Wade's Health Law Highlights for July 30, 2024


July 30, 2024

Hello Reader,

There are several articles this week discussing data privacy and HIPAA. I am continually surprised by the lack of understanding about HIPAA among those who should know better.

Recently, I defended a Texas healthcare provider before their licensing board. As part of their investigation, the board requested patient records and instructed us to email those records to a standard email address.

When I challenged this practice, they claimed the email address was "secure." While secure email does exist, that was not the case here. Emailing documents without encryption or a secure upload means the documents are sent in plain text, getting copied on every server that relays the email to the destination.

As healthcare attorneys, we should promote patient privacy to all of our clients. By the looks of things, we still have a lot of work to do.

Wade

Data Privacy

The TDPSA: A New Sheriff in Town for Texas Data Controllers and Processors

Summary of article from Vinson & Elkins LLP, by Maggie Eller, Briana Falcon, Jeffrey Johnston, Michael Kurzer:

The Texas Data Privacy and Security Act (TDPSA), effective from July 1, 2024, mandates compliance from businesses operating in Texas or providing products/services to Texas residents, excluding small businesses and specific entities like state agencies and nonprofits. It defines consumer rights, responsibilities for data controllers and processors, and includes stringent requirements for handling personal and sensitive data. Sensitive data encompasses information such as race, health diagnoses, and biometric data, while certain healthcare and employment-related data are exempt. Organizations must conduct data protection assessments, update privacy policies, and establish systems for consumer rights compliance. Ensuring data security through administrative, technical, and physical measures is also emphasized.

Drug & Device

People Are Overdosing on Off-Brand Weight-Loss Drugs, FDA Warns

Summary of article from Ars Technica, by Beth Mole:

The FDA has issued a warning about overdoses related to off-brand versions of the weight-loss drug semaglutide, commonly known as Wegovy and Ozempic. Due to high costs and supply shortages, patients are turning to compounded versions, which lack standardized dosing and safety assurances. These compounded drugs often come with unclear instructions and improper syringe sizes, leading to significant dosing errors—sometimes up to 20 times the intended amount. Such overdoses have resulted in severe health issues, including nausea, vomiting, and pancreatitis. The FDA emphasizes that compounded drugs carry higher risks and should only be used when absolutely necessary. The agency also noted that healthcare providers have made dosage calculation errors, further exacerbating the problem.

Fraud & Abuse

Vanishing Texas Companies Linked to Millions in Fraudulent Medicare Billings

Summary of article from MSN, by Brian New:

CBS News Texas’ investigation into alleged Medicare fraud uncovered over $200 million in fraudulent activities linked to several companies, prompting numerous viewers to report their own experiences with Medicare fraud. A subsequent report identified 11 additional Texas-based medical supply companies potentially involved in fraudulent practices. Many of these companies, such as Lone Star Medlab Laboratories and Peak Health Diagnostics, were found to have vacated their offices and disconnected their contact numbers. Aids for Recovery faced numerous complaints for fraudulent billing and had abandoned their office, leaving behind unopened Medicare correspondence. The Centers for Medicare & Medicaid Services (CMS) confirmed ongoing investigations into these companies, suspected of nearly $3 billion in fraudulent catheter billing.

OIG Updates Fraud and Abuse Authorities FAQs

Summary of article from King & Spalding, by Doug Comin:

On July 8, 2024, the Office of Inspector General (OIG) updated its Frequently Asked Questions regarding fraud and abuse authorities, adding four new questions and answers. The updates address the legality and conditions under which hospitals may waive cost-sharing charges for patients under financial assistance or charity care policies without violating the federal anti-kickback statute (AKS) or the Civil Monetary Penalty Law (CMP Law). OIG clarifies that waivers for uninsured or commercially insured patients generally do not violate these laws, but waivers for Federal health care program enrollees could be problematic unless they fall under specific safe harbors or exceptions. Hospitals can inform patients about financial assistance policies, provided such information is not advertised or solicited in a manner that could be construed as inducement. Additionally, offering free care to uninsured or commercially insured patients and advertising this care does not violate AKS or CMP Law. Finally, hospitals may disseminate information about financial assistance policies through various channels, ensuring the communication is compliant and low-risk under the relevant statutes. The full FAQs can be accessed on the OIG website.

HIPAA

P-R-I-V-A-C-Y is Priceless to Me: The 2024 Privacy Rule

Summary of article from Holland & Hart, by Leslie Thomson:

The Department of Health and Human Services has issued the 2024 Privacy Rule, amending HIPAA privacy regulations to restrict the use or disclosure of an individual’s Protected Health Information (PHI) related to reproductive healthcare for certain non-healthcare purposes. This rule aims to protect individual privacy and trust in healthcare providers by prohibiting the use of PHI for criminal, civil, or administrative investigations or liabilities concerning lawful reproductive healthcare activities. Covered entities must update workforce training, HIPAA policies, procedures, and business associate agreements by December 23, 2024. Additionally, the Notice of Privacy Practices must be revised by February 16, 2026, to reflect these changes and address proposals related to the Confidentiality of Substance Use Disorder (SUD) Patient Records.

Does HIPAA Apply to Veterinarians?

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA does not apply to veterinarians because they do not conduct electronic healthcare transactions for which the Department of Health and Human Services has adopted standards, thus not qualifying as HIPAA covered entities. However, veterinarians are subject to various state-level data privacy and breach notification laws that resemble HIPAA regulations. For instance, California law prohibits the unauthorized disclosure of information concerning animal patients and their owners, with specific exceptions. Additionally, veterinarians handling data of EU citizens must comply with the GDPR. The American Veterinary Medical Association (AVMA) provides guidelines to help veterinarians navigate these diverse data privacy regulations.

Online Tracking Technologies and HIPAA Misconceptions

Summary of article from IAPP, by John Haskell:

Misconceptions persist about the use of online tracking technologies (OTTs) for marketing under HIPAA compliance. HIPAA mandates that covered entities must obtain explicit authorization from individuals before using or disclosing their protected health information (PHI) for marketing purposes. Simply signing a Business Associate Agreement (BAA) does not ensure compliance, particularly when PHI is involved. The U.S. Department of Health and Human Services (HHS) has clarified that disclosures of PHI to tracking technology vendors without proper authorizations are impermissible. Additionally, business associates are prohibited from using PHI for their own purposes, such as marketing campaigns. Compliance with HIPAA requires obtaining valid authorizations and adhering to specific guidelines, rather than relying solely on BAAs. Understanding these requirements is crucial to avoid regulatory issues.

Internet of Things

6 Steps to Release a Medical IoT Device

Summary of article from Edge Industry Review, by Gilad David Maayan:

Releasing a medical IoT device involves a detailed process to ensure its effectiveness, compliance, and market viability. The first step is conducting market research to assess demand, compare with competitors, and evaluate market size and acceptance, guiding stakeholders on investment decisions. Regulatory planning is crucial, requiring familiarity with laws like the EU MDR and FDA regulations to define the device’s use and ensure compliance.

Design controls must be documented throughout development, adhering to standards such as ISO 13485 to maintain product quality. Establishing a tailored Quality Management System (QMS) addresses design, risk, and supply chain management, ensuring compliance with relevant standards. Clinical evaluation demonstrates the device’s safety and efficacy through trials or literature review, summarizing risks and benefits.

Postmarket surveillance is essential for ongoing monitoring of the device’s performance, ensuring long-term safety and effectiveness, and complying with stringent regulations. Edge computing enhances medical IoT devices by enabling local data processing, which speeds up analysis and response times, reduces reliance on internet connectivity, and ensures functionality in remote areas. Key considerations include hardware capabilities, data security, interoperability, and processing speed, all vital for timely healthcare decisions.

The Internet of Medical Things (IoMT) is transforming healthcare by providing personalized, detailed treatment outside hospitals. Despite the complexity of development and regulatory approval, these devices offer significant potential for improved patient outcomes and profitability.

Litigation

Pharmacy Association and 40 Providers Sue Change Healthcare Over Cyberattack

Summary of article from The HIPAA Journal, by Steve Adler:

The National Community Pharmacists Association (NCPA) and over 40 healthcare providers from 22 states are suing Change Healthcare, Optum, and UnitedHealth Group following a February 2024 ransomware attack. This Blackcat ransomware incident resulted in significant disruptions, as Change Healthcare’s critical systems were taken offline, affecting claims processing and revenue management for numerous providers nationwide. The plaintiffs argue that the defendants failed to implement adequate security measures and did not provide timely guidance or support, exacerbating financial hardships for healthcare providers. The lawsuit, which spans 140 pages, includes claims of negligence, breach of contract, and violations of various state consumer protection laws. It seeks permanent injunctive relief, enhanced security measures, and various forms of damages.

Medicare & Medicaid

Medicaid Overpayment Audits: What Medical Providers Need to Know

Summary of article from Nelson Mullins, by Gabriel Imperato, Hannah Kays, Melissa Scott:

Medicaid overpayment audits ensure program integrity but can be challenging for medical providers. Auditors review medical records and billing documents, typically involving notification, document submission, preliminary findings, appeals, and final determination. Common audit triggers include high claim volumes, unusual billing patterns, frequent adjustments, specific service types, and high rates of new patient claims. Providers can mitigate risks by maintaining accurate documentation, conducting regular internal audits, training staff, implementing compliance programs, and staying updated on regulations. Legal strategies include timely responses, thorough documentation reviews, expert consultations, and utilizing the appeal process to address discrepancies. Engaging knowledgeable healthcare attorneys can help protect practices and efficiently resolve disputes. Understanding the audit process and adhering to best practices can aid providers in managing Medicaid audits effectively.

HHS Releases Final Part Two Guidance to Help People with Medicare Prescription Drug Coverage Manage Prescription Drug Costs

Summary of article from CMS Press Release:

The Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have released the final part two guidance for the Medicare Prescription Payment Plan under the Inflation Reduction Act. This plan, effective in 2025, allows Medicare beneficiaries to spread their prescription drug costs over the calendar year, rather than paying upfront at the pharmacy. Additionally, annual out-of-pocket prescription drug costs will be capped at $2,000, providing significant financial relief. The guidance also includes educational outreach efforts to ensure beneficiaries are informed about this new option. This initiative is part of broader measures to reduce prescription drug costs, including capping monthly insulin costs at $35 and providing free ACIP-recommended vaccines. The final part two guidance updates and finalizes the draft released in February 2024, and CMS has provided model materials for Part D plans to communicate these changes to enrollees.

Mergers & Acquisitions

HSBC Venture Healthcare Report: 1H 2024

Summary of article from Foley & Lardner LLP, by Antoinette F. Konski:

Key findings include a reversal of the 2023 decline in Healthtech investments, stable Med Device investments driven by first-financing deals, and a notable 35% increase in Biopharma investments with significant private deals. The Dx/Tools sector saw a decline in first-financing deals but benefited from growth investors for companies nearing commercialization. Overall, the report highlights increased investment activity across all sectors, with heightened IPO interest and significant private M&A deals in Biopharma.

Reimbursement

“Incident To” Billing Promotes Productivity, But Presents Many Potential Pitfalls

Summary of article from Burr & Forman, by Catherine Kirkland:

“Incident to” billing allows physician practices to bill Medicare for non-physician practitioners (NPPs) under a supervising physician’s provider number at the full physician rate, enhancing productivity and reducing appointment wait times. However, this arrangement carries significant compliance risks, requiring specific conditions such as the physician initiating treatment, ongoing management, and direct supervision. Violations can result in substantial financial penalties, as seen in recent cases where practices paid hefty settlements for non-compliance. Intentional breaches may even lead to federal criminal charges, highlighting the need for strict adherence to regulations. Practices must also recognize that “incident to” billing requirements differ among payors, necessitating tailored billing policies for each. Legal guidance should be sought if inadvertent violations occur, with self-reporting to the Office of Inspector General (OIG) as appropriate. Understanding and complying with both Medicare and individual payor guidelines is crucial for lawful “incident to” billing.

Wade Emmert

Partner & Healthcare Practice Group Leader

Board Certified, Health Law // Certified Information Privacy Professional (CIPP/US) // Artificial Intelligence Governance Professional (AIGP) // Certified in Cybersecurity (ISC2 CC)


901 Main Street, Suite 5500, Dallas, TX 75202


Carrington, Coleman, Sloman & Blumenthal, LLP
