Dear Health Law Section Members:

The Section website has been updated with the June-July 2016 articles on significant developments in the health law arena that may be of interest to you in your practice. These summaries are presented to Section members for general information only and do not constitute legal advice from The Florida Bar, its Health Law Section, or the authors of these summaries. You will note that there are two summaries regarding the U.S. Supreme Court opinion in United Health Services v. United States ex rel. Escobar, No. 157, slip op. (U.S. June 16, 2016). Considering the significance of this opinion, we have chosen to publish both summaries.

HLS thanks the following volunteers who have generously donated their time to prepare these summaries for our members:

Lindsay Dosen, Esq.

Jaime B. Gelfman, Esq.

Matt Henderson, Esq.

Rodney Johnson, Esq.

Jeffrey Mustari, Esq.

Anelia Shaheed, Esq.

Michael L. Smith, Esq

Thank you.

Malinda Lugo, Esq.

Kimberly Sullivan, Esq.

Download copies of the June-July 2016 Updates at the following link:

June July 2016 Updates (PDF)

June July 2016 Updates (DOCX)

COMPLIANCE

Supreme Court Recognizes Implied Certification Theory of Liability Under the False Claims Act

On Thursday, June 16, 2016, the United States Supreme Court finally issued its decision as to whether it would recognize the validity of the implied certification theory of liability under the False Claims Act (“FCA”), in United Health Services v. United States ex rel. Escobar, No. 157, slip op. (U.S. June 16, 2016).

Under the implied certification theory, a party may be held liable for violating the FCA where that party has made a request for payment notwithstanding its noncompliance with applicable statutes, regulations or contract provisions that are material requisites to such payment. In other words, when a provider submits a claim for reimbursement, he or she is implicitly representing that no prerequisites for payment have been violated. As such, if a provider fails to disclose an underlying violation, the claim for reimbursement is rendered “false” under the FCA.

The precursor to Escobar was a result of a circuit split with respect to the application of the implied certification theory, as some circuits rejected the theory, holding that only express falsehoods can render a claim false or fraudulent, while other circuits adopted the theory, but applied the theory inconsistently. Specifically, with respect to the circuits that accept the theory, there is a differing in opinion as to whether a “condition of payment” must be expressly identified as such, or whether a statute, regulation or contractual provision can be “condition of payment” even if it does not state that payment is conditioned on compliance. See Petition for Writ of Certiorari at *3, Universal Health Servs., Inc.v. U.S., No. 15-7 (U.S. June 30, 2015), 2015 WL 4035937.

In Escobar, the Court reached a decision resolving the circuit split, holding that the implied certification theory of liability is a viable basis for imposing FCA liability. However, the Court held that the theory is only viable when two conditions are met: (1) the defendant, in requesting payment, makes specific representations about the goods or services provided, and (2) the defendant knowingly failed to disclose noncompliance with material statutory, regulatory, or contractual requirements, rendering those representations “misleading half-truths.” In other words, the noncompliance must be misleading and material to the Government’s decision to reimburse the claim.

The Court also noted that not every regulatory or contractual violation renders a claim false. Instead, the Court held that a statute, regulation or contract term must be a material prerequisite to payment, and a condition is not material merely because the plaintiff designates the condition as material. Instead, the plaintiff has the burden of affirmatively pleading facts to support allegations of materiality.

The Court’s decision has an enormous impact on future FCA cases going forward, as the ruling widens the scope of potential liability for defendants across the nation, especially as all circuits now have to accept and apply the theory. In addition, this most likely means that more FCA cases will survive motions to dismiss, given the factual inquiry that will be required in examining materiality.

Submitted by: Jamie B. Gelfman, Esq.

FRAUD & ABUSE

US Supreme Court Rules on Implied Certification FCA Case

On June 16, 2016, the US Supreme court reached a unanimous decision in a Medicaid implied certification False Claims Act (“FCA”) case, Universal Health Services, Inc. v. United States ex rel. Escobar. The Court confirmed that the implied certification theory is a valid theory of liability, which resolves a split among the federal circuit courts of appeal regarding the theory’s viability.

The implied certification theory is that a False Claims Act violation can occur for reasons beyond just making a false statement in a request to the government for payment or in the express language of a certification to the government. The implied certification theory means a party can potentially be liable simply for seeking government payment while knowingly violating a regulation or contract provision, regardless of whether there is an express certification of compliance with that standard. The concept focuses on the party impliedlycertifying that it is complying with all applicable laws, regulations and contractual provisions simply by seeking payment from the government.

The Court’s decision clarified the implied certification theory for FCA liability and specified two preconditions when applying the theory. The first precondition occurs when a party submits a claim for payment making specific representations about the goods or services provided. Next, the party fails to disclose non-compliance with material statutory, regulatory, or contractual requirements that make those representations misleading. The Court went on to specify that liability under the FCA for failing to disclose violations of legal requirements does not turn upon whether those requirements were expressly designated as conditions of payment.

In Escobar, aqui tam lawsuit under the FCA was filed alleging that improperly licensed or supervised staff members at a mental health clinic were treating a patient in violation of state health regulations and submitting requests for payment through Medicaid. The contention was that even though the provider did not expressly certify compliance with specific state health regulations in its requests for payment, the provider could still be liable under the FCA for impliedly certifying that it was following mental health service regulations within the state.

This case amplifies the careful measures that health care providers must take in today’s healthcare marketplace in order to minimize potential exposure for FCA violations. In fact, it only took six days for the U.S. Department of Justice to file its first Notice of Supplemental Authority in another pending FCA case explaining the Department’s official position as it relates to the “Escobar” decision and this expansion of potential FCA liability.

Read the full “Escobar” opinion here: https://www.supremecourt.gov/opinions/15pdf/15-7_a074.pdf

Submitted by: Jeffrey Mustari, Esq.

PROFESSIONAL AND FACILITY LICENSURE

1Licensed Health Care Clinic Liable for Medical Director’s Failure to Fulfill Statutory Duties

Health Care Clinics are liable for their Medical Director’s failure to fulfill their statutory duties. Allstate Ins. Co. et al. v. Vizcay, M.D., No. 14-13947 (11th Cir. June 23, 2016). The plaintiff insurance companies filed suit in the U.S. District Court for the Middle District of Florida alleging multiple claims against several licensed Health Care Clinics, and their medical director, Dr. Vizcay. The jury found the clinics liable to the insurance companies for fraud, negligent misrepresentation, and unjust enrichment because Dr. Vizcay failed to systematically review the clinics’ billings. Id. The trial court also granted the insurance companies declaratory relief removing any obligation the insurance companies had to pay outstanding claims for the time when the clinics were operating in violation of the Health Care Clinic Act. Id.

The clinics argued on appeal that the clinics could not be held liable when a medical director failed to fulfill the medical director’s statutory duties. The Court disagreed because under the Health Care Clinic Act, the medical director accepted legal responsibility for the medical director’s duties on behalf of the clinic. The Health Care Clinic Act requires medical directors to accept legal responsibility for specific duties enumerated in the Act on behalf of the licensed clinic. Section 400.9935(1), Fla. Stat. (2016).

Attorneys with licensed Health Care Clinic clients may want to remind their clients that the medical directors’ duties enumerated in the Health Care Clinic Act are not merely elements to include in the written contract. The medical director is required to fulfill those duties.

Submitted by Michael L. Smith, Esq.

In re Bayou Shores

A three-judge panel of the Florida 11th U.S. Circuit Court of Appeals ruled in July that a bankruptcy court does not have the requisite power to stop health officials from removing a Florida nursing home’s Medicare and Medicaid payments for allegedly violating patient-care regulations. In siding with the U.S. Department of Health and Human Services (“HHS”) and the Florida Agency for Health Care Administration (“AHCA”) in the case against Bayou Shores SNF LLC, a Florida nursing home operator (“Bayou Shores”), the court signaled that health officials ultimately have the power to cut off federal healthcare reimbursement in the face of alternative determinations by a bankruptcy court.

The background of the case is as follows: in 2014, state inspectors cited a Bayou Shores operated nursing home in St. Petersburg for certain violations including threats to patient health and safety and informed Bayou Shores that they were terminating Bayou Shores’ Medicare payments (and potentially termination of Medicaid payments among other licensure implications). Bayou Shores then filed for bankruptcy protection under Chapter 11 and requested that the bankruptcy court intervene to block the agencies from terminating such agreements. The bankruptcy judge indeed blocked the termination of the payments, which led HHS and AHCA to appeal to U.S. District Court, where the district judge ruled that the bankruptcy court did not have such jurisdiction. This prompted a further appeal by Bayou Shores to the 11 th U.S. Circuit Court of Appeals, where the aforementioned three-judge panel issued a detailed ruling on July 11, 2016 upholding the district court’s decision.  

The 11 th Circuit’s opinion (authored by Circuit Judge Clevenger) rules that HHS has been the body tasked by Congress with administering the Medicare Act and regulating Medicare providers such as Bayou Shores. The opinion articulates that the bankruptcy court, by blocking such termination of payments, impermissibly frustrated the statutory directive from Congress for HHS and AHCA to take such action, that can include termination of provider agreements, when there is evidence that the condition of a particular entity “immediately jeopardize(s) the health or safety of its residents.” Additionally, the court stated that bankruptcy courts are simply devoid of the “institutional competence or technical expertise of HHS” to oversee such a vast and complex program as Medicare or to address the issues of nursing home patients and reimbursement/licensure regulations of providers.

The decision can be read here: http://media.ca11.uscourts.gov/opinions/pub/files/201513731.pdf

Submitted by Matthew J. Friendly

HEALTH INFORMATION TECHNOLOGY AND PRIVACY

Ransomware and HIPAA- HHS Issues Guidance

Ransomware is a type of malicious software (or “malware”) that is used to hold a user’s data hostage until a ransom is paid. Although ransomware can take different forms, it typically encrypts the user’s data, with payment of the ransom resulting in delivery of the decryption key. As IT systems have become critical to healthcare, healthcare entities have become high profile targets for ransomware attacks. On July 11, 2016, the U.S. Department of Health and Human Services Office for Civil Rights issued guidance in a Fact Sheet titled “Ransomware and HIPAA.” According to the guidance, ransomware attacks are on the rise, with approximately 4,000 ransomware attacks each day since early 2016. The guidance, among other things, addresses whether the presence of ransomware results in a security incident and a breach under HIPAA.

Security Incident

The guidance clarifies that the presence of ransomware on a computer system of a covered entity or a business associate is a security incident under the HIPAA Security Rule, triggering initiation of an entity’s security incident procedures under 45 C.F.R. § 164.308(a)(6). With respect to a security incident response, the guidance directs users to NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, and provides that a response should begin with an initial analysis to determine the scope of the incident, its origination, whether it is finished, and how it occurred. The guidance also provides that subsequent incident activities should include containing the impact of the ransomware, eradication and mitigation of the ransomware, data recovery, deeper analysis (including regulatory, contractual, and other obligations), and incorporating lessons learned into the entity’s security management process.

Breach

The guidance provides that “whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.” The guidance clarifies, however, that when electronic PHI is encrypted by ransomware, a breach is presumed to have occurred because unauthorized individuals have taken control of the information, resulting in a “disclosure” that is not permitted under the HIPAA Privacy Rule. The presumption may be rebutted if the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised pursuant to a risk assessment that considers at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

  2. The unauthorized person who used the PHI or tom whom the disclosure was made;

  3. Whether the PHI was actually acquired or viewed; and

  4. The extent to which the risk to the PHI has been mitigated.

No such risk assessment is required, however, if the PHI is encrypted consistent with HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, because it would no longer be “unsecured PHI.” The guidance does clarify that even for encrypted PHI, additional analysis may be required because, for example, ransomware may be able to access the PHI in a decrypted format through an authenticated user, in which case it would again be “unsecured PHI.”

Submitted by Matt Henderson, Esq.

PUBLIC HEALTH

Public Health Competency Model: Version 1.0. PHLP’s competency model provides a framework for the knowledge, skills, and abilities expected of entry-level, supervisory, and executive-level public health practitioners in public health law. The model is for attorneys, public health practitioners, legal educators, and policy makers seeking a benchmark for satisfactory or exemplary public health law understanding and performance. For more information, please cut and paste the following link into your browser: http://www.cdc.gov/phlp/docs/phlcm-v1.pdf

2016 Public Health Law Conference. The Public Health Law Conference will take place September 15–17, 2016, in Washington, DC. The conference, hosted by the Network for Public Health Law, is for public health lawyers, practitioners, officials, policy makers, researchers, and advocates. Conference attendees will learn about laws and policies affecting critical public health issues, such as disease prevention, drug overdose, health data sharing, and access to care. Early bird registration ends August 16, 2016. A preliminary agenda is available now. For more information please copy and paste the following link into your browser: https://www.networkforphl.org/2016_conference/phlc16/

Electronic Health Record Toolkit. Through a collaboration with CDC’s Division for Healthcare Quality Promotion, the Association for State and Territorial Health Officials, and the Keystone Center, PHLP examined the use of law and legal tools to improve access to electronic health record (EHR) systems in healthcare facilities during outbreaks. This toolkit can help health department professionals work with healthcare facilities during outbreaks (including outbreaks of healthcare-associated infections) to secure access to EHR systems and facilitate outbreak investigations. For more information, please go to: http://www.astho.org/Toolkit/Improving-Access-to-EHRs-During-Outbreaks/

Vermont Governor Shumlin makes Vermont first state to require Rx drug price transparency. Vermont Biz (06/03/2016) For a link to the Vermont bill, which was signed into law by Vermont Governor Peter Shumlin, please copy and paste the following link:

http://legislature.vermont.gov/assets/Documents/2016/Docs/BILLS/S-0216/S-0216%20As%20Passed%20by%20Both%20House%20and%20Senate%20Official.pdf

Epinephrine Stocking Laws. In the United States, about 15 million Americans have food allergies; one in every 13 children has this potentially deadly condition. A food allergy reaction sends a patient to the emergency department every three minutes, totaling over 200,000 visits per year. Epinephrine is the first-line treatment for severe or life-threatening allergic reactions, or anaphylaxis. In recent years, a growing number of states have adopted epinephrine entity stocking laws. These laws allow authorized entities like restaurants, amusement parks and sports arenas to obtain and store auto-injectable epinephrine, or EpiPens, and administer the drug to individuals experiencing anaphylaxis. This issue brief and 50-State Survey examine epinephrine stocking laws across the U.S.. More information can be found at:

https://www.networkforphl.org/resources_collection/2016/05/18/778/issue_brief_epinephrine_entity_stocking_laws/?utm_source=Network+Report+5-26-16&utm_campaign=Network+Report+5-26-16&utm_medium=email&utm_content=214

Submitted by Rodney Johnson, Esq.

THIRD PARTY PAYORS

Cigna ordered to Pay $13M in decision regarding overpayment requests and denied claims.

In early June 2016, A Texas Federal judge issued a landmark decision in favor of a physician-owned hospital and ordered that more than 13 million in unpaid and/or denied claims by Cigna be paid by the insurer. This case, an initial ERISA matter which related to Cigna pursuing an overpayment demand based on alleged fraud in discounted charges and/or failure to collect patient responsibility ultimately led to Cigna bearing the burden of paying claims it failed to properly adjudicate pursuant to ERISA and state law.

This case marks one of the first decisions in which Cigna’s practice of ceasing to process any type of claim, from the date of the issuance of notice of a Special Investigations Unit audit to a provider, has been challenged and successfully litigated against with the court giving no credence to Cigna’s refusal to process claims when argued that evidence of fraud existed. Connecticut General Life Insurance Co. et al. v. Humble Surgical Hospital LLC, No.4:13-cv-03291, in the U.S. District Court for the Southern District of Texas.

A similar case, based on the same sets of facts and circumstances has recently settled in the U.S. District Court for the Southern District of Florida, TGWC Associates LLC v. CIGNA Health and Life Insurance Company et al, No.1:15-cv-2479.

Submitted by Anelia Shaheed, Esq.