United States: Healthcare Legal News: Volume 7, Number 2

Blessings in Disguise: Strategies to Uncover the Hidden Opportunities for Healthcare Bankruptcies

On September 14, Carolyn "CJ" Johnsen (Member, Phoenix) and Peter Domas (Of Counsel, Troy) will co-present this webinar on leveraging opportunities with distressed healthcare entities. Key takeaways include identifying risks and opportunities over the next 3 to 5 years facing healthcare entities, learning the strategies available to distressed healthcare entities seeking to regain sustainability, and understanding and mitigating risks unique to acquiring distressed healthcare entities. The event will begin at 2:00 EDT. Register at here.

Where is your PHI Data Traveling Today?

by Craig A. Phillips, Member
Grand Rapids Office
616.336.1030 
cphillips@dickinsonwright.com


With most vendors offering and pushing cloud computing solutions and offsite data backup, or guaranteeing offsite backup of data they process for you, many HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information. At the same time, the rise of offshore IT services, including distributed storage, by cloud data providers creates issues that most healthcare providers have not yet realized. Even if some of the issues are realized, many covered entities and their business associates do not know where their data is currently being processed, stored, or backed up. In fact, storage or processing of personal health information ("PHI") overseas may or may not be permitted or at least require additional resources, such as additional or more detailed risk assessments.

There currently are no federal regulations or statutes that prevent storing or processing PHI offshore or overseas; however, the Centers for Medicare and Medicaid Services ("CMS"), the U.S. Department of Health and Human Services ("HHS"), and the U.S. Office of Civil Rights ("OCR") within the HHS, have all issued regulations or provided guidance that restrict storing or processing PHI offshore. In addition, there are four states that ban any Medicaid data from being stored or processed overseas (Arizona, Alaska, Ohio and Wisconsin), two more that only allow offshore contracts under extremely limited circumstances, and nine more that have specific requirements that must be met before any offshore processing or storage of Medicaid data is allowed. Even if a healthcare provider is not located in one of the above states, if the provider has treated a patient of those states, state regulators may argue that the healthcare provider must comply with their laws, regulations, and guidance, as applied to the resident of their state. Even more concerning is that even though Delaware does not have any laws or statutes banning offshore processing or data storage, Delaware recently started adding provisions to all of their contracts (similar to Wisconsin) that the State (Delaware) will not permit project work to be done offshore. There may be additional states adding these prohibitions to their contracts in the future.

If extra regulatory burden and potential state law bans were not enough by themselves, any PHI stored offshore likely will be subject to local law of the country in which it is stored. Furthermore, these local laws may allow for actions or even access to the data that directly conflicts with requirements on healthcare providers under HIPAA/HITECH, even if the vendor signed a BAA. Due to the issues in enforcing HIPAA and HITECH, and even a BAA against an overseas vendor, HHS has basically stated that it is the duty of the healthcare provider or vendor for deciding how to vet data services vendors and comply with expected additional requirements when conducting a risk assessment on overseas providers.

At this point, most healthcare providers question if any offshore or offsite data storage or processing is worth any potential cost savings, or if OCR has any further guidance. In the fall of 2016, OCR prepared guidance that explained how federal health information privacy and data security rules apply to cloud services. In summary, this guidance helped data service companies, but at the expense of covered entities by primarily placing the burden on the covered entities, specifically hospitals, insurers, doctors, and other healthcare providers. In looking at data service vendors, OCR decided that data service subcontractors of the covered entities' business associates are actually business associations of the business associates. According to the OCR, covered entities must assess the cloud services providers' or offshore providers' data security efforts, but HIPAA does not require the cloud services providers to allow covered entities audit them. As such, covered entities are required to determine how well a cloud services provider handles system reliability, data security, and data backup and recovery, without the ability to perform an audit. While this is problematic when dealing with domestic cloud service providers, it creates additional issues when dealing with overseas cloud service providers.

While OCR allows use of overseas providers, as of right now the rules of HIPAA and HITECH fail to address any international aspects, leaving no requirements but also no protections for covered entities. If you select a domestic provider, the laws and regulations regarding PHI apply to both parties, but if an overseas provider is selected, HIPAA and HITECH will not apply, unless they contractually agreed to comply with such laws and regulations. If there is a breach and the overseas provider refuses to defend against or pay any fines or fees levied related to the breach, the covered entity may be liable for paying. It is also important to note that while an international provider may agree to sign a BAA, many international providers do not understand the requirements of HIPAA and HITECH, while most domestic providers have a greater understanding.

Even if you know where the company with whom you are contracting is located, do you know where they send the backup data? Do they send data for processing or backup to other agents, subcontractors, vendors, or other data providers overseas? You may not realize your data is regularly taking international trips, and may be better traveled than you are. In addition, if a relationship is terminated with an international provider, how will you ensure that the data is wiped from the system? Healthcare providers generally must require a certificate of destruction when terminating data services, and will you be able to comply with this provision with an offshore provider?

In contract with cloud service providers, including backup providers, e-mail providers, and other processing entities, covered entities and their BAAs must determine where their data is located, and if it is offshore, they must analyze if any of the information is prohibited from being exported by any state or local regulations. If not, next it must be determined if there is an extra compliance burden associated with the data being offshore, and if that extra compliance burden and the associated risk of being offshore are worth any cost savings by using the offshore provider. If an entity knows that some of its data may be banned from being exported overseas, or would raise too much risk or compliance burden, then language banning such exports should be placed in the agreements, including any BAAs.

High Court Unanimously Upholds ERISA Exemption For Church-Affiliated Pension Plans

by Kimberly J. Ruppel , Member
Troy Office
248.433.7291
kruppel@dickinsonwright.com

Advocate Health Care Network et al v. Stapleton et al, 581 U.S. __ (2017)

In one of the recent opinions rendered by the United States Supreme Court, it was found that pension plans maintained by religiously affiliated pension plan committees were exempt from certain provisions of the Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1001, et seq. (as amended) ("ERISA").

Why is this of interest? ERISA obligates employers to follow a set of rules designed to ensure plan solvency and protect plan participants. Some of these rules, particularly rules regarding pension plan design and funding, may seem more burdensome to employers than protective of employees. The outcome of this case was a blow to those seeking to hold church affiliated hospitals accountable to the same ERISA requirements as their secular counterparts.

The original ERISA statute provided an exemption for "church plans", defined as "a plan established and maintained . . . for its employees . . . by a church." 29 U.S.C. §1002(33)(A). Congress amended the statute in 1980 in part to add a section that formed the basis of the dispute before the Court as follows: "A plan established and maintained . . . by a church . . . includes a plan maintained by an organization . . the principal purpose . . . of which is the administration of funding of [such] plan . . . for the employees of a church . . . , if such organization is controlled by or associated with a church." 29 U.S.C. §1002(33)(C)(i). The Court condensed this description as a plan maintained by a "principal purpose organization".

For decades, the IRS, Department of Labor and the Pension Benefit Guaranty Corporation, which are the three federal agencies responsible for administering ERISA, have read the two definitional sections together and allowed pension plans of church affiliated hospitals, such as the parties in these three consolidated disputes, to be exempt from ERISA.

Recently, three separate class actions were filed by current and former hospital employees to challenge their employers' pension plan exempt status. The Courts of Appeals for the Third, Seventh and Ninth Circuits agreed with the employees' argument that a pension plan must be established by a church to be exempt. The High Court granted certiorari in these similar disputes to resolve the question of whether a church affiliated hospital employee benefit plan that was maintained by internal benefit committees but not established by a church satisfied the exemption definition.

In the opinion, Justice Kagan explained that the use of the word "include" in the amended definition indicated that a different type of plan should receive the same exemption benefit as the original definition. Accordingly, since Congress deemed the category of plans "established and maintained by a church" to "include" plans maintained by a principal purpose organization, all such plans are exempt from ERISA's requirements.

It is important to note that hospital plans may still be subject to attack under state law theories of liability with respect to allegations of underfunding or other irregularities. However, church based hospital plans, maintained by an internal benefit committee but not established by a church such as those in these consolidated disputes remain exempt from ERISA's funding reporting and design requirements.

Recent Case Serves as Reminder to Take Care in Structuring Sales of Physician Practices

by Ralph Levy, Of Counsel
Nashville Office
615.620.1733
rlevy@dickinsonwright.com


Over the past few years, hospitals, health systems and practice management companies have increased their efforts to acquire physician practices. Moreover, physician groups are increasingly interested in selling their practices to these interested purchasers. The primary reasons for this trend are varied but in general are prompted by an increased focus on the delivery of medicine in a seamless integrated system by all healthcare providers.
For physicians or other healthcare providers that are considering practice sales, care should be taken in structuring the sale to minimize the federal taxes payable as a result of the sale. In general, there are two choices to structure the practice sale:

  • Stock sale - Under this sale structure, which works only if the practice is incorporated, the physicians sell stock in their professional corporation or professional association to the interested purchaser
  • Asset sale - Under this sale method, the practice itself sells its tangible and intangible assets to the purchaser

In addition to these two choices, the sale can be structured as a hybrid using a combination of these sales methods. A final and much less common option would be for a portion of the sale consideration to be paid by the purchaser to one or more selling physicians and characterized as a sale of personal goodwill.

For both tax and non-tax reasons, from the seller(s)' perspective, the preferential method for a practice sale would be Option 1 (sale of stock). Under present tax law, a stock sale generates capital gains to the selling physicians. For physician practices organized as "C" corporations, the tax savings from a stock sale as opposed to an asset sale are much greater due to federal taxes that will be payable by the incorporated practice and by its shareholders on liquidation of the corporation and the resulting distribution of the net after tax proceeds of the sale.

In addition to taking care in structuring the sale using these available options, physicians should make certain that the sale documents accurately reflect the structure agreed to by the seller(s) and the buyer. This latter issue was addressed in a recent Fifth Circuit Court of Appeals case in which the sellers of a business tried to restructure the sale when they became unhappy with the tax consequences that arose from the sale under the documents that they had executed. In Makric Enterprises, Incorporated v. Comm'r, 119 AFTR 2d ¶2017-580 (5th Cir. 2017), the Court of Appeals for the Fifth Circuit affirmed a finding of the Tax Court that no mutual mistake was made in the sale of a closely held company's stock that would require a reformation of the transaction. At issue was whether a sale of stock owned by a holding company in its wholly owned subsidiary should be recharacterized as a sale by the holding company's shareholders of their stock in the holding company. The shareholders contended that they believed that they were selling stock in the holding company; however, the sale documents indicated otherwise. The Fifth Circuit rejected the taxpayer's argument on appeal that there was a mutual mistake in the sale documents that would require reformation of the sale structure in the manner sought by the taxpayer.

The lesson to be learned from the Makric decision is that even if physicians who are contemplating a sale of their practice group decide after consultation with their advisors that a sale should be structured in a certain way to minimize federal tax consequences, they should carefully review the sale documents to verify that the documents accurately reflect the desired structure of the sale.

Although the tax differences of the various sale options will decrease if tax reform is enacted as has been proposed by President Trump, this tax legislation will reduce but not eliminate the tax differences from the two different sale options.

Moreover, state law (for example, in those states that have the so-called "corporate practice of medicine" doctrine) may drive how practice sales can be legally structured in which case, the legal aspects of the sale may limit the options to structure the sale. As a result, in those states, the asset sale structure may be the only option. If so, the asset sale will generally result in a higher tax bite against the sale proceeds.

This article appeared in the March/April 2017 issue of the Journal of Health Care Compliance and is being reproduced here with permission. Additional information about this publication can be found at https://lrus.wolterskluwer.com/store/products/journal-health-care-compliance-prod-000000000010029001/internet-item-1-000000000010029001

Keeping Pace in Clinical Research: The Common Rule Picks up Speed

by Billee Lightvoet Ward, Esq., Of Counsel
Grand Rapids Office
616.336.1008
bward@dickinsonwright.com


In recent years, the world of human subjects research has expanded not only with regard to the number of clinical research trials being conducted and the array of drugs and devices being tested, but also with respect to the technology employed to conduct the research and the nature of the research itself. As one example, increasing reliance on repositories of human biospecimens or individually identifiable health information has changed the research landscape and the associated risks and benefits. Until recently, applicable federal regulations have failed to keep pace.

The Common Rule

Despite the expansion and modernization of clinical research, the principle federal regulations governing protection of human subjects and ethical conduct in federally supported clinical research (the Federal Policy for the Protection of Human Subjects, generally known as the "Common Rule"), have remained largely unchanged since they went into effect in 1991. However, on September 8, 2015, sixteen federal agencies issued a Notice of Proposed Rulemaking (the "NPRM") with the intent of clarifying the regulations and making them less burdensome on the research community while maintaining protections for clinical trial participants. The NPRM was in follow-up to an Advance Notice of Proposed Rulemaking issued in 2011 which solicited public comment on the notion of updating the Common Rule. On January 19, 2017, after fielding over 2100 comments on the NPRM, the agencies issued a final rule approving long-awaited updates to the Common Rule (referred to herein as the "Final Rule") to be effective, with limited exception, on January 19, 2018.

Key Updates

Below is a summary of some of the key changes contained in the Final Rule.

Definitions. The Final Rule updates certain definitions that existed under the Common Rule and adds others. Although various changes that were proposed under the NPRM were included in the Final Rule, there were several proposed changes the agencies declined to adopt. One notable example was the agencies' refusal to change the definition of "human subject" to include "non-identifiable biospecimens." Such a change would've been a significant departure from the Common Rule and would've had the effect of requiring informed consent for research on non-identifiable biospecimens. As it stands, and will remain under the Final Rule, informed consent is not required for secondary research involving non-identifiable biospecimens.

Consent. The Final Rule updates various provisions relating to informed consent in the clinical research setting including the following:

  1. To ensure that potential research subjects are informed of the information they need to make an educated decision about whether or not to participate in a research trial, the informed consent form must now contain a concise summary of key information relating to the research (including the purpose(s), risks, benefits, alternatives, and other information required to be addressed in more detail throughout the form) at the beginning of the form.
  2. The Final Rule adds the following four elements to the existing informed consent requirements: (i) whether biospecimens collected as part of the research will be used or distributed for future research; (ii) whether specific technology determined to be capable of generating identifiable information or identifiable biospecimens will be used; (iii) a statement that biospecimens may be used for commercial profit and whether the subject will share in such profit; and (iv) whether clinically relevant research results will be disclosed to subjects.
  3. Under the Final Rule, researchers may obtain a broad consent to store, maintain and use identifiable data or biospecimens. There are various requirements and caveats associated with these provisions, but they afford researchers greater flexibility with respect to informed consent for certain future research. As outlined above, consent is not required to conduct secondary research using non-identifiable biospecimens.
  4. Consent forms for certain federally-funded trials must be posted on a public website (to be created) at any time after the study is closed to recruitment, but no later than 60 days after the last study visit of any study subject.

Oversight. The Final Rule makes various changes relating to IRB oversight of human subjects research including the following:

  1. Multi-site research studies ("cooperative studies") must be reviewed by a single IRB unless review by multiple IRBs is required by law. This is a significant change to the Common Rule as it previously existed and, given the practical complexities involved in implementing this change, the effective date for compliance is delayed until January 19, 2020.
  2. The Final Rule relaxes the requirements for IRB oversight in relation to "low-risk" studies in several ways. First, the Final Rule revises and expands the Common Rule's previously existing concept of "exempt" research. Additionally, during the standard of care follow-up and data analysis phases of clinical studies when research subjects are no longer at risk, continued IRB oversight and review is no longer required. Finally, unless otherwise required by the IRB or requested by the researcher, studies under expedited review do not require continued IRB review and oversight.

Compliance

Researchers, institutions and IRBs should ready themselves to comply with the Final Rule as of January 19, 2018. Compliance efforts should include revising policies, procedures and forms, and educating research staff on the new requirements. Clinical studies that have been approved or determined to be exempt prior to January 19, 2018 may continue to operate under the Common Rule as it currently exists, but research institutions may choose to apply the Final Rule to such research through a formal determination with the responsible IRB.

If you would like a printable version of this Healthcare Newsletter, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Kimberly J. Ruppel
Ralph Levy, Jr.
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.