Health Law Advisor

On March 22, 2022, the Occupational Safety and Health Administration (OSHA) announced that it had partially reopened the comment period for its permanent standard to protect health care and health care support workers from exposure to COVID-19 in the workplace.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

In this episode of the Diagnosing Health Care Podcast:  The interoperability and information-blocking rules have imposed new regulations and requirements on health information exchanges (HIEs). How are HIEs responding to these new regulations in a space they have been in for decades? In this episode of our special series on interoperability, hear from Dan Paoletti, CEO of the Ohio Health Information Partnership.

From our Thought Leaders in Health Law video series:  The U.S. Department of Justice (DOJ) collected $5.6 billion in False Claims Act recoveries in fiscal year (FY) 2021.

That is over twice as much as 2020, and a record 90 percent of the total was collected from the health care and life sciences industries.

I recommend against relying on any data I provide in today’s post.  I hope the data are at least somewhat accurate.  But they are not nearly as accurate as they should be, or as they could be, if FDA just released a key bit of information they have been promising to share for years.

One of the ways data scientists can provide insights is by grafting together data from different sources that paint a picture not seen elsewhere.  What I want to do is join the clinical trial data at www.clinicaltrials.gov with the data maintained by FDA of approved drugs, called drugs@FDA.  But I can’t, at least not with much accuracy.

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

On February 23, 2022, in the case captioned Texas Med. Ass'n v. U.S. Dep't of Health & Human Servs., No. 6:21-cv-00425-JDK (E.D. Tex.), the U.S. District Court for the Eastern District of Texas issued the first major judicial decision addressing implementation of the new federal No Surprises Act, which went into effect nationally on January 1, 2022.  The Court’s decision significantly alters the landscape for claims qualifying for the No Surprises Act’s Federal Independent Dispute Resolution Process (IDRP), an arbitration process designed to resolve certain reimbursement disputes between commercial payors and out-of-network health care providers or emergency facilities.

New from the Diagnosing Health Care Podcast:  One of the long-term goals of the interoperability and information-blocking rules is to give health care providers a much more comprehensive view of a patient’s entire continuum of care.

In this episode of the Diagnosing Health Care Podcast:  This term, the Supreme Court of the United States is set to rule in a Medicare reimbursement case that has sparked a fresh look at the historical deference often granted to agencies and whether it should remain, be modified, or even be overruled.

Attorneys Stuart Gerson, Robert Wanerman, and Megan Robertson discuss why Chevron deference matters to health care industry stakeholders and what aspects of deference arguments should be in focus as these cases progress.

The Diagnosing Health Care podcast series examines the ...