Confidentiality & Cybersecurity
- The US Court of Appeals has struck down net neutrality regulations, allowing Internet Service Providers (ISPs) to monitor, prioritize, and control Internet traffic. The ruling impacts healthcare privacy as ISPs can now track and sell patient data from telehealth sessions, mental health searches, and digital health app usage to third parties. Healthcare providers must implement stronger privacy measures, including encrypted platforms, VPNs, and HIPAA-compliant systems to protect patient information. FCC Chair Jessica Rosenworcel has called for congressional action, while healthcare professionals are urged to advocate for patient privacy through policy engagement and partnerships with privacy organizations. The decision particularly affects rural patients who rely on telehealth services and raises concerns about potential discrimination based on health-related Internet activity.
- A recent report reveals that 73% of healthcare organizations still use legacy systems, which creates security vulnerabilities that cybercriminals can exploit. Healthcare IT teams must build security measures into applications from the start, ensure flexibility across platforms, and implement vendor management strategies to protect data. The modernization process requires consideration of usability factors to prevent users from circumventing security controls, while features like Pure Storage’s SafeMode Snapshots provide protection against data breaches. Organizations that implement these strategies can better protect patient data, maintain productivity, and preserve patient trust.
- The U.S. Department of Health and Human Services Office for Civil Rights has proposed major changes to the HIPAA Security Rule that would require healthcare organizations to implement stricter cybersecurity measures by mid-2025. The changes include mandatory encryption of protected health information, multi-factor authentication, vulnerability scanning every 6 months, penetration testing annually, and notification requirements within 24 hours for certain security events. HHS estimates first-year compliance costs at $9 billion, with subsequent annual costs of $6 billion through year five. The proposal comes in response to a 950% increase in individuals affected by healthcare data breaches since 2018, though its fate remains uncertain as it transitions between administrations. The 60-day public comment period ends March 7, 2025, with compliance required 180 days after the final rule takes effect.
- Healthcare data breaches affected 184,111,469 records in 2024, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities. In response to these breaches, the HHS Office for Civil Rights published cybersecurity performance goals and proposed updates to the HIPAA Security Rule to mandate stronger security measures, including multifactor authentication and encryption requirements. The fate of these proposed security updates now rests with the incoming Trump administration.
- SOC 2 audits provide healthcare organizations with a framework for managing data security, privacy, and operational integrity. The audit process ensures protection of Protected Health Information (PHI) and Personally Identifiable Information (PII) through controls that safeguard against unauthorized access and breaches. While not legally mandated, SOC 2 complements HIPAA, HITECH, and GDPR regulations by addressing data encryption, access control, and risk management. The framework includes five trust service principles – Security, Availability, Processing Integrity, Confidentiality, and Privacy – and helps organizations manage third-party vendor risks through certification requirements. Healthcare providers can prepare for SOC 2 audits through gap analysis, control implementation, staff training, and partnership with expert consultants.
Innovation
- OpenAI CEO Sam Altman claims his company knows how to build AGI and predicts AI agents will join the workforce in 2025. OpenAI defines AGI as systems that outperform humans at economic tasks, with a specific financial threshold of $100 billion in profits set in their agreement with Microsoft. The technology rights for AGI are excluded from OpenAI’s IP investment contracts with companies like Microsoft, marking its strategic importance. Critics, including Gary Marcus, have dismissed Altman’s claims as marketing hype. Altman acknowledges the potential economic disruption from AGI and suggests universal basic income as a solution for workforce displacement.
- A New York University study published in Nature Medicine reveals that introducing just 0.001% of medical misinformation into LLM training data can compromise the model’s accuracy, resulting in over 7% harmful responses. The researchers tested this by injecting false information into “The Pile” database across 60 medical topics, finding that the poisoned models not only produced misinformation about targeted topics but became generally unreliable about medicine. The study demonstrates that for $100, someone could generate 40,000 articles to poison a large model like LLaMA 2, with the misinformation potentially hidden in invisible webpage text. While the researchers developed an algorithm to flag potentially false medical information, the study highlights ongoing challenges with both intentional poisoning and existing medical misinformation in training data, including outdated information in curated databases like PubMed.
Legislation
- The Texas Legislature is considering the Texas Responsible AI Governance Act, which aims to regulate high-risk AI systems that make consequential decisions affecting areas like healthcare, housing, and employment. The Act establishes strict requirements for developers and deployers, including mandatory risk assessments, consumer disclosures, and human oversight of AI decisions. The legislation prohibits specific AI uses such as social scoring, unauthorized biometric data collection, and emotional inference without consent, while giving consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, and businesses operating in Texas would need to ensure compliance through impact assessments and updated procedures.
- California has enacted a law prohibiting insurance companies from using AI alone to deny health insurance claims. The legislation, Senate Bill 1120 (Physicians Make Decisions Act), was signed by Governor Gavin Newsom in September 2024 in response to data showing 26% of California insurance claims were denied in 2024. The law requires human judgment in coverage decisions, sets strict deadlines for claim reviews (5 business days for standard cases, 72 hours for urgent cases, and 30 days for retrospective reviews), and gives the California Department of Managed Health Care enforcement authority with power to issue fines. The initiative has gained national attention, with 19 states considering similar legislation and congressional offices exploring federal regulations.
Regulation
- The FDA has released new draft guidance for AI-enabled medical devices, building on its previous predetermined change control plan guidance from December 2023. The guidance, to be published in the Federal Register on January 7, provides recommendations for the total product lifecycle of AI-enabled devices, including design, development, maintenance, and documentation requirements. The FDA has authorized over 1,000 AI-enabled devices and will accept public comments on the draft guidelines through April 7, with specific focus on AI lifecycle alignment, generative AI recommendations, performance monitoring, and user information requirements. The agency will host webinars on February 18 to discuss the regulatory proposal and on January 14 regarding the final PCCPs guidance, while emphasizing the importance of addressing transparency and bias in AI medical devices. The guidance aims to ensure performance considerations across race, ethnicity, disease severity, gender, age, and geographical factors are addressed throughout device development and monitoring.
Advanced Practice Providers
- Advanced Practice Providers (APPs), including nurse practitioners, physician assistants, and other specialists, are filling healthcare gaps caused by physician shortages and increased demand for services. Chief APPs (CAAPs) have emerged as leaders who manage APP integration within healthcare organizations. APPs can diagnose conditions, prescribe medications, conduct exams, and interpret tests, while spending more time with patients than traditional providers. The expansion of APP roles offers a solution to healthcare access issues, particularly in underserved areas, and their scope of practice continues to grow alongside the importance of CAAPs in healthcare systems.
Patient Confidentiality
- The U.S. Department of Health and Human Services has proposed new HIPAA Security Rules, marking the first update since 2013, with publication scheduled for January 6, 2025. The proposed changes include mandatory encryption of PHI at rest and in transit, implementation of multi-factor authentication, and requirements for covered entities to review and update security policies regularly. Business associates must provide written verification of technical safeguards annually and notify covered entities within 24 hours of access changes or contingency plan activations. The rules establish specific timeframes for security compliance, including 15-day patches for critical risks and 72-hour system restoration requirements, while requiring organizations to maintain technology asset inventories and network maps with annual updates.
Fraud & Abuse
- ASD Specialty Healthcare has agreed to pay $1.67 million to settle anti-kickback claims for providing free inventory management systems to retina practices that agreed to purchase drugs from them. The company, operating as Besse Medical and a subsidiary of Cencora, acquired the PODIS system in 2017 and offered it at no cost to physicians who signed agreements to purchase drugs, including AMD treatments, while denying access to non-customers. Two whistleblowers from Regeneron Pharmaceuticals brought forth the claims and will receive $250,705 from the settlement. Medicare spent $386 million on branded AMD drugs in 2022, with $334.4 million specifically on aflibercept. The Department of Justice has also filed a separate False Claims Act complaint against Regeneron for allegedly inflating Medicare reimbursement rates for Eylea.
- A federal grand jury in Virginia indicted Chesapeake Regional Medical Center on January 8, 2025, for healthcare fraud and conspiracy to defraud the United States. The charges stem from the hospital’s alleged involvement with a physician who was previously sentenced to 59 years in prison for performing unnecessary surgeries and falsifying medical records, resulting in $20.8 million in fraudulent billings. The indictment claims hospital staff received two sets of documents for early deliveries – one with real dates and another with falsified dates – yet continued to allow procedures and bill Medicaid. The hospital faces decisions about pleading guilty or going to trial, with potential consequences including fines, monitoring requirements, and property forfeiture. This case establishes precedent for hospitals’ responsibility to prevent fraud and highlights how employee knowledge of illegal activities can result in criminal charges for the institution.
- The Second Circuit Court of Appeals has expanded the Anti-Kickback Statute by adopting the “at-least-one-purpose rule”, which states that a violation occurs when inducing healthcare purchases is just one purpose of a payment, rather than requiring it to be the sole purpose. The ruling emerged from a qui tam lawsuit against Novartis Pharmaceuticals, where the relator alleged the company used speaker programs to provide kickbacks to doctors who prescribed their multiple sclerosis drug Gilenya. The Second Circuit revived parts of the lawsuit on December 27, 2024, focusing on allegations of sham speaking events, excessive payments for canceled engagements, and the selection of high-prescribing physicians as speakers. The Court determined that no quid pro quo proof is required for AKS violations, joining seven other circuit courts in this interpretation. The decision creates heightened enforcement risks for healthcare companies and requires them to review their physician payment practices.
Litigation
- Aetna has sued drugmakers over an alleged price-fixing scheme in a lawsuit filed in Hartford, Connecticut, against nearly two dozen pharmaceutical companies, including Pfizer and Teva Pharmaceuticals, for allegedly conspiring to fix generic drug prices. The lawsuit claims the companies communicated through private meetings and trade conferences to establish a “fair share” scheme, resulting in price increases of up to 1000% for certain medications. The case follows similar legal actions by state attorneys general and other insurers, with Heritage Pharmaceuticals and Apotex already settling for $49 million in fall 2024.
No Surprises Act
AI Legislation
- The Texas Legislature is considering the Texas Responsible AI Governance Act, which would establish regulations for high-risk AI systems that make consequential decisions affecting areas like employment, education, and government services. The Act requires developers and deployers to protect consumers from algorithmic discrimination, maintain oversight of AI systems, and provide detailed disclosures about AI interactions. The legislation prohibits specific AI uses including social scoring, unauthorized biometric data collection, and emotional inference without consent, while granting consumers rights to transparency and legal action. The Texas Attorney General would have enforcement authority with fines up to $100,000 per violation, making this one of the most comprehensive state-level AI regulations proposed in the U.S.
AI Implementation
- Healthcare entities face increasing scrutiny over AI usage in patient data management, with three key areas of concern emerging: data scraping/sharing, utilization management, and discriminatory bias. Recent court cases have highlighted the importance of data anonymization in determining the validity of privacy claims, with courts generally favoring defendants when patient data is properly anonymized. Federal agencies and states are implementing regulations to limit AI’s role in medical necessity determinations, with CMS prohibiting AI-only decisions and states like California passing laws requiring specific disclosures for GenAI use in patient communications. While major litigation regarding AI discrimination hasn’t occurred yet, state attorneys general are actively investigating potential racial bias in healthcare algorithms. To mitigate risks, healthcare entities should conduct regular AI risk assessments, implement robust PHI de-identification procedures, and utilize appropriate data agreements and patient waivers.
- Testing by medical professionals has shown AI systems like ChatGPT giving dangerous medical advice up to 20% of the time. While AI tools are being used by some healthcare providers for tasks like transcription and note-taking, even these applications have shown problems with hallucinated content and bias, such as OpenAI’s Whisper inserting false information into patient records. Medical experts warn that while AI technology shows promise, its current state risks introducing dangerous “AI slop” into patient care, requiring thorough verification that may ultimately negate any time-saving benefits.
- Agentic AI is a new paradigm in which systems make independent decisions and take actions without human intervention. The technology shows potential applications in healthcare through patient monitoring, in manufacturing through production optimization, and in transportation through autonomous vehicles. Major concerns include job displacement, data privacy, control issues, and safety risks in high-stakes environments.
- A bipartisan U.S. House task force released a report on December 17 outlining AI policy recommendations for healthcare. The report identifies AI’s potential to improve healthcare efficiency through data analysis and automation while highlighting interoperability challenges between systems. It raises concerns about patient data privacy, cybersecurity risks, and the need for healthcare workforce AI training. The report also addresses unresolved issues regarding liability rules for AI-related medical errors and unclear reimbursement policies for AI implementation in healthcare systems. The task force emphasizes that payment structures and accountability frameworks for healthcare AI remain undefined, requiring further development.
Cybersecurity
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first update to the HIPAA Security Rule since 2013, requiring healthcare organizations to implement stronger cybersecurity measures for protected health information. The new requirements include written risk assessments, network segmentation, vulnerability scanning every six months, and penetration testing every 12 months. From 2018 to 2023, healthcare data breaches increased by 102%, affecting 167 million individuals in 2023 alone. The proposed changes address the evolution of healthcare delivery, increased cyber threats, and compliance issues observed by OCR. The current Security Rule remains in effect while HHS proceeds with the rulemaking process.
- The U.S. Department of Health and Human Services’ Office for Civil Rights has proposed a major update to HIPAA’s Security Rule, introducing new cybersecurity requirements with an estimated first-year compliance cost of $9 billion. The proposal includes mandatory implementation specifications for encryption, multifactor authentication, data backups every 48 hours, and requirements for business associates to verify compliance through expert analysis. Organizations will have 240 days to comply after the final rule is published, with the Notice of Proposed Rulemaking set for January 6, 2024, followed by a 60-day comment period. The proposal has bipartisan support and aims to modernize healthcare cybersecurity standards that haven’t been updated since 2013, though its fate may be influenced by the upcoming administration change.
Data Breaches
- The healthcare sector faced unprecedented cyberattacks in 2024, with 677 major health data breaches affecting 182.4 million people, including a record-breaking attack on Change Healthcare that compromised 100 million Americans and resulted in a $22 million ransom payment. Business associates were involved in 212 breaches affecting 131 million individuals, while hacking/IT incidents accounted for 550 attacks impacting 166 million people. The top 10 breaches included major healthcare organizations like Kaiser Foundation Health Plan (13.4 million affected), Ascension Health (5.6 million affected), and HealthEquity (4.3 million affected). Looking ahead to 2025, experts predict continued threats from ransomware, data theft, and supply chain attacks, with emerging concerns around telehealth security, IoT medical devices, and AI in healthcare.
- UT Southwestern Medical Center experienced a data breach in late 2024 that exposed 43,048 patients’ data through unauthorized access to a third-party calendar tool, marking their sixth breach since 2020. The exposed data included sensitive information such as names, dates of birth, Social Security numbers, medical records, diagnoses, and insurance information. UTSW’s breach occurred due to improper use of a calendar management tool without a business associate agreement. UTSW has taken remedial action, including implementing stronger security measures and notifying affected individuals.
- A significant cyberattack on Texas Tech University Health Sciences Centre (TTUHSC) and its El Paso campus compromised sensitive data of approximately 1.4 million individuals, with the Interlock ransomware group claiming responsibility for stealing 2.1 million files totaling 2.6 terabytes. The breached data included personal information such as names, Social Security numbers, financial details, and health-related records, prompting TTUHSC to offer complimentary credit monitoring services and establish a toll-free assistance line for affected individuals. The incident follows a pattern of major healthcare sector cyberattacks in 2024, including the Change Healthcare breach affecting 100 million individuals ($22 million ransom), MediSecure in Australia, and Synnovis in London’s NHS hospitals. TTUHSC discovered the breach in mid-September, reported it to authorities, and is implementing enhanced security measures while working with cybersecurity specialists.
Litigation
- Apple has agreed to pay $95 million to settle a lawsuit alleging that Siri recorded private conversations without consent. The settlement addresses “unintentional” recordings that occurred after the “Hey, Siri” feature was introduced in 2014, with users reporting suspiciously targeted ads following private conversations. Affected customers who purchased Siri-enabled devices between September 17, 2014, and December 31, 2024, can claim up to $20 per device for a maximum of five devices, with eligible devices including iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs. A settlement approval hearing is scheduled for February 14, after which Apple will notify affected customers and delete their recorded private conversations. While the $95 million settlement appears significant, it’s notably less than the potential $1.5 billion fine Apple could have faced under the Wiretap Act if the case had proceeded to trial.
- The Texas Attorney General has begun enforcing the Texas Data Privacy and Security Act, which took effect on July 1, 2024. The Act grants consumers rights to access, correct, delete, and obtain copies of their personal data, while requiring businesses to implement security measures and limit data collection. The Attorney General has issued violation notices targeting inappropriate data sharing, lack of consumer consent, and deficiencies in privacy notices. The enforcement actions focus on cases where sensitive user data, including location and vehicle information, was shared without proper consent. Businesses operating in Texas must now ensure compliance with the Act’s requirements regarding data collection, processing, and consumer rights notifications.
Medical Reasoning
- A recent research paper evaluates the performance of OpenAI’s o1-preview model, a large language model, on clinical reasoning tasks. The study conducted five experiments focusing on differential diagnosis generation, diagnostic reasoning, triage differential diagnosis, probabilistic reasoning, and management reasoning, with assessments by physician experts. The o1-preview model demonstrated significant improvements in generating differential diagnoses and in the quality of diagnostic and management reasoning compared to previous models and human physicians. However, there were no improvements in probabilistic reasoning or triage differential diagnosis compared to past models. In a battery of tests, the model correctly diagnosed 78.3% of cases, and it selected the correct next diagnostic test in 87.5% of cases. In other tests, the model outperformed GPT-4 and physicians in clinical reasoning documentation. The study concludes that the o1-preview model exhibits superhuman performance in several medical reasoning tasks, indicating potential for integration into clinical workflows to enhance decision-making and patient care.
- A new study in European Radiology shows that GPT-4 achieved 94% accuracy in radiological diagnoses, outperforming human radiologists who scored between 73% and 89%. AI in healthcare leverages massive datasets including electronic health records, medical imaging, and clinical databases to enhance diagnostic capabilities, personalize treatment plans, and support clinical decision-making. The technology powers virtual health assistants, performs remote diagnosis through wearable devices, and accelerates drug discovery while reducing development costs. Healthcare facilities are integrating AI for medical imaging analysis and patient outcome prediction, though challenges remain in regulatory compliance, data privacy, legacy system integration, and maintaining human expertise. The implementation of AI in healthcare requires addressing concerns about patient trust, workforce adaptation, and the potential overreliance on technology.
Privacy
- The U.S. Department of Justice published a proposed rule on October 29, 2024 that would restrict or prohibit data transactions involving sensitive personal data and government-related data between U.S. persons and entities from countries of concern including China, Russia, Iran, North Korea, Cuba, and Venezuela. The rule establishes bulk data thresholds ranging from 100 to 100,000 records and covers six categories of sensitive personal data including personal identifiers, geolocation data, biometric identifiers, genomic data, health data, and financial data. The regulations will impact various sectors including healthcare providers, financial services, insurance companies, and technology firms, requiring them to implement compliance programs and maintain transaction records for 10 years. The rule prohibits all data brokerage transactions and bulk genomic data transfers, while restricting vendor, employment, and investment agreements through cybersecurity requirements established by CISA. The DOJ emphasizes this is a national security measure aimed at preventing countries of concern from accessing data that could enhance their military and intelligence capabilities.
Ransomware
- A new report reveals that ransomware attacks are costing U.S. healthcare organizations $1.9 million per day in downtime expenses. Since 2018, there have been 654 ransomware attacks on healthcare providers, with 2023 marking a record high of 143 incidents and compromising over 88.7 million patient records in total, of which 26.2 million were breached in 2023 alone. Healthcare organizations experience an average of 17 days of downtime per incident, with the highest disruptions averaging 27 days in 2022, leading to an estimated total loss of $21.9 billion over six years. Cybersecurity experts emphasize the need for preparation, including incident response teams, communication plans, and regular data backups, as hackers increasingly employ double-extortion tactics by both encrypting systems and stealing data.
Regulation
- A new paper from Paragon Health Institute outlines guidelines for regulating artificial intelligence in healthcare while maintaining innovation and patient safety. The paper emphasizes that AI regulation must be specific to technology types and use contexts, as risks vary significantly between applications like diagnostic tools versus back-office functions. The FDA’s existing framework for medical device approval provides a foundation for AI oversight, with three pathways based on risk levels and the presence of predicate devices. The guidelines recommend preserving existing patient protections under HIPAA and other laws while avoiding duplicate regulations, and stress that AI systems should demonstrate safety and effectiveness comparable to human clinicians when operating autonomously.
Antitrust
- The US antitrust agencies have withdrawn the Antitrust Guidelines for Collaboration Among Competitors, directing businesses to rely on case law instead of formal guidelines. This action follows the 2023 removal of healthcare-related enforcement policy statements, creating a guidance vacuum for businesses seeking to comply with antitrust laws. The DOJ and FTC now refer companies to select court cases as examples, though these cases demonstrate wide variation in their specifics. Companies are advised to seek antitrust reviews, implement compliance policies, and conduct regular training.
Data Breaches
- A significant cyberattack on Texas Tech University Health Sciences Centre (TTUHSC) and its El Paso campus between September 17 and 29, 2024, compromised sensitive data of approximately 1.4 million individuals, with the Interlock ransomware group claiming responsibility for stealing 2.1 million files totaling 2.6 terabytes. The breached data included personal information such as names, Social Security numbers, financial details, and health-related records, prompting TTUHSC to offer complimentary credit monitoring services and establish a toll-free assistance line for affected individuals. The incident follows a pattern of major healthcare sector cyberattacks in 2024, including the Change Healthcare breach affecting 100 million individuals ($22 million ransom), MediSecure in Australia, and Synnovis in London’s NHS hospitals. TTUHSC discovered the breach in mid-September, reported it to authorities, and is implementing enhanced security measures while working with cybersecurity specialists. The organization is directly notifying affected individuals and advising them to monitor their credit reports, financial statements, and healthcare billing records, with access to free annual credit reports from Equifax, Experian, and TransUnion.
Fraud & Abuse
- A Medicare fraud and kickback scheme led to the conviction of a hospice owner and a marketer, with fraud totaling $3.2 million. The owner, who was previously banned from Medicare, concealed her ownership of the hospice through her daughter in 2025, created fake patient charts, and paid the marketer $6,000 monthly for patient referrals, resulting in 12 counts of healthcare fraud and 16 counts of kickback violations. While awaiting trial, the hospice owner took control of three additional hospices and submitted approximately $4.8 million in fraudulent claims. Many enrolled patients were either not terminally ill or were unaware of their hospice enrollment, with the marketer deliberately misrepresenting hospice eligibility requirements to prospective patients.
- The Seventh Circuit Court of Appeals is considering a landmark case that could redefine what constitutes a “referral” under the Federal Anti-Kickback Statute (AKS). The case centers on Mark Sorensen, owner of SyMed Inc., who was convicted and sentenced to 42 months in prison, ordered to pay nearly $2 million in forfeiture, and fined $25,000 for an arrangement where his company paid marketing firms to find patients needing orthopedic braces and secure orders from healthcare providers. The government argues that non-healthcare professionals can make referrals under the AKS when steering patients to specific providers, while Sorensen’s defense contends the marketing activities were passive and administrative, similar to services like 1-800 Contacts. The court’s pending decision will have significant implications for healthcare marketing practices, potentially expanding AKS prosecution to include marketing professionals and clarifying when promotional activities cross the line into illegal referrals. The case was argued on December 4, 2024, with the Circuit Court’s opinion expected to provide crucial guidance for healthcare entities engaging in marketing activities.
- Recent amendments to the Stark Law have introduced significant changes affecting healthcare real estate transactions. The law, which governs physician self-referral for Medicare and Medicaid patients, has been updated with new definitions of fair market value (FMV) and general market value specifically tailored to healthcare transactions. These modifications directly impact how lease and service agreements are structured under the Stark Law exceptions, while the regulations, including the Anti-Kickback Statute, continue to present operational challenges and potential pitfalls for real estate decisions in healthcare settings.
HIPAA
- The North American EHR market is projected to reach $14.72 billion in 2024 with a 2.84% CAGR through 2030, serving 88.6% of American physicians in small practices. HIPAA, enacted in 1996, serves as the cornerstone of patient data protection in the U.S., with a clear distinction between HIPAA compliance (an ongoing legal requirement) and HIPAA certification (completion of educational courses). Healthcare organizations must prioritize partnerships with HIPAA-certified experts to ensure proper data handling and security, while focusing on meaningful metrics like script lifts rather than just impressions. The digital transformation of healthcare, while promising improved patient outcomes through AI-powered EHRs and predictive models, requires careful balance between technological advancement and maintaining patient data security.
- The U.S. Department of Health and Human Services has finalized two key information blocking exceptions. The first rule establishes the Trusted Exchange Framework and Common Agreement (TEFCA) Manner Exception, which allows participants to limit electronic health information exchange to other TEFCA members, with full implementation targeted for late 2025 into 2026. The second rule, HTI-3, finalizes the Protecting Care Access exception, which provides protection for healthcare providers when handling reproductive health information and must be implemented by December 23, 2024. The rules include provisions for privacy protection, information segmentation, and a good faith standard that does not require providers to conduct legal research to support their decisions to withhold information. Healthcare providers must now update their policies, train staff, and implement new procedures to comply with these exceptions while maintaining documentation of their application.
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has proposed the first update to the HIPAA Security Rule since 2013, requiring healthcare organizations to implement stronger cybersecurity measures for protected health information. The new requirements include written risk assessments, network segmentation, vulnerability scanning every six months, and penetration testing every 12 months. From 2018 to 2023, healthcare data breaches increased by 102%, affecting 167 million individuals in 2023 alone. The proposed changes address the evolution of healthcare delivery, increased cyber threats, and compliance issues observed by OCR. The current Security Rule remains in effect while HHS proceeds with the rulemaking process.
- A Texas federal court has issued a preliminary injunction blocking the enforcement of the 2024 HIPAA Reproductive Privacy Rule against Dr. Carmen Purl and her clinic, which was set to require compliance by December 23, 2024. The rule, which went into effect on June 24, 2024, aimed to strengthen privacy protections for reproductive health care information, but Dr. Purl and the State of Texas filed separate lawsuits challenging its validity. The court determined that the rule conflicts with child abuse reporting laws and would cause irreparable harm to the plaintiffs through compliance costs and potential violations of Texas law. The court has requested additional briefings on constitutional questions and the definition of reproductive health care, while noting that existing HIPAA rules already protect reproductive healthcare information.
Hospitals and Hospices
- Medicare hospice utilization rebounded to 51.7% in 2023, reaching pre-pandemic levels, with total Medicare hospice payments hitting $25.7 billion and serving more than 1.7 million beneficiaries. The total number of hospice providers exceeded 6,500 in 2023, marking a 10% increase primarily driven by for-profit companies, with significant growth in Arizona, California, Nevada, Texas, and Georgia – states that have become hotspots for Medicare fraud concerns. Financial performance varied significantly between provider types, with for-profit hospices achieving 16% margins while non-profits saw only 0.3% margins. CMS implemented enhanced oversight measures in August 2023 for new hospices in four of these five states, including medical review of claims before payment. Based on the positive utilization trends and providers’ access to capital, MedPAC recommended eliminating the base payment rate increase for 2026.
- Tweener hospitals, which are too large for critical access status but too small for financial security, face closure risks with 21 hospitals closing in 2024 and 700 rural facilities at risk. These facilities struggle with cost increases outpacing reimbursement, provider shortages affecting 66% of rural areas, third-party payer denials, loss of pandemic funding, and cybersecurity threats. The closures impact healthcare access and community economics, as these hospitals serve as major employers. Congress created the Rural Emergency Hospital designation in 2020 as a solution, with 18 states enacting legislation and 30 hospitals converting to this status.
Marketing
- The Federal Trade Commission issued warning letters to 21 healthcare marketing companies on December 10, 2024, during the open enrollment period for healthcare plans. The letters address potential violations related to misrepresenting benefits, costs, and incentives in healthcare plan marketing, and emphasize the need for honest marketing practices. The FTC referenced past enforcement actions against companies like Simple Health and Benefytt Technologies as examples of consequences for violations. While no specific wrongdoing was alleged, the FTC urged recipients to review their advertisements for compliance and warned of continued monitoring of the marketplace. The agency’s warning targets companies involved in marketing Affordable Care Act Marketplace insurance and healthcare-related products, including limited benefit plans and medical discount programs.
Mergers & Acquisitions
- The DOJ’s M&A Safe Harbor policy allows companies to voluntarily disclose misconduct discovered during mergers and acquisitions within six months of closing, potentially avoiding prosecution if they remediate issues within 12 months. The policy offers benefits including reduced penalties, improved reputation, and streamlined remediation, but also carries risks such as expanded investigations, reputational damage, and increased regulatory scrutiny. Companies must evaluate several key factors when considering self-disclosure, including the nature and severity of misconduct, its widespread nature, risk of discovery, remediation feasibility, and reputational impact. Expert Amanda Johnston from Gardner Law characterizes the policy as a “double-edged sword” that requires careful consideration of specific circumstances and potential consequences. The article is part of a 5-part series focused on due diligence in FDA-regulated industries.
- The Justice Department’s Antitrust Division and FTC withdrew their 2000 Antitrust Guidelines for Collaborations Among Competitors on December 11, 2024, citing several key reasons including outdated court precedents, reliance on withdrawn policy statements, problematic safe harbors, and failure to address modern business technologies like AI and algorithmic pricing. The withdrawal was approved by a 3-2 FTC vote, with Commissioners Holyoak and Ferguson dissenting, arguing that removing guidance without replacement leaves businesses uncertain and questioning the timing given an upcoming administration change. The withdrawal does not affect other guidance documents, such as cybersecurity information sharing policies, nor does it specify how antitrust issues will be analyzed going forward. President-Elect Trump has named Commissioner Ferguson to succeed Lina Khan as FTC Chair.
- A comprehensive study published in the Journal of the American College of Surgeons reveals that hospital mergers and acquisitions rarely deliver on their promised benefits. The systematic review, analyzing studies from 2000-2024, found that 77% showed either reduced quality or no improvement in care quality after integration, while 93% of cases resulted in increased hospital charges. Nearly 70% of U.S. hospitals are now part of larger health systems, yet more than half of the reviewed studies (54%) demonstrated a negative net impact on healthcare value.
OIG Advisory
- New OIG Advisory Opinion No. 24-10 addresses a medical and dental supplies distributor’s proposed expansion of their customer loyalty program, where members earn points on dental-related purchases that can be redeemed for discounts on future purchases. The program includes a tiered membership system based on annual spending, offering benefits like priority scheduling, extended warranties, and service discounts, with points worth $0.005 each and redeemable for up to 50% of purchase prices. The program would cover approximately 200,000 dental-related products, including both federally reimbursable and non-reimbursable items, with points earned equally regardless of product type and membership available to smaller customers like dental practitioners, specialists, laboratories, and local dental service organizations. While the arrangement would technically generate prohibited remuneration under the Federal anti-kickback statute, the OIG concluded it poses low risk of fraud and abuse due to its structure, transparency, and limitations, and therefore would not impose administrative sanctions. The program includes safeguards such as points being non-transferable, having no cash value, requiring partial payment for all purchases, and maintaining transparency through a points dashboard managed by a third-party vendor.
- New OIG Advisory Opinion No. 24-11 addresses a pharmaceutical manufacturer’s program to provide free meningococcal vaccinations to patients prescribed their drugs, which carry a high risk of meningococcal infections (1,000-2,000 times greater than healthy individuals). The program aims to remove barriers to vaccination access and includes both the vaccines themselves and administration through either a third-party vendor or healthcare providers, with Medicare Part D enrollees exempt from out-of-pocket costs for these vaccines as of January 1, 2023. While the arrangement technically constitutes remuneration under the Federal anti-kickback statute, the OIG determined the fraud risk is low since it primarily enhances safety protocol compliance rather than inducing drug purchases, and healthcare providers can only bill for a nominal administration fee (approximately $20). The OIG concluded they would not impose sanctions under the Federal anti-kickback statute or the Beneficiary Inducements CMP, as the arrangement primarily serves to address FDA safety concerns and doesn’t significantly influence provider selection or medical decision-making.
- New OIG Advisory Opinion No. 24-12 evaluates a pharmaceutical company’s arrangement to provide free genetic testing and counseling services for patients with specific kidney-related conditions, particularly focusing on an ultra-rare genetic condition affecting only 3 in 1,000,000 people. The arrangement includes three types of genetic testing panels offered through Quest Diagnostics’ subsidiary Blueprint Genetics, along with optional genetic counseling services, all provided at no cost to eligible patients who meet specific medical criteria. The pharmaceutical company manufactures a drug approved for treating one subtype of the condition (Subtype 1), but the arrangement prohibits sharing identifiable patient data with the company and prevents any direct marketing of the drug through the program. The OIG concluded that while the arrangement technically generates prohibited remuneration under both the Federal anti-kickback statute and Beneficiary Inducements CMP, they would not impose administrative sanctions due to the low risk of fraud and abuse, given the narrow eligibility criteria, lack of marketing connection to the drug, and various safeguards in place. The arrangement includes specific limitations, such as applying only to the requesting company and requiring all material facts to be fully and accurately presented for the opinion to remain valid.
- New OIG Advisory Opinion No. 24-13 evaluates a pharmaceutical company’s arrangement to provide financial assistance for travel, lodging, meals, and associated expenses to patients receiving a specific cell therapy product. The arrangement was intended to support patients who need to travel to specialized treatment centers for a potentially curative T-cell immunotherapy, especially those who have tried and failed other treatment options. The OIG concluded that while the arrangement could potentially be seen as providing prohibited remuneration under the Federal anti-kickback statute, it would not impose administrative sanctions. The OIG found the risk of fraud and abuse to be low because the arrangement helps remove barriers to accessing necessary medical care without promoting overutilization or inappropriate use of services. The arrangement also ensures that patients and their caregivers receive support only when other assistance is unavailable, thereby reducing the risk of it being used as a marketing tool to influence treatment decisions. Furthermore, the OIG determined that the arrangement does not violate the Beneficiary Inducements CMP because it meets the “Promotes Access to Care Exception.” This exception applies when the remuneration improves a patient’s ability to obtain medically necessary services without increasing costs or compromising patient safety and quality of care.
Pharma
- The 340B Program in 2024 experienced major changes as pharmaceutical manufacturers introduced rebate models requiring entities to pay non-340B prices upfront and request rebates afterward, leading to legal challenges from Johnson & Johnson, Eli Lilly, and Bristol-Myers Squibb against HHS. At least 37 manufacturers continued restricting 340B pricing for contract pharmacy arrangements, while eight states enacted laws to protect contract pharmacy access, with the 8th Circuit Court upholding Arkansas’s law. The 340B SUSTAIN Act gained momentum in Congress, proposing to formalize contract pharmacy arrangements and establish a centralized clearinghouse for claims processing. HRSA issued a revised Alternative Dispute Resolution process and continued audits based on sub-regulatory guidance, despite ongoing challenges to its enforcement authority.
Real Estate and Leases
- Letters of Intent are vital for health care leases. Though typically non-binding, the LOI serves as a roadmap for lease negotiations and should address terms including initial and renewal periods, operating expenses, assignment rights, maintenance obligations, holdover provisions, tenant improvements, exclusivity rights, and default terms. The document must include specific details about permitted use, square footage, parking rights, and signage rather than deferring details to the final lease. Senior Counsel Allison Zangrilli and Zlata Fayer from Epstein Becker Green’s Health Care and Life Sciences Group provide this guidance based on their experience in commercial lease negotiations. The article emphasizes that comprehensive LOI terms reduce negotiation time and prevent costly disputes during the lease drafting process.
- In a significant ruling from the U.S. Bankruptcy Court for the Western District of Pennsylvania, the Guardian Elder Care case established that assisted living and nursing facilities qualify as residential properties under Section 365(d)(3) of the Bankruptcy Code, allowing more flexibility in post-petition rent payments during Chapter 11 proceedings. The court applied a “totality of circumstances” test to determine the property classification, considering factors such as long-term occupancy and the facilities’ purpose as homes for residents. The decision aligns with legislative history from 1984, which initially created the residential/nonresidential distinction primarily to protect shopping center landlords. The ruling provides relief for healthcare facilities facing financial challenges after the reduction of pandemic-era federal support, while still maintaining protections for landlords through administrative expense priority and stay relief options.
Transgender Care
- A federal appeals court ruled that two Texas doctors lack standing to sue over the Biden administration’s transgender health discrimination policy. The unanimous decision by the 5th U.S. Circuit Court of Appeals reversed a lower court ruling, finding that doctors Susan Neese and James Hurly faced no enforcement threat under the Department of Health and Human Services’ 2021 policy interpreting the Affordable Care Act to prohibit discrimination based on gender identity. The doctors had claimed they risked losing federal funding if they refused to provide treatments they didn’t support, but the court determined they had valid, non-discriminatory reasons for their medical practices. In 2022, HHS issued a formal rule barring gender identity discrimination in healthcare, which was later put on hold amid challenges from Republican states, and the incoming Trump administration could potentially roll back these protections.
AI Implementation
- A recent report reveals that AI is primarily used for administrative tasks in healthcare settings, with clinical applications still in early adoption stages. Most medical facilities have been using AI for at least 10 months, and there is an expectation for AI to play a larger role in reviewing electronic health records and enhancing patient care. A significant knowledge gap exists, as only 24% of respondents received AI training from their employers, and concerns about data privacy and ethical issues are prevalent among 72% and 70% of respondents, respectively. Currently, AI is used for transcribing patient notes and business meetings, creating routine communications, and analyzing medical images. In the future, over 40% of respondents expect AI to assist more in clinical applications and physician training.
- The Department of Justice (DOJ) is scrutinizing the use of AI in healthcare, updating compliance guidelines to ensure companies mitigate risks associated with AI misuse, emphasizing the need for robust compliance programs and risk assessments. Health care companies must ensure compliance programs are equipped to handle AI-related risks, with adequate resources and training to prevent misuse and ensure accountability. Overall, these developments highlight significant legal challenges and regulatory scrutiny in the healthcare sector, emphasizing the need for vigilant compliance and monitoring of ongoing litigation.
- The Texas Attorney General has initiated investigations into 15 companies including Character.AI, Reddit, Instagram, and Discord regarding their privacy and safety practices for minors under the SCOPE Act and TDPSA, which require parental consent for data collection and provide tools for privacy control. The investigations are part of Texas’s broader data privacy enforcement initiative, following a recent lawsuit against TikTok and a $1.4 billion settlement with Meta over facial recognition data misuse. The SCOPE Act specifically prohibits sharing minors’ personal information without parental consent and requires companies to provide parental control tools, while the TDPSA enforces strict notice and consent requirements for collecting minors’ personal data. These protections extend to AI products, and Texas has demonstrated its commitment to data privacy enforcement through actions like the lawsuit against General Motors for illegal driver surveillance and data sharing with insurance companies. Texas is becoming a leader in data privacy enforcement, with these investigations representing a significant step toward ensuring technology companies comply with state laws protecting children from exploitation and harm.
Data Privacy
- Healthcare data represents 30% of global data, with 97% currently unused, though this is changing through AI and improved accessibility. Real-world data (RWD) and evidence (RWE) are becoming crucial, with 90% of life sciences executives leveraging RWE for decision-making, while AI algorithms have improved clinical trial matching by over 40% and recruitment by 1,800%. Patient-centric healthcare organizations are achieving twice the revenue growth compared to those with lower satisfaction scores, with AI-powered clinical decision support systems saving approximately $1,000 per patient encounter. Supply chain challenges remain significant, with 80% of healthcare providers expecting issues to persist or worsen, and half of suppliers losing over 2.5% revenue due to shortages between February 2023-2024, though predictive AI systems can now identify product shortages with over 90% accuracy.
- Even public-facing healthcare websites can present significant privacy risks through seemingly innocent features like contact forms, appointment requests, and symptom checkers. Unauthenticated pages can inadvertently capture Protected Health Information (PHI) through web forms, tracking technologies, cookies, and web beacons, which may collect user data including IP addresses and browsing history. Healthcare organizations must implement proper safeguards including data encryption, secure storage, explicit consent mechanisms, and careful evaluation of third-party tracking technologies to maintain HIPAA compliance. Organizations should consider minimizing PHI collection on public pages by providing general inquiry options instead of detailed health information forms, while maintaining clear privacy notices and readily accessible contact information for privacy-related concerns. The protection of PHI requires ongoing vigilance and consistency, as even basic data points can constitute protected health information when linked to an individual’s healthcare activities.
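As an added example (not code from the page or from any organization it discusses), the following Python script shows how the review described above can be run over a page’s HTML: it flags forms whose field names suggest health details, forms that post to another origin (where the receiving vendor would need a business associate agreement), and third-party scripts and 1x1 tracking pixels loaded on the same page. The sample HTML, the clinic domain and the vendor and tracker hostnames are constructed for the example, and the health-field keyword list is a heuristic assumption rather than a definition of PHI.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic field-name hints that suggest a form is collecting health details.
# This keyword list is an assumption for the example, not a definition of PHI.
HEALTH_FIELD_HINTS = ("symptom", "diagnos", "condition", "medication",
                      "birth", "dob", "ssn", "insurance", "reason_for_visit")

# Constructed sample page: hypothetical clinic site plus hypothetical vendor
# and tracker hosts. None of these domains are real.
PAGE_URL = "https://clinic.example/request-appointment"
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.clinic.example/app.js"></script>
<script src="https://analytics.example-tracker.net/tag.js"></script>
<img src="https://pixels.example-ads.com/beacon.gif" width="1" height="1">
<form action="https://intake.example-vendor.com/submit" method="post">
  <input name="full_name">
  <input name="date_of_birth">
  <textarea name="symptoms"></textarea>
  <input name="insurance_id">
</form>
<form action="/contact" method="post">
  <input name="email">
  <textarea name="message"></textarea>
</form>
</body></html>
"""


class PageAuditor(HTMLParser):
    """Collects forms (with field names) and third-party script/img/iframe loads."""

    def __init__(self, page_url):
        super().__init__()
        self.site = urlparse(page_url).hostname
        self.forms = []          # [{"action": str, "fields": [names]}]
        self.third_party = []    # [(tag, src, is_pixel)]
        self._form = None

    def is_third_party(self, url):
        host = urlparse(url).hostname
        if not host:                      # relative URL: same origin as the page
            return False
        # Subdomains of the clinic site count as first party here.
        return host != self.site and not host.endswith("." + self.site)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):
                self._form["fields"].append(a["name"])
        elif tag in ("script", "img", "iframe"):
            src = a.get("src", "")
            if self.is_third_party(src):
                pixel = (tag == "img" and a.get("width") in ("0", "1")
                         and a.get("height") in ("0", "1"))
                self.third_party.append((tag, src, pixel))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return the health-data forms on a page and the findings a privacy review would raise."""
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    report = {"phi_forms": [], "third_party": auditor.third_party, "findings": []}
    for form in auditor.forms:
        phi = [n for n in form["fields"]
               if any(h in n.lower() for h in HEALTH_FIELD_HINTS)]
        if not phi:
            continue                      # a general contact form is out of scope
        report["phi_forms"].append({"action": form["action"], "phi_fields": phi})
        if auditor.is_third_party(form["action"]):
            # Submissions leave the site: the receiving vendor needs a BAA.
            report["findings"].append(
                f"health fields {phi} post cross-origin to {form['action']}")
        for tag, src, pixel in auditor.third_party:
            kind = "tracking pixel" if pixel else f"third-party {tag}"
            # A tracker on the same page sees the URL, IP address and often typed values.
            report["findings"].append(f"{kind} loaded alongside health form: {src}")
    return report


if __name__ == "__main__":
    for line in audit_page(PAGE_URL, SAMPLE_HTML)["findings"]:
        print(line)
```

Run against the sample, the script reports the cross-origin intake form once and each third-party resource once; the first-party CDN script and the general contact form are not flagged. A real crawl would feed fetched HTML into `audit_page` page by page, and the usual remediation for a flagged page is to drop the tracker from pages that carry health forms or to move the detailed form behind authentication, leaving only a general inquiry form on the public page.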
Data Breaches
- The healthcare sector experienced unprecedented data breaches in 2024, with 168 million individuals affected across all reported incidents and 137 million from the top 10 breaches alone. Change Healthcare suffered the largest breach, affecting 100 million individuals, after the BlackCat/ALPHV ransomware group gained entry through a Citrix remote-access portal that lacked multi-factor authentication, resulting in a $22 million ransom payment and widespread healthcare disruptions. Kaiser Foundation Health Plan (13.4M affected), HealthEquity (4.3M), and Concentra Health Services (4M) rounded out the top breaches, with most incidents involving hacking or IT incidents, particularly targeting third-party vendors. Nine out of the ten largest breaches were attributed to hacking/IT incidents, with five originating from HIPAA business associates’ network servers. The breaches highlighted ongoing cybersecurity challenges in healthcare, including ransomware threats, third-party risk management issues, and the need for enhanced security measures like MFA implementation.
Cybersecurity
- The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program due to increasing cyberattacks on healthcare organizations, resulting from the narrow scope and ineffective oversight of previous audits conducted by the Office for Civil Rights (OCR) in 2016-2017. In response, OCR plans to resume HIPAA audits by late 2024 or early 2025, with an expanded focus on physical and technical safeguards, and the development of criteria for compliance reviews. While OCR agreed to most of OIG’s recommendations, it did not concur with the recommendation to ensure deficiencies are corrected, citing limitations in legal authority and resources. OCR also intends to define metrics for monitoring audit effectiveness and will survey past audit participants to track compliance improvements. The enforcement process for potential HIPAA violations involves reviewing complaints, investigating breaches, and potentially referring criminal violations to the Department of Justice.
- A recent report analyzed cyberattacks on cyber-physical systems (CPS) and found significant financial impacts, with 27% of organizations experiencing losses of $1 million or more. Key contributors to these losses included lost revenue (39%), recovery costs (35%), and employee overtime (33%). Ransomware was a major factor, with 53% of respondents paying over $500,000 to regain access to encrypted systems, a problem particularly severe in the healthcare sector. Operational impacts were also significant, with 33% experiencing a full day or more of downtime and 49% taking a week or more to recover. Despite these challenges, 56% of organizations reported increased confidence in their CPS’s ability to withstand cyberattacks, and 72% expect security improvements in the coming year.
Geo-Location Data
Enforcement
Centers for Medicare & Medicaid Services
- On November 1, 2024, the Centers for Medicare & Medicaid Services (CMS) finalized an extension of virtual direct supervision through real-time audio-visual technology until December 31, 2025, and permanently for certain “incident to” services. These changes are part of the CY 2025 Medicare Physician Fee Schedule (MPFS) and Medicare Hospital Outpatient Prospective Payment System (OPPS) final rules, which revise regulations to balance patient safety and program integrity with expanded access to care. CMS has permanently extended virtual direct supervision for specific low-risk services typically performed by auxiliary personnel, such as those described by CPT code 99211. CMS is considering further expanding permanent virtual direct supervision for additional low-risk services like diagnostic tests and behavioral health. Stakeholders have generally supported the extension, though concerns about patient safety and billing barriers remain.
- Medicaid involves a complex five-year lookback period where any unexplained transfers of assets can result in penalty periods affecting eligibility. The penalty period length is calculated by dividing the transferred asset value by the state’s determined nursing home cost, with the period beginning when the applicant is otherwise eligible for benefits while in a nursing facility. Several exemptions exist, including transfers between spouses, transfers to young or disabled children, and specific cases involving primary residence transfers to siblings or caretaker children who meet certain criteria. Applicants can avoid penalties by proving the transfer was intended for fair market value, was made for purposes other than qualifying for Medicaid, or if the transferred assets are returned. The process is particularly challenging for elderly residents with diminished cognitive function, often requiring nursing facility staff or consultants to handle the documentation and appeals process.
- “CMS Issues Final Rules for Medicare Parts A and B Overpayments: Key and Lingering Questions” outlines significant changes to Medicare overpayment rules effective January 1, 2025. The Centers for Medicare & Medicaid Services released a final rule in November 2024 that modifies overpayment requirements in two key ways: allowing a 180-day suspension of the return deadline during good-faith investigations and changing the standard for identifying overpayments to align with the False Claims Act’s knowledge standard. The new rule removes the requirement to quantify overpayment amounts before identification, though CMS notes that practical considerations still require calculation within 60 days of identification. While appearing to extend timeframes for providers, the rule may actually reduce available time for identifying and returning overpayments, and leaves several critical questions unanswered regarding notice requirements and handling of incomplete investigations after the 180-day period.
Compliance Programs
- The Office of Inspector General (OIG) issued new Industry-Specific Compliance Program Guidance (ICPG) for nursing facilities, updating its previous guidance from 2000 and 2008 to address modern compliance challenges. The guidance focuses on four main risk areas: quality of care and life, Medicare/Medicaid billing requirements, Federal Anti-Kickback Statute compliance, and other risks including HIPAA and civil rights. Quality of care issues highlighted include staffing levels, infection control, emergency preparedness, and medication use, with the OIG noting these were particularly problematic during the COVID-19 pandemic. The guidance addresses billing compliance under the prospective payment system, warning against common issues like duplicate billing and fraudulent cost reports, while also providing recommendations for avoiding kickback risks in referral arrangements with various healthcare entities. The OIG encourages nursing facilities to use this guidance to identify their own risk areas and implement appropriate compliance and quality programs to mitigate these risks.
Hospital Outpatient Practices
HIPAA
- The U.S. Department of Health and Human Services “Reproductive Health Care Privacy Rule” becomes effective on December 23, 2024. To enhance privacy protections for reproductive health services, including abortion, the rule prohibits Covered Entities and Business Associates from disclosing protected health information (PHI) for investigations into, or the imposition of liability for, reproductive health care that was lawful under the circumstances in which it was provided or is protected under federal law. Requests for PHI related to reproductive health care require a signed attestation confirming the information will not be used for prohibited purposes. Covered Entities must update their Notice of Privacy Practices to reflect these changes and ensure disclosures to law enforcement are only made when legally required and compliant with HIPAA. Professional organizations advise caution in disclosing PHI to prevent or lessen serious threats, recommending legal consultation for such decisions.
- The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program, citing increasing cyberattacks on healthcare organizations and the narrow scope and ineffective oversight of the previous audits conducted by the Office for Civil Rights (OCR) in 2016-2017. In response, OCR plans to resume HIPAA audits by late 2024 or early 2025, with an expanded focus on physical and technical safeguards, and the development of criteria for compliance reviews. While OCR agreed to most of OIG’s recommendations, it did not concur with the recommendation to ensure deficiencies are corrected, citing limitations in legal authority and resources. OCR also intends to define metrics for monitoring audit effectiveness and will survey past audit participants to track compliance improvements. The enforcement process for potential HIPAA violations involves reviewing complaints, investigating breaches, and potentially referring criminal violations to the Department of Justice.
- HHS-OIG anticipates recovering $7.13 billion in FY 2024 from investigations and audits, including $4 billion from activities between April and September 2024, resulting from 1,548 criminal and civil enforcement actions. The June 2024 National Health Care Fraud Enforcement Action charged 193 individuals in schemes totaling $2.75 billion in losses, while 3,234 individuals were added to the HHS-OIG exclusion list, barring them from federal healthcare programs. Notable cases included two brothers ordered to pay $424 million in restitution for DME fraud and a nurse practitioner ordered to pay $192 million, with HHS-OIG consistently achieving a $10 return on every $1 invested in investigations. The agency’s investigations revealed significant issues in durable medical equipment fraud schemes, involving telemarketing strategies and physician bribes for unnecessary equipment orders. Beyond financial recoveries, HHS-OIG identified systemic issues including states’ inability to monitor maltreatment in foster care facilities and the need to improve maternal healthcare access through MCO provider coverage requirements.
- Even public-facing healthcare websites can present significant privacy risks through seemingly innocent features like contact forms, appointment requests, and symptom checkers. Unauthenticated pages can inadvertently capture Protected Health Information (PHI) through web forms, tracking technologies, cookies, and web beacons, which may collect user data including IP addresses and browsing history. Healthcare organizations must implement proper safeguards including data encryption, secure storage, explicit consent mechanisms, and careful evaluation of third-party tracking technologies to maintain HIPAA compliance. Organizations should consider minimizing PHI collection on public pages by providing general inquiry options instead of detailed health information forms, while maintaining clear privacy notices and readily accessible contact information for privacy-related concerns. The protection of PHI requires ongoing vigilance and consistency, as even basic data points can constitute protected health information when linked to an individual’s healthcare activities.
OIG Fraud Alert
GLP-1 Drugs
- Since 2022, four GLP-1 drugs, including those for weight loss, have been on the FDA’s drug shortage list due to high demand, leading to widespread compounding of these drugs, which would normally be prohibited. Compounded GLP-1s have become popular due to their accessibility and lower cost, despite potential differences from branded versions in formulation and administration. If the shortage ends, compounded GLP-1s will become unapproved drugs, posing legal and regulatory challenges for the FDA and compounders. The situation highlights unique market dynamics and regulatory challenges, but it is unlikely to signal a broader shift in FDA’s approach to drug compounding. The compounded GLP-1 market’s future is uncertain, with potential legal battles and pressure from branded drug manufacturers to restrict compounding.
Insurance Coverage
- A federal judge blocked a Biden administration rule allowing DACA recipients to enroll in health insurance through the Affordable Care Act, siding with 19 state attorneys general who argued it violated a law against providing public benefits to those without legal immigration status. This ruling affects DACA recipients in the 19 states that filed the lawsuit, leaving the rule in effect elsewhere. The decision prevents thousands of DACA recipients in those states from accessing subsidized health coverage, forcing many to rely on employer-provided insurance, state programs, or remain uninsured. The Kansas Attorney General, who led the legal challenge, praised the ruling as upholding the rule of law.
Physician Compensation
- It is vital to use nationally published compensation and productivity survey data correctly to set provider compensation at fair market value (FMV). Misconceptions about using survey data for FMV provider compensation are common, including the belief that compensation under the 75th percentile is always FMV or that compensation above the 90th percentile is impermissible. Relying solely on productivity ratios like compensation per wRVU or compensation-to-collections can also be misleading, as they don’t fully capture the complexity of provider compensation. To ensure FMV compensation, organizations should analyze individual arrangements, consider regional variations, and seek expert guidance from valuation firms like VMG Health.
Fraud & Abuse
Medicare Advantage Organizations
- The U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a special fraud alert on December 11, 2024, focusing on potentially abusive marketing arrangements between Medicare Advantage Organizations (MAOs), healthcare professionals (HCPs), and brokers/agents. The alert specifically addresses two concerning arrangements: MAOs providing payments to HCPs for patient referrals, and HCPs paying agents/brokers for patient recommendations, both of which could violate the federal anti-kickback statute and other laws. OIG identified several suspect characteristics that may indicate fraud risk, including payments contingent on patient demographics or health status, and remuneration that varies with referral numbers. Following recent settlements with MCS Advantage ($4.2 million) and Oak Street Health ($60 million), this alert emphasizes the need for careful structuring of relationships between MAOs, HCPs, and brokers/agents to ensure compliance with federal laws and prevent improper steering, inappropriate enrollments, and anticompetitive conduct. The guidance aims to protect Medicare Advantage beneficiaries from enrolling in unsuitable plans or choosing inappropriate healthcare providers based on financially motivated recommendations rather than their actual healthcare needs.
- The Centers for Medicare and Medicaid Services released a 240-page Proposed Rule on December 10, 2024, introducing significant changes to Medicare Advantage (MA), Medicare Part D, Medicaid, Medicare cost plans, and PACE programs. Key changes include stricter requirements for medical loss ratio (MLR) reporting, requiring incentives and bonuses to be tied to measurable clinical or quality improvement standards, and new regulations for quality improvement activity expenses. The rule proposes new guidelines for supplemental benefits administered through debit cards, including restrictions on usage and marketing, while expanding the definition of “marketing” under MA and Part D regulations to enable stronger CMS oversight. Additional proposals include enhanced agent/broker disclosure obligations, new pharmacy network contracting requirements including mandatory notification deadlines and reciprocal termination rights, and required pharmacy enrollment in the Medicare Transaction Facilitator Data Module. The proposals aim to improve transparency, reduce excessive spending, and enhance beneficiary protections across Medicare programs.
Unlicensed Practice of Medicine
- Texas Attorney General Ken Paxton has filed a lawsuit accusing a New York doctor of prescribing abortion drugs to a Texas resident in violation of state law. The lawsuit targets Dr. Margaret Carpenter, who allegedly mailed abortion pills to a 20-year-old woman in Collin County, Texas, when she was nine weeks pregnant, with Paxton seeking $100,000 for each violation of Texas’ near-total abortion ban. The case represents the first test of conflicting state abortion laws, with New York’s shield law protecting providers from out-of-state investigations while Texas vows to pursue such cases regardless. Dr. Carpenter, who is not licensed in Texas, founded the Abortion Coalition for Telemedicine and works with organizations that help provide telemedicine consultations and abortion pills to patients in states with abortion bans. Legal experts are divided on the outcome, with New York’s shield law designed to prevent Texas from bringing New York providers into Texas courts, potentially leaving Texas without a defendant to prosecute.
AI Governance
- At the HLTH health innovation conference, a panel of AI experts expressed skepticism about appointing a chief AI officer in health organizations, advocating instead for improving AI literacy across the board. Some providers have established an AI oversight committee and an AI Enablement Center to democratize AI governance and ensure responsible integration of AI technologies. The widespread use of AI in radiology for diagnostic support and the growing adoption of ambient AI scribes have significantly reduced administrative burdens for physicians. The use of AI in administrative tasks, such as drafting patient communications, has shown positive results, with patients reportedly preferring AI-generated responses for their empathetic tone. Nevertheless, it is important to maintain a human element in AI applications, ensuring that AI supports rather than replaces clinical decision-making.
- The FDA has issued final guidance on regulating changes to AI-enabled medical devices through pre-determined change control plans (PCCPs), allowing for post-market modifications while maintaining safety and effectiveness. PCCPs, first introduced in 2019, enable performance enhancements by outlining specific, verifiable modifications and include a description of planned changes, a modification protocol, and an impact assessment. The guidance, consistent with a 2023 draft, now includes a section on version control and maintenance. While no adaptive AI-enabled devices have been authorized yet, PCCPs have been approved for devices through various regulatory pathways. Modifications under a PCCP must stay within the device’s intended use, and significant changes, such as altering a device’s user base or core functionalities, require new marketing submissions.
- The rapid evolution of AI in healthcare presents challenges for physicians and legal compliance, with shifting regulations and emerging laws at both federal and state levels. A federal rule effective July 2024 requires healthcare providers to comply with anti-discrimination regulations by May 2025, while various state bills focus on transparency, bias elimination, and AI limitations. Organizations like HIMSS and the AMA provide guidance on AI implementation, emphasizing human oversight and ethical considerations to enhance patient care and reduce costs. Legal risks associated with AI, such as data privacy, potential bias, and the unlicensed practice of medicine, necessitate legal expertise for healthcare providers. Despite these challenges, AI has the potential to generate actionable insights and improve healthcare operations, provided it is used responsibly and with appropriate legal guidance.
- A recent study published in npj Digital Medicine outlines comprehensive guidelines for the responsible integration of AI into healthcare, developed by a team from Harvard Medical School and the Mass General Brigham AI Governance Committee. The study emphasizes nine principles, including fairness, robustness, and accountability, and highlights the need for diverse training datasets and regular equity evaluations to reduce bias. A pilot study and shadow deployment were conducted to assess AI systems, focusing on privacy, security, and usability in clinical workflows. The study also stresses the importance of transparent communication regarding AI systems’ FDA status and a risk-based monitoring approach. Future efforts will expand testing to ensure AI systems remain equitable and effective across diverse healthcare settings.
Medical Judgment
- A recent study at Beth Israel Medical Center revealed that generative AI tools outperformed physicians in diagnosing patients by nearly 20%, achieving around 90% accuracy. This study challenges the “fundamental theorem of informatics,” which posits that human-computer collaboration should surpass either working alone. Despite the potential of genAI in healthcare, there are concerns about biases in AI models, their impact on clinician skills, and patient data privacy. As AI technology advances, the industry must address these issues and ensure that clinicians are adequately trained to use and manage these tools effectively.
- Use of artificial intelligence (AI) in health care quality measurement can enhance the precision and efficiency of performance assessment. However, the use of AI in measurement also raises concerns about biases that could perpetuate disparities and affect vulnerable individuals. There have been recent national discussions that emphasize the need for ethical, transparent, and equitable AI applications in health care quality measurement, such as the US Centers for Medicare & Medicaid Services’ (CMS) information session titled “AI in Quality Measurement” and the Biden-Harris Administration’s Executive Order on AI. Addressing bias is crucial to ensuring that AI tools do not exacerbate existing inequalities, but instead contribute to fair quality assessment and high-quality outcomes.
- Artificial intelligence, particularly large language models like ChatGPT, is increasingly used in healthcare for tasks such as answering patient questions and predicting diseases. A study by Ben-Gurion University researchers evaluated the performance of these models in understanding medical information, revealing that most models, even those trained on medical data, performed poorly, akin to random guessing. ChatGPT-4, however, showed better performance with an average accuracy of about 60%, though still not fully satisfactory. The research involved generating over 800,000 questions to assess model capabilities in distinguishing between medical concepts. The findings emphasize the need for caution in using AI for medical purposes and highlight the importance of developing models with a broader understanding of clinical language.
Employment
- Job applicants often face the challenge of applying for ghost jobs, which are non-existent positions posted by companies to build talent pools or create an illusion of growth. A 2024 survey found that 81% of recruiters have posted ghost jobs, and 30% of companies have done so this year. This practice raises ethical and data privacy concerns, particularly under the EU’s GDPR and California’s CCPA, which require transparency and proper notice of data collection purposes. Ghost jobs may violate these regulations, leading to potential fines and reputational damage for companies. Applicants can protect themselves by recognizing signs of ghost jobs and understanding their data privacy rights.
- Companies have increasingly adopted AI tools for hiring and employment decisions, raising concerns about bias and mistakes. A California Privacy Protection Agency meeting debated proposed rules to regulate AI in employment, emphasizing worker rights and transparency. Various U.S. states have enacted laws to manage AI in hiring, such as requiring consent for using AI in interviews or mandating audits to ensure non-bias. High-profile cases illustrate the potential for AI to discriminate, echoing past issues with automated credit decisions. Despite potential benefits, there is a call for transparency and governance in AI use, as candidates may avoid opportunities if AI is involved without clear policies.
Data Privacy
- According to a new survey, data privacy remains a top challenge for one-third (33%) of healthcare professionals across the seven major markets when integrating AI into clinical practice.
- GoodRx, a telemedicine platform provider, has agreed to settle a class action lawsuit for $25 million due to its use of tracking technologies that disclosed website visitor data to third parties without user consent. The Federal Trade Commission (FTC) found that GoodRx violated the FTC Act and the Health Breach Notification Rule by sharing sensitive user data without consent, leading to a separate $1.5 million settlement with the FTC. The consolidated lawsuit, Jane Doe et al. v. GoodRx Holdings, Inc., et al., includes claims of privacy invasion and violations of various California and New York laws, with Meta, Google, and Criteo also named as co-defendants. The Court is set to rule on the $25 million settlement, which, if approved, will allow affected individuals to file claims for compensation from the settlement fund. The plaintiffs’ attorneys are seeking $8.33 million, or one-third of the settlement, for fees and costs.
- The Federal Trade Commission (FTC) has taken action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for allegedly violating the FTC Act by collecting, using, and selling sensitive geolocation data without user consent. These companies are accused of unlawfully tracking and selling data related to visits to sensitive locations such as healthcare facilities, places of worship, and schools, potentially exposing consumers to privacy risks and discrimination. The FTC claims they collected over 17 billion signals daily from about a billion mobile devices, using precise geolocation data tied to unique Mobile Advertising IDs (MAIDs), which could identify individuals. The proposed FTC order requires the companies to delete all historical location data unless de-identified, notify third parties to do the same, and establish a program to prevent unauthorized use of sensitive location data. This settlement aims to protect consumer privacy and prevent misuse of sensitive geolocation information.
HIPAA Penalties
- The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) imposed a $548,265 civil monetary penalty on Children’s Hospital Colorado for violations of the HIPAA Privacy and Security Rules following breaches reported in 2017 and 2020 due to phishing attacks. The breaches compromised the protected health information (PHI) of 3,370 and 10,840 individuals, respectively, and were partly due to disabled multi-factor authentication and unauthorized email access by third parties. OCR found additional violations for failure to train staff on HIPAA Privacy Rules and conduct a proper risk analysis of electronic PHI (ePHI). In June 2024, Children’s Hospital Colorado waived its right to a hearing, leading OCR to finalize the penalty. OCR recommends that covered entities implement robust cybersecurity measures, including multi-factor authentication, encryption, regular risk analyses, and workforce training to prevent such breaches.
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined Gulf Coast Pain Consultants, LLC, $1.19 million for multiple HIPAA Security Rule violations, including failing to terminate a former contractor’s access to systems containing electronic protected health information (ePHI). The contractor, who had ceased providing services in August 2018, accessed ePHI of approximately 34,310 individuals without authorization and generated around 6,500 false Medicare claims. Gulf Coast Pain Consultants failed to conduct a HIPAA-compliant risk analysis until September 30, 2022, and did not implement necessary policies and procedures for access termination and activity review until April 2020. The penalty is part of OCR’s 14th HIPAA enforcement action in 2024 and highlights the importance of proactive cybersecurity measures. Despite providing evidence of mitigating factors, Gulf Coast Pain Consultants could not reach an informal settlement with OCR.
Quantum Computing
- The convergence of quantum technology and artificial intelligence in precision medicine is set to revolutionize healthcare by enabling highly personalized treatments and advancing drug design, medical imaging, and real-time health monitoring. Second-generation quantum technologies, which integrate quantum and classical computing, offer significant advantages in computing, sensing, and networking, with applications ranging from drug discovery to secure patient data sharing. However, these advancements come with regulatory challenges, as existing frameworks may not adequately address the unique risks associated with quantum devices, necessitating the development of new evaluation protocols, risk management frameworks, and clinical trial guidelines. Policymakers are encouraged to promote quantum literacy, anticipate societal impacts, and implement adaptive regulations to balance innovation with public safety. Ultimately, global collaboration and harmonized standards are essential to harnessing the potential of quantum technology in healthcare responsibly.
Centers for Medicare & Medicaid Services
- The Centers for Medicare & Medicaid Services (CMS) implemented a final rule in October requiring casualty insurers, defined as Responsible Reporting Entities (RREs), to report certain payments to Medicare beneficiaries or face Civil Money Penalties (CMPs). The rule focuses on “Non-Group Health Plans” (NGHPs), including liability insurers, no-fault carriers, and workers’ compensation plans, and emphasizes reporting timeliness while excluding penalties for reporting quality. This change follows the U.S. Supreme Court’s June 2024 decision to overturn the Chevron doctrine, adding scrutiny to CMS’s long-standing NGHP User Guide. Insurers face complexities in identifying the correct RRE and correctly reporting “total payment obligation to the claimant” (TPOC) settlements, with risks of overreporting in complex settlements involving multiple insurers. CMS’s guidance and the Supreme Court decision highlight the need for insurers to carefully assess their reporting obligations to avoid penalties.
- On November 1, 2024, the Centers for Medicare & Medicaid Services (CMS) released the CY 2025 Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgery Center (ASC) Payment System final rule, which includes a 2.9% increase in Medicare OPPS payments for 2025. This increase results from a 3.4% projected hospital market basket percentage increase, reduced by a 0.5% multifactor productivity reduction mandated by the ACA. The rule has been criticized by the American Hospital Association (AHA) for not adequately addressing the financial challenges faced by hospitals, particularly in rural and underserved areas. CMS has approved 21 new medical and dental procedures for the ASC covered procedures list for 2025, resulting in a projected $308 million increase in ASC payments, bringing the total to approximately $7.4 billion. The rule aligns with the Biden-Harris Administration’s goals to address health disparities and improve transparency, but concerns remain about the impact of rising labor and supply costs on healthcare delivery.
Fraud & Abuse
- Dr. Basem Hamid, a 52-year-old neurologist from Pearland, Texas, has agreed to pay $948,359.85 to settle allegations of submitting false Medicare claims. The claims involved billing for the surgical implantation of neurostimulator electrodes between August 27, 2019, and October 3, 2022. However, it is alleged that neither Dr. Hamid nor his staff performed these surgeries. Instead, patients received electro-acupuncture devices that were non-invasive and applied in his clinic, not in a surgical setting. Many patients reported that the devices, which were taped behind the ear, often fell off within a few days.
- The U.S. Department of Justice (DOJ) has historically focused on combating fraud against federally funded healthcare programs like Medicare, Medicaid, and TRICARE by encouraging whistleblowers to file lawsuits under the False Claims Act. Recently, the DOJ launched the Corporate Whistleblower Awards Pilot Program, a three-year initiative aimed at incentivizing reports of corporate crime, including private healthcare fraud, with potential monetary rewards for whistleblowers. This program expands the DOJ’s focus to include fraud involving private insurers and healthcare benefit programs outside the scope of the False Claims Act. The DOJ’s updated Evaluation of Corporate Compliance Program guidance emphasizes the importance of confidential reporting structures to protect whistleblowers and urges healthcare providers to enhance compliance programs to address both public and private healthcare fraud. These developments signal an increased scrutiny of corporate healthcare practices and the need for robust compliance systems.
- Edelmira Marquez, the 59-year-old owner of Marquez Medical Supply in El Paso, was sentenced to five years in federal prison and ordered to pay over $1.7 million in restitution for a health care fraud scheme involving adult diapers. Marquez pleaded guilty to conspiracy to commit health care fraud by billing Medicaid and Medicare for more expensive items while providing lower-value products. The fraud, which began as early as 2010, was uncovered by an investigation led by the Texas Attorney General Medicaid Fraud Control Unit and the FBI. In addition to the prison sentence, Marquez was fined $20,000 and admitted full responsibility for her actions. Born in Chihuahua, Mexico, and a naturalized U.S. citizen since 2008, Marquez had no prior criminal record and cooperated with investigators.
Mental Health and Substance Use
Pharmacy Benefit Managers
Private Equity
Artificial Intelligence
- Ensuring AI models provide faithful and reliable explanations is challenging, particularly in high-stakes fields like healthcare and finance, as current interpretability paradigms—intrinsic and post-hoc—fall short. Intrinsic models, though inherently interpretable, often lack general applicability and competitive performance, while post-hoc methods, although flexible, frequently produce explanations that do not align with the model’s logic. To address these issues, three new paradigms have been introduced: Learn-to-Faithfully-Explain, Faithfulness-Measurable Models, and Self-Explaining Models, which aim to enhance faithfulness and interpretability without sacrificing performance. These approaches are tested on synthetic and real-world datasets, showing significant improvements, such as a 15% increase in faithfulness metrics, while maintaining high accuracy. The new frameworks promise to bridge the gap between interpretability and performance, making AI systems more transparent and reliable for various applications.
- Explainable AI (XAI) is crucial for building trust by making AI decisions understandable, particularly in healthcare where transparency is essential for diagnostic and treatment recommendations. Autonomous and agentic AI systems enhance decision-making and patient care by automating processes, such as monitoring and treatment adjustments, while Edge AI enables real-time processing and improves data privacy by handling information locally. AI also augments the healthcare workforce by assisting with data analysis and diagnostics, allowing humans to focus on tasks requiring emotional intelligence and critical thinking. As AI reshapes job roles, it is essential for healthcare organizations to adapt and leverage these technologies effectively.
- Nearly half of Americans with health insurance receive unexpected medical bills due to systemic issues in healthcare billing, costing $210 billion annually and adding $68 billion in unnecessary expenses. Errors often stem from data entry mistakes, outdated coding practices, and duplicate billing, which AI and machine learning technologies aim to address by reducing errors and improving efficiency. AI-powered systems enhance claims processing by detecting errors in real-time, improving reimbursement rates, and reducing patient distress from rejected claims. Natural Language Processing (NLP) optimizes clinical documentation and revenue management, while AI also improves diagnostic accuracy by identifying conditions like ischemic strokes and hypertrophic cardiomyopathy early. However, human oversight is crucial to ensure AI’s responsible use, maintaining patient care standards and allowing healthcare professionals to focus on direct patient interactions.
Bias & Equity
Cybersecurity
- The HHS Office of Inspector General (OIG) report criticized the Office for Civil Rights (OCR) for its narrow HIPAA audit program, which assessed only eight out of 180 requirements, failing to adequately improve cybersecurity at healthcare organizations. The audits did not evaluate physical or technical safeguards, leaving potential vulnerabilities unaddressed. The OIG recommended expanding the audit scope, enforcing corrective measures, and establishing evaluation metrics, but the OCR cited budget constraints and a lack of resources as barriers to implementing these changes. From fiscal years 2018 to 2020, the OCR’s budget remained at $38 million, while complaints and data breach reports increased, and investigative staff numbers decreased by 30% since 2010. Despite agreeing with most recommendations, the OCR disagreed with requiring corrective measures, emphasizing that HIPAA allows for civil penalties instead, and audits are intended to offer technical assistance.
- The continued success of telehealth hinges on its accessibility, but challenges remain, such as digital inequalities and the need for inclusive design for diverse populations. Security is a critical concern as telehealth platforms handle sensitive patient data, necessitating robust measures like encryption, multi-factor authentication, and compliance with privacy laws. The inherent tension between accessibility and security requires a balance to prevent vulnerabilities without deterring patients from using these services. Emerging technologies like AI and blockchain may enhance both security and accessibility, but a collective effort from healthcare providers, developers, policymakers, and patients is essential to ensure telehealth remains safe and inclusive.
Data Privacy
- Four U.S. healthcare organizations, HealthFund Solutions, Option Care Health, Liberty Endo, and Numotion, experienced unauthorized access to employee email accounts. The breaches exposed protected health information of thousands of individuals, including names, addresses, Social Security numbers, medical information, and financial details. The organizations are offering credit monitoring and identity theft protection services to affected individuals.
Elderly & Aging
- Older adults increasingly require more clinical care and social services, which places a significant burden on an already strained healthcare system. The integration of data analytics in senior care can enhance patient-centered care by enabling predictive analytics for proactive health interventions and personalized treatment plans tailored to individual needs. This approach improves health outcomes and optimizes resource allocation, ensuring efficient use of staff and financial resources. The future of senior care is data-driven, with advancements in artificial intelligence and real-time health monitoring promising further improvements in care delivery. However, challenges such as ensuring data privacy and training staff to use these technologies effectively must be addressed.
Emerging Technologies
- Technology is revolutionizing healthcare by enhancing diagnostics, patient care, and operational efficiency through innovations such as AI-driven diagnostics, wearable health devices, telemedicine, and robotic surgeries. These advancements improve accessibility and accuracy, with AI improving diagnostic precision and telemedicine expanding care to remote areas. Wearable technology empowers patients by tracking vital signs and supporting chronic disease management, while electronic health records streamline data management for continuity of care. However, challenges like data privacy, security, and accessibility persist, requiring solutions to ensure equitable healthcare access. Overall, technology is creating a future where healthcare is more efficient, personalized, and accessible.
Fraud & Abuse
- Attorney General Ken Paxton’s Medicaid Fraud Control Unit was instrumental in a significant federal prosecution involving nine pharmaceutical distributor executives and sales representatives who unlawfully distributed nearly 70 million opioid pills and over 30 million doses of other prescription drugs, valued at over $1.3 billion. These drugs were illegally sold to Houston-area pill-mill pharmacies. The investigation resulted in nine defendants pleading guilty.
- Dr. Rajesh Bindal, a 53-year-old from Sugar Land, has agreed to pay $2,095,946 to settle allegations of submitting false claims for electro-acupuncture device placements. Bindal, through Texas Spine & Neurosurgery Center P.A., billed Medicare and the Federal Employees Health Benefits Program for surgical neurostimulator electrode implantation between March 16, 2021, and April 22, 2022. However, instead of performing surgeries, his clinic allegedly inserted monofilament wires into patients’ ears and taped the devices behind the ear, which were then falsely billed as surgeries. These procedures were performed in his clinic without making any incisions, and many devices reportedly fell off within days. The U.S. Attorney and law enforcement officials emphasized the importance of accurate billing to maintain public trust and the integrity of federal health care programs.
- Federal agents detained former hospital CEO Ralph de la Torre and seized his phone as part of an escalating federal corruption and fraud investigation into the bankrupt hospital chain Steward, which he formerly led. De la Torre, held in criminal contempt of Congress in September, and Armin Ernst, who also had his phone seized, are central figures in a corruption case in Malta involving alleged bribery of government officials. A Maltese magistrate has recommended charges against them for money laundering and corruption. Domestically, Steward executives are accused of misusing the Steward-owned malpractice insurer TRACO, resulting in significant financial discrepancies, with $99 million in outstanding loans and $176 million in accounts receivable owed by Steward.
HIPAA
- Healthcare providers must comply with the new HIPAA Reproductive Health Rule by December 23, 2024, which restricts the disclosure of reproductive healthcare information (RPHI) if the care was legal in the state it was provided and the information is sought for investigative or prosecutorial purposes. The Rule faces legal challenges, notably from Texas, and its future is uncertain, especially with potential changes in federal administration. Providers must assess the legality of reproductive care and the purpose of RPHI requests, requiring attestations from requesters to ensure compliance. They must update HIPAA policies, train employees, and potentially use a model attestation from the Office for Civil Rights. Additionally, providers must update their Notice of Privacy Practices by February 16, 2026, to reflect these changes and other proposed HIPAA modifications.
- The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) took its first enforcement action against Holy Redeemer Family Medicine for improperly disclosing a patient’s reproductive health information to a prospective employer without authorization. The disclosure included sensitive health details beyond what the patient had consented to share, violating HIPAA regulations. Holy Redeemer agreed to a settlement, paying a $35,581 penalty and adopting a corrective action plan, which includes revising privacy policies, training staff, and monitoring compliance for two years. OCR emphasized the importance of protecting patient privacy, particularly concerning reproductive health, to maintain trust in the patient-doctor relationship. Additionally, OCR’s Final Rule to enhance privacy protections for reproductive health information will take effect on December 23, 2024.
- On June 25, 2024, the Office for Civil Rights of the U.S. Department of Health and Human Services issued a final rule amending the HIPAA Privacy Rule to enhance privacy protections for Protected Health Information (PHI) related to reproductive healthcare. This rule prohibits healthcare entities and their business associates from using or disclosing PHI for criminal, civil, or administrative investigations related to seeking or providing reproductive healthcare. Compliance with this rule is required by December 23, 2024, and updates to Notices of Privacy Practices (NPP) must be completed by February 16, 2026. The rule mandates obtaining a written attestation ensuring PHI is not used for prohibited purposes before any use or disclosure. Additionally, the rule requires updates to NPPs to reflect these protections and changes, with varying responsibilities for group health plans based on their insurance status.
Medicare Expansion
Mental Health & Substance Use
- On September 23, 2024, the Departments of Labor, Treasury, and Health and Human Services issued a final rule under the Mental Health Parity and Addiction Equity Act (MHPAEA), which requires insurers and group health plan sponsors to conduct a comparative analysis of nonquantitative treatment limitations (NQTLs) for mental health and substance use disorder benefits. Effective for plan years starting on or after January 1, 2025, the rule mandates that ERISA plan fiduciaries certify a prudent process in selecting and monitoring service providers for this analysis. The comparative analysis requirement, in effect since February 10, 2021, applies to most group health plans and includes various NQTLs like prior authorization and network design. Plan sponsors must ensure compliance by arranging for these analyses and updating contracts with insurers and vendors. Enforcement includes audits and penalties for non-compliance, with ERISA participants entitled to request the analysis within 30 days.
OIG
- The Office of Inspector General (OIG) issued Advisory Opinion No. 24-09 in response to a request from a municipal corporation about a proposal to charge insurance for treatment-in-place (TIP) emergency medical services without ambulance transport, while waiving patient cost-sharing amounts. The OIG assessed whether this proposal would violate the Federal anti-kickback statute or the Beneficiary Inducements Civil Monetary Penalty (CMP) provisions. Although the arrangement could potentially generate prohibited remuneration under these statutes, the OIG concluded that it would not impose administrative sanctions due to the low risk of fraud and abuse associated with the proposal.
- On November 20, 2024, the Office of Inspector General (OIG) released new compliance guidance for nursing facilities, the first industry-specific guidance since the 2023 General Compliance Program Guidance. The guidance emphasizes best practices for nursing facilities, covering topics such as quality of care, Medicare and Medicaid billing requirements, and the federal Anti-Kickback Statute. Additionally, an OIG report published on November 12, 2024, found that Medicare overpaid acute-care hospitals an estimated $190 million over five years for outpatient services to hospice enrollees, and the OIG recommended improvements to prevent future overpayments.
- The HHS Office of Inspector General (OIG) report criticized the Office for Civil Rights (OCR) for its narrow HIPAA audit program, which assessed only eight out of 180 requirements, failing to adequately improve cybersecurity at healthcare organizations. The audits did not evaluate physical or technical safeguards, leaving potential vulnerabilities unaddressed. The OIG recommended expanding the audit scope, enforcing corrective measures, and establishing evaluation metrics, but the OCR cited budget constraints and a lack of resources as barriers to implementing these changes. From fiscal years 2018 to 2020, the OCR’s budget remained at $38 million, while complaints and data breach reports increased, and investigative staff numbers decreased by 30% since 2010. Despite agreeing with most recommendations, the OCR disagreed with requiring corrective measures, emphasizing that HIPAA allows for civil penalties instead, and audits are intended to offer technical assistance.