Health Update - November 2016

by Manatt, Phelps & Phillips, LLP

In This Issue:
  • Post-Election Analysis: Healthcare Antitrust in a Trump Administration
  • States and Health Reform: Successes and Challenges
  • Final MACRA Rule Implements MIPS and Advanced APMs
  • Mexican Secretary of Health Presents to Senate Health Commission
  • Marketing, Privacy and Data Security Enforcement
  • The FTC Act and HIPAA: What Covered Entities Need to Know
  • IRC § 501(r) Developments and the Importance of Compliance Programs

Post-Election Analysis: Healthcare Antitrust in a Trump Administration

By Lisl Dunlop, Partner, Antitrust and Competition

In a Republican sweep of all the elected branches of the federal government, Donald Trump won the presidential election and Republicans retained control of the House and Senate. What does this mean for antitrust enforcement in the healthcare industry? Although the breadcrumbs are few and far between, we attempt to make some predictions.

Antitrust Generally

Although in a typical Republican administration we would expect to see a more "pro-business" approach to antitrust and a focus on avoiding overenforcement, there is nothing typical about this Republican presidential candidate. The Trump campaign did not release an antitrust policy, and Trump made few comments about antitrust enforcement on the campaign trail.

The comments Trump did make suggest that he will want to continue an active antitrust enforcement program, at least in the media and technology sectors. For example, in May 2016 he commented that Jeff Bezos of Amazon had "a huge antitrust problem, because he's controlling so much, Amazon is controlling so much of what they are doing." [1]

Following the announcement of AT&T's planned takeover of Time Warner, Trump declared that it was "a deal we will not approve in my administration because it's too much concentration of power in the hands of too few." In the same speech, he also complained about Comcast's 2011 purchase of NBCUniversal, saying that it "should never ever have been approved in the first place." [2]

It remains to be seen whether these statements carry through to actual enforcement action against Amazon or the AT&T/Time Warner deal, or inform Trump's approach to antitrust generally. Given the limited attention paid to antitrust in the campaign, a better barometer of the direction of antitrust enforcement policy will likely be Trump's choice of Attorney General and Assistant Attorney General for Antitrust, as well as his Federal Trade Commission (FTC) Chair and Commissioner appointments. If Trump appoints strong enforcers to these positions—and his attitude toward litigation suggests that he might—we would expect to see a continuance of existing antitrust enforcement policy, with a willingness to litigate and push the boundaries on difficult cases.

Healthcare Goals and Insurance Competition

One of the major campaign issues was the direction of healthcare in the U.S. and in particular the future of the Affordable Care Act (ACA). Consistent with Republicans' repeated attacks on the ACA since its inception, Trump promised to "repeal and replace" it. But the Trump Healthcare Policy states that healthcare under his administration will operate "[b]y following free market principles and working together to create sound public policy that will broaden healthcare access, make healthcare more affordable and improve the quality of the care available to all Americans." [3] If this sounds remarkably like the "triple aim," which is the framework for major provisions of the ACA, that is likely because the underlying issues that led to the introduction of the ACA—an aging population, the need to reduce costs, and the migration toward a system based on value rather than a traditional fee-for-service model—have not gone away.

In statements made after the election, Trump suggested that his "repeal" of the ACA might not be as extensive as first thought: He expressed a desire to maintain popular provisions such as allowing parents to keep children up to age 26 on their healthcare plans, and preventing insurance companies from denying coverage because of preexisting conditions.

Trump ostensibly plans to achieve his healthcare goals by focusing on increasing competition in insurance markets. The theory is that by allowing the sale of health insurance across state lines and eliminating other restrictions on competition, such as the antitrust exemption in the McCarran-Ferguson Act, more insurance plans will compete for subscribers, resulting in lower prices and better-quality coverage.

In addition, Trump believes that eliminating healthcare for illegal immigrants will relieve healthcare cost pressures, and allowing tax deductions for health insurance premiums will incentivize consumers to buy insurance. But, without a mandate and subsidies, it is unclear whether these measures will be enough to keep healthy patients in insurance plans, or if they could prevent skyrocketing premiums in the face of the high-risk patient pool that will result from the preexisting condition waiver.

Healthcare Antitrust

The preliminary Republican plans for healthcare suggest that Trump Administration antitrust enforcers will focus heavily on insurance company competition. Since much of the policy depends on competitive insurance markets providing multiple options for consumers, with the impact of competition keeping premiums down, we can expect significant concentration in insurer markets to be viewed with skepticism.

Although nothing has been said to date about provider concentration, the underlying drivers of the healthcare industry will remain intact, so incentives for hospitals and other providers to merge will remain. The significant body of economic evidence indicating that hospital mergers have historically led to increased prices and the continuing focus on cost will likely lead a Republican administration to encourage the existing FTC approach to hospital mergers. Less concentrative collaborations—such as accountable care organizations—are likely to continue to be favored by the antitrust regulators as the best means to address cost and quality issues while maintaining competition.

The recent news that former Republican FTC Commissioner Professor Joshua Wright will lead Trump's transition team on the FTC reinforces the view that the agency will continue its focus on healthcare antitrust. While Wright was notable for dissents in several cases, as well as for his focus on having a solid economics basis for agency decision-making, there were few opportunities for dissent in hospital merger cases. [4] One area in which he has written that could have consequences for healthcare transactions is the FTC's assessment of efficiencies in the merger review process: in a non-healthcare case, he dissented from the Commission's enforcement action on the basis that the benefits to consumers flowing from the expected efficiencies from the transaction would outweigh the potential anticompetitive effects. [5] Several of the transactions reviewed by the Commission in recent years, in particular the Advocate-NorthShore merger, had strong efficiency claims that were not credited by the FTC in bringing enforcement action. Perhaps these cases would be viewed differently by a Wright-led Commission.

Trump has also pledged to "drain the swamp" by eliminating federal agencies and reducing overall the amount of federal government intervention in markets and state government. Depending on how far this goes, it is possible that more healthcare policy and enforcement may shift to the states. Several states have already attempted to more closely manage their healthcare markets and bring healthcare antitrust enforcement "in house" through Certificate of Public Advantage (COPA) laws. COPA laws provide immunity from the federal antitrust laws in return for monitoring and supervision by the state. Although the FTC has consistently opposed such laws as shielding potentially anticompetitive conduct, proponents argue that the states are best placed to understand the needs of their communities and to regulate and manage provider relationships on an ongoing basis.

Conclusion

Although there is little conclusive evidence to go on at this point, it is likely that a Trump Administration will continue with an active antitrust enforcement program and focus strongly on supporting competition among insurance companies, as well as other actors in the healthcare industry. If Trump lives up to his campaign promises around reducing the federal government's part in policy and enforcement, we also may see the states taking on a more significant role in these areas.

1. Fox News interview, May 12, 2016, reported by CNBC: http://www.cnbc.com/2016/05/13/trump-says-amazon-has-a-huge-antitrust-problem.html.

2. Speech at rally in Gettysburg, PA, October 22, 2016, reported in WSJ: http://www.wsj.com/articles/trump-says-he-would-block-at-t-time-warner-deal-1477162214.

3. "Healthcare Reform to Make America Great Again," available at https://www.donaldjtrump.com/positions/healthcare-reform.

4. The complaint in the FTC's case against St. Luke's and Salzer Medical Center in Idaho was voted out prior to Commissioner Wright's tenure. He left the Commission in August 2015, before the three merger challenges voted out at the end of 2015.

5. Dissenting Statement of Commissioner Joshua D. Wright, In the Matter of Ardagh Group S.A., Saint-Gobain Containers, Inc., and Compagnie de Saint-Gobain, File No. 131-0087 (April 11, 2014), available at: http://www.ftc.gov/system/files/documents/cases/140411araghstmt.pdf.

States and Health Reform: Successes and Challenges

By Joel Ario, Managing Director, Manatt Health

Editor's Note: In a guest appearance on The Diane Rehm Show, an affiliate of National Public Radio (NPR), Manatt Health's Joel Ario discussed the future of Obamacare under a new administration. Since then, the election of Donald Trump certainly puts that future in doubt. Joel's remarks, however, which focused on the states' role in driving health reform, still provide valuable insights. If attempts at federal reform don't happen or fail, state experimentation could be a central force for change. Joel's comments are summarized below. To listen to the full discussion—moderated by Susan Page of USA Today and also featuring Julie Rovner, senior correspondent at Kaiser Health News; Ron Pollack, Executive Director of Families USA; and Avik Roy, president of the Foundation for Research on Equal Opportunity—click here.

__________________________________________________

The important thing to highlight about the Affordable Care Act (ACA) is that we now have 20 million new people covered. Though we still have the challenge of stabilizing premiums, we also have important new benefits. For example, people with preexisting conditions now can get insurance—and children can continue their coverage under their parents' plans until age 26.

Of course there are still important issues to deal with, particularly the high rate increases this year. Some states have been addressing the rate issue very successfully and can serve as a model for others.

Alaska and the Reinsurance Solution

Alaska was looking at rate increases in excess of 40 percent in a market that already was the highest priced in the country. Its high costs were driven by a spread-out delivery system across a big state with relatively few people—and an increase that size would have been crushing.

To avoid that huge increase, the insurance commission worked with the legislature and passed a reinsurance program. The federal government had offered this type of program for the first three years of the ACA to help carriers share the cost of the most expensive cases. The fact that the program has now run out as we go into the fourth year is one of the reasons we are seeing the surging prices.

The Alaska legislature picked up the program at the state level, passing a bill to put $55 million into a reinsurance fund based on taxing the insurance companies. As a result, the rate increase plummeted from the low 40s to the single digits—just around 8 percent.

That's good for consumers, for the state and for the federal government—because when premiums go down, the government's costs go down as well. Why? The government, rather than consumers, really is bearing most of the increasing premium costs for people receiving subsidies. For that reason, Alaska is asking the federal government to pass the savings it is realizing back to the state, and the government is considering that idea. The details are still being worked out, but Alaska is an excellent model for other states to follow.

Minnesota Explores the Public Option

Minnesota is another state dealing with soaring rate increases. Its governor, who has been a strong supporter of the ACA, has made it clear that the 50 percent rate increase in his state is not acceptable. He's calling on his legislature to provide short-term aid to people who simply can't afford the higher rates. He also has put a task force in place to explore longer-term solutions, including a public option.

Minnesota would like to extend its program for the low-income population—Minnesota Care—to a larger number of people. It also would like to allow people who don't need financial assistance to buy into the program at full cost, which would require a 1332 waiver from the federal government. (Known as innovation waivers, 1332 waivers allow states to modify parts of the ACA.)

While most people say a public option does not have much chance of passing at the federal level, why not let states experiment? Minnesota always has been a healthcare leader, so it might be the right time to try a public option there, based on the program the state already has and extending it beyond the low-income population.

The Link Between States' Approaches and Their Level of Success

While some governors and legislatures have embraced the ACA, others have been resistant, having their citizens participate in the federal exchange rather than setting up a state exchange. We have seen a relationship between the approaches states took to adopting the ACA and their ultimate level of success.

None of the states that are left now with only one or two insurers have state-based exchanges. Conversely, where states have put in the effort, they are enjoying successful marketplaces, with California being the best example. States that have really dug in and worked with insurers have seen positive results. Those that have tried to resist are experiencing more problems.

Conclusion

Overall, the ACA, so far, has earned a "B" for its performance. It's clearly reached critical mass—but it's not excellent yet.

Final MACRA Rule Implements MIPS and Advanced APMs

By Annemarie Wouters, Senior Advisor, Manatt Health | Brenda Pawlak, Managing Director, Manatt Health | Wes Joines, Manager, Manatt Health | Adam Striar, Consultant, Manatt Health

Editor's Note: On October 7, 2016, the Centers for Medicare and Medicaid Services (CMS) issued a final rule implementing the Merit-based Incentive Payment System (MIPS) and Advanced Alternative Payment Model (Advanced APM), as required under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). Based on comments from more than 4,000 stakeholders, the final rule was published in the Federal Register on November 4, 2016, with final comments due no later than 5:00 p.m. on December 19. Below are some key takeaways. Manatt also has prepared a detailed summary, available as part of our subscription-based regulatory summary series. To learn more about subscribing to the series or to discuss any questions your organization has around MIPS and Advanced APMs, please contact Edith Coakley Stowe at estowe@manatt.com, Brenda Pawlak at bpawlak@manatt.com or Annemarie Wouters at awouters@manatt.com.

The authors would like to thank Jonah Frohlich, Edith Coakley Stowe and Jennifer Eder for their contributions to the final MACRA rule summary.

__________________________________________________

Background

MACRA was signed into law on April 16, 2015, permanently repealing the flawed Sustained Growth Rate (SGR) formula, which linked Medicare annual payment updates for physicians and other professionals to prior-year spending and gross domestic product (GDP) growth. MACRA replaced the SGR formula with a stable Medicare payment system that rewards physicians for providing high-quality, high-value healthcare. In place of the SGR formula, MACRA Section 101 implements positive rate increases for 4.5 years and a long-term Medicare value-based payment approach.

Under MACRA, healthcare professionals reimbursed through the Medicare Physician Fee Schedule (MPFS) will be guaranteed a 0.5 percent update from July 2015 through 2019. From January 2020 through 2025, the law includes a zero percent update—i.e., the rates will remain at the 2019 level, but eligible clinicians (ECs) will be subject to adjustment through one of two mechanisms, depending on whether the clinician chooses to participate in an APM or the MIPS.

APMs are payment approaches developed in partnership with the clinician community that provide added incentives for delivering high-quality, cost-efficient care. MIPS is a new program for certain Medicare-enrolled practitioners that consolidates components of three existing programs: the Physician Quality Reporting System (PQRS), the Physician Value-Based Payment Modifier (VM), and the Medicare Electronic Health Record (EHR) Incentive Program for Eligible Professionals. The MIPS will continue the focus on quality, cost and certified EHR technology in a cohesive program that avoids redundancies.

Key Takeaways

The final rule significantly reduces the complexity of the MIPS that was included in the proposed rule by softening measure-reporting requirements, adding flexibility to performance scoring and reducing performance thresholds. CMS wants to give healthcare professionals more time to prepare for pay-for-performance. Anticipating that most ECs will fall into the MIPS in the first year of implementation, CMS makes only modest changes to pay-for-performance through Advanced APMs. In addition, the rule maintains for now the proposed list of Advanced APM models. (The agency will provide a final list of Advanced APMs by January 2017.)

Key takeaways from the final rule include:

  • CMS is establishing 2017 as a transitional year, meaning that some policies are transitional and open for comment. Additionally, for 2017, the MIPS performance threshold for receiving a positive payment adjustment will be lower.
  • ECs will have three flexible options to submit data to MIPS and a fourth option to join Advanced APMs, each of which would ensure they do not receive a negative adjustment in 2019.

    1. Option 1—maximize opportunity to qualify for a positive MIPS adjustment: Report under MIPS for a full 90-day period (ideally one year).
    2. Option 2—avoid a negative MIPS adjustment and possibly receive a positive adjustment: Report under MIPS for a full 90-day period at a minimum, and report more than one quality measure, more than one improvement activity, or more than the required measures in the advancing care information (ACI) performance category.
    3. Option 3—avoid a negative MIPS adjustment: Report one quality measure, one clinical improvement activity, or the required measures of the ACI.
    4. Option 4—5 percent bonus: Participate in Advanced APM.
  • The cost performance threshold will have a zero weight for the transition year (CY 2017). Starting in performance year CY 2018, the weight for the cost category will increase from 0 to 30 percent by 2021.
  • CMS will collect information on cost measures through claims data and report the following information back to ECs for the CY 2017 performance period:

    1. Medicare spending per beneficiary
    2. Total per capita costs for all attributed beneficiaries
    3. Ten episode-based measures (mastectomy; aortic/mitral valve surgery; coronary artery bypass surgery; hip/femur fracture or dislocation treatment [inpatient-based]; cholecystectomy and common duct exploration; colonoscopy and biopsy; transurethral resection of the prostate for benign prostatic hyperplasia; lens and cataract procedures; hip replacement or repair; and knee arthroplasty)
  • CMS will continue to "investigate ways to account for the costs of drugs under Medicare Part D in the cost measures in the future, as feasible and applicable." CMS recognizes that Part D costs are a growing component of the overall costs for Medicare beneficiaries; however, not all patients covered by Medicare Parts A and B are covered under a Medicare Part D plan. "In addition, Medicare Part D is provided through private plans which independently negotiate payment rates for certain drugs or drugs within a particular class."
  • In 2017, ECs may earn a 5 percent incentive payment through sufficient participation in the following Advanced APMs: Comprehensive End Stage Renal Disease (ESRD) Model (Large Dialysis Organization (LDO)), Comprehensive ESRD Care Model (non-LDO arrangement), Comprehensive Primary Care Plus (CPC+) Model, Medicare Shared Savings Program (Tracks 2 or 3), Next Generation ACO Model, and the Oncology Care Model (two-sided risk arrangement).
  • CMS also finalizes requirements to qualify as an "Other Payer Advanced APM" which is a payment arrangement with a payer (e.g., a Medicaid commercial payer).

Mexican Secretary of Health Presents to Senate Health Commission

By Andrew Rudman, Managing Director, ManattJones Global Strategies | Andrea Cabrera, Director, ManattJones Global Strategies | Carolina Zimmerman, Senior Business Analyst, ManattJones Global Strategies

Editor's Note: On Tuesday, October 11, the Mexican Secretary of Health, Doctor José Narro, spoke to the Mexican Senate's Health Commission as part of the annual presidential report to Congress. Below, ManattJones Global Strategies summarizes key points from Dr. Narro's presentation. For more information on the Mexican healthcare system, landscape and market, see our article in the October issue of Health Update, "Mexico's Healthcare Opportunities: Growing Demand for Private Sector Alternatives."

__________________________________________________

In his presentation to the Mexican Senate's Health Commission, Secretary of Health Doctor José Narro highlighted significant advancements and challenges in the public healthcare sector. He pointed out Mexico's opportunities to increase and improve productivity, to promote inclusion in education and in the workforce, and to strengthen public confidence in institutions. He also pushed for action on healthcare in the legislative agenda.

Public Concerns Around Inclusion and Confidence in Institutions

Dr. Narro addressed public concerns regarding inclusion and confidence in institutions by affirming Mexico's commitment to including a wider scope of the population in the country's productive sectors. Specifically, he noted that work needs to be done to achieve greater inclusion in education, as well as to provide increased opportunities for job training and employment. He emphasized that engaging more people in a broader range of productive roles promises to improve government efficiency and increase public confidence in institutions. As a result, there would be higher levels of transparency and social participation. He further stressed that without health there can be no development, progress or individual welfare.

Notable Healthcare Achievements

Dr. Narro outlined several notable achievements in the public healthcare sector. He lauded the successful vaccination program, an investment of around 21 billion pesos (roughly $1 billion USD) that provided over 300 million vaccinations during the Peña Nieto Administration (2012–present). During this time, both infant mortality and traffic-related mortality decreased. In addition, social and government efforts to increase research into chronic degenerative diseases have begun to deliver results.

Another major improvement that Dr. Narro cited was Congress's approval of reforms aimed at improving fiscal management of federal institutions, including those related to health. As a result, 65,000 additional workers were registered with Mexico's Social Security Institute (IMSS), which provides healthcare for the formal sector. (The formal sector consists of businesses, enterprises and economic activities that are monitored, protected and taxed by government. The informal sector is composed of workers and businesses that are not under government regulation.)

Furthermore, infrastructure developments have materialized, including more than 40 billion pesos (about $2 billion USD) invested to promote the development of both generic and innovative medicines. IMSS also has coordinated a pooled purchases mechanism for non-patented drugs that has generated savings of about 10.8 billion pesos (roughly $500 million USD) in a traditionally problematic drug supply chain for public institutions. In addition, IMSS opened bidding for around 50 billion pesos (roughly $2.5 billion USD) for drugs and materials used in healthcare units.

Dr. Narro concluded his delineation of notable achievements by spotlighting Mexico's huge advances in palliative care, pain management and terminal patient care. He also emphasized the continuing need for a high quality of care among public health institutions and high-caliber outpatient units.

Continuing Challenges and Concerns

In spite of Mexico's significant accomplishments, Dr. Narro noted that there are still tough challenges within Mexico's health sector and stressed the importance of both better financing and universalization of health services. He cited diabetes, obesity, HIV/AIDS, substance abuse, renal failure, violent deaths, sickness among young people, and teenage pregnancy as major continued health concerns for Mexico's population. Additionally, Mexico's health sector still suffers from incomplete coverage and duplication in the system.

Legislative Initiatives

As part of a legislative agenda moving forward, Dr. Narro expressed interest in pursuing an initiative in the Senate that proposes to investigate the scientific and therapeutic use of essential derivatives of marijuana. He also highlighted an initiative pending approval in the House of Representatives that would establish a regulatory agency to monitor healthcare establishments and services.

Marketing, Privacy and Data Security Enforcement

By Richard Lawson, Partner, Consumer Protection | Jill DeGraff Thorpe, Partner, Manatt Health

Editor's Note: During a recent webinar, Manatt Health explored the latest social media advances in the context of the Health Insurance Portability and Accountability Act (HIPAA) and other consumer protection and privacy statutes. In a two-part series, Manatt Health summarizes the important information shared during the session. In part 1, which appeared in our October newsletter, we reviewed emerging technology trends, the critical role of legal and compliance teams and next steps. In part 2, below, we look at marketing, privacy and data security enforcement by the Federal Trade Commission (FTC) and attorneys general. Click here to view the webinar free, on demand—and here to download a free copy of the presentation. (Please see the next article to learn more about new guidance from the FTC and the Department of Health and Human Services Office for Civil Rights (OCR) on HIPAA and the FTC Act.)

__________________________________________________

Data is the coin of the realm in digital advertising. The two sides of this coin involve the use of the data and its security, and both are governed by the consumer protection laws regarding unfair and deceptive business practices. The Federal Trade Commission Act (FTCA) prohibits "unfair and deceptive business practices." Most states have adopted similar statutes, and while the FTC enforces the FTCA, most states have vested enforcement power of their "Little FTC Acts" in their attorneys general.

Unfair acts are those that involve substantial harm, that the consumer cannot avoid, and for which there are no meaningful business reasons. Deception is much more straightforward, of course, and essentially addresses practices that deceive a reasonable consumer acting in a reasonable manner.

The Key Areas of Consumer Protection

The key areas of consumer protection include substantiation, endorsements and disclosures.

Claims substantiation has three core concerns—the claims in the ad must be accurate, the backup must exist before the ad is circulated, and reasonable ambiguities in the claim will be construed against the advertiser. In the context of healthcare providers, legal challenges have arisen around substantiation for wait times in emergency departments and rankings for doctors and hospitals.

For endorsements, advertisers must disclose to consumers that the ad they are seeing is, in fact, an ad. Material disclosures beyond endorsements, such as costs and fees, can be tricky given the limitations some channels impose, such as the limited space on a mobile screen or Twitter's 140-character restriction. Nevertheless, the FTC requires compliance with disclosures and mandates the development of a social media policy if an advertiser chooses to use endorsements.

Collecting Data for Marketing Purposes

When collecting data for marketing purposes, organizations must give consumers notice and choice. The FTC brought a recent action wherein a company working with a healthcare provider asked consumers to provide data about their treatment. The company, however, failed to disclose to the consumers that their responses would be publicly posted, and the consumers eventually found some of their extremely sensitive and personal information publicly disclosed.

Data Security Concerns

Beyond issues around collecting data, there are additional consumer protection concerns regarding the security of data. In a major development this past summer, the FTC issued an opinion in a case involving a data breach with LabMD. (See our article in the August "Health Update" for more information on the LabMD decision and its implications.)

The issue in LabMD was whether the unauthorized disclosure of sensitive data could constitute "harm" under the unfairness analysis of the FTC Act. The FTC held that the "unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury" under the FTCA. Accordingly, security of data is an issue that can bring about the scrutiny of consumer protection regulators. This can add insult to injury in many circumstances, as the company which finds itself first the subject of a criminal hack is now being targeted for having negligently secured a consumer's data.

Of particular note is that this decision by the FTC is in contrast to recent developments in the ability of private plaintiffs to bring actions regarding data breaches. Courts now hold private litigants to strict requirements about identifying quantifiable harm. For the FTC and state attorneys general, now operating under this LabMD analysis, there is no such requirement.

Conclusion

In summary, when it comes to marketing, remember that claims must be backed up by data, and paid endorsements and other material terms must be disclosed. In addition, when collecting data for any use other than treatment, make sure always to disclose the purpose and keep the data secure.

The FTC Act and HIPAA: What Covered Entities Need to Know

By Jill DeGraff Thorpe, Partner, Manatt Health | Richard Lawson, Partner, Consumer Protection

Editor's Note: The Federal Trade Commission (FTC) and Department of Health and Human Services Office for Civil Rights (OCR) have announced new guidance on the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Act. Key points are summarized below. Manatt Health explored the latest social media advances in the context of HIPAA and other consumer protection and privacy statutes in a recent webinar. If you missed the program, click here to view it free, on demand—and here to download a free copy of the presentation. You also can read part 1 of our webinar summary in our October issue of "Health Update" and part 2 in the previous article.

__________________________________________________

The new guidance from the FTC and OCR reminds businesses that their obligations to protect consumer health data do not stop with HIPAA but extend to the FTC Act, which prohibits false or misleading advertising. Organizations collecting and sharing consumer health information not only need to be sure they are complying with HIPAA, but they also must be careful that their disclosure statements are not deceptive under the FTC Act.

HIPAA: Protecting Privacy and Security

The HIPAA Privacy Rule requires both covered entities and their business associates to protect the privacy and security of health information. It is critical to remember that consumers must give written permission through a valid HIPAA authorization before their health information can be used or disclosed for commercial activities besides treatment, payment, healthcare operations or other uses and disclosures permitted by the Privacy Rule.

An authorization is a detailed document that gives covered entities permission to use protected health information (PHI) for specified purposes or to disclose PHI to a third party that the individual specifies. The authorization must contain a number of elements, including a description of the PHI, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, the expiration date, and the purpose for which the information may be used or disclosed.

The authorization must be in plain, understandable language—and it must include specific terms and descriptions. For example, to gain authorization to share consumers' health information, organizations must tell them specifically how that information will be used.

Business associates have an important extra step. They must first gain explicit permission through a HIPAA business associate contract to use or disclose health information. A business associate cannot ask a consumer to sign a HIPAA authorization unless its contract includes express permission to do so.

The FTC Act: Prohibiting Deceptive or Misleading Information

Covered entities and their business associates must go beyond meeting the requirements of a HIPAA-compliant authorization. They also must ensure that the information surrounding the authorization is not deceptive or misleading or they will violate the FTC Act. To comply with the FTC Act:

  • Review the entire user interface. Evaluate the size, color and graphics of disclosure statements to be sure they are clear and conspicuous. Don't bury key facts in links or require consumers to "click" to access pertinent information, such as who will be able to access their PHI.
  • Consider the different devices consumers may use to view disclosure claims. Consumers should not have to scroll to find information that is relevant to providing informed consent.
  • Tell consumers the full story before asking them to make a material decision. Eliminate contradictions and omissions to ensure clarity and consistency.
  • The same requirements apply to paper disclosures. Whatever medium is being used, information should be easy to find and to understand.

For additional guidance on creating effective disclosures, reference the FTC's .com Disclosures document.

IRC § 501(r) Developments and the Importance of Compliance Programs

By Harvey Rochman, Partner, Litigation | Steve Chiu, Associate, Manatt Health

The Internal Revenue Service (IRS) has moved aggressively to ensure that tax-exempt hospitals are complying with financial assistance, billing and collection requirements under the Affordable Care Act (ACA). The IRS reported earlier this year that it had trained auditors, commenced compliance reviews of thousands of tax-exempt hospitals and initiated field examinations where it found evidence of noncompliance. Accordingly, tax-exempt hospitals should take stock of their efforts to comply with Section 501(r) with an emphasis on the sufficiency of their practices and procedures to ensure compliance. These practices and procedures are the key to avoiding, and reducing the significance of, violations which will inevitably occur in complex revenue cycle operations.

What Is Section 501(r) of the Internal Revenue Code (IRC)?

Enacted as part of the ACA, Section 501(r) of the Internal Revenue Code (IRC) establishes a national scheme governing the financial assistance, billing and collection practices of hospitals exempt from taxation under IRC § 501(c)(3), including government hospitals with dual tax-exempt status. Although Section 501(r) contains only a few broad and apparently simple provisions, the associated regulations first proposed by the IRS in 2012 and finalized on December 31, 2014, establish a detailed and far-reaching legal framework requiring new policies and procedures, many changes to common revenue cycle practices and substantial new compliance obligations.

The significance of the obligations imposed by Section 501(r) has been underestimated. For example, the final regulations not only require new policies and procedures, but also require hospital organizations to identify, correct and in many cases publicly disclose errors implementing the law and hospital policies. This includes the errors of revenue cycle vendors and subvendors for which the hospital is responsible. Failure to comply may result in audits, investigation, required corrections, public disclosure of violations and potentially loss of a hospital's tax-exempt status. Moreover, in order to receive credit for correcting and disclosing a violation, which can reduce the seriousness of the violation, the violation must be identified and the correction and disclosure process started before the IRS itself discovers the violation.

These federal laws do not displace other federal laws, such as the Fair Debt Collection Practices Act, or preempt existing state laws, such as California's Hospital Fair Pricing Policies and New York's Patient's Financial Aid Law. Rather, tax-exempt hospitals must develop policies and procedures that mesh federal and state laws, and they must comply with the strictest applicable legal requirements.

The IRS Continues to Prioritize ACA Oversight and Compliance with Section 501(r).

While some have hoped that the IRS would retract or reduce the impact of the litany of specific requirements laid out by the regulations or further delay compliance deadlines, that has not happened.1 To the contrary, in 2016:

  • The IRS has failed to extend compliance deadlines associated with its Section 501(r) regulations—which have now passed for virtually all tax-exempt hospitals.
  • In February, even before many of the compliance deadlines mentioned above, the IRS announced that it had assembled a list of hospitals that appear to be out of compliance, based on reviews of hospital policies (which must be posted on hospital websites) and hospital tax filings on Schedule H to IRS Form 990. It also announced that it was beginning to train roughly 30 agents to conduct in-depth hospital field examinations and would soon begin these examinations.
  • In June, the IRS reported to Senator Grassley that it had completed 2,482 compliance reviews for 2014-2016 and had referred 163 hospital organizations for field examinations, some of which were under way at that time.
  • In September, the IRS Tax Exempt and Government Entities Division issued its fiscal year 2017 Work Plan which continued to emphasize that ACA oversight and compliance with Section 501(r) would be a significant priority.

Notably, a hospital review also may be instigated by a consumer complaint through the IRS's established process for submission of complaints about tax-exempt organizations. In February, the IRS noted that it would take into consideration any complaints it receives in connection with its decision to refer hospitals for field examinations.

Hospitals Must Ensure They Have Robust Compliance Programs.

Given the extensive regulatory framework, the significant ramp-up in enforcement activity, and the significant work required to establish a legally sufficient compliance program, tax-exempt hospitals should now confirm that they are in compliance with the key provisions of 501(r),2 but even more importantly, they must ensure that they have a robust compliance program including procedures that (i) are reasonably designed to promote and facilitate compliance with Section 501(r) and (ii) will allow hospitals to identify, correct and disclose violations of Section 501(r) and the hospital policies adopted to comply with Section 501(r).

The 501(r) regulations make clear that, in addition to helping prevent violations, strong compliance practices and procedures are essential to reducing the legal impact of violations that will inevitably occur in complex revenue cycle operations. Under the 501(r) framework, there are three types of violations: (1) minor omissions or errors requiring correction, but not disclosure; (2) excusable failures that must be corrected and disclosed to the IRS; and (3) inexcusable failures that must be corrected and disclosed but also threaten a hospital organization's tax-exempt status. The regulations make it clear that procedures designed to ensure compliance and a compliance program that allows for the identification, correction and disclosure of errors before the IRS discovers any issues are critical to establishing that any errors are minor or excusable and thus central to avoiding the serious consequences of inexcusable failures.

The Distinction Between Minor and Serious Violations Depends Largely on Compliance Practices.

The relatively few examples provided by the IRS in the final regulations and related revenue procedures establish that the category of "minor" violations is fairly limited (e.g., a required posting falling off a hospital wall and being rehung) and that many violations will fall into the more serious categories which require both correction and disclosure. More importantly, in the absence of intentionally wrongful conduct, the crucial distinction between these violation types depends largely on the organization's compliance practices and procedures.

For example, the IRS regulations state that the existence of meaningful procedures reasonably designed to promote and facilitate compliance with Section 501(r) is a key factor in determining that a violation constitutes a "minor omission or error" that must be corrected but need not be disclosed. Additionally, the IRS decision to classify a failure as "excusable" versus "inexcusable" is also based significantly on whether a facility has established 501(r) compliance practices and procedures and whether those practices and procedures were routinely followed. In fact, of the nine factors that the IRS has stated that it will consider when deciding whether a failure to meet 501(r) requirements justifies revocation of a hospital organization's tax exemption, eight either expressly require a hospital organization to maintain an established compliance program or involve examination of the functions of such program (e.g., early detection and correction of violations, measures to prevent recurrence of compliance errors).

The legal consequences of noncompliance can be severe. For inexcusable failures, the IRS may revoke a hospital or hospital organization's tax-exempt status. Even for excusable failures (i.e., those failures that are not willful or egregious), a hospital organization will be required to correct and publicly disclose such failure to the IRS, which may review, conduct intensive field examinations (during which the IRS may investigate any compliance errors, even if unrelated to the 501(r) failure at issue), and require further corrective actions. Additionally, the scrutiny on a hospital that arises from disclosure may lead to media inquiries, government investigations and, potentially, litigation from consumer attorneys.

Conclusion

Given the IRS's current actions and the complex obligations established by Section 501(r), hospitals should ensure that they have a robust compliance program in place which will allow the hospital to limit violations, identify them when they occur, and provide the hospital with the resources to appropriately correct and disclose the violations. Hospitals must also ensure that their contracts with billing and collection vendors include essential terms prescribed by the 501(r) regulations and provide the hospitals with the rights and resources necessary to comply with Section 501(r).

1. Unlike other provisions of the ACA that drew strident objections from Republican lawmakers, the ACA provisions enacting Section 501(r) were coauthored by Republican Senator Charles Grassley and did not appear in the most recent Republican attempt to repeal portions of the ACA (H.R. 3762—114th Congress (2015-2016)).

2. These include provisions related to Community Health Needs Assessments and associated implementation strategies, the establishment of financial assistance and emergency medical care policies, numerous publication and notice requirements related to such policies, calculation methodologies limiting maximum charges to those eligible for financial assistance, billing and collection timelines, reasonable efforts to determine whether a patient is eligible for financial assistance, and restrictions on extraordinary collection actions taken by hospitals to collect patient debt.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
