Health Law Advisor

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

The federal government’s announcement that the COVID-19 public health emergency (“PHE”) declaration would end on May 11, 2023 marked the end of various federal mandates and benefits. The Centers for Disease Control’s authorizations to collect certain types of public health data expired, as did the requirement that insurance providers waive costs or provide free COVID-19 tests. However, the Biden Administration announced that COVID-19 hospital admissions, deaths, emergency department visits, test positivity and results of wastewater surveillance will continue to be reported, although the sources of some of this information will change.

On June 22, 2023, the Centers for Medicare & Medicaid Services (CMS) announced its proposed “Transitional Coverage for Technologies” (TCET) pathway—the Biden administration’s highly anticipated take on a mechanism to expedite coverage for certain devices designated by the U.S. Food and Drug Administration (FDA) as breakthrough devices.[1]

As described in the notice with comment period (the “Procedural Notice”), the voluntary TCET pathway aims to streamline efforts between CMS, the FDA, and manufacturers of certain FDA-designated breakthrough devices to more efficiently advance breakthrough devices through the CMS coverage determination processes using a “coverage with evidence development” (CED) approach.

Under the proposed three-phase framework, manufacturers of breakthrough devices accepted into the TCET pathway would enter a period of transitional coverage through a TCET national coverage determination (NCD), during which the device’s manufacturer would be able to generate evidence for CMS to use to determine the breakthrough devices’ post-TCET final coverage status.

Notably, CMS stated that the agency only anticipates accepting five candidates to participate in the TCET pathway each year.[2] Stakeholders must submit comments on the TCET pathway by August 28, 2023.

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

New York recently enacted new legislation that will amend Article 45-A of the New York Public Health Law, entitled “Disclosure of Material Transactions”.  Although the legislation, as enacted, contains no description of legislative intent, the budget bill language originally proposed referenced concerns with the “proliferation of large physician practices being managed by entities that are investor-backed” (e.g., private equity platforms) and which are otherwise unregulated by the state outside of the licensure of the individual practitioners.

Effective August 1, 2023, the new legislation requires thirty (30) days advance notice to the New York State Department of Health (“Department”) of any “material transactions” involving “health care entities” that provide administrative or management services for physician practices, provider-sponsored organizations, health insurance plans, “or any other kind of health care facility, organization, or plan providing health care services. . . .”   

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

This post explores how bias can creep into word embeddings like word2vec, and I thought it might make it more fun (for me, at least) if I analyze a model trained on what you, my readers (all three of you), might have written.

Often when we talk about bias in word embeddings, we are talking about such things as bias against race or sex.  But I’m going to talk about bias a little bit more generally to explore attitudes we have that are manifest in the words we use about any number of topics.

Throughout the course of the pandemic, the Health Resources and Services Administration (HRSA) distributed $178 billion in Provider Relief Funds (PRF) to hospitals and health care providers.  The Public Health Emergency has ended, and HRSA is now turning an eye to how the money was spent, and whether it was spent properly. 

PRF funds were distributed with nearly no-strings-attached; hospitals and providers had to simply agree to a few terms and conditions.  Yet a number of facilities and providers have received one of two types of letters from HRSA: (1) a Final Repayment Notice stating the money must be returned, or (2) a letter stating that HRSA will be conducting an audit.  

Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.