Categories
Health Law Highlights

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Muoio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.

New California Law Imposes Significant Data Management Requirements for Sensitive Health Data

From Troutman Pepper, by Brent Hoard, Emma Trivax, and Erin Whaley:

  • Effective January 1, AB 352 introduces significant changes to the management and sharing of sensitive health information in California, particularly information related to reproductive health services. The bill amends the existing Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA) and several other statutes.
  • Enhanced Security Measures: By July 1, businesses that electronically store or maintain certain medical information must implement enhanced security measures, including limiting user access, preventing sharing of medical information outside of California, segregating certain medical information, and disabling access to segregated information from outside California.
  • Prohibition on Cooperation With Out-of-State Inquiries: Health care providers and related entities are prohibited from cooperating with out-of-state or federal inquiries that would identify an individual seeking or obtaining an abortion or abortion-related services, unless authorized under existing law provisions.
  • Prohibition on Disclosure of Medical Information: Entities are prohibited from knowingly disclosing information that would identify an individual related to an abortion to any individual or entity from another state, unless authorized under specific conditions. A grace period until January 31, 2026, is provided for entities working diligently and in good faith to comply with the prohibition.
  • Exclusion From Automatic Data Sharing: The bill excludes the exchange of health information related to abortion and abortion-related services from automatic sharing on the California Health and Human Services Data Exchange Framework. Entities should assess their compliance, undertake a data inventory, develop technical controls, revise procedures for individual rights requests, and incorporate these changes into training sessions.

Recent $345 Million Settlement Underscores Critical Importance of Appropriate Physician Compensation

From Baker Donelson, by Alissa Fleming and Joseph Keillor:

  • An Indianapolis-based health system recently settled with the Department of Justice for $345 million due to allegations of Stark Law and False Claims Act violations related to its physician compensation arrangements, highlighting the importance of appropriately structuring physician compensation to avoid fraud and abuse enforcement.
  • The health system was accused of providing false information to appraisers, inflating physician salaries, and ignoring warnings about the large discrepancies between high physician compensation and moderate productivity. Additionally, it was alleged that physician compensation was dependent on the volume or value of referrals, which violates Stark Law’s restrictions.
  • The actual compensation for many specialties was either fixed guaranteed compensation or wRVU-based compensation for personally-performed services, which under the December 2020 rulemaking, should not violate the Volume/Value element.
  • The government argued that exceeding fair market value does not necessarily implicate the “indirect compensation arrangement” definition in place at the time, and that fair market value is only relevant where the parties have implicated a threshold volume/value standard.
  • The settlement emphasizes the importance of structuring physician compensation appropriately, with the health system now under a five-year corporate integrity agreement with an independent review organization and a compliance expert. Unsettled claims from the relator are still pending, and attorney’s fees relating to the settled claims may be added to the $345 million settlement.

7 HIPAA Predictions For 2024

From Becker’s Hospital Review, by Madeline Ashley:

  • The Office for Civil Rights (OCR) is expected to increase enforcement actions for violations of HIPAA security and breach notification rules, with a predicted record number of civil monetary penalties and settlements in 2024.
  • The HIPAA right of access will continue to be a focus for OCR enforcement due to its straightforward nature and minimal resource requirement for investigations.
  • An update to the HIPAA security rule is anticipated in spring 2024, likely introducing new mandatory cybersecurity measures, including stricter access control requirements such as mandatory multi-factor authentication.
  • Following the overturning of Roe v. Wade, a new rule on the disclosure of reproductive health information is expected, limiting its use to specific purposes like payment, healthcare operations, treatment, and legal investigations related to reproductive healthcare services.
  • The American Hospital Association’s lawsuit against OCR’s tracking technologies guidance could lead to the first enforcement action regarding the use of tracking technologies on hospital websites in 2024. If the lawsuit is successful, further rulemaking on tracking technology is expected to enhance patient privacy.
  • The Centers for Medicare & Medicaid Services (CMS) is projected to introduce cybersecurity requirements as a condition of participation in its programs.
  • State attorneys general are expected to increase HIPAA compliance enforcements, imposing additional financial penalties on healthcare organizations failing to meet minimum cybersecurity standards.

Supreme Court Eyes World War II Era Doctrine for Agency Rules

From Bloomberg Law, by Kimberly Strawbridge Robinson:

  • The Supreme Court signaled its intention to replace the Chevron doctrine with the Skidmore doctrine during arguments in recent cases.
  • The Chevron doctrine, from a 1984 ruling, requires judges to defer to agency interpretations of a statute if reasonable, while the Skidmore doctrine, from a 1944 ruling, only requires deference if the interpretation is persuasive.
  • Skidmore is generally seen as less agency-friendly than Chevron. While Chevron requires courts to defer to a reasonable agency determination, Skidmore only requires that a court treat it as guidance, a much lower threshold.
  • If the Supreme Court replaces Chevron with Skidmore, it could change how courts consider challenges to agency regulations. Agencies are expected to win less under Skidmore, but the extent of this change remains uncertain, as the Supreme Court has already reduced Chevron’s influence in recent years.
  • The potential shift to Skidmore could increase pressure on agencies to provide more thorough reasoning to support their actions, possibly leading to fewer broad policy changes. However, some experts argue that agencies will still have various tools to achieve their desired results, such as enforcement actions, funding mechanisms, and exerting pressure on outside groups.

Is Apple Pay HIPAA Compliant?

From The HIPAA Journal, by Steve Alder:

  • Apple Pay and HIPAA Compliance: Although Apple Pay is not itself HIPAA compliant, healthcare providers and health plans can use it to collect payments. The service falls under the exemption in Section 1179 of HIPAA, which applies to entities engaged in payment processing activities.
  • How Apple Pay Works: Apple Pay is a mobile payment service that uses a unique Device Account Number for each card registered in the Apple Wallet app. The service facilitates online, in-app, and contactless payments without sharing the user’s credit or debit card details with the recipient.
  • Privacy and Protected Health Information (PHI): Due to the unique way Apple Pay operates, neither the recipient nor Apple has access to information that could identify the user or their purchase details. As such, information sent through Apple Pay does not qualify as PHI.
  • Exceptions and Limitations: The HIPAA exemption only applies to the payment facilitation aspect of Apple Pay. Covered entities and business associates should not store individually identifying health information in the Apple Wallet app, as Apple will not sign a Business Associate Agreement. Any third-party integrations with Apple Pay used for payment reconciliation must be HIPAA compliant.

Hospitals Owned by Private Equity Are Harming Patients, Reports Find

From Ars Technica, by Beth Mole:

  • Private equity firms, particularly Apollo Global Management, are increasingly acquiring hospitals across the US, a trend that has led to a decline in the quality of care, according to reports by the Private Equity Stakeholder Project (PESP) and a study in JAMA.
  • Apollo Global Management, through Lifepoint and ScionHealth, operates 220 hospitals in 36 states. The PESP report found that some of these hospitals rank among the worst in their states, with an average rating of 2.8 stars, compared to the national average of 3.2 stars, on the Centers for Medicare & Medicaid Services’ star-rating system.
  • The JAMA study discovered a rise in serious medical errors and health complications among patients in the first few years after private equity firms take over, including a 25% increase in hospital-acquired conditions and a doubling of surgical site infections.
  • Both reports highlight a pattern of cost-cutting measures and staff layoffs following private equity acquisition, leading to reduced services and underpaid staff. Apollo’s hospitals, for example, saw a reduction of $166 million in annual salary and benefit costs and $54 million in supply costs in 2020.
  • The reports also noted that Apollo’s hospitals carry substantial debt, with ScionHealth and Lifepoint having 5.8 and 7.9 times more debt than income, respectively. Additionally, Apollo has profited from sale-leaseback transactions, which involve selling the land under the hospitals and then leasing it back, further straining the financial resources of these institutions.

Overlooking Executive Comp Packages Puts M&A Deals at Risk

From Bloomberg Law, by Ian Sherwin (Reed Smith):

  • Compensation and Motivation: Understanding the compensation structures and philosophies of a target company is crucial in M&A transactions. This includes executive compensation, which can be a significant cost, involving base salary, bonuses, severance entitlements, and health and welfare programs. It’s also subject to various tax, securities, corporate, and employment-related rules and regulations.
  • Transaction Structures: The nature of the transaction, whether it’s an acquisition or a merger, impacts compensation-related decisions. For private companies, disclosure concerns are minimal, but public companies have significant disclosure obligations. For carve-outs, considerations include potential employment termination and re-hiring by the acquirer, who bears the cost of severance, and the form of consideration for equity awards.
  • Severance and Bonuses: Severance protections can help maintain employee performance during a transaction. The value and duration of severance can vary based on seniority and job level. Transaction and retention bonuses can also be used to motivate and retain key employees. The former encourages employees to complete the transaction, while the latter incentivizes them to stay through certain milestones.
  • Covenants: Buyers often set restrictions on what the target can do between the signing and closing of a transaction. These include changes to benefit plans, compensation, hiring or termination of employees, and equity awards. Targets often seek post-closing employment-related covenants, such as guaranteed compensation and benefit levels, and continued participation in severance programs.
  • Sections 280G and 4999: Golden parachute rules (Sections 280G and 4999 of the Internal Revenue Code) are a major focus in most transactions. If triggered, a 20% excise tax could apply to certain service providers, and the target may lose a compensatory tax deduction. Mitigation strategies can include reasonable compensation analyses, valuing non-competition agreements, and shifting compensation to the current tax year. Private companies may opt for a shareholder cleansing vote to avoid these issues.

What Do Threads, Mastodon, and Hospital Records Have in Common?

From Ars Technica, by Fintan Burke:

  • The concept of “federated learning”, inspired by the privacy-focused structure of new social media platforms, is being adopted by medical researchers to train AI in spotting disease trends. In this approach, user data is hosted on independent servers instead of a single corporate entity, which promotes data privacy and enables selective sharing of information.
  • Instead of pooling patient data from various hospitals into one database, which raises privacy concerns and legal complications, researchers send their AI models to individual hospitals. These models can then analyze the data within the hospital’s firewall, maintaining the privacy of sensitive patient information.
  • The training process involves doctors identifying eligible patients, selecting necessary clinical data, and organizing it on a local database. The AI software then uses this data to identify disease trends. The trained model is periodically sent to a central server, where it is combined with models from other hospitals to update the original model.
  • The updated “consensus model” is sent back to each hospital for further training, and this cycle repeats until the final model is deemed accurate enough. Patient records never leave the hospital’s firewall; only the trained model parameters travel to the central server. Those parameters can still encode some information about the records they were trained on, so the approach reduces rather than eliminates the privacy risk of pooled data.
  • Federated learning has seen significant growth in medical research. For instance, in 2021, a study successfully used this method to predict diabetes from CT scans of abdomens, potentially identifying at-risk patients up to seven years prior to their diagnosis.
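The training loop described above, as an added example that is not code from the Ars Technica article or from any of the studies it cites. It implements federated averaging for a logistic-regression model in pure Python: each simulated hospital trains on its own constructed records (the data, feature names and outcome are all made up for the example), only the resulting parameters and a sample count go to the “server”, which averages them and broadcasts the consensus model for the next round.

```python
import math
import random

# Constructed synthetic "patient" records: each is (features, label).
# Features are two standardized clinical measurements and the label is a
# hypothetical binary outcome; none of this is real data.
TRUE_W = [1.5, -2.0]
TRUE_B = 0.3


def make_hospital_data(seed, n_patients, shift=0.0):
    """Generate one hospital's local dataset. `shift` skews the feature
    distribution so the sites are not identically distributed, as real
    hospital populations are not."""
    rng = random.Random(seed)
    records = []
    for _ in range(n_patients):
        x = [rng.gauss(shift, 1.0), rng.gauss(-shift, 1.0)]
        logit = TRUE_W[0] * x[0] + TRUE_W[1] * x[1] + TRUE_B
        y = 1 if rng.random() < 1.0 / (1.0 + math.exp(-logit)) else 0
        records.append((x, y))
    return records


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def local_train(w, b, records, epochs, lr):
    """Runs inside the hospital: full-batch gradient descent on logistic
    loss, starting from the consensus model received from the server.
    Returns updated parameters plus the sample count; the records stay put."""
    w = list(w)
    n = len(records)
    for _ in range(epochs):
        gw = [0.0] * len(w)
        gb = 0.0
        for x, y in records:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b, n


def fed_avg(updates):
    """Runs on the central server: federated averaging of the site models,
    weighted by each site's sample count. `updates` is a list of (w, b, n).
    The server never sees a patient record, only these parameters."""
    total = sum(n for _, _, n in updates)
    dim = len(updates[0][0])
    w = [sum(u[0][i] * u[2] for u in updates) / total for i in range(dim)]
    b = sum(u[1] * u[2] for u in updates) / total
    return w, b


def federated_train(hospitals, rounds=20, epochs=5, lr=0.5):
    """One full cycle: broadcast model, train locally at every site,
    aggregate, repeat. Returns the final consensus model (w, b)."""
    w, b = [0.0, 0.0], 0.0  # initial model sent to every site
    for _ in range(rounds):
        updates = [local_train(w, b, recs, epochs, lr) for recs in hospitals]
        w, b = fed_avg(updates)  # consensus model for the next round
    return w, b


def accuracy(w, b, records):
    """Fraction of records the model classifies correctly."""
    correct = 0
    for x, y in records:
        pred = 1 if sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) >= 0.5 else 0
        correct += pred == y
    return correct / len(records)


if __name__ == "__main__":
    sites = [make_hospital_data(1, 300, 0.5),
             make_hospital_data(2, 150, -0.5),
             make_hospital_data(3, 500, 0.0)]
    w, b = federated_train(sites)
    holdout = make_hospital_data(99, 1000)
    print("consensus model:", w, b)
    print("held-out accuracy:", accuracy(w, b, holdout))
```

The weighting in `fed_avg` is what lets a 500-patient site count for more than a 150-patient site without either ever exporting a row. Note that nothing in this loop hides the parameters themselves; in a production deployment the update channel is authenticated and the aggregate, not the individual site update, is what gets persisted.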

Up and Up and Up: Accounting for Supply Cost Inflation in Due Diligence

From VMG Health, by Johnny Zizzi, CPA, and Melissa Hoelting, CPA:

  • Inflation-Adjusted Financial Analysis: In periods of high inflation, traditional financial metrics may not accurately depict a company’s performance. It is essential to adjust financial analysis for inflation, especially in the healthcare sector where supply costs have been significantly rising. Businesses must assess their ability to maintain profitability and manage costs in the face of these increases.
  • Cash to Accrual Impacts: Converting financial statements from cash to accrual accounting can significantly impact the quality of earnings, particularly when dealing with supply cost inflation. This process becomes more complex with rising costs, necessitating a financial due diligence team to ensure accurate and comprehensive analysis.
  • Robust Forecasting and Scenario Analysis: Given the uncertainties around inflation and supply chain disruptions, robust forecasting and scenario analysis are crucial for businesses to proactively manage the financial impact of rising costs. This approach can help companies adjust pricing strategies, negotiate better contracts, and implement cost-cutting measures to maintain profitability.
  • Net Working Capital Analysis: High inflation affects both the asset and the liability side of a company’s balance sheet. Advisors must align the timing of cash flows associated with assets and liabilities to mitigate liquidity risks stemming from supply cost inflation. In times of rising prices, transactions may shift toward a shorter lookback period when setting the net working capital peg (the target NWC level used in the purchase price adjustment).
  • Conclusion: In the dynamic world of healthcare M&A, understanding historical spend normalization, cash-to-accrual conversions, and the impact of supply cost inflation is critical. The rise in inflation places a significant level of complexity on financial due diligence, highlighting the need for inflation-adjusted financial analysis, transition from cash to accrual accounting, robust forecasting, and vigilant net working capital management.