Late on Wednesday, June 18, Judge Matthew J. Kacsmaryk of the U.S. District Court for the Northern District of Texas issued an order vacating almost the entirety of HHS’s 2024 amendments to the HIPAA Privacy Rule that created special protections for reproductive health care information (the “Reproductive Health Privacy Rule”). The order was issued in a

On May 5, the Trump Administration issued a pair of executive orders that could signal big changes for the drug industry and health research efforts in the United States. The orders, in part, direct federal agencies to take actions by this fall to curtail certain pharmaceutical manufacturing and health research activities performed outside the United States. The orders are among the first of many that are anticipated to initiate federal restrictions on offshore health care and life sciences activities and incentivize domestic operations in the industry.

Executive Order 14293, Regulatory Relief To Promote Domestic Production of Critical Medicines (E.O. 14293), restores an effort that was started during the first Trump administration and continued under the Biden administration to help companies bring pharmaceutical manufacturing capacity back to the United States. As with E.O. 14292, this order directs federal agencies to take the next 90 to 180 days to review and offer changes to regulations and subregulatory guidance to help increase American manufacturing capacity for pharmaceuticals.

Executive Order 14292, Improving the Safety and Security of Biological Research (E.O. 14292), seeks to regulate and eliminate “gain of function research,” which has been identified by some as the genesis of the novel coronavirus responsible for COVID-19. On top of suspending federal funding for gain-of-function research both in and outside of the United States, the order broadly suspends funding for “other life-science research” that is occurring in countries of concern or foreign countries where there is not adequate oversight. The order also directs federal agencies to revise the framework for oversight and managing risks in biological research.

Both of these executive orders could signal massive changes to the production and importation of drugs as well as the research process behind those drugs. As a result, pharmaceutical manufacturers, research institutions, and health care institutions that dispense, distribute, or otherwise rely on these offshore activities should carefully watch upcoming actions by the various elements of the Department of Health and Human Services (HHS) as well as the Environmental Protection Agency (EPA) for guidance on how these changes will be implemented.

In a significant ruling among the first to analyze the application of information blocking regulations, the U.S. Court of Appeals for the Fourth Circuit affirmed a preliminary injunction against an EHR company in favor of a diagnostic analytics services company. The injunction grants the analytics company access to patient data, enabling the company to provide its analytics services to nursing facility customers who use the EHR vendor’s services.

The case, Real Time Medical Systems, Inc. v. PointClickCare Technologies, Inc., No. 24-1773 (4th Cir. 3/12/25), arises out of claims by Real Time Medical Systems, Inc. (“Real Time”) that PointClickCare Technologies, Inc. (“PCC”) implemented a technical protocol that cut off Real Time’s appropriate access to its customers’ electronic health information (“EHI”) and that PCC did not implement this protocol for legitimate security or performance reasons as PCC claimed, but rather to interfere with Real Time’s business so that PCC could capture Real Time’s market share with its own competing analytics products.

The California Attorney General’s Office (AG) unsurprisingly takes an expansive view of how the development, sale, and use of artificial intelligence technology (AI) in healthcare could lead to potential violations of existing California laws. In a recent legal advisory, the AG highlights specific areas healthcare organizations should focus on as they develop, train, improve, and deploy AI in connection with patients, plan members, and their data.

In particular, the advisory identifies AI risk hot spots that may trigger certain state consumer protection, anti-discrimination, and privacy/autonomy laws, as described further below.

In an era where cyberattacks on the health care industry have become alarmingly frequent and catastrophic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken a bold step forward. The recently issued Notice of Proposed Rulemaking (NPRM) is OCR’s direct response to the escalation of cyber threats and

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) will start to enforce compliance later this month with new special protections for individuals’ reproductive health information as required by a recently finalized HIPAA Privacy Rule, as we noted in an earlier blog post. While the incoming Trump Administration may change enforcement priorities or even rescind that rule, a settlement from OCR that pre-dated implementation of that rule indicates that OCR already affords this information protection.

The settlement marks OCR’s first enforcement action and settlement against a health care provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the existing Privacy Rule standards. In other words, regardless of whether the incoming administration rescinds or revises the new protections for reproductive health information, OCR has demonstrated that it considers reproductive health information as highly sensitive and will take enforcement action accordingly under the HIPAA Privacy Rule as it is today.

Organizations would be well advised to take the remaining time before the December 23 compliance date to update existing policies to define the scope of reproductive health care-related protected health information (PHI) within the organization and set forth standards and procedures for how the organization will implement compliance with the new requirements including, for example, how the organization will assess and respond to third-party requests for reproductive health care-related PHI, including situations in which an attestation is required.

The Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) have released a final rule establishing “disincentives” (i.e., penalties) for health care providers that participate in certain Medicare payment programs who have engaged in information blocking, as determined by the HHS Office of Inspector General (“OIG”).

The rule continues to signal the federal government’s commitment to encouraging permitted access to and exchange of electronic health information. The rule summarizes elements of the June 2023 OIG final rule, which established penalties for information blocking for certified health IT developers, health information networks, and health information exchanges. The rule also details the procedures that OIG will follow when investigating potential health care provider information blocking claims. There is a wide range of health care providers subject to the rule, including hospitals, physicians, nursing facilities, group practices, pharmacies, and certain eligible professionals participating in Medicare and Medicaid programs, among others, and disincentives are not limited to HIPAA-regulated entities or to healthcare providers who use ONC-certified health IT.

In the two years since the Dobbs v. Jackson Women’s Health decision from the Supreme Court, state legislatures and courts have attempted to define the new post-Roe landscape in health care. That effort includes actions by states to enact health data privacy laws or to amend existing privacy laws to protect consumer health data

Three years after the Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) issued a final rule that defined and clarified the scope of the information blocking provisions of the 21st Century Cures Act (the Information Blocking Rule), the HHS Office of Inspector General (OIG) has now published its own final rule implementing penalties for violations of the Information Blocking Rule by certain regulated actors (the OIG Final Rule). 

The OIG Final Rule (i) implements OIG’s authority to impose civil money penalties (CMP) related to violations of the Information Blocking Rule; (ii) explains OIG’s approach to enforcement of its information blocking CMP authority; and (iii) codifies the CMP amounts at 42 C.F.R. part 1003, conforming with the Civil Monetary Penalties Law as amended by the Bipartisan Budget Act of 2018.

The OIG Final Rule is effective August 2, 2023; however, enforcement of the information blocking penalties will begin on September 1, 2023. Importantly, OIG will not impose information blocking CMPs for conduct occurring prior to September 1, 2023.

Note: This is Part 1 in a series of blog posts on developments from the U.S. Food and Drug Administration (“FDA”) regarding its commitments set forth under the Prescription Drug User Fee Act Reauthorization Performance Goals and Clinical Trial Diversity and Modernization mandates established by Congress under the Food and Drug Omnibus Reform Act of 2022 (FDORA), including developments on the intersection and use of digital health technology in clinical trials and clinical trial diversity.

The Food and Drug Omnibus Reform Act of 2022 (FDORA), signed by President Biden on December 29, 2022, introduced significant changes to the way in which FDA will provide oversight for clinical trials as it pertains to “Clinical Trial Diversity and Modernization.” Under FDORA, among other things, FDA is required to issue guidance on decentralized clinical trials (clinical trials in which some or all trial-related activities occur at a location separate from the investigator’s location) and to provide clarification on the use of digital health technologies (DHTs) in clinical trials.

Prior to the passage of FDORA, FDA set its sights on DHTs in the Prescription Drug User Fee Act (PDUFA) VII Commitment Letter, acknowledging the increased use of DHTs in drug development and the need for appropriate internal expertise and external guidance for their use and evaluation.

The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023.

For years, health care providers regulated by both Part 2 and HIPAA, and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.

As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations.

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin (the “Bulletin”) highlighting the application of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.

To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.

In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.

In its latest effort to increase transparency and improve patient access to information about their health care providers, the U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services (CMS) published a Request for Information (RFI) on October 7, 2022, seeking input on creation of a national provider directory for use by patients, regulators, and insurers.

According to the announcement, the RFI was prompted by inefficiencies arising from “the fragmentation of current provider directories” maintained by providers, insurers and/or third-party sources that CMS believes could be remedied by a federal provider directory containing “digital contact information containing the most accurate, up-to-date, and validated . . . data in a publicly accessible index.”

The stated goal of the RFI is to examine the feasibility and requirements for a proposed National Directory of Healthcare Providers and Services (NDH). Responses to the RFI are due by December 6, 2022, and stakeholder comments already are being submitted.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) recently published a Special Fraud Alert warning health care providers (e.g., prescribers, pharmacies, durable medical equipment providers, clinical laboratories) to steer clear of certain telemedicine arrangements and outlining seven “suspect” characteristics that may present heightened risk of fraud and abuse.

The alert coincides with a third round of criminal “telemedicine takedowns” announced by the Department of Justice (DOJ) in the last several years, reflecting DOJ’s continued focus on identifying and dismantling fraudulent arrangements that exploit telemedicine technologies and related regulatory flexibilities in the wake of the COVID-19 pandemic.

Telemedicine technologies have created a multitude of opportunities for growth and innovation within the health care industry and are well-positioned to become an ongoing cornerstone of our health care delivery system. However, given the increased level of regulatory scrutiny of telemedicine arrangements, providers and telehealth technology companies, including drug and device manufacturers that offer telemedicine technologies (e.g., platforms, mobile applications) for prescribers and patients that facilitate virtual care, should carefully plan and closely evaluate existing arrangements to ensure compliance with applicable state and federal laws and avoid being implicated in the recent uptick in enforcement.

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow down from QHINs.

CMS recently issued updated Open Payments Frequently Asked Questions (FAQs). The FAQs are revised periodically to reflect the most up-to-date program requirements. This latest revision both added and removed FAQs, and also included some general edits.

The following FAQs were added: #2014, #2015, #2016, #2017, #2018, #2019, #2020, #2021 and #2022. Each new FAQ is reproduced in full below. They provide additional guidance regarding topics such as archived reporting years, salaries paid to covered recipients, reporting of device identifiers, valuing long-term device loans, debt forgiveness, and the definition of Nurse Practitioner.

Additionally, the following FAQs have been removed from the FAQ document “due to being no longer applicable, redundant with another FAQ, or of low utility” (according to CMS):

The Department of Health and Human Services’ Office of Inspector General (“OIG”) recently issued a favorable advisory opinion to a digital health company that offers direct monetary incentives to patients as part of a technology-enabled contingency management program for patients with substance use disorders.

Contingency management, also known as motivational incentives, is a treatment approach that utilizes tangible rewards to reinforce positive behaviors (e.g., abstinence from opioids) and to motivate and sustain behavioral health efforts (e.g., treatment adherence) in patients who suffer from substance use disorders. Because these monetary incentives are an integral part of the protocol-driven and evidence-based program, the OIG concluded that it would not impose sanctions under the federal Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty (“CMP”) provision, notwithstanding the involvement of federal health care program beneficiaries, providers/suppliers, and reimbursable services.

Nevertheless, the mitigating facts that motivated the OIG’s favorable treatment of the program here—namely, the clinical nature and independence of the program—could likely trigger compliance with other federal and state regulatory frameworks.

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life risks and outcomes.[1] In the past year

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposes pivotal changes

Just two business days before the first of many critical components of the new 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) were set to take effect, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC)