Coronavirus/COVID-19

Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

Despite a shifting privacy landscape and passage of the EU’s General Data Protection Regulation (GDPR) in 2016, the United States has lagged in adopting a comprehensive Federal privacy law. Nevertheless, over the past few years, particular states have prioritized consumer privacy to address growing concern regarding the unfettered and largely unregulated collection, use and disclosure of consumer personal information.[1] Following the watershed moment created through passage of the California Consumer Privacy Act (CCPA) of 2018, an increasing number of states have followed suit to pass comprehensive privacy laws. Yet, the question remains regarding how many states must pass similar laws before the Federal government takes on the charge of passing a comprehensive privacy law.

The success of an artificial intelligence (AI) algorithm depends in large part upon trust, yet many AI technologies function as opaque ‘black boxes.’ Indeed, some are intentionally designed that way. This charts a mistaken course.

Trust in AI is engendered through transparency, reliability and explainability. In order to achieve those ends, an AI application must be trained on data of sufficient variety, volume and verifiability. Given the criticality of these factors, it is unsurprising that regulatory and enforcement agencies afford particular attention to whether personally-identifiable information (“PII”) has been collected and employed appropriately in the development of AI. Thus, as a threshold matter, when AI training requires PII (or even data derived from PII), organizations need to address whether such data have been obtained and utilized in a permissible, transparent and compliant manner.

Overview

In this month’s post, in the medical device realm I explore what kinds of inspection citations most often precede a warning letter.  In this exercise, I do not try to prove causation.  I am simply exploring correlation.  But with that caveat in mind, I think it’s still informative to see what types of inspectional citations, in a high percentage of cases, will precede a warning letter.  And, as I’ve said before, joining two different data sets – in this case inspectional data with warning letter data – might just reveal new insights.

On April 20, 2022, the Department of Justice (DOJ) announced a nationwide coordinated enforcement action targeting COVID-19-related fraud involving charges against 21 individuals across nine federal districts, and over $149 million in alleged false claims submitted to federal programs.[1]

This marks the first significant DOJ enforcement action since Attorney General Merrick Garland named Associate Deputy Attorney General Kevin Chambers as the Director for COVID-19 Fraud Enforcement on March 10, an appointment President Biden previewed in his State of the Union address on March 1.

On April 14, 2022, the Centers for Medicare & Medicaid Services (CMS) issued new guidance on the Independent Dispute Resolution (IDR) process, created under the No Surprises Act (NSA) to provide a mechanism for payers and providers to resolve disputes as to appropriate payment amounts for certain out-of-network claims. In addition, the Departments of Health and Human Services, Labor and the Treasury launched two online portals– one to host the IDR process for providers and payers and one to host the patient-provider dispute resolution process for self-pay and uninsured patients.

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

On April 11, 2022, the Drug Enforcement Administration (DEA) released a final rule which amends DEA regulations to now require all applications for DEA registrations, and renewal of those registrations, to be submitted online. The final rule is effective May 11, 2022.

On January 7, 2021, DEA published a notice of proposed rulemaking (NPRM) that proposed requiring that all applications for DEA registrations, and renewal of those registrations, be submitted online. DEA is promulgating this rule as proposed in the NPRM with one exception: DEA is clarifying that Automated Clearing House (ACH) fund transfers will be accepted as payment for registrations and renewals.

On April 7, 2022, the Centers for Medicare and Medicaid Services (CMS) issued guidance terminating numerous blanket waivers applicable to skilled nursing facilities (SNFs), inpatient hospices, intermediate care facilities for individuals with intellectual disabilities (ICF/IIDs), and end stage renal disease (ESRD) facilities.  The amount of blanket waivers ending is notable; while there have been terminations of waivers previously, these were usually limited to a single waiver.

CMS expressed concern “about how residents’ health and safety has been impacted by the regulations that have been waived, and the length of time for which they have been waived.” CMS reported that findings from onsite surveys at these facilities “revealed significant concerns with resident care that are unrelated to infection control.” Accordingly, CMS is acting to remove certain operational flexibilities not directly related to infection control.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.