ObamaCare Survives Judicial Death Threat: Impact Of Supreme Court Decision On Offshoring And Outsourcing
June 29, 2012 by Bierce & Kenerson, P.C.
The U.S. Supreme Court’s historic 5-4 decision approved the constitutionality of the entire Patient Protection and Affordable Care Act, P.L. 111-148 (March 23, 2010) [“ObamaCare”]. Nat’l Fed. of Indep. Businesses v. Sebelius, 567 U.S. ____ (June 28, 2012).
How will this law impact the global services industry? Will it favor offshoring? Will it create new outsourcing business models? What opportunities arise for new forms of outsourcing services and, indeed, for global entrepreneurship? Here’s our view on the impact, followed by a brief legal summary for those who study constitutional law in the United States.
Impact of the ObamaCare Decision upon Outsourcing and Offshoring. The most important aspect of this law is its complexity (over 900 pages, with new regulations to follow). For the outsourcing industry, the decision is highly positive for process managers seeking to develop service offerings in the administration of healthcare insurance, healthcare funding and corporate human resources.
- In general, new consulting advisory services will develop tech-enabled decision analysis and recommendations. They will identify how to enable small businesses to choose whether, and how, to provide insurance plans for employees. For large businesses, they will help direct how to manage internally, or externally, a huge healthcare bureaucracy for the employer.
- For small businesses, new consulting advisory services (and related process automation and outsourced services) may develop to stay below the threshold of a “large” employer to avoid ObamaCare’s mandatory coverage requirements for “large” employers.
- For insurers and health plans, the pressures for cost containment, regulatory compliance and operational efficiencies will offer opportunities for both consulting and outsourcing, and even offshored teleservices by U.S. qualified medical professionals.
U.S. Health Insurance Model. Unlike other countries, the U.S. has not nationalized healthcare. Instead, since 1965, it has provided nationalized healthcare to seniors (aged 65 and over) under Medicare. Historically, it has also provided Medicaid to younger, but more needy persons in limited categories.
New Class Warfare; New U.S. Business Models. The ObamaCare legislation creates a “class warfare” between “small” businesses and “large” businesses. ACA exempts “small employers” from the duty to carry health insurance for their employees. “Large employers” (with more than 200 full-time employees who perform at least 2,080 hours of service per year subject to vacations and statutory exceptions) must automatically enroll all new full-time employees in one of the plans offered and continue the enrolment of current employees in a health benefits plan offered through the employer.
We offer some predictions on the future of employment in the United States.
- Business Models. New business models will arise, based on outsourcing, virtualization and avoidance of the 200-employee limit.
- Accelerated Offshoring and Outsourcing. The costs, complexity, bureaucratic burdens and overhead, and proliferation of employment litigation associated with mandatory healthcare rules will inspire entrepreneurs to outsource and offshore everything possible. ObamaCare will accelerate the offshoring of both low-level functions (such as non-voice customer relationship management, credit card claims processing, mortgage origination and administration, and other routine business functions) and high-level functions (such as R&D, market research, accounting and tax administration, cash management, etc.).
- “Small is Beautiful.” A wave of new incorporations and new LLC’s will be the new norm for establishing rapid-growth organizations.
- Networked Virtual Organizations. “Small employers” will stay under 200 FTE’s in the U.S., but will partner with other small employers in the U.S. and with outsourcing service providers wherever possible.
- Compliance, but with Cutbacks. Large global corporations will devote more costs and management time to compliance with new regulations. Entrepreneurial leaders at large organizations will consider leaving to form new “small employer” organizations based on a virtualized, global, partnered (outsourced, offshored and allianced) business model.
New HITO: Healthcare IT Outsourcing (New Software Platforms and Service Solutions). Like the Employee Retirement Income Security Act of 1974 (“ERISA”), the Affordable Care Act creates complex new rules governing human resource administration. Like ERISA, ACA delegates extensive authority to bureaucracies to review mandatory disclosure reports by employers in order to ensure employers are not discriminating in favor of highly compensated individuals and includes enforcement mechanisms. The ACA imposes both civil and criminal penalties for non-compliance.
In addition, ACA already has adopted healthcare IT mandates including subsidies for electronic medical records (EMR). The Secretary of Health and Human Services (“HHS”) has adopted regulations for developing interoperable and secure standards and protocols that facilitate enrollment of individuals in Federal and State health and human services programs. Sec. 3021(a). “Third party service providers” are identified as having a legislatively approved role to facilitate enrollment in covered insurance plans.
New Security and Compliance Requirements. The outsourcing industry was born out of “boring,” repetitive “standard” business processes. ACA creates a “perfect storm” for outsourcing of many new “boring” processes in human resources administration.
IT-Enabled Healthcare. ACA also delegates authority for administrative regulations under HHS to develop standards and protocols for electronic enrollment in Federal and State healthcare programs. Sec. 3021(b).
(1) Electronic matching against existing Federal and State data, including vital records, employment history, enrollment systems, tax records, and other data determined appropriate by the Secretary to serve as evidence of eligibility and in lieu of paper-based documentation.
(2) Simplification and submission of electronic documentation, digitization of documents, and systems verification of eligibility.
(3) Reuse of stored eligibility information (including documentation) to assist with retention of eligible individuals.
(4) Capability for individuals to apply, recertify and manage their eligibility information online, including at home, at points of service, and other community-based locations.
(5) Ability to expand the enrollment system to integrate new programs, rules, and functionalities, to operate at increased volume, and to apply streamlined verification and eligibility processes to other Federal and State programs, as appropriate.
(6) Notification of eligibility, recertification, and other needed communication regarding eligibility, which may include communication via email and cellular phones.
(7) Other functionalities necessary to provide eligibles with streamlined enrollment process.
New Training Mandates. Since the law is new, it requires obligatory trainings. The corporate education markets will expand.
More Litigation under New Civil Rights and Whistleblower Protections. ACA is good for e-discovery and Legal Practice Outsourcing. It creates new entitlements and protected classes of employees. This will result in new costly litigations. The plaintiff’s class action lawyers will reap big rewards for mistakes or disputes that need to be settled just to avoid distractions, uncertainty and costs.
First, it creates new civil rights, which can be enforced by plaintiff’s contingency-fee lawyers using class actions. Employees may not be excluded from participation in, be denied the benefits of, or be subjected to discrimination under, any health program or activity, any part of which is receiving Federal financial assistance, including credits, subsidies, or contracts of insurance, or under any program or activity that is administered by an Executive Agency or any entity established under ACA. Sec. 1557, extending civil rights under title VI of the Civil Rights Act of 1964 (42 U.S.C. 2000d et seq.), title IX of the Education Amendments of 1972 (20 U.S.C. 1681 et seq.), the Age Discrimination Act of 1975 (42 U.S.C. 6101 et seq.), or section 504 of the Rehabilitation Act of 1973 (29 U.S.C. 794).
Second, in addition to substantive healthcare civil rights, the ACA adds a “whistleblower” protection for employees who report to their employer, the federal government or a State Attorney General, any violation of, or act or omission that the employee reasonably believes to be a violation of, the ACA. Similar protection is granted for an employee’s right to object to, or refuse to participate in, any activity, policy, practice or assigned task that is or is reasonably believed to be such a violation. ACA, Sec. 1558.
The Legal Decision on Constitutionality.
Judicial Restraint. A minority of four justices would have invalidated the entire law. Writing for the majority, Chief Justice Roberts chose to uphold the law as a “tax” (even though it is not said to be a tax) and pushed the debate back into the political arena of the November 2012 Presidential elections: “It is not our job [as a Supreme Court] to protect the people from the consequences of their political choices” of legislation enacted by an elected Congress.
Two Key Issues. The judicial decision focused on narrow constitutional principles of limited federal legislative powers as enumerated under the federal Constitution. It addressed two technicalities: the “individual mandate” to either get health insurance coverage or pay a federal health tax, and the expansion of scope of Medicaid in such a manner that the States would have to subsidize a new class of individuals in order to continue to enjoy federal funding for a 50-year-old Medicaid program with limited costs and scope.
Individual Mandate: the “Shared Responsibility Payment.” On the “individual mandate,” the decision confirmed that Congress may impose a penalty (called a “shared responsibility payment” but treated judicially as a tax) on individuals who choose not to obtain insurance coverage, even though the tax is on doing nothing. Justice Roberts, the swing vote, noted that the individual health care tax is not confiscatory or punitive, and imposes no other restraint than the payment of the tax. The decision represents an expansion of federal legislative power to tax individuals for doing nothing by relying upon the Taxing Clause of the Constitution and not the sweeping Commerce Clause.
Medicaid Expansion. The Court struck down the “Medicaid expansion” that would, if enacted, have coercively and unconstitutionally forced the States to raise taxes to cover 10% of new insurance programs covering virtually an entire subclass of individuals earning family income at 133% or less of the federal “poverty level,” far more than the pre-existing Medicaid scope and costs. So the law was upheld, but it will have a shortfall in revenue where States choose not to “opt in” to provide such new medical coverage for that class of individuals. Hence, a State may elect to continue the existing Medicaid program (which covers the most needy: pregnant women, children, needy families, the blind, the elderly and the disabled).
The Coming Federal Health IT Monopoly: Electronic Health Records and Health Privacy Rules under the American Recovery and Reinvestment Act of 2009
February 26, 2009 by Bierce & Kenerson, P.C.
Buried in the Obama administration’s economic stimulus bill (American Recovery and Reinvestment Act of 2009, or ARRA) is the “HITECH Act”, a major revision to the healthcare industry technology, promoting universal electronic health records (defined in the laws as “EHR”, which some call e-medical records, or “EMR”). The stimulus law lays the groundwork for socialized medicine by 2016. It’s consistent with Obamanomics policies of more regulation and eventual federalization of health care. Third party administrators, SAAS-based healthcare software companies and other “business associates” of “covered entities” (health care providers, health plans and health insurance carriers) face new statutory liability for breach of protected health records. The HITECH Act also applies to data vendors.
The HITECH Act brings outsourcing data processors, data vendors and others not previously covered within the scope of HIPAA and new federal data breach notification rules.
A new bureaucracy is established.
The Regulators of Health Care Information Technology.
The management (including data processing and outsourcing) of protected health information under HIPAA will get a new boost (with new security rules) under the chapter called “Health Information Technology for Economic and Clinical Health Act” (acronym: “HITECH Act”). See H.R. 1 (111th Cong., 1st Sess.), amending the Public Health Service Act (42 U.S.C. 201 et seq.) by adopting 42 U.S.C. 13001 et seq. A new National Coordinator will update the existing Federal Health IT Strategic Plan to include specific objectives, milestones and metrics for managing electronic health records (“EHR”). Targeting the use of certified EHR’s covering all persons in the United States by 2014, the strategic plan will cover the electronic exchange and use of health information, integration of “enterprises” into an electronic exchange, new privacy and security protections for individually identifiable health information and adoption of specifications for encryption.
Unlike Canada and the EU, the U.S. does not have a general law on the right of electronic privacy. This new EHR regime under the HITECH Act builds on the rules of privacy and security under HIPAA by adding encryption and “data stewardship” and designating a National Coordinator for Health IT (“HIT”). The standards for HIT will include specifications for named standards, architectures and software schemes for authentication and security of individually identifiable health information (and other information needed to ensure common solutions across disparate entities). Such standards will likely become de facto the standards for other personally identifiable information.
Individuals will have access to review and correct their EHR’s, similar to the regime for credit reporting agencies for consumers of financial services.
Adoption of National Standards of Health Information Technology (“HIT”).
The regulation of electronic health records of U.S. residents will include national standards (adopted with the National Institute of Standards and Technology) and a voluntary certification program. As a practical matter, it is safe to predict that the certification will become required for anyone handling EHR, including third-party IT service providers. The government (as payer under Medicaid and Medicare), employers, insurers, health services providers and patients will want the comfort of such certification. The HIT Standards Committee will include health care providers, ancillary health workers, federal agencies, health plans, technology vendors (including “outsourcers”), researchers and individuals with technical expertise on health care quality, privacy, security and on the electronic exchange and use of health information. The Federal Advisory Committee Act, 5 U.S.C. App. (other than Section 14) will apply to the HIT Standards Committee.
The new EHR standards are intended to comply with the privacy and data security rules under HIPAA governing personal health information. See Health Insurance Portability and Accountability Act of 1996, Section 264, and related regulations.
Adoption of EHR HIT technology standards will be compulsory for each federal agency administering or sponsoring health care programs. Agencies will be required to use, when available, such standards in their direct exchange of individually identifiable health information with non-Federal entities. The President is directed to ensure that, within 3 years after a standard is adopted, all federal activities involving the broad collection and submission of health information are consistent with such standard.
Implementation by the private sector will be rolled out over time. Federal agencies administering or sponsoring health care programs are required to require in contracts or agreements with health care providers, health plans, or health insurance issuers that such private sector operations adopt the new HIT standards, when available, upon acquisition, implementation or upgrade of health information technology.
Impact of National Standards on Competition.
Will mandatory standards for IT architecture and data limit competition? Will it promote innovation? There are conflicting views.
- Regulation Stifles Competition and Innovation. Some think a new federal bureaucracy to manage IT architecture and standards will slow down the flow of information and defeat private enterprise efforts at development of data bases and inter-operable data types. Under this thinking, the government will adopt the lowest common denominator in technology to achieve universality.
- Regulation Promotes Innovation. Others think that, by setting minimal security standards for access control and/or encryption, the government will enable future improvements on basic IT records management standards. This is a question of timing.
The answer will probably lie in between these extremes. Software developers with the most robust security and encryption will likely seek a role in the design of the new federal standards. Others will lobby to broaden the rules so that their own flavors of security will be covered by regulation. Ultimately, the outcome depends on the National Coordinator for HIT and the Secretary of Health and Human Services.
Economic Stimulus.
Council on Comparative Effectiveness. The ARRA stimulus law contains $400 million “to accelerate the development and dissemination of research assessing the comparative effectiveness of health care treatments and strategies, through efforts that:
- (1) conduct, support, or synthesize research that compares the clinical outcomes, effectiveness, and appropriateness of items, services, and procedures that are used to prevent, diagnose, or treat diseases, disorders, and other health conditions; and
- (2) encourage the development and use of clinical registries, clinical data networks, and other forms of electronic health data that can be used to generate or obtain outcomes data.”
To implement this program, the ARRA stimulus law establishes a Federal Coordinating Council for Comparative Effectiveness Research (the “Council”) to “foster optimum coordination of comparative effectiveness and related health services research conducted or supported by relevant Federal departments and agencies, with the goal of reducing duplicative efforts and encouraging coordinated and complementary use of resources.” For the moment, the Council will have no role in directing outcomes: “Nothing in this section shall be construed to permit the Council to mandate coverage, reimbursement, or other policies for any public or private payer.” HITECH Act, Sec. 804(g).
Office of National Coordinator for Health Information Technology. Within the Department of Health and Human Services, the ARRA stimulus law creates a new Office of the National Coordinator for Health Information Technology, with a $2.0 billion budget till the money is spent. From this budget, $20 million goes to the Director of the National Institute of Standards and Technology in the Department of Commerce for “continued work on advancing health care information enterprise integration through activities such as technical standards analysis and establishment of conformance testing infrastructure.” A further $40 million of such funds will cover the Commissioner of Social Security for “health information technology research and activities to facilitate the adoption of electronic medical records in disability claims.”
The National Coordinator will be responsible for developing a national health IT infrastructure that allows for the electronic use and exchange of information and that:
- improves health care quality, reduces medical errors, reduces health disparities, and advances the delivery of patient-centered medical care;
- reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;
- provides appropriate information to help guide medical decisions at the time and place of care;
- ensures the inclusion of meaningful public input in such development of such infrastructure;
- improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;
- improves public health activities and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
- facilitates health and clinical research and health care quality;
- promotes early detection, prevention, and management of chronic diseases;
- promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and
- improves efforts to reduce health disparities.
These goals may result in new conflicts between patients, covered entities, business associates and non-HIPAA outsourcing service providers.
Medicare and Medicaid. The ARRA stimulus law also appropriates $17 billion in Medicare and Medicaid funding for health IT.
Data Breach.
The HITECH Act portion of the ARRA stimulus bill adopts a broad federal definition of “breach” of private data, with a suite of notification rules in case a breach occurs. A “breach” is “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person.” By definition, no “breach” occurs in cases of “any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent.” 42 U.S.C. 13400.
“Business Associates” Now Have Extended Obligations on Data Security and “Breach” Notification.
The HITECH Act contemplates a secure supply chain of data processing in health care data. Any “business associate” (such as a third-party administrator or data processing service provider) that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses “unsecured protected health information” must report security breaches to their customers (“covered entities”). Business associates will henceforth have direct statutory liability for breach of data privacy and may be sued by federal and state prosecutors even if their enterprise customers (the “covered entities”) are not pursued. The HITECH Act:
- Extends the security provisions of HIPAA (under 45 CFR 164.308, 164.310, 164.312, and 164.316) to a business associate of a covered entity in the same manner that such sections apply to the “covered entity.”
- Requires that “business associates” undertake, in the business associate agreement between the business associate and the covered entity, to comply with the new security obligations applicable to covered entities.
- Applies to a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) the same criminal and civil liability that now apply to a covered entity that violates such security provision.
- Extends the responsibilities of data processors and other “business associates” of health care providers for breaches of security of unencrypted data.
- Requires each “business associate” of a covered entity to disclose to the covered entity any data breach of “unsecured” protected health information, where the business associate “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.” 42 U.S.C. 13402(b).
- Treats breaches as being “discovered” when first known (or when the covered entity or its business associate “should reasonably have known” of the breach), and requires that the notification process be conducted “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.”
- Requires use of first-class mail or (where the individual has expressed a preference for e-mail) e-mail to notify affected individuals, or use of alternative methods (such as websites, broadcast and print media, with contact telephone numbers) if there are 10 or more individuals with insufficient or out-of-date contact information. Postings on websites must be on the home page of the covered entity or business associate. Notices by broadcast media in a “State or jurisdiction” must be given if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Notifications must include notices to the Secretary of Health and Human Services, with a log book to be maintained. Immediate notice is required if 500 individuals are affected. The HHS Secretary then posts the notices on its website. Notification may be delayed if it would “impede a criminal investigation or cause damage to national security” under existing regulations. 45 C.F.R. 164.528(a)(2).
- Specifies that the content of the notice of a breach must include, to the extent possible, the following:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Protected Health Data.
The HITECH Act part of the ARRA stimulus law extends special breach notification requirements to “unprotected” protected health data. “Unsecured Protected Health Information” means “protected health information that is not secured through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued” within 60 days after enactment. If the Secretary fails to issue such “guidance,” then, as a default, the term ‘unsecured protected health information’ shall mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” The Secretary is directed to promulgate interim final regulations within 180 days of the February 17, 2009 enactment date.
Obligations of Outsourcers Other Than Business Associates.
The HITECH Act of 2009 adds special breach notification requirements for vendors of personal health records (“PHR”) and their service providers that are not covered by HIPAA as a “business associate” or “covered entity.” Thus, each vendor of personal health records and its third-party service providers must notify the U.S. citizen or U.S. resident individuals affected and the Federal Trade Commission in case of security breach. Outsourcing service providers covered under this rule, 42 USC 13407, include each service provider that offers or maintains “a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.” Violations of such notification procedures become “unfair and deceptive” trade practices enforceable by the Federal Trade Commission.
In conclusion, the HITECH Act offers a broad plan for new users of IT in health care. Service providers and enterprise customers and other sectors should take note and address the emergence of new federal standards on data protection, privacy and IT security. Compliance and risk management issues may require some changes in the contracting process and in service delivery of outsourced data processing.