Randi E. Seigel (rseigel@manatt.com) is a Partner in the New York City office and Christopher C. Rundell (crundell@manatt.com) is an Associate in the Chicago office of Manatt, Phelps & Phillips LLP (Manatt Health).
As providers and payers increasingly align to offer integrated products, the bright line that once existed between the two has blurred. While there are considerable benefits to integration, integration presents novel compliance challenges as the parties design and operate their communal ventures. Various federal statutes, regulations, and guidance pose myriad issues for the unwary; as integrated provider-payers share risk, exchange data, produce collaborative marketing, and internally refer beneficiaries, the parties must stay aware of and manage the risks unique to such partnerships.
Payers and providers both see benefits in partnership
Provider-payer partnerships are increasingly common.[1] Major health insurance carriers already have these arrangements. The partnerships have increased across all market segments: commercial, Medicare, and Medicaid/Children’s Health Insurance Program. The converse is true as well: as of 2016, nearly 52% of insurance products were represented through plans owned by major health systems.[2]
For payers, integrating with provider practices is a means to improve health outcomes and control cost through care coordination, increased access to care, and incentivizing quality over quantity.
For providers, as payers increasingly transition from fee-for-service to value-based payment (VBP) models, providers must accept risk for the quality of their care. By partnering with payers or creating their own insurance product, providers can increase margins by cutting out insurer overhead costs and profits, giving the providers greater control over their revenue stream.
The shared benefits are also significant: the parties can increase their market strength; together, they can leverage existing experience, infrastructure, data, and resources, including membership base and reach. The parties also can establish new lines of business and experiment with innovative delivery and financing strategies.
With new benefits come novel risks
As providers or payers enter new markets, they must be aware of the regulatory framework in which the other party operates. For instance, generally, payers must meet licensure requirements, financial solvency requirements, and network access and adequacy standards. Medicaid managed care providers often are subject to procurement procedures and contract termination provisions. Many of these arrangements require significant investment in care management services and information technology. In addition, partnership requires committed alignment, cooperation, and integration over an extended period of time. To achieve this, the parties must be willing to integrate decision-making rights. Also, business leaders may need to be educated regarding the new risks and compliance obligations associated with entering into these arrangements.
The focus of compliance for provider-payer partnerships
Providers and payers that partner must focus on a different group of compliance risks than each would focus on if operating alone, particularly as they implement value-based models. The major healthcare fraud and abuse laws and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) remain at the core of compliance efforts, but the specific focus is on certain risks, including risk sharing, hospital-physician relationships, use, patient inducement, data integrity, and marketing.
-
The Stark Law. The Stark Law prohibits a physician from referring a patient for inpatient, outpatient, or other “designated health services” covered by Medicare to a hospital or other entity with which the physician has a financial relationship, unless the relationship satisfies a Stark exception.[3]
-
The Anti-Kickback Statute (AKS). The AKS makes it illegal for any person to knowingly and willfully exchange remuneration for the referral of a patient for items or services covered by a federal healthcare program.[4]
-
The Civil Monetary Penalties Law (CMPL): Gainsharing. CMPL prohibits a hospital from knowingly making any payment to induce a physician to reduce or limit medically necessary services covered by Medicare or Medicaid.[5]
-
CMPL: Beneficiary inducement. CMPL prohibits a person from providing remuneration that they know is likely to influence a patient’s selection of a provider or supplier for services covered by Medicare or Medicaid.[6]
Risk-sharing Stark exceptions and AKS safe harbors
Provider-payers should ensure that their risk-sharing arrangements fall within a Stark Law exception (if the Stark Law applies) and AKS safe harbor(s). The Stark Law explicitly includes a risk-sharing arrangement exception, and the AKS covers most arrangements via the managed care and health plan discount safe harbors.
The Stark Law risk-sharing exception[7] covers any “risk-sharing arrangement” between a managed care organization or an independent practice association and a physician (either directly or through an intermediary such as a hospital) for services provided to enrollees of a health plan. This exception should protect shared savings or similar risk-sharing payments from a VBP entity to physicians, but each provider-payer must assess its arrangement. However, the exception does not protect VBP investment relationships or care management fees.
The AKS managed care safe harbor[8] protects payments made by a Medicare Advantage (MA) or Medicaid managed care contractor (such as a hospital or an independent practice association) to providers for delivering or arranging healthcare items and services. This does not protect: (1) commercial plan payments; (2) marketing or payments, or pre-enrollment activities; or (3) VBP investment relationships.
The AKS health plan discount safe harbor[9] shelters discounts on fees offered to plans or contracting intermediaries, but only when offered by providers. This does not protect shared savings or similar risk-sharing payments or VBP investment relationships or care management fees.
Therefore, it is important to review all the payment arrangements between the payer and the provider to ensure each type of payment is covered. For instance, if a payer is paying a provider for marketing, those payments may need to meet another AKS safe harbor. If a safe harbor is not available, then the parties must evaluate the circumstances to determine whether the arrangement poses a risk of violating the AKS.
Furthermore, if the proposed revisions to the Stark Law and AKS are finalized, there will be additional exceptions and safe harbors available to protect these arrangements.
Gainsharing underutilization risks
Gainsharing arrangements also pose a risk to provider-payers under CMPL by providing financial incentives to hospitals which in turn incentivize physicians to reduce or limit medically necessary services covered by Medicare or Medicaid.[10] Where the total cost of care is tied to shared savings and losses, physicians may be encouraged to reduce medically necessary hospital admissions (to avoid hospital readmissions), lab tests, imaging services, and specialty referrals. Bundled payment arrangements, such as Bundled Payments for Care Improvement,[11] could cause improper discharge of patients to home rather than to a skilled nursing facility. Similarly, hospital-physician gainsharing can lead to medically inappropriate early discharges of patients by physicians.
Provider-payers should review the Department of Health & Human Services Office of Inspector General (OIG) gainsharing advisory opinions for guidance on structuring gainsharing arrangements to avoid violating the CMPL (e.g., OIG Advisory Opinion No. 17-09 of December 29, 2017, or OIG Advisory Opinion No. 07-22 of December 28, 2007). Generally, such arrangements should set out specific actions to be taken, tie remuneration to the actual cost savings attributable to the arrangements, and include specific safeguards against patient and program abuse. Safeguards may include ensuring incentive payments are made to physicians on a per capita basis, capping potential savings based on defined criteria that take into account historical and clinical measures, and clearly and separately identifying specific cost-saving actions.
Addressing SDOH and beneficiary inducement
When providers and payers integrate and share risk, they are further incentivized to address the social determinants of health (SDOH) that affect health outcomes and associated costs of care. SDOH are conditions in the environments in which people are born, live, learn, work, play, worship, and age that affect a wide range of health, functioning, and quality-of-life outcomes and risks. Socioeconomic factors, physical environments, and health behaviors collectively drive health outcomes more than medical care and are SDOH considerations. The importance of addressing SDOH in quality-of-care and value-based payment models is clear. According to a 2018 Change Healthcare survey, 80% of payers aim to address SDOH.[12] Integrated provider-payers are uniquely situated to address SDOH, as providers and payers each have different tools and flexibilities available. However, providers must remain cognizant of the CMPL prohibition on beneficiary inducements, and plans must remain compliant with marketing limitations imposed by any applicable federal or state regulations or guidance.
Providers may use several beneficiary inducement exceptions to address SDOH
They may provide items or services of nominal value (a retail value of no more than $15 per item or $75 in the aggregate per patient on an annualized basis).[13] They can also offer incentives to promote the delivery of preventive care services[14] where the delivery of such services is not directly or indirectly tied to the provision of other covered services that are reimbursed in whole or in part by a federal healthcare program.[15]
In addition, under the financial hardship exception, the offer or transfer of items or services for free or less than fair market value does not constitute “remuneration” under the beneficiary inducement rules if:
-
“The items or services are not offered as part of any advertisement or solicitation;[16]
-
“The items or services are not tied to the provision of other services reimbursed in whole or in part by” Medicare or Medicaid;
-
“There is a reasonable connection between the items or services and the medical care of the individual; and”
-
The provider determines in good faith that the individual is in financial need.
The OIG has clarified that for remuneration to be “reasonably connected” to medical care, it must be reasonable from a medical perspective and reasonable from a financial perspective.[17] The financial hardship determination requires an individualized assessment of the patient’s financial need made in good faith and on a case-by-case basis.
Provider-payers also generally may give incentives to individuals to promote access to care and that pose a low risk of harm. To pose a low risk of harm, these incentives must be unlikely to interfere with, or skew, clinical decision-making, be unlikely to increase costs to federal healthcare programs or beneficiaries through overutilization or inappropriate use, and not raise patient safety or quality-of-care concerns. With regard to this general exception, the OIG has recognized the importance of addressing SDOH: “Our interpretation of items or services that ‘promote access to care’ encompasses giving patients the tools they need to remove those barriers.”[18]
Provider-payers may have additional flexibilities to address SDOH if the currently proposed AKS and CMPL rule changes are made final
A proposed new safe harbor would allow participants of value-based enterprises (VBEs) to provide appropriate patient engagement tools and supports to patients in a target patient population.[19] VBEs may include integrated payer-providers that use certain value-based models. The safe harbor would permit VBEs to provide such patients “in-kind, preventive items, goods, or services, or items, goods, or services such as health-related technology, patient health-related monitoring tools and services, or supports and services designed to identify and address a patient’s social determinants of health, that have a direct connection to the coordination and management of care of the target patient population.”
Beginning in 2020, payers have additional tools to address SDOH
Plans already have some flexibilities in offering items exceeding $15 to enrolled members. Starting in 2020, MA plans may offer supplemental benefits that address SDOH.[20] This would include, for example, offering air filters to persons with asthma. Also, an MA plan may create rewards and incentive programs that provide rewards and incentives to enrollees in connection with participation in activities that focus on promoting improved health, preventing injuries and illness, and promoting efficient use of healthcare resources.[21] These flexibilities may also apply to Medicaid managed care plans.
Therefore, integrated provider-payers may be able to leverage the flexibilities afforded them to address a greater number of SDOH for a patient/member.
Integrated provider-payer data sharing and HIPAA
Provider-payers can benefit from sharing data, but such activities are restricted by HIPAA. There are limits on what data can be shared and how data can be shared between plans and payers under HIPAA and 42 C.F.R. § 2 . In general, HIPAA prohibits the sharing of protected health information (PHI) between a provider and a plan, except for payment and healthcare operations. Healthcare operations include the following activities to the extent they are related to covered functions:[22]
-
Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing healthcare costs, case management and care coordination, informing providers and patients about treatment alternatives;
-
Reviewing, educating, licensing, and credentialing providers;
-
Except for the use of genetic information, “underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;”
-
“Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;”
-
“Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including…development or improvement of methods of payment or coverage policies; and
-
Business management and general administrative activities of the entity.”
However, providers and payers may facilitate sharing for other reasons by the following methods.
-
Patient authorization. Providers and payers may request patients’ authorization to use and disclose the patients’ PHI between the entities for purposes that are not for payment or healthcare operations. An authorization must be obtained from each patient and must specifically describe the information to be used or disclosed, the identification of the person(s) authorized to make the requested use or disclosure, the identification of the person(s) to whom the payer or provider may make the requested use or disclosure, and a description of each purpose of the requested use or disclosure.[23] In addition, the patient must sign and date the authorization.
-
Business associate agreement. If a plan is performing a function on behalf of a provider, such as creating a de-identified data set, the provider can enter into a business associate agreement with the plan for this purpose.[24] This would require the plan to return the PHI after the task is completed.
-
Organized health care arrangements (OHCAs). OHCAs involve clinical or operational integration among legally separate covered entities in which it is often necessary to share PHI for the joint management and operations of the arrangement.[25] OHCA participants may disclose PHI about an individual to another covered entity that participates in the OHCA for any healthcare operations activities of the OHCA, rather than just those related to shared patients.[26] An operationally integrated provider-payer therefore may find it useful to form an OHCA.
-
Affiliated covered entity (ACE). Legally separate covered entities that are under common ownership or control and are affiliated may designate themselves as a single covered entity for purposes of HIPAA privacy and security.[27] The owner-entity must also be a covered entity, which often makes integrated providers ineligible to designate themselves as an ACE. Covered entities that designate as ACEs may share PHI among all components of the ACE as if they were only a single covered entity; this is considered a use and not a disclosure of PHI. Providers and payers may wish to designate as ACEs so that they may share PHI as if they were one covered entity.
Provider-payers also must be aware that data related to substance use disorder (SUD) services provided to a patient by certain providers (a Part 2 program) are subject to Part 2. Part 2 program is any organization that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment and receives federal assistance. Whether Part 2 applies to a provider or payer is significant because it is a strict privacy regulation that generally requires a patient’s written consent prior to disclosing Part 2 data for payment or healthcare operations. Therefore, it is important for integrated provider-payers to assess whether they are subject to Part 2 to determine whether they must seek written patient consent to share between themselves any PHI that is considered SUD data.
Integrated provider-payer marketing and HIPAA
Provider-payers will want to market their integration or product offering but must be careful not to run afoul of the various laws and regulations that govern marketing by each of the parties.
-
HIPAA. With limited exception, HIPAA prohibits marketing using PHI without a written authorization from the individual. Many of the activities that an integrated payer-provider wishes to engage in, such as announcing the partnership between the two or added benefits under a health plan, is likely permitted as an exception to the definition of marketing. However, other types of marketing activities, and anywhere a payment is being made for PHI, are prohibited without a written authorization.
-
Provider licensure rules. Many states regulate how licensed professionals market and advertise.
-
MA marketing guidance. MA plan marketing material is subject to the requirements and limitations set forth in the Medicare Communications and Marketing Guideline—for instance, providers generally may not market on behalf of MA plans. MA plans may use or allow providers to distribute or have available MA marketing materials so long as the providers make materials available about all plans with which they contract at each plan’s request.
-
AKS. Marketing activities potentially implicate the AKS because the provider and Medicare and Medicaid plans are in a position to make referrals to each other for covered items and services. If a plan promotes a provider through advertisements or other activities in a manner that is not solely designed to market the plan and which appears to market the provider as a separate organization, there is a risk such marketing could be seen as violating the AKS. In these situations, the promotion of the provider could be viewed as remuneration to the provider, and there is a risk that the OIG or a court would conclude that one of the purposes of the remuneration was to encourage the provider to refer its patients to the plan for enrollment (e.g., OIG Advisory Opinion No. 06-16, finding durable medical equipment manufacturer’s offer to cover the cost of its supplier’s advertisements to be remuneration that created a “substantial risk of driving overutilization and increasing program costs”). The converse is true as well; if the plan is marketing on behalf of the plan without being paid by the plan, or the plan is covering the costs of the marketing, there is a risk that the OIG or a court could conclude that one of the purposes of the free marketing was to encourage the plan to steer members to the provider.
Conclusion
Compliance professionals who are part of an organization that already is or will become an integrated provider-payer organization should be involved early in discussions regarding a payer-provider integration (whatever the form) to ensure that the arrangement is being designed in compliance with all of the laws and regulations discussed above. Compliance personnel must ask questions such as:
-
Does the risk-sharing arrangement or VBP implicate the Stark Law? If yes, does it meet the risk-sharing arrangement exception?
-
Does the risk-sharing arrangement or VBP meet some or all of the factors in the AKS managed care and health plan discount safe harbors?
-
Are gainsharing arrangements used? If yes, what safeguards are in place to protect against overutilization by providers due to financial incentives under the arrangement?
-
What tools does the organization use to address SDOH? Do these fit within the various beneficiary inducement exceptions?
-
How do the provider and payer share data?
-
Does the organization cross-market and internally refer beneficiaries? Do these activities comply with HIPAA, AKS, Medicare managed care or Medicaid managed care regulations, and licensure laws?
Takeaways
-
The integration of providers and payers is becoming more common as the industry continues to move toward value-based payment models.
-
Risk-sharing arrangements and value-based payments may implicate the Stark Law exception, the Anti-Kickback Statute, and the gainsharing and beneficiary inducement prohibitions of the Civil Monetary Penalties Law.
-
Integrated provider-payers have greater flexibility and more tools to address social determinants of health, which is important for managing costs in value-based models.
-
Provider-payers must review beneficiary inducement exceptions with a careful eye to ensure that social determinants of health programs do not violate beneficiary inducement rules.
-
Integrated provider-payers can benefit from data sharing and cross-marketing but must be wary of federal and state regulations restricting these activities.