Health Law Informer

On April 6, 2015, the Centers for Medicare & Medicaid Services (“CMS”) released a proposed rule that would extend provisions of the Mental Health Parity and Addiction Equity Act of 2008 (the “Mental Health Parity Act”) to Medicaid managed care organizations (“MCOs”) and the Children’s Health Insurance Program (“CHIP”). The Mental Health Parity Act requires health plans that provide mental health and substance abuse disorder benefits to ensure that any financial requirements (e.g., co-pays, deductibles) and treatment limitations (e.g., limitations on visits) applicable to those benefits are no more restrictive than the requirements or limitations applied to medical/surgical benefits. The proposed rule was published in the Federal Register on April 10, 2015 at 80 Federal Register 19418. (Proposed rule). Comments to the proposed rule are due on June 9, 2015.

The proposed rule was drafted to ensure that all Medicaid beneficiaries who receive benefits through MCOs or under alternative benefit plans would have access to mental health and substance use disorders benefits regardless of whether they received those benefits through an MCO or another system. In addition, the proposed rule would also apply to CHIP, whether the care is provided through an MCO or a fee-for-service program.

Presently, a number of states that provide medical benefits through Medicaid MCOs carve out mental health and substance abuse services through other arrangements, which can include prepaid inpatient health plans (“PIHPs”), prepaid ambulatory health plans (“PAHPs”), or even fee-for-service. Under the proposed rule, states would continue to have flexibility in selecting different delivery systems to provide services to Medicaid beneficiaries, but would have to ensure that enrollees of a Medicaid MCOs receive the benefit of mental health and substance abuse parity when provided through these alternative models. States, for example, would be required under the proposed rule to include contract provisions requiring compliance with the Mental Health Parity Act in all applicable contracts with Medicaid MCOs and entities providing services through alternative arrangements such as PIHPs and PAHPs. Further, states would have to provide CMS with evidence of compliance with the Mental Health Parity Act in their provision of mental health and substance services to Medicaid beneficiaries.

In addition, the proposed rule would require Medicaid, MCOs, PIHPs, PAHPs and other alternative benefit plans to make their medical necessity criteria for mental health and substance abuse disorder benefits available to any enrollee or contracted provider upon request. Such Medicaid plans must also make available to enrollees the reason for any denial of reimbursement for services related to mental health and substance use disorder benefits.
For further information contact the author Gregory M. Fliszar (Philadelphia, PA) or other members of Cozen O’Connor’s healthcare team.

Health Law Informer Author

More Posts

Nearly four years after the Federal Trade Commission (“FTC”) first challenged the combination of the only two hospitals in Albany, Georgia, the FTC, Phoebe Putney Health Systems, Inc. (“Phoebe Putney”), Hospital Authority of Albany – Dougherty County (“Hospital Authority”) and HCA, Inc. (“HCA”) agreed to enter into a Consent Agreement. The FTC’s vote finalizing the Consent Agreement was 3-0-2, with Commissioners Joshua D. Wright and Terrell McSweeny not participating.  The Phoebe Putney litigation illustrates the challenges that the FTC and entities attempting to consummate a deal face in the merger process.  In Phoebe Putney, the FTC lost in two federal lower courts, won at the U.S. Supreme Court but ultimately was unable to unscramble a hospital merger that was found to be (1) anti-competitive and (2) a monopoly for inpatient general acute-care.

In addition to the Consent Agreement, a Statement was issued by Chairwoman Ramirez on March 31, 2015 summarizing the extensive procedural history of the litigation, the reasons the FTC challenged the merger, why the FTC did not require a divestiture and an explanation of the obligations that Phoebe Putney must meet under the Consent Agreement.  The March 31^st Statement may provide insights into the FTC’s strategies when challenging future hospital mergers.  As explained below in the practice pointers, we anticipate the FTC citing Phoebe Putney in support of their preliminary injunctions and also citing to state certificate of need [CON] laws as evidence of barriers to entry for hospital competitors.

By way of background, since 1890 federal laws have supported national policies in favor of competition.  In Parker v. Brown, a 1943 U.S. Supreme Court decision, the state action doctrine provided that state governments have immunity from federal antitrust laws when they authorize economic activity that normally would be anticompetitive and illegal.  In 1941, Albany, Georgia and surrounding Dougherty County set up the Hospital Authority.  The Hospital Authority acquired an existing hospital, Phoebe Putney Memorial Hospital.  Two miles away Palmyra Medical Center was operated separately by HCA, Inc., one of the largest health care providers in the United States.  Palmyra and Phoebe Putney merged with the Hospital Authority as the buyer of Palmyra with the funds coming from Phoebe Putney.  Palmyra hospital was leased to Putney for $1 a year.  The Hospital Authority approved the merger in December 2010 but was not involved in the merger talks or management of the hospital.

The FTC and the State of Georgia filed a preliminary injunction in federal court to block the transaction but the federal district judge held that the state action doctrine applied and refused to stop the merger.  The FTC appealed to the 11^th Circuit, which also found that the merger was insulated from antitrust inquiry under state action immunity concluding that harm to competition was the “foreseeable result” of the legislature’s establishment of the Hospital Authority.

The 11^th Circuit decision dissolved the injunction pending appeal and on December 15, 2011 the merger was finalized.  The FTC appealed the 11^th Circuit’s decision to the U.S. Supreme Court.  The two issues were: (1) whether the legislature had expressed its intentions clearly enough in allowing hospital proxies to operate in anti-competitive ways, and (2) whether the local hospital arrangement did not have immunity because the hospital authority had not played a large enough role in the merger.

The Supreme Court unanimously answered the first question, ruling that the state legislature had “not clearly articulated and affirmatively expressed a policy to allow hospital authorities to make acquisitions that substantially lessen competition.”  Following the Supreme Court decision, the FTC proceeded with the administrative litigation and proposed a 2013 consent agreement.  However, the 2013 consent agreement was withdrawn after a newly formed health care entity, North Albany Medical Center LLC, expressed interest in Palmyra hospital and sought clarification on Georgia’s CON laws.

In October 2014, the Georgia Department of Community Health (“DCH”) Hearing Officer issued a written finding that the CON laws would preclude Phoebe North from purchasing Palmyra since the Albany region was deemed “over-bedded.”  Given the DCH’s decision, the FTC determined that divestiture of Palmyra – Phoebe Putney was impossible.

The March 31^st Settlement is very similar to the one proposed in 2013.  The Settlement requires:

• Phoebe Putney and the Hospital Authority to notify the FTC in advance of acquiring any part of a hospital or a controlling interest in other health care providers in Albany for the next 10 years.
• Phoebe Putney and the Hospital Authority cannot object to regulatory applications made by potential new hospital providers in the same region for 5 years.
• Phoebe Putney and the Hospital Authority stipulate that the transaction was anti-competitive.

Practice Points:

• The FTC’s March 31^st Statement by Chairwoman Ramirez emphasizes the importance of the FTC and private plaintiffs in obtaining preliminary injunctive relief prior to a transaction closing. The health care industry should anticipate the FTC citing the Phoebe Putney case as supporting authority for why there will be irremediable harm if a hospital transaction closes before all appeals are exhausted.
• We also anticipate that the FTC will use the Phoebe Putney case in support of arguments that state CON laws are additional barriers for entry of potential competitors and should be significant factor when analyzing proposed mergers.

For further information contact the author Ryan P. Blaney (Washington, DC) or other members of Cozen O’Connor’s healthcare antitrust team, R. Christopher Raphaely (Philadelphia, PA), Melissa H. Maxman (Washington, DC) and Jonathan Grossman (Washington, DC).

Health Law Informer Author

More Posts

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17^th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

Health Law Informer Author

More Posts

In a historic bipartisan moment, the U.S. House of Representatives passed a nearly 300-page bill that is intended to “repeal the Medicare sustainable growth rate [“SGR”] and strengthen Medicare access by improving physician payments and making other improvements.” The legislation, titled the Medicare Access and CHIP Reauthorization Act of 2015, which is referred to as the Medicare “doc fix”, is the result of ongoing bipartisan efforts to resolve an unpopular physician reimbursement system that if not overridden each year would cut Medicare doctor’s pay by a notable percentage. The annual reimbursement cut would occur as required under the federal Balanced Budget Act of 1997 (the “BBA”), if not for the annual fixes set into motion by Congress. In a March 25, 2015 letter from the Congressional Budget Office (“CBO”) to House Speaker Boehner, the CBO explained that the BBA established the SGR formula “to ensure that real—that is, adjusted for inflation—spending per [Medicare] beneficiary for physicians’ services would grow on average at a rate of increase in gross domestic protect per capita minus the expected rate of increase in productivity for the economy as a whole.”

According to news outlets and press conferences, President Obama is ready to sign the bill once the Senate passes it. In the CBO’s letter to House Speaker Boehner, it estimated that this bill will increase:

• The federal budget deficits by $141 billion;
• Direct spending by approximately $145 billon; and
• Revenues by approximately $4 billion.

Under the Bill, Medicare’s payment rates for services on the physician fee schedule would increase by 0.5 percent a year for services furnished through 2019.  From 2019 through 2025 payments will remain the same but Medicare doctors will be eligible for merit-based bonus payments consistent with Medicare initiatives such as care models that shift away from fee for services.

Many expected the Bill to pass the Senate on Friday, March 27th but the Bill was not put up for a vote and Senate Minority Leader Harry Reid and Majority Leader Mitch McConnell said the bill will not get a vote until mid-April when the Senate returns from its recess.  CMS has provided notice that they will be able to hold payment for 14 calendar days to avoid a rate cut.

For further information contact Cozen O’Connor’s health care team.  We will continue to monitor and provide updates.

Health Law Informer Author

More Posts

The FDA released draft guidelines (“Guidelines”) on Monday, March 9, 2015 establishing recommendations on the use of e-media and processes to obtain informed consent for clinical investigations (trials) of medical products including human drug and biological products, medical devices and combinations. The Guidelines provide useful insight for how the FDA recommends clinical investigators, sponsors and institutional review boards (“IRB”) should use e-informed consent for a clinical trial.

The FDA defines e-informed consent as “using electronic systems and processes that may employ multiple electronic media (e.g., text, graphics, audio, video, podcasts and interactive Web sites, biological recognition devices, and card readers) to convey information related to the study and to obtain and document informed consent.” The FDA reminds clinical investigators and sponsors that informed consent is more than just a subject’s signature.  Informed consent – whether completed electronically or in paper form – includes providing prospective clinical trial participants with enough information regarding the research to enable them to make an informed decision regarding whether to participate in the study. The subjects must have “adequate information” about the research.  Clinical investigators and sponsors may use video conferencing (i.e. Skype) to answer a subject’s questions about the clinical trial.

The Guidelines also include a question and answer section containing 14 inquires such as:

• How information in an e-informed consent should be presented to subjects;
• How/where e-informed consent processes should be conducted; and
• How/when questions from subjects should be answered.

Similar to CMS and states recognizing the authenticity of e-signatures, this guidance demonstrates the FDA’s desire to digitize health care and respond to the increased patient access to clinical trials in states passing “right-to-try” bills.  Right-to-try bills generally permit doctors and terminally ill patients to negotiate directly with drug companies to obtain experimental drugs that have passed Phase-I trials. Stay tuned for a forthcoming Health Law Informer blog announcing the FDA’s release of the e-informed consent final guidelines, which clinical investigators, sponsors and IRBs will want to consider implementing.

For further information contact the Cozen O’Connor’s health care team or the authors Ryan P. Blaney (Washington, DC) and J. Nicole Martin (Philadelphia, PA).

Health Law Informer Author

More Posts

Non-profit hospitals, and other owners of tax exempt properties in Philadelphia, must certify as to their eligibility for continued property tax exemption with Philadelphia’s Office of Property Assessment (OPA) by March 31, 2015.  Click here to view a Tax Alert on this issue.  With its deep experience in state and local tax issues, Cozen O’Connor is ready to help affected organizations navigate the complexities of the certification process.

Health Law Informer Author

More Posts

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29^th and contacted the FBI, which has started an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”

Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers and it is likely that more suits will follow. In addition to the FBI’s investigation into attack, Attorney Generals in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at gfliszar@cozen.com.

Health Law Informer Author

More Posts

The New Year started out with a bang in the healthcare antitrust circles with ProMedica Health Systems Inc.’s (“ProMedica”) well-publicized petition to the US Supreme Court and the American Hospital Association’s (AHA) amicus brief in support of ProMedica.  ProMedica hopes that the Supreme Court will hear the case and overturn a Sixth Circuit ruling requiring ProMedica to divest St. Luke’s Hospital, a non-profit hospital in Toledo, Ohio.  As evidence of the complexity and the lengthy litigation challenges between ProMedica and the Federal Trade Commission (“FTC”) this merger occurred almost five years ago in 2010.  The FTC and the Ohio Attorney General had sued to dissolve the deal because they considered it anti-competitive; arguing that ProMedica would control 60% of the hospitals in the greater Toledo area. The FTC ordered ProMedica to divest St. Luke’s (21 HLR 467, 3/29/12).  The Sixth Circuit agreed with the FTC on the grounds that the merger would likely result in higher prices for payors and consumers and lead to unintended precedent for future hospital mergers.

ProMedica’s petition argues that this case is “a rare and uniquely apt vehicle for consideration of the [merger law] issues based on a fully-developed record.”  Hospital merger cases rarely are litigated through appeal and this case is an opportunity for the Supreme Court to clarify fundamental aspects of merger law nearly 40 years after the United States v. General Dynamics Corp., 415 U.S. 486 (1974) decision.  ProMedica argues that over the last 40 years confusion has developed over the FTC’s unilateral-effects theory and consolidation pressures have increased with the passage of the Affordable Care Act and other federal regulations.

ProMedica’s petition focuses on three merger law questions that the lower courts are divided on as the primary reasons why the Supreme Court should hear the case:

1. How the FTC defines relevant market product for a merger analysis and whether the FTC can base it on supply-side considerations. ProMedica argued that the FTC should have either analyzed hospital services market by market because one kind of surgery is not a substitute for another or the FTC should have considered all four levels of hospital services as a package-deal market.
2. Where the FTC relies exclusively on a unilateral-effects theory in challenging a merger may a court adopt a strong presumption of anti-competitive harm based solely on market-share statistics?
3. Can the FTC rely on market-share statistics to preclude consideration of the merger target’s financial weakness to rebut a presumption of harm based on market-share statistics in unilateral-effects cases?

The unilateral effects analysis is the degree to which the merging hospitals are substitutes for each other.  The higher the substitutability between two merging hospitals, the greater the competition among them and the greater the power.  Here, ProMedica argues that Mercy Hospital, not St. Luke’s, is the closest substitute in the Toledo area.

ProMedica received support from the American Hospital Association (“AHA”) on the third issue, the “weakened competitor” doctrine.  On January 21, 2015, AHA filed an amicus brief asking the US Supreme Court to review the Sixth Circuit decision and the lower court’s characterization that the “weakened competitor” argument is a “Hail Mary” that deserves credence only in rare situations.  AHA argues that the Sixth Circuit’s erosion of the “weakened competitor” doctrine leaves the “viability of many small and stand-alone hospitals in jeopardy.”  AHA also argues that there are conflicting interpretations by the lower courts on how to read the General Dynamics decision.  Clarity is needed from the Supreme Court especially in the context of health care mergers.  Hospitals should not have to wait until they are on the edge of bankruptcy to merge.  AHA believes that the Sixth Circuit errored when it did not apply the General Dynamics weakened competitor analysis to the ProMedica acquisition.

The case is ProMedica Health System Inc. v. Federal Trade Commission, case number 14-762, in the Supreme Court of the United States.  The FTC has until March 2, 2015 to file a response.  It is unknown when the Supreme Court will decide about hearing the case.

For further information contact Ryan P. Blaney, Washington, DC, at rblaney@cozen.com.

Health Law Informer Author

More Posts

Justice Clarence Thomas and a unanimous US Supreme Court decided to vacate a Sixth Circuit decision and hold that the federal courts cannot assume from silence in a union’s collective bargain agreement that retiree group health insurance benefits continue indefinitely.  The Supreme Court found that collective bargain agreements should be treated the same as other contracts when the principles are consistent with federal labor policy.

The Court rejected the UAW-Yard Man decision and accompanying long standing principle called the Yard-Man Rule which provided that in the absence of clear contractual language a collective bargain agreement vested retirees with lifetime benefits. The Supreme Court’s M&G Polymers v. Tackett USA decision is attached here.

Check back for more in-depth analysis and coverage on this decision and its impact on employee benefits litigation or feel free to contact Cozen O’Connor’s Health Law and Employee Benefits Teams.

Health Law Informer Author

More Posts

This month, Governor Chris Christie signed into law a New Jersey bill requiring health insurance carriers (e.g., insurance companies, health service corporations, hospital service corporations, medical service corporations, HMOs that issue health benefits plans in New Jersey) to encrypt or otherwise secure  computerized records of personal information (e.g., SSN, address, identifiable health information, driver’s license number) (“Bill”). The Bill provides an alternative to encryption if the carrier uses, a “method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” However, password protection for computer programs, which is commonly used in the industry, is inadequate under the Bill if “the program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.”

The Bill does not address the ramifications for insurance carriers that fail to adhere to its requirements. However, in a statement by the Bill’s sponsors, the lawmakers explained that health insurance carriers that violate the Bill would be subject to penalties under the New Jersey consumer fraud statute, such as a monetary penalty up to $10,000 for an initial offense, and no more than $20,000 for each subsequent offense(s). Lawmakers further explained that “a violation can result in cease and desist orders issued by the Attorney General and the awarding of treble damages and costs to the injured party.”

Interestingly, this Bill only applies to health insurance carriers and not to healthcare providers, such as hospitals or physician group practices. However, it is anticipated that New Jersey will follow the industry enforcement trend that although encryption is not technically required under HIPAA it is considered a “reasonable” technical safeguard and therefore becoming an industry standard best practice. The timing of the Bill is also interesting as President Obama and the Federal Government discuss potential Federal legislation on cybersecurity, student privacy, and a national breach standard.  Tune back in to the Health Law Informer for future blogs on these issues.

Health Law Informer Author

More Posts