Categories
Health Law Highlights

The Most Critical Elements of the FTC’s Health Breach Rulemaking

From Lawfare, by Justin Sherman and Devan Desai:

  • The Federal Trade Commission (FTC) is considering modifications to its Health Breach Notification Rule (HBNR), which governs how non-HIPAA-covered entities handle health data breaches. The proposed changes aim to keep up with technological advancements and trends in the health tech and data landscapes.
  • The FTC’s proposal comes amid a greater focus on health data privacy, following enforcement actions against prescription drug provider GoodRx and fertility tracking app Premom, both of which allegedly violated the HBNR by sharing sensitive health data without proper disclosures.
  • The proposed changes aim to expand federal health data breach regulations to reflect the evolving role of health tech apps, telehealth services, data brokers, and digital advertisers in collecting, aggregating, identifying, sharing, and selling Americans’ health information.
  • The FTC is looking to expand and clarify the definition of personal health record identifiable information, formally expand the definition of a breach to include unauthorized data disclosures, and clarify how the HBNR applies to mobile apps and health tech companies.
  • While the proposed changes largely serve to clarify existing policies and practices, they are viewed as crucial in improving privacy regulation, aligning with state-level health data regulations, and addressing harmful practices such as selling sensitive health data without consumers’ consent.

HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack

From Hall Benefits Law, by Anne Tyler Hall:

  • The U.S. Department of Health and Human Services (HHS) reached a settlement with a Massachusetts-based medical management company for alleged violations of HIPAA’s Privacy and Security Rules. The company, a HIPAA business associate, will pay $100,000 and comply with a three-year corrective action plan (CAP).
  • The investigation began in 2019, following the company’s notification to HHS about a GandCrab ransomware attack that had occurred two years prior. The attack, discovered 18 months after it happened, affected the electronic Protected Health Information (ePHI) of over 206,000 individuals.
  • HHS found that the company violated HIPAA rules by disclosing individuals’ ePHI without authorization and failing to perform a thorough risk analysis, regularly review information system activity, and establish compliant security policies and procedures.
  • The CAP requires the company to revise its HIPAA policies and procedures, addressing issues like security awareness, training, and regular review of information system activities. The company must distribute these revised policies to all workers who use or disclose ePHI, and promptly report any noncompliance to HHS.
  • The CAP also mandates that the company conduct a thorough risk analysis of potential risks and vulnerabilities concerning its existing system for storing ePHI. The company must document its security measures, adopt a risk management plan, and submit annual reports to HHS throughout the three-year duration of the CAP.

Ownership Transparency: The New Normal in Healthcare?

From Davis Wright Tremaine LLP, by Megan Leonard and Robert G. Homchick:

  • On November 17, 2023, the U.S. Department of Health and Human Services published a final rule requiring Medicare and Medicaid nursing facilities to provide more detailed ownership and managerial information on the Medicare Enrollment Application Form CMS-855A.
  • Private equity’s role in the healthcare sector has been under scrutiny, with increased transparency and oversight measures being implemented at both the federal and state levels.
  • The Final Rule was issued in response to studies linking private equity ownership to a decline in quality of care in nursing homes and SNFs.
  • The Final Rule will be effective January 16, 2024 and will require disclosure of ownership and managerial information upon initial enrollment, revalidation, and change of ownership.
  • The Final Rule requires nursing homes to disclose information on their governing body, officers, directors, and additional disclosable parties, as well as the organizational structure and relationships of these parties. This information must be reported upon initial enrollment, revalidation, and every five years.

US Enforcement of Emergency Abortion Rule Halted in Texas

From Bloomberg Law, by Mary Anne Pazanowski and Ian Lopez:

  • The Fifth Circuit has ruled that the Biden administration’s guidance document, intended to protect abortion access nationwide, cannot be enforced due to a failure to follow proper rulemaking procedures.
  • The guidance document added new obligations under the Emergency Medical Treatment and Labor Act, rather than simply restating existing requirements.
  • The court’s decision limits the government’s ability to ensure that clinicians can provide necessary care, including abortion, in emergency situations.
  • The case highlights a conflict between the Biden administration’s pro-abortion stance and Texas law, which largely bans the procedure.
  • The decision has been met with concern from advocates for reproductive justice, who fear that access to abortion services will be further restricted.

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

  • On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
  • This marks the first settlement OCR has resolved involving a phishing attack under HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
  • These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
  • In addition to a $100,000 settlement, the agreement with the medical management company requires it to operate under a Corrective Action Plan (CAP) for three years, which includes updating its risk analysis and implementing security measures.
  • The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.

FDA Warns Against Unauthorized Fat-Melting Injection Treatments

From NBC News, by Berkeley Lovelace Jr.:

  • The FDA has issued a warning about the dangers of using unauthorized versions of fat-dissolving injections, citing reports of severe side effects such as scarring, infections, and skin deformities.
  • These injections, also known as lipolysis injections, are typically used in problem areas such as the chin, legs, upper arms, and abdomen.
  • While the FDA has approved one injection, Kybella, from Kythera Biopharmaceuticals, there are many unapproved versions being sold at clinics and med spas, as well as online.
  • Common ingredients in these unapproved injections, such as phosphatidylcholine and sodium deoxycholate, have not been approved by the FDA.
  • The FDA advises against purchasing fat-dissolving products from websites, as they may be ineffective and carry a risk of severe side effects. If experiencing side effects from these injections, it is recommended to see a healthcare provider.

FTC Seeks to Put Private Equity Roll-Up Strategies to Sleep With its Case Against U.S. Anesthesia Partners

From Winston & Strawn, by Neely Agin and Hannah Gallagher, writing for AHLA (Subscription):

  • FTC and DOJ have increased regulatory scrutiny on the health care industry, particularly private equity investors.
  • FTC Chairwoman Lina Khan has expressed concern over “roll-up” or consolidation strategies in the health care industry, citing potential negative effects on quality of care and costs for patients.
  • In its recent complaint against Welsh Carson and USAP, the FTC alleges a “multi-year anticompetitive scheme” to consolidate anesthesiology practices in Texas and drive up prices.
  • The complaint also includes claims against Welsh Carson, the private equity firm, and not just the portfolio company.
  • This lawsuit serves as a reminder to private equity firms to carefully consider potential antitrust risks in their investments and post-consummation behavior.

Private Investors and Digital Health Attracting OIG Attention: General Compliance Program Guidance to Watch

From McDermott, Will & Emery, by Tony Maida, Dale C. Van Demark, Monica Wallace:

  • The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published the General Compliance Program Guidance (GCPG) as a revised reference guide for the healthcare compliance community and other stakeholders.
  • The GCPG specifically references technology companies and the growing prominence of private equity and other forms of private investment in the healthcare sector.
  • The GCPG covers various risk areas, including quality and patient safety, new entrants in the industry, financial incentives and arrangements, and the role of private investors in compliance oversight.
  • OIG’s concern about new entrants and private investment signals increased scrutiny in the healthcare marketplace and its private ownership foundation.
  • Healthcare organizations should take steps to ensure their board members and executives are trained on the healthcare legal and regulatory landscape, maintain an effective compliance program, and monitor further OIG guidance and enforcement actions.
  • Private investors should also take note of OIG’s statements and the recent CMS rule requiring detailed ownership disclosure.

HHS Finalizes Regulation of Certain AI

From Manatt, Phelps & Phillips, LLP, by Alex Dworkowitz, Alice Leiter, and Randi Seigel:

  • The U.S. Department of Health and Human Services (HHS) has finalized a rule to regulate the use of artificial intelligence (AI) in health care.
  • The rule applies to predictive algorithms used in electronic health record (EHR) systems. It requires transparency in the use of AI, including information about the purpose, funding sources, training data, fairness measures, and validation process.
  • The rule aims to promote the development of fair, valid, and safe algorithms and address concerns about biased decision-making.
  • The regulation currently applies to developers of certified EHR software and may foreshadow future regulations for health care providers.
  • The rule also includes updates to the ONC Health IT Certification Program and provisions to improve interoperability and secure exchange of health information.

FDA’s Final Rule on Direct-to-Consumer Advertising – Presentation of Risk Information

From Foley & Lardner, LLP, by Kyle Gaget and Jordan Smiley:

  • The FDA has released a final rule regarding direct-to-consumer (DTC) advertising for prescription drugs and biologics.
  • The rule requires that DTC ads include the most important risks associated with the drug or biologic being advertised.
  • The FDA has also clarified that companies can include a “major statement” in their ads to fulfill this requirement.
  • The final rule also addresses the use of alternative media for DTC ads, such as social media and online platforms.
  • Companies are encouraged to review and update their DTC advertising practices to ensure compliance with the new rule.