Health Care

On November 22, 2021, the Office of Inspector General for the Department of Health and Human Services (OIG) posted a negative Advisory Opinion regarding a proposed joint venture (JV) for the provision of therapy services (Proposed Arrangement) between an existing therapy services provider (Therapy Services Provider) and the owner of long-term care facilities (LTC Owner). This Advisory Opinion is yet another example of OIG guidance reiterating its view that joint ventures formed between entities in the position to provide health care items or services and entities in the position to refer business can present risk under the federal Anti-Kickback Statute (AKS).

On November 8, 2021, Governor Hochul signed legislation to permanently amend the New York Business Corporation Law and New York Not-for-Profit Corporation Law. Under the new law, for profit and not-for-profit corporations are permitted to hold their shareholder or member meetings solely through virtual means, unless such virtual meetings are prohibited by a corporation’s articles of organization or bylaws.

For over a year now, there has been speculation about how the Biden Administration would handle the chronically vexing regulatory issues associated with laboratory-developed tests (LDTs). On November 15, 2021 we finally got our answer when the August 2020 policy put in place by the Trump Administration was officially withdrawn. The Food and Drug Administration (FDA) also released corresponding updates to various guidelines related to the testing response to the ongoing public health emergency. Before summarizing all of these critically important developments, we’ll provide some quick history of what has been going on with LDTs since the pandemic began.

Over the course of 2020, the Food and Drug Administration (FDA) released numerous guidance documents covering diverse areas and aimed at increasing the availability of various medical products to prevent, treat, and diagnose COVID-19. Some of our prior blog posts on those pandemic response activities implemented by FDA can be found here and here. In all of those actions, FDA made clear that the agency’s enforcement discretion policy was temporary, or that an emergency use authorization (EUA) was being granted pursuant to statutory criteria that include a requirement that there be “no adequate, approved, and available alternative to the product,” which by definition renders the EUA temporary, as well. Accordingly, several EUAs granted to diagnostic tests, therapeutic products, and medical devices have been revoked based on a determination that all of the criteria necessary to support emergency authorization under the statute can no longer be met. And although the public health emergency is not over even as 2021 comes to a close, FDA has kept its promise to continually reassess circumstances and needs on the ground in the United States and to modify policies and emergency authorizations as necessary.

Last week, CMS announced its final Physician Fee Schedule Payment Policies (the “Final Rule”), which will become effective January 1, 2022. The Final Rule included several updates to Medicare coverage of telehealth services, including a number of COVID-19 related changes that will be extended or be made permanent. As previously covered, while temporary orders allowing expanded use of telehealth have increased access to care across the country during the public health emergency (“PHE”), the regulatory environment for telehealth has always been somewhat unsettled. The changes in the Final Rule described below signal a move towards increased access to telehealth for Medicare beneficiaries as regulators acknowledge the potential benefits of these alternate methods of delivering care.

For the first time since April 2013, the Department of Health and Human Services’ Office of Inspector General (OIG) revised the Provider Self-Disclosure Protocol (SDP) on November 8, 2021. The SDP allows providers and other entities to voluntarily disclose and resolve instances of potential fraud involving federal health care programs, including potential overpayments and Anti-Kickback Statute (AKS) violations. The OIG originally published the SDP in 1998, and has since modified the SDP several times generally to make the SDP a more appealing option for providers and other health care entities.

In the weeks leading up to FDA’s October 14, 2021 Transparency of AI/ML Enabled Medical Devices Workshop (Workshop) we took a brief look at the history of FDA’s regulation of medical device software and the agency’s more recent efforts in regulating digital health. In this post, we will provide an overview of the topics discussed at the Workshop and our impressions of the agency’s likely next steps.

Our previous blog post on pending California privacy legislation included a prediction that has since materialized: Governor Newsom signed the Genetic Information Privacy Act (“GIPA”) on October 6, 2021, and the law will go into effect on January 1, 2022. GIPA establishes a number of mechanisms to close the existing gap in the protection of genetic information under the current framework of federal and state privacy laws. As discussed in our earlier post, GIPA contains a robust penalty structure, but it includes a number of carve-outs and does not apply to entities already subject to regulation under other health information privacy laws. Notably, GIPA does not reduce or eliminate obligations under other laws, including California’s more broadly applicable consumer privacy laws, such as the CCPA and breach notification statute, as recently amended by AB 825. Given Governor Newsom’s former concern about GIPA’s interference with mandatory COVID-19 testing reporting, the law also does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease.

By now, businesses operating in the over-the-counter (OTC) drug product space should all be familiar with the changes made by Congress to the regulatory system with the final OTC Monograph reform bill, which was included as part of the Coronavirus Aid, Relief, and Economic Security Act that was signed on March 27, 2020 (see our prior posts here and here).

As we’ve reported previously, at the end of 2020, the Office of Non-Prescription Drugs (ONP) of the Food and Drug Administration (FDA), launched a webpage for its brand new user Over-The-Counter Monograph User Fee Program (OMUFA) – available here – published programmatic fee rates for Fiscal 2021 (which ended on September 30, 2021), and subsequently posted a public arrears list of facilities that did not make their FY2021 facility payments as was required to be done by May 10, 2021. Drugs produced by those in-arrears facilities are considered misbranded under the law.

In our last post, we took a brief look back through history at FDA’s approach to regulating medical device software and found that there is little distinction from the agency’s approach to hardware devices. Recently, however, FDA has announced several digital health initiatives aimed at improving the agency’s resources and policies governing software and data systems (including its own internal data systems) and changing the way the agency handles pre-market reviews of and compliance activities for software as a medical device (SaMD) and SaMD manufacturers. In this post, we will review FDA’s digital health improvement highlights from the past few years and take a quick look at the agenda for the transparency of AI/ML-enabled medical devices workshop scheduled for October 14, 2021.

October 10th was the last day for Governor Newsom to sign or veto laws that were passed by the legislature this year. 2021 was a busy year for California legislators, who put forth hundreds of health-related bills in the wake of the COVID-19 pandemic. Unsurprisingly, not all of the bills became law (although some of them may be revisited next year). This blog post provides a summary of a few of the new health care laws that were signed into law by Governor Newsom, covering a wide range of health care providers.   

At the end of September, the Departments of Health and Human Services (HHS), Labor, and Treasury (collectively, the Departments), along with the Office of Personnel Management (OPM), released Part II of its regulations implementing the No Surprise Act (the “Act”). The “Requirements Related to Surprise Billing; Part II” interim final rule (IFR) sets forth the Federal independent dispute resolution (IDR) process to determine the out-of-network payment rates. Major provider associations have released statements criticizing the IDR process and methodology for determining payment.

In anticipation of FDA’s virtual public workshop on transparency of artificial intelligence/machine learning (AI/ML)-enabled medical devices scheduled for October 14, 2021, we will be posting a series detailing the history behind FDA’s regulation of software and then reporting our impressions of FDA’s presentations and statements from various attending stakeholders following meeting. In this part, we briefly summarize FDA’s traditional approach to regulating software and how software development quickly revealed the limitations of the original regulatory framework established in the 1976 Medical Device Amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act).

Last week, the HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) hosted a webinar on the HIPAA Security Risk Assessment Tool (SRA Tool).  The webinar provided a guided tour of the SRA Tool, answered frequently asked questions, and gave updates on upcoming enhancements to the SRA Tool.  Most importantly, the webinar serves as yet another reminder for entities subject to HIPAA of their obligation to perform a security risk assessment and to update that assessment on a periodic basis and in response to new business processes, operations, and threats.

As our colleagues predicted, the Supreme Court’s decision in Rutledge v. Pharmaceutical Care Management Association (PCMA) encouraged state efforts to expand regulation of pharmacy benefit managers (PBM) and related practices. And as expected, this year has already seen an aggressive round of state legislation that aims to expand regulation in this area.

The U.S. Department of Justice (DOJ) recently announced its latest national enforcement action related to health care fraud (National Enforcement Action) in which DOJ filed criminal charges against 142 defendants. The National Enforcement Action, which alleges losses of $1.4 billion due to false or fraudulent billings, follows similar DOJ “take downs” over the last several years in that it focuses on telemedicine providers and the opioid crisis. This post provides five takeaways from the National Enforcement Action.

As we’ve previously covered, the COVID-19 pandemic has brought about a major increase in the prevalence of telehealth services, due in large part to regulatory flexibilities at the federal and state levels. Beginning in March 2020, state Medicaid programs across the country loosened requirements for coverage of telehealth services provided to Medicaid beneficiaries, reducing barriers by allowing audio-only services and covering a broader scope of services delivered via telehealth. The increase in telehealth has resulted in improved access to behavioral health services in particular, but according to an OIG report issued earlier this week, state Medicaid programs will need to increase their oversight of these services if the telehealth flexibilities become permanent.

When it comes to the privacy of health information, California belongs to the select group of states that have implemented broad consumer privacy protections above and beyond those provided by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This year, the state’s ongoing legislative efforts to protect the health information of its residents included: Assembly Bill 1436 (AB 1436) which if enacted would have revised California’s existing Confidentiality of Medical Information Act (CMIA), and Senate Bill 41 (SB 41), which if enacted will create the new Genetic Information Privacy Act (GIPA). As further discussed below, only SB 41 is moving forward, and if signed by Governor Newsom GIPA will go into effect on January 1, 2022.

On September 15, 2021, in response to the “proliferation of apps and connected devices that capture sensitive health data” the Federal Trade Commission (FTC) issued a Policy Statement ( the Statement) offering guidance on the scope of the FTC’s Health Breach Notification Rule (Breach Rule). According to the Statement, the Breach Rule applies outside of the traditional health care context (e.g. health care involving diagnosis and treatment by a licensed health care provider) and the FTC intends to bring enforcement actions for noncompliance involving up to $43,792 in civil penalties per violation, per day.

On September 15, 2021, the Office of Inspector General for the Department of Health and Human Services (OIG) issued a favorable Advisory Opinion regarding a hospital’s proposal to implement a program through which patients who experience complications after specific joint replacement procedures can receive free items and services to treat the complications. The OIG likened the program to a warranty for joint replacement procedures.