2017 – The Health Law Year in Review
Uncertain. What better word to describe a year in which a new administration came to power and began to chart a new course for health policy, the fate of the Affordable Care Act (ACA) hung in the balance, and courts grappled with the meaning of a momentous decision involving the federal False Claims Act (FCA)? 2017 was marked by significant changes that have left many wondering what’s next. What will come of the federal health insurance exchanges without the individual mandate? How will the Centers for Medicare and Medicaid Services (CMS) manage the migration to value-based payment under new leadership? Will healthcare deal activity—both horizontal and vertical—sustain the same torrid pace?
In an effort to take stock of the year that was and prepare for the challenges that lie ahead, we have compiled a list of 10 important issues that affect a broad range of healthcare industry clients. If you would like to learn more about these or other health law issues, please contact any of the attorneys in the Healthcare Practice Group at Bradley Arant Boult Cummings LLP.
Affordable Care Act Takes a Beating in 2017
The ACA faced several challenges in 2017, from the continued exodus of major insurers from the health insurance exchanges established under the law, to Congress’ attempts to repeal and replace it, to the announcement of executive orders designed to weaken its implementation, to the elimination of the individual mandate in the final tax bill. While the ACA technically remains the law of the land, its foundation has clearly weakened.
President Trump began the year with an executive order issued on January 20 instructing the U.S. Department of Health and Human Services (HHS) and other relevant agencies to “exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the [ACA] that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.” While the breadth of the order left agencies conflicted regarding how to implement it, the measure set the tone for how the ACA would be carried out under the new administration.
Buoyed by President Trump’s stated desire to overturn the ACA, Congressional Republicans mounted several efforts to repeal and replace the law throughout the year. In March, the House released a proposed repeal-and-replace bill; after extensive mark-ups, the bill was pulled before a vote on March 24. Two months later, the House passed a revised version of the measure and sent it to the Senate on May 4. In response, the Senate proposed three separate amendments to the House bill, including the so-called “Skinny Repeal,” which was defeated in a 51/49 vote in the wee hours of the morning on July 28. The Senate proposed its own repeal bill in mid-September, but the measure died shortly thereafter.
In light of Congress’s failed efforts to pass repeal-and-replace legislation, the Trump administration responded with two measures of its own. On October 12, the White House issued a statement that it planned to discontinue the ACA cost-sharing subsidies paid by the federal government to insurers on behalf of low-income enrollees. When the ACA originally passed in 2010, it contained two provisions intended to motivate uninsured individuals to obtain coverage through the exchanges: subsidy payments from the federal government to insurers to underwrite the cost of coverage for low-income individuals (the carrot) and a tax penalty levied against individuals who failed to maintain health insurance coverage throughout the year (the so-called “individual mandate,” or the stick). While it is unclear when the federal government’s payment of the subsidies will end, insurers are required under the law to continue providing the discounts to lower-income enrollees. Insurers have already warned that the decision will increase premiums on coverage in 2018 as they scramble to cover the difference.
Also on October 12, President Trump issued his second ACA-related executive order, this time directing the HHS, as well as the Departments of Labor and Treasury, to consider proposing regulations or revised guidance in furtherance of three goals: expanding access to association health plans through which employers may join together across state lines to negotiate health insurance coverage; expanding access to short-term, limited-duration insurance policies for the working uninsured; and expanding access to health reimbursement arrangements (i.e., health savings accounts). The order has already generated results: On January 4, 2018, the Department of Labor published a proposed rule to broaden the criteria for when employers may join together in an association health plan.
Finally, on December 15, Congress passed the GOP’s tax bill, the final version of which repealed the ACA’s individual mandate. Beginning in 2019, Americans will no longer face a tax penalty if they fail to maintain health insurance coverage throughout the year. The Congressional Budget Office estimates that between 2019 and 2029, the measure will increase insurance premiums as younger, healthier individuals avoid purchasing coverage, increase the number of uninsured individuals in the country by roughly 13 million, and reduce government spending by more than $300 billion over the course of the decade. The full impact of the move remains to be seen, but the combined elimination of both the cost-sharing subsidies and the individual mandate leave the ACA with more uncertainty in 2018 than it has faced since its enactment.
Courts Interpret the False Claims Act Post-Escobar
Since the Supreme Court issued its watershed FCA opinion in Universal Health Services v. U.S. ex rel. Escobar, lower courts have wrestled with its holdings. In 2017, two key questions emerged from these debates: (1) is there a mandatory two-part test for implied false certification claims, and (2) how should the new “rigorous” and “demanding” standard for materiality be applied in practice?
Implied false certification—i.e., the theory that a claim can be false if the submitter is not in compliance with statutes and regulations material to payment—lies at the heart of the Escobar ruling. In its opinion, the court stated that the theory is viable “at least where two conditions are satisfied”: First, the claim makes a specific representation about the goods or services provided and, second, the failure to disclose noncompliance makes the representation a misleading half-truth. By the end of 2017, numerous courts had interpreted whether this passage establishes a “necessary” test or merely a “sufficient” test to plead implied false certification. Some courts, including the Ninth Circuit and the Southern District of New York, have found the two-prong test necessary, dismissing claims that fail to plead a specific representation in the claim. Other courts, including the District of D.C., have found the test merely sufficient, allowing other possible avenues for proving implied false certification.
Many cases this year have also grappled with Escobar’s emphasis on the demanding nature of the materiality standard and the relevance of the government’s actual practices in paying claims when it knows of an alleged violation. In cases where the government actually declined payment for other claimants with the same violation, courts were more likely to find a violation material. On the other hand, in cases where the government continued paying for or continued requesting goods or services despite knowledge of a violation, courts were more likely to find that violation immaterial. The Third and Fourth Circuits even found the government’s decision whether or not to intervene in the FCA litigation relevant to the question of whether the alleged noncompliance in the litigation was material. Other courts have looked beyond the government’s actions in their materiality analysis to consider whether the alleged noncompliance spoke to “the essence of the bargain” between the government and the defendant.
For our annual review of FCA developments, click here.
Update on Department of Justice Initiatives
Focus on Opioids. In 2017, the Department of Justice (DOJ) announced a program to redouble its efforts to combat the country’s opioid problem. The DOJ’s new Opioid Fraud and Abuse Detection Unit will work to identify and prosecute healthcare fraud related to the opioid epidemic. Twelve Assistant U.S. Attorneys in selected districts—including the Eastern District of Tennessee, the Northern District of Alabama, and the Middle District of Florida—are spending a three-year term focusing solely on these cases. The program uses data analytics to find signs of fraud, including pharmacies and prescribers that may be unlawfully diverting opioids or dispensing them for illegitimate purposes.
Individual Liability for Corporate Wrongdoing. The DOJ’s implementation of the Yates memo—the September 2015 internal DOJ guidance shifting the focus of prosecutions to individual defendants—continued to take form in 2017, with a number of civil and criminal cases brought against executives, employees, and physicians. In some cases, individuals agreed to be held jointly and severally liable with their corporations for settlement payments—including multimillion-dollar settlements with eClinicalWorks, Life Care Centers of America, and Medstar Ambulance Inc. In other cases, the DOJ pursued settlements or convictions against individuals separately from their corporate entities—including the owner of a home health company, owners and managers of a hospice company, several urologists, and a pain management physician. Though examples of these actions against individuals have been less than frequent, they have occurred more regularly in the healthcare arena than any other industry.
Dismissing Baseless FCA Suits. In a speech during the Health Care Compliance Association’s Health Care Enforcement Compliance Institute in October, the Director of the DOJ’s Civil Fraud section indicated that the DOJ would move to dismiss cases brought under the FCA if it concluded that the cases were baseless. While the DOJ has always had the ability to move to dismiss these cases, it has done so very sparingly in the statute’s 35-year history. The DOJ later clarified that this statement was not announcing a more aggressive approach toward dismissing cases, but was merely acknowledging the agency’s policy of maximizing the use of the government’s limited resources. It remains to be seen whether there will be any notable change in the DOJ’s practices.
OIG Publishes New Tool for Assessing Compliance Program Effectiveness
In March, the HHS Office of Inspector General (OIG) released a resource document in conjunction with the Health Care Compliance Association to help healthcare organizations measure the effectiveness of their compliance programs. While the OIG has encouraged healthcare organizations to develop effective compliance programs for decades, it had not previously provided much guidance on how to determine whether compliance programs are, in fact, effective. The new guide, titled Measuring Compliance Program Effectiveness: A Resource Guide, was created through a roundtable discussion involving OIG staff and compliance professionals. Participants discussed the oft-cited seven elements of an effective compliance program, with the aim of developing metrics for measuring compliance program effectiveness that would be helpful to a wide range of healthcare organizations differing in size, operational complexity, industry sectors, and resources.
The stated purpose of the Resource Guide is to give healthcare organizations as many ideas as possible for measuring the effectiveness of their compliance programs, be broad enough to help any type of organization, and let an organization choose which metrics best suit its needs. While the Resource Guide lists over 400 individual compliance program metrics, its authors emphasize that it is not meant to be a checklist or applied in its entirety. In fact, using all of the measurement tools—or even a large number of them—is “impractical and not recommended.” Rather, healthcare organizations should treat the Resource Guide as an idea bank from which they can select those metrics most suited to their needs, resources, and risks. The Resource Guide represents the most thorough presentation of the OIG’s thinking on compliance program evaluations to date and offers a far-reaching toolkit that may reduce the amount of effort required to prepare an assessment tool for measuring compliance program effectiveness.
For our in-depth alert on the Resource Guide, click here.
Small but Potentially Significant Stark Law Developments
While 2017 did not bring many headline-grabbing cases and settlements involving alleged violations of the federal physician self-referral prohibition commonly known as the Stark Law, the year did include its share of small but potentially significant Stark Law developments.
There were a few noteworthy actions from CMS itself. In late March, the agency finalized a revised version of its Voluntary Self-Referral Disclosure Protocol (SRDP) in an effort to streamline and standardize the self-disclosure process. CMS also revised and consolidated its frequently asked questions into two documents posted to its website: one regarding the SRDP and the other covering the Stark Law generally. In addition, CMS issued an advisory opinion in September—its first on a topic other than physician-owned hospitals in nearly four years. The opinion concerned whether a diagnostic testing company’s provision of certain lab test alerts to referring physicians who use the company’s web portal would constitute “remuneration” for Stark Law purposes. The agency concluded it would not.
The year also included some notable legislative activity. Legislation was introduced in both the House (H.R. 1156) and Senate (S. 1133) that would repeal the provisions of the ACA that prevent the construction of new physician-owned hospitals and the expansion of grandfathered physician-owned hospitals. The Senate bill was referred to the Senate Finance Committee, which, under the leadership of Sen. Orrin Hatch, held a hearing and released a whitepaper in 2016 outlining suggestions to reform the Stark Law in light of changing payment models. Draft legislation designed to address many of the issues identified by the committee made the rounds on Capitol Hill and among various trade associations, but its fate remains unclear, particularly in view of the departure of the committee’s longtime Chief Oversight Counsel in August 2017.
Lastly, there were a number of significant enforcement actions, including a $42 million settlement with a Los Angeles hospital that allegedly paid above-market rates to rent office space in physicians’ offices and had improper marketing arrangements for the benefit of independent physician practices. The year also saw a $26 million settlement with an operator of cancer centers accused of paying physicians excessive compensation in violation of the Stark Law, a claim based in part on assertions that the physicians were paid in excess of their personal collections.
One of the year’s more interesting cases was U.S. ex rel. Emanuele v. Medicor Associates, Inc., in which a physician alleged that arrangements between the physician’s former medical practice and a medical center violated the Stark Law because the arrangements failed to meet the signed writing requirement of an applicable exception (the complaint also questioned the bona fides of the arrangements). The DOJ declined to intervene in the case, but the relator pressed forward. On cross-motions for summary judgment, the court found that no reasonable jury could find that two of the arrangements met the signed writing requirement. The court also rejected the defendants’ argument that the relator could not meet the materiality requirement of the FCA, concluding that the Stark Law’s signed writing requirement is not “minor or insubstantial” and goes “to the very ‘essence of the bargain’ between the government and health care providers with respect to Stark [Law] compliance.” In November, one day before jury selection was set to begin, the defendants agreed to settle the case for over $20 million.
CMS Innovation Center Pivots from Mandatory Alternative Payment Models
Stakeholders watching CMS’s Center for Medicare & Medicaid Innovation (the Innovation Center) saw the agency do an about-face in 2017, from implementing new mandatory alternative payment models in January to reducing and even cancelling several mandatory models by year’s end.
The Innovation Center is responsible for developing and testing new and innovative Medicare payment and service delivery models, including a variety of accountable care organization programs. Heading into 2017, most of these models were entirely voluntary for providers, though a mandatory payment model for joint replacement procedures had been established for acute care hospitals in certain metropolitan areas. However, on January 3, 2017, CMS published a final rule implementing new mandatory alternative payment models covering certain cardiac and orthopedic procedures. These new models were similar to the existing joint replacement model in that they featured retrospective reconciliations of actual Medicare reimbursement to target reimbursement for episodes of care. Under the final rule, the new models would be mandatory for most acute care hospitals in select metropolitan areas effective July 1, 2017.
However, even before January’s final rule was issued, the inauguration of President Trump and subsequent appointment of Tom Price as HHS Secretary raised questions about the future of the new alternative payment models. In 2016, while still in Congress, Price and other lawmakers had sent CMS a letter asking the agency to “stop experimenting with American’s health, and cease all current and future planned mandatory initiatives.” After the change in administration, CMS delayed the start date for the new payment models twice—once in March and again in July. By mid-August, CMS had released a proposed rule to cancel the new payment models and roll back the joint replacement model to voluntary status. While Price resigned in September 2017, the final rule cancelling the new mandatory models and making others voluntary was published on November 30, 2017. At the time, CMS indicated that it was doing so in part so that it could focus on new and additional voluntary alternative models. On January 11, 2018, the agency announced the BPCI Advanced program, a new voluntary model that will test bundled payments for 32 clinical episodes from October 2018 through December 2023. Whether additional voluntary programs will be announced in 2018 leaves onlookers with much to ponder.
For additional coverage of CMS’s decision to limit mandatory participation in alternative payment models, click here.
Meaningful Use in the Spotlight
Meaningful use payments under CMS’s electronic health record (EHR) incentive payment programs came under fire from several quarters this year. Begun in 2011 as a way to encourage provider adoption and integration of EHRs to better serve patients, the programs require hospitals and other eligible providers to attest each year that they have meaningfully used EHR in their practices. As part of this attestation, providers must also submit data demonstrating they have met CMS’s meaningful use objectives and measures. Meaningful use payments made to providers who did not, in fact, comply with the program requirements are considered Medicare and Medicaid overpayments under the FCA. While the payments have been the subject of scrutiny since the programs’ inception, 2017 revealed several new weaknesses for CMS to tackle.
In May, the DOJ reached its first settlement against an EHR vendor for falsely certifying that its software complied with meaningful use standards. The $155 million settlement against eClinicalWorks—the second most popular vendor of EHR software among providers—sent a clear message that EHR vendors are also subject to FCA liability for providers’ meaningful use attestations. In its complaint, the DOJ alleged that eClinicalWorks had specifically designed its EHR to pass CMS’s certification tests, but did not actually implement the operational measures the certification tests were designed to verify. As a result, the company passed tests even as providers using its software were unknowingly sending and receiving patient records with inaccurately coded diagnoses and prescriptions. Further, the DOJ claimed, eClinicalWorks knew that its software had significant performance issues, but left them unaddressed. Under the government’s theory, eClinicalWorks’ gaming of certification testing and failure to address problems with its software caused its provider customers to submit false information in their meaningful use attestations to CMS, thus violating the FCA. Less than three weeks after the DOJ filed its complaint, the parties settled for $155 million. Shortly thereafter, CMS announced that it would not conduct an audit to determine whether providers relied on the flawed software for their attestations.
In June, the OIG released a report estimating that between 2011 and 2014, CMS inappropriately paid over $700 million to eligible providers who had not met the meaningful use requirements. After conducting documentation audits on 100 randomly selected providers, the OIG found that 14 had not met one or more of the basic meaningful use requirements. The OIG also carried out a targeted review of providers who had switched between the Medicare and Medicaid EHR incentive payment programs, and found that CMS’s software for tracking providers’ progress did not properly account for switches between programs, resulting in significant overpayments. OIG recommended CMS audit all past attestations for similar issues and implement new auditing efforts going forward, educate providers on proper documentation under the program, and adjust its online system to accurately track physician movement from one program to the next.
Finally, in December, the Northern District of Indiana unsealed a qui tam complaint against more than 60 hospitals alleging that the facilities had submitted inaccurate data in their meaningful use attestations regarding patient and third-party requests for medical records. Among the measures hospitals must meet under the meaningful use requirements is the use of their EHR system to respond to medical records requests in a timely fashion. In the complaint, the relators contrasted personal experiences requesting medical records with the meaningful use data submitted by the hospitals, concluding that the hospitals had submitted false information to CMS under the program. While the government has declined to intervene in the case, the complaint illustrates the breadth of potential liability providers face in making meaningful use attestations to CMS.
Despite the developments of 2017, providers still have plenty to look forward to as 2018 gets underway. Under the Medicare Access and CHIP Reauthorization Act (also known as “MACRA”), individual practitioners will see EHR meaningful use requirements incorporated into the quality measures impacting physician payment when those measures go into full effect. In addition, the OIG has indicated that it plans to release its findings regarding EHR incentive payments made to hospitals in past years, providing a more complete picture of CMS’s oversight of compliance and payments since the program’s inception in 2011.
HIPAA Comes of Age
2017 marked the 21st anniversary of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As HIPAA comes of age, digital health applications have exploded, and industry advances in artificial intelligence, big data, genetic information, and personalized medicine are well under way. But these developments are taking place in an era where the volume, level, and scope of cybersecurity threats have exploded exponentially.
Against this backdrop, the biggest HIPAA development this year was repetition: These threats materialized time and time again for healthcare providers, health plans, and their business associates. In 2017, the number of breaches reported to the HHS Office for Civil Rights (OCR) affecting 500 or more individuals reached 294—almost three times the number of similar “big breaches” reported in 2016. As in years past, most of these breaches resulted from theft, hacking, and other IT incidents.
On the enforcement side, OCR followed its banner year in 2016 with a flurry of actions in 2017, entering 10 resolution agreements to recover approximately $20 million, nine of which required corrective action plans. While down from 2016 recoveries, the agency pursued these actions in the midst of a transition to new administration and departure of key OCR staff. Despite the changes happening behind the scenes, OCR investigators continue to focus on whether an entity has reasonable and sufficient organizational cybersecurity risk management to detect and remediate its security risks.
HHS concluded the year by issuing industry guidance and publishing requests for comment on a multitude of health IT issues, including proposals to reduce the regulatory burdens and barriers to data sharing while hardening cyber defenses. As the new administration implements the 21st Century Cures Act, we can expect final changes to Food and Drug Administration policy on medical software, a glide path to accelerate interoperability via standards-based exchange of core patient data, and more dialogue on the types of industry practices deemed to be unreasonable information blocking.
CMS Finalizes Major Cuts to 340B Program, Stirring Industry and Government Response
2017 proved to be an eventful year for CMS’s 340B drug discount program, which requires drug manufacturers to provide outpatient medications to covered entities at discounted rates. The program provides a critical subsidy for many hospitals, particularly safety-net hospitals in rural areas. On November 1, CMS finalized a policy changing the payment rate for certain non-pass-through drugs and biologicals purchased through the program from the average sale price plus 6 percent to the average sales price minus 22.5 percent. CMS estimates the change will save the program approximately $1.6 billion in 2018—money that will be redirected to pay for other outpatient medications under Medicare.
Shortly thereafter, two competing bipartisan bills addressing the 340B program were introduced in Congress. One bill, released on November 15, proposed to block the payment cuts and nullify the relevant provisions of CMS’s final rule. The other bill, introduced on December 21, proposed to stop new disproportionate share hospitals and their satellites from enrolling in the program and impose new reporting requirements on certain entities covered by the program.
At the same time, three trade groups—the American Hospital Association, the Association of American Medical Colleges, and America’s Essential Hospitals—joined forces to sue CMS over the payment cut. The lawsuit, filed November 13, requested a preliminary injunction against the change in 340B drug payments. However, on December 29, 2017, the District Court of D.C. granted the government’s motion to dismiss the lawsuit, and the payment cuts took effect as planned on January 1, 2018. Of note, the court did not address the merits of the trade groups’ case; instead, it dismissed the plaintiffs’ claims on procedural grounds. The trade groups—and others—still have an opportunity to appeal the payment cuts now that they have taken effect.
Hospital Consolidation Trends Continue
By many accounts, hospital deal activity sustained the same torrid pace in 2017 that it has for the past several years. Increasing reimbursement pressure, changing payment methodologies, and continuing uncertainty regarding the health insurance marketplace forced many hospitals and health systems to consider a range of affiliation transactions, from traditional mergers and acquisitions to emerging alternative partnerships, such as the development of clinically integrated networks.
Changes in how—and in how much—hospitals are paid continued to put pressure on the bottom line. Among other things, changes in disproportionate share hospital payments, 340B program payments, and various site-neutral payment initiatives (undertaken by both governmental and commercial payors) prompted many hospitals to consider their options. In addition, a March 2017 MedPAC report showed weakness in hospitals’ aggregate Medicare margin (i.e., the amount by which payment exceeds allowable costs) and predicted further decline to roughly negative 10 percent by the end of 2017. Many hospitals, particularly those with large Medicare and Medicaid populations, are feeling the pinch.
In all likelihood, hospital consolidation will continue to be a major theme in the year ahead. While traditional merger and acquisition activity is expected by many industry analysts to remain robust, alternative structures likely will constitute an increasingly large portion of the hospital consolidation landscape. In particular, hospitals may pursue clinical affiliations, management agreements, or the development of regional networks in an effort to brace for expected changes in payment policy while retaining a degree of independence.