Categories
Health Law Highlights

HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know

From Foley & Lardner LLP, by Jane Blaney, Jennifer J. Hennessy, Aaron T. Maguregui:

Part 2 Final Rule Implementation: The U.S. Department of Health & Human Services (HHS) issued the Part 2 Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. This rule, effective 60 days post-publication, implements provisions of the 2020 CARES Act and includes modifications proposed in the November 2022 Notice of Proposed Rulemaking and additional changes based on public comments.

Patient Consent Changes: The rule allows SUD programs to obtain a single patient consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO), as per HIPAA regulations. This consent can be revoked by the patient in writing. The rule also permits HIPAA-covered entities and business associates to redisclose records under this consent, barring use in legal proceedings against the patient without specific consent or court order.

Patient Notice and Rights: The rule aligns Part 2’s patient notice requirements more closely with the HIPAA Notice of Privacy Practices. It also provides patients with additional rights, such as requesting restrictions of disclosures to health plans for services paid in full or for purposes of TPO, obtaining an accounting of disclosures, and opting out of fundraising communications.

Breach Notification and Counseling Notes: The rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs. It also includes a definition of SUD counseling notes similar to the HIPAA definition of psychotherapy notes, requiring specific consent from the individual for their disclosure.

Data Segregation and Penalties: The rule removes the requirement for segregation or segmentation of Part 2 records but maintains their protection. Violations of Part 2 will be subject to the same civil and criminal penalties as HIPAA violations, and patients can file complaints with HHS for violations of Part 


Corporate Transparency Act and Health Care Providers

From AHLA, by Christopher Conn and Patrick Dunbar:

The Corporate Transparency Act (CTA), effective from January 1, 2024, requires domestic and foreign legal entities operating in the U.S. to report beneficial ownership information to the Financial Crimes Enforcement Network (FinCEN), with certain exemptions. This is to regulate “shell” companies often associated with illicit activities. Health care providers, unless exempt, will also need to comply with these disclosure requirements.

Two types of reporting companies exist under the CTA: domestic and foreign. Domestic entities are those created by filing organizational documents with a secretary of state, while foreign entities are organized under foreign laws but conduct business in the U.S. Health care providers organized as partnerships, sole proprietorships, or other entities not typically required to file with state governments may avoid being classified as a reporting company.

If classified as a reporting company, health care providers must identify their “beneficial owners” and report this information to FinCEN. A beneficial owner under the CTA is a person or entity that exercises substantial control over a reporting company or owns or controls at least 25% of the ownership interests of the reporting company.

Non-exempt reporting companies must file beneficial ownership information (BOI) reports with FinCEN, containing specific information about the company, its beneficial owners, and its applicants. Timing requirements for these disclosures vary based on the date of entity formation and changes to previously disclosed information.

The CTA imposes civil and criminal penalties for willful failure to report, or intentionally providing false or fraudulent BOI. Health care providers must ensure disclosure consistency across multiple regulatory and licensing bodies. They should also be aware of the administrative challenges posed by the CTA, including determining beneficial ownership and timely reporting of BOI updates.


Confidentiality of Substance Use Disorder Records Now More Closely Aligned With HIPAA

From Fox Rothschild, by Elizabeth G. Litten:

  • Part 2 records may be disclosed pursuant to the patient’s written consent, which may be a single consent for all future uses and disclosures for treatment, payment, and health care operations (as such terms are defined under HIPAA)
  • Part 2 records may be disclosed to a public health authority without patient consent if the records are de-identified (as defined and set forth under HIPAA)
  • Part 2 records are subject to HIPAA’s breach notification requirements
  • Part 2 SUD providers must provide HIPAA Notice of Privacy Practices-type notices to patients
  • Patients have the right to complain to HHS regarding alleged violations of Part 2


HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Adler:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.


Rx for Safety: Workplace Violence Policies in Healthcare Settings

From Akerman, LLP, by Emily C. Ayvazian and Danielle C. Gordet:

Healthcare workers are five times more likely to experience workplace violence than workers in other industries, according to the U.S. Bureau of Labor Statistics, a trend that has been exacerbated by the COVID-19 pandemic. The Occupational Safety and Health Administration (OSHA) has identified this as a significant occupational risk, prompting many states to mandate workplace violence standards for the healthcare industry.

Despite no federal law protecting workers from workplace violence, employers are obligated to provide a safe working environment under the Occupational Safety and Health Act. OSHA is also in the early stages of developing a standard for preventing workplace violence in healthcare and social assistance. Key components of an effective workplace violence prevention program include management commitment, worker participation, worksite analysis, hazard prevention and control, safety training, and recordkeeping and program evaluation.

Several states, including California and Texas, have implemented laws to curb workplace violence against healthcare workers. These laws mandate that healthcare employers create and implement workplace violence prevention plans, with specific requirements that must be reviewed annually. The laws also require that workplace violence incidents be logged and investigated and that workers participate in creating their employers’ workplace violence prevention plans.

Healthcare facilities should establish comprehensive workplace violence policies, which include a zero-tolerance policy, clear directives on reporting workplace hazards or safety concerns, and measures to ensure no worker faces retaliation for reporting incidents of workplace violence. The policy should also account for each location’s specific worksite and varying risk levels.

Effective training regarding workplace violence policy is crucial. Employers must ensure all workers know the policy and understand how to adhere to it. Specialized training should be provided for supervisors and security personnel, and the training should be evaluated annually to determine if updates are needed.


Data Broker Allegedly Selling De-Anonymized Info to Face FTC Lawsuit After All

From Ars Technica, by Ashley Belanger:

The Federal Trade Commission (FTC) has succeeded in keeping its case against geolocation data broker Kochava alive, alleging that the company has been selling vast amounts of data in violation of the FTC Act. The FTC accuses Kochava of selling data obtained from millions of mobile devices across the world, combining precise geolocation data with sensitive and identifying information without users’ informed consent.

The FTC claims Kochava’s data sales allow customers to create highly detailed profiles of individuals, which invades their privacy and increases the risk of secondary harms such as stigma, discrimination, and emotional distress. The FTC cited specific examples of consumers who have been harmed by such data sharing practices, including a Catholic priest who resigned after being tracked using mobile geolocation data.

Kochava argues that the examples of consumer harm in the FTC’s complaint are disconnected from its activities and has accused the FTC of making knowingly false allegations. However, the court found no evidence to support Kochava’s claims and refused to dismiss the FTC’s case. Kochava CEO Charles Manning maintains that the company has always complied with all rules and laws, including those specific to privacy.

The FTC has proposed that Kochava could implement safeguards to protect consumer privacy, such as blacklisting sensitive locations or removing sensitive characteristics from its data. Kochava has introduced a new feature, Privacy Block, which blocks geolocation data near sensitive locations, although this was implemented after the FTC initiated its investigation.

The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent. If the FTC wins the case against Kochava, it could trigger a wave of class-action complaints from consumers and set a precedent for future actions against data brokers.


2024 Privacy Compliance: Are You Ready For It?

From InfoLawGroup LLP, by Justine Young Gottshall:

  • New State Privacy Laws: In 2024, Texas, Oregon, Florida, and Montana will implement new privacy laws, requiring businesses to update their policies, intake forms, and responses, and obtain opt-in consent for sensitive data collection. Similar laws will take effect in Delaware, New Hampshire, New Jersey, and Tennessee in 2025.
  • Compliance with Existing State Privacy Laws: Companies should ensure compliance with Privacy Impact Assessments (PIAs), Data Processing Agreements, Universal Opt-Out mechanisms, Web Accessibility Compliance, and conduct annual biometric reviews, especially in areas involving online advertising, use of AI, and handling of sensitive data.
  • New Health Data Laws: Washington and Nevada will introduce laws affecting companies collecting health data, requiring comprehensive compliance measures and specific authorizations. Florida’s law will apply to limited businesses with specific revenue and operational criteria.
  • Machine Learning and AI Use: The FTC is increasing scrutiny on the use of personal data in AI tools. Companies should review vendor agreements, create internal policies, and ensure responsible use of data, particularly sensitive data.
  • Data Collection from Minors: New laws and regulations affecting data collection from minors are expected. Companies should ensure compliance with existing laws and prepare for upcoming ones in Connecticut, Utah, Louisiana, and Florida. The FTC is also proposing updates to the COPPA Rule.

Telehealth’s Roadblock: The Issue with State Licensure Requirements

From Epstein Becker Green, by Amy Cooperstein, Amy Lerman, and Kyla Portnoy:

The surge in telehealth services due to COVID-19 has highlighted regulatory challenges faced by providers. These regulations, which vary by state, govern aspects such as who can provide telehealth services, what services can be provided, and where providers must be located. A common requirement is that providers must be licensed in the state where the patient resides.

In December 2023, a lawsuit was filed challenging New Jersey’s reinstated telehealth rules, specifically the requirement for providers to be licensed in New Jersey to provide telehealth services to residents. The plaintiffs, including families requiring care from out-of-state providers and doctors licensed in other states, argue that the regulation violates the Commerce Clause, Dormant Commerce Clause, Privileges and Immunities Clause, First Amendment, and Due Process Clause. 

This case highlights a broader issue of restrictive licensure requirements that can hinder providers’ ability to offer proper care. The process of obtaining separate licenses for each state is time-consuming, costly, and can discourage expansion of telehealth services. Efforts to simplify the licensure process, such as the Interstate Medical Licensure Compact and the Nurse Licensure Compact, have been limited in their effectiveness.

The outcome of the MacDonald case could have significant implications for telehealth restrictions and could influence future regulation and access to telehealth services.


New AI Technique Significantly Boosts Medicare Fraud Detection

From Medical Xpress, by Florida Atlantic University:

  • Medicare is frequently targeted by fraudulent insurance claims, with the estimated annual fraud amounting to over $100 billion. Traditional methods of detecting fraud, which involve manual inspection of claims by a limited number of auditors, are often insufficient due to the volume and complexity of the data.
  • A study conducted by the College of Engineering and Computer Science at Florida Atlantic University explored the use of big data and machine learning models to detect Medicare fraud. However, handling imbalanced big data and high dimensionality, where the number of features is extremely high, presents significant challenges.
  • The researchers tested two big Medicare datasets, Part B and Part D, using a method called Random Undersampling (RUS) and a novel ensemble supervised feature selection technique. RUS works by randomly removing samples from the majority class until a specific balance between the minority and majority classes is achieved.
  • The results showed that the combined use of RUS and supervised feature selection outperformed models that used all available features and data. The best performance was achieved by performing feature selection, then applying RUS. This approach led to data reduction, more explainable models, and significantly better performance.
  • The study’s findings could have substantial implications for Medicare fraud detection, offering computational advantages and enhancing the effectiveness of fraud detection systems. If properly applied, these methods could significantly reduce costs related to fraud and improve the standard of health care service.

DOJ, FTC Looking at Roll-Up Acquisitions for Anticompetitive Acts

From The National Review, by Jessica Sprovtsoff of ArentFox Schiff LLP:

In December 2023, the White House announced plans to intensify antitrust scrutiny in the healthcare sector, focusing particularly on “roll-up” acquisitions, a practice in which a company acquires several smaller entities, potentially leading to market consolidation. The strategy may violate antitrust laws, but each individual acquisition often falls below the size criteria for pre-acquisition reporting to antitrust enforcement agencies.

The US Department of Justice (DOJ) and the Federal Trade Commission (FTC) have responded by planning to collaborate on data sharing to the maximum extent, aiming to detect potentially anticompetitive transactions that might not usually qualify for antitrust enforcement reviews.