In a prior blog post, we noted the trend of states enacting legislation implementing reporting requirements for certain healthcare transactions. On March 13, 2024, Indiana joined this trend as Indiana Governor Eric Holcomb enacted Senate Enrolled Act No. 9 (the Act). The Act mandates that, effective July 1, 2024, Indiana health care entities involved in a merger or acquisition with another health care entity with total assets of at least ten million dollars ($10,000,000) must notify the Office of the Indiana Attorney General of the transaction at least ninety (90) days prior to closing. Indiana joins several other states with previously passed notice laws, including California, Colorado, Connecticut, Hawaii, Illinois, Massachusetts, Minnesota, Nevada, New York, Oregon, Rhode Island, and Washington.

However, the Act’s scope is broader than similar legislation recently enacted in other states. For example, the ten-million-dollar ($10,000,000) threshold is lower than the threshold included in legislation from other states, and the definition of “health care entity” applies to a wide array of entities. The definition of “health care entity” within the Act includes “any organization or business that provides diagnostic, medical, surgical, dental treatment, or rehabilitative care” and also includes various types of insurers. The term “health care entity” additionally encompasses private equity partnerships seeking to enter into a merger or acquisition with an Indiana health care entity regardless of where the private equity partnership is located.

The notice required by the Act must include the following information from each health care entity: business address and federal tax number, name and contact information of a representative of the health care entity concerning the merger or acquisition, description of the health care entity, description of the merger or acquisition, including the anticipated timeline, and a copy of any materials that have been submitted to a federal or state agency concerning the merger or acquisition. The notice submitted must be certified before a notary public.

Not later than forty-five (45) days from the submission of notice, the Office of the Indiana Attorney General is required to review the information submitted with the notice and may analyze any antitrust concerns in writing. The Office of the Indiana Attorney General is granted the authority to issue a civil investigative demand for additional information as needed and is required to keep confidential all nonpublic information that is submitted.

The Act also contains strict penalties for noncompliance. If a health care entity fails to comply with a written demand, the Act grants the Office of the Indiana Attorney General authority to file an order to enforce the demand. If an entity fails to comply with a final order or an order imposing sanctions, the court may hold the person in contempt. Additionally, if a court finds that a party has acted in bad faith in resisting the demand, it may order that person to pay the other parties’ reasonable expenses including attorney’s fees.

In the face of this growing trend of increased oversight of healthcare transactions, it is essential for healthcare entities to continue to closely monitor these developments in various states and ensure subsequent compliance. We will continue to monitor developments across the country regarding additional states adopting such laws as well as changes to those laws already adopted.

The Health Sector Cybersecurity Coordination Center (HC3) recently issued an Alert warning that “threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations” have been on the rise.

The social engineering scheme starts with a telephone call to the IT help desk from “an area code local to the target organization, claiming to be an employee in a financial role (specifically in revenue cycle or administrator roles). The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches. The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.”

After gaining access, the threat actor targets login information related to payer websites and submits a form to make ACH changes for payer accounts. “Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

HC3 provides numerous mitigations to assist with the prevention of these vishing schemes, which are outlined in the Alert.
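
One defensive check for the lookalike domain described in the Alert, as an added example that is not part of the original post or the HC3 Alert: it flags sender domains that differ from the organization's domain by a single character and notes when an executive's display name appears on a non-internal address. The domain `examplehealth.org`, the executive name, and the sample headers are constructed placeholders.

```python
"""Flag mail senders whose domain is a one-character variation of the org domain."""
from email.utils import parseaddr

# Assumptions (constructed placeholders, not values from the Alert):
ORG_DOMAIN = "examplehealth.org"
EXECUTIVE_NAMES = {"pat rivera"}  # display names of executives such as the CFO


def within_one_edit(a: str, b: str) -> bool:
    """True if a != b and one substitution, insertion or deletion turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # single substituted character at i
    return a[i:] == b[i + 1:]  # single extra character in b at i


def classify_sender(from_header: str) -> dict:
    """Classify a From: header as internal, lookalike or external."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == ORG_DOMAIN:
        verdict = "internal"
    elif within_one_edit(domain, ORG_DOMAIN):
        verdict = "lookalike"
    else:
        verdict = "external"
    # An executive's name on an address outside the org domain deserves review.
    normalized = " ".join(display.lower().split())
    exec_on_external = verdict != "internal" and normalized in EXECUTIVE_NAMES
    return {
        "domain": domain,
        "verdict": verdict,
        "executive_name_on_external": exec_on_external,
    }


def review_queue(from_headers: list[str]) -> list[dict]:
    """Return only the senders that need analyst review."""
    results = [classify_sender(h) for h in from_headers]
    return [
        r for r in results
        if r["verdict"] == "lookalike" or r["executive_name_on_external"]
    ]


# Constructed sample headers for illustration.
SAMPLE_HEADERS = [
    "Pat Rivera <pat.rivera@examplehealth.org>",    # genuine internal sender
    "Pat Rivera <pat.rivera@examplehea1th.org>",    # one substituted character
    "Accounts Payable <ap@examplehealths.org>",     # one inserted character
    "Pat Rivera <pat.rivera@mailhost.example>",     # executive name, other domain
    "Claims Desk <claims@payer.example>",           # ordinary external sender
]

if __name__ == "__main__":
    for item in review_queue(SAMPLE_HEADERS):
        print(item)
```

The same comparison can be run against newly registered domain feeds or payment-change request emails before an ACH update is approved.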


This post was co-authored by Josh Yoo, legal intern at Robinson+Cole. Josh is not admitted to practice law.

Health care entities maintain compliance programs in order to comply with the myriad, changing laws and regulations that apply to the health care industry. Although laws and regulations specific to the use of artificial intelligence (AI) are limited at this time and in the early stages of development, current law and pending legislation offer a forecast of standards that may become applicable to AI. Health care entities may want to begin to monitor the evolving guidance applicable to AI and start to integrate AI standards into their compliance programs in order to manage and minimize this emerging area of legal risk.

Executive Branch: Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

Following Executive Order 13960 and the Blueprint for an AI Bill of Rights, Executive Order No. 14110 (EO) amplifies the current key principles and directives that will guide federal agency oversight of AI. While still largely aspirational, these principles have already begun to reshape regulatory obligations for health care entities. For example, the Department of Health and Human Services (HHS) has established an AI Task Force to regulate AI in accordance with the EO’s principles by 2025. Health care entities would be well-served to monitor federal priorities and begin to formally integrate AI standards into their corporate compliance plans.

  • Transparency: The principle of transparency refers to an AI user’s ability to understand the technology’s uses, processes, and risks. Health care entities will likely be expected to understand how their AI tools collect, process, and predict data. The EO envisions labelling requirements that will flag AI-generated content for consumers as well.
  • Governance: Governance applies to an organization’s control over deployed AI tools. Internal mechanical controls, such as evaluations, policies, and institutions, may ensure continuous control throughout the AI’s life cycle. The EO also emphasizes the importance of human oversight. Responsibility for AI implementation, review, and maintenance can be clearly identified and assigned to appropriate employees and specialists.
  • Non-Discrimination: AI must also abide by standards that protect against unlawful discrimination. For example, the HHS AI Task Force will be responsible for ensuring that health care entities continuously monitor and mitigate algorithmic processes that could contribute to discriminatory outcomes. It will be important to permit internal and external stakeholders to have access to equitable participation in the development and use of AI.

Below is an excerpt of an article published in the American Bar Association Health Law Section’s March 2024 Health eSource issue.

In recent years, there has been a significant increase in the use of digital technologies and innovative solutions in healthcare, including the increased use of remote patient monitoring (RPM) services. Telehealth and other digital therapies proliferated during the COVID-19 pandemic, particularly as entities took advantage of the relaxation of telehealth rules and the need to provide patient care remotely. Rules have adapted and changed over the years to accommodate the growing field. In addition, the increased utilization of telehealth and digital technologies to treat patients has been followed by a robust government response.

This article discusses RPM topics and key takeaways RPM providers must know about the 2024 Physician Fee Schedule Final Rule, including various billing requirements, recent RPM Department of Justice (DOJ) enforcement actions, related Department of Health and Human Services (HHS) Office of Inspector General (OIG) consumer alerts, and guidance regarding how providers can avoid compliance issues when providing RPM services. In this time of continuous technological development, it is especially important for providers to stay up to date on the various legal requirements and guidance in this area in order to ensure adherence to the latest compliance standards.

Below is an excerpt of an article published in American Health Law Association’s Regulation, Accreditation, and Payment Practice Group on March 21, 2024.

The 340B program, as established under Section 340B to the Public Health Service Act (PHSA), Pub. L. No. 78-410, 58 Stat. 682 (1944) (“340B Statute”),[1] has experienced significant legal challenges over the last few years propelled by certain Medicare underpayments and drug manufacturer litigation. The following is a brief summary of the current status of these developments.

  1. 340B Payment Remediation

On November 2, 2023, the Department of Health and Human Services (HHS) issued a Final Rule to remediate certain underpayments to 340B hospitals for 340B drugs from CY2018 through September 27, 2022.[2] This Final Rule was issued following SCOTUS’ unanimous ruling that HHS’ reduced payment rate to certain 340B covered entity hospitals during this period constituted an unlawful payment cut.[3] On remand to the district court, the U.S. District Court for the District of Columbia vacated the differential payments to 340B covered entity hospitals prospectively as of the date of the ruling on September 28, 2022, and remanded to HHS to remediate the underpayments.[4] Following the Court’s decision, HHS found itself in the unfavorable position of trying to retrospectively untangle payments which were and continue to be subject to budget neutrality requirements.[5]

In the Final Rule, HHS determines the most administratively feasible solution is to provide a one-time lump sum payment to each affected 340B covered entity hospital based on the difference in amount they would have received, rather than to reprocess all claims for 340B drugs during this period.[6] The Final Rule sets forth the payment amount to each of the approximately 1,700 affected 340B covered entity hospitals.[7] In the Final Rule, HHS makes the remedy payments pursuant to its equitable adjustment authority, which would “not be 340B drug payments subject to beneficiary copayments” and “do not authorize providers to seek additional beneficiary copayments.”[8]

Further, owing to statutory budget neutrality requirements, HHS will implement a prospective offset to the higher payments for non-340B drugs and services that were paid under the same outpatient prospective payment system (“OPPS”) during the applicable time period (CY2018 through September 27, 2022).[9] Under the Final Rule, in order to make up the $7.8 billion overpayment for non-340B drugs and services, while minimizing the financial burden on impacted hospitals, HHS will reduce future payments of non-340B drugs and services by an annual .5% conversion factor, to be paid out over an estimated 16 years.[10] This payment reduction will begin in CY2026 to avoid overburdening hospitals that may still be dealing with the lingering effects of COVID-19 workforce and supply shortages, and resulting inflation.[11] This adjustment will not apply to hospitals enrolled in Medicare on or after January 1, 2018, which would not have fully benefited from the increased payments for non-340B drugs and services during the full affected time period.[12]


[1] Public Health Service Act, § 340B (PHSA) (codified at 42 U.S.C. § 256b).

[2] See Dept. Health & Human Servs., Final Rule, Medicare Program; Hospital Outpatient Prospective Payment System: Remedy for the 340B-Acquired Drug Payment Policy for Calendar Years 2018–2022, 88 Fed. Reg. 77150, 77186 (Nov. 8, 2023); CMS.gov, Fact Sheet, CY 2024 Medicare Hospital Outpatient Prospective Payment System and Ambulatory Surgical Center Payment System Final Rule (CMS 1786-FC) (Nov. 2, 2023), https://www.cms.gov/newsroom/fact-sheets/cy-2024-medicare-hospital-outpatient-prospective-payment-system-and-ambulatory-surgical-center-0.

[3] See Am. Hosp. Ass’n v. Becerra, 142 S. Ct. 1896 (2022).

[4] See Am. Hosp. Ass’n v. Becerra, No. 18-cv-2084, 2022 WL 4534617 (D.D.C. Sept. 28, 2022) (ruling on plaintiff’s first motion to vacate the 340B payment rate for the remainder of 2022); Am. Hosp. Ass’n v. Becerra, No. 1:18-cv-02084-RC (D.D.C. Jan. 10, 2023) (ruling on plaintiff’s second motion to remand to HHS to establish remedial payments for CY2018 through CY2022).

[5] Id.; 88 Fed. Reg. 77150, 77151-52 (Nov. 8, 2023).

[6] 88 Fed. Reg. 77150, 77154-56 (Nov. 8, 2023) (“We acknowledged that reprocessing every single claim might be a potential approach to remedy this situation if it were administratively achievable.”).

[7] Id. at 77164 (setting forth individual payments to hospitals in Addendum AAA to the Final Rule).

[8] Id. at 77164-65.

[9] Id. at 77170, 77181.

[10] Id.

[11] Id. at 77172, 77180.

[12] Id. at 77182-83.

Below is an excerpt of an article co-authored by Government Enforcement and White-Collar Defense Team co-chair Seth Orkand, published in G2 Intelligence on March 25, 2024.

Recent enforcement actions have made clear that fraud, waste, and abuse is a continual concern of regulating agencies for the healthcare space, including for clinical laboratories. Reports by the U.S. Department of Health and Human Services (HHS), the Office of Inspector General (OIG) and the U.S. Department of Justice (DOJ) in late 2023 highlighted their continued focus on clinical laboratories.

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) updated its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Guidance). OCR’s Guidance was first published on December 1, 2022, and is the subject of a lawsuit brought by the American Hospital Association challenging OCR’s authority to issue it.

The Guidance is aimed at third-party online tracking technologies such as cookies, pixels, web beacons and software development kits, which are deployed on the websites of HIPAA-covered entities and business associates (collectively, regulated entities) and which collect information from visitors to those websites related to how the visitors interact with the website. Information collected can include visitors’ IP addresses and other potentially identifiable information. Under the original Guidance, OCR outlined circumstances in which a regulated entity’s use of third-party tracking technologies can result in an impermissible disclosure of protected health information (PHI) to that third-party technology vendor under HIPAA, particularly because many such third parties are unwilling to enter into business associate agreements with regulated entities. In response to the original Guidance, many regulated entities, including hospitals and health systems, significantly modified their use of third-party tracking technologies but also continued to have concerns about the scope of the Guidance and its impact on their businesses (due to the ubiquity of tracking technologies across the internet and web-based applications).

While OCR retained much of the original Guidance, the agency made several meaningful revisions, including the following:

  • OCR specifically mentions beneficial uses of tracking technologies, including the use of these technologies to analyze the number of IP addresses that access portions of a regulated entity’s website. Notably, OCR does not expressly state that the use of tracking technologies in this manner is acceptable under HIPAA.
  • The Guidance allows for the possibility that IP addresses are not always PHI (or Individually Identifiable Health Information (IIHI)) under HIPAA. Specifically, the Guidance states that:

But the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care. (Emphasis added).

  • OCR provides several examples in the Guidance of circumstances in which information collected by tracking technologies may or may not be PHI: 
    • Transmission to a tracking technology vendor of a user’s IP address or other identifying information related to the user’s visit to a regulated entity’s job postings or visiting hours webpages would not involve a PHI disclosure, even if there is a reasonable basis to believe the information could identify the user, because such information does not relate to an individual’s health care.
    • If a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because such information is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present and/or future health.
  • OCR clarifies that a third-party tracking technology’s collection of identifying information, such as an email address, on appointment scheduling pages and symptom-checker tools may constitute an impermissible disclosure of PHI by the regulated entity even if such features are available on unauthenticated webpages (i.e., pages that do not require a user to log in).
  • Notably, in the prior Guidance, OCR stated that tracking technologies “generally” do not have access to PHI on unauthenticated webpages and further stated that such unauthenticated webpages include pages describing services provided by regulated entities. Under this new Guidance, OCR has backtracked and removed such service description webpages from its examples of unauthenticated pages. This change, combined with the oncology webpage example described above, suggests that OCR will look to the intent of a website visitor in determining whether identifiable information is PHI. It is unclear how this will be enforced.   
  • In a new section of the Guidance, OCR outlines its enforcement priorities with respect to tracking technologies. OCR states that its primary interest is in ensuring that tracking technologies are addressed in regulated entities’ HIPAA risk assessments and that the risks associated with such technologies have been identified, assessed, and mitigated. OCR is also interested in confirming that regulated entities have appropriately implemented HIPAA security rule requirements related to the confidentiality, integrity, and availability of electronic PHI. Lastly, OCR provides a reminder that all of its investigations are fact-specific, and that OCR will consider all available evidence when assessing a regulated entity’s compliance with HIPAA.

Although the updated Guidance provides additional information for regulated entities to consider in their use of tracking technologies, many questions remain unanswered and confusion on this Guidance is likely to persist. Regardless, regulated entities would be well-served to review their use of third-party tracking technologies on their websites and mobile apps to ensure compliance with their obligations under HIPAA.   

Below is an excerpt of a Robinson+Cole legal update co-authored by Government Enforcement and White-Collar Defense Team co-chair Seth Orkand and member David Carney.

On March 7, 2024, Deputy Attorney General (DAG) Lisa Monaco announced the contours of a new Department of Justice (DOJ) pilot program (Pilot) offering financial incentives to individual whistleblowers who report certain criminal conduct to the DOJ. This significant announcement came in a speech that emphasized individual accountability for corporate conduct, more significant sanctions for recidivist corporations, expansion of credit for voluntary self-disclosures (VSDs), and a focus on prosecution of misconduct aided by artificial intelligence. (Acting Assistant Attorney General (AAG) Nicole M. Argentieri expanded on DAG Monaco’s comments on March 8, 2024.) As with corporate VSDs, after satisfying other prerequisites, the Pilot—designed to formalize the DOJ’s previously ad hoc approach with something more akin to the whistleblower compensation programs arising from the Dodd-Frank Act—rewards only the first reporter of misconduct, further setting the table for a race to the DOJ. As DAG Monaco said, “When everyone needs to be first in the door, no one wants to be second.”

The Pilot springs from the impact of extant programs, such as the hundreds of millions of dollars in rewards associated with billions of dollars in disgorgement under a similar Securities and Exchange Commission (SEC) program. DAG Monaco highlighted the Dodd-Frank whistleblower programs at the SEC and the Commodity Futures Trading Commission, similar programs at the Internal Revenue Service and the Financial Crimes Enforcement Network, and qui tam actions. However, she noted that each of these has limitations, resulting in “a patchwork quilt that doesn’t cover the whole bed.” The DOJ will cover the rest of the bed with a program that “address[es] the full range of corporate and financial misconduct that the Department prosecutes.”

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a quality standard memorandum (QSO Memo) updating and revising a memorandum it issued on January 5, 2018, to now permit the texting of patient orders among members of the patient’s health care team. CMS’s 2018 memorandum clarified CMS’s then-current position that texting of patient orders did not comply with the hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) regarding medical records. Among other things, the applicable CoPs require hospitals and CAHs to retain medical records in a manner that retains author identification information and protects the security of the records. The CoPs also require that records are promptly completed and filed. In 2018, CMS believed that few hospitals and CAHs had the technological capability to integrate text messages into a patient’s medical record in a manner compliant with the CoPs and the Health Insurance Portability and Accountability Act (HIPAA). As a result, CMS stated that orders should either be handwritten into the medical record or transmitted via computerized provider order entry (CPOE) and placed into the medical record.

In reversing its 2018 guidance, CMS now recognizes that advances in technology, including encryption and interfaces between texting platforms and electronic health record systems (EHRs), can enable hospitals and CAHs to comply with the CoPs through the texting of patient orders. CMS cautions hospitals and CAHs that permit texting of orders to ensure that they use secure, encrypted platforms, maintain the integrity of author identification, and comply with HIPAA, including the HIPAA security rule. Texted orders must also be promptly filed in the EHR. CMS expects that hospitals and CAHs will regularly review the security and integrity of their texting platforms.

While CMS still prefers the use of CPOEs when providers submit patient orders, the QSO Memo allows hospitals and CAHs additional flexibility, subject to the conditions of the QSO Memo, including HIPAA compliance.

On February 8, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule (Final Rule) updating federal “Part 2” regulations to more closely align the requirements applicable to substance use disorder (SUD) treatment records with the HIPAA privacy rule, and to make certain other changes. The regulations at 42 CFR Part 2 have long set forth strict rules governing the uses and disclosures of medical records of certain SUD treatment facilities and programs. HHS is now proposing to scale back those rules slightly, in accordance with statutory changes to federal law governing the privacy of SUD records in the 2020 “CARES Act” legislation enacted in response to COVID-19.[i] This Final Rule follows a proposed rule issued by HHS on December 2, 2022, which we previously analyzed here.

The Final Rule is anticipated to take effect on April 16, 2024 (60 days from the anticipated publication date of February 16). The compliance date by which individuals and entities must comply with the Final Rule’s requirements is February 16, 2026 (except as specifically tolled in the Final Rule).

Below we provide a high-level summary of the changes included in the Final Rule.  We will supplement this analysis in the coming days with additional detailed reviews of certain of these changes referenced below. 

The key updates in the Final Rule include:

  • Consent: A long-standing tenet of the Part 2 regulations was that SUD records could not be used or disclosed without specific patient consent, except in very narrow circumstances.  The Final Rule updates this regulation to allow a patient to give a single, broad consent that covers all future uses and disclosures of Part 2 records for treatment, payment, and health care operations purposes (as defined under the HIPAA privacy rule), subject to certain exceptions (hereinafter, “TPO Consent”). This alignment with the HIPAA privacy rule is an important development to streamline compliance with the previously incongruent consent regimens under the Part 2 and HIPAA regulations across health systems and Part 2 programs (as defined under the Part 2 regulations).
  • TPO Consent Elements: The Final Rule indicates that a valid TPO Consent must have all of the required elements of a valid HIPAA authorization.
  • Redisclosures: The Final Rule newly allows Part 2 programs, as well as HIPAA-covered entities and business associates, who have received Part 2 records in accordance with TPO Consent, to “redisclose the records as permitted by the HIPAA regulations” except in proceedings against a patient requiring a court order or specific written consent, or until the patient revokes the consent.
  • SUD Counseling Notes: The Final Rule revises the definition of “SUD counseling notes” under the Part 2 regulations “to parallel the HIPAA psychotherapy note provisions,” which are subject to heightened confidentiality restrictions under Part 2 and HIPAA, respectively.
  • Segregation/Segmentation of Part 2 Records: The Final Rule states that a Part 2 program, or HIPAA-covered entity or business associate, which receives Part 2 records based on a single TPO Consent, is “not required to segregate or segment such records.” This may be an important clarification for health systems and other entities that rely on integrated and unified electronic health records.
  • Part 2 Record Breaches: The Final Rule extends the applicability of breach notification requirements consistent with those under HIPAA to breaches of Part 2 records.
  • Civil and Criminal Enforcement: The Final Rule incorporates HIPAA’s criminal and civil enforcement authorities into the Part 2 regulations, allowing for imposition of civil money penalties and other sanctions available under HIPAA for Part 2 violations.
  • Accounting of Disclosures: The Final Rule grants patients a new right to request an accounting of disclosures made by a Part 2 program based on a consent, for up to 3 years prior to the date of the accounting. However, the compliance date for this provision is tolled by HHS in the Final Rule until HHS revises the HIPAA privacy rule’s accounting for disclosures regulation to address disclosures through an electronic health record.

The Final Rule represents the latest in a series of efforts by HHS to more closely align HIPAA and Part 2 requirements and processes, in recognition of industry shifts to more integrated and coordinated medical, behavioral health, and SUD care. Health care organizations will need to assess the various provisions of the Final Rule closely to determine their compliance obligations and any necessary operational changes.

We will continue to monitor and track developments related to the Part 2 requirements and implications of this Final Rule.


[i] Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No 116-136, 134 Stat 281 (27 March 2020) (CARES Act) – https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.pdf (codified in pertinent part at 42 U.S.C. 290dd–2).