Categories
Health Law Highlights

Health Care Giant Comes Clean About Recent Hack and Paid Ransom

Summary of article from Ars Technica, by Dan Goodin:

Change Healthcare, a US health care services provider, was attacked by the ransomware group ALPHV (also known as BlackCat), disrupting the US prescription market for weeks. The attackers got in through compromised credentials on an account that was not protected by multifactor authentication (MFA), then used that access to exfiltrate data. The company paid a ransom of $22 million to ALPHV and spent two weeks rebuilding its IT infrastructure. The attack cost $872 million in the first quarter and led the company to provide accelerated payments and no-interest, no-fee loans totaling more than $6.5 billion to affected providers. Currently, the company's payment processing is at 86% of its pre-incident level.

HHS Extends the Antidiscrimination Provisions of the Affordable Care Act to Patient Care Decision Support Tools, Including Algorithms

Summary of article from Epstein Becker Green, by Bradley Merrill Thompson:

The Office for Civil Rights (OCR) has published its final rule on algorithmic discrimination by payers and health care providers. The rule, based on Section 1557 of the Affordable Care Act, prohibits discrimination on the basis of race, color, national origin, sex, age, or disability through the use of patient care decision support tools. Covered entities are required to identify and mitigate the risk of discrimination in these tools, with larger, more sophisticated organizations held to a higher compliance standard. The rule applies to both automated and non-automated tools and takes effect 300 days after its publication. OCR is also considering additional rulemaking to expand the scope of the regulation.

FDA Proposes Updated Guidance Concerning Cybersecurity of Medical Devices

Summary of article from Jones Day, by Maureen Bennett, Ryan Blaney, Alexis Gilroy, Colleen Heisey, Michael McFerran, Lauren Murtagh:

On March 13, 2024, the U.S. Food and Drug Administration (FDA) released an updated draft of its Premarket Cybersecurity Guidance to help manufacturers meet the cybersecurity requirements for FDA medical device submissions. The guidance implements Section 524B of the Federal Food, Drug, and Cosmetic Act and applies to any submission for a "cyber device," defined as a device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must provide documentation that includes a plan for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities, processes that provide reasonable assurance that the device and related systems are cybersecure, and a software bill of materials. The guidance also addresses how device modifications affect cybersecurity and the need to show a "reasonable assurance of cybersecurity" as part of the device's safety and effectiveness evaluation. The FDA will finalize the draft guidance after considering comments submitted by May 13, 2024.

FDA Brings Lab Tests Under Federal Oversight

Summary of article from AP News, by Matthew Perrone:

The FDA has finalized a regulation that will gradually introduce oversight for new tests developed by laboratories. The rule mandates that these tests, including those for life-threatening diseases, must demonstrate accurate results within a timeframe of 3.5 to 4 years. However, existing tests will not require federal review and will be grandfathered into approval. All lab tests will need to register with the agency and report any issues. The move has been opposed by the testing industry, which argues it will limit access to critical tests, increase healthcare costs, and stifle innovation.

Healthcare Industry Sees Increased Investment in Generative AI, LLMs

Summary of article from Health IT Analytics, by Shania Kennedy:

A recent Generative AI in Healthcare Survey reveals that healthcare and life sciences organizations are increasingly investing in generative AI projects, with larger organizations and leadership roles reporting higher adoption rates. The survey found that 35% of respondents are not actively considering generative AI, while 21% are evaluating use cases and 20% are developing these tools. The majority of organizations have significantly increased their generative AI budgets, with a focus on small, task-specific language models. The most common use cases are streamlining clinical workflows and improving patient communication. Despite the increased adoption, accuracy and potential legal and reputational risks are major roadblocks, and many generative AI projects have not been thoroughly tested for bias and explainability.

FTC Finalizes Changes to Health Breach Notification Rule

Summary of article from Fierce Healthcare, by Heather Landi:

The Federal Trade Commission (FTC) has finalized the revised Health Breach Notification Rule (HBNR) to enhance data privacy protection for consumers using digital health apps. The rule mandates vendors managing digital health records to notify individuals, the FTC, and sometimes the media, of any breach of unsecured personally identifiable health data. The data includes traditional health information, data from fitness trackers, and “emergent health data” such as health information inferred from location data and health-related purchases. The rule also obligates third-party service providers to notify vendors of personal health records following a breach discovery. The rule will be effective 60 days after its publication in the Federal Register.

HIPAA Update to Include Cybersecurity Requirements for Health Care Organizations

Summary of article from Renal and Urology News, by John Schieszer:

The Department of Health and Human Services (HHS) is updating the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to add new cybersecurity requirements in response to increasing cyber threats to the healthcare sector. HHS has issued a concept paper setting out voluntary Cybersecurity Performance Goals (CPGs) to help healthcare organizations improve their cyber resilience, citing a significant rise in data breaches and ransomware attacks. HHS plans to establish two programs to help healthcare providers implement the CPGs, one of which would provide financial aid to high-need providers. Changes to the HIPAA rules may also give patients more direct access to their Protected Health Information (PHI), and HHS is weighing the privacy concerns that such access raises.

Let’s Make a Deal with DOJ: The Impact of the DOJ’s New Whistleblower Reward Program on Corporate Compliance

Summary of article from Husch Blackwell, by Christina Moore, Madison Rector:

The DOJ announced a new whistleblower rewards program aimed at incentivizing reports of corporate or financial misconduct. This program, allowing individuals to report violations of any federal law, particularly criminal abuses of the U.S. financial system, fills gaps not covered by existing whistleblower initiatives like the False Claims Act (FCA) or the IRS Whistleblower Program. Under the new program, whistleblowers do not need to file a lawsuit or hire an attorney, making it easier for them to report wrongdoings. This initiative could increase pressure on companies to maintain high ethical standards and prevent misconduct. To mitigate risks, compliance officers should foster a culture of openness and communication, ensuring that employees are aware of internal reporting procedures and feel safe using them.

HHS Warns Health Care Sector of AI-Driven Phishing, Social Engineering Attacks on IT Help Desks

Summary of article from Carlton Fields, by Michael Bailey, John Clabby:

The Health Sector Cybersecurity Coordination Center (HC3) has issued an alert about sophisticated social engineering attacks on the healthcare sector that target IT help desks. In these attacks, threat actors use publicly available information and AI tools to impersonate healthcare employees, persuade help desk staff to reset credentials or enroll a new multifactor authentication device, and then use the resulting access to email accounts to divert payments to accounts they control. The alert also highlights the rise of "spearphishing voice," or "vishing," attacks that use AI to mimic employees' voices. In response, the Department of Health and Human Services (HHS) plans to expand its cybersecurity regulations and enforcement, including potential increases in penalties for HIPAA violations. To mitigate these threats, organizations are advised to enhance staff training, review cybersecurity policies, limit employees' social media exposure, strengthen help desk identity verification procedures, and reassess which multifactor authentication methods they allow.

What the FTC’s Rule Banning Non-Competes Means for Healthcare

Summary of article from Nelson Mullins Riley & Scarborough LLP, by Candace Friel, Denise Gunter, Carrie Hanger:

The Federal Trade Commission (FTC) has finalized a rule banning most non-compete agreements, with the rule set to take effect 120 days after its publication in the Federal Register. The rule prohibits new non-competes for all workers, regardless of title, job function, or compensation; the only carve-out is for existing non-competes with "senior executives," a narrowly defined term, which may remain in force. Non-profit organizations fall outside the FTC's jurisdiction and are therefore not covered by the rule. The rule is expected to have a significant impact on industries such as healthcare, where non-compete agreements are common. Legal challenges have already begun: the U.S. Chamber of Commerce has announced its intention to sue the FTC, and a lawsuit was filed on April 23, 2024.