Categories
Health Law Highlights

New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.

How Post-Transaction Physician Compensation Structure Affects Fair Market Value of Physician Practices

From VMG Health, by Dylan Alexander, CVA and Gerrit Elzinga, CVA:

As of January 2024, there are over 338,000 physician group practices in the U.S. The compensation structure for shareholder physicians, which often changes during business transactions, plays a significant role in the valuation of a practice. Higher post-transaction physician compensation typically results in a lower valuation for the practice due to less available earnings. 

Physician compensation can take multiple forms, including salaries, benefits and payroll taxes, discretionary expenses, and other forms of compensation such as profit sharing and distributions. The compensation levels vary from practice to practice and are a vital factor in determining the earnings available for transactions.

The profitability of a practice, which influences the available compensation, is determined by factors such as physician productivity, reimbursement rates, ancillary service offerings, and effective use of mid-level providers. Expense management is also critical, as practices with high operating expenses are less profitable.

Three main valuation methods are used for physician practices: income approach, market approach, and cost approach. Both the income and market approaches are sensitive to the level and structure of physician compensation. Lower compensation levels can increase projected free cash flows and the earnings multiple, thus increasing the practice’s valuation. However, compensation should align with market levels to avoid sustainability risks.

Physician practices have the autonomy to determine their service offerings, providers, and compensation structures. Understanding the relationship between post-transaction physician compensation and the fair market value of a practice is crucial for both buyers and sellers, as it significantly impacts the practice’s valuation.

Ozempic, Wegovy, and the New Compliance Risks for Providers

From Dentons, by Susan Freed:

Increase in Prescription of Diabetes and Obesity Drugs: There has been a significant rise in the popularity of diabetes and obesity drugs like Ozempic and Wegovy, with U.S. healthcare providers writing over 9 million prescriptions in the last three months of 2022. This is a 300% increase from 2020, with almost half of the users potentially taking these medications for weight loss.

Supply and Cost Challenges: The demand for these medications has outpaced supply, making them increasingly difficult to access, especially for new patients. The high costs, ranging from $900 to $1300 per month, also limit patient access, making health insurance coverage crucial.

Compliance Risks for Providers: The popularity of these drugs, coupled with access issues, presents new compliance risks for providers. There’s a need for increased education, monitoring, and vigilance, especially in documenting medical necessity and other criteria required by insurers.

Risk Mitigation Strategies: Compliance officers should consider providing increased education to practitioners about these medications and insurance coverage requirements, implementing processes to track insurer coverage criteria, reviewing and responding to insurer requests for documentation, and monitoring prescribing habits of practitioners. If outliers are identified, a more in-depth review should be coordinated.

Drug Diversion and Theft Risks: As access to these medications becomes more difficult, the risk of drug diversion and theft increases. Healthcare providers should ensure proper safeguarding measures are in place, especially for drug samples and drug sample closets.

US Department of Human Services vs Hospital & Tech Sector Showdown

From Telehealth.org, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

The HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.

Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

From Orrick, Herrington & Sutcliffe LLP, by Thora Johnson, Kyle Kessler, Cosmas Robless:

The U.S. Department of Health & Human Services (HHS) has updated the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2) to align with HIPAA and HITECH, aiming to improve care coordination while protecting patient privacy. Notably, patient consent for disclosure of SUD treatment records has been simplified, allowing a single consent for all future uses and disclosures related to treatment, payment, and health care operations.

The Rule permits redisclosure of SUD records by HIPAA-covered entities without additional patient consent, promoting coordinated care. The Rule also introduces a definition for SUD counseling notes, mirroring the HIPAA protections for psychotherapy notes, which require separate written consent for use or disclosure.

The Rule establishes two new patient rights: the right to receive an accounting of any disclosures of their SUD records in the three years prior to their request, and the right to request restrictions on disclosures of their records for treatment, payment, and health care operations.

The Rule expands patient privacy in legal proceedings, extending the prohibition of the use and disclosure of SUD records to all criminal, civil, administrative, and legislative proceedings against a patient. It also authorizes civil penalties, in addition to criminal ones, for Part 2 violations, aligning with the value of civil penalties under HIPAA.

The Rule applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. Providers must notify affected individuals, the Secretary of HHS, and in some cases the media in the event of a breach. The Rule will become effective 60 days after its publication in the Federal Register on February 16, 2024, with compliance required by February 16, 202

Now in Effect: Texas Ends Surprise Bills for Ambulance Rides

From D Magazine, by Will Maddox:

Surprise medical billing has largely been eliminated due to federal and state legislative efforts, but ambulance billing was not included in these regulations. A new Texas law now prevents surprise bills for ambulance services for those with state health insurance plans.

Emergency physicians and anesthesiologists were the most common sources of surprise bills, with research indicating that one in four ambulance rides results in a surprise bill. Approximately 60% of ambulance providers, both private and public, are out of network.

Bipartisan State Bill 2476 prohibits out-of-network ambulance providers from sending patients surprise bills, requiring insurers to cover costs based on local rates set by counties and cities. If no local ambulance rate exists, insurers will pay the lesser of 325% of the Medicare reimbursement rate or the full billed charge.

The new bill simplifies the initial surprise bill process, which had led to numerous lawsuits filed by the Texas Medical Association challenging the process for settling a surprise bill as directed by the federal No Surprises Act.

The new rules only cover those on state healthcare plans, including state employees and teachers, approximately one in three Texans.

New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper

From Shutts & Bowen LLP, by Kurtis Hutson, Timothy Monaghan, Ella Shenhav:

Updates to HIPAA Security Rule: The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) plan to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and propose new cybersecurity requirements in Spring 2024. These changes aim to shift the cybersecurity burden from end users to the owners and operators of technologies in critical infrastructure sectors, including healthcare.

Impact on Healthcare Companies: The new requirements could significantly expand the enforcement capabilities of regulators, impacting all entities involved in the healthcare industry. This includes manufacturers, sellers, service providers, healthcare providers, and payors who access, process, transmit, or store electronic protected health information (ePHI).

Voluntary Cybersecurity Performance Goals: HHS is developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Although termed “voluntary”, these will be used by CMS to propose new cybersecurity requirements for hospitals and participants in Medicare and Medicaid programs, and will influence the update to the HIPAA Security Rule.

Need for Proactive Measures: Healthcare organizations are advised not to adopt a “wait and see” approach, but to ensure they can demonstrate the implementation of Recognized Security Practices (RSPs). The HITECH Act amendment of January 2021 provides a safe harbor that could lead to reduced fines or termination of HIPAA-related investigations for organizations that can prove they had RSPs in place for at least the previous twelve months.

The Corporate Transparency Act: Key Considerations for Health Systems and Practice Management Companies (MSOs/DSOs)

From Proskauer – Health Care Law Brief, by Andrew Bettwy, Jeffrey Horwitz, David Manko, Jonian Rafti, Elanit Sno, Yuval Tal:

The Corporate Transparency Act (CTA), effective January 1, 2024, mandates the creation of a national registry of “beneficial owners” and “company applicants” of entities across the U.S. to counter illicit activities such as money laundering and terrorism financing. Reporting companies must disclose key information about these individuals, including legal name, date of birth, address, and government-issued identification details.

The CTA presents a compliance challenge for large healthcare enterprises due to their complex contractual arrangements with physician practices and facilities. Entities like health systems, practice management companies, and national telehealth companies, which may have numerous joint ventures and management agreements, need to determine the beneficial owners of their associated practices.

Several exemptions exist for healthcare entities under the CTA, including the Non-Profit Exemption, Large Operating Company Exemption, Subsidiary of Exempt Entity Exemption, and Inactive Entity Exemption. The applicability of these exemptions depends on factors such as tax status, employee count, gross receipts, and control over ownership interests.

A beneficial owner is defined as an individual who exercises substantial control over a company or owns or controls at least 25% of the company’s ownership interests. This could include senior officers, individuals with authority over appointments, and those with substantial influence over company decisions.

Non-compliance with the CTA can lead to significant penalties, including civil penalties of up to $500 per day and criminal penalties, including fines of up to $10,000 or imprisonment for up to two years. Federal and state law enforcement agencies may access reported information for law enforcement activities, including civil and criminal investigations and actions.

CMS Updates Guidance to Allow Texting of Patient Orders

From Robinson & Cole, by Nathaniel Arden:

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) updated its 2018 memorandum to now allow the texting of patient orders among a patient’s healthcare team.

The 2018 memorandum stated that texting of patient orders did not comply with hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) due to potential issues with record security, author identification, and HIPAA compliance.

The updated guidance recognizes technological advancements, including encryption and interfaces between texting platforms and electronic health record systems (EHRs) that can ensure compliance with CoPs through the texting of patient orders.

CMS advises hospitals and CAHs using text orders to ensure they use secure, encrypted platforms, maintain author identification integrity, comply with HIPAA, and promptly file texted orders in the EHR.

Telehealth and the Evolving Landscape of Medicare Requirements

From Verrill, by Amanda Beauregard, Andrew Ferrer:

Telehealth Importance and Changes Post-Pandemic: Telehealth has been crucial during the COVID-19 pandemic, especially for behavioral and mental health services. The U.S. Department of Health & Human Services (HHS) facilitated its expanded use by easing Medicare regulations. Key changes included recognizing a patient’s home as an “originating site” and allowing telehealth without an initial or periodic in-person visit. However, with the end of the Public Health Emergency (PHE), Medicare rules for telehealth services are changing.

Permanent Telehealth Flexibilities: Some telehealth flexibilities will remain post-PHE, including Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) serving as “distant site” providers for behavioral/mental telehealth services, no geographic restrictions for these services, and the allowance of audio-only communication platforms. 

Temporary Telehealth Flexibilities: Many telehealth flexibilities are set to expire after December 31, 202. These include FQHCs and RHCs serving as a distant site provider for non-behavioral/mental telehealth services, no geographic restrictions for an “originating site” for non-behavioral/mental telehealth services, and using audio-only communication platforms for non-behavioral/mental telehealth services.

Advocacy Efforts for Permanent Telehealth Flexibilities: Several trade associations and lawmakers are advocating for making all Medicare telehealth flexibilities permanent. They aim to ensure equitable payment for FQHCs and RHCs, remove geographic and “originating site” restrictions, eliminate the periodic “in-person” rules, maintain coverage for audio-only treatment, and expand the list of eligible Medicare providers.

Legislation Introduced for Telehealth: Several bills have been introduced to further these goals, including the CONNECT for Health Act, Telemental Health Care Access Act, Telehealth Expansion Act, Telehealth Benefit Expansion for Workers Act of 2023, and TREATS Act. These proposed laws aim to remove geographic requirements, add homes as “originating sites,” remove in-person evaluation requirements, and extend exemptions for telehealth services, among other things.