In response to the shifting legal landscape around reproductive health care, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) finalized amendments to the HIPAA Privacy Rule to strengthen privacy protections for highly sensitive protected health information (PHI) related (or potentially related) to reproductive health care. OCR announced the final rule on HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule) on April 22, 2024, which became effective on June 25, 2024. The privacy limitations outlined in this post directly apply to all “Regulated Entities,” meaning that both covered entities and business associates must comply with the HIPAA requirements for PHI pertaining to reproductive health care set forth in the Final Rule.[1] Regulated Entities must comply with most of the Final Rule’s requirements by December 23, 2024. The deadline to comply with requirements pertaining to relevant updates to regulated entities’ Notice of Privacy Practices is February 16, 2026.
Mental Health Parity and Addiction Equity Act Final Rules (“Final Rules”) Are Released: Plans and Issuers Must Prepare for January 1, 2025 Effective Date (US)
The long-awaited Final Rules amending the Mental Health Parity and Addiction Equity Act (“MHPAEA”) were released on September 9, 2024, with the bulk of the requirements going into effect on January 1, 2025. As we previously reported here, in August 2023, the Departments of Labor, Health and Human Services (“HHS”) and Treasury (together, the “Departments”) published proposed rules further regulating insurance coverage for treatment for mental health and substance use disorders. Although the Final Rules appear less burdensome than the proposed rules, they do impose significant changes to the obligations of group health plans and health insurance issuers with a short time to achieve compliance. The key provisions are summarized below.
Key Changes in the Final Rules
The Final Rules’ stated intent is to “strengthen consumer protections consistent with MHPAEA’s fundamental purpose,” which includes reducing burdens on access to benefits for individuals in group health plans or with group or individual health insurance coverage seeking treatment for mental health and substance use disorders (“MH/SUD”) as compared to accessing benefits for the treatment of medical/surgical (“M/S”) conditions.
The Final Rules purport to achieve that goal through four key changes to the MHPAEA:
- Mandating content requirements for performing a comparative analysis of the design and application of each non-quantitative treatment limitation (“NQTL”) applicable to MH/SUD benefits.
- Setting forth design and application requirements and relevant data evaluation requirements to ensure compliance with NQTL rules.
- Increasing scrutiny of network adequacy for MH/SUD benefits.
- Introducing core treatment coverage requirements to the meaningful benefit standard.
Texas Attorney General Settles with Healthcare AI Firm Over False Claims on Product Accuracy and Safety
The Office of the Attorney General of Texas (“OAG”) announced a “first-of-its-kind healthcare generative AI” settlement with Pieces Technology, Inc. (“Pieces”). The settlement related to the Texas OAG’s allegations that Pieces’ advertising and marketing claims about the accuracy of its generative artificial intelligence (GenAI) products were in violation of the Texas Deceptive Trade Practices – Consumer Protection Act (“DTPA”), Tex. Bus. & Com. Code Ann. § 17.58. The Texas OAG states in its press release that the Pieces investigation is a “First-of-its-Kind Healthcare Generative AI Investigation.” Squire Patton Boggs attorneys Julia Jacobson and Gicel Tomimbang discuss the OAG’s action and settlement on our Privacy World Blog, which you can read here.
Stark Law & Mailing Physician-Dispensed Prescriptions: From COVID-19 Waivers to Federal Legislative Action
In August 2024, a federal district court dismissed a lawsuit filed by the Community Oncology Alliance (“COA”), holding that the “in-office ancillary services” exception to the Stark Law does not permit physicians to dispense medications through the physician’s office and then mail prescriptions to the patient’s home. COA v. Becerra, Case No. 23-cv-2168, Doc. 40, United States District Court for the District of Columbia (Aug. 30, 2024).
COA sued the Secretary of Health and Human Services (the “Secretary”) and CMS, challenging the policies presented under certain of CMS’s Stark Law “Frequently Asked Questions” (“FAQs”) as violating the Medicare Act and Administrative Procedure Act. COA alleged that prior to the COVID-19 pandemic, the regulations regarding the “in-office ancillary services” exception permitted mailing prescription drugs to patients. In September 2021 and May 2023, CMS published FAQs taking the position that the “in-office ancillary services” exception does not apply when a patient receives an item outside the physician’s office, including prescriptions delivered by mail, as the prescription would not be dispensed to the patient in the physician’s office. COA argued the FAQs violated the Administrative Procedure Act by not following required rule-making procedures. COA also alleged that if physicians are prohibited from mailing prescriptions to patients, such regulation would violate the Tenth Amendment of the U.S. Constitution by preventing states from regulating how physicians may dispense cancer drugs to patients.
The Changing Labor Landscape for Healthcare Employers
In 2024, healthcare employers have faced several new challenges and developments regarding traditional labor obligations. Unions are becoming more prominent in healthcare, including by unionizing doctors at unprecedented rates and by becoming more involved in government-funded projects. At the same time, federal agencies are imposing significant new labor obligations on healthcare employers, regardless of whether or not they have unions representing their employees. While the Federal Trade Commission’s non-compete rule has garnered major attention (as we discussed further here and here), the National Labor Relations Board has its own new positions on restrictive covenants which arguably impact healthcare employers even more than the FTC rule.
These issues are covered further below. For those interested in more detail, Squire Patton Boggs’ Healthcare Industry Group and Labor and Employment Practice Group will be discussing these developments at two upcoming webinars in October. Those interested in a healthcare-focused employment law update should join us on October 22 for our webinar entitled Emerging Issues in the Healthcare Industry: What Healthcare Employers Need to Know by clicking this registration link. Those interested in more detail specifically about labor law and labor union developments should attend our webinar on October 8 entitled Labor Law’s New Landscape: How Another Year of Groundbreaking Changes Will Affect Non-Union and Unionized Employers at this registration link.
FTC Non-Compete Ban Set Aside Nationwide
On August 20, 2024, a Texas federal judge permanently barred the implementation of a controversial Federal Trade Commission (FTC) regulation that would have invalidated tens of millions of existing non-compete agreements and precluded the adoption of new covenants. We discussed the FTC’s non-compete regulation earlier this year. The decision comes as a relief to employers that feared the FTC’s regulation would have made it nearly impossible to prevent unfair competition and protect employers’ investment in their employees and against the misappropriation of confidential and proprietary information. Squire Patton Boggs attorney Laura Lawless discusses the decision and its implications on our Employment Law Worldview Blog, which you can read here.
Singapore Issues Game-Changing Synthetic Data Guide for AI
On July 15, 2024, Singapore’s Personal Data Protection Commission (PDPC) released a Proposed Guide on Synthetic Data Generation (Guide). The Guide is a resource within the Privacy Enhancing Technology (PET) Sandbox which aims to assist organisations in understanding the techniques and potential applications of Synthetic Data generation, particularly in the context of artificial intelligence (AI), without compromising sensitive data.
In healthcare, where patient privacy and data accessibility are critical concerns, synthetic data presents a promising solution. For instance, it:
- Preserves privacy: Strict privacy and confidentiality rules are necessary to protect highly sensitive data, but these rules often make data sharing difficult, slowing down research and innovation. Synthetic data offers a way around these challenges by mimicking the trends of real healthcare data without linking to actual patients. This allows healthcare organisations to avoid the complexities of data sharing agreements and privacy restrictions, thereby accelerating research and development while staying compliant.
- Improves treatments: By simulating patient data, healthcare providers can evaluate the effectiveness and safety of treatments and tools without compromising patient privacy. This not only improves the accuracy of medical tools but also helps identify potential issues before they are used in clinical settings.
- Enhances research and development: Synthetic data enhances the training and validation of machine learning models, particularly in medical imaging. This provides the ability to augment datasets with diverse and realistic images where real data is limited, thereby reducing costs and labour associated with annotating real images and allowing researchers to refine their models more effectively.
- Enables predictive analytics and personalised medicine: Synthetic data is a valuable tool in predictive analytics which is crucial for personalised medicine. Machine learning models trained on synthetic data can more accurately predict how patients will respond to treatments, leading to more personalised and effective care strategies.
- Reduces risks of data breaches: By mimicking real data without including personal information, synthetic data offers a secure alternative for organisations relying on data for insights.
- Expands data use in education and research: Synthetic data’s benefits extend beyond its primary applications. It can be used for educational purposes, allowing students and professionals to practice on realistic scenarios without compromising patient confidentiality.
To learn more about Singapore’s Guide, please see our original blog post on our Privacy World blog.
Singapore Consults on Cybersecurity Guidelines for AI Systems
As a digital technologies hub in the Asia Pacific region, Singapore is making a big push to advance Artificial Intelligence (AI) technologies across various sectors, including healthcare.
The promise of AI in managing Singapore’s ageing population and enhancing patient care and treatment more broadly cannot be overstated. This spans the ability to better predict and diagnose diseases, enable personalised medicine, and improve remote patient monitoring.
With that said, cyber-attacks and other threats pose very real risks to these AI-driven outcomes being fulfilled.
To address this issue, the Cybersecurity Agency of Singapore has published two proposed sets of guidelines for securing AI systems for public consultation. The consultation closes on September 15, 2024.
To read more about this development in Singapore, please see our original blog post on our Privacy World blog.
Medicare Part D Preemption: Supreme Court Review Uncertain
On July 29, 2024, Pharmaceutical Care Management Association (“PCMA”) filed an opposition to Oklahoma’s petition for writ of certiorari in the United States Supreme Court, seeking review of the Tenth Circuit decision PCMA v. Mulready, 78 F.4th 1183 (10th Cir. 2023). Oklahoma seeks review of both ERISA and Medicare Part D preemption.[1]
Mulready held that Medicare preempted Oklahoma’s Any Willing Pharmacy provision (“Challenged AWP”), which requires a Pharmacy Benefit Manager (“PBM”) to allow the participation of pharmacies in preferred pharmacy networks.[2] Mulready reasoned that Medicare Part D preemption is akin to field preemption and does not require an overlapping federal and state standard to conclude that the state law is preempted.[3] Applying field preemption, Mulready concluded that the Challenged AWP “detracts from the integrated scheme of [Medicare] regulations” by regulating Part D plans above what Medicare laws and regulations require, and as the state law did not concern licensing or plan solvency, it was preempted.
Mulready could have stopped there but did not. Mulready further held that under a conflict preemption standard, the Challenged AWP would still be preempted for Medicare Part D plans because Medicare has its own Any Willing Pharmacy provision (“Medicare AWP”),[4] and other regulations[5] that require Medicare Part D plans (and associated PBM) to allow pharmacies to participate in standard pharmacy networks but do not require participation in preferred networks.
In Purdue Pharma, the Supreme Court Fires a Canon of Construction Through Non-Consensual Third-Party Releases (US)
On June 27, 2024, the Supreme Court ruled in a 5-4 decision that a bankruptcy court does not have the statutory authority to discharge creditors’ claims against a non-debtor without the creditors’ consent (except in asbestos cases). The decision in Harrington v. Purdue Pharma settles a long-standing dispute in the bankruptcy world that will have significant impact on Purdue Pharma and its hundreds of thousands of creditors, and more generally on the bankruptcy practice itself. Squire Patton Boggs attorney Justin Cloyd discusses the case in detail on our Restructuring GlobalView blog, which you can read here.