October 2016

Group Practice: Hot Topics in Health Law
By Maja Lacevic
Radiology Today
Vol. 17 No. 10 P. 8

Health care providers increasingly practice in an environment shaped by a variety of legal and regulatory issues and oversight. Whether it is contemplating a merger or sale, complying with complex government regulations, or responding to a data breach, these issues impact how radiologists and other health care providers perform procedures and studies, report their results, and structure their practices. Although the health care field is riddled with emergent and potential legal issues, here are just three of the many trends currently being seen.

Transactions Involving Physicians
The health care industry is in a period of heightened transactional activity, and this trend is expected to continue into the future.1 Overall for 2015, the health care sector experienced a record-breaking 1,498 transactions worth approximately $563 billion.2 During 2016, there continues to be significant acquisition activity across multiple physician specialties, including anesthesia, radiology, emergency, and hospitalist services.

There are many different routes for joining forces and affiliations between health care providers. They can include all manner of transactions, including joint operating arrangements, informal clinical or administrative agreements, or full asset combinations through individual mergers or acquisitions.

Health care transactions are complex and multilayered and can often mean sacrificing some measure of organizational independence, but consolidating or affiliating may be the best option to sustain and advance an organization's mission, vision, and values. The best structure for a transaction will be the one that best manages the tradeoffs among maintaining a degree of professional independence, obtaining the full financial value of the existing practice, ensuring the future of the practice through joining a larger organization, and obtaining the other benefits that can be available in a larger organization.

At the end of the day, all parties to a transaction should be left with an organization that operates to benefit everyone involved, without sacrificing their respective missions. Careful planning and discussions with potential partners to ensure a good "fit," along with getting early advice from legal and accounting advisors that will assist in the transaction, will improve the chances that the chosen strategy will be the best for their organization.

Stepped-Up Fraud, Abuse, and Compliance Enforcement
A perpetual concern for radiology practices and other health care providers is compliance with government rules and regulations. The primary purpose of the US Department of Health and Human Services' (HHS) Office of Inspector General (OIG) is fighting fraud, waste, and abuse. As such, the health care industry has seen an increase in government scrutiny, including emphasis on payment, program integrity, and compliance.3 The federal agencies and their contractors are seeking increased damages and penalties for violations by providers, and their recent recoveries have been tremendous. Going forward, the OIG intends to build upon existing enforcement models, refine self-disclosure protocols, and use all appropriate means (including exclusions and debarments) to maximize recovery.

The OIG remains focused on occurrences of false and fraudulent billing and continues to focus on home health agencies and emergency ambulatory services. In just the first half of fiscal year 2016, the OIG's investigative receivables have already matched the $2.2 billion total investigative receivables recovered in the full 2015 fiscal year.4 The OIG's investigative receivables are on pace to surpass 2015 totals in nearly every area of enforcement, including total exclusions, total Civil Money Penalties (CMPs) assessed, and dollars received from CMPs.

According to the OIG's Work Plan for 2016, diagnostic radiology and laboratory testing will be scrutinized for health care fraud schemes.5 For radiologists, this can include the solicitation and receipt of kickbacks to or from referral sources, illegal referral arrangements between physicians and medical companies, billing for services not rendered, medically unnecessary and misrepresented services, and patient harm. Radiologists can and should avoid the appearance of billing and medical necessity irregularities by confirming that documentation in the medical record is accurate and in harmony with the coding and billing for the services rendered.

In addition, the OIG recommended that the Office for Civil Rights (OCR) strengthen its oversight of covered entities' compliance with HIPAA.6 Staying true to the OIG's recommendation, in March 2016, OCR announced a new round of HIPAA compliance audits of both covered entities and business associates. The OCR will focus on "review [of] the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules."7 These audits come at a time when OCR has also significantly increased the penalties assessed for HIPAA violations. To survive the latest audits, health care providers need to review all existing policies, update policies as necessary, and ensure that they correspond with the technology that their business is using. In addition, health care providers should regularly train and educate employees on their specific roles in maintaining HIPAA compliance.

Business associates can often be weak links in security, so it is crucial to know who the business associates are and how they are handling protected health information (PHI). While a covered entity will not be responsible for its business associates' compliance, if a covered entity finds that one of its business associates is violating HIPAA, it is required to take steps to mitigate the violation. If that's not possible, the covered entity is required to terminate the business associate contract. If covered entities do not follow these steps, OCR can fine the entity for noncompliance with HIPAA as well.

Privacy and Security of Health Care Data
Breaches of electronic data have become a key problem as more health care providers switch to electronic systems. In addition, interoperability of systems is expected to produce more breaches as information is exchanged between networks. Health care providers must balance state and federal laws, such as HIPAA and the HITECH Act, in formulating a data breach response. Just one widespread data breach may set in motion the regulations of multiple states, depending on where the affected individuals reside.

HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer. The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions implemented and enforced by the Federal Trade Commission apply to vendors of personal health records and their third-party service providers, pursuant to the HITECH Act.

Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the secretary of HHS, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, radiology practices must have in place written policies and procedures regarding what to do in the event of a breach, train employees on these policies and procedures, and develop and apply suitable sanctions against employees who do not comply with these policies and procedures.

The latest high-profile data breaches should serve as a catalyst for health care providers to develop a plan. Being prepared for a data breach, with a comprehensive plan in place, puts health care providers in the best position to respond quickly and reduce risks.

— Maja Lacevic is an attorney in the Health Care Industry Group at Trenam Law in Tampa, Florida. She assists physicians, hospitals, and other health care providers in a range of complex legal matters, including health care fraud and abuse, business transactions, and data security. She may be contacted at mlacevic@trenam.com.

References
1. 2016 1st half trends reports: healthcare industry. Berkery Noyes website. http://www.berkerynoyes.com/publication/trends/2016HY/healthcare.aspx. Published July 14, 2016.

2. Health care M&A deal volume and value exploded in 2015. Irving Levin Associates website. http://www.levinassociates.com/pr2016/pr1601mam15. Published January 27, 2016.

3. US Department of Health and Human Services, Office of Inspector General. OIG strategic plan 2014–2018. http://oig.hhs.gov/reports-and-publications/strategic-plan/files/OIG-Strategic-Plan-2014-2018.pdf

4. US Department of Health and Human Services, Office of Inspector General. Semiannual report to Congress: April 1–September 30, 2015. https://oig.hhs.gov/reports-and-publications/archives/semiannual/2015/sar-fall15.pdf

5. US Department of Health and Human Services, Office of Inspector General. Work plan: fiscal year 2016. https://oig.hhs.gov/reports-and-publications/archives/workplan/2016/oig-work-plan-2016.pdf

6. US Department of Health and Human Services, Office of Inspector General. OCR should strengthen its oversight of covered entities' compliance with the HIPAA privacy standards. https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf. Published September 2015.

7. HIPAA Privacy, Security, and Breach Notification Audit Program. US Department of Health and Human Services website. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/