Health Law Advisor

Interest in and acceptance of telehealth services continues to grow. In 2023, a key focus by the states has been addressing questions about how to modify existing regulatory infrastructures sustaining the provision of telehealth services to support the continued use of these services in a post-public health emergency world.

However, modifications to telehealth services also increases the potential for fraudulent behavior and enforcement activity. Providers should continue to monitor developments in federal and state laws, regulations, and policies to capitalize on ...

On October 18, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is tasked with enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), issued two new guidance documents pertaining to privacy and security risks associated with the use of telehealth services. One guidance document, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” is aimed at health care providers (the ...

On Friday, October 6, 2023, the Drug Enforcement Administration (“DEA”) and Department of Health and Human Services (“HHS”) filed a Second Temporary Extension of the COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications (“Second Temporary Rule”), extending the full set of telemedicine flexibilities adopted during the COVID-19 public health emergency (“PHE”) through December 31, 2024. The Second Temporary Rule is scheduled for publication in the Federal Register today (October 10, 2023) and scheduled to take effect on November ...

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCPDA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

Interest in and acceptance of telehealth services continues to grow. Recent events, like the COVID-19 pandemic and the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women's Health Organization, have put more pressure than ever on federal and state legislators to promote access to telehealth services.

However, the greater use of telehealth services also increases the potential for fraudulent behavior and enforcement activity. Providers should continue to monitor developments in federal and state laws, regulations, and policies to capitalize on telehealth opportunities while staying compliant with applicable laws.

Since 2016, Epstein Becker Green has researched, compiled, and analyzed state-specific content relating to the regulatory requirements for professional mental/behavioral health practitioners and stakeholders seeking to provide telehealth-focused services. We are pleased to release our latest compilation of state telehealth laws, regulations, and policies within the mental/behavioral health practice disciplines.

Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and ...

On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting written comments from the public on these proposed revisions to the regulations until October 28, 2020 at 5:00 p.m. PST.

Notable changes in these regulations include:

• A requirement for ...

On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:

The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU).  Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework.  The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.

The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers.  Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.  This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.  The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.

On March 17, 2020, the Office for Civil Rights’ (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee.  As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, of the three changes the Chairman views as most important, he declined to include the enforcement discretion in the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]

While providers struggle to provide health care to their patients amid the coronavirus contagion concerns, recent regulatory and reimbursement changes will help ease the path to the provision of healthcare via telehealth.

On March 6, 2020, President Donald Trump signed into law an $8.3 billion emergency coronavirus disease 2019 (“COVID-19”) response funding package. In addition to providing funding for the development of treatments and public health funding for prevention, preparedness, and response, the bill authorizes the U.S. Secretary of Health and Human Services, Alex Azar (referred to herein as the “Secretary”), to waive Medicare restrictions on the provision of services via telehealth during this public health emergency.

Greater utilization of telehealth during the COVID-19 outbreak will reduce providers’ and patients’ exposure to the virus in health care facilities. Telehealth is especially useful for mild cases of illness that can be managed at the patient’s home, thereby decreasing the volume of individuals seeking care in facilities. To further facilitate the increased utilization of telehealth, the Centers for Disease Control’s interim guidance for healthcare facilities notes that healthcare providers can communicate with patients by telephone if formal telehealth systems are not available. This allows providers to have greater flexibility when telehealth technology providers lack the bandwidth to accommodate this increase in telehealth utilization or are otherwise unavailable.

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  

On October 22, 2019, the Centers for Medicare and Medicaid Services (“CMS”) issued a Request for Information (“RFI”) to obtain input on how CMS can utilize Artificial Intelligence (“AI”) and other new technologies to improve its operations.  CMS’ objectives to leverage AI chiefly include identifying and preventing fraud, waste, and abuse.  The RFI specifically states CMS’ aim “to ensure proper claims payment, reduce provider burden, and overall, conduct program integrity activities in a more efficient manner.”  The RFI follows last month’s White House ...

On July 11, 2019, a Federal judge for the U.S. District Court for Maryland ruled that manufacturers and importers of products such as e-cigarettes and other electronic nicotine delivery systems (“ENDS”) have ten months to submit applications for marketing to the U.S. Food and Drug Administration (“FDA”). The ten-month deadline is applicable to new tobacco products on the market as of the August 8, 2016 deeming rule that extended FDA’s regulatory jurisdiction to include all tobacco products. Accordingly, manufacturers of e-cigarettes now have until May 2020 to submit ...

On February 27, 2019, Tennessee-based holding company Vanguard Healthcare, LLC (“Vanguard”), agreed to pay over $18 million to settle a False Claims Act (“FCA”) action brought by the United States and the state of Tennessee for “grossly substandard nursing home services.” The settlement stems from allegations that five Vanguard-operated facilities failed to do the following: (1) administer medications as prescribed, (2) provide standard infection control resulting in urinary tract and wound infections, (3) attend to the basic nutrition and hygiene ...

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA ...

On November 26, 2018, the U.S. Food and Drug Administration (“FDA”) announced the process for clearing most medical devices for marketing is being updated to incorporate changes the FDA laid out in an April draft guidance. For over forty years, most medical devices have entered the United States market through the 510(k) clearance process. The 510(k) process offers an expedited approval process available only for products that are substantially equivalent to products already on the market (known as predicate devices). The FDA is considering no longer allowing sponsors to ...

On October 24, 2018, President Trump signed sweeping bipartisan legislation to combat the opioid epidemic. The Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act, or the SUPPORT for Patients and Communities Act (“H.R. 6” or “the Law”), aims to “reduce access to the supply of opioids by expanding access to prevention, treatment, and recovery services.”[1] Congress has already appropriated $8.5 billion to implement this “landmark legislation” in 2018 and 2019.

In a series of Client Alerts, Epstein ...

On October 10, 2018, President Donald Trump signed into law the “Know the Lowest Price Act” and the “Patients’ Right to Know Drug Prices Act,” which aim to improve consumer access to drug price information by banning gag clauses. The Trump administration previously announced its intention to enact this legislation in its May 2018 Blueprint to Lower Drug Prices and Reduce Out-of-Pocket Costs and will likely point to these new federal laws as affirmation of its commitment to drug pricing reform that favors patients and consumers.

These bills—one of which applies to ...