How could alleged kickbacks threaten to render insolvent a publicly traded company with assets (taken from its latest SEC filing) in excess of $43 billion? The answer stems from a recent decision by the United States District Court for the District of Massachusetts. In its ruling denying the motion for summary judgment filed by defendants Teva Pharmaceuticals USA, Inc. and Teva Neuroscience, Inc. (collectively Teva) and granting the government’s partial summary judgment motion, the court ruled that
OCR and FTC Issue Warning to Hospital Systems and Telehealth Providers about Tracking Technologies
Posted in Health Care Providers, HIPAA, Privacy, and Data Security, TechnologyOn July 20, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) announced they were sending a joint letter to approximately 130 unidentified hospital systems and telehealth providers highlighting the agencies’ concerns about the use of tracking technologies on websites and mobile apps in violation of HIPAA. While the joint letter was directed to a small number of recipients, in the announcement OCR and the FTC encouraged all companies they regulate to review their data-tracking practices and ensure that their tracking technologies are not impermissibly disclosing consumers’ sensitive personal health data to third parties. The letter — and the decision to publicly announce its existence — suggests that OCR and the FTC are likely to prioritize the enforcement of HIPAA and other laws against those entities that the agencies believe are impermissibly using tracking technologies.
OIG Issues Information Blocking Penalties Final Rule: Health IT Developers and Health Information Exchanges/Networks Have a Million Reasons to Care
Posted in Electronic Health Records & Medical Records, Fraud & Abuse & False Claims Act, TechnologyOn June 27, 2023, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued its long-anticipated final rule amending the OIG’s civil monetary penalty (CMP) regulations as they relate to information blocking (CMP Final Rule or Rule). The CMP Final Rule was published in the Federal Register on July 3, 2023. The Rule applies to entities that develop or offer certified health IT (collectively, Developers) and health information networks and health information exchanges (collectively, HIN/HIEs). Those subject to the CMP Final Rule should consider prioritizing their compliance efforts because the OIG will begin enforcing the Rule on September 1, 2023. Below we discuss the applicability of the CMP Final Rule, the assessment of penalties under the Rule, and the OIG’s enforcement priorities moving forward.
The Supreme Court Clarifies the Government’s FCA Dismissal Power and Invites Constitutional Challenge to the FCA’s Qui Tam Provision
Posted in Fraud & Abuse & False Claims ActFor the second time this month, the United States Supreme Court addressed a circuit split involving the False Claims Act (FCA, 31 U.S.C. §§ 3729 – 3733). Earlier, in the SuperValu decision (discussed in a recent Health Law Rx Blog), the Court clarified that subjective intent is relevant in determining whether an objectively reasonable (but incorrect) interpretation of a rule or regulation could negate the FCA’s scienter element (U.S. ex rel. Schutte v. SuperValu Inc., 143 S.Ct. 1391, 1401 (U.S. 2023)). Last week, in U.S. ex rel. Polansky v. Executive Health Resources, Inc., the Court held that, despite declining to intervene at the outset of a case, the Government retains the authority to intervene later, including for the purposes of seeking dismissal pursuant to and consistent with Federal Rule 41(a) (U.S. ex rel. Polansky v. Exec. Health Res., Inc., No. 21-1052, 2023 WL 4034314, at *2 (U.S. June 16, 2023)).
Health Apps Beware: FTC Clarifies Health Breach Notification Rule with Significant Proposed Changes
Posted in Health Care Providers, HIPAA, Privacy, and Data Security, Pharmacy, Drugs, Medical Devices & Equipment, TechnologyDirect-to-consumer health and wellness applications are forewarned: the Federal Trade Commission (FTC) is proposing changes to the Health Breach Notification Rule (HBNR), 16 C.F.R. part 318, that, if finalized, would cement the HBNR’s applicability to a broad swath of direct-to-consumer health and wellness applications (apps) and confirm that a breach of security includes not only data security incidents, but also unauthorized disclosures of personal health information. The FTC issued the Notice of Proposed Rulemaking on May 18, 2023, and comments are due 60 days after publication in the Federal Register. We have prepared a comparison document illustrating the proposed changes, which can be found here.
SafeCo No More: The Changing Landscape of Scienter under the False Claims Act
Posted in Fraud & Abuse & False Claims Act, Healthcare LitigationYesterday, the United States Supreme Court held that a False Claims Act (FCA) defendant cannot rely on an objectively reasonable interpretation of a law, regulation, or rule to negate the scienter element of the FCA. In United States ex rel. Schutte v. SuperValu Inc., the Court emphasized the importance of a defendant’s subjective belief in resolving the scienter element. [1] In so doing, the Court has removed a valuable argument from the FCA defense toolkit.
OCR’s Proposed Rule Finds Fertile Ground for Enhanced Reproductive Privacy Protection
Posted in Health Plans, Healthcare Law, HIPAA, Privacy, and Data Security, Hospitals & Health Systems, PhysiciansThe Department of Health and Human Services Office for Civil Rights (OCR) issued a proposed rule on April 17, 2023, to amend provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen privacy protections for individuals’ protected health information (PHI) related to reproductive healthcare (the Proposed Rule). The Proposed Rule would prohibit covered entities and business associates (collectively “regulated entities”) from using and disclosing PHI for criminal, civil, or administrative investigations or proceedings against individuals for seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it is provided. Comments on the Proposed Rule are due on or before June 16, 2023.
New Florida Law Will Impose A Third-Party Administrator Licensing Requirement for Pharmacy Benefit Managers
Posted in Government Affairs, Licensure & Regulatory, Healthcare Law, Pharmacy, Drugs, Medical Devices & EquipmentOn May 3, 2023, the Florida governor signed a comprehensive law (SB 1550) regarding pharmacy benefit managers (PBMs). This new law imposes significant new requirements on PBMs. This article discusses only one of these new requirements: a PBM must obtain a license, called a certificate of authority, to act as an insurance administrator, which is commonly referred to as a third-party administrator, or TPA.
All Good Things Must Come to an End: The Expiration of OCR’s Enforcement Discretion
Posted in UncategorizedOn April 11, 2023, the Department of Health and Human Services’ Office for Civil Rights (OCR) confirmed that four notifications of enforcement discretion regarding enforcement of the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA rules) during the COVID-19 public health emergency (PHE) will expire at the end of the PHE.1 The notifications, which address (i) telehealth services, (ii) COVID-19 community-based testing sites, (iii) business associate disclosures of COVID-19 data to public health and health oversight agencies, and (iv) web-based scheduling applications for vaccinations, will expire at 11:59 pm on May 11, 2023.2 After that date, OCR will no longer rely on the notifications to exercise enforcement discretion with respect to the HIPAA violations addressed in each notification.
The FTC Sends Another Warning to Digital Healthcare Platforms About Use of Tracking Pixels
Posted in Health Care Providers, HIPAA, Privacy, and Data Security, Pharmacy, Drugs, Medical Devices & Equipment, TechnologyThe Federal Trade Commission (FTC) continues to prioritize the protection of consumers’ digital health information. The agency has demonstrated this commitment through enforcement actions against GoodRx and BetterHelp for sharing consumer health information for advertising purposes (see our blog posts on each respective action here and here), and in a post published by the FTC Office of Technology on March 16, 2023, titled “Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking.” The FTC post provides a deep dive on the technical aspects of the GoodRx and BetterHelp enforcement actions, including a primer on pixel tracking technology and how it works to collect data and personal information of website visitors and users of mobile apps. The post also confirms that the GoodRx and BetterHelp enforcement actions arose from the companies’ sharing of consumers’ health information with tracking technology vendors. In light of these recent developments, digital healthcare platforms must understand how they collect, use, and share consumer health information.