HAPPY NEW YEAR! We are pleased to provide you with our 16th annual Healthcare Law Year in Review. The 2024 Year in Review highlights some of the most important issues and developments in healthcare law, both nationally and in New Jersey, over the past 12 months.
As we approach the conclusion of another transformative year, we are excited to present our comprehensive year-end Review, shedding light on the trends shaping the healthcare market in 2024. Our team’s keen insights and dedication to staying at the forefront of developments allow us to provide a perspective on the intricate dynamics influencing healthcare today.
Among the issues covered in this year’s edition are:
• Scrutiny of Private Equity in Healthcare Industry
• Hospital bankruptcy
• Medical Debt Relief Legislation
• Extension of Telemedicine Flexibilities
• Corporate Transparency Act Developments
• HIPAA Developments
In 2025, we are looking forward to Brach Eichler’s New Jersey Healthcare Market Review (NJHMR) on April 3rd & 4th at The Borgata Hotel and Casino in Atlantic City, New Jersey. NJHMR provides a unique opportunity to connect with over 200 attendees comprised of hospital and ASC executives and stakeholders, physicians, practice owners and managers, and healthcare administrators. During this two-day event, industry experts will discuss timely topics and trends in the healthcare and legal space ranging from legislative issues to operating and business strategies for greater profitability. Register now as early bird prices end by January 10, 2025.
As always, Brach Eichler’s healthcare law attorneys are available to provide guidance and assist with mergers and acquisitions, labor and employment, contracts and agreements, litigation and dispute resolution, and any other legal matters. If you have any questions or would like additional information regarding any of the articles contained in the 2024 Healthcare Law Year in Review, please do not hesitate contact us. Thank you for your continued support.
JOHN D. FANBURG, ESQ.
Managing Member & Chair, Healthcare Law
Brach Eichler LLC
973.403.3107
jfanburg@bracheichler.com
ED HILZENRATH, ESQ.
Member, HLU Editor
Brach Eichler LLC
973.403.3114
ehilzenrath@bracheichler.com
On November 3, 2024, CarePoint Health System filed for Chapter 11 bankruptcy in the District of Delaware. CarePoint, which includes Bayonne Medical Center, Hoboken University Medical Center and Christ Hospital in Jersey City, provides care to sixty percent of Hudson County’s population, the majority of whom are uninsured or underinsured. CarePoint stated that the decision to file for Chapter 11 was driven by the dramatic increase in direct costs of operating the hospitals after the COVID-19 pandemic and insufficient state funding and persistent reimbursement challenges that hospitals across the country have been facing. Chapter 11 bankruptcy will allow CarePoint to reorganize its finances and continue operating. CarePoint has obtained $67 Million in funding to continue its operations and ensure that the three CarePoint hospitals remain open during the bankruptcy proceedings with no interruptions in patient care. Just days before the bankruptcy filing, CarePoint and Hudson Regional Hospital in Secaucus announced that they will merge to form a new healthcare system.
On July 22, 2024, Governor Phil Murphy signed the Louisa Carman Medical Debt Relief Act into law. The Act prohibits medical creditors and medical debt collectors from reporting any medical debt to a consumer reporting agency, such as Experian or TransUnion, for healthcare services. “Medical creditor” is defined in the Act as any person or entity that provides health care services and to whom a patient owes money for health care services. This would include virtually all health care providers, including physician practices, ambulatory surgical centers, and hospitals. “Medical debt” is defined as debt arising from the receipt of health care services.
Effective July 22, 2025, the Act will further prohibit medical creditors and medical debt collectors from:
• Charging an interest rate on medical debt of more than 3 percent per annum;
• Garnishing the wages of a patient with annual income less than 600 percent of the federal poverty level; and
• Beginning collection actions until 120 days after the first bill for medical debt was sent and the patient has been offered a “reasonable payment plan.”
A “reasonable payment plan” is defined as a structured repayment arrangement that satisfies the following criteria:
1. Monthly payment amounts set at a level that the patient can reasonably afford;
2. A duration that allows the patient to repay the debt in full within a reasonable timeframe;
3. The terms of the payment plan are documented in a written agreement provided to the patient;
4. Provisions for adjusting the payment amounts and duration in response to changes in the patient’s financial circumstances;
5. A grace period of at least 60 days for late payments; and
6. The plan cannot charge an interest rate of more than 3 percent per annum.
Any communication made by a medical creditor or medical debt collector to a patient in the course of trying to collect a medical debt must include a statement that the medical creditor or medical debt collector has not reported the debt to a consumer reporting agency, and that any debt reported is void.
On October 30, 2024, New Jersey Governor Murphy signed into law Assembly Bill 4447, which expands the permissible exceptions for a health care practitioner to self-refer. The Codey Law prohibits healthcare practitioners from referring patients for a health care service in which the practitioner or the practitioner’s immediate family has a significant beneficial interest. This new exception to the Codey Law allows oncology practitioners with a financial interest in a pharmacy integrated with their practice to refer patients to that pharmacy, as long as the pharmacy:
• dispenses medications exclusively to the practice’s patients;
• has direct access to the practice’s medical records;
• communicates with each patient in person or via telemedicine to review the prescription instructions and assesses the patient for interactions with other drugs and food;
• synchronously consults with the treating physicians as needed; and
• complies with the State Board of Pharmacy requirements for timely delivery of medications, hours of operation, and recordkeeping.
In August 2024, Shore Memorial Health System Inc., based in Atlantic County, New Jersey, and an affiliated medical practice agreed to a settlement with the United States Department of Justice to resolve allegations that it violated the False Claims Act by obtaining a Paycheck Protection Program (PPP) loan that it was not entitled to receive. The PPP loan program was established in March 2020 under the Coronavirus Aid, Relief, and Economic Security (CARES) Act to provide financial support to small businesses impacted by the COVID-19 pandemic through forgivable loans to cover payroll and essential expenses.
Shore Memorial Physicians’ Group (SPG), an affiliate of the Health System, applied for and was granted a $2.78 million PPP loan. SPG later sought and obtained forgiveness for the entire loan amount. However, SPG was ineligible for the loan due to its affiliation with the Health System, which disqualified it from being classified as a small business under the PPP loan program. In accordance with the terms of the settlement, the Health System and SPG agreed to pay the United States $3.15 million.
In August, 2024, the Heath Care Association of New Jersey (HCA), a trade group representing New Jersey nursing homes, together with several nursing homes, filed a lawsuit against the New Jersey Department of Health seeking to void a 2020 New Jersey law that sets minimum staffing requirements for New Jersey nursing homes, arguing that staffing shortages make the law an “unworkable and impossible mandate.” The law requires New Jersey licensed nursing homes to maintain certain staff to resident ratios for both day and night shifts. The law was adopted in response to the COVID-19 pandemic, during which New Jersey nursing homes saw high death tolls and infection rates.
The HCA’s lawsuit seeks to void and delay enforcement of the staffing ratio law on the grounds that it is unconstitutional and impossible for nursing homes to comply with. The HCA claims that the fines being assessed by the DOH for failure to comply, which by statute amount to $1,000.00 per day of noncompliance, are excessive and violate the New Jersey Constitution. The lawsuit also argues that the law was adopted notwithstanding a State study that found that New Jersey’s direct care workforce is shrinking and cannot meet the needs of the State’s growing elderly population.
On July 17, 2024, a New York appellate court found that an earnout based on future practice earnings that was negotiated as part of a practice sale violated New York’s fee-splitting prohibition. In 2015, the plaintiff, a dental practice, entered into an asset purchase agreement to sell certain assets to the defendant, a dentist who retained his own separate practice. The purchase agreement specified that part of the purchase price would be paid by the purchaser to the seller as a percentage of the monthly revenue generated by the practice assets that the seller sold to the purchaser.
In March 2020, the seller filed a lawsuit against the purchaser alleging breach of contract and unjust enrichment as a result of the purchaser’s failure to pay the earnout portion of the purchase price to the seller. The purchaser filed a motion to dismiss, arguing that the arrangement violated the provisions of New York’s Education Law that prohibits fee-splitting. The trial court denied the motion to dismiss. On appeal, the appellate court overturned the trial court’s decision to deny the purchaser’s motion to dismiss, finding that the earnout constituted a voluntary prospective arrangement for the splitting of fees in violation of New York law, and “a party to an illegal contract cannot ask a court of law to help him or her carry out his or her illegal object.”
In a decision that reverses the rulings of two separate appellate courts, the New Jersey Supreme Court ruled on August 5, 2024 that healthcare facilities may only withhold incident reports and associated documents as privileged under the New Jersey Patient Safety Act (PSA) if the facility performs their self-critical analysis of the incident in procedural compliance with the PSA and its implementing regulations. The PSA confers an absolute privilege on documents, materials and information developed as part of a healthcare facility’s self-critical analysis. In the two cases before the Supreme Court, the defendant healthcare facilities refused to produce documents such as incident reports and other documents related to patient incidents because they claimed they were privileged under the PSA.
In both cases, an appellate court reversed the trial courts’ determinations that the incident reports were not privileged under the PSA, finding that the defendants procedurally complied with the requirements of the PSA and that the documents were privileged. The Supreme Court reversed the appellate court decisions, finding that, in both cases, the facilities failed to follow proper procedures because their quality assurance and improvement committees also operated as patient safety committees, and in order for the PSA privilege to apply, a facility’s patient safety committee must operate independently from any other committee of the facility.
A 2024 mediation produced a settlement for a deceased patient’s estate which was twice the amount that the defendant anesthesia provider’s malpractice carrier would cover. The patient underwent anesthesia for the removal of an intrauterine device at a New Jersey outpatient surgery center. During the procedure, the patient experienced a drop in blood pressure and oxygenation and never regained consciousness. The plaintiff’s counsel alleged that the anesthesiologist failed to stop the surgery when the patient presented with signs of distress. Prior to trial, the parties sought mediation with a former New Jersey Superior Court judge. Initially, the defendant offered a settlement of $2,000,000, the coverage limit on their malpractice policy. The plaintiff refused this offer and the parties continued to mediate until a settlement of $4.2 Million was reached.
On June 25, 2024, Atlantic Health System (Atlantic) announced that it entered into a definitive agreement with Saint Peter’s Healthcare System (St. Peter’s) to expand their strategic partnership to integrate the two health care systems. This announcement marks the next step in the collaboration between the non-profit organizations, which began with the signing a letter of intent earlier in 2024.
Upon regulatory approval, Atlantic will invest significantly in St. Peter’s and its service area, to help St. Peter’s evolve into a comprehensive healthcare system serving central New Jersey communities. The proposed transaction will provide St. Peter’s with enhanced integrated clinical services, a robust physician network, and assist St. Peter’s transition to Atlantic’s electronic medical record system. The patients in the communities served by Saint Peter’s will benefit from Atlantic’s years of experience in improving patient care and outcomes, accessibility and affordability, and Saint Peter’s physicians will be given the opportunity to join Atlantic Health’s physician group practices and programs.
Under the terms of the agreement, Atlantic will join Saint Peter’s as its sole corporate member. St. Peter’s will maintain its Catholic mission and continue to abide by the Ethical and Religious Directives for Catholic Health Care Services. Additionally, the new venture would expand the organizations’ existing partnership in the Healthcare Transformation Consortium, to offer broader, more affordable health insurance options to New Jersey employees.
On November 15, 2024, the United States Drug Enforcement Administration (DEA) and the Department of Health and Human Services (HHS) announced that they have extended the current telemedicine flexibilities for the prescription of controlled medications through December 31, 2025. The extension means that DEA registered practitioners will continue to be able to prescribe controlled substances via telemedicine without having to conduct an in-person medical evaluation of the patient so long as certain conditions are met. The full text of the extension, entitled the “Third Temporary Extension of Covid-19 Telemedicine Flexibilities for Prescription of Controlled Medications”, can be found here. The extension provides the DEA and HHS time to promulgate proposed and final regulations that are consistent with public health and safety, and that also effectively mitigate the risk of possible diversion. Furthermore, the extension provides additional time for providers to come into compliance with any new standards or safeguards eventually adopted in a final set of regulations.
On December 3, 2024, the U.S. District Court for the Eastern District of Texas issued a preliminary injunction halting the federal government’s enforcement of the Corporate Transparency Act (CTA) and its enforcement regulations nationwide. The CTA requires certain business entities to file beneficial ownership information with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), and is intended to provide law enforcement with access to a federal database of corporate beneficial ownership information that can be used for detecting, preventing and punishing terrorism, money laundering and other misconduct. The initial reporting requirements for most entities were set to go into effect on January 1, 2025.
In issuing the preliminary injunction, the Court ruled that the CTA was likely unconstitutional, finding that the CTA was not authorized under the Commerce Clause of the U.S. Constitution and “[u]pholding the CTA would require the Court to rubber-stamp what appears to be a substantial expansion of commerce power.” The Court also found that the CTA was not authorized under the Constitution’s Necessary and Proper Clause, noting that “[t]here is simply no enumerated power the Government can identify that would justify the CTA.” In addition, the Court determined that the CTA improperly permits the federal government to monitor corporate entities that are governed by state law, and also ends a fundamental feature of corporate formation – anonymity.
FinCEN responded to the Court’s decision by posting an alert on its website stating that “reporting companies are not currently required to file their beneficial ownership information with FinCEN and will not be subject to liability if they fail to do so while the preliminary injunction remains in effect,” but noted that reporting companies may continue to file beneficial ownership information reports voluntarily. On December 5, 2024, the federal government filed an appeal of the Court’s ruling with the United States Court of Appeals for the Fifth Circuit. The Court of Appeals upheld the District Court’s preliminary
injunction and is set to hear oral arguments on the merits of the litigation in March of 2025. In the meantime, on December 31, 2024 the U.S. Solicitor General filed an application with the U.S. Supreme Court to stay the preliminary injunction. The Supreme Court has not taken any action on this application yet.
On December 11, 2024, the U.S. Department of Health and Human Services Office of Inspector General (OIG) published a Special Fraud Alert titled “Suspect Payments in Marketing Arrangements Related to Medicare Advantage and Providers.” In the Alert, the OIG warns Medicare Advantage Organizations (MAOs) and healthcare providers about certain fraud and abuse risks associated with marketing Medicare Advantage (MA) plans. The Alert discusses the OIG’s concerns with these arrangements and provides a list of suspect characteristics that may suggest an arrangement presents a heightened risk of fraud and abuse.
The first arrangement that the Alert focuses on is payments from MAOs to providers. The OIG explains that while providers are permitted to do a limited amount of marketing for MAOs, compensation is not permitted. The second arrangement the Alert focuses on is payments from providers to agents or brokers of MA plans. The OIG explains that this practice can mislead enrollees into selecting providers and/or MA plans that do not fit their needs and can lead to unfair competition. Both arrangements can trigger the federal anti-kickback statute.
The Alert identifies a list of suspect characteristics that may indicate a heightened risk of fraud and abuse, including for example:
• MAOs, agents, brokers, or any other individual or entity offering or paying providers remuneration (such as bonuses or gift cards) in exchange for referring or recommending patients to a particular MAO or MA plan.
• Providers paying remuneration to an agent, broker, or other third party that is contingent upon or varies based on the demographics or health status of individuals enrolled or referred for enrollment in an MA plan.
The OIG recommends that MAOs and providers scrutinize these relationships to ensure they do not implicate fraud and abuse laws.
The Centers for Medicare & Medicaid Services (CMS) recently published the calendar year (CY) 2025 Physician Fee Schedule (PFS) final rule, finalizing changes for Medicare payments under the PFS and other policies related to Medicare Part B reimbursement. Under the new rule, average reimbursement rates under the PFS will be reduced by 2.93%, which incorporates a 0% overall update to PFS reimbursement rates as required by statute, the expiration of a temporary 2.93% increase in payment rates for CY 2024 that was required by statute, and a 0.02% adjustment to reimbursement rates that is necessary to account for changes in work relative value units for some services. According to CMS, the CY 2025 PFS final rule is one of several final rules that reflect a broader strategy of the Biden Administration to create a more equitable health care system that results in better accessibility, quality, affordability, empowerment and innovation for all Medicare beneficiaries.
Under the final rule, CMS has established new coding and payment rules for several categories of services, including caregiving training and services, behavioral management and modification training, wound care and infection control. The final rule also expands Medicare reimbursement of telehealth services to include PrEP counseling and caregiving training services, and expands the categories of modalities that may be used to provide telehealth services to include two-way, real-time, audio-only communication technology. CMS has also modified the reimbursement rules for outpatient evaluation and management (E&M) visits to allow providers to include certain complexity add-ons when the provider provides certain add-on services on the same day that the provider provides an annual wellness visit, vaccine administration or any Medicare Part B preventative service in an office or outpatient setting.
The Centers for Medicare & Medicaid Services (CMS) recently published the calendar year 2025 Hospital Outpatient Prospective Payment System and Ambulatory Surgery Center (ASC) Payment System final rule. Under the new rule, CMS will increase payment rates by 2.9% for ASCs and for hospitals that meet certain quality reporting requirements. According to CMS, the final rule includes policies that align with several key goals of the Biden Administration, including responding to the
maternal health crisis, addressing health disparities, expanding access to behavioral health care, improving transparency in the health system and promoting patient-centered care. In addition, the final rule advances CMS’s commitment to strengthening Medicare, and applies lessons learned from the COVID-19 pandemic to inform the approach to quality measurement, focusing on changes that help address health inequities.
In addition to updating reimbursement rates, the final rule requires hospitals to meet new quality standards for obstetrical care, including new staffing and training requirements, standards to ensure that basic obstetrics equipment is readily available, and requirements related to the hospital’s readiness to provide emergency services. CMS has also finalized rules for implementing certain provisions of the Consolidated Appropriations Act of 2023 that provide temporary additional payments for certain non-opioid treatments for pain relief in the hospital outpatient department and ASC settings through December 31, 2027. The final rule also provides updates to Medicare payment rates for intensive outpatient program services and partial hospitalization program services furnished in hospital outpatient departments and Community Mental Health Centers.
The “Eyeglass Rule” became effective September 24, 2024, pursuant to the Ophthalmic Practice Rules issued by the Federal Trade Commission. Per the final rule, ophthalmologists and optometrists must comply with the following requirements:
• Provide patients with a copy of their prescription immediately following a refractive eye exam, before products for sale are offered to the patient.
• If using a paper prescription, patients need to acknowledge receipt of their prescription and prescribers must maintain such acknowledgement for three years.
• If using a digital prescription, patients must consent to the method of delivery (email, portal, text message, etc.) before the prescription is sent, and prescribers must maintain confirmation that the prescription was sent for three years.
These requirements do not apply to prescribers who do not have a financial interest in the sale of eye wear, or to prescribers who are employed by any federal, state, or local government.
On October 2, 2024, the Centers for Medicare & Medicaid Services (CMS) released final guidance on the process for the second cycle of negotiations under the Medicare Drug Price Negotiation Program. CMS had previously set prices for the first ten drugs covered under the Program, to be effective starting January 1, 2026, marking the beginning of CMS’s efforts to reduce drug costs for Medicare beneficiaries. CMS will announce the selection of up to fifteen additional drugs covered by Part D for the second cycle of negotiations by February 1, 2025. This second cycle of negotiations with participating drug companies will occur during 2025, and any negotiated prices for this second set of drugs will be effective starting January 1, 2027. The guidance also outlines requirements and parameters for how participating drug companies must ensure that eligible beneficiaries with Medicare prescription drug coverage will have access to the negotiated prices for 2026 and 2027, including procedures that apply to Medicare Part D plans, pharmacies, mail order services, and other entities that dispense drugs covered under Medicare Part D.
On August 20, 2024, a federal district court in Texas issued a nationwide injunction prohibiting the FTC from enforcing its non-compete rule. The rule, adopted by the FTC on April 23, 2024, had been scheduled to go into effect on September 4, 2024. The Texas court found that the FTC did not have the authority to adopt any substantive rule about competition and that the rule which it did adopt was arbitrary and capricious. Another federal district court, in Pennsylvania, had concluded only a few weeks prior that the FTC had the authority to adopt the rule. On October 18, 2024 the FTC appealed the Texas court’s decision.
On November 1, 2024, the Centers for Medicare and Medicaid Services (CMS) issued the 2025 Medicare Physician Fee Schedule Final Rule (Final Rule), which included highly anticipated guidance regarding identifying, reporting, and returning Medicare overpayments. The Final Rule was published on December 9, 2024 and becomes effective on January 1, 2025.
Under the Final Rule, CMS revised when a Medicare overpayment is “identified.” Previously, an overpayment was identified when “the person has, or should have through the exercise of reasonable diligence, determined that the person received an overpayment and quantified the amount of the overpayment.” Under the Final Rule, an overpayment is now identified when “the person knowingly receives or retains an overpayment.”. In addition, the Final Rule provides more time for providers to investigate and calculate overpayments. Once an overpayment has been identified, the 60-day period for reporting and returning the overpayment is suspended for purposes of conducting a good-faith investigation to uncover any related overpayments. This suspension will last until the earlier of either: (i) the completion of the investigation and calculation of the initial and any related overpayments or (ii) 180 days from the initial identification of the overpayment.
CMS provided the following example of how the suspension of the deadline will operate: If a provider identifies an overpayment and suspects additional related overpayments, the provider will have up to 180 days from discovery of the initial overpayment to conduct a good-faith investigation. This period may be extended further under certain conditions, such as making voluntary submissions to CMS. However, if the provider decides not to investigate further, the overpayment must be reported and returned within 60 days of the initial discovery.
On April 22, 2024, the Centers for Medicare & Medicaid Services issued a final rule that, among other things, establishes a national minimum staffing requirement for nursing homes participating in Medicare and Medicaid. As a result, nursing homes will be required to follow designated nurse staffing standards, including the following:
• Provide residents with nursing care for a minimum of 3.48 hours per resident day (HPRD), including at least 0.55 HPRD from registered nurses and 2.45 HPRD from nurse aides.
• Have a registered nurse on site 24 hours per day, seven days per week, to help mitigate against preventable safety events and deliver critical care to residents at any time.
• Conduct an enhanced annual facility assessment to improve the planning and identification of the resources and supports needed to care for residents based on their acuity during both normal operations and emergencies.
• Develop a staffing plan to maximize recruitment and retention.
Compliance with the staffing requirements in the final rule will be staggered over a period of up to 5 years for rural facilities and 3 years for non-rural facilities. The final rule also provides for exemptions if certain criteria are met, such as a good faith effort by the facility to hire and retain staff.
In February 2024, hospitals in New York and Florida filed complaints against affiliates of North American Partners in Anesthesia (NAPA) alleging that the anesthesia provider’s non-compete agreements were unenforceable. The claims made by the hospitals largely mirror the claims made in the summer of 2022 by RWJBarnabas Health against the NAPA affiliate in New Jersey.
Specifically, the hospitals allege that NAPA failed to properly staff their anesthesia departments and failed to share in the risk of excessive costs. Instead, NAPA simply demanded that the nonprofit hospitals continue to pay increased costs for diminishing services. In response, the hospitals attempted to negotiate a separation from
the anesthesia provider. NAPA, in turn, demanded millions of dollars to waive underlying noncompete agreements. The hospitals took action and sued NAPA challenging the enforceability of NAPA’s noncompete agreements.
On March 19, 2024, a New York District Court denied NAPA’s application seeking temporary enforcement of the noncompete agreement during the pendency of the lawsuit. The Court found that NAPA failed to establish (1) that it would be irreparably harmed if the noncompete agreements were not enforced and (2) that NAPA had a likelihood of success on the merits. In its opinion, the Court noted that this is not a dispute between physicians; rather, this is a dispute between a hospital and an anesthesia management company.
These cases are significant, because they challenge the enforceability of noncompete agreements held by unlicensed management companies against licensed professionals.
On March 5, 2024, the Federal Trade Commission (FTC), Justice Department, and Department of Health and Human Services (the Agencies) jointly initiated a call for public comments regarding small acquisitions by private equity companies in the U.S. healthcare industry. While the parties of mergers valued at more than $119.5 million must notify federal antitrust authorities and adhere to a minimum 30-day waiting period before closing, transactions below this threshold do not require reporting. This exemption has raised concerns about potential adverse effects on workers and patients alike, prompting regulatory scrutiny.
The heightened interest in private equity transactions, particularly “roll-ups” where firms make initial acquisitions and proceed to acquire multiple businesses in the same sector, is drawing attention at multiple levels. Regulatory bodies are also investigating the influence private equity firms wield over corporate boards across various industries. Of particular concern are instances where board directors, often associated with private equity firms, hold seats on rival firms within the same sector. The fear is that such cross pollination of board memberships could diminish competitive dynamics in the marketplace.
In April of this year, the Department of Health & Human Services, Office for Civil Rights (OCR) published a final rule, titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy, to strengthen privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a HIPAA covered entity or a business associate, for either of the following activities:
• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;
or
• The identification of any person for the purpose of conducting such investigation or imposing such liability.
The prohibitions of the final rule apply when the covered entity or business associate reasonably determines that certain conditions exist, as described in the rule. More information can be found in the HHS OCR Fact Sheet.
The Change Healthcare data breach in February 2024 reportedly has been the largest healthcare data breach ever reported to federal regulators. The OCR has stated that approximately 100 million individual notices have been sent to individuals regarding the breach. The effects of the data breach have been far-reaching, including disruption to business operations of healthcare providers, barriers to healthcare claims submissions, delayed payment by insurance companies, and lost revenue due to a need to increase staffing and resources and delayed payments. Resultingly, providers have experienced financial strain and hardship and patients have suffered delays and disruption to their healthcare. The breach also brought heightened awareness and scrutiny of the security practices of HIPAA covered entities and their business associates, as discussed below.
In response to the Change Healthcare data breach as well as other high-profile cybersecurity incidents affecting the healthcare industry, in September of this year, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced a federal bill, the Health Infrastructure Security and Accountability Act which, if passed into law, would amend the HIPAA Security Rule and impose mandatory minimum cybersecurity practices on HIPAA covered entities and their business associates. If passed into law, affected health care providers and business associates will need to evaluate, and likely revise and enhance, existing security protections and practices to come into compliance.
This year, OCR has continued its focus on cyber-attacks, following its first-ever settlement involving a ransomware
attack in October 2023 and other settlements relating to breaches resulting from successful phishing schemes. In the second half of this year, OCR settled its third ($950,000), fourth ($250,000), fifth ($240,000), sixth ($500,000), and seventh ($90,000) investigations relating to ransomware attacks, the last of which marked OCR’s first enforcement action in its Risk Analysis Initiative. The goal of OCR’s initiative is to “increase the number of completed investigations and highlight the need for more attention and better compliance with [the] Security Rule requirement” to conduct periodic risk analyses, according to OCR Director Melanie Fontes Rainer.
The takeaway is that we can expect continued OCR and other governmental agency focus on enhancing cybersecurity protections and practices and the imposition of penalties for breaches resulting from violations of the HIPAA Security Rule.
Attorney Advertising: This publication is designed to provide Brach Eichler LLC clients and
contacts with information they can use to more effectively manage their businesses. The contents
of this publication are for informational purposes only. Neither this publication nor the lawyers who
authored it are rendering legal or other professional advice or opinions on specific facts or matters.
Brach Eichler LLC assumes no liability in connection with the use of this publication.
Lani M. Dornfeld | 973.403.3136 | ldornfeld@bracheichler.com
John D. Fanburg, Chair | 973.403.3107 | jfanburg@bracheichler.com
Joseph A. Ferino | 973.364.8351 | jferino@bracheichler.com
Joseph M. Gorrell | 973.403.3112 | jgorrell@bracheichler.com
Carol Grelecki | 973.403.3140 | cgrelecki@bracheichler.com
Keith J. Roberts | 973.364.5201 | kroberts@bracheichler.com
Richard B. Robins | 973.447.9663 | rrobins@bracheichler.com
Jonathan J. Walzman | 973.403.3120 | jwalzman@bracheichler.com
Edward J. Yun | 973.364.5229 | eyun@bracheichler.com
Debra W. Levine | 973.403.3142 | dlevine@bracheichler.com
Cynthia J. Liba | 973.403.3106 | cliba@bracheichler.com
Tracy Miller | 973.403.3102 | tmiller@bracheichler.com
Rebecca T. Falk | 973.364.8393 | rfalk@bracheichler.com
Roseland, NJ | New York, NY | West Palm Beach, FL | www.bracheichler.com | 973.228.5700