Categories
Health Law Highlights

HHS and FBI Release Joint Cybersecurity Advisory Statement for Healthcare Providers

Summary of article from Morgan Lewis, by Amy M. Magnano, Michael J. Madderra, Roshni Edalur:

The Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to alert healthcare providers about phishing attacks and the associated tactics used by threat actors. The advisory emphasizes the importance of updating security measures, including the implementation of multi-factor authentication and enhanced IT Help Desk training to combat social engineering attacks. It also recommends securing remote access tools and testing security programs against outlined threat behaviors. The CSA provides specific indicators of compromise and suggests proactive steps to mitigate risks. Morgan Lewis offers guidance and best practices to help healthcare entities navigate these cybersecurity challenges.

Categories
Health Law Highlights

Court Strikes Down HHS “Guidance” Regarding Online Tracking Technologies and HIPAA: Implications for Healthcare Providers

Summary of article from Health Law Attorney Blog:

In a recent decision, the United States District Court for the Northern District of Texas partially granted summary judgment to the plaintiffs, striking down the HHS rule that expanded the definition of “Individually Identifiable Health Information” (IIHI) to include the combination of an individual’s IP address and their visits to healthcare providers’ websites. The Court ruled that HHS exceeded its statutory authority under HIPAA and imposed new legal obligations without following the required rulemaking procedures. This decision relieves healthcare providers of the significant compliance burdens associated with the now-invalidated rule. Providers should review their use of tracking technologies in light of the ruling and stay informed about any new guidance from HHS. This case underscores the need for clear, consistent regulatory guidance aligned with statutory definitions and procedural norms.

Categories
Health Law Highlights

Is Your Compliance House In Order? Tips for Ensuring Private Equity and Portfolio Company Compliance

Summary of article from Bass, Berry & Sims PLC, by Angela Humphreys, Jennifer Michael:

The recent Request for Information by federal agencies highlights the need for private equity (PE) firms to have robust compliance programs for their healthcare sector investments. Such programs should align with the Office of Inspector General’s General Compliance Program Guidance, and include written policies, procedures, risk analyses, and audits. PE firms need to understand their role and risk profile in the portfolio company’s structure, including their involvement in executive hiring, business program implementation, and potential antitrust issues. Equity incentive awards should comply with both the Stark Law and the federal Anti-Kickback Statute. Lastly, PE firms should ensure attorney-client privilege is maintained in their interactions with both the portfolio company and outside counsel.

Categories
Alert

Feds Launch Website for Reporting of Health Care Anticompetitive Practices

On April 18, 2024, the Federal Trade Commission (FTC), U.S. Department of Justice (DOJ), and U.S. Department of Health and Human Services (HHS) launched a public web portal for reporting anticompetitive practices in the health care sector. The portal, www.healthycompetition.gov, allows anyone to submit complaints about potential anticompetitive conduct in the healthcare industry. The portal provides information about federal laws ensuring healthy competition and examples of conduct that can harm competition in healthcare. The agencies have not limited the sources of reports, implying a wide scope for potential informants, from the general public to industry insiders. The launch of this portal necessitates increased vigilance from healthcare entities, as any information could potentially trigger an investigation by the FTC or DOJ.

Categories
Article

Updated: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

From U.S. Department of Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) updated its guidance for regulated entities on the use of online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with the HIPAA Rules if the information they gather includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as disclosures for marketing purposes without HIPAA-compliant authorizations, are impermissible.

The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.

Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.

Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

Categories
Highlight

Enhanced Nursing Home Ownership Data Required by Biden HHS

From Bloomberg Law, by Tony Pugh:

  • The Biden administration finalized a rule requiring nursing homes to provide more detailed information about their ownership structure, including whether they are owned by private equity firms or real estate investment trusts (REITs).
  • The additional data collected will be made public to allow families to make more informed choices about facilities and allow outside researchers to study the impact of different ownership models on quality of care.
  • Previous research has found that private equity ownership is associated with higher mortality rates for Medicare patients in nursing homes and increased taxpayer costs per resident.
  • The private equity industry argues that its investments help strengthen struggling nursing homes by providing capital.
  • The new rule implements requirements under the Affordable Care Act to increase transparency around nursing home ownership and oversight structures.

Categories
Alert

HHS Renews Public Health Emergency Declaration through January 20, 2021

On Friday, October 2, 2020, the U.S. Department of Health & Human Services (HHS) announced that the Public Health Emergency (PHE) declaration for COVID‑19 will be renewed for another 90 days, beginning on October 23 (the date the PHE was previously scheduled to expire) and extending through January 20, 2021.

Source: Renewal of Determination That A Public Health Emergency Exists