A New Era in Healthcare Regulation & Compliance

Loper Bright Shifts Statutory Interpretation Powers Back to the Courts.

On June 28, 2024, the Supreme Court overturned the Chevron doctrine with its decision in Loper Bright Enterprises v. Raimondo.  Under Chevron, courts have historically deferred to a federal agency’s interpretation of ambiguity in statutes that the agency administers.  Courts premised Chevron deference on the notion that Congress implicitly delegated the interpretation to the agency.

In contrast, Loper Bright rejects Chevron’s assumption of implicit delegation:  “When the best reading of a statute . . . delegates discretionary authority to an agency, the role of the reviewing court under the APA is, as always, to independently interpret the statute and effectuate the will of Congress.”

Loper Bright’s requirement for independent judicial judgment as to whether an agency acted within its authority granted by Congress will necessarily require courts to review agency interpretations on a case-by-case basis.  A court may still defer to or “seek aid from” an agency’s interpretations and consider the agency’s “body of experience and informed judgment,” but courts will also employ far more discretion to disagree with an agency’s interpretation of statutory ambiguity.  Now, more readily, a court may weigh “other information at its disposal” and potentially give increased weight to the perspectives of litigants and amici over agency expertise.  Even where a court finds an agency’s interpretation reasonable, the court may still replace the interpretation with its own.

Some caution is in order, though, because the post-Chevron landscape will not be the same for all agencies.  The Supreme Court acknowledged that there are statutes calling for greater degrees of deference in specific circumstances.  For example, banking agencies receive great deference for their interpretations of federal banking law.  This is not due to the across-the-board presumption, from Chevron, that the Supreme Court overturned.  Rather, it was a judicial reaction to the specific concerns that Congress addressed in federal banking law.  These statute-specific forms of deference tended to merge into Chevron over the years.  But the underlying precedents are still there, and courts may revive these statute-specific deference doctrines.  This possibility is particularly pertinent in healthcare, because, for example, the lower courts have long deferred to CMS interpretations of the Medicare Act, in a manner that might survive Loper Bright.   

Continue Reading

Lawmakers Request Comments from Health Stakeholders on Medical Research and Care Delivery Reforms


On June 6, 2024, Reps. Diana DeGette (D-CO) and Larry Bucshon, MD (R-IN) released a letter requesting information from stakeholders on their 21st Century Cures initiative, a policy effort focused on medical research and health care transformation and reforms. With this opportunity to comment, the lawmakers have renewed their commitment to developing the initiative with the support of the health community, nearly eight years after the passage of the 21st Century Cures Act (Pub. L. 114-255).

Enacted in December 2016, the bipartisan 21st Century Cures Act was led by Reps. DeGette and Fred Upton (R-MI) and represented a landmark legislative effort to accelerate health research and delivery reforms across the United States. The legislation aimed to expedite the discovery, development, and delivery of novel treatments and cures and provide these advancements to patients efficiently. The bill allocated substantial funding to the National Institutes of Health (NIH) to support cutting-edge biomedical research; specifically, it provided $4.8 billion over 10 years to the NIH to support the Precision Medicine Initiative, the Brain Research through Advancing Innovative Neurotechnologies (BRAIN) Initiative, and cancer research through the Cancer Moonshot. Additionally, the legislation streamlined regulatory processes at the Food and Drug Administration, including provisions to speed up the review of novel therapies, encourage the use of real-world evidence in approvals, and allow for adaptive trial designs. Notably, it also introduced crucial reforms in mental health care, supported advancements in health information technology, and emphasized the importance of patient perspectives in the development and regulation phases for emerging drugs.

Continue Reading

Australian Privacy Regulator Commences Penalty Proceedings Against Medibank

Sunrise over Sydney

On 5 June 2024, the Australian Information Commissioner commenced civil penalty proceedings in the Australian Federal Court against Medibank Private Limited (an Australian health insurance provider) in relation to an October 2022 data breach.

On 25 October 2022, Medibank notified the Office of the Australian Information Commissioner (OAIC) of a data breach concerning sensitive personal information of 9.7m Australians (representing approximately 37% of Australia’s total population). As a result of a cyber-attack, malicious actors had gained access to a vast library of customer data which included identity details, government identifiers and medical and insurance records. Over the course of a number of weeks, the malicious actors ‘leaked’ sensitive personal information of Medibank customers and other impacted individuals onto the dark-web in the course of pursuing cyber ransoms from the major insurance-provider. 

Continue Reading

Switching Data – A Potent Tonic for Obtaining CMA Clearance at Phase 1

Handshake and ipad

Customer switching data is an important factor that the Competition and Markets Authority (CMA) considers when assessing the closeness of competition of merging parties. However, as the completed acquisition by Pharmacy2U Limited (Pharmacy2U) of Lloyds Direct demonstrates, switching data can also be determinative when it comes to market definition.

Pharmacy2U is a Distance Selling Pharmacy (DSP) that supplies prescription-only medicines (POMs) in England. POMs are pharmaceutical drugs that require a prescription and are dispensed by a pharmacist. Pharmacy2U also provides other healthcare services, runs an online doctor consultation service and sells a range of health and wellbeing products. Metabolic Healthcare Limited (trading as Lloyds Direct, together with Pharmacy2U, the Parties) is also a DSP and supplies POMs in England. Following the completed acquisition of the entire share capital of Lloyds Direct by Pharmacy2U on 5 October 2023 (Transaction), the CMA called in the Transaction for review and decided to clear the Transaction on 12 March 2024.

Continue Reading

CMS Finalizes a New Rule to Require Extensive API Implementation and Quicker Turnaround for Prior Authorization Decisions: What Payers Should Know

Health applications

On January 17, 2024, the Centers for Medicare & Medicaid Services (“CMS”) issued a final rule regarding interoperability and prior authorization (the “Rule”). CMS-0057-F.  The Rule’s goals, according to CMS, are to facilitate the electronic exchange of health-care data, improve and expedite prior authorization processes, and reduce related burdens for payers, healthcare providers, and patients, with estimated savings of $15 billion over 10 years.  The Rule’s changes focus on two areas: (1) interoperability advancement and (2) prior authorization streamlining.  Both changes target federally regulated health insurers such as Medicare Advantage Organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee-for-Service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers on the Federally Facilitated Exchanges (“FFEs”), (collectively, “Impacted Payers”).

For interoperability advancement, Impacted Payers must implement and maintain four application programing interfaces (“APIs”), which are software that allow other software applications to exchange information and features more efficiently.  These four APIs are (1) the Patient Access API, (2) the Provider Access API, (3) the Payer-to-Payer API, and (4) the Prior Authorization API.  Although compliance dates vary based on payer type, Impacted Payers must generally implement these four APIs by January 1, 2027.

Continue Reading

Private Equity’s Involvement in Health Care Under Increasing Scrutiny


Private equity’s investment in healthcare has increased rapidly over the past decade, and this is now drawing attention from regulators.  Signifying this increased scrutiny is a joint Request for Information (RFI) issued in March by the Department of Justice’s (DOJ) Antitrust Division, Federal Trade Commission (FTC), and Department of Health and Human Services (HHS) seeking comments from the public on “private-equity and other corporations’ increasing control over health care”.  (Access the RFI here.)  While the RFI has made headlines, it is part of a broader regulatory effort to evaluate private equity’s role as a major player in healthcare.  This post summarizes some of those efforts and the concerns among regulators over private equity investment in healthcare that regulators are seeking to address.

Private Equity Investment

Private equity’s investment in healthcare has increased drastically over the last decade.  While exact numbers aren’t available, reliable estimates point to a one hundred and eighty-nine percent (189%) increase in annual private equity deal value in the healthcare industry from 2010 to 2019,[1]  with the number of reported deals increasing from 352 in 2010 to 937  in 2020.[2]  These investments in the industry are wide ranging and include everything from hospitals and physician practices to specialty facilities and managed care plans.[3]  This investment, driven in part by the increasingly complex regulatory environment for healthcare delivery and reimbursement, has engendered speculation and studies on the effect private equity has on the pricing and quality of healthcare services.  A concern among regulators is that private equity is making healthcare more expensive and less effective, and this concern is the driving force behind the actions described below.

Continue Reading

The Status of Non-Competes in Healthcare: How the FTC Rule and Other Recent Developments Affect Non-Competes for Doctors, Nurses, and Other Healthcare Practitioners

Staff In Busy Lobby Area

For healthcare providers and practitioners, the rules surrounding non-competition agreements have evolved rapidly over the last two years, and that evolution accelerated even more this month.  Over the past 18 months, states and the federal government enacted several new laws that substantially limit when healthcare entities can enforce non-competes.  Then, on April 24, the Federal Trade Commission issued a rule that will bar most non-competes in the U.S. if it survives legal challenges (albeit no sooner than late August 2024).  This creates yet another potential hurdle for a healthcare entity seeking to enforce a non-compete.  Going forward, healthcare entities wishing to utilize non-competes with their employees and contractors should ensure they account for all of the following developments.  

The FTC’s rule would bar many healthcare entities from using non-competes, but it arguably would not restrict tax-exempt hospitals and other non-profit providers. 

The FTC rule would cover many healthcare employees in the U.S., but not all of them.  In terms of employer coverage, the rule applies to for-profit healthcare systems, private medical practices, private equity funds, and most other entities that are “organized to carry on business for [their] own profit or that of [their] members.”  The rule does not categorically exempt non-profits, tax-exempt hospitals, and other tax-exempt entities, but these entities will have a good argument that they fall outside the rule’s coverage by its terms.   

From a worker perspective, the rule generally covers non-competes with any “person.”  If the rule covers an employer as set forth above, then it will cover effectively all of their employees, including physicians, nurses, counselors support staff, administrative employees, custodial and maintenance employees, and effectively any employee performing manual work.  One key nuance is that the FTC rule exempts certain “senior executives,” i.e., individuals who earn more than $151,164 annually and serve in policy-making positions.  Thus, even if a rule applies at the employer level, it may not apply to certain senior administrators, department heads, and others in higher level management roles.  The second key exception is that the rule does not apply to non-competes entered into in connection with the sale of a business. 

The FTC rule is facing serious legal challenges, and will not apply at least until 120 days after it is published in the federal register (which currently is scheduled to occur on May 7, which would make the effective date September 4, 2024). The U.S. Chamber of Commerce almost immediately filed a lawsuit challenging the non-compete ban, arguing that the FTC does not have authority under the FTC Act to make rules regulating unfair methods of competition, and that under the U.S. Supreme Court’s “major questions doctrine,” the final rule must be vacated because the FTC acted without clear Congressional authorization. Given the Supreme Court’s increasingly skeptical view of administrative rulemaking of late, these arguments may find favor should they reach the Supreme Court. The Chamber also challenges the final rule on other grounds, including that it impermissibly applies retroactively to existing non-compete agreements, and that it is arbitrary and capricious, as the FTC issued the final rule based on limited and flawed studies without sufficient consideration of the concerns and alternatives raised during the public comment period. Thus, there is a good chance that the rule will not survive legal challenges, and interested parties in the healthcare space should monitor the status of these challenges. 

Continue Reading

Are you Ready for Washington and Nevada’s Consumer Health Data Laws?

Seattle Skyline

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD”– a very broadly defined term – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal America Privacy Rights Act.

Squire Patton Boggs attorneys Alan Friel, Kyle Fath, Niloufar Massachi and Gicel Tomimbang provide a detailed discussion of these new CHD Laws on our Privacy World Blog, which you can read here.

42 C.F.R. Part 2 Final Rule to Align with the HIPAA Privacy Rules

Medical history questionnaire clipboard

The US Department of Health and Human Services, Office for Civil Rights (OCR)
and the Substance Abuse and Mental Health Services Administration issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (Part 2), applicable to certain federally assisted SUD treatment programs (Part 2 Programs), and to SUD patient records (Part 2 Records).

The effective date of the Final Rule is April 16, 2024, and entities have until February 16, 2026, to comply.

The Final Rule includes several changes to align Part 2 more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which applies to protected health information, and to reduce administrative burdens, as summarized below:

Continue Reading

President Biden Announces Groundbreaking Restrictions on Access to Americans’ Sensitive Personal Data by Countries of Concern

On February 28, 2024, President Biden issued a groundbreaking executive order (EO) establishing the framework for new restrictions on transactions involving US persons’ sensitive personal data and “countries of concern,” including China, or related parties.

Continue Reading