Categories
Ask the Health Lawyer

The Colorado AI Act: What You Need to Know

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The Colorado AI Act, the first U.S. cross-sector AI governance law, was signed into law on May 17, 2024, with key provisions effective from Feb. 2026. The law focuses on high-risk AI systems, defined as those making consequential decisions, and introduces stringent requirements to prevent algorithmic discrimination. The Act imposes responsibilities on both developers and deployers of AI systems, requiring them to use reasonable care to avoid algorithmic discrimination and mandating comprehensive documentation and impact assessments. The law also requires incident reporting, public disclosure of risk management, and direct consumer notifications. The law exempts entities covered by HIPAA if they provide AI-generated recommendations that require a health care provider to take action to implement that recommendation. Enforcement of the law, which treats violations as breaches of Colorado’s general consumer protection statute, will be carried out by the Colorado attorney general starting 1 Feb. 2026.

Categories
Health Law Highlights

New Practical Guidance for Balancing Fairness, Privacy

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The tension between achieving fairness and maintaining privacy in the operation of advanced AI and machine learning systems is a major challenge for digital governance teams. To test for bias and ensure equity, demographic data is often needed, potentially infringing on privacy rights. A report by the Center for Democracy and Technology AI Governance Lab offers best practices for navigating this issue, such as gathering data responsibly, pseudonymization, encryption, and conducting privacy impact assessments. Legislation, like the upcoming Colorado bill, may balance these issues by requiring fairness and bias testing in AI systems. Transparency and clear communication of methodologies are essential to build trust and uniform benchmarks in AI governance.

Categories
Health Law Highlights

Second Circuit Defines “Willful” under Anti-Kickback Statute

Summary of article from Policy & Medicine, by Thomas Sullivan:

The United States Court of Appeals for the Second Circuit recently ruled that for a defendant to be considered “willful” under the federal Anti-Kickback Statute (AKS), they must be aware that their actions are somehow unlawful. This decision came from a qui tam case against McKesson Corp, which was accused of offering free access to business tools to oncology practices in return for using McKesson as their primary drug supplier. The court upheld the dismissal of the case, finding the evidence insufficient to prove that McKesson acted with wrongful intent. The court’s interpretation of “willful” under the AKS protects those who unintentionally engage in prohibited conduct. Despite this, the case was sent back for review of potential violations of state anti-kickback laws, which may have less stringent requirements.

Categories
Health Law Highlights

Five Key Analyses for Healthcare Financial Due Diligence

Summary of article from VMG Health, by Grayson Terrell, CPA:

In the complex landscape of healthcare mergers and acquisitions (M&A), informed decision-making and financial due diligence (FDD) are crucial for both buyers and sellers. FDD involves a detailed investigation of a company’s financial information to validate its true operating potential, with the purchase price usually based on a multiple of the company’s EBITDA. Five key aspects of FDD include Quality of Earnings, Quality of Revenue, Pro Forma Considerations, Net Working Capital, and Debt and Debt-Like Items. These elements help normalize earnings, convert revenues, project future business directions, determine necessary operating capital, and understand a company’s debts and liabilities. Overall, FDD is a necessary step for achieving successful, lucrative transactions in the healthcare sector.

Categories
Health Law Highlights

Implementing AI and Mitigating Compliance Risks – Part II

Summary of article from Dentons, by Susan Freed:

With the increasing role of generative AI in the healthcare industry, there is a growing need for a clear, consistent approach to its implementation. To mitigate compliance risks, organizations must have an AI strategy, identify current uses of generative AI, update relevant policies, and create a process for evaluating new AI technology. It is important to train users, implement regular reporting strategies, and conduct periodic reviews of the AI technology in use. Providers should develop governance processes now and be flexible enough to adapt to new technologies and regulations.

Categories
Alert

New Telehealth Rule for Speech-Language Pathologists and Audiologists

The Texas Department of Licensing and Regulation adopted a rule for speech-language pathologists and audiologists confirming that direct and indirect supervision may be performed through tele-supervision and that in-person supervision is not required. This rule also allows a licensee providing telehealth services to provide proof of licensure to a requestor through the department’s online license search.

Categories
Alert

Profound Medical Wins FDA Nod for AI in Prostate Cancer Procedure

Summary of article from MassDevice, by Sean Whooley:

Profound Medical has received FDA 510(k) clearance for its second AI model, the Contouring Assistant, designed to treat prostate cancer. The Contouring Assistant is part of the company’s TULSA-Pro system, which uses transurethral ultrasound ablation (TULSA) to ablate diseased tissue in patients with various stages of prostate cancer, benign prostatic hyperplasia (BPH), or those requiring salvage therapy. The TULSA procedure uses real-time magnetic resonance guidance to preserve urinary continence and sexual function while targeting cancerous tissue. The newly cleared AI module uses machine learning to segment the prostate, aiding in the delineation of the target ablation volume. Profound Medical is also developing another TULSA-AI module, TULSA BPH, with more details expected later in 2024.

Categories
Health Law Highlights

Health Plan Services Firm Notifying 2.4 Million of PHI Theft

Summary of article from GovInfo Security, by Marianne Kolbasuk McGee:

Texas-based health plan administration services firm, WebTPA, is notifying over 2.4 million individuals about a hacking incident that occurred in 2023, which was detected in December of the same year. The breach potentially compromised personal data including names, contact information, birthdates, Social Security numbers, and insurance details. WebTPA has offered two years of free identity and credit monitoring services to those affected and has bolstered its network security. The delay in identifying and responding to the breach highlights the challenges organizations face in incident response and breach analysis. This incident is the third-largest breach reported in 2024 and emphasizes the increasing targeting of business associates that provide administrative services to health plans and other healthcare sector entities.

Categories
Health Law Highlights

Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation

Summary of article from Wyrick Robbins Yates & Ponton LLP, by Lynn Percival IV:

In December 2021, the Federal Trade Commission (FTC) began a rulemaking process to update the Health Breach Notification Rule (HBNR), which mandates notice following a security breach of unsecured personal health records. The FTC has now finalized these updates, expanding the definition of a “breach of security” to include unauthorized uses and disclosures of health information. The updated rule also broadens the terms “personal health records” and “PHR identifiable health information,” potentially encompassing more websites, apps, and data repositories. The definition of “PHR related entity” has also been clarified, expanding the types of organizations subject to the rule. The updated rule will be effective 60 days after its publication in the Federal Register, with violations potentially resulting in significant civil penalties.

Categories
Health Law Highlights

Telehealth: Regulatory Questions Amid Legislative Uncertainty

Summary of article from McDermott+Consulting, by Jeffrey Davis, Rachel Stauffer:

The article discusses the potential expiration of temporary Medicare waivers for telehealth services, which were instated during the COVID-19 pandemic and are set to expire by the end of 2024. Without further action from Congress, Medicare telehealth will revert to a rural-only benefit from 2025, and patients will have to visit an “originating” site to receive services. Congress is currently considering another extension, but the uncertainty is causing confusion among patients and providers. The Centers for Medicare & Medicaid Services (CMS) must establish payment policies for 2025, but the legislative uncertainty makes it challenging. Key issues include determining which telehealth services will be added to the Medicare list, the reimbursement rates for these services, the adoption of new telehealth codes, and decisions about other telehealth flexibilities.