New England Biz Law Update
Every business lawyer needs to know health law basics when representing health care clients or handling business transactions relating to health care. This article aims to provide a basic “checklist” for general business lawyers in Massachusetts of issues that commonly arise.
Business lawyers should be aware that health care is highly regulated — often in unexpected ways — under both federal and Massachusetts law. If you review a contract or advise on a transaction for a physician, or represent a high-tech startup in the health field, there may be significant health law issues.
Likewise, health law issues can arise when clinics or other health care providers buy, sell or market items or services, or provide or accept discounts, or engage in a variety of other transactions, or anytime a patient’s medical information is shared or conveyed, and these are just a few examples.
Licenses, permits and certifications
Generally, physical sites in Massachusetts where health care services are provided must be licensed (or specifically exempt from licensure). In addition, many health care providers must be licensed, permitted, accredited and/or certified by various governmental or private organizations, and are likely to be enrolled to participate in the Medicare and Medicaid (MassHealth in Massachusetts) programs.
Common mistakes made by lawyers who are not immersed in health care regulations include overlooking applicable licensure and certification requirements in the context of an acquisition. The regulatory “change of ownership” process can be complex and time-consuming, and can significantly impact the way transactions are structured and the timing of closing a deal.
In fact, many health care transactions are structured to limit the complexity of the regulatory process. For example, one common error is mistakenly believing that the sale of a health care business can permissibly include a sale, transfer or assignment of one or more licenses, permits, accreditations, certifications, or a Medicare or MassHealth provider number.
For the sake of convenience, or to avoid disruption in revenue, the acquiror or transferee may continue billing Medicare, MassHealth and/or commercial health plans using the seller’s license, permit, provider number, or even using the seller’s name, after the closing date.
However, review of each applicable license and permit is required to determine whether the applicable government agency requires an application for a new license, permit or certification, or whether advance approval or pre- or post-acquisition notice is otherwise required.
Medicare provider numbers, for instance, cannot be transferred. See, e.g., 42 C.F.R. §424.550(a). Attempting to sell them, or having a buyer use the seller’s provider numbers, can lead to regulatory violations, potential exposure to claims of insurance fraud, federal or state false claims act violations, and even criminal charges in extreme cases.
To avoid these pitfalls, it is essential to understand the applicable regulations regarding whether notice or approval is required, and the corresponding submission requirements. The submission of any inaccurate information (even if it might seem relatively unimportant) when securing a license, permit or enrollment can effectively “build in” compliance problems that taint all subsequent claims for payment that the applicant submits.
Determination of Need
In Massachusetts, certain projects involving health care facilities require advance approval through the commonwealth’s Determination of Need program, including for original licensure, transfer of ownership, or adding certain new services or equipment.
In addition to submission of a detailed application, the public is provided notice and an opportunity to comment.
The Determination of Need application process can be time-consuming, and an applicant must provide sufficient evidence that the proposed project “is superior to alternative and substitute methods” for meeting existing patient needs. See 105 CMR Chapter 100.000.
Health Policy Commission
Massachusetts has long been a leader in state-level health care policy, one outgrowth of which is the Massachusetts Health Policy Commission, an independent state agency that develops policy to reduce health care costs while improving the quality of patient care.
Pursuant to CMR Title 958, different types of Massachusetts health care providers and provider organizations must satisfy several requirements. For instance, at a high level the HPC requires the registration of provider organizations (a broadly defined term) that received $25 million in net patient service revenue in the prior year, as well as risk-bearing provider organizations (as defined in CMR Title 958).
In addition, under certain circumstances, providers and provider organizations must notify the HPC and state attorney general of any material change, which is defined broadly to include certain mergers, acquisitions, affiliations, joint ventures, partnerships and other arrangements.
Hospitals that meet threshold requirements with respect to assets and payor mix must pay a one-time assessment to the HPC, which money is then used to support health care reform efforts in Massachusetts and distressed hospitals.
The HPC can also require provider organizations to draft and implement a performance improvement plan if the provider organization is identified as “an entity whose increase in … medical expense is considered excessive and … threatens the ability of the state to meet the health care cost growth benchmark” established under G.L.c. 6D, §9.
Anti-kickback and fee-splitting laws
Subject to certain exceptions, both federal and Massachusetts laws prohibit any type of payments to or from physicians, and others, that are intended to induce or reward referrals, and prohibit fee-splitting by physicians and others (i.e., sharing part of their fees in exchange for referrals).
The closest cousin of the federal anti-kickback statute, 42 U.S.C. §1320a-7b(b), under Massachusetts law is G.L.c. 175H, §3, which makes it a felony to solicit or receive any remuneration, directly or indirectly, “for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering of any good, facility, service or item for which payment is or may be made in whole or in part by a health care insurer.”
Other statutes, located at G.L.c. 118E, §§36-46A, specifically apply to MassHealth and other Massachusetts public health benefit programs, and address various sources of liability related to health care fraud.
Parties accused of violating these laws could face civil monetary penalties, criminal prosecution, and/or exclusion from the Medicare and Medicaid programs — a death sentence for many health care facilities in today’s market.
Those prohibitions might not seem surprising. However, the way these statutes are applied is not always obvious. Unlike the federal anti-kickback statute, the Massachusetts law defines a “health care insurer” as “any insurance company authorized to provide health insurance in this state or any legal entity which is self-insured and providing health care benefits to its employees.”
This means that Massachusetts-based companies that choose to self-insure instead of using an insurance carrier are subject to liability under this statute.
These laws could also come into play when vendors offer discounts or rebates to physician practices or other health care providers or businesses in order to secure sales.
Likewise, typical “business courtesies,” such as taking a prospect out for a meal or for entertainment, or buying a birthday or holiday gift, can implicate these laws and pose grave risks to the parties involved if the parties do not understand where the lines are drawn in the health care field, even where such practices may be commonplace in other fields.
These laws also apply when online or e-health companies want to serve as intermediaries between members of the general public and a network of providers or practitioners. Given our booming biomedical and health care technology sectors, this is of particular concern to Massachusetts attorneys.
If online or e-health companies charge providers based on the volume or value of the patients secured through the online or e-health company that connected the patient with the provider, such charges potentially could be characterized as kickbacks to the e-health companies for referring patients or customers to the providers.
These laws also may be implicated if the online or e-health companies charge patients dues or subscription amounts in exchange for directing or referring them to practitioners or providers.
The health care regulatory scheme … is broad and deep, and often entails great complexity, especially for the uninitiated.
Physician self-referral laws
Physician self-referral laws have a similar purpose to that of the anti-kickback laws discussed above, but take a different conceptual approach.
Instead of prohibiting payments intended to induce or reward referrals, these laws disregard intent and instead take a “strict liability” approach — prohibiting all referrals by a physician for certain types of health care services if the physician (or any immediate family member of the physician) has a financial relationship (including ownership or compensation, whether direct or indirect) with the entity receiving the referral, unless an exception is available.
Further, the entity that receives prohibited referrals may not bill patients or payors for the resulting services.
The federal physician self-referral prohibition, 42 U.S.C. §1395nn, widely known as the “Stark Law” in reference to its sponsor, former U.S. Rep. Fortney “Pete” Stark, represents the main source of liability in this area, although Massachusetts has similar provisions in place that address the type of conduct contemplated by the Stark Law.
For example, Massachusetts enacted legislation in 2014 specifically to combat self-referral arrangements between clinical laboratories and individuals with direct or indirect ownership interests in such laboratories. G.L.c. 111D, §8.
The breadth of these self-referral laws means that the referral prohibition may apply whenever a physician has any financial relationship with a provider of clinical laboratory services, physical therapy, occupational therapy, radiology services, radiation therapy services and supplies, durable medical equipment and supplies, parenteral and enteral nutrients, equipment and supplies, prosthetics, orthotics, and prosthetic devices and supplies, home health services, outpatient prescription drugs, inpatient and outpatient hospital services, and outpatient speech-language pathology services.
If a business lawyer identifies any financial relationship between a physician (or any of the physician’s immediate family members) and a provider of any of these services, then care must be taken to ensure the arrangement fits neatly within an exception.
Somewhat counterintuitively, physician self-referral laws also apply to a physician’s “financial relationship” with his own medical practice. If the physician provides any of these services as part of his own medical practice, then the physician and the practice must navigate a detailed set of highly proscriptive rules to avoid violation of the applicable laws.
Corporate practice of medicine prohibition
Many states, including Massachusetts, prohibit a general business corporation from practicing medicine (as well as the practice of dentistry and certain other health care professions), which is generally referred to as the “corporate practice of medicine.”
The purpose of the prohibition is to ensure that commercial enterprises do not control or influence medical practices, and that commercial interests do not interfere with a medical professional’s independent judgment. See, e.g., McMurdo v. Getter (1937) 298 Mass. 363, 368 (holding that a licensed practitioner may not lawfully practice his profession “as the servant of an unlicensed person or a corporation,” noting the concern that a licensee’s “primary allegiance and obedience” would be to the employer, not patients).
However, under certain conditions, a licensed physician may practice medicine through certain types of entities, including professional corporations, limited liability companies, partnerships, nonprofit organizations, or similar organizations organized in other states (notably, general business corporations are not included in this list). 243 CMR 2.07(22); G.L.c. 156A §3 & G.L.c. 156C, §6.
These restrictions also do not prohibit a licensed physician from practicing as an employee of a licensed health care facility.
Many business models potentially implicate this prohibition, such as when online or e-health companies offer the general public access to a network of providers in exchange for fees, or when lay entities contract with health plans on behalf of providers.
Such arrangements could be viewed, depending on how they are structured, as the lay company impermissibly holding itself out as providing professional services or impermissibly profiting from the practice of medicine.
The economics of these arrangements can also come under scrutiny. For example, in the context of optometry, the Supreme Judicial Court of Massachusetts has stated that “fee sharing is seen as an indirect method an unlicensed person may attempt improperly to use to charge and collect fees for the practice of optometry.” Bronstein v. Board of Registration in Optometry (1988), 403 Mass. 621, 624.
Lawyers should carefully analyze financial terms of arrangements between lay entities and licensed physicians, and be wary of terms tantamount to the lay entity sharing in profits from the physician’s practice of medicine.
Patient privacy
Business lawyers are generally aware that various laws protect the privacy of a patient’s medical records, but are often surprised by the scope and reach of these laws.
The best known federal law governing this area is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).
These laws dictate when and how “covered entities,” as defined under HIPAA, must obtain signed authorizations from patients to release their health care information, and when such information can be used or disclosed without authorization. See 45 C.F.R. 164.506-164.514.
To comply with these laws, most health care providers (and their “business associates,” as discussed below) must implement reasonable and appropriate administrative, physical and technical safeguards to protect the security of such information.
HIPAA also requires health care providers to have privacy and security policies and procedures governing the handling of patient information.
Furthermore, covered entities must notify affected individuals, the U.S. Department of Health and Human Services, and, under certain circumstances, the media, following a “breach,” as defined under 45 C.F.R. 164.402.
This definition is broad, and examples that may constitute a breach (depending on the circumstances) include an unencrypted laptop containing a patient’s health information being lost or stolen, a letter with a patient’s health information being sent to the wrong address, or a workforce member posting a patient’s health information on social media.
Business lawyers should also note that additional requirements apply if a health care provider subject to HIPAA provides access to patient information to another person (including a law firm or the legal department of another organization), where the other person provides services on behalf of the provider as a “business associate,” as defined pursuant to 45 C.F.R. 160.103.
The health care provider must enter into a “business associate agreement” with the other party (see 45 C.F.R. 164.504(e)). Business associates themselves may also be held directly liable under HIPAA for failure to meet certain requirements. See, e.g., Section 13401 of HITECH.
Various Massachusetts laws also govern the disclosure of health information by health care providers. In some cases such laws are more stringent than HIPAA, and a preemption analysis is required to determine whether patient information may be used or disclosed.
For example, Massachusetts law is more restrictive regarding patient records maintained by substance abuse treatment facilities (as are federal regulations located at 42 C.F.R. Part 2). G.L.c. 111E, §18.
As another example, when addressing disclosure of a minor’s records to a personal representative, HIPAA references applicable state law. 45 C.F.R. §164.502(g); G.L.c. 112, §12F. A list of some of the key applicable laws in Massachusetts is provided here.
In addition, businesses must have a comprehensive information security program to protect a consumer’s personal information, which requires certain safeguards be in place at a minimum, including encryption of data, to the extent technically feasible. 201 CMR Chapter 17.00. Massachusetts also has a general breach notification law that requires reporting to affected residents and state regulators. G.L.c. 93H.
Summary
The health care regulatory scheme under Massachusetts and federal law is broad and deep, and often entails great complexity, especially for the uninitiated.
This complexity is aggravated by the fact that in numerous ways, Massachusetts and federal laws on the same topics are slightly different, and the requirements of both sets of laws must be satisfied.
Therefore, it is important to note that while this checklist is a high-level overview of some major issues for business attorneys working in the health care field to consider, it represents only the “tip of the iceberg” regarding the complexity of our health care system’s legal framework.
Amy M. Joseph and Jeremy D. Sherer practice in the Boston office of Hooper, Lundy & Bookman, which represents health care providers and suppliers. Charles B. Oppenheim is based in the firm’s Los Angeles office.
