On September 1, 2023, the U.S. Department of Health and Human Services, through the Centers for Medicare & Medicaid Services (“CMS”) issued a much anticipated and contested proposed rule that seeks to establish minimum staffing level requirements for nursing homes.  The proposed rule represents the first time the federal government has proposed comprehensive nationwide nursing home staffing requirements, although various states have already enacted their own staffing requirements.

Continue Reading CMS Proposes Minimum Staffing Requirements and Enhanced Facility Assessments for Nursing Homes

On July 21, 2023, the Department of Health Care Access and Information of the California Health and Human Services Agency released a Notice of Proposed Rulemaking (the “Proposed Rule”) with regulations that would implement new financial and ownership transparency requirements for skilled nursing facilities (“SNFs”) in California.

Continue Reading New Transparency Requirements for Skilled Nursing Facilities in California

On June 27, 2023, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) issued a final rule (“OIG Final Rule”) that implements statutory provisions for its enforcement of the information blocking penalties created by the 21stCentury Cures Act (“Cures Act”) and assessment of civil money penalties (“CMPs”) of up to $1 million per violation of information blocking for certain individuals or entities subject to the information blocking requirements.

Continue Reading HHS-OIG Releases Final Rule Implementing Information Blocking Penalties

On July 25, 2023, the U.S. Departments of Labor, Treasury, and Health and Human Services (the “Tri-Agencies”) released long awaited proposed regulations (the “Proposed Rule”) and a Technical Release, which together propose new requirements for comparative analyses of nonquantitative treatment limitations (“NQTL”) under the Mental Health Parity and Addiction Equity Act of 2008 (“MHPAEA”).  On the same day, the Tri-Agencies released their annual report to Congress on implementation of MHPAEA, as required under the Consolidated Appropriations Act, 2021 (“CAA 2021”). 

Continue Reading New Proposed MHPAEA Rule Builds on NQTL Comparative Analysis Standards

On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data with third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.

Continue Reading FTC Announces Enforcement Action Against Ovulation Tracking App Premom

On January 19, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published the Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. The Trusted Exchange Framework established a set of non-binding, foundational principles for trust policies and practices to help facilitate exchange among health information networks (HINs). The Common Agreement under TEFCA developed the infrastructure model and governing approach for users in different networks to securely share basic clinical information with each other—all under commonly agreed-to expectations and rules, regardless of which network they happen to be in. TEFCA’s main goal is to encourage interoperability across the country by developing uniform policies and technical requirements to regulate data sharing and to ensure that all participants can access real-time health information. For a more detailed breakdown of the structure and function of TEFCA see Crowell’s previous post.

The development of TEFCA was mandated by the 21st Century Cures Act. In 2019, the ONC issued a Notice of Funding Opportunity and ultimately appointed The Sequoia Project, Inc. to serve as the Recognized Coordinating Entity (RCE). About a year after the long-awaited TEFCA publication, ONC held an event on February 13th, 2023 to recognize the first set of applicant organizations that were approved as qualified health information networks (QHINs). The approved HINs consist of CommonWell Health Alliance, eHealth Exchange, Epic TEFCA Interoperability Services, Health Gorilla, Kno2, and KONZA National Network. These six potential QHINs agreed to the same data sharing infrastructure, which allows them to connect to one another and enables their participants, including provides, payers, and public health agencies, to exchange health information nationwide. This first cohort of potential QHINs will undergo onboarding over the course of the year. The ONC plans to announce additional QHINs as they are approved by the RCE.

Since TEFCA participation is voluntary, the extent of its impact is limited by the number of entities that apply for QHIN designation. With widespread network participation, TEFCA is intended to:

  • allow networks to securely share and access data
  • make a core set of data available for networks under the Common Agreement
  • curtail the need for entities to join multiple HINs and agreements which will decrease costs and improve efficiency
  • create a common set of privacy and security requirements for HINs and IT developers to protect patient data

Crowell Health Solutions (CHS) recently hosted “Industry Views on the Trusted Exchange Framework and Common Agreement,” a podcast examining the advancement of information exchange governance in our healthcare landscape, the significance and potential impact of TEFCA, the participation of HINs in TEFCA, and the evolution of data sharing and interoperability in the next 10 years. While TEFCA is still in the early stages, CHS looks forward to tracking the progression of the framework and its impact on health information exchange.

To learn more about TEFCA, recent activities and future implications listen to Industry Views on the Trusted Exchange Framework and Common Agreement here.

On March 2, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action against California-based online counseling service BetterHelp, Inc. (“BetterHelp”) for allegedly sharing consumers’ health information, including sensitive information about mental health challenges, for advertising purposes in violation of Section 5 of the FTC Act.

This latest enforcement action comes just one month after the FTC announced an enforcement action against GoodRx for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Where the GoodRx enforcement action marked the first time the FTC enforced the HBNR, the BetterHelp enforcement action similarly sets a new precedent for the FTC: This is the first FTC enforcement action returning funds to consumers whose health information was compromised by BetterHelp’s alleged misdeeds. The proposed order (“Proposed Order”) also sets out extensive requirements to prohibit BetterHelp from disclosing health information for advertising and misrepresenting its information sharing practices. The GoodRx and BetterHelp enforcement actions appear to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumer’s sensitive health information.

The Complaint

According to the Complaint, BetterHelp offers online counseling services by matching users with BetterHelp therapists and facilitating counseling via BetterHelp’s various websites and apps. BetterHelp also offers specialized versions of its counseling services for people of the Christian faith, members of the LGBTQ community, and teenagers. To sign up for BetterHelp’s services, consumers must fill out a questionnaire that asks sensitive mental health questions, such as whether they have experienced depression or suicidal thoughts, have previously been in counseling, or take any medications. Consumers also provide their name, email address, birth date, and other personal information. In its press release on the enforcement action, FTC suggests that consumers are “pushed’ to provide this information by “repeatedly showing them privacy misrepresentations and nudging them with unavoidable prompts to sign up for its counseling service.” Consumers are then matched with a BetterHelp counselor and pay between $60 and $90 per week for counseling.

The Complaint alleges that in recognition of the amount of sensitive health information consumers provide, BetterHelp “repeatedly promised” to keep this information “private and use it only for non-advertising purposes such as to facilitate consumers’ therapy.” However, over a period of seven years from 2013 through 2020, BetterHelp purportedly “continually broke these privacy promises, monetizing consumers’ health information to target them and others with advertisements” for BetterHelp’s services. For example, BetterHelp allegedly shared its users’ email addresses and the fact they were in counseling with Facebook, which in turn identified similar consumers and targeted them with BetterHelp advertisements. BetterHelp also allegedly shared its users’ information with other third-party advertising platforms, such as Pinterest, Snapchat, and Criteo. These advertising efforts reportedly brought in “tens of thousands of new paying users, and millions of dollars in revenue” to BetterHelp. BetterHelp also allowed these third-party companies to use BetterHelp users’ information for their own research and product development, further evidence that BetterHelp failed to contractually limit how third parties could use consumers’ health information.

The Complaint also alleges that BetterHelp “failed to employ reasonable measures to safeguard the health information it collected from consumers.” BetterHelp is accused of not training its employees on how to properly protect user information when using it for advertising purposes and not overseeing its staff’s use of user information.

The Proposed Order

The Proposed Order imposes a $7.8 million fine on BetterHelp, to be paid into a fund, to refund consumers who signed up and paid for BetterHelp’s counseling services between August 1, 2017, and December 31, 2020. The FTC reports that this is the first enforcement action seeking to return funds to consumers whose health information was compromised. In addition to the monetary penalty, the Proposed Order prohibits BetterHelp from sharing users’ “individually identifiable information relating to the past, present, or future physical or mental health or condition(s)” with third-parties for advertising or re-targeting previous users. Further, the Proposed Order requires BetterHelp to:

  • Obtain users’ affirmative express consent before disclosing personal information to third-parties for any purpose;
  • Establish, implement, and maintain a comprehensive privacy program that includes strong safeguards to protect consumer information;
  • Direct third parties to delete the consumer health information and other personal information that BetterHelp revealed to them; and
  • Limit how long BetterHelp retains personal and health information according to a data retention schedule. 

Takeaways

Digital health companies and other companies that operate websites, apps, or connected devices that capture consumer’s sensitive health information should take heed of the FTC’s enforcement actions against both BetterHelp and GoodRx. As evidenced by the BetterHelp enforcement action, companies must safeguard user information and not endeavor to leverage this information for advertising opportunities in violation of promises made to consumers. The BetterHelp enforcement action also underscores the need for appropriate user notification mechanisms to obtain user consent before disclosing their information to third parties. Further, companies should recall from the GoodRx enforcement action that even companies that are not subject to the requirements of the Health Insurance Portability and Accountability Act could still be subject to the HBNR. While the FTC did not allege violations of the HBNR by BetterHelp, further enforcement action could still be looming.

The BetterHelp enforcement action is especially noteworthy as it is the first time the FTC has endeavored to redress consumer injuries for those whose sensitive health information was inappropriately used and disclosed. This is the FTC’s second “first” in the area of health information enforcement in the span of just one month, so companies should be on the lookout for more to come.

For more information or advice regarding this enforcement action or data privacy issues in general, please contact the professional(s) listed below or your regular Crowell & Moring contact.

On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against California-based telehealth and prescription drug discount provider GoodRx Holdings, Inc. (“GoodRx”) for allegedly violating section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, marks the first time the FTC has enforced the HBNR and could signal the beginning of increased scrutiny and enforcement of the HBNR. In addition to imposing a civil penalty of $1.5 million, the Proposed Order prohibits GoodRx from sharing health information for advertising purposes and imposes several requirements on GoodRx, including requirements to (1) obtain user consent for any other sharing of information, (2) seek the deletion of information held by third parties, (3) limit how long it can retain personal and health information, and (4) implement a privacy program.

The Expanding Scope of the HBNR

The HBNR is relatively simple in its requirements as a breach notification rule and requires vendors of personal health records (“PHRs”) and PHR related entities to notify consumers, the FTC, and, in some cases, the media, in the event of a breach of security of unsecured PHR identifiable health information. If a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must carry out its notification obligations.

What is less simple, however, is the scope of the HBNR. The HBNR defines a PHR as an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. A vendor of PHRs is defined as an entity that offers or maintains a PHR, while a PHR related entity is defined as an entity that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of covered entities as defined under the Health Insurance Portability and Accountability Act (“HIPAA”) that offer PHRs to individuals; or (3) accesses information in, or sends information to, a PHR. The HBNR does not apply to HIPAA-covered entities or entities to the extent that they engage in activities as a business associate. This does not necessarily mean, however, that entities performing functions as a business associate are wholly exempt from the HBNR since many business associates engage in both HIPAA-covered activities and non-HIPAA-covered activities.

As further detailed in a previous article, the FTC issued a policy statement in September 2021 (“Policy Statement”) that appears to have significantly expanded the rule’s scope to sweep in a large number of technology companies and activities, including health apps that leverage application programming interfaces (“APIs”). For example, an app is subject to the HBNR if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. According to the Policy Statement, an app that draws information from multiple sources is also subject to the HBNR, even if the health information comes from only one source – for example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from the calendar on the consumer’s phone), it is subject to the HBNR. In addition, the Policy Statement clarified that a “breach” is not limited to cybersecurity intrusions or nefarious behavior, but also covers incidents of unauthorized access such as sharing of covered information without an individual’s authorization.

The Complaint

According to the Complaint, GoodRx is a vendor of PHRs and is subject to the HBNR as it maintains “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The Complaint asserts that GoodRx’s website and mobile apps are electronic records of PHR identifiable health information that are capable of drawing information from multiple sources, and the information is managed, shared, or controlled by or primarily for the user. While PHRs are traditionally considered a rather narrow product focused on patients organizing and managing their health information, the Policy Statement demonstrated that the FTC is taking an expansive interpretation of the HBNR’s definition of “PHR” and, consequently, what constitutes a “vendor of PHRs.” It is little surprise therefore that the FTC considers GoodRx subject to the HBNR, particularly in light of the examples articulated in the Policy Statement.

The Complaint alleges that since 2017, GoodRx “repeatedly” violated its promises to users that it would only share their personal information with limited third parties for limited purposes, would restrict third parties’ use of such information, and would never share personal health information with advertisers or other third parties. Without providing notice to users or obtaining their consent, GoodRx allegedly shared information with third-party advertising companies and platforms, which included potentially sensitive information on prescription medications and personal health conditions, in an effort to provide targeted advertisements to users. According to the Complaint, these disclosures revealed “extremely intimate and sensitive details about GoodRx users” that could be linked to such conditions as mental health conditions, substance addiction, and sexual and reproductive health.

According to the FTC, these disclosures constitute a “breach” (i.e., disclosures without the individual’s authorization) that require notification under the HBNR. As noted above, this is broader than the typical interpretation of “breach,” but as the Policy Statement explained, the FTC is seemingly interpreting the HBNR’s definition of “breach” to cover virtually any sharing of information without the individual’s authorization. The Enforcement Action suggests that, in practice, the FTC may be more likely to enforce the HBNR where the entity repeatedly fails to abide by the statements in its privacy policies.

The Complaint also alleges the following:

  • GoodRx allowed third parties to use GoodRx’s information for their own internal purposes, such as for research and development or advertisement optimization purposes.
  • GoodRx displayed a seal at the bottom of its telehealth services homepage attesting HIPAA compliance, which stated “HIPAA Secure. Patient Data Protected.”
  • GoodRx failed to implement adequate policies or procedures to prevent the improper disclosure of sensitive health information.

The Proposed Order

In addition to imposing a $1.5 million civil penalty on GoodRx, the Proposed Order prohibits GoodRx from engaging in certain practices, requires it to notify individuals as required under the HBNR, and requires it to engage in various activities designed to bolster its compliance program. Specifically, the Proposed Order includes the following prohibitions and requirements:

  • GoodRx is prohibited from disclosing health information to third parties for advertising purposes, and the company must obtain affirmative express consent from users before disclosing their health information to third parties for non-advertising purposes.
  • GoodRx is prohibited from making misrepresentations regarding various aspects related to its information privacy and security practices.
  • GoodRx must provide users notice of the breach and Enforcement Action.
  • GoodRx must instruct third parties that received health information to delete such information.
  • Within 180 days of entry of the Proposed Order, all GoodRx businesses must establish and implement a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of personal information. The program must include, among other elements, policies and procedures, assessments, and mandatory annual training for all employees.
  • GoodRx businesses that collect, maintain, use, disclose, or provide access to personal information must hire an independent third party to conduct an initial privacy assessment and biennial assessments thereafter.
  • GoodRx must annually certify to the FTC its compliance with the requirements of the Proposed Order and report, within 30 days of discovery, incidents of noncompliance.

Takeaways

Digital health companies and other organizations across the health care industry should take note of the Enforcement Action and evaluate whether the HBNR applies to their business, particularly since the FTC appears to have significantly expanded the rule’s scope through the Policy Statement. Although HIPAA-regulated activities are generally exempt from the HBNR, many organizations engage in both HIPAA-covered and non-HIPAA-covered activities. For example, a digital health company may be a business associate with respect to certain products it offers on behalf of a HIPAA-covered entity while also offering direct-to-consumer products that are not subject to HIPAA.  

The Enforcement Action is especially noteworthy as it is the first time the FTC has taken enforcement action under the HBNR, a rule that has been in effect since 2009. As first foreshadowed in the Policy Statement, the Enforcement Action could be a harbinger of increasing reliance on the HBNR as a lever for the FTC to penalize companies that misuse health information and violate their promises to consumers.

For more information or advice regarding the applicability of the Enforcement Action to your organization, please contact the professional(s) listed below or your regular Crowell & Moring contact.

Third Circuit Rules on Manufacturer Restrictions on Contract Pharmacies

The first of three pending appeals on whether a pharmaceutical manufacturer can limit distribution of covered 340B drugs to contract pharmacies resulted in a clear victory for pharmaceutical manufacturers.  The Third Circuit resolved conflicting decisions among district courts within the Third Circuit by ruling that the 340B program did not require pharmaceutical manufacturers to distribute or deliver drugs purchased by 340B covered entities to all contract pharmacies that the entity had partnered with.  Sanofi-Aventis U.S., LLC v. HHS, Case No. 21-3167 (1/30/2023).  The court rejected the government’s contrary interpretation that would have required manufacturers to deliver drugs to any location designated by the covered entity. 

Both cases were filed by manufacturers after the government sent letters stating that manufacturers had violated the 340B program by restricting the delivery of drugs to a covered entity’s contract pharmacies. The manufacturers prevailed in AstraZeneca Pharms. LP v. Becerra, 2022 WL 484587 (D. Del. Feb. 16, 2022), and the government prevailed in Sanofi-Aventis U.S., LLC v. HHS, 570 F. Supp. 3d 129 (D.N.J. 2021).

The Third Circuit decision focused on the statutory language requiring that manufacturers “shall offer” drugs that are available to anyone at any price to “covered entities” for “purchase” at a discount. 42 U.S.C. §256b(a)(1). The court observed that “nowhere” did Section 340B mention contract pharmacies, and further, that neither the word “offer” nor the word “purchase” implied any specific requirement for delivery or distribution.  The court held that 340B “imposes a price term for drug sales to covered entities, leaving all other terms blank.” The court rejected the government’s interpretation that would have given covered entities discretion to fill in the blanks on delivery or distribution so long as they foot the bill. Said the court, “when Congress’s words run out, covered entities may not pick up the pen.”

Not All Statutory Interpretation Issues Were Resolved

The Third Circuit noted that its decision did not necessarily give manufacturers the right to impose any and all conditions on the use of contract pharmacies.  The court noted that it might come to a different result if a drug maker barred all use of contract pharmacies, where a covered entity that lacks an in-house pharmacy would have no way to dispense the drugs and so could not in practice “accept” them. But it refused to speculate on a situation that had not been presented. 

Pending Appeals Could Create Circuit Conflicts

Two other circuits are considering the same issue on appeal.  The government has appealed from a decision in the District of Columbia that two manufactures’ policies of restricting the use of contract pharmacies did not violate the 340B statute. Novartis Pharmaceuticals Corp. v. Espinosa, Nos. 21-cv-1479 (DLF), 21-cv-1686 (DLF) (D.D.C. Nov. 5, 2021) (appeal pending). 

 The Seventh Circuit also heard argument in October of 2022 in a manufacturer’s appeal from an Indiana decision that upheld the government’s interpretation, but no opinion has been issued. Eli Lilly and Company v. Becerra, Case No. 21-3128 (7th Cir.).

States Weigh In

States have also recently weighed in on the treatment and availability of 340B covered drugs dispensed by contract pharmacies. 

In December of 2022, a court upheld 38 Ark. Code Ann. § 23-92-604(c) from a challenge by the Pharmaceutical Manufacturers Association that the law was preempted by the Federal 340B statute.  Pharma v. McClain, Case No. 4:21-CV-864-BRW (E.D. Ark. 12/12/22).  The law prohibits pharmaceutical manufacturers from denying or prohibiting “340B drug pricing for an Arkansas-based community pharmacy that receives drugs purchased under a 340B drug pricing contract pharmacy arrangement with an entity authorized to participate in 340B drug pricing.”  The court held that the 340B program did not preclude states from protecting state interest related to the distribution of pharmaceuticals within the state.  The case is on appeal to the Eighth Circuit. 

Finally, in a policy that became effective on January 1, 2023, Pennsylvania issued guidance that appears to eliminate Medicaid reimbursement for 340B covered drugs dispensed by contract pharmacies. That guidance can be found here:  MAB2022122201.pdf (pa.gov).  The policy arises out of ongoing tension between the Medicaid rebate program and 340B discounted pricing, because a manufacturer is obligated to offer rebates or discounts under only one of these programs on drug purchases.  Failure of state Medicaid programs to earn rebates for drugs that are purchased under the 340B program but reimbursed under the Medicaid program has led to conflicts over, essentially, whether 340B covered entities or state Medicaid programs should receive the financial benefit of Federal drug discounting programs.  In addition, both states and manufacturers have alleged significant documentation errors by covered entities and their contract pharmacies in identifying 340B covered drugs that are dispensed to Medicaid beneficiaries, leading to protracted disputes and requests for recoupment by manufacturers.

Throughout the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) issued a number of waivers and flexibilities to help healthcare providers manage the influx of patients during the Public Health Emergency (PHE). The implementation of the Acute Hospital Care at Home (AHCaH) individual waiver in 2020 allowed qualifying hospitals to provide hospital at home (H@H) programs. These programs provide similar services as those administered during inpatient visits, such as physician visits and monitoring, drug prescription, nursing services, diagnostics, etc. Since its employment, 144 systems including 260 hospitals across 37 states have utilized the AHCaH waiver, rapidly increasing the number of H@H programs in the United States. While the initiative was originally set to expire with the end of the PHE, the AHCaH waiver program was extended until December 31, 2024, with the passing of the Consolidated Appropriations Act, 2023 (CAA 2023). The extension of this program sends a strong message about the importance of permanently integrating home-based care delivery models into our healthcare system. Despite the lengthy extension, the nature of this waiver program remains temporary and the concerns about the expiration effects on relevant stakeholders continue to be pertinent.

Continue Reading Hospital at Home Programs Extended, But Final Push Is Needed