eAlerts

HIPAA Business Associate Agreements: Why These Contracts Matter 

Kathryn Hickner, Esq.
Ulmer & Berne LLP, Cleveland, OH

No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily.

They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.¹ A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devasting to an organization in the event of a HIPAA breach.

The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, attention should be given at the commencement of the business associate relationship, when the parties are able, to thoughtfully addressing regulatory requirements, planning and preparing for potential adverse events and appropriately allocating risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable.

This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.

What Are HIPAA BAA s And When Are They Required?

Simply stated, HIPAA BAAs are legal contracts that are required by applicable federal law, specifically HIPAA,² under certain circumstances to further ensure that the parties will protect the privacy and security of protected health information (PHI) as defined by HIPAA.³ More specifically, HIPAA generally requires that covered entities enter BAAs when they engage a business associate to assist with healthcare activities and functions.⁴ HIPAA business associates must also enter BAAs with their subcontractors who constitute business associates. BAAs must be entered on or before the time when the business associate commences services for or on behalf of the HIPAA covered entity or business associate.

Before entering a BAA, it is important to confirm that a HIPAA business associate relationship actually exists and that the BAA is truly required. Otherwise, the parties are assuming unnecessary and undesirable liability. Healthcare attorneys are sometimes able to assist in structuring relationships to avoid implicating the BAA requirements.

HIPAA regulations require each BAA to contain certain elements. The parties often also include additional optional provisions to govern their relationship and allocate risk. These required provisions and many of the other common provisions are further described below. The federal government has promulgated language that provides a good example of typical BAA provisions.⁵

Who Are the Parties to a BAA ?

As described above, BAAs are entered between HIPAA covered entities and HIPAA business associates. They are also entered between HIPAA business associates and their subcontractors (who are also CONSULTANTSHIPAA business associates under the HIPAA regulations). Although three-party agreements are not required by the regulations, sometimes covered entities will require the subcontractors of their business associates to enter three-party agreements to create privity of contract between the covered entity, the business associate and the business associate’s subcontractor.

Definitions

For purposes of HIPAA, the terms “covered entity” and “business associate” each have a specific regulatory definition and meaning.⁶

Covered Entities

Simply stated, HIPAA covered entities are: (a) healthcare providers that electronically transmit certain transactions for which the federal government has adopted a standard, (b) health plans and (c) healthcare clearinghouses. Each of these terms is further defined in the HIPAA regulations. The federal government has promulgated a tool to assist in determining whether an organization or individual is a covered entity.⁷

Business Associates

Also broadly summarized, a “business associate” is a person who either: (a) creates, receives, maintains or transmits PHI on behalf of a covered entity for certain functions or activities such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management and repricing; or (b) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for such covered entity where the provision of the service involves the disclosure of PHI.

Subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate are themselves business associates for purposes of HIPAA.

A covered entity may be a business associate of another covered entity. That being said, it is important to note that disclosure by a covered entity of PHI to a healthcare provider for treatment purposes does not result in such receiving party being a business associate of the disclosing party.

It is also important to note that the term “business associate” does not include those engaging in such activity as a member of the covered entity’s workforce. For this purpose, a covered entity’s workforce means employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate. Covered entities sometimes structure their relationships with individuals and organizations to satisfy this workforce exception and avoid HIPAA business associate requirements, including BAA requirements.

The HIPAA regulations and the OCR website also include numerous examples of entities that are or are not business associates.⁸

What Provivisions Are Required To Be Included In BAAs?

HIPAA requires that all BAAs include certain required provisions. Broadly summarized, BAAs must do each of the following:

• Permitted Uses. Establish the permitted and required uses and disclosures of PHI by the business associate. This could be done through reference to an underlying services agreement.
• Use by Business Associate. Not authorize the business associate to use or further disclose PHI in a manner that would violate the requirements of the HIPAA Privacy Rule,9 if done by the covered entity (except to the extent permitted in the BAA with respect to certain data aggregation services or certain management and administration activities).
• Limitations on Use and Disclosure. Provide that the business associate will not use or further disclose PHI other than as permitted or required by the underlying contract or as required by law.
• Safeguards. Provide that the business associate will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by its contract.
• Compliance with HIPAA Security Rule. Provide that the business associate will comply, where applicable, with the HIPAA Security Rule¹⁰ with respect to electronic PHI, to prevent use or disclosure of the information other than as provided for by its contract.
• Report of Unauthorized Uses and Disclosures. Provide that the business associate will report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware. Report of Security Incidents. Provide that the business associate will report to the covered entity any security incident of which it becomes aware.
• Report of Security Incidents. Provide that the business associate will report to the covered entity any security incident of which it becomes aware.
• Breach Notification. Provide that the business associate will timely notify the covered entity of any breaches of unsecured PHI as required by the HIPAA Breach Notification Rule.¹¹ 
• Agreements with Subcontractors. Provide that the business associate will ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to such information and agree to comply with the applicable requirements of the HIPAA Security Rule by entering into a contract or other arrangement that complies with HIPAA.
• Access to PHI. Provide that the business associate will make available PHI in accordance with the Privacy Rule.¹² 
• Amendments to PHI. Provide that the business associate will make available PHI for amendment and incorporate any amendments to PHI in accordance with the Privacy Rule.¹³
• Accounting of Disclosures. Provide that the business associate will make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule.¹⁴
• Delegation of Covered Entity’s Duties. Provide that the business associate will, to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, comply with the requirements of the HIPAA Privacy Rule that apply to the covered entity in the performance of such obligation.
• Records to Secretary. Provide that the business associate will make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary of Health and Human Services for purposes of determining the covered entity’s compliance with the HIPAA Privacy Rule.
• Return or Destroy PHI at Termination. Provide that the business associate will, at termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
• Termination Provisions. Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. Note that the Agreement may provide the business associate with a reasonable opportunity to cure the breach.

What Are Some Of The Non-Required Provisions Often Incorporated Into BAAs?

In addition to provisions explicitly required by HIPAA as described above, BAAs also often include additional provisions that may or may not be desirable, including, for example, the following.

• Management and Administration. HIPAA explicitly permits BAAs to include the following three provisions, which are often very important for business associates:
  • Use for Management and Administration or Legal Responsibilities. The BAA may permit the business associate to use the PHI received by the business associate in its capacity as a business associate to the covered entity, if necessary: (a) for the proper management and administration of the business associate; or (b) to carry out the legal responsibilities of the business associate.
  • Disclosure for Management and Administration or Legal Responsibilities. The BAA may permit the business associate to disclose the PHI received by the business associate in its capacity as a business associate for the purposes described immediately above if: (a) the disclosure is required by law; or (b)(1) the business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and (2) the person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  • Data Aggregation. The BAA may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
• Indemnification. Perhaps the most heavily negotiated language of most BAAs is the indemnification language. This is because there is substantial potential liability in the event that a HIPAA breach occurs and the parties have a desire to allocate risk among themselves with respect to such potential liability in a manner that is to their advantage. In most cases, the covered entities have an interest in imposing very broad indemnification obligations on the business associate, which may include, for example, responsibility for any HIPAA security incident or breach that occurs while the PHI is in the possession or under the control of the business associate or its subcontractors, and any violation of the BAA, negligence or violation of applicable law by the business associate. The business associate has an interest in avoiding or significantly limiting any indemnification obligations. There are a wide range of potential compromise positions available to ensure that both parties are adequately and appropriately protected. Because of the potential liability exposure in this context, the parties often negotiate caps to indemnification obligations, which may be tied to insurance coverage or the revenue paid pursuant to the underlying agreement.
• Insurance Coverage. In addition to including indemnification obligations, the covered entities also often mitigate risk by requiring the business associate to procure and maintain cyberliability insurance coverage with specified limits. The covered entity also often desires the business associate to list the covered entity as an additional insured and to agree that the covered entity will receive notice prior to termination of the policies.
• Other Privacy Laws and Requirements. Many BAAs include certain state specific requirements related to PHI and other personal information as well as requirements that address other applicable federal privacy laws that may apply. HIPAA sets a minimum floor for the privacy and security of PHI but other, more stringent state and federal laws may also apply.
• Timeframes. BAAs often include provisions related to notice and timing requirements that are more stringent than those required under HIPAA. Before agreeing to proposed timeframes for taking action, it is imperative to consider whether the timeframes are actually achievable. Those negotiating BAAs should be careful not to set their organizations up for an unavoidable breach of the BAA.
• Other Miscellaneous Provisions. Numerous other provisions may also be included that are either favorable to the covered entity or favorable to the business associate. For example, a business associate may want to clarify that it can de-identify PHI, hold all ownership rights with respect to such de-identified information and use it to the extent permitted by law. A business associate may want to require the covered entities to provide the business associate with notice of limitations in the notice of privacy practices and patient restrictions. The business associate may want the covered entity to verify that the covered entity has a right to share all information that it does share with the business associate and that all necessary authorizations have been received. Covered entities may want to prohibit business associates from using PHI offshore and may want to clarify that the business associate is an independent contractor and not an agent. They may also want the business associate to adhere to the covered entity’s minimum necessary policies and procedures and provide the covered entity with certain audit and inspection rights. Whether these types of provisions are appropriate and ultimately incorporated into the BAA should depend on the specific circumstances of and relationship between the parties, and will also depend on each party’s negotiating leverage.

Because BAAs often include provisions that are unnecessary from a compliance perspective and undesirable from a legal and business perspective, organizations frequently develop standard pre-approved template BAAs for use, when required. When an organization is required to use a form other than its own template or when the other party requests changes to the template language, it is advisable to have those changes reviewed by legal counsel. This is true not only because of the technical nature of the BAA requirements, but also because of the significant legal and business risks facing healthcare providers with respect to health information data privacy and security.

As described above, although entering BAAs has become routine for many HIPAA covered entities and business associates, such contracts must be taken seriously. Paying careful attention to HIPAA BAA provisions and related compliance obligations at the commencement of a relationship can avoid substantial legal and financial challenges in the future.

---

¹ See in particular the recent settlements involving The Center for Children’s Digestive Health, Care New England Health System and Raleigh Orthopaedic Clinic, P.A. of North Carolina. https://www.hhs.gov/hipaa/newsroom/index.html?language=es.
² For purposes of this article, “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, and any amendments or implementing regulations (inclusive of the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and 164).
³ See 45 CFR 160.103 and 45 CFR 164.502.
⁴ 45 CFR 164.504.
⁵ https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
⁶ 45 CFR 160.103.
⁷ https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf
⁸ See 45 CFR 160.103. See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html and https://www.hhs.gov/hipaa/for-professionals/faq/business-associates.
⁹ Title 45, Chapter 164, Subpart E of the Code of Federal Regulations.
¹⁰ Title 45, Chapter 164, Subpart C of the Code of Federal Regulations.
¹¹ Title 45, Chapter 164, Subpart D of the Code of Federal Regulations.
¹² See 45 CFR 164.524.
¹³ See 45 CFR 164.526.
¹⁴ See 45 CFR 164.528.

---

Kathryn (Kate) Hickner, Esq, is an attorney at Ulmer & Berne LLP, where she co-chairs the firm’s Health Care Practice Group. Additional information regarding Kate’s background, experience, publications and presentations can be found at http://www.ulmer.com/attorneys/Hickner-Kathryn-E.aspx. She can be reached at (216) 583-7062 and khickner@ulmer.com.

How (Others’) Stupid Compliance Mistakes Can Save Your Life

Mark F. Weiss, JD
The Mark F. Weiss Law Firm, Dallas, TX, Los Angeles and Santa Barbara, CA

Some inner desire stronger than my willpower beckoned me to stare at them through the glass. I was nine years old. It was both titillating and embarrassing.

There were 10 photographs in gritty black and white, arrayed in order behind glass on the post office wall: The FBI’s 10 Most Wanted fugitives. Murderers, bank robbers and forgers. And not a physician among them.

My pediatrician Dr. Glazer’s office was across the street, but no one, I imagined, who wore such a heavily starched white lab coat could ever commit a crime.

How things have changed.

I’m no longer naïve. I know that, today, even the bureaucrats who run the Department of Health and Human Services have an Office of Inspector General’s 10 Most Wanted list.

Let’s keep you off of it.

One easy and schadenfreude-filled way to do that is to learn by example, specifically by example of what I call “stupid compliance mistakes.” After all, it’s more fun to read about someone else’s stupid mistakes than it is to make one yourself. And it might just save your life, financially, professionally and personally.

But first, let’s set the stage with some background on the primary regulatory scheme that tripped up these fools, the federal Anti-Kickback Statute (AKS).

The Federal Anti-Kickback Statute (and Other Criminal Traps)

Hey, sometimes life’s unfair.

Paying for a referral, or getting something back for making one, is not only a good business practice for plumbers, poultry farmers and Hollywood producers, it’s a best practice.

But for anesthesiologists and CRNAs, hospitals and ambulatory surgery centers (ASCs), and, in fact, anyone or any entity in connection with referrals of federal healthcare program patients, it’s a crime, a violation of the federal AKS.

In everyday terms, the AKS prohibits the knowing and willful remuneration—that is, the offer, solicitation, receipt or transfer of anything of value—for referrals of Medicare, Medicaid, Tricare and about a dozen other sorts of federal healthcare program patients.

Violation can lead to fines of up to $25,000 for each kickback, in addition to even greater civil penalties, plus prison time of up to five years for each kickback. So, for example, paying a kickback in connection with 10 Medicare claims can land you in prison for 50 years.

In addition, violations of the AKS can trigger other federal and state crimes. Most, perhaps all, states have some companion statute prohibiting kickbacks or “fee-splitting.” Others have laws criminalizing “commercial bribery.” The transactions and communications underlying kickback violations—for example, the exchange of emails or even electronic banking transfers of the ill-gotten gains—constitute wire fraud. And that’s just the start.

With penalties so high and with compliance so simple, it’s a wonder that the AKS is ever violated. But just as life’s sometimes unfair, the world is filled with wonder.

First Stupid Compliance Mistake: Free Drugs or Personnel

I’d have to borrow 10 or 20 readers’ hands and toes to help count the number of times that anesthesiologists and CRNAs have told me that the administrator of some ASC or its most influential surgeon had told them that their anesthesia group must pay for anesthesia drugs or for “some help” to move “your patients” into and out of the operating room.

Those ASC “requests” are darkly funny, because the ASC is already reimbursed for those expenses. They’re an inherent element of the CPT code-based system used by both federal healthcare programs and commercial payers to pay ASCs.

You’d think that both facilities and anesthesia personnel would understand that.

Yet, in August 2016, the United States, Attorney for the Middle District of Georgia, in concert with the Georgia Attorney General, announced a civil settlement with a series of anesthesia businesses, collectively known as Sweet Dreams Nurse Anesthesia (Sweet Dreams). The prosecutors alleged that Sweet Dreams engaged in a scheme of providing free anesthesia drugs to ASCs in exchange for the ASCs granting Sweet Dreams exclusive contracts.

Sweet Dreams paid $1,034,416 to the U.S. government, plus $12,078.79 to the State of Georgia, to resolve the allegations.

In fact, the allegations were broader than just free drugs: the U.S. Attorney also alleged that an affiliate of Sweet Dreams agreed to fund the construction of an ASC in exchange for Sweet Dreams’s selection as the exclusive anesthesia provider at that and other facilities. How did they miss the danger in that stupid idea?

In fairness to Sweet Dreams, which fully cooperated with the government investigation, the claims covered by the settlement were allegations only. There was no determination of, and Sweet Dreams did not admit, liability.

Yet, Sweet Dreams is out the $1,046,494.79 paid in settlement plus what one might guess is a huge amount of attorneys’ fees.

First Stupid Compliance Mistake Avoidance Tip: Don’t provide free drugs or free personnel to ASCs or other facilities. The provision of anything (whether tangible or intangible) of value in order to induce referrals of federal healthcare program patients is the same as giving cash for that same purpose. And it’s a crime.

Second Stupid Compliance Mistake: Cash

Let’s segue to a stupid compliance mistake involving money itself.

And let’s flip the receiving end around. Let’s look at a situation in which two physician partners, one a board certified anesthesiologist, received cash for their referrals.

In May 2015, Drs. John Couch and Xiulu Ruan, both pain management specialists, were arrested based on allegations that they received $115,000 in kickbacks from Insys Therapeutics, Inc., in connection with its fentanyl drug, Subsys.

At their trial, a former Insys employee testified that the company would pay the doctors “speaking fees” based on the number of prescriptions they wrote. They apparently wrote a lot of prescriptions: Another former Insys employee who plead guilty to conspiring with Drs. Couch and Ruan in the scheme testified that she was under constant pressure to schedule the doctors for speaking engagements and that if she couldn’t, or if events were cancelled, she could have her pay docked.

The allegations against Couch and Ruan expanded from there. They were also charged with duping both the federal government and private insurance companies by misleading them as to diagnoses. The prosecutors alleged that their kickback-fueled scheme generated profits of $40,000,000 for their practice and controlled pharmacy.

The wheels of justice turned all the way to trial. Drs. Couch and Ruan were found guilty. In May 2017, they were sentenced to prison for 20 and 21 years, respectively.

In case you want to ask for their advice on AKS compliance, you won’t find either of the Mobile, Alabama, physicians currently residing in the state: Dr. Couch passes (or “does”) time at the Federal Correctional Institute in Forrest City, Arkansas, while Dr. Ruan enjoys the view from behind bars at the Federal Correctional Institute in Oakdale, Louisiana.

In addition to their lengthy prison sentences, the duo was ordered to make restitution of $6,282,023.00 to Medicare, $3,649,092.97 to Blue Cross/Blue Shield of Alabama, $2,285,170.70 to Tricare, and $1,695,929.00 to United Heath Group.

Second Stupid Compliance Mistake Avoidance Tip: The AKS runs both ways: Accepting kickbacks is just as much a crime as paying them. So, too, is offering them or soliciting them. Disguised kickbacks, such as payment for phony speakers’ fees, invariably come to light, whether from whistleblowers, co-conspirators seeking to reduce their punishment or a random audit. Don’t be foolish: Just because the entity on the other side of the deal is huge and has access to in-house and outside legal counsel doesn’t mean the deal is legal.

Third Stupid Compliance Mistake: Easy Money

I scream, you scream, we all scream for . . . pain cream.

In October 2017, the first guilty plea came in connection with what the government alleges was a $100 million compounded pain and scar cream scam on Tricare.

A dozen people were charged in the scheme, said to involve the payment of kickbacks by the owners of a marketing/ compounding pharmacy business, CCMGRX, LLC, to Tricare beneficiaries, prescribing physicians and marketers.

I’ve seen a number of pain cream schemes in my own practice. In the typical scheme, the physician, often an anesthesiologist, is offered very significant payments from the organizers for prescribing, over the phone, a particular compounded pain cream to “patients” the physician has never seen, never will see and with whom he or she will never speak again.

The government alleged a similar situation in the CCMGRX case. It alleged that a physician defendant was paid to prescribe compounded drugs to Tricare beneficiaries, writing thousands of prescriptions for patients he never met in person and for whom he conducted only a cursory consultation via telephone.

Another physician defendant was alleged to have served as the “Chief Medical Officer” for the marketing company. It’s claimed that he designed a so-called “study” in which Tricare beneficiaries were paid kickbacks disguised as participation grants. According to the government, the true purpose of the “study” was to compile a list of Tricare beneficiaries who had filled prescriptions so that the defendants could calculate the amount of the kickbacks.

Perhaps because the OIG wasn’t directly involved, the FBI and the Defense Criminal Investigative Service investigated the case, and the kickback allegations were charged under the AKS-related crime of federal healthcare fraud.

The physicians and other defendants each face up to 10 years in federal prison and a $250,000 fine on each count for which they are charged. In addition, the government is seeking restitution of all illegally gained profits. It’s a safe bet to assume that the first defendant to flip, the one who plead guilty in October, will be testifying against the remaining defendants.

Third Stupid Compliance Mistake Avoidance Tip: With millions at play, it’s not hard to see how physicians with legitimate medical practice interests can become attracted to fast and easy money. But fast and easy money can quickly become long, hard time. The organizers of these schemes often approach physicians claiming that their legal counsel has vetted the deal: If that’s true, the lawyers are criminal lawyers, as in lawyers who are criminals. Run your own compliance analysis, or just run, before you’re on the run.

Some Parting Takeaways

You’re in charge of your own future.

Yes, I know that as more business moves from the hospital to the outpatient setting, many anesthesia providers are finding it harder to compete for business, and that many controlling the flow of anesthesia referrals are brazen about wanting something back.

And, yes, I know that many who control facilities, both hospitals and ambulatory facilities, don’t think (why they don’t think is another question) about the compliance issues inherent in the business relationships they propose or accept.

However, the real world impact of hospitals and ASCs (and pharmacies and clinical labs, etc.) gone wild is investigations (which cost money, lots of money, to deal with), whistleblower lawsuits (which cost money, lots of money, to deal with), and criminal prosecutions (which cost money, lots of money, to deal with plus, as Drs. Couch and Ruan have learned the hard way, decades behind bars).

If you can’t trust a hospital that claims that the arrangement has been vetted by its attorneys and is compliant (you can’t), you certainly can’t trust an outpatient facility, or your co-owners of the outpatient facility, to tell you that a stupid compliance mistake isn’t really a stupid compliance mistake.

Immediate Actionable Steps:

1. Be careful. 
2. Perform a compliance assessment of any proposed dealings with those who refer to you, or to whom you refer.
3. “Red team” (i.e., perform a simulated government investigation of) your current arrangements. It’s better to find your own weaknesses than to permit a whistleblower, the OIG or an FBI agent to find them for you.

---

Mark F. Weiss, JD, is an attorney who specializes in the business and legal issues affecting physicians and physician groups on a national basis. He served as a clinical assistant professor of anesthesiology at USC Keck School of Medicine and practices with The Mark F. Weiss Law Firm, a firm with offices in Dallas, Texas and Los Angeles and Santa Barbara, California, representing clients across the country. He can be reached by email at markweiss@advisorylawgroup.com.

Conflicts and Kickbacks: Risks for Hospital-Based Physician Groups 

Frank Carsonie, JD
Chair, Health Care & Life Sciences Practice Group Benesch, Friedlander, Coplan & Aronoff LLP, Columbus, OH

Nathan Sargent, JD
Associate, Health Care & Life Sciences Practice Group Benesch, Friedlander, Coplan & Aronoff LLP, Cleveland, OH

Hospitals and hospital-based physician groups enter various types of service contracts ranging from exclusive arrangements that span multiple sites to non-exclusive arrangements for an individual facility or location. Despite considerable variation, the contractual arrangements between these providers are associated with common risk factors. Such arrangements cover numerous specialties and services, but some of the most common—and most important for clinical, operational and budgetary reasons—are for anesthesia, emergency medicine, pathology and radiology services.

Given the regulatory environment, these types of arrangements—and those with other related entities—inherently involve a number of complex legal and compliance issues. It is critical for all parties involved to understand those risks, how and when they arise, and effective ways to minimize or eliminate them.

Hypothetical Fact Pattern

Consider the following hypothetical fact pattern:

• XYZ Anesthesia Associates, LLC (XYZ) is an independent group of anesthesiologists with an exclusive clinical services contract with Regional Health System (Regional). Regional is a non-profit health system with tax-exempt status.
• Regional is currently exploring ways to upgrade its information technology systems and capabilities to better position itself for value-based reimbursement opportunities.
• As part of its contract with Regional, XYZ has the right to participate in the evaluation of possible improvements to the anesthesia department across the health system, including technology and operational matters.
• Health-Tech Ventures (Tech) is a start-up that offers various healthcare technology solutions that Regional would like to consider implementing, including software solutions related specifically to anesthesia. Tech and its solutions are not widely known or used, so landing Regional as a client would be a huge win for Tech, its investors and future business prospects. It would also showcase Tech’s technology capabilities. As a result, Tech is willing to offer Regional a deep discount on its standard software pricing structure. Tech also plans to include other ancillary services related to implementation, training and maintenance at a reduced price (or possibly for free).
• Two of XYZ’s physician ownermembers are also among the initial investors in Tech who helped the start-up get off the ground financially. They are not involved in Tech’s day-to-day management.
• Chris Smith is a voting member of the Regional Health System Board of Directors (the Board). The Board reviews and approves key health system expenditures and projects, including updates to information technology systems. Smith is another initial investor in Tech who helped the start-up get off the ground prior to joining the Board.

The fact pattern above could have implications under the federal Anti- Kickback Statute (AKS), the federal self-referral laws (i.e., the Stark Law) and the federal civil monetary penalties, as well as the state law equivalents of each. In addition, if a conflict of interest arises and is not properly managed, there could be additional repercussions under the Physician Payments Sunshine Act or related to Regional’s tax-exempt status.

What are the Legal and Compliance Risks?

The AKS¹ imposes criminal and civil monetary penalties if any individual or entity is found to knowingly and willfully pay (or offers to pay), solicit or receive anything of value, directly or indirectly, in exchange for the referral of patients for any item or service that is covered (in whole or in part) by a federal healthcare program (e.g., Medicare, Medicaid). A violation would be considered a ”kickback.”

The Department of Health and Human Services Office of Inspector General (OIG) and the Department of Justice, both of which are responsible for oversight and enforcement of the AKS, have also cited situations where there could be a “reverse kickback.” In a reverse kickback, for example, a hospital-based physician group would make some payment or provide some benefit beyond the value of the underlying clinical arrangement. Such payment would be viewed as an inducement for the hospital providing an exclusive contract and thus locking up the franchise for applicable services. Essentially, the payment to the hospital is viewed as the price for guaranteeing exclusivity, which ensures business generation for the hospital-based physician group.

Why does this matter? A violation of the AKS is considered a felony and is punishable by criminal penalties of up to $25,000 per violation and imprisonment of up to five years. Further, a violation may result in exclusion from participation in federal healthcare programs and the imposition of civil monetary penalties equal to three times the damages plus $50,000 per violation. Such a violation may involve whistleblower claims that could also trigger sanctions under the False Claims Act.

In the fact pattern above, XYZ has an existing exclusive clinical arrangement with Regional. If the contract compensation is set at fair market value and upon commercially reasonable terms, and the contract passed legal and compliance review when executed, there is little risk of an AKS violation on the part of Regional or XYZ related to the clinical aspects of the relationship. However, given the fact that two XYZ physicians are investors in Tech, and Tech wants to provide Regional with substantial discounts or free services, Regional should consider the AKS when evaluating the offer.

Based on the facts above, there likely is no AKS violation for Tech offering Regional substantial discounts because there is no evidence that the discounts are being offered to generate or reward referrals. In short, there is no intent for inappropriate inducement. However, if Tech’s discounts were tied to or contingent upon Regional extending XYZ’s exclusive contract or other benefits to XYZ under its contract (e.g., increased subsidy), the analysis would change entirely and such facts could implicate the AKS.

Note that, for the AKS to apply, remuneration must actually be offered, paid, solicited or received. Also, many reasonable and appropriate arrangements may be covered by the scope of the AKS. As a result, the OIG has published various regulatory safe harbors,² narrowly defining business arrangements that may implicate the AKS but would be considered non-abusive to federal healthcare programs and not subject to prosecution. All elements of the applicable safe harbor must be satisfied in order for an arrangement to be protected.

In addition to the AKS, such an arrangement may involve the federal self-referral law, typically referred to as the Stark Law.³ A critical difference between the Stark Law and other federal healthcare laws: failure to satisfy an exception when the Stark Law is implicated means a per se violation. There is no room to maneuver based on surrounding facts and circumstances.

The Stark Law identifies the circumstances under which a physician may refer a Medicare patient to an entity (such as a hospital) for certain healthcare services (known as designated health services or DHS) if the physician or an immediate family member of the physician has a financial relationship with the DHS entity.

If the elements of the law are satisfied, the referral for DHS is prohibited and the entity is prohibited from billing for the DHS provided as the result of an improper referral, unless an applicable exception can be satisfied. There are a number of regulatory exceptions to the Stark Law. Similar to the AKS safe harbors, all elements of the relevant Stark exception must be met. The Stark Law is typically implicated by payment streams from DHS entities to referring physicians. However, there could likewise be a payment from a referring physician enterprise to a DHS entity.

Under Stark, a financial relationship includes both direct and indirect ownership and compensation relationships. A direct compensation arrangement exists when the DHS entity directly compensates the physician making the referral without any intervening persons or entities. An indirect compensation arrangement exists if there is an unbroken chain of persons or entities with financial relationships between the physician and DHS entity, the referring physician receives aggregate compensation from the person or entity in the chain within which the physician has a direct financial relationship that varies with the volume or value of referrals (or other business generated), and the DHS entity has such knowledge of such activity (or recklessly or deliberately disregards it).

In the fact pattern, the direct financial relationship between Regional and Tech does not implicate the Stark Law. Tech is not a physician enterprise, nor is Tech in a position to make referrals to Regional. However, Tech does have two physician investors who are also ownermembers of XYZ and in a position to make referrals based on XYZ’s clinical relationship with Regional. Regional’s relationship with Tech could potentially be considered an indirect financial relationship with the two physician investors under the Stark Law. An unbroken chain of compensation flows from Regional, through Tech, to the two physician investors. However, the aggregate compensation under the contract does not take into account the volume or value of referrals. As a result, the Stark Law would not apply.

Arrangements that violate the AKS or Stark Law could also potentially expose the involved parties to liability under the federal Civil Monetary Penalty Statute.⁴ The OIG has the authority to seek civil monetary penalties, assessments and program exclusion against an individual or entity based on a wide variety of prohibited conduct, including violation of the AKS or Stark Law. As outlined above, the repercussions can be serious—financially and criminally—based on the nature and extent of the violation.

In addition, arrangements between a hospital and hospital-based physician group could present conflicts of interest. Identifying and managing conflicts is critical due to the Physician Payments Sunshine Act (the Sunshine Act)⁵ and for IRS purposes. The Sunshine Act requires certain manufacturers and companies to disclose physician ownership and investment held in such companies to the Centers for Medicare and Medicaid Services (CMS).

The Sunshine Act also requires disclosure of other payments, benefits or reimbursement given to physicians in forms such as travel, meals and continuing medical education, among others, by entities such as teaching hospitals. There are also required disclosures related to research.

It is important to note that the reporting obligation does not fall on the individual physician; it rests with the manufacturer, company, teaching hospital or other entity. In the hypothetical, there may be reporting requirements for Tech and for Regional depending on the extent and nature of their relationships with physicians. Such requirements should be reviewed and complied with when evaluating and entering new physician arrangements.

In terms of conflicts, the IRS defines a conflict of interest as follows: When an individual’s obligation to further the organization’s purposes is at odds with his or her own financial or other personal interests. For example, a conflict of interest would occur when an officer, director or trustee votes on a contract between the organization and a business that is owned (in whole or part) by the officer, director or trustee.

In addition, related to exempt organizations, the IRS requires certain policies, procedures and reporting to ensure such entities put funds to proper use and that individuals in leadership positions act in good faith and avoid private inurement. What are the ramifications of non-compliance? If the IRS determines a conflict results in an excess benefit, it can impose significant penalties on the individual who receives it. The penalty can take the form of an excise tax as well as a required payback to the exempt organization itself.

There are multiple potential and existing conflicts in the hypothetical. Related to the physician investors in Tech, there could be a conflict if the physicians themselves approached Regional with a proposal for Tech to provide technology improvements (as opposed to Tech’s sales personnel). Also, XYZ’s exclusive arrangement with Regional allows XYZ physicians to participate in the evaluation of possible improvements to the anesthesia department across the health system, including technology and operational matters. If the two physician investors are involved in the evaluation process, the conflict is intensified. Similarly, there is a conflict involving Chris Smith. If and when the Board is required to vote on Tech’s proposal, Smith would have a clear conflict due to the nature of his investment in Tech.

Based on the facts, there is an important distinction to note: XYZ’s agreement with Regional gives them the right to participate in the evaluation of improvements. That does not necessarily mean XYZ has decision-making authority. On the other hand, Chris Smith does have a role in decision making at the Board level. As a result, there could be serious ramifications from an IRS perspective if these conflicts of interest are not properly disclosed and managed.

How to Minimize or Eliminate Risk

With the risks identified, it’s even more important to identify effective ways in which such risks can be mitigated or eliminated. The following strategies based on the fact pattern apply generally.

As a general matter, transparency is critical when evaluating contractual arrangements. This applies universally. Negotiations often require confidentiality; however, internally and among Regional and Tech, there must be transparency related to the terms, objectives and appropriate rationale for what is proposed. To ensure this level of transparency exists, there must be no direct or indirect, overt or covert, attempt to influence or induce the exchange referrals for any item or service covered by a federal healthcare program. This could include actions taken to incentivize, gain or maintain the exclusive relationship between XYZ and Regional.

To avoid inappropriate activity, Regional should clearly document and outline the rationale for entering the proposed arrangement with Tech and ensure appropriateness from a legal and compliance perspective. If the financial relationship is on preferred terms, articulating, understanding and documenting an appropriate rationale is especially important. Both Tech and Regional should be comfortable and willing to undergo legal and compliance review by a qualified, independent third party. This level of transparency must exist throughout all stages of the proposal, negotiation, analysis and ultimate decision. If an appropriate rationale for the preferred terms cannot be articulated, the parties should be prepared to revise the terms to satisfy such concern or walk away from the deal.

In addition, Regional must follow a defined conflict of interest policy and procedure related to XYZ’s involvement in the evaluation process as well as Chris Smith’s involvement at the Board level. The IRS has published a sample conflict of interest policy as guidance.6 A conflict of interest policy is intended to help ensure that when actual or potential conflicts of interest arise, a process is in place under which the affected individual or group of individuals will advise the appropriate governing body about all relevant facts concerning the situation.

A conflict of interest policy is also intended to establish procedures under which individuals or groups who have a conflict of interest will be excused from voting on such matters. Regional’s decision-makers must understand and follow all conflict policies and procedures to ensure the arrangement is appropriate and that any conflicted parties are identified and excused from the decision-making process, when and as appropriate. XYZ can still participate in the evaluation process of Tech’s proposal. The two physician investors should probably not participate or should have their participation limited in a manner that would not influence any recommendations or direction provided by XYZ to Regional. Likewise, it is important to note that XYZ does not have decision-making authority; the non-conflicted physicians serve merely in an advisory capacity. Documentation related to the selection process should confirm this limitation.

Related to the conflict of interest policy and procedure, an objective board or governing body should ultimately make the decision related to implementation of the proposed contractual arrangement. In the above facts, the Board would review and ultimately decide on the implementation of Tech’s proposal. In terms of process, the Board should look to Regional management for a recommendation and a detailed explanation of the arrangement, including the rationale for entering it, the benefits to all parties involved, and an explanation of any associated risks (especially related to legal and compliance). As noted above, Chris Smith should be excused from any and all votes related to Regional’s business dealings with Tech.

Concurrent with or in advance of the Board process, Regional should engage outside counsel to perform a comprehensive legal and compliance analysis of the proposed arrangement with Tech. This will help ensure the arrangement is reviewed and vetted objectively and with the requisite level of knowledge and expertise. Critical components of such analysis, which should be compiled in a formal legal opinion, include:

• Review and analysis of existing contractual relationships between the parties and how a new contractual relationship might affect them
• Analysis of the facts and circumstances in relation to relevant law (at minimum, the legal authority outlined above) and how such facts and circumstances may be viewed by regulatory authorities
• Determination as to whether or not the proposed contractual arrangement fits within a safe harbor or regulatory exception to any federal or state enforcement authority, as applicable
• Recommendation and/or completion of a fair-market value analysis by a qualified party to ensure the arrangement is within fair-market value and is commercially reasonable

Summary

Contractual relationships between hospitals and hospital-based physician groups vary considerably across multiple specialties. Understanding the unique facts and circumstances of each arrangement is critical—as is how such facts and circumstances would or could be viewed in relation to applicable federal and state law. Despite such considerable variation, the above mitigation strategies and processes provide an established framework for hospital administrators, physicians and other related entities to vet, approve and implement contractual arrangements and guard against healthcare fraud, waste and abuse.

---

1 42 U.S.C. §1320a-7b

2 42 C.F.R. §1001.952

3 42 U.S.C. §1395nn

4 42 U.S.C. §1320a-7a

5 42 U.S.C. §403.900, et seq.

6 See Instructions for Form 1023, Appendix A – Sample Conflict of Interest Policy, available at https://www.irs.gov/instructions/i1023

---

Frank Carsonie, JD, is chair of the Health Care & Life Sciences Practice Group at Benesch, Friedlander, Coplan & Aronoff LLP and a member of the Corporate & Securities Practice Group. He is the Columbus Office partner-in-charge as well as a member of the firm’s Executive Committee. Mr. Carsonie’s practice focuses on counseling individuals and entities engaged in the healthcare industry on business transactions and regulatory matters. Mr. Carsonie is also experienced in advising individuals and entities, including public and private for-profit and non-profit companies, on organization, reorganization, mergers and acquisitions, divestitures, strategic alliances and joint ventures, capital financings, including private equity and venture capital funding, corporate governance, negotiation, drafting and enforcement of contracts, and general business counseling. He can be reached at fcarsonie@beneschlaw.com.

Nathan Sargent, JD, is an associate in the Health Care & Life Sciences Practice Group at Benesch, Friedlander, Coplan & Aronoff LLP. Mr. Sargent’s practice is focused on healthcare business transactions and regulatory matters, including mergers, acquisitions, contract drafting, licensure, and Medicare and Medicaid program enrollment and reimbursement. Mr. Sargent also provides counsel on matters involving corporate governance and related best practices. Prior to joining Benesch, Mr. Sargent worked in multiple capacities for a northeast Ohio health system where he maintained responsibilities in board and committee governance and administration as well as physician contracting services. He can be reached at nsargent@beneschlaw.com.

Disrupting the Disruptive Physician

Will Latham, MBA
President, Latham Consulting Group, Inc., Chattanooga, TN

One would think (or hope) that by the time anesthesiologists complete their training and begin practicing, they have mastered not only their clinical field, but also the ability to work well with others and behave appropriately. If you’ve spent any time as a member of an anesthesia group, however, you know that it is rare for all of the physicians to “behave” all of the time.

Examples of disruptive behavior are easy to see: physicians putting each other down in front of CRNAs or other staff; inappropriate conversation with hospital administration; damaging comments made to those outside the group; lack of confidentiality regarding group matters; unprofessional behavior in the operating room; and beyond. In more than 25 years of consulting, we’ve either seen or heard it all.

Unfortunately, most anesthesia groups don’t know how to address or resolve such situations. However, while it is impossible to resolve all issues of interpersonal conflict or inappropriate behavior, anesthesia groups can take three important steps to improve their chances of success:

1. Develop a Code of Conduct.
2. Create a system to deal with disruptive physician behavior.
3. Conduct periodic peer evaluations.

Code of Conduct

Developing a Code of Conduct is an important first step in creating a system to deal with disruptive physician behavior. A Code of Conduct is the agreed-upon standards of behavior expected of group members. It sets out, in general terms, the reasonable standards and duties professionals are expected to observe. It is the sort of “rules of the game” that the members of the organization are required to follow.

Anesthesia groups create a Code of Conduct for the following reasons:

• As a vehicle to communicate what the group finds important about physician behavior and conduct
• As a method to improve the chances that the group will continue to have the freedom to govern itself 
• As a method to hold errant physicians in check without making them feel they are under personal attack 
• As a vehicle to remove personalities and private opinions if it becomes necessary to intervene in a situation

What should be considered in a Code of Conduct? Medical groups tend to focus on the following questions:

1. What behaviors do we expect of each other? What is acceptable to us? What is inappropriate?
2. What are some of the “unwritten rules” that guide our behavior that that we should write down so they are universally understood?
3. What are each physician’s rights and responsibilities?

In developing the answers to these questions, it can be useful to break down the answers into various categories, as shown in Exhibit 1. 

Exhibit 1

Categories for a Code of Conduct

• Relations/interactions between the physicians in the group
• Relations/interactions between the physicians and individuals outside of the group. Consider:
  • Patients
  • Surgeons
  • Hospital staff
• Patient care responsibilities 
• Participation in practice management responsibilities
• Confidentiality of practice information
• How the group makes decisions and what decisions mean
• Compliance with applicable fraud, waste and abuse laws/regulations
• Adherence to legal contracts within the group
• Support of group-established plans 
• Goals and policies

Exhibit 2 provides an example of such a document. 

Exhibit 2

Sample Code of Conduct
XYZ Anesthesia Group Code of Conduct

Preamble

Our dealings as a group are guided by our Code of Conduct. We are committed to promoting and encouraging individuality and each member’s strengths, as long as they are consistent with high-quality patient service and the group’s larger goals.

Relationships Among XYZ’s Physicians

• If an XYZ physician has a problem, conflict or issue with another physician in XYZ:
  • The XYZ physician will not complain about the situation with others inside or outside of the group, or make condescending remarks about group members to others inside or outside of the group.
  • The XYZ physician will address the issue with the other physician privately.
  • If the issue is not able to be resolved, the XYZ physician will use the Professional Practice Committee and associated process to work through the issue.
• XYZ physicians will support other physicians in the group and will not “back-stab” each other.

Relationships with Patients 

• XYZ physicians will treat patients with respect at all times. This will include:
  • Involving patients in decision making.
  • Not acting in a condescending or demeaning manner.
  • Treating the patient as a customer.
  • Respecting the patient’s privacy and confidentiality.
• XYZ physicians will present a united front to the patient. XYZ physicians will not put down other XYZ physicians or their plans to patients or others.
• XYZ physicians will support one another to patients. If an XYZ physician disagrees with another physician’s approach, they will take the issue to the physician privately.

Relationships with Other Physicians

• XYZ physicians will treat other physicians as customers.
• XYZ physicians will focus on the needs of patients.
• XYZ physicians will be diplomatic when a physician does not understand the XYZ physician’s point of view. 
• XYZ physicians will keep physicians abreast of clinical or medical issues.
• XYZ physicians will support all other XYZ physicians in their relationships with their physician colleagues. If an XYZ physician disagrees with another physician’s approach, they will take the issue to the physician privately.
• XYZ physicians are responsible for the decision making in the rooms they cover. It is up to that XYZ physician to make the final decision regarding the patient. In turn, other XYZ physicians will support the decision.

Relationships with Hospital Administration

• XYZ physicians will support the policies of the hospital or seek to change them as a group.
• Official communication with the hospital will go through XYZ’s president.

Relationships with Hospital Staff

• XYZ physicians will treat hospital staff with respect at all times.
• XYZ physicians will follow the hospital’s chain of command when dealing with issues and problems.
• XYZ physicians will not make condescending remarks about hospital staff in public.

Relationships with CRNAs

• XYZ physicians will treat CRNAs with respect at all times.
• XYZ physicians will provide the CRNAs with a chain of command, and will operate through that chain of command.
• XYZ physicians will medically direct or supervise the CRNAs.
• XYZ physicians will involve CRNAs in the anesthetic management of patients.

Relationships with XYZ Employees

• XYZ physicians will treat XYZ employees with respect at all times.
• XYZ physicians will provide XYZ employees with a chain of command, and will operate through that chain of command.

Relationships with All

• XYZ physicians will not verbally or physically assault anyone. 
• If an XYZ physician is approached by those outside the group with a problem: 
  • They will support the group to the outsider.
  • They will bring the issue back to the group for discussion.

Patient Care

• Once a patient care policy has been adopted by XYZ, all XYZ physicians will implement that policy.

Practice Management

• All XYZ physicians are expected to participate in practice management activities when asked. 
• The group will find a job for everyone.

Work Effort

• When XYZ physicians are in the hospital, they will work hard.
• If an XYZ physician is needed, they will make themselves available to work. 
• If an XYZ physician is in a position of responsibility, they will make themselves easy to be found.
• XYZ physicians will respond to pages in a timely fashion.

Confidentiality

• XYZ’s business is strictly confidential. This means:
  • All information is to be considered confidential unless the group agrees otherwise.
  • Information is not to be discussed with people outside of the group (except for spouses).
  • Information is not to be discussed where people outside the group might overhear it.

Decision making

• XYZ physicians will make practice decisions in accordance with the group’s by-laws.
• Once a decision has been made by the group, all XYZ physicians will implement it, abide by it and support it, even if they disagree with the decision.

Other

• XYZ physicians will adhere to all of the group’s legal contracts.
• XYZ physicians will comply with all applicable fraud, waste and abuse laws and/or regulations.*

While such statements may seem simple and self-evident to some, we have found that many physicians need the expected behaviors set out in black and white before they understand that they have to comply with them. If expectations are left as unwritten rules, many physicians will see them as optional.

Further, this tool gives group leaders something to hang their hat on when they must confront disruptive behavior. The matter is no longer a situation of “your opinion versus my opinion” about appropriate behavior. Instead, the discussion becomes “here is what you are doing compared to what the group has agreed to in the Code of Conduct.”

Developing a Code

What is the best way to develop a Code of Conduct? The most important step is to include all physicians in its development. If they are not involved, they will see the document as something imposed on them and will be less likely to adhere to the agreements. The best time to develop a Code of Conduct is during the group’s annual planning retreat. If physician misbehavior is particularly acute, the group might consider a separate meeting to focus on the Code of Conduct.

Dealing With Disruptive Physician Behavior

The first question often asked after development of a Code of Conduct is “What do we do if someone breaks the rules to which we have all agreed?”

There’s no doubt about it, self governance is tough. It is made even tougher when you consider that most physicians are actually conflict avoiders who take the attitude “I will not judge lest I be judged.”

However, the group must find a way to govern itself, and part of selfgovernance is being equipped to deal with disruptive physicians.

One effective method is to establish a Professional Practice Committee. This Committee exists to consider physician conflict, physician performance and quality assurance concerns for the practice. The Committee will either work to resolve issues on its own or bring matters to the attention of the Board for resolution. In most situations, this Committee does not have the power to censure or take action against a physician. Instead, it serves as an intermediary step or process to try to resolve issues before significant steps are taken.

A policy for such a Committee may be found in Exhibit 3.

Exhibit 3

Sample Policy on Professional Practice Committee

MEMBERSHIP

Three physicians elected annually by the Board in July.

QUORUM AND ACTION

Quorum is two of the three physicians.

Action on a matter may be taken on a simple majority.

In the event that a member of this Committee instigates or is subject to action by this Committee, the other two Committee members should appoint a member of the Board to serve as interim Committee member for that issue only.

MEETINGS

This Committee meets monthly to consider issues brought to its attention.

RESPONSIBILITIES

This Committee exists to consider physician conflict, physician performance and quality assurance concerns for the practice. The Committee will either work to resolve issues on its own or bring matters to the attention of the Board for resolution.

PROCESS

1. If a concerned physician has a grievance with another physician (the “physician in question”), or is concerned about quality issues related to another physician, their first step is to discuss their concerns directly with the other physician.
2. If the matter is not satisfactorily resolved in step 1, the concerned physician should handwrite their concerns and present this information to a member of the Committee.
3. At the next scheduled meeting, the Committee should discuss the issue and take one or more of the following actions:
   • Decide if the issue has merit for further action, and if not, communicate this information to the concerned physician.
   • Establish any necessary data-gathering to determine if the concern has merit and what, if any, further action should be taken.
   • Meet with the concerned physician and physician in question, together or separately, to gather information or counsel the physician.
4. If the matter is not satisfactorily resolved in step 3, the Committee should develop a recommendation to the Board for further action to resolve the issue. Such a recommendation could include discipline up to and including expulsion from the group.
   • The Board will consider such issues at its next regularly scheduled meeting.

Peer Evaluation

The third leg of the stool is for the group to conduct periodic peer evaluations.

We believe that when physicians are in a group practice, they are (or should be) accountable to each other. Many top-performing groups set up a formal peer evaluation process for all the physicians in the group, including shareholders.

A peer evaluation process can take many forms and address many issues (clinical as well as behavioral). Here are a few suggestions about how to get started:

1. If you are new to peer evaluation, or if the members of the group are hesitant, set up the first evaluation so that each physician is the only one who sees their feedback.
2. If you use a form to collect information, be sure to allow room for written comments as well as checklists.
3. Set up the system so that it is conducted annually and becomes one of the group’s standard operating practices.
4. Use an external third party to compile the responses. Consider using your accounting firm to do this as they are used to working with confidential information.
5. Check with your attorney to ensure that the information collected is not discoverable in any type of legal process.
6. Make sure that the process includes both shareholders and non-shareholders.

The Time to Act Is Now

In today’s competitive anesthesia market, groups cannot allow an individual physician’s disruptive behavior to jeopardize exclusive contracts, stipends and other arrangements. If you don’t already have them in place, now is the time to develop a Code of Conduct, a system to handle outliers, and a peer evaluation system to prevent and resolve disruptive physician situations.

* The Centers for Medicare and Medicaid Services (CMS) and the Office of Inspector General (OIG) have extensive physician compliance resources available on their respective websites. It is recommended for any provider group to use these regulatory resources to round out this section on compliance with more detail demonstrating alignment with both CMS and the OIG for physician practice management compliance.

---



Will Latham, MBA, is President of Latham Consulting Group, Inc., which helps medical group physicians make decisions, resolve conflict and move forward. For more than 25 years Mr. Latham has assisted medical groups in the areas of strategy and planning, governance and organizational effectiveness, and mergers, alliances and networks. During this time he has facilitated over 900 meetings or retreats for medical groups; helped hundreds of medical groups develop strategic plans to guide their growth and development; helped over 130 medical groups improve their governance systems and change their compensation plans; and advised and facilitated the mergers of over 120 medical practices representing over 1,200 physicians. Mr. Latham has an MBA from the University of North Carolina in Charlotte. He is a frequent speaker at local, state, national and specialty-specific healthcare conferences. Mr. Latham can be reached at (704) 365-8889 or wlatham@lathamconsulting.com.

Staying Focused in Ambiguous Times 

For Carmel Schacar and I. Glenn Cohen of Harvard Law School, writing in Health Affairs, “uncertainty” was 2017’s word of the year for health law and bioethics.¹ In many ways, that capsule summary suits a description of healthcare in general and anesthesia in particular during the past 12 months as the frenetic pace of change continued unabated and a new Administration sought to leave its mark.

Repeated attempts by a Republican Congress to dismantle the Affordable Care Act (ACA) consumed a good part of the year; the new Administration began loosening some regulatory requirements forged by the previous Administration, such as mandatory participation in some bundled payment programs; the Department of Health and Human Services lost a Secretary; the Centers for Medicare and Medicaid Services reduced anesthesia payments for several services for 2018, including screening colonoscopies; many anesthesia practices began the complex, at times confusing, transition to a value-based system through the Quality Payment Program; and pain specialists saw themselves become a focus of intensified federal agency probes into opioid-related fraud, waste and abuse.

As this issue of Communiqué is about to be published, the House and Senate passed and President Trump signed the Tax Cuts and Jobs Act of 2017. The bill’s healthcare provisions present yet more uncertainty as the legislation seeks to eliminate the individual mandate and reduce the federal support for Medicaid that were cornerstones of the ACA.

The current climate of lingering uncertainty makes it even more important for anesthesia practices to do everything that they can do to stay focused, strong and compliant with the law. It is our hope that the articles in this issue of Communiqué will support your efforts in this regard as you enter the new year.

In our lead article, Jody Locke, ABC vice president of anesthesia and pain practice management services, extols the importance of accurate, timely and relevant data in keeping your practice on track.

Quality is key, along with “a commitment to use the data for decision making,” he writes. “Data for data’s sake has little to no value. . . Ideally, data management should always be a proactive process, focused on trends and exceptions to those trends.”

Also in this issue:

• In their first article for Communiqué, Frank Carsonie, JD, and Nathan Sargent, JD, of Benesch, Friedlander, Coplan & Aronoff LLP reveal, through a hypothetical example, why hospitals and hospital-based physician groups, anesthesia groups included, must carefully consider the unique facts and circumstances of each contractual arrangement into which they enter. They highlight the importance of transparency, clear documentation of a rationale, a conflict of interest policy and procedure, an objective board or governing body, and an external legal and compliance analysis as protective measures.
• Frequent contributor Will Latham, MBA, of Latham Consulting Group, Inc., returns with solid guidance on dealing with a group member’s disruptive behavior. Rather than let one bad actor’s unprofessionalism plague the group, tarnish its reputation and jeopardize its hospital relationships, develop a system, grounded in a Code of Conduct, which delivers a swift solution, Mr. Latham urges. A Code of Conduct immediately changes the situation from one of “your opinion versus my opinion” to “here is what you are doing compared to what the group has agreed to.” Problem (more quickly and dispassionately) solved.
• Kathryn Hickner, Esq., of Ulmer & Berne LLP returns with an in-depth look at business associate agreements (BAAs). They’re easy to overlook, but as the holder of the protected health information (PHI), your group must take the lead in making sure appropriate BAAs are in place, or it can cost you. This past April, the Center for Children’s Digestive Health paid Health and Human Services $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) following initiation of an investigation of a business associate. The Center began disclosing PHI to a record storage vendor, FileFax, Inc., in 2003, but neither party could produce a signed BAA prior to October 12, 2015.
• Finally, Mark F. Weiss, JD, of The Mark F. Weiss Law Firm offers several examples of compliance errors made by others and how you can use these unfortunate mistakes to guide and inform your own learning and reduce your risk. Like Mr. Carsonie and Mr. Sargent, Mr. Weiss recommends performing a compliance assessment of any proposed dealings with those who refer to you, or to whom you refer. He also encourages performing a simulated government investigation of your current arrangements to identify problem areas before they hurt you.

We look forward to seeing many of you at the American Society of Anesthesiologists PRACTICE MANAGEMENT™ 2018 in New Orleans, January 26-28, and extend warmest wishes for a happy, healthy and productive new year.

With best wishes,

Tony Mira
President and CEO

---

1 Schacar, C. and Cohen, I.G. 2017’s Word of the Year in Health Law and Bioethics. Uncertainty. Health Affairs Blog, December 8, 2017. https://www.healthaffairs.org/do/10.1377/hblog20171206.694358/full/
1. What Is the Value of Data and What Data Has Value? Today’s Anesthesia Management Challenge