The Health Record - Health Law Insights, Issue 2, June 2024

Ralph (Joe) Hagy, Anthony Huber, Joel Jones, Jr., Brienne Marco, Alexander Turner
Spilman Thomas & Battle, PLLC
Contact
LinkedIn
Facebook
X
Send
Embed

Issue 2

Welcome

Welcome to our second issue of The Health Record - our healthcare law insights e-newsletter!

During the summer months, our firm is pleased to host a talented group of law students, who get the opportunity to research and write, shadow our attorneys, and learn about the practice of law in a firm setting. As young professionals still deeply involved in higher education, our Summer Associates will be contributing to our summer publications and sharing their perspectives as both students and future legal practitioners. Please join us in welcoming Taiesha Morgan, Jamie Martines, Elijah Stephens, and Ethan Norris to The Health Record team for this special summer edition.

Thank you for reading!

SCOTUS Agrees to Review Medicare DSH Payments Case

“The suit, Advocate Christ Medical Center v. Becerra, was originally filed in 2017 by a group of more than 200 hospitals over the agency’s formula used to calculate outlays.”

Why this is important: The United States Supreme Court has agreed to hear an appeal of a case, originally filed in 2017 by a group of over 200 hospitals, challenging how the Department of Health and Human Services (DHHS) applies the formula for calculating disproportionate share hospital (DSH) adjustments. DSH adjustments provide additional compensation to hospitals that serve an “unusually high percentage of low-income patients.” DHHS has interpreted the program as applying only to patients who receive cash payments for supplemental social security income (SSI) benefits during the month of their hospital stay. The hospitals argue that this approach is inconsistent with prior case law that held that individuals are entitled to Medicare Part A benefits if they qualify for Medicare, whether or not Medicare pays for the hospital stay in question. The lower court sided with DHHS, but the U.S. Supreme Court has granted certiorari and will hear the case. The Supreme Court’s decision is important to hospitals because DHHS’s calculation excludes SSI-eligible patients from the calculation, and this results in losses of more than a billion dollars annually to hospitals, especially those that serve the most vulnerable patients. --- Taiesha K. Morgan

Telehealth Extensions May Not Happen Until Late in the Year

“On the upside, telehealth leaders remain confident that Congress will approve legislation that would allow health systems and providers to continue offering virtual care and hospital-at-home programs.”

Why this is important: On May 16, the U.S. House Energy and Commerce Subcommittee approved the Telehealth Modernization Act, a bill that has bipartisan sponsorship and would continue many telehealth flexibilities that were implemented during the COVID-19 public health emergency, which are set to expire December 31, 2024. In particular, it would remove geographic originating site restrictions for two years and continue the hospital-at-home program for an additional five years. Although telehealth advocates, like the American Telemedicine Association, have urged Congress to enact permanent reforms, they believe it is more likely that Congress will approve another short extension instead of a permanent extension this year. They are further predicting that lawmakers will not take up the legislation until after the election this fall, but they are confident that an extension will be approved. --- Brienne T. Marco

Hospitals are Hacked, Then Sued. Is It Fair?

“Hospitals' insufficient data protections are less about negligence and more about need, according to Hamilton, who frequently assists these organizations post-breach.”

Why this is important: Investing in cybersecurity can be costly. But, responding to a breach can carry a heftier price tag. According to research from IBM, in 2023, the average healthcare data breach cost $10.93 million after costs related to detecting the breach, notifying affected individuals, and lost business were totaled. That figure does not include legal costs related to the lawsuits and settlements that will likely follow. Making data security improvements upfront can prevent expensive remedial measures in the long run.

Taking such steps is becoming even more critical. Data breaches are on the rise in 2024, with publicly reported incidents in the U.S. nearly doubling in the first three months of the year compared to the same period last year, according to research from the Identity Theft Resource Center. While most businesses have data to protect – whether that information is related to customers, clients, business contacts, or employees – those operating in the healthcare space are especially vulnerable to cyberattacks and are among the most attacked due to the sensitive, personal nature of the data in their care, according to the Identity Theft Resource Center’s report.

Keep in mind that data breaches are not always caused by mysterious hackers in a faraway place. They could also be the result of weak security protocols, like failing to establish a routine for protecting shared online workspaces or documents shared over the internet. Further, hospitals are not the only institutions that should be concerned with protecting health-related data. Nursing and personal care homes, schools and universities, along with public health organizations and government health departments, should consider how secure the data in their charge is protected as well. --- Jamie L. Martines

Balancing Trust and Technology: The Role of AI in Patient-Pharmacist Interactions

“Furthermore, patients have shown diverse preferences across all aspects of care in relation to a desire for transparency around the use of AI tools in their care.”

Why this is important: Artificial Intelligence (AI) has been around since the 1950’s. The original theory can be associated with Alan Turing; he reasoned that the same process of storing information and accessing it to solve problems, at that time unique to humans, could be replicated in machines. One of the first AI programs was created by Herbert Simon and Allen Newell, by the name of Logic Theorist, used to perform automated reasoning. Nevertheless, the technology that we encounter today is far different. Similarly, the practice of modern medicine has been around for quite some time, yet the methods used by pharmacists today are far different from that which was used in its infant stages.

The significance? Some processes naturally develop as more information and technology become available. It just happens that we have a unique case where medicine and AI intersect on an important issue, pharmacy. Are we ready to trust AI in our interactions with our pharmacist? Studies, observed by Casey Olsen, PharmD, show that when a patient’s visit with a medical professional is combined with a computer in the room, the perception from the patient is that the medical expert is not compassionate toward them, nor are they professional. An issue that medical professionals find with the implementation of AI is the risk of patients no longer feeling as if they can be honest with their healthcare specialist. The study quotes an individual by the name of Nelson who states, “There are people that bring up concerns that they don’t want to [mention] because they’re being recorded.” Many others feel similar.

However, results from a survey asking citizens how they feel about AI’s implementation in pharmacy, yielded surprising results. In the study, 50 percent of the people who participated preferred AI-Guided Care, whereas, the other 50 percent preferred Human-Guided Care. Results like these are one of the major catalysts for AI’s intersection with the medical practice, specifically pharmacy. This is likely because of a younger population, who are more familiar with and trusting of technological advances.

In sum, knowledge in pharmacy and AI is constantly developing. With this comes a better understanding of what processes work best. AI seems to be the future of many different professions, and pharmacy is not the exception. Though many are weary of what AI-Guided Care might mean for the future, it is worthwhile to consider how many technological advances have occurred in pharmacy. In doing so, one may realize that the pharmacy of their day, was the pharmacy of the future. AI may not be ready to be the sole foundation for which pharmaceutical practitioners rely, but it can definitely be of assistance, as it has in many other professional fields. --- Elijah J. Stephens

Getting Ready for Generative AI in Academic Medical Centers

“Both are wary of introducing generative AI too soon, before clinicians and data scientists understand where it is actually useful and how to handle its risks.”

Why this is important: In this article, Dr. Keith Morse from Stanford Medicine Children’s Health and Dr. Armando Bedoya from Duke Health discuss the benefits and challenges that AI poses to clinical care in academic medical centers. Both commented on the potential of generative AI to enable physicians to more easily and thoroughly incorporate patient data into their diagnosis and care. Generative AI can access patient data from physician notes, medical records, and if given access, the patient’s personal devices. The input of this information enables the AI to analyze patterns to create a product that assists the user.

Importantly, the Drs. spoke about handling AI bias, utilization of AI for workflows, and the creation of AI tools. AI creates a potential risk for patients because it learns from the data put into it. This can lead to biases that negatively impact the care of minority patients. Dr. Bedoya indicated the importance of creating governing procedures that ensure bodies within the academic medical center are checking for potential bias in AI models at every step in the process of implementing those models.

Another challenge with AI is the lack of familiarity physicians have with both the benefits and risks of using AI for patient care. Dr. Morse explains how a lack of familiarity can result in physicians not using AI models that have been implemented at their work to their fullest extent. Rather than an explosion in use of the AI model, he realizes that without experience in how AI could help them, physicians wouldn’t use the AI for its intended purpose.

AI can also pose a legal challenge with access to patient information. Regulations created under the Health Insurance Portability and Accountability Act (HIPAA) require covered entities and business associates to ensure the confidentiality of protected health information that they receive, create, maintain, or transmit. Covered entities are health plans, health care clearinghouses and health care providers that electronically transmit any health information. However, AI developers and vendors may not be regulated by HIPAA if they do not qualify as a business associate. This may limit a medical center’s ability to use the AI, which requires data input to generate helpful responses.

Educating physicians about and exposing them to generative AI in their field is an important part of implementing AI safely and effectively in an academic medical center. Providing physicians with opportunities to learn about the risks and uses of AI models they have access to can address reservations about using AI and reinforce best practices. Additionally, Dr. Morse encourages physicians to attend conferences with colleagues who use AI to be able to discuss ways AI has improved their workflows and increased productivity. --- Ethan S. Norris

Delegation Urges HRSA to Better Classify W.VA.

“This classification determines communities’ eligibility to receive certain federal healthcare resources, and adopting ruggedness in the definition will ensure that West Virginia communities receive the federal funding they deserve.”

Why this is important: United States Senators Joe Manchin and Shelley Moore Capito, and United States Representatives Carol Miller and Alex Mooney recently requested that the Health Resources and Services Administration (HRSA) consider terrain factors in the agency’s definition of rural. Communities designated by HRSA as rural are eligible to receive certain federal health care resources, such as Federal Office of Rural Health Policy (FORHP) grants. If HRSA were to account for terrain when determining eligibility for FORHP grants, more communities in West Virginia may be eligible for such grants, which would help to support health professionals and improve access to quality health care in West Virginia. --- Brienne T. Marco

Avoid the Top HIPAA Violation: Read Our Guide to HIPAA Compliant Email

“The Office for Civil Rights receives around 60,000 notifications of data breaches each year, of which many thousands are wrongful disclosures of Personal Health Information attributable to email failure.”

Why this is important: Email security breaches resulting in prohibited dissemination of Personal Health Information (PHI) are the most common HIPAA violations, for several reasons. Institutional inertia and reluctance to adopt new or appropriate technologies, particularly in dealing with complex and difficult HIPAA compliance, continuously create a stream of actionable HIPAA violations for many medical practices and institutions.

HIPAA email compliance takes a concerted effort in the present medical, legal and technological environment. The first step is developing an email compliance plan that takes into account security, ease of use by end user, and archival, retention and search features. This means that no free email service, including Gmail, Yahoo, Hotmail, AOL and others, is permissible for HIPAA compliance and PHI security. Even many paid, non-customized email services such as Google Workspace or Microsoft Office/Outlook are insufficient without appropriate customization specifically for HIPAA and PHI compliance.

A HIPAA compliant email service will ideally have end-to-end encryption, phishing, spam and virus protection, and will be end-user friendly and easy to use. Portal logins became fashionable over the past several years, but many are poorly designed, with too many login steps, password restrictions, and even device restrictions, such as requiring a phone app to use with no desktop or web accessibility. Compliance officers need to balance information security with patient satisfaction. --- Anthony L. Huber

Battle Brews Over Nursing Home Staffing Requirements

“Nursing homes have filed a lawsuit aiming to upend new federal regulations that would impose staffing requirements at nursing homes.”

Why this is important: As a consequence of a steadily increasing population of elderly Americans, the quality of care in nursing homes has been highlighted by the Centers for Medicare & Medicaid Services (CMS) rule providing for minimum staffing standards in long-term care facilities. Facilities may use any combination of nurse staff (RN, licensed practical nurse [LPN] and licensed vocational nurse [LVN], or nurse aide) to account for the additional 0.48 HPRD needed to comply with the total nurse staffing standard. The new rule will require 3.48 hours per resident per day of nursing care, which will include 0.55 hours per day of care from an RN, and 2.45 hours per day of care from nursing aides. The American Healthcare Association has filed suit in the Northern District of Texas to block the staffing requirements, citing concerns that the new rule will negatively impact patients by preventing their discharge to nursing facilities that are already facing labor and cost challenges. Additional considerations have been whether the new rule will restrict patient access to care in rural or underserved communities, where workforce levels are already a challenge, essentially forcing hospitals to leave much needed beds empty due to insufficient staffing. In contrast, proponents of the rule suggest that the quality of care should be prioritized over labor and operating cost factors, and that patient outcomes should never be compromised. These arguments cite poor outcomes, and an increase in conditions such as pressure ulcers and patient falls, as a consequence of insufficient staffing in nursing homes. While the battle wages through the court system, this rule has garnered bipartisan support from across the political spectrum, and the outcome of the pending litigation will impact patients and providers alike. --- Ralph "Joe" J. Hagy

Physician's Contract Ordeal Reveals Flaws in Corporate Practice of Medicine Laws

"’Not a single physician leader’ could assist in contract negotiations.”

Why this is important: The growing trend of ownership and management of medical practices by non-medical entities has created a predictable friction between medical professionals and non-medical management, most notably within private equity. State corporate practice of medicine laws generally prohibit non-physician ownership of medical practices, but structures have been developed in recent years that bifurcate medical and non-clinical personnel and assets in a practice acquisition, with private equity generally taking a significant ownership interest in non-clinical assets, while appointing a friendly licensed physician to make clinical management decisions.

For example, Jason Liebowitz, a rheumatologist, was previously enjoying his position at a physician-owned practice until it was acquired by a private equity group. Along with the new ownership, Dr. Liebowitz was required to agree to a 100-mile, 2-year noncompete agreement. Dr. Liebowitz was not able to negotiate out of the noncompete, and could only deal with non-medical management at the private equity firm. After being pressured to either agree to the noncompete or resign, Dr. Liebowitz resigned and now works at Columbia University.

In the absence of meaningful and forceful assertion of their independence and professional judgment, medical professionals should expect the continued growing occupation of the industry by private equity, as newly developed non-medical acquisition structures continue to grow unchallenged, and private equity has effectively unlimited funding to acquire practices, which is in opposition to comparatively limited resources of a more traditional acquiring physician practice group. --- Anthony L. Huber

Senator Asks FTC, SEC to Investigate UnitedHealth’s Cybersecurity Practices

“Sen. Ron Wyden requested that the FTC and SEC chairs investigate UHG’s ‘numerous cybersecurity and technology failures’ to determine whether federal laws were broken."

Why this is important: UnitedHealth Group (UHG) had a significant ransomware attack in February 2024 where bad actors exploited a remote access server that was not protected with multifactor identification. This recent attack was on top of a data breach UHG suffered in October 2022. In addition to $22 million in costs associated with the attack, and the need to shut down the entire data clearinghouse that serves most U.S. medical providers, UHG is now subject to Congressional investigations and increased regulatory scrutiny. Even though the February ransom attack occurred months ago, at a Congressional hearing earlier this month, UHG’s CEO still could not identify the extent of the exposure of patient and employee data as a result of the ransom attack. Following that hearing, Senator Ron Wyden (D-Ore.) sent a letter to the Federal Trade Commission and the Securities and Exchange Commission asking them to open investigations into UHG’s failure to adequately protect patient and employee data. These requested investigations would be in addition to the Health and Human Services Office for Civil Rights’ current investigation into these attacks in relation to UHG’s compliance with HIPAA. All of this because UHG failed to take the simple and inexpensive step of putting multifactor authentication on a remote access server. This just goes to prove that cybersecurity and data privacy do not need to be complex and expensive in order to be effective. UHG likely has state-of-the-art cybersecurity in place, but was taken down due to a likely oversight that resulted in a simple tool not being implemented in the correct place. That is why planning and starting with simple solutions first is so important. If your organization needs assistance implementing a comprehensive cybersecurity and data privacy plan, please contact a member of Spilman’s Cybersecurity and Data Privacy Practice Group. --- Alexander L. Turner

 

Feature Attorney Question & Answer

We are excited to introduce you to our large healthcare law team. To help you get to know our team a little better, we are highlighting an attorney in each issue by asking them a healthcare-related question. We hope their response will be insightful for you.

Academic Medical Centers (AMCs) face unique challenges in the healthcare space. What key issues should you be aware of for these particular medical facilities?

Erin Jones Adams, Member in the Winston-Salem Office and Co-Chair of Spilman's Education Practice Group

"AMCs are unique in their delivery of both healthcare and education services. While there are many compliance-related challenges for AMCs, the most immediate is the impending changes to Title IX regulations effective August 1. As institutions that receive federal financial assistance and sponsor residency programs and clinical rotations, among other education-focused activities, AMCs are generally subject to Title IX regardless of their affiliation with a university system. The 2024 amendments to the Title IX regulations expand the scope of sex discrimination and sex-based harassment covered by Title IX and, in turn, the instances when AMCs must follow special Title IX procedures to resolve these complaints in their education programs and activities. To complicate matters, pending lawsuits challenging the 2024 amendments have recently resulted in preliminary injunctions staying enforcement of the new regulations in 10 states. Thus, depending on the state in which an AMC is situated, August 1 may bring continued operation under the 2020 regulations for some period or necessitate complete implementation of the 2024 amendments. In any event, AMCs are encouraged to continue the time-sensitive work of preparing to comply with the 2024 amendments and consult their legal counsel regarding the timeline for effectuating these changes where the injunctions apply.

In addition to Title IX, research compliance continues to be a key issue for AMCs. In addition to protecting patient health information under HIPAA, AMCs involved in clinical trials and research studies must continually monitor their compliance with applicable protocols, informed consent procedures, billing and coding processes, proper handling of research data, adverse event reporting, and funding agency regulations. AMCs must also ensure their adherence to accreditation standards and obligations concerning the ownership, licensing, and commercialization of intellectual property. Adequate liability insurance and quality assurance programs are also essential in this context. As well as impacting research funding and institutional reputation, non-compliance can compromise eligibility for ongoing participation in federal programs, prompt litigation with research sponsors, and cause monetary harm.

In sum, there is no shortage of challenges for AMCs. A knowledgeable attorney who is well-acquainted with AMCs and their unique circumstances can be a valuable resource.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Spilman Thomas & Battle, PLLC | Attorney Advertising

Written by:

Spilman Thomas & Battle, PLLC
Spilman Thomas & Battle, PLLC
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Spilman Thomas & Battle, PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide