Wade’s Health Law Highlights for November 5, 2024

Access & Privacy

A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

Cryotherapy, an extreme cooling treatment, has gained popularity, leading to its incorporation into various wellness businesses. However, owners must comply with FDA regulations, which prohibit claims of treating diseases without scientific evidence. Additionally, Texas medical board rules may apply if cryotherapy services are marketed as providing health benefits.

The Supreme Court’s recent denials of two certiorari petitions on the federal Anti-Kickback Statute’s willfulness standard may have profound implications for health care companies defending against AKS claims. The petitions sought to clarify whether the AKS requires defendants to know that their conduct violates the law to be found liable. The court’s decision leaves the issue unresolved, potentially leading to further appellate decisions and providing clarity on the AKS willfulness standard.

Texas Attorney General Ken Paxton is suing Dr. Hector Granados for providing gender-affirming medical care to minors, violating state law. The lawsuit alleges Granados prescribed puberty blockers and hormone therapy to over 20 minors, claiming the treatments were necessary for precocious puberty. Granados helped open El Paso’s first clinic treating transgender children and teens in 2015.

Business associate agreements (BAAs) are not typically required when third parties receive protected health information (PHI) for research purposes. However, third parties may qualify as business associates if they create de-identified data sets or limited data sets on behalf of a covered entity. CEs should only require BAAs when third parties perform covered functions or services listed in the HIPAA Privacy Rule.
The 2024 Final Privacy Rule allows covered entities to disclose protected health information (PHI) related to reproductive healthcare only to the individual or their personal representative. Covered entities may refuse to disclose PHI in permissive circumstances, such as law enforcement or judicial processes, even with an attestation form. The rule aims to protect patient privacy and strengthen access to reproductive healthcare services.
OCR Director Melanie Fontes Rainer highlighted key priorities at the HHS-NIST conference, including an update to the HIPAA Security Rule with new cybersecurity requirements and an enforcement initiative for risk analysis compliance. OCR also emphasized the importance of engaging with the healthcare sector on cybersecurity matters and has increased outreach through webinars, videos, and newsletters.

A plastic surgeon paid a $53,000 ransom to regain access to data after a ransomware attack, but faced a $500,000 HIPAA fine. The surgeon claims the government was more punitive than the hackers. A government ambulance provider also faced a $90,000 fine for failing to conduct a HIPAA security risk analysis, highlighting the importance of this requirement for compliance.

The Medicare Physician Fee Schedule final rule strengthens primary care, expands access to preventive services, and promotes whole-person care. It includes new coding and payment policies for advanced primary care management services, cardiovascular risk assessment, and behavioral health services. The rule also expands coverage for hepatitis B vaccinations, colorectal cancer screening, and PrEP to prevent HIV.

State laws on clinical record ownership vary, and healthcare providers must understand these differences when practicing telehealth across state lines. HIPAA’s right-of-access rule adds complexity, specifying how and when records must be shared. Providers must comply with both state and federal regulations, with state laws taking precedence when they provide greater rights to patients.
The DEA is expected to extend telehealth flexibilities for prescribing controlled substances for the third time. The Texas Medical Board proposed requiring physicians to hold a full Texas medical license to provide telehealth and added a rule concerning prescribing for chronic pain.