Can non-MSSP ACOs qualify for Tax-Exempt Status?

The Internal Revenue Service (IRS) recently affirmed its decision to deny 501(c)(3) tax-exempt status to an accountable care organization (ACO) that did not participate in the Medicare Shared Savings Program (MSSP). The IRS initially denied the ACO’s request for tax-exempt status in a determination letter dated August 25, 2014. While neither the determination letter nor the subsequent appeal is precedential, they provide valuable guidance for ACOs operating as tax-exempt organizations or pursuing tax-exempt status.

The ACO was formed by an existing exempt 501(c)(3) organization (System). The ACO’s purported purpose was furthering the triple aim health care reform goals (Triple Aim Goals) established by the Patient Protection and Affordable Care Act (PPACA), i.e. reducing healthcare costs, improving patient access to and the quality of medical care, and improving population health and patient experience. The ACO strove to further the Triple Aim Goals by acting as the representative for its providers in the negotiation and execution of agreements with third-party payers. The ACO’s providers included physicians employed by System, independent practice groups whose physicians were employed by System, and providers unaffiliated with System. Approximately half of the physicians participating in the ACO worked for independent practices or independent hospitals unaffiliated with System.

The IRS denied the ACO tax-exempt status on two separate grounds. First, the IRS determined that the ACO was not operated exclusively for exempt purposes within the meaning of the Internal Revenue Code. The IRS then determined that the ACO was also not operated primarily for a public purpose.

Operated Exclusively for Exempt Purposes:

In order to qualify for 501(c)(3) status, an organization must be organized and operated exclusively for an exempt purpose. An organization is regarded as being operated exclusively for one or more exempt purposes if it engages primarily in activities that accomplish an exempt purpose. An organization is not operated exclusively for an exempt purpose if more than an insubstantial part of its activities is not in furtherance of an exempt purpose. Two exempt purposes recognized by the IRS are lessening the burdens of government and the promotion of health. In its determination letter, the IRS applied both exempt purposes to the ACO before determining that the ACO was not operated exclusively for an exempt purpose.

Lessening the Burdens of Government:

In order for an activity to lessen the burdens of government, there must be an objective manifestation that government considers the activity to be its burden. Provisions of the PPACA encourage and support ACO cost sharing arrangements. In its determination letter, the IRS acknowledged that participation in the MSSP by an ACO will generally further the exempt purpose of lessening the burdens of government. The IRS continued, however, that the government has not provided an objective manifestation that it considers the activities of ACOs that do not participate in the MSSP to be its burden, regardless of their furtherance of the Triple Aim Goals. Accordingly, the IRS determined that the ACO’s activities did not further the exempt purpose of lessening the burdens of government.

This conclusion suggests that ACOs that do not participate in the MSSP may not be able to qualify for tax-exempt status by lessening the burdens of government. Such non-MSSP ACOs may be able to lessen the burdens of government through other means; however, furthering the Triple Aim Goals of the PPACA alone appears to be insufficient. ACOs that intend to further the Triple Aim Goals should either participate in the MSSP or establish an exempt purpose other than lessening the burdens of government.

Promoting Health:

The promotion of health has long been recognized as an exempt purpose. However, not every activity that promotes health furthers exemption under Code Section 501(c)(3). For example, selling prescription pharmaceuticals promotes health, but is not a tax-exempt activity. In its determination letter, the IRS provided that while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals further the promotion of health for purposes of Code Section 501(c)(3). The ACO’s primary activity was negotiating with private insurers on behalf of its providers, many of which were unrelated to the ACO. The IRS determined that the link between negotiating with private insurers and promoting health was insufficient. Accordingly, the IRS concluded that the ACO was not operated exclusively in furtherance of the exempt purpose of promoting health.

This conclusion provides two insights. First, it indicates that an ACO whose purpose is furthering the Triple Aim Goals can qualify as being operated exclusively for the exempt purpose of promoting health. This is a valuable insight for ACOs that would prefer not to participate in the MSSP, but would like to receive tax-exempt status. Second, the IRS’ determination letter indicates that negotiating with private insurers likely is not sufficiently connected to promoting health. Accordingly, the activities of ACOs that do not participate in the MSSP will require a closer nexus to promoting health in order for such ACOs to qualify as tax-exempt organizations.

Benefiting a Public Purpose:

In addition to being organized and operated exclusively for exempt purposes, organizations seeking tax-exempt status must be organized and operated primarily for a public purpose. Organizations that primarily serve private interests instead of public interests are not eligible for tax-exempt status. Notwithstanding the foregoing, limited private benefits are permissible when a benefit to the public cannot be achieved without necessarily benefiting private individuals and the private benefits are insubstantial relative to the public benefit conferred by the activity. In its determination letter, the IRS determined that the ACO conferred an impermissible private benefit.

As discussed above, the ACO’s primary activity was negotiating with private insurers on behalf of its providers. The IRS determined that the ACO’s negotiations only indirectly benefitted the community, compared to the benefit conferred to the ACO’s providers. Further, the IRS determined that the ACO’s activities were not the only means of conferring the benefit to the community. Accordingly, the IRS determined that the ACO conferred an impermissible private benefit to its providers. This example stands as a reminder that the primary benefit of an organization’s activities must flow to the public and not private interests in order for the organization to receive tax-exempt status.

Conclusion:

The IRS’ determination letter and holding on appeal provide three valuable lessons for ACOs operating as tax-exempt organizations or pursuing tax-exempt status. First, in the opinion of the IRS, the activities of ACOs that do not participate in the MSSP do not further the exempt purpose of lessening the burdens of government. Second, while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals adequately further the promotion of health. For example, negotiation with private insurers on behalf of healthcare providers is not sufficiently tied to promoting health. Third, regardless of whether an ACO is organized and operated exclusively for an exempt purpose, the primary benefit of an ACO’s activities must flow to the public and not private interests.

Stolen Laptop Costs Research Institute Millions

The Feinstein Institute for Medical Research (Feinstein) recently agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle allegations that Feinstein violated the HIPAA Privacy and Security Rules. This settlement confirms the OCR’s position that nonprofit research institutes are held to the same standards as all other HIPAA covered entities.

The OCR began its investigation after Feinstein filed a breach report revealing that a laptop computer containing electronic protected health information (ePHI) had been stolen from an employee’s car. The laptop contained the ePHI of approximately 13,000 patients and research participants. The laptop was unencrypted.
In addition to the breach, OCR’s investigation determined that Feinstein failed to:

(1) conduct a risk analysis of all of the PHI held at Feinstein, including the PHI on the stolen laptop;

(2) implement policies and procedures for granting access to ePHI to workforce members;

(3) implement physical safeguards for the laptop;

(4) implement policies and procedures managing the movement of hardware that contains ePHI; and

(5) implement encryption technology or ensure that an alternative measure to encryption was deployed to safeguard the ePHI.

HIPAA does not expressly require encryption of ePHI; however, covered entities and business associates that do not encrypt ePHI are required to document why encryption is not reasonable or appropriate. Covered entities and business associates that do not encrypt ePHI are also required to implement measures equivalent to encryption to safeguard ePHI.

In addition to other violations, the OCR’s investigation revealed that Feinstein failed to document why encrypting the laptop was not reasonable or appropriate. Further, far from having measures equivalent to encryption for safeguarding ePHI, the OCR found that Feinstein lacked policies and procedures for the receipt and removal of laptops containing ePHI from its facilities and policies and procedures for authorizing access to ePHI.

This settlement provides us with three lessons. First, it’s important to realize that research institutes are held to the same standards as other covered entities. To the extent a research institute maintains PHI, it is essential to develop adequate policies and procedures to protect the PHI. Failing to do so exposes the institute to considerable risk. Second, encrypting ePHI goes a long way towards reducing liability. Had Feinstein’s laptop been encrypted to the NIST standard, Feinstein’s ePHI would have been secured and Feinstein wouldn’t have been required to report a breach. Instead, as is often the case, the OCR’s investigation revealed multiple additional HIPAA violations. By not encrypting ePHI, covered entities and business associates risk not only the cost of a breach, but also the potential for added costs following an OCR investigation. Lastly, covered entities and business associates that don’t encrypt their ePHI are required to document why encryption is not reasonable or appropriate. Failing to do so is a HIPAA violation and subjects covered entities and business associates to liability.

Steep Price Tag for Not Entering a Business Associate Agreement

North Memorial Health Care of Minnesota (“North Memorial”) recently agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by essentially failing to enter into a Business Associate Agreement. Pursuant to the settlement, North Memorial agreed to pay $1,550,000. This settlement is a reminder of the importance of executing business associate agreements before sharing protected health information.

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) initiated an investigation of North Memorial following its receipt of a breach report. The report indicated that a password-protected laptop had been stolen from a locked vehicle belonging to an employee of North Memorial’s business associate, Accretive Health, Inc. (“Accretive”). The laptop contained electronic protected health information on 9,497 individuals.

OCR’s investigation revealed that North Memorial failed to enter into a business associate agreement with Accretive. Pursuant to the HIPAA Privacy and Security Rules, covered entities are required to enter into business associate agreements with all business associates to whom they provide protected health information. The investigation further revealed that North Memorial failed to complete a risk analysis for the electronic protected health information that it maintained, accessed, and transmitted across its IT infrastructure. Such an analysis may have revealed the vulnerability posed by permitting protected health information to be stored on an unencrypted laptop.

Takeaways from this settlement:

  • Do not share protected health information with business associates without a valid business associate agreement in place. A valid business associate agreement almost certainly would have reduced North Memorial’s liability in this case.
  • Covered entities and business associates should perform HIPAA security risk analyses as required under the HIPAA Privacy and Security Rules. Such analyses may uncover vulnerabilities that can be easily addressed.
  • Electronic Protected Health Information should be safeguarded with encryption technology. A high percentage of all breaches stem from lost or stolen portable devices. Encryption provides strong protection to covered entities and business associates in the case of a breach.

HIPAA $239K Fine – Don’t Leave PHI with Husband

An Administrative Law Judge for the U.S. Department of Health and Human Services recently ruled that Lincare violated the HIPAA Privacy Rule by failing to implement policies and procedures to safeguard protected health information (PHI) and failing to protect PHI from disclosure to unauthorized persons. For such violations, the Judge imposed $239,800 in civil monetary penalties. This is only the second time the Office for Civil Rights (OCR) has pursued civil monetary penalties for violations of HIPAA, and the first time such a matter has been appealed to an Administrative Law Judge. This ruling serves as a reminder of the importance of maintaining adequate procedures and policies to safeguard PHI and prevent its unauthorized disclosure.

The OCR became aware of the violation when the estranged husband of a Lincare Manager reported to the OCR that his wife had left documents containing PHI in his possession, though he was not authorized to see them. Lincare instructed its Center Managers to maintain copies of certain PHI “secured” in their vehicles so that employees would have access to patient contact information if a center office was destroyed or otherwise made inaccessible. As a Center Manager, she kept such PHI in her car, despite knowing that her husband had keys to the car. The wife ultimately abandoned PHI in her home and vehicle.

In reaching its conclusion, the Judge noted that Lincare did not have a written policy addressing PHI that was removed from its offices. Lincare’s privacy policy could even be read as prohibiting the removal of PHI, despite Lincare’s business model requiring employees to remove PHI from its offices. Lincare also lacked policies and procedures to monitor PHI that was moved offsite. This meant that PHI could go missing without it coming to Lincare’s attention.

In light of this ruling, covered entities and business associates should consider whether their policies and procedures adequately protect PHI that is moved offsite. Specifically, employers should consider the circumstances in which they permit PHI to be moved offsite, what procedures and policies apply to PHI that is moved offsite, and how PHI that is moved offsite will be tracked. Employers allowing PHI to be removed from their offices should also consider options such as encryption and limiting access to PHI to virtual private networks.