United States: Healthcare Legal News: Volume 7, Number 2

Blessings in Disguise: Strategies to Uncover the Hidden Opportunities for Healthcare Bankruptcies

On September 14, Carolyn "CJ" Johnsen (Member, Phoenix) and Peter Domas (Of Counsel, Troy) will co-present this webinar on leveraging opportunities with distressed healthcare entities. Key takeaways include identifying risks and opportunities over the next 3 to 5 years facing healthcare entities, learning the strategies available to distressed healthcare entities seeking to regain sustainability, and understanding and mitigating risks unique to acquiring distressed healthcare entities. The event will begin at 2:00 EDT. Register at here.

Where is your PHI Data Traveling Today?

With most vendors offering and pushing cloud computing solutions and offsite data backup, or guaranteeing offsite backup of data they process for you, many HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information. At the same time, the rise of offshore IT services, including distributed storage, by cloud data providers creates issues that most healthcare providers have not yet realized. Even if some of the issues are realized, many covered entities and their business associates do not know where their data is currently being processed, stored, or backed up. In fact, storage or processing of personal health information ("PHI") overseas may or may not be permitted or at least require additional resources, such as additional or more detailed risk assessments.

There currently are no federal regulations or statutes that prevent storing or processing PHI offshore or overseas; however, the Centers for Medicare and Medicaid Services ("CMS"), the U.S. Department of Health and Human Services ("HHS"), and the U.S. Office of Civil Rights ("OCR") within the HHS, have all issued regulations or provided guidance that restrict storing or processing PHI offshore. In addition, there are four states that ban any Medicaid data from being stored or processed overseas (Arizona, Alaska, Ohio and Wisconsin), two more that only allow offshore contracts under extremely limited circumstances, and nine more that have specific requirements that must be met before any offshore processing or storage of Medicaid data is allowed. Even if a healthcare provider is not located in one of the above states, if the provider has treated a patient of those states, state regulators may argue that the healthcare provider must comply with their laws, regulations, and guidance, as applied to the resident of their state. Even more concerning is that even though Delaware does not have any laws or statutes banning offshore processing or data storage, Delaware recently started adding provisions to all of their contracts (similar to Wisconsin) that the State (Delaware) will not permit project work to be done offshore. There may be additional states adding these prohibitions to their contracts in the future.

If extra regulatory burden and potential state law bans were not enough by themselves, any PHI stored offshore likely will be subject to local law of the country in which it is stored. Furthermore, these local laws may allow for actions or even access to the data that directly conflicts with requirements on healthcare providers under HIPAA/HITECH, even if the vendor signed a BAA. Due to the issues in enforcing HIPAA and HITECH, and even a BAA against an overseas vendor, HHS has basically stated that it is the duty of the healthcare provider or vendor for deciding how to vet data services vendors and comply with expected additional requirements when conducting a risk assessment on overseas providers.

At this point, most healthcare providers question if any offshore or offsite data storage or processing is worth any potential cost savings, or if OCR has any further guidance. In the fall of 2016, OCR prepared guidance that explained how federal health information privacy and data security rules apply to cloud services. In summary, this guidance helped data service companies, but at the expense of covered entities by primarily placing the burden on the covered entities, specifically hospitals, insurers, doctors, and other healthcare providers. In looking at data service vendors, OCR decided that data service subcontractors of the covered entities' business associates are actually business associations of the business associates. According to the OCR, covered entities must assess the cloud services providers' or offshore providers' data security efforts, but HIPAA does not require the cloud services providers to allow covered entities audit them. As such, covered entities are required to determine how well a cloud services provider handles system reliability, data security, and data backup and recovery, without the ability to perform an audit. While this is problematic when dealing with domestic cloud service providers, it creates additional issues when dealing with overseas cloud service providers.

While OCR allows use of overseas providers, as of right now the rules of HIPAA and HITECH fail to address any international aspects, leaving no requirements but also no protections for covered entities. If you select a domestic provider, the laws and regulations regarding PHI apply to both parties, but if an overseas provider is selected, HIPAA and HITECH will not apply, unless they contractually agreed to comply with such laws and regulations. If there is a breach and the overseas provider refuses to defend against or pay any fines or fees levied related to the breach, the covered entity may be liable for paying. It is also important to note that while an international provider may agree to sign a BAA, many international providers do not understand the requirements of HIPAA and HITECH, while most domestic providers have a greater understanding.

Even if you know where the company with whom you are contracting is located, do you know where they send the backup data? Do they send data for processing or backup to other agents, subcontractors, vendors, or other data providers overseas? You may not realize your data is regularly taking international trips, and may be better traveled than you are. In addition, if a relationship is terminated with an international provider, how will you ensure that the data is wiped from the system? Healthcare providers generally must require a certificate of destruction when terminating data services, and will you be able to comply with this provision with an offshore provider?

In contract with cloud service providers, including backup providers, e-mail providers, and other processing entities, covered entities and their BAAs must determine where their data is located, and if it is offshore, they must analyze if any of the information is prohibited from being exported by any state or local regulations. If not, next it must be determined if there is an extra compliance burden associated with the data being offshore, and if that extra compliance burden and the associated risk of being offshore are worth any cost savings by using the offshore provider. If an entity knows that some of its data may be banned from being exported overseas, or would raise too much risk or compliance burden, then language banning such exports should be placed in the agreements, including any BAAs.

High Court Unanimously Upholds ERISA Exemption For Church-Affiliated Pension Plans

by Kimberly J. Ruppel , Member
Troy Office
248.433.7291
kruppel@dickinsonwright.com

Advocate Health Care Network et al v. Stapleton et al, 581 U.S. __ (2017)

In one of the recent opinions rendered by the United States Supreme Court, it was found that pension plans maintained by religiously affiliated pension plan committees were exempt from certain provisions of the Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1001, et seq. (as amended) ("ERISA").

Why is this of interest? ERISA obligates employers to follow a set of rules designed to ensure plan solvency and protect plan participants. Some of these rules, particularly rules regarding pension plan design and funding, may seem more burdensome to employers than protective of employees. The outcome of this case was a blow to those seeking to hold church affiliated hospitals accountable to the same ERISA requirements as their secular counterparts.

The original ERISA statute provided an exemption for "church plans", defined as "a plan established and maintained . . . for its employees . . . by a church." 29 U.S.C. §1002(33)(A). Congress amended the statute in 1980 in part to add a section that formed the basis of the dispute before the Court as follows: "A plan established and maintained . . . by a church . . . includes a plan maintained by an organization . . the principal purpose . . . of which is the administration of funding of [such] plan . . . for the employees of a church . . . , if such organization is controlled by or associated with a church." 29 U.S.C. §1002(33)(C)(i). The Court condensed this description as a plan maintained by a "principal purpose organization".

For decades, the IRS, Department of Labor and the Pension Benefit Guaranty Corporation, which are the three federal agencies responsible for administering ERISA, have read the two definitional sections together and allowed pension plans of church affiliated hospitals, such as the parties in these three consolidated disputes, to be exempt from ERISA.

Recently, three separate class actions were filed by current and former hospital employees to challenge their employers' pension plan exempt status. The Courts of Appeals for the Third, Seventh and Ninth Circuits agreed with the employees' argument that a pension plan must be established by a church to be exempt. The High Court granted certiorari in these similar disputes to resolve the question of whether a church affiliated hospital employee benefit plan that was maintained by internal benefit committees but not established by a church satisfied the exemption definition.

In the opinion, Justice Kagan explained that the use of the word "include" in the amended definition indicated that a different type of plan should receive the same exemption benefit as the original definition. Accordingly, since Congress deemed the category of plans "established and maintained by a church" to "include" plans maintained by a principal purpose organization, all such plans are exempt from ERISA's requirements.

It is important to note that hospital plans may still be subject to attack under state law theories of liability with respect to allegations of underfunding or other irregularities. However, church based hospital plans, maintained by an internal benefit committee but not established by a church such as those in these consolidated disputes remain exempt from ERISA's funding reporting and design requirements.

Recent Case Serves as Reminder to Take Care in Structuring Sales of Physician Practices

Over the past few years, hospitals, health systems and practice management companies have increased their efforts to acquire physician practices. Moreover, physician groups are increasingly interested in selling their practices to these interested purchasers. The primary reasons for this trend are varied but in general are prompted by an increased focus on the delivery of medicine in a seamless integrated system by all healthcare providers.
For physicians or other healthcare providers that are considering practice sales, care should be taken in structuring the sale to minimize the federal taxes payable as a result of the sale. In general, there are two choices to structure the practice sale:

• Stock sale - Under this sale structure, which works only if the practice is incorporated, the physicians sell stock in their professional corporation or professional association to the interested purchaser
• Asset sale - Under this sale method, the practice itself sells its tangible and intangible assets to the purchaser

In addition to these two choices, the sale can be structured as a hybrid using a combination of these sales methods. A final and much less common option would be for a portion of the sale consideration to be paid by the purchaser to one or more selling physicians and characterized as a sale of personal goodwill.

For both tax and non-tax reasons, from the seller(s)' perspective, the preferential method for a practice sale would be Option 1 (sale of stock). Under present tax law, a stock sale generates capital gains to the selling physicians. For physician practices organized as "C" corporations, the tax savings from a stock sale as opposed to an asset sale are much greater due to federal taxes that will be payable by the incorporated practice and by its shareholders on liquidation of the corporation and the resulting distribution of the net after tax proceeds of the sale.

In addition to taking care in structuring the sale using these available options, physicians should make certain that the sale documents accurately reflect the structure agreed to by the seller(s) and the buyer. This latter issue was addressed in a recent Fifth Circuit Court of Appeals case in which the sellers of a business tried to restructure the sale when they became unhappy with the tax consequences that arose from the sale under the documents that they had executed. In Makric Enterprises, Incorporated v. Comm'r, 119 AFTR 2d ¶2017-580 (5th Cir. 2017), the Court of Appeals for the Fifth Circuit affirmed a finding of the Tax Court that no mutual mistake was made in the sale of a closely held company's stock that would require a reformation of the transaction. At issue was whether a sale of stock owned by a holding company in its wholly owned subsidiary should be recharacterized as a sale by the holding company's shareholders of their stock in the holding company. The shareholders contended that they believed that they were selling stock in the holding company; however, the sale documents indicated otherwise. The Fifth Circuit rejected the taxpayer's argument on appeal that there was a mutual mistake in the sale documents that would require reformation of the sale structure in the manner sought by the taxpayer.

The lesson to be learned from the Makric decision is that even if physicians who are contemplating a sale of their practice group decide after consultation with their advisors that a sale should be structured in a certain way to minimize federal tax consequences, they should carefully review the sale documents to verify that the documents accurately reflect the desired structure of the sale.

Although the tax differences of the various sale options will decrease if tax reform is enacted as has been proposed by President Trump, this tax legislation will reduce but not eliminate the tax differences from the two different sale options.

Moreover, state law (for example, in those states that have the so-called "corporate practice of medicine" doctrine) may drive how practice sales can be legally structured in which case, the legal aspects of the sale may limit the options to structure the sale. As a result, in those states, the asset sale structure may be the only option. If so, the asset sale will generally result in a higher tax bite against the sale proceeds.

This article appeared in the March/April 2017 issue of the Journal of Health Care Compliance and is being reproduced here with permission. Additional information about this publication can be found at https://lrus.wolterskluwer.com/store/products/journal-health-care-compliance-prod-000000000010029001/internet-item-1-000000000010029001

Keeping Pace in Clinical Research: The Common Rule Picks up Speed

In recent years, the world of human subjects research has expanded not only with regard to the number of clinical research trials being conducted and the array of drugs and devices being tested, but also with respect to the technology employed to conduct the research and the nature of the research itself. As one example, increasing reliance on repositories of human biospecimens or individually identifiable health information has changed the research landscape and the associated risks and benefits. Until recently, applicable federal regulations have failed to keep pace.

The Common Rule

Despite the expansion and modernization of clinical research, the principle federal regulations governing protection of human subjects and ethical conduct in federally supported clinical research (the Federal Policy for the Protection of Human Subjects, generally known as the "Common Rule"), have remained largely unchanged since they went into effect in 1991. However, on September 8, 2015, sixteen federal agencies issued a Notice of Proposed Rulemaking (the "NPRM") with the intent of clarifying the regulations and making them less burdensome on the research community while maintaining protections for clinical trial participants. The NPRM was in follow-up to an Advance Notice of Proposed Rulemaking issued in 2011 which solicited public comment on the notion of updating the Common Rule. On January 19, 2017, after fielding over 2100 comments on the NPRM, the agencies issued a final rule approving long-awaited updates to the Common Rule (referred to herein as the "Final Rule") to be effective, with limited exception, on January 19, 2018.

Key Updates

Below is a summary of some of the key changes contained in the Final Rule.

Definitions. The Final Rule updates certain definitions that existed under the Common Rule and adds others. Although various changes that were proposed under the NPRM were included in the Final Rule, there were several proposed changes the agencies declined to adopt. One notable example was the agencies' refusal to change the definition of "human subject" to include "non-identifiable biospecimens." Such a change would've been a significant departure from the Common Rule and would've had the effect of requiring informed consent for research on non-identifiable biospecimens. As it stands, and will remain under the Final Rule, informed consent is not required for secondary research involving non-identifiable biospecimens.

Consent. The Final Rule updates various provisions relating to informed consent in the clinical research setting including the following:

1. To ensure that potential research subjects are informed of the information they need to make an educated decision about whether or not to participate in a research trial, the informed consent form must now contain a concise summary of key information relating to the research (including the purpose(s), risks, benefits, alternatives, and other information required to be addressed in more detail throughout the form) at the beginning of the form.
2. The Final Rule adds the following four elements to the existing informed consent requirements: (i) whether biospecimens collected as part of the research will be used or distributed for future research; (ii) whether specific technology determined to be capable of generating identifiable information or identifiable biospecimens will be used; (iii) a statement that biospecimens may be used for commercial profit and whether the subject will share in such profit; and (iv) whether clinically relevant research results will be disclosed to subjects.
3. Under the Final Rule, researchers may obtain a broad consent to store, maintain and use identifiable data or biospecimens. There are various requirements and caveats associated with these provisions, but they afford researchers greater flexibility with respect to informed consent for certain future research. As outlined above, consent is not required to conduct secondary research using non-identifiable biospecimens.
4. Consent forms for certain federally-funded trials must be posted on a public website (to be created) at any time after the study is closed to recruitment, but no later than 60 days after the last study visit of any study subject.

Oversight. The Final Rule makes various changes relating to IRB oversight of human subjects research including the following:

1. Multi-site research studies ("cooperative studies") must be reviewed by a single IRB unless review by multiple IRBs is required by law. This is a significant change to the Common Rule as it previously existed and, given the practical complexities involved in implementing this change, the effective date for compliance is delayed until January 19, 2020.
2. The Final Rule relaxes the requirements for IRB oversight in relation to "low-risk" studies in several ways. First, the Final Rule revises and expands the Common Rule's previously existing concept of "exempt" research. Additionally, during the standard of care follow-up and data analysis phases of clinical studies when research subjects are no longer at risk, continued IRB oversight and review is no longer required. Finally, unless otherwise required by the IRB or requested by the researcher, studies under expedited review do not require continued IRB review and oversight.

Compliance

Researchers, institutions and IRBs should ready themselves to comply with the Final Rule as of January 19, 2018. Compliance efforts should include revising policies, procedures and forms, and educating research staff on the new requirements. Clinical studies that have been approved or determined to be exempt prior to January 19, 2018 may continue to operate under the Common Rule as it currently exists, but research institutions may choose to apply the Final Rule to such research through a formal determination with the responsible IRB.

If you would like a printable version of this Healthcare Newsletter, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.