On September 26, 2024, the Health Infrastructure Security and Accountability Act was introduced in the U.S. Senate. The bill would amend the Health Insurance Portability and Accountability Act (HIPAA) and direct the U.S. Department of Health and Human Services (HHS) to develop new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates.” It would further mandate annual cybersecurity audits and stress tests for healthcare entities, with particular waivers for small providers. To fund these new endeavors, the bill would remove fine caps for large corporations, fund the HHS’s oversight through user fees, and allocate $1.3 billion to hospitals for cybersecurity improvements.

HHS has indicated its backing of the bill, with Deputy Secretary Andrea Palm stating, “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.” At this writing, the American Hospital Association (AHA) has declined to comment on the bill.

One of the bill’s sponsors, Senator Ron Wyden of Oregon, has commented that the bill is necessary because “megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result.” UnitedHealth’s subsidiary Change Healthcare was subject to one of the largest ransomware attacks in America’s history, leading to significant impacts on patients and healthcare providers. The fallout from this ransomware breach continues to be felt across the healthcare industry.

Given that the bill was introduced as Congress concluded its last day of business until the upcoming election, it is unlikely to progress any further during this legislative session. Moreover, depending upon the outcome of the upcoming election, the bill faces an uncertain future. Nevertheless, the healthcare industry is likely to continue to face pressure to improve its cybersecurity standards, whether voluntarily or through legal mandates.

The Attorney General of New Jersey and the Director of the New Jersey Division on Civil Rights jointly commenced a lawsuit against the Virtua Health System and its constituent hospitals alleging that its policy and practices concerning universal drug testing of all pregnant patients constituted unlawful discrimination based on pregnancy and sex in violation of the New Jersey Law Against Discrimination (LAD). The complaint, filed on September 26, 2024, also alleged that these drug tests have been “regularly administered” without obtaining informed consent from the patient. In addition to four counts asserting LAD violations based on pregnancy and sex, the complaint included a separate count alleging a violation of a state constitutional right of privacy enforceable under the New Jersey Civil Rights Act (NJCRA), grounded in the failure to obtain informed consent to the drug testing. It seeks relief in the form of a declaration that the defendants committed the acts and omissions alleged and that they constitute violations of the LAD and the NJCRA, an injunction against the continuation of the policy and requiring informed consent before testing were done, compensatory damages and civil penalties.

Since the Virtua hospitals are not the only hospitals in New Jersey having policies for routine drug testing on urine samples from perinatal patients, this lawsuit provides an incentive to review and evaluate those hospital policies and others in general through the lens of possible discrimination concerns. In addition, some aspects of the State’s pleading merit close attention.

Substance use during pregnancy has been recognized as a public health concern for many years. The New Jersey Supreme Court has ruled that not every instance of drug use during pregnancy, standing alone, will substantiate a finding of abuse and neglect in light of the specific language of the New Jersey statute. Unlike some states, New Jersey has not made prenatal drug use child abuse per se

New Jersey hospitals have a statutory obligation to report suspected child abuse, which can include situations involving opioid usage in pregnant women if it poses a risk to the child. In response to requirements in the federal Child Abuse and Prevention and Treatment Act that healthcare providers involved in the delivery or care of infants affected by substance abuse from prenatal drug exposure notify the child protective services system of the occurrence such infants, the Department of Children and Families and the Department of Health adopted regulations mandating that a hospital report a “substance-affected infant” to the Division of Child Protection & Permanency (DCP&P) for possible child abuse or neglect.

“Substance-affected infant” as defined by rulemaking includes the circumstance where the mother had “a positive toxicology screen for a controlled substance or metabolite thereof during pregnancy or at the time of delivery.” The Virtua hospital policy of obtaining urine drug tests takes place in the context of a regulatory requirement to report possible substance-abused infants.  That report, however, triggers the involvement of DCP&P representatives in an investigation that can be intrusive and offensive. This is a consequence of the occurrence of “false positive” results on the urine drug tests even with confirmatory retesting. The complaint describes the experience of two separate patients who became embroiled in DCP&P investigations even though their urine tests were only positive as a result of their having eaten a poppy seed bagel.

The complaint criticizes the Virtua policy providing for universal urine drug testing for all pregnant patients. It notes that this policy was at odds with recommendations made by the American College of Obstetricians and Gynecologists (ACOG) and the American Society of Addiction Medicine (ASAM) that all pregnant women should be screened for substance use disorders but using a series of verbal questions rather than urine drug testing. The 2017 Committee Opinion stated “[r]outine urine drug screening is controversial for several reasons.” These include that a positive test is not diagnostic of an opioid disorder or its severity as well as only identifying recent use. It might detect the presence of an authorized prescribed medication for pain. In addition, urine testing may not detect other substances that are often abused. Moreover, it notes that “[f]alse positive tests can occur with immune-assay testing and legal consequences can be devastating to the patient and her family.” The complaint relates similar positions by other organizations of national and international stature such as the CDC and the WHO.

Making allegations on information and belief, the complaint asserts that until 2018 Virtua had a policy in which it “did not conduct universal drug testing of all pregnant patients seeking inpatient hospital admission. Instead, it would verbally screen patients and would then decide to administer a urine drug test based on a patient’s risk of drug use.” That policy appears to have conformed to the ACOG/ASAM recommendations. Virtua revised that policy in 2018 because of the rapid increase in opioid usage in the country that has commonly been referred to as the “opioid epidemic” and to deal with the increasing number of infants being seen by Virtua clinicians exhibiting symptoms of neonatal absence syndrome (NAS) as a result of opioid usage. The complaint characterized the justifications offered by Virtua for its universal drug testing policy as “pretextual.” The complaint does not address the provisions in the Department of Health regulations that the hospital’s policies regarding cases of suspected child abuse or neglect are “reviewed by the Department and revised as required by the Department.”

Since the 2017 ACOG/ASAM endorsement of screening for substance abuse through questions and questionnaire, there have been studies published in 2023 and in 2024 identifying racial disparities and implicit bias in the implementation of question-based screening for prenatal substance abuse. The development of this perspective is a manifestation of the axiom articulated by the New Jersey courts over several decades in cases such as Schueler v. Strelinger and Morlino v. Medical Center of Ocean County that medicine is not an exact science.

The complaint states that “Virtua’s drug testing policy mandates that hospital staff obtain informed consent from all pregnant patients prior to mandatory drug testing.” That policy is consistent with New Jersey law. In Mathies v. Mastromonaco, the Supreme Court rejected the contention that “informed consent applies only to invasive procedures.”  And as recognized in Estate of Behringer v. Medical Center at Princeton, issues of pre-test counseling and informed consent are involved in a patient allowing the hospital to test. The United States Supreme Court in Ferguson v. City of Charleston held that urine drug testing of pregnant women for drug use without their informed consent violates the Fourth Amendment. That ruling did not involve a private hospital but rather was in the setting of a public hospital conducting a program in conjunction with law enforcement for the detection of possible child abuse where state law provided for the prosecution of drug-using pregnant women.

While Virtua had a policy requiring informed consent to the drug testing of pregnant patients, according to the complaint, “Virtua’s staff regularly deviates from that policy.” This underscores the importance of adequate education recognizing the difference between consent and informed consent, the difference between a consent form and the consent process. A general consent form signed on admission to the hospital authorizing the practitioner to render care, including but not limited to performing labs, ordering diagnostic tests, and the like, may be sufficient to avoid a battery charge. Such forms may not be effective as evidence of an “informed consent” without a communication of material information regarding the proposed medical treatment.  The form is no replacement for the process of informing a patient as to the purpose, risks, benefits, and alternatives to a proposed course of medical action. The existence of a meaningful policy to obtain patient informed consent can provide an affirmative defense to the claim of discrimination if it is generally enforced. Seemingly there will be questions of fact concerning what Virtua knew about no informed consent being obtained by staff and when it knew it and what it did about that.

The informed consent claim may be fatally flawed. The complaint accurately recites that New Jersey law requires medical providers to obtain informed consent before providing medical treatment including administering a drug test. As understood in the case law, the doctrine of informed consent requires that the hospital or medical provider make the patient aware of any information a reasonably prudent patient would find significant to make an informed decision regarding a course of treatment, procedure, or test and not what a physician might find pertinent or relevant to a given medical decision. The complaint sets forth that this information should include the medical indication for the test, information regarding the right to refuse the test and the possible outcome of positive test results “including any state-mandated reporting requirements.” However, the New Jersey Supreme Court has stated that in a negligence action predicated on lack of informed consent, a plaintiff must demonstrate that a physician “withheld medical information that a reasonably prudent pregnant woman in like circumstances would have considered material before consenting.” (Emphasis in original.) A few years earlier, the Appellate Division had held that “the doctrine of informed consent did not require defendant in this case to advise plaintiff of the FDA regulatory status” of the medical device that was going to be used in an off-label fashion. These precedents may defuse the scope of the lack of information provided to these patients.

The allegations in the third and fourth counts of the complaint seem to be an overreach. These claim a violation of the LAD because of discrimination “on the basis of sex.” More specifically, the complaint asserts that “the vast majority of Virtua’s patients seeking admission to its Labor and Delivery or High-Risk Obstetrics Units are women.” It continues that Virtua does not subject any group of patients comprised entirely or mostly of men to the “Maternal Care Manual” policies and require universal drug testing upon inpatient hospital admission. That undoubtedly is true. The universal urine drug testing of pregnant female patients is directed at determining the presence of opioid substances that could present a substantial risk to the unborn baby. While not completely impossible in an era of transgender males and uterus implantations, it seems self-evident that pregnant patients seeking admission to Labor and Delivery will necessarily be female patients. This does not resemble discrimination “on the basis of sex.”

The fifth count presents a novel claim for deprivation of civil rights with the contention that the failure to obtain an informed consent to the urine testing constitutes a violation of an individual’s right to privacy guaranteed by Article I, Paragraph 1 of the New Jersey Constitution of 1947. In 1976 in Matter of Quinlan, the Supreme Court had identified this state constitutional provision as including a right of privacy broad enough to encompass a patient’s decision to decline medical treatment under certain circumstances consistent with personal autonomy. Although subsequent cases continued to recognize a right of privacy under the state constitution in different settings, nine years later in Matter of Conroy the court reformulated the basis for the refusal of life-sustaining medical treatment as embraced within “the common-law right to self-determination” and “the doctrine of informed consent.” It is quite a stretch to transform the right to refuse medical care into an actionable affirmative claim under the Constitution to receive information. The complaint lays out another new path for a civil rights action with the contention that the failure to comply with the Virtua policy to obtain an informed consent was a violation of rights protected under state law found in the New Jersey Hospital Patients Bill of Rights, to “receive from the physician information necessary to give informed consent.” In light of the statutory interpretation of the Hospital Patients Bill of Rights in the Appellate Division’s ruling in Castro v. NYT Television “that the Legislature did not intend to create a new private right of action for a violation of the rights recognized thereunder,” this is a questionable contention.

The action filed on September 26 is not the first litigation by or on behalf of women claiming they received false positive results from eating poppy seed bagels or salad dressing and then being investigated by child protection agencies.  Complaints with allegations of discrimination in violation of federal rights based on urine drug testing have been filed over the past decade in New York, Pennsylvania, California, Illinois, Alabama, Maryland and elsewhere.  A case filed in upstate New York was recently dismissed and is on appeal.  The New Jersey action is premised entirely on New Jersey law.

 

 

A recent post on this blog previewed the issues raised in the case of Govatos v. Murphy related to the residency requirement in the New Jersey Medical Aid in Dying for the Terminally Ill Act

On September 18, 2024, the Honorable Renée Marie Bumb, the Chief Judge for the U.S. District Court for the District of New Jersey, filed a 59-page opinion along with an Order dismissing the complaint in Govatos challenging the constitutionality of the Act’s residency requirement. Judge Bumb rejected the claim that the State’s requirement that a person be a resident of New Jersey to receive medical aid in dying violates three provisions of the United States Constitution: (1) the Privileges and Immunities Clause of Article IV, § 2; (2) the dormant Commerce Clause of Article I, § 8; and (3) the Equal Protection Clause of the Fourteenth Amendment.

Judge Bumb framed the issue before her as whether the Constitution requires a state to extend to non-residents a non-fundamental privilege to access medical aid in dying that it affords to its own residents pursuant to the New Jersey statute. The opinion analyzes the contention that the Privileges and Immunities Clause is violated by the statutory residents-only provision because it burdens the fundamental right to interstate travel with the denial of the medical aid in dying services to non-residents. The court’s examination of this issue sensibly begins by formulating what the Privileges and Immunities Clause covers. It reviewed interpretations of the clause dating back to 1823. It concluded that the court must engage in a two-step process in evaluating a claim that a state law unjustifiably discriminated against non-residents. The first was a determination of whether the non-resident’s claimed interest was “sufficiently fundamental” to be within the purview of the Clause. If the discriminatory law did affect a fundamental privilege, it was necessary to consider whether there was a substantial reason for the difference in treatment and whether the discriminatory action bore a substantial relationship to the state’s objective.

In concluding that there was no fundamental right to medical aid in dying, the court found the Supreme Court’s 1997 decision in Washington v. Glucksberg to be dispositive in concluding that there was no right to assistance in committing suicide under the Due Process Clause. It also referred to the companion case of Vacco v. Quill decided the same day, which rejected a challenge under the Equal Protection Clause to a statute making assisting someone to commit or attempt suicide a crime as reaching the same conclusion. In Vacco, the court distinguished its 1990 decision in Cruzan v. Director, Missouri Department of Health in which it had assumed that a competent person has a constitutionally protected liberty interest in refusing unwanted medical treatment but emphasized that a right to refuse treatment was not grounded in a general and abstract “right to hasten death” as an exercise of personal autonomy, but rather was premised on well-established, traditional rights to bodily integrity and freedom from unwanted touching. The right to refuse treatment does not necessarily transform into a right to demand a particular treatment.

The Govatos court followed that reasoning in ruling that the “right” to medical aid in dying in New Jersey statute was a qualified right subject to conditions, such as the confirmed presence of a terminal condition with a life expectancy of less than six months. This “right” was derived entirely from statutory authorization, not constitutional protection. It also observed the comment in Kligler v. Attorney General that no state supreme court “has concluded that physician-assisted suicide constitutes a fundamental right” as a matter of state constitutional law. The Kligler decision was the subject of commentary in a January 2023 post on this blog.   

The Govatos court further rebuffed the plaintiffs’ argument that the residency requirement burdened their fundamental right to travel within the United States that had been recognized in Shapiro v. Thompson. It did not accept the attempt to bootstrap the non-fundamental privilege of medical aid in dying to the fundamental right of interstate travel. It rejected the analogy to Doe v. Bolton in which the Supreme Court struck down a Georgia statute criminalizing abortion unless several conditions were met. Among those conditions was that the procedure could only be performed on a woman who resided in Georgia. In distinguishing Doe, the court noted that the Supreme Court had found no basis for this residency requirement. In contrast, the State of New Jersey had several justifications beginning with its observation that medical aid in dying was “legally indistinguishable from the criminal act of suicide” and was not general medical care. Next, the two plaintiff-patients sought to obtain medication that they could self-administer to end their lives in their home states of Delaware and Pennsylvania. Assisting suicide was a criminal act in both Delaware and Pennsylvania. The State had a legitimate interest in protecting New Jersey healthcare providers from liability in another state for conduct that would be a crime there. Moreover, the State had a justifiable interest in ensuring that the self-administration of the lethal medication was completely voluntary and that the provisions of the Medical Aid in Dying Act that provided additional safeguards were followed. The situation before the court was unlike the circumstances of laws such as in Texas that aimed to prevent its citizens from traveling to another state to obtain an abortion legal in that other state but not in Texas and could adversely affect its own citizens’ ability to return to their own state after seeking access to abortion services.

The court found that the Govatos plaintiffs did not have a cognizable Dormant Commerce Clause claim. This Clause provided protection against economic protectionism from measuring benefiting in-state interests and burdening out-of-state competitors. The court concluded that the New Jersey Medical Aid in Dying Act did not discriminate or burden interstate commerce. It also quickly disposed of the Equal Protection Clause challenge because the residency requirement did not target a suspect class and did not infringe on a fundamental right. Thus, it was subject to review under the rational basis test. The residency requirement was rationally related to legitimate governmental objectives. The protection of healthcare providers from either criminal or civil liability in another state based on having provided a person with lethal medication to end their life was a legitimate purpose. The New Jersey Medical Aid in Dying Act provided physicians with broad criminal and civil immunity but only if the terms of the statute were complied with. Otherwise, assisting suicide is still a crime in New Jersey. It was also a criminal offense in both Delaware and Pennsylvania with statutes that punished conduct outside the state where the result occurred within the state.

The Govatos ruling, in combination with the Massachusetts decision in Kligler, illustrates the limits of attempts to establish a right to physician assistance in dying through a constitutional adjudication. Govatos documents the widespread opposition to physician aid in dying with the court repeatedly making the observation that this medical practice is “indistinguishable from the criminal act of assisting suicide.” Only a few states have enacted legislation to permit the practice and eliminate the risk of criminal exposure. The practice of medical tourism by individuals living in states that do not permit medical aid in dying is a matter of continuing risk. While the ethical justification is well-established for accepting and acting on a patient’s right to refuse care whether it involves withholding or withdrawing care, the same cannot be said of physician assistance in dying. 

The federal Corporate Transparency Act (CTA) requires many business entities to disclose information about their business ownership to FinCEN.  Healthcare entities should note that the CTA does not have an exemption for healthcare practitioners, and so small to mid-size healthcare practices of all kinds, as well as practices falling into the “friendly PC” model, are likely to be required to report under this law. This lunch hour complimentary webinar will provide practical guidance for those businesses including a review of key points of the CTA and helpful pointers to ensure legal compliance for entities with reporting requirements. Additional program information and registration link at: bit.ly/47scrMq

The NJ Board of Public Utilities (BPU) has scheduled a stakeholder meeting for Tuesday, September 17, 2024, for the purpose of receiving comments and input regarding the Competitive Solicitation Incentive (CSI) component of the New Jersey solar energy renewable energy certificate program, sometimes referred to as the Successor Solar Incentive (SuSI) Program. Alternatively, stakeholders are invited to submit comments in writing no later than September 24. This Client Alert by our partner Barbara J. Koonz provides related details.

Since being enacted in 2019, the New Jersey Medical Aid in Dying Act has had a threshold condition on a patient’s request for medication under the Act: that they be an “adult resident of New Jersey.” The physician’s record must contain documentation of the patient’s status as a resident of New Jersey, whether in the form of a driver’s license, voter registration or tax returns. This “residency” requirement is a common factor in the laws of other states that have enacted similar legislation authorizing the dispensation of lethal medication to end a person’s life. Only two states currently do not have this requirement.

Focusing on a Pennsylvania resident, the article “Traveling to Die: The Latest Form of Medical Tourism,” originally appearing in the August 20, 2024 issue of KFF Health News and republished in the August 21 issue of Medscape, reviews the experience of individuals who live in states that have not legalized and authorized medical assistance for dying and who travel to one of the two locations which have dispensed with the residency requirements: Oregon and Vermont. This is seen by some as an “emerging trend.” However, the subject of medical tourism, sometimes referred to in this context as “circumvention tourism,” has been a matter of controversy.

The residency requirement presents several obstacles for patients. These include having to find cooperative doctors in a new state since every state requires confirmation of the terminal condition and limited prognosis by two physicians. In addition, there is a need to arrange for a place in the new state to ingest the medication and die. Moreover, the residency requirement imposes a burden of traveling “when too sick to walk to the next room, let alone climb into a car.” The practical burdens of the trip are increased by statutory requirements for a waiting period intended to give a patient the opportunity to calmly reflect and deliberate on their decision.  Not only does this result in the need to obtain housing or engage in repeat travel, but the waiting period also presents the risk of the underlying condition progressing to a point where an individual loses capacity for decision-making and can no longer participate or where an individual dies before the waiting period is over while suffering throughout that time from the underlying condition that brought them to make the request for a physician-assisted death. In New Jersey, like most other states, the waiting period is 15 days. Several states have modified their laws to either shorten the waiting period or provide exceptions in the event of imminent death. A bill to eliminate the 15-day waiting period under the New Jersey Medical Aid in Dying Act was introduced in the 2022-2023 session of the legislature, but not acted upon. It was introduced again on January 9, 2024 in the 2024-2025 session but remains in committee.

The changes to the residency requirements in Oregon and Vermont resulted from the settlement of federal lawsuits challenging these requirements as violating the privileges and immunities clause of the United States Constitution with resulting legislative action to remove the requirement. New Jersey’s residency requirement is being questioned in the case of Govatos v. Murphy. On August 29, 2023, a complaint was filed in the United States District Court for the District of New Jersey asserting a challenge to New Jersey’s residency requirement as violating the Privileges and Immunities Clause (Art. IV, § 2), the Commerce Clause (Art. I, § 8), and the Equal Protection Clause (Amend. XIV, § 2) of the United States Constitution. The State has moved to dismiss the complaint. The motion has been fully briefed and is awaiting disposition and a decision by the court.

If the New Jersey residency requirement is declared constitutionally invalid, there likely will be an increase in the utilization of the Medical Aid in Dying Act. Travel to New Jersey is relatively easy from the abutting states of New York and Pennsylvania which do not permit medical assistance in dying. The Delaware legislature passed a bill to authorize medical assistance with dying and awaits action by the governor. Whether or not the governor will sign the bill is uncertain. However, the Delaware statute as passed would only allow an adult resident of Delaware to request and self-administer medication to end the individual’s life, leaving New Jersey as a probable destination for an individual seeking a physician-assisted death.

An article co-authored by Greenbaum attorneys John Zen Jackson and Madeline B. Gayle, recently published in the Widener Law Review, reviews the tragic circumstances surrounding Charles Cullen, the killer nurse who became known as the “Angel of Death” following the discovery of his role in the deaths of between 40 and 400 patients in New Jersey and Pennsylvania.  Limited pre-employment vetting and background checks combined with the lack of thorough investigations of suspicious circumstances allowed Cullen to change employment at several healthcare institutions without detection for approximately 15 years until his arrest in 2003. The article examines the ensuing litigation, as well as New Jersey’s legislative response which included the enactment of laws imposing a duty to disclose medical errors and report misconduct as well as an obligation on the part of healthcare entities to provide and obtain meaningful background and performance information concerning prospective employees. Mr. Jackson and Ms. Gayle also evaluate the limitations and unintended consequences of the Health Care Professional Responsibility and Reporting Enhancement Act (HCPRREA), also known as the Cullen Law.

On June 24, 2024, the U.S. Department of Health and Human Services (HHS) released a final rule establishing stringent financial penalties, referred to as “disincentives,” for healthcare providers found to have committed information blocking.

In instances where the HHS Office of Inspector General (OIG) finds a healthcare provider has committed information blocking and refers the matter to the Centers for Medicare and Medicaid Services (CMS), HHS has established several disincentives to be applied as follows:

  • Under the Medicare Promoting Interoperability Program, an eligible hospital or critical access hospital (CAH) that has committed information blocking will not be a meaningful electronic health record (EHR) user during the calendar year of the EHR reporting period in which OIG refers its determination to CMS. This means the hospital will not be able to earn three quarters of the annual market basket increase they would have been able to earn for successful program participation. Moreover, for critical access hospitals, payment will be reduced to 100% of reasonable costs instead of 101%. This disincentive will be effective 30 days after publication of the final rule.
  • Under the Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS), a MIPS eligible clinician (including a group practice) who has committed information blocking will not be a meaningful EHR user during the calendar year of the performance period in which OIG refers its determination to CMS. If the MIPS eligible clinician is not a meaningful EHR user, they will then receive a zero score in the MIPS Promoting Interoperability performance category. The MIPS Promoting Interoperability performance category score is typically a quarter of an individual MIPS eligible clinician’s or group’s total final score in a performance period/MIPS payment year, unless an exception applies, and the MIPS eligible clinician is not required to report measures for the performance category. CMS has modified its policy for this disincentive to clarify that if an individual eligible clinician is found to have committed information blocking and is referred to CMS, the disincentive under the MIPS Promoting Interoperability performance category will only apply to the individual, even if they report as part of a group. This disincentive will be effective 30 days after publication of the final rule.
  • Under the Medicare Shared Savings Program, a healthcare provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier who has committed information blocking may be ineligible to participate in the program for a period of at least one year. Consequently, the healthcare provider may not receive revenue they might otherwise have earned through the Shared Savings Program. CMS also finalized in this final rule that it will consider the relevant facts and circumstances (e.g. time since the information blocking conduct, the healthcare provider’s diligence in identifying and correcting the problem, whether the provider was previously subject to a disincentive in another program, etc.) before applying a disincentive under the Shared Savings Program. This disincentive will be effective 30 days after publication of the final rule; however, any disincentive under the Shared Savings Program would be imposed after January 1, 2025.

The final rule also reserves the right of HHS to establish additional disincentives through future rulemaking.

While HHS Secretary Xavier Becerra sees this new rule as a “critical step” for ensuring that patients have access to their electronic health information, many in the industry have raised concerns that these disincentives have gone too far and will unnecessarily harm healthcare providers. In a recent article authored by Andrea Fox of Healthcare IT News, she discusses concerns expressed by the American Hospital Association and the Medical Group Management Association that the disincentives are excessive. Time will tell how aggressive the OIG and CMS will be in imposing these penalties.

Given these significant financial consequences for information blocking, healthcare providers should continue to be vigilant in their efforts to implement proper policies and procedures to ensure timely and proper access, exchange, and use of electronic health information. Given the complexity of the regulations surrounding this area of the law, consultation with healthcare counsel is critical to ensuring full compliance with the law.

On June 25, 2024, the Final Rule issued by the Office of Civil Rights (OCR) that amended the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) became effective as a means of further protecting personal health information (PHI) related to reproductive healthcare privacy. Following the 2022 U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization holding that the right to an abortion is not a fundamental right protected by the U.S. Constitution, OCR responded by promulgating new regulations to protect the integrity of the provider-patient relationship as a means of preserving a person’s expectation of privacy for reproductive healthcare services. As of this date, covered entities and business associates have 180 days, or until December 22, 2024, to comply with the provisions of the Final Rule.

The first part of the Final Rule limits the use and disclosure of PHI related to healthcare if it is for certain non-healthcare purposes. A covered healthcare provider, health plan, or healthcare clearinghouse, or its business associate, is prohibited from using this PHI to (1) conduct a criminal, civil, or administrative investigation into, or to impose criminal, civil, or administrative liability on any person seeking, obtaining, providing, or facilitating reproductive healthcare if, under the circumstance, such healthcare is lawful in the state in which it is provided, or (2) from identifying any person for the purpose of conducting such investigation or imposing such liability.

This prohibition applies when one or more of the following has been reasonably determined:

  • The type of reproductive healthcare is lawful in the state where such healthcare is provided and under the circumstances under which it is provided;
  • The type of reproductive healthcare is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such healthcare is provided; and
  • The type of reproductive healthcare is provided by a person other than the covered healthcare provider, health plan, or healthcare clearinghouse (or business associates) that has received the request for PHI with the presumption that the reproductive health care provided is lawful.

In other words, a healthcare provider, health plan, or healthcare clearinghouse, or its business associate, is prohibited from disclosing PHI related to reproductive healthcare received by a resident of one state who traveled to another state to receive reproductive healthcare, such as an abortion, when it is lawful in the state where such healthcare was provided. A covered entity and business associate is also prohibited from disclosing PHI related to reproductive healthcare if the use of the reproductive healthcare, such as contraception, is protected by the U.S. Constitution. 

Alternatively, the Final Rule does not prohibit the use or disclosure of PHI related to reproductive healthcare if the purpose is to investigate alleged violations of the False Claims Act, federal nondiscrimination laws, or abusive conduct, such as sexual assault, if it occurs in connection with reproductive healthcare, in addition to audits conducted by the Office of Inspector General initiated to protect the integrity of the Medicare or Medicaid programs.

The second part of the Final Rule requires attestation from the requestors that they are not seeking PHI related to reproductive healthcare for a prohibited purpose. It also requires providers to obtain attestation before using or disclosing PHI related to reproductive healthcare for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to aid coroners and medical examiners. Concisely stated, the provider is required to obtain an attestation before using or disclosing PHI for audits, and investigations, a court order, laws requiring reporting of certain types of wounds or injuries, and before identifying a deceased person or cause of death.

Lastly, the Final Rule requires changes to the Notice of Privacy Practice (NPP) provisions of the regulated entities by February 16, 2026.

We previously provided information on this blog regarding the Garden State Commercial Property Assessed Clean Energy (C-PACE) program, which is poised to become a popular option for hospitals and other healthcare sector entities looking to rehabilitate facilities or adopt clean energy initiatives while seeking to avoid the upfront capital expenditures typically required for such projects. The program was established by the New Jersey Economic Development Authority (EDA) as a mechanism to finance commercial renewable energy projects, energy efficiency initiatives, electric vehicle charging stations, microgrids, power purchase agreements, and water efficiency and other authorized improvement projects.

Greenbaum attorney Maura E. Blau has just published this new update providing details on the EDA’s updated program guidelines (issued on May 29, 2024) and draft supplemental guidelines, which once finalized would expand the C-PACE program to include not only retrofits, but also new construction projects, gut rehabilitation and refinancing. In addition, changes to the draft program guidelines include the addition of water conservation, flood resistant construction, and microgrids as C-PACE eligible improvement categories.