Blessings in Disguise: Strategies to Uncover the Hidden
Opportunities for Healthcare Bankruptcies
On September 14, Carolyn "CJ" Johnsen (Member, Phoenix)
and Peter Domas (Of Counsel, Troy) will co-present this webinar on
leveraging opportunities with distressed healthcare entities. Key
takeaways include identifying risks and opportunities over the next
3 to 5 years facing healthcare entities, learning the strategies
available to distressed healthcare entities seeking to regain
sustainability, and understanding and mitigating risks unique to
acquiring distressed healthcare entities. The event will begin at
2:00 EDT. Register at here.
Where is your PHI Data Traveling Today?
by Craig A. Phillips, MemberGrand Rapids Office
616.336.1030
cphillips@dickinsonwright.com
With most vendors offering and pushing cloud computing solutions
and offsite data backup, or guaranteeing offsite backup of data
they process for you, many HIPAA covered entities and business
associates are questioning whether and how they can take advantage
of cloud computing while complying with regulations protecting the
privacy and security of electronic protected health information. At
the same time, the rise of offshore IT services, including
distributed storage, by cloud data providers creates issues that
most healthcare providers have not yet realized. Even if some of
the issues are realized, many covered entities and their business
associates do not know where their data is currently being
processed, stored, or backed up. In fact, storage or processing of
personal health information ("PHI") overseas may or may
not be permitted or at least require additional resources, such as
additional or more detailed risk assessments.
There currently are no federal regulations or statutes that prevent
storing or processing PHI offshore or overseas; however, the
Centers for Medicare and Medicaid Services ("CMS"), the
U.S. Department of Health and Human Services ("HHS"), and
the U.S. Office of Civil Rights ("OCR") within the HHS,
have all issued regulations or provided guidance that restrict
storing or processing PHI offshore. In addition, there are four
states that ban any Medicaid data from being stored or processed
overseas (Arizona, Alaska, Ohio and Wisconsin), two more that only
allow offshore contracts under extremely limited circumstances, and
nine more that have specific requirements that must be met before
any offshore processing or storage of Medicaid data is allowed.
Even if a healthcare provider is not located in one of the above
states, if the provider has treated a patient of those states,
state regulators may argue that the healthcare provider must comply
with their laws, regulations, and guidance, as applied to the
resident of their state. Even more concerning is that even though
Delaware does not have any laws or statutes banning offshore
processing or data storage, Delaware recently started adding
provisions to all of their contracts (similar to Wisconsin) that
the State (Delaware) will not permit project work to be done
offshore. There may be additional states adding these prohibitions
to their contracts in the future.
If extra regulatory burden and potential state law bans were not
enough by themselves, any PHI stored offshore likely will be
subject to local law of the country in which it is stored.
Furthermore, these local laws may allow for actions or even access
to the data that directly conflicts with requirements on healthcare
providers under HIPAA/HITECH, even if the vendor signed a BAA. Due
to the issues in enforcing HIPAA and HITECH, and even a BAA against
an overseas vendor, HHS has basically stated that it is the duty of
the healthcare provider or vendor for deciding how to vet data
services vendors and comply with expected additional requirements
when conducting a risk assessment on overseas providers.
At this point, most healthcare providers question if any offshore
or offsite data storage or processing is worth any potential cost
savings, or if OCR has any further guidance. In the fall of 2016,
OCR prepared guidance that explained how federal health information
privacy and data security rules apply to cloud services. In
summary, this guidance helped data service companies, but at the
expense of covered entities by primarily placing the burden on the
covered entities, specifically hospitals, insurers, doctors, and
other healthcare providers. In looking at data service vendors, OCR
decided that data service subcontractors of the covered
entities' business associates are actually business
associations of the business associates. According to the OCR,
covered entities must assess the cloud services providers' or
offshore providers' data security efforts, but HIPAA does not
require the cloud services providers to allow covered entities
audit them. As such, covered entities are required to determine how
well a cloud services provider handles system reliability, data
security, and data backup and recovery, without the ability to
perform an audit. While this is problematic when dealing with
domestic cloud service providers, it creates additional issues when
dealing with overseas cloud service providers.
While OCR allows use of overseas providers, as of right now the
rules of HIPAA and HITECH fail to address any international
aspects, leaving no requirements but also no protections for
covered entities. If you select a domestic provider, the laws and
regulations regarding PHI apply to both parties, but if an overseas
provider is selected, HIPAA and HITECH will not apply, unless they
contractually agreed to comply with such laws and regulations. If
there is a breach and the overseas provider refuses to defend
against or pay any fines or fees levied related to the breach, the
covered entity may be liable for paying. It is also important to
note that while an international provider may agree to sign a BAA,
many international providers do not understand the requirements of
HIPAA and HITECH, while most domestic providers have a greater
understanding.
Even if you know where the company with whom you are contracting
is located, do you know where they send the backup data? Do they
send data for processing or backup to other agents, subcontractors,
vendors, or other data providers overseas? You may not realize your
data is regularly taking international trips, and may be better
traveled than you are. In addition, if a relationship is terminated
with an international provider, how will you ensure that the data
is wiped from the system? Healthcare providers generally must
require a certificate of destruction when terminating data
services, and will you be able to comply with this provision with
an offshore provider?
In contract with cloud service providers, including backup
providers, e-mail providers, and other processing entities, covered
entities and their BAAs must determine where their data is located,
and if it is offshore, they must analyze if any of the information
is prohibited from being exported by any state or local
regulations. If not, next it must be determined if there is an
extra compliance burden associated with the data being offshore,
and if that extra compliance burden and the associated risk of
being offshore are worth any cost savings by using the offshore
provider. If an entity knows that some of its data may be banned
from being exported overseas, or would raise too much risk or
compliance burden, then language banning such exports should be
placed in the agreements, including any BAAs.
High Court Unanimously Upholds ERISA Exemption For Church-Affiliated Pension Plans
by Kimberly J. Ruppel , Member
Troy Office
248.433.7291
kruppel@dickinsonwright.com
Advocate Health Care Network et al v. Stapleton et al, 581 U.S. __ (2017)
In one of the recent opinions rendered by the United States Supreme Court, it was found that pension plans maintained by religiously affiliated pension plan committees were exempt from certain provisions of the Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1001, et seq. (as amended) ("ERISA").
Why is this of interest? ERISA obligates employers to follow a set of rules designed to ensure plan solvency and protect plan participants. Some of these rules, particularly rules regarding pension plan design and funding, may seem more burdensome to employers than protective of employees. The outcome of this case was a blow to those seeking to hold church affiliated hospitals accountable to the same ERISA requirements as their secular counterparts.
The original ERISA statute provided an exemption for
"church plans", defined as "a plan established and
maintained . . . for its employees . . . by a church." 29
U.S.C. §1002(33)(A). Congress amended the statute in 1980 in
part to add a section that formed the basis of the dispute before
the Court as follows: "A plan established and maintained . . .
by a church . . . includes a plan maintained by an organization . .
the principal purpose . . . of which is the administration of
funding of [such] plan . . . for the employees of a church . . . ,
if such organization is controlled by or associated with a
church." 29 U.S.C. §1002(33)(C)(i). The Court condensed
this description as a plan maintained by a "principal purpose
organization".
For decades, the IRS, Department of Labor and the Pension Benefit
Guaranty Corporation, which are the three federal agencies
responsible for administering ERISA, have read the two definitional
sections together and allowed pension plans of church affiliated
hospitals, such as the parties in these three consolidated
disputes, to be exempt from ERISA.
Recently, three separate class actions were filed by current and
former hospital employees to challenge their employers' pension
plan exempt status. The Courts of Appeals for the Third, Seventh
and Ninth Circuits agreed with the employees' argument that a
pension plan must be established by a church to be exempt. The High
Court granted certiorari in these similar disputes to
resolve the question of whether a church affiliated hospital
employee benefit plan that was maintained by internal benefit
committees but not established by a church
satisfied the exemption definition.
In the opinion, Justice Kagan explained that the use of the word
"include" in the amended definition indicated that a
different type of plan should receive the same exemption benefit as
the original definition. Accordingly, since Congress deemed the
category of plans "established and maintained by a
church" to "include" plans maintained by a principal
purpose organization, all such plans are exempt from ERISA's
requirements.
It is important to note that hospital plans may still be subject to
attack under state law theories of liability with respect to
allegations of underfunding or other irregularities. However,
church based hospital plans, maintained by an internal benefit
committee but not established by a church such as those in these
consolidated disputes remain exempt from ERISA's funding
reporting and design requirements.
Recent Case Serves as Reminder to Take Care in Structuring Sales of Physician Practices
by Ralph Levy, Of CounselNashville Office
615.620.1733
rlevy@dickinsonwright.com
Over the past few years, hospitals, health systems and practice
management companies have increased their efforts to acquire
physician practices. Moreover, physician groups are increasingly
interested in selling their practices to these interested
purchasers. The primary reasons for this trend are varied but in
general are prompted by an increased focus on the delivery of
medicine in a seamless integrated system by all healthcare
providers.
For physicians or other healthcare providers that are considering
practice sales, care should be taken in structuring the sale to
minimize the federal taxes payable as a result of the sale. In
general, there are two choices to structure the practice sale:
- Stock sale - Under this sale structure, which works only if the practice is incorporated, the physicians sell stock in their professional corporation or professional association to the interested purchaser
- Asset sale - Under this sale method, the practice itself sells its tangible and intangible assets to the purchaser
In addition to these two choices, the sale can be structured as
a hybrid using a combination of these sales methods. A final and
much less common option would be for a portion of the sale
consideration to be paid by the purchaser to one or more selling
physicians and characterized as a sale of personal goodwill.
For both tax and non-tax reasons, from the seller(s)'
perspective, the preferential method for a practice sale would be
Option 1 (sale of stock). Under present tax law, a stock sale
generates capital gains to the selling physicians. For physician
practices organized as "C" corporations, the tax savings
from a stock sale as opposed to an asset sale are much greater due
to federal taxes that will be payable by the incorporated practice
and by its shareholders on liquidation of the corporation and the
resulting distribution of the net after tax proceeds of the
sale.
In addition to taking care in structuring the sale using these
available options, physicians should make certain that the sale
documents accurately reflect the structure agreed to by the
seller(s) and the buyer. This latter issue was addressed in a
recent Fifth Circuit Court of Appeals case in which the sellers of
a business tried to restructure the sale when they became unhappy
with the tax consequences that arose from the sale under the
documents that they had executed. In Makric Enterprises,
Incorporated v. Comm'r, 119 AFTR 2d ¶2017-580 (5th
Cir. 2017), the Court of Appeals for the Fifth Circuit affirmed a
finding of the Tax Court that no mutual mistake was made in the
sale of a closely held company's stock that would require a
reformation of the transaction. At issue was whether a sale of
stock owned by a holding company in its wholly owned subsidiary
should be recharacterized as a sale by the holding company's
shareholders of their stock in the holding company. The
shareholders contended that they believed that they were selling
stock in the holding company; however, the sale documents indicated
otherwise. The Fifth Circuit rejected the taxpayer's argument
on appeal that there was a mutual mistake in the sale documents
that would require reformation of the sale structure in the manner
sought by the taxpayer.
The lesson to be learned from the Makric decision is that
even if physicians who are contemplating a sale of their practice
group decide after consultation with their advisors that a sale
should be structured in a certain way to minimize federal tax
consequences, they should carefully review the sale documents to
verify that the documents accurately reflect the desired structure
of the sale.
Although the tax differences of the various sale options will
decrease if tax reform is enacted as has been proposed by President
Trump, this tax legislation will reduce but not eliminate the tax
differences from the two different sale options.
Moreover, state law (for example, in those states that have the
so-called "corporate practice of medicine" doctrine) may
drive how practice sales can be legally structured in which case,
the legal aspects of the sale may limit the options to structure
the sale. As a result, in those states, the asset sale structure
may be the only option. If so, the asset sale will generally result
in a higher tax bite against the sale proceeds.
This article appeared in the March/April 2017 issue of the
Journal of Health Care Compliance and is being reproduced here with
permission. Additional information about this publication can be
found at https://lrus.wolterskluwer.com/store/products/journal-health-care-compliance-prod-000000000010029001/internet-item-1-000000000010029001
Keeping Pace in Clinical Research: The Common Rule Picks up Speed
by Billee Lightvoet Ward, Esq., Of CounselGrand Rapids Office
616.336.1008
bward@dickinsonwright.com
In recent years, the world of human subjects research has expanded not only with regard to the number of clinical research trials being conducted and the array of drugs and devices being tested, but also with respect to the technology employed to conduct the research and the nature of the research itself. As one example, increasing reliance on repositories of human biospecimens or individually identifiable health information has changed the research landscape and the associated risks and benefits. Until recently, applicable federal regulations have failed to keep pace.
The Common Rule
Despite the expansion and modernization of clinical research, the principle federal regulations governing protection of human subjects and ethical conduct in federally supported clinical research (the Federal Policy for the Protection of Human Subjects, generally known as the "Common Rule"), have remained largely unchanged since they went into effect in 1991. However, on September 8, 2015, sixteen federal agencies issued a Notice of Proposed Rulemaking (the "NPRM") with the intent of clarifying the regulations and making them less burdensome on the research community while maintaining protections for clinical trial participants. The NPRM was in follow-up to an Advance Notice of Proposed Rulemaking issued in 2011 which solicited public comment on the notion of updating the Common Rule. On January 19, 2017, after fielding over 2100 comments on the NPRM, the agencies issued a final rule approving long-awaited updates to the Common Rule (referred to herein as the "Final Rule") to be effective, with limited exception, on January 19, 2018.
Key Updates
Below is a summary of some of the key changes contained in the
Final Rule.
Definitions. The Final Rule updates certain
definitions that existed under the Common Rule and adds others.
Although various changes that were proposed under the NPRM were
included in the Final Rule, there were several proposed changes the
agencies declined to adopt. One notable example was the
agencies' refusal to change the definition of "human
subject" to include "non-identifiable biospecimens."
Such a change would've been a significant departure from the
Common Rule and would've had the effect of requiring informed
consent for research on non-identifiable biospecimens. As it
stands, and will remain under the Final Rule, informed consent is
not required for secondary research involving non-identifiable
biospecimens.
Consent. The Final Rule updates various provisions
relating to informed consent in the clinical research setting
including the following:
- To ensure that potential research subjects are informed of the information they need to make an educated decision about whether or not to participate in a research trial, the informed consent form must now contain a concise summary of key information relating to the research (including the purpose(s), risks, benefits, alternatives, and other information required to be addressed in more detail throughout the form) at the beginning of the form.
- The Final Rule adds the following four elements to the existing informed consent requirements: (i) whether biospecimens collected as part of the research will be used or distributed for future research; (ii) whether specific technology determined to be capable of generating identifiable information or identifiable biospecimens will be used; (iii) a statement that biospecimens may be used for commercial profit and whether the subject will share in such profit; and (iv) whether clinically relevant research results will be disclosed to subjects.
- Under the Final Rule, researchers may obtain a broad consent to store, maintain and use identifiable data or biospecimens. There are various requirements and caveats associated with these provisions, but they afford researchers greater flexibility with respect to informed consent for certain future research. As outlined above, consent is not required to conduct secondary research using non-identifiable biospecimens.
- Consent forms for certain federally-funded trials must be posted on a public website (to be created) at any time after the study is closed to recruitment, but no later than 60 days after the last study visit of any study subject.
Oversight. The Final Rule makes various changes relating to IRB oversight of human subjects research including the following:
- Multi-site research studies ("cooperative studies") must be reviewed by a single IRB unless review by multiple IRBs is required by law. This is a significant change to the Common Rule as it previously existed and, given the practical complexities involved in implementing this change, the effective date for compliance is delayed until January 19, 2020.
- The Final Rule relaxes the requirements for IRB oversight in relation to "low-risk" studies in several ways. First, the Final Rule revises and expands the Common Rule's previously existing concept of "exempt" research. Additionally, during the standard of care follow-up and data analysis phases of clinical studies when research subjects are no longer at risk, continued IRB oversight and review is no longer required. Finally, unless otherwise required by the IRB or requested by the researcher, studies under expedited review do not require continued IRB review and oversight.
Compliance
Researchers, institutions and IRBs should ready themselves to comply with the Final Rule as of January 19, 2018. Compliance efforts should include revising policies, procedures and forms, and educating research staff on the new requirements. Clinical studies that have been approved or determined to be exempt prior to January 19, 2018 may continue to operate under the Common Rule as it currently exists, but research institutions may choose to apply the Final Rule to such research through a formal determination with the responsible IRB.
If you would like a printable version of this Healthcare Newsletter, click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.