In this episode of the Diagnosing Health Care Podcast:  We’re beginning to see how mergers and acquisitions in the hospital industry are being impacted by President Biden’s executive order promoting competition in the American economy. The Federal Trade Commission recently announced policy changes, and the Department of Justice has been asked to consider policy changes, that boards of directors and C-suite officers must take into account when weighing transactions.

Special guest Dr. Subramaniam (Subbu) Ramanarayanan, Managing Director at NERA Economic Consulting, and Epstein Becker Green attorneys John Steren, Patricia Wagner, and Dan Fahey discuss what leaders need to know about the government’s heightened antitrust scrutiny in the hospital market.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple Podcasts, Google Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

Interest in, and acceptance of, telehealth services continues to grow. Federal and state legislators are under pressure to codify the flexibilities granted in response to the COVID-19 pandemic that increased access to telehealth services. Meanwhile, increased use of telehealth has put a much greater focus on the potential for fraudulent behavior and increased enforcement activity as a result. Telehealth providers should continue to monitor developments in federal and state laws, regulations, and policies to capitalize on telehealth opportunities while at the same time making investments in compliance infrastructures in order to operate in accordance with applicable laws.

Since 2016, Epstein Becker Green has researched, compiled, and analyzed state-specific content relating to the regulatory requirements for professional mental/behavioral health practitioners and stakeholders seeking to provide telehealth-focused services. We are pleased to release our 2021 Telemental Health Laws app, featuring the latest and most comprehensive compilation of state telehealth laws, regulations, and policies within the mental/behavioral health practice disciplines.

The survey’s complete findings are available to download for free as an app for iPhone, iPad, and Android devices. Download the app now and instantly have access to information about:

  • The increased recognition of telehealth benefits
  • The growing focus on telehealth fraud and enforcement
  • General telemental/telebehavioral provisions across the 50 states plus the District of Columbia and Puerto Rico
  • COVID-19’s impact on telehealth at the state and federal levels

Please contact Amy Lerman or Francesca Ozinal with questions.


As featured on the Diagnosing Health Care Podcast:  As 2021 nears a close, acute care hospitals and health systems are facing a host of financial, regulatory, and legislative challenges. In this special episode of Diagnosing Health Care, Rick Pollack, President and CEO of the American Hospital Association, and Epstein Becker Green’s Ted Kennedy, Jr., discuss the ways in which the industry is working with the Biden administration and Congress to shape policy around critical issues, such as surprise billing, coverage expansion, value-based care, and telehealth.

Rick and Ted look at how these policy issues relate to broader market trends. They also dive into the short- and long-term solutions that will affect acute care hospitals into the future.


While this column typically uses data visualizations you’ve probably seen before, I want to introduce one that perhaps you have not.  This is in the realm of text analysis.  When looking at FDA data, there are numerous places where the most interesting information is not in a data field that can be easily quantified, but rather in narrative text.  Take, for example, Medical Device Reports of adverse events, or “MDRs.”  While we can do statistical analysis of MDRs showing, for example, which product categories have the most, the really interesting information is in the descriptions of the events.

Why do we care?  Those focused on product quality want to learn from history, and how better than from everyone’s history, not just your own.  We can use the MDR data to find out product experiences with broad or narrow product categories.  In the year 2020, for example, there were over 1.5 million such reports.

In this month’s column, I’m going to focus on cardiovascular devices.  I could just as easily focus on software, or all implants or orthopedic devices or any other term that might cover a broad range of products.  Because this stuff isn’t common, I’m going to include the methodology first, and then the visualization.


I’m using what is known in data science as topic modeling to extract information from the event descriptions in MDRs.  Topic modeling is an approach that allows us to see the big picture from a long list of documents.  Essentially, topic modeling seeks to identify common topics discussed in a corpus of records.

While the output sort of looks like English, it also sort of does not.  The algorithm is looking for words that are used together frequently.  The algorithm strings those words together based on statistical importance, not based on how an English major would write them.  Further, to help the algorithm recognize that the words “implant,” “implanted,” “implants,” and “implantation” are all pretty similar, we reduce each word to its stem.  In the chart, you will see all variations of the word valve as “valv”.  It takes some getting used to.

In addition, because context is usually important to understand how words are used, we look for phrases, in this case two words that are typically strung together.  We could, however, use as many words in a phrase as we want, but more words means a lot more computer resources.  In this case, two-word phrases seem to work adequately.

This exercise is a blend of art and science, and one of the judgments to make is the number of topics to consider.  We typically make that decision based on what we refer to as coherence, which is a statistical measure of what is a logical principle: how well the words go together.  We want to find topics that are meaningful to humans.  Another area for using judgment is getting rid of words we don’t care about because they are too common and uninformative.  I removed words such as “complaint” and “patient,” because they were in many of the event descriptions and didn’t add any particularly useful information.

From a technical standpoint, for those interested, I’m using a specific technique called Latent Dirichlet Allocation, a form of unsupervised learning, implemented through the Python library gensim.
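The preprocessing steps described above (dropping uninformative words, stemming, and two-word phrases), shown as an added Python example that is not the column's own code. It stops at the bag-of-words counts a topic model would consume and does not fit the LDA model itself; the suffix stripper, the plain count threshold for phrases, and the sample narratives are assumptions constructed for illustration.

```python
import re
from collections import Counter

# General stop words plus the two domain words the column says it removed.
STOP_WORDS = {"the", "and", "was", "were", "at", "of", "during", "a", "an",
              "is", "to", "in", "complaint", "patient"}

# Crude suffix stripper standing in for a real stemmer (assumption).
# Suffixes are tried in this order and only one is removed per word.
SUFFIXES = ("ation", "ing", "ed", "es", "s", "e")

# Constructed event descriptions, not real MDR text.
SAMPLE_REPORTS = [
    "The balloon ruptured during deployment and the patient was stable.",
    "Complaint received: balloon rupture at the valve.",
    "The implanted valve leaked; valves were replaced.",
    "Implantation of the valve was difficult. Balloon ruptures again.",
]


def stem(word):
    """Reduce a word to a stem, keeping at least three characters."""
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def tokenize(text):
    """Lowercase, split on non-letters, drop stop words, then stem."""
    words = re.findall(r"[a-z]+", text.lower())
    return [stem(w) for w in words if w not in STOP_WORDS]


def find_phrases(docs, min_count=2):
    """Return adjacent stem pairs seen at least min_count times overall."""
    pairs = Counter()
    for tokens in docs:
        pairs.update(f"{a}_{b}" for a, b in zip(tokens, tokens[1:]))
    return {pair for pair, n in pairs.items() if n >= min_count}


def bag_of_words(tokens, phrases):
    """Count single stems plus any retained two-word phrases."""
    bigrams = [f"{a}_{b}" for a, b in zip(tokens, tokens[1:])]
    return Counter(tokens + [b for b in bigrams if b in phrases])


def build_corpus(reports, min_count=2):
    """Run the whole pipeline and return (phrases, per-report counts)."""
    docs = [tokenize(r) for r in reports]
    phrases = find_phrases(docs, min_count)
    return phrases, [bag_of_words(d, phrases) for d in docs]


if __name__ == "__main__":
    phrases, bows = build_corpus(SAMPLE_REPORTS)
    print(sorted(phrases))
    for bow in bows:
        print(dict(bow))
```

Because stop words are removed before pairs are formed, a phrase can span words that were not adjacent in the original sentence.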

For cardiovascular devices, I thought it might be interesting to compare the topics that MDRs included in 2010 with those from 2020.  I wanted to see how much change there might be over time.  In the year 2010, there were over 45,000 MDRs for cardiovascular devices, and in 2020, there were almost 85,000.


A word about reading these charts.  These are what are referred to as heat maps.  The colors correspond with the intensity or value of a particular word, in this case to the topic.  The darker the color, the more important the word in characterizing the meaning of the topic.


An expert in cardiovascular devices will undoubtedly be able to offer much greater insights into what these data mean, but it’s actually interesting that over the course of 10 years, the software found what turned out to be many very similar topics.  The order changed.  But many of the topics seem to be pretty similar.  For those in the industry, that may be a bit depressing as it suggests a lack of progress in fixing common problems.

Balloons rupturing still seems to be an issue.  Guidewire tips still seem to be an issue.  Battery problems still seem to be an issue.  But we also have some new issues, such as problems with a surface cooling device (Arctic Sun®) for therapeutic hypothermia following cardiac arrest.

This technique of topic modeling can be applied as broadly or as narrowly as we wish.  It can be very helpful when doing trend analysis where the valuable underlying data is in large volumes of text rather than structured data.  In future columns, I will dig into other sources of regulatory text to see what information we can mine.

The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The FTC’s policy statement, entitled “On Breaches by Health Apps and Other Connected Devices,” attempts to clarify the Rule by stating that mobile health applications and interactive tools used by organizations that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are regulated by the Rule.[1] Significantly, the FTC’s guidance broadly deems developers of health care apps or connected devices to be “health care providers” subject to the Rule because they “furnish health care services or supplies.” It also clarifies that health apps that collect non-health data (such as calendar dates) are within the scope of the Rule. In the wake of the FTC’s statement, any organization that is not covered by HIPAA, but provides or uses mobile or web-based health apps to collect personal health information, should evaluate their coverage under the Rule.

The FTC’s recent expansive view of this Rule—which was initially passed pursuant to the 2009 American Recovery and Reinvestment Act—covers many popular mobile health and fitness related applications and wearables on the market. For example, the FTC explained that any application that “collects information directly from consumers” and has the “technical capacity to draw information through an API [application programming interface] that enables syncing with a consumer’s fitness tracker” is covered under its interpretation of the Rule. The FTC further stated that “an app that draws information from multiple sources is covered, even if the health app comes from only one source.” For example, an application that monitors blood sugar and also takes non-health information from a consumer’s phone’s calendar (i.e., dates) would also be covered. The FTC specifically called attention to “apps and other technologies [that] track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” The FTC press release noted that the increased use of COVID-19 related health applications impacted its policy statement. Entities subject to the Rule may be required to provide notice, including in certain circumstances to the media, in the event of a cybersecurity breach or even in the case of “sharing of covered information without an individual’s authorization.”

The Rule contains statutory definitions that should now be read in light of the policy guidance, applying its provisions to (i) vendors of personal health records (“PHR”); (ii) “PHR related entities”; and (iii) “third party service providers.” The Rule generally requires “vendors of personal health records” and PHR-related entities to provide notice to affected individuals and the FTC within 60 calendar days after the discovery of a “breach of security.” A provider must notify the vendor or PHR related entity of a breach.

A violation is treated as an unfair and deceptive act or practice under the FTC Act which may carry steep civil penalties of up to $43,792 per violation per day. As of the date of the FTC’s policy statement, however, the FTC has not yet enforced the Rule, and, according to the remarks of FTC Commissioner Rohit Chopra, the FTC and the public have been notified only four times about a breach under the Rule since February 2010.

It is also important to note that there remains a dispute about the scope of the Rule even among the FTC’s commissioners, especially because it has not been interpreted in the context of an FTC enforcement action. For example, Commissioner Christine Wilson wrote, in her dissenting statement, that the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor. In response to the FTC’s use of the moniker “health care provider” when referring to mobile health applications, Ms. Wilson asked: “How broadly does the Commission intend to read this language?” Similarly, Commissioner Noah Joshua Phillips argued in his dissenting statement that the FTC’s majority goes beyond the text of the Rule in interpreting the definition of “breach of security” to include the unauthorized sharing.

The FTC’s policy statement also comes during the ongoing rulemaking process by the FTC concerning the Rule and the Department of Health and Human Services’ ongoing rulemaking concerning the application of the HIPAA Privacy Rule to mobile health applications. As such, vendors of PHRs should monitor these ongoing rulemaking efforts, which could impact the FTC’s current interpretation of the Rule. Nevertheless, companies subject to the Rule under the current interpretation can still take proactive measures to avoid a violation by, among other things, assessing the categories of their stored data, undertaking a cybersecurity risk assessment and comprehensive review of privacy policies, and ensuring the existence of a robust security incident response protocol. Notably, the breach notification requirement under the Rule generally only applies to a breach of unsecured PHR identifiable health information. In addition, such entities may have notification obligations under applicable state laws. You can reach out to Epstein Becker Green for further guidance as we will be monitoring the FTC’s enforcement activity closely moving forward.


[1] 16 C.F.R. §318.1 provides, the rule “applies to foreign and domestic vendors of personal health records, PHI related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission Act (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” HIPAA covered entities and business associates must instead comply with HHS’s breach notification rule. See Dissenting Statement of Commissioner Christine S. Wilson.

Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.

On September 30, 2021, the Provider Reimbursement Review Board (the “Board”) issued a revised set of rules that become effective November 1, 2021. These new and revised rules affect all new and some pending Medicare Part A provider appeals. These rules clarify several aspects of Board appeals and simplify some of the Board’s complex procedures.

The most significant change is the requirement that all submissions to the Board must be made electronically through the Office of Hearings Case and Document Management System (“OH-CDMS”) unless the provider or representative submits a request to the Board for an exemption and the Board grants that request. If an exemption is necessary, a provider or representative may communicate with the Board at a new email address (   In order to file documents electronically, providers or their representatives should register with OH-CDMS in advance of any filing date.

In addition to the shift to electronic filing, the Board adopted several changes that are intended to simplify the appeals process and promote greater disclosure.  The most significant changes are summarized below.

  • If a provider designates a representative, it must do so in a letter on the provider’s letterhead. However, if the provider is under the ownership or control of a parent entity, then the representation letter must be on the parent organization’s letterhead and signed by an authorized official of the parent organization.
  • Similarly, a new rule requires that if a provider is owned or controlled by a parent organization, the appeal request must identify the name and address of the parent organization for the year under appeal. This is a departure from past practice, which identified only the legal entity that had been granted a Medicare provider number.
  • The Board clarified the requirements for appeals of self-disallowed and protested costs, and now requires that the provider specify the disputed item in its cost report in order to preserve the claim for review.
  • A new rule obligates the Medicare Administrative Contractor (“MAC”) to ensure that any evidence the MAC, CMS, or the Secretary considered in making its determination is included in the case record. This new rule may reduce the necessity for discovery requests and delays in resolving appeals.
  • For group appeals, the Board added a new requirement that a group representative must report to the Board that a group is either complete or provide reasons why the group should be held open.
  • A new rule that applies to appeals filed after August 29, 2018 would give providers the option of relying on their preliminary position paper and waive the filing of a final position paper. Providers would have to submit all of their arguments and exhibits with the preliminary position paper, and could elect to submit a rebuttal to the MAC’s position paper. This step would avoid duplicating arguments, and may reduce the number of appeals dismissed based on a failure to file a timely final position paper.
  • The new rules also revise the Board procedures when a party requests expedited judicial review (“EJR”) that involves a challenge to a statute, regulation, or CMS ruling. If a MAC opposes a provider’s request for EJR, then it must now file any jurisdictional challenge within five days of the date that the EJR request is filed.
  • The Board revised its rules governing substantive claim challenges to specify that when any party questions whether a cost report included an appropriate claim for reimbursement, that challenge must be filed no later than the filing deadline for the MAC’s preliminary position paper. If the matter involves a request for EJR, then any substantive claim challenge must be filed within five business days of the EJR request. This would allow for better coordination of proceedings before the Board before any decision to allow the provider to bypass the Board and seek judicial review.

The changes made by the Board in this version of its procedural rules continue the trend of requiring additional specificity and clarity when providers prepare their cost reports, and obligate the MACs to disclose more information earlier in the appeal process. With the adoption of these new rules, providers must plan and consider potential appeal issues during the cost report filing stage to ensure that their appeal rights are protected.

In this column, in the coming months we are going to dig into the data regarding FDA regulation of medical products, deeper than the averages that FDA publishes in connection with its user fee obligations.  For many averages, there’s a high degree of variability, and it’s important for industry to have a deeper understanding.  In each case, we will offer a few preliminary observations on the data, but we would encourage a conversation around what others see in the data.


This is an interactive chart that you can explore by clicking on the colors in the legend to see how specific therapeutic areas stack up against the average.


We want to understand FDA’s performance generally with regard to review times associated with 510(k)s across all medical devices.  Using data available from openFDA, we selected the data for the last almost 12 years, from January 1, 2010 until September 1, 2021, based on the date FDA receives the premarket notification.  Data older than that are probably not terribly relevant.  We further filtered for traditional 510(k)s because special and abbreviated submissions have different review processes, and likewise we removed any that had received expedited review.  We then removed any product codes that had three or fewer submissions during that time.  We wanted to get rid of anything that was simply too anecdotal, too noisy.  That sorting left us with just over 25,000 submissions, and 852 pro codes used.

To calculate the review time, we used the difference between date received and date decided, although we realize that FDA has additional data that it uses to calculate its actual review time in a more nuanced way, differentiating between time at FDA and time where the clock is turned off because the manufacturer is supposed to be doing something.  We calculated averages for each individual pro code.  The x-axis in the graph is simply all of the product codes sorted by average review time from the quickest to the longest.

We wanted to add in an average, and the most natural probably would’ve been the average of the pro code averages included in the graphic.  But that ignores the fact that some pro codes have lots more products than others.  The average of the pro code averages was 176.5 days.  The average of all the 25,000 submissions was 163.5 days.  It’s apparently lower because some of the quicker pro codes apparently have more devices in them.  In the chart, we went with the simple average of submissions, as that is most akin to the data that FDA typically publishes.
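The filtering and the two averages described above, as an added Python example that is not the authors' code. The record layout and field names are hypothetical rather than the openFDA schema, and the submissions are constructed so that the quicker product code has more entries.

```python
from collections import defaultdict
from datetime import date, timedelta

# Study window from the column: received January 1, 2010 to September 1, 2021.
WINDOW_START, WINDOW_END = date(2010, 1, 1), date(2021, 9, 1)


def make(code, kind, expedited, received, days):
    """Build one constructed submission record (hypothetical field names)."""
    return {"product_code": code, "kind": kind, "expedited": expedited,
            "received": received, "decided": received + timedelta(days=days)}


# Constructed sample: AAA is quick and common, BBB slower and rarer,
# CCC has only three submissions, and three records fail a filter.
SAMPLE = (
    [make("AAA", "Traditional", False, date(2015, 1, 5), 100) for _ in range(6)]
    + [make("BBB", "Traditional", False, date(2018, 3, 1), 200) for _ in range(4)]
    + [make("CCC", "Traditional", False, date(2019, 6, 1), 400) for _ in range(3)]
    + [make("AAA", "Special", False, date(2016, 2, 1), 30),        # not traditional
       make("BBB", "Traditional", True, date(2017, 2, 1), 60),     # expedited
       make("AAA", "Traditional", False, date(2009, 12, 31), 90)]  # before window
)


def review_times(records, min_submissions=4):
    """Apply the filters, then return {product_code: [days, ...]}.

    Codes with three or fewer remaining submissions are dropped last,
    matching the order of steps in the text.
    """
    by_code = defaultdict(list)
    for r in records:
        if r["kind"] != "Traditional" or r["expedited"]:
            continue
        if not (WINDOW_START <= r["received"] <= WINDOW_END):
            continue
        # Review time is simply date decided minus date received.
        by_code[r["product_code"]].append((r["decided"] - r["received"]).days)
    return {c: d for c, d in by_code.items() if len(d) >= min_submissions}


def summarize(by_code):
    """Compare the average of per-code averages with the pooled average."""
    code_means = {c: sum(d) / len(d) for c, d in by_code.items()}
    all_days = [x for d in by_code.values() for x in d]
    return {
        # Sorted quickest to longest, like the chart's x-axis.
        "per_code": dict(sorted(code_means.items(), key=lambda kv: kv[1])),
        "mean_of_code_means": sum(code_means.values()) / len(code_means),
        "pooled_mean": sum(all_days) / len(all_days),
        "submissions": len(all_days),
    }


if __name__ == "__main__":
    print(summarize(review_times(SAMPLE)))
```

On the constructed sample the pooled average comes out below the average of the code averages for the same reason the column gives: the quicker code contributes more submissions.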


We would note that we aren’t entirely sure of the range of factors that drive review times.  Certainly it would seem that higher risk and complexity would be likely to lead to higher review times.  But in the years that we’ve been doing this work, those are not by themselves reliable predictors of how long a review will take.  Novelty is also important, although novelty is less of a factor in the 510(k) process because the process is based on a substantial equivalence claim.  But it’s also pretty obvious that a lot of administrative circumstances impact review times, such as high reviewer turnover in a branch.  At any rate, this data does not give us information on why certain product codes would have higher review times.  We will leave that to future inquiry.  Here we just want to tease apart the variance.

Big Picture

At each end of the graph, we see sharp nonlinear growth, presumably for what are in a sense outliers.  On the left-hand side, we have rapid acceleration from the quickest reviews of about 50 days up to about 100.  At the other side, we have a quick increase from 300 to the very top at over 500 days.  But in between those two extremes, from about a review time of 100 days to about 300, it’s a pretty steady linear climb.  That’s a bit surprising, and it reveals that really there is no such thing as an average.  There is no plateau among the review times around the mathematical average.  Indeed, we don’t see any plateaus at all.  Apparently, it really does matter what product we are talking about when trying to predict a review time.

Therapeutic Areas

Remember that in FDA’s organizational chart, reviews within the Office of Device Evaluation (“ODE”) are organized by therapeutic area.  That makes sense, as you want the same people generally with therapeutic expertise reviewing devices in that therapeutic area.  In this graph, product codes are assigned to an applicable therapeutic area.

Notice that really none of the product codes in a given therapeutic area are extremely clustered, either low or high.  That suggests that no particular therapeutic review branch is substantially quicker than the rest.  But within that general observation, there are definitely some small clusters of review times for product codes within the different therapeutic areas.

It would actually be pretty remarkable if an organization the size of ODE could achieve uniformity of review times across all review branches.  But this is unexpectedly evenhanded.

In this episode of the Diagnosing Health Care Podcast:  On December 27, 2020, President Trump signed into law the No Surprises Act as part of the $2.3 billion Consolidated Appropriations Act. Recently, the Biden administration issued its first interim final rule in order to implement this act, which will go into effect on January 1, 2022. While the goal is to protect patients from surprise billing, the law will also impose significant compliance burdens on plans, providers, and facilities.

Epstein Becker Green attorneys Helaine Fingold, Bob Hearn, and Alexis Boaz discuss the key areas health care companies need to keep in mind as they prepare to comply with the No Surprises Act.

Visit Epstein Becker Green’s No Surprises Act page for ongoing coverage.


Starting in 2022, Ohio will require owners of tax-exempt real property to notify the county auditor if the exempt property ceases to qualify for exemption.

This is a substantial departure from current law, which had left the role of monitoring changes in exempt properties’ uses to the county auditors or Ohio’s tax commissioner; under the new law, health care entities that own property in the state must determine whether or not their property continues to qualify for exemption.

Ohio’s recent Budget Bill – House Bill 110 – created the new reporting requirement, which will be codified at section 5713.083 of the Ohio Revised Code.  The change will require those who own real estate that is exempt from property tax to notify the county auditor by December 31 of the year in which the property ceases to qualify for exemption.

Property owners who do not comply with this new requirement will face a monetary penalty equivalent to up to five years of tax savings that they received while the property was treated as exempt, even though it had ceased to qualify for exemption. The five-year look-back will be limited to years in which the current owner held title to the property.

It is still unclear what test property owners are supposed to use to determine whether their properties have ceased to qualify for exemption.  In Ohio, property owners must apply to receive exemption for their property, and the Ohio Tax Commissioner is typically the official who grants exemption to real estate.  Ohio law does not require owners to disclose changes in use, or leases of property, so property owners may struggle to determine whether or not their exempt property’s qualification for exemption has ended. It is also unclear how the county auditors across Ohio are going to review the existing exempt properties in order to enforce the monetary penalties.  The Ohio Tax Commissioner will promulgate forms that property owners can use to attempt to comply with the law, but those forms are not yet available.

While that form remains in the works, prudent property owners may wish to review their inventory of exempt real estate, and to compare their current uses of those properties with the use of the property when they applied for and received exemption.

On September 15, 2021, CMS published a proposed rule that would repeal a final rule that created an expedited pathway for Medicare coverage of breakthrough devices and established formal criteria for applying the “reasonable and necessary” standard for coverage in Section 1862(a)(1)(A) of the Social Security Act, which has been the basic standard for coverage since the inception of the Medicare program.[1]  CMS has set a short period for comments, and interested parties must submit comments by October 15, 2021.

The new proposed rule reflects a significant policy change.  Where the initial rule focused on expanding access to new innovations, the current approach focuses more on Medicare program goals and outcomes data.