The healthcare market in the United States is massive, with total spending in excess of $3 trillion. Federal government incentives for the adoption of electronic health records have resulted in an increasingly interoperable foundation for exchange of health information and the availability of data for healthcare business intelligence. And with average per capita spending on health care in excess of $9,500, there is a pressing need for technologies that can reduce cost while increasing the quality of care and patient satisfaction. Given the good reputation enjoyed by German technology and manufacturing, there are tremendous opportunities for savvy German healthcare IT companies to enter the United States market.
At the same time, laws surrounding healthcare IT companies are complex. The good news is that German companies, as their U.S. competitors do, can manage these risks. In particular, timely attention to certain key areas can prevent legal problems from impeding success. This article reviews those key areas and suggests topics for discussion among management and their U.S. legal counsel who are considering a move into or expansion of presence in the U.S. healthcare market.
- Structure of Business/Choice of Entity. Which business structure best suits the German company’s current business objectives? In order to protect the German parent from legal risk including product liability, and to avoid non-compliant transfer of healthcare data to and from the EU, we do not recommend that the German parent supply product or services directly into the U.S. market. Other options for entering the market, each with certain benefits and drawbacks, include working through a U.S. distributor, acquiring an existing U.S. entity with an established reputation and presence, setting up a joint venture or other strategic collaboration, or forming a U.S. subsidiary. Which particular variety of U.S. entity (corporation, limited liability company, or partnership, for example) will depend on tax and efficiency considerations. With any U.S. entity, the corporate formalities must be observed to avoid any claims of parent company liability based on “veil piercing.”
- Global Mobility/Employment. How will U.S. operations be staffed? In today’s global market there are multiple options that can and should be considered. If home country management or other employees will be working here, you must plan for the often complex process of evaluating eligibility and securing the appropriate temporary and permanent visas. Also, the employment law landscape in the United States is different in numerous respects from what German companies are used to. Thus, it is important to understand employee workforce issues from a U.S. perspective – from hiring and continued employment, to protecting confidential information and trade secrets, to employee departure or termination. Putting appropriate employment agreements and policies in place, including in the form of employment handbooks, permits the company to stay both competitive and compliant.
- Contract Risk Mitigation. Optimally, both customer and supplier contracts should be with a U.S. entity, not the German parent company. Robust and detailed U.S. forms of contracts – which differ quite dramatically from contracts typically used in civil law jurisdictions like Germany – offer multiple opportunities to mitigate risk. What are the key contractual provisions to include in agreements with the U.S. healthcare providers or consumers your company serves? Which provisions (for example, acceptance periods, parameters of support, contract termination, and indemnification or limitation of liability) are most important to negotiate? Which should be included in a set of U.S. terms and conditions of sale?
Also consider operational issues: If you are implementing systems that need to interact with legacy systems or other solutions, how do you protect against problems with interoperability with those other systems? Do you have an obligation to transition data to a new vendor upon a client’s request? How do you handle updates, upgrades, and the potential conclusion of the product life? If there are data quality problems that were unforeseen and outside of your control, how is your company protected? What insurance policies may be available or can be negotiated to address these risks?
- Intellectual Property. Especially in the fast-moving U.S. healthcare IT market, having a means to defend the company’s technology is critical. Is the company thinking long-term about its intellectual property strategy, including how to best protect the innovation it has created from use by competitors? Are trade secrets properly secured and the subject of reasonable security measures? Should you consider patent or copyright protection for software, or trademark registration for your company’s logo or other branding? Do you have the appropriate non-disclosure, confidentiality, and invention assignment agreements with employees involved in developing or handling confidential information? What legal action plan has the company developed to prevent critical technology from “walking out the door” with key employee departures, and to deal with such a scenario if it occurs?
- Data Privacy and Security. Another key, highly regulated area is data privacy and security. Healthcare IT organizations are part of a data supply chain that includes protected health information (PHI) and other personally identifiable information about consumers or patients. That personal data must be handled with care and in compliance with federal and state regulations, and a violation of any of them can be very costly and have other serious repercussions for the organization. By U.S. statute (HIPAA) and associated regulations, the company must have appropriate business associate agreements in place with all downstream business associates in the healthcare data supply chain. It should analyze privacy and security provisions applicable in each of the individual state jurisdictions in which the company will be doing business. And the company compliance plan – including relevant, current training for all applicable employees – should be up-to-date.
In terms of data security, has your organization completed a current risk assessment? Does it have a security plan in place, including regular training and system audits? Are the appropriate security and non-disclosure agreements in place with any business partners who might be handling your data or your customers’ data to ensure responsibility and accountability?
Reasonable security training and systems, along with regular review, help to ensure the company is prepared to appropriately respond when a data breach occurs. Have employees been trained to recognize a breach (or likely breach) and to respond appropriately? Do contracts clearly allocate responsibility and seek to mitigate risk to the largest extent possible? Do the right people in the organization understand the notification requirements in the event of a breach, and the special requirements that are implicated when a breach involves PHI?
- Insurance Coverage. With respect to any U.S. operations, the German company should secure United States insurance coverage, particularly to address litigation risks in the areas of product liability and director and officer (“D&O”) liability and risks particular to healthcare and healthcare IT like data breach liability. The right insurance broker can, in consultation with counsel and the management team, ensure appropriate and cost-effective coverage and make sure that U.S. insurance coverage harmonizes with home country coverage.
- Medical Devices and Mobile Apps. The Food and Drug Administration (FDA) is another key regulator. If you manufacture devices with health IT functions or develop mobile medical applications, you must know how your product is classified and regulated, if at all, by FDA. Is your product required to go through an FDA clearance or approval process? What disclosure is required, and what requirements exist for company labeling and advertising? Fear of or uncertainty about regulation should not stifle your company’s innovation.
- Planning for Financing and Site Selection Incentives. Rapid expansion often requires securing outside funding. If the parent company will not be the only funder, what options exist in securing lending and credit facilities to limit liability to the foreign parent? What negotiating points and contract provisions are most important in discussions with your lender? Also, what incentives might be available from state and local governments? There is robust competition in the United States for quality German businesses, especially ones bringing new job opportunities to the community. Available incentives include cash grants, subsidized site acquisition and construction financing, tax abatements, assistance in employee hiring and training, and reductions in utility costs. In our home state of Georgia, for example, more than three hundred German businesses are active and the state maintains an international investment team dedicated to facilitating the process of obtaining these incentives and setting up business in the State.