Healthcare Regulatory Triumvirate: Only the Start

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

It should be well known and understood that the healthcare industry is subject to a variety of laws and regulations that can make operating in the space trickier than in other industries. To give both new and experienced individuals a taste of that complexity, three primary laws are often cited as the top priorities to keep in mind. Those three laws are: (i) the Stark Law, (ii) the Anti-Kickback Statute (AKS), and (iii) HIPAA. Most healthcare lawyers will start a discussion about impacts on a business with those laws because they can have arguably the broadest influence on what a business can or should do.

The Triumvirate

The Stark Law. Starting with the Stark Law and the AKS, those two laws are to a large degree complementary pieces. The Stark Law is a civil law that, starting from an overly simplified view, does not like referral relationships between providers. As a baseline, the Stark Law frowns upon a referral relationship if the physician making the referral has a financial relationship with the receiving entity. As noted, that is the starting point.

Now getting under the first layer or two, the Stark Law only applies to “designated health services” or “DHS,” which is a term specifically defined under the Stark Law. Generally speaking, designated health services cover a large swath of healthcare services that can be provided to patients, but the term is not all-encompassing. Any analysis of a referral relationship should start with the question of whether the services involved are DHS. If not, then the Stark analysis can likely stop there.

If DHS are involved and Stark applies, then it gets fun. Despite the baseline approach of not liking referral relationships, the statute and regulations contain a whole host of exceptions that make a relationship acceptable. The exceptions break down into the following categories: (i) service-based, (ii) ownership or investment interests, and (iii) compensation arrangements. The list of exceptions, mostly the compensation arrangements ones, keeps growing. Additionally, the specific requirements for the exceptions can change as interpretations change or the requirements are tweaked. Given that evolution, it is essential to stay on top of the current text of the regulations.

Knowing the exact text of the regulations is important because the Stark Law is a strict liability law. Strict liability means that if an organization does not comply with the requirements as set out, then a violation has happened. The violation exists regardless of whether an intent to violate the law exists. The analysis only looks at what is in place and not whether the parties did their best to meet the requirements or didn’t mean to miss the mark.

The AKS. The Anti-Kickback Statute is a criminal companion to the Stark Law. Going into what it means to be a criminal law first, there needs to be an intent to violate for a problem to arise. However, what constitutes intent can vary to a pretty large degree with various developments over time making it easier to find an improper intent. There is also a standard referred to as the one purpose standard for finding intent. What the standard means is that so long as one reason for the proposed relationship is improper then the whole relationship can be tainted.

Beyond the intent, the AKS has a number of safe harbors that can make an otherwise improper relationship acceptable. The safe harbors under the AKS overlap to a large degree with the Stark exceptions. A significant difference from the Stark Law is that it is not strictly necessary to meet all of the requirements of a safe harbor to be acceptable. Since an intent must exist to violate the AKS, it is possible for a relationship to still not create a violation even if all of the elements of the safe harbor are not met. If a safe harbor is not fully satisfied, then there can be varying degrees of risk associated with the relationship.

HIPAA. The third member of the triumvirate is HIPAA, everyone’s seemingly favorite law to not fully understand in healthcare. For purposes of concern, the areas of HIPAA to focus on are the Privacy Rule, Security Rule, and Breach Notification Rule. The bulk of HIPAA addresses transactions and data interchange, which is not what drives the confusion and concern.

Overall, HIPAA looks at how protected health information can be used and disclosed along with how to protect that information. The rules are relatively permissive when actually parsed through because the rules do not interfere with regular business operations in healthcare. To the contrary, the rules promote regular operation and really seek to limit the flow of data outside of the healthcare system.

On the security side, HIPAA establishes a decent framework from which to build an actually comprehensive and functional security platform. When the HIPAA Security Rule is viewed as the framework on which to build the actual security house that can meet or exceed industry standard, then it makes a bit more sense.

While the overview of the three big laws is decidedly brief and extremely high level, it is also important to note that it is just the start of the story.

Expanding the Picture

Depending on the nature of the business, a healthcare organization will need to consider a lot of other laws and regulations too. The laws and regulations are a mix of federal and state considerations, but each is certainly important in its own right.

Given the myriad of laws to potentially consider, the aim now is only to flag some of them to begin the eye-opening process of seeing that there are layers upon layers of issues within healthcare.

A big factor impacting operations will be the rules and regulations for participating in Medicare and/or Medicaid. For Medicare, there are baseline regulations for participation and then nuances that are introduced (and changed) every year through the fee schedule process. The conditions are quite detailed and get into some of the minutiae of how to operate.

While Medicare is standardized, Medicaid has unique characteristics in each state because it is a joint federal and state program. Since each state has a say in how Medicaid runs in its jurisdiction, there will be differences in terms of what services are covered, how payment may be made, and other distinctions. It all means that an organization may have a relatively easier time if it only operates in one state, but will need to get up to speed on differentiators to the extent the organization participates in Medicaid in more than one state.

While mostly applicable to hospitals, another federal law, one that has been getting more attention recently, is the Emergency Medical Treatment and Labor Act (EMTALA). The basic premise of EMTALA is that an emergency room is supposed to triage and stabilize every presenting patient, unless some very specific circumstances are present. The purpose is to avoid instances of patient dumping or only picking patients with insurance coverage that is perceived as more favorable.

Moving to the states, the biggest issue was already flagged, namely the state-by-state variations in the implementation of Medicaid. However, many states also have unique iterations of the AKS and/or Stark Law. The state-level anti-kickback statutes can mirror the AKS to a large degree, though the safe harbors may be missing, which adds a different set of challenges. The state mini-Stark laws can also differ in the specifics. In many instances, the state fraud and abuse laws will expand beyond just federal payor programs and apply to commercial insurance arrangements as well. The global coverage arguably makes compliance easier because there is no need to operate differently depending on the payor, but it is something to consider.

The growth in states enacting comprehensive privacy schemes also adds a compliance wrinkle. The comprehensive privacy schemes usually carve out information already subject to HIPAA, but many organizations hold information beyond that. For the non-HIPAA information, it is necessary to know when compliance becomes applicable and what to do.

The Maze

While Stark, AKS, and HIPAA deservedly get a lot of popular attention, real-world operation needs to consider all of the intersecting and sometimes arguably conflicting laws. Operating in healthcare really is like being in a never-ending maze. Understanding that baseline for involvement is important. Attempting to ignore the complexity or push through without giving the complexity its due is a pretty sure way to end up in a lot of trouble. Take the time to be considerate and be willing to bob and weave as necessary.

On top of that, it is necessary to offer a final caveat that the summary offered here barely scratches the surface of the various laws, regulations, and rules. Before going too far down any path, take the time to assess what could apply to that path and vet it out.

This article was originally published on The Pulse blog and is republished here with permission.