Health Law Advisor

On October 23, 2024, Dr. Jill Biden, first lady of the United States,  announced the winners of $110 million in awards on behalf of the Advanced Research Projects Agency for Health (ARPA-H) to accelerate transformative research and development in women’s health.

“It’s time for investors, researchers, and business leaders to have [conversations about women’s health], not as an afterthought but as a first thought,” Dr. Biden said in her prepared remarks. “Those kinds of questions belong in your research proposals, in your laboratories, in your pitch decks.”

The awards will go to 23 teams from small startups to global innovators working to further developments in women’s health—with projects ranging from a non-invasive blood test to diagnose endometriosis to a revolutionary treatment for late-stage and metastatic ovarian cancer.

While we wait for long-anticipated federal regulations from the Occupational Safety and Health Administration (OSHA) addressing the issue of workplace violence in health care, activity continues at the state level.

California and North Carolina are among those currently filling the gaps—with the latter bringing law enforcement officers into hospital emergency departments to address the problem, and the former legislating to keep weapons out (through screening devices).

These laws are the latest developments in the national landscape of initiatives designed to address workplace violence in health care facilities. Though a federal OSHA standard is slated to issue by year-end, it remains to be seen whether that will happen and what effect, if any, the 2024 presidential election might have on those plans.

State courts continue to debate whether a state’s constitution recognizes a right to “liberty of privacy” or personal autonomy that would encompass the right to make personal health care decisions, including abortion.

In the post-Dobbs era, state supreme courts have been divided over whether state constitutions offer protections for abortion. Supreme courts in Florida and Iowa have rejected state constitutional protections for abortions, while those in Oklahoma and Montana have found or upheld certain constitutional protections for abortion. Recently, district court judges in Georgia and North Dakota have issued injunctions against their respective state’s abortion bans, finding that each state’s constitution protects a right to abortion.

On September 14, 2024, a district court judge in North Dakota enjoined North Dakota’s total prohibition on abortion, and on September 30, 2024, a superior court judge in Fulton County, Georgia, issued an injunction blocking the state’s six-week abortion ban. While the fate of the North Dakota injunction remains pending, on October 7, the Georgia Supreme Court stayed the lower court’s injunction, allowing Georgia’s six-week ban on abortion to once again take effect. One Georgia Supreme Court justice—Justice John J. Ellington—dissented in part from the decision, opining that “[t]he ‘status quo’ that should be maintained is the state of the law before the challenged law took effect.”

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

On August 5, 2024, the Office of the National Coordinator for Health Information Technology— now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing. The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.

Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.

New and Revised HIT Certification Criteria

The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and for public health agencies. The certification criteria introduced in HTI-2 for payers is the first time that the health IT certification program is being extended beyond the certified electronic health record (EHR) technology developers. Some notable changes include the following:

Most months, I try to answer a well-focused question.  This month, however, I want to simply take a broad look at how FDA conducts its postmarket surveillance study program under Section 522 of the federal Food, Drug, and Cosmetic Act. FDA published a new final guidance on this topic on October 7, 2022, and the agency also made corresponding updates to its database. That gave me the chance to study the data, however incomplete they are.  More on that later.

Overview of the Guidance and the Program

Before I turn to the data, I thought it would be helpful to provide a high-level reminder of what FDA’s postmarket surveillance study program is all about.  As explained in the guidance, Section 522 provides FDA with the authority to require manufacturers to conduct postmarket surveillance at the time of approval or clearance or at any time thereafter of certain class II or class III devices.  I’ll talk more about the question of timing below.

From our Thought Leaders in Health Law video series: In today's complex and rapidly evolving health care landscape, navigating the path of expanding or selling a business requires a nuanced understanding of the intricate state and federal regulatory frameworks.

With states increasingly imposing legislative oversight to safeguard competition, care access, and quality, it's crucial for health care providers, private equity firms, and management organizations to have a strategic partner adept at handling these challenges.

States are imposing prior approval or prior review legislation to allow for more visibility regarding proposed transactions. Much of the legislation seeks to increase oversight of health care entity relationships with management companies and private equity firms.

What does this mean for you?

From our Thought Leaders in Health Law video series: The U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country.

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights published a final rule entitled the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

What are the key takeaways from the Final Rule?

California’s legislature recently passed AB 3129, and it is awaiting Governor Gavin Newsom’s signature. While AB 3129 impacts several different provider types, this article focuses on its impact on Management Service Organizations (MSOs) and Physician Practice Management Companies (PPMCs) as the historically accepted structure for purposes of complying with the prohibitions on the corporate practice of medicine (CPOM). In its initial drafts, AB 3129 seemed highly focused on MSOs and the Friendly PC models for PPMs in the state.

While much of the early language regarding MSOs seems to have been shed from the bill, some ambiguity remains regarding whether, and in what contexts, sponsored MSOs will need to give pre-transaction notice to, or obtain the consent of, the California Attorney General (AG).  A later section of the bill highlights what will likely be CPOM enforcement priorities and is worth the close attention of all MSOs operating in the state.

In August, the United States filed a Complaint-in-Intervention in a False Claims Act (FCA) whistleblower suit alleging that the Georgia Institute of Technology (“Georgia Tech”) and an affiliate, Georgia Tech Research Corp. (GTRC), violated cybersecurity requirements in connection with Department of Defense (DOD) contracts.

The complaint and accompanying press release reflect the Department of Justice’s (DOJ’s) heightened focus on using the FCA to address cybersecurity issues. The DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to sensitive information and critical systems, uses the federal FCA to pursue cyber-related fraud by government contractors and grant recipients.

The U.S. government joins a case originally filed in 2022 by two qui tam whistleblowers, both senior members of Georgia Tech’s cybersecurity compliance team. Both complaints allege that the defendants failed to comply with federal cybersecurity requirements and attempted to obscure this failure by submitting false claims to the government.