Putative Class Action Underscores Need for HIPAA Covered Entities to Diligence Business Associates

Seth Goldberg

Last week, in a putative class action, the Eastern District of Wisconsin in Dusterhoft v. OneTouchPoint Corp., 2024 U.S. Dist. LEXIS 170993 (ED WI 2024), issued a decision denying a motion to dismiss, in part, that underscores the importance for healthcare entities of strong privacy compliance, including due diligence and auditing with respect to HIPAA-protected information provided to “business associates.”

OneTouchPoint provides brand management, marketing, printing, and supply chain logistics to healthcare providers. In connection with those services, “OneTouchPoint collects and maintains names, addresses, Social Security numbers (SSNs), member IDs, dates of birth, health insurance information, and other medical information provided during health assessments.” OneTouchPoint discovered that its servers had been improperly accessed, causing a breach of 2.6 million individuals’ data, including patients of nearly 40 health insurers and healthcare service providers.

After receiving letters from OneTouchPoint advising them of the breach, nine named plaintiffs from Arizona, Georgia, Maine, Minnesota, South Carolina, and Wisconsin claimed that they provided information to OneTouchPoint clients, who in turn provided to OneTouchPoint their HIPAA-protected information that was disseminated in the breach. Pertinent to this article, the only injuries alleged by five of the named plaintiffs are spending time and money combatting the effects of the breach, such as calling banks, credit card companies, etc., and diminution in the value of their information.

The Court held that the diminution in value claim was insufficient to establish standing, but the time the named plaintiffs spent mitigating the effects of the breach was an injury sufficient to establish standing. The Court further held that the complaint sufficiently alleged a claim for negligence because, as alleged damages, the mitigation efforts were not too speculative, and could be shown to be causally related to the breach.

Importantly, the Court rejected OneTouchPoint’s assertion that HIPAA and Section 5 of the FTC Act do not create a private right of action to assert a claim for negligence per se, i.e., a violation of those Acts’ requirements with respect to protected information, explaining that statutory intent should dictate whether a claim for negligence per se can be asserted, and the parties did not brief that issue sufficiently. This argument, held the Court, could be raised again on summary judgment.

That the named plaintiffs will be able to proceed on their negligence and negligence per se claims, at least until a dispositive motion is filed, highlights the importance of a “Covered Entity,” like a hospital or medical practice, sufficiently understanding how a Business Associate will secure protected information. OneTouchPoint may now have to incur the significant expense of class discovery, which could lead to a settlement-leveraging class certification motion. Given that a HIPAA “Covered Entity” can be liable under HIPAA for failing to properly diligence a Business Associate, one can envision negligence and negligence per se claims being brought against a Covered Entity for a Business Associate’s data breach. Consequently, a Covered Entity should be vigilant when it diligences a Business Associate, and insist on indemnification for any claims that result from the Business Associate’s data breach.

Duane Morris attorneys are experienced in advising clients with respect to HIPAA’s privacy and security requirements.

Health Insurance Reimbursement Price-Fixing MDL Formed

Seth Goldberg

I recently reported that Multiplan and certain insurers in its network were accused of being a “cartel” that has agreed to underprice out-of-network reimbursement paid to providers in the Multiplan network in violation of federal antitrust laws, in the matter styled Live Well Chiropractic PLLC, et al. v. Multiplan, Inc., et al., (D. IL Civ. No. 1:24-cv-3680). That antitrust action, along with six other similar actions, was consolidated for pre-trial proceedings by the Joint Panel on Multi-District Litigation (JPML) into a multi-district litigation in the Northern District of Illinois before The Honorable Matthew Kennelly. See JPML Transfer Order.

While defendants in certain of the actions sought transfer of the MDL to the Northern District of California, and others hoped transfer would not occur until a motion to dismiss in an action in New York District Ct. was heard, the JPML ruled that “the Northern District of Illinois is an appropriate transferee district for this litigation” because “six actions are pending in that district, which has the support of both some plaintiffs and all defendants. Two defendants are headquartered in Illinois, and several others are located nearby. Judge Matthew F. Kennelly is well-versed in the nuances of complex and multidistrict litigation, and we are confident he will steer this litigation on a prudent course.”

The price-fixing claims assert that Multiplan uses an algorithm that Multiplan claims “reprices” OON services based on historical reimbursements to providers providing the same services, and then “overrides” that amount to pay lower rates agreed upon by Multiplan and the insurers.   The insurers, who are allegedly horizontal competitors, are claimed to provide competitively sensitive information about their reimbursement that they would not provide in a competitive market, and many serve on a Multiplan advisory board that meets in furtherance of the conspiracy to fix prices.

 

Another Stark Law Action

Seth Goldberg

I recently wrote about what appears to be a surge in Stark Law enforcement by the DOJ, and just days later the DOJ announced another Stark Law enforcement action. The Stark Law, or Physician Self-Referral Law, 42 U.S.C. § 1395nn, is a strict liability statute that prohibits physicians from referring patients to an entity for “designated health services,” such as inpatient hospital, laboratory, or radiology services, in which the physician has a financial relationship, such as an ownership interest or compensation arrangements where the remuneration exceeds fair market value.

On July 26, 2024, the DOJ filed a Complaint against Murphy Medical Center, Inc. doing business as Erlanger Western Carolina Hospital and Chattanooga-Hamilton County Hospital Authority doing business as Erlanger Health System and Erlanger Medical Center (collectively, Erlanger) in the U.S. District Court for the Western District of North Carolina, alleging that Erlanger violated the Stark Law and thereby violated the False Claims Act, which permits the government to recover treble damages, among other relief.

The Complaint alleges, based on information provided by two qui tam relators, or whistleblowers, who worked for Erlanger as Chief Compliance Officer and Chief Financial Officer, that Erlanger developed a strategy to drive business to it by knowingly paying physicians large salaries and bonuses without regard to whether work was actually performed.  Consequently, the Complaint alleges, Erlanger was paying more than fair market value in violation of the Stark Law.   The Complaint notes instances where Erlanger should have been on notice of the disproportionate payment, but lacked or ignored internal controls and warning signs that could have resulted in a correction.  The Complaint also notes that Erlanger had previously settled DOJ claims of Stark Law violations, agreeing to pay $40 million in 2005.

The Complaint provides specific examples of services provided by ten physicians who were compensated by Erlanger in amounts exceeding fair market value.  Because those services, among others, billed to Medicare allegedly violated the Stark Law, the government asserted claims against Erlanger under the False Claims Act and for common law unjust enrichment and payment by mistake.  The DOJ seeks damages against Erlanger of approximately $27.8 million.

The Erlanger action and the others I previously wrote about should remind hospitals and health systems to be vigilant about physician compensation structures, as the fair market value assessment may result in subtle disparities that nonetheless raise the specter of Stark Law violations.   This is an area of compliance to be particularly mindful about.

 

DOJ Enforcing Stark Law Violations Through False Claims Act

Seth Goldberg

The Stark Law, or Physician Self-Referral Law, 42 U.S.C. § 1395nn, prohibits physicians from referring patients to an entity for “designated health services,” such as inpatient hospital, laboratory, or radiology services, in which the physician has a financial relationship, such as an ownership interest or compensation arrangements where the remuneration exceeds fair market value.  Although there is no private right of action under the Stark Law, an alleged Stark Law violation can provide the basis for a civil qui tam or whistleblower action under the False Claims Act.

For example, in March 2024, in United States ex rel. Lisa Parker v. Mohammad Athari M.D., et al. (4:20-cv-02056), the DOJ intervened and settled a claim for Stark Law violations where the qui tam relator asserted that a Houston-based physician had allegedly referred neurology patients to a diagnostic imaging center the physician owned. The settlement also resolved allegations that the physician falsely billed for medically unnecessary services under Medicare Part B. The whistleblower received 18% of the $1.8 million settlement. Similarly, in October 2023, the DOJ intervened and settled the qui tam action styled U.S. ex rel. Pinto v. Cardiac Imaging, Inc., et al., No. 18-cv-2674 (S.D. Tex.), where the defendant, Cardiac Imaging Inc. and its owner, paid referring cardiologists fees exceeding fair market value for their referrals. The settlement value totaled $85,480,000.

While the anti-kickback laws are often the vehicle for claims under the False Claims Act, healthcare providers and entities doing business with them should be aware of the potential for Stark Law claims arising out of compensation arrangements for services and be focused on compliance accordingly.

 

 

Health Insurance Price-Fixing Cartel Alleged Against Multiplan and Insurers

Seth Goldberg

Providers in a putative class action filed on May 7, 2024, claim that Multiplan and certain named insurers in its network are a “cartel” that has agreed to underprice out-of-network reimbursement paid to providers in the Multiplan network in violation of federal antitrust laws. The Complaint, filed in the District of Illinois as Live Well Chiropractic PLLC, et al. v. Multiplan, Inc., et al., (D. IL Civ. No. 1:24-cv-3680), alleges that Multiplan uses an algorithm that Multiplan claims “reprices” OON services based on historical reimbursements to providers providing the same services, and then “overrides” that amount to pay lower rates agreed upon by Multiplan and the insurers. According to the Complaint, the insurers, who are allegedly horizontal competitors, provide competitively sensitive information about their reimbursement that they would not provide in a competitive market, and many serve on a Multiplan advisory board that meets in furtherance of the conspiracy to fix prices. A key component of the alleged price-fixing is Multiplan’s requirement that providers in its network agree not to balance bill patients for payments not made by the insurers. The Complaint alleges that Multiplan and the insurers have made billions off the alleged anticompetitive conduct, and seeks damages and injunctive relief.

Does Multiplan Contract Leave Providers Exposed?

Seth Goldberg

In the matter styled The Plastic Surgery Center, P.A., v. Cigna Health and Life Insurance, et al., (3d Cir. No. 23-1096), the Third Circuit Court of Appeals affirmed the District of New Jersey’s decision that the plaintiff provider, TPSC, could not recover against Multiplan for Cigna’s underpayment for breast reconstruction surgery under the commercial contract between TPSC and Multiplan.

Under that contract, TPSC agreed to become a member of Multiplan’s network of healthcare providers, and Multiplan agreed to use reasonable efforts to market TPSC to payors who, like Cigna, contract with Multiplan to pay for services provided to Cigna’s insureds by providers in Multiplan’s network. Under the TPSC/Multiplan contract, Multiplan agrees that the provider will be paid 85% of charges, less deductibles, co-payments, and co-insurance. Cigna reimbursed TPSC approximately $2000 for a procedure for which TPSC charged approximately $158,000, and TPSC sued Cigna and Multiplan for the difference, claiming Multiplan promised TPSC would be paid 85% of charges. In affirming the dismissal of that claim under basic principles of contract law, the Third Circuit determined that nothing in the TPSC/Multiplan contract guaranteed TPSC would be paid 85% of charges. The claims against Cigna had been dismissed by the trial court without appeal on the basis that the denial of any additional reimbursement was not arbitrary or capricious.

This may be an important decision for the thousands of providers who have similar contracts with Multiplan, as payors may use it as a backstop for underpaying. This decision may be used to argue that a contract between the provider and Multiplan does not give a provider recourse to the payor for any underpayments or obligate Multiplan for them. However, the Third Circuit noted that TPSC did not claim the Multiplan contract was illusory.

Private Equity Driven Healthcare Market Consolidation Scrutinized

Seth Goldberg

Earlier this month, the Antitrust Division of the DOJ, the Department of Health and Human Services, and the Federal Trade Commission announced a joint cross-government inquiry into the control over health care by private equity firms and other corporate owners. In conjunction with that announcement, they released a Request for Information seeking public comment from stakeholders, including patients, consumer advocates, doctors, nurses, health care administrators, employers, private insurers, PBMs, GPOs, nursing homes, hospices, home health agencies, hospitals, and other health care providers, facilities, and entities that provide ancillary health care products or services, on how mergers and acquisitions have affected them, and what actions, if any, should be taken by the federal government to address adverse impacts that might result from market consolidation or corporate control issues. In a related press release, the FTC explained:

Private equity firms and other corporate owners are increasingly involved in health care system transactions, and, at times, those transactions may lead to a maximizing of profits at the expense of quality care. The cross-government inquiry seeks to understand how certain health care market transactions may increase consolidation and generate profits for firms while threatening patients’ health, workers’ safety, quality of care, and affordable health care for patients and taxpayers.

The public comment period will end on May 6, 2024.   

Healthcare False Claims Act Judgments/Settlements Lead Way in 2023

Seth Goldberg

The DOJ recently reported that two-thirds of the $2.68 billion in False Claims Act judgments and settlements in 2023, or $1.8 billion, came from the healthcare industry.  2023 also marked the highest number of FCA settlements and judgments in a year, totaling 543.

The treble damages that result from FCA violations provide a powerful tool to the federal government to root out fraudsters who knowingly defraud the U.S. or fail to pay money owed to the U.S.  As Principal Deputy Assistant Attorney General Boynton, head of the Justice Department’s Civil Division, stated, “the record-breaking number of recoveries reflects, those who seek to defraud the government will pay a high price.”

Healthcare FCA settlements and judgments spanned the industry, including managed care providers, hospitals, pharmacies, laboratories, long-term acute care facilities, and physicians.  FCA claims settled or decided included charges against providers for overbilling and medically unnecessary billing, and charges against insurers for submitting inaccurate information, such as diagnosis codes, in order to increase reimbursement.  Kickbacks and lab testing fraud were also the subject of FCA settlements and judgments.

 

Federal and State Antitrust Enforcers Reiterate Focus on Healthcare

Federal and state antitrust enforcers are keenly focused on potential anticompetitive conduct in the healthcare space.

Federal Trade Commission Chair Lina Khan recently noted that “the FTC is squarely focused on tackling illegal business practices that deprive Americans of access to affordable and innovative healthcare” in a speech to the American Medical Association’s national advocacy conference. According to Chair Khan, medical professionals consistently express frustration to the FTC “about how the business of healthcare today forces many [medical providers] to subordinate [their] own medical judgment to corporate decision-makers at the expense of patient health.” In response to those complaints, Chair Khan highlighted a few recent enforcement efforts, including scrutiny of group purchasing organizations, drug wholesalers, and pharmacy benefit managers, and tackling unlawful consolidation in healthcare markets and roll-ups of healthcare providers. She also touted the FTC’s work protecting healthcare workers, tackling unlawful practices by pharmaceutical companies, including suits to block two major pharmaceutical mergers, and protecting patient privacy and data.


EMR Software Utilizing AI Targeted for Fraud and Abuse

 

Seth Goldberg

Artificial intelligence (AI) can enhance efficiencies in providing healthcare in many ways, one of which is by utilizing algorithms to read medical records and thereby assist providers in better understanding their patients and treatments that may be available. Increasingly, electronic medical record (EMR) software companies are utilizing AI to boost their products, offering hospitals, healthcare facilities, and physicians powerful tools that can enhance their decision-making as to operations and treatment. Recently, it was reported that DOJ has subpoenaed the records of digital health companies and pharmaceutical companies in investigating whether AI may be used to steer treatment decisions, resulting in medically unnecessary anti-kickback and false claims violations. Given the speed at which AI creates information and then expands upon it with compounding effect, determining whether AI is the subject of and resulting in fraud may not be straightforward. However, AI-related healthcare fraud and abuse actions are clearly on DOJ’s radar and will likely become increasingly common. Hospitals, healthcare facilities, and physicians should be aware of the possibility that EMR systems could be the subject of AI fraud, and be careful not to turn a blind eye where an EMR system curiously seems to be generating results disproportionately in favor of one treatment or drug over another.


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
