Health Law Advisor

State courts continue to debate whether a state’s constitution recognizes a right to “liberty of privacy” or personal autonomy that would encompass the right to make personal health care decisions, including abortion.

In the post-Dobbs era, state supreme courts have been divided over whether state constitutions offer protections for abortion. Supreme courts in Florida and Iowa have rejected state constitutional protections for abortions, while those in Oklahoma and Montana have found or upheld certain constitutional protections for abortion. Recently, district court judges in Georgia and North Dakota have issued injunctions against their respective state’s abortion bans, finding that each state’s constitution protects a right to abortion.

On September 14, 2024, a district court judge in North Dakota enjoined North Dakota’s total prohibition on abortion, and on September 30, 2024, a superior court judge in Fulton County, Georgia, issued an injunction blocking the state’s six-week abortion ban. While the fate of the North Dakota injunction remains pending, on October 7, the Georgia Supreme Court stayed the lower court’s injunction, allowing Georgia’s six-week ban on abortion to once again take effect. One Georgia Supreme Court justice—Justice John J. Ellington—dissented in part from the decision, opining that “[t]he ‘status quo’ that should be maintained is the state of the law before the challenged law took effect.”

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

On August 5, 2024, the Office of the National Coordinator for Health Information Technology— now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing. The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.

Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.

New and Revised HIT Certification Criteria

The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and for public health agencies. The certification criteria introduced in HTI-2 for payers is the first time that the health IT certification program is being extended beyond the certified electronic health record (EHR) technology developers. Some notable changes include the following:

Most months, I try to answer a well-focused question.  This month, however, I want to simply take a broad look at how FDA conducts its postmarket surveillance study program under Section 522 of the federal Food, Drug, and Cosmetic Act. FDA published a new final guidance on this topic on October 7, 2022, and the agency also made corresponding updates to its database. That gave me the chance to study the data, however incomplete they are.  More on that later.

Overview of the Guidance and the Program

Before I turn to the data, I thought it would be helpful to provide a high-level reminder of what FDA’s postmarket surveillance study program is all about.  As explained in the guidance, Section 522 provides FDA with the authority to require manufacturers to conduct postmarket surveillance at the time of approval or clearance or at any time thereafter of certain class II or class III devices.  I’ll talk more about the question of timing below.

From our Thought Leaders in Health Law video series: In today's complex and rapidly evolving health care landscape, navigating the path of expanding or selling a business requires a nuanced understanding of the intricate state and federal regulatory frameworks.

With states increasingly imposing legislative oversight to safeguard competition, care access, and quality, it's crucial for health care providers, private equity firms, and management organizations to have a strategic partner adept at handling these challenges.

States are imposing prior approval or prior review legislation to allow for more visibility regarding proposed transactions. Much of the legislation seeks to increase oversight of health care entity relationships with management companies and private equity firms.

What does this mean for you?

From our Thought Leaders in Health Law video series: The U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country.

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights published a final rule entitled the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

What are the key takeaways from the Final Rule?

California’s legislature recently passed AB 3129, and it is awaiting Governor Gavin Newsom’s signature. While AB 3129 impacts several different provider types, this article focuses on its impact on Management Service Organizations (MSOs) and Physician Practice Management Companies (PPMCs) as the historically accepted structure for purposes of complying with the prohibitions on the corporate practice of medicine (CPOM). In its initial drafts, AB 3129 seemed highly focused on MSOs and the Friendly PC models for PPMs in the state.

While much of the early language regarding MSOs seems to have been shed from the bill, some ambiguity remains regarding whether, and in what contexts, sponsored MSOs will need to give pre-transaction notice to, or obtain the consent of, the California Attorney General (AG).  A later section of the bill highlights what will likely be CPOM enforcement priorities and is worth the close attention of all MSOs operating in the state.

In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.

The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.

The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect. 

Over the next year, the following laws will become effective:

1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
5. New Hampshire Privacy Act (effective Jan. 1, 2025)
6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
7. Tennessee Information Protection Act (effective July 1, 2025)
8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements: