Categories
Health Law Highlights

Ransomware Attack on Texas Ophthalmology Practice Exposes Data of 80,000 Patients

Summary of article from The HIPAA Journal, by Steve Adler:

A Texas-based ophthalmology practice, encompassing Victoria Surgery Center, Victoria Eye Center, and Victoria Vision Center, was hit by a ransomware attack on March 21, 2024, compromising the personal and health data of 80,122 patients. The attack encrypted files, making certain systems inaccessible, and an investigation confirmed unauthorized access to patient data. Names, addresses, and medical identification details were among the compromised information. Affected individuals have been notified and offered a year of credit monitoring and identity theft protection services. In another incident, Texas Panhandle Centers, a Certified Community Behavioral Health Clinic, disclosed an unauthorized access to its systems in October 2023, potentially exposing the data of 16,394 patients.

Categories
Health Law Highlights

Is Your Texas Data Protection Assessment Started?

Summary of article from Data Protection Report, by By David Kessler, Annmarie Giblin, Joe McClendon, Susan Ross:

The Texas Data Privacy and Security Act (TDPSA), effective from July 1, 2024, applies to companies conducting business in Texas, processing personal data, and not classified as small businesses. Unlike other state laws, TDPSA requires companies to provide an opt-out option for automated profiling that could significantly impact consumers, such as employment opportunities. The Act mandates “controllers” to conduct a data protection assessment for specific uses of personal data, including sensitive data and profiling activities that pose a risk to consumers. The assessment, which must be available to the Texas Attorney General upon request, should balance benefits against potential risks to consumer rights. Only the Attorney General can enforce the TDPSA, and violations can result in civil penalties up to $7,500 per violation.

Categories
Ask the Health Lawyer

Epic Releases Open-Source AI Validation Tool for Health Systems

Summary of article from Fierce Healthcare, by Heather Landi:

Epic has launched an open-source tool to help healthcare organizations test and monitor artificial intelligence (AI) models. Available for free on GitHub, the AI validation software suite can be integrated with electronic health record (EHR) systems and used to validate AI models from various sources. The tool automates data collection and mapping, providing near real-time metrics and analysis. However, it currently does not validate generative AI models, although Epic plans to expand its capabilities in the future. The Health AI Partnership (HAIP), which includes Duke Health, Mayo Clinic, and Kaiser Permanente, intends to use the tool for local AI model validation.

Categories
Health Law Highlights

HHS Agency Launches Program to Improve Cyber Resiliency in Hospitals

Summary of article from The HIPAA Journal, by Steve Adler:

The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, has initiated a cybersecurity program aimed at enhancing and automating cybersecurity in U.S. hospitals. The program, called Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE), will invest over $50 million to develop software tools to bolster network defenses against cyberattacks. The software will help identify and mitigate vulnerabilities in hospital systems, intending to reduce the time devices remain vulnerable from several months to a few days. ARPA-H is seeking proposals for the creation of a vulnerability mitigation platform, development of digital twins of hospital equipment, and methods for auto-detecting vulnerabilities and auto-developing defenses. The UPGRADE program is part of HHS’s broader strategy to improve cyber resilience across the healthcare sector.

Categories
Health Law Highlights

Twin Brothers Plead Guilty to $45 Million Healthcare Fraud

Summary of article from D Magazine, by Will Maddox:

Drs. Desi and Deno Barroga have admitted to a healthcare fraud scheme involving false claims for steroid injections that were never provided, defrauding insurers including Blue Cross Blue Shield, Cigna, and United Healthcare. The scheme involved monthly office visits for patients on addictive drugs, where they fraudulently claimed to perform costly treatments. Manipulated medical records and coerced patient statements were used to validate the fraudulent claims, leading to the doctors billing insurance for $45 million and receiving $9 million. Both doctors have a history of disciplinary actions from the Texas Medical Board related to improper prescribing and inadequate record-keeping. The brothers now face a maximum of 10 years in federal prison.

Categories
Ask the Health Lawyer

The Colorado AI Act: What You Need to Know

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The Colorado AI Act, the first U.S. cross-sector AI governance law, was signed into law on May 17, 2024, with key provisions effective from Feb. 2026. The law focuses on high-risk AI systems, defined as those making consequential decisions, and introduces stringent requirements to prevent algorithmic discrimination. The Act imposes responsibilities on both developers and deployers of AI systems, requiring them to use reasonable care to avoid algorithmic discrimination and mandating comprehensive documentation and impact assessments. The law also requires incident reporting, public disclosure of risk management, and direct consumer notifications. The law exempts entities covered by HIPAA if they provide AI-generated recommendations that require a health care provider to take action to implement that recommendation. Enforcement of the law, which treats violations as breaches of Colorado’s general consumer protection statute, will be carried out by the Colorado attorney general starting 1 Feb. 2026.

Categories
Health Law Highlights

New Practical Guidance for Balancing Fairness, Privacy

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The tension between achieving fairness and maintaining privacy in the operation of advanced AI and machine learning systems is a major challenge for digital governance teams. To test for bias and ensure equity, demographic data is often needed, potentially infringing on privacy rights. A report by the Center for Democracy and Technology AI Governance Lab offers best practices for navigating this issue, such as gathering data responsibly, pseudonymization, encryption, and conducting privacy impact assessments. Legislation, like the upcoming Colorado bill, may balance these issues by requiring fairness and bias testing in AI systems. Transparency and clear communication of methodologies are essential to build trust and uniform benchmarks in AI governance.

Categories
Health Law Highlights

Second Circuit Defines “Willful” under Anti-Kickback Statute

Summary of article from Policy & Medicine, by Thomas Sullivan:

The United States Court of Appeals for the Second Circuit recently ruled that for a defendant to be considered “willful” under the federal Anti-Kickback Statute (AKS), they must be aware that their actions are somehow unlawful. This decision came from a qui tam case against McKesson Corp, which was accused of offering free access to business tools to oncology practices in return for using McKesson as their primary drug supplier. The court upheld the dismissal of the case, finding the evidence insufficient to prove that McKesson acted with wrongful intent. The court’s interpretation of “willful” under the AKS protects those who unintentionally engage in prohibited conduct. Despite this, the case was sent back for review of potential violations of state anti-kickback laws, which may have less stringent requirements.

Categories
Health Law Highlights

Five Key Analyses for Healthcare Financial Due Diligence

Summary of article from VMG Health, by Grayson Terrell, CPA:

In the complex landscape of healthcare mergers and acquisitions (M&A), informed decision-making and financial due diligence (FDD) are crucial for both buyers and sellers. FDD involves a detailed investigation of a company’s financial information to validate its true operating potential, with the purchase price usually based on a multiple of the company’s EBITDA. Five key aspects of FDD include Quality of Earnings, Quality of Revenue, Pro Forma Considerations, Net Working Capital, and Debt and Debt-Like Items. These elements help normalize earnings, convert revenues, project future business directions, determine necessary operating capital, and understand a company’s debts and liabilities. Overall, FDD is a necessary step for achieving successful, lucrative transactions in the healthcare sector.

Categories
Health Law Highlights

Implementing AI and Mitigating Compliance Risks – Part II

Summary of article from Dentons, by Susan Freed:

With the increasing role of generative AI in the healthcare industry, there is a growing need for a clear, consistent approach to its implementation. To mitigate compliance risks, organization must have an AI strategy, identify current uses of generative AI, update relevant policies, and create a process for evaluating new AI technology. It is important to training users, implement regular reporting strategies, and conduct periodic reviews of the AI technology in use. Providers should develop governance processes now and be flexible to enough to adapt to new technologies and regulations.