Health Law Advisor

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference while also assuring that privacy interests are protected is among an organization’s highest priorities. Our security and privacy team at Epstein Becker & Green has written extensively about the guidance and best practices issued by federal and state regulatory and enforcement agencies. Execution, monitoring and continually updating these preventive practices define an organization’s first line of defense. But what happens in the event that an organization actually suffers a breach? Is there guidance that might be available, particularly to healthcare organizations, to deal with continuity and disaster planning (BC/DR) directed towards assuring resilience and recovery in the event of a potentially-disastrous cyberattack?

The success of an artificial intelligence (AI) algorithm depends in large part upon trust, yet many AI technologies function as opaque ‘black boxes.’ Indeed, some are intentionally designed that way. This charts a mistaken course.

On the evening of Wednesday, December 22, 2021, the Supreme Court of the United States announced that it will hold a special session on January 7, 2022, to hear oral argument in cases concerning whether two Biden administration vaccine mandates should be stayed. One is an interim final rule promulgated by the Centers for Medicare and Medicaid Services (“CMS”); the other is an Emergency Temporary Standard (“ETS”) issued by the U.S. Department of Labor’s Occupational Safety and Health Administration (“OSHA”). The CMS interim final rule, presently stayed in 24 states, would require COVID-19 vaccination for staff employed at Medicare and Medicaid certified providers and suppliers. The OSHA ETS, which requires businesses with 100 or more employees to ensure that workers are vaccinated against the coronavirus or otherwise to undergo weekly COVID-19 testing, was allowed to take effect when a divided panel of the United States Court of Appeals for the Sixth Circuit, to which the consolidated challenges had been assigned by the Judicial Panel on Multidistrict Litigation issued a ruling, on December 17, 2021, lifting a stay that had been previously entered by the Fifth Circuit. Multiple private sector litigants and states immediately challenged the decision.

Recent data thefts and systems intrusions, particularly with respect to ransomware, have assured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date with respect to legislative, regulatory and litigation developments and recommended best practices and procedures.

As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest up during the holidays.

On December 13, 2021, the Supreme Court of the United States rejected the petition of New York health care workers seeking to stop the State from enforcing regulations requiring covered personnel of hospitals, nursing homes, public health centers, and other health care entities to be fully vaccinated against COVID-19 as a condition of continued employment, subject to narrow exceptions. The Supreme Court’s unsigned order allows the continuing enforcement of the regulations, as litigation of the multiple lawsuits challenging the statewide vaccine mandate for health care workers issued last August continues.

Our colleagues Alaap Shah and Stuart Gerson of Epstein Becker Green have written an Expert Analysis on Law360 that will be of interest to our readers: "Health Cos. Must Prepare for Growing Ransomware Threat."

The following is an excerpt (see below to download the full version in PDF format):

Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.

As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in ...

Our colleagues Stuart Gerson and Daniel Fundakowski of Epstein Becker Green have a new post on SCOTUS Today that will be of interest to our readers: "Court Declines Resolving Circuit Split on What Constitutes a 'False' Claim, but Will Consider Legality of Trump Abortion Gag Rule."

The following is an excerpt:

While this blog usually is confined to the analysis of the published opinions of the Supreme Court, several of this morning’s orders are worthy of discussion because of their importance to health care lawyers and policy experts. Guest editor Dan Fundakowski joins me in ...

The U.S. Supreme Court decision today in Maine Community Health Options v. United States, is a major decision affecting healthcare and resolving a significant Obamacare dispute. The Affordable Care Act famously established online exchanges where insurers could sell their healthcare plans. It included the now-expired “Risk Corridors” program aimed to limit the plans’ profits and losses during the exchanges’ first three years (2014-16). The Act contained a formula for computing a plan’s gains or losses at the end of each year, providing that eligible profitable plans “shall pay” the Secretary of the Department of Health and Human Services (HHS), while the Secretary “shall pay” eligible unprofitable plans. But the Act did not appropriate funds that the Secretary could dispense or cap the amounts that the Secretary would pay to unprofitable plans. Nor was there any budget neutrality stated in the Act. The program was something less than a great success and, after three years, in which unprofitable plans outnumbered those that were profitable, the net deficit was more than $12 billion. But the Centers for Medicare and Medicaid Services (CMS) couldn't make any payments to unprofitable plans because, each year, its budget appropriation included a rider preventing CMS from using the funds for Risk Corridors payments. Four unprofitable plans brought suit against the government under the Tucker Act, alleging that the ACA obligated the government to pay the full amount of their negative deficit. With Justice Sotomayor writing for seven other Justices (Alito, J. dissented, and Thomas, J. and Gorsuch, J. did not join one section of the majority opinion), the Court agreed with the plans and reversed the Federal Circuit's holding that while the ACA initially created an initial obligation, the subsequent riders vitiated it.

Tuesday’s decision by Judge Richard Leon of the U.S. District Court for the District of Columbia categorically approving the merger of AT&T and Time Warner, without imposing any conditions or limitations and rejecting granting a stay for appeal purposes, will, unless blocked if there is an appeal, open the way for a series of pending vertical merger deals.

A “vertical merger” is a merger of two companies that do not compete and that are at different levels of the product or service-provision process. Such mergers do not reduce the number of competitors in a given market and, by ...

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related ...

Last week's "WannaCry" worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick ...

Surprisingly amidst the Federal Bureau of Investigation (FBI) uproar, President Trump today signed an executive order addressing cybersecurity for the federal government and critical infrastructure, along with international coordination and cyber deterrence. The substance of the order, which is about to be made public, comes from various press releases and interviews with administration officials. The order is composed of three sections on cybersecurity and IT modernization within the federal government, protecting critical infrastructure, and establishing a cyber ...

Executive Order Delay Trumps Administration Policy Development

President Trump's first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration's cyber policy – but that doesn't mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming ...

Both the Department of Justice and the Department of Health and Human Services Inspector General have long urged (and in many cases, mandated through settlements that include Corporate Integrity Agreements and through court judgments) that health care organizations have "top-down" compliance programs with vigorous board of directors implementation and oversight. Governmental reach only increased with the publication by DoJ of the so-called Yates Memorandum, which focused government enforcers on potential individual liability for corporate management and directors in ...

Frequently, parties in both civil and criminal cases where fraud or corporate misconduct is being alleged attempt to defend themselves by arguing that they lacked unlawful intent because they relied upon the advice of counsel. Such an assertion instantly raises two fundamental questions:  1) what advice did the party's attorney actually give?;  and 2) what facts and circumstances did the party disclose, or fail to disclose, in order to obtain that opinion?  It is well understood that raising an advice of counsel defense consequently waives attorney/client privilege.  Moreover ...

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities. Therefore, in advising their companies ...

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies ...

The U.S. Supreme Court has rendered a unanimous decision in the hotly-awaited False Claims Act case of Universal Health Services v. United States ex rel. Escobar.  This case squarely presented the issue of whether liability may be based on the so-called "implied false certification" theory.  Universal Health Service's ("UHS) problem originated when it was discovered that its contractor's employees who were providing mental health services and medication were not actually licensed to do so. The relator and government alleged that UHS had filed false claims for payment because ...

[caption id="attachment_1416" align="alignright" width="113"] Stuart Gerson[/caption]

Today, the U.S. Supreme Court decided (6-2, with Kennedy writing for the majority and  Ginsburg and Sotomayor dissenting) the case of Gobeille v. Liberty Mutual Insurance Co.  The matter before the Court involved Vermont law requiring certain entities, including health insurers, to report payments relating to health care claims and other information relating to health care services to a state agency for compilation in an all-inclusive health care database. 

In an important victory ...

With the untimely passing of Supreme Court Justice Antonin Scalia, perhaps the best known and most controversial Justice on the Court, commentators, including this one, have been called upon to assess his legacy – both immediate and long term – in various areas of the law.

Justice Scalia was not known primarily as an antitrust judge and scholar. Indeed, in his confirmation hearing for the Court, he joked about what he saw as the incoherent nature of much of antitrust analysis. What he was best known for, of course, is his method of analysis of statutes and the Constitution: a literal ...

On November 24, 2015, in United States ex rel. Purcell v. MWI Corp., No. 14-5210, slip op. (D.C. Cir. Nov. 24, 2015), the District of Columbia Circuit Court of Appeals ruled that federal False Claims Act ("FCA") liability cannot attach to a defendant's objectively reasonable interpretation of an ambiguous regulatory provision. While outside of the health care arena, this decision has implications for all industries exposed to liability under the FCA.

In Purcell, the government alleged that false claims had been submitted as a result of certifications made by defendant MWI ...

In a split decision announced today, June 25, the U.S. Supreme Court, in King v. Burwell, ruled in upholding the tax credits to individuals in all states, including those with only a federal exchange.  In a 6-3 decision, Chief Justice Roberts delivered the opinion of the Court.

"Congress passed the Affordable Care Act to improve health insurance markets, not to destroy them. If at all possible, we must interpret the Act in a way that is consistent with the former, and avoids the latter. Section 36B can fairly be read consistent with what we see as Congress's plan, and that is the reading we ...

In a unanimous decision announced May 26, the U.S. Supreme Court, in Kellogg Brown & Root Services, Inc. v. United States ex rel. Carter, 2015 BL 163948, U.S., No. 12-1497, 5/26/15, ruled that the Wartime Suspension of Limitations Act ("WSLA") applied only to criminal charges and not underlying civil claims in times of war. Thus, the WSLA – which suspends the statute of limitations when the offense is committed against the Government - cannot be used to extend the statute of limitations in cases such as those brought under the False Claims Act ("FCA"). This ruling reversed a decision of ...

On March 31, 2015, the Supreme Court of the United States decided Armstrong v. Exceptional Child Center, Inc. The Court handed down a hodgepodge of opinions but, in the end, five Justices concurred in the judgment that the Constitution's Supremacy Clause does not confer a private right of action, and that Medicaid providers, therefore, cannot sue for an injunction requiring compliance with the reimbursement laws.  This ruling will adversely affect at least those health care companies that have contemplated suing on the basis that the reimbursement they are getting is less than what ...

On December 15, 2014, the Supreme Court of the United States decided Dart Cherokee Basin Operating Co. v. Owens, a class action removal case.

In short, the Dart case is welcome news to employers. Standards for removing a case from state to federal court have been an abiding point of concern for employers faced with "home town" class actions. In more recent times, this problem has become a point of interest to employers in health care and other industries that are beset by cybersecurity and data breach cases originating in state courts but calling for the application of federal privacy ...

Only last week, we informed you of the Supreme Court's somewhat surprising grant of cert. in the Fourth Circuit case of King v. Burwell, in which the court of appeals had upheld the government's view that the Affordable Care Act makes federal premium tax credits available to taxpayers in all states, even where the federal government, not the state, has set up an exchange.

The Administration has taken something of a PR buffeting in the week following, after its principal ACA technical advisor's comments on this issue were made public.

In any event, we suggested that the scheduled DC ...

In something of a surprise, the Supreme Court today granted certiorari in the Fourth Circuit case of King v. Burwell, in which the court of appeals had upheld the government's view that the Affordable Care Act makes federal premium tax credits available to taxpayers in all states, even where the federal government, not the state, has set up an exchange. In doing so, the Supreme Court rebuffed the Solicitor General's request that the Court decline cert. as various cases worked their way through the Courts of Appeals.

It was only a few days ago that the government had filed a brief in ...

As you may recall, a DC Circuit panel held that the Affordable Care Act makes federal premium tax credits available to taxpayers only in States where the State has established an exchange – which is what the ACA literally provides. On the same day, the Fourth Circuit issued a contrary decision in King v. Burwell, accepting the government's argument that where HHS sets up an exchange in a State, that is a State exchange. The same argument is being made by the appellant (the government lost in District Court) in Oklahoma ex rel. Scott Pruitt v. Burwell, which is pending before the 10th ...

By Stuart Gerson

The September 30, 2014 decision of a United States District Judge for Eastern District of Oklahoma in the case of State v. Burwell  adds an interesting wrinkle to the debate over whether the provision in the Affordable Care Act that authorizes federal subsidies (tax credits) applies to individuals who are covered by  a qualified health plan that is enrolled through an Exchange established by the Federal government, not a State.  An IRS Rule (26 C.F.R.§ 1.36B-1(k)) allows this, while the ACA itself bases eligibility on participation in a plan that was "enrolled in ...

By Stuart Gerson

As we noted in our various blogs and communications on the subject (HEAL Advisory and HEAL Blog), the United States Court of Appeals for the District of Columbia Circuit's action today, to rehear in December the Halbig case (Halbig v. Burwell, D.C. Cir., No. 14-508 ), challenging  Obamacare subsidies in the federal health exchange, is not unexpected given the current makeup of the Court. This development now makes it more likely that the Supreme Court will not take action on the King cert petition (King v. Burwell, U.S. 4th Circuit , No. 14-1158) until after the DC ...

By Stuart Gerson

In this blog and subsequently in an article on the subject under the aegis  of the American Health Lawyers Association that can be found at http://www.lexology.com/library/detail.aspx?g=b68c51ae-2bdb-490e-ac3d-02c351a19310 EBG analyzed the DC Circuit's decision  in  In re Kellogg Brown & Root, 2014 U.S. App. LEXIS 12115 (D.C. Cir. 2014).  The DC Circuit's holding reinforces the protections established by the Supreme Court 30 years ago in Upjohn Co. v. United States, 449 U.S. 383 (1981), that afford privilege to confidential employee communications ...

By Stuart Gerson

In the wake of the Hobby Lobby ruling with respect to the Affordable Care Act's contraceptive coverage mandate, the Administration (which already has taken steps to fund contraception for employees affected by their employers' exemption) is attempting also to deal with the issue by a recently-published DHHS regulation setting forth the procedures that "religious" employers might follow to gain exemption from having to provide contraceptive coverage in their sponsored health plans. The proposed rule covers both religious not-for-profits and closely held ...

By Adam C. Solander, Kara M. Maciel, Mark M. Trapp, and Stuart M. Gerson

Yesterday, the U.S. Court of Appeals for the District of Columbia and the U.S. Court of Appeals for the Fourth Circuit sent shockwaves through the country when they issued conflicting opinions on a key aspect of the ACA.  The cases are Halbig v. Burwell, D.C. Cir., No. 14-508 and King v. Burwell, 4^th Cir., No. 14-1158.  The question at issue in both cases was whether the IRS has the authority to administer subsidies in federally facilitated exchanges when the statute itself specifically authorizes subsides only in ...

I was recently quoted in an article titled "4th Circuit Upholds ACA's Employer Mandate, Says Insurance Regulation Within Commerce," by Mary Anne Pazanowski, in Bloomberg BNA's Health Care Daily Report. Following is an excerpt:

A unanimous U.S. Court of Appeals for the Fourth Circuit July 11 declared the Affordable Care Act's employer mandate a valid exercise of Congress's power to regulate commerce under the U.S. Constitution's Commerce Clause (Liberty University Inc. v. Lew, 4th Cir., No. 10-2347, 7/11/13).

In an opinion co-authored by Judges Diana Gribbon Motz, James A. Wynn ...

By Stuart M. Gerson

By now, every American who pays any attention to the news is aware that the Supreme Court of the United States has upheld essentially all of the Obama administration's Affordable Care Act. We have posted a copy of the lengthy opinion, concurrence, and dissent on our website. For now, we should be focusing on what the case of National Federation of Independent Business v. Sebelius actually will cause to occur.

Read the full alert here

By Stuart M. Gerson

The three days of arguments about the constitutionality of the Patient Protection and Affordable Care Act are complete. The Justices of the Supreme Court of the United States have conducted their post-argument conference and are now turning their attention to the drafting and the discussions that will lead to a majority opinion and, likely, several dissents and concurrences. The Court's decision should be issued before the end of June. Health care companies and employers, like the rest of the population, await the ultimate decision. However, there are several ...