HEALTH LAW PERSPECTIVES
Newsletter
Volume 16, No. 10
November 2014
New Health Plan Policies May Allow Non-Participating
Providers to Challenge UCR Underpayments in Court
Without Filing Administrative Appeals
Certain health plans recently announced new appeal processes for non-participating providers. For
instance, Anthem has sent letters to non-participating
providers stating that Anthem is no longer willing to
entertain appeals regarding usual, customary, and reasonable (UCR) pricing: “An appeal for Usual, Customary and Reasonable Pricing is not a benefit issue and
cannot be appealed. Our claims processing system is
set up to apply the correct UCR pricing based on the
services being rendered and the geographic location.”
We have seen similar policies from Aetna.
These new policies are inconsistent with California
law, including provisions of the Knox-Keene Act and
the Insurance Code. However, the greatest potential
impact of these policies is for employer-sponsored plans
subject to regulation under the Employee Retirement
Income Security Act of 1974 (ERISA).
In disputes with non-participating providers, health
plans often argue that providers cannot sue in court
because they have failed to file administrative appeals.
However, ERISA requires health plans to provide a reasonable opportunity for “a full and fair review” every
time they make an “adverse benefit determination,” i.e.,
whenever they pay less than the entire bill. This includes low UCR pricing.
The upshot of policies like Anthem’s is that providers should not be required to go through the administrative appeal process when challenging UCR decisions
prior to filing an action to recover benefits in court.
That is because, under ERISA, where plans do not es-
tablish or follow proper claims procedures, claimants
are deemed to have exhausted administrative remedies
under the plan. Under these circumstances, courts may
also consider administrative appeals to be “futile” and
therefore unnecessary. Notwithstanding this, we continue to recommend that providers file appeals of adverse UCR decisions, even where there is no legal obligation to do so.
On a related note, Anthem and other health plans
have continued to press the position that non-participating providers do not have appeal rights. These plans
often insists that the non-participating provider execute
special authorized representative forms. Yet courts have
explained that a provider with a valid assignment of benefits from the patient “steps into the shoes” of the patient, and that there is consequently no need to fill out
an authorized benefit form. Nevertheless, we recom-
In This
Issue
• CA Data Breach Report Emphasizes
Importance of Encryption
• Spinedex Decision Clarifies PayorProvider Dispute Issues
• Potential Opportunities for Providers
to take UCR Underpayments Directly
to Court
Hooper, Lundy & Bookman, PC
H e a lt h C a r e L aw y e r s & A d v i s o r s
mend that non-participating providers have patients sign
assignment of benefits forms that also incorporate language appointing the provider as an authorized representative. In any case, an important component in designing
and implementing an effective appeal process continues to
be making sure that the provider’s assignment of benefit
form is properly drafted. Please contact us if you would
like model language.
Finally, we do not agree with Anthem’s contention
that it is correctly pricing out-of-network claims. We
have challenged Anthem’s UCR pricing methodology in a
number of cases. For additional information, please contact Daron Tooch or Peter Brachman in Los Angeles at
310.551.8111.
Spinedex Decision Addresses
Payor-Provider Dispute Issues
On November 5, 2014, the Ninth Circuit Court of
Appeals issued a ruling in Spinedex Physical Therapy USA
Incorporated v. United Healthcare of Arizona, Inc., 2014
WL 5651325 (Nov. 5, 2014). The decision clarifies a
number of important issues relating to payor-provider disputes over health benefit plans governed by the Employee
Retirement Income Security Act of 1974 (ERISA).
Background
Plaintiff Spinedex provided physical therapy services
to members of a number of United-administered plans,
including both self-funded and fully insured plans. The
patients signed several documents in connection with their
treatment, including an assignment of benefits form that
assigned the patients’ “rights and benefits” under the plans,
and an “Enrollment Form” that included a statement in
which patients acknowledged that they were liable for all
costs of the services rendered. The patients also signed
a “Financial Policy” providing, among other things, that
patients would be responsible for any treatment costs not
covered by their health plan.
Spinedex sued United and United-administered plans
(Defendants) for failure to pay ERISA plan benefits. Defendants’ primary excuse for nonpayment was Spinedex’s
failure to bill and collect copayment and coinsurance
amounts from the patients.
2
Providers Do Not Have To Bill Patients To Have Standing
The court first considered whether Spinedex had suffered “injury-in-fact” sufficient to have standing to sue
under Article III of the United States Constitution.
Defendants argued that, because Spinedex had not
sought payment from its assigning patients, the patients
had suffered no monetary injury. Under ERISA, providers
who obtain assignments of benefits “stand in the shoes”
of the patients who assigned the benefits. Defendants
therefore argued that Spinedex, as the assignee, could have
no greater injury than the patients, and therefore suffered
no injury-in-fact. The Ninth Circuit rejected this argument, finding that Spinedex did not have to bill patients
anything in order for Spinedex to sue for payment of
amounts due under the patients’ ERISA plans. The court
reasoned: “The fact that Spinedex has chosen not to seek
payment from its assignors, despite its contractual right to
do so, does not mean that Spinedex had no right to recover
benefits under the Plans from Defendants. It only means
that Spinedex has decided not to pursue its legal rights
against the assignors.” Therefore, the court confirmed that
providers who have been underpaid by ERISA plans do
not need to bill patients as a prerequisite to filing suit for
recovery of amounts owed.
Procedural Defenses, Including Anti-Assignment Clauses,
Can Be Waived
The opinion also confirms that a plan administrator
cannot raise an anti-assignment clause for the first time in
litigation when a provider previously “requested payment
pursuant to a clear and unambiguous assignment.” The
Ninth Circuit did not address whether the standardized
billing forms (such as the assignment of benefits certification in field 53 of the UB-04) may provide the requisite
notice of assignment. But other federal courts have suggested that this form is sufficient notice.
Also, crucially, the Spinedex opinion expressly affirms
that the principle set forth in Harlick v. Blue Shield of
California, 686 F.3d 699 (9th Cir. 2012) that “an administrator may not hold in reserve a known or reasonably
knowable reason for denying a claim,” and applied that
principle to an anti-assignment defense. Health plans
have argued that only substantive coverage limitations can
be waived by the plan -- i.e., a medical necessity defense
-- but that procedural defenses supposedly could not be
waived. The Ninth Circuit has come out squarely on the
side of providers and rejected the plan argument on this
issue.
Health Law Perspectives
Hooper, Lundy & Bookman, PC
H e a lt h C a r e L aw y e r s & A d v i s o r s
Third Party Claims Administrators Are Proper ERISA
Defendants
In Spinedex, the Ninth Circuit also confirmed that
providers may sue any entity that causes improper denial of benefits, rather than just the formally designated
“plan administrator.” The court explained that “proper
defendants under § 1132(a)(1)(B) for improper denial of
benefits at least include ERISA plans, formally designated
plan administrators, insurers or other entities responsible
for payment of benefits, and de facto plan administrators
that improperly deny or cause improper denial of benefits.” Thus, administrators such as United cannot avoid
liability for improper benefit denials on the basis that they
are merely “claims” administrators, rather than formally
designated “plan” administrators, in plan documents.
Plans Generally Must Strictly Follow Claims Handling
Regulations
ERISA requires plans to provide a “full and fair review”
of claims, pursuant to Section 503 of ERISA, 29 U.S.C.
Section 1133. The Department of Labor (DOL) has promulgated detailed claims handling regulations that define
the minimum requirements of a “full and fair review” process, including, among other things, notice of the specific
reason for denial, the plan provision upon which the decision was based, and a description of the plan’s review procedure and the time limits applicable to such procedure.
Some courts have found that “substantial compliance”
with these requirements is sufficient. In Spinedex, the
Ninth Circuit rejected this standard, instead siding with
the DOL’s view that strict compliance is necessary, and
that only de minimis errors will be excused. Thus, plans
must now strictly comply with the DOL regulations, or
the administrative process will be “deemed exhausted,”
and provider plaintiffs can proceed directly to court without going through an administrative appeal.
Importantly, this ruling has implications beyond just
ERISA plans, because the DOL’s claims handling regulations were adopted by the federal government as requirements that health plans governed by the Affordable Care
Act (ACA) also must follow. As a result, while ERISA itself
does not apply to non-ERISA plans, the payers often will
be required to follow ERISA claims handling regulations
even for non-ERISA plans. This includes, without limitation, non-grandfathered plans issued both on and off
federal and state public health exchanges, and other health
plans now subject to ACA.
Current Litigation
Hooper, Lundy and Bookman is representing many
providers who are challenging underpayments and recoupments by health plans, plan administrators, and claims administrators that are governed by the ERISA claims handling regulations, in which these and other issues are being
litigated, arbitrated and mediated.
If you have any questions about these issues, please contact Peter Brachman, Michael Houske, or Daron Tooch in
Los Angeles at 310.551.8111; or Jennifer Hansen or Joseph
LaMagna in San Diego at 619.744.7300.
HLB Briefs
Peter Brachman and Eric Chan have authored Underpaid on Out of Network Reimbursement? Keep ERISA
in Mind, Published by BNA Health Law Reporter. (See: http://www.health-law.com/media/news/274_23_
hlr_1435.pdf).
Jennifer Hansen and Katherine Dru have authored Weighing Options of Appointing Non-Physician Practitioners to the Medical Staff, Published by AHLA. (See: http://www.health-law.com/media/pubadvisory/273_Med
Staff News November 2014 newsletter.pdf).
Health Law Perspectives
3
Hooper, Lundy & Bookman, PC
H e a lt h C a r e L aw y e r s & A d v i s o r s
California Data Breach
Report Emphasizes
Importance of Encryption
for Health Care Industry
By Amy M. Joseph
The California Attorney General recently released
its California Data Breach Report 1 (the Report) which
presents findings and recommendations based on a review of reported breaches in recent years. The California
Attorney General is responsible for enforcing the California consumer data breach notification law, California
Civil Code Section 1798.82 (Section 1798.82), which
requires reports of breaches of electronic consumer records, including health records, to the individual California residents affected, and to the Attorney General if
more than 500 individuals are affected. In 2012, the
Attorney General’s office formed a Privacy Enforcement
and Protection Unit2 to, among other things, enforce
Section 1798.82 and other state and federal privacy laws.
The Report states that the Attorney General’s office
received reports of 167 data breaches that each affected
over 500 California residents, involving, in the aggregate,
records with personal information for more than 18.5
million California residents.3 The retail industry reported twenty-six percent of the total breaches, followed by
finance and insurance (twenty percent) and health care
(fifteen percent). The Report further provides that although “[h]ealth care breaches were second to retail in
the number of records affected . . . [i]f the Target and
LivingSocial breaches were removed from the data set,
health care breaches would rank first in the number of
records affected.”
Interestingly, although malware and hacking constituted the majority of breaches across industry sectors, a
closer look at the health care sector in particular reveals a
different result. Seventy percent of reported health care
breaches resulted from lost or stolen hardware or portable media involving unencrypted digital data. Breaking the numbers down further, of the health care sector’s
thirty-one physical breaches reported in 2012 and 2013,
twenty-four resulted from stolen hardware, five from lost
media and two from stolen documents.
4
Based on the data, the Attorney General makes the
following recommendations specific to the health care
sector:
• The health care sector should use full disk encryption to protect medical information on laptops
and other portable devices, and should consider
doing so for desktop computers as well. The Attorney General emphasizes that the majority of health
care breaches appear to be preventable. The Attorney
General also notes that nearly half of the reported
health care breaches resulted from theft of laptop or
desktop computers from the workplace, as opposed
to an employee’s car or home, and recommends encryption for desktop computers in the office. Lastly,
the Attorney General states that encryption is an affordable, widely available solution, and one that “[e]
ven small practices that lack full-time information
security and IT staff ” can implement.
Section 1798.82 requires notification of a breach only
where the breach involved an individual’s “unencrypted personal information.” Similarly, under the HIPAA
Breach Notification Rule,4 notification is required only if
a breach involved “unsecured protected health information,” which excludes encrypted data.5 In addition, encryption is an addressable implementation feature under
the HIPAA Security Rule, at 45 C.F.R. § 164.312(a)(iv).
However, currently there is no specific legal requirement
to use encryption for data at rest.
The Attorney General also makes the following recommendations for all industry sectors: 6
• Organizations should conduct risk assessments at
least annually. The Report notes that regular risk
assessments are recommended due to development of
new technologies, new business practices, and evolving cybercrime.
• Organizations should use encryption to protect
personal information in transit. The Attorney
General recommends amending California law to require the use of encryption to protect personal information on portable devices and media, and in e-mail.
• Organizations should improve the readability of
their breach notices. The Attorney General states
Health Law Perspectives
Hooper, Lundy & Bookman, PC
H e a lt h C a r e L aw y e r s & A d v i s o r s
that breach notices are often written at the college
level, above the average reading level for adults, and
recommends that organizations make breach notices
more user friendly. Sample breach notices previously submitted to the Attorney General can be viewed
at http://oag.ca.gov/ecrime/databreach/list. Lastly,
the Attorney General recommends that the California legislature consider legislation to: (1) “amend the
breach notice law to strengthen the substitute notice
procedure, clarify the roles and responsibilities of
data owners and data maintainers and require a final
breach report to the Attorney General”; and (2) provide funding to small California retailers to support
system upgrades.
It is likely that the California legislature will consider
implementing some, if not all, of the Attorney General
recommendations, based on the prior track record. The
Attorney General notes that of its five specific recommendations from a previous data breach report, two have
since been enacted as amendments to the data breach
law. For example, and as detailed further in one of HLB’s
prior blog posts ,7 AB 1710 was recently enacted, which
requires the source of a data breach to offer identity theft
protection and mitigation services effective January 1,
2015. The Report notes that the Attorney General has
previously recommended requiring encryption to protect
personal information, and although an early version of
AB 1710 included such a requirement, AB 1710 as enacted did not.
For more information, please contact: in Los Angeles, Amy Joseph or Hope Levy-Biehl in Los Angeles at 310.
551.8111; Paul Smith, Steve Phillips or Clark Stanton in
San Francisco at 415. 875.8500; Stanton Stock in San
Diego at (619) 744-7313; Bob Roth in Washington, D.C.
at 202.580.7700.
See http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf ?)
See http://oag.ca.gov/privacy
3
The Report notes that the 2013 data is skewed due to two large breach incidents (Target and LivingSocial). If those incidents were excluded, the number
of records affected would be 3.5 million, a 35 percent increase in breaches as compared to 2012.
4
45 C.F.R. § 164.400 et seq.
5
See U.S. Department of Health & Human Services guidance on encryption at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
6
The Attorney General also recommends a number of best practices for the retail industry, which are not addressed here.
7
See: http://www.hlbhitblog.com/offer-of-free-identity-theft-and-mitigation-services-for-certain-breaches-under-california-law/)
1
2
CALENDAR
November 10
CAHF Annual Conference, Palm Springs
Jennifer Hansen presented Staffing Audits: Best Practices for Audit Success
November 18
HLB Webinar: Technology Contracts: From Negotiation to Litigation
with Your HIT Vendor
Michael Houske and Eric Chan presented
November 20
Southern California HFMA Winter Program, Culver City, CA
Lloyd Bookman, Tracy Jessner Hale and Nina Adatia Marsden presented
Legislative Update: PRRB Appeals, Major Decisions, Future Implications
Health Law Perspectives
5
1875 Century Park East, Suite 1600
Los Angeles, California 90067-2799
CALENDAR
December 2
(CON’T )
HFMA San Diego Program, Del Mar
John Hellow presents Federal Legislative and Regulatory Update
December 8,9
ABA Health Law Section 12th Annual Washington Health Law Summit, Washington, D.C.
Robert Roth presents And Now it’s Time for New Rules - What’s in he Medicare
2015 Hospital IPPS Final Rule
January 7-11
2015 National CLE Conference Health Law Program, Vail, CO
Robert Roth presents Report from the Capitol – Reflections on a Gridlocked Year
and Prospects for 2015
March 31, 2015
Medtrade Spring Convention, Las Vegas
Felicia Sze presents Managed Care Contracting: Cutting Through the Legalese
and Managing the Managed Care Relationship: Enforcing Your Contracts with Plans
Copyright 2014 by Hooper, Lundy & Bookman, PC Reproduction with attribution is permitted. To request addition to or removal from our mailing list contact
Sharon Lee at Hooper, Lundy & Bookman, PC, 1875 Century Park East, Suite 1600, Los Angeles, CA 90067, phone (310) 551-8152. Health Law Perspectives is produced
monthly, 10 times per year and is provided as an educational service only to assist readers in recognizing potential problems in their health care matters. It does not
attempt to offer solutions to individual problems but rather to provide information about current developments in California and federal health care law. Readers
in need of legal assistance should retain the services of competent counsel. Los Angeles: 310.551.8111; San Francisco: 415.875.8500; San Diego: 619.744.7300;
Washington, D.C. 202.580.7700