Health Law Advisor

On Friday, November 15, 2024, the Drug Enforcement Administration (“DEA”) and Department of Health and Human Services (“HHS”) filed a Third Temporary Extension of the COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications (“Third Temporary Extension”), extending the full set of telemedicine flexibilities adopted during the COVID-19 public health emergency (“PHE”) through December 31, 2025. The Third Temporary Extension is scheduled for publication in the Federal Register on November 19, 2024.

This means the DEA will continue to allow DEA registered practitioners (“Practitioners”) to prescribe controlled substances via telemedicine without having previously conducted an in-person patient examination. Likewise, and of particular interest to telemedicine providers that practice in multiple states, Practitioners may continue prescribing via telemedicine to patients physically located in any state in which the Practitioners are licensed to practice medicine, without needing to have a separate DEA registration in each such state, subject to compliance with state prescribing requirements.

The Centers for Medicare and Medicaid Services (CMS) is issuing, what will amount to be, very significant Risk Adjustment Data Validation (RADV) Audit notices for PY2018 to Medicare Advantage Organizations (MAOs).

These notices follow the issuance of CMS’s final rule (88 Fed. Reg. 6643 (Feb. 1, 2023), amending 42 C.F.R. 422.310(e). Pursuant to the rule, CMS has the authority to extrapolate audit findings for PY2018 and beyond. CMS has noted that the extrapolation methodology it adopts for RADV audits will be focused on MAO contracts that, through statistical modeling ...

As the dust from the public health emergency (PHE) continues to settle and the PHE-era flexibilities expire, telehealth providers are bracing themselves for the changes soon to come.

These providers will inevitably face certain legal and regulatory complexities as federal and state lawmakers and regulators consider adopting further temporary or permanent policy changes impacting telehealth. Federal-level changes—particularly the Drug Enforcement Administration’s (DEA’s) remote prescribing rulemaking—may further compound these complexities and trigger a wave of changes in laws, regulations, and policies at the state and board levels.

Telehealth providers should continue to monitor these developments, capitalize on current and upcoming telehealth opportunities, and make investments in compliance infrastructures to operate in accordance with applicable federal and state laws, regulations, and policies.

Since 2016, Epstein Becker Green has researched, compiled, and analyzed state-specific content relating to the regulatory requirements for professional mental/behavioral health practitioners and stakeholders seeking to provide telehealth-focused services. 

We are pleased to once again release our latest update to our Telemental Health Laws app, an extensive compilation of laws, policies, and other state guidance for practitioners supporting the mental/behavioral health practice disciplines.

In response to several high-profile cybersecurity incidents affecting hospitals and other health care providers, including the Change Healthcare breach, new federal legislation was recently introduced by Senators Ron Wyden (D-OR) and Mark Warner (R-VA). The health care industry has received intense criticism for perceived weaknesses in cybersecurity protections.   As stated in a summary of HISAA prepared by the Senate Finance Committee: 

According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security. Despite these high stakes, health care has some of the weakest cybersecurity rules of any federally regulated industry.

The new legislation, the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements applicable to HIPAA Covered Entities and Business Associates designed to address cybersecurity risks, require ongoing risk assessments and audits related cybersecurity practices, establish new penalties for noncompliance with these requirements and remove HIPAA statutory caps on such penalties, and create funding incentives and Medicare payment reduction disincentives for entities subject to these requirements.  

As much of the Southeastern U.S. continues to recover from the aftermath of Hurricanes Helene and Milton, health care providers should be aware of, and consider the extent upon which they rely upon, the flexibilities that the Centers for Medicare & Medicaid Services (CMS) extended to assist with the Public Health Emergencies (PHEs) in the affected states. As a result of Hurricanes Helene and Milton, CMS extended additional resources to Medicare providers and certain health care facilities in Florida, Georgia, North Carolina, South Carolina, and Tennessee.

As background, during a PHE, the Secretary of the U.S. Department of Health and Human Services (HHS) may temporarily waive certain HIPAA Privacy Rule requirements for hospitals.

During the recent PHE, HHS issued HIPAA-related waivers lasting up to seventy-two (72) hours to hospitals located in the declared emergency that had activated their disaster protocol, including waivers for: the distribution of HIPAA privacy notices; patient rights to request privacy restrictions and confidential communications; communications with family or friends involved in care; and, opting out of facility directories. Health Information Privacy PHE responses can be found here.

For decades, FDA’s Center for Devices and Radiological Health (CDRH) has been recognizing standards that can be referenced in premarket medical device submissions.  Congress broadly directed federal agencies to begin relying on standards in 1996, through the National Technology Transfer and Advancement Act, but the informal practice dates back to the 1970s.  Congress specifically directed FDA to begin using standards for medical device submissions through the Food and Drug Administration Modernization Act of 1997 (FDAMA). 

Being a curious person, I wanted to see what FDA has done with that authority by looking at the CDRH database for Recognized Consensus Standards: Medical Devices.  My main takeaway is that CDRH is not yet investing enough time and energy in recognizing standards that support digital health and AI.

Findings

I downloaded the data set on September 20, 2024, and looked when standards were recognized by FDA and to which therapeutic or functional areas they related.

New from the Diagnosing Health Care Podcast: One year ago, on October 30, 2023, President Joe Biden signed an executive order laying the groundwork both for how federal agencies should responsibly incorporate artificial intelligence (AI) within their workflows and how each agency should regulate the use of AI in the industries it oversees.

What has happened in the past year, and how might things change in the next?

On this episode, Epstein Becker Green attorneys Lynn Shapiro Snyder, Eleanor Chung, and Rachel Snyder Good reflect on what is new in health care AI as a result of the 2023 executive order and discuss what industry stakeholders should be doing to comply and prepare for future federal regulation of AI in health care.

The U.S. Supreme Court recently denied two certiorari petitions relating to the willfulness standard of the federal Anti-Kickback Statute, 42 U.S.C. § 1320a-7b (AKS), an issue with profound implications for health care companies and providers defending against AKS allegations.    

On October 7, 2024, the Supreme Court denied the petition for certiorari in U.S. ex rel. Hart v. McKesson Corporation, and on October 15, 2024, denied the cert petition in Sayeed v. Stop Illinois Health Care Fraud, LLC.^[1]

“Knowingly and Willfully”

 The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—

A. in return for referring an individual to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under a federal health care program, or

B. in return for purchasing, leasing, ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under a Federal health care program[.]”

In our ongoing series of blog posts, we have examined key negotiating points for tenants in triple net health care leases. We also have offered suggestions for certain lease provisions designed to protect tenants from overreaching and unfair expenses, overly burdensome obligations, and ambiguous terms with respect to the rights and responsibilities of the parties. These suggestions are intended to result in efficient lease negotiations and favorable lease terms from a tenant’s perspective. In our previous blog posts, we considered the importance of negotiating initial terms and renewal terms, operating expense provisions, assignment and subletting terms, maintenance and repair obligations, holdover provisions and surrender terms, and tenant improvement allowances. This latest blog post focuses on negotiating lease terms governing exclusivity, expansion and relocation.  A tenant should carefully negotiate these terms in order to protect its interest in the leased premises during the term.

Exclusivity provisions protect a tenant’s interest in leased premises by restricting landlords from leasing space in the same building or shopping center as tenant’s space for a similar permitted use. These provisions are not only important for retail tenants but should be negotiated for by healthcare tenants as well. For example, a tenant that operates a dermatology practice in a shopping center may want to restrict landlord form leasing space to other tenants who provide many of the same services. It is also important to define what tenant’s recourse is if landlord breaches the exclusivity or if another tenant operates outside of its permitted use in violation of the exclusivity provision. This may include a reduction in rent for a certain period of time while landlord attempts to resolve the violation, and eventually a termination right if landlord is unable to cause the rogue tenant to cease the violation.

Expansion provisions allow tenants the flexibility to expand into additional space that may become available for lease by landlord during the lease term, usually contiguous space or other space in the same building. Tenants should push for a right of first offer if such space should become available, even if the tenant is uncertain of what its future needs may be during the term.  Negotiated rent and coterminous terms should be included in the lease.

In September 2024, a group of Washington, D.C., legislators introduced the Certificate of Need (CON) Improvement Act of 2024, B25-0948. If passed, the measure will reform the requirements and process for health establishments in the District to obtain CONs from D.C.’s State Health Planning and Development Agency (SHPDA).

Background

D.C.’s CON requirements were originally established in 1980 to ensure that access to health care services is available to all D.C. residents and to contain the costs of such health care services. D.C. regulators have more recently argued that D.C. was experiencing an overabundance of primary care providers, which has led regulators to apply the CON process in an overly broad manner to prevent a doctor on every block.^[1] The CON requirements have been applied in an inconsistent manner such that similarly situated providers may or may not have a CON depending on enforcement by regulators. Stakeholders within the D.C. community have contested the overly broad interpretation and enforcement of the CON law in D.C. and have argued that such interpretations are in fact creating provider shortages, increasing health care costs, and decreasing access to care.

In addition, the time and expense of complying with the CON requirements is enough of a barrier to potentially send independent physician practices across the border into Maryland and Virginia.^[2] Stakeholders have asserted that rather than decrease health care costs and increase access to care, the CON laws have had the opposite effect.

Lastly, the current requirements for institutional and physician providers to apply for a CON for even routine projects or activities is unnecessary and overly burdensome. For example, hospitals must wait months to a year following the CON process to get non-patient improvements like heating, ventilation, and air conditioning (HVAC). Furthermore, under the current interpretation by regulators, a physician group could subject itself to requiring a CON simply by hiring a non-owner physician or maintain a separate room to perform non-surgical procedures.