Categories
Around the Web

Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals

Web tracking technology has been in the news a lot lately. Most websites use such tools to track users as they navigate through a particular site and around the web. Nothing new here. But in doing so, user data gets transferred from one site to another, or actively collected, posing privacy risks for healthcare providers.

A new study, published in Health Affairs, indicates that 99% of hospital websites use third-party tracking code on their sites, creating privacy risks for patients and legal liability for hospitals:

We found that third-party tracking is present on 98.6 percent of hospital websites, including transfers to large technology companies, social media companies, advertising firms, and data brokers. Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses. By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties. These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.

OIG Approves Gift Cards to Promote Patient Compliance with a Preventive Screening Measure

OIG has approved the use of gift cards to incentivize patients to return sample collection kits, provided there are certain safeguards in place:

  • Mailing the gift cards only to those patients who return the kits by the deadline specified in the reminder letter.
  • Advising patients that they may not use the gift cards on items or services provided by the requestors.
  • Limiting patients to one gift card every 36 months, which is consistent with Medicare’s coverage period for the screening test.
  • Implementing processes to ensure patients who received a gift card during the 36-month period do not receive another one during that period.
  • Refraining from patient-focused promotional activities that advertise the availability of the gift card.
  • Prohibiting advertising or marketing the proposed arrangement to healthcare providers who may order the test.
  • Excluding tests ordered by healthcare providers through the requestors’ website from the proposed arrangement.

Dee Harleston, Stewart Kameen, Jinnifer Michael, and Danielle Sloane, for Bass Berry & Sims:

The U.S. Department of Health and Human Services Office of Inspector General (OIG) recently issued Advisory Opinion 23-03, approving a proposal by the manufacturer of a colorectal cancer screening test and its wholly owned laboratory to provide gift cards to certain patients to encourage them to return the sample collection kits. While limited in scope, this favorable opinion is noteworthy because OIG typically disfavors arrangements under which providers or suppliers distribute gift cards to incentivize patients to obtain federally reimbursable services. Although OIG approved the proposed arrangement at issue in Advisory Opinion 23-03, the agency also pointedly warned entities against structuring arrangements that differ from the facts of the proposed arrangement.

OIG Advisory Opinion 23-03

FDA to Refuse Medical Device Submissions For Cybersecurity Reasons Beginning in October

Jill McKeon, for Health IT Security:

Effective immediately, the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.

For any submission after March 29, manufacturers must include a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA stated.

In addition, manufacturers must develop and maintain procedures that provide a reasonable assurance that the device and systems are cybersecure and incorporate plans to patch and update the device and related systems at the postmarket stage.

Lastly, manufacturers are required to provide a software bill of materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components. The FDA issued an accompanying FAQ document to help manufacturers determine their obligations.

FDA: Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

FDA Cybersecurity Requirements for Medical Devices Now in Effect

From the HIPAA Journal:

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

A Federal Judge Suspends FDA’s Longtime Approval of an Abortion Pill, but Gives the Government 7 Days to Appeal

Medication abortions typically use two drugs taken together: Mifepristone and Misoprostol. This ruling only affects Mifepristone. The other drug, Misoprostol, is still available, but its use has always required the physician to prescribe it “off-label,” meaning it is not FDA-approved for abortions. It is FDA-approved only for use to prevent stomach ulcers while taking NSAIDs.

Chloe Atkins writing for NBC News:

In an unprecedented move, U.S. District Judge Matthew Kacsmaryk on Friday suspended the Food and Drug Administration’s longtime approval of key abortion pill mifepristone, though he gave the government a week to appeal his decision. If the ruling does eventually go into effect, it would curtail access to the standard regimen for medication abortion nationwide.

The FDA approved mifepristone more than 20 years ago to be used in combination with a second drug, misoprostol, to terminate pregnancies at up to 10 weeks. Over half of U.S. abortions are done by medication abortion, according to the Guttmacher Institute, a research group that supports abortion rights.

If the stay on the FDA’s mifepristone approval goes into effect, the drug would no longer be available anywhere in the U.S. That would leave a surgical procedure or off-label use of misoprostol on its own as the only options in states where abortion is legal.

Judge Strikes Down ACA’s Preventive Care Requirement

A Fort Worth federal judge yesterday ruled that insurers cannot be compelled under the Affordable Care Act to provide preventative care free of charge to insureds. The basis of the ruling involves the U.S. Preventive Services Task Force, which is the body tasked with enforcing the ACA. The judge determined that the Task Force is unlawful because the members are not appointed by the President or confirmed by the Senate.

Julia Forrest, writing for The Texas Tribune:

O’Connor found that preventive care recommendations issued by the panel do not have to be followed because he found their volunteer members, who are 16 medical professionals and scientists charged with issuing the recommendations, do not have to be appointed by the president nor confirmed to their posts by the Senate.

Hospital to Pay False Claims Act Penalty for Allegedly Letting Unsupervised Residents Interpret X-Rays

When a healthcare provider submits claims to Medicare, they are making several implied representations: 1) the service was medically necessary; 2) the service was performed; and 3) the service was performed by someone with the proper credentials. If any of those implied representations are not accurate, and the provider has the requisite “knowledge” of the falsity, the claims violate the civil False Claims Act.

A hospital in Iowa learned this lesson the hard way. Marty Stempniak, writing for Radiology Business:

The U.S. Attorney’s Office first filed suit against University of Iowa Health Care in 2019, accusing the institution of perpetuating a “batch signing scheme.” Through it, the Iowa City hospital would allegedly bill for radiology services rendered by residents during 12- to 15-hour on-call shifts.

However, the physician supervision and approval required by Medicare never occurred, the office alleged in its complaint. …

Rather than complete the necessary review, the office alleged, physicians instead would engage in “rapid-fire signing of dozens of reports within a matter of a minute or so, solely in order to falsely bill the government for ‘interpretations’ that never took place,” the complaint alleged.

Two nurses sent to prison for illegal kickback scheme

Healthcare providers besides physicians can also violate the Anti-Kickback Statute. And, do not think that only physicians can make illegal referrals. Paying anyone something of value for patient referrals—even a marketing company—can be illegal.

Southern District of Texas Press Release:

At the time of their pleas, they admitted that from 2014 through 2016, both obtained patient referrals by paying marketers and patients. Nwankwo further admitted to bribing a physician to authorize medically unnecessary home health services for Hefty patients.

DSOs vs. Texas’ Corporate Practice of Dentistry Doctrine: What You Need to Know

The Corporate Practice of Medicine (CPOM) is deeply rooted in Texas law. But the Corporate Practice of Dentistry similarly provides that “a person may not practice dentistry without a valid license issued by the Texas State Board of Dental Examiners. The Texas Dental Practices Act sets forth several categories of activities that constitute the practice of dentistry. For example, a person who owns, maintains, or operates a business which engages another person to practice dentistry – under any type of contract or arrangement – may be considered as engaging in the practice of dentistry.”

Like in the medical context, DSOs are often used to allow unlicensed persons to share in the revenue of the dental practice.

As Keith Lefkowitz of Hendershot Cowart, P.C. points out:

In 2015, the Texas legislature passed a law requiring Dental Support Organizations to register with the state annually and provide “the name and business address of each dentist in this state with which the dental support organization has entered into an agreement.” 

The Secretary of State shares this information with the State Board of Dental Examiners, allowing them to monitor which practices are receiving services from a DSO. 

As a result, it is imperative for licensed dentists to ensure that contracts and arrangements for business support services comply with state law and TSBDE rules and regulations, especially the Corporate Practice of Dentistry doctrine.

This type of registration system is not required for MSOs, Management (or Medical) Services Organizations. MSOs are very common in the medical industry, but, in some contexts, have been abused.

The U.S. Fifth Circuit Court of Appeals Is Poised to Address Emergency Abortions and the Scope of EMTALA’s Preemption of State Abortion Laws

Steven G. Pine, Gina L. Bertolini, with K&L Gates:

Shortly after the Dobbs decision, HHS laid out its position in an 11 July 2022 memorandum issued to state survey directors (the EMTALA memo) that asserted, among other things, that state laws purporting to limit abortion services more narrowly than provided under EMTALA are preempted.

Three days after HHS issued the EMTALA memo, the Texas Attorney General (AG) filed a federal complaint in the Texas District Court seeking a declaratory judgment that HHS had acted beyond its authority in issuing the EMTALA memo, as well as an injunction seeking to prevent enforcement of the EMTALA memo. … [T]he Texas District Court granted Texas’ request for an injunction, in part, in a preliminary order issued 23 August 2022. …

The outcome of this appeal could significantly impact how hospitals, health systems, and other providers deliver emergency abortion care across the country. HHS continues to stand behind the EMTALA memo, which has only been enjoined in the state of Texas to date, stating that it would investigate reports or complaints regarding an EMTALA violation and “will not hesitate” to refer states attempting to prohibit providers from offering emergency care consistent with EMTALA to the DOJ “to take appropriate legal action.”

I anticipate the Fifth Circuit will affirm the District Court, but other appellate courts will reach different conclusions. Ultimately it will be up to the U.S. Supreme Court to settle the scope of EMTALA preemption. Again, I think they will find there is no direct conflict between EMTALA and state law, and thus, no preemption.