Health Law Update—January 23, 2014

Alerts / January 24, 2014

Welcome to this week's edition of the Health Law Update. Topics covered today include:

We hope you find this information helpful. Please contact any member of BakerHostetler's Healthcare Team with questions.


The Accountable Care Organization (ACO) offers the promise of shared savings when the ACO delivers high-quality healthcare more cost effectively. Without question, ACOs will change the way healthcare providers do business. For the employer with a unionized workforce, however, the promise of the ACO will wither if the employer is unable to implement necessary operating changes. And for nonunion employers, ACOs may create new vulnerability to union organizing. The purpose of this article is to anticipate potential trouble spots and prescribe preventive treatment as healthcare employers enter the ACO world.

Tell Me Where it Hurts

The premise underlying ACOs is that by joining forces, healthcare providers can reduce cost and improve outcomes. So, for example, a hospital may coordinate the delivery of care with home healthcare providers to ensure that elderly patients with chronic but manageable conditions take medications as prescribed and engage in a healthy lifestyle. Or, a hospital and a physician group may be jointly accountable for outpatient, non-emergent services at a lower cost. If the ACO is successful, then it may be entitled to share in the savings with Medicare.

The following are examples of potential labor relations trouble spots for ACOs:

  • A unionized hospital may want to provide direction to employees of its nonunion partner in the ACO. Does that make the nonunion partner's employees hospital employees (i.e., potentially part of the bargaining unit)?
  • If the hospital and the ACO have employees who do similar work and the hospital sends patients to the ACO for lower-cost services, is that subcontracting of bargaining unit work?
  • The hospital may change job descriptions or may wish to have more flexible job descriptions to allow for more efficient staffing. Will that constitute a negotiable change in employee working conditions?
  • The union may demand wage increases or bonuses that allow union employees to participate in the Medicare shared savings program. The employer may want to move away from the classic compensation structure--step increases, lock-step compensation and shift differentials--to reward better patient outcomes and/or collaboration across job classifications. Can these interests be accommodated?
  • Employees of the hospital's partners may be vulnerable to organizing through more frequent interactions with unionized hospital employees.

Rx: Preventive Care

For all of these potential ills, preventive care is the best course of treatment.

For union employers, changes in employees' wages, hours and other conditions of employment (such as employee evaluations and discipline) generally are within the scope of bargaining. Whether the employer has a duty to bargain with the union before it makes a decision, or only over the effects of the decision, or both, depend on the particular facts and circumstances. For example, what is driving the change? And what does the collective bargaining agreement (CBA) say about the employer's unilateral right to make the change?

Employers should anticipate demands to bargain and have a strategy ready before giving notice to the union. For example, if employees will be required to perform new duties as a consequence of a change in operations, the decision to change duties might not be negotiable, but the union will have the right to demand to bargain over employee evaluations or discipline related to the new duties. The employer might want to offer a grace, or "ramping up" period, or additional training for employees, and should build enough time into its implementation timetable to allow this to happen.

In addition, as CBAs open for negotiation, employers may bargain for broader management rights, greater latitude in adopting work rules or modifying job descriptions and the ability to subcontract bargaining unit work. With such language in a CBA, the union can waive its right to bargain over decisions that might otherwise be within the scope of bargaining. Thus, for example, the employer may ask for the right to change qualifications for a job classification or increase productivity standards without having to negotiate with the union. Instead, the employer may offer to "meet and discuss" with the union. One caveat is that a waiver of the right to bargain over a decision may not absolve the employer of the obligation to bargain over the effects of the decision.

Hospital employers also may want to depart from the classic compensation structure, which rewards longevity and often places heavy financial burdens on the hospital for practices intended to allow staffing levels to follow fluctuations in patient census. Hospital employers also may need to renegotiate layoff language, so that they retain the right to keep more qualified employees, or employees with special skills, without regard to seniority. These changes will need to be paid for in some manner; the union will want some trade-off to justify what the rank-and-file would surely consider tremendous "take aways." This is where the potential increased revenue offered by the ACO model can be useful. Sharing some of this revenue with employees is less risky to the employer than automatic step increases, or on-call or call-off pay, which must be paid whether or not the hospital is profitable.

ACOs may create opportunities for increased unionization in healthcare. Nonunion employees may be introduced to unions representing employees of their ACO partners. Unions also may conduct corporate campaigns, exerting pressure on nonunion ACO partners to agree to neutrality/card check agreements. Finally, it is widely suspected that the National Labor Relations Board (NLRB) may make it easier for unions to organize, in a single bargaining unit, employees of a principal employer and a subcontractor. See Miller & Anderson Inc. Case 05-RC-079249; Bergman Brothers Staffing Inc. Case 05-RC-105509. Such a step could allow unions to try to organize multiple ACO partners or to expand existing bargaining units through accretion.

Employers should be proactive, maintaining healthy employee relations practices that will discourage organizing efforts. Good and timely communication with employees, transparent policies and fair and consistent treatment of employees are essential. Employers also should review employee handbooks and personnel policies to ensure that they comply with the latest NLRB decisions. This will reduce the risk of successful unfair labor practice charges, always good fodder for union organizing.

Call Me in Two Weeks

While the ACO is in its relative infancy, we already are seeing new variants on current models and creative means of improving healthcare outcomes at reduced cost. Managing the labor relations aspects of ACOs thus will require regular check-ups--periodic review of job descriptions, pay policies and staffing strategies and assessment of labor relations strategy to ensure that it can support the continued health of the organization.

For more information, please contact Ellen Shadur Gross, or 310.442.8816.


Founders Pavilion, Inc., a skilled nursing facility, sent prospective employees for preemployment physicals. As part of the physicals, an independent physician requested the prospective employee's family medical history as part of the physician's post-offer, preemployment medical exams protocol. However, the Genetic Information Nondiscrimination Act (GINA) prohibits employers from requesting genetic information or making employment decisions based on genetic information. Genetic information includes family history questions.

The EEOC filed suit against the facility for these and other violations. Founders agreed to pay $370,000 to settle the EEOC discrimination lawsuit.

Provider employers must educate physicians providing employee health services to assure that they understand the limitations of GINA and the differences between the employment services paradigm, collecting information to ascertain whether a person can currently perform job tasks and their normal paradigm of medical treatment. While family history may be relevant to medical treatment, it generally cannot be collected or used in the employment context. Physicians should be instructed not to request genetic information, including family medical histories in performing services for an employer.
GINA has a discretionary safe harbor notice employers can provide when seeking medical information from employees or employees' medical providers and a mandatory notice employers must provide when seeking medical information from their own doctors. The safe harbor notice states that GINA:

"...prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. 'Genetic information,' as defined by GINA, includes an individual's family medical history, the results of an individual's or family member's genetic tests, the fact that an individual or an individual's family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual's family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services."

When an employer requests medical information from the employer's physician, such as for a fitness-for-duty examination, the employer must tell the doctor not to collect genetic information. Each time an assessment is requested, employers should include a GINA Safe Harbor notice directing the physician not to ask about the person's family history or other genetic information, and not to disclose genetic information that may be in the doctor's records, if the physician has previously seen the person.

For more information, please contact Robert M. Wolin, or 713.646.1327.


On January 8, 2014, the U.S. district judge in the Halifax Hospital Medical Center (Hospital) case pending in the Middle District of Florida granted the Hospital's motion to dismiss all of the relator's anti-kickback law claims. This False Claims Act case is partially predicated on alleged violations of the Stark Law and the anti-kickback law arising from financial relationships with physicians. In November, the court granted partial summary judgment in favor of the government, finding that the Hospital's compensation arrangement with employed oncologists violated the Stark Law. See the December 12, 2013 issue of the Health Law Update.

The government had elected not to intervene in the anti-kickback law claims, which turned out to be a wise decision as the district judge held the bona fide employment exception to the anti-kickback law protected the arrangements with the physicians despite the physicians being employed by a separate legal entity, Halifax Staffing. Noting that Halifax Staffing was an instrumentality and alter ego of the Hospital, the district judge applied the common law agency test and determined that the relator failed to establish that the physicians actually were controlled by Halifax Staffing rather than the Hospital or that the physicians otherwise were independent contractors of the Hospital. As a result, the compensation paid to the physicians was protected under the bona fide employment exception to the anti-kickback law, which notably does not contain a fair market value standard or prohibit compensation that is based on the volume or value of the physicians' referrals.
The court also granted the Hospital's motion to dismiss the relator's claim that the Hospital violated the Stark Law by entering into an unprotected medical director arrangement with a physician because the relator did not identify any prohibited referrals to the Hospital by the medical director. The Hospital was unsuccessful in obtaining dismissal of claims advanced as to two employed psychiatrists because it admitted in discovery that the psychiatrists had made referrals to the Hospital for designated health services. Because the psychiatrists' compensation included a fixed salary and a productivity bonus equaling 100 percent of the hospital's gross collections less billing and collection costs and their salaries, the court held that the physicians' compensation varied with the volume or value of referrals. As a result, the Stark Law's employee exception was inapplicable.

The court also allowed the relator's False Claims Act claims predicated on medically unnecessary inpatient services, commonly called "short stays," and conspiracy claims related to the False Claims Act violations to survive the Hospital's motion for summary judgment.

We will continue to monitor this and other high-stakes cases across the country that demonstrate the government's increased focus on enforcement of federal healthcare fraud and abuse laws. If you need assistance in designing or analyzing relationships with referring physicians to ensure compliance with these laws, please contact Donna S. Clark, or 713.646.1302; or Darby C. Allen, or 713.646.1311.


As the final days of 2013 passed and the sunset of the Stark Law exception and anti-kickback law safe harbor for electronic health record (EHR) donations loomed nearer, the U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) issued last-minute final regulations to extend the expiration date of the provisions through 2021, subject to certain exclusions. CMS cited as its reason for extending the sunset date that the adoption of interoperable EHR technology remains an important goal of HHS.

CMS and OIG each limited the categories of protected donors of EHR technology in the final rule in an effort to curb potential fraud and abuse identified by commenters arising from such arrangements. Specifically, CMS and OIG excluded laboratories from the list of protected donors due to reports of labs conditioning donations of EHR on physicians' referrals. CMS stated it was concerned that such abusive arrangements may impact patient care if physicians make referral decisions based on the donation of EHR technology rather than the quality of services provided by a lab. Laboratories that are departments of a hospital and billed under the hospital's provider number will continue to qualify as protected donors. CMS and OIG also clarified that any action taken by a donor or any person on behalf of the donor, including the EHR vendor or the physician recipient, to limit the use of the donated items or services would not be protected under the exception and safe harbor. The agencies specifically stated that a vendor that charges high interface fees to nonrecipient providers or the donor's competitors may pose concerns that parties were improperly locking in referrals. The final rules also updated the interoperability deeming provision and removed the electronic prescribing capability requirement.

If you need assistance in creating or maintaining an EHR donation arrangement that is in compliance with the Stark Law and anti-kickback law, please call Donna S. Clark, or 713.646.1302; or Darby C. Allen, or 713.646.1311.


On January 25, 2013, the HHS Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. Under the Final Rule, business associates and subcontractors are directly liable to OCR for compliance with the Privacy and Security Rules and may be assessed civil monetary penalties (CMPs) for violations. The Final Rule also expands the definition of the term business associate and requires business associates to execute sub-business associate agreements with subcontractors. The Final Rule also includes important changes to the standard for determining whether a breach of protected health information (PHI) has occurred such that affected individuals must be notified. Specifically, the Final Rule has replaced the previous standard, which required a subjective analysis of whether a breach posed a significant risk of financial, reputation or other harm to affected individuals, with what OCR calls a more objective standard that presumes a breach has occurred, unless the covered entity can demonstrate a low probability that PHI has been compromised based on an analysis of the following four factors: (1) the nature and extent of the PHI; (2) the unauthorized person involved; (3) whether the PHI actually was acquired or viewed; and (4) the extent to which the harm has been mitigated. In addition, the Final Rule alters HIPAA's marketing and fundraising provisions, requiring valid authorization for marketing communications made in exchange for financial remuneration and a clear and conspicuous opportunity for individuals to opt out of receiving fundraising communications. The Final Rule also prohibits the use of genetic information by health plans for underwriting purposes, limits disclosures to health plans where a patient has paid for services out-of-pocket, and requires a covered entity to provide requested records in electronic form where possible.

OCR issued a total of six resolution agreements in 2013, with settlement terms ranging from $50,000 to $1.7M in CMPs, and corrective action plans ranging from 60 days to two years. The 2013 resolution agreements are representative of OCR's focus on two primary types of action/inaction: (1) ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) unforgivable disclosures. In January 2013, OCR announced its first settlement agreement stemming from a breach involving less than 500 patients reported by Hospice of North Idaho in its annual report to OCR regarding a June 2013 theft of an unencrypted laptop. OCR found failures to conduct a risk analysis regarding PHI on portable electronic devices, to implement appropriate security measures to address potential risks and to document rationale for decisions as required by the Security Rule. In May 2013, OCR continued its focus on identifying and mitigating security risks by announcing its settlement agreement with Idaho State University regarding an August 2011 incident where PHI was left unsecured for at least ten months due to the disabling of firewall protections on servers. In June 2013, OCR announced a settlement agreement with Shasta Regional Medical Center (SRMC) stemming from January 2012 improper disclosures of patient information by SRMC leaders to various media outlets. Soon thereafter, in July 2013, OCR announced its resolution agreement, and largest CMP of the year—$1.7M with WellPoint, Inc. regarding security weaknesses in WellPoint's online application database over five months during 2009-2010, which left ePHI accessible to unauthorized individuals over the Internet. OCR focused on WellPoint's failure to assess security risks, including during a software upgrade which would affect the security of ePHI maintained in its web-based application database. OCR's fifth resolution agreement of the year, announced in August 2013, again focused on the failure of an organization, Affinity Health Plan, Inc. (Affinity), to assess and identify the security risks and vulnerabilities associated with ePHI. OCR's investigation focused on Affinity's impermissible disclosure of ePHI when it failed to properly erase photocopier hard drives prior to sending the photocopiers to a leasing company. To end 2013, HHS OCR issued its sixth resolution agreement with Adult & Pediatric Dermatology, P.C. (APDerm), a private practice delivering dermatology services in Massachusetts and New Hampshire. OCR focused on APDerm's lack of policies and procedures addressing the breach notification provisions of the HITECH Act.

As the 2013 OCR resolution agreements demonstrate, organizations of all sizes and types must continue to determine how to best ensure patient access to PHI while also adequately safeguarding PHI into 2014. Enforcement activity is likely to increase in 2014 given OIG's November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. Based on the 2013 resolution agreements, covered entities and their business associates must continue to analyze risk, conduct ongoing risk management and review routine information systems as part of an effective HIPAA security compliance program.

In addition to the resolution agreements discussed above, we continued to see healthcare entities respond to data breach incidents throughout 2013. Covered entities reported close to 145 incidents affecting 500 or more individuals, with a large portion of these incidents attributable to lost or stolen unencrypted electronic devices and a number of incidents still arising from paper records. From the 2013 incidents, covered entities continued to learn that breach response does not stop at notification. Plaintiffs in class action litigation continue to assert various causes of action, including under state and federal laws, in an attempt to recover damages due to the alleged failure of a covered entity to protect patient information. In addition to class action litigation, we continue to see OCR and state attorneys general involved in data breach response and investigation. These regulators have not limited their work to covered entities, but also have pursued action against the business associates of such entities. Thus, in the coming year, we anticipate many covered entities and business associates revisiting their business associate agreements, analyzing and allocating risk and implementing new privacy and security measures to better comply with applicable law.

For more information, please contact Lynn Sessions, or 713.646.1352; Kimberly M. Wong, or 212.271.2028; Cory J. Fox, or 713.646.1358 or Anne Foster, or 216.861.7258.


Congratulations to the BakerHostetler Privacy and Data Protection Team for being named by Law360 as a "Practice Group of the Year" in the area of Privacy Law. Groups were chosen by a panel of Law360 editors who reviewed roughly 675 submissions from 130 law firms and chose 154 groups from 69 firms to honor this year.

Late last year, Privacy and Data Protection Team Co-Leader Theodore J. Kobus III was individually named as a "Privacy MVP" by Law360.

"I am tremendously proud of this recognition as a premier Privacy and Data Protection Group. We pride ourselves on being at the forefront of this ever-changing area of law and are very proud to be named as a leader," said Privacy and Data Protection Team Co-Leader Gerald Ferguson. Privacy and Data Protection Team Co-Leader Theodore J. Kobus added, "We have a very collaborative team dedicated to client service, and this has helped us attract some of the most talented lawyers practicing privacy, including Pamela Jones Harbour who joined us this week."

Read more about BakerHostetler's Privacy and Data Protection Team.


Join BakerHostetler antitrust attorneys for an in-depth look at FTC investigations into hospital and physician transactions. The webinar will take place on Wednesday, February 26, 2014, from 12:30 p.m. - 1:30 p.m. ET. Topics will include:

  • Insights from a former FTC Commissioner involved in nearly 30 healthcare enforcement actions while at the Commission
  • Latest statistics on FTC investigations of, and challenges to, hospital transactions
  • Factors that may trigger an investigation by the FTC
  • What may bring about a direct challenge from the FTC
  • Steps and strategies healthcare providers can employ when contemplating a transaction to minimize the likelihood of an FTC investigation or challenge

Click HERE to register for this free webinar.


As an enhancement to the highly successful, biweekly Health Law Update e-mail newsletter, the Healthcare Industry team launched the Health Law Update blog this month to provide timely news and updates on health law and policy to the healthcare industry. The blog will serve as an added resource for clients, while cementing the reputation of team members as thought leaders in the field. Targeting the hospital industry and physician practices, suppliers and pharmaceutical companies and specialized niche providers, it will feature late-breaking news, developments in health law and policy changes in the industry.

"Our goal is to build on our reputation as a well-known and trusted resource in the healthcare industry--where providers and other organizations turn when they need guidance," said Healthcare Policy Analyst and Blog Editor Kathleen Rubinstein.
Potential topics include Medicare, Medicaid, the State Children's Health Insurance Program, the Affordable Care Act, the False Claims Act, Stark Law, anti-kickback law, regulatory compliance and enforcement issues, reimbursement matters and disputes, physician and hospital relationships, HIPAA/HITECH, medical privacy, managed care, children's healthcare, pharmaceuticals, biologics and medical devices.


January 25-26

Washington, D.C. counsel Lee Rosebush will speak on "Glass Half Full, Glass Half Empty? ACA Brings Opportunities, Challenges for Pharmacists" at the Florida Pharmacy Association's Regulatory and Law Conference in Destin, Florida.

January 29

Houston partner Lynn Sessions will speak on "Where Do I Put My Stuff?" during a presentation for Data Security Week at Rice University in Houston, Texas.

February 18

Houston partner Lynn Sessions will speak on "Enterprise Risk Management: Back to Basics" during a webinar series sponsored by the American Health Lawyers Association.

March 7

Houston partner Lynn Sessions will speak on "Regulation Overload: Defending Against Privacy and Data Breaches to Mitigate Penalties" at the Advanced Forum on Healthcare Provider Disputes sponsored by the American Conference Institute in Miami, Florida.

April 3

Houston partner Lynn Sessions will speak on "HIPAA/HITECH: The Final Rule" at a Healthcare Educational Workshop sponsored by Beazley in Los Angeles, CA.

April 8

Houston partner Lynn Sessions will speak on "Cyber Liability" at the 2014 Higher Education Risk Management Conference sponsored by The University of Texas System in Lost Pines, Texas.

April 10

Houston partner Scott McBride will speak on "The New Age of Health Care False Claims Act Enforcement" at the 26th Annual Health Law Conference sponsored by The University of Texas School of Law in Houston, Texas.

April 11

Houston partner Susan Feigin Harris will speak on "Status of the Affordable Care Act" at the 26th Annual Health Law Conference sponsored by the University of Texas School of Law in Houston, Texas.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Related Industries