Health Care

Washington greatly expanded the protection for consumers’ identifiable health information by enacting the “My Health My Data Act” (MHMDA), in an effort to close the gap between HIPAA protections and the laws protecting the privacy and security of other consumer health care data. While MHMDA resembles the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA), it broadly applies to health information outside of traditional health care settings. Regulated Entities should consider undertaking additional steps that we outline now to prepare for the March 31, 2024, and June 30, 2024 (small businesses) compliance deadlines.

On May 3, 2023, New York joined Connecticut, Delaware, Massachusetts, Nevada, New Jersey, Oregon, Rhode Island, Washington, and California in enacting legislation that increases oversight over certain health care transactions. Governor Kathy Hochul signed the Fiscal Year 2024 New York State Executive Budget (FY 24 Executive Budget) into law which enacted the final version of Article 45-A of the New York Public Health Law (PHL) titled “Disclosure of Material Transactions.” The law takes effect on August 1, 2023.

As we previously covered, in March 2023, the Drug Enforcement Agency (DEA) announced a proposed rule on prescribing controlled substances via telehealth, aimed at addressing the “telehealth cliff” that was expected to occur once the COVID-19 Public Health Emergency (PHE) ends on May 11, 2023. The proposed rule provided some flexibility, but required a much more restrictive framework for prescribing controlled substances via telehealth compared to the flexibilities available during the PHE. During the 30-day comment period following the announcement of the proposed rule, the DEA received over 38,000 comments, which the agency says it is closely reviewing. Many commentators across the health care industry criticized the proposed rule because the in-person examination requirement would limit access to care. The DEA, working with the Department of Health and Human Services, is also considering revisions to the proposed rule. 

Governor Gavin Newsom signed multiple pieces of mental health treatment-related legislation into law in 2022 that have or will begin to go into effect this year. These laws address mental health commitment timing and hearing rights, involuntary mental health treatment, the CARE program, and substance use disorder treatment client rights. This is a good time for relevant facilities and groups to audit the effectiveness of updated policies and evaluate and address any operational issues that may have cropped up during implementation.

The Department of Health and Human Services’ Office of Inspector General (OIG) announced on April 24, 2023 that it will soon issue long overdue updates to its compliance program guidance documents (CPGs).  First introduced in 1998, the CPGs are a series of voluntary guidance documents, each tailored to a specific segment of the health care industry. While the CPGs include important insights on specific risk areas and how to apply the seven elements of an effective compliance program to particular types of health care entities, they are ripe for modernizing. OIG will publish a General CPG (GCPG) applicable to all individuals and entities involved in the health care industry by the end of 2023, followed by industry-specific CPGs (ICPGs) in 2024. Of note, the OIG announced that its first two ICPGs will address Medicare Advantage and Skilled Nursing Facilities (SNFs), perhaps signaling the OIG’s priorities. The OIG’s updates to the CPGs are part of the OIG’s Modernization Initiative first announced in September 2022.

On April 25, 2023, the Senate Health, Education, Labor, and Pensions Committee Chairman Bernie Sanders and Ranking Member Bill Cassidy introduced a package of legislation aimed at lowering prescription drug prices. The package includes four bills, each proposing changes that would address a different piece of the pharmaceutical supply chain. This post focuses on the Pharmacy Benefit Manager Reform Act (PBM Reform Act), which proposes to increase oversight of entities providing pharmacy benefit manager (PBM) services to group health plans and health insurance issuers (i.e., employer-based health insurance coverage).

In April, 2020, in an effort to facilitate a national pivot to telehealth in light of the COVID-19 Public Health Emergency (PHE), the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a policy of Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement discretion for regulated health care providers (Covered Entities) implementing communications technologies that weren’t fully compliant with HIPAA or using those technologies in a manner that didn’t comply with HIPAA. Examples of flexibilities included allowing technology providers access to protected health information (PHI) without a HIPAA Business Associate Agreement (BAA). OCR’s enforcement discretion enabled Covered Entities to minimize the need for in-person visits for all kinds of health care services, not just COVID-19 related care. OCR also implemented flexibilities to promote public health during the COVID-19 pandemic; for example, it allowed for Business Associates to share COVID-19 data with government agencies for such purposes without specific authority to do so under BAAs.  

Since the late December 2022 seismic shift in the legal landscape for cosmetic companies – when Congress passed and President Biden signed the Modernization of Cosmetics Regulation Act, or MOCRA, into law (see our prior post here) – the Food and Drug Administration (FDA) has been relatively subdued in providing guidance to the affected industries regarding questions around “what happens next.” The most significant public announcements made by FDA since the law was passed are arguably that: (1) the voluntary cosmetic establishment registration program would be shuttered in favor of the yet-to-be-explained mandatory registration and listing system for cosmetic facilities; and (2) cosmetic manufacturers that want to report adverse events to the agency now should do so via the existing MedWatch program, which is currently used for drugs, biologics, and medical devices.

With less than two weeks left until the end of the federal COVID-19 Public Health Emergency (PHE), which is set to expire on May 11, 2023, the Department of Health and Human Services (HHS) is preparing to transition certain COVID-19 flexibilities. On February 9, 2023, HHS released a COVID-19 PHE Transition Roadmap, which provides guidance on what to expect beyond the emergency phase of the COVID-19 pandemic. While many of the relaxed rules and regulations that helped facilitate an efficient and timely response during the PHE have been permanently signed into law, others, some of which are discussed below, will soon expire.

On March 22, 2023, the Centers for Medicare & Medicaid Services (CMS) issued updated guidance for home dialysis services performed in a skilled nursing facility or nursing home (the Updated Guidance). CMS first issued guidance addressing home dialysis services provided to nursing home residents on April 17, 2018 (the Original Guidance). The Updated Guidance incorporates responses to comments, questions, and feedback received during the ensuing five years from state survey agencies, dialysis providers, and other stakeholders, and current models of home dialysis care of a nursing home resident.

In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after Dobbs v. Jackson Women’s Health Organization decision, and the prospect of such PHI being weaponized by states and used against patients, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has proposed amendments to the HIPAA Privacy Rule to protect that information.

The Centers for Medicare & Medicaid Services (CMS) recently published the Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule (Prior Authorization Proposed Rule), and, if certain components are finalized, impacted payors will be required to be in compliance by January 1, 2026. The Prior Authorization Proposed Rule is meant to build upon the CMS Interoperability and Patient Access Final Rule (Patient Access Final Rule) and includes five proposals aimed at, according to CMS, increasing efficiency, reducing overall payor and provider burden, and improving patient access to electronic health information (EHI). Impacted health care payors include Medicare Advantage (MA) Organizations, Medicaid Managed Care Plans and Children’s Health Insurance Program (CHIP) Managed Care Entities, State Medicaid and CHIP Fee-for-Service (FFS) Programs, and Qualified Health Plan (QHP) Issuers on the Federally Facilitated Exchanges (FFEs). Among the more significant changes in the rule was the inclusion of MA Organizations as impacted payors.

The Office of Inspector General for the Department of Health and Human Services (OIG) recently issued yet another favorable Advisory Opinion on the use of gift cards to motivate patients to receive medically necessary or preventive care services. The proposed arrangement involves an in-home colorectal cancer screening company’s proposal to provide gift cards of up to $75 to encourage patients to return their samples for their colorectal cancer screening. Though the OIG noted that the gift cards implicate the federal Anti-Kickback Statute (AKS) and the Beneficiary Inducements CMP because they would influence patients to receive reimbursable services from the requestor, the OIG concluded that the arrangement presented a minimal level of risk.  

One of the new Food and Drug Omnibus Reform Act requirements is that developers of “cyber devices” design and implement plans to “monitor, identify and address” cybersecurity vulnerabilities of marketed devices and to submit those plans to FDA as part of every new product application for a cyber device. The amended law defines a “cyber device” as one that includes software, connects to the internet, and contains any technological features that could be vulnerable to cybersecurity threats.

On March 15, 2023, Massachusetts Governor Maura Healey and Lieutenant Governor Kim Driscoll announced that the state’s COVID-19 public health emergency would end on May 11, 2023, in conjunction with the federal government’s end date for the public health emergency. This announcement by the Healey-Driscoll administration puts state organizations on notice, as required by law, at least 45 days ahead of the changes. As part of this announcement, Governor Healey also announced that she will be (i) rescinding Executive Order 595 which required state employees to be vaccinated against COVID-19, and (ii) proposing new legislation that allows for further flexibility in health care settings.

The information age in which we live is reaching a new milestone with the development and ready access to conversational artificial intelligence based on advanced transformer algorithms, or AI chatbots, including their upcoming integration into multiple Internet search engines. This development creates exciting opportunities and potentially terrifying risks in the health care space. Inevitably, people will ask AI chatbot-enabled search engines for information on diseases, conditions, medicines, or medical devices and use the response in some way to make certain medical decisions. But what happens when the AI chatbot’s response is inaccurate or even provides advice that may lead to harm if the user follows it? Can AI chatbots be regulated by the U.S. Food and Drug Administration (FDA)? What are the liability implications if a user is harmed? We provide some initial thoughts on such legal issues in this post.

The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and the sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line, HIPAA applicability may no longer be as significant of a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI).