Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry
Through its passage, the Inflation Reduction Act (IRA) ushered in several reforms directed at rising prescription drug costs, aiming to lower costs for Medicare enrollees and reduce spending by the federal government. Included in these reforms is the establishment of the Medicare Prescription Payment Plan (M3P), a monthly installment plan that allows enrollees to pay back prescription drug costs over time instead of all at once at the pharmacy. While M3P will reduce monthly out-of-pocket costs for enrollees, it requires plan sponsors to cover all up-front costs until payments are collected. Given the potential for non-payment, Medicare Part D plans would be well advised to prepare and account for potential financial losses.
At the end of last year, the US Department of Health and Human Services Office of Inspector General (OIG) issued an Advisory Opinion (AO 23-11, the Opinion) in which OIG approved an arrangement where a medical device manufacturer would provide up to $2,000 in subsidies to Medicare beneficiaries for cost sharing obligations as part of the beneficiary’s participation in a clinical trial.
Shortly after our prior blog post discussing the need for healthcare entities to shore up protections against phishing attacks, the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to alert members of the healthcare industry of indicators of compromise and tactics, techniques, and procedures used in phishing social engineering campaigns. This recent guidance underscores that phishing attacks have the attention of the FBI and HHS, and that health systems should proactively update their policies, procedures, and security to remain compliant with industry standards.
Phishing, the act of impersonating a person or business to deceive a target into revealing sensitive information, has quickly become the tool of choice for scammers and cybercriminals. In 2023, the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center noted that there were 298,878 complaints of phishing, a significant increase from the 114,702 cases reported in 2019.
The Centers for Medicare & Medicaid Services (CMS) published its Final Rule today to implement a minimum staffing “floor” for nursing homes in the United States, as first announced on April 22. The Final Rule, which as proposed garnered significant attention and opposition, with over 46,000 public comments submitted, reflects the Biden administration’s efforts to implement staffing mandates to ensure quality of care for long-term care (LTC) nursing home residents.
The Boston Bar Association hosted its fifth annual White Collar Crime Conference on May 2, 2024, featuring prosecutors from the US Attorney’s Office for the District of Massachusetts (the Office) and the Office of the Massachusetts Attorney General (the AG’s Office) as well as lawyers from the defense bar.
As noted in our recent LawFlash, the US Department of Justice’s (DOJ’s) COVID-19 Fraud Enforcement Task Force (CFETF) recently released its annual compilation report of its efforts to combat fraud related to pandemic relief programs since 2020. Accompanying the report, Deputy Attorney General Lisa Monaco and the Biden administration announced strong support for creating and securing funding for future data analytics tools like those used by the Pandemic Response Accountability Committee’s (PRAC) Pandemic Analytics Center of Excellence (PACE).
The old adage—March comes in like a lion and goes out like a lamb—didn’t quite hold true for the hospice sector, which experienced a late-month flurry of activity. The government gave the hospice sector a lot to consider, from MedPAC’s suggested freeze on hospice rates to CMS’s 2025 Proposed Hospice Rule (public comments due May 28, 2024) that, if finalized as is, would include a 2.6% payment bump. CMS’s Proposed Hospice Rule lays the groundwork for the long-anticipated Hospice Outcomes and Patient Evaluation (HOPE) quality measures data collection instrument, which will be used to collect data at various points during the hospice stay, not just at admission and discharge.
Washington’s My Health My Data Act (MHMDA), signed into law last year, is here and goes into effect on March 31, 2024, with small businesses having until June 30, 2024 to comply. As previously reported, the new data privacy law is broad and will have significant impact for both Washington residents and persons whose business or data flows through the state. In brief, the legislation is intended to protect consumer health data not otherwise protected by state and federal healthcare privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued long-awaited updates to the regulations at 42 CFR Part 2 (Part 2) on February 16, 2024. Part 2 is a critical set of rules protecting the privacy of patients receiving substance use disorder (SUD) treatment services and their associated clinical records.