Wade’s Health Law Highlights for January 14, 2025

Advanced Practice Providers

• Advanced Practice Providers (APPs), including nurse practitioners, physician assistants, and other specialists, are filling healthcare gaps caused by physician shortages and increased demand for services. Chief APPs (CAAPs) have emerged as leaders who manage APP integration within healthcare organizations. APPs can diagnose conditions, prescribe medications, conduct exams, and interpret tests, while spending more time with patients than traditional providers. The expansion of APP roles offers a solution to healthcare access issues, particularly in underserved areas, and their scope of practice continues to grow alongside the importance of CAAPs in healthcare systems.

Patient Confidentiality

• The US Court of Appeals has struck down net neutrality regulations, allowing Internet Service Providers (ISPs) to monitor, prioritize, and control Internet traffic. The ruling impacts healthcare privacy as ISPs can now track and sell patient data from telehealth sessions, mental health searches, and digital health app usage to third parties. Healthcare providers must implement stronger privacy measures, including encrypted platforms, VPNs, and HIPAA-compliant systems to protect patient information. FCC Chair Jessica Rosenworcel has called for congressional action, while healthcare professionals are urged to advocate for patient privacy through policy engagement and partnerships with privacy organizations. The decision particularly affects rural patients who rely on telehealth services and raises concerns about potential discrimination based on health-related Internet activity.
• The U.S. Department of Health and Human Services has proposed new HIPAA Security Rules, marking the first update since 2013, with publication scheduled for January 6, 2025. The proposed changes include mandatory encryption of PHI at rest and in transit, implementation of multi-factor authentication, and requirements for covered entities to review and update security policies regularly. Business associates must provide written verification of technical safeguards annually and notify covered entities within 24 hours of access changes or contingency plan activations. The rules establish specific timeframes for security compliance, including 15-day patches for critical risks and 72-hour system restoration requirements, while requiring organizations to maintain technology asset inventories and network maps with annual updates.
• Healthcare data breaches affected 184,111,469 records in 2024, representing 53% of the U.S. population, with 703 large breaches reported to OCR. The largest breach occurred at Change Healthcare, affecting 100 million individuals through a ransomware attack that caused widespread disruption to healthcare services and medication access across the U.S. healthcare system. The year saw 13 breaches involving more than 1 million healthcare records each, with 11 caused by hacking incidents and 8 involving business associates of HIPAA-covered entities. In response to these breaches, the HHS Office for Civil Rights published cybersecurity performance goals and proposed updates to the HIPAA Security Rule to mandate stronger security measures, including multifactor authentication and encryption requirements. The fate of these proposed security updates now rests with the incoming Trump administration.

Fraud & Abuse

• ASD Specialty Healthcare has agreed to pay $1.67 million to settle anti-kickback claims for providing free inventory management systems to retina practices that agreed to purchase drugs from them. The company, operating as Besse Medical and a subsidiary of Cencora, acquired the PODIS system in 2017 and offered it at no cost to physicians who signed agreements to purchase drugs, including AMD treatments, while denying access to non-customers. Two whistleblowers from Regeneron Pharmaceuticals brought forth the claims and will receive $250,705 from the settlement. Medicare spent $386 million on branded AMD drugs in 2022, with $334.4 million specifically on aflibercept. The Department of Justice has also filed a separate False Claims Act complaint against Regeneron for allegedly inflating Medicare reimbursement rates for Eylea.
• A federal grand jury in Virginia indicted Chesapeake Regional Medical Center on January 8, 2025, for healthcare fraud and conspiracy to defraud the United States. The charges stem from the hospital’s alleged involvement with a physicia who was previously sentenced to 59 years in prison for performing unnecessary surgeries and falsifying medical records, resulting in $20.8 million in fraudulent billings. The indictment claims hospital staff received two sets of documents for early deliveries – one with real dates and another with falsified dates – yet continued to allow procedures and bill Medicaid. The hospital faces decisions about pleading guilty or going to trial, with potential consequences including fines, monitoring requirements, and property forfeiture. This case establishes precedent for hospitals’ responsibility to prevent fraud and highlights how employee knowledge of illegal activities can result in criminal charges for the institution.
• The Second Circuit Court of Appeals has expanded the Anti-Kickback Statute by adopting the “at-least-one-purpose rule”, which states that a violation occurs when inducing healthcare purchases is just one purpose of a payment, rather than requiring it to be the sole purpose. The ruling emerged from a qui tam lawsuit against Novartis Pharmaceuticals, where the relator alleged the company used speaker programs to provide kickbacks to doctors who prescribed their multiple sclerosis drug Gilenya. The Second Circuit revived parts of the lawsuit on December 27, 2024, focusing on allegations of sham speaking events, excessive payments for canceled engagements, and the selection of high-prescribing physicians as speakers. The Court determined that no quid pro quo proof is required for AKS violations, joining seven other circuit courts in this interpretation. The decision creates heightened enforcement risks for healthcare companies and requires them to review their physician payment practices.

Litigation

• Aetna sues drugmakers over alleged price-fixing scheme in a lawsuit filed in Hartford, Connecticut against nearly two dozen pharmaceutical companies, including Pfizer and Teva Pharmaceuticals, for allegedly conspiring to fix generic drug prices. The lawsuit claims the companies communicated through private meetings and trade conferences to establish a “fair share” scheme, resulting in price increases of up to 1000% for certain medications. The case follows similar legal actions by state attorneys general and other insurers, with Heritage Pharmaceuticals and Apotex already settling for $49 million in fall 2024.

No Surprises Act

• The Fifth Circuit Court of Appeals has upheld key provisions of the No Surprises Act’s Qualified Payment Amount (QPA) calculations in Texas Medical Association v. U.S. Department of Health and Human Services. The court ruled that contracted rates can be included in QPA calculations regardless of claim frequency, while excluding case-specific agreements and bonus payments from these calculations. The ruling maintains the Act’s 30-day payment deadline requirement and upholds disclosure provisions about QPA calculations. The decision impacts healthcare providers by allowing “ghost rates” in QPA calculations and excluding incentive payments, which may result in lower reimbursement rates for out-of-network services. The QPA serves as the basis for determining patient cost-sharing responsibilities and plays a key role in payment dispute resolution between providers and insurers.