The HIPAA Security Rule was originally promulgated over 20 years ago. While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of prescriptiveness, combined with advances in technology and the evolution of the cybersecurity landscape, increasingly indicates that the HIPAA Security Rule neither reflects cybersecurity best practices nor effectively mitigates the proliferation of cyber risks in today’s interconnected digital world. On December 27, 2024, the HHS Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking, including significant changes to strengthen the HIPAA Security Rule (the “Proposed Rule”). In its announcement, OCR stated that the Proposed Rule seeks to “strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.” One key aim of the Proposed Rule is to provide a much clearer roadmap to achieve Security Rule compliance.
The Proposed Rule contains significant textual modifications to the current HIPAA Security Rule. While the actual redline changes may appear daunting, the proposed new requirements are aimed at aligning with current cybersecurity best practices as reflected across risk management frameworks, including NIST’s Cybersecurity Framework. For organizations that have already adopted these “best practices”, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented. Indeed, for such organizations, the biggest challenge will be to comply with the new administrative requirements, which will involve policy updates, updates to business associate agreements, increased documentation rules (including mapping requirements), and the need for additional vendor management. For organizations that are still trying to meaningfully comply with the existing HIPAA Security Rule, or that seek to extend the Rule’s application to new technologies and systems handling PHI, the Proposed Rule will likely require significant investment of human and financial resources to meet the new requirements.
What may have seemed like an out-of-the-blue question to the casual observer was no surprise to those who represent individuals and entities in the health care and life sciences industries: U.S. Attorney General (AG) nominee Pam Bondi was asked to share her thoughts on the constitutionality of the False Claims Act (FCA) and its qui tam provisions during her January 15, 2025, confirmation hearings.
Senator Chuck Grassley (R-IA) prefaced his questioning by noting that the FCA is “central to fighting government waste and fraud.” And since 1986—when Grassley authored amendments that modernized and strengthened the Civil War-era statute—he has been a fierce defender. Since the 1986 amendments, the FCA has brought in $78 billion for the federal government, with more than $2.9 billion recovered in fiscal year (FY) 2024.
“Most of that is due to patriotic whistleblowers who found the fraud and brought the cases forward at their own risk,” Grassley said.
On January 20, 2025, a new administration took control of the Executive Branch of the federal government, and it has signaled that it will make aggressive use of executive orders. This would be a good time to review the scope of executive orders and how they may affect employers and health care organizations.
Executive orders are not mentioned in the Constitution, but they have been around since the time of George Washington. Executive orders are signed, written, and published orders from the President of the United States that manage and direct the Executive Branch and are binding on Executive Branch agencies. Executive orders can be used to implement or clarify existing federal law or policies and can direct and manage the way federal agencies interact with private entities. However, executive orders are not a substitute for either statutes or regulations.
The current procedure for implementing executive orders was set out in a 1962 executive order that requires that all such orders must be published in the Federal Register, the same publication where executive agencies publish proposed and final rules. Once published, any executive order can be revoked or modified simply by issuing a new executive order. In addition, Congress can ratify an existing executive order in cases where the authority may be ambiguous.
Remote prescribing via telemedicine continues to be a huge area of interest among prescribers and other health care providers.
After publishing a Notice of Proposed Rulemaking (“NPRM”) in March 2023 on the prescribing of controlled substances via telemedicine that was widely criticized for being far more restrictive than temporary waivers then in place under the COVID-19 public health emergency, the Drug Enforcement Administration (“DEA”) went back to the drawing board.
Additional time and a new year have brought renewed focus. Published January 17 in the Federal Register as one NPRM and two final rules (collectively referred to herein as the “DEA’s 2025 Rules”), the DEA’s 2025 Rules seek, as DEA indicates in its press release, to “focus[] on the patient to ensure telemedicine is accessible for medical care.”
On January 6, 2025, the U.S. District Court for the District of Massachusetts granted a defendant laboratory’s motion for summary judgment in a False Claims Act (FCA)/Anti-Kickback Statute (AKS) case brought by a physician objecting to the lab’s testing practices and its use of independent contractors paid on commission. Judge Patti B. Saris held that plaintiffs in FCA cases must establish that “but for” the payment of illegal remuneration in violation of the AKS, the claim would not have been submitted. Applying the “but-for” standard, Judge Saris dismissed OMNI Healthcare Inc. v. MD Spine Solutions LLC, et al. because the record did not support that the independent contractor status of some of the lab’s sales representatives or their conduct unduly influenced any provider’s decision to purchase the product.
Adoption of “But-For” Causation in FCA Cases
There is a circuit split regarding whether FCA plaintiffs must prove that “but for” the AKS violation, a claim would not have been submitted. Requiring “but-for” causation poses a significantly greater burden for plaintiffs seeking to advance FCA claims because they must show the kickback actually affected what good, item, or service was provided.
In the U.S. Courts of Appeals for the Sixth and Eighth Circuits, the heightened “but-for” causation must be established. The Third Circuit has adopted a less rigorous standard, requiring only a showing that at least one of the claims sought reimbursement for medical care that was provided in violation of the AKS. Plaintiffs in circuits with no clear precedent often argue for the application of the more plaintiff-friendly standards of the Third Circuit and use that ambiguity as leverage in negotiating settlement agreements.
On January 15, 2025, the U.S. Department of Justice (DOJ) issued a press release announcing its fiscal year (FY) 2024 False Claims Act (FCA) recoveries and reported that settlements and judgments exceeded $2.9 billion in 2024—up from $2.68 billion in FY 2023.
Recoveries from entities in the health care and life sciences industries continue to represent the lion’s share of the dollars. However, health care recoveries have dropped year over year, and 2024 saw a decrease in the number of cases pursued by the DOJ on its own. What does the future hold as we look forward to a new administration? History might provide some interesting guidance.
Overview of the Statistics
While the 423 FCA cases filed by the DOJ in FY 2024 represented a marked decrease from the 505 FCA cases filed the previous year, FY 2024 saw the highest number of qui tam actions filed in history. FY 2024, coincidentally, ended on the same day (September 30, 2024) that a Florida judge ruled in U.S. ex rel. Zafirov v. Florida Medical Associates that the qui tam provisions of the FCA were unconstitutional.
As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
On January 8, 2025, Massachusetts Governor Maura Healey signed into law House Bill No. 5159, “An Act enhancing the health care market review process” (“H. 5159”), which was passed by the Massachusetts legislature in the last few days of 2024. The bill, which takes effect April 8, will implement greater scrutiny of certain health care entities and affiliated companies—including private equity sponsors, significant equity investors, health care real estate investment trusts (“REITs”), and management services organizations (“MSOs”)—as well as pharmaceutical companies and pharmacy benefit management companies (“PBMs”) in the Commonwealth.
The passage of H. 5159 follows debate between the House and Senate earlier in 2024 over similar bills, which failed to pass during the summer legislative session. Notably, similar bills included debt limitations on certain private investor-backed entities and bans of certain private equity investments, as well as significant restrictions on the MSO business model. However, these restrictions (among various others) were stripped from H. 5159.
Although H. 5159 has widespread implications for health care entities in the Commonwealth, a significant portion of the bill is clearly aimed at increasing regulatory oversight of for-profit-backed health care organizations through increased regulatory oversight of certain health care transactions and expanded reporting obligations. The bill also seeks to contain health care costs, including by increasing oversight of pharmaceutical company and PBM arrangements.
On December 27, 2024, the U.S. Court of Appeals for the Second Circuit held in U.S. ex rel. Camburn v. Novartis Pharmaceuticals Corporation that a relator adequately pleads a False Claims Act (“FCA”) cause of action premised on violation of the Anti-Kickback Statute (“AKS”) by alleging, with sufficient particularity under Federal Rule of Civil Procedure 9(b) (“Rule 9(b)”), that at least one purpose (rather than the sole or primary purpose) of the alleged kickback scheme was to induce the purchase of federally reimbursable health care products or services.[1] In doing so, the Second Circuit joins seven other Circuit Courts—the First, Third, Fourth, Fifth, Seventh, Ninth, and Tenth Circuits—in adopting the “at least one purpose” rule. This ruling lowers the bar in the Second Circuit for relators pleading AKS-based FCA claims.
Interplay Between FCA and AKS Violations
Under the AKS, “a claim that includes items or services resulting from a violation [of the AKS] … constitutes a false or fraudulent claim” under the FCA.[2]
The AKS prohibits persons from, among other things, “knowingly and willfully” soliciting or receiving “any remuneration (including any kickback, bribe, or rebate) directly or indirectly, overtly or covertly, in cash or in kind—
Background
On December 10, 2024, the Supreme Court of Ohio issued its decision in Stull v. Summa, a medical negligence case in which the defendants argued that Ohio’s statutory peer-review privilege protected from discovery the file the hospital maintained on a resident physician, which included, among other things, quality reviews and assessments of the resident’s clinical competency and professional conduct. The Supreme Court of Ohio decided one issue: Does the peer-review privilege in R.C. 2305.252 apply to a health care entity’s files about resident physicians?
This case arose from the medical treatment of head injuries that the patient sustained during a car crash. The patient and his guardians filed a medical negligence lawsuit against the hospital and its employed health care professionals, including a resident physician who participated in the patient’s care. The plaintiffs alleged that the resident improperly intubated the patient, causing the patient to sustain a brain injury.