FEPA: the New Tool in the DOJ’s Fight Against Corruption

Members of our Government Investigations & White Collar team recently presented a timely webinar on the new Foreign Extortion Prevention Act (FEPA).  The Act, which has been referred to as  “the most consequential anti-foreign-bribery law passed in almost 50 years,” allows the DOJ to prosecute foreign officials who demand or accept a bribe from a U.S. citizen or company. Understanding FEPA is critical for US companies with international business interactions and other companies whose business subjects them to US jurisdiction. Read on at the link below for an outline of FEPA’s core provisions and relevant enforcement considerations for companies, international organizations and foreign governments.

FEPA: the New Tool in the DOJ’s Fight Against Corruption | Global Investigations & Compliance Review

The End of “Chevron” or Its Rebirth?

Fishermen in the small town of Cape May, New Jersey, are at the epicenter of a legal challenge that could reshape the landscape of agency authority. The fishermen are challenging the entrenched “Chevron” doctrine, which for years has afforded deference to government agencies with respect to reasonable interpretation of ambiguous statutes. Once again, the US Supreme Court is in the spotlight as it hears pivotal cases – Relentless v. Department of Commerce and Loper Bright Enterprises v. Raimondo, which may presage the dismantling of “Chevron”. Squire Patton Boggs attorneys Keith Bradley, Peter Gould, Rebekah Singh, and Austin Harrison discuss the Court’s review and possible implications in a recent article, available here.

Beware the Ides of March: Four Questions and Answers to Guide Your Organization’s Preparation for the Upcoming Appropriations Process

Federal appropriations provide annual discretionary funding for our government to carry out its mission and, in turn, spur various healthcare organizations towards efficiencies and achievements. Whether you serve an entity interested in the government’s work in disease research or a nonprofit hospital requesting community project funding for infrastructure needs, it is important for those seeking funding provided through Congress’ annual appropriations cycle to understand the process and current legislative landscape.

This year more than most, the process is complex – with timelines that abut and potentially overlap. Fiscal Year (FY) 2024 began on October 1, 2023; in the absence of completed spending bills, government programs are currently being funded via a series of short-term stop-gap funding bills. Lawmakers are still negotiating FY 2024 funding levels, which will expire on September 30. FY 2025 begins on October 1, and the process for determining appropriations for the upcoming fiscal year will begin shortly. 

Continue Reading

Webinar:  The New Foreign Extortion Prevention Act – What It Means for US Companies

On Tuesday January 30, we hope you will join a seasoned team of former Department of Justice (DOJ) prosecutors for what will certainly be a robust a discussion on “the most consequential anti-foreign-bribery law passed in almost 50 years”: the Foreign Extortion Prevention Act (FEPA). Passed as part of the National Defense Authorization Act (NDAA), FEPA allows the DOJ to prosecute foreign officials who demand or accept a bribe from a U.S. citizen or company.   For any entity doing business abroad, understanding FEPA is critical.

Tom Firestone, a key player in drafting the legislation, will be joined by  Kathleen McGovern, former senior deputy chief of the Fraud Section supervising FCPA Unit and former FCPA prosecutor, and Jerrob Duffy, former chief of the DOJ Fraud Section’s Litigation Unit and senior FCPA prosecutor – for a lively and informative discussion. 

Tuesday January 30, 2024

Noon – 1 p.m. ET

Details and registration

Additional insights on FEPA (subscription may be required):

US Antitrust Agencies Release 2023 Merger Guidelines

On December 18, 2023, the US Department of Justice (DOJ) and Federal Trade Commission (FTC) (collectively, the “government”) released the final 2023 Merger Guidelines (the “Guidelines”) which set forth factors and frameworks the government will use when assessing mergers and acquisitions. While the Guidelines are not legally binding, they provide important guidance on how the government may view certain transactions, including those involving healthcare entities. The Guidelines also reflect the Biden Administration’s aggressive stance on merger enforcement. Squire Patton Boggs attorneys Barry Pupkin, Christopher Gordon, Martin Mackowski and Kaitlin Rittgers provide a discussion of the Guidelines and present key takeaways, available here.

Starting this Month, California Health Care Entities Will Need to Provide State Notice of Mergers Set to Close on or After April 1, 2024

In 2022, the state of California passed into law the California Health Care Quality and Affordability Act which requires that health care entities give the state 90-day notice of certain mergers, acquisitions, or other transactions projected to close on or after April 1, 2024.  Review of these transactions began on January 1, 2024.  Health care entities subject to this obligation include payers, fully integrated delivery systems, and providers, including large physician organizations, that meet certain thresholds.  Captured transactions are those that involve the sale of a material amount of assets of a California health care entity or the transfer of control of a California health care entity.  Transactions involving an out-of-state entity may also be captured if a California entity is involved.  Entities already required to file a federal merger control notice pursuant to the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended (the “HSR Act”), are not exempt from this notification requirement.

Notified transactions will be subject to robust and in-depth review by the state.  For any transaction that may raise competition concerns, the state will conduct a cost and market impact assessment and will issue a public report regarding its preliminary findings for public comment.  After receiving public input, the state will issue a final report, and may refer its findings to the state Attorney General for additional review if needed.  The Attorney General may then sue to block any mergers of concern.

California health care entities wishing to merge with or acquire another health care entity should anticipate, at minimum, a three-month long review by the state before closing.  Entities should also be aware of the possibility that any filed notification will become publicly known and available due to the public comment requirement and a separate online posting requirement.  There are limited exceptions in the law, which is broadly written to apply to a wide range of health care entities.  California’s Office of Health Care Affordability (“OHCA”), which is tasked with review of the pre-merger notifications, released regulations in December that broadened the definition of health care entities even further to include pharmacy benefit managers and “any parent, affiliates or subsidiaries that act in California on behalf of a payer” and meets certain criteria regarding control and responsibility.

California joins a growing number of states requiring state-specific notice for health care transactions, including many types of transactions that would not be subject to federal review under the HSR Act.  In May 2023, New York passed a law requiring health care entities to provide the state 30-day notice before closing any transactions.  In August 2023, Illinois passed a similar law that became effective on January 1, 2024.  Ten other states have pre-merger notification requirements for health care entities – Colorado, Connecticut, Hawaii, Massachusetts, Minnesota, Nevada, Oregon, Rhode Island, Vermont, and Washington.  Similar legislation was introduced in Florida, Maine, and North Carolina.  Based on this trend, it is likely several more states will expand health care transaction oversight in 2024. 

Singapore Consults on Groundbreaking Health Information Bill

On December 11, 2023, Singapore’s Ministry of Health launched a public consultation exercise on a proposed Health Information Bill (Bill), with a draft expected to be tabled in Parliament in the first half of 2024.

Whilst extensive industry consultations have been conducted on the proposed provisions of the Bill involving 39 focus groups and over 1,000 stakeholders, this is the first time that the general public at large (including patients) can submit comments.

The Bill will introduce a slew of changes that will have significant impact on healthcare in Singapore.

Mandatory participation by all licensed healthcare providers in the National Electronic Health Records (NEHR)

First and foremost, the Bill will mandate participation by private healthcare providers in a centralized database of patient health records, known as the NEHR.

The policy objective of the NEHR is to achieve more seamless care delivery in Singapore. With an aging population, Singapore projects that more citizens and residents will need to consult multiple healthcare providers whose record-keeping systems are scattered and separate.

Whilst the NEHR was established in 2011, only public healthcare institutions and 15% of private providers in Singapore are using the NEHR. This is because participation in the NEHR by private institutions has to-date only been voluntary.

However, this is slated to change, as the Bill will make it mandatory for all licensed healthcare providers (whether public or private) to contribute data to the NEHR.

Continue Reading

Federal Courts Continue to Grapple with Causation in Anti-Kickback-Based False Claims Act Cases

Courts around the country continue to disagree on the causation standard to be applied in False Claims Act cases based on alleged Anti-Kickback Statute violations.  Two recent federal district court decisions out of the District of Massachusetts, United States v. Regeneron Pharms., Inc., No. 20-11217-FDS, 2023 WL 7016900 (D. Mass. Oct. 25, 2023) and United States v. Teva Pharmaceuticals USA, Inc., No. 20-11548-NMG, 2023 WL 4565105 (D. Mass. July 14, 2023), add to differing conclusions on what the causation standard should be, i.e., “but-for,” “exposure,” or some other, less demanding standard. Squire Patton Boggs attorneys Vipal Patel, Kevin Kumar, and Shams Hirji discuss these cases on our Global Investigations & Compliance Review Blog, available here.

Singapore to Pass Comprehensive Health Data Law

On December 4, 2023, Singapore’s Ministry of Health (Ministry) announced that the nation’s first ever comprehensive health data law, the Health Information Bill (Bill), will be introduced in mid-2024.

A set of Cyber & Data Security Guidelines for Healthcare Providers (Guidelines) was also published. Of particular importance is that these Guidelines will frame and eventually be imposed as regulatory requirements under the Bill.

Objective

The healthcare sector has been identified as among the top three targets[1] of cyber attacks. Ransomware and phishing are especially pervasive, with more than one ransomware case reported every three days to the Cybersecurity Authority of Singapore[2]. This statistic is not only representative of Singapore, but appears to be experienced in other parts of the globe. In August 2023, a major healthcare provider in the United States suffered a ransomware attack that compromised its network of 17 hospitals and 166 outpatient clinics across various states, with about 500,000 personal data records being exposed on the dark web, including social security numbers, medical profiles, financial and legal information. Critically, the incident also caused a complete suspension of its clinical operation services.

It is against this backdrop that the Guidelines aim to provide much-needed, urgent guidance and regulatory certainty to healthcare providers as to the requirements for securing the confidentiality, integrity and availability of health information against unauthorized access and other risks. Noting the surge in cyber threats and security risks amplified by increasing digitalisation in the healthcare industry, there is a greater need to address their impact on patient safety and care quality, beyond just privacy and confidentiality. Breaches can also be extremely costly, insofar as they involve recovering affected systems and restoring lost data, as well as irreparable reputational damage.

Scope of applicability

To that end, the Bill aims to ensure the safe and secure processing of health information, with a view to enhancing the overall quality and continuity of care for patients.

“Health information” is defined to include both administrative data and clinical data. “Administrative data” refers to any personal information relating to the consumption or provision of a healthcare service, such as demographics, contact information and details pertaining to the utilization of a healthcare service. “Clinical data” means any information about or relating to either or both of the physical and mental health of an individual, and their diagnosis, treatment and care.

The Guidelines and forthcoming Bill will apply to healthcare providers with systems (including desktops, laptops, servers or devices) that either contain such health information, or connect with other systems that contain such health information. Certain data security requirements will also apply to healthcare providers on pen-and-paper to the extent that these are relevant. However, non-health information such as employee personal particulars are excluded from the scope of the Guidelines and Bill.

Pertinently, the Guidelines do not prescribe extended obligations to healthcare providers’ third party vendors or the latter’s products or services. In other words, providers of clinical management systems and cloud storage services do not have direct obligations, and it will lie on the healthcare providers to ensure that their engagement of such vendors is compliant with the requirements.

Continue Reading

Improving Healthcare Cybersecurity Is a Priority for National Security: U.S. HHS Issues Healthcare Sector Cybersecurity Concept Paper Signaling Forthcoming Cybersecurity Framework

Protecting the healthcare sector from the ever-increasing cyber threat is a matter of national security.  Indeed, on March 1, 2023, President Biden issued the National Cybersecurity Strategy where the President emphasized the need  to defend “the systems and assets that constitute our critical infrastructure [as] vital to our national security, public safety, and economic prosperity.”  Undoubtedly, the healthcare sector is central to the nation’s critical infrastructure, and it remains vulnerable to increasing cybersecurity risks.  The U.S. Department of Health and Human Services (“HHS”) reports a 93% increase in large healthcare sector breaches from 2018 to 2022 with a 278% increase in reported cyber incidents involving ransomware for the same period.  And the ongoing cyber threat is not expected to lighten up anytime soon.  Notably, under HHS supervision, the Federal Government and industry will continue to work together to create a reliable cybersecurity framework to help secure the national healthcare system and protect patients from these rising cyber threats. 

As a spinoff of the National Cybersecurity Strategy, HHS issued a Healthcare Sector Cybersecurity Concept Paper to provide an “overview of HHS’ proposed framework to help the healthcare sector address these cybersecurity threats and protect patients.”  The Concept Paper outlines HHS’s four-part path forward to creating a reliable cybersecurity framework. 

Step 1:  Establish Voluntary Cybersecurity Goals

The first step on the path is HHS’s goal to establish and publish voluntary sector-specific Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (“HPH CPGs”). The intent of the HPH CPGs is to set “a clear direction for industry and helping to inform potential future regulatory action” from HHS to minimize the confusion created from multiple different standards and guidance. The HPH CPGs “will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

Step 2:  Provide Resources to Incentivize Cybersecurity Practices

To mitigate the extreme cost burden that improving a cybersecurity program entails, HHS will work with Congress to obtain “funding to  administer financial support for domestic hospitals’ investments in cybersecurity.”  HHS intends to establish two programs: (1) the upfront investments program to help high-need healthcare providers with the initial costs to implement “essential” CPGs and (2) an incentives program to encourage hospitals to invest in advanced cybersecurity practices.

Step 3:  Implement an HHS-Wide Strategy to Support Greater Enforcement and Accountability

Of course, with clearer rules, will come more enforcement. HHS will seek to have the CPGs incorporated into existing regulations to establish “new enforceable cybersecurity standards” and ask Congress to increase monetary penalties for violations of HIPAA. HHS’s expectation is that all hospitals will meet those sector specific HPH CPGs, and it will increase enforcement efforts as evidenced by HHS’s requests to Congress for more resources and money to investigate potential HIPAA violations, conduct audits, and scale outreach programs.

Step 4:  Expand and Mature the One-Stop Shop Within HHS for Healthcare Sector Cybersecurity

HHS intends on resourcing its “one-stop-shop” cybersecurity support function to the healthcare sector. This “one-stop-shop” will “[e]nhance coordination within HHS and the Federal Government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more.”

So, what is next for those impacted by HHS’s Concept Paper?  The likely best course is to be proactive now and engage how you can with the path laid out above.  Here are three next steps to consider: 

  1. Perform a security risk assessment to drive honest self-reflection on where your organization’s cybersecurity program needs improvement and resources. To ensure objectivity, engaging a third-party security consultant to independently evaluate your organization’s security controls is a best practice. In light of the anticipated increase in enforcement activity, it is important to consider engaging outside counsel to oversee the assessment and provide legal advice with respect to whether your program meets applicable legal and regulatory requirements. By proceeding in this manner, your organization will also be able to assert privilege protection with respect to the assessment findings.
  2. Develop a remediation plan and timeline. Based on the findings of your security risk assessment, your organization should work with the security consultants and counsel engaged to develop a prioritized remediation plan and timeline. By methodically checking off your remediation to-do list based on the risks presented by the gaps identified, your organization can show good faith in the event of a data breach and subsequent regulatory investigation.
  3. Be a voice in the process.  Use the data you learn from your security assessment, industry experience, and on-the-ground knowledge of the threat landscape to engage with relevant Government and industry leaders on where and how the Government and HHS can best support industry.
  4. Talk to your elected officials.  Indeed, as HHS speaks with Congress about funding and resource management, you can complement this goal by speaking with your elected officials to help them shape budgetary (and other) considerations.

Given the race to improve the healthcare sector’s cyber practices, there will likely be many updates over the next year that stem from this Concept Paper.  We will be here to guide you through.

LexBlog