PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and

*This post was co-authored by Paul Palma, legal intern at Robinson+Cole. Paul is not admitted to practice law.

In November 2024, the Department of Health and Human Services Office of Inspector General (OIG) published the results of its audit assessing hospital compliance with the federal Hospital Price Transparency Rule (HPT Rule). OIG determined that 37

This post was co-authored by Josh Yoo, legal intern at Robinson+Cole. Josh is not admitted to practice law.

Health care entities maintain compliance programs in order to comply with the myriad, changing laws and regulations that apply to the health care industry. Although laws and regulations specific to the use of artificial intelligence (AI) are limited at this time and in the early stages of development, current law and pending legislation offer a forecast of standards that may become applicable to AI. Health care entities may want to begin to monitor the evolving guidance applicable to AI and start to integrate AI standards into their compliance programs in order to manage and minimize this emerging area of legal risk.

Executive Branch: Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

Following Executive Order 13960 and the Blueprint for an AI Bill of Rights, Executive Order No. 14110 (EO) amplifies the current key principles and directives that will guide federal agency oversight of AI. While still largely aspirational, these principles have already begun to reshape regulatory obligations for health care entities. For example, the Department of Health and Human Services (HHS) has established an AI Task Force to regulate AI in accordance with the EO’s principles by 2025. Health care entities would be well-served to monitor federal priorities and begin to formally integrate AI standards into their corporate compliance plans.

  • Transparency: The principle of transparency refers to an AI user’s ability to understand the technology’s uses, processes, and risks. Health care entities will likely be expected to understand how their AI tools collect, process, and predict data. The EO envisions labelling requirements that will flag AI-generated content for consumers as well.
  • Governance: Governance applies to an organization’s control over deployed AI tools. Internal mechanical controls, such as evaluations, policies, and institutions, may ensure continuous control throughout the AI’s life cycle. The EO also emphasizes the importance of human oversight. Responsibility for AI implementation, review, and maintenance can be clearly identified and assigned to appropriate employees and specialists.
  • Non-Discrimination: AI must also abide by standards that protect against unlawful discrimination. For example, the HHS AI Task Force will be responsible for ensuring that health care entities continuously monitor and mitigate algorithmic processes that could contribute to discriminatory outcomes. It will be important to permit internal and external stakeholders to have access to equitable participation in the development and use of AI.

Below is an excerpt of an article published in the May 2023 issue of Health Law Connections, the member magazine of the American Health Law Association. Kate and Conor were assisted on this article by Health Law Group intern Paul Sevigny.

COVID-19 has driven increased telehealth access and technology-based health care services.

The Office of Inspector General (OIG) recently issued two notable compliance updates, of which health care organizations should take note as the COVID-19 public health emergency ends and regulatory compliance activities ramp up.

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements and to offer businesses that have been the subject of a breach despite implementing cybersecurity safeguards protection from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.

On May 7, 2019, the U.S. Department of Justice (DOJ) provided important new guidance addressing cooperation credit that may be available to defendants in False Claims Act (FCA) investigations (Guidance). The Guidance – issued in the form of an update to DOJ’s Justice Manual – explains how defendants in an FCA investigation may be awarded credit by DOJ for certain disclosures, cooperation, and remedial activities.

The Guidance is intended to incentivize companies and individuals to (i) be forthcoming with the government upon discovery of potential FCA violations, (ii) aid ongoing FCA investigations, and (iii) undertake appropriate remedial actions in response to misconduct. The Guidance provides examples of actions that FCA defendants may be able to take to reduce potential penalties under the FCA. As discussed below, DOJ’s examples appear to re-emphasize DOJ’s focus on individual accountability for corporate wrongdoing.

On March 21, 2018, the Food and Drug Administration (FDA) published two guidance documents addressing postmarketing safety reporting requirements (PMSR) for combination products. The FDA had previously issued a Final Rule on PMSR for combination products on December 20, 2016 (PMSR Final Rule).

By way of background, combination products are therapeutic and diagnostic products that combine drugs, devices, and/or biological products. Because PMSR regulations for medical products in different categories are individualized (for example, PMSR are different for drugs than they are for medical devices and biological products), the two new guidance documents clarify the PMSR requirements that apply when a product is comprised of multiple medical categories. According to the FDA, these documents were issued in an effort to further interpret the Final Rule by ensuring consistent and complete reporting while simultaneously avoiding duplication in reports.

Last month, a U.S. District Court in the Middle District of Florida overturned judgments totaling $347,864,285 returned by a jury under the federal False Claims Act (FCA) and Florida’s state equivalent against the owners and operators of 53 specialized nursing facilities in Florida, determining that the plaintiffs’ allegations failed to satisfy the “demanding” and “rigorous” materiality standard endorsed by the Supreme Court in its 2016 Escobar decision. In an order released January 11, 2018, the District Court reversed the jury’s conclusions and granted the defendants judgment as a matter of law.