HIPAA and the Stark Law Take Center Stage in 21st Century Oncology


New Jersey Law Journal

February 12, 2018

Health care is tightly controlled by statute, regulation and regulatory guidance. A bankruptcy filing does not exempt the health-care debtor from those controls. Like other debtors, they must operate in accordance with applicable non-bankruptcy law. See 28 U.S.C. §959(b). Moreover, the automatic stay does not prohibit a governmental entity from enforcing health-care laws against a debtor. See, e.g., 11 U.S.C. §§362(b)(4) (general police powers exception) and 362(b)(28) (exclusion from federal health programs exception).

The enforcement of Health Insurance Portability & Accountability Act of 1996 (Pub. L. 104-191. Stat. 1936) (HIPAA) and two fraud and abuse laws—the Stark Law (42 U.S.C. §1395nn and the regulations promulgated thereunder), which prohibits physician self-referrals, and the False Claims Act (31 U.S.C. §§3729-33) (FCA)—took center stage in the recent health-care bankruptcy case of In re 21st Century Oncology Holdings (Bankr. S.D.N.Y. Case No. 17-22770 (RDD)). Indeed, government investigations of alleged violations of those laws by 21st Century Oncology (“21CO”), 21st Century Oncology, LLC (“21LLC”), and two other debtors, together with related civil litigation, preceded the debtors’ Chapter 11 filings on May 25, 2017 (the petition date).

HIPAA and Data Breach Claims

In 2015, 21CO suffered a cyberattack pursuant to which a third party obtained unauthorized access to the protected health information (PHI) of 2,213,597 patients. The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) investigated the cyberattack and concluded that 21CO had violated HIPAA and the HIPAA Privacy and Security Rules by failing to adequately protect PHI and impermissibly disclosing PHI. Based on that conclusion, OCR asserted claims (collectively, “HIPAA Claims”) against 21CO.

Five months before the petition date, several individuals (the “data breach plaintiffs”) filed a class action alleging that 21CO had failed to adequately secure PHI under its control. During the bankruptcy case, six class claims aggregating $123.2 million and 180 individual claims, all asserting data breach claims, were filed. These data breach claims dwarfed in amount the other claims filed against the 21st Century Oncology debtors. The debtors moved to dismiss the class claims and to estimate the individual claims at $0 for plan confirmation purposes. The data breach plaintiffs cross-moved for class certification pursuant to Bankruptcy Rule 7023 or, alternatively, for relief from the automatic stay to permit the data breach action to proceed—albeit with recovery limited to insurance proceeds. Some individual creditors filed motions for the allowance of their data breach claims for voting purposes pursuant to Bankruptcy Rule 3018.

Health Care Program Claims

In March 2016, as required by an existing corporate integrity agreement, the debtors self-reported to HHS that, in violation of the FCA, a former employee of 21CO had falsely attested to certain physicians’ compliance with the requirements of Medicare’s “meaningful use” incentive program. Meanwhile, an individual, the “relator,” filed a qui tam action under the FCA alleging that 21LLC improperly billed Medicare for medical services that violated the Stark Law. The Office of the Inspector General (OIG) of HHS investigated both the self-reported “meaningful use” claims and the relator’s claims (collectively, “health-care program claims”). Based on that investigation, the United States concluded that 21CO, 21LLC and two other debtors had violated the FCA by submitting false claims to Medicare. The United States further concluded that, pursuant to 11 U.S.C. §1141(d)(6)(A), the health-care program claims were non-dischargeable. See Bankr. S.D.N.Y. Case No. 17-22770-rdd ECF No. (“ECF”) 710, ¶9.

Impact of the HIPAA, Data Breach and Health-Care Program Claims

That the resolution of the HIPAA, data breach and health-care program claims was crucial to the debtors’ successful reorganization is indisputable. The debtors themselves expressly acknowledged as much. See ECF 709, ¶6; 710, ¶¶9-10 712, ¶14. The resolution of those claims was, in fact, a condition to both the consummation of the debtors’ Chapter 11 plan (ECF 915-1, §9.1(q)) and the obligation of third parties to backstop a rights-offering for which the plan provides. ECF 434, §8.1(t).

Resolution of the health-care program claims was necessary to eliminate the uncertainty, delay and expense inherent in litigating substantial and factually complex fraud and non-dischargeability issues, as well as the risks of a ruling that the claims were not, in fact, dischargeable in bankruptcy. Resolution of the HIPAA Claims was necessary to avoid the uncertainty of litigating claims that have not yet been tested by the courts. A substantial reduction in the data breach claims or, as happened in 21st Century Oncology, channeling them away from the bankruptcy estates to insurance proceeds, was necessary to allow for some meaningful distribution to the debtors’ other unsecured creditors and for the debtors to avoid the risks and expense inherent in defending against a class action. Finally, significant concessions by OCR and OIG in the amount and the payment terms with respect to at least some of their claims were important to ensuring the debtors’ post-confirmation liquidity.

Settlement of the HIPAA and Data Breach Claims

The HIPAA claims were resolved by means of a resolution agreement and a two-year corrective action plan (CAP). ECF 825-1, pp. 5-19. The debtors agreed to make a payment of $2.3 million to HHS on the effective date of the resolution agreement, with the payment to be made directly by the debtors’ insurer. HHS agreed to release its pre-petition HIPAA claims upon the $2.3 million payment and its post-petition HIPAA claims upon 21CO’s satisfaction of its obligations under the CAP. Full satisfaction of those obligations is also a necessary condition to OCR’s waiver of any civil monetary penalty arising out of the HIPAA claims, and, for that reason, the resolution agreement tolls the statute of limitation for imposing such a penalty pending full compliance under the CAP.

The CAP imposes several ongoing obligations on 21CO, including: (i) conducting of HIPAA-compliant data security risk assessments; (ii) review of and revisions to HIPAA policies and procedures; (iii) adoption and distribution of revised HIPAA policies and procedures; (iv) provision to HHS a list of its business associates and copies of its business associate agreements; (v) development and implementation of a program to internally monitor its compliance with the CAP; (vi) retention of an external assessor (at 21CO’s expense) to monitor 21CO’s compliance with the CAP; (vii) development of internal security incident notification and response policies and procedures; and (viii) submission of annual reports (attested to by officers of 21CO) to OCR demonstrating 21CO’s compliance with the CAP. All policies and procedures, the risk assessment, the identity of the external assessor, and the assessor’s plan of oversight are subject to HHS review and approval. The external assessor will make reports to HHS and will have the authority to make unannounced site visits to 21CO.

Pursuant to the data breach claim settlement, the plaintiffs retain the right to litigate the data breach claims, but agree to look only to certain insurance proceeds for recovery and waive any recovery from the debtors’ bankruptcy estates. Upon the approval of the data breach claim settlement, they agreed not to oppose confirmation of the debtors’ plan.

Settlement of the Health-Care Program Claims

The debtors, OIG, and the relator resolved the health-care program claims through a settlement agreement and a five-year corporate integrity agreement (CIA). The debtors will pay OIG $26 million (plus interest at 2.25 percent) over five years, which represents a significant concession in the amount of the health-care program claims. The five-year payout significantly improves the debtors’ post-confirmation liquidity. The relator will receive a portion of the settlement payment, as well as $51,877.84 for legal fees and expenses. The debtors conceded the non-dischargeabilty of the health-care program claims but will be released from any civil monetary penalties and from any threat to its ongoing Medicare eligibility arising from those claims upon compliance with the settlement agreement and CIA.

The purpose of the CIA is to ensure the debtors’ compliance with federal health-care program requirements. To that end, the CIA requires: (i) appointment of compliance officers and a compliance committee; (ii) board of directors oversight over compliance activities; (iii) certification and reporting to OIG concerning compliance with the CIA; (iv) development of standards for compliance; (v) compliance training and education; (vi) development of procedures to ensure that contracts comply with health-care program requirements and for reporting of non-compliance with those requirements; and (vii) the retention of an independent organization to review the debtors’ contracts and Medicare claims. The CIA provides OIG with extensive rights of inspection, audit and review.

Approval of the Settlements

The debtors resolved the HIPAA, data breach and health-care program claims before confirmation of their plan. The bankruptcy court granted the debtors’ motions to approve those resolutions by orders dated Dec. 11, 2017. ECF 823, 824 and 825. The debtors’ plan was confirmed on Jan. 9, 2018.

Takeaways from ‘21st Century Oncology’

Health-care debtors’ restructuring strategies must be guided by their highly-regulated status. Like the debtors in 21st Century Oncology, they must be ready to formulate creative means of resolving diverse governmental claims enjoying different priorities and protections (e.g., non-dischargeability) in bankruptcy, including the creative use of assets like insurance. They must, therefore, be prepared to cooperate with regulators to ensure a successful reorganization, particularly if concessions by regulators are necessary. Moreover, that cooperation must continue after confirmation. As the health-care settlements in 21st Century Oncology demonstrate, the resolution of governmental claims will likely include extensive government oversight and trigger significant obligations and expense on the part of the reorganized debtors. Finally, the health-care debtor may gain a new partner in the form of an independent monitor or assessor.

Reprinted with permission from the February 12, 2018 issue of the New Jersey Law Journal. © 2018 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.