Healthcare Empowered

Artificial Intelligence

• The Department of Homeland Security (DHS) has released a voluntary framework outlining AI responsibilities for critical infrastructure sectors. The framework, developed with industry input, addresses risks like AI-based attacks and design failures, emphasizing practical implementation for safety and security. While the future of the framework under a potential Trump administration remains uncertain, DHS highlights its own AI pilot projects and integration efforts.
• The Global Privacy Assembly’s Joint Statement emphasizes that data scraping, even of publicly accessible data, must comply with privacy laws, including obtaining consent when necessary. Relying solely on platform terms for data scraping does not guarantee compliance with data protection and AI laws.
• President-elect Trump’s return to the White House may impact the artificial intelligence (AI) industry. Trump’s alliance with tech billionaire Elon Musk and his pledge to repeal President Biden’s AI executive order suggest a focus on private sector-driven innovation and competition over regulation.
• According to a recent cybersecurity report, healthcare organizations block 17.2% of AI transactions, ranking third behind finance and insurance, and technology sectors. This is slightly below the national average of 18.5%, indicating a lag in healthcare’s efforts to secure sensitive data against AI threats. Despite being the sixth-largest user of AI and machine learning, the healthcare sector’s AI adoption is expected to grow. The most popular AI applications in healthcare include ChatGPT, Drift, OpenAI, Writer, and Intercom. Healthcare organizations are actively engaging in AI safety initiatives, with some developing in-house AI platforms, while addressing concerns about data privacy, security, and the reliability and bias of AI algorithms in patient care.
• Pieces Technologies, a Dallas-based company, uses AI to streamline physician documentation, saving time on tasks like patient summaries, discharge notes, and progress notes. The platform, now in use at hospitals nationwide, has expanded to include a mobile version and is exploring outpatient applications. Despite facing scrutiny over AI accuracy, Pieces continues to innovate and secure funding for its patient-facing technology.
• California enacted two new laws governing the use of AI in healthcare. One law requires health plans using AI in utilization review to disclose its use and ensure determinations are based on clinical information. The other law mandates providers using AI in patient communications to obtain consent and follow specific protocols.

Cybersecurity

• The Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000 for HIPAA violations, including lacking a Business Associate Agreement (BAA) and insufficient access controls. The fine reflects a 20% discount for PMI’s recognized security practices, but OCR has not publicly disclosed which practices qualify or how the discount was calculated. This marks the first time OCR has publicly acknowledged applying the discount, which was mandated by the Cybersecurity Act of 2015.
• New federal legislation called the Health Infrastructure Security and Accountability Act (HISAA) has been introduced to address cybersecurity risks in the healthcare sector, particularly for HIPAA Covered Entities and Business Associates. The Act is a response to high-profile cybersecurity incidents, such as the Change Healthcare breach, and aims to establish new security requirements, conduct annual risk assessments, and enforce audits to improve cybersecurity practices. HISAA proposes tiered penalties for noncompliance, removes statutory caps on penalties, and introduces fees to cover oversight costs. It also includes financial incentives and disincentives related to Medicare payments to encourage the adoption of enhanced cybersecurity measures. The act represents a significant shift in cybersecurity enforcement and oversight compared to existing HIPAA regulations.

Data Privacy

• The FTC published an explainer on the use of Data Clean Rooms (DCRs), cloud services that enable data exchange and analysis between companies. While DCRs can offer privacy protections when configured correctly, they are not inherently privacy-preserving and can be used to obfuscate privacy harms. Companies should not rely on DCRs to avoid legal obligations regarding data privacy and should be held accountable for any violations, regardless of the technology used.
• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.
• Texas is emerging as a significant player in privacy regulation following the implementation of the Texas Privacy and Data Security Act (TPDSA) in July 2024 and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act in September 2024. Texas Attorney General Ken Paxton has initiated a privacy and security enforcement initiative, establishing a dedicated team within the Consumer Protection Division to enforce these laws. Notable actions include a lawsuit against TikTok for allegedly violating the SCOPE Act by sharing minors’ personal information without parental consent, and a settlement with Meta under the Texas biometric law for unauthorized data capture. Additionally, over 100 companies were notified for failing to register as data brokers, and car manufacturers are under investigation for data collection practices. Businesses processing Texans’ personal information should ensure compliance with the TPDSA and other relevant privacy laws to avoid enforcement actions.

Behavioral Health

• Behavioral health is a rapidly growing area in the healthcare sector, but it faces significant operational and financial challenges as companies scale and investor interest increases. Behavioral health organizations need to adopt innovative strategies to improve operations and financial performance, often requiring external expertise to navigate these complexities. They highlight the importance of effective management, strategic planning, and maintaining a focus on patient care amidst financial pressures, such as rising costs and debt. The experts emphasize the need for organizations to communicate their mission clearly, engage employees, and ensure consistent quality of care. They also advise investors to assess management’s ability to respond to data, maintain a positive organizational culture, and manage financial metrics effectively.

Drug & Device

•  New FDA advertising rules require drugmakers to use simpler language and no distractions when explaining their medications’ risks and side effects. The FDA spent more than 15 years crafting the guidelines, which are designed to do away with industry practices that downplay or distract viewers from risk information. Many companies have already adopted the rules, which become binding Nov. 20.
• The U.S. Department of Justice (DOJ) recently published a final rule on the accessibility of medical diagnostic equipment (MDE) and other accessibility-related practices that promises to have broad impact on the health care industry. Although the rule is limited to state and local government’s healthcare practices, it is likely only a matter of time before the rule’s mandates will be imposed on the entire health care industry.

Equity & Equality

• The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published final rules implementing anti-discrimination provisions under Section 1557 of the Affordable Care Act. These rules apply to health programs receiving federal financial assistance and prohibit discrimination based on race, color, national origin, sex, age, or disability. Covered entities must meet several upcoming deadlines, including appointing a Section 1557 Coordinator by November 2, 2024, and ensuring non-discriminatory use of patient care decision support tools by May 1, 2025. By July 5, 2025, entities must post notices of language assistance services and adopt comprehensive policies and procedures to ensure compliance. The rules also require training for relevant employees on these policies within specific timeframes.

Fraud & Abuse

• Anti-Kickback Statute (AKS) enforcement is shifting away from COVID-19 pandemic-era fraud and towards unlawful marketing and referral practices. The Justice Department and HHS’ Office of Inspector General anticipate an uptick in enforcement activity, particularly against Stark law violations. Life sciences and healthcare companies should bolster compliance efforts to avoid scrutiny and potential whistleblower actions.
• The Office of Inspector General (OIG) recommends increased oversight of remote patient monitoring (RPM) services and billing in the Medicare program. The OIG report found that RPM is not being used as intended, with many enrollees not receiving all required components and concerns about fraud and abuse. The OIG also found that CMS lacks key information about RPM use, including the types of devices and health data being collected.
• The future of the Stark law is uncertain following a district court decision that a False Claims Act lawsuit could not be resolved without further briefings on the U.S. Supreme Court’s recent reversal of the Chevron deference doctrine. In July, the Supreme Court overturned Chevron deference, which had required judges to defer to federal agency interpretations in ambiguous legal cases, now mandating independent judicial interpretation. The district judge emphasized the need to interpret regulations independently, leading to the lawsuit’s dismissal due to insufficient detail in the plaintiff’s allegations. This change in judicial approach raises questions about the Stark law’s application, as it involves complex compliance requirements and exceptions.

Intellectual Property

• Companies developing cell and gene therapies face a critical decision: patenting or keeping information as a trade secret. Factors like reverse-engineering risk, patent eligibility, business model, and infringement detection influence this choice. Enforcement strategies for patents and trade secrets differ in goals, timing, pleadings, and discovery logistics, requiring careful planning.

Mergers & Acquisitions

• Behavioral health mergers and acquisitions (M&A) have recovered and stabilized, driven by factors like the emergence of mental health platforms and positive reimbursement changes. Joint venture (JV) partnerships continue to gain popularity in the mental health sector. Behavioral health providers are expanding their geographical reach by helping traditional nonprofit health systems operate more efficiently and meet the high demand for behavioral health services. Telehealth has become a common treatment method for mental health patients, with Congress extending telehealth flexibility waivers through 2024.
• The Federal Trade Commission (FTC) recently published revisions for pre-merger notification requirements under the Hart-Scott-Rodino Antitrust Act. The rule revises forms and instructions to address information gaps and ensure that transactions do not stifle competition. Entities must file information about entities and individuals influencing decision-making post-merger, non-horizontal relationships, business lines, serial acquisitions, and roll-ups.

No Surprises Act

• The Fifth Circuit Court of Appeals’ recently upheld regulations defining the qualifying payment amount (QPA) under the No Surprise Billing Rules. The QPA is a key factor in determining how much individuals and health plans must pay out-of-network providers in certain situations. The court’s decision upheld the rules governing how QPAs will be determined and the information that plans need to disclose to providers about how they determined a QPA.

Ransomware

• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.

Reproductive Rights

• Texas lawmakers will consider a bill that would reclassify mifepristone and misoprostol — two drugs commonly used in medication abortions — as controlled substances. This move mirrors a similar law in Louisiana, which has faced criticism from healthcare providers for potentially endangering patients’ lives. The Texas bill, if passed, would take effect in September 2025 and adds a muscle relaxant to the Schedule IV controlled substances list.

Telehealth

• States continue to modify telehealth laws and regulations, striking a balance between flexibility and quality care. While some federal telehealth flexibilities have been extended, the DEA’s remote prescribing rulemaking remains uncertain, potentially impacting providers beyond December 31, 2024. Enforcement efforts against telehealth fraud highlight the need for providers to prioritize compliance with evolving legal requirements.

Blockchain

• The integration of AI and Blockchain technologies promises to revolutionize industries by enhancing transparency, security, and efficiency. While offering significant benefits, this convergence also raises challenges related to scalability, data privacy, and regulatory compliance. Despite these obstacles, the potential applications and innovations stemming from this synergy are vast and promising.

HIPAA & Cybersecurity

• The Health Infrastructure Security and Accountability Act (HISAA) aims to establish mandatory minimum security standards for healthcare organizations to protect healthcare information. HISAA proposes annual audits and stress tests, increased accountability and penalties, and financial support for enhancements. The bill seeks to address the patchwork of healthcare data security standards and bring them under one minimum umbrella.
• Stolen credentials are a significant security risk, as evidenced the recent breach at Change Healthcare. To combat this, organizations should enforce strong passwords, monitor credential sites, and educate employees about the dangers of credential theft.
• Health data from most period-tracking apps is not protected under HIPAA, as these apps are typically not considered covered entities. While some apps claim HIPAA compliance, this is often misleading and may indicate a lack of protection.

Ransomeware

• Ransomware attacks, while slightly less frequent in H1 2024, saw a 68% increase in severity, with average losses reaching a record high. Businesses with over $100 million in revenue experienced the most significant impact, with a 140% increase in losses. While BEC attacks remained the most common cause of claims, ransomware attacks were the third most common, with exposed login panels and outdated technologies increasing the likelihood of a claim.
• A new report reveals a four-year high in ransomware attacks on healthcare organizations, with 67% reporting incidents in the past year. These attacks are increasingly complex, with longer recovery times and higher costs, averaging $2.57 million in 2024. Attackers are also targeting data backups, increasing pressure on organizations to pay ransoms.

Regulation

• The return of Donald Trump to the White House raises questions about potential changes to healthcare cybersecurity and HIPAA regulations. While some experts anticipate a reversal of the Biden administration’s reproductive health data privacy protections, others believe the Trump administration will focus on completing previously proposed HIPAA Privacy Rule changes. Cybersecurity, however, is seen as a non-partisan issue, with potential for continued focus on implementing stronger practices and potentially updating the HIPAA Security Rule.
• The California Privacy Protection Agency (CPPA) will investigate data broker compliance with registration requirements under the California Delete Act. Data brokers must register by January 31, 2025, providing information about their operations and consumer rights requests.

Tech and ACOs

• The disconnect between physical and mental healthcare in the U.S., particularly in underserved areas, is a major issue. The CMS’s ACO Primary Care Flex Model aims to address this by promoting integrated care and value-based reimbursement. Healthcare information technology plays a crucial role in enabling seamless data exchange and collaboration among providers, ultimately improving patient outcomes.

Fraud & Abuse

• Horizon Medical Center of Denton, owned by Corinth Investor Holdings, L.L.C., paid $14.2 million to settle potential violations of Medicare regulations and the Stark Law. The center self-disclosed omitting a modifier and location for services provided at off-campus facilities, as well as financial relationships with physician-owners. This settlement, along with two others, highlights the Department of Justice’s emphasis on voluntary self-disclosure and cooperation in healthcare fraud cases.
• A pharmaceutical ingredient supplier will pay $21.75 million to settle allegations of inflating Average Wholesale Prices (AWPs) for two key ingredients. A pharmacist whistleblower exposed the scheme, highlighting the critical role of whistleblowers in combating pharmaceutical fraud. The False Claims Act empowers individuals to report fraud and protects public funds from fraudulent activities.
• A Texas optometrist, agreed to pay $1 million to settle allegations of healthcare fraud. The doctor operated a network of optometry practices in Central Texas and according to the government, these practices submitted claims to TRICARE, Medicare, and Medicaid using the National Provider Identifiers (NPIs) of optometrists who did not perform the services billed. They allegedly did so “in circumstances where the optometrist who rendered services was not credentialed or enrolled in the Federal healthcare program billed.
• Oak Street Health, a CVS subsidiary, agreed to a $60 million settlement for violating the False Claims Act. The company allegedly paid kickbacks to insurance agents to recruit seniors to their clinics, resulting in false claims to Medicare. The settlement includes restitution and a whistleblower reward.

HIPAA & Cybersecurity

• The return of Donald Trump to the White House raises questions about potential changes to healthcare cybersecurity and HIPAA regulations. While some experts anticipate a reversal of the Biden administration’s reproductive health data privacy protections, others believe the Trump administration will focus on completing previously proposed HIPAA Privacy Rule changes. Cybersecurity, however, is seen as a non-partisan issue, with potential for continued focus on implementing stronger practices and potentially updating the HIPAA Security Rule.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to establish mandatory minimum security standards for healthcare organizations to protect healthcare information. HISAA proposes annual audits and stress tests, increased accountability and penalties, and financial support for enhancements. The bill seeks to address the patchwork of healthcare data security standards and bring them under one minimum umbrella.

Hospice

• Hospices are exploring palliative care programs to remain relevant in the evolving value-based care landscape. Palliative care, which focuses on managing symptoms and improving quality of life for patients with serious illnesses, is increasingly recognized for its potential to reduce healthcare costs. By partnering with Medicare Advantage plans and Accountable Care Organizations, hospices can leverage palliative care to participate in value-based reimbursement models.

Insulin Overpricing

• Insulin overpricing lawsuits allege that pharmaceutical companies and Pharmacy Benefit Managers (PBMs) have engaged in deceptive and unfair trade practices, artificially inflating insulin prices. Plaintiffs, including individuals, unions, and public entities, seek damages for losses incurred and injunctive relief to prevent future price gouging. The lawsuits allege violations of state consumer protection laws, unjust enrichment, and potentially federal RICO laws, aiming to hold these companies accountable for their actions.

Loper Bright

• The Loper Bright decision, repealing Chevron deference, leaves hundreds of healthcare regulations vulnerable to litigation. Healthcare regulation, often complex and involving multiple agencies and statutes, will face challenges in determining the “best reading” of statutes. This shift in regulatory authority could lead to increased litigation and uncertainty in the healthcare industry.

Med Spas

• A Harvard-trained spa owner allegedly injected clients with bogus Botox and skin fillers. The spa owner smuggled counterfeit injectable drugs from China and Brazil, falsely claiming to be a nurse with a degree from Harvard and a license from the state’s Estate Board.
• A former plastic surgeon who gained viral attention for posting dancing videos from the operating table, is practicing with a Texas med spa under a suspended license.

No Surprises Act

• The Fifth Circuit Court of Appeals upheld several provisions of the No Surprises Act, favoring regulators and insurers. The Act aims to protect patients from surprise medical bills by capping their liability to out-of-network providers. However, the Court’s decision will likely lead to artificially low QPAs, negatively impacting provider reimbursement rates and future contract negotiations.

Physician Fee Schedule

• The Centers for Medicare & Medicaid Services (CMS) finalized the 2025 Medicare Physician Fee Schedule, resulting in a 2.93% reduction in average payment rates. This decision has been met with strong opposition from national provider associations, who argue that the cuts, coupled with inflation, threaten the financial viability of physician practices and patient access to care. These associations urge Congress to intervene and stabilize reimbursement rates.
• The Biden administration finalized 2025 Medicare reimbursement rates, with physicians facing a 2.9% decrease and hospitals receiving a 2.9% increase for outpatient services. While hospitals argue the rates are insufficient, physician groups, particularly those operating independent practices, face more significant challenges due to rising costs and smaller profit margins. The CMS also implemented changes to the Hospital Outpatient Prospective Payment System, including maternal health and safety standards and continuous coverage requirements for children in safety-net programs.
• CMS finalized a 2.83% physician pay cut for 2025 while increasing reimbursement for ASCs meeting quality reporting requirements. The rule includes updates to coding and payment policies for various services, as well as changes to the ASC quality reporting program.

Ransomeware

• Ransomware attacks, while slightly less frequent in H1 2024, saw a 68% increase in severity, with average losses reaching a record high. Businesses with over $100 million in revenue experienced the most significant impact, with a 140% increase in losses. While BEC attacks remained the most common cause of claims, ransomware attacks were the third most common, with exposed login panels and outdated technologies increasing the likelihood of a claim.
• A new report reveals a four-year high in ransomware attacks on healthcare organizations, with 67% reporting incidents in the past year. These attacks are increasingly complex, with longer recovery times and higher costs, averaging $2.57 million in 2024. Attackers are also targeting data backups, increasing pressure on organizations to pay ransoms.

Skilled Nursing Facilities

• CMS has updated the CMS-855A form to require expanded disclosure of ownership and control interests for Skilled Nursing Facilities (SNFs). This includes disclosure from a broader class of entities, such as landlords, consultants, and managers, categorized as “additional disclosable parties” (ADPs). SNFs must report all persons and entities within the organizational structure of each ADP, and failure to comply may result in sanctions.

Access & Privacy

• A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

AI Governance

• The Chief AI Officer role in healthcare demands a unique blend of skills, including AI policy, business strategy, technology expertise, and domain knowledge. UC Davis Health sought a Chief AI Officer to enhance AI governance, accelerate adoption, and collaborate on AI initiatives. The role involves strategic planning, education, and oversight to ensure responsible AI implementation.
• AI accountability is a critical aspect of responsible AI development and deployment. Privacy professionals play a key role in ensuring AI governance aligns with data protection and privacy practices, addressing concerns about bias, transparency, and ethical responsibility. By collaborating with legal and other stakeholders, privacy teams can help organizations navigate the complexities of AI regulation and mitigate risks associated with AI systems.

AI Risk Management

• An Associated Press investigation revealed that OpenAI’s Whisper transcription tool creates fabricated text in medical and business settings despite warnings against such use. These tools are known to produce fabricated text, or “confabulations,” which can lead to serious consequences in medical settings, such as incorrect diagnoses and treatment plans. Despite OpenAI’s advice against using Whisper in high-risk domains, over 30,000 medical professionals are reportedly using it for transcriptions. The tool’s inaccuracies are attributed to its reliance on predicting likely text rather than ensuring accuracy, often filling gaps with incorrect or biased information.

Corporate Compliance

• The DOJ’s updated ECCP policy document now requires companies to assess AI risks and ensure compliance with criminal laws. Companies must also provide compliance staff with access to relevant data and utilize data analytics tools to enhance compliance efforts.

Cybersecurity

• Healthcare organizations need stronger cybersecurity measures, including identity and access management, patching, phishing training, and robust backup practices, as cyber attacks continue to rise. HIPAA guidance alone is insufficient, and organizations should consider following more rigorous standards like NIST or HITRUST. Assuming a breach will occur and having an incident response plan in place is crucial.

Growth & Innovation

• Texas tech companies are revolutionizing healthcare through telemedicine, wearable devices, biotechnology, and AI. These companies are making healthcare more accessible, affordable, and effective by developing innovative solutions that improve patient care and empower individuals. Texas is poised to remain a leader in health technology, driving advancements and shaping the future of healthcare.
• The OMB has issued guidance to agencies on responsible artificial intelligence acquisitions. The guidance emphasizes the importance of managing AI risks, promoting competition, and improving information sharing. Agencies are advised to identify AI early in the acquisition process, engage relevant equities, and include contractual requirements to manage AI risks effectively.
• CISA is focusing on eliminating risky software-building practices, such as default passwords and memory-unsafe languages, to enhance cybersecurity. The agency has secured over 230 voluntary commitments from software manufacturers to meet cybersecurity goals within a year. CISA is also pushing for software companies to prioritize security features like MFA and make them difficult for customers to remove.
• A recent survey of healthcare security professionals reveals that nearly one-third are unsatisfied with their existing security frameworks, highlighting the industry’s struggle to keep pace with evolving threats. Budget constraints and lack of executive support are significant barriers to implementing new technologies. Despite the challenges, healthcare facilities are increasingly adopting converged security solutions that blend digital identity, physical security, and cybersecurity measures.

Legislation

• The Colorado AI Act requires developers and deployers of AI systems to disclose their use to Colorado residents. Developers of high-risk AI systems must protect against algorithmic discrimination and provide detailed documentation to deployers. Deployers must implement risk management programs and conduct annual impact assessments to mitigate risks of discrimination.

Access & Privacy

• A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

Cryotheraphy

• Cryotherapy, an extreme cooling treatment, has gained popularity, leading to its incorporation into various wellness businesses. However, owners must comply with FDA regulations, which prohibit claims of treating diseases without scientific evidence. Additionally, Texas medical board rules may apply if cryotherapy services are marketed as providing health benefits.

Fraud & Abuse

• The Supreme Court’s recent denials of two certiorari petitions on the federal Anti-Kickback Statute’s willfulness standard may have profound implications for health care companies defending against AKS claims. The petitions sought to clarify whether the AKS requires defendants to know that their conduct violates the law to be found liable. The court’s decision leaves the issue unresolved, potentially leading to further appellate decisions and providing clarity on the AKS willfulness standard.

Gender-Affirming Care

• Texas Attorney General Ken Paxton is suing Dr. Hector Granados for providing gender-affirming medical care to minors, violating state law. The lawsuit alleges Granados prescribed puberty blockers and hormone therapy to over 20 minors, claiming the treatments were necessary for precocious puberty. Granados helped open El Paso’s first clinic treating transgender children and teens in 2015.

HIPAA

• Business associate agreements (BAAs) are not typically required when third parties receive protected health information (PHI) for research purposes. However, third parties may qualify as business associates if they create de-identified data sets or limited data sets on behalf of a covered entity. CEs should only require BAAs when third parties perform covered functions or services listed in the HIPAA Privacy Rule.
• The 2024 Final Privacy Rule allows covered entities to disclose protected health information (PHI) related to reproductive healthcare only to the individual or their personal representative. Covered entities may refuse to disclose PHI in permissive circumstances, such as law enforcement or judicial processes, even with an attestation form. The rule aims to protect patient privacy and strengthen access to reproductive healthcare services.
• OCR Director Melanie Fontes Rainer highlighted key priorities at the HHS-NIST conference, including an update to the HIPAA Security Rule with new cybersecurity requirements and an enforcement initiative for risk analysis compliance. OCR also emphasized the importance of engaging with the healthcare sector on cybersecurity matters and has increased outreach through webinars, videos, and newsletters.

Ransomware

• A plastic surgeon paid a $53,000 ransom to regain access to data after a ransomware attack, but faced a $500,000 HIPAA fine. The surgeon claims the government was more punitive than the hackers. A government ambulance provider also faced a $90,000 fine for failing to conduct a HIPAA security risk analysis, highlighting the importance of this requirement for compliance.

Reimbursement

• The Medicare Physician Fee Schedule final rule strengthens primary care, expands access to preventive services, and promotes whole-person care. It includes new coding and payment policies for advanced primary care management services, cardiovascular risk assessment, and behavioral health services. The rule also expands coverage for hepatitis B vaccinations, colorectal cancer screening, and PrEP to prevent HIV.

Telehealth

• State laws on clinical record ownership vary, and healthcare providers must understand these differences when practicing telehealth across state lines. HIPAA’s right-of-access rule adds complexity, specifying how and when records must be shared. Providers must comply with both state and federal regulations, with state laws taking precedence when they provide greater rights to patients.
• The DEA is expected to extend telehealth flexibilities for prescribing controlled substances for the third time. The Texas Medical Board proposed requiring physicians to hold a full Texas medical license to provide telehealth and added a rule concerning prescribing for chronic pain.

Navigating AI: A Quick Start Guide for Healthcare Professionals

To get started with AI in healthcare, clinicians should set clear goals, create a personalized learning roadmap, and identify essential resources. Understanding AI fundamentals, including programming skills, is crucial for effective collaboration and decision-making. Clinicians can enhance their knowledge and skills through formal education, online courses, and hands-on experience.

Clinician involvement in AI development is crucial, yet often inconsistent, necessitating a multidisciplinary approach to ensure trust and usability in clinical settings. Effective AI integration requires clinicians to understand AI basics, set learning goals, and engage in continuous education, including programming skills and AI model development. A structured learning approach, incorporating formal AI education into medical curricula, can enhance clinicians’ ability to innovate and apply AI tools effectively. Practical resources such as online courses, textbooks, and professional networks are essential for clinicians to gain AI proficiency.

Success in AI adoption involves setting clear milestones, leveraging low-code platforms for ease of use, and fostering collaboration with AI experts. Overall, AI offers significant opportunities for healthcare professionals to improve patient care and drive innovation through informed engagement and structured learning.

AI

• Harvard Medical School has introduced an AI in healthcare course for students in its Health Sciences and Technology track. The course covers AI’s role in medicine, including its use as an educational tool and its impact on clinical practice. The school is also exploring AI-powered tutoring bots and has established grants for AI-related projects in education, research, and administration.
• The FDA has identified ten areas of concern for regulating AI in medical products, including ensuring compatibility with global standards, keeping up with the rapid pace of change, and developing flexible approaches across the spectrum of AI models. The FDA also emphasizes the importance of AI life cycle management, robust supply chains, and maintaining a balance between big tech, start-ups, and academia. Additionally, the FDA highlights the potential uses of AI in drug development and clinical trials, such as drug target identification and participant recruitment.
• The Chief Privacy Officer (CPO) role faces an identity crisis with the rise of AI governance. Despite the challenges, CPOs are well-suited to manage AI governance due to their experience in navigating complex regulations, working cross-functionally, and holding organizations accountable. CPOs are essential for future-proofing operations, ensuring public trust, and maintaining regulatory security in the age of AI.

Blockchain

• The global “Blockchain Technology in Healthcare” market is projected to grow significantly, driven by its potential to enhance security, efficiency, and transparency in healthcare services. Blockchain technology offers secure storage of electronic health records, streamlines data management, and improves drug traceability. Recent developments highlight the ongoing integration of blockchain in healthcare, with companies like IBM and Patientory Inc. making strides in the field.

Data Breaches

• Data breaches are costly, with healthcare and finance industries facing the highest penalties due to stringent regulations. Data masking is a solution that allows businesses to comply with regulations while maintaining data usability. Organizations must implement data masking alongside encryption and PAM to protect sensitive data and avoid regulatory penalties.
• Over 940,000 Medicare beneficiaries’ protected health information was exposed due to a vulnerability in MOVEit software used by WPS. CMS and WPS are investigating the breach, offering credit monitoring and new Medicare cards to affected individuals. Healthcare organizations should review vendor contracts, conduct regular cybersecurity audits, and enhance incident response plans to safeguard against similar incidents.

Data Privacy

• The healthcare sector faces significant data leaks, with over 14,000 unique IP addresses exposing sensitive medical information. Biometrics, particularly facial recognition, is seen as a powerful tool to enhance security and streamline operations in healthcare environments. AllClear ID’s Health Bank One app aggregates health records, uses AI to curate care, and provides personalized insights for patients and healthcare providers.
• Despite political polarization, 19 states have enacted comprehensive privacy legislation with bipartisan support, providing essential safeguards for consumers. These laws empower consumers with rights to control their data, including access, correction, deletion, and opt-out options. States are also addressing sensitive data protection, data minimization, and data protection impact assessments, aligning with FTC recommendations and shaping the future of privacy standards.
• Synthetic data generated by state-of-the-art privacy-preserving methods can be used throughout the medical prognostic modeling pipeline, including exploratory data analysis and model development. These methods can adequately capture the tails of the distribution, including low prevalence conditions and ethnic minority groups. However, some synthetic data generators struggled to match the distributional characteristics of features, with notable inconsistencies amongst categorical variables and mode invention and collapse amongst key continuous variables.

Cybersecurity

• Data security posture management (DSPM) emerged as a critical component for enterprises in the cloud era, providing visibility and control over data security. As threats evolved, comprehensive data security platforms expanded beyond DSPM capabilities to address AI-specific risks and cover various environments. These platforms enhance compliance, support digital transformation, and enable organizations to innovate confidently with their data.
• HHS is working on updating the HIPAA Security Rule to address the increasing cyber threats in the healthcare sector, including ransomware attacks and data breaches. The proposed modifications may include a thorough enterprise-wide HIPAA security risk analysis. The outcome of the upcoming presidential election could impact the implementation of these regulations, with a potential shift in priorities and enforcement approaches.
• The White House is reviewing a proposed rule to update HIPAA cybersecurity protections in response to rising cyberattacks targeting electronic protected healthcare information. The updates aim to improve HIPAA Security Rule compliance and prevent unauthorized access to ePHI. Healthcare organizations must revise and implement changes to their policies and procedures to comply with the reproductive privacy modifications to HIPAA by December 23.
• Healthcare organizations must thoroughly vet AI vendors to ensure data protection and incident response plans. Experts advise reviewing data encryption, access controls, and incident response plans when evaluating AI vendors.
• Collaboration between HHS and NIST is crucial for improving healthcare cybersecurity. Accountability, financial support, and coordination to address the increasing threat of data breaches and ransomware attacks are key. HHS has taken steps to strengthen accountability, provide financial resources, and improve coordination to enhance healthcare cybersecurity.
• A SOC 2+ report expands on the SOC 2 framework by integrating additional compliance requirements, such as HIPAA or ISO, into a single report. This streamlined approach helps organizations meet multiple industry and legal standards, reducing the need for multiple audits. SOC 2+ reports are valuable for organizations in highly regulated industries, as they demonstrate data security and compliance, building trust with clients and stakeholders

Health Data

• Health and fitness apps and digital health platforms collect personal health data, but HIPAA does not apply to most of them. State-specific data privacy laws, such as California’s CMIA and Washington’s MHMDA, regulate the collection and use of consumer health data, including the right to consent, delete, and know how data is shared. Businesses must comply with these laws by requiring consent, implementing privacy policies, and ensuring data security.

Eli Lilly Targets Compounding Kits

Eli Lilly has filed a lawsuit against Pivotal Peptides, a drug vendor in Washington state, accusing them of selling do-it-yourself kits for making knockoff versions of their weight-loss and diabetes drugs, Zepbound and Mounjaro.

Pivotal Peptides allegedly sold these kits without requiring a prescription or medical consultation, labeling the ingredients as “research chemicals” not intended for human use. The company ignored a cease-and-desist letter from Lilly and continued operations under a guise, using coded language to sell their products.

The lawsuit alleges serious safety issues, as these untested and non-pharmaceutical-grade drugs could be ordered by anyone.

Lilly’s legal actions are part of a broader effort to address the sale of illicit tirzepatide versions amid ongoing legal debates over compounded drug formulations.

The FDA had previously declared a shortage of tirzepatide, allowing licensed pharmacies to legally compound the drug, but is now reconsidering this decision following lawsuits from compounding pharmacies. Eli Lilly emphasizes the significant risks posed to patient safety by the sale of these unapproved and potentially harmful drugs.

Anti-Discrimination

• The Department of Health and Human Services’ final rule implementing Section 1557 of the Affordable Care Act prohibits discrimination in healthcare and requires covered entities to appoint coordinators, post nondiscrimination notices, and implement policies and procedures by specific deadlines. Covered entities must also ensure patient care decision support tools are used non-discriminatorily and provide language assistance and auxiliary aids by May 1, 2025.

Blockchain

• The global “Blockchain Technology in Healthcare” market is projected to grow significantly, driven by its potential to enhance security, efficiency, and transparency in healthcare services. Blockchain technology offers secure storage of electronic health records, streamlines data management, and improves drug traceability. Recent developments highlight the ongoing integration of blockchain in healthcare, with companies like IBM and Patientory Inc. making strides in the field.

Data Breaches

• Data breaches are costly, with healthcare and finance industries facing the highest penalties due to stringent regulations. Data masking is a solution that allows businesses to comply with regulations while maintaining data usability. Organizations must implement data masking alongside encryption and PAM to protect sensitive data and avoid regulatory penalties.
• Over 940,000 Medicare beneficiaries’ protected health information was exposed due to a vulnerability in MOVEit software used by WPS. CMS and WPS are investigating the breach, offering credit monitoring and new Medicare cards to affected individuals. Healthcare organizations should review vendor contracts, conduct regular cybersecurity audits, and enhance incident response plans to safeguard against similar incidents.

Health Data

• Health and fitness apps and digital health platforms collect personal health data, but HIPAA does not apply to most of them. State-specific data privacy laws, such as California’s CMIA and Washington’s MHMDA, regulate the collection and use of consumer health data, including the right to consent, delete, and know how data is shared. Businesses must comply with these laws by requiring consent, implementing privacy policies, and ensuring data security.

HIPAA

• HHS is working on updating the HIPAA Security Rule to address the increasing cyber threats in the healthcare sector, including ransomware attacks and data breaches. The proposed modifications may include a thorough enterprise-wide HIPAA security risk analysis. The outcome of the upcoming presidential election could impact the implementation of these regulations, with a potential shift in priorities and enforcement approaches.
• The Office of Civil Rights (OCR) has resumed HIPAA audits after a seven-year hiatus due to a surge in data breaches and cyberattacks. Entities must strengthen their compliance programs, including conducting risk assessments, implementing safeguards, and providing detailed documentation of compliance. Non-compliance can result in financial penalties and corrective actions.
• Texas is challenging to the Biden administration’s new rule strengthening the Health Insurance Portability Act (HIPAA). The rule prohibits healthcare providers, insurers, and states from giving reproductive care information to criminal or civil investigations. Texas is fighting to access out-of-state abortion medical records, which could lead to the criminalization of abortion-seeking residents.
• BAAs are often treated as boilerplate documents, but they require careful review and negotiation to ensure compliance with HIPAA regulations. It is important to update the agreements regularly to reflect current laws. In terms of substance, counsel should ensureg clear reporting obligations, and avoid overly restrictive terms that could hinder a business associate’s operations. Failing to properly execute or update a BAA can result in severe penalties. BAAs are not “one-size-fits-all” and should be tailored to support a robust privacy compliance program.

Reproductive Health

• A Texas doctor is suing the HHS to prevent enforcement of a new HIPAA rule that strengthens reproductive health care privacy. The rule prevents HIPAA-regulated entities from disclosing reproductive health care information to law enforcement, but the doctor argues it restricts her ability to report suspected abuse. The lawsuit follows a similar suit filed by the Texas Attorney General.
• A Texas doctor sued the Biden administration over a new rule strengthening privacy protections for abortion and gender transition treatments. The doctor argues the rule prevents reporting possible abuse and violates state law. The lawsuit was filed in Amarillo, ensuring it will be heard by a conservative judge who previously suspended the approval of the abortion pill mifepristone.
• A Texas doctor is suing the Biden-Harris administration over recent changes to federal health privacy laws that restrict doctors’ ability to report suspected abuse and protect patients from the harms of abortion and gender transition. The new rule redefines “person” and “public health” to exclude unborn children and limits how doctors and law enforcement can protect patients from abuse. Alliance Defending Freedom attorneys argue that the rule exceeds government authority and undermines state laws that protect mothers and children from the harms of abortion and gender transition.

Weight Loss

• Novo Nordisk has requested the FDA to prohibit compounding pharmacies from producing unapproved versions of Ozempic and Wegovy, citing safety concerns. The FDA is reviewing the petition and will respond directly to Novo Nordisk.
• Diabetes patients face insulin shortages due to increased demand for weight loss drugs like Ozempic. The three major insulin manufacturers, Novo Nordisk, Eli Lilly, and Sanofi, are under pressure to prioritize insulin production amidst supply chain disruptions and the lucrative market for weight loss drugs. Despite price cuts, diabetes patients worry about the reliability of insulin supply, which is essential for their survival.

Legislation

• In 2024, states continued to enact sectoral privacy laws, particularly focusing on children’s data and AI regulation. The New York Child Data Protection Act and SAFE for Kids Act aim to protect children’s privacy and safety online, while the Maryland Age-Appropriate Design Code Act seeks to regulate online content for children. Other states, such as Connecticut and Colorado, have also passed amendments to their consumer data privacy laws to enhance protections for children’s data.
• In 2024, seven states passed comprehensive data privacy laws, bringing the total to 19. Maryland, Vermont, and Maine introduced more restrictive data minimization provisions, while Minnesota, New Jersey, and Rhode Island iterated on existing models. Existing laws in California, Colorado, Virginia, and New Hampshire received amendments, primarily focusing on expanding protections for children’s data.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• California’s CCPA amendment protects neural data as sensitive personal information, impacting Illinois businesses that collect or utilize this data. Illinois businesses should review their data privacy practices to ensure compliance with both state and federal laws.

Security Practices

• Healthcare workers resort to insecure password practices due to care delivery demands, leading to data breaches and compromised credentials. These breaches impact patient care, cause significant costs, and highlight the ineffectiveness of complex passwords.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.
• New York has implemented new cybersecurity regulations for general hospitals, requiring annual risk assessments, incident response plans, and multifactor authentication. The regulations aim to enhance cybersecurity standards beyond HIPAA requirements and address the increasing frequency of cyberattacks on hospitals. Hospitals have one year to comply with the new requirements, with funding available to assist with implementation costs.

LLMs

• A recent study by Apple engineers shows the fragility of mathematical reasoning in advanced large language models (LLMs) like those developed by OpenAI and Google. The research shows that LLMs struggle with minor changes to benchmark problems, resulting in performance drops of up to 9.2%. These findings suggest that LLMs rely on probabilistic pattern matching rather than genuine logical reasoning. The researchers concluded that these models’ reasoning processes have critical flaws that cannot be resolved with simple refinements.
• Google DeepMind has developed an AI model to predict key properties of potential drugs. The new Tx-LLM (Therapeutic Large Language Model) model represents a shift toward specialized artificial intelligence tools for specific industries. This targeted approach could prove more valuable than general-purpose AI in addressing complex commercial challenges.

LItigaton

• The Texas Attorney General settled allegations of false and misleading claims about the accuracy of a healthcare AI product. The company agreed to comply with specific requirements for five years, including disclosing metrics and potential harmful uses of its products. As AI use in healthcare grows, legislators and regulators are increasingly interested in AI laws and regulations, and healthcare entities should adopt AI governance programs to ensure compliance.
• Social credit scores, used by the DOJ to prosecute healthcare providers, are data-driven profiles that assess risky behavior and predict future violations. These scores, influenced by biased enforcement patterns, disproportionately target minority physicians and patients, leading to unjust prosecutions and surveillance. The widespread adoption of predictive tools like social credit scores amplifies systemic biases and entrenching the surveillance and punishment of already marginalized populations.

Online Tracking

• In St. Aubin v. Carbon Health Technologies, Inc., the United States District Court for the Northern District of California examined a claim under the California Invasion of Privacy Act (CIPA) regarding alleged interceptions of medical data by third-party tracking technologies. The court focused on the application of CIPA’s second clause, which prohibits unauthorized interception of the “contents or meaning” of communications, finding that URLs containing detailed health information could qualify as protected content. Facebook’s tracking was deemed to meet this requirement due to its real-time data interception capabilities, while Google’s tracking lacked sufficient specificity, leading the court to allow an amendment to the complaint. This case highlights the increasing judicial scrutiny of digital privacy, particularly concerning online tracking and the sharing of sensitive medical information.
• Online tracking technologies, such as cookies, can impact HIPAA compliance by potentially disclosing protected health information. Non-HIPAA-regulated businesses must comply with state laws regarding consumer health data collected through these technologies. To ensure compliance, businesses should review tracking technologies, analyze license terms, and determine applicable state and FTC rules.

Regulation

• The FDA has authorized almost 1000 AI-enabled medical devices and has received hundreds of regulatory submissions for drugs that used AI in their discovery and development. The FDA assets that effective regulation requires coordination across industries, government, and international bodies, with flexible mechanisms to keep pace with AI developments. Transparency from sponsors and proficiency in AI evaluation by regulators are crucial, alongside a life cycle management approach with ongoing postmarket performance monitoring.

Threat Vector

• There is an alarming rise in healthcare data breaches, which have increased by 187% in 2023. The surge in cyberattacks, particularly driven by ransomware and phishing, poses significant challenges to the healthcare industry. To address these challenges, healthcare organizations must prioritize regular training and thorough audits to enhance their security measures.
• Data compromises decreased by 8% in Q3 2024, with 672 incidents reported. However, the number of individuals affected fell by 77% due to a significant decrease in healthcare data breaches. Despite the decrease in data compromises, the total number of victims for the year is still above the 2023 record.
• Privacy-enhancing technologies (PETs) like fully homomorphic encryption (FHE), trusted execution environments (TEEs), and privacy-preserving federated learning (PPFL) can protect sensitive healthcare data while enabling analysis. Regulators should endorse these technologies to simplify compliance and incentivize their adoption. Post-quantum cryptography (PQC) will provide protection against emerging attacks, including those from quantum computing devices.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Opinion

• AI and precision health aim to improve patient outcomes by tailoring treatments to individual characteristics. However, challenges such as data diversity, privacy concerns, and the need for longitudinal data need to be addressed. To ensure the success of precision health, strategies like assembling large cohorts, improving diversity, and protecting data privacy are essential.

Litigation

• Texas Attorney General Ken Paxton sued a Dallas doctor for providing gender-affirming treatments to minors, violating a state ban. The lawsuit alleges the doctor used false diagnoses and billing codes to mask the care. The doctor practices at UT Southwestern and Children’s Health, both affiliated with the state.
• The FTC appealed a Texas ruling that invalidated its nationwide ban on employment noncompete agreements. The FTC’s noncompete ban, which aimed to prohibit noncompete agreements between employers and employees, faces legal challenges and may eventually reach the Supreme Court. Employers are advised to comply with state laws regarding restrictive covenants.

Security Standards

• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.

Quality of Care

• The Outpatient and Ambulatory Surgery Consumer Assessment of Healthcare Providers and Systems (OAS CAHPS) survey, which evaluates patient satisfaction in outpatient healthcare facilities, will become mandatory for ASCs and HOPDs in January 2025. ASCs should prepare by aligning operations with OAS CAHPS guidelines and engaging a CMS-approved vendor to administer the survey. Participation in the survey is essential for compliance and can impact public perception and reimbursement rates.

Fraud & Abuse

• The former owner of 4M Pharmaceutics was convicted of defrauding Medicare out of $160 million by submitting claims for medically unnecessary drugs using illegally obtained patient information. Mokbel faces decades in prison and millions in restitution and fines. Prosecutors argued that Mokbel’s scheme involved using diabetes testing equipment as a ruse to send patients topical creams and Omega-3 pills they didn’t need, while Mokbel’s defense claimed he acted within the bounds of the law.

Out-of-Network

• A Louisiana court awarded $421 million to an out-of-network provider in a dispute with Blue Cross Blue Shield of Louisiana over underpayment for services rendered. This verdict, along with similar cases, highlights the need for fair reimbursement for healthcare providers. Insurance companies may face increased scrutiny and potential financial consequences for underpaying or denying payment to out-of-network providers.

Ransomware

• UMC Health System in Lubbock, Texas, has restored its electronic medical record (EHR) system after a ransomware attack in September. The divert for emergency patients has been lifted, but some patient-facing systems are still being restored. The investigation into the attack is ongoing.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Telemedicine

• The Texas Medical Board has proposed new telemedicine regulations. The new rules would require a full license to provide telemedicine services, reaffirms that telemedicine services be performed in compliance with the Texas Occupations Code and the Medical Practice Act, and establishes requirements for prescribing for chronic pain via telemedicine.
• The DEA is expected to extend telemedicine prescribing flexibilities for controlled substances through 2025, following pressure from Congress and the White House. Without an extension, the flexibilities that have increased access to healthcare for rural and underserved communities will expire, potentially leaving thousands of patients without access to critical medications. Stakeholders are urging the DEA to extend the flexibilities and create a taskforce to provide feedback on a new proposed rule for telemedicine prescribing of controlled substances.

CMS

• CMS proposed a rule to amend the Medicare Overpayment Rule, extending the deadline for providers to investigate overpayments from 60 to 180 days. The rule also seeks to replace the “reasonable diligence” standard with the FCA’s knowledge standard.

M&A

• The FTC’s final rule for premerger notifications expands disclosure requirements, particularly for healthcare transactions. It aims to address gaps in enforcement by requiring more extensive data and information on corporate structure, transaction details, competition, and prior acquisitions. The rule is expected to increase compliance time and may lead to more scrutiny of healthcare mergers and acquisitions.