Category: Health Law Highlights

Categories
Health Law Highlights

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

  • On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
  • This marks the first settlement OCR has resolved involving a phishing attack under HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
  • These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
  • In addition to a $100,000 settlement, the agreement with the medical management company requires them to operate in accordance with a Corrective Action Plan (CAP) for three years, which includes updating their risk analysis and implementing security measures.
  • The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.
Categories
Health Law Highlights

FDA Warns Against Unauthorized Fat-Melting Injection Treatments

From NBC News, by Berkeley Lovelace Jr.:

  • The FDA has issued a warning about the dangers of using unauthorized versions of fat-dissolving injections, citing reports of severe side effects such as scarring, infections, and skin deformities.
  • These injections, also known as lipolysis injections, are typically used in problem areas such as the chin, legs, upper arms, and abdomen.
  • While the FDA has approved one injection, Kybella, from Kythera Biopharmaceuticals, there are many unapproved versions being sold at clinics and med spas, as well as online.
  • Common ingredients in these unapproved injections, such as phosphatidylcholine and sodium deoxycholate, have not been approved by the FDA.
  • The FDA advises against purchasing fat-dissolving products from websites, as they may be ineffective and carry a risk of severe side effects. If experiencing side effects from these injections, it is recommended to see a healthcare provider.
Categories
Health Law Highlights

FTC Seeks to Put Private Equity Roll-Up Strategies to Sleep With its Case Against U.S. Anesthesia Partners

From Winston & Strawn, by Neely Agin and Hannah Gallagher, writing for AHLA (Subscription):

  • FTC and DOJ have increased regulatory scrutiny on the health care industry, particularly private equity investors.
  • FTC Chairwoman Lina Khan has expressed concern over “roll-up” or consolidation strategies in the health care industry, citing potential negative effects on quality of care and costs for patients.
  • In its recent complaint against Welsh Carson and USAP, the FTC alleges a “multi-year anticompetitive scheme” to consolidate anesthesiology practices in Texas and drive up prices.
  • The complaint also includes claims against Welsh Carson, the private equity firm, and not just the portfolio company.
  • This lawsuit serves as a reminder to private equity firms to carefully consider potential antitrust risks in their investments and post-consummation behavior.
Categories
Health Law Highlights

Private Investors and Digital Health Attracting Oig Attention: General Compliance Program Guidance to Watch

From McDermott, Will & Emery, by Tony Maida, Dale C. Van Demark, Monica Wallace:

  • The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published the General Compliance Program Guidance (GCPG) as a revised reference guide for the healthcare compliance community and other stakeholders.
  • The GCPG specifically references technology companies and the growing prominence of private equity and other forms of private investment in the healthcare sector.
  • The GCPG covers various risk areas, including quality and patient safety, new entrants in the industry, financial incentives and arrangements, and the role of private investors in compliance oversight.
  • OIG’s concern about new entrants and private investment signals increased scrutiny in the healthcare marketplace and its private ownership foundation.
  • Healthcare organizations should take steps to ensure their board members and executives are trained on healthcare legal and regulatory landscape, maintain an effective compliance program, and monitor further OIG guidance and enforcement actions.
  • Private investors should also take note of OIG’s statements and the recent CMS rule requiring detailed ownership disclosure.
Categories
Health Law Highlights

HHS Finalizes Regulation of Certain AI

From Manatt, Phelps & Phillips, LLP, by Alex Dworkowitz, Alice Leiter, and Randi Seigel:

  • The U.S. Department of Health and Human Services (HHS) has finalized a rule to regulate the use of artificial intelligence (AI) in health care.
  • The rule applies to predictive algorithms used in electronic health record (EHR) systems. It requires transparency in the use of AI, including information about the purpose, funding sources, training data, fairness measures, and validation process.
  • The rule aims to promote the development of fair, valid, and safe algorithms and address concerns about biased decision-making.
  • The regulation currently applies to developers of certified EHR software and may foreshadow future regulations for health care providers.
  • The rule also includes updates to the ONC Health IT Certification Program and provisions to improve interoperability and secure exchange of health information.
Categories
Health Law Highlights

FDA’s Final Rule on Direct-to-Consumer Advertising – Presentation of Risk Information

From Foley & Lardner, LLP, by Kyle Gaget and Jordan Smiley:

  • The FDA has released a final rule regarding direct-to-consumer (DTC) advertising for prescription drugs and biologics.
  • The rule requires that DTC ads include the most important risks associated with the drug or biologic being advertised.
  • The FDA has also clarified that companies can include a “major statement” in their ads to fulfill this requirement.
  • The final rule also addresses the use of alternative media for DTC ads, such as social media and online platforms.
  • Companies are encouraged to review and update their DTC advertising practices to ensure compliance with the new rule.
Categories
Health Law Highlights

Feds Levy First-Ever HIPAA Fine for a Phishing Breach

From Govinfo Security, by Marianne Colbasuk McGee:

  • The Department of Health and Human Services has issued the first ever HIPAA fine for a phishing breach, highlighting the importance of cybersecurity in the healthcare industry.
  • The fine was imposed on a medical practice that failed to adequately protect the sensitive information of its patients, resulting in a phishing attack that compromised over 17,000 individuals’ data.
  • The incident serves as a reminder for healthcare organizations to implement strong security measures, including employee training and robust email security protocols, to prevent similar breaches from occurring.
  • The HHS Office for Civil Rights (OCR) has emphasized the need for healthcare entities to conduct regular risk assessments and implement appropriate safeguards to protect patient data.
  • This case also highlights the OCR’s commitment to enforcing HIPAA regulations and holding organizations accountable for their failure to secure sensitive information.
Categories
Health Law Highlights

The Growing Causal Divide: But-For Causation in AKS/FCA Actions

From McGuireWoods, by Renee Kumon, Timothy Fry and Brett Barnett:

  • The District of Massachusetts Court recently joined the Sixth and Eighth Circuits in requiring the government to show a direct tie between kickbacks and referrals that proximately caused claims to federal healthcare programs to prevail in Anti-Kickback Statute (AKS) and False Claims Act (FCA) actions.
  • The District Court’s ruling contributes to the growing split between the Third Circuit, which requires a mere causal connection between kickbacks and referrals, and the Sixth and Eighth Circuits, which require but-for causation between the kickback and the federal claim.
  • This split relates to the per se fraud clause added to the AKS in 2010, which provides “a claim that includes items or services resulting from a violation of this section constitutes a false or fraudulent claim” for purposes of the FCA.
Categories
Health Law Highlights

FDA Issues Revised Off-Label Communications Guidance

From Jones Day, by Anthony Dick, Harrison Farmer, Colleen Heisey, Laura Laemmle-Weidenfeld, Rebecca Martin:

  • The FDA has issued a revised draft guidance on the sharing of scientific information with healthcare providers (HCPs) regarding unapproved uses of approved/cleared medical products.
  • The 2023 Guidance expands the scope of recommendations to include independent clinical practice resources and firm-generated presentations of scientific information.
  • It introduces a new evidentiary standard for source publications and emphasizes the importance of truthful, non-misleading, factual, and unbiased communications.
  • The guidance also provides presentational considerations, such as clear disclosures, avoidance of persuasive marketing techniques, and the use of plain language.
  • Comments on the guidance can be submitted until January 5, 2024.
Categories
Health Law Highlights

CMS Issues Interim Rule in Response to State Medicaid Disenrollment Trend

From Nelson Mullins Riley & Scarborough LLP, by Shane Duer, Knicole Emanuel, Cara Ludwig:

  • The Centers for Medicare & Medicaid Services (CMS) has issued an interim rule in response to the trend of states disenrolling recipients from the Medicaid program.
  • The rule aims to limit the removal of recipients from the program for procedural reasons rather than eligibility considerations.
  • States that fail to comply with the rule may face enforcement actions, including submitting a corrective action plan and paying civil money penalties.
  • The rule also requires states to submit reports on their eligibility redetermination activities, which will be made public.
  • The regulations became effective on December 6, 2023.