Urgent message: “Winning” a lawsuit in which you’re the defendant runs a distant second to avoiding lawsuits altogether—never mind if you’re on the losing end and have to pay a judgment. Understanding relevant regulations and laws is the best way to stay out of court.
Today’s healthcare providers must carefully navigate their way around complex laws and regulations which regulate, restrict, and impact their practices. Urgent care providers who fail to navigate within these laws may find themselves on the wrong side of a lawsuit or regulatory action. Here are some tips to help you avoid these legal icebergs.
HIPAA/HITECH and Data Privacy
Like all healthcare providers, urgent care centers collect “attractive” data from patients—names, addresses, telephone numbers, Social Security numbers, and birthdates (as part of routine intake forms)—along with payment data (which can include credit or bank card numbers for copayments, as well as payer information). It is therefore not surprising that healthcare is both one of the most regulated industries with respect to data and the top industry impacted by data breaches. Data from the Ponemon Institute show that in the past 2 years, about 90% of healthcare entities have been the subject of a data breach. Because healthcare providers are at an increased risk for ransomware and other cyberattacks, it is important for them to comply with federal (and state law) privacy requirements and be prepared to respond to a data security incident.
The Health Insurance Portability and Accountability Act of 1996 includes three important rules: the privacy rule, the security rule, and the breach notification rule. Each has a different application and set of standards with which healthcare providers must comply. In particular, urgent care centers should be aware of and avoid the most common compliance problems under HIPAA:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Use or disclosure of more than the minimum necessary protected health information
- Lack of administrative safeguards of electronic protected health information
Urgent care centers should be sure to take the following actions to minimize the risk of HIPAA noncompliance: 1) Review and adopt a compliant notice of privacy practices and HIPAA policies and procedures; 2) Ensure that third-party vendors sign compliant business associate agreements in instances where the vendor will have access to protected health information (including EHR vendors); 3) Conduct periodic employee training (this is not only required, but will help educate and keep your [potentially] changing staff up-to-date on important protocols for interacting with patients and maintaining the privacy and security of data); 4) Understand and appropriately respond to requests from patients for health information; and 5) Implement appropriate safeguards to secure data and take steps to prepare for a cybersecurity incident (including breach response preparedness, cyberliability insurance, and appropriate provisions in vendor agreements—particularly EHR vendors).
Collective Negotiation by Providers/IPAs
Working with other providers to combine forces and negotiate with payers for better fee schedules may make some business sense—but from a legal perspective, there can be significant risks to these collective negotiations. The Federal Trade Commission and the United States Department of Justice have repeatedly investigated collective negotiations through independent practice associations, treating these collaborations as “inherently suspect” business practices.
In order to avoid violating the antitrust rules, providers and independent practice associations (IPAs) who form collaborations to collectively negotiate with payers or health plans must be financially or clinically integrated. Financial integration requires the sharing of substantial financial risk, including losses and profits. Clinical integration requires mechanisms to control utilization of healthcare services, designed to make care delivery more efficient, control costs, and assure quality of care. Clinical integration will also require the selection of network physicians who will further these efficiency objectives, and a significant investment of capital (both financial and human) to build the necessary infrastructure and capability to make the efficiency objectives a reality.
The analyses used by the FTC and the DOJ in reviewing these cases are complex. Urgent care centers should be sure to consult with experienced legal counsel to carefully analyze any collective negotiation arrangements or proposed IPAs to ensure that they are in compliance.
In most states, physicians (and perhaps other professionals) are subject to “fee-splitting” limitations which restrict their ability to allow nonprofessionals to share in the fees for professional services. These rules may limit the business arrangements between an urgent care center and third parties. One example of fee-splitting arises in the not-unusual context of a series of urgent care physician practices that operates several sites (perhaps in several states), under a management services arrangement with a management services organization (MSO), where the MSO’s fee is based on revenue generated.
Many states have implemented exceptions to their fee-splitting restrictions to allow certain percentage- or revenue-based compensation formulas; these exceptions vary from state to state. New York, on the other hand, has been holding off on this for years; even there, however, legislation has been proposed (but not passed) which would allow healthcare professionals operating in the state to structure their practice management and billing services on a percentage basis.
While the fee-splitting restriction is not new, it is often overlooked when structuring professional practice-MSO relationships. Urgent care centers working with an MSO should be sure to check the restrictions of each state they are operating in to make sure practice‒MSO compensation is allowed under existing law. (It should also be considered when formulating incentive payments for nonprofessional employees.)
Stark and Antikickback
There are important differences between the physician self-referral (“Stark”) and antikickback rules both on a state and federal level with respect to application, liability standards, exceptions, and penalties. Discussion of these laws fills many volumes and shelves in law libraries—and while a full colloquium is outside the scope of this article, it would be remiss not to include a mention of these oft-violated laws.
State and federal Stark laws (often, but not always, aligned) prohibit the referral by a physician, for a designated health service, payable by Medicare (and other payers, depending on interpretation and state law), when the physician or his family has an ownership or compensation interest in the entity that will perform the designated health service. There are exceptions to this rule, which must be fully complied with (different from the safe harbors under the antikickback laws). It doesn’t matter if there was an intent to violate the law or a simple mistake—Stark is a strict liability law. State laws may also provide for certain patient notifications and disclosures to be made. There are significant civil penalties for a violation of the federal Stark law, including the possibility of exclusion from Medicare and Medicaid.
The state and federal versions of the antikickback laws do not allow knowing and willful receipt or payment of any remuneration, directly or indirectly, in exchange for a referral for a service or the purchase of a service covered under a federal healthcare program. Unlike the Stark law, there are no express exceptions; rather, there are safe harbors which identify certain transactions and arrangements which do not violate the law. However, there could be other transactions or arrangements which are not included in a safe harbor and which do not violate the law. Generally, the violation must be knowing and willful (although this could vary under state law). There are significant criminal and civil penalties for violations.
Given the breadth of these prohibitions, and the extensive (and complicated) exceptions and safe harbors, urgent care centers should carefully review referral arrangements with physicians, particularly as they relate to productivity payments and payments for services such as physical therapy, occupational therapy, laboratory tests, or radiology and imaging services.
Corporate Practice Issues
The laws of all states provide for professional licenses to be given only to individuals, which means that only these individuals may practice that profession. This restriction is commonly referred to as “corporate practice.” For an organization to provide medical services, it must fall within an exception, which may include a professional entity (PC, PLLC, etc.) or a licensed clinic. Relationships between professional entities and nonphysician management companies should be carefully structured to keep within the limits of administrative services that are allowed to be subbed out (which are sometimes not so obvious), and to leave the retention of professionals and the decisions relating to professional services to the professional entity.
Violations of the above rules not only result in expensive lawsuits, but can also involve costly administrative proceedings, penalties, and reputational harm. An ounce of prevention certainly will cost less than a pound of cure.
Frank J. Fanshawe, Esq and Rosemary Weaver McKenna, Esq