Categories
Health Law Highlights

Data Broker Allegedly Selling De-Anonymized Info to Face FTC Lawsuit After All

From Ars Technica, by Ashley Belanger:

The Federal Trade Commission (FTC) has succeeded in keeping its case against geolocation data broker Kochava alive, alleging that the company has been selling vast amounts of data in violation of the FTC Act. The FTC accuses Kochava of selling data obtained from millions of mobile devices across the world, combining precise geolocation data with sensitive and identifying information without users’ informed consent.

The FTC claims Kochava’s data sales allow customers to create highly detailed profiles of individuals, which invades their privacy and increases the risk of secondary harms such as stigma, discrimination, and emotional distress. The FTC cited specific examples of consumers who have been harmed by such data sharing practices, including a Catholic priest who resigned after being tracked using mobile geolocation data.

Kochava argues that the examples of consumer harm in the FTC’s complaint are disconnected from its activities and has accused the FTC of making knowingly false allegations. However, the court found no evidence to support Kochava’s claims and refused to dismiss the FTC’s case. Kochava CEO Charles Manning maintains that the company has always complied with all rules and laws, including those specific to privacy.

The FTC has proposed that Kochava could implement safeguards to protect consumer privacy, such as blacklisting sensitive locations or removing sensitive characteristics from its data. Kochava has introduced a new feature, Privacy Block, which blocks geolocation data near sensitive locations, although this was implemented after the FTC initiated its investigation.

The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent. If the FTC wins the case against Kochava, it could trigger a wave of class-action complaints from consumers and set a precedent for future actions against data brokers.

2024 Privacy Compliance: Are You Ready For It?

From InfoLawGroup LLP, by Justine Young Gottshall:

  • New State Privacy Laws: In 2024, Texas, Oregon, Florida, and Montana will implement new privacy laws, requiring businesses to update their policies, intake forms, and responses, and obtain opt-in consent for sensitive data collection. Similar laws will take effect in Delaware, New Hampshire, New Jersey, and Tennessee in 2025.
  • Compliance with Existing State Privacy Laws: Companies should ensure compliance with Privacy Impact Assessments (PIAs), Data Processing Agreements, Universal Opt-Out mechanisms, Web Accessibility Compliance, and conduct annual biometric reviews, especially in areas involving online advertising, use of AI, and handling of sensitive data.
  • New Health Data Laws: Washington and Nevada will introduce laws affecting companies collecting health data, requiring comprehensive compliance measures and specific authorizations. Florida’s law will apply to limited businesses with specific revenue and operational criteria.
  • Machine Learning and AI Use: The FTC is increasing scrutiny on the use of personal data in AI tools. Companies should review vendor agreements, create internal policies, and ensure responsible use of data, particularly sensitive data.
  • Data Collection from Minors: New laws and regulations affecting data collection from minors are expected. Companies should ensure compliance with existing laws and prepare for upcoming ones in Connecticut, Utah, Louisiana, and Florida. The FTC is also proposing updates to the COPPA Rule.

Telehealth’s Roadblock: The Issue with State Licensure Requirements

From Epstein Becker Green, by Amy Cooperstein, Amy Lerman, and Kyla Portnoy:

The surge in telehealth services due to COVID-19 has highlighted regulatory challenges faced by providers. These regulations, which vary by state, govern aspects such as who can provide telehealth services, what services can be provided, and where providers must be located. A common requirement is that providers must be licensed in the state where the patient resides.

In December 2023, a lawsuit was filed challenging New Jersey’s reinstated telehealth rules, specifically the requirement for providers to be licensed in New Jersey to provide telehealth services to residents. The plaintiffs, including families requiring care from out-of-state providers and doctors licensed in other states, argue that the regulation violates the Commerce Clause, Dormant Commerce Clause, Privileges and Immunities Clause, First Amendment, and Due Process Clause. 

This case highlights a broader issue of restrictive licensure requirements that can hinder providers’ ability to offer proper care. The process of obtaining separate licenses for each state is time-consuming, costly, and can discourage expansion of telehealth services. Efforts to simplify the licensure process, such as the Interstate Medical Licensure Compact and the Nurse Licensure Compact, have been limited in their effectiveness.

The outcome of this lawsuit, the MacDonald case, could have significant implications for telehealth restrictions and could influence future regulation and access to telehealth services.

New AI Technique Significantly Boosts Medicare Fraud Detection

From Medical Xpress, by Florida Atlantic University:

  • Medicare is frequently targeted by fraudulent insurance claims, with the estimated annual fraud amounting to over $100 billion. Traditional methods of detecting fraud, which involve manual inspection of claims by a limited number of auditors, are often insufficient due to the volume and complexity of the data.
  • A study conducted by the College of Engineering and Computer Science at Florida Atlantic University explored the use of big data and machine learning models to detect Medicare fraud. However, handling imbalanced big data and high dimensionality, where the number of features is extremely high, presents significant challenges.
  • The researchers tested two big Medicare datasets, Part B and Part D, using a method called Random Undersampling (RUS) and a novel ensemble supervised feature selection technique. RUS works by randomly removing samples from the majority class until a specific balance between the minority and majority classes is achieved.
  • The results showed that the combined use of RUS and supervised feature selection outperformed models that used all available features and data. The best performance was achieved by performing feature selection, then applying RUS. This approach led to data reduction, more explainable models, and significantly better performance.
  • The study’s findings could have substantial implications for Medicare fraud detection, offering computational advantages and enhancing the effectiveness of fraud detection systems. If properly applied, these methods could significantly reduce costs related to fraud and improve the standard of health care service.
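As an added illustration of the pipeline the summary describes (this is not code from the study or from the FAU researchers), the following stdlib-only Python scores features with a supervised univariate statistic, keeps the top-k, and only then applies Random Undersampling so the fraud and non-fraud classes are balanced. The claims data, the 30-feature width, and the mean shift on the three informative features are constructed assumptions.

```python
import random
import statistics

def make_claims(n_major=2000, n_minor=40, n_feats=30, informative=(0, 1, 2), seed=7):
    """Constructed imbalanced claims data: label 1 = fraudulent (minority class).
    Only the feature indices in `informative` differ between the two classes."""
    rng = random.Random(seed)
    rows, labels = [], []
    for label, n in ((0, n_major), (1, n_minor)):
        for _ in range(n):
            row = [rng.gauss(0.0, 1.0) for _ in range(n_feats)]
            if label == 1:
                for j in informative:
                    row[j] += 2.0  # assumed separation of fraud vs. non-fraud
            rows.append(row)
            labels.append(label)
    return rows, labels

def fisher_scores(rows, labels):
    """Supervised per-feature score: |mean(fraud) - mean(legit)| / pooled std."""
    scores = []
    for j in range(len(rows[0])):
        col0 = [r[j] for r, y in zip(rows, labels) if y == 0]
        col1 = [r[j] for r, y in zip(rows, labels) if y == 1]
        pooled = (statistics.pstdev(col0) + statistics.pstdev(col1)) / 2 or 1e-9
        scores.append(abs(statistics.mean(col1) - statistics.mean(col0)) / pooled)
    return scores

def select_features(rows, labels, k):
    """Keep the k highest-scoring feature indices (computed on the full data)."""
    scores = fisher_scores(rows, labels)
    return sorted(sorted(range(len(scores)), key=lambda j: -scores[j])[:k])

def random_undersample(rows, labels, ratio=1.0, seed=7):
    """RUS: drop majority rows at random until majority:minority equals `ratio`."""
    rng = random.Random(seed)
    minority = [i for i, y in enumerate(labels) if y == 1]
    majority = [i for i, y in enumerate(labels) if y == 0]
    target = min(int(len(minority) * ratio), len(majority))
    idx = sorted(minority + rng.sample(majority, target))
    return [rows[i] for i in idx], [labels[i] for i in idx]

def fs_then_rus(rows, labels, k, ratio=1.0):
    """The ordering the summary reports as best: feature selection first, then RUS,
    so the scores are computed on every available sample before rows are discarded."""
    keep = select_features(rows, labels, k)
    reduced = [[r[j] for j in keep] for r in rows]
    x, y = random_undersample(reduced, labels, ratio)
    return keep, x, y
```

Running `fs_then_rus` on the constructed data recovers the three informative features and leaves a 40/40 training set with three columns instead of 2040 rows with thirty.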

DOJ, FTC Looking at Roll-Up Acquisitions for Anticompetitive Acts

From The National Review, by Jessica Sprovtsoff of ArentFox Schiff LLP:

In December 2023, the White House announced plans to intensify antitrust scrutiny in the healthcare sector, focusing particularly on “roll-up” acquisitions, a practice where a company acquires several smaller entities, potentially leading to market consolidation. This strategy can potentially violate antitrust laws, but each individual acquisition often falls below the size criteria for pre-acquisition reporting to antitrust enforcement agencies.

The US Department of Justice (DOJ) and the Federal Trade Commission (FTC) have responded by planning to collaborate on data sharing to the maximum extent, aiming to detect potentially anticompetitive transactions that might not usually qualify for antitrust enforcement reviews.

Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

The Corporate Transparency Act: A Reporting Guide for Medical Groups and MSOs

From Sheppard Mullin Richter & Hampton LLP, by John Golembesky, Jordan Grushkin, Leonard Lipsky, Kathleen O’Neill, Richard Rifenbark, and Carolyn Young:

  • The Corporate Transparency Act (CTA) of 2021 mandates that any “reporting company” must submit a Beneficial Ownership Information Report (BOIR) to the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This report includes identification details of the entity’s key owners and leaders, or “beneficial owners”. The CTA primarily targets non-publicly traded entities, including medical groups and management services organizations (MSOs).
  • Entities formed or registered on or after January 1, 2024, must also report information about the individual who oversaw the preparation of the certificate of formation and the person who filed the document with the Secretary of State. However, there are several exceptions to the reporting requirement, including larger, active companies, public companies, and entities that already report to the federal government.
  • Reporting companies registered prior to January 1, 2024, must submit their BOIR by January 1, 2025. Companies registered between January 1, 2024 and January 1, 2025, have 90 days post-registration to file, and those registered after January 1, 2025, have 30 days to file.
  • The CTA’s application to common corporate structures in the healthcare industry raises questions about whether individual leaders of an MSO should be reported as “beneficial owners” of an affiliated medical group. Each reporting company should consider the facts and circumstances of its existing relationships and assess its legal duties and degree of risk tolerance.
  • The BOIR must include information about the reporting company and any beneficial owners, and for companies formed after January 1, 2024, information on company applicants. Beneficial owner information includes each individual’s full legal name, date of birth, residential address, ID number and issuing jurisdiction of a non-expired US passport, driver’s license, or other government-issued ID, and an image/photocopy of such ID.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.

CMS Finalizes its Proposal to Advance Interoperability and Improve Prior Authorization Processes

From Sheppard Mullin Richter & Hampton LLP, by Gianfranco Spinelli and Krysten Thomas:

  • Final Rule Issued by CMS: The Centers for Medicare and Medicaid Services (CMS) issued a final rule titled “CMS Interoperability and Prior Authorization” on January 17, 2024, which aims to advance interoperability and improve prior authorization processes. This rule impacts Medicare Advantage organizations, state Medicaid and CHIP agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges, as well as MIPS eligible clinicians, eligible hospitals, and critical access hospitals (CAHs).
  • Patient Access API: The final rule requires Impacted Payers to provide patients access to certain information, including claims, cost sharing data, encounter data, and a set of clinical data accessible via health applications. The implementation of this requirement is set for January 1, 2027, which is a change from the original proposed date of January 1, 2026.
  • Provider Access API and Payer-to-Payer API: The rule mandates Impacted Payers to build and maintain a Provider Access API for data sharing with in-network providers. It also requires a Payer-to-Payer API to ensure patients can maintain continuity of care and have uninterrupted access to their health data. Both these requirements are to be implemented by January 1, 2027.
  • Prior Authorization API and Process Improvements: CMS finalized the proposal to require Impacted Payers to build and maintain a Prior Authorization API, which is to be implemented by January 1, 2027. The rule also shortens the time frames for prior authorization decisions and requires Impacted Payers to provide a specific reason for denied decisions. These requirements are to be complied with by January 1, 2026.
  • Public Reporting and Electronic Prior Authorization Measure: The final rule requires Impacted Payers to publicly report certain prior authorization metrics, with the initial set of metrics to be reported by March 31, 2026. It also mandates MIPS eligible clinicians, eligible hospitals, and CAHs to report the number of prior authorizations for medical items and services requested electronically from a Prior Authorization API.

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Muoio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.