As recently reported by HealthITSecurity, IBM Security’s 2023 Cost of a Data Breach Report revealed that the average cost of a healthcare data breach was almost $11 million in 2022, an $800,000 increase from the prior year and a 53% increase from 2020. The report further revealed that the global average cost of a data breach across all sectors in 2023 was $4.45 million, a 15% increase over the past three years.

IBM’s report analyzed 553 organizations impacted by data breaches during the time period between March 2022 and March 2023. To calculate the cost of data breaches, researchers involved in preparing the report took detection isolation, notification, post-breach response, and lost business costs into account.

The researchers found that the healthcare sector experienced the highest average cost of any industry for the 13th consecutive year. Critical infrastructure faced average breach costs that were significantly higher than other industries, and U.S.-based organizations faced higher breach costs overall than any other country.  

The IBM report further included these key findings:

  • Approximately 5% of the breaches studied were the result of known vulnerabilities that had yet to be addressed;
  • Despite an increased emphasis on cybersecurity, benign third parties or threat actors themselves were more likely to be the ones to identify a breach versus the internal security teams;
  • A shorter breach lifecycle was associated with an overall reduction in total cost for the breach;
  • Nearly a quarter of all attacks that were analyzed involved ransomware;
  • It was observed that organizations that stored data in public cloud systems and multiple environments observed higher costs and longer breach lifecycles; and
  • Only 51% of organizations that suffered a breach reported increasing security investment following the breach.

The IBM report underscores the critical importance of security teams being vigilant and organizations making appropriate investments in cybersecurity. While cybersecurity initiatives can be costly, the average expense of a data breach more than justifies that cost. Moreover, ensuring that your organization has the requisite procedures in place to identify, investigate and remediate a potential data breach quickly and efficiently is critical to minimizing both harm and expense.

Organizations would be well advised to review their HIPAA/HITECH policies and procedures, their compliance programs, and their cybersecurity insurance to ensure they have taken all necessary steps to minimize these risks and prepared their organizations to promptly respond should an incident arise.

On June 15, 2023, the Medicare Payment Advisory Commission (MedPAC), a nonpartisan independent legislative branch agency that was created to advise Congress on a range of issues affecting Medicare, issued its 2023 Report to Congress. Included therein was a report, mandated by the Consolidated Appropriations Act, on the usage of telehealth services during the public health emergency (PHE) and an analysis of the association between expanded telehealth coverage and healthcare quality, access, and costs.

Discussed in the Telehealth Report, among many other things, was the overall utilization of telehealth during the pandemic.

FFS Medicare spending for telehealth services was very low in 2019 ($130 million) but rose dramatically during the early months of the PHE, peaking at $1.9 billion in the second quarter of 2020, as providers and beneficiaries shifted rapidly from in-person visits to telehealth. Telehealth spending declined in the latter half of 2020 and in 2021, falling to $827 million in the fourth quarter of 2021. Similarly, between 2019 and 2020, the number of FFS beneficiaries who received at least one telehealth service paid under the PFS accelerated rapidly from 239,000 to 14.2 million (40 percent of Part B FFS beneficiaries), then declined in 2021 to 9.7 million (29 percent of Part B FFS beneficiaries).

While the latter part of 2020 and 2021 showed a drop-off in the utilization of telehealth services from its peak in the early months of the PHE in 2020, even as the pandemic eased, telehealth spending remained at an amount over six times what it was pre-PHE. Moreover, the number of beneficiaries utilizing telehealth remained steady at 29% into 2021, which is over forty times more beneficiaries than utilized telehealth pre-PHE. The MedPAC’s annual survey of Medicare beneficiaries also revealed that 40% of telehealth users said they were interested in continuing to use telehealth after the PHE. Thus, while it remains to be seen whether telehealth becomes a permanent fixture in the delivery of services to Medicare beneficiaries, there certainly remains a demand.

The Telehealth Report also commented on the question of whether expanded telehealth coverage impacted quality, access, and cost during the PHE. While the MedPAC qualified its comments by indicating that any conclusions were limited because of a time lag in claims data, which could cloud the results due to COVID-19 surges during the available period of time (i.e. 2021), the report nonetheless conveyed some preliminary conclusions. The MedPAC reviewed Medicare fee-for-service administrative data to compare population-based outcomes across hospital service areas (HSAs) with different levels of telehealth service use. The MedPAC also compared rates of hospitalization and clinician encounters for the various groups of HSAs.  The MedPAC concluded that “during the pandemic, greater telehealth use was associated with little change in measured quality, slightly improved access to care for some beneficiaries, and slightly increased costs to the Medicare program.” The MedPAC cautioned that further research, including the review of more recent data as it becomes available, is critical to truly assess these items.

As Congress grapples with the ultimate questions of what telehealth should look like beyond 2023 and 2024, as the various extensions expire, what remains clear is that the PHE has drastically changed how healthcare is provided to patients. In addition, the rate at which telehealth has been utilized over the past few years is likely to signal a desire for its continued availability into the future. Thus, lawmakers are going to have a difficult time putting the genie back in the bottle and returning telehealth-based Medicare services to the much narrower pre-PHE framework.

Our partner Jim Robertson is the featured speaker on the Hospital Finance Podcast episode “Thinking Outside the Box on Challenging State DSH Subsidies,” which is now available online on the Besler website and on major podcast platforms including iTunes, Spotify, Google Podcasts, Stitcher and SoundCloud. Highlights of the episode include a review of the Takings Clause of the U.S. Constitution, the type of government action the takings clause protects private citizens against, challenging government action in the context of hospital reimbursement, and related court decisions specifically in the healthcare field. Besler, a nationally recognized financial and operational consulting firm with over 30 years of experience in healthcare financial management, combines broad healthcare finance expertise with cutting-edge technology to help hospitals enhance and protect their revenue. 

The COVID-19 pandemic created a paradigm shift in the world of medicine with the increased use of telehealth and telemedicine to meet the challenge of expanding the delivery methods patients used to access health care. Although the federal Public Health Emergency related to COVID has now ended, telehealth providers must continue to monitor developments in federal and state laws, regulations and policies, as Greenbaum attorney Jessica M. Carroll explains in an article recently published by the American Health Law Association (AHLA) in its “Health Law Weekly” publication.

Considerable literature has emerged concerning the impact of the extended COVID-19 pandemic on the ability to handle stress and sustain mental health. Healthcare professionals are among the most vulnerable segments of the population to these consequences of the pandemic. There are numerous studies and reports of stress, sleep disturbances, and increased mood and anxiety symptoms among health workers. This is not surprising considering the exposure to an increased risk of infection, fear of infecting other people, working extraordinarily long hours with isolation from family, challenges of working conditions with the early inadequacy of personal protective equipment and overcrowded hospitals, and the experience of the suffering and death of patients.

The ability to cope with prolonged stress and avoid or minimize mental health problems is referred to as “resilience.” The consequences of prolonged stress can be seen in episodes of depression and anxiety leading to negative effects on family and social relationships and work performance. A variety of interventions to support the mental health of healthcare professionals have been proposed and studied. These include various forms of coaching with groups or through telehealth.

An article in the June 3, 2023 issue of The Lancet highlights another tool. It also illustrates how something old can be new. In the midst of the war with Russia, a video depicting a female Ukrainian soldier in full camouflage gear doing a Pikachu dance on a snowy bank with the sound of gunfire in the background went viral on the internet. Noting that medicine is not an actual war, and that doctors and nurses are not soldiers, the physician authors nonetheless emphasized the common need for an emotional outlet during all the trauma, tragedy, and death. They commented that searching for levity in the midst of a crisis serves to confirm our shared humanity and the universal need to laugh. The short article has a particularly powerful paragraph:

The aphorism “laughter is the best medicine” has been attributed to the Book of Proverbs in the Old Testament: “A merry heart doeth good like a medicine: but a broken spirit drieth the bones”. This ancient wisdom might also hold true for some medical conditions. Research suggests that laughter might raise the pain threshold and improve glucose tolerance, have positive effects on the immune system, and lower blood pressure. Indeed, laughter seems to be associated with certain healing properties among some patients.

Indeed, the healing effect of laughter has been the subject of study and commentary from such institutions as the Mayo Clinic and the Geisinger Health System. The health benefits include release of endorphins, reduction in stress, boosting the immune system, and increasing blood flow to internal organs. From a psychiatric perspective, one author has written that “[l]aughing at oneself also encourages healing” and adds a quote from a widely published psychoanalyst that “there is a need to learn to laugh at oneself as an individual and also as a professional.” Studies have shown that humor contributes to personal resiliency.

The closing line of the Lancet article regarding laughter sums things up well: “And in a job as stressful and demanding as health care, [laughter] can often be the medicine that physicians themselves desperately need.”

Considering the report submitted by the New Jersey State Bar Association concerning the prevalence of depression, burnout, suicidal ideation, problem drinking, and isolation among members of the legal profession and the New Jersey Supreme Court’s recent formation of a Committee on Wellness in the Law, there are many transferrable lessons to be learned. While this is a serious topic meriting serious thought and discussion, let’s instead end with Jerry Seinfeld’s memorable observations about a doctor’s waiting room.

The waiting room. I hate when they make you wait in the room. There’s no chance of not waiting. ‘Cause they call it the waiting room, they’re gonna use it. They’ve got it. It’s all set up for you to wait. And you sit there, you know, and you’ve got your little magazine. You pretend you’re reading it, but you’re really looking at the other people. You know, you’re thinking about them. Things like, “I wonder what he’s got. As soon as she goes, I’m getting her magazine.” And then, they finally call you and it’s a very exciting moment. They finally call you, and you stand up and you kinda look around at the other people in the room. “Well, I guess I’ve been chosen. I’ll see you all later.” You know, so you think you’re going to see the doctor, but you’re not, are you? No. You’re going into the next waiting room.

As we advised in a previous post on this blog, the Garden State Commercial Property Assessed Clean Energy (C-PACE) program was established by the New Jersey Economic Development Authority (EDA) as a mechanism to finance, among other things, commercial renewable energy projects, energy efficiency initiatives, electric vehicle charging stations, microgrids, power purchase agreements, as well as water efficiency and other authorized improvements where “capital providers” pay the upfront costs of the project and are then repaid through a real property assessment levied by the participating municipality.

Under C-PACE preliminary draft guidelines posted by the EDA on its website on April 13, 2023, “eligible properties” are defined to include “schools, hospitals, institutions of higher education, or religious institutions” that otherwise meet the eligibility criteria. Accordingly, the C-PACE program is expected to be a popular option for hospitals and other healthcare sector entities looking to rehabilitate facilities or adopt clean energy initiatives while seeking to avoid the upfront capital expenditures typically required for such projects.

This Client Alert by Greenbaum attorney Maura E. Blau provides an overview of key definitions, application and eligibility criteria, fees and more as outlined in the EPA’s draft guidelines, on which public comment will be open through May 15, 2023.

Over the past few years, changes in healthcare have driven fundamental changes in the relationship between providers and Managed Care Organizations. Medicare and Medicaid are front and center in these changes. Successful systems need new ways to look at managed care contract negotiations.

On May 18, 2023, Greenbaum attorney Neil M. Sullivan will be a panelist for a live CLE webinar on “Managed Care Contracts: Medicare and Medicaid Considerations.” The program, presented by Strafford, will examine essential questions including:

  • How have the changes in healthcare and the shift to Medicare and Medicaid impacted the negotiation of managed care agreements?
  • What are some proven approaches for providers’ counsel in negotiating favorable provisions in managed care contracts?
  • What are the most commonly disputed issues during contract negotiations and practical approaches for resolving them?

Additional information and a link to register for this webinar is on the Greenbaum website.

The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced on April 11, 2023 that the Notifications of Enforcement Discretions issued during the COVID-19 Public Health Emergency (PHE) would be expiring at 11:59 p.m. on May 11, 2023 due to the expiration of the PHE. A copy of the notice of expiration can be found here.

Despite this expiration, OCR Director Melanie Fontes Rainer announced that OCR would be “providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR is providing a 90-calendar day transition period until 11:59 p.m. on August 9, 2023 for health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. Thus, during this 90-day period, health care providers will not face penalties if they engage in the good faith provision of telehealth.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules would be applied to certain violations during the PHE. The following are links to each of those Notifications:

  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

Health care providers should carefully review each of these Notifications to assess whether adjustments were made to their daily operating practices during the PHE.

Action should be immediately taken to ensure resumed compliance with all applicable HIPAA Rules following the 90-day transition period expiring on August 9, 2023.

On January 5, 2023, the Federal Trade Commission (FTC) published a notice of proposed rulemaking (NPR) for a non-compete clause rule. The NPR, if approved as published, would ban as an unfair method of competition all non-compete clauses between an employer and workers in all industry sectors throughout the country. The NPR might also extend to other restrictive covenants in an employment agreement if the covenants hamper post-employment re-employment.  Upon the NPR’s adoption, an employer would be obligated to give employees written notice of recission of existing non-compete clauses.

The NPR has a narrow exception from the general prohibition for the sale of a business if the seller owns at least 25% of the business sold.

The NPR is likely to be challenged as being promulgated without authority under Section 5 and 6(g) of the Federal Trade Commission Act.  In addition, since the NPR will regulate a significant portion of the U.S. economy, will be of great political significance, and will intrude in an area that has been the domain of state law, the NPR will also likely be challenged under the Supreme Court’s “Major Questions” doctrine. Finally, the NPR may run afoul of the prohibition against congressional delegation of its legislative power to an agency without an intelligible principle to which the agency must conform.

In the healthcare industry, there will be many unintended consequences if the rule is adopted.  Several examples are: (i) physician equity transactions rely upon non-compete clauses to maintain the economic integrity of the participating physicians. The physicians are the economic engine that drive the equity transaction; and (ii) in a consolidated healthcare industry, large numbers of physicians are employed by “Friendly PCs” controlled by non-profit healthcare systems. All the physicians in their employment agreements are bound by non-compete clauses, which would be rescinded under the NPR because the Friendly PCs are profit-making entities subject to the NPR. 

As a result of the potential legal challenges, the road to adoption of the NPR is long and uncertain.  In the interim, non-competes should be narrowly crafted to protect the employer’s legitimate interest and be reasonable in duration and geographic scope. 

In August 2022, President Biden signed into law the Inflation Reduction Act. The Act’s key provisions include the ability of the federal government to negotiate certain prescription drug pricing. Specifically, the law created a program that allows the federal government to negotiate prices for a limited number of high-cost single-source drugs (lacking generic and/or biosimilar substitutions). The Secretary of the Department of Health and Human Services (HHS) will have the ability to choose a list of 50 pharmacy drugs and 50 drugs administered at a physician’s office that will be priced in accordance with this new methodology. 

By September 1, 2023, the Centers for Medicare and Medicaid Services (CMS) must publish the highest cost drugs for negotiation. While the effective date for this first round of drugs is not until CY2026, in CY2023 a total of 10 drugs will be selected from the Medicare Part D program.

In this recent article published by Reuters entitled Bristol Myers, Pfizer, AbbVie Drugs Likely to Face U.S. Price Negotiation, the authors discuss some of the drugs anticipated to be on this initial list and the efforts being made by the industry to better understand how this new pricing system will be implemented.