individuals charged with criminal healthcare fraud offenses choose to resolve their case. Recall that in Friedman, the Purdue executives pleaded guilty in a criminal case to a misdemeanor charge of off-label promotion of drugs. This charge did not require any proof or admission by the defendants that they had engaged in fraudulent or intentional misconduct. Nonetheless, the OIG exercised its permissive exclusion authority against the executives on the basis that a conviction for misbranding of a drug constituted a misdemeanor "relating to fraud" under 42 U.S.C. § 1320a-7(b). In upholding the exclusion, the D.C. Circuit Court of Appeals reasoned that the exclusion statute was intended to apply broadly to any conviction that has a "factual connection" to fraudulent conduct, even if the offense charged does not require proof of fraud. In light of Friedman, individuals should consider the consequences of pleading guilty to misdemeanor charges in an effort to resolve a case that could include felony charges, as doing so could result in exclusion if the OIG finds that the misdemeanor has a factual connection to fraudulent conduct.
    
5. Plea agreements may be used more frequently as a compliance tool.
    
   The DOJ has demonstrated that it was not opposed to placing offending companies under its own compliance supervision via a plea agreement, which could include more severe consequences for noncompliance than those typically found in a corporate integrity agreement. The GSK and Abbott plea agreements each included numerous compliance mandates that, if violated, could unravel the plea agreement and result in new criminal charges being filed, in addition to significant monetary sanctions. These plea agreements, as discussed above, also imposed certification obligations, under penalty of perjury, on each company's corporate executives. While these plea agreements do not necessarily indicate a formal shift in the DOJ's healthcare fraud prosecution policies, organizations should be aware of the DOJ's inclination to use plea agreements as an additional compliance tool.
    
6. Expect government action to address alleged fraud related to electronic health records.
    
   On September 24, 2012, HHS and the DOJ sent a letter to the country's leading hospital associations discussing their concern that electronic health records (EHRs) were being used "to game the system" in furtherance of fraud and abuse in the nation's healthcare programs. The letter did not include any guidance to providers, but it did indicate that "appropriate steps" would be taken to combat fraud and abuse related to EHRs. The letter indicated that action could include administrative payment suspensions and/or criminal prosecutions.
    
7. Employment of excluded individuals will continue to be an enforcement priority.
    
   Of all the actions in which OIG has assessed CMPs against a provider, either based on the provider's self-disclosure or another source, 57 percent of the CMPs were imposed for employing excluded individuals. A long-standing concern by the federal government, the employment of excluded individuals will remain a major enforcement priority in 2013 that healthcare providers must address by implementing effective screening processes.
    
8. More regulations are on the way.
    
   In addition to the HIPAA Omnibus Final Rule, several other rules and regulations, many of which are required under the ACA, have been published or are slated for publication in 2013. For example, the recently issued Physician Payment Sunshine Act Final Rule will require mandatory disclosure of payments between manufacturers and physicians. Additionally, rules regarding mandatory compliance programs and overpayment refunds also are expected in 2013. These rulemakings could have a dramatic impact on the healthcare industry, and we will continue to monitor these issues.
    
9. Healthcare fraud and abuse enforcement is big business, involving big dollars, and will only continue to expand.
    
   In a recent speech, HHS Inspector General Daniel Levinson opined that 20-30 percent of all healthcare spending was waste and abuse. Pursuant to this position, in 2012 the federal government continued to aggressively pursue recovery of these funds by securing substantial settlement payments, including multiple billion dollar settlement payments, from noncompliant providers. States also are getting in on the act. For example, the Texas attorney general's office recently reported a new state record of $1 billion in Medicaid fraud recoveries over the last ten years; $400 million of which was returned to the state's coffers. Because fraud and abuse enforcement and recovery efforts tend to be well received on both sides of the political aisle, expect continued expansion of fraud and abuse enforcement activity by federal and state government in 2013 and beyond.
    
10. Providers should think outside the box when developing and/or improving their compliance programs.
     
    While BakerHostetler has had much success in defending against the enforcement activity described above, the first step in mitigating or avoiding enforcement is an organization's commitment to compliance with federal and state healthcare laws and regulations, including the anti-kickback statute, Stark and physician self-referral laws, billing compliance and HIPAA and privacy breach regulations, among other risk areas. BakerHostetler routinely designs and assists healthcare providers with the implementation of corporate compliance programs, which memorialize an organization's commitment to compliance and allow for early detection of possible fraud and abuse issues.

For more information on any of the above issues, please contact Gregory S. Saikin, or 713.646.1399 or Cory J. Fox, or 713.646.1358.

top of page

EVENTS CALENDAR

February 12

Houston counsel Gregory S. Saikin will speak on "Identifying Organized Health Care Fraud Rings," at the 15th Annual Fraud Conference sponsored by the Texas Department of Insurance in Austin, Texas.

February 28

Cleveland counsel John S. Mulhollan will speak on "HIPAA/HITECH Changes: What They Mean to Your Medical Group and What Steps You Can Take to Comply" at a webinar sponsored by the Ohio Medical Group Management Association.

March 10

Cleveland counsel Thomas S. Campanella will speak on "Hot Topics in Healthcare Policy" at the Annual Conference of the North Central Academy of Podiatric Medicine in Cleveland, Ohio.

top of page

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2013 Baker & Hostetler LLP