A $17 million payment to settle alleged violations of the federal Anti-Kickback Statute. A class-action lawsuit filed on behalf of 3.5 million eye-care patients after an electronic medical records (EMR) system provider sustains a cybersecurity breach. A $500,000 payment to settle a cataract surgery patient’s claim of medical malpractice.

Cases like these in recent years have drawn attention to the financial pain and potential reputational injury that can afflict ophthalmic ambulatory surgery centers (ASCs) for willfully or accidentally neglecting to follow regulations governing the safe and ethical use of medicine. To avoid such costly litigation, it is important for ASCs to implement effective compliance and training programs, as well as secure sufficient insurance in the event they find themselves in legal trouble.

The Stark Law and Anti-Kickback Statute

Many people, including medical professionals, sometimes conflate two pieces of legislation: the Physician Self-Referral Law (commonly known as the Stark Law) and the Anti-Kickback Statute. While both are federal regulations, that’s where the similarity ends.

The Stark Law is section 1877 of the Social Security Act, which governs Medicare and Medicaid. This civil regulation prohibits physicians from referring Medicare patients for certain designated health services to entities in which the physician has a financial relationship.

“The Stark Law aims to prevent self-referral arrangements that could lead to overutilization of certain designated services,” explains Skip Pleninger, president of the Medical Insurance Division of Paris-Kirwan Associates Inc., an insurance services firm with locations in Rochester, New York, and in New York City. ASCs for the most part don’t fall under its jurisdiction because ophthalmic surgery is not considered one of these services.

The Anti-Kickback Statute, on the other hand, has a broader scope and covers a wider range of healthcare providers and entities, including ASCs. The statute makes it illegal for medical professionals to knowingly and willfully offer, pay, solicit, or receive any remuneration in exchange for referrals of patients for services covered by federal healthcare programs like Medicare and Medicaid.

Remuneration doesn’t necessarily have to consist of cash, says Allison Shuren, an attorney and partner with the Arnold & Porter Law Firm in Washington, D.C. “Allowing a physician to rent hospital space for less than fair market value could be seen as a kickback, because the value comes in the way of a cheaper lease,” Ms. Shuren says. “We’ve also seen this in some recent co-management cases where the government alleges that by allowing optometrists to bill for co-management in an improper way, it could be a problem under the Anti-Kickback Statute.”

Violations of the Anti-Kickback Statute are often uncovered by an ASC’s own compliance officer during an audit of its practices or by whistleblowers. “Someone in the hospital knows that they’re offering physicians lower rents in return for referrals and tell the government [because] they can earn a bounty, quite frankly, for being a whistleblower,” says Shuren. “And there are lots of people that have a stake in making sure things are done on a fair and level playing ground.”

Expensive Punishment

Penalties for violating the Stark Law or the Anti-Kickback Statute can be severe and may include civil monetary penalties, exclusion from federal healthcare programs, and even criminal charges, Pleninger says, adding that ASCs and their staff can be held liable corporately and individually, depending on their involvement.

The Stark Law is primarily enforced through civil monetary penalties that can be as high as $24,426 per violation, with each improper referral or claim being considered a separate violation, potentially leading to millions of dollars in fines in cases of widespread noncompliance.

Arrangements that violate the Stark Law might also be problematic under the Anti-Kickback Statute, depending on the facts and circumstances. Violations of the Anti-Kickback Statute may include fines of up to $100,000 and imprisonment for up to 10 years. Civil penalties can reach up to $50,000 per violation, plus additional fines of up to three times the amount of remuneration involved in the prohibited arrangement, Pleninger says.

In May of 2023, SouthEast Eye Specialists and SouthEast Eye Surgery Center in Madison, Tennessee, along with the Eye Surgery Center of Chattanooga, Tennessee, agreed to pay $17 million to settle a lawsuit claiming violations of the Anti-Kickback Statute. The organizations allegedly offered primary care physicians financial payments in return for patient referrals for cataract surgeries reimbursed by Medicare and TennCare (the state of Tennessee’s Medicaid program). The defendants were also accused of allegedly offering free meals, tickets to sporting events, and inappropriate co-management agreements to recruit physicians for referrals. The settlement was the result of a lawsuit brought by two whistleblowers under another federal statute, the False Claims Act, which allows private citizens to bring cases against government contractors charged with fraud. The False Claims Act provides that any person who knowingly submits, or causes to submit, false claims to the government is liable for three times the government’s damages plus a penalty. The ASCs did not have to admit wrongdoing as part of the settlement.¹

Shuren says most states have their own version of the Anti-Kickback Statute. Some are drawn narrowly, focusing only on Medicaid payments, for example, while others also prohibit kickbacks regardless of the payer, even patients paying 100 percent of the bill out of pocket.

“If you’re bringing a referral source to a fancy dinner with the hope that person’s going to send you cases, then you should have your sixth sense saying, ‘This could be a problem. I shouldn’t do this.’ The environment is very competitive, and when you have some in a community who don’t play by the rules, it makes it harder for those who want to play by the rules,” she says.

The Health Insurance Portability and Accountability Act (HIPAA)

The 1996 Health Insurance Portability and Accountability Act (HIPAA) includes stringent measures to protect the privacy of patients and their protected health information (PHI).

“Criminal penalties can apply for wrongful disclosure of PHI, with fines ranging from $50,000 to $250,000 and imprisonment ranging from one to ten years,” says Pleninger. “It’s crucial to note that these penalties can vary based on the specific circumstances of each case and may be subject to updates and changes by relevant authorities.” It is imperative that ASC’s review their Cyber and Security Breach coverages to see how they respond not only to HIPAA violations but also to other related coverages within their policy.

The internet era has introduced a new level of complexity to HIPAA enforcement as ransomware, electronic health record data breaches, and other malicious activities rise in frequency. In a recent survey by AT&T, almost 64 percent of healthcare organizations ranked attacks against server/data at the network edge as cyber threats of highest concern. Nearly as many said attacks against associated cloud workloads were some of the riskiest future attacks against them.

In March 2022, North Carolina–based Eye Care Leaders, an EMR system provider, experienced a hacking incident affecting approximately 3.6 million patients from 41 ophthalmic care providers, including several ASCs. Facilities impacted by the breach included Summit Eye Associates in Tennessee, Allied Eye Physicians and Surgeons in Ohio, Regional Eye Associates in West Virginia, and many others. Eye Care Leaders is now the target of a class action lawsuit filed in January 2023 on behalf of patients impacted by the breach.²

Medical Malpractice

Medical malpractice claims involving ASCs arise from any number of sources, including surgical errors, medication mistakes, postoperative complications, and inadequate patient care. Such was the case in May 2020, when New Jersey ophthalmologist Milton Kahn, MD, and Advanced Eye Care and Surgery Center in Westfield, New Jersey, settled a medical malpractice lawsuit for $500,000. The suit was filed by a patient who experienced tearing, blurry vision, and other symptoms five weeks after undergoing cataract surgery. Dr. Khan diagnosed her with corneal edema and prescribed topical anti-inflammatory medications. However, the patient’s condition worsened, and another physician diagnosed her with endophthalmitis.

The patient’s attorneys argued that a more thorough examination would have uncovered the infection and enabled her to start treatment sooner. The defense countered that the infection would have affected her vision regardless and that Dr. Khan acted within the standard of care. The settlement was reached before going to trial.

Protect Against Lawsuits with Compliance, Policy, and Education

Shuren and Pleninger both say protecting an ASC and its personnel against litigation involving all these areas comes down to three key components: Compliance, policies, and staff education. “ASCs should invest in an effective compliance program,” Shuren says. “They should have effective policies and procedures. They should have staff training auditing themselves against high-risk areas.”

She recommends that ASC compliance officers regularly review adherence to the regulations, as well as various aspects of the compliance and training programs themselves, for potential issues and updating. “Maybe once a year you say, ‘I’m going to look at any time that someone on staff has paid for a referral source’s lunch and determine if it met our policy.’ These are the kinds of self-checks the government expects you to do,” Shuren says.

“Regularly review and update your HIPAA policies and train all your staff members on HIPAA regulations. Implement technical safeguards to secure your data,” Pleninger adds, noting that such practices could potentially impact the severity of penalties for violations. For example, in the event of a potential Anti-Kickback Statute violation, the government is likely to ask for copies of written policies and a compliance program relating to the statute.

“If you don’t have one, the penalties could be reflected in that,” Pleninger says. “If they think that you’re just out there randomly operating without any compliance, then I could see that the fines and penalties are going to be much worse.” He says most insurance providers also request evidence of a compliance program as part of their underwriting process.

“Sometimes they ask for it, depending on the size of the organization, and if you answer no to that, then in most cases you’re not going to get the insurance until you do have a compliance program,” he says.

When All Else Fails: Insurance

No ASC is immune to lawsuits; even the best-run ASC is likely to face litigation of some kind at some point. Therefore, adequate insurance that addresses all of these areas is essential. At the top of the list is regulatory compliance insurance. Premiums for this insurance can amount to $5,000 to $10,000 per year based on the facility’s number of providers, annual revenues, and claims history. In return, these policies typically cover the cost of defending the ASC against accusations of violating the False Claims Act, Stark Law, Anti-Kickback Statute, whistleblower claims, HIPAA violations and any other applicable state or federal regulations.

“The defense costs can sometimes exceed even the actual dollar amounts that [the government] wants to recoup,” Pleninger says. “We pay for the defense; we pay the cost of performing forensics. In the event of civil monetary penalties, we will pay those as well.”

Regulatory compliance insurance will not pay for restitution required by the government. “We don’t pay for the restitution because that’s against public policy,” Pleninger says. “As long as these cases stay civil and don’t go to a fraudulent standpoint, the policy will pay up to the policy limit. Regulatory compliance insurance coverage limits can range anywhere from $1 million for a private practice to $5 million for a small to medium-sized ASC to $10 to $15 million for large ASC groups.”

Regulatory compliance insurance also extends to HIPAA regulations, with policies typically covering the fines and penalties associated with violations. However, coverage for cybersecurity-related breaches of protected health information is typically an add-on, Pleninger says. In cases of ransomware attacks, for example, a cybersecurity policy covers the cost of the ransom and of credit monitoring for affected individuals, as well as business losses.

“Let’s say [hackers] lock up your data system for ransom. That breach could put you out of business for a month,” Pleninger says. “There are even public relations costs built into these policies to [overcome] the public’s potential perception that the organization isn’t doing the right thing.”

According to Pleninger, “58 percent of cybersecurity breaches are due to employee error. It’s not that the employee did anything blatantly deliberate. They just clicked on something they shouldn’t have, and they didn’t have the proper training.”

Malpractice Insurance Coverage

Malpractice insurance policies come in two basic types; one for ASCs that employ all their surgeons, and one for ASCs that utilize independent surgeons. In the first case, the policy is taken out in the ASC’s name and all the employed providers are scheduled with their own limits of liability. For example, the ASC may carry a policy liability limit of $3 million per occurrence and $5 million aggregate for the vicarious acts of its employees. In addition, each employed provider carries their own limits of liability; a cataract surgeon, for instance, might require liability limits of $2 million per occurrence, $4 million aggregate, while an optometrist might carry coverage of $500,000 per occurrence, $1 million aggregate.

“Not only does the entity have coverage, but then each of the providers has their own separate coverage. In the event that employee gets sued, the vicarious liability insurance automatically kicks up to the entity,” Pleninger says.

Ambulatory surgery centers that utilize independent surgeons, however, not only carry their own liability coverage, but also require that the facility itself be included in the policies of each surgeon.

“You’re almost transferring the risk to the doctor, but you’re also getting duplicate coverage in a sense. In the event that something falls through the cracks and that provider doesn’t do what they should, the facility [could] still be at risk,” Pleninger says.

Malpractice insurance premiums and coverage can vary by region, he says, noting that Florida doesn’t mandate malpractice insurance for physicians.

“In New York, the typical limit is $1.3 million per claim with a $3.9 million aggregate,” Pleninger says. Premiums for identical policies also vary by region; the cost of a policy for ASCs in New York County (Manhattan) can be as much as $25,000 per year, while the same policy in Rochester County, New York, might cost only about $6,000 per year.

“You would probably see the same thing nationally across multiple states. There are just certain territories that somehow bring more litigation,” Pleninger says.

Prevention Is the Best (Legal) Medicine

No ASC welcomes the prospect of being sued or charged with breaking civil or criminal laws. But as Benjamin Franklin wisely observed, “an ounce of prevention is worth a pound of cure.” Franklin was using the analogy to advise his fellow Philadelphians that preventing house fires is better than fighting them. But the co-founder of the nation’s first hospital could just as well have been addressing the medicolegal issues facing ASCs.

“The more investing you do in good policies and procedures, the better off you are in the long run,” says Shuren. “It’s very costly to be under investigation, even if you win.” ■

REFERENCES

1. Newitt P. Two ophthalmology ASCs to pay $17M to settle alleged anti-kickback violations. Becker’s ASC Review. May 1, 2023. Accessed August 21, 2023. https://www.beckersasc.com/ophthalmology/2-ophthalmology-ascs-to-pay-17m-to-settle-alleged-anti-kickback-violations.html
2. Alder S. $3 million settlement proposed to resolve 20/20 Eye Care Network data breach lawsuit. The HIPAA Journal. February 13, 2023. Accessed August 23, 2023. https://www.hipaajournal.com/3-million-settlement-proposed-to-resolve-20-20-eye-care-network-data-breach-lawsuit