The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced on April 11, 2023 that the Notifications of Enforcement Discretions issued during the COVID-19 Public Health Emergency (PHE) would be expiring at 11:59 p.m. on May 11, 2023 due to the expiration of the PHE. A copy of the notice of expiration can be found here.

Despite this expiration, OCR Director Melanie Fontes Rainer announced that OCR would be “providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR is providing a 90-calendar day transition period until 11:59 p.m. on August 9, 2023 for health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. Thus, during this 90-day period, health care providers will not face penalties if they engage in the good faith provision of telehealth.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules would be applied to certain violations during the PHE. The following are links to each of those Notifications:

  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

Health care providers should carefully review each of these Notifications to assess whether adjustments were made to their daily operating practices during the PHE.

Action should be immediately taken to ensure resumed compliance with all applicable HIPAA Rules following the 90-day transition period expiring on August 9, 2023.

On January 5, 2023, the Federal Trade Commission (FTC) published a notice of proposed rulemaking (NPR) for a non-compete clause rule. The NPR, if approved as published, would ban as an unfair method of competition all non-compete clauses between an employer and workers in all industry sectors throughout the country. The NPR might also extend to other restrictive covenants in an employment agreement if the covenants hamper post-employment re-employment.  Upon the NPR’s adoption, an employer would be obligated to give employees written notice of recission of existing non-compete clauses.

The NPR has a narrow exception from the general prohibition for the sale of a business if the seller owns at least 25% of the business sold.

The NPR is likely to be challenged as being promulgated without authority under Section 5 and 6(g) of the Federal Trade Commission Act.  In addition, since the NPR will regulate a significant portion of the U.S. economy, will be of great political significance, and will intrude in an area that has been the domain of state law, the NPR will also likely be challenged under the Supreme Court’s “Major Questions” doctrine. Finally, the NPR may run afoul of the prohibition against congressional delegation of its legislative power to an agency without an intelligible principle to which the agency must conform.

In the healthcare industry, there will be many unintended consequences if the rule is adopted.  Several examples are: (i) physician equity transactions rely upon non-compete clauses to maintain the economic integrity of the participating physicians. The physicians are the economic engine that drive the equity transaction; and (ii) in a consolidated healthcare industry, large numbers of physicians are employed by “Friendly PCs” controlled by non-profit healthcare systems. All the physicians in their employment agreements are bound by non-compete clauses, which would be rescinded under the NPR because the Friendly PCs are profit-making entities subject to the NPR. 

As a result of the potential legal challenges, the road to adoption of the NPR is long and uncertain.  In the interim, non-competes should be narrowly crafted to protect the employer’s legitimate interest and be reasonable in duration and geographic scope. 

In August 2022, President Biden signed into law the Inflation Reduction Act. The Act’s key provisions include the ability of the federal government to negotiate certain prescription drug pricing. Specifically, the law created a program that allows the federal government to negotiate prices for a limited number of high-cost single-source drugs (lacking generic and/or biosimilar substitutions). The Secretary of the Department of Health and Human Services (HHS) will have the ability to choose a list of 50 pharmacy drugs and 50 drugs administered at a physician’s office that will be priced in accordance with this new methodology. 

By September 1, 2023, the Centers for Medicare and Medicaid Services (CMS) must publish the highest cost drugs for negotiation. While the effective date for this first round of drugs is not until CY2026, in CY2023 a total of 10 drugs will be selected from the Medicare Part D program.

In this recent article published by Reuters entitled Bristol Myers, Pfizer, AbbVie Drugs Likely to Face U.S. Price Negotiation, the authors discuss some of the drugs anticipated to be on this initial list and the efforts being made by the industry to better understand how this new pricing system will be implemented.

On March 9, 2023, the New Jersey State Board of Medical Examiners filed an Order and statement of reasons for denying reinstatement of a physician’s medical license that had been previously revoked but with a right to apply for reinstatement. The denial was based on the Board’s conclusion that N.J.S.A. 45:1-15.9 barred reinstatement because of the physician’s prior conviction of criminal sexual contact that had led to the revocation in the first place.

This is the first known application of the statute that became effective in 2022 and will present a case of first impression if the matter proceeds further to the Appellate Division.

The physician’s license had been revoked on January 29, 2017 after earlier proceedings in 2015 temporarily suspending the license pending a plenary hearing. The Board’s disciplinary action arose out of an arrest for criminal sexual contact that allegedly occurred during two office visits with a patient undergoing a neurological examination.  Although the presenting complaint involved a right wrist drop, the physician’s examination included touching the patient’s breasts, her abdomen, thighs, and buttocks as well as exposure of her vaginal area from different angles.

Relying on the Board’s sexual misconduct regulation in N.J.A.C. 13:35-6.3, the Board concluded that the evidential record “palpably demonstrates a clear and imminent danger to the public” from the physician’s continued practice pending final disposition of the Attorney General’s complaint.  It rejected the defense’s argument that a temporary suspension was not warranted because no indictment had yet been returned.

The plenary disposition of the matter was achieved with the Consent Order that was entered on January 29, 2017. By that time, the physician had entered guilty pleas to criminal sexual contact in violation of N.J.S.A. 2C:14-3b. In ordering the revocation, the Board found that the charged conduct demonstrated gross and repeated acts of negligence, professional misconduct, sexual misconduct and acts constituting crimes of moral turpitude and crimes which relate adversely to the practice of medicine, satisfying several statutory grounds set out in N.J.S.A. 45:1-21. The Board’s Order further provided that the physician could not apply for a license in New Jersey until five years had elapsed from the entry of the temporary suspension order in 2015. It also required him to successfully complete courses on medical ethics and boundaries, undergo a psycho-sexual evaluation with follow-through on any treatment recommendation, and to appear before a committee of the Board to demonstrate fitness and competence to resume the practice of medicine.

An application for reinstatement was submitted in 2022 along with supportive documentation from the Board-designated evaluators concerning the physician’s readiness and fitness to resume practice.

On January 10, 2022, Governor Murphy signed Public Law 2021, Chapter 345 into law.  Codified as N.J.S.A. 45:1-15.9, this legislation set out a new provision regarding grounds for refusal to issue, renew, or reinstate licenses or certifications of healthcare professionals. Under this statute, the Board of Medical Examiners and other licensing bodies regulating healthcare professions or occupations:

shall not issue an initial license, certification or registration, or renew, reinstate or reactivate a license, certification or registration unless the entity has first determined that no criminal history record or record with the National Practitioner Data Bank exists demonstrating that an applicant for a license, certification, or registration in a health care profession or occupation has been convicted of sexual assault, criminal sexual contact or lewdness pursuant to endangering the welfare of a child, … attempting to lure or entice a child [contrary to a series of specifically identified New Jersey statutes including N.J.S.A. 2C:14-3] or equivalent offenses in another jurisdiction. [(Emphasis added).]

The Board rebuffed the contention that the physician had provided evidence of his rehabilitation and that he did not present a risk to the public. It construed the statute as depriving the Board of any discretion in making the licensure decision in circumstances encompassed by the statute.

Most fundamentally, the Board rejected the argument that the statute should be applied only to convictions that might occur after its January 10, 2022 effective date.  It saw no distinction between crimes that occurred before January 10, 2022 and those that might occur after that date. While nothing in the text explicitly required this retroactive application, the Board determined that the legislative intent could be found in statements submitted by the Senate Commerce Committee and the Assembly Regulated Professions Committee during consideration of the bill. The stated purpose of the bill was to bar certain convicted sex offenders who had engaged in “prior criminal conduct” from participation in regulated health occupations, in part, because of the risk of recidivism. The Legislature disavowed an intent to use the statute as a punitive measure but rather as protection of the public given the trust that arises from the implicit imprimatur of state licensure.

Going forward it will be necessary to reconcile the statute with provisions of N.J.S.A 45:1-21.5 which creates a presumption of disqualification for licensure from a conviction of murder or resulting in sex offender status but gives the professional licensing boards discretion to issue the license. Moreover, the Board is going to have to deal with biennial renewals submitted by physicians who have a disciplinary history including incidents of sexual misconduct fitting into the several categories of disqualifying offenses in N.J.S.A. 45:1-15.9.  Even when the discipline was not as severe as revocation, the statute bars even a renewal of a medical license.

Legislation requiring permanent revocation of a physician’s medical license when the physician has been convicted of a sex offense or ordered to register as a sex offender has been enacted in several states, including California, Illinois, Ohio, Tennessee, and Texas. In 2014, the Illinois Supreme Court upheld the constitutionality of the requirement of revocation based on convictions predating the effective date of the statute. The United States Supreme Court declined to review the case.

In light of the New Jersey Appellate Division’s recent decision in County of Passaic v. Horizon Healthcare Services affirming the validity of a commercial arbitration agreement that did not contain a jury waiver, contracting entities including those in the healthcare sector need to approach language differently depending on whether they are dealing with a consumer or employment agreement or an arm’s-length commercial contract. Greenbaum partners Robert B. Hille and John W. Kaveney analyze the impact of the February 8, 2023 Appellate ruling in this commentary published by the New Jersey Law Journal.

The NJ BPU’s new Competitive Solicitation Incentive (CSI) Program, mandated by the New Jersey Solar Act of 2021, is available to qualifying grid supply projects, with or without energy storage, and net-metering installations in excess of 5 MWs. The deadline to submit applications to earn solar renewable energy certificates under the program is March 31, 2023. This Client Alert by our partner Barbara J. Koonz provides an overview of this new incentive opportunity and other related details.

In the wake of the New Jersey Supreme Court’s 2017 decision in Allstate Insurance Company v. Northfield Medical Center, P.C., management services organizations (MSOs), physicians, private equity funds, and practicing healthcare attorneys should keep the following “do’s and don’ts” in mind when structuring their MSO arrangements to comply with New Jersey corporate practice of medicine (CPOM) rules:

Do’sDon’ts
Allocate the majority of shares and/or voting rights in the medical practice to the plenary licensed physician-owner(s)Allocate more than a minority of shares or voting rights to any limited licensed professionals and never to an unlicensed individual
Require the physician-owner(s) to contribute start-up capital to the medical practiceThe management contract should not contain a provision allowing the termination and replacement of the physician-owner in the event of a conflict of interest between proper medical judgment and cost-containment
Clearly delineate the roles between the physician-owner’s clinical activities and the management company’s administrative activitiesPay all remaining medical practice profits after expenses to the management company in exchange for the provision of management services, leased space, and leased equipment
Physician-owner(s) should participate in or oversee day-to-day patient care and supervision of clinical personnelRequire the physician-owner of the medical practice to pre-sign undated documents or certificates which permit physician’s removal from the practice
Physician-owner(s) should retain the right to terminate the management contractIncorporate a “break fee” in the management agreement, space rental, or equipment lease which is intended to penalize the medical practice’s physician-owner for breaking the management agreement or lease
The medical practice must pay fair market value for management servicesA management company should not make above-market loans to a medical practice
Monies earned from the provision of patient services should be kept within the medical practice and used to pay salaries, bills, and other medical practice expensesIf possible, a medical practice should not contract with the management company that also leases space and equipment to the medical practice

By following these simple do’s and don’ts the ownership, control, and direction of a medical practice will stay in the hands of the plenary licensed physician-owner, giving the MSO structure the greatest chance of being upheld by a court if ever challenged.

Healthcare employers are among the many members of New Jersey’s business sector who will be impacted by the newly-signed Temporary Workers’ Bill of Rights, which requires temporary workers to be paid the same average compensation rates (or cash equivalent) that is paid to permanent employers. This requirement, and other implications of the bill signed into law by Governor Murphy on February 6, are discussed in this Client Alert by Greenbaum associate Mitchell J. Horner on behalf of the firm’s Employment Law Department.

On February 10, 2023, the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) issued a joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against healthcare and public health sector organizations and other critical infrastructure sector entities.

Given the multi-national involvement in this CSA, healthcare organizations should take particular note of the importance of its contents.

The intent of the CSA is to supplement prior reports on actions of the Democratic People’s Republic of Korea (DPRK), namely Maui and H0lyGh0st ransomware. The CSA highlights additional observed tactics, techniques, and procedures by DPRK cyber actors suspected to be targeting South Korean and U.S. healthcare systems.

Included in the CSA are a list of potential tactics, techniques, and procedures observed in ransomware efforts, including efforts to:

  • acquire infrastructure;
  • obfuscate identities;
  • purchase VPNs and VPSs; and
  • expose vulnerabilities to gain access.

The CSA also offers a list of mitigations to help protect an organization. Many of these should already be in place, but if not should be considered by an organization with urgency:

  • Limit access to data by authenticating and encrypting connections with network services, Internet of Things (IoT) medical devices, and the electronic health record system
  • Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges
  • Turn off weak or unnecessary network device management interfaces and secure with strong passwords and encryption when enabled
  • Protect stored data by masking the permanent account number when displayed and rendering it unreadable when stored
  • Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI)
  • Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise

The CSA concludes by outlining a list of actions to prepare for potential ransomware attacks, including the following:

  • Maintaining isolated backups of data, and regularly testing the backup and restoration
  • Creating, maintaining, and exercising a basic cyber incident response plan
  • Installing software updates as soon as they are released
  • Implementing user training programs
  • Requiring strong passwords
  • Auditing user accounts
  • Installing and regularly updating anti-virus and anti-malware software

Organizational leadership and IT professionals within healthcare organizations should be aware of this CSA and its contents to ensure all possible protective actions have been taken. Continued and persistent vigilance is critical as these cyberattacks seem to only be getting more frequent and more sophisticated in their efforts.

Case in point: On February 15, 2023, it was reported that Community Health Systems, a large Tennessee-based healthcare organization with close to 80 hospitals in 16 states, confirmed that criminal hackers accessed the personal and protected health information of up to 1 million patients. While this breach appears to have been the work of a Russia-linked ransomware group, it serves to highlight how these risks can impact even the largest and most sophisticated organizations. Thus, continued vigilance is critical.

With New Jersey annually ranked as having one of the highest average effective tax rates in the country, NJ-based healthcare entities are impacted by high property taxes across the state, notwithstanding the tax-exempt status of certain hospitals and satellite emergency care facilities pursuant to New Jersey statute. Please join us on Wednesday, March 1 at 12:00pm for a 30-minute lunchtime webinar which will provide an overview of seven things that need to be considered when contemplating a commercial property tax assessment appeal. More details about the program and registration here.

.