
Healthcare Regulatory Triumvirate: Only the Start

It should be well known and understood that the healthcare industry is subject to a variety of laws and regulations that can make operating in the space trickier than other industries. To give both new and experienced individuals a taste of that complexity, three primary laws are often cited as the top priorities to keep in mind. Those three laws are: (i) the Stark Law, (ii) the Anti-Kickback Statute (“AKS”), and (iii) HIPAA. Most healthcare lawyers will start a discussion about impacts on a business with those laws because they can have arguably the broadest influence on what a business can or should do.

The Triumvirate

The Stark Law. Starting with the Stark Law and the AKS, those two laws are to a large degree complementary pieces. The Stark Law is a civil law that, starting from an overly simplified view, does not like referral relationships between providers. As a baseline, the Stark Law frowns upon a referral relationship if the physician making the referral has a financial relationship with the receiving entity. As noted, that is the starting point.

Now getting under the first layer or two, the Stark Law only applies to “designated health services” or “DHS,” which is a term specifically defined under the Stark Law. Generally speaking, designated health services cover a large swath of healthcare services that can be provided to patients, but the term is not all-encompassing. Any analysis of a referral relationship should start with the question of whether the services involved are DHS. If not, then the Stark analysis can likely stop there.

If DHS are involved and Stark applies, then it gets fun. Despite the baseline approach of not liking referral relationships, the statute and regulations contain a whole host of exceptions that make a relationship acceptable. The exceptions break down into the following categories: (i) service-based, (ii) ownership or investment interests, and (iii) compensation arrangements. The list of exceptions, mostly the compensation arrangements ones, keeps growing. Additionally, the specific requirements for the exceptions can change as interpretations change or the requirements are tweaked. Given that evolution, it is essential to stay on top of the current text of the regulations.

Knowing the exact text of the regulations is important because the Stark Law is a strict liability law. Strict liability means that if an organization does not comply with the requirements as set out, then a violation has happened. The violation exists regardless of whether an intent to violate the law exists. The analysis only looks at what is in place and not whether the parties did their best to meet the requirements or didn’t mean to miss the mark.

The AKS. The Anti-Kickback Statute is a criminal companion to the Stark Law. Going into what it means to be a criminal law first, there needs to be an intent to violate for a problem to arise. However, what constitutes intent can vary to a pretty large degree with various developments over time making it easier to find an improper intent. There is also a standard referred to as the one purpose standard for finding intent. What the standard means is that so long as one reason for the proposed relationship is improper then the whole relationship can be tainted.

Beyond the intent, the AKS has a number of safe harbors that can make an otherwise improper relationship acceptable. The safe harbors under the AKS overlap to a large degree with the Stark exceptions. A significant difference from the Stark Law is that it is not strictly necessary to meet all of the requirements of a safe harbor to be ok. Since an intent must exist to violate the AKS, it is possible for a relationship to still not create a violation even if all of the elements of the safe harbor are not met. If a safe harbor is not fully satisfied, then there can be varying degrees of risk associated with the relationship.

HIPAA. The third member of the triumvirate is HIPAA, everyone’s seemingly favorite law to not fully understand in healthcare. For purposes of concern, the areas of HIPAA to focus on are the Privacy Rule, Security Rule, and Breach Notification Rule. The bulk of HIPAA addresses transactions and data interchange, which is not what drives the confusion and concern.

Overall, HIPAA looks at how protected health information can be used and disclosed along with how to protect that information. The rules are relatively permissive when actually parsed through because the rules do not interfere with regular business operations in healthcare. To the contrary, the rules promote regular operation and really seek to limit the flow of data outside of the healthcare system.

On the security side, HIPAA establishes a decent framework from which to build an actually comprehensive and functional security platform. When the HIPAA Security Rule is viewed as the framework on which to build the actual security house that can meet or exceed industry standard, then it makes a bit more sense.

While the overview of the three big laws is decidedly brief and extremely high level, it is also important to note that it is just the start of the story.

Expanding the Picture

Depending on the nature of the business, a healthcare organization will need to consider a lot of other laws and regulations too. The laws and regulations are a mix of federal and state considerations, but each is certainly important in its own right.

Given the myriad of laws to potentially consider, the aim now is to only flag some of them to begin the eye-opening process that there are layers upon layers of issues within healthcare.

A big factor impacting operations will be the rules and regulations for participating in Medicare and/or Medicaid. For Medicare, there are baseline regulations for participation and then nuances that are introduced (and changed) every year through the fee schedule process. The conditions are quite detailed and get into some of the minutiae of how to operate.

While Medicare is standardized, Medicaid has unique characteristics in each state because it is a joint federal and state program. Since each state has a say in how Medicaid runs in its jurisdiction, there will be differences in terms of what services are covered, how payment may be made, and other distinctions. It all means that an organization may have a relatively easier time if it only operates in one state, but will need to get up to speed on differentiators to the extent the organization participates in Medicaid in more than one state.

While mostly applicable to hospitals, another federal law, one that has been getting more attention recently, is the Emergency Medical Treatment and Labor Act (“EMTALA”). The basic premise of EMTALA is that an emergency room is supposed to triage and stabilize every presenting patient, unless some very specific circumstances are present. The purpose is to avoid instances of patient dumping or only picking patients with insurance coverage that is perceived as more favorable.

Moving to the states, the biggest issue was already flagged, namely the state-by-state variations in the implementation of Medicaid. However, many states also have unique iterations of the AKS and/or Stark Law. The state-level anti-kickback statutes can mirror the AKS to a large degree, though the safe harbors may be missing, which adds in a different set of challenges. The state mini-Stark laws can also differ in the specifics. In many instances, the state fraud and abuse laws will expand beyond just federal payor programs and apply to commercial insurance arrangements as well. The global coverage arguably makes compliance easier because there is no potential differentiation in operation, but it is something to consider.

The growth in states enacting comprehensive privacy schemes also adds a compliance wrinkle. The comprehensive privacy schemes usually carve out information already subject to HIPAA, but many organizations hold information beyond that. For the non-HIPAA information, it is necessary to know when compliance becomes applicable and what to do.

The Maze

While Stark, AKS, and HIPAA deservedly get a lot of popular attention, real world operation needs to consider all of the intersecting and sometimes arguably conflicting laws. Operating in healthcare really is like being in a neverending maze. Understanding that baseline for involvement is important. Attempting to ignore the complexity or push through without giving the complexity its due is a pretty sure way to end up in a lot of trouble. Take the time to be considerate and be willing to bob and weave as necessary.

On top of that, it is necessary to offer a final caveat that the summary offered here barely scratches the surface of the various laws, regulations, and rules. Before going too far down any path, take the time to assess what could apply to that path and vet it out.


COVID Waivers: Preparing for the End

How many people remember how healthcare fully operated prior to the onset of the COVID-19 driven pandemic? The question is only somewhat facetious as the delivery of care and running of organizations along with so many other components of the healthcare industry have changed to a large degree. Telehealth is an obvious area that expanded, but relationships and compliance have been impacted too.

Public Health Emergency Declaration

Back in March 2020 when COVID emerged and disrupted the world, the United States declared a public health emergency (“PHE”). The PHE was also noticed by the Department of Health and Human Services (“HHS”). The HHS PHE opened the door for the Secretary of HHS (through all of the subagencies and offices) to issue waivers or notices of non-enforcement of many regulations impacting the healthcare industry. The changes will broadly be referenced as waivers, even though from a technical legal standpoint not all waive an obligation or requirement.

A quick, non-comprehensive review of the waivers will give a bit of a reminder of just how many changes occurred. HIPAA experienced enforcement discretion to enable the rollout of telehealth tools that may not meet all HIPAA privacy or security protections. While not every tool was given a free pass (think public-facing interactive tools like Facebook Live), a whole host of tools were enabled, which ignored that so many easy-to-acquire compliant tools were available. While healthcare organizations are moving to mature the telehealth and virtual care offerings, it is not clearly known what posture has been adopted by all organizations. There are likely a large number of organizations still relying on free tools that don’t take the effort to meet HIPAA requirements.

Foregoing cost sharing requirements, such as copays or coinsurances, is another change that swept across the healthcare landscape. While many commercial insurance plans already stopped the cost sharing waivers, Medicare still arguably lets waivers occur without needing to go through a financial hardship or other analysis. Some waivers were more clearly enacted by emergency legislation to address cost sharing related to COVID-19 care, but guidance from the Office of the Inspector General also broadly addresses cost sharing for Medicare. Normally cost sharing waivers should only occur on a limited basis and after conducting a financial hardship assessment. Those requirements were thrown out the window as a result of the COVID-19 impact, and the lack of cost sharing has enabled certain services to thrive. Those certain services include a number of virtual care services that are driving better patient outcomes, but will come with a monthly patient financial responsibility that could impact ongoing participation.

Reimbursement coding also experienced a constantly changing environment early in the pandemic. While the pace of changes slowed down after a few months, a number of modifiers and new codes were introduced to reflect newly adopted services. Workflows have been adjusted and systems changed to ensure that appropriate codes and supplements are included. Going back to scrub all of those changes out will be another issue to pile on top of already busy operations.

New arrangements connected to delivery of COVID-19 services, or potentially more expansive deals, benefited from the waiver of fraud and abuse regulatory requirements. The fraud and abuse regulations are very technical, detailed, and full of traps. Not having to keep those front and center while arrangements were often established on the fly means that a whole host of contracts likely need to be rewritten or potentially terminated altogether. Reviewing and confirming compliance of all of the impacted contracts could result in potential disruption of services or the ending of certain beneficial relationships.

What Can Be Done?

Even with the PHE remaining in place, the current waning of pressing COVID issues offers an opportunity to get in front of any formal termination of the PHE. Competing concerns will always be grabbing attention, but refreshing memories as to the full scope of changes from the PHE and comparing to action taken to permanently encode changes is necessary. If an organization does not remember what modifications to procedures were put into place because of the PHE, unwinding where necessary becomes impossible. A collective effort will be necessary to tease apart all of the interconnected threads related to PHE changes.

At the same time, assessing what changes should still be permanently encoded will also help. Full relaxation of regulatory requirements is clearly not a realistic possibility or even preferred outcome, but some of the changes do need to stay. Assessing impact and developing evidence as to the good and bad of all changes can appropriately inform future action.

The current key though is to get prepared now. Waiting until the PHE expires from non-renewal will unnecessarily stress operations, which means individuals across all organizations. A proactive approach (which mirrors the trend for delivery of care) will set organizations up to continue succeeding and delivering care, which is the real goal.

The End of the PHE?

The PHE was last renewed in January 2022 and would currently expire in April. That time will be here before anyone knows it or is really ready for it. Get going now to avoid an unpleasant surprise.


Mitigate Pandemic Risks: Track Government Guidance

The COVID-19 pandemic has brought about numerous changes to the healthcare industry, most notably on the regulatory front. When the pandemic reached emergency levels in the mid-March time period, the order officially declaring a state of emergency was quickly followed by many regulatory waivers, announcements of enforcement discretion, or outright changes to the regulations. Those changes along with the interpretive guidance came out on what felt like a daily or even more frequent basis. The flurry of changes meant that everyone, whether government agencies, hospitals, physicians, or others, was scrambling to figure out what to do.

Telehealth is one area that went from extremely low utilization to the predominant means of delivering healthcare services. The Centers for Medicare and Medicaid Services started that trend by providing reimbursement equal to in-person visits for telehealth along with not paying attention to location or patient relationship requirements, among other areas. Further, the scope of who could provide services by telehealth was expanded over time, some of which came in response to pushes from particular industry groups. While the types of services that can be delivered and the types of clinicians that could bill may have received more general attention, the detail of how to file a claim and how to fill in billing documentation became very complex. At times, guidance could be completely altered from one announcement to another.

The changing ground rules on the reimbursement front are not relegated solely to telehealth. A lot of new services specifically connected to COVID-19 were rolled out, such as testing for the virus and care related to the virus for those infected. The exact billing codes and modifiers changed as new paradigms were established.

On top of the expansion of services, the government also recognized that individuals needing care may not be able to afford out-of-pocket costs given the cratering that occurred to the economy. To mitigate those impacts, the government permitted a lot of individual financial responsibility to be waived or otherwise not collected. Indiscriminately not collecting patient financial responsibility is a relatively significant departure from the norm, since waiving financial responsibility for all patients or even a decent number without determining need would be viewed as a form of fraud.

Other programs rolled out to benefit physicians were various funding initiatives to direct money to physician groups to make up for the lack of revenue caused by patients not coming in. At times money would just show up in individual physicians’ bank accounts or the accounts of practices. However, none of that money came free of strings. Instead, the money would be followed by lengthy attestation documents that, in brief, had physicians certifying to the government that the funds would be used for the appropriately designated purposes and that operations within the practice fit within the eligibility criteria identified by the government. Submission of the attestation was official and binding confirmation.

As already suggested though, each and every change underwent at least a couple of iterations, each of which came with its own guidelines for implementation. Given the fast pace of changes, how many practices or individuals could realistically state that each and every claim or attestation was submitted correctly? Likely none. Further, it is possible that a “correct” action one day could be incorrect the next. What can be done in that regard? Document, document, and document some more.

While the federal Department of Health and Human Services does have a single landing page to find all COVID-19 related documents, will that page always be there? Can the desired guidance or announcement be found? If there is skepticism about being able to locate every resource in the future, how can documentation be achieved? Aside from what should be the standard practice of having appropriate support for claims, it may be advisable to maintain a copy of all guidance, announcements, and other statements that informed why a particular course of action was followed. Having copies of all documentation may be helpful in the event an adverse action is attempted to be taken down the road, even in spite of many statements that no fraud or abuse recoveries will be attempted absent clear indicia of fraud.

Individual maintenance of documents from the government may provide a necessary defense if things go a little haywire. Considering the need for the documentation may also push even more attention to all of the changes since collecting the documents may offer the needed push to dig a little deeper or confirm an understanding. While most are clearly trying to do the right thing and just survive with a practice still intact following the pandemic, preparing for all possible outcomes (even an optimistically unlikely worst case one) can be more fruitful from the start than trying to prove a negative in the future.