Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

HAPPY NEW YEAR! We are pleased to provide you with our 15th annual Healthcare Law Year in Review. The 2023 Year in Review highlights some of the most important issues and developments in healthcare, both nationally and in New Jersey, over the past 12 months.

Among the topics covered in this year’s Review are:
• Health Care Antitrust Enforcement
• Fraud and Abuse Issues
• Prescription Drug Pricing
• Safe Harbor Policy Updates
• Stark and Anti-Kickback Reform
• HIPAA Highlights

One highlight of 2023 not covered in the Review was Brach Eichler’s New Jersey Healthcare Market Review (NJHMR) conference in September 2023 which covered vital and timely healthcare topics, including Private Equity and Hospital Transactions, Practice Management, Real Estate Strategy for Physicians, Cyber Liability, Value-Based Care’s Influence on Specialty Dealmaking, Physician Burnout, Medical Spa Aesthetics, and the Regulatory and Business Environment of Ambulatory Surgery Centers. If you are interested in learning more about any of these topics, the Conference presentations can be accessed here.

As always, Brach Eichler’s healthcare law attorneys are available to provide transactional, regulatory and litigation counsel, including guidance and assistance with mergers and acquisitions, labor and employment issues, real estate matters, and any other legal matters. If you have any questions or would like additional information regarding any of the articles contained in the 2023 Healthcare Law Year in Review, please do not hesitate to contact us. Thank you for your continued support!

Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

Managing Member & Chair, Healthcare Law
Brach Eichler LLC

Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

Member, HLU Editor
Brach Eichler LLC


Healthcare Law Update - Year In Review - December 2023 - Brach Eichler
Bill Introduced to Eliminate Intraoperative Monitoring Exception to the Codey Law

On November 30, 2023, Assembly Bill No. 5790 was introduced to amend New Jersey’s law regulating patient referrals, otherwise known as the Codey Law. The Codey Law prohibits a practitioner from referring a patient for a medical procedure to a health care service in which the practitioner or the practitioner’s immediate family has a significant beneficial interest. Certain medical procedures are exempt from this prohibition, including medically necessary intraoperative monitoring services rendered during a neurosurgical, neurological, or neuro-radiological surgical procedure that is performed in a hospital. The Bill would eliminate the intraoperative monitoring exemption. The timing of the Bill is interesting given the Federal Office of Inspector General’s (OIG) Advisory Opinion from August 18, 2023 which held that an intraoperative monitoring arrangement where the referring providers would own in a newly created intraoperative monitoring company would generate prohibited remuneration. A summary of the OIG’s Advisory Opinion can be found later in the Healthcare Law Year in Review.

Attorney Generals Sue Vascular Care Provider for Allegedly Performing Unnecessary Surgeries

On October 2, 2023, Attorney Generals in New Jersey, New York, and Georgia filed a complaint against Fresenius Vascular Care, Inc., one of its New York based executives, and several of its affiliates for allegedly performing medically unnecessary and potentially dangerous vascular interventions on Medicare and Medicaid recipients with end stage renal disease (ESRD).

The defendants own, operate, and control a network of outpatient vascular care and ambulatory surgery centers in New Jersey, New York, and Georgia. For their own financial gain, they allegedly scheduled patients for appointments every three to four months to preserve their dialysis sites despite the defendants knowing that such procedures were not medically necessary. The patients were sedated and invasive procedures were performed on their veins and arteries. ESRD patients are often elderly people, people of color, and low-income individuals.

The defendants allegedly executed this scheme by ignoring medical records and falsifying patient records and referrals to justify the medically unnecessary procedures. In addition, they created contests to incentivize staff to increase the amount of procedures performed. They then submitted and/or caused to be submitted false claims for payment to Medicare and the States’ respective Medicaid programs. The States are seeking to recover treble damages and civil penalties under the States’ respective false claims acts and other monetary relief pursuant to the States’ statutes.

Appellate Court Rules that Physician Can be Sued for Failure to Report Child Abuse

On August 30, 2023, a New Jersey appellate court held that a physician can be sued for failing to report information indicating that another physician was sexually assaulting female patients. The case involved allegations against a pediatrician who was accused of neglecting to report information indicating inappropriate behavior by a pediatric gastroenterologist toward female patients who were treated by both physicians. A lower court dismissed the claim against the pediatrician, finding that the plaintiff should have presented an affidavit of merit by a qualified medical expert setting forth the standard of care applicable to the pediatrician regarding the pediatrician’s duty to the patient under New Jersey’s child abuse, abandonment, cruelty, and neglect laws. The appellate court reversed the lower court’s ruling to dismiss the case, finding that under New Jersey law, any person, whether or not they are a physician, has a statutory duty to report suspected child abuse, and therefore the plaintiff was not required to submit an affidavit of merit, which would typically only be required to establish the applicable standard of care in professional negligence cases. The appellate court stressed that its reversal is limited to the affidavit of merit requirement, which was the lower court’s basis for dismissal in favor of the pediatrician, and the court expressed no opinion as to whether the plaintiff has a viable cause of action against the pediatrician based on the pediatrician’s purported failure to report the pediatric gastroenterologist.


New Jersey Oncologist Pleads Guilty to Unlawfully Selling Medication for Profit - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler
New Jersey Oncologist Pleads Guilty to Unlawfully Selling Medication for Profit

On May 31, 2023, a New Jersey oncologist pleaded guilty to unlawfully selling prescription medication. The oncologist was recruited by a business person who owned a pharmacy and two wholesale drug distribution companies. In exchange for $5,000 per month, the oncologist used her medical license and allowed others to use her medical license to purchase prescription drugs typically used to treat cancers, macular degeneration, and autoimmune diseases. These individuals were able to purchase these drugs that they would not otherwise have been permitted to purchase and then sell these drugs for a profit. They made false and misleading representations to the pharmaceutical manufacturers and authorized distributors when purchasing the drugs by representing that the medications purchased would be used to treat the oncologist’s patients and that the drugs would not be resold. Through the scheme, the individuals purchased millions of dollars of prescription drugs in the oncologist’s name.

New Jersey Court Opines on Disabled Physician Owner’s Right to Profits

The New Jersey Appellate Division issued an unpublished opinion regarding a dispute between physician owners of a medical practice involving the interpretation of the medical practice’s governing documents. The dispute centered around one of the owner’s permanent disability and his entitlement to the net profits of the practice until the completion of his contractual buy-out. As a result of the disability, the physician was no longer able to provide services under

the applicable agreements. The disabled physician argued that he was entitled to his share of the profits of the practice, even though he was not providing services, until that contractual buy-out was completed. The court found that a strict interpretation of the documents and the parties’ course of dealing did not support his claim to profits because he did not comply with the expectations and obligations of practice owners while disabled. Additionally, the court noted that the agreements did not require the practice to pay a permanently disabled member any profits pending a resolution of the buy-out of the member’s interest. As such, the court held that the disabled physician was not entitled to receive his share of the net profits of the practice during the time period of his disability before the completion of his buy-out.

DOJ Unveils New Safe Harbor Policy for Voluntary Self-Disclosure in M&A Transactions

The Department of Justice (DOJ) recently announced a new safe harbor policy for voluntary self-disclosures made in connection with mergers and acquisitions. Under the new policy, companies that timely and voluntarily self-disclose criminal misconduct uncovered during pre-acquisition due diligence or during the integration of a newly acquired business will receive the presumption of a declination of prosecution from the DOJ. To qualify under the new policy, acquiring companies must self-disclose criminal misconduct within six months from the closing date, cooperate with any DOJ investigation, and undertake full remediation of the misconduct within one year from the closing date, which may include restitution and disgorgement payments where applicable.

The new safe harbor policy serves as a means for acquiring companies to mitigate transactional risks and avoid potential legal liabilities, provided they maintain robust due diligence processes to swiftly uncover and report any misconduct to the DOJ. The policy is limited to misconduct within “bona fide, arms-length M&A transactions” and does not cover conduct that is already public, known to the DOJ, or otherwise requiring disclosure. The policy also does not impact civil merger enforcement. The presence of aggravating factors at the acquired company will not affect the acquiring company’s ability to receive a declination under the


new policy. The DOJ may, upon request, extend the filing and remediation deadlines depending on the facts, circumstances and complexity of a particular transaction. The DOJ stressed that companies should not delay self-disclosure, particularly when national security implications are involved.

OIG Issues Unfavorable Advisory Opinion Regarding Free Hearing Aids

On October 25, 2023, the Office of Inspector General (OIG) issued Advisory Opinion (AO) 23-08 in response to a cochlear implant manufacturer’s proposal to offer a “hearing bundle” and provide a free compatible hearing aid to eligible patients. Under the proposed arrangement, the hearing bundle would be purchased, the cochlear implant device would be implanted at a hospital or surgical center, and the free hearing aid

OIG Issues Unfavorable Advisory Opinion Regarding Free Hearing Aids - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

would later be programmed and fitted by an audiologist. Receipt of the free hearing aid would be conditioned upon purchasing the cochlear implant device.

The OIG determined that the proposed arrangement would implicate the federal Anti-Kickback Statute because the free hearing aid offered to patients may induce them to order and purchase the cochlear implant, which is reimbursable by federal healthcare programs. The OIG has longstanding and continuing concerns regarding free items because they can result in unfair competition with other manufacturers who may not be in a position to offer a similar benefit.

CMS Releases 2024 Final Rule for Medicare Hospital Outpatient Prospective Payment System and Ambulatory Surgical Center Payment System

The Centers for Medicare & Medicaid Services (CMS) recently published a final rule to update the Medicare Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgical Center (ASC) payment system for calendar year 2024 (CY 2024). This rule sets payment rates and introduces policy changes that will affect services provided in hospital outpatient and ASC settings during CY 2024.

Under the final rule, CMS is implementing an overall 3.1% increase in OPPS and ASC payment rates, factoring in productivity adjustments. CMS estimates that total payments to OPPS and ASC providers for CY 2024 will be approximately $88.9 billion and $7.1 billion, respectively, taking into account factors such as beneficiary cost-sharing and anticipated changes in enrollment, utilization, and case mix. Goals of the final rule include promoting health equity, expanding access to behavioral health care, improving transparency in the health system, and fostering safe, effective, and patient-centered care.

The final rule places emphasis on quality reporting program requirements, with non-compliance potentially resulting in a 2% reduction in the CY 2024 fee schedule increase factor. Additionally, the final rule encompasses various policy changes, such as enhanced hospital price transparency requirements, the implementation of the intensive outpatient program benefit, and the inclusion of dental codes and procedures in the ASC-covered procedures list.

OIG Opines that Physician Bonuses May be Tied to ASC Facility Fees

On October 10, 2023, the Department of Health and Human Services Office of Inspector General (OIG) issued Advisory Opinion No. 23-07, concluding that a medical practice may pay bonuses to physician employees that are tied to profits from facility fees attributable to procedures performed by the employed physicians at an ambulatory surgical center (ASC) owned by the medical practice. The requestor of the Advisory Opinion is the operator of a multi-specialty medical practice with 11 physician employees that owns and operates two


OIG Opines that Physician Bonuses May be Tied to ASC Facility Fees - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

ASCs. The requestor proposed a bonus system whereby physician employees of the medical practice would receive a bonus equal to 30% of the medical practice’s net profits from facility fees collected by the medical practice attributable to surgical procedures performed by the employed physicians at one of the medical practice’s ASCs. The medical practice certified that the physician employees were bona fide employees of the medical practice within the definition of “employee” under Federal law.

The OIG determined that while payment structures connecting compensation to profits from patient referrals may be problematic under the Federal Anti-Kickback Statute (AKS), since the physician employees are bona fide employees of the medical practice, the bonus compensation in this case is protected by the statutory exception and regulatory safe harbor for employees under the AKS and therefore would not constitute prohibited remuneration under the AKS, notwithstanding the potential risks of fraud and abuse these types of compensation arrangements may generally present. The OIG noted that similar arrangements involving bonus payments to independent contractors or other non-employees, or under a different corporate structure, might raise fraud and abuse concerns. The OIG also noted that the medical practice certified that the proposed arrangement did not implicate the Federal physician self-referral law, known as the Stark Law, and therefore the OIG was not offering any opinion regarding whether the proposed arrangement violates the Stark Law.

FTC Sues Anesthesia Group and Its Private Equity Backers for Anticompetitive Practices

On September 21, 2023, the Federal Trade Commission (FTC) sued U.S. Anesthesia Partners, Inc. (USAP) and its private equity owner, Welsh, Carson, Anderson & Stowe (Welsh Carson), alleging the two engaged in an anticompetitive scheme to monopolize the Texas anesthesiology market.

The complaint details that over the course of a decade, USAP and Welsh Carson engaged in a three part strategy to eliminate competition and generate profits. First, USAP and Welsh Carson executed a roll-up scheme where they would consolidate small, competing anesthesiology practices in Texas, resulting in USAP becoming the dominant anesthesia provider in the market. Second, USAP and Welsh Carson increased Texas anesthesia prices through price setting agreements with the remaining independent anesthesia practices. Third, USAP eliminated a significant competitor by entering into an agreement where that competitor would refrain from providing services in USAP’s territory. The FTC estimates that this strategy has cost Texans “tens of millions of dollars” more each year for anesthesia services than before USAP was created in 2012. The FTC alleges that USAP and Welsh Carson’s conduct amounts to unlawful monopolization, unlawful acquisitions, a conspiracy to monopolize, unfair methods of competition, and unlawful restraints of trade in violation of the FTC Act (15 U.S.C. § 53(b)) and the Clayton Act (15 U.S.C. § 18).

CMS Announces First List of Drugs Subject to Price Negotiation

The Centers for Medicare and Medicaid Services (CMS) recently announced the first ten drugs that will be subject to price negotiation under Medicare Part D. The Inflation Reduction Act, signed by President Biden on August 16, 2022, authorizes CMS to negotiate drug prices. The Act primarily aims to lower drug costs, increase access to life-saving treatments, provide financial relief for seniors, encourage innovation, and ultimately lead to lower healthcare costs. In 2022, Medicare enrollees paid $3.4 billion out-of-pocket for these ten drugs.

Price negotiations are scheduled for 2023 and 2024 with


CMS Announces First List of Drugs Subject to Price Negotiation - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler

negotiated prices taking effect in 2026. Negotiations will consider the drug’s clinical benefits, unmet medical needs, and costs associated with research and production. The drugs selected for negotiation are:

• Eliquis; • Enbrel;
• Jardiance; • Imbruvica;
• Xarelto; • Stelara; and
• Januvia; • Fiasp; Fiasp FlexTouch;
• Farxiga; Fiasp PenFill; NovoLog; NovoLog
• Entresto; FlexPen; NovoLog PenFill.

By September 1, 2024, CMS will publish the negotiated prices, which will become effective on January 1, 2026. CMS plans to negotiate prices for up to 15 additional drugs in 2027, 15 additional drugs in 2028, and more annually.

OIG Releases Unfavorable Advisory Opinion on Intraoperative Neuromonitoring Arrangement

On August 18, 2023, the Department of Health and Human Services Office of Inspector General (OIG) issued an unfavorable Advisory Opinion regarding an intraoperative neuromonitoring (IONM) arrangement. The OIG reviewed a proposed arrangement between an existing IONM provider (the Requestor), a physician practice which provides neurology services (the Practice) and surgeons who require IONM services for their

patients (the Surgeons), where the Surgeons would establish, own, and operate a new company to provide IONM services (NewCo). The Requestor would assist the Surgeons in establishing and operating NewCo, but neither the Requestor nor the Practice would have an ownership interest in NewCo.

Under the existing arrangement between the Requestor and the Surgeons, when the Surgeons perform surgeries requiring IONM services, they engage the Requestor to provide those services. The Requestor bills for the technical component of the IONM services and the Practice bills for the professional component of the IONM services. Under the proposed arrangement, when the Surgeons perform surgeries requiring IONM services, they would refer the patients to NewCo to provide those services. The Requestor would provide NewCo with billing and other administrative services pursuant to a billing services agreement between NewCo and the Requestor and the Practice would provide neurologists and neurophysiologists (leased by the Requestor to the Practice) pursuant to a personal services agreement between Newco and the Practice. The Requestor would attempt to ensure that no referrals to NewCo would be made for patients enrolled in Federal health care programs in order to abide by the Federal Anti-Kickback Statute (AKS).

The OIG found that the proposed arrangement would generate prohibited remuneration under the AKS and thus be grounds for sanctions if the requisite intent is present. The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce, or in return for, the referral of an individual to a person for the furnishing of, or arranging for the furnishing of, any item or service reimbursable under a Federal health care program. The AKS has established safe harbor exceptions which allow for certain arrangements even though they would on their face violate the AKS. The OIG determined that the proposed arrangement involves remuneration which would induce the Surgeons to make referrals to NewCo when payment could be made by a Federal health care program. Furthermore, the OIG found that the proposed arrangement does not fit squarely within any of the safe harbor exceptions.

In particular, the OIG found the proposed arrangement problematic under the AKS because it enables the Surgeons and the Requestor to do indirectly what they


could not do directly: pay the Surgeons a share of the profits from their referrals for IONM services that could be reimbursable by a Federal health care program. The OIG emphasized that the proposed arrangement exhibits many attributes of problematic contractual joint ventures, about which the OIG has expressed longstanding and continuing concerns.

Changes to the Stark Law and Anti-Kickback Statute Address Physician Mental Health

The federal Stark Law and Anti-Kickback Statute (AKS), which prohibit physician self-referrals and kickbacks, changed in 2023. Notably, there was a new Stark Law exception and an AKS safe harbor for healthcare entities offering mental health programs to physicians, which includes counseling, mental health services, suicide prevention, and substance use disorder programs. The new Stark Law exception for physician-focused mental health programs requires a written policy and must be offered by a healthcare entity with a formal medical staff to all physicians in the geographic area served by the entity and without regard to the volume or value of referrals or other business generated by a physician for the entity. The new AKS safe harbor is similar to the Stark Law exception. However, the new AKS safe harbor also applies to non-physician clinicians, thereby permitting healthcare entities to provide mental health and behavioral health improvement or maintenance programs to physicians and other clinicians.

Changes to the Stark Law and Anti-Kickback Statute Address Physician Mental Health - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler
Ophthalmology Provider Settles Co-Management Kickback Allegations - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler
Ophthalmology Provider Settles Co-Management Kickback Allegations

On March 23, 2023, the Department of Justice announced that a Texas-based ophthalmology provider group, Kleiman Evangelista Eye Centers (KE), agreed to pay $2,902,505 to resolve allegations that it offered and paid kickbacks to optometrists to induce referrals of patients who were candidates for cataract surgery in violation of the False Claims Act and Anti-Kickback Statute.

The claims against KE related to its co-management arrangements with referring optometrists. Co-management of cataract surgery patients is a common practice between optometrists and the ophthalmologists to whom they refer patients. Although such arrangements are permissible, to the extent they provide either party with financial benefits in exchange for referrals, they can pose a liability to the parties under the Anti-Kickback Statute, which prohibits offering, paying, soliciting, or receiving remuneration to induce referrals of items or services covered by Medicare, Medicaid, and other federally funded programs.

In this case, the government accused KE of providing unlawful remuneration to referring optometrists by paying the optometrists additional fees for referring cataract patients who received premium intraocular lenses or laser-assisted cataract surgery (in addition to the reimbursement already received by the optometrists from Medicare and Medicaid for performing post-operative cataract care). Additionally, KE is accused of guaranteeing the automatic return of referred patients, providing the optometrists free continuing education courses, rewarding top referring optometrists with expensive dinners, and inviting referring optometrists,


their families, and staff to major-league baseball games at the company suite.

FDA Mandates Breast Density Information with Mammography Results

On March 9, 2023, the United States Food and Drug Administration (FDA) issued a final rule amending the Mammography Quality Standards Act (MQSA) of 1992 to require mammogram providers to notify women if they have dense breast tissue and recommend that they consult with a doctor about whether they need additional screening. Mammogram providers will be required to implement the new standards within 18 months.

Dense breasts have been identified as a risk factor for developing breast cancer and can make cancers more difficult to detect on a mammogram. Approximately half of the women over the age of 40 in the United States have dense breast tissue.

New Jersey implemented a similar law in 2014 which requires mammogram providers to notify patients if they have dense breast tissue. New Jersey also requires insurers to cover breast follow-up evaluations, such as ultrasounds in women with dense breast tissue.

DEA and HHS Extend Telehealth Prescribing Flexibilities Again

On October 10, 2023, the Drug Enforcement Administration (DEA) and the Department of Health and Human Services (DHHS) issued a second temporary extension of existing temporary flexibilities allowing providers to prescribe controlled substances via telehealth. This extension is a continuation of a policy that was initially implemented in 2020 in response to the COVID-19 pandemic, which temporarily exempted providers from federal rules requiring an in-person evaluation before prescribing controlled substances. Under the new extension, these flexibilities will remain in place until December 31, 2024.

The DEA and DHHS issued the first temporary extension on May 10, 2023, allowing providers to prescribe controlled substances through telehealth to new patients until November 11, 2023, and to established patients until November 11, 2024, despite the conclusion of the COVID-19 public health emergency. The recently adopted second extension applies to both new and established

patients, and was adopted in order to facilitate a smooth transition for patients and practitioners who rely on telemedicine for controlled substance prescriptions.

UPMC and Surgeon to Pay $8.5 Million to Settle Concurrent Surgeries Lawsuit

The U.S. government has finalized a settlement agreement totaling $8.5 million with the University of Pittsburgh Medical Center (UPMC), University of Pittsburgh Physicians (UPP), and one of their affiliated surgeons regarding a false claims lawsuit alleging that the surgeon violated Medicare and Medicaid rules by scheduling multiple surgeries at the same time. The practice of scheduling concurrent surgeries, which is commonly referred to as “running two rooms” and has been standard in many teaching hospitals, typically involves a senior attending surgeon who delegates trainees, usually residents or fellows, to perform parts of one surgery while the attending surgeon works on a patient in another operating room. According to the government’s complaint, the physician, a cardiothoracic surgeon, would schedule simultaneous surgeries in two interconnected operating suites along with a third surgery in a different room. The surgeon would perform each of the surgeries in the adjoining rooms up to a certain point, leave to do the third, and then come back to finish the first two.

Both Centers for Medicare and Medicaid Services guidelines and federal regulations applicable to teaching hospitals like UPMC require a surgeon to be present or immediately available for all of the critical parts of an operation, including the “time out” before the start of a procedure for final checks. According to the government’s complaint, the double and sometimes triple booking employed by UPMC and the surgeon violated these rules and should have prevented the surgeon and the hospital from billing government health plans for these services. In addition to the regulations, the process implemented by UPMC also creates patient care issues, including keeping patients under anesthesia for prolonged periods and leaving residents or fellows to perform surgeries without supervision. In addition to the financial component of the settlement, UPMC and the surgeon agreed to create and put into effect a corrective action plan for the surgeon and to submit to a year-long third-party audit of the surgeon’s fee services billing to Medicare. UPMC, UPP, and the surgeon did not admit to liability as part of the settlement.


Federal Trade Commission Proposes Ban on Non-Compete Clauses

On January 5, 2023, the Federal Trade Commission (FTC) proposed a new rule that would ban employers from imposing non-compete clauses on workers. Specifically, the new rule would make it illegal for employers to enter into or attempt to enter into a non-compete clause with a worker, maintain a non-compete clause with a worker, or represent to a worker that the worker is subject to an enforceable non-compete clause. In addition, the new rule would require employers to rescind existing non-compete clauses and inform workers that such non-compete clauses are no longer in effect. The compliance date for the rescission of existing non-compete clauses is proposed to be 180 days after the publication of the final rule. The proposed rule covers both traditional non-compete clauses as well as “de facto” non-competes which have the effect of prohibiting a worker from seeking or accepting employment with a person or operating a business after the conclusion of the worker’s employment with the employer.

If this rule is adopted in its current form, it could have significant consequences regarding physician employment agreements. The FTC is expected to vote on the final version of the proposed rule in April 2024.

Federal Trade Commission Proposes Ban on Non-Compete Clauses - Healthcare Law Update - Year In Review - December 2023 - Brach Eichler
2023 HIPAA Highlights

The U.S. Department of Health and Human Services (DHHS) Enforcement Highlights as of October 31, 2023 reveal that, from the initial HIPAA compliance date in April 2023 to the present, the compliance issues most often alleged in complaints received by the DHHS Office for Civil Rights (OCR), the federal HIPAA enforcement agency, include, in order of frequency:

• Impermissible uses and disclosures of protected health information (PHI);
• Lack of safeguards of PHI;
• Lack of patient access to their PHI;

• Lack of administrative safeguards of electronic PHI; and
• Use or disclosure of more than the minimum necessary PHI.

The most common types of covered entities alleged to have committed HIPAA violations, in order of frequency, are:

• General Hospitals;
• Private Practices and Physicians;
• Pharmacies;
• Outpatient Facilities; and
• Community Health Centers.

The takeaway is that the most frequent HIPAA complaints received by the OCR are largely preventable by having in place a robust HIPAA compliance program, one or more competently-trained HIPAA officials, reasonable security safeguards, and frequent and meaningful staff training.

With the ever-increasing number of cyber-criminals and types of cyber-attacks, the OCR also has largely focused its efforts on security breach investigations. In October of this year, Cybersecurity Awareness Month, the OCR settled its first ransomware cyber-attack investigation. The incident involved a medical management company (a HIPAA business associate) that provides various management services to medical providers, including medical billing and payor credentialing. The vendor was the subject of a GrandCrab ransomware attack that caused a breach of the PHI of 206,695 individuals. Among the violations alleged by the OCR were the failure of the management company to conduct risk analysis to determine potential risks and vulnerabilities to electronic PHI, insufficient monitoring of the vendor’s health information system activity to protect against cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule. The settlement included a payment of $100,000 and a corrective action plan.

This past year, the DHHS largely has focused on publishing cybersecurity resources, including through the HHS 405(d) website, such as Knowledge on Demand, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition), and Hospital Cyber Resiliency Initiative Landscape Analysis. “These efforts are a key part of the Administration’s work to secure all of our Nation’s critical infrastructure from cyber threats.”


Attorney Advertising: This publication is designed to provide Brach Eichler LLC clients and
contacts with information they can use to more effectively manage their businesses. The contents
of this publication are for informational purposes only. Neither this publication nor the lawyers who
authored it are rendering legal or other professional advice or opinions on specific facts or matters.
Brach Eichler LLC assumes no liability in connection with the use of this publication.

Isabelle Bibet-Kalinyak | 973.403.3131 |
Shannon Carroll | 973.403.3126 |
Riza I. Dagli | 973.403.3103 |
Lani M. Dornfeld | 973.403.3136 |
John D. Fanburg, Chair | 973.403.3107 |
Joseph M. Gorrell | 973.403.3112 |
Carol Grelecki | 973.403.3140 |
Edward Hilzenrath, HLU Editor | 973.403.3114 |
Caroline J. Patterson | 973.403.3141 |
Keith J. Roberts | 973.364.5201 |
Richard B. Robins | 973.447.9663 |
Jonathan J. Walzman | 973.403.3120 |
Edward J. Yun | 973.364.5229 |
Colleen Buontempo, CPC | 973.364.5210 |
Michael C. Foster | 973.403.3102 |
Debra W. Levine | 973.403.3142 |
Vanessa Coleman | 973.364.5208 |
Paul J. DeMartino, Jr. | 973.364.5228 |
Emily J. Harris | 973.364.5205 |
Cynthia J. Liba | 973.403.3106 |
Erika R. Marshall | 973.364.5236 |
Harshita Rathore | 973.364.8393 |

Roseland, NJ | New York, NY | West Palm Beach, FL | | 973.228.5700

STAY CONNECTED! FOLLOW US Follow us on FacebookFollow us on XFollow us on LinkedInFollow us on InstagramSubscribe to our YouTube