*This post was co-authored by Lily Denslow, legal intern at Robinson+Cole. Lily is not admitted to practice law.

In April, the Federal Trade Commission (FTC) promulgated a new rule banning non-competes (the Rule); the FTC adopted the Rule to prohibit employers from entering into or enforcing non-compete clauses with workers and senior executives. Several lawsuits were quickly filed challenging the rules. Separate parties filed in Texas (in which cases were consolidated), and ATS Tree Services, LLC, filed an action in Pennsylvania.

On July 23, 2024, the U.S. District Court for the Eastern District of Pennsylvania issued a ruling denying ATS Tree Services’ motion for a stay and a preliminary injunction against the Rule. ATS Tree Services, LLC v FTC, No: 2:24-cv-01743-KBH, at p.18 (E.D. Pa. July 23, 2024). The Court held that ATS had not demonstrated the irreparable harm necessary to justify the issuance of a preliminary injunction and also held that ATS failed to establish a reasonable likelihood of success on the merits of its action.

The ruling is diametrically opposed to the July 3, 2024, ruling from the U.S. District Court for the Northern District of Texas, which preliminarily enjoined the Rule and postponed its effective date in Ryan, LLC v. U.S., No. 3:24-CV-00986-E, 2024 (N.D. Tex. July 3, 2024). However, the district court declined to issue a universal injunction, making its ruling applicable only to the Ryan plaintiffs.

The Decisions

In ATS Tree Services, the court first held that nonrecoverable costs of compliance do not rise to the level of irreparable harm, in that “monetary loss and business expenses alone are insufficient bases for injunctive relief.” ATS Tree Services at p.18. Additionally, the court held that the claimed loss of contractual benefits was too speculative. Id. 20-21.

Even though the court found that ATS failed to establish irreparable harm, it added an analysis of ATS’s likelihood of success on the merits, spending the majority of its decision assessing (just as the Ryan Court had) whether “[s]ection 6(g) empowers the FTC with the authority to make substantive rules related to unfair methods of competition in or affecting commerce, or whether the rulemaking authority therein is limited to procedural rules relating to adjudications of unfair methods of competition in or affecting commerce.” ATS Tree Services, at p.8. Notably, the Court relied upon the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244, 2263 (2024) to “independently interpret the statute and effectuate the will of Congress subject to constitutional limits.” Id. at 25. In doing so, the Court harmonized sections 5 and 6 of the FTC Act, concluding:

When taken in the context of the goal of the Act and the FTC’s purpose, the Court finds it clear that the FTC is empowered to make both procedural and substantive rules as is necessary to prevent unfair methods of competition. Thus, the Court rejects ATS’s argument that it should read the word “procedural” but not the word “substantive” into the statutory text defining the FTC’s rulemaking authority. This argument is inherently inconsistent and therefore untenable. Id. at 26.

This was directly contrary to the Ryan decision where the court found under section 6(g) that the FTC lacks the authority to create substantive rules because the Act is only a “housekeeping statute” that allows the FTC to promulgate general “rules of agency organization procedure or practice,” not “substantive rules.” Ryan at *15 (citing Chrysler Corp. v. Brown, 441 U.S. 281, 310 (1979)).

The court in ATS Tree Services went on to address the FTC’s mandate to “prevent prohibited ‘unfair methods of competition’” under section 5, thereby acknowledging Congress’s terms were “intended to act prophylactically to stop ‘incipient’ threats of unfair methods of competition, not solely responsively through adjudications, as courts interpreting the statute have confirmed.” ATS Tree Services, at p. 28. In addition, the court found that the FTC’s rulemaking authority had been confirmed by other circuit courts. Finally, in the rest of the decision, the Court disposed of the other alternative challenges made by ATS. This was contrary to the Ryan decision, where the Texas court had held that the FTC acted arbitrarily and capriciously, because the Rule was “unreasonably broad without a reasonable explanation” and did not sufficiently address alternatives to issuing the Rule. 

 Key Takeaways

The two courts have issued opinions with conflicting analyses. While Texas has issued a preliminary injunction specific to the Ryan plaintiffs, the court did indicate it intends to make a final determination on the merits by August 30, 2024, prior to the Rule’s effective date. The Ryan Court will have the opportunity to vacate the Rule in its entirety as unlawful and issue a permanent injunction, with the scope of the relief ordered yet to be decided. This new ruling sets up the potential for an appeal to the U.S. Court of Appeals for the Fifth Circuit and possibly seek direct relief from the U.S. Supreme Court.

As we inch closer to the final date, businesses and health care entities should remain aware of litigation developments regarding the Rule and the potential for extended litigation. We will continue to monitor and update on any developments.

*This post was co-authored by Lily Denslow, legal intern at Robinson+Cole. Lily is not admitted to practice law.

On June 27, 2024, the Department of Justice (DOJ) announced its 2024 National Health Care Fraud Enforcement Action, which resulted in criminal charges against 193 defendants for alleged participation in various health care fraud schemes alleged to have resulted in approximately $2.75 billion in losses for Medicare. The takedown spans 32 federal districts, and charges were brought in 145 cases. 

The DOJ charged 36 of these defendants in connection with the submission of over $1.1 billion in fraudulent claims to Medicare, which resulted from schemes involving telemedicine clinical laboratories. The below discusses only a few of the cases, but the general themes run throughout and provide insight into the Government’s concerns in these prosecutions.

In one of these cases, the DOJ charged a Georgia woman with one count of conspiracy to commit health care fraud and one count of conspiracy to violate the Anti-Kickback Statute (AKS). In this case, the defendant allegedly engaged in a scheme in which she and her co-conspirators owned, operated, and had a financial interest in various companies, including durable medical equipment companies, where she would provide qualified leads to clinical laboratories regardless of medical necessity. In addition, she had a company that she used to ship out Cancer Genomic Screening (CGx) test kits to beneficiaries regardless of whether the beneficiaries wanted them or needed them. In return, she submitted invoices to the lab to be paid. The case is pending in the District of New Jersey, and the defendant faces potential criminal liability.

In another case charged as part of this action, the DOJ charged a Texas man with one count of conspiracy to defraud the United States and to pay and receive health care kickbacks, five counts of paying health care kickbacks, and three counts of money laundering. The defendant in this case was the owner of two clinical laboratories and allegedly offered and paid kickbacks to marketers in exchange for referrals for testing. The defendant also allegedly signed doctor’s orders authorizing medically unnecessary testing. Allegedly, Medicare paid the laboratories approximately $54 million as a result of kickback-tainted claims. The case is pending in the Northern District of Texas, and the defendant faces potential criminal liability.

In another case charged as part of this action, two Tennessee men were charged with conspiracy to commit health care fraud, health care fraud, conspiracy to defraud the United States and to pay and receive health care kickbacks and paying and receiving health care kickbacks. These charges resulted from the defendants’ alleged role in selling doctor’s orders for medically unnecessary genetic tests, medications, and durable medical equipment (DME) to laboratories, pharmacies, and DME companies. Allegedly, the defendants obtained orders for their DME companies by paying kickbacks and bribes to purported telemedicine companies and in exchange for doctors signing orders for DME. This scheme allegedly caused the submission of $6 million in false and fraudulent claims to Medicare. Further, Medicare paid $2 million dollars to the defendants’ DME companies on these allegedly false claims. The case is pending in the Middle District of Tennessee, and the defendants face potential criminal liability.

This widespread enforcement action by the DOJ demonstrates the government’s commitment to rooting out healthcare fraud and abuse, especially in the telemedicine and clinical laboratory spaces. This is a timely warning to telemedicine providers and clinical laboratories of the need to ensure compliance with fraud and abuse laws.

This post is co-authored by Seth Orkand, co-chair of Robinson+Cole’s Government Enforcement and White-Collar Defense Team.

On April 29, 2024, the Department of Justice (DOJ) announced a $1.3 million settlement (Settlement) with a South Carolina clinical laboratory marketer and his marketing company, and three physicians and their medical practices in North Carolina, to resolve alleged violations of the False Claim Act (FCA) arising from kickbacks in violation of the Anti-Kickback Statute (AKS).

The DOJ alleged that a marketer and his marketing company offered kickbacks to physicians on behalf of a South Carolina laboratory and that the physicians and their medical practices received kickbacks from the laboratory in exchange for laboratory referrals. These kickbacks resulted in the submission of false claims to Medicare and TRICARE in violation of the FCA. This Settlement follows previous settlements by physicians in South Carolina and Texas to resolve similar allegations with respect to the same clinical laboratory.

The marketer and his marketing company agreed to pay $400,000 to resolve allegations that disguised thousands of dollars in kickbacks to doctors by entering into purported office space rental agreements and phlebotomy payments when the real purpose was to induce them to order laboratory testing from the South Carolina laboratory. In addition, the laboratory paid the marketers on a commission basis even though they were independent contractors and, as such, fell out of the safe harbor for the AKS due to payment that is based on the volume and value of the referrals.

Three doctors and their medical practices agreed to pay a total of $973,400 to resolve allegations that they received a variety of kickbacks in exchange for laboratory referrals, including thousands of dollars in remuneration disguised as purported office space rental, phlebotomy payments, and also for purported payments for used laboratory equipment.  One physician and his practice received credit under the DOJ’s guidelines for cooperation. 

This Settlement highlights the government’s continued scrutiny of compensation arrangements between laboratories and physicians, particularly with respect to remuneration that may appear legitimate on its face but is actually made with the intent to induce referrals and compensation to independent marketers based on the volume or value of the laboratory tests they cause medical providers to refer.  It is also a timely warning to laboratory marketers, physicians, and physician practices of the need to ensure compliance with federal fraud and abuse laws.

State Law Permitting Dispensation of Emergency Contraception by Vending Machines

Legislation passed in 2022 in Massachusetts and in 2023 in Connecticut removes barriers for college students trying to obtain emergency contraception pills like Plan B One-Step. In light of uncertainty around abortion protections following the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, emergency contraception pills—which are not abortion medication—provide an important option for preventing an unwanted pregnancy. Several states have passed or are considering similar legislation, and colleges and universities in at least 17 states have begun installing vending machines that dispense emergency contraception.

In July of 2022, an amendment to M.G.L. c.272 § 21A went into effect in Massachusetts, which clarified that the prohibition on the sale or dispensing of contraceptives via vending machine is limited to only those that must be prescribed. Because Plan B One-Step is available over the counter, it can now be sold in vending machines. Following the passage of this amendment, several colleges and universities around the Commonwealth installed vending machines to dispense Plan B, reportedly selling Plan B or one of its generic equivalents for between $7 and $15.

In May of 2023, Public Act No. 23-52 (“the Act”) passed in Connecticut, which similarly allows colleges and universities in the state to sell and dispense emergency contraceptives via vending machines, so long as they have obtained a permit to do so from the state. The Act also allows any business to obtain a permit to operate a vending machine for emergency contraceptives and other non-prescription drugs in an effort to expand their availability across a wide range of settings. The Act outlines important flexibilities for institutions and businesses seeking to install such vending machines, including allowing multiple vending machines on a single campus under one permit and an alternative permitting process for an operator who is not licensed as a pharmacy. The Act also includes several consumer protections provisions, such as a stipulation that the products inside the vending machine must not be subject to unsafe temperatures or humidity, a prohibition on other products or medications being sold in the same vending machine, and a number for consumers to call in case of product tampering or expiration.

Federal Law Considerations to Contraceptives in Vending Machines

FDA guidance confirms that the FDA does not prohibit the sale of over-the-counter drugs in vending machines, as long as the drugs comply with mandatory labeling requirements, stating:

The [Food, Drug, and Cosmetic] Act requires that certain mandatory labeling information must appear prominently, with such conspicuousness (as compared with other words, statements, designs or devices in the labeling) and in such terms as to render it likely to be read and understood by the ordinary individual under customary conditions of purchase and use. This means that the prospective purchaser must have an opportunity to read and take such information into consideration in reaching a decision whether or not to make the purchase. The vending machine should, therefore, bear a complete copy of the required labeling for the article being offered for sale, or the article should be displayed in such a manner that the mandatory labeling can be viewed by the prospective purchaser.

Colleges and universities rolling out Plan B vending machines must ensure these labeling requirements are met, including that a complete copy of the drug label is displayed on the vending machine so that purchasers have an opportunity to read it prior to making their purchase.

Other State Based Reproductive Health Protections

In addition to emergency contraception offered in vending machines, some states have enacted laws requiring medication abortion to be made available to college students. In Massachusetts, a bill passed in 2022 included a provision requiring student health services at all public universities and community colleges across the state to either dispense medication abortion pills or make referrals for such care. While this provision only applies to public institutions, efforts have been made from within private universities in the state to get medication abortion onto private campuses as well. In 2019, California was the first state to enact a law of this kind, requiring student health clinics at campuses of two large public university networks in the state (CSU and UC campuses) to offer medication abortion on campus starting January 1, 2023. In New York, Governor Kathy Hochul signed a bill on May 2, 2023, which similarly requires SUNY and CUNY campuses to offer prescriptions for medication abortion. The bill went into effect on August 1, 2023. Connecticut does not currently require public universities to offer medication abortion on campus, but does require public universities to establish, not later than January 1, 2024, and update as necessary, a reproductive health access plan, including abortion access, in place for students who need such services.

Implications of State-Level Bans on Reproductive Health Services

Laws protecting medication abortion and those permitting emergency contraception offered in vending machines stand in stark contrast to ongoing state-level bans and other restrictions on providing, or facilitating access to, reproductive health care services. Such restrictions have created a ripple effect outside the state of their adoption as some do not specify a geographic limit on liability, resulting in unpredictability for reproductive health care services that occur out-of-state.

Importantly, such state-level bans and other restrictions may distinguish abortion from contraception. For example, the Texas law restricting abortion expressly excludes birth control devices or oral contraceptives from the definition of abortion, and would not implicate the use of contraception, even if the law otherwise reached out-of-state abortions.

Such restrictions have also prompted a wave of proposed or enacted laws shielding patients and providers from out-of-state legal action, investigation, and liability. For example, one category of laws protects patient health records through prohibitions on their disclosure. Massachusetts prohibits courts within the Commonwealth from ordering an individual to produce documents or records for use in another state’s legal proceedings if they concern “legally-protected health care activity,” including reproductive health services. Laws in both Delaware and Connecticut prohibit the disclosure of health records related to reproductive health services in a civil proceeding, unless the patient or a representative expressly authorizes it. Notably, the U.S. Department of Health & Human Services released a Final Rule that amends the Health Insurance Portability and Accountability Act (HIPAA) to strengthen safeguards on reproductive health care information, which may overlap with or complement state laws in this category, but only with respect to information constituting Protected Health Information subject to HIPAA.

Colleges and universities should be aware of new avenues for making emergency contraception available to their students, given the overall legal uncertainty with respect to reproductive health care services. We will continue to monitor this and related legislation and its effects on campuses in Massachusetts and Connecticut.

*This post was co-authored by Ivy Miller, legal intern at Robinson+Cole. Ivy is not admitted to practice law.

On May 9, 2024, Connecticut Governor Ned Lamont signed into law Public Act No. 24-4, “An Act Concerning Emergency Department Crowding,” (The Act). The Act requires all Connecticut hospitals with an emergency department to, no later than January 1, 2025, and annually thereafter until January 1, 2029, analyze certain data with the goals of:

  1. Developing policies to reduce emergency department and admission wait times.
  2. Developing methods to improve admission efficiencies.
  3. Examining causes for delays in admission times.

Hospitals with emergency departments must on their own, or in consultation with a hospital association in the state, review the following emergency department data points from the preceding calendar year in formulating these goals:

  1. The number of patients who received treatment in the emergency department.
  2. The number of emergency department patients who were admitted to the hospital.
  3. The average length of time from the patient’s first presentation to the emergency department until the patient’s admission to the hospital (for those who were admitted).
  4. The percentage of patients who were admitted to the hospital after presenting to the emergency department but were transferred to an available bed located in a physical location other than the emergency department more than four hours after an admitting order for the patient was completed.

The Act also requires hospitals to submit a report to the joint standing committee for public health of the General Assembly no later than March 1, 2025, and annually thereafter until March 1, 2029. The report must include the hospital’s findings and any recommendations for achieving the above referenced goals. The Act is effective from passage.

On May 9, 2024, Connecticut Governor Ned Lamont signed into law Public Act No. 24-6, “An Act Concerning the Reporting of Medical Debt,” (The Act). The Act prohibits health care providers from reporting medical debt to credit rating agencies and makes various updates to existing laws regarding the reporting of medical debt already applicable to hospitals and collection agents.

The Act defines health care providers by cross referencing the peer review statute definition at C.G.S. § 19a-17b which includes “any person, corporation, limited liability company, facility or institution operated, owned or licensed by this state to provide health care or professional services, or an officer, employee or agent thereof acting in the course and scope of his employment.” Under the Act, such health care providers are prohibited from reporting any portion of a medical debt to a credit rating agency for use in a credit report. Notably, many non-profit hospitals are subject to existing IRS extraordinary collection actions and regulations that, among other things, restrict their ability to report adverse information about an individual to a credit agency. Additionally, health care providers must include a clause in every contract entered into with a collection entity for the collection of medical debt on or after July 1, 2024, that prohibits reporting any portion of medical debt to a credit rating agency. Any medical debt reported in violation of the Act is void. Medical debt is any obligation to pay an amount related to the receipt of health care goods or services. Importantly, the term “health care goods” is broadly defined as “goods, including, but not limited to, products, devices, durable medical equipment and prescription drugs.” However, medical debt does not include debt charged to credit cards unless the credit card is issued under an open-end or closed-end credit plan offered specifically for the payment of charges related to health care goods or health care services.

Additionally, the Act makes changes to existing Connecticut law that prohibits hospitals, entities owned or affiliated with hospitals, and collection agents for such entities from reporting any individual patient to credit rating agencies for one year beginning on the date the patient first receives a bill. Beginning July 1, 2024, hospitals, entities owned or affiliated with hospitals, and collection agents are prohibited from reporting any individual patient to a credit rating agency, regardless of when the patient was billed.

All sections of the Act are effective July 1, 2024.

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule is in response to Executive Order 14076, where President Biden directed HHS to take actions to protect reproductive health information following Dobbs v. Jackson Women’s Health Organization and the following restrictive state laws enacted on abortion services.

The Final Rule strengthens privacy protections of reproductive health information by prohibiting the access, use, or disclosure of the information by a covered entity or business associate for the following activities:

  • To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

Covered entities or business associates who receive a request for reproductive health information are required to obtain a signed attestation from the individual/entity requesting protected health information (PHI) “potentially related to reproductive health care” that the request and associated disclosure is not for one of the prohibited purposes. The attestation will be required when the request is for PHI for any of the following:

  • Health oversight activities.
  • Judicial and administrative proceedings.
  • Law enforcement purposes.
  • Disclosures to coroners and medical examiners.

Compliance with the Final Rule may be tricky for covered entities and business associates. In particular, medical records custodians must be vigilant when receiving requests for PHI to determine whether the request could be for a prohibited purpose and request the signed attestation before the records are released. A process for assessing whether a request for PHI falls into one of the four categories above and whether it relates to reproductive health care information, as well as obtaining an attestation before the release of the records, will be necessary. In addition, the Final Rule requires covered entities to update their Notice of Privacy Practices to include protections on the use and disclosure of reproductive health information. Remember that the Notice of Privacy Practices must also be posted on the organization’s website.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

On March 12, 2024, the U.S. Court of Appeals for the Second Circuit issued an important decision interpreting the “willfulness” standard necessary to find a violation of the federal Anti-Kickback Statute (AKS). The decision provides important guidance for health care and pharmaceutical organizations on what constitutes a knowing violation of the AKS and for counsel to such organizations on defending clients in AKS and False Claims Act (FCA) cases.

Overview of AKS Allegations and FCA Claims

In U.S. ex rel Hart v. McKesson, a former employee of the defendant (a pharmaceutical distributor) filed a qui tam lawsuit under the federal FCA – and certain state FCA analogues – premised on alleged violations of the AKS by the defendant. According to the Second Circuit’s opinion, the relator alleged that the defendant:

  1. Offered business management tools to providers that allowed the providers to select certain specialty drugs based on maximizing the potential revenue to the provider (which in turn increased costs for insurers, including the Medicare and Medicaid programs); and
  2. Offered free access to these valuable business management tools to customers who selected the defendant as “their primary wholesale supplier of branded and generic drugs,” but refused to provide free access to providers who only purchased individual drugs without such a commitment.

The relator accordingly alleged that (i) the provision of free access contingent upon the commitment constituted an illegal inducement under the AKS, and therefore, (ii) claims submitted by providers who received free access to the tools were tainted by the alleged kickback and constituted false claims under the FCA.

District Court Dismissal

A district court granted a motion to dismiss on the basis that the relator failed to plausibly show that the defendant acted willfully, and therefore failed to show that the defendant acted with the requisite scienter for an FCA violation. That court dismissed the federal FCA claim, as well as the state law analogues.

Second Circuit Analysis of Willfulness under AKS

On appeal, the Second Circuit assessed the “primary issue” of what constitutes acting “willfully” under the AKS. The court first noted that it had addressed a similar question in its 2022 Pfizer decision (which we previously analyzed here), where the court observed that a defendant can “willfully” violate the AKS if the defendant “knows that his conduct is illegal” even if unaware of the “exact statutory provision that his conduct violates.”

The court analyzed the history of the AKS legislation and nationwide jurisprudence interpreting the willfulness – or mens rea – standard and determined that the term should be interpreted as consistent with federal criminal law. The court, therefore, held that in order to be subject to criminal prosecution under the AKS for acting willfully, a defendant “must act with knowledge that his conduct was unlawful” under the AKS or another law. However, the court also cautioned that this does not require that a defendant “know of the AKS specifically or intended to violate that statute” in order to be subject to liability thereunder. Instead, a person may have criminal liability under the AKS without being aware of that statute if there is evidence that the person “acts with knowledge that [their] conduct is, in some way, unlawful.” In reaching this conclusion, the court indicates that it intends to protect “those (and only those) who innocently and inadvertently engage in prohibited conduct.”

In a footnote, the court also explained that its holding was, in its view, “consistent with the scienter requirement for health care fraud” under federal criminal law at 18 U.S.C. § 1347.

In response to the specific FCA case in front of the court, the court determined that neither of the relator’s two proposed willfulness interpretations were consistent with the court’s conclusion, described above. The court then analyzed the relator’s claims and determined that “none” of the allegations “alone or together gives rise to a plausible inference” that the defendant acted willfully. It accordingly upheld the district court’s dismissal of the relator’s federal FCA claim, although it reversed the district court’s dismissal of the relator’s remaining claims brought under state (and the District of Columbia) FCAs.

Takeaways

Health care organizations and defense counsel will want to study this opinion closely when considering exposure to potential FCA and AKS claims. Notably, the court’s analysis of alternative potential interpretations and recent decisions in other circuits may provide additional guidance for distinguishing claims and/or defenses.

In a prior blog post, we noted the trend of states enacting legislation implementing reporting requirements for certain healthcare transactions. On March 13, 2024, Indiana joined this trend as Indiana Governor Eric Holcomb enacted Senate Enrolled Act No. 9 (the Act). The Act mandates that, effective July 1, 2024, Indiana health care entities involved in a merger or acquisition with another health care entity with total assets of at least ten million dollars ($10,000,000) must notify the Office of the Indiana Attorney General of the transaction at least ninety (90) days prior to closing. Indiana joins several other states with previously passed notice laws, including California, Colorado, Connecticut, Hawaii, Illinois, Massachusetts, Minnesota, Nevada, New York, Oregon, Rhode Island, and Washington.

However, the Act’s scope is broader than similar legislation recently enacted in other states. For example, the ten-million-dollar ($10,000,000) threshold is lower than the threshold included in legislation from other states, and the definition of “health care entity” applies to a wide array of entities. The definition of “health care entity” within the Act includes “any organization or business that provides diagnostic, medical, surgical, dental treatment, or rehabilitative care” and also includes various types of insurers. The term “health care entity” additionally encompasses private equity partnerships seeking to enter into a merger or acquisition with an Indiana health care entity regardless of where the private equity partnership is located.

The notice required by the Act must include the following information from each health care entity: business address and federal tax number, name and contact information of a representative of the health care entity concerning the merger or acquisition, description of the health care entity, description of the merger or acquisition, including the anticipated timeline, and a copy of any materials that have been submitted to a federal or state agency concerning the merger or acquisition. The notice submitted must be certified before a notary public.

Not later than forty-five (45) days from the submission of notice, the Office of the Indiana Attorney General is required to review the information submitted with the notice and may analyze any antitrust concerns in writing. The Office of the Indiana Attorney General is granted the authority to issue a civil investigative demand for additional information as needed and is required to keep confidential all nonpublic information that is submitted.

The Act also contains strict penalties for noncompliance. If a health care entity fails to comply with a written demand, the Act grants the Office of the Indiana Attorney General authority to file an order to enforce the demand. If an entity fails to comply with a final order or an order imposing sanctions, the court may hold the person in contempt. Additionally, if a court finds that a party has acted in bad faith in resisting the demand, it may order that person to pay the other parties’ reasonable expenses including attorney’s fees.

In the face of this growing trend of increased transaction oversight of healthcare transactions, it is essential for healthcare entities to continue to closely monitor these developments in various states and ensure subsequent compliance. We will continue to monitor developments across the country regarding additional states adopting such laws as well as changes to those laws already adopted.

The Health Sector Cybersecurity Coordination Center (HC3) recently issued an Alert warning that “threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations” have been on the rise.

The social engineering scheme starts with a telephone call to the IT help desk from “an area code local to the target organization, claiming to be an employee in a financial role (specifically in revenue cycle or administrator roles). The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s social security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches. The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.”

After the threat actor gains access, login information related to payer websites is targeted, and they submit a form to make ACH changes for payer accounts. “Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).”

IC3 provides numerous mitigations to assist with the prevention of these vishing schemes, which are outlined in the Alert.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.