Health Law Advisor

On June 8, 2023, the New York City Council passed a bill focused on healthcare accountability, with the goal of increasing access to healthcare services for New Yorkers. Entitled the Healthcare Accountability & Consumer Protection Act (the “Act”), this legislation includes Introduction 844, which establishes an Office of Healthcare Accountability, whose work would allow patients to see through a website what they would be charged for procedures at hospitals throughout New York City. As part of the Act, this Office would also report on insurance and pharmaceutical pricing, as well as monitor the amount of money the City is spending on healthcare services. In addition, the Act includes Resolution 512, which calls on New York State to create an independent commission to oversee hospital pricing and to increase access to healthcare services. This local law, referred to as Local Law 78, was signed by Mayor Adams on June 23, 2023, and will be effective beginning on February 22, 2024.

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Summertime, for many, marks the beginning of longer days and more sunshine. As an academic medical institution, it also marks the end of one academic year and the commencement of another, and with a new academic year comes new agreements or contracts of appointment for its residents and fellows, as each are promoted to a new program year. For programs accredited by the Accreditation Council of Graduate Medical Education (“ACGME”), there are specific requirements for what can and should be included in its resident and fellow agreements. Aside from its ACGME requirements, it is also important for an institution to consider what additional contractual provisions it should include in its resident and fellow contracts. Below are ACGME’s requirements and other contract provisions that an institution should review and include in such contracts prior to the beginning of each academic year.

In this episode of the Diagnosing Health Care Podcast:  The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization one year ago overturned 50 years of legal precedent protecting the constitutional right to abortion in the United States, leaving the question of whether and how to regulate abortion to individual states.

What has happened since and what is to come?

Epstein Becker Green attorneys Amy Dow, Erin Sutton, and Jessika Tuazon examine how the Dobbs decision has impacted the legal landscape for patient access to abortion, discuss the challenges facing the health care industry, and explore how industries can manage their compliance efforts moving forward as the legal landscape continues to evolve.

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”  

Revisions to Ohio’s Health Care Services rules have been in the works since last September, as part of the required five-year of review Ohio Administrative Code Chapter 3701-84 by the Ohio Department of Health (ODH). Without much publicity, the finalized rules became effective on May 15, 2023. 

“Health Care Services” include: (1) adult cardiac catheterization; (2) adult open heart surgery; (3) pediatric cardiac catheterization; (4) pediatric cardiovascular surgery; (5) pediatric intensive care; (6) a linear accelerator, cobalt radiation, or gamma knife service; (7) solid organ transplant services, and (8) blood and bone marrow transplant service. The revised Health Care Services rules make changes to nearly every regulation in Chapter 3701-84, many of a substantial nature. 

Of particular interest to Ohio hospitals, changes to the adult cardiac catheterization services requirements include:

Would it surprise you if I told you that a popular and well-respected machine learning algorithm developed to predict the onset of sepsis has shown some evidence of racial bias?[1]  How can that be, you might ask, for an algorithm that is simply grounded in biology and medical data?  I’ll tell you, but I’m not going to focus on one particular algorithm.  Instead, I will use this opportunity to talk about the dozens and dozens of sepsis algorithms out there.  And frankly, because the design of these algorithms mimics many other clinical algorithms, these comments will be applicable to clinical algorithms generally.

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

On May 11, the U.S.  Senate Committee on Health, Education, Labor and Pensions (the “HELP Committee” or the “Committee”) passed a bipartisan bill to expand federal regulation of pharmacy benefit managers (“PBMs”) for group health plans.[1]  As a compromise by Health Sub-Committee Chair Bernie Sanders (I-VT) and ranking Republican Bill Cassidy (LA), the Pharmacy Benefit Manager Act (S. 1339) reflects the overarching legislative push by members from both sides of the aisle and chambers of Congress to address drug pricing issues through federal fixes to the PBM framework . Further, Congress’ efforts build on the momentum from the enactment of the high-profile Medicare prescription drug pricing provisions of the Inflation Reduction Act (the “IRA”) in 2022. [2]