Each year brings significant changes and challenges in the laws governing the health care industry, and 2014 proved to be no exception. What the year may have lacked in the high drama that accompanies comprehensive health reform legislation (2010), high court review of such legislation (2012), or bungled implementation of a central component of the same (2013), it made up for in high-profile cyber-security attacks, significant developments in False Claims Act litigation and HIPAA enforcement, and an ongoing public health challenge that has prompted providers to consider essential operational issues and reinvigorated debate on key health policy issues. The year also included the promise that the fate of the Affordable Care Act will again be in our next year-end review, as the Supreme Court agreed to consider an appeal regarding the provision of subsidies to individuals who purchase health insurance through an exchange established by the federal government.

We have compiled a list of 10 important issues that affect a broad range of health care industry clients. If you would like to learn more about these or other health law issues, please contact any of the attorneys in the Health Care practice group at Bradley Arant Boult Cummings LLP.

Closely Watched Case Involving Stark Law Allegations Settles

In March, Halifax Hospital Medical Center agreed to pay $85 million to settle allegations that it entered into certain arrangements with medical oncologists and neurosurgeons in violation of the Stark Law, resulting in the submission of false claims under the federal False Claims Act (FCA). The government alleged that Halifax knowingly violated the Stark Law by executing contracts with six medical oncologists that provided an incentive bonus that improperly included the value of prescription drugs and tests that the oncologists ordered and Halifax billed to Medicare. The government also alleged that Halifax knowingly violated the Stark Law by paying three neurosurgeons more than the fair market value of their work. As part of the settlement, Halifax also executed a five-year corporate integrity agreement which requires the hiring of two independent compliance experts to monitor all future arrangements with physicians. Halifax settled those FCA claims in which the government did not intervene in July for an additional $1 million.

The settlement leaves in place a number of trial court rulings on a number of key issues, including the court’s conclusion that a violation of the Stark Law can lead to FCA liability for claims covered by Medicaid, that the Stark Law exceptions are affirmative defenses in FCA cases on which the defendant bears the burden of proof (rather than elements of the FCA cause of action on which the government bears the burden of proof), that damages can be proved through health care providers’ own claim forms rather than by detailed claim-by-claim proof based upon review of medical records, and that the attorney-client privilege provides only limited protection for communications between health care providers and their attorneys regarding the financial arrangements at issue in Stark Law cases. For our previous coverage of this case, read our article, “Florida Hospital to Settle Stark Law Case for $85 Million.”

HIPAA Enforcement Developments

The Office for Civil Rights (OCR) entered into several resolution agreements and corrective action plans in 2014. Covered entities and their business associates should take note of these matters as they enter into the new year and remain vigilant in their compliance efforts to help avoid similar costly pitfalls. For example, in the largest HIPAA settlement to date, New York and Presbyterian Hospital and Columbia University, collectively, paid the government $4.8 million after electronic protected health information of 6,800 individuals inadvertently became accessible on internet search engines. In OCR’s first settlement with a county government, Skagit County, Washington, agreed to a $215,000 settlement after electronic protected health information of 1,581 individuals found its way onto a publicly accessible county server. Anchorage Community Mental Health Services will pay $150,000 after the electronic protected health information of 2,743 individuals became compromised after malware attacked its information technology systems. These are only three examples of OCR in action in 2014, but covered entities and business associates can expect greater scrutiny leading into 2015 and beyond. In 2013, the latest year for which such information is available, OCR received 12,915 complaints, a 23.5% increase over 2012. Furthermore, in 2013, OCR resolved 14,300 complaints, which represents a significant 52% increase over 2012. It remains to be seen whether 2013 was an aberration or evidence of an uptick in the government’s HIPAA enforcement efforts. Read more about the incidents described herein and other actions taken by OCR against covered entities in 2014, as well as OCR’s historical HIPAA enforcement data.

Rise in Cyber-Security Breaches

As demonstrated by a number of high-profile examples in 2014, data-driven industries face an increasing number of external threats. Companies that possess consumer data, including health care companies, have become prime targets for hackers. Recent victims have included such companies as Staples, The Home Depot, Target, and eBay—and millions of their customers. In 2015, covered entities and business associates would be wise to revisit their compliance with the HIPAA Security Rule and to gauge any risks associated with new and emerging cyber threats. As these types of events garner greater attention, we may see enhanced efforts by the federal and state governments to help protect patient and consumer information in 2015 and beyond.

Ebola Outbreak Renews Discussion of Key Legal Issues

The devastating outbreak of the Ebola virus in West Africa dominated headlines in 2014. The outbreak renewed discussion of critical public health and political issues, and resulted in a flurry of activity by health care providers to assess their capacity to handle potentially exposed individuals. Beyond reviewing infection control plans and performing quarantine drills, health care providers grappled with a wide variety of related issues, including the potential for supply chain disruption and workforce shortages, health information privacy issues, and employment law considerations. The outbreak also prompted OCR to issue a bulletin regarding HIPAA privacy requirements in the context of emergency situations. The thrust of the bulletin was to remind covered entities and their business associates that, although HIPAA requirements are not suspended during a public health emergency, they permit disclosure of limited information in the interest of protecting the public in certain contexts. Read OCR’s bulletin onHIPAA Privacy in Emergency Situations.

CMS Makes Settlement Offer for Hospital Inpatient Status Appeals

In August, the Centers for Medicare and Medicaid Services (CMS) announced its offer of an administrative agreement to certain hospitals willing to withdraw their pending patient status appeals in exchange for partial payment. The offer was made to more quickly reduce the volume of short-stay inpatient claim denials pending in the appeals process—as was noted by the Office of Medicare Hearings and Appeals earlier in the year, “the unprecedented growth in claim appeals continues to exceed the available adjudication resources to address [such] appeals.” Under the terms of the offer, any acute care or critical access hospital that elects the administrative agreement option to resolve their pending appeals will receive a partial payment equal to 68 percent of the net payable amount. The appeals covered by the offer are limited to those related to claims for inpatient status with dates of admission prior to October 1, 2013 that were denied on the basis that the services should have been provided under outpatient status. The deadline for hospitals to request settlement was October 31, 2014. Learn more from CMS about the settlement process.

FCA Liability for Failure to Return Overpayments in 60 Days

In U.S. ex rel. Kane v. Continuum Health Partners, Inc., a case pending in the Southern District of New York, the Department of Justice has for the first time intervened in an FCA action based on a provider’s failure to return an alleged Medicaid overpayment. The Affordable Care Act requires the report and return of any federal health care program overpayment by the later of 60 days after the overpayment is “identified” or the date the corresponding cost report is due, if applicable. If not repaid within the allotted time, the overpayment becomes an “obligation,” the knowing avoidance of which triggers liability under the FCA. In Kane, a whistleblower filed a FCA action under seal in 2011, 60 days after emailing his managers a spreadsheet naming 900 allegedly erroneous claims. Even though Continuum had repaid all 900 claims by early 2013, the Department of Justice intervened in the whistleblower’s FCA suit in June 2014. In its currently pending motion to dismiss, Continuum argues that the whistleblower’s email is not sufficient by itself to “identify” overpayments and trigger the 60-day window because the company first had to investigate and corroborate his allegations. The government has responded that Continuum’s interpretation of when overpayments are “identified” would allow companies to retain overpayments indefinitely as long as they have not been confirmed. The court’s opinion is expected in 2015.

Extrapolating FCA Liability

The Department of Justice has begun aggressively pursuing the ability to expand FCA liability against health care providers by extrapolating evidence from a sample set of claims to a larger universe of unidentified, unexamined claims. 2014 saw several courts touching on the concept of using statistical extrapolation to prove FCA claims, with the most expansive discussion coming from the United States ex rel. Martin v. Life Care Centers of America case in the Eastern District of Tennessee.

In Martin, the government alleged that Life Care, which operates a chain of skilled nursing service providers, submitted fraudulent claims to Medicare as part of a nationwide scheme to provide medically unnecessary services. Life Care moved for partial summary judgment in light of the fact that the government planned to present specific evidence only as to a sample of 400 patient admissions and then extrapolate both liability and damages to an additional universe of 54,396 unidentified patient admissions, constituting 154,621 claims total. Life Care argued that the government could not satisfy its burden of proving knowing falsity as to the unidentified claims merely by extrapolation and that allowing it to do so would violate Life Care’s right to due process. The court reviewed the voluminous case law on extrapolation cited by both sides and found no case to be determinative of the issue of using statistical sampling in an FCA action involving Medicare overpayment, noting that “using extrapolation to establish damages when liability has been proven is different than using extrapolation to establish liability.”

The court rejected Life Care’s motion, allowing extrapolation analysis to be used as evidence in this instance and noting that “the Government could specify in detail the specific claims for which it alleges are false, but in order to do so, it would require the devotion of more time and resources than would be practicable for any single case.” While the court acknowledged that unique factors will determine the individual type and amount of therapy received by a patient, it found that such unique factors did not necessarily preclude the use of extrapolation as evidence. Instead, the court highlighted that the defendant could challenge the extrapolation through cross examination and competing witness testimony at trial and that the jury will ultimately decide how much weight to give the evidence.

OIG Proposes Expanding Anti-Kickback Statute Safe Harbors and Revising CMP Rules

In October, the Department of Health and Human Services Office of Inspector General (OIG) released a proposed rule that, if finalized, would amend regulations implementing the federal Anti-Kickback Statute and the federal Civil Monetary Penalties (CMP) law. While it remains to be seen whether and to what extent the OIG will finalize its proposals (there is no particular time frame within which the OIG must act), the proposed rule covers a wide variety of health care arrangements and evinces the OIG’s efforts to strike a balance between guarding against abusive conduct and avoiding stifling innovative arrangements intended to improve access to care. With respect to the Anti-Kickback Statute, the proposed rule would extend safe harbor protection under certain conditions to cost-sharing waivers by pharmacies and for emergency ambulance services, remuneration between Medicare Advantage organizations and federally qualified health centers, drug discounts under the Medicare Coverage Gap Discount Program, and free or discounted local transportation services. As for the CMP authorities, the proposed rule would add additional exceptions to the definition of “remuneration” under the CMP prohibition on beneficiary inducement and add new regulations to interpret the statutory language of the CMP prohibition on gainsharing. Click the following link for a copy of the OIG’s proposed rule.

Supreme Court to Review Affordable Care Act Subsidies

One of the biggest developments of 2014 involves a court decision that will not likely be made until the summer of 2015. In November, the U.S. Supreme Court agreed to consider an appeal in King v. Burwell, a case decided by the U.S. Court of Appeals for the Fourth Circuit in July. At issue in the case is whether individuals who purchase health insurance through an exchange established by the federal government, as opposed to one set up by a state, are eligible to receive tax credits from the federal government to cover some or all of the cost of purchasing that insurance. The potential ramifications of the Supreme Court’s decision are far-reaching, including not only the loss of subsidies for millions of individuals who purchased insurance through federal exchanges and a concomitant decrease in the number who maintain coverage through the Affordable Care Act (or, for that matter, through any means), but a significant threat to the ongoing viability of the health insurance exchange model, a cornerstone of the law.

CMS Proposes Changes to Medicare Shared Savings Program

In December, CMS published a long-awaited proposed rule that, if finalized, would make a number of changes to the regulations that were promulgated in 2011 to implement the Medicare Shared Savings Program (MSSP), a key component of the Medicare delivery system reform initiatives included in the Affordable Care Act. Under the MSSP, providers of services and suppliers that participate in an accountable care organization (ACO) continue to receive traditional Medicare fee-for-service payments under Parts A and B, but the ACO may be eligible to receive a shared savings payment if it meets specified quality and savings requirements. Among other things, the proposed rule would permit lower-performing ACOs that already participate in the MSSP to extend the period of time during which they can participate without assuming any financial risk. In addition, the proposed rule would offer higher-performing ACOs larger shared savings payments in exchange for assuming more risk. Comments on the proposed rule are due February 6, 2015. Click the following link for a copy of CMS’s proposed rule regarding the Medicare Shared Savings Program.