Florida Electronic Health Records Exchange Act Amended – Health Records Maintained by Qualifying Health Care Providers Must Be Stored in the U.S., U.S. Territories, and Canada Only

On May 8, 2023, Governor Ron DeSantis of Florida signed CS/CS/SB 264, amending a suite of Florida statutes to impose heightened requirements on business activities involving foreign interests.  As related to the health care industry, CS/CS/SB 264 amended the Florida Electronic Health Records Exchange Act (“Act”) to, among other things, require “health care providers” that utilize “certified health record technology” to manage health records in an electronic interoperable and digital format to ensure that in addition to maintaining such records in accordance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), the health records must be stored only in environments physically maintained in the U.S., its territories or Canada, effective July 1, 2023.  CS/CS/SB 264 also amended Florida licensure requirements for qualifying health care providers, obligating licensees to comply with the amended requirements of the Act, particularly as related to the security and storage of personal medical information outside of U.S. and Canadian jurisdictions, in order to obtain and maintain a license in Florida.

Key Takeaways and Recommendations

  • Qualifying health care providers must comply with both HIPAA and Florida state requirements for transfers of health care data.  Although HIPAA does not impose specific requirements regarding where health data must be stored, the amendments to the Act require qualifying health care providers in Florida to only store health records in the U.S., its territories, or Canada.  As such, effective July 1, 2023, qualifying health care providers in Florida have heightened health data record storage obligations.
  • Qualifying health care providers must submit a signed affidavit attesting under penalty of perjury that the provider is in compliance with the health records storage requirements of the Act when they submit their initial and renewal license application.  Non-compliant qualifying health care providers may be subject to disciplinary action by the Agency for Health Care Administration, the Florida state agency that regulates health care licenses in Florida. 
  • The applicability of the Act does not depend on where the patient who is the data subject resides, but on whether the entity is a qualifying health care provider under Florida law.  The Act applies to HIPAA covered entities and business associates that are also qualifying health care providers in Florida under the Act.  It also applies to traditionally non-HIPAA covered entities and business associates, such as acupuncturists.  Therefore, the requirements of the Act apply to a broader group of entities that collect health data than HIPAA. 
  • The Act does not directly impose obligations on parties that are not qualifying health care providers under Florida law, such as third-party vendors that provide cloud computing services and other health technology vendors, but effectively prohibits offshoring of data in health records.  To comply with these obligations, qualifying health care providers will most likely contractually flow down the requirement to store health records only in the U.S. and Canada to their third-party vendors via business associate agreements and data processing agreements. 
  • Recent enforcement and regulatory trends suggest the Act is likely the first of many legal and regulatory restrictions that will apply to transfers of sensitive data (e.g., health data) to foreign jurisdictions.  Therefore, third-party vendors providing cloud computing services and other health technologies to qualifying health care providers should be prepared to offer its customers U.S.- or Canada-based data processing, maintenance, and storage options to accommodate legal and regulatory developments.

    Continue Reading

    Antitrust Agencies Target Pharmaceutical Mergers in Enforcers Workshop and Lawsuit

    Last month the Federal Trade Commission (“FTC”) sued to block the $27.8 billion acquisition of Horizon Therapeutics plc (“Horizon”) by the biopharmaceutical corporation, Amgen Inc. (“Amgen”).  The lawsuit was the latest move by the Biden Administration to tackle the high price of prescription drugs, which President Joe Biden described as “excessive” in his July 2021 Executive Order on Promoting Competition in the American Economy.  Notably, this is the first FTC pharmaceutical merger challenge in over a decade.  According to FTC Bureau of Competition Director Holly Vedova, the challenge is meant to send “a clear signal to the market: The FTC won’t hesitate to challenge mergers that enable pharmaceutical conglomerates to entrench their monopolies at the expense of consumers and fair competition.”

    Although neither Amgen nor Horizon operates in the same prescription drug market, the FTC alleged that Amgen, a biopharmaceutical giant, could substantially lessen competition in select markets by offering discounts to insurers and pharmacy benefit managers (“PBMs”) on certain drugs in exchange for giving their products preferential treatment.  This type of discounting is called “cross-market bundling.”  The FTC was specifically concerned that if Amgen were to engage in cross-market bundling with Horizon’s products, which include the only FDA-approved medications used to treat thyroid eye disease and chronic refractory gout, it would allow the combined firm to “entrench” the products’ current monopolies and inhibit entry of potential competitors.  In response, Amgen and Horizon agreed to pause the transaction until October 2023 but argued that it was novel for an antitrust agency to attempt to block a corporate merger using a theory of cross-market bundling.

    Continue Reading

    Envision’s Bankruptcy Provides Insight Into All That is Ailing The Healthcare Industry

    The increase in bankruptcy filings that restructuring professionals have been expecting is now arriving.  With rising inflation, increased interest rates, tightening credit markets, labor shortages and supply chain disruptions, we are starting to see a dramatic increase in filings.  Last week the American Bankruptcy Institute noted that commercial Chapter 11 filings increased 105% in May 2023 as compared to May 2022 and across the board filings are on the rise as well.

    The healthcare industry is not immune from the pressures impacting the economy.  Indeed in many ways, healthcare has been one of the most impacted industries since the beginning of the COVID-19 pandemic.  According to Debtwire, through the first five months of 2023, we have already seen approximately the same number of healthcare Chapter 11 filings as we did in all of 2022.  Despite the increasing number of pre-pack and pre-arranged Chapter 11 cases, since 2016 half of all healthcare cases have been “free fall” cases, resulting in longer and sometimes more contested proceedings.

    Last month, healthcare company and national hospital-based physician group, Envision Healthcare Corporation and 216 affiliates (collectively, “Envision”) filed one of the largest healthcare Chapter 11 bankruptcy cases in recent history.

    Continue Reading

    Singapore Open-sources World’s First AI Governance Testing Framework and Toolkit

    Singapore has open-sourced the world’s first AI governance testing framework and toolkit, called “AI Verify”. As a single integrated software toolkit operating within a user’s enterprise environment, AI Verify allows users to conduct technical tests on their AI models, and record process checks for reporting to any shareholders or regulatory bodies. Additional toolkits can be built upon AI Verify, for instance, to take into account sectoral requirements applicable to health care entities. The framework and toolkit can be used by any company looking to develop or deploy AI, to validate performance of an AI system using internationally recognized governance principles such as accountability, safety, human-centricity, and fairness, all of which are in line with the AI governance principles expounded by the OECD, European Union, and the World Health Organization (among others). To read more about this development in Singapore, please see our original blog post on our Privacy World blog.

    Supreme Court Clarifies Knowledge Requirement for False Claims Act Liability

    In April, we previewed two significant False Claims Act (FCA) cases before the U.S. Supreme Court, United States ex. rel. Schutte v. SuperValu, Inc., No. 21-1326 (“SuperValu”), and United States ex. Rel. Proctor v. Safeway, Inc., No. 22-111 (“Safeway”).  The FCA provides that “any person who knowingly presents, or causes to be presented, a false or fraudulent claim” to the United States, or who engages in other related activity as set forth in the statute, is liable to the United States for substantial civil penalties plus treble damages.  31 U.S.C. § 3729 (emphasis added.)  The SuperValu and Safeway cases involved a situation where the defendants were alleged to have subjectively believed their claims were false, but because of ambiguity in the underlying regulations (which limited reimbursement for prescription drugs based on a pharmacy’s “usual and customary” drug prices), it would have been objectively reasonable to have believed the claims were proper.  The question for the Supreme Court was whether in such a situation the defendants could be said to have “known” their claims were false.  After all, so the defendants argued, even if they subjectively believed their claims were false, it was objectively reasonable for them to have believed they were not.

    The answer, according to a unanimous ruling handed down last week in favor of the government and relators and against the defendant pharmacies: “[w]hat matters for an FCA case is whether the defendant knew the claim was false.”  (emphasis added.)  “Thus, if respondents correctly interpreted the relevant phrase and believed their claims were false, then they could have known their claims were false.”  In other words, “[t]he FCA’s scienter element refers to respondents’ knowledge and subjective beliefs—not to what an objectively reasonable person may have known or believed.”  That the underlying regulation “may be ambiguous on its face” was insufficient, according to the Supreme Court, “to preclude a finding that the defendants knew their claims were false.” 

    Squire Patton Boggs attorneys Vipal Patel, Jerrob Duffy, Kathleen McGovern, Benjamin Glassman and Karen Harbaugh discuss this case in detail and provide some possible takeaways on our Global Investigations & Compliance Review Blog, which may be read here.

    Roadmap to the Phased Transition Process for Medical Devices after Covid-19 Public Health Emergency

    On March 27, 2023, the U.S. Food &Drug Administration (FDA) released two final guidance documents to assist with the transition of medical devices that were legally distributed: (1) subject to certain enforcement policies issued during the COVID-19 public health emergency (PHE) or (2) Emergency Use Authorizations (EUAs). Manufacturers, distributors, and industry stakeholders that have products subject to one of these pathways should review the agency guidance if they wish to continue marketing the products. If an entity is not sure whether an EUA applies to a product, FDA has generated a full list at this site.

    On January 31, 2020, the Department of Health and Human Services (HHS) first determined a public health emergency (PHE) existed because of COVID-19.  This PHE determination has been renewed many times, the most recent on February 9, 2023.  However, change is approaching for the regulated industry since HHS recently announced that it is preparing to declare an end to the PHE for COVID-19 on May 11, 2023. As a result, certain industry sectors will be impacted, particularly those that manufacture or distribute medical devices subject to FDA enforcement polices and EUAs issued during the PHE.

    During the PHE, the FDA issued numerous EUAs and enforcement policies allowing manufacturers to quickly develop and distribute products such as masks, medical devices, and ventilators. The EUAs and enforcement policies provided flexibility for manufacturers to avoid the standard requirements for medical devices, such as premarket notifications, that otherwise could lead to significant delay in reaching the market. These flexibilities helped non-traditional manufacturers to provide much-needed medical devices to aid in the nationwide COVID-19 response.   

    Continue Reading

    Healthcare Companies and Companies Doing Business with the US Government – Supreme Court Appears Likely to Clarify False Claims Act (FCA) Knowledge Requirements

    The Supreme Court recently heard oral argument in the appeal of two False Claims Act (FCA) cases from the Seventh Circuit that called into question the level of intent, or scienter, required to establish corporate liability under the FCA for “knowingly” overbilling the government for goods or services.  The Court’s eventual decision may have widespread implications in healthcare, government contracting, and other industries because it may impact how a company can defend against an FCA claim by arguing that its conduct was objectively reasonable, even if, subjectively, the company or its employees may have intended to violate the FCA or did not otherwise take adequate steps to ensure that their conduct was consistent with the statute.  Squire Patton Boggs attorneys Jerrob Duffy and Karen Harbaugh discuss this and the potential implications of the Court’s upcoming decision on our Global Investigations & Compliance Review Blog, which may be read here.

    Sixth Circuit Limits Anti-Kickback Claims Brought Under False Claims Act

    Recently, the Sixth Circuit issued an important decision limiting the scope of claims alleging violations of the Anti-Kickback Statute that are brought under the False Claims Act. In Shannon Martin, M.D., et al. v. Hathaway, et al., No. 22-1463 (March 28, 2023), the court clarified the meaning of remuneration under the Anti-Kickback Statute. Squire Patton Boggs attorneys Colin Jennings, Vipal Patel, Marisa Darden and Shams Hirji discuss the case in detail on our Global Investigations & Compliance Review Blog, available here.

    CMS Blanket Stark Waivers will Terminate Upon End of COVID-19 Emergency

    Earlier this year, the U.S. Department of Health and Human Services (“HHS”) announced the expiration of the COVID-19 public health emergency declarations effective May 11, 2023.  As a result, many of the regulatory waivers and flexibilities available to health care providers, including the blanket waivers applicable to many Stark Law requirements (the “Stark Waivers”), will terminate on that date.

    As we discussed at the pandemic’s outset, CMS issued the Stark Waivers in March 2020 under the authority provided to the Secretary of HHS through Social Security Act Section 1135.  The Stark Waivers were implemented to help providers respond to the then new COVID-19 pandemic and to ensure the availability of sufficient health care resources to address the emergency.  The Stark Waivers applied to a wide variety of arrangements between entities and physicians so long as the remuneration and referrals were related to broadly defined “COVID-19 Purposes.”  Arrangements protected under the Stark Waivers included rental arrangements, some non-FMV services arrangements, certain loans, and others.  The Stark Waivers were understandably welcomed by providers already struggling to address the COVID-19 pandemic.

    While the OIG did not issue specific Anti-Kickback Statute waivers, in April 2020 it did release a Policy Statement setting forth the OIG’s policy that, in light of the unique circumstances of the COVID-19 emergency, it would “exercise its enforcement discretion not to impose administrative sanctions under the Federal anti-kickback statue for certain remuneration “covered by Stark Waivers. In its Policy Statement, the OIG set this policy to terminate on the same date as the Stark Waivers’ termination.  Thus, providers will no longer be able to rely on the assurance provided by the Policy Statement after May 11.

    In light of the May 11 termination date, providers who have structured agreements relying on the Stark Waivers and OIG Policy Statement should act now to either confirm that such arrangements will remain compliant with the Stark Law and Anti-Kickback Statute as of that date, reform such arrangements to bring them into compliance, or possibly terminate some arrangements.  Reach out to your Squire Patton Boggs attorney if you need help evaluating or reforming any agreements in light of this upcoming deadline. 

    The U.S. Department of Justice Loses Another Labor-related Antitrust Case with Jury’s Acquittal of Four Home-Health Operators

    In a blow to the Biden Administration’s goal to heighten enforcement of labor-related competitor agreements, a Maine jury on Wednesday acquitted four home-health operators who were accused of conspiring to fix the wages of home-health workers in the Spring of 2020.  The U.S. Department of Justice (“DOJ”) had alleged that the operators violated Section 1 of the Sherman Act (15 U.S.C. § 1) by making a secret pact to set wages at $15 to $16 per hour and agreeing to allocate workers by not hiring each other’s employees.  The conspiracy was allegedly carried out via an encrypted messaging app and both virtual and in-person meetings.  Those meetings also allegedly resulted in an agreement to recruit other operators to join the conspiracy.

    The not-guilty verdict is the third time in less than a year that the DOJ lost a labor-related antitrust case in the healthcare sector.  In April 2022, the DOJ faced a similar trial loss in Denver when a jury acquitted dialysis provider DaVita, Inc. and its former CEO of allegedly negotiating agreements with rival companies to not solicit each other’s employees.  That same month, a Texas jury acquitted the former owner and clinical director of a physical therapist staffing company of conspiring to lower wages of physical therapists.  The DaVita case and staffing company case were the DOJ’s first criminal no-poach and wage-fixing challenges.

    Continue Reading

    LexBlog