Any attorney? Or a healthcare attorney?
We hear it all the time, usually when things have already gone sideways. "I had my business/contract/real estate attorney review my agreement." Or, "Well, I skimmed the agreement and it seemed ok, so I just signed it." And the worst of all - "I just pulled a template off the internet."
Healthcare has now surpassed nuclear power and financial services as the most highly regulated industry in the U.S. - and for good reason. The health, safety, and privacy of individual patients and the public at large is at stake. So is the health of our economy. Healthcare costs account for nearly one-fifth of the U.S. GDP, and unchecked, these costs could be devastating to the country.
For better or for worse, there exists a complex web of local, state, and federal laws and regulations that govern the businesses of healthcare providers and healthcare companies - from patient safety and privacy protections, to corporate transactions and contractual relationships. Navigating this complicated landscape requires a deep understanding of the risks and opportunities inherent in the healthcare industry—namely, it requires an experienced healthcare attorney.
We often explain to clients that business arrangements that make perfect sense in most industries can quite literally land you in jail if you’re in the healthcare industry. Failure to adhere to regulatory compliance requirements can result in extraordinary fines and enforcement actions that can destroy a healthcare company in the blink of an eye. Below, we shed some light on trouble that can be averted by hiring an experienced healthcare attorney.
Healthcare Fraud and Abuse Laws
General corporate, contract, or business attorneys typically lack a full understanding of the healthcare fraud and abuse laws. These include state physician self-referral and fee splitting laws, and the federal False Claims Act (FCA), Civil Monetary Penalties Law (CMPL), the Exclusion Authorities, and the Anti-Kickback Statute (AKS). One or more of these laws may be implicated in even the simplest business arrangements involving healthcare providers—for example, a physician renting office space in a building owned by other healthcare providers.
The following is an example of a business arrangement involving healthcare providers that appeared to make smart business sense to a general corporate attorney who reviewed the deal, but which ran afoul of the fraud and abuse laws, exposing both parties to significant risk.
The physician owners of a medical practice decided to expand their practice by employing a number of new physicians. The non-physician parents of the practice owners happen to own a clinical laboratory. The physicians want to incentivize their employed physicians to utilize that clinical lab by offering annual bonuses based in part on the volume of lab specimens they send to that lab. While such an incentive arrangement is common in the general business world, it is absolutely illegal - and, in fact, a criminal offense - in the healthcare industry. Any business arrangement that involves perceived incentives from one party to another for the provision of reimbursable healthcare services should be viewed through the lens of the fraud and abuse laws, and analyzed accordingly by an experienced healthcare lawyer.
Corporate Practice of Medicine
Many entrepreneurs come to us having already created their formal business entity on their own. Especially for single-owner companies, this process is quick, easy, and inexpensive. However, for those forming companies that will be providing medical care, failing to take into account the Corporate Practice of Medicine (CPoM) Doctrine can create major risk and expense. The CPoM Doctrine was developed by the American Medical Association (“AMA”), and its purpose is to make sure that decisions regarding patient care and the practice of medicine are made by physicians, rather than corporations or their shareholders. In states that follow the CPoM Doctrine, unlicensed persons or entities may not practice medicine or interfere with a licensed healthcare provider’s clinical judgment. Practically, this means that, in some states, an unlicensed individual or entity is not permitted to own a medical practice. Creating a business entity without understanding a particular state's requirements under the Doctrine may mean having to unwind the business and starting over as a new entity, while potentially being subject to monetary penalties associated with the former entity.
For example, a physician and her non-physician spouse start a telehealth company, with the goal of expanding into numerous states over the coming years. They are bootstrapping this new company and want to keep expenses low, so they go to Legal Zoom and pull up template documents to form a corporate entity in California, completing and filing the documents with the State with the two of them as co-owners. Unfortunately, what Legal Zoom didn't tell them was that, under California law, a non-physician may not have an ownership interest in a practice providing healthcare services. So, the entity they had formed and were operating as a telehealth practice ran afoul of the Corporate Practice of Medicine Doctrine in California. The result, once the issue was discovered by a healthcare attorney brought in on another issue? A costly and burdensome unwind and subsequent creation of a new corporate structure that complied with California law and gave them the flexibility to expand into other states and seek investment from non-physician investors for that expansion.
Healthcare Data Privacy and Security
These days, it’s rare to encounter a healthcare provider or digital health company founder that hasn’t heard of the Health Insurance Portability and Accountability Act (HIPAA), first passed in 1996. More recently, the EU’s General Data Protection Regulation (GDPR) went into effect, imposing additional requirements on medical practices, hospitals, health IT and digital health companies that control and process healthcare data belonging to EU data subjects. As healthcare data breaches are becoming more prevalent in the news, and government fines for breaches are increasing, savvy entrepreneurs and business leaders in healthcare are, as a general matter, devoting more resources to ensuring that they are adequately protecting the privacy and security of their patients’ and customers’ data.
What they often don't realize is that HIPAA's requirements are actually quite complex. The nature of the data they use, maintain, and disclose, the parties to and between whom the data flows, and how federal, state, and international law regarding healthcare data isprotected are all critical considerations to take into account as part of a data privacy and security analysis.
One of the most common misconceptions for our digital healthcare clients—even those most mature clients—is that stripping the healthcare-related content (i.e., diagnoses, medications, treatment plans) from an individual’s records means that the records are no longer subject to HIPAA. This is certainly understandable from an intuitive standpoint, but it is incorrect under the statute. Such misunderstandings expose clients to unnecessary contractual and regulatory risks.
We’ve also had clients in the healthcare technology space who come to us after they’ve built their system’s infrastructure, only to find out that it’s not compatible with the security controls required to comply with federal and international regulations. Believe us – it is not a pleasant experience to deliver such news to a client, and it’s even less pleasant for that client to inform their Board and investors of the mistake.
Another common misperception is that the template HIPAA Business Associate Agreements (BAAs) you can find on the internet are a one-size-fits-all, fill-in-the-blank solution. (Spoiler alert: they are typically one-size-fits-none.) For instance, a BAA between a hospital and its EMR vendor will look completely different from the BAA between the EMR vendor and its cloud storage provider. The data flow in a particular arrangement really matters in drafting or reviewing a BAA, and using a template document that doesn't accurately contemplate that arrangement can leave your company exposed to serious risk.
Getting it right the first time
There are certainly situations where the expertise of a specific type of attorney is relevant to a matter in the healthcare industry. For example, we frequently affiliate with patent/intellectual property attorneys to help protect our healthcare clients' IP, and we often work with real estate attorneys when helping a client negotiate a lease. There may also be situations in the healthcare industry in which calling on a general business attorney for assistance is perfectly appropriate. But more often than not, there are nuances in the laws and regulations governing healthcare that attorneys who do not focus in healthcare simply don't realize exist. Unfortunately, as healthcare lawyers, we frequently find ourselves in the position of having to undo or fix something that a client has mistakenly put in place, either with the guidance of a well-meaning attorney without healthcare expertise, or with the "guidance" obtained through an internet search. These mistakes are costly from both a financial and a risk perspective. Our goal is to help all of our clients get it right the first time, creating a strong foundation for compliance from the outset. Contact us to learn more about how we can help you do the same.