Health Law Highlights

The FDA and the Future of AI Oversight

From Manatt, Phelps & Phillips, LLP, by Nicholas Bath Jr., Rachel Sher, Daniel Weinstein:

The U.S. Government Accountability Office (GAO) issued a report in January 2024 highlighting challenges faced by the U.S. Food and Drug Administration (FDA) in effectively regulating artificial intelligence (AI) and machine learning (ML) in medical devices and other emerging health care technologies. The report emphasized the need for clear regulations that balance safety, transparency, consumer protection, and innovation, especially considering the rapid evolution of AI/ML technology and its potential applications and risks.

Over the past five years, federal regulation of AI/ML has increased, particularly in the health care sector. In 2023, the FDA issued its first-ever AI/ML device draft guidance, aiming to provide a forward-thinking approach to the development of machine learning-enabled device software functions.

Despite the FDA’s efforts, the approach to AI/ML regulation has been criticized as uncoordinated and overly broad, potentially hindering technology development and rollout, and causing confusion among stakeholders. State legislators, regulators, and medical boards are beginning to introduce state-level policy, adding to the regulatory complexity.

Given the legislative gridlock, some stakeholders have proposed a novel approach to ensure the safety and effectiveness of AI/ML-enabled medical devices through public-private assurance laboratory partnerships. These labs would be testing grounds to validate and monitor AI/ML in medical devices. The proposal, while controversial, is expected to garner more attention in the coming months as the Congressional Bipartisan AI Task Force develops its comprehensive report and policy proposals to bolster the federal government’s ability to regulate AI/ML.

Cyberattack Shuts Down Pharmacies Across the US

From Brew Healthcare, by Quinn Sental:

Change Healthcare, a prominent health tech firm owned by UnitedHealth Group, suffered a cyberattack, disrupting patient payments and prescription processing across the US. The company, part of Optum, handles 15 billion healthcare transactions annually.

The cyberattack was first noticed as disruptions in the company’s applications, later identified as “enterprise-wide connectivity issues”, and eventually confirmed as a cybersecurity issue. In response, Change Healthcare disconnected its systems to prevent further spread.

The incident has affected pharmacies nationwide, preventing them from processing prescription orders. Some pharmacies could accept prescriptions but were unable to process them through patients’ insurance.

Change Healthcare said the disruption is expected to last at least a day and is specific to their systems, with all other UnitedHealth Group systems remaining operational.

Ten Physicians and Local Execs Indicted in Pharmacy Kickback Scheme

From D Magazine, by Will Maddox:

A pharmaceutical kickback scheme in the Northern District of Texas has led to the indictment of 14 people, including several podiatrists, local businessmen, and executives at Next Health, a healthcare holding company. The scheme involved physicians receiving bribes and kickbacks from pharmacies for referring prescriptions to be filled at those pharmacies, with payments being proportional to the number of prescriptions received.

The scheme, which began in 2014, was concealed through complex business arrangements and involved multiple entities. Payments were funneled through management service organizations (MSOs) and a company called Med Left, which was used to conceal and funnel bribes from the pharmacies to the physicians.

The kickbacks were often disguised as legitimate returns on investments in the pharmacies. Physicians would purchase a percentage of the pharmacy for a nominal fee and were required to refer prescriptions to the pharmacy for ownership. The profits from these prescriptions were then shared with the prescribing doctors.

The owners of Next Health, Andrew Hillman and Semyon Narosov, previously pleaded guilty to charges connected with the scheme in 2018 and were sentenced to several years in prison. Ten physicians, including podiatrists, orthopedic surgeons, and a gastroenterologist, have been indicted for referring prescriptions to Next Health’s pharmacies and receiving kickbacks.

The Risk of Criminal Charges in Hospice Fraud Cases

From Hospice News, by Holly Vossel:

Hospice providers face significant regulatory risks related to False Claims Act (FCA) violations, with potential criminal charges in instances of suspected fraud, waste and abuse. While most FCA cases don’t result in criminal charges, the resolution process can be complex and challenging for providers.

The burden of proof in most civil hospice fraud cases is relatively low, making it easier for the government to establish evidence of wrongdoing. However, the burden of proof in federal criminal fraud investigations is higher, requiring evidence of intent to defraud and willfulness.

Fraud cases can result in severe penalties for hospice owners, including prison sentences, heavy fines, revocation of Medicare certification, and being barred from the industry. An example is the case of Dr. Shiva Akula, former owner of Canon Healthcare, who was convicted for FCA violations totaling nearly $47 million.

Regulatory oversight of the hospice industry has increased due to concerns about fraud, waste, and abuse. This has been driven by the proliferation of new hospices and fraudulent billing practices. The Centers for Medicare & Medicaid Services (CMS) has implemented a “36-month” rule forbidding any change in majority ownership during the 36 months after initial Medicare enrollment.

The hospice industry is experiencing a surge in audit activity, with providers focusing more on documentation to prove patient eligibility and medical necessity of services. While increased audits do not necessarily indicate fraud, a high prevalence of billing errors can signal potential wrongdoing to regulators.

New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.

How Post-Transaction Physician Compensation Structure Affects Fair Market Value of Physician Practices

From VMG Health, by Dylan Alexander, CVA and Gerrit Elzinga, CVA:

As of January 2024, there are over 338,000 physician group practices in the U.S. The compensation structure for shareholder physicians, which often changes during business transactions, plays a significant role in the valuation of a practice. Higher post-transaction physician compensation typically results in a lower valuation for the practice due to less available earnings. 

Physician compensation can take multiple forms, including salaries, benefits and payroll taxes, discretionary expenses, and other forms of compensation such as profit sharing and distributions. The compensation levels vary from practice to practice and are a vital factor in determining the earnings available for transactions.

The profitability of a practice, which influences the available compensation, is determined by factors such as physician productivity, reimbursement rates, ancillary service offerings, and effective use of mid-level providers. Expense management is also critical, as practices with high operating expenses are less profitable.

Three main valuation methods are used for physician practices: income approach, market approach, and cost approach. Both the income and market approaches are sensitive to the level and structure of physician compensation. Lower compensation levels can increase projected free cash flows and the earnings multiple, thus increasing the practice’s valuation. However, compensation should align with market levels to avoid sustainability risks.

Physician practices have the autonomy to determine their service offerings, providers, and compensation structures. Understanding the relationship between post-transaction physician compensation and the fair market value of a practice is crucial for both buyers and sellers, as it significantly impacts the practice’s valuation.


HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to OCR.

Ozempic, Wegovy, and the New Compliance Risks for Providers

From Dentons, by Susan Freed:

Increase in Prescription of Diabetes and Obesity Drugs: There has been a significant rise in the popularity of diabetes and obesity drugs like Ozempic and Wegovy, with U.S. healthcare providers writing over 9 million prescriptions in the last three months of 2022. This is a 300% increase from 2020, with almost half of the users potentially taking these medications for weight loss.

Supply and Cost Challenges: The demand for these medications has outpaced supply, making them increasingly difficult to access, especially for new patients. The high costs, ranging from $900 to $1300 per month, also limit patient access, making health insurance coverage crucial.

Compliance Risks for Providers: The popularity of these drugs, coupled with access issues, presents new compliance risks for providers. There’s a need for increased education, monitoring, and vigilance, especially in documenting medical necessity and other criteria required by insurers.

Risk Mitigation Strategies: Compliance officers should consider providing increased education to practitioners about these medications and insurance coverage requirements, implementing processes to track insurer coverage criteria, reviewing and responding to insurer requests for documentation, and monitoring prescribing habits of practitioners. If outliers are identified, a more in-depth review should be coordinated.

Drug Diversion and Theft Risks: As access to these medications becomes more difficult, the risk of drug diversion and theft increases. Healthcare providers should ensure proper safeguarding measures are in place, especially for drug samples and drug sample closets.

US Department of Human Services vs Hospital & Tech Sector Showdown

From, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.

Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

From Orrick, Herrington & Sutcliffe LLP, by Thora Johnson, Kyle Kessler, Cosmas Robless:

The U.S. Department of Health & Human Services (HHS) has updated the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2) to align with HIPAA and HITECH, aiming to improve care coordination while protecting patient privacy. Notably, patient consent for disclosure of SUD treatment records has been simplified, allowing a single consent for all future uses and disclosures related to treatment, payment, and health care operations.

The Rule permits redisclosure of SUD records by HIPAA-covered entities without additional patient consent, promoting coordinated care. The Rule also introduces a definition for SUD counseling notes, mirroring the HIPAA protections for psychotherapy notes, which require separate written consent for use or disclosure.

The Rule establishes two new patient rights: the right to receive an accounting of any disclosures of their SUD records in the three years prior to their request, and the right to request restrictions on disclosures of their records for treatment, payment, and health care operations.

The Rule expands patient privacy in legal proceedings, extending the prohibition of the use and disclosure of SUD records to all criminal, civil, administrative, and legislative proceedings against a patient. It also authorizes civil penalties, in addition to criminal ones, for Part 2 violations, aligning with the value of civil penalties under HIPAA.

The Rule applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. Providers must notify affected individuals, the Secretary of HHS, and in some cases the media in the event of a breach. The Rule will become effective 60 days after its publication in the Federal Register on February 16, 2024, with compliance required by February 16, 202