With the downturn of the U.S. economy over the past several years, transactional attorneys nationwide have wrung their hands over the slowdown in deal volume their practices have suffered. Notwithstanding the slowdown, mergers and acquisition activity in the health sector has remained relatively strong, and is likely to increase dramatically over the next few years. The U.S. Census Bureau recently released figures indicating that health care services and social assistance accounted for $1.2 trillion of the U.S. economy in 2002, making it one of the largest segments of the economy. Hospitals alone earned $507.2 billion in 2002, an increase of 9.7% over the prior year.1 The recent passage of the Medicare Prescription Drug and Modernization Act of 20032 is expected to increase the bottom line of some health care providers even further. This legislation, when viewed in the context of the aging baby-boomer generation (and the corresponding need for additional health services),3 makes continued growth in the health sector of the economy an incontrovertible reality.
With the growth of the health industry comes corollary growth in health sector merger and acquisition transactions. As hospitals and other health care providers position themselves to eliminate cost redundancies and increase market share within their service areas, they must grow and keep their bottom lines strong. This business reality gives many health care companies, both for-profit and nonprofit alike, an appetite for acquisitions, and a corresponding desire to spin-off unprofitable divisions or health product lines.4
Notwithstanding what would appear to be a boon to transactional attorneys nationally, many practitioners have been reluctant to take on health sector transactions. In addition to the corporate law aspects of such transactions, health transactions are subject to a bevy of federal and state regulations which make their execution a veritable minefield for health care companies and the attorneys who represent them. In an effort to allay some of these concerns, this article analyzes three of the more notable regulatory schemes that a practitioner must tackle when structuring or negotiating a health industry transaction. Specifically, this article addresses the Federal Anti-Kickback Statute, the Stark Law, and the Health Insurance Portability and Accountability Act of 1996.
I. The Anti-Kickback Statute
The Medicare/Medicaid Anti-Fraud and Abuse Statute5 (commonly referred to as the "Anti-Kickback Statute"), prohibits offering or receiving remuneration for the referral of a patient for an item or service covered by Medicare or Medicaid. The Anti-Kickback Statute also extends to remuneration intended to induce a person to arrange for or recommend the purchase, lease or order of a service or item covered by a federal health care program.6 Violation of the federal Anti-Kickback Statute is a felony, punishable by substantial fines, imprisonment, or both. In addition, the government may seek civil monetary penalties of up to $50,000 per violation and damages of up to three times the total amount of the remuneration paid.7 A health care company which has been found liable for violating the Anti-Kickback Statute also may be excluded from participation in federal health care programs.8
The subtextual concern addressed by the Anti-Kickback Statute is that certain business relationships are a sham, and in fact, are designed to act as a conduit for the payment of money to induce patient referrals. While seemingly simple, the Anti-Kickback Statute has given rise to an entire body of federal regulations and case law. Federal appellate cases have held that all payments which are intended, even in part, to induce a patient referral are prohibited by the statute. This principle is referred to as the "one-purpose" rule, meaning that remuneration is illegal even if only a small portion of the overall reason for the payment was to induce referrals.9 The one-purpose rule makes the practitioner’s job more difficult in that it requires him or her to delve beneath the surface of what purports to be a legitimate business relationship and understand all of the reasons for the consummation of the business relationship.
When a practitioner is retained to assist a client in acquiring a health care company, or structuring a new venture on behalf of a health care company, due diligence of the business relationships of the client and/or target company is critical in light of the Anti-Kickback Statute. As a starting point, it is essential to determine whether anyone who/which is in a position to refer patients or sell equipment or goods to the client (in the case of a new business venture) or the target company (in the case of the acquisition) is receiving or paying any amounts to the client/target company. These payments could be in the form of lease payments, management fees, consulting fees, broker’s fees, rebates or discounts for purchases made by the client/target company, or a whole host of other seemingly benign and commonplace business relationships. If any such payments are made, the next step is to analyze each such payment under the Anti-Kickback Statute.
To give the health care community greater comfort, the federal Office of the Inspector General (the "OIG") promulgated safe harbors describing arrangements that will not be treated as a violation of the Anti-Kickback Statute, or serve as a basis for exclusion from the Medicare and Medicaid programs.10 After identifying a potentially problematic business relationship (i.e., a business relationship between a health care company and another company that is in a position to make referrals to it), a practitioner should compare the elements of the business relationship to those in the safe harbors. For example, if a company that your client is considering acquiring has entered into a management agreement with a physician practice that is the main source of patient referrals for the company, the management fee paid by the company to the third party could be viewed as an inducement for patient referrals. The safe harbor for management contracts provides that the management relationship will be deemed appropriate (and therefore, not a violation of the Anti-Kickback Statute) as long as the following six requirements are met:
(1) The agreement is set forth in writing and signed by the parties;
(2) The agreement specifies the services to be provided;
(3) If the services to be provided are on a periodic or part-time basis, the agreement specifies exactly the schedule of such intervals, their precise length and the exact charges paid for those intervals;
(4) The term of the agreement is for not less than one year;
(5) The aggregate compensation paid is set in advance, is consistent with the fair market value of similar services in arm’s-length transactions, and is not determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part under a federal health care program; and
(6) The services performed under the agreement do not involve the counseling or promotion of a business arrangement or other activity that violates state or federal law.11
If the target company’s management agreement meets all of the terms of the safe harbor, there is no violation of the Anti-Kickback Statute. If, by contrast, some, but not all of the elements of the safe harbor were met, the analysis becomes more difficult. If an agreement does not fit precisely within the safe harbor, it is not per se illegal. It does, however, raise questions under the Anti-Kickback Statute, particularly the further away the relationship is from the safe harbor, and the more of the elements of the safe harbor that the relationship does not meet.12
II. The Stark Law
As is often the case in health industry transactions, health care providers will participate in transactions with physicians who are in a position to refer patients to the provider. The Stark Law was designed to prevent physicians from over-utilizing health care services in which they have an ownership or other financial interest. Specifically, the Stark Law prohibits a physician from making a referral to an entity for the furnishing of a "designated health service" that may be covered by Medicare if the physician (or his/her immediate family members) has a financial/compensation relationship with the entity.13 Unlike the Anti-Kickback Statute which prohibits payments for any referral of any type of service which is covered by Medicare or Medicaid, the Stark Law is limited to "designated health services."14 These designated health services include:
(1) Clinical laboratory services;
(2) Physical therapy services (including speech-language pathology);
(3) Occupational therapy services;
(4) Radiology services and radiation therapy and supplies (such as x-rays, ultrasound or imaging services and scans, nuclear medicine and others);
(5) Durable medical equipment and supplies;
(6) Parenteral and enteral nutrients, equipment and supplies (e.g., feeding tubes);
(7) Prosthetics, orthotics, and prosthetic devices and supplies;
(8) Home health services;
(9) Outpatient prescription drugs a patient could obtain from a pharmacy (with some exceptions);
(10) Inpatient hospital services; and
(11) Outpatient hospital services.
Violation of the Stark Law is subject to a civil monetary penalty of up to $15,000 for each service wrongfully billed to the Medicare Program, in addition to a refund of all amounts paid, among others. As an example, if a hospital entered into a tainted medical director agreement with a physician who referred patients to the hospital, and the relationship spanned three years, every item of service billed by the hospital to the Medicare program for each patient referred by the physician for the entire three-year period is subject to being refunded. Additionally, each time the hospital submitted a bill for any such service, an additional fine of $15,000 could be assessed. It is not hard to imagine how the amount of any recovery by the government under these circumstances could be enormous, and could have disastrous effects on the hospital.
For this reason, when structuring health industry transactions involving physicians, or acquiring a company which has such relationships with physicians, it is essential to conduct a thorough analysis of all of the business relationships between the health care company and the physicians who refer patients to such company. From a due diligence perspective, this requires the practitioner to request and obtain a thorough explanation of such business relationships (including, for example, lease agreements, management agreements, medical director agreements, employment agreements, service agreements, etc.). Once you have a complete understanding of these relationships, the next step is to ascertain whether the physician has referred, or is in a position to refer, patients to the health care company for "designated health services." If there are no such referrals being made (or there are referrals being made for something other than designated health services), the Stark Law is not implicated.15 If the physician is making referrals to the company for designated health services, the relationship must fall within one of the exceptions delineated by the Stark Law for it to be legitimate. Note that, unlike the Anti-Kickback Statute, which does not require the relationships to fall within the four corners of the promulgated safe harbors, per se, a relationship under the Stark Law must fall squarely within one of the exceptions, or it will be deemed illegal.
The exceptions to the Stark Law involve situations in which the physician provides services in his own office, situations in which the physician’s ownership interest is in a public security (such as in a public company that owns the hospital to which he or she is referring), lease relationships that fall within precise guidelines, equipment rental relationships where the risk of fraud is minimized, bona fide employment relationships, and personal services arrangements for fair market value compensation, among others. As an example, if Doctor Smith referred patients to Pleasant Valley Hospital, and also leased office space from the hospital for his private practice, the lease relationship must fall within the Stark Law exception for lease relationships or all patient referrals made by Dr. Smith to Pleasant Valley Hospital would be deemed to be illegal. To meet this exception, the following facts must be true:
(1) The lease is set out in writing, signed by the parties, and specifies the premises covered by the lease;
(2) The space rented or leased does not exceed that which is reasonable and necessary for the legitimate business purposes of the lease or rental and is used exclusively by the lessee when being used by the lessee, except that the lessee may make payments for the use of space consisting of common areas if such payments do not exceed the lessee’s pro rata share of expenses for such space based upon the ratio of the space used exclusively by the lessee to the total amount of space (other than common areas) occupied by all persons using such common areas;
(3) The lease is for a term of at least one year;
(4) The rental charges over the term of the lease are set in advance, are consistent with fair market value, and are not determined in a manner that takes into account the volume or value of any referrals or other business generated between the parties;
(5) The lease would be commercially reasonable even if no referrals were made between the parties; and
(6) The lease meets such other requirements as the Secretary may impose by regulation as needed to protect against program or patient abuse.16
Using the previous example, if Dr. Smith’s written lease was for a three-year term, was in exchange for a flat monthly rental fee that was consistent with the fee paid by others in the building who do not refer patients to Pleasant Valley Hospital, and was limited to space which is commercially reasonable for Dr. Smith to use in his private practice, the lease is likely to be legitimate from a Stark Law perspective. If on the other hand, the lease was not set forth in writing, contained terms that appeared to be commercially unreasonable (such as, for example, giving Dr. Smith free use of support staff), or was for a month-to-month term, any one of these factors would make the lease per se illegal. If you were retained by a client to acquire Pleasant Valley Hospital, Dr. Smith’s lease relationship, along with his medical director agreement and any other agreement he might have with Pleasant Valley Hospital, are all of critical importance in assessing Pleasant Valley’s compliance with law.
The Health Insurance Portability And Accountability Act of 1996 ("HIPAA")17 is the health care industry’s version of the Y2K computer scare. Like Y2K, the requirements imposed by HIPAA led to a great deal of anxiety as health care companies upgraded their computer systems and revised their operating policies in anticipation of HIPAA’s effective date. The cost to the industry for complying with HIPAA also was similar to the costs incurred in connection with Y2K and has been widely touted as being in the billions of dollars. At its broadest level, HIPAA generally requires all health care companies to be able to transmit patient data electronically, using a standard and secure transmission medium. It also creates stringent rules pertaining to the manner in which patient medical information can be used and disseminated by health care companies. Among other things, HIPAA prohibits "protected health information" from being used or disclosed to any third party without the authorization of the patient, unless such information is being used for treatment or payment purposes or for the health care operations of the health care company that renders the service. 
As used in HIPAA, "protected health information" is information that: (i) includes demographic information which is collected from a patient; (ii) is created by or received from a health care provider, health plan, employer or clearinghouse; (iii) relates to a past, present or future physical or mental health condition or a past, present or future payment for the provision of health care services; (iv) identifies the individual patient or could reasonably be used to identify the individual; and (v) has been transmitted or maintained in any form or medium (electronic, paper, oral).18 If a health care company is found to have violated HIPAA, it is subject to fines of $100 per violation (up to $25,000 per person, per year, for negligent violations of each HIPAA standard).19 If a person knowingly violates HIPAA, criminal penalties can be imposed, including fines of up to $50,000 and imprisonment for up to 1 year.20 If a party violates HIPAA under false pretenses, fines can range up to $100,000 and imprisonment for up to five years.21 These fines may be increased to $250,000 and imprisonment for up to ten years if the violation is accompanied by an attempt to sell, transfer or use protected health information for commercial advantage.22
Above and beyond the general prohibition on the disclosure of protected health information, the HIPAA regulations require health care providers to be able to track and account for all disclosures of protected health information. For example, under the HIPAA privacy standards, a patient has a right to go into a hospital (or other health care facility) years after having had surgery at the hospital and request a list of all of the disclosures made by the hospital of his or her protected health information. The Hospital is required to generate a report showing all such disclosures that were made, from the radiologist that read the patient’s x-rays, to the billing service that sent the patient the bill for the services the patient received. The patient also will have an opportunity to review the information, and if the patient believes that some of the information is inaccurate, to request that the hospital correct the erroneous information. Thereafter, the Hospital is obligated to review the patient’s request, and if appropriate, make corrections to the information on its system.
In addition to these general obligations, health care companies also are required to enter into "business associate agreements" with all entities which handle or process protected health information on their behalf. These agreements generally require third party vendors, service providers and consultants to maintain systems which allow them to store, process, manipulate and transmit protected health information in a manner similar to the health care company itself.
Given the breadth and nature of the obligations HIPAA imposes on health care companies, a practitioner retained to acquire a health care company must carefully scrutinize the target company’s level of HIPAA compliance. From a legal perspective, this process starts with a review of the target company’s policies and procedures to determine whether it has taken steps to implement its HIPAA obligations. Next, the target company’s employment records should be reviewed to determine the nature and frequency of the training it has provided to its employees on HIPAA privacy issues. Lastly, a review of the company’s business associate agreements should be conducted. If the policies and procedures do not address HIPAA concerns, the target company has failed to execute the requisite business associate agreements, or it has not educated its staff on HIPAA requirements, an acquirer will be required immediately to institute dramatic operational changes following the target company’s acquisition. Given the sea-change likely to be required to implement these changes, the acquirer may think twice about moving forward with the acquisition.
Even more important than the HIPAA legal due diligence required in connection with a health care acquisition is the technical review of the target company’s computer systems. If the target company does not have software and hardware in place to comply with the electronic security standards required of HIPAA, then no amount of training will remedy the target company’s HIPAA compliance issues. In this case, the only solution is to incur a significant capital expenditure to replace the antiquated computer systems. Even then, however, the costs of compliance are likely to rise as the staff is trained on the new systems and the operational safeguards are put in place to ensure HIPAA compliance.
Although the three regulatory schemes discussed above represent only a small, but significant, sampling of the regulations that affect health industry transactions, each of the regulations (as well as those that are not discussed) has one thing in common: If a violation of the regulations is found, the acquirer (or the entity structuring a new transaction) has three choices available to it. First, it can choose to scrap the transaction in light of the very real regulatory risks posed by the business practices of the target company.23 Second, it can require that the offending practices be stopped prior to closing the transaction, and require the target company to indemnify it from all liabilities arising from such pre-closing practices.24 Assuming that the acquirer decides to move forward with the transaction and accept the regulatory risks associated with the problematic business relationships, the third option is to revalue the company and adjust the purchase price to account for the increased liability exposure assumed by the acquirer. On the one hand, the acquirer will desire a significant reduction in the purchase price to reflect the additional risks assumed by it in proceeding with the acquisition. The target company will resist such a reduction, and will argue that the regulatory risk is overstated, either in terms of the legal analysis, or in terms of the likely chance of the target company being prosecuted for the violation. In any event, as a predicate for assisting a client in working through these difficult issues, the practitioner must have a firm and grounded understanding of the regulatory schemes that give rise to the issues.
1 U.S. Census Bureau data.
2 Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (H.R. 1-2003).
3 According to U.S. Census Bureau data, the number of people over age sixty is expected to double to 70,000,000 within the next thirty (30) years.
4 The spin-off of certain specialty service lines has led to the growth of companies that specialize in the treatment of particular infirmities. Consequently, while some companies have grown through geographic presence, others have succeeded by offering a highly-targeted service line that cuts across all geographic boundaries. Because the scope of their businesses is limited, they generally are not regarded as competitive threats by larger providers who otherwise dominate the delivery of health care services in a given geographic area.
5 42 U.S.C. § 1320a-7b(b).
7 42 U.S.C. § 1320a-7b(b)(1) and § 1320a-7b(b)(2).
9 See, e.g., United States v. Greber, 760 F.2d 68, 71 (3d Cir.), cert. denied, 474 U.S. 988 (1985).
10 The entire text of the safe harbors is set forth at 42 C.F.R. § 1001.952.
12 Perhaps the most damning feature of any relationship is a variable fee that changes in correlation to the number of patient referrals made to the target facility.
13 See, 42 U.S.C. § 1395nn (60 Fed. Reg. 41914 (1995)) (effective September 13, 1995); 63 Fed. Reg. 1659 (1998); 63 Fed. Reg. 1646 (1988).
14 In addition to the Stark Law, many states have statutes that mirror the Stark Law, often expanding the scope of the designated health services which are implicated. Consequently, when restructuring or reviewing a health industry transaction, it is important to review the law of all states in which the health care company is operating to determine whether the company’s business relationships contravene any state self-referral laws. (Note that this is not an easy task when the company does business in many states.)
15 Note that, even if the referral is for something other than a designated health service (thereby making the Stark analysis moot), the relationship nevertheless must pass muster under the Anti-Kickback Statute.
16 See, supra, note 13.
17 65 Fed. Reg. 82462-82829.
19 42 U.S.C. §1176; 45 C.F.R. Part 160, Subpart C.
20 42 U.S.C. §1177.
23 This risk can be minimized, to some extent, if the assets of the target company are purchased, instead of the stock or other equity interests of the target. In addition, the acquirer must not assume the Medicare provider contract of the target, or it will, as a matter of law, assume regulatory violations that arose in the context of the billing that previously occurred under the Medicare provider number.
24 Many clients will see indemnification as a magic bullet for resolving compliance concerns. While an indemnity helps, it is only as good as the company that stands behind it. Given the large sanctions levied against health care companies for failing to comply with a variety of regulations, the financial solvency of the entity giving the indemnity must be evaluated carefully.
John M. Callahan is a partner in the Health Law Department of McDermott, Will & Emery’s Chicago Office. Mr. Callahan’s practice focuses on mergers and acquisitions, complex contracts and corporate governance. He graduated from the University of San Diego School of Law, J.D. (cum laude), 1994 and University of Notre Dame, B.A. (with honors), 1990.