Health Law Advisor

From our Thought Leaders in Health Law video series: In today's complex and rapidly evolving health care landscape, navigating the path of expanding or selling a business requires a nuanced understanding of the intricate state and federal regulatory frameworks.

With states increasingly imposing legislative oversight to safeguard competition, care access, and quality, it's crucial for health care providers, private equity firms, and management organizations to have a strategic partner adept at handling these challenges.

States are imposing prior approval or prior review legislation to allow for more visibility regarding proposed transactions. Much of the legislation seeks to increase oversight of health care entity relationships with management companies and private equity firms.

What does this mean for you?

From our Thought Leaders in Health Law video series: The U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country.

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights published a final rule entitled the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

What are the key takeaways from the Final Rule?

California’s legislature recently passed AB 3129, and it is awaiting Governor Gavin Newsom’s signature. While AB 3129 impacts several different provider types, this article focuses on its impact on Management Service Organizations (MSOs) and Physician Practice Management Companies (PPMCs) as the historically accepted structure for purposes of complying with the prohibitions on the corporate practice of medicine (CPOM). In its initial drafts, AB 3129 seemed highly focused on MSOs and the Friendly PC models for PPMs in the state.

While much of the early language regarding MSOs seems to have been shed from the bill, some ambiguity remains regarding whether, and in what contexts, sponsored MSOs will need to give pre-transaction notice to, or obtain the consent of, the California Attorney General (AG).  A later section of the bill highlights what will likely be CPOM enforcement priorities and is worth the close attention of all MSOs operating in the state.

In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.

The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.

The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect. 

Over the next year, the following laws will become effective:

1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
5. New Hampshire Privacy Act (effective Jan. 1, 2025)
6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
7. Tennessee Information Protection Act (effective July 1, 2025)
8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

New from the Diagnosing Health Care Podcast: Workplace violence in health care settings is on the rise, capturing the attention of both state and federal lawmakers.

As awareness grows, so too does legal scrutiny and the push for new regulations and enforcement. In these seemingly critical times, what should health care employers be thinking about and incorporating into their comprehensive strategies to prevent and address workplace violence?

On this episode, Epstein Becker Green attorneys Sharon Peters, Eric Neiman, and Avery Schumacher dissect the legal landscape surrounding health care workplace violence, examining the steps being taken at various levels of government and what they mean for health care providers and institutions. Join us as we explore the legal frameworks, emerging policies, and broader compliance implications for health care employers.

Global hospital budgets, where hospitals receive a fixed amount of revenue for the upcoming year for a specific patient population (e.g., Medicare and/or Medicaid), are the opposite of fee for service reimbursement.

The Center for Medicare and Medicaid Services (CMS) and state Medicaid programs have taken interest in global hospital budgets and hospitals in impacted states will need to prepare.  This article summarizes two of these programs: the federal Advancing All-Payer Health Equity Approaches and Development (AHEAD) model and New York’s Health Equity Reform 1115 Medicaid Waiver.

In our ongoing series of blog posts, we have examined key negotiating points for tenants in triple net health care leases. We also have offered suggestions for certain lease provisions designed to protect tenants from overreaching and unfair expenses, overly burdensome obligations, and ambiguous terms with respect to the rights and responsibilities of the parties. These suggestions are intended to result in efficient lease negotiations and favorable lease terms from a tenant’s perspective.

In our previous blog posts, we considered the importance of negotiating initial terms and renewal terms, operating expense provisions, assignment and subletting terms, maintenance and repair obligations, holdover provisions and surrender terms. This latest blog post focuses on negotiating lease terms governing tenant improvement allowances. A tenant should negotiate for landlord to provide a tenant improvement allowance to prepare the leased premises for the tenant’s occupancy and should consider important factors including the amount of the tenant improvement allowance, whether tenant or landlord will complete the work, and how and when the tenant improvement allowance will be paid.

New from the Diagnosing Health Care Podcast: The game has changed—are you positioned to adapt? Over the past 12 months, the federal government has been heavily regulating private investment in health care entities.

Simultaneously, multiple states have enacted or introduced new laws restricting or requiring approval of such investments. The question arises: What do you do if you already have investments in these health care entities?

On this episode, Leslie Norwalk, Strategic Counsel at Epstein Becker Green (EBG), joins EBG attorneys Josh Freemire, Tim Murphy, and Ted Kennedy, Jr., to discuss how health care entities, investors, and board members should be responding to an evolving political and regulatory environment that has increased the scrutiny of private investment in health care entities.