Categories
Health Law Highlights

Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

The Corporate Transparency Act: A Reporting Guide for Medical Groups and MSOs

From Sheppard Mullin Richter & Hampton LLP, by John Golembesky, Jordan Grushkin, Leonard Lipsky, Kathleen O’Neill, Richard Rifenbark, and Carolyn Young:

  • The Corporate Transparency Act (CTA) of 2021 mandates that any “reporting company” must submit a Beneficial Ownership Information Report (BOIR) to the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This report includes identification details of the entity’s key owners and leaders, or “beneficial owners”. The CTA primarily targets non-publicly traded entities, including medical groups and management services organizations (MSOs).
  • Entities formed or registered on or after January 1, 2024, must also report information about the individual who oversaw the preparation of the certificate of formation and the person who filed the document with the Secretary of State. However, there are several exceptions to the reporting requirement, including larger, active companies, public companies, and entities that already report to the federal government.
  • Reporting companies registered prior to January 1, 2024, must submit their BOIR by January 1, 2025. Companies registered between January 1, 2024 and January 1, 2025, have 90 days post-registration to file, and those registered after January 1, 2025, have 30 days to file.
  • The CTA’s application to common corporate structures in the healthcare industry raises questions about whether individual leaders of an MSO should be reported as “beneficial owners” of an affiliated medical group. Each reporting company should consider the facts and circumstances of its existing relationships and assess its legal duties and degree of risk tolerance.
  • The BOIR must include information about the reporting company and any beneficial owners, and for companies formed after January 1, 2024, information on company applicants. Beneficial owner information includes each individual’s full legal name, date of birth, residential address, ID number and issuing jurisdiction of a non-expired US passport, driver’s license, or other government-issued ID, and an image/photocopy of such ID.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.

CMS Finalizes its Proposal to Advance Interoperability and Improve Prior Authorization Processes

From Sheppard Mullin Richter & Hampton LLP, by Gianfranco Spinelli and Krysten Thomas:

  • Final Rule Issued by CMS: The Centers for Medicare and Medicaid Services (CMS) issued a final rule titled “CMS Interoperability and Prior Authorization” on January 17, 2024, which aims to advance interoperability and improve prior authorization processes. This rule impacts Medicare Advantage organizations, state Medicaid and CHIP agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges, as well as MIPS eligible clinicians, and eligible hospitals and critical access hospitals.
  • Patient Access API: The final rule requires Impacted Payers to provide patients access to certain information, including claims, cost sharing data, encounter data, and a set of clinical data accessible via health applications. The implementation of this requirement is set for January 1, 2027, which is a change from the original proposed date of January 1, 2026.
  • Provider Access API and Payer-to-Payer API: The rule mandates Impacted Payers to build and maintain a Provider Access API for data sharing with in-network providers. It also requires a Payer-to-Payer API to ensure patients can maintain continuity of care and have uninterrupted access to their health data. Both these requirements are to be implemented by January 1, 2027.
  • Prior Authorization API and Process Improvements: CMS finalized the proposal to require Impacted Payers to build and maintain a Prior Authorization API, which is to be implemented by January 1, 2027. The rule also shortens the time frames for prior authorization decisions and requires Impacted Payers to provide a specific reason for denied decisions. These requirements are to be complied with by January 1, 2026.
  • Public Reporting and Electronic Prior Authorization Measure: The final rule requires Impacted Payers to publicly report certain prior authorization metrics, with the initial set of metrics to be reported by March 31, 2026. It also mandates MIPS eligible clinicians, eligible hospitals, and CAHs to report the number of prior authorizations for medical items and services requested electronically from a Prior Authorization API.

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Muoio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.

New California Law Imposes Significant Data Management Requirements for Sensitive Health Data

From Troutman Pepper, by Brent Hoard, Emma Trivax, and Erin Whaley:

  • Effective January 1, AB 352 introduces significant changes to the management and sharing of sensitive health information in California, particularly related to reproductive health services. The bill amends the existing Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA) and several other statutes.
  • Enhanced Security Measures: By July 1, businesses that electronically store or maintain certain medical information must implement enhanced security measures, including limiting user access, preventing sharing of medical information outside of California, segregating certain medical information, and disabling access to segregated information from outside California.
  • Prohibition on Cooperation With Out-of-State Inquiries: Health care providers and related entities are prohibited from cooperating with out-of-state or federal inquiries that would identify an individual seeking or obtaining an abortion or abortion-related services, unless authorized under existing law provisions.
  • Prohibition on Disclosure of Medical Information: Entities are prohibited from knowingly disclosing information that would identify an individual related to an abortion to any individual or entity from another state, unless authorized under specific conditions. A grace period until January 31, 2026, is provided for entities working diligently and in good faith to comply with the prohibition.
  • Exclusion From Automatic Data Sharing: The bill excludes the exchange of health information related to abortion and abortion-related services from automatic sharing on the California Health and Human Services Data Exchange Framework. Entities should assess their compliance, undertake a data inventory, develop technical controls, revise procedures for individual rights requests, and incorporate these changes into training sessions.

Recent $345 Million Settlement Underscores Critical Importance of Appropriate Physician Compensation

From Baker Donelson, by Alissa Fleming and Joseph Keillor:

  • An Indianapolis-based health system recently settled with the Department of Justice for $345 million due to allegations of Stark Law and False Claims Act violations related to its physician compensation arrangements, highlighting the importance of appropriately structuring physician compensation to avoid fraud and abuse enforcement.
  • The health system was accused of providing false information to appraisers, inflating physician salaries, and ignoring warnings about the large discrepancies between high physician compensation and moderate productivity. Additionally, it was alleged that physician compensation was dependent on the volume or value of referrals, which violates Stark Law’s restrictions.
  • The actual compensation for many specialties was either fixed guaranteed compensation or wRVU-based compensation for personally performed services, which, under the December 2020 rulemaking, should not violate the Volume/Value element.
  • The government argued that exceeding fair market value does not necessarily implicate the “indirect compensation arrangement” definition in place at the time, and that fair market value is only relevant where the parties have implicated a threshold volume/value standard.
  • The settlement emphasizes the importance of structuring physician compensation appropriately, with the health system now under a five-year corporate integrity agreement with an independent review organization and a compliance expert. Unsettled claims from the relator are still pending, and attorney’s fees relating to the settled claims may be added to the $345 million settlement.

7 HIPAA Predictions For 2024

From Becker’s Hospital Review, by Madeline Ashley:

  • The Office for Civil Rights (OCR) is expected to increase enforcement actions for violations of HIPAA security and breach notification rules, with a predicted record number of civil monetary penalties and settlements in 2024.
  • The HIPAA right of access will continue to be a focus for OCR enforcement due to its straightforward nature and minimal resource requirement for investigations.
  • An update to the HIPAA security rule is anticipated in spring 2024, likely introducing new mandatory cybersecurity measures, including stricter access control requirements such as mandatory multi-factor authentication.
  • Following the overturning of Roe v. Wade, a new rule on reproductive health information disclosure is anticipated, limiting its use to specific purposes like payment, healthcare operations, treatment, and legal investigations related to reproductive healthcare services.
  • The American Hospital Association’s lawsuit against OCR’s tracking technologies guidance could lead to the first enforcement action regarding the use of tracking technologies on hospital websites in 2024. If the lawsuit is successful, further rulemaking on tracking technology is expected to enhance patient privacy.
  • The Centers for Medicare & Medicaid Services (CMS) are projected to introduce cybersecurity requirements as a condition for participation in their programs.
  • State attorneys general are expected to increase HIPAA compliance enforcements, imposing additional financial penalties on healthcare organizations failing to meet minimum cybersecurity standards.

Supreme Court Eyes World War II Era Doctrine for Agency Rules

From Bloomberg Law, by Kimberly Strawbridge Robinson:

  • The Supreme Court signaled its intention to replace the Chevron doctrine with the Skidmore doctrine during arguments in recent cases.
  • The Chevron doctrine, from a 1984 ruling, requires judges to defer to agency interpretations of a statute if reasonable, while the Skidmore doctrine, from a 1944 ruling, only requires deference if the interpretation is persuasive.
  • Skidmore is generally seen as less agency-friendly than Chevron. While Chevron requires courts to defer to a reasonable agency determination, Skidmore only requires that a court treat it as guidance, a much lower threshold.
  • If the Supreme Court replaces Chevron with Skidmore, it could change how courts consider challenges to agency regulations. Agencies are expected to win less under Skidmore, but the extent of this change remains uncertain, as the Supreme Court has already reduced Chevron’s influence in recent years.
  • The potential shift to Skidmore could increase pressure on agencies to provide more thorough reasoning to support their actions, possibly leading to fewer broad policy changes. However, some experts argue that agencies will still have various tools to achieve their desired results, such as enforcement actions, funding mechanisms, and exerting pressure on outside groups.

Is Apple Pay HIPAA Compliant?

From The HIPAA Journal, by Steve Alder:

  • Apple Pay and HIPAA Compliance: Despite not being HIPAA compliant, Apple Pay can be used by healthcare providers and health plans to collect payments. The service is exempt from HIPAA under §1179 of the HIPAA Act, which applies to entities engaged in payment processing activities.
  • How Apple Pay Works: Apple Pay is a mobile payment service that uses a unique Device Account Number for each card registered in the Apple Wallet app. The service facilitates online, in-app, and contactless payments without sharing the user’s credit or debit card details with the recipient.
  • Privacy and Protected Health Information (PHI): Due to the unique way Apple Pay operates, neither the recipient nor Apple has access to information that could identify the user or their purchase details. As such, information sent through Apple Pay does not qualify as PHI.
  • Exceptions and Limitations: The HIPAA exemption only applies to the payment facilitation aspect of Apple Pay. Covered entities and business associates should not store individually identifying health information in the Apple Wallet app, as Apple will not sign a Business Associate Agreement. Any third-party integrations with Apple Pay used for payment reconciliation must be HIPAA compliant.