Healthcare Empowered

Dr. Death Redux

• Dr. Raynaldo Ortiz was sentenced to 190 years in prison for injecting dangerous drugs into patient IV bags at Baylor Scott & White Surgicare North Dallas, leading to at least 12 cardiac complications and the death of a colleague. Ortiz was convicted in April after an eight-day trial on multiple counts of tampering with consumer products and drug adulteration. Surveillance footage showed Ortiz tampering with IV bags, which were later linked to severe patient reactions.

Emerging Tech

• In a randomized clinical trial published in JAMA Network Open, it was found that the use of a large language model (LLM) did not significantly enhance diagnostic reasoning performance among physicians compared to conventional resources. The study involved 50 physicians and showed that while the LLM alone outperformed both groups of physicians, its integration with physicians did not improve diagnostic reasoning. The trial highlighted the need for further development in human-computer interactions to effectively integrate LLMs into clinical practice. Despite the LLM’s potential, the study suggests that simply providing access to LLMs is insufficient to improve diagnostic reasoning in practice.

Fraud & Abuse

• A federal jury in Dallas has found Healthcare Associates of Texas, LLC (HCAT) liable for fraudulent Medicare billing practices, potentially resulting in $304 million in penalties under the False Claims Act. The case was brought by a whistleblower, a former HCAT executive, who alleged that HCAT submitted 21,844 false claims to Medicare between 2015 and 2021. The fraudulent schemes included billing for services by uncredentialed providers, splitting bills to obscure provider identities, and charging inflated rates. The jury found HCAT, its founding physicians, former CEO, and ex-Chief Compliance Officer liable for these actions. The whistleblower will receive a percentage of any recovered funds, though the specific award has not been disclosed.
• A Texas laboratory owner was charged with healthcare fraud for submitting over $79 million in fraudulent claims to Medicare and Medicaid for unnecessary respiratory pathogen panel tests. The owner allegedly used a physician’s identity without consent and falsely represented that the lab used reference laboratories to conduct the tests. The government seized over $15 million in cash and is investigating the case with multiple agencies.

Gender-Affirming Care

• Attorney General Ken Paxton has filed lawsuits against two UT Southwestern and Children’s Health physicians, alleging they provided illegal “gender transition” treatments to minors. The lawsuits claim the physicians violated Senate Bill 14, which prohibits such treatments for minors, and highlight their association with the now-closed GENECIS Clinic. The American Academy of Pediatrics supports gender-affirming care, while a conservative advocacy group, the American College of Pediatricians, opposes it.

Health Policy

• Robert F. Kennedy Jr. has expressed strong opposition to the FDA’s current practices, which he believes suppress public health advancements by limiting access to non-patentable treatments and products. He criticizes the pharmaceutical industry’s reliance on patents, suggesting that many FDA actions are designed to protect this business model. Kennedy advocates for allowing the manufacture and distribution of medical products without FDA approval, permitting broader marketing claims, and opposing regulations on raw milk and certain food additives. His stance suggests a push for more lenient FDA policies regarding unapproved medical uses and claims for “clean foods.” President-elect Trump has indicated he will nominate Kennedy as secretary of health and human services, potentially giving him oversight of the FDA.
• The Food and Drug Administration (FDA) has made it a federal requirement to inform patients about their breast density when they receive mammograms, following a policy initially enacted in Texas. Higher breast density, characterized by more glandular tissue, can obscure cancer detection on mammograms since both appear white. Patients with dense breasts are advised to undergo more comprehensive exams, such as ultrasounds or MRIs, for better cancer detection. This federal mandate follows the 2012 Texas rule, known as Henda’s Law, which was adopted by 18 other states before becoming a nationwide requirement. Breast cancer remains the most common cancer among women in Texas, with over 21,000 diagnoses expected this year and nearly 3,500 estimated deaths.

Patient Confidentiality

• The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has announced a new enforcement initiative called the Risk Analysis Initiative, aimed at ensuring compliance with the HIPAA Security Rule Risk Analysis provision. This initiative is part of OCR’s broader efforts, including its seventh enforcement action related to ransomware, to address deficiencies in how organizations assess risks to electronic protected health information (ePHI). With a reported 264% increase in large breaches involving ransomware since 2018, the initiative emphasizes the need for healthcare entities to evaluate their cybersecurity measures and resource allocation. OCR’s focus is on enhancing the identification and remediation of threats to ePHI, a critical aspect of HIPAA compliance. This initiative follows OCR’s previous enforcement strategy, the Right of Access Initiative, suggesting a continued rigorous approach to ensuring compliance.
• Elon Musk has been criticized for encouraging users of X, the platform he owns, to upload medical images to its AI tool, Grok, raising concerns about privacy and accuracy issues. Musk claims Grok is in early stages but already quite accurate, though results have been mixed, with some users reporting accurate diagnoses and others experiencing errors. Critics highlight the absence of HIPAA protections on X and ethical concerns about sharing sensitive health data on social media. The New York Times and experts like Bradley Malin emphasize the risks involved, including potential misuse of data and public trust issues. The debate underscores the need for regulation in AI-driven healthcare to prevent misuse and ensure safety.

Risk Management

• The Office of Inspector General (OIG) has released updated Industry-Specific Compliance Program Guidance (ICPG) for nursing facilities. The 2024 ICPG shifts the focus from fraud prevention to quality of care and resident safety, reflecting the interconnectedness of care quality and compliance. Nursing facilities are encouraged to review their practices, identify gaps, and implement changes to align with the new framework.
• Overpayments pose significant risks to healthcare providers, leading to financial losses and compliance issues. Statistical Sampling and Overpayment Estimation (SSOE) is a method that uses a small, representative sample of claims to estimate overpayments across a larger pool, offering a cost-effective alternative to reviewing every claim. The SSOE process involves sampling claims, identifying overpayments, and extrapolating results to provide a reliable picture of financial impact. Key data fields for accurate overpayment estimation include claim details, provider and patient information, service codes, and overpayment indicators. SSOE not only helps in compliance and reducing financial risks but also provides insights into improving billing processes and addressing financial leakage.

Taxation

• The Fifth Circuit denied tax-exempt status to the Memorial Hermann Accountable Care Organization (MHACO), a healthcare nonprofit, under Section 501(c)(4) of the Internal Revenue Code, citing substantial nonexempt purposes. This decision extends the “substantial nonexempt purpose” test, traditionally applied to 501(c)(3) entities, to 501(c)(4) organizations, potentially affecting other nonprofits with similar structures. The court found that MHACO’s activities primarily benefited private healthcare providers and commercial insurers, rather than promoting social welfare, as required for tax exemption. The ruling could impact nonprofits with private membership or financial benefit structures, possibly affecting their operations and governance. Additionally, the decision may influence politically active nonprofits by curbing activities such as political spending.

Telehealth

• The Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) have issued a third extension of telemedicine flexibilities for prescribing controlled substances, now set to expire on December 31, 2025, allowing practitioners to prescribe Schedule II-V substances without an in-person evaluation under certain conditions. This extension serves as a transitional measure from the emergency provisions of the COVID-19 pandemic to a more permanent regulatory framework, reflecting ongoing efforts to modernize healthcare delivery while ensuring patient safety. The extension maintains continuity of care, particularly for patients with chronic conditions or substance use disorders, and provides time for stakeholders to adapt to future regulations. The DEA and HHS are considering public feedback, including 38,369 comments, to develop a comprehensive set of permanent rules that balance access to care with safeguards against misuse.
• The DEA and HHS have extended COVID-era tele-prescribing flexibilities for controlled substances through December 31, 2025. This extension provides more time to finalize permanent tele-prescribing rules that balance public health, access, and diversion risks. The agencies aim for a smooth transition for patients and practitioners who have come to rely on telemedicine for controlled substance prescriptions.

Artificial Intelligence

• The Department of Homeland Security (DHS) has released a voluntary framework outlining AI responsibilities for critical infrastructure sectors. The framework, developed with industry input, addresses risks like AI-based attacks and design failures, emphasizing practical implementation for safety and security. While the future of the framework under a potential Trump administration remains uncertain, DHS highlights its own AI pilot projects and integration efforts.
• The Global Privacy Assembly’s Joint Statement emphasizes that data scraping, even of publicly accessible data, must comply with privacy laws, including obtaining consent when necessary. Relying solely on platform terms for data scraping does not guarantee compliance with data protection and AI laws.
• President-elect Trump’s return to the White House may impact the artificial intelligence (AI) industry. Trump’s alliance with tech billionaire Elon Musk and his pledge to repeal President Biden’s AI executive order suggest a focus on private sector-driven innovation and competition over regulation.
• According to a recent cybersecurity report, healthcare organizations block 17.2% of AI transactions, ranking third behind finance and insurance, and technology sectors. This is slightly below the national average of 18.5%, indicating a lag in healthcare’s efforts to secure sensitive data against AI threats. Despite being the sixth-largest user of AI and machine learning, the healthcare sector’s AI adoption is expected to grow. The most popular AI applications in healthcare include ChatGPT, Drift, OpenAI, Writer, and Intercom. Healthcare organizations are actively engaging in AI safety initiatives, with some developing in-house AI platforms, while addressing concerns about data privacy, security, and the reliability and bias of AI algorithms in patient care.
• Pieces Technologies, a Dallas-based company, uses AI to streamline physician documentation, saving time on tasks like patient summaries, discharge notes, and progress notes. The platform, now in use at hospitals nationwide, has expanded to include a mobile version and is exploring outpatient applications. Despite facing scrutiny over AI accuracy, Pieces continues to innovate and secure funding for its patient-facing technology.
• California enacted two new laws governing the use of AI in healthcare. One law requires health plans using AI in utilization review to disclose its use and ensure determinations are based on clinical information. The other law mandates providers using AI in patient communications to obtain consent and follow specific protocols.

Cybersecurity

• The Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000 for HIPAA violations, including lacking a Business Associate Agreement (BAA) and insufficient access controls. The fine reflects a 20% discount for PMI’s recognized security practices, but OCR has not publicly disclosed which practices qualify or how the discount was calculated. This marks the first time OCR has publicly acknowledged applying the discount, which was mandated by the Cybersecurity Act of 2015.
• New federal legislation called the Health Infrastructure Security and Accountability Act (HISAA) has been introduced to address cybersecurity risks in the healthcare sector, particularly for HIPAA Covered Entities and Business Associates. The Act is a response to high-profile cybersecurity incidents, such as the Change Healthcare breach, and aims to establish new security requirements, conduct annual risk assessments, and enforce audits to improve cybersecurity practices. HISAA proposes tiered penalties for noncompliance, removes statutory caps on penalties, and introduces fees to cover oversight costs. It also includes financial incentives and disincentives related to Medicare payments to encourage the adoption of enhanced cybersecurity measures. The act represents a significant shift in cybersecurity enforcement and oversight compared to existing HIPAA regulations.

Data Privacy

• The FTC published an explainer on the use of Data Clean Rooms (DCRs), cloud services that enable data exchange and analysis between companies. While DCRs can offer privacy protections when configured correctly, they are not inherently privacy-preserving and can be used to obfuscate privacy harms. Companies should not rely on DCRs to avoid legal obligations regarding data privacy and should be held accountable for any violations, regardless of the technology used.
• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.
• Texas is emerging as a significant player in privacy regulation following the implementation of the Texas Privacy and Data Security Act (TPDSA) in July 2024 and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act in September 2024. Texas Attorney General Ken Paxton has initiated a privacy and security enforcement initiative, establishing a dedicated team within the Consumer Protection Division to enforce these laws. Notable actions include a lawsuit against TikTok for allegedly violating the SCOPE Act by sharing minors’ personal information without parental consent, and a settlement with Meta under the Texas biometric law for unauthorized data capture. Additionally, over 100 companies were notified for failing to register as data brokers, and car manufacturers are under investigation for data collection practices. Businesses processing Texans’ personal information should ensure compliance with the TPDSA and other relevant privacy laws to avoid enforcement actions.

Behavioral Health

• Behavioral health is a rapidly growing area in the healthcare sector, but it faces significant operational and financial challenges as companies scale and investor interest increases. Behavioral health organizations need to adopt innovative strategies to improve operations and financial performance, often requiring external expertise to navigate these complexities. They highlight the importance of effective management, strategic planning, and maintaining a focus on patient care amidst financial pressures, such as rising costs and debt. The experts emphasize the need for organizations to communicate their mission clearly, engage employees, and ensure consistent quality of care. They also advise investors to assess management’s ability to respond to data, maintain a positive organizational culture, and manage financial metrics effectively.

Drug & Device

•  New FDA advertising rules require drugmakers to use simpler language and no distractions when explaining their medications’ risks and side effects. The FDA spent more than 15 years crafting the guidelines, which are designed to do away with industry practices that downplay or distract viewers from risk information. Many companies have already adopted the rules, which become binding Nov. 20.
• The U.S. Department of Justice (DOJ) recently published a final rule on the accessibility of medical diagnostic equipment (MDE) and other accessibility-related practices that promises to have broad impact on the health care industry. Although the rule is limited to state and local government’s healthcare practices, it is likely only a matter of time before the rule’s mandates will be imposed on the entire health care industry.

Equity & Equality

• The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published final rules implementing anti-discrimination provisions under Section 1557 of the Affordable Care Act. These rules apply to health programs receiving federal financial assistance and prohibit discrimination based on race, color, national origin, sex, age, or disability. Covered entities must meet several upcoming deadlines, including appointing a Section 1557 Coordinator by November 2, 2024, and ensuring non-discriminatory use of patient care decision support tools by May 1, 2025. By July 5, 2025, entities must post notices of language assistance services and adopt comprehensive policies and procedures to ensure compliance. The rules also require training for relevant employees on these policies within specific timeframes.

Fraud & Abuse

• Anti-Kickback Statute (AKS) enforcement is shifting away from COVID-19 pandemic-era fraud and towards unlawful marketing and referral practices. The Justice Department and HHS’ Office of Inspector General anticipate an uptick in enforcement activity, particularly against Stark law violations. Life sciences and healthcare companies should bolster compliance efforts to avoid scrutiny and potential whistleblower actions.
• The Office of Inspector General (OIG) recommends increased oversight of remote patient monitoring (RPM) services and billing in the Medicare program. The OIG report found that RPM is not being used as intended, with many enrollees not receiving all required components and concerns about fraud and abuse. The OIG also found that CMS lacks key information about RPM use, including the types of devices and health data being collected.
• The future of the Stark law is uncertain following a district court decision that a False Claims Act lawsuit could not be resolved without further briefings on the U.S. Supreme Court’s recent reversal of the Chevron deference doctrine. In July, the Supreme Court overturned Chevron deference, which had required judges to defer to federal agency interpretations in ambiguous legal cases, now mandating independent judicial interpretation. The district judge emphasized the need to interpret regulations independently, leading to the lawsuit’s dismissal due to insufficient detail in the plaintiff’s allegations. This change in judicial approach raises questions about the Stark law’s application, as it involves complex compliance requirements and exceptions.

Intellectual Property

• Companies developing cell and gene therapies face a critical decision: patenting or keeping information as a trade secret. Factors like reverse-engineering risk, patent eligibility, business model, and infringement detection influence this choice. Enforcement strategies for patents and trade secrets differ in goals, timing, pleadings, and discovery logistics, requiring careful planning.

Mergers & Acquisitions

• Behavioral health mergers and acquisitions (M&A) have recovered and stabilized, driven by factors like the emergence of mental health platforms and positive reimbursement changes. Joint venture (JV) partnerships continue to gain popularity in the mental health sector. Behavioral health providers are expanding their geographical reach by helping traditional nonprofit health systems operate more efficiently and meet the high demand for behavioral health services. Telehealth has become a common treatment method for mental health patients, with Congress extending telehealth flexibility waivers through 2024.
• The Federal Trade Commission (FTC) recently published revisions for pre-merger notification requirements under the Hart-Scott-Rodino Antitrust Act. The rule revises forms and instructions to address information gaps and ensure that transactions do not stifle competition. Entities must file information about entities and individuals influencing decision-making post-merger, non-horizontal relationships, business lines, serial acquisitions, and roll-ups.

No Surprises Act

• The Fifth Circuit Court of Appeals’ recently upheld regulations defining the qualifying payment amount (QPA) under the No Surprise Billing Rules. The QPA is a key factor in determining how much individuals and health plans must pay out-of-network providers in certain situations. The court’s decision upheld the rules governing how QPAs will be determined and the information that plans need to disclose to providers about how they determined a QPA.

Ransomware

• The healthcare industry is increasingly targeted by ransomware attacks, with notable incidents such as the Change Healthcare breach affecting nearly 100 million individuals. Healthcare organizations face complex decisions regarding whether to pay ransoms, balancing the need to minimize business disruption and protect sensitive data against the risks of legal liability, increased future targeting, and ethical concerns. Paying a ransom does not eliminate legal obligations to report breaches, and it may expose organizations to penalties if payments are made to sanctioned entities. The healthcare sector’s critical services and sensitive data make it a prime target, necessitating robust cybersecurity measures and comprehensive incident response strategies. Organizations must carefully evaluate their legal and strategic options to effectively manage ransomware risks.

Reproductive Rights

• Texas lawmakers will consider a bill that would reclassify mifepristone and misoprostol — two drugs commonly used in medication abortions — as controlled substances. This move mirrors a similar law in Louisiana, which has faced criticism from healthcare providers for potentially endangering patients’ lives. The Texas bill, if passed, would take effect in September 2025 and adds a muscle relaxant to the Schedule IV controlled substances list.

Telehealth

• States continue to modify telehealth laws and regulations, striking a balance between flexibility and quality care. While some federal telehealth flexibilities have been extended, the DEA’s remote prescribing rulemaking remains uncertain, potentially impacting providers beyond December 31, 2024. Enforcement efforts against telehealth fraud highlight the need for providers to prioritize compliance with evolving legal requirements.

Blockchain

• The integration of AI and Blockchain technologies promises to revolutionize industries by enhancing transparency, security, and efficiency. While offering significant benefits, this convergence also raises challenges related to scalability, data privacy, and regulatory compliance. Despite these obstacles, the potential applications and innovations stemming from this synergy are vast and promising.

HIPAA & Cybersecurity

• The Health Infrastructure Security and Accountability Act (HISAA) aims to establish mandatory minimum security standards for healthcare organizations to protect healthcare information. HISAA proposes annual audits and stress tests, increased accountability and penalties, and financial support for enhancements. The bill seeks to address the patchwork of healthcare data security standards and bring them under one minimum umbrella.
• Stolen credentials are a significant security risk, as evidenced the recent breach at Change Healthcare. To combat this, organizations should enforce strong passwords, monitor credential sites, and educate employees about the dangers of credential theft.
• Health data from most period-tracking apps is not protected under HIPAA, as these apps are typically not considered covered entities. While some apps claim HIPAA compliance, this is often misleading and may indicate a lack of protection.

Ransomeware

• Ransomware attacks, while slightly less frequent in H1 2024, saw a 68% increase in severity, with average losses reaching a record high. Businesses with over $100 million in revenue experienced the most significant impact, with a 140% increase in losses. While BEC attacks remained the most common cause of claims, ransomware attacks were the third most common, with exposed login panels and outdated technologies increasing the likelihood of a claim.
• A new report reveals a four-year high in ransomware attacks on healthcare organizations, with 67% reporting incidents in the past year. These attacks are increasingly complex, with longer recovery times and higher costs, averaging $2.57 million in 2024. Attackers are also targeting data backups, increasing pressure on organizations to pay ransoms.

Regulation

• The return of Donald Trump to the White House raises questions about potential changes to healthcare cybersecurity and HIPAA regulations. While some experts anticipate a reversal of the Biden administration’s reproductive health data privacy protections, others believe the Trump administration will focus on completing previously proposed HIPAA Privacy Rule changes. Cybersecurity, however, is seen as a non-partisan issue, with potential for continued focus on implementing stronger practices and potentially updating the HIPAA Security Rule.
• The California Privacy Protection Agency (CPPA) will investigate data broker compliance with registration requirements under the California Delete Act. Data brokers must register by January 31, 2025, providing information about their operations and consumer rights requests.

Tech and ACOs

• The disconnect between physical and mental healthcare in the U.S., particularly in underserved areas, is a major issue. The CMS’s ACO Primary Care Flex Model aims to address this by promoting integrated care and value-based reimbursement. Healthcare information technology plays a crucial role in enabling seamless data exchange and collaboration among providers, ultimately improving patient outcomes.

Fraud & Abuse

• Horizon Medical Center of Denton, owned by Corinth Investor Holdings, L.L.C., paid $14.2 million to settle potential violations of Medicare regulations and the Stark Law. The center self-disclosed omitting a modifier and location for services provided at off-campus facilities, as well as financial relationships with physician-owners. This settlement, along with two others, highlights the Department of Justice’s emphasis on voluntary self-disclosure and cooperation in healthcare fraud cases.
• A pharmaceutical ingredient supplier will pay $21.75 million to settle allegations of inflating Average Wholesale Prices (AWPs) for two key ingredients. A pharmacist whistleblower exposed the scheme, highlighting the critical role of whistleblowers in combating pharmaceutical fraud. The False Claims Act empowers individuals to report fraud and protects public funds from fraudulent activities.
• A Texas optometrist, agreed to pay $1 million to settle allegations of healthcare fraud. The doctor operated a network of optometry practices in Central Texas and according to the government, these practices submitted claims to TRICARE, Medicare, and Medicaid using the National Provider Identifiers (NPIs) of optometrists who did not perform the services billed. They allegedly did so “in circumstances where the optometrist who rendered services was not credentialed or enrolled in the Federal healthcare program billed.
• Oak Street Health, a CVS subsidiary, agreed to a $60 million settlement for violating the False Claims Act. The company allegedly paid kickbacks to insurance agents to recruit seniors to their clinics, resulting in false claims to Medicare. The settlement includes restitution and a whistleblower reward.

HIPAA & Cybersecurity

• The return of Donald Trump to the White House raises questions about potential changes to healthcare cybersecurity and HIPAA regulations. While some experts anticipate a reversal of the Biden administration’s reproductive health data privacy protections, others believe the Trump administration will focus on completing previously proposed HIPAA Privacy Rule changes. Cybersecurity, however, is seen as a non-partisan issue, with potential for continued focus on implementing stronger practices and potentially updating the HIPAA Security Rule.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to establish mandatory minimum security standards for healthcare organizations to protect healthcare information. HISAA proposes annual audits and stress tests, increased accountability and penalties, and financial support for enhancements. The bill seeks to address the patchwork of healthcare data security standards and bring them under one minimum umbrella.

Hospice

• Hospices are exploring palliative care programs to remain relevant in the evolving value-based care landscape. Palliative care, which focuses on managing symptoms and improving quality of life for patients with serious illnesses, is increasingly recognized for its potential to reduce healthcare costs. By partnering with Medicare Advantage plans and Accountable Care Organizations, hospices can leverage palliative care to participate in value-based reimbursement models.

Insulin Overpricing

• Insulin overpricing lawsuits allege that pharmaceutical companies and Pharmacy Benefit Managers (PBMs) have engaged in deceptive and unfair trade practices, artificially inflating insulin prices. Plaintiffs, including individuals, unions, and public entities, seek damages for losses incurred and injunctive relief to prevent future price gouging. The lawsuits allege violations of state consumer protection laws, unjust enrichment, and potentially federal RICO laws, aiming to hold these companies accountable for their actions.

Loper Bright

• The Loper Bright decision, repealing Chevron deference, leaves hundreds of healthcare regulations vulnerable to litigation. Healthcare regulation, often complex and involving multiple agencies and statutes, will face challenges in determining the “best reading” of statutes. This shift in regulatory authority could lead to increased litigation and uncertainty in the healthcare industry.

Med Spas

• A Harvard-trained spa owner allegedly injected clients with bogus Botox and skin fillers. The spa owner smuggled counterfeit injectable drugs from China and Brazil, falsely claiming to be a nurse with a degree from Harvard and a license from the state’s Estate Board.
• A former plastic surgeon who gained viral attention for posting dancing videos from the operating table, is practicing with a Texas med spa under a suspended license.

No Surprises Act

• The Fifth Circuit Court of Appeals upheld several provisions of the No Surprises Act, favoring regulators and insurers. The Act aims to protect patients from surprise medical bills by capping their liability to out-of-network providers. However, the Court’s decision will likely lead to artificially low QPAs, negatively impacting provider reimbursement rates and future contract negotiations.

Physician Fee Schedule

• The Centers for Medicare & Medicaid Services (CMS) finalized the 2025 Medicare Physician Fee Schedule, resulting in a 2.93% reduction in average payment rates. This decision has been met with strong opposition from national provider associations, who argue that the cuts, coupled with inflation, threaten the financial viability of physician practices and patient access to care. These associations urge Congress to intervene and stabilize reimbursement rates.
• The Biden administration finalized 2025 Medicare reimbursement rates, with physicians facing a 2.9% decrease and hospitals receiving a 2.9% increase for outpatient services. While hospitals argue the rates are insufficient, physician groups, particularly those operating independent practices, face more significant challenges due to rising costs and smaller profit margins. The CMS also implemented changes to the Hospital Outpatient Prospective Payment System, including maternal health and safety standards and continuous coverage requirements for children in safety-net programs.
• CMS finalized a 2.83% physician pay cut for 2025 while increasing reimbursement for ASCs meeting quality reporting requirements. The rule includes updates to coding and payment policies for various services, as well as changes to the ASC quality reporting program.

Ransomeware

• Ransomware attacks, while slightly less frequent in H1 2024, saw a 68% increase in severity, with average losses reaching a record high. Businesses with over $100 million in revenue experienced the most significant impact, with a 140% increase in losses. While BEC attacks remained the most common cause of claims, ransomware attacks were the third most common, with exposed login panels and outdated technologies increasing the likelihood of a claim.
• A new report reveals a four-year high in ransomware attacks on healthcare organizations, with 67% reporting incidents in the past year. These attacks are increasingly complex, with longer recovery times and higher costs, averaging $2.57 million in 2024. Attackers are also targeting data backups, increasing pressure on organizations to pay ransoms.

Skilled Nursing Facilities

• CMS has updated the CMS-855A form to require expanded disclosure of ownership and control interests for Skilled Nursing Facilities (SNFs). This includes disclosure from a broader class of entities, such as landlords, consultants, and managers, categorized as “additional disclosable parties” (ADPs). SNFs must report all persons and entities within the organizational structure of each ADP, and failure to comply may result in sanctions.

Access & Privacy

• A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

AI Governance

• The Chief AI Officer role in healthcare demands a unique blend of skills, including AI policy, business strategy, technology expertise, and domain knowledge. UC Davis Health sought a Chief AI Officer to enhance AI governance, accelerate adoption, and collaborate on AI initiatives. The role involves strategic planning, education, and oversight to ensure responsible AI implementation.
• AI accountability is a critical aspect of responsible AI development and deployment. Privacy professionals play a key role in ensuring AI governance aligns with data protection and privacy practices, addressing concerns about bias, transparency, and ethical responsibility. By collaborating with legal and other stakeholders, privacy teams can help organizations navigate the complexities of AI regulation and mitigate risks associated with AI systems.

AI Risk Management

• An Associated Press investigation revealed that OpenAI’s Whisper transcription tool creates fabricated text in medical and business settings despite warnings against such use. These tools are known to produce fabricated text, or “confabulations,” which can lead to serious consequences in medical settings, such as incorrect diagnoses and treatment plans. Despite OpenAI’s advice against using Whisper in high-risk domains, over 30,000 medical professionals are reportedly using it for transcriptions. The tool’s inaccuracies are attributed to its reliance on predicting likely text rather than ensuring accuracy, often filling gaps with incorrect or biased information.

Corporate Compliance

• The DOJ’s updated ECCP policy document now requires companies to assess AI risks and ensure compliance with criminal laws. Companies must also provide compliance staff with access to relevant data and utilize data analytics tools to enhance compliance efforts.

Cybersecurity

• Healthcare organizations need stronger cybersecurity measures, including identity and access management, patching, phishing training, and robust backup practices, as cyber attacks continue to rise. HIPAA guidance alone is insufficient, and organizations should consider following more rigorous standards like NIST or HITRUST. Assuming a breach will occur and having an incident response plan in place is crucial.

Growth & Innovation

• Texas tech companies are revolutionizing healthcare through telemedicine, wearable devices, biotechnology, and AI. These companies are making healthcare more accessible, affordable, and effective by developing innovative solutions that improve patient care and empower individuals. Texas is poised to remain a leader in health technology, driving advancements and shaping the future of healthcare.
• The OMB has issued guidance to agencies on responsible artificial intelligence acquisitions. The guidance emphasizes the importance of managing AI risks, promoting competition, and improving information sharing. Agencies are advised to identify AI early in the acquisition process, engage relevant equities, and include contractual requirements to manage AI risks effectively.
• CISA is focusing on eliminating risky software-building practices, such as default passwords and memory-unsafe languages, to enhance cybersecurity. The agency has secured over 230 voluntary commitments from software manufacturers to meet cybersecurity goals within a year. CISA is also pushing for software companies to prioritize security features like MFA and make them difficult for customers to remove.
• A recent survey of healthcare security professionals reveals that nearly one-third are unsatisfied with their existing security frameworks, highlighting the industry’s struggle to keep pace with evolving threats. Budget constraints and lack of executive support are significant barriers to implementing new technologies. Despite the challenges, healthcare facilities are increasingly adopting converged security solutions that blend digital identity, physical security, and cybersecurity measures.

Legislation

• The Colorado AI Act requires developers and deployers of AI systems to disclose their use to Colorado residents. Developers of high-risk AI systems must protect against algorithmic discrimination and provide detailed documentation to deployers. Deployers must implement risk management programs and conduct annual impact assessments to mitigate risks of discrimination.

Access & Privacy

• A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

Cryotheraphy

• Cryotherapy, an extreme cooling treatment, has gained popularity, leading to its incorporation into various wellness businesses. However, owners must comply with FDA regulations, which prohibit claims of treating diseases without scientific evidence. Additionally, Texas medical board rules may apply if cryotherapy services are marketed as providing health benefits.

Fraud & Abuse

• The Supreme Court’s recent denials of two certiorari petitions on the federal Anti-Kickback Statute’s willfulness standard may have profound implications for health care companies defending against AKS claims. The petitions sought to clarify whether the AKS requires defendants to know that their conduct violates the law to be found liable. The court’s decision leaves the issue unresolved, potentially leading to further appellate decisions and providing clarity on the AKS willfulness standard.

Gender-Affirming Care

• Texas Attorney General Ken Paxton is suing Dr. Hector Granados for providing gender-affirming medical care to minors, violating state law. The lawsuit alleges Granados prescribed puberty blockers and hormone therapy to over 20 minors, claiming the treatments were necessary for precocious puberty. Granados helped open El Paso’s first clinic treating transgender children and teens in 2015.

HIPAA

• Business associate agreements (BAAs) are not typically required when third parties receive protected health information (PHI) for research purposes. However, third parties may qualify as business associates if they create de-identified data sets or limited data sets on behalf of a covered entity. CEs should only require BAAs when third parties perform covered functions or services listed in the HIPAA Privacy Rule.
• The 2024 Final Privacy Rule allows covered entities to disclose protected health information (PHI) related to reproductive healthcare only to the individual or their personal representative. Covered entities may refuse to disclose PHI in permissive circumstances, such as law enforcement or judicial processes, even with an attestation form. The rule aims to protect patient privacy and strengthen access to reproductive healthcare services.
• OCR Director Melanie Fontes Rainer highlighted key priorities at the HHS-NIST conference, including an update to the HIPAA Security Rule with new cybersecurity requirements and an enforcement initiative for risk analysis compliance. OCR also emphasized the importance of engaging with the healthcare sector on cybersecurity matters and has increased outreach through webinars, videos, and newsletters.

Ransomware

• A plastic surgeon paid a $53,000 ransom to regain access to data after a ransomware attack, but faced a $500,000 HIPAA fine. The surgeon claims the government was more punitive than the hackers. A government ambulance provider also faced a $90,000 fine for failing to conduct a HIPAA security risk analysis, highlighting the importance of this requirement for compliance.

Reimbursement

• The Medicare Physician Fee Schedule final rule strengthens primary care, expands access to preventive services, and promotes whole-person care. It includes new coding and payment policies for advanced primary care management services, cardiovascular risk assessment, and behavioral health services. The rule also expands coverage for hepatitis B vaccinations, colorectal cancer screening, and PrEP to prevent HIV.

Telehealth

• State laws on clinical record ownership vary, and healthcare providers must understand these differences when practicing telehealth across state lines. HIPAA’s right-of-access rule adds complexity, specifying how and when records must be shared. Providers must comply with both state and federal regulations, with state laws taking precedence when they provide greater rights to patients.
• The DEA is expected to extend telehealth flexibilities for prescribing controlled substances for the third time. The Texas Medical Board proposed requiring physicians to hold a full Texas medical license to provide telehealth and added a rule concerning prescribing for chronic pain.

Navigating AI: A Quick Start Guide for Healthcare Professionals

To get started with AI in healthcare, clinicians should set clear goals, create a personalized learning roadmap, and identify essential resources. Understanding AI fundamentals, including programming skills, is crucial for effective collaboration and decision-making. Clinicians can enhance their knowledge and skills through formal education, online courses, and hands-on experience.

Clinician involvement in AI development is crucial, yet often inconsistent, necessitating a multidisciplinary approach to ensure trust and usability in clinical settings. Effective AI integration requires clinicians to understand AI basics, set learning goals, and engage in continuous education, including programming skills and AI model development. A structured learning approach, incorporating formal AI education into medical curricula, can enhance clinicians’ ability to innovate and apply AI tools effectively. Practical resources such as online courses, textbooks, and professional networks are essential for clinicians to gain AI proficiency.

Success in AI adoption involves setting clear milestones, leveraging low-code platforms for ease of use, and fostering collaboration with AI experts. Overall, AI offers significant opportunities for healthcare professionals to improve patient care and drive innovation through informed engagement and structured learning.

AI

• Harvard Medical School has introduced an AI in healthcare course for students in its Health Sciences and Technology track. The course covers AI’s role in medicine, including its use as an educational tool and its impact on clinical practice. The school is also exploring AI-powered tutoring bots and has established grants for AI-related projects in education, research, and administration.
• The FDA has identified ten areas of concern for regulating AI in medical products, including ensuring compatibility with global standards, keeping up with the rapid pace of change, and developing flexible approaches across the spectrum of AI models. The FDA also emphasizes the importance of AI life cycle management, robust supply chains, and maintaining a balance between big tech, start-ups, and academia. Additionally, the FDA highlights the potential uses of AI in drug development and clinical trials, such as drug target identification and participant recruitment.
• The Chief Privacy Officer (CPO) role faces an identity crisis with the rise of AI governance. Despite the challenges, CPOs are well-suited to manage AI governance due to their experience in navigating complex regulations, working cross-functionally, and holding organizations accountable. CPOs are essential for future-proofing operations, ensuring public trust, and maintaining regulatory security in the age of AI.

Blockchain

• The global “Blockchain Technology in Healthcare” market is projected to grow significantly, driven by its potential to enhance security, efficiency, and transparency in healthcare services. Blockchain technology offers secure storage of electronic health records, streamlines data management, and improves drug traceability. Recent developments highlight the ongoing integration of blockchain in healthcare, with companies like IBM and Patientory Inc. making strides in the field.

Data Breaches

• Data breaches are costly, with healthcare and finance industries facing the highest penalties due to stringent regulations. Data masking is a solution that allows businesses to comply with regulations while maintaining data usability. Organizations must implement data masking alongside encryption and PAM to protect sensitive data and avoid regulatory penalties.
• Over 940,000 Medicare beneficiaries’ protected health information was exposed due to a vulnerability in MOVEit software used by WPS. CMS and WPS are investigating the breach, offering credit monitoring and new Medicare cards to affected individuals. Healthcare organizations should review vendor contracts, conduct regular cybersecurity audits, and enhance incident response plans to safeguard against similar incidents.

Data Privacy

• The healthcare sector faces significant data leaks, with over 14,000 unique IP addresses exposing sensitive medical information. Biometrics, particularly facial recognition, is seen as a powerful tool to enhance security and streamline operations in healthcare environments. AllClear ID’s Health Bank One app aggregates health records, uses AI to curate care, and provides personalized insights for patients and healthcare providers.
• Despite political polarization, 19 states have enacted comprehensive privacy legislation with bipartisan support, providing essential safeguards for consumers. These laws empower consumers with rights to control their data, including access, correction, deletion, and opt-out options. States are also addressing sensitive data protection, data minimization, and data protection impact assessments, aligning with FTC recommendations and shaping the future of privacy standards.
• Synthetic data generated by state-of-the-art privacy-preserving methods can be used throughout the medical prognostic modeling pipeline, including exploratory data analysis and model development. These methods can adequately capture the tails of the distribution, including low prevalence conditions and ethnic minority groups. However, some synthetic data generators struggled to match the distributional characteristics of features, with notable inconsistencies amongst categorical variables and mode invention and collapse amongst key continuous variables.

Cybersecurity

• Data security posture management (DSPM) emerged as a critical component for enterprises in the cloud era, providing visibility and control over data security. As threats evolved, comprehensive data security platforms expanded beyond DSPM capabilities to address AI-specific risks and cover various environments. These platforms enhance compliance, support digital transformation, and enable organizations to innovate confidently with their data.
• HHS is working on updating the HIPAA Security Rule to address the increasing cyber threats in the healthcare sector, including ransomware attacks and data breaches. The proposed modifications may include a thorough enterprise-wide HIPAA security risk analysis. The outcome of the upcoming presidential election could impact the implementation of these regulations, with a potential shift in priorities and enforcement approaches.
• The White House is reviewing a proposed rule to update HIPAA cybersecurity protections in response to rising cyberattacks targeting electronic protected healthcare information. The updates aim to improve HIPAA Security Rule compliance and prevent unauthorized access to ePHI. Healthcare organizations must revise and implement changes to their policies and procedures to comply with the reproductive privacy modifications to HIPAA by December 23.
• Healthcare organizations must thoroughly vet AI vendors to ensure data protection and incident response plans. Experts advise reviewing data encryption, access controls, and incident response plans when evaluating AI vendors.
• Collaboration between HHS and NIST is crucial for improving healthcare cybersecurity. Accountability, financial support, and coordination to address the increasing threat of data breaches and ransomware attacks are key. HHS has taken steps to strengthen accountability, provide financial resources, and improve coordination to enhance healthcare cybersecurity.
• A SOC 2+ report expands on the SOC 2 framework by integrating additional compliance requirements, such as HIPAA or ISO, into a single report. This streamlined approach helps organizations meet multiple industry and legal standards, reducing the need for multiple audits. SOC 2+ reports are valuable for organizations in highly regulated industries, as they demonstrate data security and compliance, building trust with clients and stakeholders

Health Data

• Health and fitness apps and digital health platforms collect personal health data, but HIPAA does not apply to most of them. State-specific data privacy laws, such as California’s CMIA and Washington’s MHMDA, regulate the collection and use of consumer health data, including the right to consent, delete, and know how data is shared. Businesses must comply with these laws by requiring consent, implementing privacy policies, and ensuring data security.

Eli Lilly Targets Compounding Kits

Eli Lilly has filed a lawsuit against Pivotal Peptides, a drug vendor in Washington state, accusing them of selling do-it-yourself kits for making knockoff versions of their weight-loss and diabetes drugs, Zepbound and Mounjaro.

Pivotal Peptides allegedly sold these kits without requiring a prescription or medical consultation, labeling the ingredients as “research chemicals” not intended for human use. The company ignored a cease-and-desist letter from Lilly and continued operations under a guise, using coded language to sell their products.

The lawsuit alleges serious safety issues, as these untested and non-pharmaceutical-grade drugs could be ordered by anyone.

Lilly’s legal actions are part of a broader effort to address the sale of illicit tirzepatide versions amid ongoing legal debates over compounded drug formulations.

The FDA had previously declared a shortage of tirzepatide, allowing licensed pharmacies to legally compound the drug, but is now reconsidering this decision following lawsuits from compounding pharmacies. Eli Lilly emphasizes the significant risks posed to patient safety by the sale of these unapproved and potentially harmful drugs.

Anti-Discrimination

• The Department of Health and Human Services’ final rule implementing Section 1557 of the Affordable Care Act prohibits discrimination in healthcare and requires covered entities to appoint coordinators, post nondiscrimination notices, and implement policies and procedures by specific deadlines. Covered entities must also ensure patient care decision support tools are used non-discriminatorily and provide language assistance and auxiliary aids by May 1, 2025.

Blockchain

• The global “Blockchain Technology in Healthcare” market is projected to grow significantly, driven by its potential to enhance security, efficiency, and transparency in healthcare services. Blockchain technology offers secure storage of electronic health records, streamlines data management, and improves drug traceability. Recent developments highlight the ongoing integration of blockchain in healthcare, with companies like IBM and Patientory Inc. making strides in the field.

Data Breaches

• Data breaches are costly, with healthcare and finance industries facing the highest penalties due to stringent regulations. Data masking is a solution that allows businesses to comply with regulations while maintaining data usability. Organizations must implement data masking alongside encryption and PAM to protect sensitive data and avoid regulatory penalties.
• Over 940,000 Medicare beneficiaries’ protected health information was exposed due to a vulnerability in MOVEit software used by WPS. CMS and WPS are investigating the breach, offering credit monitoring and new Medicare cards to affected individuals. Healthcare organizations should review vendor contracts, conduct regular cybersecurity audits, and enhance incident response plans to safeguard against similar incidents.

Health Data

• Health and fitness apps and digital health platforms collect personal health data, but HIPAA does not apply to most of them. State-specific data privacy laws, such as California’s CMIA and Washington’s MHMDA, regulate the collection and use of consumer health data, including the right to consent, delete, and know how data is shared. Businesses must comply with these laws by requiring consent, implementing privacy policies, and ensuring data security.

HIPAA

• HHS is working on updating the HIPAA Security Rule to address the increasing cyber threats in the healthcare sector, including ransomware attacks and data breaches. The proposed modifications may include a thorough enterprise-wide HIPAA security risk analysis. The outcome of the upcoming presidential election could impact the implementation of these regulations, with a potential shift in priorities and enforcement approaches.
• The Office of Civil Rights (OCR) has resumed HIPAA audits after a seven-year hiatus due to a surge in data breaches and cyberattacks. Entities must strengthen their compliance programs, including conducting risk assessments, implementing safeguards, and providing detailed documentation of compliance. Non-compliance can result in financial penalties and corrective actions.
• Texas is challenging to the Biden administration’s new rule strengthening the Health Insurance Portability Act (HIPAA). The rule prohibits healthcare providers, insurers, and states from giving reproductive care information to criminal or civil investigations. Texas is fighting to access out-of-state abortion medical records, which could lead to the criminalization of abortion-seeking residents.
• BAAs are often treated as boilerplate documents, but they require careful review and negotiation to ensure compliance with HIPAA regulations. It is important to update the agreements regularly to reflect current laws. In terms of substance, counsel should ensureg clear reporting obligations, and avoid overly restrictive terms that could hinder a business associate’s operations. Failing to properly execute or update a BAA can result in severe penalties. BAAs are not “one-size-fits-all” and should be tailored to support a robust privacy compliance program.

Reproductive Health

• A Texas doctor is suing the HHS to prevent enforcement of a new HIPAA rule that strengthens reproductive health care privacy. The rule prevents HIPAA-regulated entities from disclosing reproductive health care information to law enforcement, but the doctor argues it restricts her ability to report suspected abuse. The lawsuit follows a similar suit filed by the Texas Attorney General.
• A Texas doctor sued the Biden administration over a new rule strengthening privacy protections for abortion and gender transition treatments. The doctor argues the rule prevents reporting possible abuse and violates state law. The lawsuit was filed in Amarillo, ensuring it will be heard by a conservative judge who previously suspended the approval of the abortion pill mifepristone.
• A Texas doctor is suing the Biden-Harris administration over recent changes to federal health privacy laws that restrict doctors’ ability to report suspected abuse and protect patients from the harms of abortion and gender transition. The new rule redefines “person” and “public health” to exclude unborn children and limits how doctors and law enforcement can protect patients from abuse. Alliance Defending Freedom attorneys argue that the rule exceeds government authority and undermines state laws that protect mothers and children from the harms of abortion and gender transition.

Weight Loss

• Novo Nordisk has requested the FDA to prohibit compounding pharmacies from producing unapproved versions of Ozempic and Wegovy, citing safety concerns. The FDA is reviewing the petition and will respond directly to Novo Nordisk.
• Diabetes patients face insulin shortages due to increased demand for weight loss drugs like Ozempic. The three major insulin manufacturers, Novo Nordisk, Eli Lilly, and Sanofi, are under pressure to prioritize insulin production amidst supply chain disruptions and the lucrative market for weight loss drugs. Despite price cuts, diabetes patients worry about the reliability of insulin supply, which is essential for their survival.

Legislation

• In 2024, states continued to enact sectoral privacy laws, particularly focusing on children’s data and AI regulation. The New York Child Data Protection Act and SAFE for Kids Act aim to protect children’s privacy and safety online, while the Maryland Age-Appropriate Design Code Act seeks to regulate online content for children. Other states, such as Connecticut and Colorado, have also passed amendments to their consumer data privacy laws to enhance protections for children’s data.
• In 2024, seven states passed comprehensive data privacy laws, bringing the total to 19. Maryland, Vermont, and Maine introduced more restrictive data minimization provisions, while Minnesota, New Jersey, and Rhode Island iterated on existing models. Existing laws in California, Colorado, Virginia, and New Hampshire received amendments, primarily focusing on expanding protections for children’s data.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• California’s CCPA amendment protects neural data as sensitive personal information, impacting Illinois businesses that collect or utilize this data. Illinois businesses should review their data privacy practices to ensure compliance with both state and federal laws.

Security Practices

• Healthcare workers resort to insecure password practices due to care delivery demands, leading to data breaches and compromised credentials. These breaches impact patient care, cause significant costs, and highlight the ineffectiveness of complex passwords.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.
• New York has implemented new cybersecurity regulations for general hospitals, requiring annual risk assessments, incident response plans, and multifactor authentication. The regulations aim to enhance cybersecurity standards beyond HIPAA requirements and address the increasing frequency of cyberattacks on hospitals. Hospitals have one year to comply with the new requirements, with funding available to assist with implementation costs.

LLMs

• A recent study by Apple engineers shows the fragility of mathematical reasoning in advanced large language models (LLMs) like those developed by OpenAI and Google. The research shows that LLMs struggle with minor changes to benchmark problems, resulting in performance drops of up to 9.2%. These findings suggest that LLMs rely on probabilistic pattern matching rather than genuine logical reasoning. The researchers concluded that these models’ reasoning processes have critical flaws that cannot be resolved with simple refinements.
• Google DeepMind has developed an AI model to predict key properties of potential drugs. The new Tx-LLM (Therapeutic Large Language Model) model represents a shift toward specialized artificial intelligence tools for specific industries. This targeted approach could prove more valuable than general-purpose AI in addressing complex commercial challenges.

LItigaton

• The Texas Attorney General settled allegations of false and misleading claims about the accuracy of a healthcare AI product. The company agreed to comply with specific requirements for five years, including disclosing metrics and potential harmful uses of its products. As AI use in healthcare grows, legislators and regulators are increasingly interested in AI laws and regulations, and healthcare entities should adopt AI governance programs to ensure compliance.
• Social credit scores, used by the DOJ to prosecute healthcare providers, are data-driven profiles that assess risky behavior and predict future violations. These scores, influenced by biased enforcement patterns, disproportionately target minority physicians and patients, leading to unjust prosecutions and surveillance. The widespread adoption of predictive tools like social credit scores amplifies systemic biases and entrenching the surveillance and punishment of already marginalized populations.

Online Tracking

• In St. Aubin v. Carbon Health Technologies, Inc., the United States District Court for the Northern District of California examined a claim under the California Invasion of Privacy Act (CIPA) regarding alleged interceptions of medical data by third-party tracking technologies. The court focused on the application of CIPA’s second clause, which prohibits unauthorized interception of the “contents or meaning” of communications, finding that URLs containing detailed health information could qualify as protected content. Facebook’s tracking was deemed to meet this requirement due to its real-time data interception capabilities, while Google’s tracking lacked sufficient specificity, leading the court to allow an amendment to the complaint. This case highlights the increasing judicial scrutiny of digital privacy, particularly concerning online tracking and the sharing of sensitive medical information.
• Online tracking technologies, such as cookies, can impact HIPAA compliance by potentially disclosing protected health information. Non-HIPAA-regulated businesses must comply with state laws regarding consumer health data collected through these technologies. To ensure compliance, businesses should review tracking technologies, analyze license terms, and determine applicable state and FTC rules.

Regulation

• The FDA has authorized almost 1000 AI-enabled medical devices and has received hundreds of regulatory submissions for drugs that used AI in their discovery and development. The FDA assets that effective regulation requires coordination across industries, government, and international bodies, with flexible mechanisms to keep pace with AI developments. Transparency from sponsors and proficiency in AI evaluation by regulators are crucial, alongside a life cycle management approach with ongoing postmarket performance monitoring.

Threat Vector

• There is an alarming rise in healthcare data breaches, which have increased by 187% in 2023. The surge in cyberattacks, particularly driven by ransomware and phishing, poses significant challenges to the healthcare industry. To address these challenges, healthcare organizations must prioritize regular training and thorough audits to enhance their security measures.
• Data compromises decreased by 8% in Q3 2024, with 672 incidents reported. However, the number of individuals affected fell by 77% due to a significant decrease in healthcare data breaches. Despite the decrease in data compromises, the total number of victims for the year is still above the 2023 record.
• Privacy-enhancing technologies (PETs) like fully homomorphic encryption (FHE), trusted execution environments (TEEs), and privacy-preserving federated learning (PPFL) can protect sensitive healthcare data while enabling analysis. Regulators should endorse these technologies to simplify compliance and incentivize their adoption. Post-quantum cryptography (PQC) will provide protection against emerging attacks, including those from quantum computing devices.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Opinion

• AI and precision health aim to improve patient outcomes by tailoring treatments to individual characteristics. However, challenges such as data diversity, privacy concerns, and the need for longitudinal data need to be addressed. To ensure the success of precision health, strategies like assembling large cohorts, improving diversity, and protecting data privacy are essential.