HIPAA and the Stark Law Take Center Stage in '21st Century Oncology'
The automatic stay does not prohibit a governmental entity from enforcing health-care laws against a debtor.
February 09, 2018 at 05:00 PM
9 minute read
Health care is tightly controlled by statute, regulation and regulatory guidance. A bankruptcy filing does not exempt the health-care debtor from those controls. Like other debtors, they must operate in accordance with applicable non-bankruptcy law. See 28 U.S.C. §959(b). Moreover, the automatic stay does not prohibit a governmental entity from enforcing health-care laws against a debtor. See, e.g., 11 U.S.C. §§362(b)(4) (general police powers exception) and 362(b)(28) (exclusion from federal health programs exception).
The enforcement of Health Insurance Portability & Accountability Act of 1996 (Pub. L. 104-191. Stat. 1936) (HIPAA) and two fraud and abuse laws—the Stark Law (42 U.S.C. §1395nn and the regulations promulgated thereunder), which prohibits physician self-referrals, and the False Claims Act (31 U.S.C. §§3729-33) (FCA)—took center stage in the recent health-care bankruptcy case of In re 21st Century Oncology Holdings (Bankr. S.D.N.Y. Case No. 17-22770 (RDD)). Indeed, government investigations of alleged violations of those laws by 21st Century Oncology (“21CO”), 21st Century Oncology, LLC (“21LLC”), and two other debtors, together with related civil litigation, preceded the debtors' Chapter 11 filings on May 25, 2017 (the petition date).
HIPAA and Data Breach Claims
In 2015, 21CO suffered a cyberattack pursuant to which a third party obtained unauthorized access to the protected health information (PHI) of 2,213,597 patients. The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) investigated the cyberattack and concluded that 21CO had violated HIPAA and the HIPAA Privacy and Security Rules by failing to adequately protect PHI and impermissibly disclosing PHI. Based on that conclusion, OCR asserted claims (collectively, “HIPAA Claims”) against 21CO.
Five months before the petition date, several individuals (the “data breach plaintiffs”) filed a class action alleging that 21CO had failed to adequately secure PHI under its control. During the bankruptcy case, six class claims aggregating $123.2 million and 180 individual claims, all asserting data breach claims, were filed. These data breach claims dwarfed in amount the other claims filed against the 21st Century Oncology debtors. The debtors moved to dismiss the class claims and to estimate the individual claims at $0 for plan confirmation purposes. The data breach plaintiffs cross-moved for class certification pursuant to Bankruptcy Rule 7023 or, alternatively, for relief from the automatic stay to permit the data breach action to proceed—albeit with recovery limited to insurance proceeds. Some individual creditors filed motions for the allowance of their data breach claims for voting purposes pursuant to Bankruptcy Rule 3018.
Health Care Program Claims
In March 2016, as required by an existing corporate integrity agreement, the debtors self-reported to HHS that, in violation of the FCA, a former employee of 21CO had falsely attested to certain physicians' compliance with the requirements of Medicare's “meaningful use” incentive program. Meanwhile, an individual, the “relator,” filed a qui tam action under the FCA alleging that 21LLC improperly billed Medicare for medical services that violated the Stark Law. The Office of the Inspector General (OIG) of HHS investigated both the self-reported “meaningful use” claims and the relator's claims (collectively, “health-care program claims”). Based on that investigation, the United States concluded that 21CO, 21LLC and two other debtors had violated the FCA by submitting false claims to Medicare. The United States further concluded that, pursuant to 11 U.S.C. §1141(d)(6)(A), the health-care program claims were non-dischargeable. See Bankr. S.D.N.Y. Case No. 17-22770-rdd ECF No. (“ECF”) 710, ¶9.
Impact of the HIPAA, Data Breach and Health-Care Program Claims
That the resolution of the HIPAA, data breach and health-care program claims was crucial to the debtors' successful reorganization is indisputable. The debtors themselves expressly acknowledged as much. See ECF 709, ¶6; 710, ¶¶9-10 712, ¶14. The resolution of those claims was, in fact, a condition to both the consummation of the debtors' Chapter 11 plan (ECF 915-1, §9.1(q)) and the obligation of third parties to backstop a rights-offering for which the plan provides. ECF 434, §8.1(t).
Resolution of the health-care program claims was necessary to eliminate the uncertainty, delay and expense inherent in litigating substantial and factually complex fraud and non-dischargeability issues, as well as the risks of a ruling that the claims were not, in fact, dischargeable in bankruptcy. Resolution of the HIPAA Claims was necessary to avoid the uncertainty of litigating claims that have not yet been tested by the courts. A substantial reduction in the data breach claims or, as happened in 21st Century Oncology, channeling them away from the bankruptcy estates to insurance proceeds, was necessary to allow for some meaningful distribution to the debtors' other unsecured creditors and for the debtors to avoid the risks and expense inherent in defending against a class action. Finally, significant concessions by OCR and OIG in the amount and the payment terms with respect to at least some of their claims were important to ensuring the debtors' post-confirmation liquidity.
Settlement of the HIPAA and Data Breach Claims
The HIPAA claims were resolved by means of a resolution agreement and a two-year corrective action plan (CAP). ECF 825-1, pp. 5-19. The debtors agreed to make a payment of $2.3 million to HHS on the effective date of the resolution agreement, with the payment to be made directly by the debtors' insurer. HHS agreed to release its pre-petition HIPAA claims upon the $2.3 million payment and its post-petition HIPAA claims upon 21CO's satisfaction of its obligations under the CAP. Full satisfaction of those obligations is also a necessary condition to OCR's waiver of any civil monetary penalty arising out of the HIPAA claims, and, for that reason, the resolution agreement tolls the statute of limitation for imposing such a penalty pending full compliance under the CAP.
The CAP imposes several ongoing obligations on 21CO, including: (i) conducting of HIPAA-compliant data security risk assessments; (ii) review of and revisions to HIPAA policies and procedures; (iii) adoption and distribution of revised HIPAA policies and procedures; (iv) provision to HHS a list of its business associates and copies of its business associate agreements; (v) development and implementation of a program to internally monitor its compliance with the CAP; (vi) retention of an external assessor (at 21CO's expense) to monitor 21CO's compliance with the CAP; (vii) development of internal security incident notification and response policies and procedures; and (viii) submission of annual reports (attested to by officers of 21CO) to OCR demonstrating 21CO's compliance with the CAP. All policies and procedures, the risk assessment, the identity of the external assessor, and the assessor's plan of oversight are subject to HHS review and approval. The external assessor will make reports to HHS and will have the authority to make unannounced site visits to 21CO.
Pursuant to the data breach claim settlement, the plaintiffs retain the right to litigate the data breach claims, but agree to look only to certain insurance proceeds for recovery and waive any recovery from the debtors' bankruptcy estates. Upon the approval of the data breach claim settlement, they agreed not to oppose confirmation of the debtors' plan.
Settlement of the Health-Care Program Claims
The debtors, OIG, and the relator resolved the health-care program claims through a settlement agreement and a five-year corporate integrity agreement (CIA). The debtors will pay OIG $26 million (plus interest at 2.25 percent) over five years, which represents a significant concession in the amount of the health-care program claims. The five-year payout significantly improves the debtors' post-confirmation liquidity. The relator will receive a portion of the settlement payment, as well as $51,877.84 for legal fees and expenses. The debtors conceded the non-dischargeabilty of the health-care program claims but will be released from any civil monetary penalties and from any threat to its ongoing Medicare eligibility arising from those claims upon compliance with the settlement agreement and CIA.
The purpose of the CIA is to ensure the debtors' compliance with federal health-care program requirements. To that end, the CIA requires: (i) appointment of compliance officers and a compliance committee; (ii) board of directors oversight over compliance activities; (iii) certification and reporting to OIG concerning compliance with the CIA; (iv) development of standards for compliance; (v) compliance training and education; (vi) development of procedures to ensure that contracts comply with health-care program requirements and for reporting of non-compliance with those requirements; and (vii) the retention of an independent organization to review the debtors' contracts and Medicare claims. The CIA provides OIG with extensive rights of inspection, audit and review.
Approval of the Settlements
The debtors resolved the HIPAA, data breach and health-care program claims before confirmation of their plan. The bankruptcy court granted the debtors' motions to approve those resolutions by orders dated Dec. 11, 2017. ECF 823, 824 and 825. The debtors' plan was confirmed on Jan. 9, 2018.
Takeaways from '21st Century Oncology'
Health-care debtors' restructuring strategies must be guided by their highly-regulated status. Like the debtors in 21st Century Oncology, they must be ready to formulate creative means of resolving diverse governmental claims enjoying different priorities and protections (e.g., non-dischargeability) in bankruptcy, including the creative use of assets like insurance. They must, therefore, be prepared to cooperate with regulators to ensure a successful reorganization, particularly if concessions by regulators are necessary. Moreover, that cooperation must continue after confirmation. As the health-care settlements in 21st Century Oncology demonstrate, the resolution of governmental claims will likely include extensive government oversight and trigger significant obligations and expense on the part of the reorganized debtors. Finally, the health-care debtor may gain a new partner in the form of an independent monitor or assessor.
Crapo is counsel in the Financial Restructuring & Creditors' Rights Department of Gibbons P.C. and a member of the Gibbons Healthcare Team. He holds an LLM in Health Law and Policy and is a Certified International Privacy Professional (CIPP-US).
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWhen is a Package 'Received'? The Answer Can Make all the Difference
7 minute readTrending Stories
- 1NY High Court Returns Fired Priest's Discrimination Claim to State Agency
- 2Digging Deep to Mitigate Risk in Lithium Mine Venture Wins GM Legal Department of the Year Award
- 3Reminder: Court Rules and Statutes Apply to Pendente Lite Custody Decisions
- 4Consumer Cleared to Proceed With Claims Against CVS 'Non-Drowsy' Medication, Judge Says
- 5Ex-Schnader Partner Nears Settlement in Misappropriated Comp Class Action
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250