Health Law Advisor

In response to several high-profile cybersecurity incidents affecting hospitals and other health care providers, including the Change Healthcare breach, new federal legislation was recently introduced by Senators Ron Wyden (D-OR) and Mark Warner (R-VA). The health care industry has received intense criticism for perceived weaknesses in cybersecurity protections.   As stated in a summary of HISAA prepared by the Senate Finance Committee: 

According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security. Despite these high stakes, health care has some of the weakest cybersecurity rules of any federally regulated industry.

The new legislation, the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements applicable to HIPAA Covered Entities and Business Associates designed to address cybersecurity risks, require ongoing risk assessments and audits related cybersecurity practices, establish new penalties for noncompliance with these requirements and remove HIPAA statutory caps on such penalties, and create funding incentives and Medicare payment reduction disincentives for entities subject to these requirements.  

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance ...

On November 7, 2023, the citizens of the state of Ohio voted to codify reproductive rights, including the right to abortion, in the state constitution.

In 2019, Ohio banned nearly all abortions once fetal cardiac activity was detected (typically around six weeks’ gestation) through its “Heartbeat Law.” Challenges to Ohio’s Heartbeat Law  under Roe v. Wade and Planned Parenthood v. Casey prevented it from taking effect until the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization repealed those cases. After Dobbs, Ohio’s “Heartbeat ...

Revisions to Ohio’s Health Care Services rules have been in the works since last September, as part of the required five-year of review Ohio Administrative Code Chapter 3701-84 by the Ohio Department of Health (ODH). Without much publicity, the finalized rules became effective on May 15, 2023. 

“Health Care Services” include: (1) adult cardiac catheterization; (2) adult open heart surgery; (3) pediatric cardiac catheterization; (4) pediatric cardiovascular surgery; (5) pediatric intensive care; (6) a linear accelerator, cobalt radiation, or gamma knife service; (7) solid organ transplant services, and (8) blood and bone marrow transplant service. The revised Health Care Services rules make changes to nearly every regulation in Chapter 3701-84, many of a substantial nature. 

Of particular interest to Ohio hospitals, changes to the adult cardiac catheterization services requirements include:

On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023. 

The Joint Commission, one of the leading accrediting organizations of health care entities, recently announced significant updates to require that health care organizations invest in their health equity promotion infrastructure and The Joint Commission’s intention to acknowledge those organizations with more robust health equity initiatives and programs.

Effective January 1, 2023, The Joint Commission implemented new and revised standards for hospitals, ambulatory health care organizations, and behavioral health care organizations aimed at reducing health care disparities.

Most significantly, The Joint Commission added a new standard, LD.04.03.08, to the Leadership (LD) chapter. This standard provides: “Reducing health care disparities for the [organization’s] [patients] is a quality and safety priority.”[1] The new standard, which applies to all hospitals and certain ambulatory health care organizations and behavioral health care organizations, has the following six elements of performance:

Announced in the Consolidated Appropriations Act of 2021, Rural Emergency Hospitals (REHs) will be a new type of Medicare provider starting January 1, 2023.  REHs are meant to help address the stressed health care system of rural providers by providing an option to closure for distressed critical access hospitals (CAHs) and small rural hospitals.

Existing CAHs and rural hospitals with fewer than 50 beds will be eligible to convert to an REH.  CMS is streamlining this process so that this conversion to be an REH can be accomplished through a change of information on an existing Medicare 855A enrollment rather than through a new provider application, which carries potentially significant delays and potential gaps in payment.  REHs are designed to provide primarily emergency department, observation, and outpatient services.  Because REHs will not provide inpatient care, an area that often creates a significant financial and operational burden on CAHs and small rural hospitals, REHs will allow locally-delivered healthcare to continue to be furnished by existing providers.

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

In two recent memoranda, the Centers for Medicare and Medicaid Services (CMS) made changes to previously issued survey guidance related to COVID-19 vaccination issues.

On April 7, 2022, the Centers for Medicare and Medicaid Services (CMS) issued guidance terminating numerous blanket waivers applicable to skilled nursing facilities (SNFs), inpatient hospices, intermediate care facilities for individuals with intellectual disabilities (ICF/IIDs), and end stage renal disease (ESRD) facilities.  The amount of blanket waivers ending is notable; while there have been terminations of waivers previously, these were usually limited to a single waiver.

CMS expressed concern “about how residents’ health and safety has been impacted by the regulations that have been waived, and the length of time for which they have been waived.” CMS reported that findings from onsite surveys at these facilities “revealed significant concerns with resident care that are unrelated to infection control.” Accordingly, CMS is acting to remove certain operational flexibilities not directly related to infection control.

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

On February 4, 2022, the Centers for Medicare and Medicaid Services (CMS) issued important updated guidance in a memo (QSO-21-08-NLTC) regarding how acute and continuing care facilities—including hospitals, ambulatory surgical centers, end-stage renal disease facilities, home health agencies, and hospices—manage infection control procedures in light of the COVID-19 public health emergency.

Reversing its prior position, CMS announced on December 28, 2021, that it would begin enforcement of the COVID-19 vaccine requirement, established by the interim final rule, published November 05, 2021, in 25 states and the District of Columbia[1] in a phased approach beginning January 27, 2022. With the announcement CMS issued guidance for surveyors regarding enforcement in S&C Memo QSO 22-07-ALL (“Memo”), describing how CMS will enforce the rule and how facilities that are non-compliant may avoid enforcement action if meeting certain threshold criteria during periods up to 90 days after issuance of the Memo as follows:

Important guidance regarding COVID-19 testing in the workplace was recently issued by the Centers for Medicare & Medicaid Services (“CMS”) in the form of Frequently Asked Questions regarding Over the Counter (“OTC”) Home Testing and CLIA Applicability.

CMS regulates clinical laboratory testing pursuant to the federal Clinical Laboratory Improvement Act (“CLIA”). Generally, a laboratory or clinical setting (such as a physician’s office) must obtain CLIA certification to perform laboratory testing. Some OTC tests, however, are approved by the Food and Drug Administration (“FDA”) for home use and the new FAQs address the use of OTC home tests in the workplace.